vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall

Deploying, Troubleshooting, and Monitoring VMware

NSX Distributed Firewall

Srinivas Nimmagadda, VMware

Shadab Shah, VMware

SEC5894

#SEC5894

Agenda

Introduce NSX Firewall

Architecture and Packet Path for NSX Firewall

Demonstrate powerful provisioning paradigms of NSX Firewall

• 3-Tier Application – (3 VXLANs) or (1 VXLAN)

• Multi-Tenant Scenario

Troubleshooting NSX Firewall

Deployment of NSX Firewall (RBAC, Audit Logging, …)

Monitoring NSX Firewall

Hypervisor Kernel Embedded Firewall

Benefits… • Is built right in to the Hypervisor

• “Line Rate” Performance (15Gbps+ per host)

• No VM can circumvent Firewall

• Better compliance model

Distributed Virtual Firewall

Benefits… • No “Choke Point”

• Scale Out

• Enforcement closest to VM

Flexible Access Control Mechanisms

Benefits… • IP/VLAN: Support physical infrastructure based rules

• Security Groups: Logical grouping of VMs

• VM Asset Tags: Dynamic VM attributes

• Rules follow the VMs

VM VM VM

VM VM VM VM

VM VM VM

VM VM VM VM

VM VM VM

Identity Based Access Control

Active Directory

Eric Frost

User AD Group App Name Originating VM

Destination

VM Name

Source IP Destination IP

Eric Frost Engineering SPDesigner.exe Eric-Win7 Ent-Sharepoint 192.168.10.75 192.168.10.78

IP: 192.168.10.75

Source Destination Services Action

Engineering Ent-Sharepoint http Permit, Log

Rule Table

Packet Path – Source & Destination on same Host

External Network

Source Destination

vSwitch

Traffic between two VMs on the

same host does not hit the

physical switch

Firewalling enforced close to

the source VM

Firewalling also done as traffic

enters the Destination VM’s

Packet Path – Traffic across Hosts

External Network

Source Destination

vSwitch vSwitch

Traffic between two

VMs on different hosts

hit the physical switches

Firewalling enforced at

source and destination

VM vNICs

Similar flow for Virtual to

Physical Traffic

Firewall Management Life Cycle

Prepare Deploy firewall on hosts

Enable Logging

VMTools for VMs, Activity Monitoring

Policy vCenter Objects

Configure Access Rules

Sections

Troubleshoot Logs with Rule IDs

Rule Hit Count

Enforced Rules on a Host

Packet Captures

Monitor Flow Monitoring

Activity Monitoring

Operations Audit Tracking

Role Based Access Control

Import/Export of Configutations

Prepare Deploy Firewall

Enable Logging

Deploy VMTools

Deploy NSX Firewall

Network Setup

Enable Firewall Logging

Syslog.global.logHost tcp://10.24.131.189:514

Enable VMTools

Policy Policy Objects

Access Control Rules

Editable Text Here

External

Networks Single Logical

Switch

Vxlan-5004

sv-02a

App-sv-

Db-sv-

Client

Logical Switch

Vxlan-5000

Client-

Web Services

Logical Switch

Vxlan-5002

App Services

Logical Switch

Vxlan-5003

DB Services

Logical Switch

Vxlan-5001

sv-01a App-sv-

01a Db-sv-

3-Tier Application Deployment

Create Security Groups (Static VM Assignment)

Create Security TAGs for PCI & DevTest Zones

Define AD Domain (for IDFW Rules)

Create User Based Access Rules

Multi-Tenancy With NSX Firewall

External

Networks

Tenant 2

Logical Switch

Tenant 1

Logical Switch

Routing, VPN, NAT

Tenant Specific

Micro-segmentation

Tenant 2

Logical Switch

Tenant-01 Access Rules

Objects

ALL-CUST-VXLANS

Tenant01-VXLAN Tenant02-VXLAN

Tenan01-Services (192.168.10.0/24) Tenant02-FIN-Apps (192.168.10.0/24)

Tenant-01 Section

Source Destination Services Action Apply To

Tenant01-VXLAN Tenant01-Services Any Permit Tenant01-VXLAN

… … … … Tenant01-VXLAN

Tenant01-VXLAN Tenant01-VXLAN Any Deny Tenant01-VXLAN

SP Tenant-01 Section

ALL-CUST-VXLANS Tenant01-VXLAN Any Deny

Tenant01-VXLAN ALL-CUST-VXLANS Any Deny

Tenant-02 Access Rules

Tenant-02 Section

Tenant02-FINANCE Tenant02-FIN-Apps http, https Permit, log Tenant02-VXLAN

… … … … Tenant02-VXLAN

Tenant02-VXLAN Tenant02-VXLAN Any Deny Tenant02-VXLAN

SP Tenant-02 Section

ALL-CUST-VXLANS Tenant02-VXLAN Any Deny

Tenant02-VXLAN ALL-CUST-VXLANS Any Deny

Host And Network Security Services

Anti Virus

Vulnerability Scanner

Dynamic Security Group Membership

Firewall Rule Table

Troubleshooting Log Policy

Rule Hit Count

Enforced Per Host Rules

Packet Capture

vCenter Host Kernel Log

Log Insight

Source Dest SPORT DPORT Action Rule ID

10.113.132.192 172.25.40.101 62517 3389 DROP 1011

Lookup Rules By ID

Rule Statistics

Per VM Rules

> summarize-dvfilter

> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2

ruleset domain-c7 {

# Filter rules

rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to

addrset ip-securitygroup-29 port 80 accept with log;

rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to

addrset ip-securitygroup-29 port 443 accept with log;

rule 1002 at 11 inout protocol any from any to any accept with log;

ruleset domain-c7_L2 {

rule 1001 at 1 inout ethertype any from any to any accept;

