VMWORLD 2020 -- It can be a challenge to provide a zero-trust model to a data center as heterogeneous environments become more popular. VMware's NSX distributed firewall can provide security for VMs, containers and physical servers with the help of microsegmentation, which applies security rules to various objects, such as security tags, IP addresses, VMs, containers and logical switches.
In a session at VMworld 2020 called "Apply Consistent Security Across VMs, Containers and Physical Server with NSX-T," speaker Ganapathi Bhat, senior technical product manager at VMware, shared an in-depth look at the NSX distributed firewall and its ability to provide intrinsic security to VMs, containers and physical servers.
Understand categories for NSX distributed firewall rules
Prior to using the NSX distributed firewall, IT administrators must first understand the technology's predefined categories for firewall rules. These categories include:
- Ethernet category: Geared toward Layer 2 firewall rules.
- Emergency category: Often used to quarantine vulnerable or compromised hosts.
- Infrastructure category: Enables traffic to reach infrastructure services, such as Active Directory and DNS.
- Environment category: Admins can define zone firewalls between different zones, such as a production zone and a dev zone.
- Application category: This is where admins define application-to-application policies.
- Default policy: Automatically defaults to an allow-list or zero-trust policy.
When defining their security policies, admins should look out for the "Applied to" feature in NSX. By default, the NSX distributed firewall applies firewall rules to all of the VMs within a system, which causes unnecessary rule duplication in the data path. This can affect memory usage and performance significantly. The "Applied to" feature enables admins to apply security rules to specific objects, such as VMs, rather than applying those rules to every object.
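To make the category order and the "Applied to" effect concrete, here is an added example (not VMware's code and not how NSX is implemented internally) that models a small inventory of tagged VMs, three rules in the Emergency, Infrastructure and Application categories, and a deny-by-default policy. Rules are only instantiated on the vNICs their "Applied to" scope covers, each vNIC evaluates its rules in category order with first match winning, and a flow passes only if both the source and destination vNIC allow it. The VM names, tags, group names and rule names are hypothetical.

```python
"""Constructed model of NSX distributed firewall rule categories and "Applied to".

Example code, not NSX's own logic: rules are instantiated only on the vNICs
their "Applied to" scope covers, evaluated per vNIC in category order (first
match wins), and anything unmatched falls to the default policy.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Category order in which distributed firewall rules are evaluated
CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]


@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    src: str                      # group name or "ANY"
    dst: str                      # group name or "ANY"
    port: Optional[int]           # None = any destination port
    action: str                   # "ALLOW" or "DROP"
    applied_to: Tuple[str, ...] = ("ANY",)   # "Applied to" scope; ("ANY",) = every vNIC


# Constructed inventory. Each group is a dynamic group whose membership
# criterion is "VM carries this tag" (group names and tags are hypothetical).
GROUPS = {"web": "web", "db": "db", "dns": "dns", "quarantine": "quarantine"}
VMS = [
    VM("web1", frozenset({"web"})),
    VM("web2", frozenset({"web", "quarantine"})),   # compromised host tagged for quarantine
    VM("db1", frozenset({"db"})),
    VM("dns1", frozenset({"dns"})),
    VM("build1", frozenset({"ci"})),
]
RULES = [
    # Emergency: isolate quarantined hosts, enforced only on their own vNICs
    Rule("quarantine-all", "Emergency", "ANY", "ANY", None, "DROP", ("quarantine",)),
    # Infrastructure: everyone may reach DNS, so it is applied to all vNICs
    Rule("allow-dns", "Infrastructure", "ANY", "dns", 53, "ALLOW"),
    # Application: web tier to database, applied only to the vNICs involved
    Rule("web-to-db", "Application", "web", "db", 3306, "ALLOW", ("web", "db")),
]


def vm(name: str) -> VM:
    return next(v for v in VMS if v.name == name)


def in_group(machine: VM, group: str) -> bool:
    return group == "ANY" or GROUPS[group] in machine.tags


def rules_on_vnic(machine: VM, rules) -> list:
    """Rules the data path instantiates on this VM's vNIC, in evaluation order."""
    mine = [r for r in rules if any(in_group(machine, g) for g in r.applied_to)]
    return sorted(mine, key=lambda r: CATEGORY_ORDER.index(r.category))


def decide_at(vnic_vm: VM, src: VM, dst: VM, port: int, rules, default="DROP"):
    """First matching rule on one vNIC decides; otherwise the default policy."""
    for r in rules_on_vnic(vnic_vm, rules):
        if in_group(src, r.src) and in_group(dst, r.dst) and r.port in (None, port):
            return r.action, r.name
    return default, "default"


def evaluate(src: VM, dst: VM, port: int, rules=RULES, default="DROP"):
    """A flow passes only if both the source and the destination vNIC allow it."""
    verdict = (default, "default")
    for vnic_vm in (src, dst):
        verdict = decide_at(vnic_vm, src, dst, port, rules, default)
        if verdict[0] == "DROP":
            return verdict
    return verdict


def rule_instances(rules) -> int:
    """How many rule copies the data path holds across all vNICs."""
    return sum(len(rules_on_vnic(v, rules)) for v in VMS)


def unscoped(rules) -> list:
    """The same rules with 'Applied to' left at its default (all VMs)."""
    return [replace(r, applied_to=("ANY",)) for r in rules]


if __name__ == "__main__":
    print(evaluate(vm("web1"), vm("db1"), 3306))   # ('ALLOW', 'web-to-db')
    print(evaluate(vm("web2"), vm("db1"), 3306))   # ('DROP', 'quarantine-all')
    print(rule_instances(RULES), rule_instances(unscoped(RULES)))   # 9 15
```

The quarantined host web2 is blocked by the Emergency rule before the Application rule that would otherwise allow its database traffic is ever consulted, and scoping the three rules with "Applied to" drops the number of rule copies across five vNICs from 15 to 9; on a real estate with thousands of rules and VMs that difference is what the memory and performance remark above is about.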
Overview of the NSX distributed firewall
One of the main benefits of the NSX distributed firewall is its ability to provide intrinsic security to admins' systems.
"Intrinsic security unifies your administrative tools and also the security teams and IT teams to accelerate how to identify risks and also detect, prevent and respond to real-time threats," Bhat said in the session.
The NSX distributed firewall provides microsegmentation policies that are built into the hypervisor. It supports Layer 3 and 4 firewalling as well as Layer 7 application ID-based firewalling, and its distributed IDS/IPS is also built into the hypervisor to protect workloads from threats. Primarily, the NSX distributed firewall protects east-west traffic between VMs.
"With the distributed firewall, enforcing security can be moved from the edge of the network -- and from physical firewalls -- to an enforcement point at the network adapters of individual workloads. [This] protects from malicious traffic originating outside of the network, [and] protects machines against attacks from inside the network too," said Rob Bastiaansen, an independent trainer and consultant based in the Netherlands.
The NSX manager oversees the distributed firewall's security controls and offers an intent-based policy API for user interaction as well as a single-pane-of-glass approach. The NSX intelligence platform enables admins to monitor the current state of their data center's security and profile applications to provide application groups and replication policies based on the flows it observes over time.
Some NSX distributed firewall use cases include network segmentation, secure VDI, compliance and appliance consolidation. Network segmentation enables zone firewalling and removes the trade-offs required for traditional appliance-based zone firewalling. Network segmentation also creates zones in software without the need for network changes. Secure VDI halts lateral movement of malicious attackers by blocking vulnerabilities and prevents malware from spreading in VDI environments. It also uses Active Directory integration to define policy based on the user group. Compliance enables admins to meet requirements from PCI-DSS, HIPAA and SOX. Appliance consolidation consolidates physical appliances to simplify security and improve effectiveness.
How the NSX distributed firewall secures VMs
The NSX distributed firewall provides zero-trust security by enforcing microsegmentation at the virtual machine network interface card (vNIC) level within the hypervisor kernel, giving every VM its own firewall. In addition, the NSX distributed firewall can run on any network topology. As admins add compute hosts, the NSX distributed firewall adds firewall capacity to the data center along with them.
Before using the NSX distributed firewall, admins must install the NSX manager, which runs as a three-node cluster for high availability, redundancy and scale and contains both a management plane and a control plane. The management plane enables admins to configure security policies through a user interface or the policy API. Once admins configure the security policies, the management plane stores the configuration in a distributed database across all three nodes of the cluster. From there, the control plane exports the configuration, converts the object-based policy into IP-based rules and pushes them to the data path.
NSX security groups are one of the key features of the NSX distributed firewall. Security grouping provides admins with different options for grouping workloads, such as grouping based on the IP or IP subnet. Admins also have the option to dynamically group workloads based on a tag, such as a VM name or mission host name.
An NSX security tag is an essential component for the product's security capabilities. Admins can tag any object, though it's especially useful for tagging VMs, vNICs or segment ports. NSX supports 30 tags per object. As admins tag objects and define matching criteria, they can then group those objects and obtain their respective IP addresses and policies as needed.
Using the NSX distributed firewall for container security
The NSX distributed firewall ensures the security of containers by providing an independent firewall for each container. To achieve this, NSX uses its NSX Container Plug-in (NCP) together with a container orchestration tool, such as VMware Tanzu. NCP offers networking, firewalling, IP address management and a load balancer for any microservices using the plug-in.
Admins can define container policies in three ways: Kubernetes Network Policy, Kubernetes Label and Default Policy. Kubernetes Network Policy enables admins to take a Kubernetes construct and apply it to a namespace. NSX then takes the Kubernetes Network Policy and converts it to an NSX firewall policy that is applied to all of the containers the policy selects.
Kubernetes Label enables admins to configure a policy directly on the NSX distributed firewall using labels or tags. A Kubernetes label automatically converts to an NSX tag when admins spawn containers with labels. Admins can use those tags to group workloads and then define policies on the groups. Kubernetes Label is especially useful for admins who require dynamic policies: as they spin up more containers with the same label, NSX updates the current policies with the new containers, and the new containers receive any existing policies.
The Default Policy is a one-time configuration that enables either allow-any or deny-any for containers.
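To show what the three container policy options described above amount to in practice, here is an added example that renders a Kubernetes NetworkPolicy as an NSX-style distributed firewall policy: pod label selectors become tag-based dynamic groups (so later pods with the same labels join automatically), each ingress rule becomes an allow rule scoped to the selected pods, the isolation Kubernetes implies for selected pods becomes a trailing drop rule, and a separate one-time default policy carries the allow-any or deny-any choice. This is example code and not NCP's implementation; the tag convention, group ids, JSON field names (modelled on the NSX Policy API shape) and the sample NetworkPolicy are all assumptions.

```python
"""Constructed example of rendering a Kubernetes NetworkPolicy as an NSX-style
distributed firewall policy. Not NCP's code: tag convention, group ids and
the JSON shape (modelled on the NSX Policy API) are assumptions.
"""
import json

# Constructed input: web pods may reach db pods on 5432; all other inbound traffic is isolated.
NETPOL = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "db-allow-web", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}


def label_tag(namespace, key, value):
    """Hypothetical tag convention: one NSX tag per Kubernetes label, per namespace."""
    return f"k8s:{namespace}:{key}:{value}"


def group_id(namespace, match_labels):
    parts = "-".join(f"{k}-{v}" for k, v in sorted(match_labels.items()))
    return f"k8s-{namespace}-{parts}" if parts else f"k8s-{namespace}-all"


def group_path(gid):
    return f"/infra/domains/default/groups/{gid}"


def tag_group(namespace, match_labels):
    """Dynamic group: any port tagged with all label-derived tags is a member,
    so pods created later with the same labels inherit the policy automatically."""
    expression = []
    for k, v in sorted(match_labels.items()):
        if expression:  # AND the conditions together
            expression.append({"resource_type": "ConjunctionOperator",
                               "conjunction_operator": "AND"})
        expression.append({"resource_type": "Condition", "member_type": "SegmentPort",
                           "key": "Tag", "operator": "EQUALS",
                           "value": label_tag(namespace, k, v)})
    return {"resource_type": "Group", "id": group_id(namespace, match_labels),
            "expression": expression}


def translate(netpol):
    """Render one NetworkPolicy (podSelector peers only) as groups plus a security policy."""
    ns, name = netpol["metadata"]["namespace"], netpol["metadata"]["name"]
    spec = netpol["spec"]
    target = tag_group(ns, spec["podSelector"].get("matchLabels", {}))
    groups = {target["id"]: target}
    dst = [group_path(target["id"])]          # also used as the "Applied to" scope
    rules = []
    for i, ingress in enumerate(spec.get("ingress", [])):
        sources = []
        for peer in ingress.get("from", []):
            if "podSelector" in peer:         # namespaceSelector/ipBlock peers are out of scope here
                g = tag_group(ns, peer["podSelector"].get("matchLabels", {}))
                groups.setdefault(g["id"], g)
                sources.append(group_path(g["id"]))
        entries = [{"resource_type": "L4PortSetServiceEntry",
                    "l4_protocol": p.get("protocol", "TCP"),
                    "destination_ports": [str(p["port"])]}
                   for p in ingress.get("ports", [])]
        rule = {"resource_type": "Rule", "id": f"{name}-allow-{i}",
                "source_groups": sources or ["ANY"], "destination_groups": dst,
                "direction": "IN", "action": "ALLOW", "scope": dst}
        if entries:
            rule["service_entries"] = entries
        else:
            rule["services"] = ["ANY"]
        rules.append(rule)
    if "Ingress" in spec.get("policyTypes", ["Ingress"]):
        # Selected pods become isolated for ingress: deny whatever was not allowed above
        rules.append({"resource_type": "Rule", "id": f"{name}-isolate",
                      "source_groups": ["ANY"], "destination_groups": dst,
                      "services": ["ANY"], "direction": "IN", "action": "DROP",
                      "scope": dst})
    policy = {"resource_type": "SecurityPolicy", "id": f"k8s-{ns}-{name}",
              "category": "Application", "scope": dst, "rules": rules}
    return {"groups": list(groups.values()), "policy": policy}


def default_policy(mode):
    """The one-time container default described above: 'allow-any' or 'deny-any'."""
    action = {"allow-any": "ALLOW", "deny-any": "DROP"}[mode]
    return {"resource_type": "SecurityPolicy", "id": "k8s-default",
            "category": "Application", "sequence_number": 999999,  # placed last
            "rules": [{"resource_type": "Rule", "id": "default-any", "action": action,
                       "source_groups": ["ANY"], "destination_groups": ["ANY"],
                       "services": ["ANY"], "scope": ["ANY"]}]}


if __name__ == "__main__":
    print(json.dumps(translate(NETPOL), indent=2))
    print(json.dumps(default_policy("deny-any"), indent=2))
```

Because the groups are defined by tag conditions rather than by listing pods, a new db pod carrying the same `app: db` label is covered by both the allow rule and the isolation rule the moment it is tagged, which is the dynamic-policy behaviour the Kubernetes Label option relies on.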