NSX: Network Virtualization and the Future of Security
TRANSCRIPT
© 2016 VMware Inc. All rights reserved.
NSX: Network Virtualization and the Future of Security
Luca Morelli, Sr. Systems Engineer @ VMware
A Few Words about the Speaker…
• Born in Catanzaro, the city of the three Vs, about 37 years ago
• Computer Engineer – University of Rende
• About 15 years in IT – experience in Spain, France, the Netherlands and other countries
• Started in software development, then in presales for about 8 years
• Almost 7 years with a “physical” network vendor
• “Virtualized” since January 2015
• Passionate about scuba diving, freediving, climbing and my wonderful partner
• Add me on LinkedIn (not only NSX)
Agenda
1 VMware's Vision for the Software Defined Data Center
2 Introduction to Network Virtualization with NSX
3 The Micro-Segmentation Paradigm
4 Main Use Cases
Software-Defined Data Center (SDDC): The Foundation of the New Model of IT
Diagram labels: Any Application | One Cloud | Any Device; Build-Your-Own Converged Infrastructure | Hyper-Converged Infrastructure; Software-Defined Data Center: Cloud Management, Compute, Network, Storage, Extensibility; Traditional Applications | Modern, Cloud Applications; Business Mobility: Applications | Devices | Content; Hybrid Cloud: PRIVATE (Your Data Center) | PUBLIC (vCloud Air) | MANAGED (vCloud Air Network); Compute Virtualization Abstraction Layer
The Network Is a Barrier to the Software-Defined Data Center
Diagram: Physical Network (Servers) vs. Software Defined Data Center
• Provisioning is slow
• Mobility is limited
• Hardware dependent
• Operationally intensive
NSX - Distributed Services in the Hypervisor
Diagram labels: Applications; Virtual Machines, Virtual Networks, Virtual Storage; Data Center Virtualization; Location Independence; Software / Hardware; Compute Capacity, Network Capacity, Storage Capacity
Network & Security Services Now in the Hypervisor: L2 Switching, L3 Routing, Firewalling/ACLs, Load Balancing
Automated operational model of the SDDC
Pooled compute, network and storage capacity; vendor independent, best price/performance; simplified configuration and management.
NSX Logical Switching
Challenges:
• Per Application/Multi-tenant segmentation
• VM Mobility requires L2 everywhere
• Large L2 Physical Network Sprawl – STP issues
• HW Memory (MAC, FIB) Table Limits
Benefits:
• Scalable Multi-tenancy across data center
• Enabling L2 over L3 Infrastructure
• Overlay Based with VXLAN, etc.
• Logical Switches span across Physical Hosts and Network Switches
Diagram: VMware NSX – Logical Switch 1, Logical Switch 2, Logical Switch 3 over a Generic IP Fabric; Host A with vSphere Distributed Switch
NSX and VXLAN
Diagram: Host A, vSphere Distributed Switch, dvUplink-PG, Logical SW A, VM1, dvPG-VTEP, VXLAN VTEP, Generic IP Fabric
• VXLAN can be seen as a service on the host
• VXLAN uses a vmknic and implements a VXLAN Virtual Tunnel End Point (VTEP) functionality
• Depending on the uplink configuration, there might be several VTEPs on a host
  – A single dvPortGroup is created for all VTEPs
• A logical switch is a L2 broadcast domain implemented using VXLAN
  – A dvPortGroup is created for each logical switch
Traffic Flowing on a VXLAN Backed VDS
• In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch
• A VXLAN tunnel is established between the two hosts
Diagram: Host A (VM1 on Logical SW A, dvUplink-PG, dvPG-VTEP, VTEP) and Host B (VM2 on Logical SW A, dvUplink-PG, dvPG-VTEP, VTEP), each on a vSphere Distributed Switch, connected by a VXLAN Tunnel over the Generic IP Fabric
Traffic Flowing on a VXLAN Backed VDS
• Assume VM1 sends some traffic to VM2:
1. VM1 sends the L2 frame to the local VTEP
2. The VTEP adds VXLAN, UDP and IP headers
3. The physical transport network forwards it as a regular IP packet
4. The destination hypervisor VTEP decapsulates the frame
5. The L2 frame is delivered to VM2
Diagram: Host A (VM1, Logical SW A, dvUplink-PG, dvPG-VTEP, VTEP) and Host B (VM2, Logical SW A, dvUplink-PG, dvPG-VTEP, VTEP) connected by a VXLAN Tunnel over the Generic IP Fabric; on the wire the packet is IP/UDP/VXLAN + L2 frame
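The five steps above, as an added example that is not part of the original deck: a Python model of what the VTEP does when it encapsulates VM1's frame and what the destination VTEP does when it decapsulates it, using the VNI 5001 and the VTEP addresses 10.20.10.10 and 10.20.10.11 that appear later in the deck. The MAC addresses, the inner payload and the function names are constructed for the example.

```python
import socket
import struct

VXLAN_PORT = 4789   # IANA UDP port for VXLAN (RFC 7348)
VNI_FLAG = 0x08     # 'I' flag: the VNI field is valid

def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header (0 when verifying a valid header)."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def vtep_encapsulate(l2_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                     src_port: int = 49152) -> bytes:
    """Steps 1-2 of the slide: wrap the VM's L2 frame in VXLAN, UDP and IPv4 headers."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    vxlan = struct.pack("!BBHI", VNI_FLAG, 0, 0, vni << 8)          # flags, reserved, VNI + reserved byte
    udp_len = 8 + len(vxlan) + len(l2_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)    # UDP checksum 0 is allowed for VXLAN over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + l2_frame   # step 3: the IP fabric forwards this like any other IP packet

def vtep_decapsulate(packet: bytes):
    """Step 4: the destination VTEP strips the outer headers; returns (src_vtep, dst_vtep, vni, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl != 20 or packet[9] != 17 or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("not a well-formed IPv4/UDP packet")
    src_vtep, dst_vtep = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, _, _, vni_field = struct.unpack("!BBHI", packet[ihl + 8:ihl + 16])
    if not flags & VNI_FLAG:
        raise ValueError("VXLAN 'I' flag not set")
    return src_vtep, dst_vtep, vni_field >> 8, packet[ihl + 16:ihl + udp_len]

# Constructed sample: VM1 on Host A sends a frame to VM2 on Host B over logical switch VXLAN 5001.
MAC1 = bytes.fromhex("005056000001")
MAC2 = bytes.fromhex("005056000002")
INNER_FRAME = MAC2 + MAC1 + b"\x08\x00" + b"constructed inner IP payload"
PACKET = vtep_encapsulate(INNER_FRAME, 5001, "10.20.10.10", "10.20.10.11")

if __name__ == "__main__":
    print(len(PACKET), "bytes on the wire, decapsulated to:", vtep_decapsulate(PACKET)[:3])
```

The physical fabric only ever sees the outer VTEP-to-VTEP IP/UDP headers, which is why the slides later stress that the DFW, not the transport network, is where per-VM visibility and enforcement live.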
NSX Routing: Distributed, Feature-Rich
Challenges:
• Physical Infrastructure Scale Challenges – Routing Scale
• VM Mobility is a challenge
• Multi-Tenant Routing Complexity
• Traffic hair-pins
Benefits:
• Distributed Routing in Hypervisor
• Dynamic, API based Configuration
• Full featured – OSPF, BGP, IS-IS
• Logical Router per Tenant
• Routing Peering with Physical Switch
SCALABLE ROUTING – Simplifying Multi-tenancy
Diagram: Tenant A, Tenant B and Tenant C, each with several L2 segments, connected through the NSX vSwitch and driven by the CMP
The Advantage of Distributing Services: Routing – more efficient networking, fewer hops
Diagram (UCS Fabric A / UCS Fabric B, UCS Blade 1 / UCS Blade 2, vswitch or NSX vSwitch, Default Gateway):
Scenario                           Before NSX     With NSX
East-West Routing / Same host      6 wire hops    0 wire hops
East-West Routing / Host to host   6 wire hops    2 wire hops
NSX Edge Services Gateway: Integrated Network Services
Diagram: Firewall, Load Balancer, VPN, Routing/NAT, DHCP/DNS relay, DDI, … serving a row of VMs
Overview:
• Integrated L3 – L7 services
• Virtual appliance model to provide rapid deployment and scale-out
Benefits:
• Real time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity
Topology diagram: External Network – Physical Router – VLAN 20 Edge Uplink – NSX Edge (Routing Peering) – VXLAN 5020 Transit Link – Distributed Routing – Web1/App1/DB1 … Webn/Appn/DBn
What a Basic NSX Topology Looks Like
…
High Scale Multi Tenant Topology
Diagram: External Network – NSX Edge X-Large (Route Aggregation Layer) – VXLAN 5100 Transit – Tenant NSX Edge Services Gateways with VXLAN Uplinks (or VXLAN Trunk) – Tenant 1 … each with Web Logical Switch, App Logical Switch, DB Logical Switch
NSX provides the Highest Level of Visibility in the Network
05/04/16
Log Insight NSX content pack
Native capabilities: NSX API, Syslog, IPFIX, Port mirroring, SNMP, Traceflow, and more.
Integration with partner ecosystem
vRealize Operations Suite
How do I manage NSX?
Traditional approaches to Micro-Segmentation
Centralized firewalls (diagram: Internet)
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when app decommissioned
• Problem increases with more east-west traffic
How an SDDC approach makes Micro-Segmentation feasible
Diagram: Security policy, Perimeter firewalls, Cloud Management Platform, NSX Distributed Firewalling
PHYSICAL SECURITY MODEL – Challenges:
• Centralized Firewall Model
• Static Configuration
• IP Address based Rules
• 40 Gbps per Appliance
• Lack of visibility with encapsulated traffic
DISTRIBUTED FIREWALLING – Benefits:
• Distributed at Hypervisor Level
• Dynamic, API based Configuration
• VM Name, VC Objects, Identity-based Rules
• Line Rate ~20 Gbps per host
• Full Visibility to encapsulated traffic
Diagram: Firewall Mgmt vs. VMware NSX with API and CMP
NSX Distributed Firewall Enablement
DFW enforces rules at the vNIC layer:
• DFW independent of transport network (VLAN or VXLAN)
• All VM ingress and egress packets are subject to DFW processing
• Security Policy independent of VM location
• V-to-V and P-to-V support
DFW has NO Dependency on Network Topology!
Diagram (VXLAN case): Logical Switch VXLAN 5001; vSphere Host with VM1 (MAC1, IP1), VTEP IP 10.20.10.10; vSphere Host with VM2 (MAC2, IP2) and VM3 (MAC3, IP3), VTEP IP 10.20.10.11; vSphere Distributed Switch
Diagram (VLAN case): DVS port-group on VLAN 501; same hosts, VMs and addresses
The same DFW policy rules apply in both cases:
Source   Destination   Service        Action
VM1      VM2, VM3      TCP port 123   Allow
VM1      VM2, VM3      any            Block
NSX DFW Policy Objects
• Policy rule construct: rich dynamic container based rules, not just IP addresses:
  – VC containers: Clusters, datacenters, Portgroups, VXLAN
  – VM containers: VM names, VM tags, VM attributes
  – Identity: AD Groups
  – IPv6 compliant: IPv6 address, IPv6 sets
  – Services: Protocol, Ports, Custom, IPv6 Services
• Choice of PEP (Policy Enforcement Point): Clusters, VXLAN, vNICs, …
• Rule columns: Rule ID | Rule Name | Source | Destination | Service | Action | Applied To
• Action: Allow, Block, Reject
Configure Policies with Security Groups
1 Select elements to uniquely identify application workloads
2 Use attributes to create Security Groups
3 Apply policies to security groups
Diagram: elements ABC, DEF (App 1, OS: Windows 8, TAG: “Production”) → Group XYZ → Policy 1 “IPS for Desktops” / “FW for Desktops”, Policy 2 “AV for Production” / “FW for Production”
§ Enforce policy based on logical constructs
§ Reduce configuration errors
§ Policy follows VM, not IP
§ Reduce rule sprawl and complexity
Use security groups to abstract policy from application workloads.
Element type   Static                                            Dynamic
               Data center, Virtual net, Virtual machine, vNIC   VM name, OS type, User ID, Security tag
Micro-segmentation simplifies network security
§ Each VM can now be its own perimeter
§ Policies align with logical groups
§ Prevents threats from spreading
Diagram: Perimeter firewall (WAN, Internet) – Inside firewall – zones App, DMZ, Services (AD, NTP, DHCP, DNS, CERT), DB – groups Finance, Engineering, HR
NSX Security in SDDC
Diagram: Physical – Perimeter Firewall (Physical); Virtual – NSX EDGE Service Gateway in front of the SDDC (Software Defined DC) Compute Clusters, each with DFW
• NSX EDGE Service Gateway positioned to protect the border of the SDDC: EDGE: North – South traffic protection
• NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection
Micro-segmentation in detail
Segmentation – controlled communication path within a single network
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs
Isolation – no communication path between unrelated networks
• No cross-talk between networks
• Overlay technology assures networks are separated by default
Advanced services – addition of 3rd party security, as needed by policy
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions
Third-Party Firewall, Network Security Options for NSX Integration
Platform for Distributed Services
Redirect via global rule to 3rd party:
Src       Dst              Action
ANY       Shared Service   Allow
Desktop   WEB_GROUP        Redirect to 3rd party
Redirect via policy template, for reuse in automation workflows: “Web Policy” applied to WEB_GROUP
• Firewall – redirect to 3rd party
• 3rd party – do deep packet inspection
3rd party can program NSX distributed firewall directly – and set/get context to inform policy
Example: Orchestrating Security Between Multiple Services (Vulnerability Scan)
Diagram: NSX Manager with security groups SG: Quarantine and SG: Web Servers, each with services (antivirus)
1. Web Server VM running IIS is deployed, unknowingly having a vulnerability
2. Vulnerability Scan is initiated on web server (3rd party AV product)
3. VM is tagged in NSX Manager with the CVE and CVSS Score
4. NSX Manager associates the VM with the Quarantine (F/W Deny)
5. [Externally] Admin applies patches, 3rd party AV product re-scans VMs, clears tag
6. NSX Manager removes the VM from Quarantine; VM returns to its normal duties
SG: Quarantine – Membership: Include VMs which have CVSS score >= 9
SG: Web Servers – Membership: Include VMs which have been provisioned as “WebServer”
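The quarantine workflow above, together with the earlier "DFW has NO Dependency on Network Topology" rule table and the "Configure Policies with Security Groups" slide, as an added example that is not code from the original deck or from NSX itself: a Python model in which security-group membership is recomputed from tags and CVSS score on every lookup, and a DFW rule table is evaluated per flow, so tagging a VM with a score of 9 or more moves it into Quarantine and blocks its traffic without touching any rule. The App Servers group, the tag names, the rule table and the VM names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)   # NSX security tags set by vCenter, admins or a partner scanner
    cvss: float = 0.0                         # highest CVSS score reported by the scanner; 0.0 when clean

# Security groups with dynamic membership criteria (constructed to mirror the slide's two groups).
SECURITY_GROUPS = {
    "Web Servers": lambda vm: "WebServer" in vm.tags,
    "App Servers": lambda vm: "AppServer" in vm.tags,
    "Quarantine":  lambda vm: vm.cvss >= 9.0,
}
def members(group: str, inventory: list) -> set:
    """Membership is recomputed on every call: a tag or score change moves the VM at once."""
    return {vm.name for vm in inventory if SECURITY_GROUPS[group](vm)}

# DFW rule table (rule_id, source, destination, service, action): top-down, first match wins.
# A selector is a VM name, a security-group name or "any"; rule 1000 is the default rule.
RULES = [
    (1,    "Quarantine",  "any",         "any",      "Block"),
    (2,    "any",         "Quarantine",  "any",      "Block"),
    (3,    "Web Servers", "App Servers", "tcp/8443", "Allow"),
    (1000, "any",         "any",         "any",      "Block"),
]
def selector_matches(selector: str, vm: VM, inventory: list) -> bool:
    if selector in ("any", vm.name):
        return True
    return selector in SECURITY_GROUPS and vm.name in members(selector, inventory)

def evaluate(src: VM, dst: VM, service: str, inventory: list) -> tuple:
    """Return (rule_id, action) of the first matching rule, as the vNIC-level DFW would."""
    for rule_id, s, d, svc, action in RULES:
        if (selector_matches(s, src, inventory) and selector_matches(d, dst, inventory)
                and svc in ("any", service)):
            return rule_id, action
    raise AssertionError("the default rule matches every flow")

def quarantine_workflow() -> list:
    """Steps 1-6 of the slide: a scan result tags the VM, Quarantine membership blocks it, clearing restores it."""
    web1, app1 = VM("Web1", {"WebServer"}), VM("App1", {"AppServer"})
    inventory = [web1, app1]
    history = [evaluate(web1, app1, "tcp/8443", inventory)]         # (3, 'Allow')
    web1.cvss = 9.8                                                 # step 3: scanner reports a critical CVE
    history.append(evaluate(web1, app1, "tcp/8443", inventory))     # (1, 'Block')
    web1.cvss = 0.0                                                 # step 5: patched, re-scanned, tag cleared
    history.append(evaluate(web1, app1, "tcp/8443", inventory))     # (3, 'Allow')
    return history
```

Because the rules name groups rather than IP addresses, the same three rules keep working when the VM is vMotioned or re-addressed, which is the "policy follows VM, not IP" point of the security-groups slide.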
NSX Partners and Service Categories: Application Delivery Services, Physical-to-Virtual Services, Operations and Visibility, Security
NSX Partner Extensions: http://www.vmware.com/products/nsx/resources.html
Ground-breaking use cases
Enterprises can often justify the cost of NSX through a single use case
Security: Micro segmentation, DMZ anywhere, Secure end user
IT automation: IT automating IT, Multi-tenant infrastructure, Developer cloud
Application continuity: Disaster recovery, Metro pooling, Hybrid cloud networking
IT optimization: Server asset utilization, Price | performance, Hardware lifecycle
Use Case: Infrastructure Management with vRealize Automation
New Features:
§ Simplified Multi-Tier App Deployment
§ Improved Connectivity − Deployment of logical switches and networks
§ Enhanced Security − Intelligent placement of workloads in security groups protected by firewalls
§ Increased Availability − Via deployment of NSX distributed firewalls and load balancers
Benefits:
§ Deliver secure, scalable, performing application-specific infrastructure on-demand
Dynamically Provision and Decommission NSX Logical Services
Use Case: Disaster recovery with NSX network virtualization
Diagram: Primary site and Recovery Site, each with SAN, NSX Controller, physical network infrastructure (10.0.10/24 at the primary site, 10.0.20/24 at the recovery site) and Virtual Network 10.0.30/24 hosting the VM 10.0.30.21
Step 1: Snapshot VM
Step 2a: Replicate VM and storage
Step 2b: Snapshot network security
Step 3: Recover the VM – network and security already exist
Steps 1 & 2 (e.g. VMware SRM)
Use Case: A True Hybrid Cloud powered by VMware NSX
Diagram: Local Data Center – Internet / IPSec VPN – vCloud Air (vCloud Air Network); vCloud Air L2 VPN
Some Benefits:
• L2VPN for DC Extension
• Granular Network Security with Trust Groups
• Bi-directional workload migration using vSphere web client
Some Benefits:
• Today with vCloud AIR
• Tomorrow with Amazon AWS, Azure, Google and other Public Cloud Providers
NSX Vision: Driving NSX Everywhere – Managing Security and Connectivity for many Heterogeneous End Points
Automation – IT at the Speed of Business
Security – Inherently Secure Infrastructure
Application Continuity – Data Center Anywhere
End points: On-Premise Data Center, New app frameworks, Mobile Devices (Airwatch), Virtual Desktop (VDI), Branch offices (Partner), Internet of things, Public clouds
What’s Next…
VMware NSX Hands-on Labs: labs.hol.vmware.com
Explore, Engage, Evolve: virtualizeyournetwork.com
Network Virtualization Blog: blogs.vmware.com/networkvirtualization
NSX Product Page: vmware.com/go/nsx
NSX Training & Certification: www.vmware.com/go/NVtraining
NSX Technical Resources / Reference Designs: vmware.com/products/nsx/resources
VMware NSX YouTube Channel: youtube.com/user/vmwarensx
VMware NSX Community: communities.vmware.com/community/vmtn/nsx
Play Learn Deploy
Thank you.