Source: VMworld 2014 session PDF, vmwaredownload3.vmware.com/vmworld/2014/downloads/session-pdfs/...
TRANSCRIPT
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL 2
Agenda
1. What Network & Security services are used by (all crazy) applications
2. What exactly the NSX services are TODAY:
   – Firewalling/Security services
   – Load Balancing services
   – VPN services
3. Service enhancements with NSX 3rd party vendors
Network & Security Services Are Used by (All Crazy) Applications
• Switching / DHCP server-or-relay / DNS
• Routing / NAT
• Firewalling
• Load Balancing
• L2 and L3 VPN
NSX offers all those Network & Security services with central configuration and automation
Let's focus here on Firewalling, Load Balancing, and VPN
[Diagram: three-tier application – Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01); each tier's .1 gateway is an NSX Edge acting as Router / Firewall / Inline Load Balancer / VPN, with Dynamic Routing towards the physical network and a OneArm LB on the side. THAT'S IT!]
Firewalling/Security – Configuration (1/4)
• Firewalling is configured centrally AND distributed to every ESXi host, where it is enforced on each VM's vNIC
[Diagram: uplink 192.168.10.0/29; Web LS 10.0.1.0/24 (VM1 .11, VM2 .12) and App LS 10.0.2.0/24 (VM1 .11, VM2 .12), each with a .1 gateway; a Web-to-App TCP/8443 flow is stopped at the vNIC by the distributed firewall]
Pros:
• FW is distributed across all ESXi hosts: firewall capacity grows with every host added, with no central choke point
• Offers security even within the same IP subnet / logical switch: VM1 to VM2 on the same LS is filtered, traffic a perimeter firewall never sees
Firewalling/Security – Configuration (2/4)
• L2 MAC addresses and L3 IP addresses can be used in rules
• In addition any vCenter object name can be used (VM, vNIC…); such rules follow a VM across vMotion and IP changes, but depend on NSX learning the VM's addresses (VMware Tools / IP discovery)
[Diagram: vSphere Distributed Switch carrying Web-LS1 – 10.0.1.0/24 (VM1, VM2) and App-LS1 – 10.0.2.0/24 (VM1, VM2); addresses shown: 192.168.150.51, 192.168.150.52, 192.168.250.51]
Pros:
• Ease-of-use
Firewalling/Security – Configuration (3/4)
• Port numbers can be used
• In addition protocol names can be used
Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC, so the data ports these protocols negotiate at run time are opened per session instead of being left open in the rule
[Diagram: same Web-LS1 – 10.0.1.0/24 / App-LS1 – 10.0.2.0/24 layout on the vSphere Distributed Switch as on the previous slide]
Pros:
• Ease-of-use
Firewalling/Security – Configuration (4/4)
Dynamic firewalling (Service Composer)
• Security Groups = WHAT you want to protect
  – Members (VM, vNIC…) and Context (user identity, security posture)
• Security Policies = HOW you want to protect it
  – Services (Firewall, antivirus…) and Profiles (labels representing specific policies)
• APPLY the policy to the group; membership is re-evaluated continuously, so the rules follow workloads as they are created, tagged or moved
Pros:
• Agility
• Service Compliance
Firewalling/Security – Performance (1/2)
• Performance Lab Test
  – Two hypervisors with two VMs each
  – Two 10G physical NICs per server
  – VM1 talks to VM3 & VM2 talks to VM4
[Diagram: Test setup – VM1 and VM2 on the first host, VM3 and VM4 on the second, connected through the hosts' 10G interfaces]
Firewalling/Security – Performance (2/2)
• Results
  – 20 Gbps per host of firewall throughput with negligible CPU impact, i.e. the line rate of the two 10G NICs: the DFW was not the bottleneck in this test
[Chart: Throughput Measurement]
Firewalling/Security – Demo
Dynamic firewalling
• Compliance Demo
[Diagram: Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), each with its .1 gateway]
• Security group "Servers Linux" (linux-01, linux-02) → access to Linux update servers
• Security group "Servers Windows" (win-01, win-02) → access to Windows update servers
• linux-03 is added: new Linux servers are automatically granted access, with no rule change
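The demo above, written out as an added example (this is not VMware code and not the NSX API, which is driven from vCenter or the NSX REST interface): groups are defined by criteria, rules reference groups, and membership is recomputed whenever the inventory changes, so a new Linux server is covered the moment it appears and a VM that an anti-virus service tags as infected is cut off by a quarantine rule placed above the allow rules. VM names, IPs, the `ANTI_VIRUS.VirusFound` tag on a constructed inventory and the simplified rule format are assumptions made for the example.

```python
"""Added example (not VMware code): how Service Composer-style dynamic
firewalling behaves. Groups are defined by criteria, rules reference groups,
and membership is recomputed whenever the inventory changes. Object names,
tags and the rule format are simplified assumptions; real NSX rules are
created through vCenter or the NSX REST API, not through this module."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    os: str                        # "linux" | "windows" | "appliance"
    tags: frozenset = frozenset()  # security tags, e.g. written by an AV partner


@dataclass
class SecurityGroup:
    """WHAT to protect: membership is computed from criteria, never listed by hand."""
    name: str
    criteria: Callable[[VM], bool]

    def members(self, inventory: List[VM]) -> set:
        return {vm.name for vm in inventory if self.criteria(vm)}


@dataclass
class Rule:
    """HOW to protect it: one DFW rule; rules are evaluated top-down, first match wins."""
    name: str
    src: str             # security-group name or "any"
    dst: str
    proto: str           # "tcp" | "udp" | "icmp" | "any"
    port: Optional[int]  # None = any port
    action: str          # "allow" | "block"


def _in_group(group: str, vm: VM, groups: Dict[str, SecurityGroup], inventory: List[VM]) -> bool:
    return group == "any" or vm.name in groups[group].members(inventory)


def evaluate(rules, groups, inventory, src, dst, proto, port) -> Tuple[str, str]:
    """Decision for a flow src -> dst as the vNIC filter would take it.
    Flows matching no rule hit the default rule, assumed here to be block
    (the whitelist posture micro-segmentation is meant to enforce)."""
    by_name = {vm.name: vm for vm in inventory}
    s, d = by_name[src], by_name[dst]
    for r in rules:
        if (r.proto in ("any", proto) and r.port in (None, port)
                and _in_group(r.src, s, groups, inventory)
                and _in_group(r.dst, d, groups, inventory)):
            return r.action, r.name
    return "block", "default"


# Constructed policy mirroring the compliance demo; all names are illustrative.
GROUPS = {
    "Servers Linux": SecurityGroup("Servers Linux", lambda vm: vm.os == "linux"),
    "Servers Windows": SecurityGroup("Servers Windows", lambda vm: vm.os == "windows"),
    "Linux update servers": SecurityGroup("Linux update servers", lambda vm: vm.name.startswith("linux-update")),
    "Windows update servers": SecurityGroup("Windows update servers", lambda vm: vm.name.startswith("wsus")),
    # Context-based group: posture tag written by the anti-virus service (assumed tag name)
    "Quarantine Zone": SecurityGroup("Quarantine Zone", lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags),
}
RULES = [
    Rule("quarantine-out", "Quarantine Zone", "any", "any", None, "block"),  # above every allow
    Rule("quarantine-in", "any", "Quarantine Zone", "any", None, "block"),
    Rule("linux-updates", "Servers Linux", "Linux update servers", "tcp", 443, "allow"),
    Rule("windows-updates", "Servers Windows", "Windows update servers", "tcp", 443, "allow"),
]


def demo() -> Dict[str, Tuple[str, str]]:
    inventory = [  # constructed inventory
        VM("linux-01", "10.0.2.11", "linux"), VM("linux-02", "10.0.2.12", "linux"),
        VM("win-01", "10.0.2.21", "windows"), VM("win-02", "10.0.2.22", "windows"),
        VM("linux-update-01", "192.0.2.10", "appliance"), VM("wsus-01", "192.0.2.20", "appliance"),
    ]
    out = {}
    out["linux-01 -> linux-update-01"] = evaluate(RULES, GROUPS, inventory, "linux-01", "linux-update-01", "tcp", 443)
    out["linux-01 -> wsus-01"] = evaluate(RULES, GROUPS, inventory, "linux-01", "wsus-01", "tcp", 443)
    # same subnet, no rule: blocked at the vNIC although no router is in the path
    out["linux-01 -> linux-02"] = evaluate(RULES, GROUPS, inventory, "linux-01", "linux-02", "tcp", 22)
    # a new Linux server appears: no rule edit, access follows group membership
    inventory.append(VM("linux-03", "10.0.2.13", "linux"))
    out["linux-03 -> linux-update-01"] = evaluate(RULES, GROUPS, inventory, "linux-03", "linux-update-01", "tcp", 443)
    # the AV service tags linux-02: the quarantine rules now win over its update allow
    inventory[1] = VM("linux-02", "10.0.2.12", "linux", frozenset({"ANTI_VIRUS.VirusFound"}))
    out["linux-02 (tagged) -> linux-update-01"] = evaluate(RULES, GROUPS, inventory, "linux-02", "linux-update-01", "tcp", 443)
    return out


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:40s} {action:5s} ({rule})")
```

The order of `RULES` is the point to check in a real policy: the quarantine block rules must sit above the allow rules, otherwise an infected Linux server keeps its update access because the first matching rule wins.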
Firewalling/Security – more information
There is a dedicated session on DFW:
"SEC1746 – NSX DFW deep dive"
Load Balancing – Configuration (1/3)
Both One-Arm and Inline modes are supported
[Diagram, OneArm LB: the Edge sits on the Web-Tier-01 10.0.1.0/24 segment with its own interface, next to web-01/web-02, while App-Tier-01 10.0.2.0/24 (app-01, app-02) keeps its .1 gateway; Inline: the Edge is the .1 gateway of both tiers and balances the traffic that passes through it]
Pros:
• Flexibility
Load Balancing – Configuration (2/3)
Services (1/2):
• Protocols: TCP / UDP, FTP, HTTP, HTTPS (SSL-Passthrough), HTTPS (SSL Offload)
• LB methods (how end-user connections are split across back-end servers): Round Robin, Source IP hash, Least Connection, URI/HTTP header/URL
• Health checks (the load balancer checks the application health of each back-end server): TCP/UDP/ICMP, HTTP (GET, OPTIONS, POST), HTTPS (GET, OPTIONS, POST)
• Persistence (all connections from the same end-user go to the same back-end server):
  – TCP: Source IP, MSRDP
  – HTTP: Source IP, Cookie
  – HTTPS: Source IP, Cookie, ssl_session_id
Load Balancing – Configuration (3/3)
Services (2/2):
• Connection throttling (limit the connections to the VIP / to the back-end servers):
  – Client side: max concurrent connections, max new connections / sec
  – Server side: max concurrent connections
• High Availability: yes
• Monitoring: view VIP/Pool/Server objects, view VIP/Pool/Server stats, global VIP session stats
• L7 manipulation (the load balancer modifies end-user requests and/or back-end server responses): HTTP/HTTPS request/response headers (for instance URL block, URL rewrite, header rewrite)
Load Balancing – Performance
Per Logical Load Balancer:

                   L4          L7 - HTTP    L7 - HTTPS
  Throughput       9.23 Gbps   6.59 Gbps    2.07 Gbps
  # conc. sessions 1M          60k          60k
  # sessions/sec   131k cps    45k cps      607 cps
  Reqs/sec         –           82.3k rps    35.0k rps

Note the much lower HTTPS new-sessions/sec: with SSL offload the Edge performs the TLS handshakes, so size an HTTPS VIP by handshake rate, not only by throughput.
Load Balancing – Demo (1/2)
Demo 1:
• VIP with SSL off-load: clients speak HTTPS to the VIP on the Edge, the Edge speaks plain HTTP to web-01/web-02
[Diagram: three-tier topology as before; HTTPS from the client to the VIP, HTTP from the Edge into Web-Tier-01 10.0.1.0/24]
Caveat: after offload the web-tier segment carries cleartext, so pair the VIP with a DFW rule that lets the pool members accept HTTP from the Edge interface only
Load Balancing – Demo (2/2)
• Demo 2:
  – Single VIP redirecting traffic to a specific pool based on the HTTP Host header
[Diagram: app1.acme.com, app2.acme.com and app3.acme.com all resolve to VIP1; Host app1.acme.com → Pool1 (web-01, web-02), app2.acme.com → Pool2 (web-03, web-04), app3.acme.com → Pool3 (web-05, web-06); App-Tier-01 10.0.2.0/24 and DB-Tier-01 10.0.3.0/24 unchanged]
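The decisions listed on the configuration slides and exercised in Demo 2, as an added example in a toy dispatcher (not VMware/NSX code; the NSX Edge itself is configured through vCenter or the REST API): one VIP whose Host header selects the pool, the Round Robin / Source IP hash / Least Connection methods, cookie persistence and health-check state. Pool and member names, the `NSXLB` cookie name and the requests are constructed for the example; the example also shows the two failure modes a practitioner should check, a Host that maps to no pool and a pool whose members have all failed their health check.

```python
"""Added example (not VMware/NSX code): the load-balancer decisions listed on
the slides, i.e. Host-header pool selection for a single VIP (Demo 2), the
round robin / source-IP-hash / least-connection methods, cookie persistence
and health-check state, in a toy dispatcher. Pools, member names, the cookie
name and the requests are constructed for the example."""
import hashlib
from itertools import count
from typing import Dict, List, Optional, Tuple


class Pool:
    def __init__(self, name: str, members: List[str], method: str = "round_robin"):
        self.name, self.members, self.method = name, list(members), method
        self.healthy = {m: True for m in members}      # updated by health checks
        self.connections = {m: 0 for m in members}     # active connections per member
        self._rr = count()

    def up(self) -> List[str]:
        return [m for m in self.members if self.healthy[m]]

    def pick(self, client_ip: str) -> Optional[str]:
        """Choose a healthy member with the pool's LB method; None if all are down."""
        live = self.up()
        if not live:
            return None
        if self.method == "round_robin":
            return live[next(self._rr) % len(live)]
        if self.method == "source_ip_hash":            # same client -> same member
            digest = hashlib.sha256(client_ip.encode()).digest()
            return live[int.from_bytes(digest[:8], "big") % len(live)]
        if self.method == "least_connection":
            return min(live, key=lambda m: (self.connections[m], m))
        raise ValueError(f"unknown method {self.method}")


class VirtualServer:
    """One VIP. The Host header selects the pool; a host with no pool is refused
    (404) instead of falling through to some default pool. A persistence cookie
    pins the client to a member only while that member is still healthy."""
    COOKIE = "NSXLB"  # assumed cookie name

    def __init__(self, pools: Dict[str, Pool], host_map: Dict[str, str]):
        self.pools, self.host_map = pools, host_map

    def dispatch(self, req: dict) -> Tuple[int, Optional[str], Optional[str]]:
        """req = {"host": ..., "client_ip": ..., "cookies": {...}}; returns (status, pool, member)."""
        pool_name = self.host_map.get(req["host"].lower())
        if pool_name is None:
            return 404, None, None
        pool = self.pools[pool_name]
        member = req.get("cookies", {}).get(self.COOKIE)
        if member not in pool.members or not pool.healthy[member]:
            member = pool.pick(req["client_ip"])       # no, unknown or dead cookie: balance
        if member is None:
            return 503, pool_name, None                # every member failed its health check
        pool.connections[member] += 1
        return 200, pool_name, member


def demo() -> dict:
    pools = {  # constructed pools, one per LB method
        "Pool1": Pool("Pool1", ["web-01", "web-02"], "round_robin"),
        "Pool2": Pool("Pool2", ["web-03", "web-04"], "source_ip_hash"),
        "Pool3": Pool("Pool3", ["web-05", "web-06"], "least_connection"),
    }
    vip = VirtualServer(pools, {"app1.acme.com": "Pool1", "app2.acme.com": "Pool2", "app3.acme.com": "Pool3"})
    out = {}
    out["rr"] = [vip.dispatch({"host": "app1.acme.com", "client_ip": "198.51.100.7"})[2] for _ in range(2)]
    out["cookie"] = vip.dispatch({"host": "app1.acme.com", "client_ip": "198.51.100.7",
                                  "cookies": {"NSXLB": "web-02"}})[2]
    out["hash"] = [vip.dispatch({"host": "APP2.acme.com", "client_ip": "198.51.100.7"})[2] for _ in range(2)]
    pools["Pool3"].connections.update({"web-05": 3, "web-06": 1})
    out["least"] = vip.dispatch({"host": "app3.acme.com", "client_ip": "203.0.113.9"})[2]
    out["unknown"] = vip.dispatch({"host": "evil.acme.com", "client_ip": "203.0.113.9"})[0]
    pools["Pool1"].healthy["web-01"] = False               # health check fails on web-01
    out["failover"] = vip.dispatch({"host": "app1.acme.com", "client_ip": "203.0.113.9",
                                    "cookies": {"NSXLB": "web-01"}})[2]
    pools["Pool3"].healthy = {"web-05": False, "web-06": False}
    out["all_down"] = vip.dispatch({"host": "app3.acme.com", "client_ip": "203.0.113.9"})[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9s} {v}")
```

Two design points carry over to a real NSX application rule: map every expected Host explicitly and refuse the rest, since anything a client can put in the Host header would otherwise steer requests into a pool of its choosing, and never honour a persistence cookie that names a member the health check has marked down.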
Load Balancing – more information
There is a specific session on LB:
"NET1588 - Load Balancer as a Service using NSX or Partner Solutions"
Logical VPN – User and Site-to-Site
Features
• Interoperable IPsec tested with major vendors
• Clients on all major OS (Windows, Apple, Linux)
• Remote authentication via Active Directory, RSA SecurID, LDAP, RADIUS
• TCP Acceleration
• Encryption – 3DES, AES128, AES256 (keep 3DES only for legacy peers: its 64-bit block size is why it is deprecated; prefer AES)
• AES-NI H/W offload
• NAT & perimeter firewall traversal
Scale and Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant
Use Cases
• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management
[Diagram: two sites, each behind an NSX Edge, connected across the Internet/WAN]
Logical VPN – Layer 2
Features
• SSL-based
• Web-proxy support
• L2 extension to the Public Cloud
• Broadcast support
• Extend multiple L2 segments with a single pair of L2 VPN appliances
Scale & Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant
Use Cases
• Cloud On-boarding
• Cloud Bursting
[Diagram: VMs on a VLAN/VXLAN segment in the data center stretched over the Internet/WAN to a VLAN/VXLAN segment in the Public Cloud]
Security Partner Integrations
NSX is the platform for integrating advanced security services
Next-generation IPS / Malware Protection
• Granular protection of individual VM workloads with customizable policy definitions
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
• Data Center security with agentless anti-malware and guest network threat protection
• Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers
Vulnerability Management
• Automatic vulnerability risk assessment
• Data Center wide real-time risk visibility
• Auto segmentation of risky assets
• Vulnerability prioritization for effective remediation
Malware Protection
• Single virtual appliance provides agentless: anti-malware with URL filtering, vulnerability and software scanning, detection of file changes
Intrusion Detection & Prevention
Next-Generation Firewall
• Multiple threat prevention disciplines including firewall, IPS, and antimalware
• Safe application enablement with continuous content inspection for all threats
• Granular user-based controls for apps, content, users,
Load Balancer/ADC Partner Integrations
NSX is the platform for Application Delivery Controller services
• Application Delivery Controller – F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance and availability of servers, data storage devices, and other network resources.
• Application Delivery Controller – Radware is a provider of integrated application delivery / load balancing and application & network security solutions for virtual and cloud data centers.
• Application Delivery Controller – Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.
Operations Partner Integrations
NSX is the platform for Operations services
• Network Operations – Riverbed provides comprehensive monitoring and troubleshooting capabilities across physical and virtual data center networks based on NSX and Riverbed® SteelCentral™ NetProfiler
• Network Operations – EMC Service Assurance Suite and VMware NSX break through the physical network barriers and achieve the provisioning speed, operational efficiency, and management visibility and insight promised by network virtualization
• Network Operations – Gigamon and VMware are extending their partnership to provide pervasive and intelligent visibility into the physical and virtual networks by integrating the Gigamon Visibility Fabric with the VMware NSX™ platform
Demo with Symantec
Quarantine Vulnerable Systems until Remediated
• Security Group = Quarantine Zone
  – Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
• Security Group = Desktop VMs
Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84
How to test?
• Hands-on lab available:
  http://labs.hol.vmware.com/HOL/catalogs/
Key takeaways
• NSX offers all the Network and Security services most crazy applications require
• Firewalling / Load Balancing / VPN services are offered natively with unique benefits
  – in security with micro-segmentation
  – in scale with distribution of services
  – in ease-of-use and automation capabilities
• And NSX services can be enhanced with 3rd party vendors