All right, welcome. My name is Sean O'Dell. I'm a member of the Network and Security business unit here at VMware. I'm excited today to talk to you about the tooling evolution. A little bit of fun as we go through it today. There are a lot of questions that get asked: what specifically can I do from a network and security perspective with NSX? Obviously, we've covered those. But in today's session, we're actually going to talk about how you can solve challenges, how you can overcome obstacles, and really the tooling that is necessary. There is a people and process portion that we obviously could cover, and we've done that in some of our other sessions. But for today, we actually just want to talk about the tooling. The first thing I want to discuss as we begin here today is really the platform itself. So from an NSX perspective, I'm actually going to throw up the NSX platform. The platform has several things built in for our customers to truly continue, maybe in the fashion of what you've done in the past; things like syslog are an example. So today, obviously, we support syslog, and we have the ability to send the syslogs to up to five syslog aggregators, servers, however you want to define it. The second thing of importance is IPFIX. Now, IPFIX, NetFlow, however you want to define that. We actually also support five IPFIX servers. The thing is, the NSX platform ultimately provides the same level of operations and tooling capabilities that you have from your existing, native, traditional, however you want to define it, network. So in this example, obviously, syslog and IPFIX. Because it's software-defined, and because that's the focus of NSX and obviously the VMware technology set, we also have a comprehensive API and a CLI. So from a day-to-day networking perspective, some of our customers have asked, "Well, what am I supposed to do? Is it significantly different from my traditional network?"
As you can tell here, we have built into the platform the same capabilities that you have on the physical, or I should say the underlay, network within your environment. So I always begin this conversation as: the NSX platform is purpose-built to help you and your organization utilize maybe some of the existing solutions that you have. Right. So you can mention third-party integrations. Some of our partners have developed specific content, specific solutions around the NSX platform, and it continues in the area of tooling. We've got a significant list of partners that we work with, and the other thing that I want to mention is not only do we have the existing physical networking, what you'd say traditional methodologies, but we also have third parties. But more importantly, and really what we're going to focus on for part of our discussion today, or most of our discussion, is from VMware. Now, there are three key areas that we're going to focus on when we get into the tooling aspects from VMware. But as mentioned before, I wanted to go ahead and start with the platform functions that are available to you. So now as we go into that, I want to talk about three focus areas where our customers tend to ask for direction, help, guidance. The first area that we typically work with our customers on, and the question that comes about, is microsegmentation. The key with microsegmentation is not just the microsegmentation concepts but, more importantly, planning. So, microsegmentation planning. As you've seen in some of the other videos from my peers and coworkers, we've used microsegmentation to secure your workloads by placing a firewall on each virtual machine, and what we'll discuss here in just a little bit is how we can actually do microsegmentation planning with the tools that are available to you today.
The second area that we often are asked about, as it relates to NSX and how I can fully consume and utilize NSX, is overlay and underlay visibility. Now you say overlay; yes, that is the NSX portion, and then we have the underlay, and that is your physical networking devices, your Layer 7 devices, if you're doing some service insertion, offloading, et cetera. So, overlay and underlay visibility. Now, when we think about these areas, it's very important that we have a very distinct difference between the two, right? If I was to look at this, microsegmentation is ultimately not making any changes, not having any effect on the underlay network. Some of our customers do microsegmentation first, then followed by the SDN pieces: Distributed Logical Routing, switching, et cetera. So we tend to break these down into two key focus areas, and then the third area, which is kind of special to me and we'll look at it with one of the solutions, is really just NSX operations in general. How is NSX performing? Do I have specific limits that are being reached by my firewall and my edges, et cetera? So, overall, NSX operations. Now, I want to be very clear as we talk about NSX operations. The platform itself has done a really good job. We've built in many checks and balances, obviously, provided by the existing solutions or tool sets. But we want to ensure that you have a very clear idea how NSX is performing, how it's operating, from within the platform itself. Ultimately, we think we've done a really good job with that, we continue to improve each and every release, and we've really been listening to our customers in what they're looking for and what they need. Now, to begin specifically with some of the asks from our customers, there's one other piece to the NSX platform that I want to call out, and we're going to discuss that here kind of at length in just a minute, and we'll have a video on it. But that is Application Rule Manager. Application Rule Manager, or ARM for short.
Now, you say, okay, what is Application Rule Manager? It's actually a direct tie-in to the microsegmentation planning piece that a lot of our customers are asking for. Now, we're actually going to take a quick moment and look at Application Rule Manager in kind of a quick demonstration, and then we'll come back and have a few talking points about it. So here we go. All right, so this is Application Rule Manager, and one of my favorite things. It's actually associated with the vSphere Web Client, the familiar NSX UI that we're all accustomed to. As you can tell here, we created an HR application. We've defined the application, it shows a few virtual machines, and now we're collecting the data. We'll simulate an application real quick, and we're going to go ahead and generate some connections against the database, obviously ensuring some source and destination connectivity is generated by the application, and as you can tell here, I've got a few flows, five to be exact. I've got some HTTP communication, HTTPS communication. Really the goal here is to show you what flows, how many sources you have, and then at the end of this, we can go ahead and stop collecting the data. Now, we're just doing this in a quick video. You can run this for whatever length of time you choose for your application. Now, let's go ahead and take a look here as we stop the application. Now, we want to analyze the data, and this is really the second part of Application Rule Manager. We get into this data, and now we've analyzed it. It is providing the information that's necessary, obviously from a communication perspective. The NSX platform is going to provide some recommended rules for you. We've got a couple of rules here from the infected virtual machines, from an HTTPS perspective. Then I have another rule that we're recommending based on the HRDB server, and notice here HTTPS, HTTP.
Maybe you want to change up the app_HTTP security group, and maybe define it as one of the standards that we're utilizing throughout NSX, or through some of our other security groups, maybe from a service perspective. So, what we're going to do here is we're going to edit the firewall rule group and change the service from app_HTTP. We're going to do a quick search. Obviously, you can see the existing services. In this case, we're going to change it to HTTP and we're going to save it. Now, we will click "OK". We actually haven't applied these firewall rules. So now we choose OK. Now we can go on and publish this. Really one of my favorite parts of Application Rule Manager is the ability to publish those firewall rules in a very simple form. So, let's give it a name, and we'll give it the HR application, and we're going to- you can choose the insert, how you want to do that. Then from there, we see here we have gone ahead and published those firewall rules. They're fully functioning and consumed; we've validated that there in the NSX distributed firewall. From an administrative perspective, you see those firewall rules that have been applied. That is a quick look at Application Rule Manager. All right. Thank you for having- Obviously, we want to give you an opportunity to see Application Rule Manager in action. Now, to help with that, what I would like to do is explain why we did some of those things. Maybe the steps that it takes, that are necessary for you to truly accomplish a fundamental, 100 percent deployed, application micro-segmentation use case that our customers are utilizing today. How we do that, you might say, "Okay, I'm getting flows, I'm getting processes, I'm ultimately building out within Application Rule Manager those capabilities, but I have to have NSX for that." Ultimately, we do have some of our customers who are asking for maybe a precursor; in some cases they'd say, "Hey, I want to deploy NSX.
I want to have the micro-segmentation firewalls, but I really would like to migrate those VMs from day zero where they have some policy of some kind." So when we look at this, between Application Rule Manager and some of the things that we're about to discuss from a VMware perspective, it's really up to you. We're giving you choice, we're giving you options in this area. I personally love Application Rule Manager. I love what we're about to discuss with Network Insight and Log Insight. But really, you as an organization get to pick and choose which method is right for you. So let me talk about these pieces real quick. In some cases, I do have customers that like to get information or data, as I mentioned before, before they roll their workloads into NSX and actually have the distributed firewall rule up and running, right. So one way to do that is with the introduction of Network Insight. Now, I think many of you know my history, my past. I did work with Network Insight before it was acquired by VMware, back in the Arkin days. You've probably seen a few of my lightboard videos on that specific subject, which I'm obviously still excited about. But Network Insight will allow you to go out into your environment in really two key ways. Number one is go out without NSX. Now you're probably like, "Wait a minute, I can do this without NSX?" Absolutely. It really depends on you, the organization. So in my discussion today, I am not telling you to do it this way or that way. My goal is to really provide you the options, and you get to decide what is a better fit for you. There are plenty of scenarios we could go into. But with Network Insight, we utilize some of the core functions that the platform provides. So you may be using another syslog server, syslog solution, maybe another IPFIX solution. Maybe you've had flow monitoring, a flow collector on the physical network. I've seen plenty of that, obviously, taps, et cetera.
But a lot of organizations actually kind of left the virtual network, the VMware network, as a black hole. Maybe they didn't collect the flows like they did on the physical network. Obviously, if you have a virtual distributed switch, which is what we are going to be discussing, or at least you understand it works with NSX, I could have two VMs sitting on the same host, and that communication, those flows, never actually hit the physical network. So therefore, my physical taps, the things that I've had historically, would not have visibility or purview into that. So, as we talk about that micro-segmentation planning use case, that being how and where do I start, right? I've got two virtual machines; how are they communicating? Then I can build a policy on top of that. As you've seen in some of the other demonstrations from my peers, NSX micro-segmentation is a valuable use case, but the problem, or the situation that kind of arises, is: I don't know what my applications are doing. I've got a Visio diagram; it may be perfect, it may be old, it may be something. I've even had customers tell me flat out, "I have no idea what's going on between my workloads in the VMware environment." So with Network Insight, we allow you to collect NetFlow data from a couple of different sources. So, I actually refer to it as IPFIX, or we refer to it as IPFIX within the platform. So, we're an IPFIX collector. That IPFIX collector allows you to aggregate data from multiple vCenters, from multiple environments, multiple data centers. That IPFIX data is ultimately brought into our collection methodology process. We've done some de-duplication, some validation. Maybe we don't really care about seeing ping traffic. So we do whitelisting of some things here and there, maybe VMware management traffic, those types of things that we have kind of whitelisted.
But we take this IPFIX data, and our first step is to get it from the virtual distributed switch, or the DVS, right; you can call it DVS, VDS, doesn't really matter to me. With that IPFIX data from the virtual distributed switch, we can then build models, policies, generic policies, if you would like to call it that, around an application. With micro-segmentation, just to kind of draw this out and help you get a visualization: if I've got VM1 communicating with VM2 over, I don't know, 443, well, from a flow perspective, I obviously would assume this is more of an application web traffic type of situation. Well, I know it's a base form, but what if it was on port 8080, 20, whatever application maybe you built internally? We can allow you to group traffic within Network Insight based upon the flow data and actually build out an application for you. We can show you VM-to-VM communication, we can show you VLAN communication. With Network Insight, we've helped really simplify this process by allowing you to build applications within the platform, and tiers of that application. Now you say, "Okay, how are you building those applications?" We're taking the flow data and we're applying some very key principles: vCenter folders, vCenter tags, we can even use some of the base vCenter functions. It's the constructs that you're accustomed to within the VMware environment that allow you to group applications, group workloads accordingly. The other key with this is not only can we group those applications and tiers using the discovered traffic, we can also create groupings of those applications ourselves. So, you can take the API, for example, and you can build out a three-tiered application, web, app, and DB, and within Network Insight, you can use this IPFIX data to actually build out this application and show a complete topology map of that application and how it is communicating.
So, maybe you come to realize, after that discovery, after that information is gathered, that you are seeing some FTP traffic to some web servers. That may not be the ideal situation: rogue traffic, misconfiguration, et cetera. So, within Network Insight, you use that IPFIX data to build those applications. The other thing that we've done within Network Insight is not only provide the IPFIX data from a VDS perspective, but ultimately, we also provide the IPFIX data from an NSX perspective. So, now that I have NSX, I'm consuming and utilizing NSX, we can continue to pull the VDS, but more importantly, now we can go get the additional details that come from NSX itself. So, you can actually take the distributed firewall, and we will tell you the rule ID for a specific flow between two VMs. So, in this case, I can take that same flow from before, where I had VDS data; now I have the NSX data, and I can give you a rule ID on that specific communication and flow. So, we're giving you a couple of options to help with this micro-segmentation planning use case. Now, our customers have been very open and specific on some needs. One of those needs is not only the VDS, which we have, and adding NSX, but adding NetFlow from physical devices. So, I'll just say, "physical networking devices." Now we have an even clearer picture. So, one of the challenges, especially from a planning perspective, since we're still talking about that, is: okay, I've got the data from the VDS, I've got a VM communicating with a physical server, or I've got two physical servers, maybe I'm going to migrate those to virtual machines and I need to put micro-segmentation around them. There are a couple of use cases for this, but more importantly, we provide that VDS data, but now we can provide the physical NetFlow data. Part of that's validation; we didn't have the purview outside of the VMware space. This could also not only be physical assets, but it could be internet-based traffic.
So, internet-based traffic, VM to internet, internet to VM. It's really about getting a holistic view, a holistic picture of what your environment would look like. Now, as we take it a little bit further, ultimately, we've added things around change, audit capabilities, things that have been asked for by our customers, what flows... I mean, literally, you can actually go into Network Insight and just do a simple search that says "VMs where port equals X and Y," and so on, different things like that, but that's really the basis for Network Insight from a micro-segmentation planning perspective. So, just a quick review: we do have Application Rule Manager, which you've seen in the demonstration video, which is utilizing pure NSX traffic, two VMs that have already been applied with a virtual distributed firewall on them. With Network Insight, we can actually do it pre-NSX. Now, the fun part here is we firmly believe this is a better-together story. You as the organization, you as the customer, your situation will dictate whether you use ARM, whether you use the VDS, or whether you have to go get NetFlow data from the physical devices, but at the end of the day, between Application Rule Manager and Network Insight, it's all about micro-segmentation planning. We want to help you get from no distributed firewall to a distributed firewall as quickly as possible, and this is kind of a quick rundown from a tooling perspective. Now, there's another way to do this, and it actually comes from another solution that VMware provides called Log Insight. Now, Log Insight is a very important solution in our stack, and the key about Log Insight is it is gathering syslog data, obviously, from the platform, pretty simple.
So, with Log Insight, we can actually do micro-segmentation planning. Some customers utilize this today; some do some very different methodologies than this. But the key with Log Insight, and what I always tell our customers, is obviously we have built-in content packs, and within those content packs we have things like dashboards. I believe as of today, and I'll just say approximately, we have 12 dashboards, we have over 90 widgets that are on those dashboards, and last but not least, we have about 35 alarms. Now, this does change; as we release things, maybe a modification, an architectural change happens in NSX, so that could obviously be affected when you're looking at the solution overall. Now, we've given you really three options to help with the micro-segmentation planning use case. I've shown you the demonstration of Application Rule Manager. At this point in time, I'm actually going to jump into Network Insight, and we're going to show you a quick demonstration of how you do micro-segmentation planning with Network Insight. So, let's take a look at Network Insight in action. So, this is the Network Insight UI. I like to do everything via search, going back to the Arkin days. So, here we go; let's take a look at applications. Currently, we have a couple of applications built in this dataset, and we're going to focus on the prod application, made up of three tiers. As you can tell here: prod Midtier, prod Web, and prod DB. One of the things about Network Insight is you can define these applications in a couple of ways. For the Midtier, I've got 14 virtual machines; web tier, 29, as well as some physical IP addresses. Yes, Network Insight allows you to collect flows from outside of the VMware space, as mentioned before, and then from the database perspective, five virtual machines.
When we looked at Application Rule Manager, it does require NSX, and as we stated in more of the lightboard session, Network Insight allows you to collect VDS NetFlow data, NSX NetFlow data, as well as NetFlow data from physical devices and even from AWS, from a VPC flow log perspective. Now, we've created this application, so let's analyze the flows that have been occurring for these virtual machines or physical IP addresses over the last 24 hours. As you can tell, Network Insight allows you to see the incoming and outgoing flows, color-codes the incoming and outgoing flows associated, as well as helps you quickly understand and define what each tier of the application is doing. I've got prod web, prod midtier, prod DB, and the key here is, as you look at each of the filters, you can highlight the ingress and egress communication. You can also notice internet-based communication, communication to physical assets, whether they're in the data center, maybe whether it's some shared services, DNS and so on, and I can even highlight some of the data center or virtual environments that maybe are not associated with this particular application; maybe I forgot a virtual machine or two. Let's keep focus on prod web real quick, and as you can see, once again, each of the communication bands to the other tiers, in this case, it's to prod midtier. I can see communication over port 8080, the number of counts, the sum of the bytes, and just as you've seen in Application Rule Manager, you do have the ability to see a recommended firewall rule within Network Insight. Within Network Insight, we'll show you the source, destination, service information, that is the protocol. The key is, with Network Insight, you can export this to an XML file.
Now, this XML file is formatted in the proper NSX API format; you can use Postman or something else to apply that, specifically adding these particular security groups, firewall rules, et cetera, to your NSX instance, and that's a quick look at Network Insight and the applications functionality, and the ability to recommend firewall rules to NSX. All right, that was our demonstration of Network Insight and how you do micro-segmentation planning.
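The flow-to-rule workflow that the talk describes for both Application Rule Manager and Network Insight (collect flow records, whitelist ping and management traffic, de-duplicate, group endpoints into application tiers using inventory metadata, recommend one allow rule per observed tier-to-tier service, and spot outliers such as FTP to a web server) is shown here as an added Python example. It is not code from the talk, NSX, Application Rule Manager or Network Insight: the inventory, the management subnet, the IPFIX-style flow records and the per-tier service baseline are all constructed for illustration, and the output is a plain list of rule dictionaries rather than the XML that Network Insight exports.

```python
"""Micro-segmentation planning from flow records (hypothetical worked example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: IP -> (name, tier), standing in for vCenter tags/folders.
INVENTORY = {
    "10.1.1.10": ("web-01", "prod-web"),
    "10.1.1.11": ("web-02", "prod-web"),
    "10.1.2.10": ("mid-01", "prod-midtier"),
    "10.1.3.10": ("db-01", "prod-db"),
}
# Constructed physical endpoints that should still appear on the map.
PHYSICAL = {"10.9.0.53": ("dns-01", "shared-services")}
INTERNAL = ip_network("10.0.0.0/8")      # assumed RFC 1918 range in use
MGMT_NET = ip_network("10.0.0.0/24")     # assumed management subnet (whitelisted)

# Constructed IPFIX-style records: (src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("203.0.113.7", "10.1.1.10", "tcp", 443, 5200),   # internet -> web
    ("203.0.113.9", "10.1.1.11", "tcp", 443, 4100),
    ("10.1.1.10", "10.1.2.10", "tcp", 8080, 900),
    ("10.1.1.11", "10.1.2.10", "tcp", 8080, 870),
    ("10.1.1.10", "10.1.2.10", "tcp", 8080, 910),     # repeat of a flow; aggregated
    ("10.1.2.10", "10.1.3.10", "tcp", 3306, 12000),
    ("10.1.2.10", "10.9.0.53", "udp", 53, 120),       # shared services (DNS)
    ("10.1.2.10", "10.1.1.10", "tcp", 21, 300),       # FTP to a web server: outlier
    ("10.0.0.5", "10.1.1.10", "icmp", 0, 64),         # management ping, whitelisted
    ("10.1.3.10", "10.1.1.10", "icmp", 0, 64),        # ping, whitelisted
]

# Constructed baseline of services each tier is expected to serve.
EXPECTED = {
    "prod-web": {"tcp/443"},
    "prod-midtier": {"tcp/8080"},
    "prod-db": {"tcp/3306"},
}


def classify(ip):
    """Map an IP to a tier; anything outside the internal range is 'internet'."""
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    if ip in PHYSICAL:
        return PHYSICAL[ip][1]
    return "unknown-internal" if ip_address(ip) in INTERNAL else "internet"


def is_noise(src, dst, proto):
    """Whitelist in the sense the talk uses: drop ping and management traffic."""
    if proto == "icmp":
        return True
    return ip_address(src) in MGMT_NET or ip_address(dst) in MGMT_NET


def aggregate(flows):
    """Collapse raw records into (src_tier, dst_tier, proto, port) -> {count, bytes}."""
    agg = defaultdict(lambda: {"count": 0, "bytes": 0})
    for src, dst, proto, port, nbytes in flows:
        if is_noise(src, dst, proto):
            continue
        key = (classify(src), classify(dst), proto, port)
        agg[key]["count"] += 1
        agg[key]["bytes"] += nbytes
    return dict(agg)


def recommend_rules(agg):
    """One allow rule per observed tier pair and service, then a catch-all deny."""
    rules = []
    for (src, dst, proto, port), stats in sorted(agg.items()):
        rules.append({"source": src, "destination": dst,
                      "service": f"{proto}/{port}", "action": "allow",
                      "evidence": stats["count"]})
    rules.append({"source": "any", "destination": "any",
                  "service": "any", "action": "deny"})
    return rules


def unexpected(agg):
    """Observed services that a destination tier's baseline does not include."""
    out = []
    for src, dst, proto, port in agg:
        svc = f"{proto}/{port}"
        if dst in EXPECTED and svc not in EXPECTED[dst]:
            out.append((src, dst, svc))
    return out


if __name__ == "__main__":
    flows = aggregate(FLOWS)
    for rule in recommend_rules(flows):
        print(rule)
    print("review before publishing:", unexpected(flows))
```

The point of the `unexpected` pass is the caveat the talk hints at: a recommended rule set built purely from observed flows will happily include the FTP session to the web tier as an allow rule, so the outlier list is what a practitioner reviews before publishing anything to the distributed firewall.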