VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
0 likes1,018 views
This document discusses how VMware NSX Distributed Firewall changes the economics of firewall services in software-defined data centers. It introduces a distributed, virtual firewall architecture that is embedded in the hypervisor and provides centralized management. This allows firewall rules to be applied based on VM attributes rather than IP addresses for improved security and flexibility. The distributed firewall also offers high performance, scalability and integration with other security services.
VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
- 1. Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall Srinivas Nimmagadda, VMware Anirban Sengupta, VMware SEC5893 #SEC5893
- 2. 2 Business Needs Agility Flexibility Elasticity/Scalability Simplicity Business Challenges Reality Inflexible Networks Archaic Security Perf/Scale Issues Complex Rule Bases
- 3. 3 Data Center Firewall Architecture Aggregation Layer Campus Core Core Layer Access Layer
- 4. 4 Application Profiles Changing… Campus Core Client – Server & Web 1.0 Server 3-Tier Apps Web App DB Web 2.0, Portals, Enterprise Apps
- 5. 5 Virtualization - Changing Dynamics Campus Core VM – VM traffic doesn’t hit network IP Address Based Rule Sets Scalability Issues Complex Firewall Rule Tables Firewall – “Choke Point”
- 6. 6 Firewall as a VM IP Address Based Rule Sets Server Consolidation Issues Virtual Appliance Issues VM Firewall – Still a bottleneck vMotion & App Placement Issues
- 7. 7 Wouldn’t It Be Great If My Firewall… Removes the need to hair-pin traffic Enables Rules based on VM attributes Provides High Performance & Scale API based Programmability
- 8. 8 Distributed Virtual Firewall VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM Focus • Custom built for Virtual Data Centers • Distributed Enforcement • Centralized Management • Performance & Scale
- 9. 9 DVFW – Hypervisor Embedded Firewall ESXi VM VM FW Benefits… • Is built right in to the Hypervisor and is lightening fast • “Line Rate” Performance (10Gbps+ per host) • No VM can circumvent Firewall ESXi VM VM VM ESXi VM VM FW VM
- 10. 10 DVFW – Scale Out Architecture ESXi VM VM FW Benefits… • Scales with additional “Hosts” • No “Fork Lift” upgrade to get better scale ESXi VM VM FW ESXi VM VM FW
- 11. 11 DVFW – Flexible Access Control Mechanisms Benefits… • Security Groups: Logical grouping of VMs • VM Tags: Dynamic VM attributes • User Identity: Identity based firewall • IP/VLAN: Support physical infrastructure based rules • Rules follow the VMs ESXi Web App FW DB ESXi Web App FW DB ESXi Web App FW DB
- 12. 12 Identity & Application Visibility Active Directory Eric Frost User AD Group App Name Originating VM Name Destination VM Name Source IP Destination IP Eric Engineering SPDesigner.exe Eric-Win7 Ent-Sharepoint 192.168.10.75 192.168.10.78 ESXi FW
- 13. 13 DVFW – Centralized Management ESXi VM VM VM ESXi VM VM VM Reuse vCenter Objects Single Rule Table Role Based (RBAC) Control Full REST API Familiar “Apply To” Model Central Monitoring
- 16. 16 Vulnerability Scan + Firewall Use Case Security Architect Deny outbound traffic from “Quarantine” VMs Vulnerability Scanner Identifies serious vulnerabilities in APP-VM-6 and tags the VM as “Quarantine” system Firewall Blocks outbound traffic from APP-VM-6 Security Operations Patches the OS/Application to address vulnerability Vulnerability Scanner APP-VM-6 is no longer a “Quarantine” machine Firewall Outbound traffic from APP-VM-6 permitted
- 17. 17 IPS Use Case Hypervisor VM DFW VM VM IPS VMware DVFW High Throughput User, VM Segmentation Selective IPS Forward IPS Signature Based IPS + Malware/APT
- 19. 19 Themes Security • VM Attribute Based • User Identity • VM Appliance Agility • vCenter Integration • REST API • vMotion Integration with existing Host & Network Security solutions Perf & Scale Better Consolidation Compliance (PCI)
- 20. 20 Deployment Edge Firewall & Distributed Firewall Firewall Monitoring & Troubleshooting RBAC and Admin Separation Auditing & Compliance
- 21. 21 N-S Firewall, E-W Router / Firewall Logical Topology Distributed Router & Firewall VXLAN Transit/Uplink Network ……….. VLAN last mile FW HA Pair (High Throughput & CPS) LB, DHCP (One-arm) NET 1 NET 2 NET 3 WebFrontEnds AppTier DatabaseBackends 3-tier App OSPF Physical Routing Edge Physical Network Fabric Network Virtualization iBGP NAT, FW, VPN, LB High Port Density Router & Firewall NET 1000
- 22. 22 WAN / INTERNET / Corp backbone Model for Routing & L4-L7 Services FW/Routing - Phy. Or Virtual Appiance Features: NAT, Perimeter Firewall, SSLVPN, IPsec VPN, GSLB, DNS Routing L2 Bridge Distributed Routing One-armed LB Features: Server Loadbalancing, DHCP, L2VPN Features: Distributed ACLs in OVS, anti-spoof control Logical L2
- 23. 23 Other VMware Activities Related to This Session HOL: HOL-SDC-1303 VMware NSX Network Virtualization Platform Group Discussions: SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik
- 24. THANK YOU
- 26. Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall Srinivas Nimmagadda, VMware Anirban Sengupta, VMware SEC5893 #SEC5893