vmworld 2013 - technical deep dive build a collapsed dmz architecture


TRANSCRIPT

  • 8/18/2019 VMWorld 2013 - Technical Deep Dive Build a Collapsed DMZ Architecture

    1/33

    Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance

    Based on NSX Firewall Services

    Shubha Bheemarao, VMware

    Bruno Germain, VMware

    SEC589

    #SEC5891

    2/33

    Objective

    • Review DMZ design considerations
    • Propose new DMZ design that is secure, scalable and cloud ready
    • Provide deployment guidance using NSX highlighting benefits applicable to DMZ

    3/33

    Related Sessions

    • NET5847 - NSX: Introducing the World to VMware NSX
    • NET5266 - Bringing Network Virtualization to VMware environments with NSX
    • SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Data Center – VMware NSX Distributed Firewall

    4/33

    Agenda

    • Current DMZ design challenges and considerations
    • New DMZ Design
    • VMware NSX Components for the DMZ
    • Proposed DMZ Architecture
    • Conclusion

    5/33

    DMZ Design Often Relies On Physical Separation Of Trust Zones

    DMZ Design:
    1. Trust zones separated using separate hardware
    2. Design is complex and inflexible

    6/33

    DMZ Application Deployment Is Slow

    DMZ Challenge #1
    • New application deployment involves configurations at multiple zones
    • Configuration spread across devices
    • Configuration managed by multiple teams
    • Cannot automate

    Address using:
    • Build a Software Defined Data Center
    • Build focus teams for cloud architecture and operations

    (Figure: configuration spread across Network Team #1, Network Team #2 and Security Team)

    7/33

    DMZ Design May Compromise Data Center Security

    DMZ Challenge #2
    • Non-DMZ traffic often not fully secured
    • Large firewall rule sets
    • Networking or placement changes could break security
    • Hard to manage

    Address using:
    • Tie configuration to application objects instead of networks
    • Secure all application traffic including East-West traffic

    8/33

    DMZ Design Cannot Scale

    DMZ Challenge #3
    • Forces rip and replace to scale up
    • Not cloud ready

    Address using:
    • Build design suited to scale incrementally using distribution of services

    9/33

    You Need A Cloud Ready DMZ

    Design Considerations:
    1. Security
    2. Manageability
    3. Scale and performance
    4. Automation

    10/33

    Agenda

    • Current DMZ design challenges and considerations
    • New DMZ Design
    • VMware NSX Components for the DMZ
    • Proposed DMZ Architecture
    • Conclusion

    11/33

    Building A Logical DMZ Trust Zone Is A Better Approach

    Steps:
    • Pull DMZ zone into the datacenter
    • Use virtual networking and security constructs for application isolation and protection

    Benefits:
    • Higher agility - flexible placement
    • Simpler configuration management
    • Lower cost – fewer hardware devices
    • Easier automation

    12/33

    Agenda

    • Current DMZ design challenges and considerations
    • New DMZ Design
    • VMware NSX Components for the DMZ
    • Proposed DMZ Architecture
    • Conclusion

    13/33

    VMware NSX – Networking & Security Capabilities

    (Figure: the VMware NSX Network Virtualization Platform sits between Any Application (without modification) / Any Cloud Management Platform above and Any Hypervisor / Any Network Hardware below; Virtual Networks are built from Logical L2, Logical L3, Logical Firewall, Logical Load Balancer and Logical VPN; Partner Eco-System)

    • Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
    • Logical Routing – Routing between virtual networks without exiting the software container
    • Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
    • Logical Load Balancer – Application Load Balancing in software
    • Logical VPN – Site-to-Site & Remote Access VPN in software
    • NSX API – RESTful API for integration into any Cloud Management Platform

    14/33

    15/33

    2. Protect Every Virtual Server Using Distributed Firewall

    Benefits for DMZ
    • Achieve line rate throughput using vNIC level hypervisor firewall
    • Higher security – Complete East-West traffic protection via distributed enforcement
    • Easy Scale and Automation
    • Mobility of security rules – Rules follow the VM

    (Figure: Web, App and DB tiers, each VM fronted by the distributed firewall)

    16/33

    3. Provide Perimeter Protection Using Logical Gateway

    Benefits for DMZ:
    • Deploy logical Perimeter Firewall, Load Balancer and VPN programmatically and as needed
    • Perimeter services and policy can be tied to the application
    • Virtual appliance model allows cloud agility and scale-out
    • Higher security through VIP hiding internal IP addresses

    (Figure: Services Edge providing NAT, FW, VPN and LB in front of the Web, App and DB tiers)

    17/33

    4. Optimize Application Traffic Flow Using Distributed Router

    Benefits for DMZ
    • Optimize traffic flows to minimize latency
    • Minimize advertising internal routers to perimeter devices

    (Figure: Logical Distributed Router connecting the Web, App and DB tiers)

    18/33

    5. Automate Application Protection Using Logical Switches

    Benefits for DMZ:
    • No need to re-program the perimeter security function as workloads move within the infrastructure
    • Application specific security follows the workload
    • “Configure and forget”

    (Figure: Web tier on a logical switch)

    19/33

    6. Protect Application Access Using Identity Firewall

    Benefits for DMZ
    • Create firewall rules using user identity for VDI
      • Limit application access to only authorized groups of users
      • Prevent insider attack
    • Get visibility into in-guest applications and application access
      • Ensure no rogue applications are running on your servers
      • Get reporting on application usage by user groups

    (Figure: user groups DB Admins and Web Admins with check marks against the DB and Web tiers; Application Visibility across the Web, App and DB tiers)

    20/33

    7. Define Application Security Using Logical Containers

    Benefits for DMZ
    • Simplify rule creation and management – Use logical boundaries to reflect application boundaries, prevent rule sprawl by tying security policy to applications
    • Automate protection for new VMs as new security group members inherit security policies
    • Flexible and manageable container creation options - Use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes

    (Figure: logical containers grouping VMs; only the "Web" container label is recoverable)
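    The security point that slides 7, 15, 18, 19 and 20 make from different angles is that rules tied to application objects survive placement changes and are applied to every flow, whereas address-based rules on a physical perimeter device break when a workload is re-addressed and never see traffic that stays inside a host. The Python model below is an added illustration of that contrast, not NSX code and not the NSX API: the VM names, addresses, hosts, security groups and the `ObjectFirewall` and `PerimeterFirewall` classes are constructed for the example, and the `user:` rule prefix stands in for the identity firewall of slide 19.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str
    groups: frozenset                     # security groups, derived from the vSphere object/tags
    user_groups: frozenset = frozenset()  # directory groups of the logged-in user (VDI desktops)


@dataclass(frozen=True)
class Rule:
    src: str             # object rules: security group, "user:<directory group>" or "any"; address rules: CIDR
    dst: str
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


class ObjectFirewall:
    """Rules reference objects and are enforced at the destination vNIC, so every flow is inspected."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    @staticmethod
    def _member(vm, group):
        if group == "any":
            return True
        if group.startswith("user:"):  # identity rule: who is logged in at the source
            return group[len("user:"):] in vm.user_groups
        return group in vm.groups

    def evaluate(self, src, dst, port):
        for r in self.rules:  # first match wins
            if self._member(src, r.src) and self._member(dst, r.dst) and r.port in (None, port):
                return r.action
        return self.default


class PerimeterFirewall:
    """The 'before' design: address-based rules on a device in the physical path."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def evaluate(self, src, dst, port):
        if src.host == dst.host:  # same-host traffic never leaves the hypervisor
            return "not inspected"
        for r in self.rules:
            if _in_net(src.ip, r.src) and _in_net(dst.ip, r.dst) and r.port in (None, port):
                return r.action
        return self.default


def _in_net(ip, cidr):
    return ip_address(ip) in ip_network(cidr)


def vmotion(vm, host, ip=None):
    """Move a VM; a placement change may also re-address it (new rack, new subnet)."""
    return replace(vm, host=host, ip=ip or vm.ip)


# Constructed three-tier application plus a VDI desktop; the tier is a property of the object.
WEB = VM("web-01", "10.1.1.10", "esx-a", frozenset({"app1", "web"}))
APP = VM("app-01", "10.1.2.10", "esx-b", frozenset({"app1", "app"}))
DB = VM("db-01", "10.1.3.10", "esx-c", frozenset({"app1", "db"}))
VDI = VM("vdi-07", "10.1.5.7", "esx-b", frozenset({"vdi"}), frozenset({"DBAdmins"}))

OBJECT_RULES = [
    Rule("any", "web", 443, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("user:DBAdmins", "db", 22, "allow"),
]  # everything else, including web -> db, hits the default deny

IP_RULES = [  # the same intent written on subnets, as a perimeter device would hold it
    Rule("0.0.0.0/0", "10.1.1.0/24", 443, "allow"),
    Rule("10.1.1.0/24", "10.1.2.0/24", 8080, "allow"),
    Rule("10.1.2.0/24", "10.1.3.0/24", 3306, "allow"),
    Rule("10.1.5.0/24", "10.1.3.0/24", 22, "allow"),  # the whole VDI subnet, not just DB admins
]


def compare():
    """Evaluate the same flows in both designs; returns {flow: (object-based, perimeter)}."""
    obj, per = ObjectFirewall(OBJECT_RULES), PerimeterFirewall(IP_RULES)
    app_moved = vmotion(APP, "esx-d", "10.1.9.10")  # lands in another rack, new subnet
    db_colocated = vmotion(DB, "esx-a")              # lands on the web VM's host
    other_user = replace(VDI, user_groups=frozenset({"HelpDesk"}))
    flows = {
        "web->app:8080 before move": (WEB, APP, 8080),
        "web->app:8080 after move": (WEB, app_moved, 8080),
        "app->db:3306 after move": (app_moved, DB, 3306),
        "web->db:3306 across hosts": (WEB, DB, 3306),
        "web->db:3306 same host": (WEB, db_colocated, 3306),
        "dbadmin vdi->db:22": (VDI, DB, 22),
        "helpdesk vdi->db:22": (other_user, DB, 22),
    }
    return {name: (obj.evaluate(*f), per.evaluate(*f)) for name, f in flows.items()}


if __name__ == "__main__":
    for flow, (object_based, perimeter) in compare().items():
        print(f"{flow:28} object-based={object_based:6} perimeter={perimeter}")
```

    Running it prints each flow with both verdicts. The moved app VM keeps its allow under the object rules while the subnet rules now deny it (the placement change broke the policy, challenge #2), the DB VM co-located with the web VM is denied by the distributed firewall but comes back as not inspected from the perimeter device because that traffic never leaves the host, and the subnet-wide rule for the VDI desktops admits a help-desk user that the identity rule correctly rejects.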

    21/33

    Architecture Can Easily Scale

    (Figure: Web, App and DB tiers behind a perimeter gateway)

    Benefits for DMZ:
    • Achieve Multitenancy using perimeter gateway for tenant separation
    • Fully automate using REST API scripts or Cloud Management portals
    • Scale easily by adding essential services on demand in software
    • Built for high performance

    22/33

    Agenda

    • Current DMZ design challenges and considerations
    • New DMZ Design
    • VMware NSX Components for the DMZ
    • Proposed DMZ Architecture
    • Conclusion

    23/33

    Functional View of Data Center With Logical DMZ

    (Figure: any devices over any networks reach app gateways and perimeter devices and admin jump points, then common services (EDS, AD, DB) and the applications. The application drawn is Exchange: Edge Transport (routing and AV/AS), Client Access (client connectivity, web services), Hub Transport (routing and policy), Mailbox (storage of mailbox items) and Unified Messaging (voice mail and voice access). Port labels recoverable from the figure: 25, 50636; 135; 389, 3268, 88, 53, 135 to AD; RPC 808; 5060, 5061, 5062, dynamic.)

    24/33

    Physical View Of NSX Component Deployment

    (Figure: Compute Clusters in the Compute Racks, a Management Cluster in the Infra Racks and an Edge Cluster in the Edge Racks, joined by the Data Center IP network and the Management network (vMotion & storage). Labelled components: NSX Manager, NSX Controller, vCenter Server, NSX Edge, Physical Appliances, L2 and L3 gateways, External networks WAN/Internet.)

    Controller Software
    • Virtual network orchestrator
    • Massive scale

    Hypervisor Service Modules
    • Distributed network services (Switching, Routing)
    • Load Balancer, Switch, Firewall, Router/VPN

    Gateway Software
    • Integration with existing physical infra.
    • V to V / V to P

    25/33

    Agenda

    • Current DMZ design challenges and considerations
    • New DMZ Design
    • VMware NSX Components for the DMZ
    • Proposed DMZ Architecture
    • Conclusion

    26/33

    Build Your Cloud Ready DMZ with NSX

    Before: DMZ with physical separation of trust zones

    After: DMZ with logical separation of trust zones

    Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads

    27/33

    28/33

    [email protected]

    [email protected]


    29/33

    THANK YOU

    30/33


    32/33

    Mixed Mode / Multi-tenant and the test of auditing

    We are not alone:

    (Figure: Automated and self-healing; Security & compliance trust zones; Power of cloud infrastructure automation)

    33/33

    A validated methodology for the migration to mixed trust zones

    (Figure: three stages of a data center, each with Core, Aggregation and Access layers above vSphere clusters; vShield App Based Security on VMware vSphere + vShield, with Cluster1 hosting the HR App, FIN App and Sales App across Web Frontend, Apps and Database tiers. Legend: Increased Confidence with Virtualization and Virtualization Security; Mixed-Trust Zone with Virtual Enclaves.)