VMworld 2013
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
• 3-Tier Application – (3 VXLANs) or (1 VXLAN)
• Multi-Tenant Scenario
Troubleshooting NSX Firewall
Deployment of NSX Firewall (RBAC, Audit Logging, …)
Monitoring NSX Firewall
Hypervisor Kernel Embedded Firewall
Benefits…
• Is built right into the Hypervisor
• “Line Rate” Performance (15Gbps+ per host)
• No VM can circumvent Firewall
• Better compliance model
Flexible Access Control Mechanisms
Benefits…
• IP/VLAN: Support physical infrastructure based rules
• Security Groups: Logical grouping of VMs
• VM Asset Tags: Dynamic VM attributes
• Rules follow the VMs
Identity Based Access Control
Active Directory user: Eric Frost (IP: 192.168.10.75)

Rule Table
Source | Destination | Services | Action
Engineering | Ent-Sharepoint | http | Permit, Log

Logs
User Name | AD Group | App Name | Originating VM Name | Destination VM Name | Source IP | Destination IP
Eric Frost | Engineering | SPDesigner.exe | Eric-Win7 | Ent-Sharepoint | 192.168.10.75 | 192.168.10.78
Firewall Management Life Cycle
Prepare
• Deploy firewall on hosts
• Enable Logging
• VMTools for VMs, Activity Monitoring
Policy
• vCenter Objects
• Configure Access Rules
• Sections
Troubleshoot
• Logs with Rule IDs
• Rule Hit Count
• Enforced Rules on a Host
• Packet Captures
Monitor
• Flow Monitoring
• Activity Monitoring
Operations
• Audit Tracking
• Role Based Access Control
• Import/Export of Configurations
Multi-Tenancy With NSX Firewall
[Diagram labels: External Networks; Routing, VPN, NAT; Tenant 1 Logical Switch (VMs); Tenant 2 Logical Switch (VMs); Tenant Specific Micro-segmentation]
Tenant-01 Access Rules
Objects
• ALL-CUST-VXLANS: Tenant01-VXLAN, Tenant02-VXLAN
• Tenant01-Services (192.168.10.0/24) | Tenant02-FIN-Apps (192.168.10.0/24)

Tenant-01 Section
Source | Destination | Services | Action | Apply To
Tenant01-VXLAN | Tenant01-Services | Any | Permit | Tenant01-VXLAN
… | … | … | … | Tenant01-VXLAN
Tenant01-VXLAN | Tenant01-VXLAN | Any | Deny | Tenant01-VXLAN

SP Tenant-01 Section
Source | Destination | Services | Action | Apply To
ALL-CUST-VXLANS | Tenant01-VXLAN | Any | Deny |
Tenant01-VXLAN | ALL-CUST-VXLANS | Any | Deny |
Tenant-02 Access Rules
Tenant-02 Section
Source | Destination | Services | Action | Apply To
Tenant02-FINANCE | Tenant02-FIN-Apps | http, https | Permit, log | Tenant02-VXLAN
… | … | … | … | Tenant02-VXLAN
Tenant02-VXLAN | Tenant02-VXLAN | Any | Deny | Tenant02-VXLAN

SP Tenant-02 Section
Source | Destination | Services | Action | Apply To
ALL-CUST-VXLANS | Tenant02-VXLAN | Any | Deny |
Tenant02-VXLAN | ALL-CUST-VXLANS | Any | Deny |
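The identity rule and the two tenants' rule tables above share one evaluation model: sections are walked top-down, the first matching rule wins, each rule is only pushed to the vNICs named in its Apply To column, and source/destination are logical objects (VXLAN, security group, AD group) rather than addresses. The following script is an added example, not VMware code: it models that evaluation for the deck's rule tables and shows why the two tenants stay isolated even though both reuse 192.168.10.0/24. The VM inventory, the logged-on user mapping and the position of the identity section are constructed assumptions; the object and section names come from the slides.

```python
"""Toy model of NSX Distributed Firewall rule evaluation: ordered sections,
first match wins, each rule scoped by its "Apply To" set, and source/destination
expressed as logical objects (VXLAN, security group, AD group) resolved at
evaluation time. Added example, not VMware code; object names follow the deck,
the VM inventory and logged-on users are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    section: str
    src: str                  # object name, AD group name, or "any"
    dst: str
    services: frozenset       # service names, or {"any"}
    action: str               # "Permit" or "Deny"
    apply_to: frozenset = frozenset()  # VXLANs whose vNICs enforce it; empty = all


# Constructed inventory: VM -> logical switch. Both tenants reuse 192.168.10.0/24
# (as in the deck), so IP addresses alone could not tell the tenants apart;
# evaluation here is by VM object, never by IP.
VM_VXLAN = {
    "Tenant01-Web": "Tenant01-VXLAN", "Tenant01-Svc": "Tenant01-VXLAN",
    "Eric-Win7": "Tenant01-VXLAN", "Ent-Sharepoint": "Tenant01-VXLAN",
    "Tenant02-Fin": "Tenant02-VXLAN", "Tenant02-App": "Tenant02-VXLAN",
}
OBJECTS = {  # logical objects -> member VMs
    "Tenant01-VXLAN": {vm for vm, vx in VM_VXLAN.items() if vx == "Tenant01-VXLAN"},
    "Tenant02-VXLAN": {vm for vm, vx in VM_VXLAN.items() if vx == "Tenant02-VXLAN"},
    "ALL-CUST-VXLANS": set(VM_VXLAN),
    "Tenant01-Services": {"Tenant01-Svc"},
    "Tenant02-FINANCE": {"Tenant02-Fin"},
    "Tenant02-FIN-Apps": {"Tenant02-App"},
    "Ent-Sharepoint": {"Ent-Sharepoint"},
}
AD_GROUPS = {"Engineering": {"Eric Frost"}}
LOGGED_ON = {"Eric-Win7": "Eric Frost"}  # user identity reported per VM (constructed)

A, D = "Permit", "Deny"
ANY = frozenset({"any"})
T1, T2 = frozenset({"Tenant01-VXLAN"}), frozenset({"Tenant02-VXLAN"})
POLICY = [  # sections in top-down order: the deck's tables plus its identity rule
    Rule("Identity", "Engineering", "Ent-Sharepoint", frozenset({"http"}), A),
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-Services", ANY, A, T1),
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-VXLAN", ANY, D, T1),
    Rule("SP Tenant-01", "ALL-CUST-VXLANS", "Tenant01-VXLAN", ANY, D),
    Rule("SP Tenant-01", "Tenant01-VXLAN", "ALL-CUST-VXLANS", ANY, D),
    Rule("Tenant-02", "Tenant02-FINANCE", "Tenant02-FIN-Apps",
         frozenset({"http", "https"}), A, T2),
    Rule("Tenant-02", "Tenant02-VXLAN", "Tenant02-VXLAN", ANY, D, T2),
]
DEFAULT = Rule("Default", "any", "any", ANY, A)  # like rule 1002 in the vsipioctl dump


def is_member(obj, vm):
    """Resolve a rule's source/destination object against a VM (and its user)."""
    if obj == "any":
        return True
    if obj in AD_GROUPS:  # identity rule: the user logged on to this VM
        return LOGGED_ON.get(vm) in AD_GROUPS[obj]
    return vm in OBJECTS[obj]


def decide_at(vnic_vm, src_vm, dst_vm, service):
    """First matching rule among those enforced on vnic_vm's vNIC filter."""
    for r in POLICY:
        if r.apply_to and VM_VXLAN[vnic_vm] not in r.apply_to:
            continue  # rule was not pushed to this vNIC
        if (is_member(r.src, src_vm) and is_member(r.dst, dst_vm)
                and ("any" in r.services or service in r.services)):
            return r
    return DEFAULT


def evaluate(src_vm, dst_vm, service):
    """A flow is checked at the sender's vNIC and again at the receiver's vNIC;
    it passes only if both allow it. Returns (action, [egress hit, ingress hit])."""
    hits = [decide_at(src_vm, src_vm, dst_vm, service),
            decide_at(dst_vm, src_vm, dst_vm, service)]
    return (A if all(h.action == A for h in hits) else D), hits


if __name__ == "__main__":
    for flow in [("Eric-Win7", "Ent-Sharepoint", "http"),
                 ("Tenant01-Web", "Ent-Sharepoint", "http"),
                 ("Tenant01-Web", "Tenant01-Svc", "ssh"),
                 ("Tenant02-Fin", "Tenant02-App", "https"),
                 ("Tenant02-Fin", "Tenant01-Svc", "http")]:
        action, hits = evaluate(*flow)
        print(f"{flow[0]:>13} -> {flow[1]:<14} {flow[2]:<5} {action:6} "
              f"(egress: {hits[0].section}, ingress: {hits[1].section})")
```

Two things the run makes visible: the SharePoint rule permits Eric's session but not the same HTTP request from a VM with no Engineering user logged on, which then falls through to the Tenant-01 section's closing deny; and a Tenant-02 VM reaching into Tenant-01 is dropped by the SP Tenant-01 section at the sender's vNIC, so the tenant's own section never sees it.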
Host And Network Security Services
Anti Virus
Vulnerability Scanner
DLP
IPS
NGFW
Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
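The `vsipioctl getrules` dump is the ground truth for "Enforced Rules on a Host" in the troubleshooting workflow. The parser below is an added example, not a VMware tool: it turns a dump like the one above into structured records so that a rule ID can be looked up, the default rule inspected, and vNIC filters whose L3 or L2 ruleset still ends in a catch-all accept flagged. Its grammar covers only the line shapes shown in the deck; the sample text is constructed from those lines.

```python
"""Parse the per-filter rule dump printed by `vsipioctl getrules -f <filter>`
into structured records. Added example, not a VMware tool; the grammar handles
only the line forms shown in the deck, and SAMPLE is constructed from them."""
import re

SAMPLE = """\
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
"""

RULESET_RE = re.compile(r"^\s*ruleset\s+(\S+)\s*\{")
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+at\s+(?P<pos>\d+)\s+(?P<dir>in|out|inout)\s+"
    r"(?:protocol|ethertype)\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>addrset\s+\S+|any)\s+to\s+(?P<dst>addrset\s+\S+|any)"
    r"(?:\s+port\s+(?P<port>\d+))?\s+(?P<action>\w+)"
    r"(?P<log>\s+with\s+log)?\s*;")


def parse_getrules(text):
    """Return {ruleset_name: [rule dicts in listed order]}."""
    rulesets, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment such as "# Filter rules"
        m = RULESET_RE.match(line)
        if m:
            current = rulesets.setdefault(m.group(1), [])
            continue
        if stripped == "}":
            current = None
            continue
        m = RULE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        current.append({
            "id": int(m["id"]), "pos": int(m["pos"]), "dir": m["dir"],
            "proto": m["proto"],
            "src": m["src"].replace("addrset ", ""),
            "dst": m["dst"].replace("addrset ", ""),
            "port": int(m["port"]) if m["port"] else None,
            "action": m["action"], "log": m["log"] is not None,
        })
    return rulesets


def rules_by_id(rulesets, rule_id):
    """Every kernel expansion of one management-plane rule ID: a rule with
    several services shows up once per service, as rule 1024 does above."""
    return [r for rs in rulesets.values() for r in rs if r["id"] == rule_id]


def default_rule(rulesets, name="domain-c7"):
    """The last rule of a ruleset, i.e. what a packet gets when nothing else matches."""
    return rulesets[name][-1]


def catch_all_permits(rulesets):
    """Names of rulesets that end in an any-to-any accept. That is the default
    shown in the deck; the tenant sections above end in an explicit deny instead."""
    return [n for n, rs in rulesets.items()
            if rs and rs[-1]["src"] == "any" and rs[-1]["dst"] == "any"
            and rs[-1]["proto"] == "any" and rs[-1]["action"] == "accept"]


if __name__ == "__main__":
    parsed = parse_getrules(SAMPLE)
    for name, rules in parsed.items():
        print(name, [(r["id"], r["pos"], r["action"], r["port"]) for r in rules])
    print("rule 1024 ports:", [r["port"] for r in rules_by_id(parsed, 1024)])
    print("rulesets ending in catch-all accept:", catch_all_permits(parsed))
```

On a real host the input would be the captured output of the two commands shown above; feeding each vNIC filter's dump through `catch_all_permits` gives a quick audit of which VMs are still under the factory default rather than a tenant section that closes with a deny.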
Summary
NSX Firewall: East/West Traffic Control; Identity & VM Awareness; High Performance & Scale-out
Operational Workflows: Policy Management; Troubleshooting; Monitoring; RBAC; REST API & Automation
Takeaways: Enables Business Agility; Delivers Superior Performance & Scale; Simplifies Firewall Management
Other VMware Activities Related to This Session
HOL:
HOL-SDC-1303 VMware NSX Network Virtualization Platform
Group Discussions:
SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik
The Transformative Value of Network Virtualization
[Chart: Labor/OPEX Savings; Innovation Speed & New Business. Values shown: 83% Reduction*, 88% Reduction*, 93% Reduction*; Increase in Business Velocity]
* Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending.
Source: Large US-based Financial Services company
• Valuable labor moves to SDDC architects, away from high-cost siloed orgs
• Manual design, config & deploy moves to automated / self service provisioning
• Complex / custom hardware configuration moves to simplified IP forwarding
• Box-based net security moves to centrally defined, scale-out security policies
• Physical Infra labor moves to “rack-n-stack” with limited “operator” functions
• Adds/moves/changes no longer require full manual re-provisioning effort