VMworld Europe 2014: Advanced Network Services with NSX
0 likes988 views
This document provides an overview and agenda for a presentation on Network and Security services provided by VMware's NSX software-defined networking platform, including: 1. What network and security services are used by applications today. 2. Details on NSX firewalling, load balancing, and VPN services, including demos. 3. How NSX integrates with third-party security and load balancer vendors to enhance services.
VMworld Europe 2014: Advanced Network Services with NSX
- 2. Disclaimer • This presentation may contain product features that are currently under development. • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined. CONFIDENTIAL 2
- 3. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 3
- 4. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 4
- 5. Network & Security Services Are Used by (All Crazy) Applications • Switching / DHCP server-or-relay / DNS • Routing / NAT • Firewalling • Load Balancing • L2 and L3 VPN NSX offers all those Network & Security services with central configuration and automation Let's focus here on Firewalling, Load Balancing, and VPN .1 .1 .1 .1 web-01 web-02 app-01 db-01app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24 DB -Tier-01 10.0.3.0/24 Dynamic Routing THAT'S IT!!!! OneArm LB Router/ Firewall / Inline Load Balancer / VPN 5CONFIDENTIAL
- 6. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 6
- 7. Firewalling/Security – Configuration (1/4) • Firewalling is configured centrally AND distributed to all ESXi on their VM NICs 192.168.10.0/29 Web LS 10.0.1.0/24 .11 .12 .12.11 App LS 10.0.2.0/24 .1 .1 .1 STOP Web to App TCP/8443 Pros: • FW is distributed between all ESXi: Amazing firewalling scale! • Offer security even within the same IP subnet / logical switch VM1 VM2 VM1 VM2 7CONFIDENTIAL
- 8. Firewalling/Security – Configuration (2/4) • L2 MAC addresses and L3 IP addresses can be used • In addition any vCenter object name can be used vSphere Distributed Switch Web-LS1 – 10.0.1.0/24 App-LS1 – 10.0.2.0/24 192.168.150.51 192.168.150.52 192.168.250.51 Pros: • Ease-of-use VM1 VM2 VM1 VM2 8CONFIDENTIAL
- 9. Web-LS1 – 10.0.1.0/24 App-LS1 – 10.0.2.0/24 Firewalling/Security – Configuration (3/4) • Port numbers can be used • In addition protocol names can be used Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC vSphere Distributed Switch 192.168.150.51 192.168.150.52 192.168.250.51 Pros: • Ease-of-use VM1 VM2 VM1 VM2 9CONFIDENTIAL
- 10. Firewalling/Security – Configuration (4/4) Dynamic firewalling (Service Composer) Security Groups WHAT you want to protect Members (VM, vNIC…) and Context (user identity, security posture) HOW you want to protect it Services (Firewall, antivirus…) and Profiles (labels representing specific policies) APPLY Pros: • Agility • Service Compliance 10
- 11. Firewalling/Security – Performance (1/2) • Performance Lab Test – Two Hypervisors with two VMs each – Two 10G Physical NICs per server – VM1 talks to VM3 & VM2 talks to VM4 11 VM1 VM2 VM3 VM4 10G Interfaces 10G Interfaces Test Setup CONFIDENTIAL
- 12. Firewalling/Security – Performance (2/2) • Results 20Gbps Per Host of Firewall Performance with Negligible CPU Impact Throughput Measurement 12CONFIDENTIAL
- 13. Dynamic firewalling • Compliance Demo Firewalling/Security – Demo 13 .1 .1 .1 .1 app-01 db-01app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24 DB -Tier-01 10.0.3.0/24 win-01 win-02linux-01 linux-02 Servers Linux Servers Windows Access Linux update servers Access Windows update servers linux-03 New Linux Servers are automatically granted access
- 15. There is a dedicated session on DFW: "SEC1746 – NSX DFW deep dive" Firewalling/Security – more information 15
- 16. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 16
- 17. Load Balancing – Configuration (1/3) Both One-Arm and Inline modes are supported Pros: • Flexibilty OneArm LB .1 .1 .1 web-01 web-02 app-01 app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24 .1 .1 .1 web-01 web-02 app-01 app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24
- 18. Load Balancing – Configuration (2/3) Services (1/2): Protocols TCP / UDP FTP HTTP HTTPS (SSL-Passthrough) HTTPS (SSL Offload) LB methods How end-users connections are split across back-end servers. Round Robin Source IP hash Least Connection URI/HTTP header/URL Health Checks Load Balancer checks the application health of each back-end server. TCP/UDP/ICMP HTTP (GET, OPTION, POST) HTTPS (GET, OPTION, POST) Persistence All connections from the same end- user go to the same back-end server. TCP: SourceIP, MSRDP HTTP: SourceIP, Cookie, HTTPS: SourceIP, Cookie, ssl_session_id 18
- 19. Load Balancing – Configuration (2/3) Services (2/2): Connection throttling Limit the connections to the VIP / to the back-end servers. Client side: . Max conc. connections . Max new conn / sec Server side: . Max conc. Connections High Availability Yes. Monitoring . View VIP/Pool/Servers objects . View VIP/Pool/Servers stats . Global stats VIP sessions L7 manipulation The load balancer modifies the end-users requests and/or back- end servers responses. . HTTP/HTTPS request/response headers (For instance: URL block, url rewrite, header rewrite) 19
- 20. Load Balancing - Performance Per Logical Load Balancer: L4 Throughput 9.23 Gbps # conc. sessions 1M # sessions/sec 131k cps L7 - HTTP Throughput 6.59 Gbps # conc. sessions 60k # sessions/sec 45k cps Reqs/sec 82.3k rps L7 - HTTPS Throughput 2.07 Gbps # conc. sessions 60k # sessions/sec 607 cps Reqs/sec 35.0k rps 20
