
Disclaimer

This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL

Agenda

1. What Network & Security services are used by (all crazy) applications
2. What are TODAY exactly the NSX:
   Firewalling/Security services
   Load Balancing services
   VPN services
3. Service enhancements with NSX 3rd party vendors



Network & Security Services Are Used by (All Crazy) Applications

Switching / DHCP server-or-relay / DNS
Routing / NAT
Dynamic Routing
Firewalling
Load Balancing
L2 and L3 VPN

THAT'S IT!!!!

[Figure: a three-tier topology fronted by a Router / Firewall / Inline Load Balancer / VPN. Web-Tier-01 10.0.1.0/24 (web-01, web-02, a One-Arm LB), App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01), each tier with its gateway at .1.]

NSX offers all those Network & Security services with central configuration and automation.
Let's focus here on Firewalling, Load Balancing, and VPN.


Firewalling/Security Configuration (1/4)

Firewalling is configured centrally AND distributed to all ESXi hosts, where it is enforced on the VM NICs.

Pros:
FW is distributed between all ESXi: amazing firewalling scale!
Offers security even within the same IP subnet / logical switch

[Figure: Web LS 10.0.1.0/24 (VM1 .11, VM2 .12, gateway .1) and App LS 10.0.2.0/24 (VM1 .11, VM2 .12, gateway .1), uplink 192.168.10.0/29 (.1). A "Web to App TCP/8443" rule is permitted between the tiers, while a STOP marker shows traffic blocked between VMs on the same logical switch.]

Firewalling/Security Configuration (2/4)

L2 MAC addresses and L3 IP addresses can be used.
In addition, any vCenter object name can be used.

Pros:
Ease-of-use

[Figure: Web-LS1 10.0.1.0/24 (VM1, VM2) and App-LS1 10.0.2.0/24 (VM1, VM2) on a vSphere Distributed Switch; the diagram also shows the addresses 192.168.150.51, 192.168.150.52 and 192.168.250.51.]

Firewalling/Security Configuration (3/4)

Port numbers can be used.
In addition, protocol names can be used.

Note: ALG (Application-Level Gateway) support for FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC.

Pros:
Ease-of-use

[Figure: the same topology as the previous slide: Web-LS1 10.0.1.0/24 (VM1, VM2) and App-LS1 10.0.2.0/24 (VM1, VM2) on a vSphere Distributed Switch, with the addresses 192.168.150.51, 192.168.150.52 and 192.168.250.51.]

Firewalling/Security Configuration (4/4)

Dynamic firewalling (Service Composer)

Pros:
Agility
Service Compliance

WHAT you want to protect: Security Groups
Members (VM, vNIC) and Context (user identity, security posture)

APPLY

HOW you want to protect it:
Services (Firewall, antivirus) and Profiles (labels representing specific policies)

Firewalling/Security Performance (1/2)

Performance Lab Test
Two hypervisors with two VMs each
Two 10G physical NICs per server
VM1 talks to VM3 & VM2 talks to VM4

[Figure: test setup. VM1 and VM2 on the first hypervisor, VM3 and VM4 on the second, the hosts connected through their 10G interfaces.]

Firewalling/Security Performance (2/2)

Results
Throughput Measurement

20Gbps per host of firewall performance with negligible CPU impact

Firewalling/Security Demo

Dynamic firewalling
Compliance Demo

[Figure: security group "Servers Linux" (linux-01, linux-02, linux-03) is granted access to the Linux update servers, and security group "Servers Windows" (win-01, win-02) is granted access to the Windows update servers. Topology: Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), gateways at .1.]

New Linux servers are automatically granted access.


Firewalling/Security: more information

There is a dedicated session on DFW:
"SEC1746 NSX DFW deep dive"


Load Balancing Configuration (1/3)

Both One-Arm and Inline modes are supported

Pros:
Flexibility

[Figure: left, One-Arm mode: the LB sits on Web-Tier-01 10.0.1.0/24 alongside web-01 and web-02, with App-Tier-01 10.0.2.0/24 (app-01, app-02) behind the router. Right, Inline mode: the LB sits in the traffic path in front of Web-Tier-01 10.0.1.0/24 (web-01, web-02) and App-Tier-01 10.0.2.0/24 (app-01, app-02). Gateways at .1.]

Load Balancing Configuration (2/3)

Services (1/2):

Protocols: TCP / UDP, FTP, HTTP, HTTPS (SSL-Passthrough), HTTPS (SSL Offload)

LB methods (how end-users' connections are split across back-end servers): Round Robin, Source IP hash, Least Connection, URI/HTTP header/URL

Health Checks (the Load Balancer checks the application health of each back-end server): TCP/UDP/ICMP, HTTP (GET, OPTION, POST), HTTPS (GET, OPTION, POST)

Persistence (all connections from the same end-user go to the same back-end server):
TCP: SourceIP, MSRDP
HTTP: SourceIP, Cookie
HTTPS: SourceIP, Cookie, ssl_session_id

Load Balancing Configuration (2/3)

Services (2/2):

Connection throttling (limit the connections to the VIP / to the back-end servers):
Client side: max concurrent connections, max new connections / sec
Server side: max concurrent connections

High Availability: Yes.

Monitoring: view VIP/Pool/Servers objects, view VIP/Pool/Servers stats, global stats of VIP sessions

L7 manipulation (the load balancer modifies the end-users' requests and/or the back-end servers' responses): HTTP/HTTPS request/response headers, for instance URL block, URL rewrite, header rewrite

Load Balancing - Performance

Per Logical Load Balancer:

                    L4           L7 - HTTP     L7 - HTTPS
Throughput          9.23 Gbps    6.59 Gbps     2.07 Gbps
# conc. sessions    1M           60k           60k
# sessions/sec      131k cps     45k cps       607 cps
Reqs/sec            -            82.3k rps     35.0k rps

Load Balancing Demo (1/2)

Demo1: VIP SSL off-load

[Figure: clients reach the VIP over HTTPS; the load balancer terminates SSL and forwards to web-01 and web-02 over HTTP. Topology: Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), gateways at .1.]


Load Balancing Demo (2/2)

Demo2: Single VIP redirecting traffic to a specific pool based on host

[Figure: app1.acme.com, app2.acme.com and app3.acme.com all resolve to VIP1. VIP1 distributes requests by host name to one pool each in Web-Tier-01 10.0.1.0/24: Pool1 (web-01, web-02), Pool2 (web-03, web-04), Pool3 (web-05, web-06). App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01) sit behind, gateways at .1.]
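Demo2 in code, as an added Python example (not VMware code or the NSX load balancer's implementation): one VIP selects a pool from the HTTP Host header and then a back-end server by Source-IP persistence. The host names and pools come from the demo figure; the app1->Pool1, app2->Pool2, app3->Pool3 mapping, the request bytes and the client addresses are assumptions.

```python
"""Demo2 in code: one VIP, Host-header pool selection, Source-IP persistence."""
import hashlib
from typing import Dict, List, Optional

# Constructed from the demo figure: three host names on VIP1, one pool each.
# The app1->Pool1, app2->Pool2, app3->Pool3 mapping is an assumption.
POOLS: Dict[str, List[str]] = {
    "Pool1": ["web-01", "web-02"],
    "Pool2": ["web-03", "web-04"],
    "Pool3": ["web-05", "web-06"],
}
HOST_RULES: Dict[str, str] = {
    "app1.acme.com": "Pool1",
    "app2.acme.com": "Pool2",
    "app3.acme.com": "Pool3",
}


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header (lower-cased, port stripped), or None when absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.rsplit(":", 1)[0].lower() if ":" in host else host.lower()
    return None


def select_pool(raw_request: bytes) -> Optional[str]:
    """L7 rule: map Host to a pool. An unknown or missing Host is rejected (None),
    so a client cannot steer the VIP to an arbitrary pool by forging the header."""
    host = parse_host(raw_request)
    return HOST_RULES.get(host) if host else None


def pick_server(pool: str, client_ip: str) -> str:
    """Source-IP persistence: hash the client address onto the pool members,
    so a returning client always lands on the same back-end server."""
    members = POOLS[pool]
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def dispatch(raw_request: bytes, client_ip: str) -> Optional[str]:
    """Full VIP decision: pool by Host, then server by persistence."""
    pool = select_pool(raw_request)
    return pick_server(pool, client_ip) if pool else None
```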

Load Balancing: more information

There is a specific session on LB:
"NET1588 - Load Balancer as a Service using NSX or Partner Solutions"


Logical VPN User and Site-to-Site

Use Cases
Cloud to Corporate
Cloud On-boarding
Remote Office/Branch Office
Remote Management

Features
Interoperable IPsec tested with major vendors
Clients on all major OS (Win, Apple, Linux)
Remote Authentication via Active Directory, RSA SecurID, LDAP, RADIUS
TCP Acceleration
Encryption 3DES, AES128, AES256
AES-NI H/W Offload
NAT & Perimeter Firewall Traversal

Scale and Performance
High Performance AES-NI acceleration
2+ Gb/s throughput per tenant

[Figure: remote users and sites connected to the data center over the Internet/WAN.]

Logical VPN Layer 2

Use Cases
Cloud On-boarding
Cloud Bursting

Features
SSL-based
Web-proxy Support
L2 Extension to Cloud
Broadcast support
Extend multiple L2 Segments with a single pair of L2 VPN Appliances

Scale & Performance
High Performance AES-NI acceleration
2+ Gb/s throughput per tenant

[Figure: VMs on VLAN/VXLAN segments in the data center extended over the Internet/WAN to VLAN/VXLAN segments in a Public Cloud.]


Security Partner Integrations

NSX is the platform for integrating advanced security services.

Next-generation IPS
Granular protection of individual VM workloads with customizable policy definitions
Unified management for physical and virtual sensors

Malware Protection
Data Center security with agentless anti-malware and guest network threat protection
Real-time, dynamic threat protection and response for workloads moving between hosts and virtual data centers

Vulnerability Management
Automatic vulnerability risk assessment
Data Center wide real-time risk visibility
Auto segmentation of risky assets
Vulnerability prioritization for effective remediation

Next-Generation Firewall
Multiple threat prevention disciplines including firewall, IPS, and antimalware
Safe application enablement with continuous content inspection for all threats
Granular user-based controls for apps, content, users

Malware Protection
Single virtual appliance provides agentless: anti-malware with URL filtering, vulnerability and software scanning, detection of file changes, intrusion detection & prevention
Automation of advanced malware interception

Load Balancer/ADC Partner Integrations

NSX is the platform for Application Delivery Controller services.

Application Delivery Controller: F5 specializes in Application Delivery Networking (ADN) technology that optimizes the delivery of network-based applications and the security, performance and availability of servers, data storage devices, and other network resources.

Application Delivery Controller: Radware is a provider of integrated application delivery / load balancing and application & network security solutions for virtual and cloud data centers.

Application Delivery Controller: Citrix NetScaler makes apps and cloud-based services run five times better by offloading app and database servers, accelerating app and service performance, and integrating security.
Operations Partner Integrations

NSX is the platform for Operation services.

Network Operations: Riverbed provides comprehensive monitoring and troubleshooting capabilities across physical and virtual data center networks based on NSX and Riverbed SteelCentral NetProfiler.

Network Operations: EMC Service Assurance Suite and VMware NSX break through the physical network barriers and achieve the provisioning speed, operational efficiency, and management visibility and insight promised by network virtualization.

Network Operations: Gigamon and VMware are extending their partnership to provide pervasive and intelligent visibility into the physical and virtual networks by integrating the Gigamon Visibility Fabric with the VMware NSX platform.

Demo with Symantec

Quarantine Vulnerable Systems until Remediated

Security Group = Quarantine Zone
Members = {Tag = ANTI_VIRUS.VirusFound, L2 Isolated Network}

Security Group = Desktop VMs

Full demo with config: https://www.youtube.com/watch?v=q1P7Xuicp84
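The grouping model behind the Service Composer slide (4/4), the compliance demo (new Linux servers automatically granted access) and this quarantine demo, as an added Python example rather than VMware code or the NSX API: a security group is a membership criterion evaluated on demand, and policy references groups, so a new or newly tagged VM is covered without editing any rule. The group names and the ANTI_VIRUS.VirusFound tag follow the deck; the `VM` inventory, the `Rule`/`decide` evaluation and the destination labels are constructed for illustration.

```python
"""Service Composer model: security groups as computed membership, rules that
reference groups. Constructed example; names follow the deck's demo slides."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class VM:
    name: str
    os: str                                      # guest OS family from vCenter, e.g. "Linux"
    network: str = "Web-Tier-01"                 # logical switch the vNIC is attached to
    tags: Set[str] = field(default_factory=set)  # security tags set by partner services


# A security group is a membership criterion, evaluated on demand: a VM that
# matches is covered by every policy applied to the group, with no rule edits.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "Servers Linux":   lambda vm: vm.os == "Linux",
    "Servers Windows": lambda vm: vm.os == "Windows",
    # Members = {Tag = ANTI_VIRUS.VirusFound, L2 Isolated Network}
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags
                                  or vm.network == "L2 Isolated Network",
}


@dataclass
class Rule:
    source_group: str
    destination: str        # constructed label; "any" matches every destination
    action: str             # "allow" or "block"


# Ordered policy: the quarantine block is evaluated before the access rules.
POLICY: List[Rule] = [
    Rule("Quarantine Zone", "any", "block"),
    Rule("Servers Linux", "Linux update servers", "allow"),
    Rule("Servers Windows", "Windows update servers", "allow"),
]


def members(group: str, inventory: List[VM]) -> List[str]:
    """Resolve a group to its current members."""
    return [vm.name for vm in inventory if GROUPS[group](vm)]


def decide(vm: VM, destination: str) -> str:
    """First matching rule wins; with no match the default rule (block) applies."""
    for rule in POLICY:
        if GROUPS[rule.source_group](vm) and rule.destination in ("any", destination):
            return rule.action
    return "block"
```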

How to test?

Hands on lab available:
http://labs.hol.vmware.com/HOL/catalogs/

Key takeaways

NSX offers all Network and Security services most crazy applications require

Firewalling / Load Balancing / VPN services are offered natively with unique benefits:
in security with micro-segmentation
in scale with distribution of services
in ease-of-use
and automation capabilities

And NSX services can be enhanced with 3rd party vendors
