vvmworld 2013: deploying, troubleshooting, and monitoring vmware nsx distributed firewall
DESCRIPTION
VMworld 2013 Srinivas Nimmagadda, VMware Shadab Shah, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshareTRANSCRIPT
Deploying, Troubleshooting, and Monitoring VMware
NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
SEC5894
#SEC5894
2
Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
• 3-Tier Application – (3 VXLANs) or (1 VXLAN)
• Multi-Tenant Scenario
Troubleshooting NSX Firewall
Deployment of NSX Firewall (RBAC, Audit Logging, …)
Monitoring NSX Firewall
3
Hypervisor Kernel Embedded Firewall
Benefits… • Is built right in to the Hypervisor
• “Line Rate” Performance (15Gbps+ per host)
• No VM can circumvent Firewall
• Better compliance model
4
Distributed Virtual Firewall
VM
VM
VM VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
Benefits… • No “Choke Point”
• Scale Out
• Enforcement closest to VM
5
Flexible Access Control Mechanisms
Benefits… • IP/VLAN: Support physical infrastructure based rules
• Security Groups: Logical grouping of VMs
• VM Asset Tags: Dynamic VM attributes
• Rules follow the VMs
VM
VM
VM VM
VM VM
VM
VM
VM VM
VM
VM
VM
VM
VM VM VM
VM VM VM VM
VM VM
VM VM VM
VM
VM
VM
VM
VM
VM
VM VM
VM VM
VM
VM
VM VM
VM
VM
VM
VM
VM VM VM
VM VM VM VM
VM VM
VM VM VM
VM
VM
VM
VM
6
Identity Based Access Control
Active Directory
Eric Frost
User AD Group App Name Originating VM
Name
Destination
VM Name
Source IP Destination IP
Eric Frost Engineering SPDesigner.exe Eric-Win7 Ent-Sharepoint 192.168.10.75 192.168.10.78
IP: 192.168.10.75
Source Destination Services Action
Engineering Ent-Sharepoint http Permit, Log
Rule Table
Logs
8 8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Packet Path – Source & Destination on same Host
External Network
Source Destination
vSwitch
Traffic between two VMs on the
same host does not hit the
physical switch
Firewalling enforced close to
the source VM
Firewalling also done as traffic
enters the Destination VM’s
vNIC
9 9 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Packet Path – Traffic across Hosts
External Network
Source Destination
vSwitch vSwitch
Traffic between two
VMs on different hosts
hit the physical switches
Firewalling enforced at
source and destination
VM vNICs
Similar flow for Virtual to
Physical Traffic
10
Firewall Management Life Cycle
Prepare Deploy firewall on hosts
Enable Logging
VMTools for VMs, Activity Monitoring
Policy vCenter Objects
Configure Access Rules
Sections
Troubleshoot Logs with Rule IDs
Rule Hit Count
Enforced Rules on a Host
Packet Captures
Monitor Flow Monitoring
Activity Monitoring
Operations Audit Tracking
Role Based Access Control
Import/Export of Configutations
11
Prepare Deploy Firewall
Enable Logging
Deploy VMTools
12
Deploy NSX Firewall
13
Network Setup
14
Enable Firewall Logging
Syslog.global.logHost tcp://10.24.131.189:514
15
Enable VMTools
16
Policy Policy Objects
Access Control Rules
17
Editable Text Here
External
Networks Single Logical
Switch
Vxlan-5004
Web-
sv-02a
App-sv-
02a
Db-sv-
02a
Client
Logical Switch
Vxlan-5000
Client-
01
Client-
02
Web Services
Logical Switch
Vxlan-5002
App Services
Logical Switch
Vxlan-5003
DB Services
Logical Switch
Vxlan-5001
Web-
sv-01a App-sv-
01a Db-sv-
01a
3-Tier Application Deployment
18
Create Security Groups (Static VM Assignment)
19
Create Security TAGs for PCI & DevTest Zones
20
Define AD Domain (for IDFW Rules)
21
Create User Based Access Rules
22
Multi-Tenancy With NSX Firewall
External
Networks
Tenant 2
Logical Switch
Tenant 1
Logical Switch
VM
VM
VM
VM
VM
VM
Routing, VPN, NAT
Tenant Specific
Micro-segmentation
Tenant 2
Logical Switch
23
Tenant-01 Access Rules
Objects
ALL-CUST-VXLANS
Tenant01-VXLAN Tenant02-VXLAN
