VMware NSX Distributed Firewall

Video Statistics and Information

Captions
Hi, my name is Julie Star, security specialist with VMware. Today I wanted to talk about the NSX distributed firewall. What makes the distributed firewall on NSX so powerful is where it's located. I talked previously about the unique capabilities with NSX and opening up that virtualized environment, where we had the OS and the network capabilities opened up in the virtualized environment. Now one of the key features that you get with NSX is the ability to do firewalling throughout all of your virtual machines; we call that the distributed firewall.

Now what's a little bit different is where it's enforcing. We've now given you a new enforcement point. Before, we had network enforcement points, we had firewalls, or maybe in your operating system. With a distributed firewall, what we've done is we've said, hey, if I have a VM, I've got a virtual NIC, and let's say I have a vSphere distributed switch. Now traditionally, in the operating system my enforcement point would be in the virtual machine, in that server operating system itself. With a network firewall I would have to have traffic that's somehow traversing on switches and routers. So what's a little bit different with the vSphere distributed switch is I'm saying, hey, as those packets leave that server and go through that virtual NIC, before they hit the vSphere distributed switch, that's where I'm going to grab those and I'm going to execute policy. So if I understand that I've got a web server, and I want to allow traffic into that web server but not a lot else, I can enforce that ingress and egress at that virtual NIC level.

So now that opens up a lot of interesting possibilities. For example, what if I have a DMZ? Now traditionally on DMZs, that's been a lot of servers on the same layer 2 network. They might have all been hanging off of the same leg of your firewall, and so what that's meant is that you had a large blast area. The idea with the DMZ was that anything on the demilitarized zone, well, if it got compromised, that's where the damage was going to be contained. It wasn't really a good way to have the servers on your DMZ stop them from attacking each other. So what we can do with the ability to have that policy enforcement at that vNIC level is we can actually have policy enforced in between VMs, so that as packets try to go from one VM to another, policy is enforced on egress as it leaves one server before it hits the VDS; it only gets to go on the vSphere distributed switch if policy allows it. But then also on the target: let's say your FTP server was trying to send a packet to your web server. Well, you know, it would have to not only be allowed from your FTP server but also to your web server going in. So we've got those two enforcement points: on egress leaving one of your servers on the DMZ, and then on egress going in. So that's something that you just haven't had the ability to do. Now the nice thing here is that you've got this great, you know, control; you've got amazing granular capabilities for enforcing policy.

So one of the first questions you might ask is, how is this magic possible? How can you enforce that, and how good is that firewall? Well, first off, it's a stateful inspection firewall, and it's ingress and egress. Now it's not the same as your network firewalls; it doesn't do everything that your network border firewalls do, because again, the special thing about the NSX distributed firewall is that it's where no other firewall has ever been able to sit, right? If you think about it, you've got that virtualized environment, and where does the distributed firewall sit? It's in kernel. So what I always like to say about sitting in kernel: it's lean, it's mean. You don't want to do anything and everything, because performance is a big issue. So what we've done is we've kind of taken the best of both worlds: we're able to do stateful inspection firewalling in the kernel, and we're able to give you great performance.

And why would you care so much about performance? We're dealing with firewalls. What do all firewalls do when they're pushed to the max, when their resources are fully utilized? All firewalls do the same thing, and it's not necessarily fun: what they do is they drop packets. So what you don't want is to get into sizing exercises: well, hmm, you know, if I turn on all of these security controls, how much am I giving up? Well, the nice thing is that with the NSX distributed firewall you're talking about 15 plus, depending on your hardware, over 15 gig per host potentially of distributed firewall performance with minimal overhead for that. So you're able to just kind of put to bed any question of, hey, am I maxing out my resources? Because you've got a very powerful firewall with a tremendous amount of performance on there. And also, yeah, the reason the packets are dropped if it's failed is it's a fail-closed policy. Again, that's different than something like an IPS; your intrusion prevention systems, those are designed so that they typically fail open when they get overrun. So again, we've got this ability to go very granular, right to the vNIC level, something you've never really had before. We're able to do this by being in kernel. Again, no one else is really; you have to be in the virtualized environment to really get that hook in at the kernel level, and that again is what helps us with the performance. So with all of those, those are some of the things that make the distributed firewall in NSX in your vSphere environment special, unique, and just control that you've never had before.
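As an added example (not from the video or VMware's own code), a small Python model of the two-enforcement-point behaviour the talk describes: a packet from one VM to another must pass the sender's vNIC egress rules and then the receiver's vNIC ingress rules, replies of established flows pass statefully, and a packet matching no rule is dropped (fail closed). The VM names, ports and rules are constructed for the DMZ scenario.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str    # sending VM
    dst: str    # receiving VM
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (ingress to this vNIC) or "out" (egress from it)
    peer: str             # remote VM name, or "any"
    dport: Optional[int]  # destination port, None = any port
    allow: bool

class DistributedFirewall:
    """Each VM's vNIC carries its own ruleset; first match wins, no match = deny."""
    def __init__(self, policies: Dict[str, List[Rule]]) -> None:
        self.policies = policies
        self.state: Set[Tuple[str, str, int, int]] = set()  # established flows

    def _vnic_allows(self, vm: str, direction: str, peer: str, dport: int) -> bool:
        for r in self.policies.get(vm, []):
            if r.direction == direction and r.peer in ("any", peer) and r.dport in (None, dport):
                return r.allow
        return False                      # fail closed: unmatched traffic is dropped

    def permit(self, p: Packet) -> bool:
        if (p.dst, p.src, p.dport, p.sport) in self.state:
            return True                   # stateful: reply of an established flow
        if not self._vnic_allows(p.src, "out", p.dst, p.dport):
            return False                  # enforcement point 1: sender's vNIC egress
        if not self._vnic_allows(p.dst, "in", p.src, p.dport):
            return False                  # enforcement point 2: receiver's vNIC ingress
        self.state.add((p.src, p.dst, p.sport, p.dport))
        return True

# Constructed DMZ policy: web only accepts 443, ftp may only talk to web on 80,
# client may open 443 and 21 to anything. Everything else is implicitly denied.
DMZ = DistributedFirewall({
    "web": [Rule("in", "any", 443, True)],
    "ftp": [Rule("in", "any", 21, True), Rule("out", "web", 80, True)],
    "client": [Rule("out", "any", 443, True), Rule("out", "any", 21, True)],
})

def demo() -> Dict[str, bool]:
    return {
        "client->web:443": DMZ.permit(Packet("client", "web", 50000, 443)),
        "web->client reply": DMZ.permit(Packet("web", "client", 443, 50000)),
        "ftp->web:80": DMZ.permit(Packet("ftp", "web", 40000, 80)),    # egress ok, ingress denied
        "ftp->web:443": DMZ.permit(Packet("ftp", "web", 40001, 443)),  # denied at ftp egress
        "web->client unsolicited": DMZ.permit(Packet("web", "client", 443, 50001)),
    }
```

Note that the ftp-to-web packet on port 80 leaves the FTP server's vNIC but is still dropped at the web server's vNIC, which is the second enforcement point the talk describes.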
Info
Channel: VMware NSX
Views: 22,332
Rating: 4.884058 out of 5
Keywords: cloud storage, virtual machine, virtualization, vmware, vmware nsx, data center, cloud hosting, cloud computing, nsx, sddc, sdn
Id: O-2LkqzBYdE
Channel Id: undefined
Length: 6min 40sec (400 seconds)
Published: Tue Jun 28 2016