VMWorld 2014 - Advanced Network Services With NSX (2)

8/18/2019 VMWorld 2014 - Advanced Network Services With NSX (2)

    Disclaimer

    • This presentation may contain product features that are currently under development.
    • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
    • Features are subject to change, and must not be included in contracts, purchase orders or sales agreements of any kind.
    • Technical feasibility and market demand will affect final delivery.
    • Pricing and packaging for any new technologies or features discussed or presented have not been determined.

    Agenda

    1 What Network & Security services are used by (all crazy) applications

    2 What exactly are the NSX services today:
     – Firewalling/Security services
     – Load Balancing services
     – VPN services

    3 Service enhancements with NSX 3rd party vendors


    Network & Security Services Are Used by (All Crazy) Applications

    • Switching / DHCP server-or-relay / DNS
    • Routing / NAT
    • Firewalling
    • Load Balancing
    • L2 and L3 VPN

    NSX offers all those Network & Security services with central configuration and automation.

    Let's focus here on Firewalling, Load Balancing, and VPN.

    [Diagram: three-tier application. Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01); each tier's gateway is .1 on a router / firewall / inline load balancer running dynamic routing, with a one-arm LB on the tier segment. "THAT'S IT!!!"]


    Firewalling/Security – Configuration (1/4)

    • Firewalling is configured centrally AND distributed to all ESXi hosts, where it is enforced on each VM's vNIC

    [Diagram: Web LS 10.0.1.0/24 (VM1 .11, VM2 .12) and App LS 10.0.2.0/24 (VM1 .11, VM2 .12) behind a 192.168.10.0/… uplink; a "Web to App TCP/8443" rule is enforced at the vNIC, everything else is stopped there.]

    Pros:
    • FW is distributed between all ESXi hosts: amazing firewalling scale!
    • Offers security even within the same IP subnet / logical switch

    Firewalling/Security – Configuration (2/4)

    • L2 MAC addresses and L3 IP addresses can be used
    • In addition any vCenter object name can be used

    [Diagram: vSphere Distributed Switch carrying Web-LS1 – 10.0.1.0/24 (VM1, VM2) and App-LS1 – 10.0.2.0/24 (VM1, VM2) across hosts 192.168.150.51, 192.168.150.52 and 192.168.250.51.]

    Pros:
    • Ease-of-use

    Firewalling/Security – Configuration (3/4)

    • Port numbers can be used
    • In addition protocol names can be used

    Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC

    [Diagram: same vSphere Distributed Switch topology as the previous slide: Web-LS1 – 10.0.1.0/24 and App-LS1 – 10.0.2.0/24 across hosts 192.168.150.51, 192.168.150.52 and 192.168.250.51.]

    Pros:
    • Ease-of-use

    Firewalling/Security – Configuration (4/4)

    Dynamic firewalling (Service Composer)

    Security Groups – WHAT you want to protect: members (VM, vNIC…) and context (user identity, security posture)

    HOW you want to protect them: services and profiles are specified, then APPLIED to the security group

    Pros:
    • Agility
    • Service compliance

    Firewalling/Security – Performance (1/2)

    • Performance lab test
     – Two hypervisors with two VMs each
     – Two 10G physical NICs per server
     – VM1 talks to VM3 & VM2 talks to VM4

    [Test setup diagram: VM1 and VM2 on the first host, VM3 and VM4 on the second, hosts connected through their 10G interfaces.]

    Firewalling/Security – Performance (2/2)

    • Results: 20 Gbps per host of firewall performance with negligible CPU impact

    [Throughput measurement chart]

    Firewalling/Security – Demo

    Dynamic firewalling
    • Compliance demo

    [Diagram: three-tier application (Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 with app-01/app-02, DB-Tier-01 10.0.3.0/24 with db-01). Security group "Servers Linux" (linux-01, linux-02) is granted access to the Linux update servers; security group "Servers Windows" (win-01, win-02) is granted access to the Windows update servers. A newly deployed linux-03 ("New Linux Servers") is automatically granted access.]
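    The following is an added example, not code from the deck or from VMware: a small Python model of what slides 7 to 10 and this demo describe (one central rule set enforced at every vNIC, rules written against vCenter objects and security groups, dynamic group membership), including the tag-driven "Quarantine Zone" group that the Symantec demo later in the deck builds on. The VM names, IPs, guest OS strings, update-server subnets and rule names are constructed assumptions.

```python
"""Toy model of the NSX Distributed Firewall (DFW) with Service Composer groups.

Added example, not VMware code. VM names, IPs, guest OS strings, the update
server subnets and the rule names are constructed for illustration; the real
DFW is configured in NSX Manager and enforced in the ESXi kernel at each vNIC.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

ANY = "any"
LINUX_UPDATE_NET = "10.0.9.0/24"    # assumed Linux update servers
WINDOWS_UPDATE_NET = "10.0.8.0/24"  # assumed Windows update servers


@dataclass
class VM:
    name: str
    ip: str
    guest_os: str                           # vCenter guest OS name
    tags: set = field(default_factory=set)  # security tags, e.g. set by a partner AV


@dataclass
class SecurityGroup:
    """WHAT to protect: membership is dynamic, re-evaluated at every lookup."""
    name: str
    criteria: Callable[[VM], bool]


@dataclass
class Rule:
    """HOW to protect: src/dst is a security group, a VM name, a CIDR or ANY."""
    name: str
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp" or ANY
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "block"


class DFW:
    def __init__(self, vms: List[VM], groups: List[SecurityGroup], rules: List[Rule]):
        self.vms = {vm.name: vm for vm in vms}
        self.groups = {g.name: g for g in groups}
        self.rules = rules  # ordered: first match wins, otherwise the default block

    def add_vm(self, vm: VM) -> None:
        """A new VM needs no rule change: groups pick it up through their criteria."""
        self.vms[vm.name] = vm

    def _matches(self, selector: str, vm: Optional[VM], ip: str) -> bool:
        if selector == ANY:
            return True
        if selector in self.groups:
            return vm is not None and self.groups[selector].criteria(vm)
        if selector in self.vms:
            return vm is not None and vm.name == selector
        return ip_address(ip) in ip_network(selector, strict=False)

    def decide(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
        """Verdict at the vNIC. Same subnet or not makes no difference: the filter
        sits on the VM's NIC, not on a router between subnets."""
        src_vm = next((v for v in self.vms.values() if v.ip == src_ip), None)
        dst_vm = next((v for v in self.vms.values() if v.ip == dst_ip), None)
        for r in self.rules:
            if (self._matches(r.src, src_vm, src_ip) and self._matches(r.dst, dst_vm, dst_ip)
                    and r.proto in (ANY, proto) and r.port in (None, port)):
                return r.action, r.name
        return "block", "default"


def build_lab() -> DFW:
    vms = [VM("web-01", "10.0.1.11", "Ubuntu Linux (64-bit)"),
           VM("web-02", "10.0.1.12", "Ubuntu Linux (64-bit)"),
           VM("app-01", "10.0.2.11", "Ubuntu Linux (64-bit)"),
           VM("win-01", "10.0.4.11", "Microsoft Windows Server 2012 (64-bit)")]
    groups = [SecurityGroup("Web-Tier", lambda vm: vm.name.startswith("web-")),
              SecurityGroup("App-Tier", lambda vm: vm.name.startswith("app-")),
              SecurityGroup("Servers Linux", lambda vm: "Linux" in vm.guest_os),
              SecurityGroup("Servers Windows", lambda vm: "Windows" in vm.guest_os),
              SecurityGroup("Quarantine Zone", lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags)]
    rules = [Rule("quarantine-out", "Quarantine Zone", ANY, ANY, None, "block"),  # isolate first
             Rule("quarantine-in", ANY, "Quarantine Zone", ANY, None, "block"),
             Rule("web-to-app", "Web-Tier", "App-Tier", "tcp", 8443, "allow"),
             Rule("linux-updates", "Servers Linux", LINUX_UPDATE_NET, "tcp", 443, "allow"),
             Rule("windows-updates", "Servers Windows", WINDOWS_UPDATE_NET, "tcp", 443, "allow")]
    return DFW(vms, groups, rules)


def demo() -> dict:
    fw = build_lab()
    out = {"web_to_app_8443": fw.decide("10.0.1.11", "10.0.2.11", "tcp", 8443)[0],
           "web_to_web_ssh": fw.decide("10.0.1.11", "10.0.1.12", "tcp", 22)[0],  # same /24, still blocked
           "linux_to_linux_updates": fw.decide("10.0.1.11", "10.0.9.10", "tcp", 443)[0],
           "linux_to_windows_updates": fw.decide("10.0.1.11", "10.0.8.10", "tcp", 443)[0]}
    fw.add_vm(VM("linux-03", "10.0.1.13", "Red Hat Enterprise Linux 7 (64-bit)"))
    out["new_linux_updates"] = fw.decide("10.0.1.13", "10.0.9.10", "tcp", 443)[0]
    fw.vms["web-01"].tags.add("ANTI_VIRUS.VirusFound")      # partner AV raises the tag
    out["quarantined_web_to_app"] = fw.decide("10.0.1.11", "10.0.2.11", "tcp", 8443)[0]
    fw.vms["web-01"].tags.discard("ANTI_VIRUS.VirusFound")  # remediated: tag cleared
    out["remediated_web_to_app"] = fw.decide("10.0.1.11", "10.0.2.11", "tcp", 8443)[0]
    return out
```

    demo() returns the verdicts for each flow. Two things to note: web-01 to web-02 on the same /24 is blocked even though no router sits between them, which is the micro-segmentation point of slide 7; and both the new linux-03 VM and the quarantine tag change the verdict without anyone editing the rule table, which is what Service Composer's dynamic membership buys you. The quarantine rules are placed first on purpose: in an ordered, first-match rule set a later "allow" would otherwise still let a tagged VM talk.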

    Firewalling/Security – more information

    There is a dedicated session on DFW: "SEC1746 – NSX DFW deep dive"

    Load Balancing  – Configuration (1/3)

    Both One-Arm and Inline modes are supported

    Pros:
    • Flexibility

    [Diagram: the two-tier topology (Web-Tier-01 10.0.1.0/24 with web-01/web-02, App-Tier-01 10.0.2.0/24 with app-01/app-02, gateway .1 on each tier) shown twice: once with a One-Arm LB attached to the tier's logical switch, once with the LB inline on the tier's gateway.]

    Load Balancing  – Configuration (2/3)

    Services (1/2):

    Protocols        TCP / UDP
                     FTP
                     HTTP
                     HTTPS (SSL-Passthrough)
                     HTTPS (SSL Offload)

    LB methods       How end-users' connections are split across back-end servers.
                     Round Robin
                     Source IP hash
                     Least Connection
                     URI / HTTP header / URL

    Health Checks    The load balancer checks the application health of each back-end server.
                     TCP / UDP / ICMP
                     HTTP (GET, OPTIONS, POST)
                     HTTPS (GET, OPTIONS, POST)

    Persistence      All connections from the same end-user go to the same back-end server.
                     TCP: Source IP, MSRDP
                     HTTP: Source IP, Cookie
                     HTTPS: Source IP, Cookie, ssl_session_id

    19/38

    Load Balancing  – Configuration (2/3)

    Services (2/2):

    Connection

    throttlingLimit the connections to the VIP

    / to the back-end servers.

    Client side:

    . Max conc. connections

    . Max new conn / sec

    Server side:

    . Max conc. Connections

    High Availability Yes.

    Monitoring . View VIP/Pool/Servers objects. View VIP/Pool/Servers stats

    . Global stats VIP sessions

    L7 manipulationThe load balancer modifies the

    end-users requests and/or back-

    end servers responses.

    . HTTP/HTTPS request/response headers

    (For instance: URL block, url rewrite, header

    rewrite)

  • 8/18/2019 VMWorld 2014 - Advanced Network Services With NSX (2)

    20/38

    Load Balancing - Performance

    Per Logical Load Balancer:

    L4

    Throughput 9.23 Gbps

    # conc. sessions 1M

    # sessions/sec 131k cps

    L7 - HTTP

    Throughput 6.59 Gbps

    # conc. sessions 60k

    # sessions/sec 45k cps

    Reqs/sec 82.3k rps

    L7 - HTTPS

    Throughput 2.07 Gbps

    # conc. sessions 60k

    # sessions/sec 607 cps

    Reqs/sec 35.0k rps

    Load Balancing  – Demo (1/2)

    Demo 1:
    • VIP SSL off-load

    [Diagram: three-tier application (Web-Tier-01 10.0.1.0/24 with web-01/web-02, App-Tier-01 10.0.2.0/24 with app-01/app-02, DB-Tier-01 10.0.3.0/24 with db-01). Clients reach the VIP over HTTPS; the load balancer terminates SSL and forwards plain HTTP to the web pool.]

    Load Balancing  – Demo (2/2)

    Demo 2:
    • Single VIP redirecting traffic to a specific pool based on the requested host name

    [Diagram: app1.acme.com, app2.acme.com and app3.acme.com all resolve to the same VIP1 address; the load balancer selects Pool1 (web-01, web-02), Pool2 (web-03, web-04) or Pool3 (web-05, web-06) according to the host name, in front of App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01).]
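    The following is an added example, not code from the deck or from VMware: a Python model of the load-balancer behaviour on the three configuration slides and both demos (SSL offload on the VIP, Host-based pool selection from one VIP, round robin / least connection / source IP hash scheduling, health-check-aware member selection, cookie persistence). The pool members, host names, the "SRV" persistence cookie and the X-Forwarded-* header names are constructed assumptions, not the NSX Edge's actual configuration.

```python
"""Toy model of the NSX Edge load balancer features shown on the LB slides.

Added example, not VMware/NSX code. Pool members, host names, the SRV
persistence cookie and the X-Forwarded-* headers are assumptions for
illustration; the real LB is configured through NSX Manager.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import zlib


@dataclass
class Member:
    name: str
    ip: str
    port: int = 80
    healthy: bool = True  # flipped by the health monitor (TCP/ICMP/HTTP GET ...)
    active: int = 0       # open connections, used by least-connection


@dataclass
class Pool:
    name: str
    members: List[Member]
    method: str = "round-robin"  # or "least-conn", "source-ip-hash"
    rr_index: int = 0

    def pick(self, client_ip: str) -> Optional[Member]:
        """Choose a healthy member with the pool's LB method (None = pool down)."""
        up = [m for m in self.members if m.healthy]
        if not up:
            return None
        if self.method == "least-conn":
            return min(up, key=lambda m: m.active)
        if self.method == "source-ip-hash":
            return up[zlib.crc32(client_ip.encode()) % len(up)]
        member = up[self.rr_index % len(up)]
        self.rr_index += 1
        return member


def cookie_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Extract one cookie from a 'Cookie: a=b; c=d' header."""
    for part in headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


@dataclass
class VirtualServer:
    """One VIP: SSL offload, Host-based pool selection, cookie persistence."""
    vip: str
    ssl_offload: bool
    routes: Dict[str, Pool]            # Host header -> pool (application rule)
    default_pool: Optional[Pool] = None
    cookie: str = "SRV"                # insert-mode persistence cookie (assumed name)

    def handle(self, client_ip: str, headers: Dict[str, str], scheme: str) -> dict:
        pool = self.routes.get(headers.get("Host", "").lower(), self.default_pool)
        if pool is None:
            return {"status": 404, "member": None}
        # Persistence: a valid cookie pins the client to its previous (healthy) member.
        wanted = cookie_value(headers, self.cookie)
        member = next((m for m in pool.members if m.name == wanted and m.healthy), None)
        if member is None:
            member = pool.pick(client_ip)
        if member is None:
            return {"status": 503, "member": None}  # every member failed its health check
        member.active += 1
        # SSL offload: HTTPS is terminated on the VIP and the pool sees plain HTTP;
        # the original scheme and client IP travel in headers (L7 manipulation).
        backend_scheme = "http" if self.ssl_offload and scheme == "https" else scheme
        fwd = dict(headers)
        fwd["X-Forwarded-For"] = client_ip
        fwd["X-Forwarded-Proto"] = scheme
        return {"status": 200, "member": member.name, "pool": pool.name,
                "backend": f"{backend_scheme}://{member.ip}:{member.port}",
                "headers": fwd, "set_cookie": f"{self.cookie}={member.name}"}


def build_vip1() -> VirtualServer:
    """Demo 2 topology: app1/app2/app3.acme.com all resolve to VIP1."""
    return VirtualServer("VIP1", ssl_offload=True, routes={
        "app1.acme.com": Pool("Pool1", [Member("web-01", "10.0.1.11"), Member("web-02", "10.0.1.12")]),
        "app2.acme.com": Pool("Pool2", [Member("web-03", "10.0.1.13"), Member("web-04", "10.0.1.14")], "least-conn"),
        "app3.acme.com": Pool("Pool3", [Member("web-05", "10.0.1.15"), Member("web-06", "10.0.1.16")], "source-ip-hash"),
    })


def demo() -> dict:
    vs, out = build_vip1(), {}
    r1 = vs.handle("198.51.100.7", {"Host": "app1.acme.com"}, "https")
    r2 = vs.handle("198.51.100.7", {"Host": "app1.acme.com"}, "https")
    out["round_robin"] = (r1["member"], r2["member"])
    out["offload"] = (r1["backend"], r1["headers"]["X-Forwarded-Proto"])
    r3 = vs.handle("198.51.100.7", {"Host": "app1.acme.com", "Cookie": r1["set_cookie"]}, "https")
    out["sticky"] = r3["member"]                      # cookie wins over round robin
    vs.routes["app2.acme.com"].members[0].active = 5  # web-03 is busy
    out["least_conn"] = vs.handle("198.51.100.8", {"Host": "app2.acme.com"}, "https")["member"]
    pool3 = vs.routes["app3.acme.com"]
    pool3.members[0].healthy = False                  # web-05 failed its health check
    out["hash_after_failure"] = vs.handle("198.51.100.9", {"Host": "app3.acme.com"}, "https")["member"]
    pool3.members[1].healthy = False
    out["pool_down"] = vs.handle("198.51.100.9", {"Host": "app3.acme.com"}, "https")["status"]
    out["unknown_host"] = vs.handle("198.51.100.9", {"Host": "other.example"}, "https")["status"]
    return out
```

    demo() walks through the cases: two requests to app1.acme.com alternate between web-01 and web-02, but a third request carrying the persistence cookie returns to web-01; with SSL offload the back-end URL is plain http while X-Forwarded-Proto still says https, which is what the web tier must check before deciding a request was secure; and when a member fails its health check it drops out of the hash, so the source IP hash now lands on the surviving member rather than on a dead one.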

    Load Balancing  – more information

    There is a specific session on LB: "NET1588 - Load Balancer as a Service using NSX or Partner Solutions"

    Logical VPN  – User and Site-to-Site

    Features
    • Interoperable IPsec, tested with …
    • Clients on all major OS (Win, Ap…)
    • Remote authentication via Active Directory, SecurID, LDAP, RADIUS
    • TCP acceleration
    • Encryption – 3DES, AES128, AE…
    • AES-NI H/W offload
    • NAT & perimeter firewall traversal

    Scale and Performance
    • High performance – AES-NI acceleration
    • 2+ Gb/s throughput per tenant

    Use Cases
    • Cloud to Corporate
    • Cloud On-boarding
    • Remote Office/Branch Office
    • Remote Management

    [Diagram: remote users and remote sites connecting over the Internet/WAN to the logical VPN.]

    Logical VPN  – Layer 2

    Features
    • SSL-based
    • Web-proxy support
    • L2 extension to a public cloud
    • Broadcast support
    • Extend multiple L2 segments with the L2 VPN appliances

    Scale & Performance
    • High performance – AES-NI acceleration
    • 2+ Gb/s throughput per tenant

    Use Cases
    • Cloud On-boarding
    • Cloud Bursting

    [Diagram: VMs on VLAN/VXLAN segments in the data center extended over the Internet/WAN to VLAN/VXLAN segments in the public cloud.]

    Security Partner Integrations

    NSX is the platform for integrating advanced security services.

    Next-generation IPS
    • Granular protection of individual VM workloads with customizable policy definitions
    • Automation of advanced malware interception
    • Unified management for physical and virtual sensors

    Malware Protection
    • Data center security: anti-malware and guest threat protection
    • Real-time, dynamic threat response for workloads, hosts and virtual data centers

    Vulnerability Management
    • Automatic vulnerability risk assessment
    • Data-center-wide real-time risk visibility
    • Auto segmentation of risky assets
    • Vulnerability prioritization for effective remediation

    Malware Protection (agentless)
    • A single virtual appliance provides agentless: anti-malware with UR…, vulnerability and softw…, detection of file changes, intrusion detection & prevention

    Next-Generation Firewall
    • Multiple threat prevention disciplines including firewall, IPS, and anti-malware
    • Safe application enablement with continuous content inspection for all threats
    • Granular user-based controls for apps, content, users, …

    Load Balancer/ADC Partner integrations

    NSX is the platform for Application Delivery Controller services.

    Application Delivery Controller – F5: F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance and availability of servers, data storage devices, and other network resources.

    Application Delivery – Radware: Radware is a provider of integrated application delivery, load balancing and application security solutions for virtual data centers.

    Application Delivery Controller – Citrix: Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.

    32/38

    Operations Partner Integrations

    NSX is the platform for

    Operation servicesNetwork Operations

    Riverbed provides comprehensivemonitoring and troubleshooting capabilitiesacross physical and virtual data centernetworks based on NSX and Riverbed®SteelCentral™ NetProfiler 

    Network Operations

    EMC Service Assurance SuVMware NSX break throughnetwork barriers and achievprovisioning speed, operatioand management visibility apromised by network virtual

    Network Operations

    Gigamon and VMware are extending theirpartnership to provide pervasive andintelligent visibility into the physical and virtualnetworks by integrating the Gigamon VisibilityFabric with VMware NSX™ platform

    CONFI

    Demo with Symantec: Quarantine Vulnerable Systems until Remediated

    Security Group = Quarantine Zone
     Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated N…}

    Security Group = Desktop VMs

    Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84

    How to test?

    • Hands on lab available: http://labs.hol.vmware.com/HOL/catalogs/

    Key take aways

    NSX offers all the Network and Security services most crazy applications require.

    Firewalling / Load Balancing / VPN services are offered natively with unique benefits:
    • in security, with micro-segmentation
    • in scale, with distribution of services
    • in ease-of-use, with automation capabilities

    And NSX services can be enhanced with 3rd party vendors.