Source: vmwaredownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... (VMworld 2014 session deck)


Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL 2

Agenda

1. What Network & Security services are used by (all crazy) applications
2. What are TODAY exactly the NSX:
   – Firewalling/Security services
   – Load Balancing services
   – VPN services
3. Service enhancements with NSX 3rd party vendors


Network & Security Services Are Used by (All Crazy) Applications

• Switching / DHCP server-or-relay / DNS
• Routing / NAT
• Firewalling
• Load Balancing
• L2 and L3 VPN

NSX offers all those Network & Security services with central configuration and automation.

Let's focus here on Firewalling, Load Balancing, and VPN.

[Figure: three-tier topology. Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01); each tier's default gateway is .1 on a single Router / Firewall / Inline Load Balancer / VPN element with Dynamic Routing, plus a One-Arm LB. Caption: "THAT'S IT!!!!"]


Firewalling/Security – Configuration (1/4)

• Firewalling is configured centrally AND distributed to all ESXi hosts, enforced on their VMs' NICs

[Figure: two ESXi hosts, each running VM1 and VM2, connected over 192.168.10.0/29. Web LS 10.0.1.0/24 (.11, .12) and App LS 10.0.2.0/24 (.11, .12), gateways at .1. A "STOP" marker at the VM NIC shows where the rule "Web to App TCP/8443" is enforced.]

Pros:

• FW is distributed between all ESXi: Amazing firewalling scale!
• Offers security even within the same IP subnet / logical switch

Firewalling/Security – Configuration (2/4)

• L2 MAC addresses and L3 IP addresses can be used
• In addition any vCenter object name can be used

[Figure: vSphere Distributed Switch carrying Web-LS1 – 10.0.1.0/24 and App-LS1 – 10.0.2.0/24, VM1/VM2 on each; hosts 192.168.150.51, 192.168.150.52, 192.168.250.51.]

Pros:

• Ease-of-use

Firewalling/Security – Configuration (3/4)

• Port numbers can be used
• In addition protocol names can be used

Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC

[Figure: same layout as the previous slide: vSphere Distributed Switch carrying Web-LS1 – 10.0.1.0/24 and App-LS1 – 10.0.2.0/24, VM1/VM2 on each; hosts 192.168.150.51, 192.168.150.52, 192.168.250.51.]

Pros:

• Ease-of-use

Firewalling/Security – Configuration (4/4)

Dynamic firewalling (Service Composer)

• Security Groups – WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture)
• HOW you want to protect it: Services (Firewall, antivirus…) and Profiles (labels representing specific policies)
• APPLY the "how" to the "what"

Pros:

• Agility
• Service Compliance

Firewalling/Security – Performance (1/2)

• Performance Lab Test
  – Two Hypervisors with two VMs each
  – Two 10G Physical NICs per server
  – VM1 talks to VM3 & VM2 talks to VM4

[Figure: Test Setup – VM1 and VM2 on one hypervisor, VM3 and VM4 on the other, hosts connected through their 10G interfaces.]

Firewalling/Security – Performance (2/2)

• Results: 20 Gbps per host of firewall performance with negligible CPU impact

[Figure: Throughput Measurement chart.]

Firewalling/Security – Demo

Dynamic firewalling

• Compliance Demo

[Figure: three-tier topology (Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 with app-01 and app-02, DB-Tier-01 10.0.3.0/24 with db-01, gateways at .1). Security groups "Servers Linux" (linux-01, linux-02) and "Servers Windows" (win-01, win-02): Linux servers get access to the Linux update servers, Windows servers get access to the Windows update servers. A new server linux-03 is added: "New Linux Servers are automatically granted access".]

Firewalling/Security – more information

There is a dedicated session on DFW: "SEC1746 – NSX DFW deep dive"


Load Balancing – Configuration (1/3)

Both One-Arm and Inline modes are supported.

Pros:

• Flexibility

[Figure: two copies of the Web-Tier-01 10.0.1.0/24 (web-01, web-02) / App-Tier-01 10.0.2.0/24 (app-01, app-02) topology with gateways at .1: one with a One-Arm LB attached to the tier segment, the other with the LB inline on the routing path.]

Load Balancing – Configuration (2/3)

Services (1/2):

• Protocols: TCP / UDP, FTP, HTTP, HTTPS (SSL-Passthrough), HTTPS (SSL Offload)
• LB methods (how end-user connections are split across back-end servers): Round Robin, Source IP hash, Least Connection, URI/HTTP header/URL
• Health Checks (the Load Balancer checks the application health of each back-end server): TCP/UDP/ICMP, HTTP (GET, OPTION, POST), HTTPS (GET, OPTION, POST)
• Persistence (all connections from the same end-user go to the same back-end server):
  – TCP: SourceIP, MSRDP
  – HTTP: SourceIP, Cookie
  – HTTPS: SourceIP, Cookie, ssl_session_id

Load Balancing – Configuration (2/3)

Services (2/2):

• Connection throttling (limit the connections to the VIP / to the back-end servers):
  – Client side: Max conc. connections, Max new conn / sec
  – Server side: Max conc. connections
• High Availability: Yes
• Monitoring: View VIP/Pool/Servers objects, View VIP/Pool/Servers stats, Global stats VIP sessions
• L7 manipulation (the load balancer modifies the end-users' requests and/or the back-end servers' responses): HTTP/HTTPS request/response headers (for instance: URL block, URL rewrite, header rewrite)

Load Balancing - Performance

Per Logical Load Balancer:

                    L4           L7 - HTTP     L7 - HTTPS
  Throughput        9.23 Gbps    6.59 Gbps     2.07 Gbps
  # conc. sessions  1M           60k           60k
  # sessions/sec    131k cps     45k cps       607 cps
  Reqs/sec          –            82.3k rps     35.0k rps

Load Balancing – Demo (1/2)

Demo1:

• VIP SSL off-load

[Figure: three-tier topology (Web-Tier-01 10.0.1.0/24 with web-01 and web-02, App-Tier-01 10.0.2.0/24 with app-01 and app-02, DB-Tier-01 10.0.3.0/24 with db-01, gateways at .1). Clients reach the VIP over HTTPS; the load balancer terminates SSL and forwards to the web servers over HTTP.]

Load Balancing - Demo

Load Balancing – Demo (2/2)

• Demo2:
  – Single VIP redirecting traffic to specific pool based on host

[Figure: same three-tier topology. app1.acme.com, app2.acme.com and app3.acme.com all resolve to the same address, VIP1; the load balancer sends each host name to its own pool (Pool1, Pool2, Pool3), each made of two web servers (web-01 … web-06).]

Demos (2/2)
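Demo 2 chains two decisions that the configuration slides list separately: an L7 rule on the VIP selects a pool from the HTTP Host header, and then the pool's LB method (Round Robin, Source IP hash, Least Connection), its persistence setting and its health checks select a member. The Python model below is an added illustration written for this page, not NSX code. The host names app1/app2/app3.acme.com, the single VIP and the pool names come from the slide; which web servers sit in which pool, the method assigned to each pool, the client addresses and the health-check outcomes are constructed here.

```python
"""Toy model of VIP -> pool -> server selection in an L7 load balancer:
a Host-header rule picks the pool, then the pool's method, persistence
table and member health pick the server.  Added illustration for this
page, not NSX code: pool contents, methods and client addresses are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Server:
    name: str
    healthy: bool = True   # result of the last health check (TCP/HTTP/HTTPS probe)
    active: int = 0        # open connections, used by Least Connection


class Pool:
    """Back-end servers plus the policy used to choose among them."""

    def __init__(self, name: str, servers: List[Server], method: str = "round_robin",
                 persistence: Optional[str] = None) -> None:
        self.name = name
        self.servers = servers
        self.method = method               # round_robin | source_ip_hash | least_conn
        self.persistence = persistence     # None or "source_ip"
        self._rr = 0                       # round-robin cursor
        self._sticky: Dict[str, str] = {}  # client IP -> server name

    def _healthy(self) -> List[Server]:
        up = [s for s in self.servers if s.healthy]
        if not up:
            raise RuntimeError(f"pool {self.name}: no healthy members")
        return up

    def pick(self, client_ip: str) -> Server:
        up = self._healthy()
        if self.persistence == "source_ip":
            known = self._sticky.get(client_ip)
            stuck = next((s for s in up if s.name == known), None)
            if stuck is not None:          # persistence holds only while the member is up
                stuck.active += 1
                return stuck
        if self.method == "round_robin":
            chosen = up[self._rr % len(up)]
            self._rr += 1
        elif self.method == "source_ip_hash":
            digest = hashlib.sha256(client_ip.encode()).digest()
            chosen = up[int.from_bytes(digest[:8], "big") % len(up)]
        elif self.method == "least_conn":
            chosen = min(up, key=lambda s: s.active)
        else:
            raise ValueError(f"unknown LB method {self.method}")
        chosen.active += 1
        if self.persistence == "source_ip":
            self._sticky[client_ip] = chosen.name
        return chosen


class VirtualServer:
    """One VIP whose L7 rule maps the HTTP Host header to a pool."""

    def __init__(self, host_map: Dict[str, Pool], default_pool: Optional[Pool] = None) -> None:
        self.host_map = {h.lower(): p for h, p in host_map.items()}
        self.default_pool = default_pool

    def dispatch(self, client_ip: str, host: str) -> Optional[Tuple[str, str]]:
        pool = self.host_map.get(host.lower(), self.default_pool)
        if pool is None:
            return None                    # no pool for this host: the VIP answers with an error
        return pool.name, pool.pick(client_ip).name


def demo() -> Dict[str, object]:
    pool1 = Pool("Pool1", [Server("web-01"), Server("web-02")], "round_robin")
    pool2 = Pool("Pool2", [Server("web-03"), Server("web-04")], "least_conn")
    pool3 = Pool("Pool3", [Server("web-05"), Server("web-06")], "round_robin", persistence="source_ip")
    vip1 = VirtualServer({"app1.acme.com": pool1, "app2.acme.com": pool2, "app3.acme.com": pool3})
    out: Dict[str, object] = {}
    # Round robin alternates across the pool members.
    out["rr"] = [vip1.dispatch("192.0.2.10", "app1.acme.com") for _ in range(3)]
    # Least Connection avoids the busy member (web-03 has 5 open connections).
    pool2.servers[0].active = 5
    out["least_conn"] = vip1.dispatch("192.0.2.11", "app2.acme.com")
    # Source-IP persistence keeps one client on one member ...
    out["sticky"] = [vip1.dispatch("192.0.2.12", "app3.acme.com")[1] for _ in range(3)]
    # ... until a health check marks that member down; then the client moves.
    first = out["sticky"][0]
    next(s for s in pool3.servers if s.name == first).healthy = False
    out["sticky_after_failure"] = vip1.dispatch("192.0.2.12", "app3.acme.com")[1]
    # Source-IP hash is deterministic for a given client without any state.
    hashed = Pool("PoolH", [Server("web-07"), Server("web-08")], "source_ip_hash")
    out["hash_stable"] = hashed.pick("198.51.100.7").name == hashed.pick("198.51.100.7").name
    # A Host header that matches no rule gets no pool.
    out["unknown_host"] = vip1.dispatch("192.0.2.13", "other.example.com")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The persistence lookup is deliberately checked against the healthy set first: a sticky entry pointing at a member the health check has marked down is ignored and overwritten, which is the behaviour an operator expects when a back-end fails mid-session.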

Load Balancing – more information

There is a specific session on LB: "NET1588 - Load Balancer as a Service using NSX or Partner Solutions"


Logical VPN – User and Site-to-Site

Features

• Interoperable IPsec tested with major vendors
• Clients on all major OS (Win, Apple, Linux)
• Remote Authentication via Active Directory, RSA SecurID, LDAP, RADIUS
• TCP Acceleration
• Encryption – 3DES, AES128, AES256
• AES-NI H/W Offload
• NAT & Perimeter Firewall Traversal

Scale and Performance

• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant

Use Cases

• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management

[Figure: sites connected to each other over Internet/WAN.]

Logical VPN – Layer 2

Features

• SSL-based
• Web-proxy Support
• L2 Extension to Cloud
• Broadcast support
• Extend multiple L2 Segments with a single pair of L2 VPN Appliances

Scale & Performance

• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant

Use Cases

• Cloud On-boarding
• Cloud Bursting

[Figure: VMs on a VLAN/VXLAN segment in the data center extended over Internet/WAN to a VLAN/VXLAN segment in a Public Cloud.]


Security Partner Integrations

NSX is the platform for integrating advanced security services.

Next-generation IPS / Malware Protection

• Granular protection of individual VM workloads with customizable policy definitions
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
• Data Center security with agentless anti-malware and guest network threat protection
• Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers

Vulnerability Management

• Automatic vulnerability risk assessment
• Data Center wide real-time risk visibility
• Auto segmentation of risky assets
• Vulnerability prioritization for effective remediation

Malware Protection

• Single virtual appliance provides agentless:
  – Anti-malware with URL filtering
  – Vulnerability and software scanning
  – Detection of file changes
  – Intrusion Detection & Prevention

Next-Generation Firewall

• Multiple threat prevention disciplines including firewall, IPS, and antimalware
• Safe application enablement with continuous content inspection for all threats
• Granular user-based controls for apps, content, users,

Load Balancer/ADC Partner Integrations

NSX is the platform for Application Delivery Controller services.

• Application Delivery Controller – F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance, and availability of servers, data storage devices, and other network resources.
• Application Delivery Controller – Radware is a provider of integrated application delivery / load balancing and application & network security solutions for virtual and cloud data centers.
• Application Delivery Controller – Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.

Operations Partner Integrations

NSX is the platform for Operation services.

• Network Operations – Riverbed provides comprehensive monitoring and troubleshooting capabilities across physical and virtual data center networks based on NSX and Riverbed® SteelCentral™ NetProfiler.
• Network Operations – EMC Service Assurance Suite and VMware NSX break through the physical network barriers and achieve the provisioning speed, operational efficiency, and management visibility and insight promised by network virtualization.
• Network Operations – Gigamon and VMware are extending their partnership to provide pervasive and intelligent visibility into the physical and virtual networks by integrating the Gigamon Visibility Fabric with the VMware NSX™ platform.

Demo with Symantec – Quarantine Vulnerable Systems until Remediated

• Security Group = Quarantine Zone
  Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
• Security Group = Desktop VMs

Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84
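The Service Composer slide (Configuration 4/4), the compliance demo (new Linux servers automatically granted access) and this Symantec quarantine demo all rest on one mechanism: firewall rules reference security groups, and group membership is a predicate over VM attributes that is re-evaluated whenever those attributes change, so neither the rule table nor the policy is touched when a VM appears or gets tagged. The Python model below is an added illustration written for this page, not NSX code. The group names "Servers Linux", "Servers Windows" and "Quarantine Zone" and the tag ANTI_VIRUS.VirusFound come from the slides; the VM inventory, the update-server address ranges (198.51.100.0/24 and 203.0.113.0/24) and the rule table are constructed, and the "L2 Isolated Network" membership criterion is left out.

```python
"""Toy model of NSX-style dynamic security groups feeding a distributed
firewall rule table, evaluated the way a per-vNIC filter would.
Added illustration for this page, not NSX code: the VM inventory, the
update-server ranges and the rule table are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    os: str                                      # guest OS family as the inventory reports it
    tags: Set[str] = field(default_factory=set)  # security tags set by partner services


# Security groups: membership is a predicate over VM attributes, so a VM
# joins or leaves a group the moment its attributes change; no rule is edited.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "Servers Linux":   lambda vm: vm.os == "Linux",
    "Servers Windows": lambda vm: vm.os == "Windows",
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
}


@dataclass
class Rule:
    name: str
    src: str                 # security group name, CIDR, or "any"
    dst: str
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None = any port
    action: str              # "allow" or "block"


# Ordered rule table, first match wins; anything unmatched is blocked.
# Quarantine rules sit on top so a tagged VM loses access regardless of
# which other groups it still belongs to.  Address ranges are constructed.
RULES: List[Rule] = [
    Rule("quarantine-in",   "any",             "Quarantine Zone", "any", None, "block"),
    Rule("quarantine-out",  "Quarantine Zone", "any",             "any", None, "block"),
    Rule("linux-updates",   "Servers Linux",   "198.51.100.0/24", "tcp", 443,  "allow"),
    Rule("windows-updates", "Servers Windows", "203.0.113.0/24",  "tcp", 443,  "allow"),
]


def members(group: str, inventory: List[VM]) -> Set[str]:
    """Names of the VMs currently matching a group's criteria."""
    return {vm.name for vm in inventory if GROUPS[group](vm)}


def _match(selector: str, ip: str, inventory: List[VM]) -> bool:
    if selector == "any":
        return True
    if selector in GROUPS:
        # Group selectors resolve through the VM inventory; an address that
        # belongs to no managed VM (an external server) is never a member.
        vm = next((v for v in inventory if v.ip == ip), None)
        return vm is not None and GROUPS[selector](vm)
    return ip_address(ip) in ip_network(selector)


def decide(src_ip: str, dst_ip: str, proto: str, dport: int,
           inventory: List[VM]) -> Tuple[str, str]:
    """Return (action, rule name) for one flow, as the vNIC filter would."""
    for r in RULES:
        if (r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)
                and _match(r.src, src_ip, inventory)
                and _match(r.dst, dst_ip, inventory)):
            return r.action, r.name
    return "block", "default"


def demo() -> Dict[str, Tuple[str, str]]:
    """Walk through the compliance demo and the quarantine demo."""
    inventory = [VM("linux-01", "10.0.2.11", "Linux"), VM("linux-02", "10.0.2.12", "Linux"),
                 VM("win-01", "10.0.2.21", "Windows"), VM("win-02", "10.0.2.22", "Windows")]
    updates = "198.51.100.10"                # a constructed Linux update server
    out: Dict[str, Tuple[str, str]] = {}
    out["linux-01 -> linux updates"] = decide("10.0.2.11", updates, "tcp", 443, inventory)
    out["win-01 -> linux updates"] = decide("10.0.2.21", updates, "tcp", 443, inventory)
    # Same logical switch, no rule between them: still blocked, because the
    # filter sits on the vNIC rather than on a router between subnets.
    out["linux-01 -> linux-02 ssh"] = decide("10.0.2.11", "10.0.2.12", "tcp", 22, inventory)
    # A new Linux server is deployed: it matches "Servers Linux" at once.
    inventory.append(VM("linux-03", "10.0.2.13", "Linux"))
    out["linux-03 -> linux updates"] = decide("10.0.2.13", updates, "tcp", 443, inventory)
    # The partner anti-virus tags linux-01; it now falls into Quarantine Zone.
    inventory[0].tags.add("ANTI_VIRUS.VirusFound")
    out["quarantined linux-01 -> linux updates"] = decide("10.0.2.11", updates, "tcp", 443, inventory)
    # Remediation clears the tag and access returns without any rule change.
    inventory[0].tags.discard("ANTI_VIRUS.VirusFound")
    out["remediated linux-01 -> linux updates"] = decide("10.0.2.11", updates, "tcp", 443, inventory)
    return out


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:45} {action:5} ({rule})")
```

Two details matter for the security argument: the default action is block, so a VM that belongs to no group (or an external address) gets nothing unless a rule grants it, and the quarantine rules are evaluated before any allow rule, so a VM that is still a member of "Servers Linux" loses its update access the moment the tag is set.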

How to test?

• Hands-on lab available: http://labs.hol.vmware.com/HOL/catalogs/

Key takeaways

• NSX offers all Network and Security services most crazy applications require
• Firewalling / Load Balancing / VPN services are offered natively with unique benefits:
  – in security with micro-segmentation
  – in scale with distribution of services
  – in ease-of-use
  – and automation capabilities
• And NSX services can be enhanced with 3rd party vendors