NEXT-GENERATION SECURITY WITH VMWARE NSX AND PALO ALTO NETWORKS VM-SERIES

Transcription

1 NEXT-GENERATION SECURITY WITH VMWARE NSX AND PALO ALTO NETWORKS SERIES Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 1

2 Table of Contents Introduction 3 VMware NSX Network Virtualization Overview 3 Palo Alto Networks Virtualized Next-Generation Firewall Overview 4 NSX Architecture Components 5 VMware NSX Virtual Components 5 Consumption Platform 5 Management Platform 5 Control Plane 5 Data Plane 6 NSX Distributed Firewalling 6 Network Isolation 6 Network Segmentation 6 Palo Alto Networks Integration Components 7 Virtualized Next-Generation Firewall 7 Dynamic Address Groups 7 Panorama Centralized Management 7 How the VMware NSX and Integration Works 7 Advanced Security Service Insertion and Traffic Steering 7 Panorama Service Registration and Deployment 8 Service Composer/Security Groups and Dynamic Address Groups 9 Traffic Steering 11 VMware NSX and Integration Use Cases 12 Use Case 1: VXLAN Segmentation With Advanced Protection Across Tiers 12 Use Case 2: Micro-Segmentation of a Multi-Tiered Application With Malware Protection 14 Use Case 3: Enterprise Multi-Zone Security PCI, Production and Development Zones 15 Use Case 4: Scale-In/Scale-Out for Elastic Applications 17 Traffic Visibility and Operational Efficiency 18 Integrated Offering Benefits 20 Conclusion 21 References 21 Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 2

3 Introduction This document is targeted at virtualization, security and network architects interested in deploying cloud and software-defined data center architectures based on VMware network virtualization solutions with Palo Alto Networks next-generation firewalls and services. VMware pioneered the software-defined data center to transform data center economics and increase business agility. The SDDC is rooted in virtualization and defined by three pillars: server virtualization, storage virtualization and network virtualization. Although server virtualization has enabled organizations to speed application deployment and reduce data center costs, applications also need fast provisioning of networking and security services, including support for mixed trust level workloads, to optimize infrastructure resources without compromising security. VMware and Palo Alto Networks have collaborated on an integrated offering to enable companies to realize the full potential of the SDDC while providing protection against potential vulnerabilities. The joint offering addresses current challenges faced by data centers, including: Lack of visibility into east-west (to-vm) traffic Manual, process-intensive networking configurations to deploy security within the virtualized environment Security not keeping pace with the speed of server provisioning Incomplete or irrelevant feature sets within virtualized network security platforms The VMware NSX network virtualization platform provides the network virtualization pillar of the SDDC. Using the VMware NSX platform s extensible service insertion and service chaining capabilities, Palo Alto Networks virtualized next-generation firewall is automatically and transparently deployed on every ESXi server. Context is shared between VMware NSX and Palo Alto Networks centralized management platform, enabling security teams to dynamically apply security policies to virtualized application creation and changes. This is accomplished while maintaining the separation of duties between security and virtualization/cloud IT administrators. The integrated offering provides several benefits: Better security: Enterprises can automate the delivery of Palo Alto Networks next-generation security features, including visibility, safe application enablement, and protection against known and unknown threats, to protect their virtual and cloud environments. Dynamic network security policies stay in sync with virtual application changes. Operational flexibility: Next-generation security capabilities are deployed in an automated, transparent manner without added operational complexities. Accelerated deployments of business-critical applications: Enterprises can provision security services more quickly and utilize the capacity of cloud infrastructures more efficiently to deploy, move and scale their applications without worrying about security. VMware NSX Network Virtualization Overview VMware s vision of the SDDC leverages virtualization technologies to drive economic benefits, including greater business responsiveness and improved cost efficiencies in the data center. NSX is the functional equivalent of a network hypervisor and reproduces the complete set of L2 L7 services (e.g., switching, routing, access control, firewalling, quality-of-service and load balancing) in software. As a result, these services can be programmatically assembled in any arbitrary combination to produce unique, isolated virtual networks in seconds. In much the same way that server virtualization programmatically creates, snapshots, deletes and restores software-based virtual machines, or VMs, NSX does so for software-based virtual networks. Just as VMs are independent of their underlying x86 platforms and allow IT to treat physical hosts as pools of compute capacity, virtual networks are independent of their underlying IP network hardware and allow IT to treat physical networks as pools of transport capacity that can be consumed and re-purposed on demand. Unlike legacy architectures, virtual networks can be provisioned, changed, stored, deleted and restored programmatically without reconfiguring the underlying physical hardware or topology. By delivering a completely new operational model for networking, NSX transforms networking economics, allowing data center managers to achieve orders of magnitude greater agility and scale, as well as a vastly simplified operational model for the underlying physical networks. Able to be deployed on any IP network, including existing traditional networking models and next-generation fabric architectures from any vendor, NSX is a completely non-disruptive solution. With NSX, the physical network infrastructure you already have is all you need to deploy an SDDC. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 3

4 Application Application Application Workload Workload Workload x86 environment L2, L3, L4 7 network services Virtual machine Virtual machine Virtual machine Virtual network Virtual network Virtual network Server hypervisor Requirement: x86 Decoupled Network virtualization platform Requirement: IP Transport Physical computer and memory Physical network Figure 1: Compute and network virtualization Figure 1 draws an analogy between compute and network virtualization. With server virtualization, a software abstraction layer that is, a server hypervisor reproduces the familiar attributes of an x86 physical server (e.g., CPU, RAM, disk, NIC) in software, allowing them to be programmatically assembled in any arbitrary combination to produce a unique VM. NSX includes firewalling capability to provide inherent isolation, security and network segmentation. Because each virtual network operates in its own address space, it is by default isolated from other virtual networks and the underlying physical networks. This approach effectively delivers the principle of least privilege without requiring physical subnets, VLANs, ACLs or firewall rules. Traditional firewalling solutions suffer from performance choke points and increased network capacity costs due to the need for hairpinning and multiple hops to route traffic through essential network services. Increased east-west traffic in a data center exacerbates this problem. NSX has been architected for performance at scale, and avoids the security and service blind spots that result when data center operators deploy risky routing schemes to avoid hairpinning. NSX is natively extensible to provide third-party, best-of-breed solutions. Its distributed services framework and service insertion capability allow ecosystem partners to integrate advanced services at multiple points in the logical service chain. A powerful traffic-steering capability allows any combination of network and security services to be chained together in the order defined by application policies for every application workload. NSX distributes partner services to every hypervisor, making the services available locally to VMs at runtime. Using the NSX platform s extensible service insertion and chaining capabilities, Palo Alto Networks builds on VMware s native, kernel-based firewall capabilities to add next-generation security services. Palo Alto Networks Virtualized Next-Generation Firewall Overview Fundamental shifts in application usage, user behavior and network infrastructure have evolved the threat landscape and exposed weaknesses in traditional port-based firewall protection. Users are accessing growing numbers of applications with a wide range of device types, often for work purposes, yet with little regard for the business or security risks. Meanwhile, data center expansion, network segmentation, virtualization and mobility initiatives are forcing organizations to rethink how they should enable access to applications and data while still protecting their networks from a new, more sophisticated class of advanced threats adept at evading traditional security mechanisms. Historically, organizations were left with two basic choices: block everything in the interest of network security or enable everything in the interest of business. These choices left little room for compromise. Palo Alto Networks pioneered the next-generation firewall to enable organizations to do both safely enable applications while protecting themselves against known and unknown threats. Unique to Palo Alto Networks Next-Generation Security Platform is the use of a positive control model that lets security IT administrators safely enable specific applications or functions and block all else, implicitly or explicitly. This model uses the following approach: Classify all traffic, across all ports, all the time: Today, applications and their associated content can easily bypass port-based firewalls using a variety of techniques. Palo Alto Networks Next-Generation Security Platform addresses the traffic classification visibility limitations that plague port-based security by natively applying multiple classification mechanisms to the traffic stream, as soon as the platform sees it, to identify the applications traversing your network and determine if they are carrying threats or malware. All traffic is classified, regardless of port, encryption or evasive techniques employed. Unidentified applications typically a small percentage of traffic, yet high in potential risk are automatically categorized for systematic management. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 4

5 Reduce threat footprint, prevent known threats: Once their traffic is fully classified, organizations can protect their networks from a range of cyberattacks by allowing only business-critical applications and inspecting the content of said applications for exploits, malware, dangerous files or content. Intrusion Prevention System capabilities block network and application-layer vulnerability exploits, buffer overflows, denial-of-service attacks and port scans. Antivirus and anti-spyware protection blocks millions of malware variants, including those hidden within compressed files, web traffic and PDFs. For traffic that may be encrypted with SSL, policy-based decryption can be selectively applied, and traffic can be inspected for threats, regardless of port. Threat prevention capabilities go beyond simply blocking malicious content to include the control of specific file types by policy, as well as inspection of traffic for specific content to prevent data loss. Prevent unknown threats: Custom or otherwise unknown threats, such as polymorphic malware, are increasingly used in modern cyberattacks. The Next-Generation Security Platform uses WildFire cloud-based threat analysis service to identify unknown threats by executing unknown files and directly observing their malicious behavior in a sandbox environment. If WildFire discovers new malware, it automatically generates a signature for the malicious file and related traffic, and delivers the signature to the rest of the platform in as few as five minutes. WildFire supports all major file types, including PE files,.doc,.xls,.ppt, PDF, Java Applet files; Android Application Package, Flash and links. Unlike traditional blade or UTM architectures that notoriously introduce performance penalties for each feature enabled due to repeatedly processing traffic for each one, Palo Alto Networks performs all networking, policy lookup, application identification and signature matching for all threats and content in a single pass. This means performance remains steady even as additional features are enabled. NSX Architecture Components VMware NSX Virtual Components Virtual Network Services Distributed switching Distributed routing Distributed firewalling Distributed load balancing Data Plane NSX Controller Control Plane NSX Controller Physical workloads and LANs Rest API Consumption Cloud management platform Management Plane NSX Manager Figure 2: VMware network virtualization solution components Consumption Platform Typically, end users tie in network virtualization to their cloud management platform for deploying applications. NSX provides a rich set of integration points for virtually any cloud management platform via the REST API. In a vsphere environment, NSX is integrated with the vsphere web UI itself, providing an out-of-the-box experience for deployment and consumption of the services. Management Platform The NSX management plane is built by the NSX Manager. The NSX Manager provides a single point of configuration and exposes REST API entry points. Control Plane The NSX control plane enables multicast-free virtual extensible LAN VXLAN control plane programming of distributed logical routers. The control plane is managed centrally through the NSX controller. The controller is highly resilient and failure-tolerant, and runs independently of the data path that runs under the vsphere Distributed Switch, or VDS. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 5

