
VMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall


VMworld 2013

Srinivas Nimmagadda, VMware
Shadab Shah, VMware

Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare


  1. Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
     Srinivas Nimmagadda, VMware
     Shadab Shah, VMware
     SEC5894 #SEC5894
  2. Agenda
     • Introduce NSX Firewall
     • Architecture and Packet Path for NSX Firewall
     • Demonstrate powerful provisioning paradigms of NSX Firewall
       • 3-Tier Application – (3 VXLANs) or (1 VXLAN)
       • Multi-Tenant Scenario
     • Troubleshooting NSX Firewall
     • Deployment of NSX Firewall (RBAC, Audit Logging, …)
     • Monitoring NSX Firewall
  3. Hypervisor Kernel Embedded Firewall
     Benefits…
     • Is built right in to the Hypervisor
     • “Line Rate” Performance (15Gbps+ per host)
     • No VM can circumvent Firewall
     • Better compliance model
  4. Distributed Virtual Firewall
     (Diagram: VMs spread across hosts, each with its own enforcement point)
     Benefits…
     • No “Choke Point”
     • Scale Out
     • Enforcement closest to VM
  5. Flexible Access Control Mechanisms
     (Diagram: VMs grouped by IP/VLAN, Security Group and Asset Tag)
     Benefits…
     • IP/VLAN: Support physical infrastructure based rules
     • Security Groups: Logical grouping of VMs
     • VM Asset Tags: Dynamic VM attributes
     • Rules follow the VMs
  6. Identity Based Access Control
     Active Directory user Eric Frost, IP: 192.168.10.75
     Rule Table:
       Source: Engineering | Destination: Ent-Sharepoint | Services: http | Action: Permit, Log
     Logs:
       User: Eric Frost | AD Group: Engineering | App Name: SPDesigner.exe | Originating VM Name: Eric-Win7 | Destination VM Name: Ent-Sharepoint | Source IP: 192.168.10.75 | Destination IP: 192.168.10.78
  7. Packet Path – Source & Destination on same Host
     (Diagram: External Network; Source and Destination VMs on one vSwitch. Slide footer: 8 | ©2012, Palo Alto Networks. Confidential and Proprietary.)
     • Traffic between two VMs on the same host does not hit the physical switch
     • Firewalling enforced close to the source VM
     • Firewalling also done as traffic enters the Destination VM’s vNIC
  8. Packet Path – Traffic across Hosts
     (Diagram: External Network; Source and Destination VMs on separate vSwitches on different hosts)
     • Traffic between two VMs on different hosts hits the physical switches
     • Firewalling enforced at source and destination VM vNICs
     • Similar flow for Virtual to Physical Traffic
  9. Firewall Management Life Cycle
     • Prepare: Deploy firewall on hosts; Enable Logging; VMTools for VMs, Activity Monitoring
     • Policy: vCenter Objects; Configure Access Rules; Sections
     • Troubleshoot: Logs with Rule IDs; Rule Hit Count; Enforced Rules on a Host; Packet Captures
     • Monitor: Flow Monitoring; Activity Monitoring
     • Operations: Audit Tracking; Role Based Access Control; Import/Export of Configurations
 10. Prepare
     • Deploy Firewall
     • Enable Logging
     • Deploy VMTools
 11. Deploy NSX Firewall
 12. Network Setup
 13. Enable Firewall Logging
     Syslog.global.logHost = tcp://10.24.131.189:514
 14. Enable VMTools
 15. Policy
     • Policy Objects
     • Access Control Rules
 16. 3-Tier Application Deployment
     External Networks
     • Client Logical Switch Vxlan-5000: Client-01, Client-02
     • Web Services Logical Switch Vxlan-5002: Web-sv-01a
     • App Services Logical Switch Vxlan-5003: App-sv-01a
     • DB Services Logical Switch Vxlan-5001: Db-sv-01a
     • Single Logical Switch Vxlan-5004: Web-sv-02a, App-sv-02a, Db-sv-02a
 17. Create Security Groups (Static VM Assignment)
 18. Create Security TAGs for PCI & DevTest Zones
 19. Define AD Domain (for IDFW Rules)
 20. Create User Based Access Rules
 21. Multi-Tenancy With NSX Firewall
     (Diagram: External Networks; Tenant 1 Logical Switch and Tenant 2 Logical Switch, each with its own VMs; Routing, VPN, NAT; Tenant Specific Micro-segmentation)
 22. Tenant-01 Access Rules
     Objects: ALL-CUST-VXLANS, Tenant01-VXLAN, Tenant02-VXLAN, Tenant01-Services (192.168.10.0/24), Tenant02-FIN-Apps (192.168.10.0/24)
     Tenant-01 Section:
       Source          | Destination       | Services | Action | Apply To
       Tenant01-VXLAN  | Tenant01-Services | Any      | Permit | Tenant01-VXLAN
       …               | …                 | …        | …      | Tenant01-VXLAN
       Tenant01-VXLAN  | Tenant01-VXLAN    | Any      | Deny   | Tenant01-VXLAN
     SP Tenant-01 Section (Apply To: Tenant01-VXLAN):
       Source          | Destination       | Services | Action
       ALL-CUST-VXLANS | Tenant01-VXLAN    | Any      | Deny
       Tenant01-VXLAN  | ALL-CUST-VXLANS   | Any      | Deny
 23. Tenant-02 Access Rules
     Tenant-02 Section:
       Source           | Destination       | Services    | Action      | Apply To
       Tenant02-FINANCE | Tenant02-FIN-Apps | http, https | Permit, log | Tenant02-VXLAN
       …                | …                 | …           | …           | Tenant02-VXLAN
       Tenant02-VXLAN   | Tenant02-VXLAN    | Any         | Deny        | Tenant02-VXLAN
     SP Tenant-02 Section (Apply To: Tenant02-VXLAN):
       Source           | Destination       | Services    | Action
       ALL-CUST-VXLANS  | Tenant02-VXLAN    | Any         | Deny
       Tenant02-VXLAN   | ALL-CUST-VXLANS   | Any         | Deny
 24. Host And Network Security Services
     Anti Virus, Vulnerability Scanner, DLP, IPS, NGFW
 25. Dynamic Security Group Membership
     Firewall Rule Table
 26. Troubleshooting
     • Log → Policy
     • Rule Hit Count
     • Enforced Per Host Rules
     • Packet Capture
 27. vCenter Host Kernel Log
 28. Log Insight
       Source         | Dest          | SPORT | DPORT | Action | Rule ID
       10.113.132.192 | 172.25.40.101 | 62517 | 3389  | DROP   | 1011
 29. Lookup Rules By ID
 30. Rule Statistics
 31. Per VM Rules
     > summarize-dvfilter
     > vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
     ruleset domain-c7 {
       # Filter rules
       rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
       rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
       rule 1002 at 11 inout protocol any from any to any accept with log;
     }
     ruleset domain-c7_L2 {
       rule 1001 at 1 inout ethertype any from any to any accept;
     }
 32. Packet Capture
     • summarize-dvfilter
     • pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap
 33. Monitoring
     • Flow Monitor
     • Activity Monitor
 34. Flow Monitoring
     • All flows from the VMs accumulated on NSX Manager
     • Provides aggregated historic data for dropped, active and inactive flows
 35. Flow Monitoring, Details
 36. Live Flows
 37. Enable Activity Monitoring for VMs
 38. Activity Monitoring
 39. Operations
     • Audit Log
     • Users & RBAC
     • Config Backup/Restore
 40. Audit Log
 41. User Management & RBAC
 42. Firewall Config Backup/Restore
 43. Summary
     NSX Firewall: East/West Traffic Control; Identity & VM Awareness; High Performance & Scale-out
     Operational Workflows: Policy Management; Troubleshooting; Monitoring; RBAC; REST API & Automation
     Take Aways: Enables Business Agility; Delivers Superior Performance & Scale; Simplifies Firewall Management
 44. Other VMware Activities Related to This Session
     • HOL: HOL-SDC-1303 VMware NSX Network Virtualization Platform
     • Group Discussions: SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik
 45. THANK YOU
 46. Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
     Srinivas Nimmagadda, VMware
     Shadab Shah, VMware
     SEC5894 #SEC5894
 47. The Transformative Value of Network Virtualization
     Labor/OPEX Savings · Innovation Speed & New Business
     83% Reduction* · 88% Reduction* · 93% Reduction* · Increase in Business Velocity
     * Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending. Source: Large US-based Financial Services company
     • Valuable labor moves to SDDC architects, away from high-cost siloed orgs
     • Manual design, config & deploy moves to automated / self service provisioning
     • Complex / custom hardware configuration moves to simplified IP forwarding
     • Box-based net security moves to centrally defined, scale-out security policies
     • Physical Infra labor moves to “rack-n-stack” with limited “operator” functions
     • Adds/moves/changes no longer require full manual re-provisioning effort
 48. Introducing VMware NSX
     2013: vCNS v5.1; vCloud Suite (Network & Security) v5.1; vCloud Suite (Network & Security) v5.5
     2014: vCloud Network & Security
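Added example, not from the deck: a small Python helper that parses the vsipioctl getrules dump shown on the Per VM Rules slide and resolves the Rule ID column of the Log Insight slide against it, so the Rule Hit Count and Lookup Rules By ID steps of the troubleshooting slides can be run over exported logs. The log records are constructed (only the first row comes from the slide), and a rule ID that appears in the logs but not in the host's enforced ruleset is reported separately, since that is the first thing to check when a log line and the policy on the host disagree.

```python
import re
from collections import Counter

# Rule dump exactly as shown on the "Per VM Rules" slide (vsipioctl getrules output).
RULESET_TEXT = """ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}"""

# One getrules line: L3 rules say "protocol", the L2 ruleset says "ethertype".
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\w+) (?:protocol|ethertype) (?P<proto>\w+) "
    r"from (?P<src>addrset \S+|any) to (?P<dst>addrset \S+|any)"
    r"(?: port (?P<port>\d+))? (?P<action>accept|drop|reject)(?P<log> with log)?;")

def parse_rules(text):
    """Turn the getrules dump into one dict per rule line (a rule ID may expand to several lines)."""
    rules = []
    for m in RULE_RE.finditer(text):
        d = m.groupdict()
        rules.append({"id": int(d["id"]), "pos": int(d["pos"]), "dir": d["dir"],
                      "proto": d["proto"], "src": d["src"], "dst": d["dst"],
                      "port": int(d["port"]) if d["port"] else None,
                      "action": d["action"], "log": d["log"] is not None})
    return rules

# Constructed log records in the column order of the "Log Insight" slide:
# (Source, Dest, SPORT, DPORT, Action, Rule ID). Only the first row is the slide's own.
SAMPLE_LOG = [
    ("10.113.132.192", "172.25.40.101", 62517, 3389, "DROP", 1011),
    ("192.168.10.75", "192.168.10.78", 50112, 80, "PASS", 1024),
    ("192.168.10.75", "192.168.10.78", 50113, 443, "PASS", 1024),
]

def lookup_rule(rules, rule_id):
    """'Lookup Rules By ID': every enforced rule line carrying this ID, in position order."""
    return sorted((r for r in rules if r["id"] == rule_id), key=lambda r: r["pos"])

def rule_hit_counts(log):
    """'Rule Hit Count' from logs: hits per (rule ID, action) pair."""
    return Counter((rec[5], rec[4]) for rec in log)

def unresolved_rule_ids(log, rules):
    """Rule IDs logged but absent from this host's enforced rules (policy not pushed, or wrong host)."""
    enforced = {r["id"] for r in rules}
    return sorted({rec[5] for rec in log} - enforced)
```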