Packet Capture

summarize-dvfilter

pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile

test.pcap

Monitoring Flow Monitor

Activity Monitor

Flow Monitoring

• All flows from the VMs accumulated on NSX Manager

• Provides aggregated historic data for dropped, active and inactive flows

Flow Monitoring, Details

Live Flows

Enable Activity Monitoring for VMs

Activity Monitoring

Operations Audit Log

Users & RBAC

Config Backup/Restore

Audit Log

User Management & RBAC

Firewall Config Backup/Restore

Summary

NSX Firewall

East/West Traffic Control

Identity & VM Awareness

High Performance & Scale-out

Operational Workflows

Policy Management

Troubleshooting

Monitoring

REST API & Automation

Take Aways Enables Business Agility

Delivers Superior Performance & Scale

Simplifies Firewall Management

Other VMware Activities Related to This Session

HOL-SDC-1303

VMware NSX Network Virtualization Platform

Group Discussions:

SEC1000-GD

Distributed Virtual Firewall - Management, Architecture, Scalability and

Performance with Serge Maskalik

SEC5894

THANK YOU

Deploying, Troubleshooting, and Monitoring VMware

NSX Distributed Firewall

Srinivas Nimmagadda, VMware

Shadab Shah, VMware

SEC5894

#SEC5894

The Transformative Value of Network Virtualization

Labor/OPEX Savings

Innovation Speed & New Business

Reduction*

Increase in Business Velocity

* Projected savings off current baseline spend, steady

state 75% reduction in IT infrastructure spending.

Source: Large US-based Financial Services company

• Valuable labor moves to SDDC architects, away from high-cost siloed orgs

• Manual design, config & deploy moves to automated / self service provisioning

• Complex / custom hardware configuration moves to simplified IP forwarding

• Box-based net security moves to centrally defined, scale-out security policies

• Physical Infra labor moves to “rack-n-stack” with limited “operator” functions

• Adds/moves/changes no longer require full manual re-provisioning effort

Introducing VMware NSX

vCNS v5.1

vCloud Suite (Network & Security) v5.1

vCloud Suite (Network & Security) v5.5

vCloud Network & Security

vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall

Technology

Step-By-Step Guide to Deploying Policies for Windows Firewall With Advanced Security

Deploying MongoDB “as-a-service” Inside the Firewall

Topcerts 642-617 Exam - Deploying Cisco ASA Firewall Solutions

Micro segmentation with Next Generation Firewall and Vmware NSX Daniel Bortolazo Thiago Koga

Deploying Cisco ASA Firewall Solutions for CCNP Securityd2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKCRT-8104.pdf · Deploying Cisco ASA Firewall Solutions for CCNP Security BRKCRT-8104

Deploying Enterprise Scale User Firewall and Device Identity · Deploying Enterprise Scale User Firewall and Device Identity Harry Cornwell ... Anti-virus Intrusion Prevention Web/Content

Reference Design: Deploying NSX for vSphere with Cisco … · ... and layer-3 peering and routing configurations • Cisco Nexus 9000 connectivity options with NSX in a virtual Port

VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, and Monitoring for VMware NSX Service Composer

Deploying NSX Advanced Load Balancer with VMware Cloud ...€¦ · aimed at helping VCCP Cloud Providers deploying the Advanced Load Balancer features in multi-tenant environment

Deploying Cisco ASA Firewall Solutions

Deploying Cisco ASA Firewall Solutions (FIREWALL) · PDF fileDeploying Cisco ASA Firewall Solutions (FIREWALL) ... command? A. nspect ... and telnet connections to the Cisco ASA C

Architecting a VMware NSX Solution for VMware Distributed firewall (DFW) – Security enforcement implemented as a kernel module and providing a virtual NIC level firewall. This enables

NET1350BE Deploying NSX on a Cisco Infrastructure or ... · PDF fileDeploying NSX on a Cisco Infrastructure VMworld 2017 ... Originating Port ... UCS B-Series UCS B-Series Spine Leaf-Series

NSX API Guide - VMware · VMware, Inc. 3 Contents About This Book 19 1 Overview of NSX 21 NSX Capabilities 22 Logical Switches 22 Logical Routers 22 Logical Firewall 22 Logical Virtual

VMWorld 2013 - Deploying, Troubleshooting, And Monitoring VMware NSX Distributed Firewall

Examways 642-617 Exam - Deploying Cisco ASA Firewall Solutions

Operationalizing VMware NSX® - Mobius Partners...Figure 4.4 vRealize Automation and NSX integrated capability ..... 39 Figure 4.5 Distributed Firewall Event Summary in vRealize Log

Deploying Oracle Audit Vault and Database Firewall in Oracle … · 2019-12-10 · 2 | DEPLOYING ORACLE AUDIT VAULT AND DATABASE FIREWALL IN ORACLE CLOUD INFRASTRUCTURE Disclaimer

Manual de servicio Aiwa+Nsx Sz80+Nsx Sz83+Nsx Aj80+Nsx Sz80e

SAI2803BU The Road to Micro- Segmentation or distribution · 1 Security in the Datacenter with NSX 2 Deploying NSX Micro-Segmentation 3 Micro-Segmentation Policy Creation VMworld