6 Data Plane The NSX data plane consists of the NSX vsphere Distributed Switch with add-on components, such as distributed routing, distributed firewall and VXLAN bridging support. These services run as kernel modules, providing scalable and line-rate performance. The NSX VDS abstracts the physical network and provides access-level switching in the hypervisor. Key functions central to network virtualization and decoupling logical networks from the underlying physical components include: VXLAN protocol-based support for overlay networks and centralized network configuration. Overlay networking enables extension of a Layer 2 segment anywhere in the fabric, without physical network design constraints. Distributed L3 routing optimizes the forwarding of logical network segment traffic laterally while maintaining isolation between tenants. Distributed firewall security enforced at the kernel and vnic level itself. This enables firewall rule enforcement in a highly scalable manner without creating bottlenecks onto physical appliances. The firewall is distributed in the kernel, allowing minimal CPU overhead and line-rate performance. Traditional network features port mirroring, NetFlow/IPFIX, configuration backup and restore, network health check, QoS, LACP, etc. Logical load balancing support for L4 L7 load balancing. NSX Distributed Firewalling The VMware NSX platform includes distributed, kernel-enabled firewalling with line-rate performance, virtualization and identity aware with activity monitoring, among other network security features native to network virtualization. Network Isolation Isolation is the foundation of most network security, whether for compliance, containment or simply keeping development, test and production environments from interacting. Traditionally, virtual route forwarding, access control lists, physically separated stacks (e.g., network and compute) and physical firewall rules/contexts have been used to establish and enforce isolation. In network virtualization, virtual networks are isolated from one another and from the underlying physical network by default, delivering the security principle of least privilege. Virtual networks are created in isolation and remain isolated unless specifically connected. No physical subnets, VLANs, ACLs or firewall rules are required to enable this isolation. An isolated virtual network can be made up of workloads distributed anywhere in the data center. Workloads in the same virtual network can reside on the same or separate hypervisors. Additionally, workloads in multiple isolated virtual networks can reside on the same hypervisor. Case in point, isolation between virtual networks allows for overlapping IP addresses, making it possible to have isolated development, test and production virtual networks, each with different application versions, but with the same IP addresses, all operating simultaneously on the same underlying physical infrastructure. Virtual networks are also isolated from the underlying physical infrastructure. Because traffic between hypervisors is encapsulated, physical network devices operate in a completely different address space from the workloads connected to the virtual networks. For example, a virtual network could support IPv6 application workloads on top of an IPv4 physical network. This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network, independent from any VLANs, ACLs or firewall rules that would traditionally be required. Network Segmentation Network isolation is between discrete entities. Network segmentation, however, applies to homogeneous entities to, for instance, provide protection within a group or three-tiered application. Traditionally, network segmentation is a function of a physical firewall or router, designed to allow or deny traffic between network segments or tiers, such as a web tier, application tier and database tier. Traditional processes for defining and configuring segmentation are time-consuming and prone to human error, contributing to the success of many security breaches. Implementation requires deep, specific expertise in device configuration syntax, network addressing, application ports and protocols. Network segmentation, like isolation, is a core capability of VMware NSX network virtualization. A virtual network can support a multi-tier network environment, meaning multiple L2 segments with L3 segmentation or micro-segmentation on a single L2 segment using distributed firewall rules. In a virtual network, network services (L2, L3, ACL, firewall, QoS, etc.) provisioned with a workload are programmatically created and distributed to the hypervisor vswitch. Network services, including L3 segmentation and firewalling, are enforced at the virtual interface. Isolation and segmentation require identifying application flows and enforcing security policies, which can be created programmatically or through a template-based process. Integrating virtual isolation and segmentation with physical firewall functions and workflow has been the Achilles heel of securing virtual data centers. Integration of Palo Alto Networks physical and virtual next-generation firewall services with the NSX native security capabilities gives cloud administration a powerful method to manage the risk associated with integration between the physical and virtual domains. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 6

