NSX Distributed Firewall

Updated on

In this section we will learn about Micro-segmentation with NSX Distributed Firewall

1. Micro-segmentation with NSX Distributed Firewall

NSX Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.

In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is data centers facing a lack of lateral prevention  between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access the crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.

The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.

2. Rules for predefined categories

DFW comes with predefined categories for firewall rules, allowing you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.

3. Distributed firewall categories

Distributed firewall comes with predefined categories for firewall rules. Categories allow you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down.

4. Ethernet – Layer 2 policies

  1. Ethernet  Layer 2 policies are the first line of defense and should be considered before layer 3 rules.
  • In NSX Manager, select Security (1)
  • Navigate to Distributed Firewall (2)
  • Choose the Ethernet tab (3) to view category-specific rules.

5. Emergency policies

2. Emergency  For emergency situations, you can employ temporary firewall rules.

Within the same Distributed Firewall location, choose the Emergency tab (1).

6. Infrastructure policies

3. Infrastructure  On the Infrastructure tab, you can review non-application firewall rules like vCenter, ESXi, DNS, Active Directory and so on.

  • Choose the Infrastructure tab (1).
  • Apply the filter. Click on Basic Detail (2), Select Rule Name NSXSecops-DNS-Allow (3) and click on Apply.
  • Observe here that traffic is allowed for shared services - that is, NTP and DNS to the Production group - for respective context profiles.

7. Environment policies

4. Environment  In the Environment tab, you can manage high-level policy groupings like eliminating communication for test and production environments. These policy groupings can allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.

  • Choose the Environment tab (1).
  • Observe that traffic here is micro-segmented for multiple environments -  such as Production, Development and DMZ - that consist of various groups like VDI_Contractors, VDI_Employees and so on.

8. Application policies

5. Application  In this tab, you can apply Application policy rules between tiers. The priority to apply rules is from top-down and left to right. Meaning, if you write a rule in Infrastructure, it has priority over a rule in Application. So, you need to place the most fundamental rules at the top of the list.

  • Choose the Application tab (1).
  • Observe that distributed firewall rules are applied here for tiers serving multiple applications. By setting these rules, you can achieve app isolation as well as define inter-application tiers communication such as web, app and database with related services/ports like Oracle DB, MySQL and so on.

As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.

To complement this security approach, you can use VMware Aria Operations for Logs to help build an infrastructure-related rule base. VMware Aria Operations for Logs helps you preserve your logs and gain better visibility of whats going on in your environment. Find out more in the next section.