8/18/2019 VMWorld 2013 - Technical Deep Dive Build a Collapsed DMZ Architecture
Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services
Shubha Bheemarao, VMware
Bruno Germain, VMware
SEC589
#SEC589
Objective
• Review DMZ design considerations
• Propose new DMZ design that is secure, scalable and cloud ready
• Provide deployment guidance using NSX highlighting benefits applicable to DMZ
Related Sessions
NET5847 - NSX: Introducing the World to VMware NSX
NET5266 - Bringing Network Virtualization to VMware environments with NSX
SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Center – VMware NSX Distributed Firewall
Agenda
Current DMZ design challenges and considerations
New DMZ Design
VMware NSX Components for the DMZ
Proposed DMZ Architecture
Conclusion
DMZ Design Often Relies On Physical Separation Of Trust Zones
DMZ Design:
1. Trust zones separated using separate hardware
2. Design is complex and inflexible
DMZ Application Deployment Is Slow
DMZ Challenge #1
• New application deployment involves configurations at multiple zones
• Configuration spread across devices
• Configuration managed by multiple teams
• Cannot automate
Address using:
• Build a Software Defined Data Center
• Build focus teams for cloud architecture and operations
(Figure: Network Team #1, Network Team #2 and Security Team each own part of the DMZ configuration)
DMZ Design May Compromise Data Center Security
DMZ Challenge #2
• Non DMZ traffic often not fully secured
• Large firewall rule sets
• Networking or placement changes could break security
• Hard to manage
Address using:
• Tie configuration to application objects instead of networks
• Secure all application traffic including East West traffic
DMZ Design Cannot Scale
DMZ Challenge #3
• Forces rip and replace to scale up
• Not cloud ready
Address using:
• Build design suited to scale incrementally using distribution of services
You Need A Cloud Ready DMZ
Design Considerations:
1. Security
2. Manageability
3. Scale and performance
4. Automation
Building A Logical DMZ Trust Zone Is A Better Approach
Steps:
• Pull DMZ zone into the datacenter
• Use virtual networking and security constructs for application isolation and protection
Benefits:
• Higher agility - flexible placement
• Simpler configuration management
• Lower cost – fewer hardware devices
• Easier automation
VMware NSX – Networking & Security Capabilities
(Figure: the VMware NSX Network Virtualization Platform sits between any application (without modification) and any cloud management platform above, and any hypervisor and any network hardware below; it exposes virtual networks built from Logical L2, Logical L3, Logical Firewall, Logical Load Balancer and Logical VPN, plus a Partner Eco-System)
Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
Logical Routing – Routing between virtual networks without exiting the software container
Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
Logical Load Balancer – Application Load Balancing in software
Logical VPN – Site-to-Site & Remote Access VPN in software
NSX API – RESTful API for integration into any Cloud Management Platform
2. Protect Every Virtual Server Using Distributed Firewall
Benefits for DMZ
• Achieve line rate throughput using vNIC level hypervisor firewall
• Higher security – Complete East West traffic protection via distributed enforcement
• Easy Scale and Automation
• Mobility of security rules – Rules follow the VM
(Figure: Web, App and DB tiers, each protected by the distributed firewall)
3. Provide Perimeter Protection Using Logical Gateway
Benefits for DMZ:
• Deploy logical Perimeter Firewall, Load Balancer and VPN programmatically and as needed
• Perimeter services and policy can be tied to the application
• Virtual appliance model allows cloud agility and scale-out
• Higher security through VIP hiding internal IP addresses
(Figure: Services Edge providing NAT, FW, VPN and LB in front of the Web, App and DB tiers)
4. Optimize Application Traffic Flow Using Distributed Router
Benefits for DMZ
• Optimize traffic flows to minimize latency
• Minimize advertising internal routers to perimeter devices
(Figure: Logical Distributed Router connecting the Web, App and DB tiers)
5. Automate Application Protection Using Logical Switches
Benefits for DMZ:
• No need to re-program the perimeter security function as workloads move within the infrastructure
• Application specific security follows the workload
• “Configure and forget”
(Figure: Web tier attached to a logical switch)
6. Protect Application Access Using Identity Firewall
Benefits for DMZ
• Create firewall rules using user identity for VDI
  • Limit application access to only authorized groups of users
  • Prevent insider attack
• Get visibility into in-guest applications and application access
  • Ensure no rogue applications are running on your servers
  • Get reporting on application usage by user groups
(Figure: DB Admins permitted to the DB tier and Web Admins permitted to the Web tier; Application Visibility across the Web, App and DB tiers)
7. Define Application Security Using Logical Containers
Benefits for DMZ
• Simplify rule creation and management – Use Logical boundaries to reflect application boundaries, prevent rule sprawl by tying security policy to applications
• Automate protection for new VMs as new security group members inherit security policies
• Flexible and manageable container creation options - Use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes
(Figure: a Web logical container grouping many VMs)
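The following is an added example, not code from the deck or from NSX: a small Python model of the argument made on this slide and in Challenge #2, that policy keyed to application objects (here, constructed tag-based groups standing in for vSphere objects) survives re-addressing and placement changes, while the same intent keyed to subnets either breaks the application or lets an unrelated VM through. Group names, tags and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset  # constructed vSphere-style tags such as "tier:web"

@dataclass(frozen=True)
class Rule:
    src: str   # a logical-container name or a CIDR
    dst: str
    port: int

# Logical containers: membership is derived from the VM object's tag, not its address.
GROUPS = {"sg-web": "tier:web", "sg-app": "tier:app", "sg-db": "tier:db"}

def matches(vm, selector):
    """A selector is a logical container (tag-based) or a network identifier (CIDR)."""
    if selector in GROUPS:
        return GROUPS[selector] in vm.tags
    return ipaddress.ip_address(vm.ip) in ipaddress.ip_network(selector)

def allowed(src, dst, port, policy):
    """Default deny: a flow passes only if some rule matches both endpoints and the port."""
    return any(matches(src, r.src) and matches(dst, r.dst) and r.port == port
               for r in policy)

# The same intent expressed two ways: by application object and by network identifier.
OBJECT_POLICY = [Rule("sg-web", "sg-app", 8443), Rule("sg-app", "sg-db", 3306)]
NETWORK_POLICY = [Rule("10.1.1.0/24", "10.1.2.0/24", 8443),
                  Rule("10.1.2.0/24", "10.1.3.0/24", 3306)]

def scenario():
    """Constructed three-tier inventory, then the two changes the slide warns about."""
    web = VM("web01", "10.1.1.10", frozenset({"tier:web"}))
    db = VM("db01", "10.1.3.10", frozenset({"tier:db"}))
    # Change 1: app01 is re-addressed into the DB subnet (placement/networking change).
    app_moved = VM("app01", "10.1.3.20", frozenset({"tier:app"}))
    # Change 2: an untagged scratch VM is deployed into the subnet the app tier used.
    scratch = VM("scratch01", "10.1.2.99", frozenset())
    return {
        "object_web_app_after_move": allowed(web, app_moved, 8443, OBJECT_POLICY),   # still works
        "network_web_app_after_move": allowed(web, app_moved, 8443, NETWORK_POLICY), # application breaks
        "object_scratch_db": allowed(scratch, db, 3306, OBJECT_POLICY),              # stays denied
        "network_scratch_db": allowed(scratch, db, 3306, NETWORK_POLICY),            # security breaks
    }
```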
Architecture Can Easily Scale
Benefits for DMZ:
• Achieve Multitenancy using perimeter gateway for tenant separation
• Fully automate using REST API scripts or Cloud Management portals
• Scale easily by adding essential services on demand in software
• Built for high performance
(Figure: Web, App and DB tiers behind the perimeter gateway)
Functional View of Data Center With Logical DMZ
(Figure: an Exchange deployment behind the logical DMZ. Any devices over any networks reach app gateways and perimeter devices and admin jump points; common services (EDS, AD) and application roles: Edge Transport – routing and AV/AS; Client Access – client connectivity, web services; Hub Transport – routing and policy; Mailbox – storage of mailbox items; Unified Messaging – voice mail and voice access; DB. Port labels from the diagram: 25, 50636, 135, RPC 808, 5060, 5061, 5062 and dynamic ports, and 389, 3268, 88, 53, 135 to AD)
Physical View Of NSX Component Deployment
(Figure: Compute Clusters, Management Cluster and Edge Cluster across Compute Racks, Infra Racks and Edge Racks, with NSX Manager, NSX Controller, NSX Edge and vCenter Server; Data Center IP network, Management network (vMotion & storage), Physical Appliances, External networks WAN/Internet, L2 and L3)
Controller Software
• Virtual network orchestrator
• Massive scale
Hypervisor Service Modules
• Distributed network services (Switching, Routing)
• Load Balancer, Switch, Firewall, Router/VPN
Gateway Software
• Integration with existing physical infra.
• V to V / V to P
Build Your Cloud Ready DMZ with NSX
Before: DMZ with physical separation of trust zones
After: DMZ with Logical separation of trust zones
Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads
THANK YOU
Mixed Mode / Multi-tenant and the test of auditing
We are not alone:
• Automated and self-healing
• Security & compliance trust zones
• Power of cloud infrastructure automation
A validated methodology for the migration to mixed trust zones
(Figure: physical Core, Aggregation and Access layers with vSphere hosts; vShield App Based Security on VMware vSphere + vShield; Cluster1 hosting the HR App, FIN App and Sales App across Web Frontend, Apps and Database tiers. Legend: Increased Confidence with Virtualization and Virtualization Security; Mixed-Trust Zone with Virtual Enclaves)