7 Palo Alto Networks Integration Components The following are key elements of the on VMware NSX integrated offering: Virtualized Next-Generation Firewall firewalls extend safe application enablement to virtualized and cloud environments using the same PAN-OS feature set available in Palo Alto Networks hardware firewalls. This means when applied to a virtualized and cloud environment, the can use App-ID technology to precisely identify the application traffic traversing VMs and subsequently apply coordinated threat prevention policies to the allowed traffic to block known malware sites and prevent vulnerability exploits, viruses, spyware, and malicious DNS queries using Content-ID technology. Unknown malware is analyzed and identified by executing the files and directly observing their malicious behavior in a sandbox environment via WildFire. firewall models 100, 300/1000-HV and 500 are optimized to deliver between 1 and 6 Gbps of App-ID-enabled firewall performance. They also offer the flexibility of deploying secure multi-tenant-ready workloads and horizontal scaling, with support for multiple firewalls on a single hypervisor host. Dynamic Address Groups In a virtualized and cloud environment where virtual machines often change functions and can move from server to server, building security policies based on static IP addresses alone can have limited value. The Dynamic Address Groups feature introduced in PAN-OS 6.0 allows you to create policies using tags as identifiers for virtual machines instead of static object definitions. Multiple tags representing VM attributes, such as IP address and operating system, can be resolved within a Dynamic Address Group, allowing you to dynamically apply policies to VMs as they are created or travel across your network. Panorama Centralized Management Security appliances in virtual and cloud environments should be managed in the same manner as physical security appliances. Panorama network security management enables you to centrally manage device configuration, policy deployment, forensic analysis and report generation across your entire network of next-generation firewalls. Panorama automatically registers the Palo Alto Networks as a service to NSX. Once registered, it can be deployed to one or more clusters. Each host on the cluster will automatically have a firewall deployed, licensed, registered and configured. Cloud admin NSX Manager 1. Register as available security service 5. Update with real-time context of VM changes PN Security admin 2. Automatically deploy on all hosts 3. Register to receive licenses and intial policy 4. Install hypervisor rules to firewall service insertion Figure 3: on VMware NSX integration workflow How the VMware NSX and Integration Works Advanced Security Service Insertion and Traffic Steering The VMware NSX network virtualization platform provides L2 L4 stateful firewalling features to deliver segmentation within virtual networks. Environments that require advanced, application-level network security capabilities can leverage VMware NSX to distribute, enable and enforce advanced network security services in a virtualized network context. NSX distributes network services into the VM s virtual network interface card, or vnic, to form a logical pipeline of services applied to virtual network traffic. The firewall integrates directly into this logical pipeline to provide visibility and safe enablement of VM traffic and applications as well as complete threat prevention. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 7

8 Another powerful benefit of VMware NSX and integration is the ability to build policies that leverage NSX service insertion, chaining and steering to drive service execution in the logical services pipeline, based on the result of other services, making it possible to coordinate otherwise unrelated network security services from multiple vendors. Panorama Service Registration and Deployment The first step in deploying the integrated offering is to define NSX Manager information, i.e., IP/hostname and credentials, in Panorama so the firewall may be registered as an advanced NSX service. Registration provides the necessary data to deploy PAN-OS as a service and allows NSX to update Panorama with dynamic changes to the SDDC. With the Panorama plugin architecture introduced in PAN-OS 8.0, NSX integration components within Panorama can be updated asynchronously without a software update of PAN-OS version itself. Figure 4: Service registration with NSX from Panorama The second step is to deploy the Palo Alto Networks NGFW service on each host of the cluster. Once the deployment process for a cluster begins, NSX will automatically load the defined OVF on each host, boot the firewall, and provide it with addressing and Panorama information. Then Panorama will license each firewall as well as push the shared policies and configuration elements. If a new host is added to a cluster, these steps will be performed automatically, and the new host will be ready to enforce your security policy. Figure 5: Successful deployment of Palo Alto Networks Palo Alto Networks is instantiated with only one vnic for management purposes. This interface enables communication with Panorama to retrieve policy rule configuration and exchange real-time information, such as traffic logs and policy updates. When these two steps have been completed, the Palo Alto Networks firewall service is ready for consumption. Deployments on each cluster can now have different licenses, policies, PAN-OS software versions on the service VMs, etc. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 8

9 Figure 6: Service definition of Palo Alto Networks Service Composer/Security Groups and Dynamic Address Groups The integration leverages VMware Service Composer to create logical groups of the assets to be protected, including VM, vnic, clusters and users. NSX and Panorama can do a dynamic exchange of the protected policy objects in two ways: The integration workflows between NSX and Panorama can be achieved by leveraging VMware s Service Composer. In this approach, a Security Group is created under NSX, and the information is transmitted to Panorama. The security administrator can link NSX Security Groups with Panorama Dynamic Address Groups to identify which workloads need to be protected. Subsequently, PAN-OS security policies referencing these Dynamic Address Groups will be applied to the traffic flows. With PAN-OS 8.0, Panorama offers an alternative approach for managing the security policy lifecycle that further simplifies the configuration steps and synchronization needed between security and network administrators. Security admins can create Dynamic Address Groups with NSX-specific match criteria, utilize them in security policies and auto-generate traffic-steering rules within Panorama. Security policy creation within Panorama populates all necessary NSX components, such as Security Groups and firewall policies, without requiring them to be reconfigured in NSX. Figure 7: Security Group definition of Palo Alto Networks Figure 8: Dynamic Address Groups within Panorama Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 9

