NSX: Network Virtualization and the Future of Security

Transcript of NSX: Network Virtualization and the Future of Security

Page 1: NSX: Network Virtualization and the Future of Security

© 2016 VMware Inc. All rights reserved.

NSX: Network Virtualization and the Future of Security

Luca Morelli, Sr. Systems Engineer @ VMware

Page 2

A Few Facts About the Speaker…

•  Born in Catanzaro, the city of the three Vs, about 37 years ago

•  Computer Engineer – University of Rende

•  In IT for about 15 years – experience in Spain, France, the Netherlands and other countries

•  Started in software development, then pre-sales for about 8 years

•  Almost 7 years with a “physical” networking vendor

•  “Virtualized” since January 2015

•  Passionate about scuba diving, freediving, climbing and my wonderful partner

•  Add me on LinkedIn (not only NSX)

Page 3

Agenda

1 VMware's Vision of the Software Defined Data Center

2 Introduction to Network Virtualization with NSX

3 The Micro-Segmentation Paradigm

4 Main Use Cases

Page 4

Software-Defined Data Center (SDDC)

The Foundation of the New Model of IT

[Diagram: Any Application | One Cloud | Any Device. Build-Your-Own Converged Infrastructure and Hyper-Converged Infrastructure underpin the Software-Defined Data Center, whose layers are Cloud Management, Compute, Network, Storage and Extensibility. Above it sit Traditional Applications and Modern, Cloud Applications, and Business Mobility: Applications | Devices | Content. Hybrid Cloud: PRIVATE (Your Data Center), PUBLIC (vCloud Air), MANAGED (vCloud Air Network).]

Page 5

The Network Is a Barrier to the Software Defined Data Center!!

[Diagram: Servers with a Compute Virtualization Abstraction Layer form the Software Defined Data Center; beneath it the Physical Network remains.]

Physical Network:

•  Provisioning is slow

•  Mobility is limited

•  Hardware dependent

•  Operationally intensive

Page 6

NSX - Distributed Services in the Hypervisor

Network & Security Services Now in the Hypervisor: L2 Switching, L3 Routing, Firewalling/ACLs, Load Balancing

[Diagram: Applications run on Virtual Machines, Virtual Networks and Virtual Storage (Data Center Virtualization, Location Independence); the software layer sits above the hardware's Compute Capacity, Network Capacity and Storage Capacity.]

Automated operational model of the SDDC

Pooled compute, network and storage capacity; Vendor independent, best price/perf; Simplified config and mgt.

Page 7

NSX Logical Switching

Challenges

•  Per Application/Multi-tenant segmentation

•  VM Mobility requires L2 everywhere

•  Large L2 Physical Network Sprawl – STP Issues

•  HW Memory (MAC, FIB) Table Limits

Benefits

•  Scalable Multi-tenancy across data center

•  Enabling L2 over L3 Infrastructure

•  Overlay Based with VXLAN, etc.

•  Logical Switches span across Physical Hosts and Network Switches

[Diagram: VMware NSX with Logical Switch 1, Logical Switch 2, Logical Switch 3 (animated slide)]

Page 8

NSX and VXLAN

[Diagram: Host A runs a vSphere Distributed Switch with dvUplink-PG, a dvPG-VTEP hosting the VXLAN VTEP, and Logical SW A connecting VM1; the host attaches to a Generic IP Fabric.]

•  VXLAN can be seen as a service on the host

•  VXLAN uses a vmknic and implements a VXLAN Virtual Tunnel End Point (VTEP) functionality

•  Depending on the uplink configuration, there might be several VTEPs on a host
   –  A single dvPortGroup is created for all VTEPs

•  A logical switch is a L2 broadcast domain implemented using VXLAN
   –  A dvPortGroup is created for each logical switch

Page 9

Traffic Flowing on a VXLAN Backed VDS

•  In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch

•  A VXLAN tunnel is established between the two hosts

[Diagram: Host A (VM1 on Logical SW A, dvPG-VTEP/VTEP, dvUplink-PG) and Host B (VM2 on Logical SW A, dvPG-VTEP/VTEP, dvUplink-PG) share one vSphere Distributed Switch; the VXLAN Tunnel between the two VTEPs crosses the Generic IP Fabric.]

Page 10

Traffic Flowing on a VXLAN Backed VDS

•  Assume VM1 sends some traffic to VM2:

1  VM1 sends L2 frame to local VTEP

2  VTEP adds VXLAN, UDP & IP headers

3  Physical Transport Network forwards as a regular IP packet

4  Destination Hypervisor VTEP decapsulates frame

5  L2 frame delivered to VM2

[Diagram: the L2 frame leaves VM1 on Logical SW A (Host A), is carried as IP/UDP/VXLAN + L2 frame through the VXLAN Tunnel over the Generic IP Fabric, and arrives as an L2 frame at VM2 on Logical SW A (Host B).]
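Steps 2 and 4 above in code. This is an added example, not part of the original deck or of any VMware code: it packs and unpacks the IP/UDP/VXLAN headers around a constructed L2 frame, using the VTEP addresses 10.20.10.10 and 10.20.10.11 and VNI 5001 that appear on the later DFW slide; the inner frame, the fixed source port and the omission of the outer Ethernet header are assumptions.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789  # IANA-assigned destination port for VXLAN

# Constructed sample inner frame: dst MAC (VM2), src MAC (VM1), EtherType IPv4, payload.
INNER_FRAME = bytes.fromhex("005056000002" "005056000001" "0800") + b"hello from VM1"

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; a valid header (checksum filled in) sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_encap(inner: bytes, vni: int, src_vtep: str, dst_vtep: str, sport: int = 49152) -> bytes:
    """Step 2 on the slide: the source VTEP prepends VXLAN, UDP and IP headers to the L2 frame.
    The outer Ethernet header (14 bytes) is left to the host uplink and not built here."""
    # VXLAN header: flags (bit 3 = VNI present), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = struct.pack("!B3sI", 0x08, b"\x00" * 3, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner)
    # Real VTEPs hash the inner headers into the source port for ECMP; fixed here for simplicity.
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, udp_len, 0)  # checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner

def vxlan_decap(packet: bytes) -> tuple:
    """Step 4: the destination VTEP validates the outer headers and returns (vni, inner L2 frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer packet is not UDP or has a bad IP header checksum")
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    flags, _, vni_field = struct.unpack("!B3sI", packet[ihl + 8:ihl + 16])
    if not flags & 0x08:
        raise ValueError("VXLAN header without a valid VNI")
    return vni_field >> 8, packet[ihl + 16:ihl + udp_len]
```

The 36 bytes of outer headers built here (plus the 14-byte outer Ethernet header) are the overhead the IP fabric's MTU must accommodate for the inner frame to travel unfragmented.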

Page 11

NSX Routing: Distributed, Feature-Rich

Challenges

•  Physical Infrastructure Scale Challenges – Routing Scale

•  VM Mobility is a challenge

•  Multi-Tenant Routing Complexity

•  Traffic hair-pins

Benefits

•  Distributed Routing in Hypervisor

•  Dynamic, API based Configuration

•  Full featured – OSPF, BGP, IS-IS

•  Logical Router per Tenant

•  Routing Peering with Physical Switch

SCALABLE ROUTING – Simplifying Multi-tenancy

[Diagram: Tenant A, Tenant B and Tenant C, each with its own L2 segments behind a logical router, driven from the CMP (animated slide)]

Page 12

NSX vSwitch

The Advantage of Distributing Services Routing - more efficient networking, fewer hops

[Diagram: four panels (Before NSX / With NSX, Same host / Host to host) showing UCS Blade 1, UCS Blade 2, UCS Fabric A, UCS Fabric B, the Default Gateway and the vswitch / NSX vSwitch]

East-West Routing / Same host: Before NSX 6 wire hops, With NSX 0 wire hops

East-West Routing / Host to host: Before NSX 6 wire hops, With NSX 2 wire hops

Page 13

NSX Edge Services Gateway: Integrated Network Services

[Diagram: NSX Edge in front of a row of VMs, providing Firewall, Load Balancer, VPN, Routing/NAT, DHCP/DNS relay, DDI, …]

Overview

•  Integrated L3 – L7 services

•  Virtual appliance model to provide rapid deployment and scale-out

Benefits

•  Real time service instantiation

•  Support for dynamic service differentiation per tenant/application

•  Uses x86 compute capacity

Page 14

What a Basic NSX Topology Looks Like

[Diagram: External Network – Physical Router – VLAN 20 Edge Uplink – NSX Edge (Routing Peering with the physical router) – VXLAN 5020 Transit Link – Distributed Routing – Web1, App1, DB1 … Webn, Appn, DBn]

Page 15

High Scale Multi Tenant Topology

[Diagram: External Network – NSX Edge X-Large (Route Aggregation Layer) – VXLAN 5100 Transit – per-tenant NSX Edge Services Gateways with VXLAN Uplinks (or VXLAN Trunk) – for each tenant (Tenant 1 …) a Web Logical Switch, App Logical Switch and DB Logical Switch]

Page 16

NSX provides Highest Level of Visibility in the Network

05/04/16

Native capabilities: NSX API, Syslog, IPFIX, Port mirroring, SNMP, Traceflow, and more.

Integration with partner ecosystem: Log Insight NSX content pack, vRealize Operations Suite

Page 17

How do I manage NSX?

Page 18

Traditional approaches to Micro-Segmentation

Centralized firewalls

•  Create firewall rules before provisioning

•  Update firewall rules when moving or changing

•  Delete firewall rules when app decommissioned

•  Problem increases with more east-west traffic

[Diagram: Internet behind centralized firewalls]

Page 19

How an SDDC approach makes Micro-Segmentation feasible

[Diagram: Internet – Perimeter firewalls – Security policy pushed from the Cloud Management Platform]

Page 20

NSX Distributed Firewalling

PHYSICAL SECURITY MODEL – Challenges

•  Centralized Firewall Model

•  Static Configuration

•  IP Address based Rules

•  40 Gbps per Appliance

•  Lack of visibility with encapsulated traffic

DISTRIBUTED FIREWALLING – Benefits

•  Distributed at Hypervisor Level

•  Dynamic, API based Configuration

•  VM Name, VC Objects, Identity-based Rules

•  Line Rate ~20 Gbps per host

•  Full Visibility to encapsulated traffic

[Diagram: Firewall Mgmt on the physical side; VMware NSX driven via API from the CMP on the distributed side]

Page 21

NSX Distributed Firewall Enablement

DFW enforces rules at vNIC layer:

•  DFW independent of transport network (VLAN or VXLAN)

•  All VM ingress and egress packets are subject to DFW processing

•  Security Policy independent of VM location

•  V-to-V and P-to-V support

DFW has NO Dependency on Network Topology!

[Diagram, shown twice: two vSphere Hosts on one vSphere Distributed Switch; VM1 (MAC1, IP1) on the host with VTEP IP 10.20.10.10, VM2 (MAC2, IP2) and VM3 (MAC3, IP3) on the host with VTEP IP 10.20.10.11. In the first copy the VMs sit on Logical Switch VXLAN 5001; in the second they sit on a DVS port-group with VLAN 501. The same DFW policy applies in both.]

DFW Policy Rules:

Source   Destination   Service        Action
VM1      VM2, VM3      TCP port 123   Allow
VM1      VM2, VM3      any            Block

Page 22

NSX DFW Policy Objects

•  Policy rules construct: Rule ID | Rule Name | Source | Destination | Service | Action | Applied To

•  Rich dynamic container based rules apart from just IP addresses:

VC containers
•  Clusters
•  Datacenters
•  Portgroups
•  VXLAN

VM containers
•  VM names
•  VM tags
•  VM attributes

Identity
•  AD Groups

IPv6 compliant
•  IPv6 address
•  IPv6 sets
•  IPv6 Services

Services
•  Protocol
•  Ports
•  Custom

Choice of PEP (Policy Enforcement Point)
•  Clusters
•  VXLAN
•  vNICs
•  …

Action
•  Allow
•  Block
•  Reject

Page 23

Configure Policies with Security Groups

1  Select elements to uniquely identify application workloads

2  Use attributes to create Security Groups

3  Apply policies to security groups

Use security groups to abstract policy from application workloads.

[Diagram: elements ABC, DEF, App 1, OS: Windows 8 and TAG: “Production” are collected into Group XYZ; Group XYZ receives Policy 1 (“IPS for Desktops”, “FW for Desktops”) and Policy 2 (“AV for Production”, “FW for Production”)]

§ Enforce policy based on logical constructs

§ Reduce configuration errors

§ Policy follows VM, not IP

§ Reduce rule sprawl and complexity

Element type
•  Static: Data center, Virtual net, Virtual machine, vNIC
•  Dynamic: VM name, OS type, User ID, Security tag

Page 24

Micro-segmentation simplifies network security

§  Each VM can now be its own perimeter

§  Policies align with logical groups

§  Prevents threats from spreading

[Diagram: Perimeter firewall in front of the DMZ, App and DB tiers; Inside firewall in front of Services (AD, NTP, DHCP, DNS, CERT) and the Finance, Engineering and HR groups]

Page 25

NSX Security in SDDC

NSX EDGE Service Gateway positioned to protect border of the SDDC: EDGE: North – South traffic protection

NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection

[Diagram: WAN / Internet – Perimeter Firewall (Physical) – NSX EDGE Service Gateway (EDGE: N-S) at the boundary between Physical and Virtual – SDDC (Software Defined DC) with Compute Clusters, each running DFW (DFW: E-W)]

Page 26

Micro-segmentation in detail

Segmentation – Controlled communication path within a single network

•  Fine-grained enforcement of security

•  Security policies based on logical groupings of VMs

Isolation – No communication path between unrelated networks

•  No cross-talk between networks

•  Overlay technology assures networks are separated by default

Advanced services – addition of 3rd party security, as needed by policy

•  Platform for including leading security solutions

•  Dynamic addition of advanced security to adapt to changing security conditions

Page 27

Third-Party Firewall, Network Security Options for NSX Integration

Platform for Distributed Services

Redirect via global rule to 3rd party:

Src       Dst             Action
ANY       Shared Service  Allow
Desktop   WEB_GROUP       Redirect to 3rd party

Redirect via policy template, for reuse in automation workflows:

WEB_GROUP – “Web Policy”
•  Firewall – redirect to 3rd party
•  3rd party – do deep packet inspection

3rd party can program NSX distributed firewall directly – and set/get context to inform policy

Page 28

Example: Orchestrating Security Between Multiple Services (Vulnerability Scan)

1. Web Server VM running IIS is deployed, unknowingly having a vulnerability

2. Vulnerability Scan is initiated on web server (3rd party AV product)

3. VM is tagged in NSX Manager with the CVE and CVSS Score

4. NSX Manager associates the VM with the Quarantine (F/W Deny)

5. [Externally] Admin applies patches, 3rd party AV product re-scans VMs, clears tag

6. NSX Manager removes the VM from Quarantine; VM returns to its normal duties

[Diagram: NSX Manager and the antivirus service in front of two security groups]

SG: Quarantine – Membership: Include VMs which have CVSS score >= 9

SG: Web Servers – Membership: Include VMs which have been provisioned as “WebServer”
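The object-based DFW policy from the Page 21 slide and the quarantine workflow above, as an added example that is not part of the deck or of any NSX code: a small first-match rule evaluator whose sources and destinations are VM names and dynamically populated security groups rather than IP addresses, so the decision survives the VM moving host or changing IP. The Quarantine rules, the final default rule, the tag names and the VMs are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str
    ip: str                                   # may change on vMotion; no rule refers to it
    tags: dict = field(default_factory=dict)  # e.g. {"provisioned": "WebServer", "cvss": 9.8}

# Security groups with dynamic membership, as defined on the vulnerability-scan slide.
SECURITY_GROUPS = {
    "Quarantine": lambda vm: vm.tags.get("cvss", 0) >= 9,
    "WebServers": lambda vm: vm.tags.get("provisioned") == "WebServer",
}

# Rules as (name, source, destination, service, action); first match wins, and sources and
# destinations are VM or group names, never IPs. Only the two VM1 rules come from the slide.
RULES = [
    ("quarantine-out", "Quarantine", "any", "any", "Block"),
    ("quarantine-in", "any", "Quarantine", "any", "Block"),
    ("vm1-ntp", "VM1", ["VM2", "VM3"], "tcp/123", "Allow"),
    ("vm1-rest", "VM1", ["VM2", "VM3"], "any", "Block"),
    ("default", "any", "any", "any", "Allow"),
]

def matches(obj, vm: VM) -> bool:
    """True if obj is 'any', a list with a matching entry, vm's own name, or a group vm belongs to."""
    if obj == "any":
        return True
    if isinstance(obj, list):
        return any(matches(o, vm) for o in obj)
    if obj in SECURITY_GROUPS:
        return SECURITY_GROUPS[obj](vm)
    return obj == vm.name

def evaluate(src: VM, dst: VM, service: str) -> tuple:
    """Decide one flow at the source vNIC, the way the DFW does; returns (rule name, action)."""
    for name, s, d, svc, action in RULES:
        if matches(s, src) and matches(d, dst) and svc in ("any", service):
            return name, action
    return "implicit", "Block"

def scenario() -> dict:
    """Walk the six-step quarantine workflow with constructed VMs and record each decision."""
    vm1 = VM("VM1", "host-a", "10.0.30.21")
    vm2 = VM("VM2", "host-b", "10.0.30.22", {"provisioned": "WebServer"})
    out = {"ntp_ok": evaluate(vm1, vm2, "tcp/123"), "http_blocked": evaluate(vm1, vm2, "tcp/80")}
    vm2.tags["cvss"] = 9.8                              # step 3: scanner tags the VM with its CVSS
    out["quarantined"] = evaluate(vm1, vm2, "tcp/123")  # step 4: Quarantine deny now applies
    vm2.host, vm2.ip = "host-c", "10.0.30.99"           # VM moves and re-IPs: policy follows it
    out["after_move"] = evaluate(vm1, vm2, "tcp/123")
    del vm2.tags["cvss"]                                # step 5: patched, re-scanned, tag cleared
    out["released"] = evaluate(vm1, vm2, "tcp/123")     # step 6: back to normal duties
    return out
```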

Page 29

NSX Partners and Service Categories

•  Application Delivery Services

•  Physical-to-Virtual Services

•  Operations and Visibility

•  Security

NSX Partner Extensions: http://www.vmware.com/products/nsx/resources.html

Page 30

Ground-breaking use cases

Enterprises can often justify the cost of NSX through a single use case

Security
•  Micro segmentation
•  DMZ anywhere
•  Secure end user

IT automation
•  IT automating IT
•  Multi-tenant infrastructure
•  Developer cloud

Application continuity
•  Disaster recovery
•  Metro pooling
•  Hybrid cloud networking

IT optimization
•  Server asset utilization
•  Price | performance
•  Hardware lifecycle

Page 31

Use Case: Infrastructure Management with vRealize Automation

Dynamically Provision and Decommission NSX Logical Services

New Features

§  Simplified Multi-Tier App Deployment

§  Improved Connectivity – Deployment of logical switches and networks

§  Enhanced Security – Intelligent placement of workloads in security groups protected by firewalls

§  Increased Availability – Via deployment of NSX distributed firewalls and load balancers

Benefits

§  Deliver secure, scalable, performing application-specific infrastructure on-demand

Page 32

Use Case: Disaster recovery with NSX network virtualization

[Diagram: Primary site and Recovery Site, each with SAN, NSX Controller, Physical network infrastructure (10.0.10/24 and 10.0.20/24) and Virtual Network 10.0.30/24; the VM keeps address 10.0.30.21 at both sites]

1  Snapshot VM

2a  Replicate VM and storage

2b  Snapshot network security

3  Recover the VM – Network and security already exist

Steps 1 & 2 (e.g. VMware SRM)

Page 33

Use Case: A True Hybrid Cloud powered by VMware NSX

[Diagram: Local Data Center connected over the Internet by IPSec VPN and L2 VPN to vCloud Air (vCloud Air Network)]

Some Benefits:

•  L2VPN for DC Extension

•  Granular Network Security with Trust Groups

•  Bi-directional workload migration using vSphere web client

•  Today with vCloud AIR

•  Tomorrow with Amazon AWS, Azure, Google and other Public Cloud Providers

Page 34

NSX Vision: Driving NSX Everywhere – Managing Security and Connectivity for many Heterogeneous End Points

Automation – IT at the Speed of Business

Security – Inherently Secure Infrastructure

Application Continuity – Data Center Anywhere

End points: On-Premise Data Center, New app frameworks, Mobile Devices (Airwatch), Virtual Desktop (VDI), Branch offices (Partner), Internet of things, Public clouds

Page 35

What’s Next…

Play | Learn | Deploy

VMware NSX Hands-on Labs: labs.hol.vmware.com

Explore, Engage, Evolve: virtualizeyournetwork.com

Network Virtualization Blog: blogs.vmware.com/networkvirtualization

NSX Product Page: vmware.com/go/nsx

NSX Training & Certification: www.vmware.com/go/NVtraining

NSX Technical Resources, Reference Designs: vmware.com/products/nsx/resources

VMware NSX YouTube Channel: youtube.com/user/vmwarensx

VMware NSX Community: communities.vmware.com/community/vmtn/nsx

Page 36

Thank you.