Tenan01-Services (192.168.10.0/24) Tenant02-FIN-Apps (192.168.10.0/24)
Tenant-01 Section
Source Destination Services Action Apply To
Tenant01-VXLAN Tenant01-Services Any Permit Tenant01-VXLAN
… … … … Tenant01-VXLAN
Tenant01-VXLAN Tenant01-VXLAN Any Deny Tenant01-VXLAN
SP Tenant-01 Section
Source Destination Services Action Apply To
ALL-CUST-VXLANS Tenant01-VXLAN Any Deny
Tenant01-VXLAN ALL-CUST-VXLANS Any Deny
24
Tenant-02 Access Rules
Tenant-02 Section
Source Destination Services Action Apply To
Tenant02-FINANCE Tenant02-FIN-Apps http, https Permit, log Tenant02-VXLAN
… … … … Tenant02-VXLAN
Tenant02-VXLAN Tenant02-VXLAN Any Deny Tenant02-VXLAN
SP Tenant-02 Section
Source Destination Services Action Apply To
ALL-CUST-VXLANS Tenant02-VXLAN Any Deny
Tenant02-VXLAN ALL-CUST-VXLANS Any Deny
25
Host And Network Security Services
Anti Virus
Vulnerability Scanner
DLP
IPS
NGFW
26
Dynamic Security Group Membership
Firewall Rule Table
27
Troubleshooting Log Policy
Rule Hit Count
Enforced Per Host Rules
Packet Capture
28
vCenter Host Kernel Log
29
Log Insight
Source Dest SPORT DPORT Action Rule ID
10.113.132.192 172.25.40.101 62517 3389 DROP 1011
30
Lookup Rules By ID
31
Rule Statistics
32
Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
# Filter rules
rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to
addrset ip-securitygroup-29 port 80 accept with log;
rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to
addrset ip-securitygroup-29 port 443 accept with log;
rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
rule 1001 at 1 inout ethertype any from any to any accept;
}
33
Packet Capture
summarize-dvfilter
pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile
test.pcap
34
Monitoring Flow Monitor
Activity Monitor
35
Flow Monitoring
• All flows from the VMs accumulated on NSX Manager
• Provides aggregated historic data for dropped, active and inactive flows
36
Flow Monitoring, Details
37
Live Flows
38
Enable Activity Monitoring for VMs
39
Activity Monitoring
40
Operations Audit Log
Users & RBAC
Config Backup/Restore
41
Audit Log
42
User Management & RBAC
43
Firewall Config Backup/Restore
44
Summary
NSX Firewall
East/West Traffic Control
Identity & VM Awareness
High Performance & Scale-out
Operational Workflows
Policy Management
Troubleshooting
Monitoring
RBAC
REST API & Automation
Take Aways Enables Business Agility
Delivers Superior Performance & Scale
Simplifies Firewall Management
45
Other VMware Activities Related to This Session
HOL:
HOL-SDC-1303
VMware NSX Network Virtualization Platform
Group Discussions:
SEC1000-GD
Distributed Virtual Firewall - Management, Architecture, Scalability and
Performance with Serge Maskalik
SEC5894
THANK YOU
Deploying, Troubleshooting, and Monitoring VMware
NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
SEC5894
#SEC5894
62
The Transformative Value of Network Virtualization
Labor/OPEX Savings
Innovation Speed & New Business
83%
Reduction*
88%
Reduction*
93%
Reduction*
Increase in Business Velocity
* Projected savings off current baseline spend, steady
state 75% reduction in IT infrastructure spending.
Source: Large US-based Financial Services company
• Valuable labor moves to SDDC architects, away from high-cost siloed orgs
• Manual design, config & deploy moves to automated / self service provisioning
• Complex / custom hardware configuration moves to simplified IP forwarding
• Box-based net security moves to centrally defined, scale-out security policies
• Physical Infra labor moves to “rack-n-stack” with limited “operator” functions
• Adds/moves/changes no longer require full manual re-provisioning effort
63
Introducing VMware NSX
2013
vCNS v5.1
vCloud Suite (Network & Security) v5.1
vCloud Suite (Network & Security) v5.5
2014
vCloud Network & Security