10 Figure 9: Automated mapping of Dynamic Address Groups to NSX Security Groups Any VM added or removed inside a Security Group is immediately reflected within its Dynamic Address Group, and the relevant security policies take effect without a need to reconfigure the firewalls or Panorama. In addition, updates to NSX Security Groups can be forwarded to other Palo Alto Networks firewalls using the Notify Device Groups feature in PAN-OS. This is specified during the registration process in Panorama. A physical data center perimeter firewall may also have Dynamic Address Groups, which can be linked to NSX Security Groups with Notify Device Groups. This enables physical firewalls to dynamically enforce security policy for traffic entering the data center, so that as VMs join and leave your NSX Security Groups, the perimeter firewall will dynamically learn about those addresses just as the firewalls do. This also helps in replicating Dynamic Address Groups across multiple Panorama management systems as NSX security tags are mapped to Dynamic Address Group tags internally by Panorama. Figure 10: Notify device groups Traffic Steering Traffic steering from a guest VM to a firewall is performed internally, at the hypervisor level, using shared memory space. Traffic steering can be accomplished in two ways. The new approach (available from PAN-OS 8.0 onward) for security administrators is to auto-generate traffic steering rules based on security policy configurations within Panorama. Traffic steering rules define policy for redirection of traffic flows to firewalls for advanced inspection. All NSX-related configurations, such as Security Groups, policies and traffic redirection rules, can now be derived from the corresponding objects in Panorama and automatically pushed to NSX Manager. Once the configurations are committed, Panorama pushes them to NSX Manager and keeps the objects in sync between the two systems. After the configuration is initiated from Panorama, the address groups get translated to security groups in NSX, and the corresponding redirection rules will be applied to VMs that match the security group criteria defined by NSX administrators. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 10

11 Figure 11: Auto-generated traffic steering rules in Panorama In another well-known approach to traffic steering, the NSX administrator specifies VM attributes, such as DVS port-group or logical switch, that need to be served by the firewall in the relevant security groups. Using security policies within the Service Composer, the security team can granularly define traffic flows to be redirected to the firewall for inspection and enforcement. Traffic allowed by the firewall is then returned to the NSX virtual switch for delivery to its final destination the guest VM or physical device. Traffic redirection, defined within the Network Introspection Service window, can be defined in the following ways: From Security Group (e.g., SG-1) to Security Group (e.g., SG-2) From ANY* to Security Group (e.g., SG-1) From Security Group (e.g., SG-1) to ANY* *ANY means any source or destination IP address, respectively. VMware NSX and Integration Use Cases Use Case 1: VXLAN Segmentation With Advanced Protection Across Tiers In this scenario, guest VMs are segregated using a traditional model of segmentation based on L2 domain separation. VMs are connected to dedicated VXLAN logical switches based on role. For instance, in a three-tier application model, all web server VMs are connected to the WEB logical switch (VXLAN ID 5000), application logic VMs to the APP logical switch (VXLAN ID 5001) and database VMs to the DB logical switch (VXLAN ID 5002). Guest VMs can be instantiated in any ESXi host as long as VXLAN reachability is extended to these hosts in other words, if the clusters belong to same transport zone. Figure 12: Security policies within NSX Service Composer Figure 14 shows this example topology. In this topology, compute clusters 1 and 2 belong to the same transport zone, meaning any logical switch (VXLAN ID 5000 to 5002) can be expanded to any host. Even if WEB-1 and WEB-2 are created on different hosts, they are connected to the same L2 domain. To enable communication between WEB, APP and DB tiers, the logical routing function of NSX is leveraged so that a single logical router instance connects all three logical switches. Note that ESXi hosts in this topology have had all NSX kernel modules successfully installed so the Distributed Firewall, or DFW, module can run and operate. DFW is a key element for traffic redirection to the Palo Alto Networks firewall. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 11

12 Figure 13: Auto-generated traffic steering rules in Panorama In terms of traffic steering, the following configurations will be applied: Traffic from the INTERNET tier to the WEB tier is redirected by the guest VM and processed by the firewall. Traffic from the WEB tier to the APP tier is redirected by the guest VM and processed by the firewall. Traffic from the APP tier to the DB tier is redirected by the guest VM and processed by the firewall. This list is not exhaustive and depends on the customer s traffic engineering. SG-PA-WEB SG-PA-APP SG-PA-DB SG-PA-WEB WEB-1 APP-1 DB-1 WEB-2 VDS Compute cluster 1 Compute cluster 2 L2/L3 switch MGMT port-group WEB logical switch (VXLAN) APP logical switch (VXLAN) DB logical switch (VXLAN) Figure 14: Physical view of Use Case 1 topology Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 12

13 Once traffic reaches the Palo Alto Networks firewall, security policies defined on Panorama will dictate the enforcement action for the identified application. Figure 15 shows a logical view of traffic redirection and processing for this use case. SG-PA-WEB SG-PA-APP SG-PA-DB WEB-1 WEB-2 APP-1 User Palo Alto Networks FW Palo Alto Networks FW Palo Alto Networks FW DFW and filtering module Figure 15: Logical view of traffic flows in Use Case 1 To implement this, we first need to create the following Security Groups: Security Group Name Inclusion SG-PA-WEB WEB logical switch (VXLAN ID 5000) SG-PA-APP APP logical switch (VXLAN ID 500) SG-PA-DB DEB logical switch (VXLAN ID 5002) A Security Group is a dynamic construct by nature. As defined in the table above, any new or existing VM connected to the WEB logical switch will automatically be part of SG-PA-WEB. The same behavior applies to VMs connected to the APP logical switch or the DB logical switch. Secondly, we need to configure the following security policies: Security Policy Name Network Introspection Policy SP Applied to Comments SP-PA-INTERNET-to-WEB SG-PA-WEB-to-APP SG-PA-APP-to-DB Source: any Destination: policy s Security Group Protocol: any Action: rederect to PA NGFW Source: SG-PA-WEB Destination: policy s Security Group Protocol: any Action: redirect to PA NGFW Source: SG-PA-APP Destination: policy s Security Group Protocol: any Action: redirect to PA NGFW SG-PA-WEB SG-PA-APP SG-PA-DB Any traffic from INTERNET tier to WEB tier is redirected to firewall Any traffic from WEB tier to APP tier is redirected to firewall Any traffic from APP tier to DB tier is redirected to firewall Note that security policies allow for more granular configuration in traffic redirection. Instead of redirecting all traffic, it is possible to define specific traffic to redirect using the TCP/UDP destination port and/or, optionally, the source port. As an example, if only HTTPS traffic needs to be redirected to the firewall, you would use destination TCP port 443. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 13

