VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware...

Post on 15-Jul-2015


Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall

Srinivas Nimmagadda, VMware
Anirban Sengupta, VMware

SEC5893 / #SEC5893

Slide 2: Business Needs / Business Challenges

Business Needs:
• Agility
• Flexibility
• Elasticity/Scalability
• Simplicity

Business Challenges (Reality):
• Inflexible Networks
• Archaic Security
• Perf/Scale Issues
• Complex Rule Bases

Slide 3: Data Center Firewall Architecture

[Diagram labels: Campus, Core, Core Layer, Aggregation Layer, Access Layer]

Slide 4: Application Profiles Changing…

[Diagram labels: Campus, Core, Server; application profiles evolving from Client – Server & Web 1.0, to 3-Tier Apps (Web / App / DB), to Web 2.0, Portals and Enterprise Apps]

Slide 5: Virtualization - Changing Dynamics

[Diagram labels: Campus, Core]
• VM – VM traffic doesn’t hit the network
• IP Address Based Rule Sets
• Scalability Issues
• Complex Firewall Rule Tables
• Firewall – “Choke Point”

Slide 6: Firewall as a VM

• IP Address Based Rule Sets
• Server Consolidation Issues
• Virtual Appliance Issues
• VM Firewall – Still a bottleneck
• vMotion & App Placement Issues

Slide 7: Wouldn’t It Be Great If My Firewall…

• Removes the need to hair-pin traffic
• Enables Rules based on VM attributes
• Provides High Performance & Scale
• API based Programmability

Slide 8: Distributed Virtual Firewall

[Diagram: many VMs protected by a single distributed firewall]

Focus:
• Custom built for Virtual Data Centers
• Distributed Enforcement
• Centralized Management
• Performance & Scale

Slide 9: DVFW – Hypervisor Embedded Firewall

[Diagram: three ESXi hosts, each running VMs with an FW inside the hypervisor]

Benefits…
• Is built right in to the Hypervisor and is lightning fast
• “Line Rate” Performance (10Gbps+ per host)
• No VM can circumvent the Firewall

Slide 10: DVFW – Scale Out Architecture

[Diagram: three ESXi hosts, each with VMs and its own FW instance]

Benefits…
• Scales with additional “Hosts”
• No “Fork Lift” upgrade to get better scale

Slide 11: DVFW – Flexible Access Control Mechanisms

Benefits…
• Security Groups: Logical grouping of VMs
• VM Tags: Dynamic VM attributes
• User Identity: Identity based firewall
• IP/VLAN: Support physical infrastructure based rules
• Rules follow the VMs

[Diagram: three ESXi hosts, each running Web, App and DB VMs behind the host FW]

Slide 12: Identity & Application Visibility

[Diagram: Active Directory (user Eric Frost) feeding the ESXi FW]

Example flow record:

| User | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP |
| Eric | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78  |

Slide 13: DVFW – Centralized Management

[Diagram: two ESXi hosts, each with three VMs, managed from one place]

• Reuse vCenter Objects
• Single Rule Table
• Role Based (RBAC) Control
• Full REST API
• Familiar “Apply To” Model
• Central Monitoring

Slide 14: Extensibility…

Slide 15: Security Service Insertion

[Diagram: Hypervisor with VMs and the DFW, with inserted security services: AV, Vulnerability Scan, DLP, IPS, NG FW, APT]

Slide 16: Vulnerability Scan + Firewall Use Case

• Security Architect: Deny outbound traffic from “Quarantine” VMs
• Vulnerability Scanner: Identifies serious vulnerabilities in APP-VM-6 and tags the VM as a “Quarantine” system
• Firewall: Blocks outbound traffic from APP-VM-6
• Security Operations: Patches the OS/Application to address the vulnerability
• Vulnerability Scanner: APP-VM-6 is no longer a “Quarantine” machine
• Firewall: Outbound traffic from APP-VM-6 permitted
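The access-control model of slide 11 (security groups, VM tags, rules that follow the VM rather than its IP) and the quarantine workflow of slide 16 can be modelled as a small policy engine. The Python below is an added example written for this transcript; it is not VMware code and does not use the NSX API. The classes SecurityGroup, Rule and DistributedFirewall, the tag names, the host names, the IP addresses and every VM name other than APP-VM-6 are constructed assumptions.

```python
# Added example, not VMware/NSX code: a toy model of tag-driven, distributed
# firewall policy. All class names, tags, hosts and addresses are assumptions.
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    host: str                      # ESXi host the VM currently runs on
    tags: set = field(default_factory=set)


@dataclass(frozen=True)
class SecurityGroup:
    """Dynamic membership: a VM is a member while it carries all required tags."""
    name: str
    required_tags: frozenset

    def contains(self, vm: VM) -> bool:
        return self.required_tags <= vm.tags


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str                 # security-group name or "any"
    dst_group: str                 # security-group name or "any"
    action: str                    # "allow" or "deny"


class DistributedFirewall:
    """One central rule table, evaluated at each VM's vNIC on whatever host it lives on."""

    def __init__(self, groups, rules, default_action="allow"):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)
        self.default_action = default_action
        self.log = []              # central monitoring: one line per decision

    def _matches(self, selector, vm):
        if selector == "any":
            return True
        if vm is None:             # external endpoint: never in a VM security group
            return False
        return self.groups[selector].contains(vm)

    def evaluate(self, src, dst):
        """dst is a VM or an external IP string; the first matching rule wins."""
        dst_vm = dst if isinstance(dst, VM) else None
        for rule in self.rules:
            if self._matches(rule.src_group, src) and self._matches(rule.dst_group, dst_vm):
                decision = (rule.action, rule.name)
                break
        else:
            decision = (self.default_action, "default")
        dst_label = dst.name if dst_vm else dst
        self.log.append(f"host={src.host} src={src.name}/{src.ip} dst={dst_label} "
                        f"rule={decision[1]} action={decision[0]}")
        return decision


def build_policy():
    """Constructed rule table: quarantine egress block plus simple 3-tier segmentation."""
    groups = [
        SecurityGroup("Quarantine", frozenset({"Quarantine"})),
        SecurityGroup("Web", frozenset({"tier:web"})),
        SecurityGroup("App", frozenset({"tier:app"})),
        SecurityGroup("DB", frozenset({"tier:db"})),
    ]
    rules = [
        Rule("deny-quarantine-egress", "Quarantine", "any", "deny"),
        Rule("web-to-app", "Web", "App", "allow"),
        Rule("app-to-db", "App", "DB", "allow"),
        Rule("no-web-to-db", "Web", "DB", "deny"),
    ]
    return DistributedFirewall(groups, rules, default_action="allow")


def quarantine_workflow():
    """Replays the slide-16 use case; returns the egress action at each step."""
    fw = build_policy()
    app6 = VM("APP-VM-6", "10.0.2.6", "esxi-01", {"tier:app"})
    internet = "203.0.113.10"                          # constructed external address
    steps = [fw.evaluate(app6, internet)[0]]           # normal operation: allow
    app6.tags.add("Quarantine")                        # scanner tags the VM
    steps.append(fw.evaluate(app6, internet)[0])       # DFW now denies egress
    app6.tags.discard("Quarantine")                    # patched, tag removed
    steps.append(fw.evaluate(app6, internet)[0])       # egress permitted again
    return steps                                       # ["allow", "deny", "allow"]


def vmotion_keeps_policy():
    """Rules follow the VM: moving host and re-addressing leaves the decision unchanged."""
    fw = build_policy()
    web = VM("WEB-VM-1", "10.0.1.1", "esxi-01", {"tier:web"})
    db = VM("DB-VM-1", "10.0.3.1", "esxi-02", {"tier:db"})
    before = fw.evaluate(web, db)
    db.host, db.ip = "esxi-03", "10.0.3.99"            # vMotion plus a new address
    after = fw.evaluate(web, db)
    return before, after


if __name__ == "__main__":
    print(quarantine_workflow())
    print(vmotion_keeps_policy())
```

The point the model makes is that no rule in the table names an IP address: the scanner changes one tag, group membership changes with it, and the same central rule table yields a different verdict at the VM's vNIC. The `log` list stands in for the central monitoring the deck mentions; in a real deployment those records, with the host and rule name attached, are what an operator would review to confirm that the quarantine rule fired and later stopped firing.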

Slide 17: IPS Use Case

[Diagram: Hypervisor with VMs and the DFW, with selected traffic forwarded to an IPS]

VMware DVFW:
• High Throughput
• User, VM Segmentation
• Selective IPS Forward

IPS:
• Signature Based IPS
• + Malware/APT

Slide 18: Changing The Economics…

Slide 19: Themes

Security:
• VM Attribute Based
• User Identity
• VM Appliance

Agility:
• vCenter Integration
• REST API
• vMotion

• Integration with existing Host & Network Security solutions
• Perf & Scale
• Better Consolidation
• Compliance (PCI)

Slide 20: Deployment

• Edge Firewall & Distributed Firewall
• Firewall Monitoring & Troubleshooting
• RBAC and Admin Separation
• Auditing & Compliance

Slide 21: N-S Firewall, E-W Router / Firewall Logical Topology

[Diagram labels: Physical Routing Edge (OSPF); Physical Network Fabric; Network Virtualization (iBGP); High Port Density Router & Firewall; FW HA Pair (High Throughput & CPS) providing NAT, FW, VPN, LB; VXLAN Transit/Uplink Network; VLAN last mile; Distributed Router & Firewall; LB, DHCP (One-arm); logical networks NET 1, NET 2, NET 3 … NET 1000; 3-tier App made up of Web Front Ends, App Tier and Database Backends]

Slide 22: Model for Routing & L4-L7 Services

[Diagram labels: WAN / INTERNET / Corp backbone; FW/Routing - Physical or Virtual Appliance (Features: NAT, Perimeter Firewall, SSLVPN, IPsec VPN, GSLB, DNS); Routing; L2 Bridge; Distributed Routing; One-armed LB (Features: Server Loadbalancing, DHCP, L2VPN); Features: Distributed ACLs in OVS, anti-spoof control; Logical L2]

Slide 23: Other VMware Activities Related to This Session

HOL:
• HOL-SDC-1303 – VMware NSX Network Virtualization Platform

Group Discussions:
• SEC1000-GD – Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik

THANK YOU
