Principles
- Differentiate logical and physical topologies, components and services
- Differentiate logical and physical security constructs
- Endpoint Security
- Data Security
- Flow Monitoring
- Activity Monitoring
- Distributed Firewall
- Perimeter Firewall
References
- VMware NSX Network Virtualization Design Guide
- NSX Administration Guide
- https://blogs.vmware.com/networkvirtualization/2014/07/physical-virtual-networking.html/
Differentiate logical and physical topologies, components and services
Topology
Physical
The Physical Network Topology consists of the various pieces of hardware used to make up a network, including Cables, Switches, Hubs, Routers, Servers/Workstations etc.
Logical
The Logical Network Topology relates to the manner in which the particular network passes data amongst those physical components. The Logical Topology is dependent therefore on the Physical Topology combined with the software/protocols used for the creation, transmission and processing of data. The Logical Topology can be largely de-coupled from the Physical Topology through the use of an Overlay network such as NSX.
Components
Physical
- Hubs, Switches, Routers, Network Interface Cards etc.
- Hubs
Repeater devices that forward frames received on one port to all other Ports on the device. All devices connected to a hub see all data sent by any connected workstation.
- Switches
Switches are multi-port bridges that forward traffic only to the destination device/workstation instead of broadcasting it out of all ports. Switches learn the MAC addresses associated with each Port, allowing them to restrict traffic to only the necessary ports and thereby reducing the collision domain in Ethernet networks. Broadcast domains are further reduced through the adoption of VLANs.
- Routers
Routers or Gateways connect different network segments together. A key difference with Hubs and Switches is that Routers do not forward broadcast traffic, therefore reducing the size of a broadcast domain.
- Network Interface Cards (NICs)
NICs provide the physical interface between a network connected device and the physical media attached to it. On a workstation or server a NIC may be an Ethernet Card or Wireless Network Adapter. A Switch/Hub/Router may have multiple Ports/Interfaces.
- Transmission Media
The physical medium of data transfer including Cables (Copper, Fibre) and Radio Frequency (aka RF/Wireless)
Logical
Switching
A logical switch topology is built around Virtual Local Area Networks (VLANs) which can be either Port Based whereby a group of physical ports belongs to a VLAN or Logical, where traffic on an individual port can be tagged with different VLANs using VLAN IDs.
Tagged VLANs are governed by the IEEE 802.1Q standard https://en.wikipedia.org/wiki/IEEE_802.1Q. VLAN tagging is the process of tagging Ethernet frames with a 12-bit VLAN Identifier (VLAN ID). A 4-byte (32-bit) VLAN field is inserted into the header of a standard Ethernet frame, with 12 bits reserved for the VLAN ID, providing a maximum range of 2^12 - 2 = 4094 usable VLAN IDs.
- VLAN ID 0 (0x000) is used to indicate the frame is untagged (aka “Native”)
- VLAN ID 4095 (0xFFF) is reserved for internal implementation use by the Switch software
Ordinarily VLAN 1 (0x001) is the default VLAN ID applied to incoming traffic on a network port and is commonly referred to as the default “Management VLAN” although it can sometimes be changed to a different value if so desired and supported by the Switch/Router in question.
Along with VLANs, NSX also supports VXLAN, which is the major distinguishing factor in the NSX Data Plane compared with traditional VLAN switched networks. VXLANs are implemented by the NSX vSwitch, which is a vSphere Distributed Switch with additional VIBs installed on the hypervisor.
VXLAN frames add a 50 byte header to the original Ethernet frame, taking the maximum frame length from 1522 bytes (for VLAN tagged frames, 1518 for untagged frames) to 1572 bytes for VXLAN frames.
VXLAN frames introduce an additional 3-byte (24-bit) field named “Virtual Network Identifier (VNI)” that identifies VXLAN Segments and provides a theoretical maximum of 2^24 VXLANs ~ 16 Million. As VXLANs are encapsulated in IP datagrams, the Layer 2 boundary is extended beyond the traditional VLAN centric constraints to a much wider Layer 3 centric model.
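The field layout described in the two passages above (the 4-byte 802.1Q tag with its 12-bit VID and reserved values, and the VXLAN header with its 24-bit VNI and 50 bytes of outer encapsulation) is easier to trust once it has been packed and unpacked by hand. The following is an added example written for this page, not NSX or VMware code; the frames, MAC addresses and VTEP addresses are constructed, and the outer IPv4/UDP headers carry placeholder values.

```python
"""Added example (not NSX or VMware code): build and parse 802.1Q tags and
VXLAN encapsulation with the field sizes described above.
Sample frames and VNIs are constructed; outer addresses are placeholders."""
import struct

TPID_8021Q = 0x8100        # EtherType announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN UDP destination port
VID_PRIORITY_ONLY = 0x000  # VID 0: tag carries priority but no VLAN membership
VID_RESERVED = 0xFFF       # VID 4095: reserved for implementation use
VXLAN_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes


def sample_frame(payload_len: int = 46) -> bytes:
    """Constructed untagged IPv4 Ethernet frame (constructed MACs, zero payload)."""
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * payload_len


def build_8021q_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte tag: TPID (16 bits) + TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the tag after the destination and source MAC addresses (12 bytes)."""
    return frame[:12] + build_8021q_tag(vid, pcp) + frame[12:]


def parse_vlan(frame: bytes) -> dict:
    """Describe the VLAN tag of a frame; untagged frames report vid=None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "ethertype": ethertype}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {
        "tagged": True,
        "vid": vid,
        "pcp": tci >> 13,
        "priority_only": vid == VID_PRIORITY_ONLY,
        "reserved": vid == VID_RESERVED,
        "ethertype": inner_type,
    }


def vxlan_encapsulate(inner: bytes, vni: int,
                      vtep_src: bytes = b"\x0a\x00\x00\x01",
                      vtep_dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Wrap a frame in outer Ethernet + IPv4 + UDP + VXLAN (50 bytes of overhead)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    udp_len = 8 + 8 + len(inner)
    outer_eth = b"\xcc" * 6 + b"\xdd" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal IPv4 header: v4/IHL 5, total length, DF set, TTL 64, protocol 17 (UDP), zero checksum.
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                           vtep_src, vtep_dst)
    outer_udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    # VXLAN header: flags byte with the I bit (0x08), 24 reserved bits, 24-bit VNI, 8 reserved bits.
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)
    return outer_eth + outer_ip + outer_udp + vxlan + inner


def parse_vni(packet: bytes) -> int:
    """Extract the 24-bit VNI; the VXLAN header starts after the 14 + 20 + 8 outer bytes."""
    flags, vni_word = struct.unpack("!II", packet[42:50])
    if (flags >> 24) & 0x08 == 0:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8


def max_frame_sizes() -> dict:
    """Maximum frame lengths quoted above: untagged, 802.1Q tagged, VXLAN-encapsulated tagged."""
    untagged = 1518
    return {"untagged": untagged, "vlan": untagged + 4, "vxlan": untagged + 4 + VXLAN_OVERHEAD}


if __name__ == "__main__":
    f = tag_frame(sample_frame(), 100)
    print(parse_vlan(f), parse_vni(vxlan_encapsulate(f, 5001)), max_frame_sizes())
```

The `max_frame_sizes` figures reproduce the 1518/1522/1572 progression from the text; the practical consequence is that physical uplinks carrying VXLAN must be given an MTU larger than the default 1500 or the encapsulated frames are dropped silently.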
Routing
Traditional Physical Routers are built with dedicated routing and forwarding engines implemented with Application Specific Integrated Circuits (ASICs). Data is processed from incoming ports/interfaces with the dedicated hardware and memory components. The physical routing topology consists of the various interconnections between Routers and Switches. The logical routing topology is concerned with the manner in which traffic forwarding decisions are made across the network. To that end various routing protocols are used, including OSPF and BGP.
NSX provides logical routing services through Edge Services Gateways and the Distributed Logical Router. The ESG is primarily concerned with North-South routing into and out from the NSX logical environment whereas the DLR deals with East-West traffic inside the datacenter. DLR forwarding is handled at the ESXi host level which means traffic does not need to leave the server environment in order to pass between hosts.
Services
Firewall and Security
Physical Firewalls operate a bit like Routers and are placed directly within the data flow. Traffic is inspected as it passes through the device and security policies applied accordingly.
NSX provides two types of logical Firewall: the Edge Services Gateway for North-South traffic and the Distributed Firewall (DFW) for East-West traffic. The ESG FW is similar to a traditional Physical Firewall as it sits in line with the data traffic flow as an appliance through which all traffic must pass. The DFW on the other hand is applied at the hypervisor kernel level directly against a VM's vNIC. In this respect it is a little like a Host based firewall, except that the end user has no access to or control of the security policies applied to it, which are instead configured through the NSX Manager.
NSX also provides integration with 3rd party services through vendor integration. User traffic can be directed towards a 3rd party provided security appliance for further inspection and policy enforcement, such as IDS/IPS services.
Load Balancing
Physical Load Balancers are network appliances that act as service endpoints for application traffic. The appliance presents TCP, IP and HTTP/S services to users on a single IP/Port whilst directing backend traffic to a Pool or Group of servers/hosts configured for a given application. Popular vendors include F5 Networks and NetScaler.
An NSX Edge Services Gateway provides Load Balancing services that can be configured either through NSX Manager or programmatically through the NSX REST API. Supported services include:
- Load Balancing Algorithms including Round-Robin, IP Hash, URI and Number of Connections
- TCP and UDP Services
- Session Persistence with Source IP, Cookie, SSL Session ID
- URL and URI Re-write
NSX Load Balancing is provided by an Edge Services Gateway and can be configured in one of two ways:
- In-Line
- Proxy
Note: The NSX Edge Firewall must be enabled for the Load Balancing function to work, even if it only has a default “permit” rule configured.
- Maximums:
- Throughput: 9Gbps
- Concurrent Connections: 1 Million
- New Connections per second: 131,000
In-Line
In this configuration the LB is placed in the direct line of traffic flow, i.e. application traffic must pass through it regardless of whether it is destined for a Load Balanced application endpoint or not. The default gateway for VMs on the application subnet is configured on the Load Balancer and VIPs are configured on another interface connected to a different subnet.
Proxy Mode (One-Arm)
In Proxy-Mode configuration the Load Balancer VIPs are configured on the same subnet as the VMs being pooled.
Note that in this configuration traffic does not have to pass through the Load Balancer to reach a VM on the workload subnet, as the LB has a single connection to the same network and the default gateway for that subnet is usually a separate device. In order to force application traffic back through the Load Balancer, any traffic passing through a VIP has its Source IP Address translated to the VIP IP Address. The VMs therefore return traffic back through the Load Balancer.
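The Load Balancing section above lists the pool selection algorithms, Source IP persistence, and the one-arm (proxy) mode source rewrite. The following added example, written for this page and not NSX code, models those three behaviours in one small pool class so the interaction between persistence, member health and the chosen algorithm can be traced; the member names, addresses and the 40001 LB-side port are constructed placeholders.

```python
"""Added example (not NSX code): pool member selection for the algorithms and
Source IP persistence listed above, plus the one-arm SNAT rewrite.
Member and client addresses are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    ip: str
    active: int = 0          # open connections; input to the connection-count algorithm
    healthy: bool = True     # a failed health check removes the member from rotation


class Pool:
    def __init__(self, members, algorithm="round-robin"):
        self.members = list(members)
        self.algorithm = algorithm
        self._rr_index = 0
        self.persistence = {}             # client IP -> member name (Source IP persistence)

    def _eligible(self):
        return [m for m in self.members if m.healthy]

    def _round_robin(self, members, _ip, _uri):
        m = members[self._rr_index % len(members)]
        self._rr_index += 1
        return m

    def _hash_pick(self, members, key: str):
        digest = hashlib.sha256(key.encode()).digest()
        return members[int.from_bytes(digest[:4], "big") % len(members)]

    def _ip_hash(self, members, ip, _uri):
        return self._hash_pick(members, ip)

    def _uri(self, members, _ip, uri):
        return self._hash_pick(members, uri)

    def _least_conn(self, members, _ip, _uri):
        return min(members, key=lambda m: m.active)

    def select(self, client_ip: str, uri: str = "/") -> Member:
        """Pick a member for a new connection; persistence wins while its member is healthy."""
        eligible = self._eligible()
        if not eligible:
            raise RuntimeError("no healthy pool members")
        by_name = {m.name: m for m in eligible}
        sticky = self.persistence.get(client_ip)
        if sticky in by_name:
            chosen = by_name[sticky]
        else:
            picker = {"round-robin": self._round_robin, "ip-hash": self._ip_hash,
                      "uri": self._uri, "least-conn": self._least_conn}[self.algorithm]
            chosen = picker(eligible, client_ip, uri)
            self.persistence[client_ip] = chosen.name
        chosen.active += 1
        return chosen

    def release(self, member: Member):
        member.active = max(0, member.active - 1)


def one_arm_rewrite(client_ip: str, client_port: int, vip: str, member: Member,
                    vip_port: int = 443, lb_port: int = 40001) -> dict:
    """One-arm (proxy) mode: the LB replaces the client source with the VIP address so the
    member's reply returns to the LB instead of going straight to the client via its gateway."""
    return {"src": (vip, lb_port), "dst": (member.ip, vip_port),
            "original_client": (client_ip, client_port)}
```

Because the member sees only the VIP as the source in one-arm mode, any per-client logging or access control on the pool members must rely on information the load balancer forwards (for HTTP typically an X-Forwarded-For header) rather than the packet's source address.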
NAT
Network Address Translation is the process of converting or “translating” the IP Address of a packet. NSX Edge Services Gateways provide NAT Services in a similar manner to physical devices such as Routers and Firewalls. Three types of NAT are supported by NSX:
- Source Address Translation (SNAT)
In this configuration the Source IP Address of a packet is converted to a pre-configured IP Address on the NSX Edge. Source NAT is used, for example, where Internet Access is required or where a VPN IP address is used to mask or hide the private IP Addresses of a network from public networks. One may consider Source NAT to be “outbound” NAT.
- Destination Address Translation (DNAT)
Destination NAT is an “inbound” translation technique used to direct traffic towards a different IP Address than that originally set in the IP packet. This is useful for example in Load Balancing scenarios whereby a private IP Address is placed behind a published IP Address for a particular service, e.g. a Web Server.
- Port Address Translation (PAT)
Port Address Translation combines DNAT with additional support for TCP Sockets, so as well as inspecting an IP packet's Destination IP Address, it also inspects the Destination Port.
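The three NAT forms just described only make sense together with the session state an edge keeps so that replies can be translated back. The following added example, written for this page and not NSX code, is a small stateful translator that applies SNAT to outbound sessions, PAT (address plus port) and DNAT (address only) to inbound traffic, and reverses each mapping on the return path; all addresses are constructed from documentation ranges.

```python
"""Added example (not NSX code): a stateful translation table showing the three
NAT forms described above. Addresses are constructed from documentation ranges."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class EdgeNat:
    def __init__(self, public_ip: str, port_range=(1024, 65536)):
        self.public_ip = public_ip
        self._next_port = iter(range(*port_range))
        self.snat_sessions = {}     # (private ip, private port) -> public port
        self.snat_reverse = {}      # public port -> (private ip, private port)
        self.dnat_rules = {}        # public ip -> private ip (all ports, 1:1)
        self.pat_rules = {}         # (public ip, public port) -> (private ip, private port)
        self.dnat_sessions = {}     # (private ip, private port, client ip, client port) -> (public ip, public port)

    def add_dnat(self, public_ip: str, private_ip: str):
        self.dnat_rules[public_ip] = private_ip

    def add_pat(self, public_ip: str, public_port: int, private_ip: str, private_port: int):
        self.pat_rules[(public_ip, public_port)] = (private_ip, private_port)

    def _allocate_port(self) -> int:
        # Never hand out a public port that a PAT rule already claims on the SNAT address.
        reserved = {port for ip, port in self.pat_rules if ip == self.public_ip}
        for port in self._next_port:
            if port not in reserved:
                return port
        raise RuntimeError("SNAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public direction: un-translate DNAT/PAT replies, otherwise SNAT."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.dnat_sessions:
            pub_ip, pub_port = self.dnat_sessions[key]
            return replace(pkt, src_ip=pub_ip, src_port=pub_port)
        session = (pkt.src_ip, pkt.src_port)
        if session not in self.snat_sessions:
            port = self._allocate_port()
            self.snat_sessions[session] = port
            self.snat_reverse[port] = session
        return replace(pkt, src_ip=self.public_ip, src_port=self.snat_sessions[session])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private direction: SNAT replies first, then PAT (ip+port), then DNAT (ip only)."""
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.snat_reverse:
            ip, port = self.snat_reverse[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        target = self.pat_rules.get((pkt.dst_ip, pkt.dst_port))
        if target is None and pkt.dst_ip in self.dnat_rules:
            target = (self.dnat_rules[pkt.dst_ip], pkt.dst_port)   # DNAT keeps the port unchanged
        if target is None:
            return None     # no rule and no session: nothing reaches the private side
        priv_ip, priv_port = target
        self.dnat_sessions[(priv_ip, priv_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    nat = EdgeNat("203.0.113.1")
    nat.add_pat("203.0.113.1", 8443, "10.0.0.10", 443)
    print(nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.9", 443)))
    print(nat.inbound(Packet("192.0.2.20", 51000, "203.0.113.1", 8443)))
```

Two design points carry over to real edges: the DNAT rule exposes every port of the private host behind the public address, so it should be paired with firewall rules that restrict which ports are actually reachable, whereas PAT exposes exactly one; and unsolicited inbound packets that match no rule and no session are returned as `None`, which is the behaviour the NAT table alone provides even before any firewall rule is evaluated.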
Differentiate logical and physical security constructs
Physical Security Constructs are limited in nature because of the inherent limitations imposed by the largely inflexible network and security topology, e.g. Firewall rules can only be placed at set points in the network where the physical appliance is located rather than closer to the source or destination of network traffic. In traditional physical networks only the perimeter of the network is secured, with Firewalls and IDS systems (North->South). Traffic inside the Datacenter is not protected (East-West).
With NSX, Security constructs can be flexibly configured to support a wide range of workloads within the datacenter as well as securing the perimeter. North->South traffic is secured with an Edge Services Gateway and East-West traffic inside the datacenter is secured with the NSX Distributed Firewall (DFW). The latter is implemented at the ESXi Kernel Layer, providing near line rate performance and increased virtualisation, identity and activity awareness of internal traffic compared with traditional physical firewalls located at the Edge of the datacenter.
Distributed Firewall Rules may be configured manually or using the NSX Service Composer to dynamically allocate objects such as VMs to security groups and apply Firewall Policies accordingly. In so doing the DFW provides location and policy independence, i.e. the security policy applied to a VM is independent of its location because the policy stays with the VM regardless of where in the virtual datacenter it is located.
Endpoint Security
Endpoint Security is the practice of securing devices that access computer resources remotely. Permitting remote access to network resources inside an organisation creates vulnerabilities from disparate endpoints, e.g. PCs, Mobile Phones etc. Securing such endpoints in a physical environment includes host based firewalls, VPN Concentrators and host based Anti-Virus.
In a virtual environment many of these functions can be performed at the network level. NSX leverages 3rd party services to protect VMs without having to use host-based guest agents through a process known as Service Insertion, whereby traffic is steered through a dedicated 3rd party appliance for deep packet inspection, e.g. Intrusion Detection Services. Additionally, data may be secured at rest through Guest Introspection and Data Security.
Guest Introspection (GI) is a pre-requisite for installing Endpoint Monitoring. GI offloads security functions to a separate security appliance. Enabling GI involves deploying a new VIB and ESX Agent on each host in a cluster. 3rd party appliances can be used with GI to provide security services such as Anti-Virus and Anti-Malware from a centralised service VM. Having a single service VM allows updates to be made immediately available to all protected VMs, thereby reducing administration and management overhead. Introspection health status is shown in the vCenter Server console as alarms. Further status information can be gathered by looking at the event logs.
Data Security
Guest Introspection is a pre-requisite for installing Data Security.
The Data Security service detects sensitive data in VMs e.g. Credit Card numbers, PCI Data etc. Over 100 sensitive data detection policies are built into NSX.
Flow Monitoring
Flow Monitoring configures the Distributed Firewall to capture flows and send them to NSX Manager. Once data has been collected it can be viewed and analysed from the NSX Manager dashboard. Flows can be viewed by Service, and Live Monitoring shows them in real time.
Additionally, NSX supports the following flow collection techniques:
- IPFIX, available through an IPFIX collector
- Syslog, e.g. Log Insight, Splunk, etc
Flow Monitoring, IPFIX and Syslog data are sent by ESXi hosts out of the Management vmnic (physical uplink), using VMkernel interface vmk0.
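Collected flows are normally the starting point for writing East-West rules: observed, legitimate conversations become allow rules and everything else falls to a default block. The following added example, written for this page and not NSX code, aggregates a handful of constructed flow records (the comma-separated layout is an assumption, not an NSX export format), maps endpoints to tier names standing in for security groups, and produces candidate allow rules with hit counts plus a review queue for rarely seen flows.

```python
"""Added example (not NSX code): aggregate flow records such as those that Flow
Monitoring, IPFIX or syslog export, group endpoints into security-group style tiers,
and derive candidate allow rules. Record layout and all addresses are constructed."""
import ipaddress
from collections import Counter

# Constructed export: src,dst,proto,dport,action,bytes (layout assumed, not an NSX format)
SAMPLE_FLOWS = """\
10.1.1.10,10.1.2.20,tcp,3306,PASS,51200
10.1.1.10,10.1.2.20,tcp,3306,PASS,4096
10.1.1.11,10.1.2.20,tcp,3306,PASS,2048
10.1.1.10,10.1.2.20,tcp,22,PASS,900
192.0.2.77,10.1.1.10,tcp,443,PASS,12000
10.1.1.10,10.1.3.30,tcp,445,DROP,60
"""

# Constructed tier definitions standing in for NSX security groups
TIERS = {"web": "10.1.1.0/24", "db": "10.1.2.0/24", "mgmt": "10.1.3.0/24"}


def parse_flows(text: str) -> list:
    """Turn the comma-separated export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, action, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport),
                      "action": action, "bytes": int(nbytes)})
    return flows


def tier_of(ip: str, tiers: dict) -> str:
    """Map an address to its tier; anything outside every tier (e.g. Internet clients) is 'any'."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in tiers.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "any"


def candidate_rules(flows: list, tiers: dict) -> Counter:
    """Count PASS flows per (src tier, dst tier, proto, dport); each key is a candidate allow rule."""
    rules = Counter()
    for f in flows:
        if f["action"] != "PASS":
            continue
        rules[(tier_of(f["src"], tiers), tier_of(f["dst"], tiers), f["proto"], f["dport"])] += 1
    return rules


def review_queue(rules: Counter, min_hits: int = 2) -> list:
    """Rules seen fewer than min_hits times deserve a human look before they become policy."""
    return sorted(k for k, n in rules.items() if n < min_hits)


def dropped_talkers(flows: list, tiers: dict) -> Counter:
    """Sources whose traffic already hits a DROP rule, grouped by destination tier and port."""
    return Counter((f["src"], tier_of(f["dst"], tiers), f["dport"])
                   for f in flows if f["action"] == "DROP")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    rules = candidate_rules(flows, TIERS)
    for rule, hits in rules.most_common():
        print(hits, rule)
    print("review:", review_queue(rules))
    print("dropped:", dropped_talkers(flows, TIERS))
```

On the constructed data the web-to-db MySQL flow is the clear candidate for an allow rule, while the single web-to-db SSH flow lands in the review queue rather than being turned into policy automatically; that distinction is the point of collecting flows before locking down East-West traffic.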
Activity Monitoring
- Guest Introspection is a pre-requisite for Activity Monitoring.
- Activity monitoring is not supported on Linux VMs (Windows only)
- A Windows AD domain must be registered with NSX Manager
- Data Collection must be enabled on one or more VMs
Network connections from individual applications can be monitored from inside a VM with Activity Monitoring. Integration with Active Directory provides further details on the actual user’s connections from applications.
Reports show inbound traffic (e.g. VMs accessed) as well as outbound traffic (resource utilization, interaction between inventory containers, and AD groups that accessed a server).
Distributed Firewall
Traditional Firewalls are network appliances through which all network traffic flows. They are dedicated platforms that sit in the line of traffic and also perform some limited routing functions. One problem with this approach is that traffic is only secured North->South, i.e. entering and exiting a compute environment. Once traffic enters the security perimeter it is free to flow amongst devices inside the Datacenter, i.e. East-West.
The NSX Distributed Firewall is a logical firewall embedded in the ESXi kernel. As such it is able to inspect traffic between VMs at the vNIC level. In so doing, East-West traffic inside the datacenter is also secured by a firewall. By taking this approach it is no longer necessary to deploy guest VM Firewalls or dedicated VM Firewall appliances, thereby making centralised configuration and management of security policies relatively straightforward. The Distributed Firewall offers multiple sets of configurable rules for network layers 2, 3, and 4.
Perimeter Firewall
A Perimeter Firewall secures the Edge of a Datacenter or compute environment. This function is usually provided by a hardware based firewall appliance or alternatively through a VM based firewall appliance.
In an NSX environment this function may be fulfilled through an Edge Services Gateway. The ESG firewall provides additional services such as NAT and either SSL or IPSec VPN. Firewall rules can be configured from L2->L4.