Distributed Networking and Security Services: Deep Dive · 2019-06-27 · NSX Distributed Services...
© 2014 VMware Inc. All rights reserved.
NET1932
Anirban Sengupta, Sr. Director, NSX; Jayant Jain, Architect, NSX. August 2017
Distributed Networking and Security Services: Deep Dive
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#NET1932 CONFIDENTIAL
Agenda
1 Introduction
2 Distributed Service Architecture
3 Distributed Services in NSX
4 Architecture Deep Dive
5 Demo
6 Q&A
Section 1: Introduction
Increased Application Complexity
• Applications are becoming larger and distributed
• Tiered Application model to Micro services and Containers
Deployment Agility
• Application owners are expecting faster deployment from IT
• LOBs are expecting automated and self service deployment to support CI/CD
Advanced Security
• Hackers have become highly funded, sophisticated and resourceful
• Attacks are oriented more towards lateral movement and privilege escalation than towards the perimeter
Section 2: Distributed Service Architecture
Traditional Data Center Design
• Services in Data Center Aggregation layer
• Optimized for N/S Design
• Most traffic today is E/W
• Traffic needs to hairpin to Aggregation Layer for E/W
• Difficult to Automate.
• Uncertain Performance and capacity provisioning
• Unfriendly to App mobility
Virtual Appliance based Services
[Figure: DMZ, Services, App and DB networks carrying Finance, HR and IT workloads; internal services (AD, NTP, DHCP, DNS, CERT) and perimeter services delivered by virtual appliances]
• Deployment complexity
• Topology Dependency
• Performance bottleneck
• Appliance Management
• Harder to change security policy
Distributed Services
[Figure: the same DMZ, Services, App and DB networks with Finance, HR and IT workloads; internal services (AD, NTP, DHCP, DNS, CERT) and perimeter services delivered as distributed services]
• Omnipresent
• Topology Agnostic
• Full Automation
• Easier operations
• No Appliance Management
• Zero Trust Isolation
• Linear scalability
Omnipresent and Topology Agnostic
[Figure: App, DMZ, Services and DB VLANs with Finance, HR and IT workloads behind a perimeter firewall and an inside firewall; internal services AD, NTP, DHCP, DNS, CERT]
• Distributed services are deployed everywhere and can be enforced anywhere irrespective of application architecture and network connectivity
• With each application, configuration can be added and deleted as needed.
Full Automation and Easier Operations
• Software services make automation possible, increasing agility
• Distributed services minimize deployment and capacity challenges.
• No Appliance to deploy and manage
Zero Trust Isolation and Enforcement
• Distributed Firewall makes zero trust isolation feasible
• As Firewall enforcement is at the vNIC level, any security policy is easy to enforce
[Figure: per-vNIC enforcement between workloads and the Internet]
Capacity On Demand and Line Rate Performance
• Services scale linearly with the application, so provisioning and management are minimal.
• Fewer network hops make the data path far more efficient.
Section 3: Distributed Services in NSX
VMware NSX Functional Overview
[Figure: NSX planes and components]
• Consumption: CMP, UI, API
• Management Plane: NSX Manager (API, config, etc.); Operations: logs/stats
• Control Plane: NSX Controller (run-time state)
• Data Plane (vSphere hosts): Logical Switch, Distributed Logical Router, Edge Service Gateway, Distributed Firewall (DFW), Distributed Load Balancer, Distributed Network Encryption (DNE)
Distributed Routing
Micro Segmentation with Distributed Firewall
• L4 Distributed Firewall facilitating Micro Segmentation of Datacenter
• Rules based on VC entities, IPSets, VMs with flexible Services with IPv6 compliance
Rule fields:
• Src/Dst: IP Address/IPSets; Identity: AD Groups; VC containers: Clusters, Datacenters, Portgroups, VXLAN; VM containers: VM names, VM tags, VM attributes; IPv6 compliant: IPv6 address, IPv6 sets
• Services: Protocol, Ports, Custom; IPv6 Services
• Action: Allow, Block, Reject
• Choice of PEP (Policy Enforcement Point): Clusters, VXLAN, vNICs, …
Context Aware Micro Segmentation
• Extend L4 DFW to be Context Aware
• User, Protocols, Applications, Mobile Manifest, Third party context, etc.
[Figure: L4 rule based micro segmentation extended with context]
Distributed Network Encryption
• NSX Manager
  – User defines encryption policies
• NSX Controller
  – Pushes rules to Hypervisors
  – Generates tickets for hypervisors to get secret keys
• Key Manager
  – Generates secret keys for hypervisors
• Hypervisors
  – Get secret keys from the Key Manager and encrypt/authenticate network packets in and out of the VMs
[Figure: NSX Manager, NSX Controller, Key Manager and Hypervisor1, Hypervisor2 ... HypervisorN; labelled flows 1) Rules, 2) Key Policies, and a Ticket to each hypervisor]
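As an added illustration (not NSX code and not the DNE wire protocol itself), the Python below models the roles the slide assigns: the controller pushes the DNE rules and issues a ticket, the key manager releases one secret key per key policy only against a valid ticket, and each hypervisor protects packets leaving its VMs and verifies packets arriving for them. It assumes a pre-shared secret between controller and key manager, invents the key-policy names kp-web and kp-backend and the framing, and uses HMAC-SHA256 for packet authentication in place of the encrypt/authenticate step so that it runs with the standard library alone. It also covers two failure cases the slide does not spell out: a packet that arrives tampered, and one that arrives unprotected although policy requires protection.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: a pre-shared secret between NSX Controller and Key Manager, so the Key
# Manager can verify that a ticket was issued by the controller (constructed value).
CONTROLLER_KM_SECRET = b"constructed-controller-km-secret"

# DNE policy rules from the slide: (source, destinations, protocol, port, key policy).
# The key-policy names are assumed; the slide only says key policies exist.
DNE_RULES = [
    ("VM1", {"VM2", "VM3"}, "tcp", 80, "kp-web"),
    ("VM1", {"VM5", "VM6"}, "any", None, "kp-backend"),
]

def lookup_policy(rules, src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """Per-packet policy lookup; None means no DNE rule applies and the packet goes in the clear."""
    for r_src, r_dst, r_proto, r_port, key_policy in rules:
        if src == r_src and dst in r_dst and r_proto in ("any", proto) and r_port in (None, dport):
            return key_policy
    return None

class Controller:
    """NSX Controller: pushes the rules and issues tickets that let a hypervisor fetch a key."""
    def __init__(self, rules: List[tuple]):
        self.rules = rules
    def push_rules(self, hv: "Hypervisor") -> None:
        hv.rules = list(self.rules)
    def issue_ticket(self, hv_name: str, key_policy: str) -> Tuple[bytes, bytes]:
        body = f"{hv_name}|{key_policy}".encode()
        return body, hmac.new(CONTROLLER_KM_SECRET, body, hashlib.sha256).digest()

class KeyManager:
    """Generates one secret key per key policy and releases it only against a valid ticket."""
    def __init__(self):
        self.keys: Dict[str, bytes] = {}
    def get_key(self, ticket: Tuple[bytes, bytes], hv_name: str, key_policy: str) -> bytes:
        body, tag = ticket
        expected = hmac.new(CONTROLLER_KM_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected) or body != f"{hv_name}|{key_policy}".encode():
            raise PermissionError("ticket not issued by the controller for this hypervisor/policy")
        return self.keys.setdefault(key_policy, secrets.token_bytes(32))

class Hypervisor:
    """Holds the pushed rules and fetched keys; protects packets in and out of its VMs."""
    def __init__(self, name: str):
        self.name, self.rules, self.keys = name, [], {}
    def fetch_key(self, ctrl: Controller, km: KeyManager, key_policy: str) -> None:
        ticket = ctrl.issue_ticket(self.name, key_policy)
        self.keys[key_policy] = km.get_key(ticket, self.name, key_policy)
    def send(self, src: str, dst: str, proto: str, dport: int, payload: bytes) -> bytes:
        # Egress: frame = length-prefixed header + payload; protected frames carry an HMAC tag.
        header = f"{src}|{dst}|{proto}|{dport}".encode()
        frame = struct.pack("!H", len(header)) + header + payload
        kp = lookup_policy(self.rules, src, dst, proto, dport)
        if kp is None:
            return b"\x00" + frame
        return b"\x01" + frame + hmac.new(self.keys[kp], frame, hashlib.sha256).digest()
    def receive(self, wire: bytes) -> bytes:
        # Ingress: policy decides whether a tag is required; a missing or bad tag drops the packet.
        protected, rest = wire[0] == 1, wire[1:]
        frame, tag = (rest[:-32], rest[-32:]) if protected else (rest, b"")
        hlen = struct.unpack("!H", frame[:2])[0]
        header, payload = frame[2:2 + hlen].decode(), frame[2 + hlen:]
        src, dst, proto, dport = header.split("|")
        kp = lookup_policy(self.rules, src, dst, proto, int(dport))
        if kp is None:
            return payload
        expected = hmac.new(self.keys[kp], frame, hashlib.sha256).digest()
        if not protected or not hmac.compare_digest(tag, expected):
            raise ValueError("drop: policy requires protection and verification failed")
        return payload

def _drops(hv: Hypervisor, wire: bytes) -> bool:
    try:
        hv.receive(wire)
        return False
    except ValueError:
        return True

def dne_scenario() -> Dict[str, bool]:
    ctrl, km = Controller(DNE_RULES), KeyManager()      # rules and key policies defined on NSX Manager
    hv1, hv2 = Hypervisor("Hypervisor1"), Hypervisor("Hypervisor2")
    for hv in (hv1, hv2):
        ctrl.push_rules(hv)
        hv.fetch_key(ctrl, km, "kp-web")                 # ticket -> Key Manager -> secret key
    out = {}
    wire = hv1.send("VM1", "VM2", "tcp", 80, b"GET / HTTP/1.1")
    out["authenticated"] = hv2.receive(wire) == b"GET / HTTP/1.1"
    tampered = wire[:-40] + bytes([wire[-40] ^ 1]) + wire[-39:]   # flip one payload byte
    out["tampered_dropped"] = _drops(hv2, tampered)
    out["downgrade_dropped"] = _drops(hv2, b"\x00" + wire[1:-32])  # tag stripped, flag cleared
    out["clear_passthrough"] = hv2.receive(hv1.send("VM1", "VM9", "tcp", 80, b"hi")) == b"hi"
    try:
        km.get_key((b"Hypervisor3|kp-web", bytes(32)), "Hypervisor3", "kp-web")
        out["bad_ticket_refused"] = False
    except PermissionError:
        out["bad_ticket_refused"] = True
    return out
```

The receiving side looks up the policy before looking at the packet's own flag, so a sender cannot opt out of protection by marking a packet as clear; that ordering is the check a practitioner wants from any policy-driven encryption layer, and dne_scenario() exercises it alongside the happy path.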
Distributed Load Balancing
[Figure: Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01), each with a .1 gateway; Load Balancer in front of Service-Group_Web]
• Appliance-less Client based East/West Load balancer
• Linearly scalable with optimal performance
Section 4: Architecture Deep Dive
NSX Distributed Services – System Architecture
[Figure: vSphere Client -> vCenter Server (TCP/443); vCenter Server -> NSX Manager (TCP/443); REST API Client -> NSX Manager API (TCP/443); SSH Client -> NSX Manager (TCP/22); NSX Manager -> ESXi Host (TCP/5671); ESXi Host runs VXLAN, DR, DFW and Switch Security]
1 UI Access to the NSX Management Plane via vSphere vCenter
2 Policy Rules are stored in NSX Manager.
3 Policy Rules are pushed down to ESXi Host [DFW Data Plane]
NSX Distributed Services – Internal Architecture: Component Details and Communication Channels
[Figure: components and communication channels]
• NSX Manager: Database, Config Engine, AMQP message bus (Exchange and per-host Queues); reached from a Web Browser and from vCenter Server (API) over TCP 443
• vCenter Server <-> ESXi Host: vpxa/hostd heartbeat, TCP/UDP 902
• NSX Manager -> ESXi Host: Message Bus (AMQP), TCP 5671, terminating in vsfwd/CPA in user space
• ESXi Host kernel space: vSIP Services Kernel Module and Virtual Switch; one VNIC-FW per VNIC inserted via IOChains
# esxcli software vib list
…
esx-vsip 5.5.0-0.0.1744190
Ruleset and Flows per vNic/VM
[Figure: NSX Manager with Control Cluster and Compute Manager pushes RuleSets and Inventory Updates to the CPA on each vSphere host running Web, App and DB VMs]
• Applied-To: Each vNic/VM can have its own custom/crafted ruleset and Service Chain
• Contextualization: Each vNic has its own set of flows.
• Exclude List: Individual vNic/VMs can be excluded from having a Service Instance or Chain
• Stateful (Default) as well as Stateless Rules Supported
• Revalidation of Rules with Ruleset change.
NSX Distributed Services Enablement
[Figure: VXLAN 5001 Logical Switch over a vSphere Distributed Switch; vSphere Host with VTEP IP 10.20.10.10 hosting VM1 (MAC1, IP1); vSphere Host with VTEP IP 10.20.10.11 hosting VM2 (MAC2, IP2) and VM3 (MAC3, IP3)]
• Enforce policy at vNic:
  - Services independent of transport network (VLAN or VXLAN) and of each other
  - All VM ingress and egress packets are subject to Service processing.
  - Independent Security Policy per Service.
  - Flexible Service Chain
  - Uniformly applicable to virtualized and non-virtualized networks: V-to-V and P-to-V support.
DFW Policy Rules:
Source   Destination   Service       Action
VM1      VM2, VM3      TCP port 80   Allow
VM1      VM2, VM3      any           Block
DLB Policy Rules:
Source   Destination   Service       Action
VM1      VIP1          TCP port 80   Balance
VM1      VIP2          TCP port 53   Balance
DNE Policy Rules:
Source   Destination   Service       Action
VM1      VM2, VM3      TCP port 80   Encrypt
VM1      VM5, VM6      any           Encrypt
NSX Distributed Services Packet Pipeline
[Figure: packets from vNIC/vPort enter the DFW Service (1: L2 Pipeline, 2: L3-L7 Pipeline), then the Partner Pipeline (PS) and the DNE Pipeline, and leave to vPort/vNic]
L2 Pipeline.
• L2 Packet Sanity, Spoofguard.
• L2 Rule analysis.
• Flow Cache to speed up stateless processing.
L3-L7 Pipeline.
• L3 Packet Sanity, Spoofguard.
• Fragmented Packet Support
• Support for ICMP Type/Code.
• L4 Packet Sanity.
• Context discovery and mapping
• Flow Lookup.
• TCP State and Sequence Number Support, State based timers
• Address-Set Lookup, Rule Analysis.
• Flow Creation and logging.
• ALG Support (FTP, MSRPC, Oracle, DCERPC, TFTP)
Partner Pipeline [a..b..c]
• Policy Lookup for Stateful Flow
• Punt packet to Partner Service (In-Host, L2, L3)
• Receive from Partner Service and forward packet.
DNE Pipeline
• Policy Lookup for Stateful Flow
• Encrypt/Decrypt Per Policy
NSX Service Chaining
• Traffic exits guest VM and reaches DFW for processing.
• Rule/Flow analysis done by DFW
• Filtering Module (Service/s) rule/flow analysis done.
• Traffic Redirection Module steers to Partner Services VM (In-Host/L2/L3).
• Permitted traffic forwarded via Traffic Redirection Module.
[Figure: Guest VM on a VDS; DFW, Filtering Module and Traffic Redirection Module in the data path (slots 2 and 4 shown); Partner Services VM managed by a Partner Console registered with vCenter; External Network]
NSX Distributed Services and vMotion
[Figure: VM moving from the vMotion source host (1) to the vMotion destination host (2)]
• NSX Distributed Services fully support vMotion.
• During a vMotion event, all service context moves with the VM:
  - Rules/Address Table
  - Connection Tracker Table
  - L4-L7 State
• No session loss during vMotion: all sessions active before the mobility event remain intact after the move.
• Separation of Control Plane and Data Plane
• All Services completely independent of VM location or Logical Network!
No disruption to end user!
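As an added example (not NSX code), the Python below models the data-plane behaviour described on the "Ruleset and Flows per vNic/VM", "Enablement" and vMotion slides: one filter per vNIC with its own ordered ruleset and its own connection tracker, Applied-To deciding which rules a vNIC receives, an Exclude List member that bypasses the pipeline, flow lookup before rule analysis, flow creation on an allowed connection attempt, and the connection tracker travelling with the VM on vMotion. The rules are the DFW policy table from the slides; VM names stand in for the IP/VM-container match criteria, a default rule of Block and the port numbers are assumptions, and only stateful rules are modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed packet abstraction: VM names stand in for the IP/VM-container match
# criteria of the slides; sport/dport give a connection its direction.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp", "udp", ...
    syn: bool = False     # True for the first packet of a connection

FlowKey = Tuple[str, int, str, int, str]

def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport, p.proto)

def reverse_key(p: Packet) -> FlowKey:
    # Key of the same connection seen in the reply direction.
    return (p.dst, p.dport, p.src, p.sport, p.proto)

@dataclass
class Rule:
    src: Set[str]                       # {"any"} or VM names
    dst: Set[str]
    proto: str                          # "any" or a protocol name
    dport: Optional[int]                # None = any port
    action: str                         # "Allow", "Block" or "Reject"
    applied_to: Optional[Set[str]] = None   # PEP: vNICs the rule is programmed on; None = all

    def matches(self, p: Packet) -> bool:
        return (("any" in self.src or p.src in self.src)
                and ("any" in self.dst or p.dst in self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

@dataclass
class VnicFilter:
    """One enforcement point per vNIC: its own ruleset and its own connection tracker."""
    vm: str
    rules: List[Rule] = field(default_factory=list)
    flows: Set[FlowKey] = field(default_factory=set)
    excluded: bool = False              # Exclude List member: no service instance on this vNIC

    def process(self, p: Packet) -> str:
        if self.excluded:
            return "Allow"                               # pipeline bypassed entirely
        # 1. Flow lookup: forward or reply packet of an established connection.
        if flow_key(p) in self.flows or reverse_key(p) in self.flows:
            return "Allow"
        # 2. Rule analysis on this vNIC's ordered ruleset; first match wins.
        for r in self.rules:
            if r.matches(p):
                if r.action == "Allow" and p.syn:
                    self.flows.add(flow_key(p))          # 3. flow creation
                return r.action
        return "Block"   # ASSUMPTION: the default rule is Block (zero-trust posture)

def distribute(rules: List[Rule], host: Dict[str, VnicFilter]) -> None:
    """Control path: each vNIC receives only the rules whose Applied-To covers it."""
    for f in host.values():
        f.rules = [r for r in rules if r.applied_to is None or f.vm in r.applied_to]

def vmotion(src_host: Dict[str, VnicFilter], dst_host: Dict[str, VnicFilter], vm: str) -> None:
    """Rules/address table and connection tracker travel with the VM."""
    dst_host[vm] = src_host.pop(vm)

# The DFW policy table from the enablement slide.
POLICY = [
    Rule({"VM1"}, {"VM2", "VM3"}, "tcp", 80, "Allow"),
    Rule({"VM1"}, {"VM2", "VM3"}, "any", None, "Block"),
]

def dfw_scenario() -> Dict[str, str]:
    host1 = {"VM1": VnicFilter("VM1"), "VM4": VnicFilter("VM4", excluded=True)}
    host2: Dict[str, VnicFilter] = {}
    distribute(POLICY, host1)
    syn = Packet("VM1", 51000, "VM2", 80, "tcp", syn=True)
    reply = Packet("VM2", 80, "VM1", 51000, "tcp")
    out = {}
    out["vm1_to_vm2_http"] = host1["VM1"].process(syn)                    # rule 1, flow created
    out["reply_on_host1"] = host1["VM1"].process(reply)                   # flow lookup, no rule hit
    out["vm1_to_vm3_ssh"] = host1["VM1"].process(Packet("VM1", 51001, "VM3", 22, "tcp", syn=True))
    probe = Packet("VM4", 40000, "VM1", 80, "tcp", syn=True)
    out["excluded_egress"] = host1["VM4"].process(probe)                  # VM4 enforces nothing
    out["excluded_ingress"] = host1["VM1"].process(probe)                 # VM1's vNIC still does
    vmotion(host1, host2, "VM1")
    out["reply_after_vmotion"] = host2["VM1"].process(reply)              # session survives the move
    out["reply_without_state"] = VnicFilter("VM1", list(POLICY)).process(reply)  # a fresh filter would drop it
    return out
```

Two points the scenario makes explicit: excluding a vNIC removes only that vNIC's own enforcement (its peer's vNIC still applies its ruleset to the packet on ingress), and the mid-connection reply is allowed after vMotion only because the connection tracker moved with the VM; a filter built from the rules alone has no flow for it and falls through to the default rule.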
Section 5: Demo
Context Aware Micro Segmentation