- 21. Load Balancing – Demo (1/2) Demo1: • VIP SSL off-load .1 .1 .1 .1 web-01 web-02 app-01 db-01app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24 DB -Tier-01 10.0.3.0/24 HTTPS HTTP 21
- 22. Load Balancing - Demo 22
- 23. Load Balancing – Demo (2/2) • Demo2: – Single VIP redirecting traffic to specific pool based on host .1 .1 .1 .1 app-01 db-01app-02 Web-Tier-01 10.0.1.0/24 App-Tier-01 10.0.2.0/24 DB -Tier-01 10.0.3.0/24 app1.acme.com = VIP1@ web-05 web-06web-03 web-04web-01 web-02 Pool1 Pool2 Pool3 app1.acme.com app2.acme.com = VIP1@ app2.acme.com app3.acme.com = VIP1@ app3.acme.com
- 24. Demos (2/2)
- 25. There is a specific session on LB: "NET1588 - Load Balancer as a Service using NSX or Partner Solutions" Load Balancing – more information 25
- 26. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 26
- 27. Logical VPN – User and Site-to-Site • Interoperable IPsec tested with major vendors • Clients on all major OS (Win, Apple, Linux) • Remote Authentication via Active Directory, RSA Secure ID, LDAP, Radius • TCP Acceleration • Encryption – 3DES, AES128, AES256 • AESNI H/W Offload • NAT & Perimeter Firewall Traversal Features • High Performance – AES-NI acceleration • 2+ Gb/s throughput per tenant Scale and Performance • Cloud to Corporate • Cloud On-boarding • Remote Office/Branch Office • Remote Management Use Cases Internet/ WAN Internet/ WAN 27
- 28. Logical VPN – Layer 2 Public Cloud • SSL-based • Web-proxy Support • L2 Extension to Cloud • Broadcast support • Extend multiple L2 Segments with a single pair of L2 VPN Appliances Features • High Performance – AES-NI acceleration • 2+ Gb/s throughput per tenant Scale & Performance • Cloud On-boarding • Cloud Bursting Use Cases Internet/ WAN VM VM VM VLAN/VXLAN VLAN/VXLAN
- 29. Agenda 1 What Network & Security services are used by (all crazy) applications 2 What are TODAY exactly the NSX: – Firewalling/Security services – Load Balancing services – VPN services 3 Service enhancements with NSX 3rd party vendors CONFIDENTIAL 29
- 30. Security Partner Integrations 30 Next-generation IPS Malware Protection Granular protection of individual VM workloads with customizable policy definitions Automation of advanced malware interception Unified management for physical and virtual sensors Data Center security with agentless anti-malware and guest network threat protection Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers Vulnerability Management Automatic vulnerability risk assessment Data Center wide real- time risk visibility Auto segmentation of risky assets Vulnerability prioritization for effective remediation Malware Protection Single virtual appliance provides agentless: Anti-malware with URL filtering Vulnerability and software scanning Detection of file changes Intrusion Detection & Prevention Next-Generation Firewall Multiple threat prevention disciplines including firewall, IPS, and antimalware Safe application enablement with continuous content inspection for all threats Granular user-based controls for apps, content, users, NSX is the platform for integrating advanced security services CONFIDENTIAL
- 31. Load Balancer/ADC Partner integrations NSX is the platform for Application Delivery Controller services. Application Delivery Controller F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance, availability of servers, data storage devices, and other network resources. Application Delivery Controller Radware is a provider of integrated application delivery / load balancing and application & network security solutions for virtual and cloud data centers. Application Delivery Controller Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.
- 32. Operations Partner Integrations NSX is the platform for Operation services Network Operations Riverbed provides comprehensive monitoring and troubleshooting capabilities across physical and virtual data center networks based on NSX and Riverbed® SteelCentral™ NetProfiler Network Operations EMC Service Assurance Suite and VMware NSX break through the physical network barriers and achieve the provisioning speed, operational efficiency, and management visibility and insight promised by network virtualization Network Operations Gigamon and VMware are extending their partnership to provide pervasive and intelligent visibility into the physical and virtual networks by integrating the Gigamon Visibility Fabric with VMware NSX™ platform CONFIDENTIAL 32
- 33. Demo with Symantec 33 Quarantine Vulnerable Systems until Remediated Security Group = Quarantine Zone Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network} Security Group = Desktop VMs CONFIDENTIAL
- 34. Demo with Symantec Quarantine Vulnerable Systems until Remediated Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84 34
- 35. How to test? • Hands on lab available: http://labs.hol.vmware.com/HOL/catalogs/ CONFIDENTIAL 35
- 36. Key take aways NSX offers all Network and Security services most crazy applications require Firewalling / Load Balancing / VPN services are offered natively with unique benefits in security with micro-segmentation in scale with distribution of services in ease-of-use And automation capabilities And NSX services can be enhanced with 3rd party vendors CONFIDENTIAL 36