Dwayne MacKenzie, Solutions Architect for Secure Networking
Most of our customers have already virtualized their server environments, consolidating many virtual servers onto each physical host. While virtualization improves efficiency and utilization in the data center, it does nothing by itself to address security. Historically, when our customers wanted to secure the data center, we placed a firewall appliance at the edge of the network to block external users from reaching data center resources.
That edge firewall does nothing, however, for traffic between the data center resources themselves, and trying to use it that way creates problems. A web server that needs to talk to a backend application server on the same physical host must send its traffic out of the host to the firewall for inspection. Once the traffic is inspected and allowed, the firewall sends it back to the physical host and on to the virtual machine that was sitting next to the sender all along.
This is what we call "hairpinning": traffic constantly leaves the virtual environment for a physical appliance and then comes back in. The same holds true when a virtual server needs to talk to a virtual server on another physical host. The traffic leaves the VM, crosses the physical host, crosses the data center network to a physical firewall, comes back onto the data center network, and passes through the second physical host to reach the destination virtual server. Every east-west conversation pays that round trip, so the firewall appliance and the network links in front of it become the bottleneck for traffic that never needed to leave the hypervisor.
VMware NSX Distributed Firewall Feature
To address this challenge, VMware introduced NSX. With NSX we move security policy from a physical firewall into the virtual environment, enforcing it in the hypervisor on every host. For example, if a server in our web group needs to talk to a database server, we allow that traffic with a policy that says, in effect, "from the web group to the database group, SQL is allowed." If the web server and the database server are on the same physical host, the traffic never leaves it: the web server opens the conversation, the distributed firewall inspects it at the virtual NIC and allows it, and the traffic passes to the database server without ever touching the physical network.
The same policy is applied everywhere in the data center. When a web server on one physical host needs to talk to a database server on another host anywhere in the environment, that traffic is inspected on the hypervisor and, if allowed, sent across the network to the other host and into the database server. In neither case is there a detour to a firewall appliance.
Another important property of NSX policy is that it is stateful. When the web server initiates a session to the database server, NSX records that flow and tracks it. The database server's replies within that session are then allowed automatically, without a second rule in the firewall. Note that this covers return traffic only: if the database server tried to open a new connection back to the web server, that would be evaluated as a fresh connection and would need its own rule. With NSX we have migrated our security policy from a physical appliance to every host in the virtualized data center. We gain additional security by grouping our policies and applying them to very small groups of systems within the data center.
A good example is a database server that only needs to talk to an application server, of which there may be only a few instances. If we segment down to that small set, applying the same traffic-flow rules but scoping them at the VMware level to only those two systems, the policy is enforced only on those two systems. It never interferes with traffic in our web environment, and the web servers never even see the rule. This "microsegmentation" is a quantum leap forward in security for the virtualized data center: paired with a default deny rule at the bottom of the rule set, a compromised web server can reach only what the policy explicitly allows, and lateral movement to the application or database tiers on any other port is blocked at the hypervisor.
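To make the policy model concrete, here is a small Python model, added to this post and not part of NSX or any VMware code, of a hypervisor-distributed stateful firewall with security groups and per-vNIC rule scoping. The VM names, hosts, groups, ports and rule names are constructed for the example; the rule set mirrors the web-to-database SQL rule and the narrowly scoped application-to-database rule described above, and the checks at the end show stateful return traffic, a new connection from the database being refused, and the application rule never being pushed to a web server's vNIC.

```python
"""Toy model of a hypervisor-distributed, stateful firewall with security-group
policy and per-vNIC rule scoping. Constructed illustration only; it is not NSX
code, and every VM, host, group and rule name below is hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Inventory (constructed): VM -> (host it runs on, security groups it belongs to)
VMS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "web-01": ("esx-01", frozenset({"web"})),
    "app-01": ("esx-01", frozenset({"app"})),
    "db-01": ("esx-02", frozenset({"db"})),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source security group; "any" matches every VM
    dst: str              # destination security group
    dport: Optional[int]  # TCP destination port; None = any port
    action: str           # "allow" or "deny"
    # Groups whose vNICs receive this rule (the "Applied To" scope).
    # Empty means the rule is pushed to every vNIC.
    applied_to: FrozenSet[str] = frozenset()


# Ordered rule set (constructed): first match wins, explicit default deny last.
RULES: List[Rule] = [
    Rule("web-to-db-sql", "web", "db", 3306, "allow"),
    Rule("app-to-db-sql", "app", "db", 3306, "allow", frozenset({"app", "db"})),
    Rule("default-deny", "any", "any", None, "deny"),
]


def groups(vm: str) -> FrozenSet[str]:
    return VMS[vm][1]


def rules_for(vm: str) -> List[Rule]:
    """Rules actually pushed to this VM's vNIC; a narrowly scoped rule never
    reaches vNICs outside its Applied To groups."""
    return [r for r in RULES if not r.applied_to or r.applied_to & groups(vm)]


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return ((rule.src == "any" or rule.src in groups(src))
            and (rule.dst == "any" or rule.dst in groups(dst))
            and (rule.dport is None or rule.dport == dport))


def _first_match(vm: str, src: str, dst: str, dport: int) -> Rule:
    for rule in rules_for(vm):
        if _matches(rule, src, dst, dport):
            return rule
    return RULES[-1]  # not reached while the unscoped default deny is last


FlowKey = Tuple[str, int, str, int]  # (src_vm, sport, dst_vm, dport)


@dataclass
class DistributedFirewall:
    """In NSX each host tracks flows for its own vNICs; one shared table is
    enough to model the semantics here."""
    flows: Set[FlowKey] = field(default_factory=set)

    def packet(self, src: str, sport: int, dst: str, dport: int,
               syn: bool) -> Tuple[str, str]:
        """Decide one TCP packet. Returns (verdict, reason)."""
        if not syn:
            # Reply or mid-connection packet: allowed only if a flow was
            # established in either direction; no second rule is consulted.
            if ((src, sport, dst, dport) in self.flows
                    or (dst, dport, src, sport) in self.flows):
                return ("allow", "existing flow")
            return ("deny", "no flow state")
        # New connection: enforced at the sender's vNIC (egress) and at the
        # receiver's vNIC (ingress), wherever in the data center they run.
        egress = _first_match(src, src, dst, dport)
        ingress = _first_match(dst, src, dst, dport)
        if egress.action == "allow" and ingress.action == "allow":
            self.flows.add((src, sport, dst, dport))
            return ("allow", egress.name)
        blocker = egress if egress.action != "allow" else ingress
        return ("deny", blocker.name)


def leaves_host(src: str, dst: str) -> bool:
    """True if the traffic must cross the physical network at all; in no case
    is there a detour to a separate firewall appliance."""
    return VMS[src][0] != VMS[dst][0]


if __name__ == "__main__":
    fw = DistributedFirewall()
    print(fw.packet("web-01", 51000, "db-01", 3306, syn=True))   # ('allow', 'web-to-db-sql')
    print(fw.packet("db-01", 3306, "web-01", 51000, syn=False))  # ('allow', 'existing flow')
    print(fw.packet("db-01", 40000, "web-01", 80, syn=True))     # ('deny', 'default-deny')
    print(fw.packet("app-01", 52000, "db-01", 3306, syn=True))   # ('allow', 'app-to-db-sql')
    print([r.name for r in rules_for("web-01")])                  # app rule is not pushed here
    print(leaves_host("web-01", "app-01"), leaves_host("web-01", "db-01"))  # False True
```

The design point worth noticing is that enforcement happens twice per new connection, at the sending and the receiving vNIC, and that the state table is what lets the database's replies through, not a rule; a fresh connection in the other direction falls through to the default deny.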
Simplify Your Data Center Network
While we have focused on the security features of NSX, the real power of the solution comes from moving all network functions, not just security, into the hypervisor. VMware already provides a distributed switch, which lets virtual servers communicate with each other at the hypervisor level. If we take those Layer 2 services off the data center network and place them in the hypervisor, broadcast traffic from any server in a given VLAN (or NSX logical switch) is handled in the hypervisor rather than by the physical switches, and needs no additional processing on the physical network.
When a web server needs to talk to a server in another VLAN or IP subnet, however, a routing decision has to be made, and today that happens on the data center network. If we move routing into the hypervisor too, using an NSX distributed logical router, all of our Layer 3 decisions migrate off the data center network as well. That lets us flatten the physical data center network to a single transport VLAN and removes the need to reconfigure it whenever we add servers or new network functionality at the host level.
So as we increase virtualization in our data center, we expose security gaps that the distributed firewall features of NSX can close. But NSX has much more to offer for simplifying the data center network, which I will address in a later blog post.
Partner with Data Networks
To learn more, email or call (800.283.6387) our team of experts at Data Networks. We can design, implement, support and manage your simplified data center environment.