NSX-T Advanced Security and Networking Service Insertion Deep Dive (VMworld 2019, SAI2781BU)

Transcript of NSX-T Advanced Security and Networking Service Insertion (dl.geekboy.pro:8080/VMworld 2019/SAI2781BU.pdf), 39 pages

Page 1: NSX-T Advanced Security and Networking Service Insertion ...dl.geekboy.pro:8080/VMworld 2019/SAI2781BU.pdf©2019 VMware, Inc. 7 NSX-T Service Insertion Value Proposition Insertion

#vmworld SAI2781BU

NSX-T Advanced Security and Networking Service Insertion Deep Dive

Stijn Vanveerdeghem, VMware, Inc.

VMworld 2019 Content: Not for publication or distribution

Page 2: Disclaimer

©2019 VMware, Inc.

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.

The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Page 3: Micro-segmentation with NSX-T: Intrinsic Security

Platforms: Bare metal, VMs, VMC on AWS, Public Clouds (AWS, Azure), Containers

Capabilities: Micro-segmentation, Zone Firewalling, Realtime visibility, Net-Sec Analytics

Locations: Data Center, Branch, VMC, Cloud

Unified Management Plane

Layer 3-7 (Edge appliance): Service Insertion

Layer 2-7: Identity Firewalling, URL Filtering, Service Insertion, Endpoint Protection

Ubiquitous enforcement based on Application Context. Distributed for Cloud-scale and baked into the Infrastructure.

Page 4: Micro-segmentation with NSX-T: Key New NSX-T Security Functionality

• Internal Firewall: use the Distributed Firewall for East-West traffic micro- and macro-segmentation
• Gateway Firewall: use the Perimeter Firewall for North-South traffic into the SDDC and between Tenants
• Vendor Integration: deploy partner solutions for specific use cases in conjunction with NSX (Endpoint Protection / Service Insertion)
• NSX Intelligence: Network & Security Analytics
• Clustered Management: simplified UI and Declarative Policy

Page 5: Driving Value with our NSX Partner Ecosystem

Partner categories: Cloud; Automation and DevOps; Operations and Visibility; Networking and Security Services; Network Infrastructure

Page 6: Consistent Visibility and Security across all workloads (NSX-T Network and Security Service Insertion)

Workloads: VMs, Containers, Physical Servers, Native Public Cloud

Enforcement points: Distributed Firewall, GW Firewall, E-W Service Insertion, N-S Service Insertion

Page 7: NSX-T Service Insertion: Value Proposition

Insertion of 3rd party services in the SDDC and Cloud

Intercepts Data in Motion across the network
• Perimeter (N-S)
• At each workload's vNIC (E-W)

Security and Visibility services across workloads and platforms

Chaining of multiple services

Redirection or Copy of traffic to partner service

Consistent Partner Policy across multiple vCenters

Deep Integration with partners

Partner service types: Micro-Segmentation, IPS, URL Filtering, Reputation, Sandboxing, Anti-Virus, Network Monitoring

Page 8: NSX-T Service Insertion: Deep Partner Integration

• Granular Service insertion
• Simplified Provisioning
• Ubiquitous Application-based policies
• Flexible and Scalable Service Chain

Page 9: NSX-T Service Insertion: Key Use Cases

Inline Advanced Security Controls (Granular Traffic Redirection)
• Perimeter and per-workload
• For Containers, VMs, BM and Cloud
• IPS/IDS, Threat Prevention, NGFW, Web Filtering, Anti-malware, Outbreak Prevention

Traffic Aggregation, Visibility and Analytics (Granular Traffic Copy)
• Per-workload
• Containers and VMs
• Aggregation, processing, analytics and distribution of application traffic
• Performance monitoring, security analytics and forensics

Page 10: Certified Service Insertion Solutions (North-South)

NSX-T Service Insertion certified partner solutions: PAN-OS 9.0.3; FortiGate-VM NGFW 6.0.4; CloudGuard IaaS for NSX-T R80.10

Page 11: Certified Service Insertion Solutions (East-West)

NSX-T Service Insertion certified partner solutions: PAN-OS *; FortiGate-VM NGFW 6.2.1; CloudGuard IaaS for NSX-T R80.30; vStream *; GigaVUE *

* Upcoming integration announced by the partner; check the VMware Compatibility Guide for the most up-to-date information.

Page 12: NSX-T Service Insertion: Service Consumption Workflow

Same workflow across N-S and E-W Service Insertion:

1. Service Registration
2. Service Deployment
3. Service Application
4. Service Consumption

Workflow phases (left to right on the slide): Partner Specific, Universal, Partner Specific

Page 13: NSX-T Service Insertion: Deployment Options

Criterion | North-South | East-West
Use Cases | SDDC/Tenant Perimeter, Kubernetes Namespaces, NSX Cloud Security | Advanced Security and Visibility Controls for Micro-segmentation
Partner Services | NGFW (IPS, Botnet filtering, URL Filtering) | NGFW, Network Visibility, Network Performance Management
Protected Workloads | Any workload behind T0/T1 gateway on prem and in NSX Cloud, K8S | VMs on ESXi
Traffic Interception | Uplink of T0 / T1 Gateway | Logical Port (VM vNIC / Container Interface)
Transport | Layer 2 (Bump in the Wire) | Service Plane (NSH/Geneve)
SVM Placement | ESXi TN (placement close to Edge) | Each ESXi Compute TN or ESXi Service Cluster
High Availability Support | Active/Standby | Load Balancing across multiple Service Instances
Service Chaining | Per Logical Router (topology dependent) | Per Policy (topology independent)
Redirect / Copy Support | Redirect | Redirect and Copy

Page 14: North-South Service Insertion with NSX-T: Security Use Cases

Comparison of North-South Service Insertion support in NSX-T and NSX for vSphere across:
• Protect SDDC Perimeter
• Protect Tenant Perimeter
• Secure Kubernetes Namespaces
• Protect Bare Metal Workloads
• Protect Native Public Cloud Workloads
• Active/Standby Support

Page 15: North-South Service Insertion with NSX-T: Major Components

Partner Manager
• Registers service with NSX
• Manages Service Policy
• Receives Group Updates from NSX Manager

NSX Manager Cluster
• Deploys Service
• Creates Service Links
• Configures SI Classifier based on Redirection Rules

SI Classifier
• Intercepts and redirects traffic

Diagram: the Partner Manager exchanges Service Registration and Group Updates with the NSX Manager Cluster. The Edge Node hosts Tier 0 SR (SI Classifier on the Uplink), Tier 0 DR, Tier 1 DR and Tier 1 SR. The Service Node hosts NGFW Instance (Active) and NGFW Instance (Stby.), reached over the Untrusted Segment and Trusted Segment, with an HA segment between the instances and a Downlink towards the workloads.

Page 16: North-South Service Insertion with NSX-T: Major Components (continued)

Service Links
• Overlay Segments
• Connect T0/T1 (SR) to Service Instances
• Untrusted and Trusted
• HA Segment
• Automatically created

Service Instances
• Instantiation of a Service
• Active/Standby
• Bump-in-the-wire

Diagram: same component diagram as Page 15 (Partner Manager, NSX Manager Cluster, Edge Node with Tier 0/Tier 1 SR and DR and SI Classifier on the Uplink, Service Node with active and standby NGFW instances on the Untrusted, Trusted and HA segments).

Page 17: North-South Service Insertion with NSX-T: Requirements

• Redirection is applied to the uplink of T0/T1
• Protected Workloads can be VM, BM, K8s
• Service instances can only be deployed on ESXi Transport Nodes managed by vCenter
• Edge Nodes can be co-located on the same ESXi Transport Node
• Active/Standby and Standalone LR/SVM are supported; Active/Active is not supported
• Only 1 service per router is supported

Page 18: North-South Service Insertion with NSX-T: Supported configurations

Standalone
• Single Partner VM per Logical Router
• Logical Router in A/S Mode
• No H/A Support
• Fail-Open/Closed support

Active/Standby
• A/S Partner SVM pair per Logical Router
• Logical Router in A/S Mode
• Additional (HA) Segment to sync between partner SVMs
• BFD is used to detect failure on the Active instance
• Fail-Open/Closed support

Page 19: North-South Service Insertion with NSX-T: Service Registration and Deployment

1. Security admin creates the service definition on the Partner Manager
2. Service Definition is registered in the NSX Catalog
3. NSX admin deploys the selected service
4. NSX Manager deploys the OVA on a Transport Node via vCenter
5. Service Links are created and attached to the SVM and the Logical Router (SR)
6. Partner SVM registers itself with the Partner Manager

Diagram: Admin → Partner Manager (Service Definition) → NSX Manager Cluster (Service Registration in Catalog); Admin → NSX Manager Cluster (Service Deployment) → vCenter → NSX-T "Service" Transport Node (Partner SVM); Service Plane Attachment over the Overlay-based Service Plane between the Partner SVM and the Service Routers on the NSX-T Edge Node (Uplink); Partner SVM → Partner Manager Registration.

Page 20: North-South Service Insertion with NSX-T: Service Application and Consumption

1. Security Admin configures the Partner Policy
2. NSX Admin configures the Redirection Policy
• Redirection Rules are applied to the LR Uplink
• Redirect / Do-Not-Redirect action
• Redirection Rules are stateless, but reflexive rules are auto-created

Diagram: Admin → Partner Manager (Policy Configuration) → Partner SVM on the NSX-T "Service" Transport Node; Admin → NSX-T Manager Cluster (Redirection Policy Configuration) → Redirection Rules on the Service Routers' Uplink on the NSX-T Edge Node; Overlay-based Service Plane between the Partner SVM and the Service Routers.

Page 21: North-South Service Insertion with NSX-T: Service Segments

• 2 Segments are automatically created per service
• Service VM data interfaces are attached to the segments
• Untrusted/Trusted router ports are created on the SR
• Router ports are attached to the segments

Diagram: Edge Node (Tier 0 SR with SI Classifier on the Uplink, Tier 0 DR, Tier 1 DR, Tier 1 SR) connected to the Service Node (NGFW Instance Active, NGFW Instance Stby.) via Untrusted Segment 1 and Trusted Segment, plus the HA segment between the instances; downlink to Compute Node / Workload.

Page 22: North-South Service Insertion with NSX-T: Classifier

• SI Classifier is applied to the Uplink of the SR
• SI Classifier matches traffic based on redirection rules
• Redirect action determines the next-hop IP address:
  • "Untrusted" Service Link IP in case of N-S traffic
  • "Trusted" Service Link IP in case of S-N traffic
• Traffic is sent out on the Untrusted/Trusted interface to the Partner SVM in "Bump in the wire" mode

Diagram: an Edge Node with a Tier 0 SR (SI Classifier, Untrusted and Trusted links) and an Edge Node with a Tier 1 SR (SI Classifier, Untrusted and Trusted links) behind a Tier 0 SR.
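The uplink classifier behaviour from Pages 20 and 22 (stateless redirection rules with auto-created reflexive twins, Redirect / Do-Not-Redirect actions, next hop chosen by direction), as an added example that is not part of the deck or of NSX's own code. It is a Python model under assumed semantics: rules are evaluated first-match, a reflexive twin swaps the endpoints and flips the direction, and the service-link addresses and sample policy are constructed placeholders.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp", ...
    sport: int
    dport: int
    ingress_uplink: bool   # True: arrived on the SR uplink (N-S); False: leaving via the uplink (S-N)


@dataclass(frozen=True)
class RedirectRule:
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: str                    # "any" or a protocol name
    dport: Optional[int]          # None = any destination port
    action: str                   # "REDIRECT" or "DO_NOT_REDIRECT"
    ingress_uplink: bool = True   # written for traffic entering on the uplink (N-S)
    reflexive: bool = False       # True for the auto-created return-direction twin

    def matches(self, pkt: Packet) -> bool:
        if pkt.ingress_uplink != self.ingress_uplink:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        # Stateless matching: the reflexive twin recognises the return flow by its source port.
        port = pkt.sport if self.reflexive else pkt.dport
        if self.dport is not None and port != self.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def reflexive_rule(self) -> "RedirectRule":
        """Auto-created S-N twin: endpoints swapped, direction flipped, same action."""
        return replace(self, src=self.dst, dst=self.src,
                       ingress_uplink=not self.ingress_uplink, reflexive=True)


def expand_rules(rules: List[RedirectRule]) -> List[RedirectRule]:
    """Rule table as the classifier sees it: each configured rule followed by its reflexive twin."""
    expanded = []
    for rule in rules:
        expanded.extend((rule, rule.reflexive_rule()))
    return expanded


def classify(rules, pkt, untrusted_link_ip, trusted_link_ip) -> Optional[str]:
    """First-match evaluation on the SR uplink. Returns the service-link next hop the
    redirect action sets, or None when the packet stays on the normal routing path."""
    for rule in expand_rules(rules):
        if rule.matches(pkt):
            if rule.action == "DO_NOT_REDIRECT":
                return None
            # N-S traffic enters the bump-in-the-wire SVM on its untrusted side, S-N on its trusted side
            return untrusted_link_ip if pkt.ingress_uplink else trusted_link_ip
    return None


# Constructed sample policy and service-link addresses (placeholders, not NSX's real addressing)
UNTRUSTED_LINK_IP = "100.64.0.1"
TRUSTED_LINK_IP = "100.64.0.2"
RULES = [
    RedirectRule("0.0.0.0/0", "10.10.10.250/32", "any", None, "DO_NOT_REDIRECT"),  # exempt one host
    RedirectRule("0.0.0.0/0", "10.10.10.0/24", "tcp", 443, "REDIRECT"),           # inspect inbound HTTPS
]


def next_hop(pkt: Packet) -> Optional[str]:
    return classify(RULES, pkt, UNTRUSTED_LINK_IP, TRUSTED_LINK_IP)


if __name__ == "__main__":
    inbound = Packet("203.0.113.5", "10.10.10.20", "tcp", 51000, 443, ingress_uplink=True)
    print(next_hop(inbound))  # 100.64.0.1 (untrusted link)
```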

Page 23: North-South Service Insertion with NSX-T: Demo

Demo topology: Tier 0 Gateway; Tier 1 Gateway "Production" with Web-Tier, App-Tier, DB-Tier and Shared Services; Tier 1 Gateway "DevTest" with Web-Tier, App-Tier, DB-Tier and Shared Services.

Page 24: North-South Service Insertion with NSX-T: Demo

Demo topology: Tier 0 Gateway with two Tier 1 Gateways, each with Web-Tier, App-Tier, DB-Tier and Shared Services; partner services inserted at the gateways: Palo Alto VM Series and Fortinet FortiGuard.

Page 25: North-South Service Insertion with NSX-T: Demo (same topology as Page 24)

Page 26: Demo: N-S

Page 27: North-South Service Insertion (NSX Cloud)

• L3-based N-S Service Insertion to a Service VM in a Transit VPC/VNET
• Redirection at T0
• Redirected traffic routed across VPN between the NSX Cloud Gateway and partner services
• BYOD Mode

Diagram labels: NSX Cloud; Transit (IGW) and Compute; AZ-1 / AZ-2; Active / Standby; Uplink; IPSec VPN; NGFW Instance 1 and NGFW Instance 2; "Redirection Rule Matched" at the gateway; "Service VM Inspects Traffic".

Page 28: East-West Service Insertion with NSX-T: Security Use Cases

Comparison of East-West Service Insertion support in NSX-T and NSX for vSphere across:
• Protect Intra-VM communication
• Protect Intra-Container communication
• Central (Clustered) SVM Deployment
• Local (Per host) SVM Deployment
• Service Chaining
• Multi-vCenter Support
• Guest VM vMotion Support
• Load Balancing across Service Instances
• Standards-Based Packet Delivery

Page 29: East-West Service Insertion with NSX-T: Major Components

Partner Manager
• Registers service with NSX
• Manages Service Policy
• Receives Group Updates from NSX Manager
• Manages vendor templates

NSX Manager Cluster
• Deploys Service
• Creates Service Plane
• Creates Filters
• Configures SI Classifier based on Redirection Rules

Service Plane
• Connects GVM to Service Instances

Diagram: the Partner Manager exchanges Service Registration and Group Updates with the NSX Manager Cluster. The Service Node hosts NGFW, IPS and NETMON instances on the Service Plane Segment. Compute Node 1 (VM 1, VM 2) and Compute Node 2 (VM 3, VM 4) sit on Workload Segments, each with an SI Classifier and a Service Proxy; a Local Circuit connects the proxies to the instances.

Page 30: East-West Service Insertion with NSX-T: Major Components (continued)

SI Classifier
• Intercepts traffic after it passes through the distributed firewall
• Redirects packets onto the service segment

Service Proxy
• Sits in front of every Service Instance
• Presents packets to the Partner service and back to the service chain
• Performs liveness detection

Diagram: same component diagram as Page 29 (Partner Manager, NSX Manager Cluster, Service Node with NGFW/IPS/NETMON on the Service Plane Segment, Compute Nodes with SI Classifier, Service Proxy and Local Circuit).

Page 31: East-West Service Insertion with NSX-T: Requirements

• E-W traffic interception/classification is applied to Logical Ports on ESXi
• Protected Workloads can be VMs
• Service instances can only be deployed on ESXi Transport Nodes managed by vCenter
• Service instances can be deployed on each local compute node in a compute cluster or in a dedicated "service cluster"

Page 32: East-West Service Insertion with NSX-T: Supported Deployment Options

Central / Cluster-Based
• Chosen number of Service Instances deployed on hosts in a specified cluster
• Cluster can be dedicated to hosting Service Instances or can be co-located with guest workloads

Local / Host-Based
• 1 Service Instance is deployed on every host in a compute cluster
• Similar to the NSX for vSphere SI deployment option

If both Local and Central Service Instances are available, Local will be the preferred path.

Page 33: East-West Service Insertion with NSX-T: Service Plane

• Service plane is parallel to the regular network plane
• Traffic can be directed away from the regular network stack into the service plane by the SI Classifier
• Traffic is returned to the original source after being processed
• Service Plane traffic is source-routed along a pre-defined service path
• NSH protocol (RFC 8300) is used to carry traffic and metadata through the Service Plane
• NSH metadata is carried inside a Geneve (GNV) TLV to cross hypervisors

Diagram: Service Node (NGFW, IPS, NETMON) on the Service Plane Segment; Compute Node 1 (VM 1, VM 2) and Compute Node 2 (VM 3, VM 4) on Workload Segments, each with SI Classifier and Service Proxy; Service Chain 1 = NGFW → IPS → NETMON; Local Circuit.

Page 34: North-South Service Insertion with NSX-T: Service Classifier / Service Function Forwarder

Service Function Forwarder
• Sits at the vNIC of a VM
• Intercepts traffic after it has been allowed by the DFW filter
• Traffic is classified in a stateful manner against user-configured redirection rules
• Redirection rules are L4-based and can leverage NSX Groups
• Provides the metadata that specifies which path the traffic must take and which actions must be performed

Diagram: Guest VM → DFW → SI Classifier → Service Plane, all on the Transport Node (ESXi).
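The service-plane mechanics from Pages 33 and 34 (NSH per RFC 8300 carried in a Geneve TLV, traffic source-routed along a pre-defined path and returned to its source when the path ends), as an added example that is not part of the deck or of NSX's own code: a Python encoder/decoder for the NSH MD type 1 header, a Geneve option wrapper, and a simulated service-function-forwarder walk over a (SPI, SI) table. The Geneve option class, the path identifiers and the instance names are constructed placeholders, not NSX's real values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 8300 constants used here
NSH_NEXT_PROTO_ETHERNET = 0x3       # inner packet is an Ethernet frame (what a vNIC tap sees)
NSH_MD_TYPE_1 = 0x1                 # fixed-length 16-byte context header
NSH_MD1_LEN_WORDS = 6               # base header + service path header + 4 context words
GENEVE_EXPERIMENTAL_CLASS = 0xFF00  # RFC 8926 experimental-use class; placeholder, not NSX's class


@dataclass
class NSH:
    """NSH base header + service path header + MD type 1 context."""
    spi: int                     # 24-bit Service Path Identifier (which path)
    si: int                      # 8-bit Service Index (position within the path)
    ttl: int = 63
    context: bytes = bytes(16)   # classifier metadata carried along to the services
    next_proto: int = NSH_NEXT_PROTO_ETHERNET

    def pack(self) -> bytes:
        if not (0 <= self.spi < 1 << 24 and 0 <= self.si < 256 and 0 < self.ttl < 64):
            raise ValueError("SPI/SI/TTL out of range")
        if len(self.context) != 16:
            raise ValueError("MD type 1 context must be exactly 16 bytes")
        # Word 0: Ver(2)=0 | O(1)=0 | U(1)=0 | TTL(6) | Length(6) | U(4)=0 | MD Type(4) | Next Protocol(8)
        w0 = (self.ttl << 22) | (NSH_MD1_LEN_WORDS << 16) | (NSH_MD_TYPE_1 << 8) | self.next_proto
        w1 = (self.spi << 8) | self.si            # Word 1: SPI(24) | SI(8)
        return struct.pack("!II", w0, w1) + self.context

    @classmethod
    def unpack(cls, buf: bytes) -> "NSH":
        if len(buf) < 8:
            raise ValueError("truncated NSH base header")
        w0, w1 = struct.unpack("!II", buf[:8])
        if w0 >> 30 != 0:
            raise ValueError("unsupported NSH version")
        length, md_type = (w0 >> 16) & 0x3F, (w0 >> 8) & 0xF
        if md_type != NSH_MD_TYPE_1 or length != NSH_MD1_LEN_WORDS:
            raise ValueError("only MD type 1 is handled here")
        if len(buf) < length * 4:
            raise ValueError("truncated NSH context header")
        return cls(spi=w1 >> 8, si=w1 & 0xFF, ttl=(w0 >> 22) & 0x3F,
                   context=buf[8:24], next_proto=w0 & 0xFF)


def geneve_option(nsh_bytes: bytes, opt_class: int = GENEVE_EXPERIMENTAL_CLASS, opt_type: int = 1) -> bytes:
    """Wrap the NSH header in a Geneve TLV: class(16) | type(8) | rsvd(3)+length(5, in 4-byte words)."""
    if len(nsh_bytes) % 4:
        raise ValueError("Geneve option data must be a multiple of 4 bytes")
    return struct.pack("!HBB", opt_class, opt_type, len(nsh_bytes) // 4) + nsh_bytes


def build_forwarding_table(paths: Dict[int, List[str]]) -> Dict[Tuple[int, int], str]:
    """(SPI, SI) -> service instance. The first hop carries SI == len(path), the last hop SI == 1."""
    table = {}
    for spi, instances in paths.items():
        for pos, inst in enumerate(instances):
            table[(spi, len(instances) - pos)] = inst
    return table


def walk_service_path(nsh_bytes: bytes, table: Dict[Tuple[int, int], str]) -> List[str]:
    """Simulate the forwarders along a path: look up (SPI, SI), hand the packet to that instance,
    re-encode the header with the SI the service decremented, and stop at SI 0, where the packet
    leaves the service plane and is returned to its original source."""
    nsh = NSH.unpack(nsh_bytes)
    visited = []
    while nsh.si > 0:
        inst = table.get((nsh.spi, nsh.si))
        if inst is None:
            raise LookupError(f"no instance for SPI {nsh.spi} SI {nsh.si}: drop")
        visited.append(inst)
        nsh.ttl -= 1                          # forwarder decrements TTL per hop (RFC 8300)
        if nsh.ttl == 0:
            raise ValueError("NSH TTL expired: drop")
        nsh.si -= 1                           # the service decrements SI after processing
        nsh = NSH.unpack(nsh.pack())          # what crosses to the next hop
    return visited


# Constructed sample: one concrete path for each of the two chains on the Service Chains slide
SERVICE_PATHS = {
    100: ["NGFW-FTNT-Inst1", "IPS-Inst2", "NETMON-Inst1"],   # Service Chain 1
    200: ["NGFW-CHKP-Inst1", "SECMON-Inst3"],                 # Service Chain 2
}
FORWARDING_TABLE = build_forwarding_table(SERVICE_PATHS)
```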

Page 35: East-West Service Insertion: Service Profiles, Service Instances, Chains and Paths

Service Chains
• Service Chain 1: NGFW (FTNT) → IPS → NETMON
• Service Chain 2: NGFW (CHKP) → SECMON

Service Profiles: NGFW FTNT, IPS, NETMON, NGFW CHKP, SECMON

Service Instances: FTNT Inst 1, FTNT Inst 2, FTNT Inst 3; IPS Inst 1, IPS Inst 2; NetMon Inst 1; CHKP Inst 1, CHKP Inst 2, CHKP Inst 3; SECMON Inst 1, SECMON Inst 2, SECMON Inst 3

Service Paths: instance-level realisations of a chain, one instance per profile in the chain

Page 36: East-West Service Insertion with NSX-T: Demo

Demo topology: Tier 0 Gateway → Tier 1 Gateway with a Web Tier Segment (MRS-WEB-1, MRS-WEB-2, HRM-WEB-1, HRM-WEB-2), an App Tier Segment (MRS-APP-1, HRM-APP-1), a DB Tier Segment (MRS-DB-1, HRM-DB-1) and a Shared Services Segment (AD, DNS, NTP).

Redirection policies: Restricted → IPS, NETMON; Private → IPS
