This deck discusses how the VMware NSX Distributed Firewall changes the economics of firewall services in software-defined data centers. It presents a distributed virtual firewall architecture that is embedded in the hypervisor, enforced at each host, and managed centrally. Because rules are expressed in terms of VM attributes (security groups, tags, user identity) rather than IP addresses, policy follows a VM as it is tagged, patched or migrated, and east-west traffic no longer has to be hair-pinned through a choke-point appliance. The distributed firewall also offers line-rate performance, scale-out capacity and integration with other security services such as vulnerability scanners.
VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
1. Changing the Economics of Firewall Services in the
Software-Defined Center –
VMware NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Anirban Sengupta, VMware
SEC5893
#SEC5893
5. Virtualization - Changing Dynamics
[Diagram: campus and core network with the firewall as a choke point]
• VM – VM traffic doesn’t hit the network
• IP Address Based Rule Sets
• Scalability Issues
• Complex Firewall Rule Tables
• Firewall – “Choke Point”
6. Firewall as a VM
• IP Address Based Rule Sets
• Server Consolidation Issues
• Virtual Appliance Issues
• VM Firewall – Still a bottleneck
• vMotion & App Placement Issues
7. Wouldn’t It Be Great If My Firewall…
• Removes the need to hair-pin traffic
• Enables Rules based on VM attributes
• Provides High Performance & Scale
• API based Programmability
8. Distributed Virtual Firewall
[Diagram: many VMs spread across the data center, each covered by the distributed firewall]
Focus
• Custom built for Virtual Data Centers
• Distributed Enforcement
• Centralized Management
• Performance & Scale
9. DVFW – Hypervisor Embedded Firewall
[Diagram: three ESXi hosts, each running VMs with a FW instance inside the hypervisor]
Benefits…
• Is built right into the Hypervisor and is lightning fast
• “Line Rate” Performance (10Gbps+ per host)
• No VM can circumvent the Firewall: enforcement sits at the vNIC, below the guest
10. DVFW – Scale Out Architecture
[Diagram: three ESXi hosts, each with its own VMs and FW instance]
Benefits…
• Scales with additional “Hosts”
• No “Fork Lift” upgrade to get better scale
11. DVFW – Flexible Access Control Mechanisms
[Diagram: three ESXi hosts, each running Web, App and DB VMs behind a local FW instance]
Benefits…
• Security Groups: Logical grouping of VMs
• VM Tags: Dynamic VM attributes
• User Identity: Identity based firewall
• IP/VLAN: Support physical infrastructure based rules
• Rules follow the VMs
12. Identity & Application Visibility
[Diagram: Active Directory user Eric Frost logged into a VM, flow inspected by the ESXi FW]

User | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP
Eric | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78
13. DVFW – Centralized Management
[Diagram: two ESXi hosts with three VMs each, managed from one place]
• Reuse vCenter Objects
• Single Rule Table
• Role Based (RBAC) Control
• Full REST API
• Familiar “Apply To” Model
• Central Monitoring
16. Vulnerability Scan + Firewall Use Case
• Security Architect: Deny outbound traffic from “Quarantine” VMs
• Vulnerability Scanner: Identifies serious vulnerabilities in APP-VM-6 and tags the VM as a “Quarantine” system
• Firewall: Blocks outbound traffic from APP-VM-6
• Security Operations: Patches the OS/Application to address the vulnerability
• Vulnerability Scanner: APP-VM-6 is no longer a “Quarantine” machine
• Firewall: Outbound traffic from APP-VM-6 permitted
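The mechanism behind slides 9, 11, 12 and 16 is that the rule table never names an IP address: rules reference security groups, group membership is a predicate over VM attributes (tags, the logged-in user's AD groups), and the match is made at the vNIC, where the hypervisor already knows which VM emitted the frame. The following Python model is an added example, not NSX code and not its API; the VM names, hosts, IPs, tag strings and rule names are constructed for the illustration. It walks the quarantine sequence from slide 16 (tag added, VM migrated, tag removed) against a rule table that is never edited, and shows why a VM spoofing a peer's address cannot borrow that peer's permissions.

```python
# Added illustrative model of attribute-based distributed firewall policy.
# Not NSX code; VM names, hosts, IPs, tags and rule names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    host: str                                          # ESXi host (changes on vMotion)
    ip: str
    tags: Set[str] = field(default_factory=set)        # dynamic tags, e.g. set by a scanner
    ad_groups: Set[str] = field(default_factory=set)   # AD groups of the logged-in user


@dataclass
class Rule:
    name: str
    src: Optional[str]   # security group name; None means any
    dst: Optional[str]
    action: str          # "allow" or "deny"


# Security groups are predicates over VM attributes, evaluated at match time,
# so a tag change or a vMotion is picked up without touching the rule table.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "Quarantine":  lambda vm: "Quarantine" in vm.tags,
    "Web":         lambda vm: "tier:web" in vm.tags,
    "DB":          lambda vm: "tier:db" in vm.tags,
    "SharePoint":  lambda vm: "app:sharepoint" in vm.tags,
    "Engineering": lambda vm: "Engineering" in vm.ad_groups,   # identity-based group
}

# One rule table shared by every host; first match wins; implicit default deny.
RULES: List[Rule] = [
    Rule("quarantine-outbound", "Quarantine",  None,         "deny"),
    Rule("web-to-db",           "Web",         "DB",         "allow"),
    Rule("eng-to-sharepoint",   "Engineering", "SharePoint", "allow"),
]


def groups_of(vm: VM) -> Set[str]:
    return {name for name, member in GROUPS.items() if member(vm)}


def decide(src: VM, dst: VM, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Match a flow against the rule table. src is the VM behind the emitting vNIC."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule in rules:
        if (rule.src is None or rule.src in src_groups) and \
           (rule.dst is None or rule.dst in dst_groups):
            return rule.action, rule.name
    return "deny", "default"


def egress(src: VM, claimed_src_ip: str, dst: VM) -> Tuple[str, str]:
    """vNIC-level enforcement. The filter sits between the VM and the vSwitch, so the
    VM's identity, not the source address it writes into the packet, selects the
    rules; a frame carrying another VM's address is dropped before policy is consulted."""
    if claimed_src_ip != src.ip:
        return "drop", "anti-spoof"
    return decide(src, dst)


def quarantine_workflow() -> List[Tuple[str, str]]:
    """The scan-and-quarantine sequence from the slide, as the decision at each step."""
    app = VM("APP-VM-6", "esxi-01", "10.0.1.6", {"tier:web"})   # constructed inventory
    db = VM("DB-VM-1", "esxi-02", "10.0.2.1", {"tier:db"})
    steps = [decide(app, db)]             # baseline: allowed by web-to-db
    app.tags.add("Quarantine")            # scanner finds a serious vulnerability
    steps.append(decide(app, db))         # denied; no rule was edited
    app.host = "esxi-03"                  # vMotion: the rule follows the VM
    steps.append(decide(app, db))
    app.tags.discard("Quarantine")        # patched, re-scanned, tag removed
    steps.append(decide(app, db))         # permitted again
    steps.append(egress(app, db.ip, db))  # spoofing the DB's address gains nothing
    return steps


def identity_check() -> Tuple[str, str]:
    """Identity-based rule: membership comes from the user logged into the VM (slide 12)."""
    eric = VM("Eric-Win7", "esxi-01", "192.168.10.75", ad_groups={"Engineering"})
    sharepoint = VM("Ent-Sharepoint", "esxi-02", "192.168.10.78", {"app:sharepoint"})
    return decide(eric, sharepoint)


if __name__ == "__main__":
    for step in quarantine_workflow():
        print(step)
    print(identity_check())
```

Two points the model makes concrete: the scanner and the operations team only ever change an attribute on the VM, and the security architect's rule is written once; and because the match key is the emitting vNIC rather than the source IP, a compromised VM that rewrites its source address is dropped by the anti-spoof check rather than evaluated against a neighbour's rules.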
21. N-S Firewall, E-W Router / Firewall Logical Topology
[Diagram: north-south services at the physical edge, east-west routing and firewalling distributed in the hypervisor]
• Physical Routing Edge (OSPF, iBGP) connecting to the Physical Network Fabric
• FW HA Pair (High Throughput & CPS): NAT, FW, VPN, LB; High Port Density Router & Firewall
• VXLAN Transit/Uplink Network between the edge and Network Virtualization
• Distributed Router & Firewall; LB, DHCP (One-arm)
• Logical networks NET 1, NET 2, NET 3 ……….. NET 1000, with VLAN last mile
• 3-tier App: WebFrontEnds, AppTier, DatabaseBackends
22. 22
WAN /
INTERNET /
Corp backbone
Model for Routing & L4-L7 Services
FW/Routing - Phy. Or Virtual
Appiance
Features: NAT,
Perimeter Firewall,
SSLVPN, IPsec VPN,
GSLB, DNS
Routing
L2 Bridge
Distributed Routing
One-armed LB
Features: Server
Loadbalancing, DHCP,
L2VPN
Features: Distributed
ACLs in OVS, anti-spoof
control
Logical L2
23. Other VMware Activities Related to This Session
HOL: HOL-SDC-1303 – VMware NSX Network Virtualization Platform
Group Discussions: SEC1000-GD – Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik