Technical Deep Dive: Build a Collapsed DMZ
Architecture for Optimal Scale and Performance
Based on NSX Firewall Services
Shubha Bheemarao, VMware
Bruno Germain, VMware
SEC5891
#SEC5891
Objective
Review DMZ design considerations
Propose new DMZ design that is secure, scalable and cloud ready
Provide deployment guidance using NSX highlighting benefits applicable to DMZ
Related Sessions
NET5847 - NSX: Introducing the World to VMware NSX
NET5266 - Bringing Network Virtualization to VMware environments with NSX
SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
Agenda
Current DMZ design challenges and considerations
New DMZ Design
VMware NSX Components for the DMZ
Proposed DMZ Architecture
Conclusion
DMZ Design Often Relies On Physical Separation Of Trust Zones
DMZ Design:
1. Trust zones separated using separate hardware
2. Design is complex and inflexible
DMZ Application Deployment Is Slow
DMZ Challenge #1
• New application deployment involves configurations at multiple zones
• Configuration spread across devices
• Configuration managed by multiple teams
• Cannot automate
Address using:
• Build a Software Defined Data Center
• Build focus teams for cloud architecture and operations
(Figure labels: Network Team #1, Network Team #2, Security Team)
DMZ Design May Compromise Data Center Security
DMZ Challenge #2
• Non-DMZ traffic often not fully secured
• Large firewall rule sets
• Networking or placement changes could break security
• Hard to manage
Address using:
• Tie configuration to application objects instead of networks
• Secure all application traffic including East-West traffic
DMZ Design Cannot Scale
DMZ Challenge #3
• Forces rip and replace to scale up
• Not cloud ready
Address using:
• Build design suited to scale incrementally using distribution of services
You Need A Cloud Ready DMZ
Design Considerations:
1. Security
2. Manageability
3. Scale and performance
4. Automation
Building A Logical DMZ Trust Zone Is A Better Approach
Steps:
• Pull DMZ zone into the datacenter
• Use virtual networking and security constructs for application isolation and protection
Benefits:
• Higher agility - flexible placement
• Simpler configuration management
• Lower cost – fewer hardware devices
• Easier automation
VMware NSX – Networking & Security Capabilities
(Figure: VMware NSX Network Virtualization Platform running any application without modification over virtual networks, on any hypervisor, any network hardware and any cloud management platform; Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN; Partner Eco-System)
Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
Logical Routing – Routing between virtual networks without exiting the software container
Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
Logical Load Balancer – Application Load Balancing in software
Logical VPN – Site-to-Site & Remote Access VPN in software
NSX API – RESTful API for integration into any Cloud Management Platform
1. Deploy Each Tier Of DMZ Application On A Logical Switch
(Figure: DB, Web and App tiers each on a logical switch)
Benefits for DMZ
• Speed of new application deployment
• Does not require physical network configuration at multiple devices
• Scale is not limited by limitations of physical VLANs
• Higher Security:
  • Reduce attack perimeter
  • Contain risk within virtual perimeter
  • Physical switching and network not exposed to attack
2. Protect Every Virtual Server Using Distributed Firewall
Benefits for DMZ
• Achieve line rate throughput using vNIC level hypervisor firewall
• Higher security – Complete East West traffic protection via distributed enforcement
• Easy Scale and Automation
• Mobility of security rules – Rules follow the VM
(Figure: DB, Web and App tiers, each VM protected at its vNIC)
3. Provide Perimeter Protection Using Logical Gateway
Benefits for DMZ:
• Deploy logical Perimeter Firewall, Load Balancer and VPN programmatically and as needed
• Perimeter services and policy can be tied to the application
• Virtual appliance model allows cloud agility and scale-out
• Higher security through VIP hiding internal IP addresses
(Figure: Services Edge providing NAT, FW, VPN and LB in front of the DB, Web and App tiers)
4. Optimize Application Traffic Flow Using Distributed Router
Benefits for DMZ
• Optimize traffic flows to minimize latency
• Minimize advertising internal routers to perimeter devices
(Figure: Logical Distributed Router connecting the DB, Web and App tiers)
5. Automate Application Protection Using Logical Switches
(Figure: Web tier)
Benefits for DMZ:
• No need to re-program the perimeter security function as workloads move within the infrastructure
• Application-specific security follows the workload
• “Configure and forget”
6. Protect Application Access Using Identity Firewall
Benefits for DMZ
• Create firewall rules using user identity for VDI
  • Limit application access to only authorized groups of users
  • Prevent insider attack
• Get visibility into in-guest applications and application access
  • Ensure no rogue applications are running on your servers
  • Get reporting on application usage by user groups
(Figure: DB Admins and Web Admins with access to the DB and Web tiers; Application Visibility)
7. Define Application Security Using Logical Containers
Benefits for DMZ
• Simplify rule creation and management – Use logical boundaries to reflect application boundaries; prevent rule sprawl by tying security policy to applications
• Automate protection for new VMs as new security group members inherit security policies
• Flexible and manageable container creation options - Use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes
(Figure: VMs grouped into a Web logical container)
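The object-based policy model behind this slide and Challenge #2, as an added illustration in Python (not from the deck and not NSX code): security groups with tag-based membership, a vNIC-level rule check, and, for contrast, an address-keyed rule set that breaks when a VM is moved and re-addressed. VM names, tags, hosts and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    host: str                      # ESXi host the VM currently runs on
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    """Logical container with dynamic membership: any VM carrying the tag."""
    name: str
    tag: str
    def contains(self, vm: VM) -> bool:
        return self.tag in vm.tags

@dataclass
class Rule:
    src: SecurityGroup
    dst: SecurityGroup
    port: int

def evaluate(rules, src: VM, dst: VM, port: int) -> str:
    """vNIC-level check: allow on the first matching group rule, else deny. Host and IP never enter the decision."""
    for r in rules:
        if r.src.contains(src) and r.dst.contains(dst) and r.port == port:
            return "allow"
    return "deny"

def evaluate_ip(ip_rules, src: VM, dst: VM, port: int) -> str:
    """Legacy alternative: rules keyed on addresses, which stop matching after a re-IP."""
    return "allow" if (src.ip, dst.ip, port) in ip_rules else "deny"

# Constructed inventory and policy for a three-tier DMZ application
web, app, db = (SecurityGroup(f"SG-{t}", f"tier={t}") for t in ("web", "app", "db"))
policy = [Rule(web, app, 8080), Rule(app, db, 3306)]
ip_policy = {("10.1.1.10", "10.1.2.10", 8080), ("10.1.2.10", "10.1.3.10", 3306)}

def demo():
    both = lambda s, d, p: (evaluate(policy, s, d, p), evaluate_ip(ip_policy, s, d, p))
    web1 = VM("web-01", "10.1.1.10", "esx-01", {"tier=web"})
    app1 = VM("app-01", "10.1.2.10", "esx-02", {"tier=app"})
    db1 = VM("db-01", "10.1.3.10", "esx-03", {"tier=db"})
    results = {"before": both(web1, app1, 8080)}
    app1.host, app1.ip = "esx-09", "10.9.2.10"   # vMotion plus re-addressing
    results["after_move"] = both(web1, app1, 8080)
    web2 = VM("web-02", "10.1.1.11", "esx-05", {"tier=web"})  # new member, no rule edit
    results["new_member"] = evaluate(policy, web2, app1, 8080)
    results["lateral"] = evaluate(policy, web1, db1, 3306)   # East-West default deny
    return results
```

After the move the group-based rule still allows Web to App while the address-keyed rule no longer matches, and the new Web VM is covered without any policy change.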
Architecture Can Easily Scale
(Figure: DB, Web and App tiers behind a perimeter gateway)
Benefits for DMZ:
• Achieve multitenancy using perimeter gateway for tenant separation
• Fully automate using REST API scripts or Cloud Management portals
• Scale easily by adding essential services on demand in software
• Built for high performance
Functional View of Data Center With Logical DMZ
(Figure: layers from any devices over any networks, through app gateways and perimeter devices, admin jump points and common services (EDS, AD, DB), to applications. Exchange roles shown: Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items), Unified Messaging (voice mail and voice access). Ports labelled on the figure: 25; 50636; 135; 389, 3268, 88, 53, 135 to AD; RPC 808; 5060, 5061, 5062 and dynamic)
Physical View Of NSX Component Deployment
(Figure: Compute Clusters, Management Cluster and Edge Cluster across Compute Racks, Infra Racks and Edge Racks; components NSX Manager, NSX Edge, NSX Controller, vCenter Server and physical appliances; Data Center IP network, Management network (vMotion & storage), external networks WAN/Internet)
Controller Software – Virtual network orchestrator; massive scale
Hypervisor Service Modules – Distributed network services (Switching, Routing); Load Balancer, Switch, Firewall, Router/VPN
Gateway Software – Integration with existing physical infra.; V to V / V to P; L2, L3
Build Your Cloud Ready DMZ with NSX
Before: DMZ with physical separation of trust zones
After: DMZ with logical separation of trust zones
Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads
THANK YOU
Mixed Mode / Multi-tenant and the test of auditing
(Figure: “We are not alone”: automated and self-healing; security & compliance trust zones; power of cloud infrastructure automation)
A validated methodology for the migration to mixed trust zones
(Figure: three stages of vSphere deployments with Core, Aggr. and Acc. layers, moving to vShield App based security on VMware vSphere + vShield; Cluster1 hosting HR App, FIN App and Sales App; legend: Web Frontend, Apps, Database; Increased Confidence with Virtualization and Virtualization Security; Mixed-Trust Zone with Virtual Enclaves)