elnemesisdivina's Posts


In some way it can, but in the strict sense of the word the DFW cannot see the traffic between physical instances. Let me explain my idea with an example. Let's assume we have a cluster prepared with the NSX Distributed Firewall, with tiers like a DB tier and an App tier, but we need to have interaction with legacy systems, or because we can do something to virtualize them (maybe a cost or a license, we don't know). Just let's assume we have to back up the App tier and the DB tier. This means that VMs in the DB tier and VMs in the App tier need some interaction with the backup application running on a physical server, and it is a network-based backup application, so we have installed agents in each tier. So how do we protect the network designated for backups? How do we make it secure and avoid other VMs that can be attached to this backup network being able to "see" the traffic between the backup agents and the physical backup server, without compromising security? Well, the DFW will set a bunch of rules for traffic in and out of the virtual tiers (DB and App). In this way we can group the IP addresses of the physical servers as an object inside the firewall and make it part of a rule, avoiding this problem. So for instance it could be something like this:

source               destination   service            action   applied to
physical_servers_ip  DB_tier       any_except_permit  block    backup_network or dvPortgroup (explicit)

regards.
Hi there, As per best practice, a common deployment is composed of a minimum of 3 ESXi hosts in the management cluster for DRS rules, with each NSX controller having anti-affinity rules to "live" in a different ESXi host. There is no minimum for the NSX edge cluster, nor for the payload cluster or all the ESXi hosts that will support the virtual production applications, but in the end it depends. In my experience, sometimes 3 or 2 ESXi hosts with a huge amount of RAM and CPU are like a waste for this reason, even counting (in the management cluster) on other tools, so it is possible to have the NSX controllers living in one cluster, but it is a kind of risk that we have to understand/justify. regards
Although very unlikely, the recovery mode is similar to a physical network appliance, unless the cost of having a vApp is far from that of a physical appliance, plus the configuration backup dump. In the natural, normal behavior, if for example one of the ESXi hosts that has an instance of the DFW has problems, the effect is to block traffic for safety; however, sometimes this behavior is not expected, but it can be determined that when a fault is present the VM can be evacuated to another ESXi host without reconfiguring the DFW. We also have a control plane and a data plane; in case of failure of the control plane, the data plane is independent and the "saved" rules are maintained in each DFW instance by default. regards
It is relatively transparent, since the very nature of the tool allows us to segment between virtual machines, so that the virtualizer, or hypervisor in this case, ceases to be a trusted zone where, in traditional schemes, the perimeter firewall "protects" the VMs at the IP address level. The answer to the question, which is what happens within the realm of the hypervisor if a VM is compromised? Well, the answer is that NSX security is embedded so that it contains the problem. If it is necessary to stop for hardware maintenance, the VM can be moved freely without reconfiguring its security, or even if the VM is discarded and an equal one is created with the same name, for example, it is automatically added to the protection group that has been applied. Specifically, it is not only possible to have a model like zero trust, something that was unthinkable a while ago, but it is also possible to propose more advanced security services, leveraging third parties and the network services the solution offers. regards +vRay
We have defined how the DFW works and its interaction with 3rd party vendors, so let's check some functionality of it. Well, you can have the function of a flat firewall running on the hypervisor, but what makes NSX so special is the way we can set rules through the Service Composer. So what is the Service Composer piece and how is it related to the DFW? Well, first, depending on how you are securing your virtual datacenter, maybe using one flat Logical Switch (virtual wires) or in a tiered way, having each bunch of VMs in their own isolated logical switch, it is possible to build some architectures like those shown:

Fig. DFW security topology

Taking this into account, we are still working with the VM object as a piece for building the 5-tuple for firewall rules, but there is more: you can leverage vCenter Server objects every time you need to build your firewall rules (every object but folders), so your firewall rules are more human understandable. So the Service Composer uses these objects to automate the creation of rules on the fly. For example, assume we have 2 VMs, VM1 and VM2, and you need to secure the layer between them, allowing or not communication on defined ports. OK, assuming they are in a logical switch (single tier, different VMs or apps), you can set a policy rule against this logical switch where a VM matching some criterion can fit, and automatically allow or deny these ports. At a glance, VM1 is a DB server and VM2 is running a web server app on it; for that reason we need that web server to be able to communicate with the DB VM only on port 1433 and nothing else, and this web VM has port 80 open to the world (it is just a simple example and there is much more to adapt, like the infrastructure services for each VM such as NTP, DNS, etc.)

Fig. disposal of VMs in two tiers.
An important piece of security in VMware NSX is the concept of the Security Group. As I mentioned in the example before, the Service Composer uses vCenter objects to group VMs dynamically, and this grouping is called security groups: something like a logical container of VMs on which we can apply security policies (open or close ports). We need to notice that all these vCenter objects are dependent on the VMware Tools on the VMs. We describe the functionality with an example: let's say that we have two logical switches attached to a logical router (at this moment think of the router as a flat logical router running at the ESXi host level, similarly to the DFW). Just a big note: the security is orthogonal to the network topology and is not dependent on other features of NSX. So we have those two logical switches, and each logical switch has two VMs running Windows or Linux applications within. When we use the Service Composer and create a SG (Security Group) called Windows, and the projection is over the two logical switches, the action will be "include all VMs called Windows in the security group Windows, or WIN, or APP-Windows, whatever the criterion could be, but only take into account that the simplest way is the most efficient". Automatically those VMs will be included in the SG. In this picture you can see the name of the SG is SG-WINDOWS and VM1 and VM3 are part of the security group; the names of the logical switches are WEB Logical-switch-1 [or the real name ID of the Virtual Extensible Network: 5001] and the second one is called APP logical-switch-2. Then, if we want to apply SP (Security Policies) on the SG, we just set the DFW rules to be applied, and it will be something like the figure below:

Fig. Security Groups on DFW NSX

As you can see, the VMs in the example live and contend for resources with others in the same clusters of ESXi hosts. This means, for instance, that if the Distributed Scheduler on the cluster decides to move VMs from one ESXi host to another, the security will stick with the VM no matter what happens; in the same way the service engine will not lose the VM, to keep monitoring security behavior. Conclusion: the DFW is a powerful tool to make the security implementation easy, something that in recent years was nearly impossible due to the nature of virtualization, empowering clients with all the functionalities in the market today at line speed and with the nature of a VM. There is more ahead to come, but the future now for VMware NSX is making valuable solutions for today's business dynamics.
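The dynamic grouping described in the two posts above (a security group whose membership follows a vCenter attribute such as the VM name, and a policy on that group that becomes DFW rules) can be modelled in a few lines. This is an added example, not code from the post or from NSX: the VM inventory, the group names, the criterion functions and the rule format are constructed for illustration and do not reproduce the real NSX object model or API.

```python
"""Added example, not code from the original post: a toy model of Service
Composer behaviour. A security group (SG) is defined by a membership
criterion evaluated against vCenter-style VM attributes, and a security
policy applied to the SG expands into DFW-style rules whose source and
destination are the resolved member sets. VM names, switch names, IPs and
the criterion format are constructed for this example; they are not the
NSX object model or API."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class VM:
    name: str
    logical_switch: str   # e.g. "WEB logical-switch-1" (VXLAN 5001)
    guest_os: str         # as reported by VMware Tools (hypothetical attribute)
    ip: str


@dataclass
class SecurityGroup:
    """Dynamic membership: a VM is a member while the predicate holds,
    so membership survives a DRS move or a re-created VM with the same name."""
    name: str
    criterion: Callable[[VM], bool]

    def members(self, inventory: List[VM]) -> List[VM]:
        return [vm for vm in inventory if self.criterion(vm)]


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: str
    action: str        # "allow" or "block"
    applied_to: str


@dataclass(frozen=True)
class PolicyEntry:
    source_sg: str     # SG name or "any"
    dest_sg: str
    service: str
    action: str


def resolve_policy(entries: List[PolicyEntry], groups: Dict[str, SecurityGroup],
                   inventory: List[VM], applied_to: str) -> List[Rule]:
    """Expand policy entries into concrete rules by resolving each SG to the
    IPs of its current members. Order is preserved because the DFW
    evaluates rules top-down."""
    def ip_set(sg_name: str) -> str:
        if sg_name == "any":
            return "any"
        sg = groups[sg_name]
        ips = sorted(vm.ip for vm in sg.members(inventory))
        return f"{sg.name}={{{','.join(ips)}}}"

    return [Rule(ip_set(e.source_sg), ip_set(e.dest_sg), e.service, e.action, applied_to)
            for e in entries]


# Constructed inventory mirroring the post: one web VM and two DB VMs on
# two logical switches.
INVENTORY = [
    VM("web-01", "WEB logical-switch-1", "Linux", "10.0.1.10"),
    VM("db-01", "APP logical-switch-2", "Windows", "10.0.2.10"),
    VM("db-02", "APP logical-switch-2", "Windows", "10.0.2.11"),
]

GROUPS = {
    "SG-WEB": SecurityGroup("SG-WEB", lambda vm: vm.name.lower().startswith("web")),
    "SG-DB": SecurityGroup("SG-DB", lambda vm: vm.name.lower().startswith("db")),
    # The post's SG-WINDOWS: membership by guest OS, which needs VMware Tools.
    "SG-WINDOWS": SecurityGroup("SG-WINDOWS", lambda vm: vm.guest_os == "Windows"),
}

# The post's two-tier policy: web open on 80, web -> DB only on 1433.
POLICY = [
    PolicyEntry("any", "SG-WEB", "tcp/80", "allow"),
    PolicyEntry("SG-WEB", "SG-DB", "tcp/1433", "allow"),
    PolicyEntry("SG-WEB", "SG-DB", "any", "block"),
]


def demo() -> List[Rule]:
    rules = resolve_policy(POLICY, GROUPS, INVENTORY, applied_to="DFW")
    for r in rules:
        print(f"{r.source:28} {r.destination:36} {r.service:9} {r.action}")
    return rules


if __name__ == "__main__":
    demo()
```

Because the criterion is a function of the VM's attributes rather than of its host or switch, moving `web-01` to another logical switch or re-creating it under the same name leaves it in `SG-WEB`, which is the "security sticks with the VM" behaviour the post describes.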
Now let's see in depth the concept of the DFW and the Service Composer. There is something we need to understand before going deep into this awesome stuff: from a security perspective NSX has two stateful firewalls, I would say inner core and extra core, in other words the conceptual FW for North-South traffic inspection and the one for East-West traffic. The North-South FW service is present in the External Service Gateway, a VM-format appliance which is able to provide this and other services. On the other hand is the DFW, the firewall we are going to describe, and both can be controlled by NSX Manager, as the figure depicts:

Fig. DFW and Edge Firewall

The distributed firewall is composed of two pieces, or is taking care of two tables:
- Rule ID table: used to store all the policy rules of the DFW
- Flow entry table: used to cache all flow entries with a permit action in the DFW

As with many firewalls in the market, the DFW enforces firewall rules from top to bottom. The first packet that reaches the DFW is analyzed; then, if the flow exists in the flow entry table, the packet is checked against the FW rule; otherwise, if the incoming packet is not in the flow table, the Rule ID table is checked, and only then, if it is permitted, the flow is cached, so that when another packet reaches the firewall only the flow cache is checked. If the rule is to drop the packet, the packet is discarded. Of course this is not new compared with stateful firewall functionality, but it is an elegant way to characterize how the DFW works, all at line-rate speed at the hypervisor level. Of course there is another piece in the picture that answers the question: what happens when there is a third-party vendor in place? Well, in principle it is the same; the only difference is the packet flow internally at the hypervisor, in the fast plane and slow plane, to send the packet to be analyzed by the engine of the 3rd party vendor. But let's describe the architecture of the DFW.

Fig. packet processing by DFW

Just to remember, the DFW works at the hypervisor level, then at the vNIC level, and there is the enforcement of policies. But let's hold on for a moment on describing the complete architecture (try to follow with the figure below). VMware NSX consists of two fundamental component pieces for micro-segmentation, and please forget for a moment about the NSX controllers; those are not necessary for a micro-segmentation deployment, but in case of VXLAN sure you will need them. So let's assume that we have the basic components, which are: the web client, an important piece to consume the DFW services (this can be substituted by a cloud platform manager or a REST client like Postman, or Perl or Python scripts pointing to the REST API exposed by the NSX Manager); then we have the NSX Manager and the vCenter Server. Those two are the control plane, one for the vSphere layer and the VDS (a.k.a. vSphere Distributed Switch), and the NSX Manager as the control plane for the DFW, since this is instantiated on every ESXi host in a cluster (not individually). For the purpose of explanation we have in the picture only one ESXi host from that cluster prepared for the DFW; in other words you have to install on every ESXi host of a cluster the vSphere Installation Bundle from the NSX Manager (the NSX Manager comes with it, so don't worry about trying to get that piece from somewhere else).

OK, the NSX Manager contains the vPostgres DB, the Identity Engine and the client for some sort of message bus protocol as an application, but no worries, this is only informative and maybe, just maybe, if you have a problem there, let the GSS guys take care of you, since all of this is embedded. So the AMQP client inside the NSX Manager talks with vsfwd, which is in charge of the FW processing, just like vCenter does with vpxa for the objects and resources inside the ESXi hosts to make the forecast and calculations for demanded and available resources. Then this module "vsfwd", being in user space or the slow plane, keeps a deep communication with vSIP, the vSphere Integration Platform or the VMware Internetworking Service Insertion Platform (I put it like that since I have found it sometimes confusingly called one way or the other, but it is the same). So this vSIP is a daemon in kernel space, or the fast plane, within the ESXi host, and this one is in charge of all the data plane for the DFW: it receives the firewall rules from the NSX Manager and enforces them at the vNIC level of every VM in that particular ESXi host. In addition, it will take care of the decision on what to do if there is a third-party vendor engine in place, and what to do with the packet to be analyzed by this engine and then go back to the VM.

Fig. NSX architecture

The order of processing is formed in slots inside the vNIC; the first 4 are for vSphere NSX and the last for other product engines like Palo Alto Networks, Trend Micro, Hydra, Rapid7 and so on, so forth. There is not a specific order, but it counts up to 16 slots.

Fig. service chaining or service serialization in DFW for NSX

This will be continued….
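The two-table processing described in the post above (Rule ID table evaluated top-down for the first packet, flow entry table caching permitted flows), together with the IP-set object used in the earlier backup-network post (a `physical_servers_ip` group referenced by a rule), can be modelled as a small stateful firewall. This is an added example, not code from the post or from NSX: the addresses, rule ids, the backup port, the flow-key layout and the default action are constructed for illustration and are not NSX's real data structures.

```python
"""Added example, not code from the original post: a toy model of the two
DFW tables the post describes. The Rule ID table is evaluated top-down for
the first packet of a flow; a permitted flow is cached in the flow entry
table so later packets of that flow (including the return direction) hit
the cache. Rules can reference IP-set objects such as the post's
physical_servers_ip group. All addresses, rule ids, ports and the flow-key
format are constructed for illustration, not NSX's real data structures."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    sport: int = 40000


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str         # IP-set object name or "any"
    destination: str
    service: str        # "tcp/1433", "any", ...
    action: str         # "allow" or "block"


class DistributedFirewall:
    """One instance per ESXi host in the real product; a single one here."""

    def __init__(self, rules: List[Rule], ip_sets: Dict[str, List[str]],
                 default_action: str = "block"):
        self.rule_table = rules                      # Rule ID table, ordered
        self.ip_sets = {k: [ip_network(c) for c in v] for k, v in ip_sets.items()}
        self.flow_table: Dict[Tuple, int] = {}       # flow key -> rule id that permitted it
        self.default_action = default_action         # constructed cleanup rule
        self.stats = {"cache_hits": 0, "rule_lookups": 0}

    def _in_set(self, name: str, ip: str) -> bool:
        if name == "any":
            return True
        return any(ip_address(ip) in net for net in self.ip_sets[name])

    @staticmethod
    def _service_matches(service: str, pkt: Packet) -> bool:
        if service == "any":
            return True
        proto, port = service.split("/")
        return pkt.proto == proto and pkt.dport == int(port)

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple:
        # Direction-agnostic key so the reply packets of a permitted flow
        # match the same entry (the stateful part of the behaviour).
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def process(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        if key in self.flow_table:                   # flow entry table first
            self.stats["cache_hits"] += 1
            return "allow"
        self.stats["rule_lookups"] += 1
        for rule in self.rule_table:                 # top-down, first match wins
            if (self._in_set(rule.source, pkt.src)
                    and self._in_set(rule.destination, pkt.dst)
                    and self._service_matches(rule.service, pkt)):
                if rule.action == "allow":
                    self.flow_table[key] = rule.rule_id   # only permits are cached
                return rule.action
        return self.default_action


def build_demo_firewall() -> DistributedFirewall:
    """Rule table modelled on the posts: the backup servers may reach the DB
    tier only on the (constructed) backup port, the web tier only on 1433,
    and everything else towards the DB tier is blocked."""
    ip_sets = {
        "physical_servers_ip": ["192.168.50.0/24"],   # constructed backup servers
        "DB_tier": ["10.0.2.0/24"],
        "WEB_tier": ["10.0.1.10/32"],
    }
    rules = [
        Rule(1, "physical_servers_ip", "DB_tier", "tcp/10000", "allow"),  # backup agent traffic
        Rule(2, "physical_servers_ip", "DB_tier", "any", "block"),        # any_except_permit
        Rule(3, "WEB_tier", "DB_tier", "tcp/1433", "allow"),
        Rule(4, "any", "DB_tier", "any", "block"),
    ]
    return DistributedFirewall(rules, ip_sets)


if __name__ == "__main__":
    fw = build_demo_firewall()
    for p in (Packet("192.168.50.5", "10.0.2.10", "tcp", 10000),
              Packet("10.0.2.10", "192.168.50.5", "tcp", 40000, sport=10000),
              Packet("192.168.50.5", "10.0.2.10", "tcp", 22)):
        print(p, "->", fw.process(p))
    print(fw.stats)
```

The second packet in the demo is the DB server's reply to the backup connection; it never touches the rule table because the permitted flow is already in the flow entry table, which is the "only check the flow cache" step the post describes. Blocked packets are deliberately not cached, so each new attempt is re-evaluated against the rule table.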
As I mentioned before, traditional datacenters are a shell in terms of security, and the focus is on the perimeter; sometimes the same firewall is used to protect virtual workloads, making it a challenge how to detail the protection in this ambit.

Fig. Actual approach in traditional virtual datacenters

VMware NSX brings the answer to this and other challenges, enabling visibility inside the datacenter and of how the virtual datacenter is protected, as well as reducing security breaches in a granular fashion using distributed controls like the DFW, or Distributed Firewall.

Fig. conceptual Virtual datacenter Security

First let's describe what the DFW is and how it works, and mainly what it brings to complement the picture on micro-segmentation. A DFW is a stateful firewall at the hypervisor kernel level. This means that the DFW runs embedded in VMware vSphere but hidden from VMs; that is, it is not a VM protecting other VMs, it is an instance of a FW per each ESXi host you have in the datacenter (running ESXi and working in a cluster). The inner layer of this firewall enforces firewall rules at the vNIC level for every VM being protected. Again, it is not a virtual appliance running partly in user space and partly in kernel space like the 3rd party appliances we will try to describe further, so the throughput is related to the number of physical NICs in each ESXi host. As said, this is a stateful firewall and works on OSI layers 2 to 4, but it is able to offer a complete solution integrated with 3rd party vendors, extending its capabilities up to and including layer 7. As in a traditional FW there is a central management for all the configuration, but it is only one for all the DFW instances per ESXi host, and there are three ways to manage, configure and consume the DFW, if you want: using the vSphere Web Client, using a Cloud Platform, or using the REST API.

We will see more in depth how the DFW works, but first let's map what it brings to the virtual datacenter:
- Micro-segmentation enables administrators with isolation between layers inside the virtual datacenter; this means that we are now able to enforce separate tiers and isolate the applications from each other by using overlay networks, breaking the physical limitation of implementing VLANs.
- Segmentation is another advantage; this means that between those tiers we can have switching and routing services and, moreover, firewall services, where we can control all the communications between tiers, determining exactly what kind of packets we want to traverse and in what direction horizontally, without the need for a piece of hardware outside the virtual datacenter, dealing with performance and nearest to the applications.
- Advanced services and policy framework: this advantage consists of taking the DFW to upper layers by integrating 3rd party vendors for advanced security introspection, security policy enforcement, and other advanced services offered nowadays in the market.

Fig. advantages from micro-segmentation

Now let's see in depth the concept of the DFW and the Service Composer. There is something we need to understand before going deep into this awesome stuff: from a security perspective NSX has two stateful firewalls, I would say inner core and extra core, in other words the conceptual FW for North-South traffic inspection and the one for East-West traffic. The North-South FW service is present in the External Service Gateway, a VM-format appliance which is able to provide this and other services. On the other hand is the DFW, the firewall we are going to describe, and both can be controlled by NSX Manager, as the figure depicts:

Fig. DFW and Edge Firewall

this will be continued...
Today, security in the software-defined data center has been a constant and increasingly specific demand, as Gartner says, which implies greater investment in tools for this area. According to Forrester and its Zero Trust model, a zero-confidence zone is one that does not have confidence in any packet traveling through the network, either internal or external to the data center, although it is a reference model. The dynamics of the data center should be on par with today's threats; the VMware solution is in tune with these challenges and aware at all times of the need for better mechanisms for a safer SDDC without the complexity inherent in new tools. It has a solution that provides us, plus flexibility, the following advantages that are essential for the micro-segmentation solution:
- Isolation: creating and isolating networks using NSX network virtualization technologies.
- Segmentation: ability to segment workloads/applications on a granular basis using the NSX Distributed Firewall.
- Advanced Services: ability to bring in third party advanced security technologies from PAN, McAfee and others.
- Policy Framework: tie host, network and partner security components together with a seamless policy leveraging the NSX Service Composer.
This session will discuss some of the technical aspects of each point and how the VMware NSX solution makes its implementation simplified, making a safer Software Defined Data Center.
Check VMware NSX deployment on Cisco UCS for details. regards.
Hello, Today there are many sources, but not all are reliable, and it is easy to get lost among so much information. I listed some that I think are the most important; depending on the goal, these are the ones we can count on:

Intro NSX: this is an online course of short duration (3 hrs); it is a basis for understanding NSX in a friendly way, and it can take you to the VCA-NV exam, or entry level VMware NSX. However, if the goal is to learn NSX without entering in depth, this course is appropriate.

For the purpose of the VCP-NV certification, apart from the "blueprint", this link is a guide breaking down all the points mentioned in the official exam blueprint: https://richdowling.wordpress.com/vcp-nv/ Just take into account the exam code version of NSX being evaluated. If the goal is to learn only a little more detail, the VMware tech talks on YouTube are a good choice, or if you have access to recorded sessions from VMworld (some also on YouTube), mainly those that are not technical about NSX; otherwise, the 2014 and 2015 sessions on NSX and Security are good sources of knowledge, including fine issues of NSX performance and design.

For the purpose of the VCIX-NV certification, also apart from the official certification blueprint, this link: VCIX-NV Study Guide | Lostdomain.org, which is an excellent guide that covers all the points in the blueprint. Continuing the theme of VMworld sessions, in addition to those mentioned in the preceding paragraph, the good operational practice and design sessions are fundamental.

In both cases it is helpful to take the HOLs (Hands On Labs) of VMware: if for VCP, follow the procedures for each laboratory; if it is for VCIX-NV, try to assess configurations or leave a little script. That is, all is reduced to following the blueprint and evaluating everything about the lab we have available without following the procedure described in each laboratory; it is very useful to experiment and likewise have the feeling of an advanced exam, since the VCIX-NV is a live examination based on tasks assessed by humans for the pass.

HOLS catalog networking
HOLS NSX

In addition there are very good documents about good design practices on specific hardware vendors: Cisco UCS, edge, Dell, etc.
Communities in VMware NSX: VMware Communities Docs
There are paid sources, for example in VMware the list of official VMware NSX courses: VMware Certification VCP-NV VCIX-NV
Books: Networking for VMware Administrators (VMware Press Technology): Christopher Wahl, Steve Pantol: 9780133511086: Amazon.co…
Other sources: NVP or NSX Multi-Hypervisor: VMware NSX | Network Virtualization
Troubleshooting NSX
+vRay
Hi there, First, doing a little bit of history: VMware is not new to virtualization, as is known by everyone; in the same way it has continued in parallel the development of solutions, initially network virtualization in a vSphere virtual environment, from the characteristics of the VSS (vSphere Standard Switch) and VDS (vSphere Distributed Switch), things that today are taken for granted, and without which a virtual data center simply would not be complete. Following in this regard, the development of network management technologies became more and more sophisticated, realizing products like vShield, which brought changes to the network services hand in hand with the already existing natural behavior of the vSphere virtual network. Finally, in this last wave, with the Nicira acquisition, VMware is betting on the abstraction of the network and network services, making a merger between vShield and NVP (Network Virtualization Platform), resulting in VMware NSX. As a platform for software-defined networks, NSX comes to add more abstraction functions than only a check box or button on a nice GUI; NSX is embedded in the most determinant level of performance of VMware virtualization, i.e. the hypervisor. In the days of the N1KV distributed switches, this pointed to physical network functions, and security would be reduced to a special-purpose virtual machine (security or switching), and the market would remain in gray and shades; as of today NSX moved all that security and network control to the hypervisor, see its proposed solutions with third party vendors such as IDS, NGFWs, among others.

VMware NSX as an SDN solution, although not the only one, is the most disruptive in many ways, and its main difference from all other solutions is basically the way it works as the SDN within a software-defined data center: not the aggregation of another layer on the hypervisor, nor a passive intermediary between virtual machines and the kingdom of the network; it is the network itself, it is the security running in the hypervisor at the service of the virtual machines. +vRay
Hi there, "In the story "Goldilocks and the Three Bears," a little girl named Goldilocks liked everything just right. Her porridge couldn't be too hot or too cold. And her bed couldn't be too hard or too soft. On Earth, everything is just right for living things. It's warm, but not too warm. And it has water, but not too much water."

Then planet Earth is a Goldilocks planet, or a planet in the Goldilocks zone, according to the NASA definition; in short, planet Earth has the duality of mutually exclusive conditions which gives the sustainability of life. So if we make the extrapolation of concepts in terms of security, the duality of mutually exclusive properties for securing the apps running in a VM is taking the security as near as possible to the VM, but not so far as to lose control of the physical network, nor so as not to know what the application is, what the data is, and which users are accessing that application. Let me try to be concise on this point: the hypervisor is the Goldilocks zone for security, which means that we can have nowadays, thanks to NSX (and nobody else has it), let's call it a security zone running inside the hypervisor, able to be isolated enough, like the memory management mechanisms do for VMs, so as not to be in the same attack zone, on the same "wire" or communication channel of threats; this is called isolation or micro-segmentation. At the same time we have a channel of communication inside the VM to know what is going on, again like the memory management mechanism in VMware vSphere does, for instance for the ballooning driver, so we can have the ability to control everything thanks to the universe of third party vendors for whatever security condition, thanks again to the exposure of APIs (NetX or EPSec APIs) by VMware NSX, where in addition we can take actions or orchestrate what to do in the presence of some conditions.

So VMware NSX empowers security to be everywhere at the same time in the VMware hypervisor, turning the VMware vSphere hypervisor into the virtual networking and security hypervisor for the Software Defined Datacenter. +vRay
Hello there, From a holistic perspective, NSX is a core piece in the solutions for public, hybrid or private cloud. First, in hybrid cloud or public cloud, mainly composed of vCloud Director and vCloud Air, VMware NSX is not only an element underlying all the virtual network infrastructure but also provides advanced network services, namely translation of IP addresses, DHCP, firewall, routing, "site to site" IPsec VPN, or extensibility to other data centers or clouds based on VMware vSphere with NSX. We also have a level of security that no one has at the hypervisor level, distributed routing, as well as abstraction of network segments in layer 2 (OSI) by means of logical switches (VXLAN). The issue of virtual networks is not new within VMware cloud computing; however, VMware NSX potentiates the possibilities of setting up virtual networks, simplifying the complexity of operation and implementation, and the costs are profitable against the benefits of purchasing hardware for managing a multi-tenant service in terms of the physical network, i.e. it can provide even more network services independent of the physical network topology. As VCD-SP is, in my opinion, 90% virtual networking, NSX gives us a cloud solution that is less complicated and more complete, sticking not only to the commercial functions but able to provide the necessary elasticity of network service provisioning to virtual machines. In the field of private cloud, vRA (vRealize Automation) in conjunction with NSX results in a greater degree of control over the virtualized services provided to the network, such as when talking about a tier of virtual machines or applications; it can be a demand to provide services such as a networking pack, routing on demand, security on demand, load balancing, among others, and even more integration with third-party software through the APIs (the dvfilter) shades are possible; also, through the NSX plug-in for vRO (vRealize Orchestrator), the "zero trust model" (Forrester) is possible at the virtual level.

In conclusion, VMware NSX gives us a different way of services from how they have always been in the market, where technically possible schemes never seen before are provided, and a very important degree of control, integration and operation intra/inter clouds, like for example DRP to the cloud, cloud extensibility between virtual data centers, and very soon hyper-segmentation and hybrid networking.

Forrester Research: No More Chewy Centers: The Zero Trust Model Of Information Security
NSX and vCloud Director - The Missing Guide
http://cacm.acm.org/magazines/2014/10/178789-abstractions-for-software-defined-networks/abstract
http://yuba.stanford.edu/~casado/nsdi14-paper-koponen.pdf
Hi, The main difference is that NSX does not require multicast mode to make the Virtual Extensible LAN (VXLAN) or the virtual wires of VXLAN; in addition you can have more granular security. vCloud Networking and Security does not support dynamic routing, and NSX is able to work with routing protocols like OSPF and BGP. While products like vCloud Director (vCD) leverage vCNS as an integral product of the public cloud solution from VMware, at present only vCD is out of sale and end of support, but there is an exclusive version for service providers, vCD-SP, which continues to use vCNS, even supporting it until version 5.5.3 of vCNS, indicating that NSX is the evolution of vCNS, something like vCNS on steroids. vCNS in its flavours vShield App, vShield Edge and vShield Endpoint, from the perspective of functionality, were improved and correspondingly mapped to NSX Firewall, NSX Edge Gateway and NSX Endpoint, and are generated from the NSX Manager instead of the vShield Manager; moreover, many of the logs and semantics of the NSX APIs have labels regarding "vShield". regards +vRay