
SEC5891

Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services
Shubha Bheemarao, VMware
Bruno Germain, VMware

#SEC5891

Objective
- Review DMZ design considerations
- Propose a new DMZ design that is secure, scalable and cloud ready
- Provide deployment guidance using NSX, highlighting the benefits applicable to the DMZ

Related Sessions
- NET5847 - NSX: Introducing the World to VMware NSX
- NET5266 - Bringing Network Virtualization to VMware environments with NSX
- SEC5893 - Changing the Economics of Firewall Services in the Software-Defined Data Center - VMware NSX Distributed Firewall

Agenda
1. Current DMZ design challenges and considerations
2. New DMZ Design
3. VMware NSX Components for the DMZ
4. Proposed DMZ Architecture
5. Conclusion

DMZ Design Often Relies On Physical Separation Of Trust Zones

DMZ Design:
1. Trust zones separated using separate hardware
2. Design is complex and inflexible

DMZ Application Deployment Is Slow (DMZ Challenge #1)

[Figure: a new application's path crosses devices owned by the Security Team, Network Team #1 and Network Team #2]

- New application deployment involves configuration at multiple zones
- Configuration spread across devices
- Configuration managed by multiple teams
- Cannot automate

Address using:
- Build a Software Defined Data Center
- Build focus teams for cloud architecture and operations

DMZ Design May Compromise Data Center Security (DMZ Challenge #2)

- Non-DMZ traffic often not fully secured
- Large firewall rule sets
- Networking or placement changes could break security
- Hard to manage

Address using:
- Tie configuration to application objects instead of networks
- Secure all application traffic, including East-West traffic

DMZ Design Cannot Scale (DMZ Challenge #3)

- Forces rip and replace to scale up
- Not cloud ready

Address using:
- Build a design suited to scale incrementally using distribution of services

You Need A Cloud Ready DMZ

Design Considerations:
1. Security
2. Manageability
3. Scale and performance
4. Automation

Agenda: New DMZ Design

Building A Logical DMZ Trust Zone Is A Better Approach

Steps:
- Pull the DMZ zone into the datacenter
- Use virtual networking and security constructs for application isolation and protection

Benefits:
- Higher agility: flexible placement
- Simpler configuration management
- Lower cost: fewer hardware devices
- Easier automation

Agenda: VMware NSX Components for the DMZ

VMware NSX Networking & Security Capabilities

[Figure: NSX platform stack. Any Application (without modification) runs on Virtual Networks built from Logical L2, Logical L3, Logical Firewall, Logical Load Balancer and Logical VPN; driven by Any Cloud Management Platform; delivered by the VMware NSX Network Virtualization Platform on Any Hypervisor over Any Network Hardware]

- Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
- Logical Routing: routing between virtual networks without exiting the software container
- Logical Firewall: distributed firewall, kernel integrated, high performance
- Logical Load Balancer: application load balancing in software
- Logical VPN: site-to-site and remote access VPN in software
- NSX API: RESTful API for integration into any Cloud Management Platform
- Partner eco-system

1. Deploy Each Tier Of DMZ Application On A Logical Switch

[Figure: Web, App and DB tiers, each on its own logical switch]

Benefits for DMZ:
- Speed of new application deployment
- Does not require physical network configuration at multiple devices
- Scale is not limited by the limitations of physical VLANs

Higher security:
- Reduce attack perimeter
- Contain risk within the virtual perimeter
- Physical switching and network not exposed to attack

2. Protect Every Virtual Server Using Distributed Firewall

[Figure: Web, App and DB tiers, each vNIC fronted by the distributed firewall]

Benefits for DMZ:
- Achieve line-rate throughput using a vNIC-level hypervisor firewall
- Higher security: complete East-West traffic protection via distributed enforcement
- Easy scale and automation
- Mobility of security rules: rules follow the VM

3. Provide Perimeter Protection Using Logical Gateway

[Figure: Services Edge (NAT, FW, VPN, LB) in front of the Web, App and DB tiers]

Benefits for DMZ:
- Deploy logical perimeter firewall, load balancer and VPN programmatically and as needed
- Perimeter services and policy can be tied to the application
- Virtual appliance model allows cloud agility and scale-out
- Higher security through a VIP hiding internal IP addresses

4. Optimize Application Traffic Flow Using Distributed Router

[Figure: Logical Distributed Router connecting the Web, App and DB tiers]

Benefits for DMZ:
- Optimize traffic flows to minimize latency
- Minimize advertising internal routers to perimeter devices

5. Automate Application Protection Using Logical Switches

[Figure: Web tier workload moving within the infrastructure]

Benefits for DMZ:
- No need to re-program the perimeter security function as workloads move within the infrastructure
- Application-specific security follows the workload
- Configure and forget

6. Protect Application Access Using Identity Firewall

[Figure: DB Admins and Web Admins user groups, each granted access only to their tier; Application Visibility across the Web, App and DB tiers]

Benefits for DMZ:
- Create firewall rules using user identity for VDI: limit application access to only authorized groups of users, prevent insider attack
- Get visibility into in-guest applications and application access
- Ensure no rogue applications are running on your servers
- Get reporting on application usage by user groups

7. Define Application Security Using Logical Containers

[Figure: VMs grouped into logical containers independent of their host placement; the Web container highlighted]

Benefits for DMZ:
- Simplify rule creation and management: use logical boundaries to reflect application boundaries, and prevent rule sprawl by tying security policy to applications
- Automate protection for new VMs: new security group members inherit security policies
- Flexible and manageable container creation options: use vSphere objects instead of network identifiers in logical container creation to ensure policy persists across vMotion or networking changes

Architecture Can Easily Scale

[Figure: multiple Web/App/DB tenants behind the perimeter gateway]

Benefits for DMZ:
- Achieve multitenancy using the perimeter gateway for tenant separation
- Fully automate using REST API scripts or Cloud Management portals
- Scale easily by adding essential services on demand in software
- Built for high performance
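The two slides above (security policy keyed to logical containers rather than network identifiers, and automation over the NSX REST API) are easier to judge with a concrete script. The following is an added example, not code from this deck or from VMware: it builds a security group with dynamic membership, expresses the Web/App/DB distributed-firewall policy purely in terms of security groups, and lints the policy for trust-zone violations before anything is pushed. The XML shapes and the URL path are assumed to follow the NSX-v 6.x API as recalled by the author; the group objectIds (`securitygroup-10` etc.), ports, hostname and credentials are placeholders.

```python
# Added example; not code from the SEC5891 deck or from VMware.
# Builds an NSX distributed-firewall policy for the Web/App/DB tiers where every
# rule refers to a security group (a vSphere object) instead of an IP subnet, and
# lints it for trust-zone violations before pushing it over REST.
# ASSUMED: XML shapes and URL path follow the NSX-v 6.x API as recalled by the
# author; group IDs, ports, hostname and credentials are placeholders.
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder objectIds that NSX Manager would return when each group is created.
TIER_GROUPS = {"web": "securitygroup-10", "app": "securitygroup-11", "db": "securitygroup-12"}
# The only flows the DMZ design permits ("any" = unrestricted source).
ALLOWED_FLOWS = {("any", "web"), ("web", "app"), ("app", "db")}


def security_group_xml(name, vm_name_prefix):
    """Group with dynamic membership: any VM whose name starts with the prefix
    joins automatically, so new VMs inherit the tier policy and a vMotioned VM
    keeps it (membership is not tied to a VLAN or subnet)."""
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectTypeName").text = "SecurityGroup"
    ET.SubElement(sg, "name").text = name
    dyn = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dyn, "operator").text = "OR"
    crit = ET.SubElement(dyn, "dynamicCriteria")
    ET.SubElement(crit, "operator").text = "OR"
    ET.SubElement(crit, "key").text = "VM.NAME"
    ET.SubElement(crit, "criteria").text = "starts_with"
    ET.SubElement(crit, "value").text = vm_name_prefix
    return ET.tostring(sg, encoding="unicode")


def _endpoint(rule, tag, child, tier):
    """Attach <sources>/<destinations> bound to a tier's group; None means 'any'."""
    if tier is None:
        return
    ep = ET.SubElement(ET.SubElement(rule, tag, excluded="false"), child)
    ET.SubElement(ep, "value").text = TIER_GROUPS[tier]
    ET.SubElement(ep, "type").text = "SecurityGroup"


def dfw_section_xml(section_name, rules):
    """rules: (name, src_tier|None, dst_tier|None, tcp_port|None, action)."""
    section = ET.Element("section", name=section_name)
    for name, src, dst, port, action in rules:
        rule = ET.SubElement(section, "rule", disabled="false", logged="true")
        ET.SubElement(rule, "name").text = name
        ET.SubElement(rule, "action").text = action
        _endpoint(rule, "sources", "source", src)
        _endpoint(rule, "destinations", "destination", dst)
        if port is not None:
            svc = ET.SubElement(ET.SubElement(rule, "services"), "service")
            ET.SubElement(svc, "protocol").text = "6"  # IP protocol 6 = TCP
            ET.SubElement(svc, "destinationPort").text = str(port)
        applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
        ET.SubElement(applied, "value").text = "DISTRIBUTED_FIREWALL"
        ET.SubElement(applied, "type").text = "DISTRIBUTED_FIREWALL"
    return ET.tostring(section, encoding="unicode")


def _tiers(rule, tag):
    """Tier names a rule's sources/destinations resolve to; 'any' when absent."""
    ids = [v.text for v in rule.findall(f"./{tag}/*/value")]
    if not ids:
        return {"any"}
    return {t for t, gid in TIER_GROUPS.items() if gid in ids} or {"unknown"}


def check_zone_separation(section_xml):
    """Audit check: every allow rule must be one of ALLOWED_FLOWS, and the
    section must end with a default deny so a VM placed on the wrong logical
    switch does not silently gain reachability."""
    rules = ET.fromstring(section_xml).findall("rule")
    violations = []
    for rule in rules:
        if rule.findtext("action") != "allow":
            continue
        for src in _tiers(rule, "sources"):
            for dst in _tiers(rule, "destinations"):
                if (src, dst) not in ALLOWED_FLOWS:
                    violations.append(f"{rule.findtext('name')}: {src} -> {dst}")
    if not rules or rules[-1].findtext("action") != "deny":
        violations.append("section does not end with a default deny rule")
    return violations


def build_dmz_policy():
    """The three-tier DMZ policy from the deck, expressed on groups, not subnets."""
    return dfw_section_xml("DMZ-3tier", [
        ("Internet to Web", None, "web", 443, "allow"),
        ("Web to App", "web", "app", 8080, "allow"),
        ("App to DB", "app", "db", 3306, "allow"),
        ("Default block between tiers", None, None, None, "deny"),
    ])


def push_section(manager, user, password, section_xml):
    """POST the section to NSX Manager (ASSUMED NSX-v 6.x path). The manager's
    TLS certificate must be trusted by this host. Refuses to push a policy
    that fails the zone-separation check."""
    problems = check_zone_separation(section_xml)
    if problems:
        raise ValueError("refusing to push: " + "; ".join(problems))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}/api/4.0/firewall/globalroot-0/config/layer3sections",
        data=section_xml.encode(), method="POST",
        headers={"Content-Type": "application/xml", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    print(security_group_xml("SG-Web", "web-"))
    print(build_dmz_policy())
    print("violations:", check_zone_separation(build_dmz_policy()))
```

The point of `check_zone_separation` is the caveat behind Challenge #2: once rules are written against groups, a rule that allows "any" into the App or DB tier, or Web straight to DB, is a design error that no placement change will reveal, so it is worth refusing to push it at all. `push_section` is the only function that touches the network; the builders and the check run offline.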

Agenda: Proposed DMZ Architecture

Functional View of Data Center With Logical DMZ

[Figure: an Exchange deployment laid out across the logical DMZ, left to right: any devices over any networks -> app gateways and perimeter devices -> Exchange server roles -> common services (AD, EDS, DB), with admin jump points and applications alongside. Role labels and port numbers shown in the figure:
- Edge Transport: routing and AV/AS (25)
- Hub Transport: routing and policy
- Client Access: client connectivity, web services
- Mailbox: storage of mailbox items (RPC)
- Unified Messaging: voice mail and voice access (5060, 5061, 5062, dynamic)
- To AD: 389, 3268, 88, 53, 135
- Other ports labelled in the figure: 50636, 135, 808]

Physical View Of NSX Component Deployment

[Figure: Data Center IP network (L3 over L2) connecting Infra Racks (Management Cluster: vCenter Server, NSX Manager, NSX Controller), Edge Racks (Edge Cluster: NSX Edge, plus physical appliances and the external networks, WAN/Internet) and Compute Racks (Compute Clusters running the hypervisor service modules); a separate management network carries vMotion and storage]

- Controller software (NSX Controller): virtual network orchestrator, massive scale
- Hypervisor service modules: distributed network services (switching, routing)
- Gateway software (NSX Edge): load balancer, switch, firewall, router/VPN; integration with existing physical infrastructure, V to V / V to P

Agenda: Conclusion

Build Your Cloud Ready DMZ with NSX

Build security that is designed for the virtual workloads instead of adapting the existing physical constructs to work with mobile virtual workloads.

[Figure: Before - DMZ with physical separation of trust zones; After - DMZ with logical separation of trust zones]

Questions?
bheemaraos@vmware.com
bgermain@vmware.com


THANK YOU


Appendix: Mixed Mode / Multi-tenant and the test of auditing

We are not alone:
- Security & compliance trust zones
- Power of cloud infrastructure automation
- Automated and self-healing

A validated methodology for the migration to mixed trust zones

[Figure: three stages of the migration. First, separate Core / Aggr. / Acc. switching paths and separate vSphere clusters per application (Cluster1 HR App, FIN App, Sales App). Second, "Increased Confidence with Virtualization and Virtualization Security" with vShield App based security on VMware vSphere + vShield. Third, "Mixed-Trust Zone with Virtual Enclaves": a single Core / Aggr. / Acc. fabric with Web Frontend, Apps and Database enclaves spread across vSphere hosts. Legend: Web Frontend, Apps, Database]

VMware Confidential
