NSX: Network Virtualization and the Future of Security (original title: "NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza"; slide deck uploaded by VMUG IT)

Slide 1: NSX: Network Virtualization and the Future of Security
Luca Morelli, Sr. Systems Engineer @ VMware
© 2016 VMware Inc. All rights reserved.

Slide 2: Some info about the speaker...
• Born in Catanzaro, the city of the three Vs, about 37 years ago
• Computer engineer, University of Rende
• About 15 years in IT, with experience in Spain, France, the Netherlands and other countries
• Started in software development, then pre-sales for about 8 years
• Almost 7 years with a "physical" network vendor
• "Virtualized" since January 2015
• Passionate about scuba diving, freediving, climbing and my wonderful partner
• Add me on LinkedIn (not just for NSX)

Slide 3: Agenda
1 VMware's vision of the Software Defined Data Center
2 Introduction to network virtualization with NSX
3 The micro-segmentation paradigm
4 Main use cases

Slide 4: Software-Defined Data Center (SDDC): The Foundation of the New Model of IT
[Diagram: Any Application / One Cloud / Any Device. The SDDC layers are Cloud Management, Compute, Network, Storage and Extensibility, delivered as Build-Your-Own, Converged Infrastructure or Hyper-Converged Infrastructure. Workloads: Traditional Applications, Modern Cloud Applications, Business Mobility (Applications | Devices | Content). Hybrid Cloud: Private (your data center), Public (vCloud Air), Managed (vCloud Air Network).]

Slide 5: The Network Is a Barrier to the Software Defined Data Center!!
[Diagram: the compute virtualization abstraction layer sits over the servers, but the physical network underneath is untouched.]
Problems of the physical network:
• Provisioning is slow
• Mobility is limited
• Hardware dependent
• Operationally intensive

Slide 6: NSX - Distributed Services in the Hypervisor
[Diagram: Applications run on Virtual Machines, Virtual Networks and Virtual Storage; data center virtualization decouples software from hardware (location independence) over pooled compute, network and storage capacity.]
• Network and security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing
• Automated operational model of the SDDC
• Pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management

Slide 7: NSX Logical Switching
Challenges:
• Per-application / multi-tenant segmentation
• VM mobility requires L2 everywhere
• Large L2 physical network sprawl and STP issues
• Hardware memory (MAC, FIB) table limits
Benefits:
• Scalable multi-tenancy across the data center
• Enables L2 over an L3 infrastructure
• Overlay based (VXLAN, etc.)
• Logical switches span physical hosts and network switches
[Diagram: VMware NSX with Logical Switch 1, Logical Switch 2 and Logical Switch 3.]

Slide 8: NSX and VXLAN
[Diagram: Host A with a vSphere Distributed Switch: dvUplink-PG, Logical SW A carrying VM1, and dvPG-VTEP hosting the VXLAN VTEP, attached to a generic IP fabric.]
• VXLAN can be seen as a service on the host
• VXLAN uses a vmknic and implements the VXLAN Tunnel End Point (VTEP) function
• Depending on the uplink configuration there may be several VTEPs on a host; a single dvPortGroup is created for all VTEPs
• A logical switch is an L2 broadcast domain implemented with VXLAN; a dvPortGroup is created for each logical switch

Slide 9: Traffic Flowing on a VXLAN-Backed VDS
[Diagram: Host A and Host B, each with a vSphere Distributed Switch, dvUplink-PG and dvPG-VTEP; Logical SW A spans both hosts and a VXLAN tunnel joins the two VTEPs across the generic IP fabric.]
• In this setup VM1 and VM2 are on different hosts but belong to the same logical switch
• A VXLAN tunnel is established between the two hosts

Slide 10: Traffic Flowing on a VXLAN-Backed VDS (continued)
Assume VM1 sends some traffic to VM2:
1. VM1 sends an L2 frame to the local VTEP
2. The VTEP adds the VXLAN, UDP and IP headers
3. The physical transport network forwards it as a regular IP packet
4. The destination hypervisor's VTEP decapsulates the frame
5. The L2 frame is delivered to VM2
[Diagram: the IP/UDP/VXLAN-encapsulated L2 frame crossing the VXLAN tunnel over the generic IP fabric.]
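As an added example of steps 1 to 5 above (not code from the deck or from VMware), the following Python models the two VTEPs: the sending side wraps VM1's Ethernet frame in VXLAN, UDP and IPv4 headers, and the receiving side validates the outer headers and the VNI before handing the inner frame to VM2. The VNI 5001, the VTEP addresses 192.0.2.11/192.0.2.12, the sample frame and the IANA UDP port 4789 are constructed for the example; nothing is sent on the wire.

```python
"""VXLAN encapsulation and decapsulation for the VM1 -> VM2 flow on slide 10.

Added example (not VMware code): the VTEP role is modelled in plain Python and
the packets are built in memory. Constructed sample values: VNI 5001, VTEP
addresses 192.0.2.11 and 192.0.2.12, IANA VXLAN UDP port 4789.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789   # IANA port; check the VTEP port configured in your deployment
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid (RFC 7348)


def _ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over an IPv4 header (0 when the header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def vtep_encapsulate(frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                     src_port: int = 0xC000) -> bytes:
    """Step 2 on the slide: the local VTEP wraps VM1's L2 frame in VXLAN/UDP/IP."""
    vxlan = vxlan_header(vni) + frame
    # UDP checksum 0 is permitted for VXLAN over IPv4; the source port normally carries a flow hash
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return ip + udp


def vtep_decapsulate(packet: bytes, expected_vni: int) -> bytes:
    """Step 4: the destination VTEP validates the outer headers and returns the inner L2 frame.

    The VNI check is what keeps logical switches apart: a frame carrying another
    VNI is dropped instead of being delivered to VM2.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or _ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not UDP, or corrupt IPv4 header")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT or udp_len < 16:
        raise ValueError("not a VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    if vni_field >> 8 != expected_vni:
        raise ValueError("frame belongs to another logical switch (VNI %d)" % (vni_field >> 8))
    return packet[ihl + 16:ihl + udp_len]


# Constructed sample frame: VM1 (MAC ...:01) to VM2 (MAC ...:02), EtherType IPv4.
VM1_MAC = bytes.fromhex("005056000001")
VM2_MAC = bytes.fromhex("005056000002")
SAMPLE_FRAME = VM2_MAC + VM1_MAC + b"\x08\x00" + b"inner payload from VM1"

if __name__ == "__main__":
    pkt = vtep_encapsulate(SAMPLE_FRAME, 5001, "192.0.2.11", "192.0.2.12")
    print(len(pkt), "bytes on the transport network for a", len(SAMPLE_FRAME), "byte inner frame")
    assert vtep_decapsulate(pkt, 5001) == SAMPLE_FRAME
```

The point a practitioner should take from the decapsulation side is that nothing in the VXLAN, UDP or IP headers authenticates the sender: the VNI is a plaintext field and the receiving VTEP simply trusts it. Tenant isolation therefore holds only among trusted VTEPs, so the transport network (the VTEP VLAN and its UDP port) must not be reachable from workloads or from untrusted hosts.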
Slide 11: NSX Routing: Distributed, Feature-Rich
Challenges:
• Physical infrastructure scale challenges (routing scale)
• VM mobility is a challenge
• Multi-tenant routing complexity
• Traffic hair-pins
Benefits (scalable routing, simplifying multi-tenancy):
• Distributed routing in the hypervisor
• Dynamic, API-based configuration
• Full featured: OSPF, BGP, IS-IS
• Logical router per tenant
• Routing peering with the physical switch
[Diagram: Tenant A, Tenant B and Tenant C, each with several L2 segments behind its own logical router, driven from a CMP.]

Slide 12: The Advantage of Distributing Services: routing in the NSX vSwitch means more efficient networking with fewer hops
[Diagram: UCS Blade 1 and UCS Blade 2 behind UCS Fabric A and UCS Fabric B, with the default gateway upstream of the fabric.]
• East-West routing, same host: before NSX, traffic between two VMs on the same blade leaves the vswitch, crosses the fabric to the default gateway and comes back (6 wire hops); with NSX the distributed router in the NSX vSwitch forwards it on the host (0 wire hops)
• East-West routing, host to host: before NSX, 6 wire hops via the default gateway; with NSX, 2 wire hops (blade to blade through the fabric)

Slide 13: NSX Edge Services Gateway: Integrated Network Services
[Diagram: an Edge providing Firewall, Load Balancer, VPN, Routing/NAT and DHCP/DNS relay (DDI) in front of a set of VMs.]
Overview:
• Integrated L3 to L7 services
• Virtual appliance model for rapid deployment and scale-out
Benefits:
• Real-time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity

Slide 14: What a Basic NSX Topology Looks Like
[Diagram: the external network and a physical router on VLAN 20 connect to the NSX Edge uplink; the Edge peers (routing peering) with distributed routing over the VXLAN 5020 transit link; behind distributed routing sit the Web1..Webn, App1..Appn and DB1..DBn tiers.]

Slide 15: High-Scale Multi-Tenant Topology
[Diagram: the external network connects to an NSX Edge X-Large acting as the route aggregation layer; VXLAN 5100 is the transit segment; per-tenant NSX Edge Services Gateways are reached through VXLAN uplinks (or a VXLAN trunk); each tenant, from Tenant 1 to Tenant n, has its own Web, App and DB logical switches.]

Slide 16: NSX Provides the Highest Level of Visibility in the Network
• Native capabilities: NSX API, syslog, IPFIX, port mirroring, SNMP, Traceflow and more
• Integration with the partner ecosystem: Log Insight NSX content pack, vRealize Operations Suite

Slide 17: How do I manage NSX?

Slide 18: Traditional Approaches to Micro-Segmentation: centralized firewalls
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when the application is decommissioned
• The problem grows with more east-west traffic
[Diagram: a centralized firewall between the Internet and the workloads.]

Slide 19: How an SDDC Approach Makes Micro-Segmentation Feasible
[Diagram: a Cloud Management Platform drives the security policy; perimeter firewalls face the Internet while the policy is enforced inside the SDDC.]

Slide 20: NSX Distributed Firewalling
Physical security model (challenges):
• Centralized firewall model
• Static configuration
• IP address based rules
• 40 Gbps per appliance
• Lack of visibility into encapsulated traffic
Distributed firewalling (benefits):
• Distributed at the hypervisor level
• Dynamic, API-based configuration
• Rules based on VM names, vCenter objects and identity
• Line rate, ~20 Gbps per host
• Full visibility into encapsulated traffic
[Diagram: firewall management console versus the VMware NSX API driven from a CMP.]

Slide 21: NSX Distributed Firewall Enablement
DFW enforces rules at the vNIC layer:
• DFW is independent of the transport network (VLAN or VXLAN)
• All VM ingress and egress packets are subject to DFW processing
• Security policy is independent of VM location
• V-to-V and P-to-V support
DFW has NO dependency on network topology!
[Diagram: the same DFW policy applied to VM1 (MAC1/IP1), VM2 (MAC2/IP2) and VM3 (MAC3/IP3) across two vSphere hosts, once on the VXLAN 5001 logical switch and once on a VLAN 501 DVS port-group.]
DFW policy rules in the diagram:
  Source | Destination | Service      | Action
  VM1    | VM2, VM3    | TCP port 123 | Allow
  VM1    | VM2, VM3    | any          | Block

Slide 22: NSX DFW Policy Objects
Policy rule construct: Rule ID | Rule Name | Source | Destination | Service | Action | Applied To
Rich dynamic container-based rules, not just IP addresses:
• vCenter containers: clusters, datacenters, portgroups, VXLAN
• VM containers: VM names, VM tags, VM attributes
• Identity: AD groups
• IPv6 compliant: IPv6 addresses, IPv6 sets
• Services: protocol, ports, custom IPv6 services
Actions: Allow, Block, Reject
Choice of PEP (Policy Enforcement Point): clusters, VXLAN, vNICs, ...

Slide 23: Configure Policies with Security Groups
1. Select elements that uniquely identify application workloads
2. Use attributes to create security groups
3. Apply policies to security groups
Use security groups to abstract policy from application workloads:
• Enforce policy based on logical constructs
• Reduce configuration errors
• Policy follows the VM, not the IP
• Reduce rule sprawl and complexity
[Diagram: App 1 with OS: Windows 8 and TAG: "Production" becomes a member of Group XYZ; Policy 1 ("IPS for Desktops", "FW for Desktops") and Policy 2 ("AV for Production", "FW for Production") are applied to the group.]
Element types: static: data center, virtual net, virtual machine, vNIC; dynamic: VM name, OS type, user ID, security tag.

Slide 24: Micro-segmentation simplifies network security
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
[Diagram: a perimeter firewall in front of the DMZ, App, DB and Services tiers (AD, NTP, DHCP, DNS, CERT), with an inside firewall separating Finance, Engineering and HR.]

Slide 25: NSX Security in the SDDC
[Diagram: WAN/Internet behind a physical perimeter firewall; the NSX Edge Services Gateway at the border of the SDDC; the DFW in every compute cluster.]
• The NSX Edge Services Gateway is positioned to protect the border of the SDDC: Edge for north-south traffic protection
• The NSX DFW is positioned for internal SDDC traffic: DFW for east-west traffic protection

Slide 26: Micro-Segmentation in Detail
Isolation: no communication path between unrelated networks
• No cross-talk between networks
• Overlay technology assures networks are separated by default
Segmentation: controlled communication path within a single network
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs
Advanced services: addition of third-party security, as needed by policy
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions

Slide 27: Third-Party Firewall and Network Security Options for NSX Integration (platform for distributed services)
• Redirect via a global rule to the third party:
    Src     | Dst            | Action
    ANY     | Shared Service | Allow
    Desktop | WEB_GROUP      | Redirect to 3rd party
• Redirect via a policy template ("Web Policy" applied to WEB_GROUP), for reuse in automation workflows: the firewall redirects to the third party, and the third party does deep packet inspection
• The third party can program the NSX distributed firewall directly, and set/get context to inform policy

Slide 28: Example: Orchestrating Security Between Multiple Services (Vulnerability Scan)
[Diagram: security group "Web Servers" (membership: include VMs that have been provisioned as "WebServer") and security group "Quarantine" (membership: include VMs with a CVSS score >= 9), both managed by NSX Manager together with an antivirus service.]
1. A web server VM running IIS is deployed, unknowingly having a vulnerability
2. A vulnerability scan is initiated on the web server (third-party AV product)
3. The VM is tagged in NSX Manager with the CVE and the CVSS score
4. NSX Manager associates the VM with the Quarantine group (firewall deny)
5. [Externally] the admin applies patches, the third-party AV product re-scans the VM and clears the tag
6. NSX Manager removes the VM from Quarantine; the VM returns to its normal duties
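As an added example (not VMware code and not from the deck) covering slides 21 to 23 and the six-step workflow above, the following Python models a distributed firewall that evaluates rules top-down at the vNIC, resolves sources and destinations through security groups with static and dynamic membership, and moves a VM in and out of a quarantine group as a CVSS security tag is written and cleared. The VM inventory, group names, ports and tag names are constructed for the example; the CVE value is a placeholder, not a real identifier.

```python
"""Distributed firewall with security groups and tag-driven quarantine.

Added example (not VMware code) modelling slides 21 to 23 and 28: rules are
matched top-down at the vNIC, sources and destinations are security groups
with static or dynamic membership, and quarantine is driven by a CVSS tag.
The VM inventory, group names, ports and tag names are constructed for the
example; in NSX they live in NSX Manager and vCenter.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class VM:
    name: str
    ip: str
    os: str = ""
    tags: dict = field(default_factory=dict)   # security tags, e.g. {"CVSS": "9.8"}


@dataclass
class SecurityGroup:
    """Static members by VM name, plus an optional dynamic predicate (name, OS, tag ...)."""
    name: str
    static: set = field(default_factory=set)
    dynamic: Optional[Callable[[VM], bool]] = None

    def contains(self, vm: VM) -> bool:
        return vm.name in self.static or (self.dynamic is not None and self.dynamic(vm))


@dataclass
class Rule:
    rule_id: int
    source: str                 # security group name, or "any"
    destination: str
    service: Optional[tuple]    # (protocol, port), or None for any service
    action: str                 # Allow, Block or Reject


class DistributedFirewall:
    """Rules are evaluated in order at the VM's vNIC; the first match wins."""

    def __init__(self, groups, rules, default_action="Block"):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)
        self.default_action = default_action

    def _matches(self, selector: str, vm: VM) -> bool:
        # Membership is evaluated against the VM object, not its current IP address,
        # which is why the policy follows the VM across hosts and re-addressing.
        return selector == "any" or self.groups[selector].contains(vm)

    def evaluate(self, src: VM, dst: VM, protocol: str, port: int):
        """Return (rule_id, action) for one flow; rule 0 is the default rule."""
        for rule in self.rules:
            service_ok = rule.service is None or rule.service == (protocol, port)
            if service_ok and self._matches(rule.source, src) and self._matches(rule.destination, dst):
                return rule.rule_id, rule.action
        return 0, self.default_action


def build_inventory():
    """Constructed inventory: a tagged web server, an app server and a shared NTP service."""
    web1 = VM("web1", "10.0.10.11", os="Windows Server", tags={"WebServer": ""})
    app1 = VM("app1", "10.0.20.11", os="Linux")
    ntp1 = VM("ntp1", "10.0.30.11", os="Linux")
    return web1, app1, ntp1


def build_dfw() -> DistributedFirewall:
    groups = [
        SecurityGroup("Web Servers", dynamic=lambda vm: "WebServer" in vm.tags),
        SecurityGroup("App Servers", static={"app1"}),
        SecurityGroup("Shared Service", static={"ntp1"}),
        # Slide 28: include VMs whose CVSS tag is >= 9
        SecurityGroup("Quarantine", dynamic=lambda vm: float(vm.tags.get("CVSS", "0")) >= 9.0),
    ]
    rules = [
        Rule(1, "Quarantine", "any", None, "Block"),             # quarantined VMs talk to nobody ...
        Rule(2, "any", "Quarantine", None, "Block"),             # ... and nobody talks to them
        Rule(3, "any", "Shared Service", ("UDP", 123), "Allow"),
        Rule(4, "Web Servers", "App Servers", ("TCP", 8443), "Allow"),
    ]
    return DistributedFirewall(groups, rules)


def quarantine_scenario():
    """Steps 1 to 6 of slide 28; returns the action applied to web1 -> app1 at each step."""
    web1, app1, _ = build_inventory()
    dfw = build_dfw()

    def flow():
        return dfw.evaluate(web1, app1, "TCP", 8443)[1]

    before = flow()                                              # web1 is a Web Server: Allow
    web1.tags.update({"CVE": "CVE-placeholder", "CVSS": "9.8"})  # step 3: scanner tags the VM (placeholder id)
    during = flow()                                              # now in Quarantine: rule 1 blocks
    web1.ip = "10.0.10.99"                                       # vMotion / re-address: policy follows the VM
    moved = flow()
    web1.tags.pop("CVE"), web1.tags.pop("CVSS")                  # step 5: patched, rescan clears the tags
    after = flow()                                               # step 6: back to normal duties
    return before, during, moved, after


if __name__ == "__main__":
    print(quarantine_scenario())   # ('Allow', 'Block', 'Block', 'Allow')
```

Two things the model makes visible. First, the rule order matters: the quarantine block rules sit above the allow rules, so a VM that acquires a CVSS tag loses its existing allows without any rule being edited. Second, group membership driven by a tag means that whoever can write security tags in NSX Manager (here, the scanner's integration account) effectively controls firewall policy, so that account deserves the same least-privilege scrutiny as the firewall administrators.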
Slide 29: NSX Partners and Service Categories (NSX partner extensions)
• Application delivery services
• Physical-to-virtual services
• Operations and visibility
• Security

Slide 30: Ground-Breaking Use Cases
Enterprises can often justify the cost of NSX through a single use case.
• Security: micro-segmentation, DMZ anywhere, secure end user
• IT automating IT: multi-tenant infrastructure, developer cloud, IT automation
• Application continuity: disaster recovery, metro pooling, hybrid cloud networking
• IT optimization: server asset utilization, price/performance, hardware lifecycle

Slide 31: Use Case: Infrastructure Management with vRealize Automation
Dynamically provision and decommission NSX logical services.
New features:
• Simplified multi-tier application deployment
• Improved connectivity: deployment of logical switches and networks
• Enhanced security: intelligent placement of workloads in security groups protected by firewalls
• Increased availability: via deployment of NSX distributed firewalls and load balancers
Benefits:
• Deliver secure, scalable, performing application-specific infrastructure on demand

Slide 32: Use Case: Disaster Recovery with NSX Network Virtualization
[Diagram: primary site and recovery site, each with a SAN, its own physical network infrastructure (10.0.10/24 and 10.0.20/24) and an NSX Controller; the virtual network 10.0.30/24 exists at both sites.]
1. Snapshot the VM
2a. Replicate the VM and storage (steps 1 and 2 e.g. with VMware SRM)
2b. Snapshot the network security
3. Recover the VM: the network and security already exist at the recovery site

Slide 33: Use Case: A True Hybrid Cloud Powered by VMware NSX
[Diagram: the local data center connected over the Internet by an IPsec VPN and an L2 VPN to vCloud Air (vCloud Air Network).]
Some benefits:
• L2 VPN for data center extension
• Granular network security with trust groups
• Bi-directional workload migration using the vSphere web client
• Today with vCloud Air; tomorrow with Amazon AWS, Azure, Google and other public cloud providers

Slide 34: NSX Vision: Driving NSX Everywhere
Managing security and connectivity for many heterogeneous end points: on-premise data center, new app frameworks, mobile devices (AirWatch), virtual desktops (VDI), branch offices (partner), Internet of Things, public clouds.
• Automation: IT at the speed of business
• Security: inherently secure infrastructure
• Application continuity: data center anywhere

Slide 35: What's Next... Explore, Engage, Evolve (Play, Learn, Deploy)
• VMware NSX Hands-on Labs
• Network Virtualization Blog
• NSX Product Page
• NSX Training & Certification
• NSX Technical Resources
• Reference Designs
• VMware NSX YouTube Channel
• VMware NSX Community

Slide 36: Thank you.