Transcript of VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware...
Changing the Economics of Firewall Services in the
Software-Defined Center –
VMware NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Anirban Sengupta, VMware
SEC5893
#SEC5893
2
Business Needs
• Agility
• Flexibility
• Elasticity/Scalability
• Simplicity
Business Challenges (Reality)
• Inflexible Networks
• Archaic Security
• Perf/Scale Issues
• Complex Rule Bases
3
Data Center Firewall Architecture
Diagram: Campus Core, Core Layer, Aggregation Layer, Access Layer (the classic hierarchical data center design).
4
Application Profiles Changing…
Diagram (Campus Core and servers), three generations of application profile:
• Client – Server & Web 1.0: a single Server
• 3-Tier Apps: Web, App, DB
• Web 2.0, Portals, Enterprise Apps
5
Virtualization - Changing Dynamics
Diagram: Campus Core with virtualized servers.
• VM–VM traffic on the same host doesn't hit the physical network, so a physical firewall never sees it
• IP Address Based Rule Sets
• Scalability Issues
• Complex Firewall Rule Tables
• Firewall – “Choke Point”
6
Firewall as a VM
• IP Address Based Rule Sets
• Server Consolidation Issues
• Virtual Appliance Issues
• VM Firewall – Still a bottleneck (traffic is still hair-pinned through one appliance)
• vMotion & App Placement Issues
7
Wouldn’t It Be Great If My Firewall…
Removes the need to hair-pin traffic
Enables Rules based on VM attributes
Provides High Performance & Scale
API based Programmability
8
Distributed Virtual Firewall
Diagram: many VMs, with firewall enforcement distributed alongside each of them rather than at a single point.
Focus
• Custom built for Virtual Data Centers
• Distributed Enforcement
• Centralized Management
• Performance & Scale
9
DVFW – Hypervisor Embedded Firewall
Diagram: three ESXi hosts, each with a FW instance inside the hypervisor in front of its VMs.
Benefits…
• Is built right in to the hypervisor and is lightning fast
• “Line Rate” Performance (10Gbps+ per host)
• No VM can circumvent the firewall (enforcement happens in the hypervisor, below the guest OS)
10
DVFW – Scale Out Architecture
Diagram: one FW instance on each ESXi host.
Benefits…
• Scales with additional “Hosts”: each added host brings its own firewall capacity
• No “Fork Lift” upgrade to get better scale
11
DVFW – Flexible Access Control Mechanisms
Benefits…
• Security Groups: Logical grouping of VMs
• VM Tags: Dynamic VM attributes
• User Identity: Identity based firewall
• IP/VLAN: Support physical infrastructure based rules
• Rules follow the VMs
Diagram: three ESXi hosts, each running Web, App and DB VMs with the FW in the hypervisor; the same Web/App/DB rules apply wherever the VMs land.
12
Identity & Application Visibility
Active Directory user: Eric Frost (flow observed by the ESXi FW)

User | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP
Eric | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78
13
DVFW – Centralized Management
Diagram: two ESXi hosts, each with three VMs, managed from one place.
• Reuse vCenter Objects
• Single Rule Table
• Role Based (RBAC) Control
• Full REST API
• Familiar “Apply To” Model
• Central Monitoring
14
Extensibility…
15
Security Service Insertion
Diagram: VMs on a hypervisor with the DFW in the data path, steering selected traffic to inserted security services: AV, Vulnerability Scan, DLP, IPS, NG FW, APT.
16
Vulnerability Scan + Firewall Use Case
Security Architect: defines a rule that denies outbound traffic from VMs tagged “Quarantine”
Vulnerability Scanner: identifies serious vulnerabilities in APP-VM-6 and tags the VM as a “Quarantine” system
Firewall: blocks outbound traffic from APP-VM-6
Security Operations: patches the OS/application to address the vulnerability
Vulnerability Scanner: rescans; APP-VM-6 is no longer a “Quarantine” machine (tag removed)
Firewall: outbound traffic from APP-VM-6 is permitted again
17
IPS Use Case
Diagram: VMs on a hypervisor with the DFW forwarding selected flows to an IPS.
VMware DVFW
• High Throughput
• User, VM Segmentation
• Selective IPS Forward (only the flows that need deep inspection are sent to the IPS)
IPS
• Signature Based IPS + Malware/APT
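The slides above (flexible access control, identity visibility, the quarantine use case and selective IPS forwarding) all rest on one idea: the rule table is keyed on VM attributes and user identity, not on IP addresses, and the same table is evaluated in every hypervisor. The following is an added example that models that evaluation in plain Python; it is not VMware NSX code and does not use the NSX API. The rule names, tags, hosts, IPs and VM names are illustrative assumptions, and the rule table is constructed for the example.

```python
# Added example (not VMware NSX code or its API): a small model of the
# hypervisor-embedded distributed firewall described on the slides. Rules
# reference VM security tags and the logged-in user's AD group instead of
# IP addresses, so a rule follows the VM across hosts, and a scanner can
# quarantine a VM simply by tagging it. All names, tags and IPs below are
# illustrative assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    name: str
    ip: str
    host: str                                    # ESXi host the VM runs on
    tags: set = field(default_factory=set)       # security tags, e.g. "Quarantine"
    ad_groups: set = field(default_factory=set)  # AD groups of the logged-in user


@dataclass
class Flow:
    src: VM
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                          # "allow", "deny" or "redirect-ips"
    src_tag: Optional[str] = None        # match on a VM security tag
    src_ad_group: Optional[str] = None   # match on user identity (AD group)
    dst_ip: Optional[str] = None         # None means any
    dst_port: Optional[int] = None       # None means any


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every criterion it sets holds; unset criteria mean 'any'."""
    vm = flow.src
    return ((rule.src_tag is None or rule.src_tag in vm.tags)
            and (rule.src_ad_group is None or rule.src_ad_group in vm.ad_groups)
            and (rule.dst_ip is None or rule.dst_ip == flow.dst_ip)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


def evaluate(rules, flow):
    """Single ordered rule table, first match wins, implicit default deny.
    The same evaluation runs in every hypervisor, so the verdict does not
    depend on which host the VM currently sits on."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed rule table: quarantine first, then selective IPS steering,
# then an identity-based allow and a tag-based allow.
RULES = [
    Rule("quarantine-outbound", "deny", src_tag="Quarantine"),
    Rule("web-to-app-via-ips", "redirect-ips", src_tag="web-tier", dst_port=8080),
    Rule("eng-to-sharepoint", "allow", src_ad_group="Engineering",
         dst_ip="192.168.10.78", dst_port=443),
    Rule("app-to-db", "allow", src_tag="app-tier", dst_ip="10.0.3.10", dst_port=3306),
]


def quarantine_workflow():
    """Walks the quarantine slide: the scanner tags APP-VM-6, the firewall
    blocks it (even after a vMotion), and the tag is cleared after patching."""
    vm = VM("APP-VM-6", "10.0.2.6", host="esxi-01", tags={"app-tier"})
    db_flow = Flow(vm, "10.0.3.10", 3306)
    decisions = [evaluate(RULES, db_flow)]       # healthy VM: allowed
    vm.tags.add("Quarantine")                    # scanner finds a serious vuln
    decisions.append(evaluate(RULES, db_flow))   # outbound now denied
    vm.host = "esxi-02"                          # vMotion: the rule follows the VM
    decisions.append(evaluate(RULES, db_flow))   # still denied, no IP rule edited
    vm.tags.discard("Quarantine")                # patched and rescanned
    decisions.append(evaluate(RULES, db_flow))   # allowed again
    return decisions


def identity_and_ips_examples():
    """The identity rule from the visibility slide plus a web-tier flow that is
    selectively forwarded to the IPS."""
    eric = VM("Eric-Win7", "192.168.10.75", host="esxi-03", ad_groups={"Engineering"})
    web = VM("WEB-VM-1", "10.0.1.1", host="esxi-01", tags={"web-tier"})
    return {
        "eric_sharepoint": evaluate(RULES, Flow(eric, "192.168.10.78", 443)),
        "eric_db": evaluate(RULES, Flow(eric, "10.0.3.10", 3306)),
        "web_app": evaluate(RULES, Flow(web, "10.0.2.6", 8080)),
    }


if __name__ == "__main__":
    for step in quarantine_workflow():
        print(step)
    print(identity_and_ips_examples())
```

Two things worth noticing when you run it: the verdict for APP-VM-6 never changes because of the host move, only because of the tag, and Eric's workstation can reach SharePoint on 443 but not the database, even though no rule mentions his IP address. A real deployment would also need to decide who may set and clear the "Quarantine" tag, since whoever controls the tag controls the rule outcome.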
18
Changing The Economics…
19
Themes
Security
• VM Attribute Based
• User Identity
• VM Appliance
Agility
• vCenter Integration
• REST API
• vMotion
Integration with existing Host & Network Security solutions
Perf & Scale
Better Consolidation
Compliance (PCI)
20
Deployment
Edge Firewall & Distributed Firewall
Firewall Monitoring & Troubleshooting
RBAC and Admin Separation
Auditing & Compliance
21
N-S Firewall, E-W Router / Firewall Logical Topology
Diagram (logical topology):
• Physical side: Physical Routing Edge (OSPF) and Physical Network Fabric (iBGP); virtual side: Network Virtualization
• North-South: FW HA Pair (High Throughput & CPS) and a High Port Density Router & Firewall on the VLAN last mile, providing NAT, FW, VPN, LB
• East-West: Distributed Router & Firewall over a VXLAN Transit/Uplink Network, with one-arm LB and DHCP
• Logical networks NET 1, NET 2, NET 3 … NET 1000
• 3-tier App: Web Front Ends, App Tier, Database Backends
22
Model for Routing & L4-L7 Services
Diagram (top to bottom, starting from the WAN / INTERNET / Corp backbone):
• FW/Routing - physical or virtual appliance. Features: NAT, Perimeter Firewall, SSLVPN, IPsec VPN, GSLB, DNS
• Routing: L2 Bridge, Distributed Routing
• One-armed LB. Features: Server Load Balancing, DHCP, L2VPN
• Logical L2. Features: Distributed ACLs in OVS, anti-spoof control
23
Other VMware Activities Related to This Session
HOL:
HOL-SDC-1303
VMware NSX Network Virtualization Platform
Group Discussions:
SEC1000-GD
Distributed Virtual Firewall - Management, Architecture, Scalability and
Performance with Serge Maskalik
THANK YOU