VMware NSX – A Perspective for Service Providers – part 2

Using Software Defined Networking to harden DC security controls

Trevor Gerdes


NSX for SPs Part 2 - Agenda

1 Case Studies

2 Data Centre Security

3 Distributed Firewall – Use Cases

4 Current SDN Technologies

5 NSX Service Composer

6 Building a Zero Trust Model


Case Studies


Australian MSP

• Existing vSphere customer

• Using 3rd party orchestration system (non-VMware)

• Wanted to improve service delivery times

• Looking at hybrid virtual solution using elements from Juniper, Cisco and VMware


Australian MSP

• Implemented NSX into new cloud offering inside 3 months

• Reduced service delivery time from 6 weeks to 3 days

• Brought forward revenue billing by 5 weeks

• Selected NSX over hybrid Cisco, VMware and Juniper solution due to all-in-one package of logical L2 networking, L3 routing and perimeter gateway services including VPN and LB services.

• Integrated NSX via API into 3rd party cloud solution inside 1 week using python scripts.

• Looking for next wave of feature integration and “value add” using NSX distributed FW and security partners.




First Problem – VM Conversion required

[Figure: Data Centre Cloud Hosting Service]

NSX – Providing Stretch Layer 2 (over Layer 3)

[Figure: Data Centre Cloud Hosting Service]


SDDC Micro-Segmentation Business Case - Sample

Data Center Environment

Number of VMs: 1,000
Number of VMs per CPU: 5
Number of CPUs per Host: 2
Number of Hosts: 100

Firewall Throughput Required for Micro-Segmentation

Average Application Throughput per Host: 7 Gbps
Throughput Required to Support All VMs: 700 Gbps
Segmentation Ratio (% of VMs requiring FW controls): 40%
Effective Firewall Throughput Requirement: 280 Gbps
Firewalls Required (20 Gbps each, x2 for HA): 28 Firewalls

Firewall Cost

List Price of 20 Gbps Firewalls: $150,000
Total CAPEX for Firewalls: $4,200,000

Note: Operationally Infeasible

NSX Cost

List Cost for NSX Platform: ~$1,300,000



Large US Financial

25,000 VM deployment

$10m investment in NSX

$50m savings over 5 years

NSX improved host utilisation from 9:1 to 14:1

• NSX helped avoid hardware refresh on ESX hosts, Load Balancers, Network hardware

• SDDC helped reduce labour costs by $8m

15 month PoC which morphed into full SDDC PoC (vCAC, vCO, vCOps, LogInsight)



“NVP, combined with OpenStack, is a game changer. Together we are bringing enterprise private networking to the cloud.”

• Rackspace Cloud Networks

• $15-$20 million a year savings by not overprovisioning servers

Deliver enterprise-class private networking in a public, multi-tenant cloud.

[Figure: Improved Server Utilization – less overprovisioning of servers; Without Network Virtualization: 60% Asset Utilization]


Data Centre Security

A Better Way

[Figure: perimeter-only model – “Hard Shell on the Outside”, “Soft on the Inside”; Physical Workloads]


Secure Micro-Segmentation in the Data Center




Secure Micro-Segmentation with VMware NSX






Operational Model


NSX Distributed Firewall – Overview

Hypervisor Kernel Embedded Firewall:

• Built directly in to the Hypervisor

• Near Line-Rate Performance

• Removes dependence on Guest based Firewall

• L2-4 Stateful East/West Firewalling

Distributed to Every VM:

• No “Choke Point”

• Policy independent of VM location

• Enforcement closest to VM


Distributed Firewall – Use Cases


[Figure: three use cases – Isolation (Dev, Test, Production: No Communication Path); Segmentation (Web, App, DB: Controlled Communication Path); Advanced Services (Web, App, DB: Controlled Communication Path)]


[Figure: Internet – Security Policy – Perimeter Firewalls – Cloud Management Platform]

NSX Distributed Firewall for vMotion

• Hypervisor-based, in-kernel distributed firewalling

• Platform-based automated provisioning and workload adds/moves/changes



[Figure: PCI / Non-PCI / Private zones]

Automated Security in a Software Defined Data Center – Data Center Micro-Segmentation

[Figure: Network-Segmentation or Micro-Segmentation – Multi-Tier, Multi-subnet (Web, App and Database VMs behind an NSX Load Balancer, tiers separated by an NSX Distributed Router) or Multi-Tier, Single-subnet (Web, App and DB VMs behind an NSX Load Balancer on one subnet)]


Current SDN Technologies


Software Defined Networking – Layers

Consumption

• How an end user consumes SDN

• Build Networks and security services via WebUI, REST API (XML, JSON), Python Scripts etc.

• e.g. vRealize Automation, CloudForms, ServiceMesh, CloudFoundry

Management

• Configuration interface: REST XML API or WebUI

• e.g. vCenter, NSX Manager, APIC, OpenStack

Control Plane

• Programs Data Plane

• Provides: API northbound, OpenFlow or proprietary southbound

• e.g. NSX Controller, ACI N9K Spine switch, Contrail, OpenDaylight

Data Plane

• Forwards Packets

• Provides: workload connectivity & services processing

• e.g. hypervisors, physical switches and appliances



Hardware-based SDN




The anatomy of the most agile & efficient data centers is SDDC

[Figure: Google / Facebook / Amazon Data Centers – Custom Application on a Custom Platform, over Software / Hardware Abstraction, on Any x86, Any Storage, Any IP network]

Facebook “6-pack”: the first open hardware modular switch. 12 switching elements, 1.28 Tbit/s each


[Figure: “New IT” will be SDDC – Software Defined Data Center (SDDC): Any Application on the SDDC Platform, on Any x86, Any Storage, Any IP network; shown for Data Center Virtualization, Public Data Center and Hybrid Data Center]


NSX Service Composer


NSX Service Composer

Security services are consumed more efficiently in a software-defined datacenter

[Figure: VMware Network and Security Platform – Security Tags, Security Groups, Security Policies, Service Insertion]


NSX Service Composer – Security Group

Security Group (SG) – Container of VMs by IP, Security tag, switch etc. Defines what you want to protect.

• e.g. “PCI DSS Zone”, “DMZ”, “Quarantine Zone”

Virtual Machines that belong to this container.

• e.g. “Apache-Web-VM”, “Exchange-Server-VM”

Included Security Groups – Nested containers

• e.g. “Quarantine Zone” is a sub group within “PCI DSS Zone”

Security Policies – collection of Security Policy Objects (SPOs) assigned to this Security Group. How you want to protect this container.

• Can have multiples with weighting

• e.g. “PCI Compliance Policy”

Security Policy Objects:

Guest Introspection

• Anti-virus

• Vulnerability Management

• Data Loss Prevention (DLP)

Firewall Rules

• Inbound, Outbound, Intra-Zone

• Allow, Deny, and Log

Network Introspection – 3rd party services integrated via NetX

• Intrusion Prevention (IPS)

• Nextgen F/W


Automated Security in a Software Defined Data Center – Quarantine Vulnerable Systems until Remediated

Security Group = Virtual_Desktops

Members = {Connected to VDI-01-Logical-Switch}

Policy = Standard Desktop

Security Group = Quarantine Zone

Members = {Tag = ‘ANTI_VIRUS.VirusFound’}

Policy = Quarantine Zone

Policy Standard Desktop

• Anti-Virus – Scan

Policy Quarantine Zone

• Firewall – Permit remediation, deny all

• Anti-Virus – Scan and remediate
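The quarantine workflow above, modelled in Python as an added example (this is not VMware code and does not use the NSX API): security groups whose membership is computed from a VM's logical switch or security tag, policies with a weight that decides which group's rules apply first, and first-match evaluation of the resulting rule set. The remediation server name, the policy weights, the individual rules under each policy and the deny default for unmatched traffic are assumptions made for the model; the two groups, their membership criteria and the policy names are the ones on the slide.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class VM:
    name: str
    logical_switch: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]   # dynamic membership, re-evaluated on every lookup
    policy: str                        # name of the Security Policy assigned to the group


@dataclass
class Policy:
    name: str
    weight: int                        # higher weight is applied first when a VM is in several groups
    av_action: str                     # guest introspection (anti-virus) action
    firewall_rules: List[Tuple[str, str, str]]   # (direction, peer, action); peer "any" is a wildcard


# Constructed sample mirroring the slide's two groups. The remediation server name,
# the weights and the exact rules under each policy are assumptions of this model.
REMEDIATION_SERVER = "AV-Remediation-Server"

GROUPS = [
    SecurityGroup("Virtual_Desktops",
                  lambda vm: vm.logical_switch == "VDI-01-Logical-Switch",
                  "Standard Desktop"),
    SecurityGroup("Quarantine Zone",
                  lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
                  "Quarantine Zone"),
]

POLICIES = {
    "Standard Desktop": Policy("Standard Desktop", weight=1000, av_action="scan",
                               firewall_rules=[("out", "any", "allow"),
                                               ("in", "any", "allow")]),
    "Quarantine Zone": Policy("Quarantine Zone", weight=5000, av_action="scan and remediate",
                              firewall_rules=[("out", REMEDIATION_SERVER, "allow"),
                                              ("in", REMEDIATION_SERVER, "allow"),
                                              ("out", "any", "deny"),
                                              ("in", "any", "deny")]),
}


def groups_for(vm: VM) -> List[str]:
    """Security groups the VM currently belongs to (computed, never configured per VM)."""
    return [g.name for g in GROUPS if g.criterion(vm)]


def effective_policies(vm: VM) -> List[Policy]:
    """Distinct policies applying to the VM, highest weight first."""
    names: List[str] = []
    for g in GROUPS:
        if g.criterion(vm) and g.policy not in names:
            names.append(g.policy)
    return sorted((POLICIES[n] for n in names), key=lambda p: -p.weight)


def av_action(vm: VM) -> str:
    """Guest-introspection action taken from the highest-weight policy ('none' if no group matches)."""
    policies = effective_policies(vm)
    return policies[0].av_action if policies else "none"


def decide(vm: VM, direction: str, peer: str) -> str:
    """First-match evaluation over the rules of all effective policies, in weight order.
    Unmatched traffic is denied (zero-trust default, an assumption of this model)."""
    for policy in effective_policies(vm):
        for rule_dir, rule_peer, action in policy.firewall_rules:
            if rule_dir == direction and rule_peer in ("any", peer):
                return action
    return "deny"


def antivirus_event(vm: VM, virus_found: bool) -> List[str]:
    """Simulates the AV service setting or clearing the tag; returns the VM's new group list."""
    if virus_found:
        vm.tags.add("ANTI_VIRUS.VirusFound")
    else:
        vm.tags.discard("ANTI_VIRUS.VirusFound")
    return groups_for(vm)


if __name__ == "__main__":
    desktop = VM("WIN10-VDI-07", "VDI-01-Logical-Switch")   # constructed VM on the VDI switch
    print(groups_for(desktop), decide(desktop, "out", "Intranet-Web"), av_action(desktop))
    antivirus_event(desktop, True)     # AV scan finds malware and tags the VM
    print(groups_for(desktop), decide(desktop, "out", "Intranet-Web"),
          decide(desktop, "out", REMEDIATION_SERVER), av_action(desktop))
    antivirus_event(desktop, False)    # remediation clears the tag
    print(groups_for(desktop), decide(desktop, "out", "Intranet-Web"))
```

The point the model makes is that nobody edits a firewall rule when a desktop becomes infected: the tag changes, the VM's group membership follows, and because the quarantine policy carries the higher weight its "permit remediation, deny all" rules are evaluated before the standard desktop's allow rules. Clearing the tag reverses the whole sequence.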


Building a Zero-Trust Model


Forrester Zero Trust Model


“In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust."”


Zero-Trust with NSX – Stage 1








Resulting Policy


Layer 4 – 7 Advanced Services Insertion


NSX and Palo Alto Networks VM Series Firewall

Distributed Firewall Optimal Traffic Steering – Web Tier

• Rule1: Any to Web – PAN Insertion

• Rule2: Web to App – DFW Permit

• Rule3: Web to Web – DFW Deny
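The traffic-steering rule set above, together with the Distributed Firewall properties listed in the overview (stateful L2-4 east/west filtering, enforcement at every VM rather than at a choke point, policy keyed on group membership rather than on IP or location), as an added Python model. It is not VMware code and not the NSX rule engine; the VM names and tiers in the inventory, the connection-table representation and the deny default for traffic no rule matches are assumptions. Rules are evaluated top-down with first match winning, so the two specific in-kernel rules are placed ahead of the wildcard "Any to Web" steering rule: evaluated in the numbered order, Web-to-Web traffic would be steered to the NGFW instead of being dropped in the hypervisor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: VM name -> tier. Tier is what the slide's Web/App/DB
# security groups express; the names and the External tier are assumptions.
INVENTORY: Dict[str, str] = {
    "web-01": "Web", "web-02": "Web",
    "app-01": "App",
    "db-01": "DB",
    "internet-client": "External",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # tier name or "any"
    dst: str      # tier name or "any"
    action: str   # "redirect:PAN" (service insertion), "permit" or "deny"


# The slide's three rules, listed in evaluation order: specific rules first,
# the wildcard steering rule last, so that every rule is reachable.
RULES: List[Rule] = [
    Rule("Rule2", "Web", "App", "permit"),
    Rule("Rule3", "Web", "Web", "deny"),
    Rule("Rule1", "any", "Web", "redirect:PAN"),
]

Flow = Tuple[str, str, str, int, int]   # (src_vm, dst_vm, proto, sport, dport)


class DistributedFirewall:
    """One vNIC-level enforcement point: rules keyed on group membership, a
    connection table for stateful matching, and deny for anything unmatched
    (the default is an assumption; the slide lists only the three rules)."""

    def __init__(self, rules: List[Rule] = RULES, inventory: Dict[str, str] = INVENTORY):
        self.rules = rules
        self.inventory = inventory
        self.connections: Set[Flow] = set()

    def first_match(self, src_tier: str, dst_tier: str) -> Optional[Rule]:
        """Top-down, first matching rule; None when no rule applies."""
        for rule in self.rules:
            if rule.src in ("any", src_tier) and rule.dst in ("any", dst_tier):
                return rule
        return None

    def decide(self, src: str, dst: str, proto: str, sport: int, dport: int) -> str:
        # Return packets of an already permitted flow pass on state, not on a rule:
        # App -> Web replies are allowed although no rule permits App -> Web.
        if (dst, src, proto, dport, sport) in self.connections:
            return "permit (established)"
        rule = self.first_match(self.inventory[src], self.inventory[dst])
        action = rule.action if rule else "deny"
        if action == "permit":
            self.connections.add((src, dst, proto, sport, dport))
        return action


if __name__ == "__main__":
    fw = DistributedFirewall()
    # Constructed flows: an inbound client connection, a web-to-app call, its reply,
    # and lateral web-to-web traffic.
    for flow in [("internet-client", "web-01", "tcp", 51000, 443),
                 ("web-01", "app-01", "tcp", 52000, 8080),
                 ("app-01", "web-01", "tcp", 8080, 52000),
                 ("web-01", "web-02", "tcp", 53000, 22),
                 ("app-01", "db-01", "tcp", 54000, 3306)]:
        print(flow, "->", fw.decide(*flow))
```

Only traffic entering the web tier reaches the Palo Alto appliance; web-to-app and web-to-web decisions are made in the kernel at the source VM's vNIC, and a reply to a permitted flow needs no rule of its own. Because the inventory is keyed on tier and not on host or IP, moving a VM to another host leaves every decision unchanged.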





Complexity driven by applications / E-W traffic flows






• East-West traffic hairpins across the perimeter Firewall

• Complex static inter zone routing

• Requires punching holes across security zones

• Internal security zones exposed on perimeter devices


Zero-Trust Model Implementation with NSX

[Figure: Any devices over any networks – App gateways and perimeter devices – Admin jump points – Common Services (EDS, AD, DB) – Applications: Exchange roles Edge Transport (Routing and AV/AS), Client Access (Client connectivity, Web services), Hub Transport (Routing and policy), Mailbox (Storage of mailbox items), Unified Messaging (Voice mail and voice access); ports shown between zones: 25, 50636, 135, 389, 3268, 88, 53, 135 to AD, 443, RPC, 808, 5060, 5061, 5062, dynamic]


In Summary

A Good Security Approach Requires

• Zero-Trust: Don’t Trust Anyone, Verify Always

• Control at the Perimeter alone is not enough

NSX with Distributed Firewall Provides

• Easy Enforcement of East/West Policy

• Security Policy that Follows the Workload

• Enforcement at the Smallest Unit of Trust

• Easy Hardening of Data Centre Core through Micro-segmentation

• Integration with Best-of-Breed Security Vendors




