Principles
- Determine challenges with physical network implementations
- Understand common VMware NSX terms
- Differentiate NSX network and security functions and services
- Differentiate common use cases for VMware NSX
References
- VMware NSX Datasheet
- Business Transformation Through IT Transformation: VMware IT Improves Application and Network Security Through VMware NSX™
- VMware NSX Network Virtualization Platform White Paper
- VMware NSX Network Virtualization Design Guide
Determine challenges with physical network implementations
Legacy Approach
Perimeter
- Legacy network and security architectures rely on the premise that securing the datacenter perimeter sufficiently protects against threats
- Does not work because traffic inside the perimeter is not secured
Server Virtualisation
- Applications no longer tied to a single datacenter
- Applications can be replicated to a remote location
- Move between Datacenters or hybrid cloud
- Legacy network configurations tied to hardware and therefore location
- Networks vary greatly from site to site
- Requires a lot of application customisation
- Barrier to Application mobility
Challenges due to lack of Network Virtualisation
Complexity in Service Deployment
- 90% of companies surveyed say they are limited by network complexity when deploying services or applications
- Businesses wait 270 days per annum on average for IT
Manual and Risk Prone Configuration
- Manual configuration for new services or applications
  - Add VLANs, configure multiple switches, etc.
- 1/3 of network outages caused by configuration errors
Capital and Operational Costs
- High Capital and Operations costs
- Manual processes for managing physical networks
- High costs for standalone solutions for Routing, Firewall, Load Balancing
- Over-provision to meet peaks in demand
- Periodic forklift upgrades
Insufficient and Weak Security
- Once Perimeter Firewall is breached threats spread easily inside Datacenter
- Too expensive to deploy Firewalls inside the datacenter between networks (East-West)
Common Complaints
- Too much time spent deploying Lab environments
- VLANs limited to specific pods
- Concerns about Virus and Malware inside the Datacenter
- Network must be updated every time a new application is needed
- VPN solution overwhelmed – does not scale
- Load Balancer saturated
Network Virtualization
- NSX provides network virtualization
- Abstraction moves intelligence from Physical to Software layer
- Software-based services are easily distributed, e.g.:
  - Routing
  - Switching
  - Firewalling
  - Load Balancing
Abstraction
Network is:
  - Simplified
  - Stable
  - Reliable
- Apply Operational Model of Virtual Machines to Networks
- Programmatically do the following to applications in the same way as VMs:
  - Create
  - Snapshot
  - Store
  - Move
  - Delete
  - Restore
Understand common VMware NSX Terms
Physical Network
Any type of IP network that provides data transport
Data Plane
The Data Plane is where actual traffic flows.
NSX Virtual Switch
- Based on vSphere DVS with additional components
- Abstracts the physical network
- Provides access level switching in the hypervisor
- Enables logical networks that are independent of physical constructs
Distributed Logical Router
- Routing function at hypervisor level
- Bridges VXLAN to VLAN traffic
Security Services
- Distributed Firewall:
  - Kernel and NIC level
  - Minimal CPU overhead
  - Line rate performance
- Edge Firewall
- SpoofGuard
Extensibility
- Extensible Framework
- Security vendors provide an umbrella of services:
  - Anti-virus/Anti-malware/Anti-Bot Solutions
  - Layer 7 Firewall
  - Host and Network Based IPS/IDS Services
  - File Integrity Monitoring
  - Guest Vulnerability Management
NSX Edge Services Gateway
- L2 and L3 Services
- Firewall
- Load Balancing
- SSL VPN
- DHCP
- NAT
Control Plane
- Runs in the NSX Controller Cluster
- Advanced Distributed State Management System
- Provides Control Plane functions for NSX Logical Routing and Switching services
- Responsible for managing the distributed switching and routing modules in the hypervisor
- Distributes network information to hosts
- Maintains information for all Hosts, DLRs and Logical Switches
- No Data Plane traffic passes through them
Logical Router Control VM
Provides the routing control plane that allows:
- Local Forwarding within an ESXi Host
- Dynamic Routing between ESXi Hosts
- North-South routing provided at the Edge
User World Agent (UWA)
- The UWA is composed of netcpad + vsfwd daemons on ESXi hosts
- Uses SSL to communicate with NSX Manager
- Mediates between NSX Controller and Hypervisor Kernel Modules except DFW
- Retrieves information from NSX Manager through Message Bus Agent
Management Plane
- Built by NSX Manager
- Single Point of configuration
- REST API entry points
Consumption Model
- Driven through the NSX Manager UI via the vSphere plugin
- NSX can be configured through:
  - vSphere Web Client
  - CLI
  - REST API
- Out of the box integration with:
  - vRealize Automation
  - vCloud Director
  - VMware Integrated OpenStack with Neutron plugin
Differentiate common use cases for VMware NSX
Main Use Cases:
  - Security
  - Automation
  - Application Continuity
Security
Micro-Segmentation
Micro-Segmentation Basics
- At its most basic level, it is the ability to segment elements of a system into granular components
- Security policies can be applied at different levels, from cluster level down to a single VM
- Micro-segmentation targets lateral (East-West) traffic
- Permits a “Zero-Trust” model
Micro-Segmentation Detail
- Traffic patterns changed from North/South to East/West
- Micro-segmentation has not been possible at scale -> too many firewalls, difficult to administer (operationally infeasible)
- NSX enables parallel virtual networks fully isolated from the underlying physical network
- NSX secures communication within a network with flexible security policies that reflect business logic
- NSX is a platform for advanced services => ecosystem of leading security vendors
Benefits of NSX and Micro-Segmentation
- Uses the power of the hypervisor-based DFW for East-West traffic control
- The inherent security and automation capabilities of NSX make Micro-Segmentation operationally feasible
- Cost effective: Improves ratio of security to level of effort and is much cheaper than hardware
Micro-Segmentation Simplifies Network Security
- Security Policies at Object Level
  - Each VM has its own Security Parameters
  - Policies are portable i.e. they move with the machine
- Create Security Groups
- Create Security Policies
- Apply Security Policies to Security Groups
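The three steps above (create Security Groups, create Security Policies, apply the policies to the groups), the "policies move with the machine" point, and the perimeter-only weakness noted under Insufficient and Weak Security, modelled as an added Python example. This is constructed illustration code, not VMware or NSX code and not the NSX API: the tags, group names, hosts and ports are made up, and the rule table is a simplified first-match model of a distributed firewall with implicit default deny.

```python
"""Added example: a toy model of hypervisor-based micro-segmentation.

Constructed illustration, not VMware/NSX code and not the NSX API.  It
models the three steps from the notes (create Security Groups, create
Security Policies, apply policies to groups), default-deny evaluation of
East-West flows, and policy that follows a VM between hosts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    host: str                # ESXi host the VM currently runs on (constructed names)
    tags: frozenset          # security tags that drive dynamic group membership


@dataclass(frozen=True)
class Rule:
    src_group: str           # Security Group name, or "any"
    dst_group: str           # Security Group name, or "any"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


class DistributedFirewall:
    """Rules are evaluated per VM from the VM's own attributes, so the same
    policy applies on whichever host the VM lands on after a move."""

    def __init__(self) -> None:
        self.groups: Dict[str, str] = {}   # group name -> tag that grants membership
        self.rules: List[Rule] = []        # ordered rule table; first match wins

    def create_security_group(self, name: str, tag: str) -> None:
        self.groups[name] = tag

    def add_rule(self, src_group: str, dst_group: str,
                 dst_port: Optional[int], action: str) -> None:
        # Applying policy to groups happens here: a rule references groups,
        # never individual IPs or hosts.
        for group in (src_group, dst_group):
            if group != "any" and group not in self.groups:
                raise ValueError(f"unknown security group {group!r}")
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        self.rules.append(Rule(src_group, dst_group, dst_port, action))

    def is_member(self, vm: VM, group: str) -> bool:
        return group == "any" or self.groups[group] in vm.tags

    def evaluate(self, src: VM, dst: VM, dst_port: int) -> str:
        """Decide an East-West flow src -> dst:dst_port."""
        for rule in self.rules:
            if (self.is_member(src, rule.src_group)
                    and self.is_member(dst, rule.dst_group)
                    and (rule.dst_port is None or rule.dst_port == dst_port)):
                return rule.action
        return "deny"        # implicit default deny: the zero-trust posture


def perimeter_only(src_inside: bool, dst_inside: bool) -> str:
    """Legacy contrast: only flows crossing the perimeter are filtered; a flow
    between two workloads already inside the datacenter is never inspected."""
    return "allow" if (src_inside and dst_inside) else "filtered-at-perimeter"


def build_demo_firewall() -> DistributedFirewall:
    dfw = DistributedFirewall()
    # Step 1: create Security Groups (dynamic membership by constructed tag).
    dfw.create_security_group("SG-Web", "tier:web")
    dfw.create_security_group("SG-App", "tier:app")
    dfw.create_security_group("SG-DB", "tier:db")
    # Steps 2 and 3: create Security Policies and apply them to the groups.
    dfw.add_rule("SG-Web", "SG-App", 8443, "allow")   # web tier may reach app tier
    dfw.add_rule("SG-App", "SG-DB", 3306, "allow")    # app tier may reach the DB port only
    dfw.add_rule("SG-Web", "SG-Web", None, "deny")    # peers in the web tier stay isolated
    return dfw


def demo_decisions() -> Dict[str, str]:
    """Run constructed flows through the model and return the decisions."""
    dfw = build_demo_firewall()
    web1 = VM("web-01", "esxi-01", frozenset({"tier:web"}))
    web2 = VM("web-02", "esxi-02", frozenset({"tier:web"}))
    app1 = VM("app-01", "esxi-01", frozenset({"tier:app"}))
    db1 = VM("db-01", "esxi-03", frozenset({"tier:db"}))
    # The same web VM after a move to another host: tags unchanged, so the
    # policy travels with it.
    web1_moved = VM("web-01", "esxi-03", frozenset({"tier:web"}))
    return {
        "web->app:8443": dfw.evaluate(web1, app1, 8443),
        "web->db:3306": dfw.evaluate(web1, db1, 3306),        # no rule: default deny
        "app->db:3306": dfw.evaluate(app1, db1, 3306),
        "app->db:22": dfw.evaluate(app1, db1, 22),            # wrong port: default deny
        "web->web:22": dfw.evaluate(web1, web2, 22),          # explicit deny
        "moved-web->app:8443": dfw.evaluate(web1_moved, app1, 8443),
        "legacy web->db": perimeter_only(True, True),         # east-west never inspected
    }


if __name__ == "__main__":
    for flow, decision in demo_decisions().items():
        print(f"{flow:22} {decision}")
```

The contrast worth noticing is the last two entries: the moved web VM gets the same decision as before the move because membership is evaluated on the VM's tags rather than on its host or address, while the perimeter-only model allows the web-to-database flow outright because it never looks at traffic that stays inside the datacenter.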
DMZ Anywhere
- Normally DMZ is a restricted network with specific security policies and services
- Complicates deployment of new applications and involves negotiations between stakeholders:
  - Application Owner
  - Network Team
  - Security Team
- Slows things down significantly
- NSX allows specific security policies to be applied to workloads anywhere in the network topology
- Securing User environments in a VDI Infrastructure is complex
  - Multiple user groups must be mapped to various resources
  - NSX makes things simpler by allowing Security Groups to be tied to users based on individual attributes
Advanced Services Insertion
NSX integrates with 3rd-party network solutions, e.g. Palo Alto:
- Solution management tool registers with Controller
- Controller distributes security VM to each hypervisor
- Security Policies created in management tool are distributed to each ESXi Host via the Controllers
- Traffic is then steered from the VM to the 3rd party security VM
- Security Policies move with VMs
Security: Secure End-User
VMware Horizon
Security Concerns:
  - Securing user desktops from one another
  - Securing user desktops from servers
- Horizon View Virtual Desktop
  The VM running in vSphere containing all application and user data
- View Composer
  Creates desktop images based on a golden image
- View Connection Server
  Provides authentication and handles incoming connection requests – aka View Manager
- View Security Server
  Extra layer of security deployed in the DMZ. Provides a secure connection and helps authenticate external users
- View Administrator
  Manages the View environment, desktops and policy
- View Client
  Runs on a desktop, laptop, tablet, thin client or mobile device.
  Connects to a Connection Server or Security Server
VDI Challenges
- VDI runs on the same infrastructure as servers
- Must protect:
  - vDesktop -> vDesktop
  - vDesktop -> Server
- Need to provide vDesktops necessary access to applications deployed in the datacenter
- Much larger security surface area with VDI
Enterprise Mobility Management (EMM)
- EMM covers every End-Point, Use-Case and OS
- VMware AirWatch can manage all access devices from a single console
- AirWatch manages:
  - Applications
  - Content
  - Browsing
  - Workspace
- Aware of device posture
- EMM:
  - Enforce restrictions:
    - Jailbreak
    - Password Strength
    - Lost device
  - Mobile Apps Compliance
  - Enterprise Application Awareness
- Enforce restrictions:
  - VPN:
    - Secure Communications
    - Full Device Access
  - Network Access Control (NAC):
    - Device Posture & Quarantine
    - No micro-segmentation
VPN:
- Once a device has DC access, how do you control access to resources inside it?
- Mobile devices introduce potential access to corporate resources from untrusted sources
- No device, user or application profile data once connected
AirWatch Encrypted Tunnel
- Traffic is encrypted over the tunnel
- Supports Micro-Segmentation
AirWatch Strategic Features
AirWatch can provide information for DFW security policies
- Helps create a matrix of policies that defines the firewall policies used to protect the data centre's East-West traffic
- Provides micro-segmentation as part of desktop and application delivery services in an enterprise environment
Automation
IT Automating IT
- Faster project on-boarding
- Multitenant Infrastructure
- Developer Cloud
- Faster Application Development
- Business Value: Reduce Infrastructure-provisioning time from months to weeks
- NSX can help automation in a variety of ways
- vRA can use the NSX API to create topologies on demand
- vRA supports dynamic configuration and deployment through its reservations and blueprints
vRA on-demand Multi-Machine Blueprints
- If a DLR is used as the Routed Gateway in a Reservation, it must already exist (pre-created)
- If an ESG is used as the Routed Gateway in a Reservation, ESGs are created on demand
vRA pre-created Multi-Machine Blueprints
- DLR must exist
Developer Cloud
- Use VMware Integrated OpenStack
Multi-Tenant Infrastructure
Use NSX to create multi-tenant topologies
Application Continuity
- Disaster Recovery
- Metro Pooling
- Hybrid Cloud Networking
- Application Continuity is about delivering the Data Center anywhere
- NSX supports up to 8 x vCenter
  - 1 x vCenter per site
  - 1:1 relationship between vCenter and NSX Manager
- Challenge: Multisite Infrastructure is too siloed
  - Cross site connectivity complex and expensive
  - Security Policies are local to a site => policies must be replicated which is error prone
- vSphere 6 Cross-vCenter vMotion + Metro Storage Cluster (vMSC) address the storage challenge
- Cross Site NSX:
  - 3 x Universal Controllers supported
Cross-vCenter
- <= 150ms latency
Multi-vCenter NSX
- 1 x Primary and up to 7 Secondary NSX Managers
- 3 x Universal Controllers
Cross-vCenter NSX Benefits