14 After completing the NSX configuration, the next step is to define a Dynamic Address Group on Panorama. One-to-one mapping exists between a Dynamic Address Group and a Security Group: Dynamic Address Group DAG-PA-WEB DAG-PA-APP DAG-PA-DB Security Group Name SG-PA-WEB SG-PA-APP SG-PA-DB The last step is to define security policy rules on Panorama. At this level, the security administrator can define which applications are authorized or forbidden from the internet and between tiers of the application. For instance, in this use case, HTTP and HTTPS are allowed at the WEB tier for traffic coming from the internet. Message Bus applications are permitted at the APP tier, and the SQL protocol is authorized at the DB tier. All other applications are denied by default. The following table shows an example of policy rules defined on Panorama: Source Destination Application Action Any DAG-PA-WEB HTTP, HTTPS Permit DAG-PA-WEB DAG-PA-APP RabbitMQ Permit DAG-PA-APP DAG-PA-DB SQL Permit Use Case 2: Micro-Segmentation of a Multi-Tiered Application With Malware Protection In this next use case, we do not rely on traditional network constructs for segmentation (i.e., guest VMs segregated per L2 domain based on role). Using the integrated VMware NSX and Palo Alto Networks offering, the segmentation is now independent of the network topology, and the NSX Security Groups with Panorama Dynamic Address Group objects can be used for segmentation and security enforcement. For example, a customer with an application that has web front-end, application and database tiers no longer needs to create three network segments all these tiers and VMs can exist on one flat virtual network. NSX Security Groups, which define the micro-segmentation, align VMs with the tiers of the application. Steering rules can be created in NSX Service Composer/Security Policy to redirect traffic between any of the tiers to the firewalls. Using Panorama Dynamic Address Groups, security policies based on the same tiers are enforced. This can ensure, for example, that only SQL traffic is allowed between the application and database tiers. Figure 16 shows the topology for Use Case 2. SG-PA-WEB SG-PA-APP SG-PA-DB SG-PA-WEB WEB-1 APP-1 DB-1 WEB-2 VDS Compute cluster 1 Compute cluster 2 L2/L3 switch MGMT port-group VM port-group or logical switch Figure 16: Physical view of Use Case 2 topology Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 14

15 When inspecting traffic between these tiers, the firewall will perform deep packet inspection first to ensure the application is valid and contains no threats. The will prevent viruses, botnet traffic, malware and other threats from flowing between the tiers. This gives visibility and protection in the SDDC east-west traffic that isn t available on the perimeter firewall. Dynamic signature updates from Panorama guarantee the firewall is always armed with intelligence from the latest threat and application databases. SG-PA-WEB SG-PA-DB SG-PA-DB WEB-1 WEB-2 APP-1 User Palo Alto Networks FW Palo Alto Networks FW Palo Alto Networks FW DFW and filtering module Figure 17: Logical view of traffic flows in Use Case 2 Figure 17 shows a logical view of traffic redirection and processing for this use case. The only difference in terms of configuration between this use case and the previous one (VXLAN segmentation) is the way Security Groups needs to be configured. Security Group Name SG-PA-WEB SG-PA-APP SG-PA-DB Inclusion WEB-1, WEB-2 APP-1 DB-1 Instead of using logical switches for the inclusion field, we need to explicitly select the appropriate guest VM. Note: If using standardized guest VM naming conventions, you can use the Security Group dynamic inclusion feature. For instance, if all WEB VMs start with WEB, APP VM names start with APP, and so on, we can use the following Security Group definitions: Security Group Name SG-PA-WEB SG-PA-APP SG-PA-DB Inclusion (Dynamic) VM name contains WEB VM name contains APP VM name contains DB This way, when a new WEB, APP or DB VM is instantiated using the same naming conventions, the new VM will automatically be integrated into the corresponding Security Group, which will trigger an update to the associated Panorama Dynamic Address Group. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 15

16 Use Case 3: Enterprise Multi-Zone Security PCI, Production and Development Zones In this scenario, an SDDC is created with three internal zones: Dev Zone: Developers use this zone to create, test and validate new types of enterprise applications. Prod Zone: All applications running under production are located in this part of the SDDC. PCI Zone: This zone is for VMs that require access to customer personal information and payment card identification (compliance-driven environment). User PN Dev Zone Prod Zone PCI Zone SDDC DFW Figure 18: Multi-zone software-defined data center Traffic from the Dev Zone to the Prod Zone is protected by DFW. Traffic from the Prod Zone to the PCI Zone is redirected and enforced by the firewall with the advanced security features of PAN-OS, such as the intrusion prevention system and malware prevention. Palo Alto Networks provides critical functionality when dealing with PCI compliance. Please refer to the link in the reference section to learn more about it. To implement this use case, we need to create the following three Security Groups: Security Group Name SG-DEV-ZONE SG-PROD-ZONE SG-PCI-ZONE Inclusion All logical switches used in Dev Zone (or all virtual switches port-group) All logical switches used in Prod Zone (or all virtual switches port-group) All logical switches used in PCI zone (or all virtual switches port-group) You can use the following Security Policy to redirect traffic between the Prod Zone and the PCI Zone to the firewall: Security Policy Name Network Introspection Policy SP Applied to SP-PA-DEV-to-PROD-ZONE Source: Policy s Security Group Destination: SG-PROD-ZONE Protocol: any Action: do not redirect SG-DEV-ZONE Source: Policy s Security Group SP-PA-PROD-to-PCI-ZONE Destination: SG-PCI-Zone Protocol: any SG-PROD-ZONE Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 16

