SAI2781BU
NSX-T Advanced Security and Networking Service Insertion Deep Dive
Stijn Vanveerdeghem, VMware, Inc.
VMworld 2019 Content: Not for publication or distribution
©2019 VMware, Inc.
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Micro-segmentation with NSX-T: Intrinsic Security
Workloads: Bare metal, VMs, VMC on AWS, Public Clouds (AWS, Azure), Containers
Locations: Data Center, Branch, VMC, Cloud
Capabilities: Micro-segmentation, Zone Firewalling, Real-time visibility, Net-Sec Analytics
Unified Management Plane
Layer 3-7 (Edge appliance): Service Insertion
Layer 2-7 (distributed, at the workload): Identity Firewalling, URL Filtering, Service Insertion, Endpoint Protection
Ubiquitous enforcement based on application context, distributed for cloud scale and baked into the infrastructure.
Micro-segmentation with NSX-T: Key New NSX-T Security Functionality
• Internal Firewall: use the Distributed Firewall for East-West traffic micro- and macro-segmentation
• Gateway Firewall: use the perimeter firewall for North-South traffic into the SDDC and between tenants
• Vendor Integration: deploy partner solutions for specific use cases in conjunction with NSX (Endpoint Protection / Service Insertion)
• NSX Intelligence: Network & Security Analytics
• Clustered Management: simplified UI and declarative policy
Driving Value with our NSX Partner Ecosystem
Partner categories: Cloud; Automation and DevOps; Operations and Visibility; Networking and Security Services; Network Infrastructure
Consistent Visibility and Security across all workloads
NSX-T Network and Security Service Insertion
Workloads: VMs, Containers, Physical Servers, Native Public Cloud
Enforcement points: Distributed Firewall, Gateway Firewall, E-W Service Insertion, N-S Service Insertion
NSX-T Service Insertion: Value Proposition
Insertion of 3rd-party services in the SDDC and Cloud
Intercepts data in motion across the network:
• Perimeter (N-S)
• At each workload’s vNIC (E-W)
Security and visibility services across workloads and platforms
Chaining of multiple services
Redirection or copy of traffic to the partner service
Consistent partner policy across multiple vCenters
Deep integration with partners
Partner service types: Micro-Segmentation, IPS, URL Filtering, Reputation, Sandboxing, Anti-Virus, Network Monitoring
NSX-T Service Insertion: Deep Partner Integration
• Granular service insertion
• Simplified provisioning
• Ubiquitous application-based policies
• Flexible and scalable service chains
NSX-T Service Insertion: Key Use Cases
Inline Advanced Security Controls (Granular Traffic Redirection)
• Perimeter and per-workload
• For Containers, VMs, Bare Metal and Cloud
• IPS/IDS, Threat Prevention, NGFW, Web Filtering, Anti-malware, Outbreak Prevention
Traffic Aggregation, Visibility and Analytics (Granular Traffic Copy)
• Per workload
• Containers and VMs
• Aggregation, processing, analytics and distribution of application traffic
• Performance monitoring, security analytics and forensics
Certified Service Insertion Solutions (North-South)
NSX-T Service Insertion
• Palo Alto Networks PAN-OS 9.0.3
• Fortinet FortiGate-VM NGFW 6.0.4
• Check Point CloudGuard IaaS for NSX-T R80.10
Certified Service Insertion Solutions (East-West)
NSX-T Service Insertion
• Palo Alto Networks PAN-OS *
• Fortinet FortiGate-VM NGFW 6.2.1
• Check Point CloudGuard IaaS for NSX-T R80.30
• vStream *
• Gigamon GigaVUE *
* Upcoming integration announced by the partner; check the VMware Compatibility Guide for the most up-to-date information.
Service Consumption Workflow
NSX-T Service Insertion
Same workflow across N-S and E-W Service Insertion:
1. Service Registration (partner specific)
2. Service Deployment (universal, done in NSX)
3. Service Application (universal, done in NSX)
4. Service Consumption (partner specific)
NSX-T Service Insertion: Deployment Options
Aspect                  | North-South                                                        | East-West
Use Cases               | SDDC/Tenant Perimeter, Kubernetes Namespaces, NSX Cloud Security   | Advanced Security and Visibility Controls for Micro-segmentation
Partner Services        | NGFW (IPS, Botnet filtering, URL Filtering)                        | NGFW, Network Visibility, Network Performance Management
Protected Workloads     | Any workload behind a T0/T1 gateway, on prem and in NSX Cloud      | K8s, VMs on ESXi
Traffic Interception    | Uplink of T0/T1 Gateway                                            | Logical Port (VM vNIC / Container Interface)
Transport               | Layer 2 (bump in the wire)                                         | Service Plane (NSH over Geneve)
SVM Placement           | ESXi Transport Node (placed close to the Edge)                     | Each ESXi Compute Transport Node, or an ESXi Service Cluster
High Availability       | Active/Standby                                                     | Load balancing across multiple Service Instances
Service Chaining        | Per Logical Router (topology dependent)                            | Per Policy (topology independent)
Redirect / Copy Support | Redirect                                                           | Redirect and Copy
North-South Service Insertion with NSX-T: Security Use Cases
Use cases (compared for NSX-T and NSX for vSphere on the slide):
• Protect SDDC Perimeter
• Protect Tenant Perimeter
• Secure Kubernetes Namespaces
• Protect Bare Metal Workloads
• Protect Native Public Cloud Workloads
• Active/Standby Support
North-South Service Insertion with NSX-T: Major Components
Partner Manager
• Registers the service with NSX
• Manages the service policy
• Receives group updates from the NSX Manager
NSX Manager Cluster
• Deploys the service
• Creates the service links
• Configures the SI Classifier based on the redirection rules
SI Classifier
• Intercepts and redirects traffic
[Diagram: the Partner Manager exchanges service registration and group updates with the NSX Manager Cluster. The Edge Node hosts the Tier-0 SR with the SI Classifier on its uplink, plus the Tier-0 DR and the Tier-1 DR/SR. The Service Node hosts an NGFW Instance (Active) and an NGFW Instance (Standby), connected to the SR through an Untrusted Segment and a Trusted Segment, with an HA segment between the two instances; the downlink leads to the workloads.]
North-South Service Insertion with NSX-T: Major Components (continued)
Service Links
• Overlay segments
• Connect the T0/T1 (SR) to the service instances
• Untrusted and Trusted segments, plus an HA segment
• Automatically created
Service Instances
• Instantiation of a service
• Active/Standby
• Bump-in-the-wire
[Diagram: same component diagram as the previous slide.]
North-South Service Insertion with NSX-T: Requirements
• Redirection is applied to the uplink of the T0/T1
• Protected workloads can be VMs, bare metal or Kubernetes
• Service instances can only be deployed on ESXi Transport Nodes managed by vCenter
• Edge Nodes can be co-located on the same ESXi Transport Node
• Active/Standby and Standalone LR/SVM are supported; Active/Active is not supported
• Only 1 service per router is supported
North-South Service Insertion with NSX-T: Supported Configurations
Standalone
• Single partner VM per Logical Router
• Logical Router in A/S mode
• No HA support
• Fail-open/fail-closed support
Active/Standby
• A/S partner SVM pair per Logical Router
• Logical Router in A/S mode
• Additional (HA) segment to sync between the partner SVMs
• BFD is used to detect failure of the Active instance
• Fail-open/fail-closed support
North-South Service Insertion with NSX-T: Service Registration and Deployment
1. Security admin creates the service definition on the Partner Manager
2. Service definition is registered in the NSX catalog
3. NSX admin deploys the selected service
4. NSX Manager deploys the OVA on the Transport Node via vCenter
5. Service links are created and attached to the SVM and the Logical Router (SR)
6. Partner SVM registers itself with the Partner Manager
[Diagram: Partner Manager (service definition by the admin, registration in the NSX Manager Cluster catalog); NSX Manager Cluster (service deployment through vCenter onto the NSX-T "Service" Transport Node hosting the Partner SVM); NSX-T Edge Node (service routers, uplink) attached to the SVM over the overlay-based service plane; the SVM registers back with the Partner Manager.]
North-South Service Insertion with NSX-T: Service Application and Consumption
1. Security admin configures the partner policy (on the Partner Manager)
2. NSX admin configures the redirection policy (in NSX Manager)
• Redirection rules are applied to the LR uplink
• Redirect / Do-Not-Redirect action
• Redirection rules are stateless, but reflexive rules are auto-created
[Diagram: same deployment diagram, with the admin's partner policy configuration going to the Partner Manager and the redirection policy configuration going through the NSX-T Manager Cluster to the redirection rules on the Edge Node uplink.]
North-South Service Insertion with NSX-T: Service Segments
• 2 segments are automatically created per service
• Service VM data interfaces are attached to the segments
• Untrusted/Trusted router ports are created on the SR
• Router ports are attached to the segments
[Diagram: Edge Node (Tier-0 SR with SI Classifier on the uplink, Tier-0 DR, Tier-1 DR/SR) and Service Node (NGFW Instance Active and Standby, HA segment); the Untrusted Segment and Trusted Segment connect the SR to the NGFW instances, and the trusted side leads on to the compute nodes/workloads.]
North-South Service Insertion with NSX-T: Classifier
• SI Classifier is applied to the uplink of the SR
• SI Classifier matches traffic based on the redirection rules
• Redirect action determines the next-hop IP address:
  • "Untrusted" service link IP in case of N-S traffic
  • "Trusted" service link IP in case of S-N traffic
• Traffic is sent out on the Untrusted/Trusted interface to the Partner SVM in "bump in the wire" mode
[Diagram: an Edge Node with a Tier-0 SR and SI Classifier, and an Edge Node with a Tier-1 SR and SI Classifier; each SR has an Untrusted and a Trusted service link.]
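The classifier behaviour described on the "Service Application and Consumption" and "Classifier" slides (stateless redirection rules at the LR uplink with auto-created reflexive rules, Redirect / Do-Not-Redirect actions, and the next hop chosen per direction: untrusted service-link IP for N-S, trusted for S-N), as an added Python model. This is not NSX-T code; the group names, CIDRs, service-link IPs, rule names and packets are constructed for the example, and first-match evaluation is this model's assumption.

```python
"""Added example, not NSX-T code: a model of the North-South SI Classifier
at a T0/T1 uplink, following the slides' description. Redirection rules are
stateless group/service matches evaluated first-match; adding a rule also
adds its reflexive (reversed) rule; a REDIRECT match sends N-S traffic to
the "untrusted" service-link IP and S-N traffic to the "trusted" one.
Groups, CIDRs, service-link IPs and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    sport: Optional[int]
    dport: Optional[int]
    inbound: bool         # True: arrives on the uplink from outside (N-S); False: leaving (S-N)


@dataclass(frozen=True)
class RedirectionRule:
    name: str
    src_groups: Tuple[str, ...]
    dst_groups: Tuple[str, ...]
    services: Tuple[Tuple[str, Optional[int]], ...]  # (proto, dst port); (ANY, None) = any
    action: str                                        # "REDIRECT" | "DO_NOT_REDIRECT"
    reflexive: bool = False                            # auto-created reverse rule


@dataclass(frozen=True)
class ServiceLinks:
    untrusted_ip: str   # SR-side next hop on the Untrusted segment
    trusted_ip: str     # SR-side next hop on the Trusted segment


class UplinkClassifier:
    def __init__(self, groups: Dict[str, List[str]], links: ServiceLinks) -> None:
        self.groups = {g: [ip_network(c) for c in cidrs] for g, cidrs in groups.items()}
        self.links = links
        self.rules: List[RedirectionRule] = []

    def add_rule(self, rule: RedirectionRule) -> None:
        """Stateless rules do not track flows, so the reverse direction gets
        its own rule: groups swapped, and the service port matched as the
        source port instead of the destination port."""
        self.rules.append(rule)
        self.rules.append(RedirectionRule(
            name=rule.name + "-reflexive", src_groups=rule.dst_groups,
            dst_groups=rule.src_groups, services=rule.services,
            action=rule.action, reflexive=True))

    def _in_group(self, ip: str, names: Tuple[str, ...]) -> bool:
        if ANY in names:
            return True
        addr = ip_address(ip)
        return any(addr in net for g in names for net in self.groups.get(g, []))

    def _service_match(self, pkt: Packet, rule: RedirectionRule) -> bool:
        for proto, port in rule.services:
            if proto != ANY and proto != pkt.proto:
                continue
            if port is None:
                return True
            if (pkt.sport if rule.reflexive else pkt.dport) == port:
                return True
        return False

    def classify(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """First matching rule wins. Returns (rule name, next-hop IP); the
        next hop is None when traffic stays on the normal routed path."""
        for rule in self.rules:
            if (self._in_group(pkt.src, rule.src_groups)
                    and self._in_group(pkt.dst, rule.dst_groups)
                    and self._service_match(pkt, rule)):
                if rule.action != "REDIRECT":
                    return rule.name, None
                next_hop = self.links.untrusted_ip if pkt.inbound else self.links.trusted_ip
                return rule.name, next_hop
        return "default", None


def build_demo_classifier() -> UplinkClassifier:
    """Constructed policy: keep management traffic on the routed path,
    redirect Internet-to-web HTTPS through the partner NGFW."""
    clf = UplinkClassifier(
        groups={"web-tier": ["10.10.1.0/24"], "mgmt": ["10.10.0.0/24"],
                "internet": ["0.0.0.0/0"]},
        links=ServiceLinks(untrusted_ip="100.64.1.2", trusted_ip="100.64.2.2"))
    clf.add_rule(RedirectionRule("no-redirect-mgmt", (ANY,), ("mgmt",),
                                 ((ANY, None),), "DO_NOT_REDIRECT"))
    clf.add_rule(RedirectionRule("redirect-web-https", ("internet",), ("web-tier",),
                                 (("tcp", 443),), "REDIRECT"))
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    syn = Packet("203.0.113.5", "10.10.1.10", "tcp", 51000, 443, inbound=True)
    reply = Packet("10.10.1.10", "203.0.113.5", "tcp", 443, 51000, inbound=False)
    print(clf.classify(syn))    # N-S: sent to the untrusted service link
    print(clf.classify(reply))  # S-N reply hits the reflexive rule: trusted service link
```

The reflexive rule is what keeps a stateless policy symmetric: without it the reply from the web tier would fall through to the default routed path and bypass the NGFW, which is exactly the asymmetric-inspection failure a bump-in-the-wire deployment must avoid.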
North-South Service Insertion with NSX-T: Demo
[Topology: a Tier-0 Gateway with two Tier-1 Gateways, "Production" and "DevTest"; each Tier-1 serves Web-Tier, App-Tier and DB-Tier segments plus Shared Services.]
North-South Service Insertion with NSX-T: Demo (partner services)
[Topology: same Tier-0/Tier-1 layout, with Palo Alto VM-Series and Fortinet FortiGuard shown as the inserted partner services.]
Demo: N-S
North-South Service Insertion in NSX Cloud
• L3-based N-S Service Insertion to a Service VM in a Transit VPC/VNET
• Redirection at the T0
• Redirected traffic is routed across a VPN between the NSX Cloud Gateway and the partner services
• BYOD mode
[Diagram: Transit VPC with an IGW, NGFW Instance 1 (Active) in AZ-1 and NGFW Instance 2 (Standby) in AZ-2; the compute VPC's uplinks reach the NGFW over an IPsec VPN; once a redirection rule matches, the Service VM inspects the traffic.]
East-West Service Insertion with NSX-T: Security Use Cases
Use cases (compared for NSX-T and NSX for vSphere on the slide):
• Protect VM-to-VM communication
• Protect container-to-container communication
• Central (clustered) SVM deployment
• Local (per-host) SVM deployment
• Service chaining
• Multi-vCenter support
• Guest VM vMotion support
• Load balancing across service instances
• Standards-based packet delivery
East-West Service Insertion with NSX-T: Major Components
Partner Manager
• Registers the service with NSX
• Manages the service policy
• Receives group updates from the NSX Manager
• Manages vendor templates
NSX Manager Cluster
• Deploys the service
• Creates the service plane
• Creates filters
• Configures the SI Classifier based on the redirection rules
Service Plane
• Connects the guest VM (GVM) to the service instances
[Diagram: the Partner Manager exchanges service registration and group updates with the NSX Manager Cluster. Compute Node 1 (VM 1, VM 2) and Compute Node 2 (VM 3, VM 4) attach their workloads to a Workload Segment, with an SI Classifier at the vNIC. A Service Node hosts NGFW, IPS and NETMON instances, each behind a Service Proxy, on a Service Plane Segment; a local circuit joins the classifier to the service plane.]
East-West Service Insertion with NSX-T: Major Components (continued)
SI Classifier
• Intercepts traffic after it passes through the Distributed Firewall
• Redirects packets onto the service segment
Service Proxy
• Sits in front of every service instance
• Presents packets to the partner service and back to the service chain
• Performs liveness detection
[Diagram: same component diagram as the previous slide.]
East-West Service Insertion with NSX-T: Requirements
• E-W traffic interception/classification is applied to logical ports on ESXi
• Protected workloads can be VMs
• Service instances can only be deployed on ESXi Transport Nodes managed by vCenter
• Service instances can be deployed on each local compute node in a compute cluster, or in a dedicated "service cluster"
East-West Service Insertion with NSX-T: Supported Deployment Options
Central / Cluster-based
• Chosen number of service instances deployed on hosts in a specified cluster
• Cluster can be dedicated to hosting service instances or co-located with guest workloads
Local / Host-based
• 1 service instance is deployed on every host in a compute cluster
• Similar to the NSX for vSphere SI deployment option
If both a Local and a Central service instance are available, Local is the preferred path.
East-West Service Insertion with NSX-T: Service Plane
• Service plane is parallel to the regular network plane
• Traffic can be directed away from the regular network stack into the service plane by the SI Classifier
• Traffic is returned to the original source after being processed
• Service plane traffic is source-routed along a pre-defined service path
• NSH (RFC 8300) is used to carry traffic and metadata through the service plane
• NSH metadata is carried inside a Geneve (GNV) option TLV to cross hypervisors
[Diagram: Compute Node 1 (VM 1, VM 2) and Compute Node 2 (VM 3, VM 4) on Workload Segments with SI Classifier and local circuit; Service Node with NGFW, IPS and NETMON behind Service Proxies on the Service Plane Segment; Service Chain 1 = NGFW → IPS → NETMON.]
East-West Service Insertion with NSX-T: Service Classifier / Service Function Forwarder
• Sits at the vNIC of a VM
• Intercepts traffic after it has been allowed by the DFW filter
• Traffic is classified in a stateful manner against user-configured redirection rules
• Redirection rules are L4-based and can leverage NSX Groups
• Provides the metadata that specifies which path the traffic must take and which actions must be performed
[Diagram: on the ESXi Transport Node, the guest VM's traffic passes the DFW, then the SI Classifier, then enters the Service Plane.]
East-West Service Insertion: Service Profiles, Service Instances, Chains and Paths
Service Profiles: NGFW (FTNT), IPS, NETMON, NGFW (CHKP), SECMON
Service Instances: FTNT Inst 1-3, IPS Inst 1-2, NetMon Inst 1, CHKP Inst 1-3, SECMON Inst 1-3
Service Chains:
• Service Chain 1: NGFW (FTNT) → IPS → NETMON
• Service Chain 2: NGFW (CHKP) → SECMON
Service Paths: the concrete instance sequences for a chain, one instance per profile (e.g. FTNT Inst 1 → IPS Inst 1 → NetMon Inst 1 for Service Chain 1)
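The service plane and chain/path model from the "Service Plane", "Supported Deployment Options" and "Service Profiles, Service Instances, Chains and Paths" slides, as one added Python example: it expands a service chain into a service path (one instance per profile, local instance preferred over central, flow hash spread across central instances), encodes the path in an RFC 8300 NSH MD Type 1 header, and walks the path by decrementing the Service Index at each hop. This is not NSX-T code or its wire format in detail; the profile, instance and host names, the SPI values and the "SI reaches 0 = chain complete" convention are this example's assumptions.

```python
"""Added example, not NSX-T code: East-West service chains, service paths
and the RFC 8300 NSH header, modelled on the slides. A chain is an ordered
list of service profiles, a path is one concrete instance per profile, and
the classifier source-routes a flow by placing the path's Service Path
Identifier (SPI) and a Service Index (SI) in the NSH header; every hop
decrements SI. A local (same-host) instance is preferred over a central one.
Profile, instance and host names and SPI values are constructed; "SI reaches
0 = chain complete, return to origin" is this model's convention.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NP_ETHERNET = 0x3        # RFC 8300 Next Protocol value for Ethernet
MD_TYPE_1 = 0x1          # fixed 16-byte context
NSH_MD1_LEN_WORDS = 6    # base + service path + 4 context words, in 32-bit words


@dataclass(frozen=True)
class Instance:
    name: str
    profile: str
    host: Optional[str]  # ESXi host of a local instance; None for a central (cluster) instance


def build_path(chain: List[str], instances: List[Instance],
               local_host: str, flow_hash: int) -> List[Instance]:
    """One instance per profile in chain order: a local instance on local_host
    wins, otherwise the flow hash spreads flows across the central instances."""
    path = []
    for profile in chain:
        cands = [i for i in instances if i.profile == profile]
        if not cands:
            raise ValueError(f"no service instance for profile {profile}")
        local = [i for i in cands if i.host == local_host]
        pool = local or [i for i in cands if i.host is None] or cands
        path.append(pool[flow_hash % len(pool)])
    return path


def encode_nsh(spi: int, si: int, ttl: int = 63, context: bytes = bytes(16),
               next_proto: int = NP_ETHERNET) -> bytes:
    """NSH MD Type 1: Ver=0 | O=0 | U | TTL(6) | Length(6) | U(4) | MD Type(4) |
    Next Protocol(8), then SPI(24) | SI(8), then 16 context bytes."""
    if not (0 <= spi < 1 << 24 and 0 <= si < 256 and 0 <= ttl < 64 and len(context) == 16):
        raise ValueError("NSH field out of range")
    word0 = (ttl << 22) | (NSH_MD1_LEN_WORDS << 16) | (MD_TYPE_1 << 8) | next_proto
    word1 = (spi << 8) | si
    return struct.pack("!II", word0, word1) + context


def decode_nsh(buf: bytes) -> Dict[str, int]:
    """Parse base and service path headers; reject short buffers and bad versions."""
    if len(buf) < 8:
        raise ValueError("truncated NSH header")
    word0, word1 = struct.unpack("!II", buf[:8])
    if word0 >> 30 != 0:
        raise ValueError("unsupported NSH version")
    length = (word0 >> 16) & 0x3F
    if len(buf) < 4 * length:
        raise ValueError("NSH Length exceeds buffer")
    return {"ttl": (word0 >> 22) & 0x3F, "length": length,
            "md_type": (word0 >> 8) & 0xF, "next_proto": word0 & 0xFF,
            "spi": word1 >> 8, "si": word1 & 0xFF}


def walk_path(spi: int, path: List[Instance]) -> List[str]:
    """Simulate the service plane: the classifier sets SI = len(path); each
    service proxy delivers to its instance and decrements SI and TTL; SI == 0
    ends the chain. Returns instance names in visit order."""
    hdr = encode_nsh(spi, si=len(path))
    visited: List[str] = []
    while True:
        f = decode_nsh(hdr)
        if f["si"] == 0:
            return visited
        if f["ttl"] == 0:
            raise RuntimeError("NSH TTL exhausted: loop in service path")
        visited.append(path[len(path) - f["si"]].name)
        hdr = encode_nsh(f["spi"], f["si"] - 1, ttl=f["ttl"] - 1, context=hdr[8:24])


def demo() -> Tuple[List[str], List[str]]:
    """Constructed inventory: NGFW local on each host, IPS and NETMON central."""
    inv = [Instance("ftnt-inst-1", "NGFW", "esx-01"), Instance("ftnt-inst-2", "NGFW", "esx-02"),
           Instance("ips-inst-1", "IPS", None), Instance("ips-inst-2", "IPS", None),
           Instance("netmon-inst-1", "NETMON", None)]
    chain = ["NGFW", "IPS", "NETMON"]  # Service Chain 1 from the slide
    path_a = build_path(chain, inv, local_host="esx-01", flow_hash=7)
    path_b = build_path(chain, inv, local_host="esx-02", flow_hash=8)
    return walk_path(0x100, path_a), walk_path(0x101, path_b)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing: the same chain yields different paths on different hosts because the local NGFW instance wins, while the central IPS instances are chosen by flow hash, which is the load balancing across service instances the deck lists; and the TTL check in the walk is the RFC 8300 guard against a mis-programmed path that loops, since (SPI, SI) alone carries no loop protection.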
East-West Service Insertion with NSX-T: Demo
[Topology: Tier-0 Gateway and Tier-1 Gateway; Web Tier Segment (MRS-WEB-1, MRS-WEB-2, HRM-WEB-1, HRM-WEB-2), App Tier Segment (MRS-APP-1, HRM-APP-1), DB Tier Segment (MRS-DB-1, HRM-DB-1), Shared Services Segment (AD, DNS, NTP). Workloads are grouped as Restricted and Private.]
Redirection in the demo:
• Restricted → IPS, NETMON
• Private → IPS