vmworld 2013: technical deep dive: build a collapsed dmz architecture for optimal scale and...
DESCRIPTION
VMworld 2013. Shubha Bheemarao, VMware; Bruno Germain, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
TRANSCRIPT
Slide 1
Technical Deep Dive: Build a Collapsed DMZ
Architecture for Optimal Scale and Performance
Based on NSX Firewall Services
Shubha Bheemarao, VMware
Bruno Germain, VMware
SEC5891
#SEC5891
Slide 2
Objective
Review DMZ design considerations
Propose new DMZ design that is secure, scalable and cloud ready
Provide deployment guidance using NSX, highlighting benefits applicable to DMZ
Slide 3
Related Sessions
NET5847 - NSX: Introducing the World to VMware NSX
NET5266 - Bringing Network Virtualization to VMware environments with NSX
SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
Slide 4
Agenda
Current DMZ design challenges and considerations
New DMZ Design
VMware NSX Components for the DMZ
Proposed DMZ Architecture
Conclusion
Slide 5
DMZ Design Often Relies On Physical Separation Of Trust Zones
DMZ Design:
1. Trust zones separated using separate hardware
2. Design is complex and inflexible
Slide 6
DMZ Application Deployment Is Slow
DMZ Challenge #1
• New application deployment involves configurations at multiple zones
• Configuration spread across devices
• Configuration managed by multiple teams
• Cannot automate
Address using:
• Build a Software Defined Data Center
• Build focus teams for cloud architecture and operations
(Figure: configuration split across Network Team #1, Network Team #2 and the Security Team)
Slide 7
DMZ Design May Compromise Data Center Security
DMZ Challenge #2
• Non-DMZ traffic often not fully secured
• Large firewall rule sets
• Networking or placement changes could break security
• Hard to manage
Address using:
• Tie configuration to application objects instead of networks
• Secure all application traffic, including East-West traffic
Slide 8
DMZ Design Cannot Scale
DMZ Challenge #3
• Forces rip and replace to scale up
• Not cloud ready
Address using:
• Build a design suited to scale incrementally using distribution of services
Slide 9
You Need A Cloud Ready DMZ
Design Considerations:
1. Security
2. Manageability
3. Scale and performance
4. Automation
Slide 10 (agenda, repeated)
Slide 11
Building A Logical DMZ Trust Zone Is A Better Approach
Steps:
• Pull the DMZ zone into the datacenter
• Use virtual networking and security constructs for application isolation and protection
Benefits:
• Higher agility - flexible placement
• Simpler configuration management
• Lower cost – fewer hardware devices
• Easier automation
Slide 12 (agenda, repeated)
Slide 13
VMware NSX – Networking & Security Capabilities
(Figure: the VMware NSX Network Virtualization Platform sits between any application (without modification), any cloud management platform, any hypervisor and any network hardware, and presents virtual networks built from Logical L2, Logical L3, Logical Firewall, Logical Load Balancer and Logical VPN)
Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
Logical Routing – Routing between virtual networks without exiting the software container
Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
Logical Load Balancer – Application Load Balancing in software
Logical VPN – Site-to-Site & Remote Access VPN in software
NSX API – RESTful API for integration into any Cloud Management Platform
Partner Eco-System
Slide 14
1. Deploy Each Tier Of DMZ Application On A Logical Switch
(Figure: DB, Web and App tiers, each on its own logical switch)
Benefits for DMZ
• Speed of new application deployment
• Does not require physical network configuration at multiple devices
• Scale is not limited by the limitations of physical VLANs
• Higher Security:
  • Reduce attack perimeter
  • Contain risk within virtual perimeter
  • Physical switching and network not exposed to attack
Slide 15
2. Protect Every Virtual Server Using Distributed Firewall
Benefits for DMZ
• Achieve line rate throughput using vNIC level hypervisor firewall
• Higher security – Complete East-West traffic protection via distributed enforcement
• Easy Scale and Automation
• Mobility of security rules – Rules follow the VM
(Figure: DB, Web and App tiers)
Slide 16
3. Provide Perimeter Protection Using Logical Gateway
Benefits for DMZ:
• Deploy logical Perimeter Firewall, Load Balancer and VPN programmatically and as needed
• Perimeter services and policy can be tied to the application
• Virtual appliance model allows cloud agility and scale-out
• Higher security through VIP hiding internal IP addresses
(Figure: Services Edge providing NAT, FW, VPN and LB in front of the DB, Web and App tiers)
Slide 17
4. Optimize Application Traffic Flow Using Distributed Router
Benefits for DMZ
• Optimize traffic flows to minimize latency
• Minimize advertising internal routers to perimeter devices
(Figure: Logical Distributed Router connecting the DB, Web and App tiers)
Slide 18
5. Automate Application Protection Using Logical Switches
(Figure: Web tier)
Benefits for DMZ:
• No need to re-program the perimeter security function as workloads move within the infrastructure
• Application-specific security follows the workload
• “Configure and forget”
Slide 19
6. Protect Application Access Using Identity Firewall
Benefits for DMZ
• Create firewall rules using user identity for VDI
  • Limit application access to only authorized groups of users
  • Prevent insider attack
• Get visibility into in-guest applications and application access
  • Ensure no rogue applications are running on your servers
  • Get reporting on application usage by user groups
(Figure: DB Admins and Web Admins user groups with access checks against the DB, Web and App tiers; Application Visibility)
Slide 20
7. Define Application Security Using Logical Containers
Benefits for DMZ
• Simplify rule creation and management – Use logical boundaries to reflect application boundaries; prevent rule sprawl by tying security policy to applications
• Automate protection for new VMs, as new security group members inherit security policies
• Flexible and manageable container creation options – Use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes
(Figure: Web container grouping many VMs)
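The object-based container model described on this slide, as an added example that is not code from the deck or from NSX: a toy policy engine in which security groups are defined by VM tags rather than addresses, contrasted with an address-keyed rule table. Tag names, tier names, IP addresses and port numbers are constructed for the illustration.

```python
# Added example, not code from the deck or from NSX: rules tied to application
# objects (vSphere-style tags) keep matching when a VM is moved or re-addressed,
# while rules tied to IP addresses silently stop matching. All values constructed.
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)  # tags travel with the VM object

@dataclass
class Rule:
    src: str      # security group name, or "any"
    dst: str      # security group name
    port: int
    action: str   # "allow" or "deny"

# Security groups are defined by tag membership, not by subnet.
GROUPS = {"web": "tier:web", "app": "tier:app", "db": "tier:db"}

def member(vm, group):
    return group == "any" or GROUPS[group] in vm.tags

# Policy written against application objects: first match wins, default deny,
# so East-West traffic between tiers is blocked unless a rule allows it.
POLICY = [
    Rule("any", "web", 443, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
]

def decide(src, dst, port, policy=POLICY):
    for r in policy:
        if member(src, r.src) and member(dst, r.dst) and r.port == port:
            return r.action
    return "deny"

# The same intent written against addresses, as a physical DMZ firewall would.
IP_POLICY = {("10.1.1.10", "10.1.2.10", 8080): "allow"}

def decide_by_ip(src, dst, port):
    return IP_POLICY.get((src.ip, dst.ip, port), "deny")

def vmotion_readdress(vm, new_ip):
    """Move a VM to a new network: the address changes, the object and tags do not."""
    return VM(vm.name, new_ip, set(vm.tags))

web = VM("web-01", "10.1.1.10", {"tier:web"})
app = VM("app-01", "10.1.2.10", {"tier:app"})
db = VM("db-01", "10.1.3.10", {"tier:db"})
```

After `vmotion_readdress(app, ...)`, `decide(web, moved, 8080)` still returns "allow" while `decide_by_ip` falls back to "deny", which is the "policy persists across vMotion or networking changes" point of the slide.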
Slide 21
Architecture Can Easily Scale
(Figure: DB, Web and App tiers)
Benefits for DMZ:
• Achieve multitenancy using perimeter gateway for tenant separation
• Fully automate using REST API scripts or Cloud Management portals
• Scale easily by adding essential services on demand in software
• Built for high performance
Slide 22 (agenda, repeated)
Slide 23
Functional View of Data Center With Logical DMZ
(Figure: any devices over any networks reach app gateways and perimeter devices; behind them sit admin jump points, common services (EDS, AD, DB) and applications. The example application is Exchange, with its roles and the ports between them: Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items) and Unified Messaging (voice mail and voice access); port labels shown include 25, 50636, 135, 389, 3268, 88, 53 (to AD), RPC, 808, 5060, 5061, 5062 and dynamic.)
Slide 24
Physical View Of NSX Component Deployment
(Figure: Compute Clusters on Compute Racks, a Management Cluster on Infra Racks (vCenter Server, NSX Manager, NSX Controller, physical appliances) and an Edge Cluster on Edge Racks (NSX Edge), joined by the Data Center IP network and a management network (vMotion & storage); external networks (WAN/Internet) are reached through the edge, with L2 and L3 labels on the gateway links.)
Controller Software
• Virtual network orchestrator
• Massive scale
Hypervisor Service Modules
• Distributed network services (Switching, Routing)
• Load Balancer, Switch, Firewall, Router/VPN
Gateway Software
• Integration with existing physical infra.
• V to V / V to P
Slide 25 (agenda, repeated)
Slide 26
Build Your Cloud Ready DMZ with NSX
Before: DMZ with physical separation of trust zones
After: DMZ with logical separation of trust zones
Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads
Slide 29
THANK YOU
Slide 32
Mixed Mode / Multi-tenant and the test of auditing
We are not alone:
Automated and self-healing
Security & compliance trust zones
Power of cloud infrastructure automation
Slide 33
A validated methodology for the migration to mixed trust zones
VMware Confidential
(Figure: three stages of a vSphere estate behind Core, Aggregation and Access layers, ending with vShield App based security on VMware vSphere + vShield; Cluster1 hosts the HR App, FIN App and Sales App, each with Web Frontend, Apps and Database tiers.)
Legend
Increased Confidence with Virtualization and Virtualization Security
Mixed-Trust Zone with Virtual Enclaves