17 In Panorama, make sure Dynamic Address Groups are mapped one-to-one with Security Groups: Dynamic Address Group DAG-PA-PROD-ZONE DAG-PA-PCI-ZONE Security Group Name SG-PROD-ZONE SG-PCI-ZONE Finally, on Panorama, define policy rules for applications/protocols permitted or denied between Prod Zone and PCI Zone: Source Destination Application Action DAG-PA-PROD-ZONE DAG-PA-PCI-ZONE SQL, HTTPS, LDAP Any Permit Use Case 4: Scale-In/Scale-Out for Elastic Applications One major characteristic of cloud technology is its ability to dynamically adapt to user workload. During high activity periods, an application should be able to scale out rapidly and automatically to absorb end-user traffic. In the same way, once activity returns to a normal or lower state, the application should be able to scale down dynamically to save energy and resources. Such applications are commonly called elastic applications. Let s take a three-tier type of application with WEB, APP and DB tiers as an example. In case of high activity, the WEB and APP tiers should be able to expand quickly without human intervention. Once VMs are instantiated on these tiers, enforcement of consistent security policy will guarantee protection even in cases of dynamic workload creation and/or intrinsic application growth. WEB-1 APP-1 WEB-3 DB-1 APP-2 WEB-2 VDS Compute cluster 1 Compute cluster 2 L2/L3 Switch MGMT port-group VM port-group or logical switch Figure 19: Physical view of Use Case 4 topology Starting with Use Case 2 though the same concepts apply to Use Case 1 let s consider a scale-out situation. An application must be expanded to support high demand. This is practically translated by adding additional WEB VMs and APP VMs. As depicted in Figure 19, WEB-3 and APP-2 have been added dynamically to the WEB and APP tiers, respectively. Notice that WEB-3 has been added to ESXi Host 2 not Host 1, where WEB-1 resides, or Host 4, where WEB-2 resides. There is no requirement that VMs belonging to the same tier should reside on the same ESXi host. Existing policy rules defined on Panorama will be enforced for the two new VMs. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 17

18 Figure 20 shows a logical view of traffic redirection and processing for this use case: SG-PA-WEB SG-PA-WEB SG-PA-DB WEB-1 WEB-2 APP-1 User Palo Alto Networks FW Palo Alto Networks FW Palo Alto Networks FW DFW and filtering module Figure 20: Logical view of traffic flows in Use Case 4 Upon completing the boot process, WEB-3 and APP-2 will register to vcenter and NSX via VMware tools. WEB-3 will be automatically added to SG-PA-WEB, and APP-2 will be automatically added to SG-PA-APP using dynamic inclusion based on naming conventions. All traffic redirection enforced for the Security Groups will be applied to the new VMs. Because there is a dynamic relationship between a Security Group on NSX and a Dynamic Address Group on Panorama, the IP addresses of the two new VMs will be automatically transmitted from NSX to Panorama, which will in turn update all firewalls in the cluster. As shown above, there is absolutely no human intervention in case of scale-out; the application still grows organically, and both NSX and the firewalls will be able to apply traffic redirection and traffic protection adequately for the newly created VMs. Further, PAN-OS security policy will be seamlessly, automatically applied to WEB-3 and APP-2. In case of a scale-down scenario for instance, removal of WEB-3 and APP-2 because of lower activity NSX and firewalls behave the same way: both new VMs will be automatically removed from their respective Security Groups, and associated Dynamic Address Groups will be immediately updated with this information automatically. Traffic Visibility and Operational Efficiency Using next-generation firewall features, such as App-ID and Threat Prevention, you can safely enable applications. Figure 21 shows a sample security policy rule dictating which applications are allowed between the application servers and the database servers. Figure 21: Security policies in Panorama Only the required applications are allowed, and the firewall inspects packets to verify they come from allowed applications, and not from malicious applications using standard ports. PAN-OS also inspects the traffic for threats, including vulnerability exploits, viruses and other malware. Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 18

19 Canvas view in Service Composer (see Figure 22) provides a quick view of all Security Groups defined on NSX as well as characteristics per Security Group. Figure 22: Service Composer s Canvas view Let s take SG-PA-WEB as an example, as shown in Figure 23. The 2 at bottom left tells you the number of VMs included in this Security Group, while the 2 in the upper right tells you the number of security policies attached. The 1 in the right column indicates the number of NSX firewall rules created for this Security Group. And finally, the 2 in the bottom right indicates the number of traffic redirection rules instantiated. As seen in Figure 23, clicking on any of these numbers will display related details. Figure 23: Guest VM within a security group Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 19

