Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Anirban Sengupta, VMware
SEC5893 / #SEC5893
Business Needs
• Agility
• Flexibility
• Elasticity/Scalability
• Simplicity
Business Challenges – Reality
• Inflexible Networks
• Archaic Security
• Perf/Scale Issues
• Complex Rule Bases
Data Center Firewall Architecture
[Diagram: Campus Core – Core Layer – Aggregation Layer – Access Layer]
Application Profiles Changing…
[Diagram: Campus Core; Client – Server & Web 1.0 (Server); 3-Tier Apps (Web / App / DB); Web 2.0, Portals, Enterprise Apps]
Virtualization – Changing Dynamics
[Diagram: Campus Core]
• VM – VM traffic doesn’t hit the network
• IP Address Based Rule Sets
• Scalability Issues
• Complex Firewall Rule Tables
• Firewall – “Choke Point”
Firewall as a VM
• IP Address Based Rule Sets
• Server Consolidation Issues
• Virtual Appliance Issues
• VM Firewall – Still a bottleneck
• vMotion & App Placement Issues
Wouldn’t It Be Great If My Firewall…
• Removes the need to hair-pin traffic
• Enables Rules based on VM attributes
• Provides High Performance & Scale
• API based Programmability
Distributed Virtual Firewall
[Diagram: many VMs, each protected by the distributed firewall]
Focus
• Custom built for Virtual Data Centers
• Distributed Enforcement
• Centralized Management
• Performance & Scale
DVFW – Hypervisor Embedded Firewall
[Diagram: three ESXi hosts, each with a FW inside the hypervisor and its VMs]
Benefits…
• Is built right into the Hypervisor and is lightning fast
• “Line Rate” Performance (10Gbps+ per host)
• No VM can circumvent the Firewall
DVFW – Scale Out Architecture
[Diagram: ESXi hosts, each with its own FW; adding a host adds firewall capacity]
Benefits…
• Scales with additional “Hosts”
• No “Fork Lift” upgrade to get better scale
DVFW – Flexible Access Control Mechanisms
Benefits…
• Security Groups: Logical grouping of VMs
• VM Tags: Dynamic VM attributes
• User Identity: Identity based firewall
• IP/VLAN: Support physical infrastructure based rules
• Rules follow the VMs
[Diagram: three ESXi hosts, each running Web, App and DB VMs behind the host FW]
Identity & Application Visibility
[Diagram: Active Directory user Eric Frost; flow observed by the ESXi FW]
Flow record:
User: Eric
AD Group: Engineering
App Name: SPDesigner.exe
Originating VM Name: Eric-Win7
Destination VM Name: Ent-Sharepoint
Source IP: 192.168.10.75
Destination IP: 192.168.10.78
DVFW – Centralized Management
[Diagram: multiple ESXi hosts with VMs, managed from a single point]
• Reuse vCenter Objects
• Single Rule Table
• Role Based (RBAC) Control
• Full REST API
• Familiar “Apply To” Model
• Central Monitoring
Extensibility…
Security Service Insertion
[Diagram: Hypervisor hosting VMs with the DFW in the data path; services that can be inserted: AV, Vulnerability Scan, DLP, IPS, NG FW, APT]
Vulnerability Scan + Firewall Use Case (steps in order)
• Security Architect: Deny outbound traffic from “Quarantine” VMs
• Vulnerability Scanner: Identifies serious vulnerabilities in APP-VM-6 and tags the VM as a “Quarantine” system
• Firewall: Blocks outbound traffic from APP-VM-6
• Security Operations: Patches the OS/Application to address the vulnerability
• Vulnerability Scanner: APP-VM-6 is no longer a “Quarantine” machine
• Firewall: Outbound traffic from APP-VM-6 permitted
IPS Use Case
[Diagram: Hypervisor with VMs and the DFW, which forwards selected traffic to an IPS]
VMware DVFW
• High Throughput
• User, VM Segmentation
• Selective IPS Forward
IPS
• Signature Based IPS + Malware/APT
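The access-control slide (security groups, VM tags, rules that follow the VMs), the quarantine use case and the IPS use case above all rest on one mechanism: rules are written against groups whose membership is a predicate over VM attributes, and the verdict is enforced at the hypervisor of the source VM. The toy model below is an added example, not VMware code or the NSX API; every name in it (VM names, tags, group and rule names, host names, the "redirect-ips" action) is constructed for illustration. It replays the vulnerability-scan workflow step by step and also shows that a vMotion does not change the verdict, because nothing in the policy is keyed on host or IP.

```python
# Added example: toy model of tag-driven distributed firewall policy.
# Not VMware code; all VM, group, rule and host names are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    host: str                      # hypervisor the VM currently runs on
    ip: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Membership is a predicate over VM attributes, re-evaluated on every
    lookup, so a tag change moves a VM in or out without editing any rule."""
    name: str
    criteria: Callable[[VM], bool]


@dataclass
class Rule:
    name: str
    src: Optional[str]             # security group name; None = any source
    dst: Optional[str]             # security group name; None = any destination
    action: str                    # "allow", "deny" or "redirect-ips"
    dst_port: Optional[int] = None # None = any port


@dataclass
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int


class DistributedFirewall:
    """One centrally managed rule table, enforced at the source VM's host."""

    def __init__(self) -> None:
        self.vms: Dict[str, VM] = {}
        self.groups: Dict[str, SecurityGroup] = {}
        self.rules: List[Rule] = []    # ordered: first match wins, default deny

    def add_vm(self, vm: VM) -> None:
        self.vms[vm.name] = vm

    def add_group(self, group: SecurityGroup) -> None:
        self.groups[group.name] = group

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def members(self, group_name: str) -> Set[str]:
        crit = self.groups[group_name].criteria
        return {vm.name for vm in self.vms.values() if crit(vm)}

    def set_tag(self, vm_name: str, tag: str, present: bool) -> None:
        """What the scanner does: set or clear a tag on a VM."""
        tags = self.vms[vm_name].tags
        tags.add(tag) if present else tags.discard(tag)

    def vmotion(self, vm_name: str, new_host: str) -> None:
        """Moving a VM changes where enforcement happens, not what is enforced."""
        self.vms[vm_name].host = new_host

    def _in_scope(self, group: Optional[str], vm_name: str) -> bool:
        return group is None or vm_name in self.members(group)

    def evaluate(self, flow: Flow) -> str:
        for rule in self.rules:
            if (self._in_scope(rule.src, flow.src_vm)
                    and self._in_scope(rule.dst, flow.dst_vm)
                    and rule.dst_port in (None, flow.dst_port)):
                return rule.action
        return "deny"

    def enforcement_point(self, flow: Flow) -> str:
        """The source VM's hypervisor applies the verdict; no hair-pinning."""
        return self.vms[flow.src_vm].host


def build_policy() -> DistributedFirewall:
    dfw = DistributedFirewall()
    for vm in (VM("WEB-VM-1", "esx-01", "10.0.1.11", {"web"}),
               VM("APP-VM-6", "esx-01", "10.0.2.16", {"app"}),
               VM("DB-VM-1", "esx-02", "10.0.3.11", {"db"})):
        dfw.add_vm(vm)
    dfw.add_group(SecurityGroup("Quarantine", lambda vm: "Quarantine" in vm.tags))
    dfw.add_group(SecurityGroup("WebTier", lambda vm: "web" in vm.tags))
    dfw.add_group(SecurityGroup("AppTier", lambda vm: "app" in vm.tags))
    dfw.add_group(SecurityGroup("DBTier", lambda vm: "db" in vm.tags))
    # The Quarantine deny sits first so it overrides the tier allows as soon
    # as a VM is tagged; web-to-app traffic is steered to the inserted IPS.
    dfw.add_rule(Rule("deny-quarantine-egress", "Quarantine", None, "deny"))
    dfw.add_rule(Rule("web-to-app-via-ips", "WebTier", "AppTier", "redirect-ips", 8080))
    dfw.add_rule(Rule("app-to-db", "AppTier", "DBTier", "allow", 3306))
    return dfw


def quarantine_scenario() -> List[str]:
    """Replays the vulnerability-scan use case; returns the verdict per step."""
    dfw = build_policy()
    app_to_db = Flow("APP-VM-6", "DB-VM-1", 3306)
    verdicts = [dfw.evaluate(app_to_db)]            # normal operation
    dfw.set_tag("APP-VM-6", "Quarantine", True)     # scanner finds a serious vuln
    verdicts.append(dfw.evaluate(app_to_db))
    dfw.vmotion("APP-VM-6", "esx-03")               # VM moves; rule follows it
    verdicts.append(dfw.evaluate(app_to_db))
    dfw.set_tag("APP-VM-6", "Quarantine", False)    # SecOps patches, tag cleared
    verdicts.append(dfw.evaluate(app_to_db))
    return verdicts


if __name__ == "__main__":
    print(quarantine_scenario())   # ['allow', 'deny', 'deny', 'allow']
```

The design point worth noticing is that `evaluate` never looks at `ip` or `host`: the scanner only flips a tag, and the deny takes effect on the next evaluation on whatever host the VM lands on. A rule table keyed on IP addresses, as in the "Firewall as a VM" slide, would need a rule edit at each of these steps.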
Changing The Economics…
Themes
Security
• VM Attribute Based
• User Identity
• VM Appliance
Agility
• vCenter Integration
• REST API
• vMotion
Integration with existing Host & Network Security solutions
Perf & Scale
Better Consolidation
Compliance (PCI)
Deployment
• Edge Firewall & Distributed Firewall
• Firewall Monitoring & Troubleshooting
• RBAC and Admin Separation
• Auditing & Compliance
N-S Firewall, E-W Router / Firewall Logical Topology
[Diagram, labels in slide order: Distributed Router & Firewall; VXLAN Transit/Uplink Network; VLAN last mile; FW HA Pair (High Throughput & CPS); LB, DHCP (One-arm); NET 1, NET 2, NET 3 … NET 1000; 3-tier App with WebFrontEnds, AppTier, DatabaseBackends; OSPF; Physical Routing Edge; Physical Network Fabric; Network Virtualization; iBGP; NAT, FW, VPN, LB; High Port Density Router & Firewall]
Model for Routing & L4-L7 Services
[Diagram, labels in slide order: WAN / INTERNET / Corp backbone; FW/Routing – Physical or Virtual Appliance (Features: NAT, Perimeter Firewall, SSLVPN, IPsec VPN, GSLB, DNS); Routing; L2 Bridge; Distributed Routing; One-armed LB (Features: Server Loadbalancing, DHCP, L2VPN); Features: Distributed ACLs in OVS, anti-spoof control; Logical L2]
Other VMware Activities Related to This Session
• HOL: HOL-SDC-1303 – VMware NSX Network Virtualization Platform
• Group Discussions: SEC1000-GD – Distributed Virtual Firewall: Management, Architecture, Scalability and Performance with Serge Maskalik
THANK YOU

VMworld 2013: Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall