NSX Design Notes (4/10) – Firewall and Security Services

NSX firewall components are Edge Services Gateway (ESG) and Distributed Firewall (DFW).

1) Network Isolation

  1. Virtual networks are created in isolation and remain isolated unless explicitly connected together. No physical subnets,VLANs, ACLs or firewalls are required to enable isolation
  2. Virtual networks are also isolated from underlying physical network.
  3. Workloads in single virtual network can spread across multiple ESX servers. Workloads in multiple virtual networks can run on same ESX.
  4. Isolation allows overlapping IP addresses.
  5. Virtual network could support ipv6 on top of ipv4 physical network.

2) Network Segmentation

  1. Segmentation with multiple L2 segments

  2. Segmentation within single L2 segment using DFW rules

3) Abstraction

Network virtualization abstracts application workload communication from the physical network hardware and topology, allowing network security to break free from physical constraints and apply network security based on user, application, and business context.

4) Service Insertion

  1. Between guest VM and logical network there is a service space implemented into vNIC context.

  2. Slot-ID materializes service connectivity to VMs
  3. Service Chaining: Multiple third party services can be plugged in through multiple slots.
  4. Traffic exiting VM follows the path with increasing Slot-ID number (slot-2, slot-4, etc.). Traffic reaching guest VM follows the path with decreasing slot-id number (slot-4, slot-2)
    The Distributed Firewall has 16 slots of which VMware reserve 0-3 and 12-15. Slots 4-11 can be used for registered Network Introspection services
    Source: https://networkinferno.net/service-composer-security-groups-and-security-tags

5) Visibility – Consistent Visibility and Security across Physical and Virtual Insertion

  1. Enhance existing tools and processes
  2. Control closer to application without downside
  3. Reduce human error in equation

6) Service Composer

  1. Traditional services like firewall or advanced services like agentless AV, L7 firewall, IPS, and traffic monitoring can be deployed independent of the underlying physical or logical networking topologies
  2. Service Composer contains three broad parts
    1. Security Groups : NSX achieves decoupling of workloads from the underlying topology via creation of these security groups
    2. 3rd Party service registration and deployment
    3. Security Policy : Apply specific security rules to specified workloads


  3. Advantages of decoupling service and rule creation from underlying physical topology
    1. Distribution of services : Workload mobility without hair pinning of traffic
    2. Policies are workload centric
    3. Truly Agile and Adaptive security controls
    4. Service chaining is policy based and vendor independent
  4. Security Groups
    1. Criteria : vCenter Objects, VM Properties, NSX Objects , Identity Manager objects ( AD Groups)
    2. Mechanism : Static and Dynamic



  5. Security Tags : NSX provides security tags that can be applied to any VM

    Most common forms of classification for using security tags are Security State,Department,Data(PCI),Environment (Dev,Prod),Geo Location
  6. Security Policy
    1. Security policy is comprised of Services and Profiles

    2. Security policy can be created in traditional method or in NSX policy method


      Note: Source for the above two images: http://nsxperts.com/?p=65.
    3. Security policy consists of rules, weights and inheritance

      NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight amongst the existing policy is 1200, the new policy is assigned a weight of 2200.

References:

NSX Design Notes (3/10) - Logical Routing
NSX Design Notes (5/10) – Micro Segmentation
No tags for this post.

Leave a Comment