VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and...

Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services Shubha Bheemarao, VMware Bruno Germain, VMware SEC5891 #SEC5891

description

VMworld 2013. Shubha Bheemarao, VMware; Bruno Germain, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and...

Page 1: VMworld 2013: Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services

Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services

Shubha Bheemarao, VMware
Bruno Germain, VMware

SEC5891 #SEC5891

Page 2: Objective

• Review DMZ design considerations
• Propose a new DMZ design that is secure, scalable and cloud ready
• Provide deployment guidance using NSX, highlighting benefits applicable to the DMZ

Page 3: Related Sessions

• NET5847 - NSX: Introducing the World to VMware NSX
• NET5266 - Bringing Network Virtualization to VMware environments with NSX
• SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall

Page 4: Agenda

• Current DMZ design challenges and considerations
• New DMZ Design
• VMware NSX Components for the DMZ
• Proposed DMZ Architecture
• Conclusion

Page 5: DMZ Design Often Relies On Physical Separation Of Trust Zones

DMZ Design:
1. Trust zones separated using separate hardware
2. Design is complex and inflexible

Page 6: DMZ Application Deployment Is Slow

DMZ Challenge #1:
• New application deployment involves configurations at multiple zones
• Configuration spread across devices
• Configuration managed by multiple teams
• Cannot automate

Address using:
• Build a Software Defined Data Center
• Build focus teams for cloud architecture and operations

(Diagram labels: Network Team #1, Network Team #2, Security Team)

Page 7: DMZ Design May Compromise Data Center Security

DMZ Challenge #2:
• Non-DMZ traffic often not fully secured
• Large firewall rule sets
• Networking or placement changes could break security
• Hard to manage

Address using:
• Tie configuration to application objects instead of networks
• Secure all application traffic, including East-West traffic

Page 8: DMZ Design Cannot Scale

DMZ Challenge #3:
• Forces rip and replace to scale up
• Not cloud ready

Address using:
• Build a design suited to scale incrementally using distribution of services

Page 9: You Need A Cloud Ready DMZ

Design Considerations:
1. Security
2. Manageability
3. Scale and performance
4. Automation

Page 10: Agenda (repeated from Page 4)

Page 11: Building A Logical DMZ Trust Zone Is A Better Approach

Steps:
• Pull DMZ zone into the datacenter
• Use virtual networking and security constructs for application isolation and protection

Benefits:
• Higher agility - flexible placement
• Simpler configuration management
• Lower cost – fewer hardware devices
• Easier automation

Page 12: Agenda (repeated from Page 4)

Page 13: VMware NSX – Networking & Security Capabilities

(Diagram labels: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform; Logical L2; Logical L3; Logical Firewall; Logical Load Balancer; Logical VPN; Any Network Hardware; Any Cloud Management Platform; Any Hypervisor)

• Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
• Logical Routing – Routing between virtual networks without exiting the software container
• Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
• Logical Load Balancer – Application Load Balancing in software
• Logical VPN – Site-to-Site & Remote Access VPN in software
• NSX API – RESTful API for integration into any Cloud Management Platform
• Partner Eco-System

Page 14: 1. Deploy Each Tier Of DMZ Application On A Logical Switch

(Diagram labels: DB, Web, App)

Benefits for DMZ:
• Speed of new application deployment
• Does not require physical network configuration at multiple devices
• Scale is not limited by limitations of physical VLANs
• Higher Security:
  • Reduce attack perimeter
  • Contain risk within virtual perimeter
  • Physical switching and network not exposed to attack

Page 15: 2. Protect Every Virtual Server Using Distributed Firewall

Benefits for DMZ:
• Achieve line rate throughput using vNIC level hypervisor firewall
• Higher security – Complete East West traffic protection via distributed enforcement
• Easy Scale and Automation
• Mobility of security rules – Rules follow the VM

(Diagram labels: DB, Web, App)

Page 16: 3. Provide Perimeter Protection Using Logical Gateway

Benefits for DMZ:
• Deploy logical Perimeter Firewall, Load Balancer and VPN programmatically and as needed
• Perimeter services and policy can be tied to the application
• Virtual appliance model allows cloud agility and scale-out
• Higher security through VIP hiding internal IP addresses

(Diagram labels: DB, Web, App; Services Edge: NAT, FW, VPN, LB)

Page 17: 4. Optimize Application Traffic Flow Using Distributed Router

Benefits for DMZ:
• Optimize traffic flows to minimize latency
• Minimize advertising internal routers to perimeter devices

(Diagram labels: DB, Web, App; Logical Distributed Router)

Page 18: 5. Automate Application Protection Using Logical Switches

Benefits for DMZ:
• No need to re-program the perimeter security function as workloads move within the infrastructure
• Application-specific security follows the workload
• "Configure and forget"

(Diagram label: Web)

Page 19: 6. Protect Application Access Using Identity Firewall

Benefits for DMZ:
• Create firewall rules using user identity for VDI
  • Limit application access to only authorized groups of users
  • Prevent insider attack
• Get visibility into in-guest applications and application access
  • Ensure no rogue applications are running on your servers
  • Get reporting on application usage by user groups

(Diagram labels: DB, Web, App; DB Admins; Web Admins; ✔ ✔; Application Visibility)

Page 20: 7. Define Application Security Using Logical Containers

Benefits for DMZ:
• Simplify rule creation and management – Use Logical boundaries to reflect application boundaries, prevent rule sprawl by tying security policy to applications
• Automate protection for new VMs as new security group members inherit security policies
• Flexible and manageable container creation options - Use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes

(Diagram: a Web logical container grouping many VMs)
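The contrast this slide and Challenge #2 draw, policy keyed on network identifiers versus policy keyed on logical containers, as an added toy model (not NSX code or its API): one rule set matches IP addresses, the other matches security-group membership, and the same web-to-app flow is re-evaluated after the VM is re-addressed, after an unrelated VM inherits the old address, and after a new group member appears. All VM names, addresses and group names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VM:  # constructed toy model, not an NSX object
    name: str
    ip: str
    groups: set = field(default_factory=set)  # logical-container membership, e.g. {"web-tier"}

@dataclass
class GroupRule:
    src_group: Optional[str]  # None means any source
    dst_group: str
    port: int
    action: str = "allow"

def ip_policy_allows(rules, src_ip, dst_ip, port):
    """Legacy model: rules are (src_ip, dst_ip, port, action) tuples keyed on addresses."""
    for src, dst, p, action in rules:
        if (src is None or src == src_ip) and dst == dst_ip and p == port:
            return action == "allow"
    return False  # implicit default deny

def group_policy_allows(rules, src, dst, port):
    """Container model: rules are evaluated against the VMs' group membership."""
    for r in rules:
        if ((r.src_group is None or r.src_group in src.groups)
                and r.dst_group in dst.groups and r.port == port):
            return r.action == "allow"
    return False

def demo():
    """Return {scenario: (ip_rule_verdict, group_rule_verdict)} for web -> app:8443."""
    web = VM("web-01", "10.0.1.10", {"web-tier"})
    app = VM("app-01", "10.0.2.10", {"app-tier"})
    ip_rules = [("10.0.1.10", "10.0.2.10", 8443, "allow")]
    group_rules = [GroupRule("web-tier", "app-tier", 8443)]

    def check(src):
        return (ip_policy_allows(ip_rules, src.ip, app.ip, 8443),
                group_policy_allows(group_rules, src, app, 8443))

    out = {"initial": check(web)}
    # Placement change: web-01 moves to another logical switch and is re-addressed.
    web.ip = "10.0.5.10"
    out["after_move"] = check(web)
    # The stale address rule now admits whatever VM is given the old address.
    out["stale_rule"] = check(VM("db-01", "10.0.1.10", {"db-tier"}))
    # A new web-tier member inherits the group policy with no rule change.
    out["new_member"] = check(VM("web-02", "10.0.1.11", {"web-tier"}))
    return out
```

The address-keyed rule both blocks the legitimate flow after the move and keeps admitting whoever holds the old address, which is the "placement changes could break security" failure; the group-keyed rule gives the same verdict in every scenario.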

Page 21: Architecture Can Easily Scale

(Diagram labels: DB, Web, App)

Benefits for DMZ:
• Achieve Multitenancy using perimeter gateway for tenant separation
• Fully automate using REST API scripts or Cloud Management portals
• Scale easily by adding essential services on demand in software
• Built for high performance

Page 22: Agenda (repeated from Page 4)

Page 23: Functional View of Data Center With Logical DMZ

(Diagram labels: Any devices over any networks; App gateways and perimeter devices; Admin jump points; Common Services: EDS, AD, DB; Applications: Exchange, with Edge Transport (Routing and AV/AS), Client Access (Client connectivity, Web services), Hub Transport (Routing and policy), Mailbox (Storage of mailbox items), Unified Messaging (Voice mail and voice access); port annotations: 25, 50636, 135, 808, 5060, 5061, 5062, dynamic; 389, 3268, 88, 53, 135 to AD; RPC)

Page 24: Physical View Of NSX Component Deployment

(Diagram labels: Compute Clusters, Management Cluster, Edge Cluster; Compute Racks, Infra Racks, Edge Racks; NSX Manager, NSX Controller, NSX Edge, vCenter Server, Physical Appliances; Data Center IP network; Management network (vMotion & storage); External networks: WAN/Internet)

• Controller Software – Virtual network orchestrator; Massive scale
• Hypervisor Service Modules – Distributed network services (Switching, Routing); Load Balancer, Switch, Firewall, Router/VPN
• Gateway Software – Integration with existing physical infra.; V to V / V to P; L2, L3

Page 25: Agenda (repeated from Page 4)

Page 26: Build Your Cloud Ready DMZ with NSX

Before: DMZ with physical separation of trust zones
After: DMZ with Logical separation of trust zones

Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads


Page 29: THANK YOU


Page 32: Mixed Mode / Multi-tenant and the test of auditing

We are not alone:
• Automated and self-healing
• Security & compliance trust zones
• Power of cloud infrastructure automation

Page 33: A validated methodology for the migration to mixed trust zones

(Diagram labels: three vSphere stacks with Aggr., Acc. and Core layers; vShield App Based Security, VMware vSphere + vShield, Cluster1 hosting HR App, FIN App and Sales App with Web Frontend, Apps and Database tiers; Legend: Increased Confidence with Virtualization and Virtualization Security; Mixed-Trust Zone with Virtual Enclaves)