20 The ESXi host provides a CLI to check traffic redirection configuration at the VM layer and some associated statistics. You can connect to the ESXi host using SSH assuming access service is enabled on the host itself by typing the following commands: ~ # summarize-dvfilter <snip> world vmm0:web-1 vcuuid: cd de a5 08 a6-fe c1 ce e2 94 ce port WEB-1.eth0 vnic slot 2 name: nic eth0-vmwaresfw.2 agentname: vmware-sfw state: IOChain Attached vmstate: Detached failurepolicy: failclosed slowpathid: none filter source: Dynamic Filter Creation vnic slot 4 agentname: serviceinstance- 1 state: IOChain Attached vmstate: Attached failurepolicy: failopen slowpathid: 1 filter source: Dynamic Filter Creation <snip> ~ # vsipioctl getrules -f nic eth0-serviceinstance-1.4 ruleset 1441 { # Filter rules rule 4952 at 2 out protocol any from addrset ip-securitygroup-35 to addrset ip-securitygroup-36 punt with log; rule 4956 at 3 out protocol any from addrset ip-securitygroup-36 to addrset ip-securitygroup-35 punt with log; rule 4960 at 4 in protocol any from any to addrset ip-securitygroup-16 punt with log; } ~ # vsipioctl getaddrsets -f nic eth0-serviceinstance-1.4 addrset ip-securitygroup-16 { ip , ip , ip fe80::54bd:5144:2bde:f58c, ip fe80::a450:d96f:26c0:b5fe, } addrset ip-securitygroup-35 { ip , ip fe80::a450:d96f:26c0:b5fe, } addrset ip-securitygroup-36 { ip , ip fe80::54bd:5144:2bde:f58c, } ~ # vsipioctl getrules -f nic eth0-serviceinstance-1.4 -s rule 4952: evals, in 0 out 0 pkts, in 0 out 0 bytes rule 4956: evals, in 0 out 0 pkts, in 0 out 0 bytes rule 4960: evals, in out 497 pkts, in out bytes Palo Alto Networks Next-Generation Security With VMware NSX and Palo Alto Networks White Paper 20

21 Integrated Offering Benefits VMware NSX and Palo Alto Networks integration provides the following benefits: Independence from networking topology: Security policies are applied regardless of where or when a VM connects. This works with any network overlay and with traditional VLAN networking. Automated deployment and provisioning: Next-generation security is in lockstep with the fluid virtual compute layer. Panorama communicates with the NSX Manager to register as a security management platform, providing information about the firewall. The NSX Manager then automates the deployment of next-generation security services on every VMware ESXi server. Each firewall deployed then communicates directly with Panorama for automated licensing and provisioning. Seamless traffic steering to next-generation security: Within the VMware virtualized server environment, application traffic is steered to the via ESXi kernel module without the need to manually make configuration changes to virtual networking elements. Dynamic security policies based on application, user, content: and Security Group: Next-generation firewall security policies can be defined based on applications, users, content and VM containers. Virtualized applications are instantiated and placed in logical containers called Security Groups, which are mapped to Dynamic Address Groups in Panorama. Full context sharing between VMware and Palo Alto Networks management platforms ensures Dynamic Address Groups are updated with the latest information representing the VM container instead of having to manually track hundreds or thousands of IP addresses. This makes it incredibly easy to apply security to virtualized applications, no matter when they are created or moved across the network. Next-generation security protection for virtualized applications and data: Because firewalls support PAN-OS, comprehensive next-generation security features can be deployed to identify, control and safely enable data center applications while inspecting all content for threats. Safe application enablement means you can build firewall policies based on application, application feature, users, user groups and content as opposed to port, protocol and IP address transforming your traditional firewall policies into business-friendly elements. Threat prevention capabilities address the whole attack lifecycle, featuring protection against exploits, viruses, spyware, malware and targeted unknown threats. Linear scaling with the number of hypervisors: IT administrators no longer need to guess how much network security capacity is needed. Anytime a new hypervisor is added, security capacity is automatically added. Conclusion The VMware network virtualization offering addresses current challenges with physical network infrastructure and brings flexibility, agility and scale through VXLAN-based logical networks. Along with the ability to create on-demand logical networks using VXLAN, the vcloud Networking and Security Edge gateway helps users deploy various logical network services, such as firewall, DHCP, NAT and load balancing on these networks. The VMware NSX and Palo Alto Networks integrated offering extends the basic firewall services delivered by the NSX virtualization platform. The joint offering provides an integrated data center solution that allows IT organizations to unlock all the benefits of an SDDC, from greater flexibility and agility to optimized capacity utilization and operational efficiencies, without compromising security. IT administrators can now automate the delivery of leading next-generation security services from Palo Alto Networks in lockstep with the fluid virtual compute layer to provide comprehensive visibility and safe enablement of all data center traffic, including intraserver virtual machine communications. References Palo Alto Networks on VMware NSX (datasheet) VMware Compatibility Guide for on NSX on NSX: Implementation and Traffic Steering Guidelines Next-Generation Data Center Security Implementation Guidelines Securing the Virtualized Data Center With Next-Generation firewalls Palo Alto Networks Documentation 3000 Tannery Way Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. next-generationsecurity-with-vmware-nsx-and-palo-alto-networks-vm-series-wp