The document discusses security challenges in shared networks within VMware NSX, highlighting issues like traffic sniffing and spoofing. It outlines solutions including network offering configurations, security appliances, and automation scripts for enhancing security. A specific focus is on the DHCP spoofing and spoofguard functionalities of NSX for detecting and blocking unauthorized IPs.

1. Security in Shared Networks
with VMware NSX
Alireza Eskandari

2. SPONSORED BY:

3. whoami
 Manager of Cloud Services at Afranet
 Senior DevOps Engineer at Snapp!
 Senior Cloud Engineer at Solvians

4. Shared Networks
 A type of network offerings in CloudStack
 Users share a common L2 and L3 network
 Useful when you want assign public IPs directly to VMs

5. Security Concerns
 Traffic sniffing
 MAC spoofing
 IP spoofing
 DHCP spoofing

6. Solution
 Network offering configuration
 Security appliances

7. Service Offering Configuration
 Traffic Spoofing
 MAC Spoofing

8. Service Offering Configuration

9. Security Appliances
Vmware NSX
 Firewall
 DHCP Spoofing
 SpoofGuard
 IP Spoofing

10. NSX Configuration
 No control plane
 No VXLAN
 Only enable firewall

15. DHCP Protocol

36. SpoofGuard
 Detects VMs IPs by ARP or/and DHCP traffic
 Blocks packets from VMs which their IPs are not approved
 Detects IP conflicts

43. Automation Script
 A python script uses NSX and CloudStack API to
automate the procedure.
 https://github.com/aleskxyz/cloudstack-spoofguard-manager

44. Thanks for your attention!