Understanding NSX Distributed Firewall – Exploring Networking, Security, and AWS Integrations

NSX Distributed Firewall (DFW) is a stateful firewall distributed to every ESXi host in an SDDC. It protects the SDDC's east/west traffic through micro-segmentation, including traffic between workloads on the same L2 segment, which a perimeter firewall never sees. Rules do not have to be built on traditional infrastructure parameters such as subnets; they can instead use NSX tags or VM naming conventions, so the policy follows the workload rather than its IP address. The following figure shows a traditional segmentation approach for a three-tier application:

Figure 2.28 – Traditional segmentation

DFW removes the need to hairpin east/west traffic through a centralized gateway firewall. Rather than being enforced at a single choke point, as a gateway firewall is, it is enforced at the virtual network interface (vNIC) of every VM in the network. This allows flexible ways of managing network security that are impractical in a traditional data center network, such as isolating two VMs that share a subnet.

For example, NSX lets you define grouping objects that are used by both the DFW and the Edge (gateway) firewalls. Group membership can be dynamic: NSX evaluates criteria such as IP address, VM name patterns, or tags and places matching workloads in the group automatically, so a newly deployed VM inherits the policy as soon as it meets the criteria.

NSX firewall policies are evaluated top to bottom, and the first rule that matches a connection is applied, so rule order matters: a broad allow placed above a narrower deny silently wins. Only new connections are evaluated against the rule set; because the DFW is stateful, return traffic for an allowed flow is permitted without a matching rule. Rules are enforced at the vNIC in both directions, inbound to and outbound from the VM, so a flow between two protected VMs is checked at both the source and the destination interface.

Note

The default DFW rule is an explicit Allow any: all traffic is permitted unless a rule above it says otherwise. A micro-segmentation policy therefore has no effect until the allow rules have been written and the default rule has been changed to Drop (or Reject); until then, any flow not matched by an earlier rule still succeeds.
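The evaluation order, the tag- and name-based grouping, and the consequence of the default rule described above can be seen in a small model. The following is an added example written for this page, not VMware's code and not the NSX API: it imitates the DFW semantics (first match wins, only new flows hit the rule set, reply packets are matched by the flow table) on a constructed three-tier inventory that shares one subnet. VM names, IPs, tags, group names and rule names are all assumptions.

```python
"""Toy model of NSX DFW evaluation (added example, not VMware code):
tag- and name-based groups, top-down first-match rules, stateful reply
handling, and the effect of the default rule. All inventory is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: FrozenSet[str] = frozenset()   # NSX-style "scope|tag" strings


# Group membership is evaluated against the VM itself, never its subnet.
def tag_equals(scope: str, tag: str) -> Callable[[VM], bool]:
    return lambda vm: f"{scope}|{tag}" in vm.tags


def name_starts_with(prefix: str) -> Callable[[VM], bool]:
    return lambda vm: vm.name.startswith(prefix)


@dataclass
class Group:
    name: str
    criteria: List[Callable[[VM], bool]]   # ORed together

    def contains(self, vm: VM) -> bool:
        return any(c(vm) for c in self.criteria)


@dataclass
class Rule:
    name: str
    sources: Optional[List[Group]]            # None means Any
    destinations: Optional[List[Group]]
    services: Optional[Set[Tuple[str, int]]]  # {(proto, dport)}; None means Any
    action: str                               # "ALLOW" or "DROP"


Flow = Tuple[str, str, str, int, int]         # src_ip, dst_ip, proto, sport, dport


class DFW:
    """One enforcement point per vNIC; the rule set is consulted only for new flows."""

    def __init__(self, rules: List[Rule], default_action: str):
        self.rules = rules
        self.default_action = default_action
        self.flows: Set[Flow] = set()

    @staticmethod
    def _member(groups: Optional[List[Group]], vm: VM) -> bool:
        return groups is None or any(g.contains(vm) for g in groups)

    def _first_match(self, src: VM, dst: VM, proto: str, dport: int) -> Tuple[str, str]:
        for r in self.rules:                  # top to bottom, first match wins
            if (self._member(r.sources, src) and self._member(r.destinations, dst)
                    and (r.services is None or (proto, dport) in r.services)):
                return r.action, r.name
        return self.default_action, "Default Layer3 Rule"

    def packet(self, src: VM, dst: VM, proto: str, sport: int, dport: int) -> Tuple[str, str]:
        reverse = (dst.ip, src.ip, proto, dport, sport)
        if reverse in self.flows:             # stateful: reply of an already-allowed flow
            return "ALLOW", "state-table"
        action, rule = self._first_match(src, dst, proto, dport)
        if action == "ALLOW":
            self.flows.add((src.ip, dst.ip, proto, sport, dport))
        return action, rule


# Constructed three-tier inventory, all on the single subnet 10.0.1.0/24 (assumed).
WEB1 = VM("web-01", "10.0.1.10", frozenset({"tier|web"}))
APP1 = VM("app-01", "10.0.1.20", frozenset({"tier|app"}))
DB1 = VM("db-01", "10.0.1.30", frozenset({"tier|db"}))
DB2 = VM("db-replica-01", "10.0.1.31")       # untagged; grouped by naming convention
JUMP = VM("jump-01", "10.0.1.40")            # neither tagged nor named into a tier

WEB = Group("web-tier", [tag_equals("tier", "web")])
APP = Group("app-tier", [tag_equals("tier", "app")])
DB = Group("db-tier", [tag_equals("tier", "db"), name_starts_with("db-")])

POLICY = [
    Rule("web-to-app", [WEB], [APP], {("tcp", 8443)}, "ALLOW"),
    Rule("app-to-db", [APP], [DB], {("tcp", 5432)}, "ALLOW"),
]


def scenario(default_action: str) -> Dict[str, str]:
    """Run the same flows with a given default rule; returns the verdict per flow."""
    fw = DFW(POLICY, default_action)
    out: Dict[str, str] = {}
    out["web->app:8443"] = fw.packet(WEB1, APP1, "tcp", 40001, 8443)[0]
    out["app->db:5432"] = fw.packet(APP1, DB1, "tcp", 40002, 5432)[0]
    out["db->app reply"] = fw.packet(DB1, APP1, "tcp", 5432, 40002)[1]   # which path allowed it
    out["app->db-replica:5432"] = fw.packet(APP1, DB2, "tcp", 40003, 5432)[0]
    out["web->db:5432"] = fw.packet(WEB1, DB1, "tcp", 40004, 5432)[0]    # no rule: default applies
    out["jump->db:5432"] = fw.packet(JUMP, DB1, "tcp", 40005, 5432)[0]   # no rule: default applies
    return out


if __name__ == "__main__":
    for default in ("ALLOW", "DROP"):
        print(f"default rule = {default}: {scenario(default)}")
```

With the default left at Allow, the two flows that no rule mentions (web straight to the database, and the jump host to the database) still succeed, even though the subnet layout is identical to the segmented case; only after the default becomes Drop do they fail, while app-to-db and its reply keep working because the reply is matched by the flow table rather than by a rule. The replica lands in the database group through its name alone, which is the grouping-by-naming-convention behaviour the text describes.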

The following figure shows a micro-segmentation approach for a three-tier web application placed on the same subnet, in contrast to the traditional approach:

Figure 2.29 – Micro-segmentation

Only the compute network is eligible for DFW enforcement; the management network is not. DFW's purpose is to let the security administrator build a security policy that is applied within the compute network.

Discovering the NSX Advanced Firewall Add-On

The NSX Advanced Firewall Add-On is available to customers as a purchase option on top of the SDDC cost, and it has to be activated for all hosts in the SDDC cluster. It extends NSX security beyond the distributed Layer 4 firewall to application-level capabilities: distributed IDS/IPS, Layer 7 context profiles (application IDs), FQDN filtering, and Identity Firewall (rules based on Active Directory user identity).
