Date posted: 07-Jul-2018 | Category: Documents | Uploaded by: kinankazuki104
8/18/2019 VMWorld 2014 - Advanced Network Services With NSX (2)
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1. What Network & Security services are used by (all crazy) applications
2. What exactly are the NSX services TODAY:
   – Firewalling/Security services
   – Load Balancing services
   – VPN services
3. Service enhancements with NSX 3rd party vendors
Network & Security Services Are Used by (All Crazy) Applications
• Switching / DHCP server-or-relay / DNS
• Routing / NAT
• Firewalling
• Load Balancing
• L2 and L3 VPN
NSX offers all those Network & Security services with central configuration and automation.
Let's focus here on Firewalling, Load Balancing, and VPN.
[Diagram: three-tier application, Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), each tier with a .1 gateway; Router / Firewall / Inline Load Balancer, One-Arm LB, Dynamic Routing. "THAT'S IT!!!!"]
Firewalling/Security – Configuration (1/4)
• Firewalling is configured centrally AND distributed to all ESXi hosts, on their VM NICs
[Diagram: Web LS 10.0.1.0/24 (VM1, VM2 at .11 and .12) and App LS 10.0.2.0/24 (VM1, VM2 at .11 and .12) behind 192.168.10.0/…, each logical switch with a .1 gateway; example rule "Web to App TCP/8443", with a STOP marker on the traffic the firewall blocks]
Pros:
• FW is distributed between all ESXi hosts: amazing firewalling scale!
• Offers security even within the same IP subnet / logical switch
Firewalling/Security – Configuration (2/4)
• L2 MAC addresses and L3 IP addresses can be used
• In addition, any vCenter object name can be used
[Diagram: vSphere Distributed Switch carrying Web-LS1 – 10.0.1.0/24 and App-LS1 – 10.0.2.0/24 (VM1, VM2 on each); hosts 192.168.150.51, 192.168.150.52, 192.168.250.51]
Pros:
• Ease-of-use
Firewalling/Security – Configuration (3/4)
• Port numbers can be used
• In addition, protocol names can be used
Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC
[Diagram: same vSphere Distributed Switch topology as the previous slide, Web-LS1 – 10.0.1.0/24 and App-LS1 – 10.0.2.0/24 (VM1, VM2 on each); hosts 192.168.150.51, 192.168.150.52, 192.168.250.51]
Pros:
• Ease-of-use
Firewalling/Security – Configuration (4/4)
Dynamic firewalling (Service Composer)
Security Groups – WHAT you want to protect: Members (VM, vNIC…) and Context (user identity, security posture)
Security Policies – HOW you want to protect: Services and Profiles specific to each service, APPLIED to the Security Groups
Pros:
• Agility
• Service Compliance
Firewalling/Security – Performance (1/2)
• Performance Lab Test
– Two Hypervisors with two VMs each
– Two 10G Physical NICs per server
– VM1 talks to VM3 & VM2 talks to VM4
[Diagram: Test Setup – VM1, VM2, VM3, VM4 across the two hosts, 10G interfaces on each host]
Firewalling/Security – Performance (2/2)
• Results
20 Gbps per host of firewall performance with negligible CPU impact
[Chart: Throughput Measurement]
Firewalling/Security – Demo
Dynamic firewalling
• Compliance Demo
[Diagram: three-tier application, Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), each tier with a .1 gateway; security group "Servers Linux" (linux-01, linux-02) has access to the Linux update servers and security group "Servers Windows" (win-01, win-02) has access to the Windows update servers; a new VM linux-03 joins "Servers Linux": new Linux servers are automatically granted access]
Firewalling/Security – more information
There is a dedicated session on DFW:
"SEC1746 – NSX DFW deep dive"
Load Balancing – Configuration (1/3)
Both One-Arm and Inline modes are supported
Pros:
• Flexibility
[Diagram: One-Arm LB and Inline LB topologies over Web-Tier-01 10.0.1.0/24 (web-01, web-02) and App-Tier-01 10.0.2.0/24 (app-01, app-02), each tier with a .1 gateway]
Load Balancing – Configuration (2/3)
Services (1/2):
Protocols: TCP / UDP, FTP, HTTP, HTTPS (SSL-Passthrough), HTTPS (SSL Offload)
LB methods (how end-users' connections are split across back-end servers): Round Robin, Source IP hash, Least Connection, URI/HTTP header/URL
Health Checks (the load balancer checks the application health of each back-end server): TCP/UDP/ICMP, HTTP (GET, OPTION, POST), HTTPS (GET, OPTION, POST)
Persistence (all connections from the same end-user go to the same back-end server): TCP: SourceIP, MSRDP; HTTP: SourceIP, Cookie; HTTPS: SourceIP, Cookie, ssl_session_id
Load Balancing – Configuration (3/3)
Services (2/2):
Connection throttling (limit the connections to the VIP / to the back-end servers): Client side: max concurrent connections, max new connections/sec; Server side: max concurrent connections
High Availability: Yes
Monitoring: view VIP/Pool/Servers objects; view VIP/Pool/Servers stats; global stats, VIP sessions
L7 manipulation (the load balancer modifies the end-users' requests and/or the back-end servers' responses): HTTP/HTTPS request/response headers (for instance: URL block, URL rewrite, header rewrite)
Load Balancing - Performance
Per Logical Load Balancer:
                   L4          L7 - HTTP    L7 - HTTPS
Throughput         9.23 Gbps   6.59 Gbps    2.07 Gbps
# conc. sessions   1M          60k          60k
# sessions/sec     131k cps    45k cps      607 cps
Reqs/sec           n/a         82.3k rps    35.0k rps
Load Balancing – Demo (1/2)
Demo1:
• VIP SSL off-load
[Diagram: three-tier application (Web-Tier-01 10.0.1.0/24 with web-01, web-02; App-Tier-01 10.0.2.0/24 with app-01, app-02; DB-Tier-01 10.0.3.0/24 with db-01); HTTPS from the clients to the VIP, HTTP from the load balancer to the web servers]
Load Balancing – Demo (2/2)
• Demo2:
– Single VIP redirecting traffic to a specific pool based on host
[Diagram: three-tier application (Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 with app-01, app-02, DB-Tier-01 10.0.3.0/24 with db-01); app1.acme.com, app2.acme.com and app3.acme.com all resolve to VIP1, which dispatches by host name to Pool1 (web-01, web-02), Pool2 (web-03, web-04) or Pool3 (web-05, web-06)]
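Demo 2 and the services table come down to two per-request decisions: pick the pool from the client-supplied Host header, then pick a back-end with the configured LB method while honouring SourceIP persistence. The following Python model is an added example, not NSX code; the host names, pools and server names are those on the slide, while the pool-to-host pairing, the round-robin start point and the use of a SHA-256 hash for Source IP hash are assumptions.

```python
import hashlib
import itertools

# Constructed from the Demo 2 slide: one VIP, three host names, three pools.
POOLS = {
    "app1.acme.com": ["web-01", "web-02"],
    "app2.acme.com": ["web-03", "web-04"],
    "app3.acme.com": ["web-05", "web-06"],
}

def parse_host(request: bytes) -> str:
    """Return the Host header of a raw HTTP/1.1 request, lower-cased, port stripped."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    raise ValueError("request has no Host header")

class VirtualServer:
    """One VIP: Host-based pool selection, an LB method, and SourceIP persistence."""
    def __init__(self, pools, method="roundrobin"):
        self.pools = pools
        self.method = method
        self._rr = {host: itertools.cycle(servers) for host, servers in pools.items()}
        self._persist = {}                            # (host, client_ip) -> server

    def pick(self, request: bytes, client_ip: str) -> str:
        host = parse_host(request)
        pool = self.pools.get(host)
        if pool is None:
            # The Host header is client-controlled; never fall back to a default pool.
            raise LookupError(f"no pool for host {host!r}")
        key = (host, client_ip)
        if key in self._persist:                      # persistence wins over the method
            return self._persist[key]
        if self.method == "sourceip":
            digest = hashlib.sha256(client_ip.encode()).digest()
            server = pool[int.from_bytes(digest[:4], "big") % len(pool)]
        elif self.method == "roundrobin":
            server = next(self._rr[host])
        else:
            raise ValueError(f"unsupported method {self.method!r}")
        self._persist[key] = server
        return server

def http_get(host: str) -> bytes:
    """Constructed sample request carrying the given Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
```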
Load Balancing – more information
There is a specific session on LB:
"NET1588 - Load Balancer as a Service using NSX or Partner Solutions"
Logical VPN – User and Site-to-Site
Features
• Interoperable IPsec tested with …
• Clients on all major OS (Win, Ap…)
• Remote Authentication via Active Directory, SecurID, LDAP, Radius
• TCP Acceleration
• Encryption – 3DES, AES128, AES256
• AES-NI H/W Offload
• NAT & Perimeter Firewall Traversal
Scale and Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant
Use Cases
• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management
[Diagram: sites and remote users connected over Internet/WAN]
Logical VPN – Layer 2
Features
• SSL-based
• Web-proxy Support
• L2 Extension to Cloud
• Broadcast support
• Extend multiple L2 Segments with L2 VPN appliances
Scale & Performance
• High Performance – AES-NI acceleration
• 2+ Gb/s throughput per tenant
Use Cases
• Cloud On-boarding
• Cloud Bursting
[Diagram: VMs on VLAN/VXLAN segments in the data center extended over Internet/WAN to VLAN/VXLAN segments in a Public Cloud]
Security Partner Integrations
NSX is the platform for integrating advanced security services.
Next-generation IPS:
• Granular protection of individual VM workloads with customizable policy definitions
• Automation of advanced malware interception
• Unified management for physical and virtual sensors
Malware Protection:
• Data Center security anti-malware and guest threat protection
• Real-time, dynamic threat response for workloads, hosts and virtual data centers
Vulnerability Management:
• Automatic vulnerability risk assessment
• Data Center wide real-time risk visibility
• Auto segmentation of risky assets
• Vulnerability prioritization for effective remediation
Malware Protection – a single virtual appliance provides agentless:
• Anti-malware with UR…
• Vulnerability and softw…
• Detection of file changes
• Intrusion Detection & …
Next-Generation Firewall:
• Multiple threat prevention disciplines including firewall, IPS, and antimalware
• Safe application enablement with continuous content inspection for all threats
• Granular user-based controls for apps, content, users, …
Load Balancer/ADC Partner integrations
NSX is the platform for Application Delivery Controller services.
Application Delivery Controller – F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance and availability of servers, data storage devices, and other network resources.
Application Delivery – Radware is a provider of integrated application delivery, load balancing and application security solutions for virtual data centers.
Application Delivery Controller – Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.
Operations Partner Integrations
NSX is the platform for Operation services.
Network Operations – Riverbed provides comprehensive monitoring and troubleshooting capabilities across physical and virtual data center networks based on NSX and Riverbed® SteelCentral™ NetProfiler.
Network Operations – EMC Service Assurance Suite and VMware NSX break through network barriers and achieve the provisioning speed, operational … and management visibility promised by network virtualization.
Network Operations – Gigamon and VMware are extending their partnership to provide pervasive and intelligent visibility into the physical and virtual networks by integrating the Gigamon Visibility Fabric with the VMware NSX™ platform.
Demo with Symantec: Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated N…}
Security Group = Desktop VMs
Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84
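The compliance demo in the firewalling section (new Linux servers automatically granted access to their update servers) and the Symantec quarantine demo above rest on the same Service Composer mechanism: group membership is a predicate re-evaluated on every inventory or tag change, and the firewall rules reference the groups, never individual VMs. The following Python model is an added example, not NSX code; the group names and the ANTI_VIRUS.VirusFound tag come from the slides, while the rule order, the service ports and the "update servers" destination names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    os: str                                   # vCenter guest OS family, "Linux" or "Windows"
    tags: set = field(default_factory=set)    # security tags written by partner services

# Security Groups = WHAT to protect.  Membership is a predicate, not a static
# list, so a new VM or a new tag changes membership without touching any rule.
GROUPS = {
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "Servers Linux":   lambda vm: vm.os == "Linux",
    "Servers Windows": lambda vm: vm.os == "Windows",
}

# Security Policies = HOW to protect, matched top-down as (source group,
# destination, service, action).  Destination names and ports are assumptions;
# the quarantine block deliberately sits above every allow rule.
RULES = [
    ("Quarantine Zone", "any",                    "any",     "block"),
    ("Servers Linux",   "Linux update servers",   "TCP/80",  "allow"),
    ("Servers Windows", "Windows update servers", "TCP/443", "allow"),
]

def members(group, vms):
    """Current members of a group, recomputed from the inventory on each call."""
    return {vm.name for vm in vms if GROUPS[group](vm)}

def decide(src, dst, service, vms):
    """Action for a flow from VM `src`; default-deny when no rule matches."""
    for group, rule_dst, rule_svc, action in RULES:
        if (src in members(group, vms)
                and rule_dst in ("any", dst)
                and rule_svc in ("any", service)):
            return action
    return "block"

def demo():
    """Replays both demos and returns the decision taken at each step."""
    vms = [VM("linux-01", "Linux"), VM("linux-02", "Linux"),
           VM("win-01", "Windows"), VM("win-02", "Windows")]
    steps = []
    vms.append(VM("linux-03", "Linux"))                     # new Linux server appears
    steps.append(decide("linux-03", "Linux update servers", "TCP/80", vms))
    vms[2].tags.add("ANTI_VIRUS.VirusFound")                # AV tags win-01 as infected
    steps.append(decide("win-01", "Windows update servers", "TCP/443", vms))
    vms[2].tags.discard("ANTI_VIRUS.VirusFound")            # remediated, tag cleared
    steps.append(decide("win-01", "Windows update servers", "TCP/443", vms))
    return steps                                            # ['allow', 'block', 'allow']
```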
How to test?
• Hands on lab available:
http://labs.hol.vmware.com/HOL/catalogs/
Key takeaways
NSX offers all the Network and Security services most crazy applications require.
Firewalling / Load Balancing / VPN services are offered natively with unique benefits:
• in security, with micro-segmentation
• in scale, with distribution of services
• in ease-of-use
• and automation capabilities
And NSX services can be enhanced with 3rd party vendors.