- Most attacks do not stop at the perimeter: these notes put the share of threats that originate inside the network at 70%. That east-west traffic is what micro-segmentation protects.
- In a traditional data center, security sat only at the edge, inspecting incoming (north-south) traffic.
- Now you need security inside the network. If two VMs sit in the same cluster, each one needs its own policy, enforced at the point where that VM attaches to the network.
- We need a firewall within the network, not only between networks: a context-based firewall that knows which VM, vNIC or user the traffic belongs to.
- A data center contains many networks; traffic between and inside them needs protection too.
- Doing this with physical firewalls means a very large number of appliances.
- Without NSX, a firewall has to be inserted at every layer.
- Traffic goes to the core firewall, which forwards it according to its rules. Without a distributed firewall this is the only way to inspect it, so even traffic between a source and destination on the same network is hairpinned through the core. That is the first challenge.
- Cloud example: one host carries VMs belonging to several tenants. How do you enforce separation between them? Traffic between two VMs on the same host never leaves the host, so a physical firewall cannot see it. That is the second challenge.
- Where should the firewall sit? On the physical host or inside the VM?
- On a physical appliance it costs extra hops; inside each VM it consumes guest resources and depends on an agent that anyone with administrative rights in the guest can disable.
- The right place is the hypervisor: the firewall runs in the kernel of each ESXi host, so no firewall needs to be installed in any VM.
- A single centralized console (NSX Manager, through the vSphere Web Client) is where you define the rules for every VM.
The DFW is a per-vNIC firewall. A VM with two vNICs gets an independent set of rules enforced on each vNIC.
The rules are enforced whether the VMs are on the same host or on different hosts, because enforcement happens at the vNIC and not at a choke point in the network.
dvFilters
- The DFW sits in the vSphere dvFilter (IOChain) framework, which has 16 slots per vNIC.
- 8 of them are reserved by VMware: slots 0-3 and 12-15. In NSX-v, slot 0 holds the generic dvFilter, slot 1 sw-sec (switch security, which learns the VM's IP and MAC from DHCP and ARP and feeds SpoofGuard) and slot 2 vmware-sfw, the DFW itself.
- The other 8, slots 4-11, are open for you: they are the service insertion points where third-party products integrated with NSX are plugged into the packet path.
- Check it on an ESXi host with `summarize-dvfilter`, which lists every vNIC with the filter attached in each slot (for example a "vNic slot 2" entry whose agentName is vmware-sfw).
No hairpinning
- Traffic between two VMs is inspected at their vNICs and never detoured through a central firewall, even when both VMs are on the same host.
Consistent configuration
- Rules are bound to the vNIC, not to the host, so when a VM is vMotioned its rules and its connection state move with it.
- Rules are created in NSX Manager (the Firewall tab of the vSphere Web Client, or the NSX REST API).
- NSX Manager pushes them to the ESXi hosts over its message bus: AMQP (RabbitMQ) on TCP port 5671.
- NSX Manager talks to each ESXi host directly; no controller sits in the path for DFW rules.
- On the host the message bus client is vsfwd (vShield Firewall Daemon), a user-space process. This is the service NSX Manager delivers the rules to.
- vsfwd receives the rules, resolves objects such as security groups, IP sets and vNIC membership for that host, and programs the result into the kernel.
- The rules land in vsip (VMware Internetworking Service Insertion Platform), the kernel module that actually inspects packets at the vNIC.
- vsip keeps two tables per vNIC filter:
- Rule table: the ordered rules that apply to this vNIC. First match wins, and only the first packet of a new flow is looked up here.
- Connection tracker table: one entry per active flow. Once the first packet is allowed, the remaining packets of that flow, including the return traffic, match the connection tracker and skip the rule table. This is what makes the DFW stateful.
- Check on the host: `/etc/init.d/vShield-Stateful-Firewall status` shows whether vsfwd is running; `vsipioctl getrules -f <filter-name>` and `vsipioctl getflows -f <filter-name>` dump the rule table and the connection tracker of one vNIC filter (the filter name comes from `summarize-dvfilter`).
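The rule table and connection tracker described above, as an added example (toy Python model, not VMware code): the class and rule names, the `tcp_strict` knob and the sample traffic are assumptions made for illustration. It shows why only the first packet of a flow touches the rule table, why return traffic needs no rule of its own, and what happens to a mid-stream TCP packet that has no flow entry.

```python
"""Toy model of the NSX DFW data path: a per-vNIC rule table plus a
connection tracker table. Added example, not VMware code; the class and
rule names, tcp_strict and the sample traffic are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    vnic: str              # vNIC filter the packet passes through (enforcement point)
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn: bool = False      # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    rule_id: int           # lower id = higher in the rule table
    src: str               # IP or "any"
    dst: str
    proto: str             # protocol or "any"
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "drop"
    applied_to: frozenset  # vNICs this rule is pushed to; {"*"} = every vNIC

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class DistributedFirewall:
    def __init__(self, rules, tcp_strict=True):
        # rule table: ordered, first match wins (what vsfwd pushes into vsip)
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        # connection tracker: flow key -> action, populated only for allowed flows
        self.conntrack = {}
        # assumed knob: drop mid-stream TCP packets that have no flow entry
        self.tcp_strict = tcp_strict
        self.stats = {"rule_lookups": 0, "conntrack_hits": 0, "out_of_state_drops": 0}

    @staticmethod
    def _key(vnic, src, dst, proto, dport):
        return (vnic, src, dst, proto, dport)

    def process(self, p: Packet) -> str:
        key = self._key(p.vnic, p.src, p.dst, p.proto, p.dport)
        # 1. existing flow: the rule table is never consulted
        if key in self.conntrack:
            self.stats["conntrack_hits"] += 1
            return self.conntrack[key]
        # 2. a TCP packet that is not a SYN and has no flow is out of state
        if self.tcp_strict and p.proto == "tcp" and not p.syn:
            self.stats["out_of_state_drops"] += 1
            return "drop"
        # 3. first packet of a flow: walk the rules applied to this vNIC in order
        self.stats["rule_lookups"] += 1
        action = "drop"                       # implicit default deny
        for r in self.rules:
            if ("*" in r.applied_to or p.vnic in r.applied_to) and r.matches(p):
                action = r.action
                break
        # 4. allowed flows get a conntrack entry in both directions, so the
        #    return traffic passes without a rule of its own (stateful behaviour)
        if action == "allow":
            self.conntrack[key] = "allow"
            self.conntrack[self._key(p.vnic, p.dst, p.src, p.proto, p.dport)] = "allow"
        return action


def demo():
    """Constructed sample policy and traffic for a web VM and a DB VM."""
    rules = [
        Rule(1, "any", "10.0.0.10", "tcp", 443, "allow", frozenset({"web01-vnic0"})),
        Rule(2, "10.0.0.10", "10.0.0.20", "tcp", 3306, "allow", frozenset({"web01-vnic0", "db01-vnic0"})),
        Rule(1000, "any", "any", "any", None, "drop", frozenset({"*"})),  # explicit default deny
    ]
    fw = DistributedFirewall(rules)
    verdicts = [
        fw.process(Packet("web01-vnic0", "192.0.2.5", "10.0.0.10", "tcp", 443, syn=True)),  # rule 1
        fw.process(Packet("web01-vnic0", "192.0.2.5", "10.0.0.10", "tcp", 443)),            # conntrack hit
        fw.process(Packet("web01-vnic0", "10.0.0.10", "192.0.2.5", "tcp", 443)),            # reply, reverse flow
        fw.process(Packet("web01-vnic0", "192.0.2.5", "10.0.0.10", "tcp", 22, syn=True)),   # no rule: default deny
        fw.process(Packet("db01-vnic0", "192.0.2.5", "10.0.0.20", "tcp", 3306, syn=True)),  # rule 2 src mismatch
        fw.process(Packet("db01-vnic0", "192.0.2.5", "10.0.0.20", "tcp", 3306)),            # out of state
    ]
    return verdicts, fw.stats


if __name__ == "__main__":
    print(demo())
```

Note that the rule lookup is keyed on the vNIC, not on a host: moving `web01-vnic0` to another host changes nothing in `process`, which is the property the notes describe for vMotion. Running `demo()` gives the verdicts allow, allow, allow, drop, drop, drop with three rule lookups and two connection tracker hits.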
SpoofGuard
- You create a SpoofGuard policy for specific networks. It lets you authorize the IP addresses that VMware Tools reports for each VM and change them if necessary, so a guest that reassigns its own IP cannot impersonate another VM (or slip past IP-based firewall rules).
- SpoofGuard inherently trusts the MAC addresses of virtual machines, which it takes from the VMX files and the vSphere SDK rather than from the guest.
- It operates separately from the firewall rules: traffic whose source IP is not the approved address for that vNIC is blocked before the DFW rules are consulted. A policy can either trust an IP automatically on its first use or require manual approval of every assignment.
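The approval logic just described, as an added example (toy Python model, not VMware code): the class names, the two mode strings and the sample VMs are assumptions. The MAC is taken from the VM's configuration and never from the guest, the IP reported by VMware Tools only becomes usable once approved, and the check runs independently of any firewall rule.

```python
"""Toy SpoofGuard: per-vNIC approved IP addresses, with the MAC trusted from
the VMX and the IP learned from VMware Tools. Added example, not VMware code;
class names, the two mode strings and the sample VMs are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VnicIdentity:
    vnic: str
    mac: str                                           # trusted: read from the VMX / vSphere SDK
    reported_ips: set = field(default_factory=set)     # what VMware Tools reports from the guest
    approved_ips: set = field(default_factory=set)     # what the policy allows the vNIC to use


class SpoofGuard:
    # "auto": trust an IP on first use; "manual": every assignment needs approval
    def __init__(self, mode="manual"):
        if mode not in ("auto", "manual"):
            raise ValueError(mode)
        self.mode = mode
        self.vnics = {}

    def register(self, ident: VnicIdentity):
        self.vnics[ident.vnic] = ident
        for ip in list(ident.reported_ips):
            self.report(ident.vnic, ip)

    def report(self, vnic, ip):
        """VMware Tools reports an IP for the guest. Auto mode trusts the first
        address a vNIC ever reports; a later change still needs approval."""
        ident = self.vnics[vnic]
        ident.reported_ips.add(ip)
        if self.mode == "auto" and not ident.approved_ips:
            ident.approved_ips.add(ip)

    def approve(self, vnic, ip):
        """Administrator action: authorize (or correct) the address for a vNIC."""
        self.vnics[vnic].approved_ips.add(ip)

    def pending(self, vnic):
        """Reported but not yet approved addresses."""
        ident = self.vnics[vnic]
        return ident.reported_ips - ident.approved_ips

    def check_egress(self, vnic, src_mac, src_ip):
        """Run on frames leaving the vNIC, before any DFW rule is evaluated."""
        ident = self.vnics.get(vnic)
        if ident is None:
            return "drop"                        # unknown vNIC: nothing to trust
        if src_mac.lower() != ident.mac.lower():
            return "drop"                        # MAC does not match the VMX
        if src_ip not in ident.approved_ips:
            return "drop"                        # IP spoofed or still awaiting approval
        return "pass"                            # hand the frame on to the DFW


def demo():
    """Constructed sample: two VMs in manual mode, one of which misbehaves."""
    sg = SpoofGuard(mode="manual")
    sg.register(VnicIdentity("web01-vnic0", "00:50:56:aa:bb:01", {"10.0.0.10"}))
    sg.register(VnicIdentity("db01-vnic0", "00:50:56:aa:bb:02", {"10.0.0.20"}))
    sg.approve("web01-vnic0", "10.0.0.10")
    sg.approve("db01-vnic0", "10.0.0.20")
    results = [
        sg.check_egress("web01-vnic0", "00:50:56:aa:bb:01", "10.0.0.10"),  # pass
        sg.check_egress("web01-vnic0", "00:50:56:aa:bb:01", "10.0.0.20"),  # drop: using db01's IP
        sg.check_egress("web01-vnic0", "00:50:56:aa:bb:02", "10.0.0.10"),  # drop: MAC spoof
    ]
    # the guest legitimately renumbers; Tools reports it but manual mode waits for approval
    sg.report("web01-vnic0", "10.0.0.11")
    results.append(sg.check_egress("web01-vnic0", "00:50:56:aa:bb:01", "10.0.0.11"))  # drop: pending
    sg.approve("web01-vnic0", "10.0.0.11")
    results.append(sg.check_egress("web01-vnic0", "00:50:56:aa:bb:01", "10.0.0.11"))  # pass
    return results, sorted(sg.pending("web01-vnic0"))


if __name__ == "__main__":
    print(demo())
```

The fourth verdict is the operational caveat: in manual mode a guest that changes its address loses connectivity until an administrator approves the new IP, which is exactly the behaviour that stops an attacker inside a compromised guest from borrowing a neighbour's address.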
Service insertion
- Guest Introspection (at the guest/client end, agentless): antivirus and anti-malware scanning of the VM's files and processes, done by a partner service VM instead of an agent in each guest.
- Network Introspection (in the data path, through the open dvFilter slots): IDS and IPS from third-party vendors.
- Guest Introspection Services (GIS) and Network Introspection Services (NIS) are attached to security groups through Service Composer security policies, so a VM receives the service as soon as it becomes a member of the group.
Identity-based firewall
- The source of a firewall rule can be a user or a group of users from Active Directory instead of an IP address.
- To use it you need the Guest Introspection service VM, which reports which user is logged on inside each guest. (NSX-v can also learn logons by scraping the domain controller's security event log; these notes assume the Guest Introspection path.)
Partner service VMs
- Integrating a third-party solution needs one service VM per ESXi host, not one per VM: the service VM on a host serves every VM on that host.
- The service VM is deployed on every host in the cluster, so the number of service VMs equals the number of ESXi hosts in that cluster.
- Each service VM must be reachable from NSX Manager.
- The third-party service VM sits on the same network as that vendor's own management services, which it reports back to.