Rich Mingin (PLUG) on 7 Jul 2017 16:55:32 -0700
Re: [PLUG] Fios Quantum Gateway Router / Cabling type
----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Friday, July 7, 2017 7:19:50 AM
> Subject: Re: [PLUG] Fios Quantum Gateway Router / Cabling type
> On Thu, Jul 6, 2017 at 10:37 PM, Lee H. Marzke <lee@marzke.net> wrote:
>>
>> I believe VMware has government certifications that verify that. The old days
>> of requiring an air-gap between
>> different security levels are long gone - and VMware NSX provides much more
>> security than an air gap.
>
> I wouldn't call a firewall an "air gap." When you have an air gap
> between different security levels there is simply no way for them to
> communicate at all.
Sorry, the old method of separating workloads was to put them on separate hypervisor clusters
with no network connections between them - or an air-gap. This is inefficient as you have
to break up clusters by security zone, and resources are wasted in each new cluster.
VMware has been advocating putting different security workloads together on the same hypervisor
with a virtual firewall around each VM that follows it wherever it moves.
>
> In any case, how can anything provide "much more security" than either
> a firewall or an air gap, especially at that level of abstraction?
Because manually written firewall rules get horribly complex, and as a rule they
are added but never removed, so all this old cruft gets left behind. So writing
rules for each VM, each tier of an application, and separating each multi-tier app
from another (together called micro-segmentation) can't possibly be kept up to date
manually. However, when the rules are written at a higher level, and the actual
firewall rules are auto-generated dynamically, the firewall is essentially always
up to date (to the second). It's like the difference between programming in assembly language
and writing in Python - the higher level abstraction is much easier for humans to understand
and the grunt work of the actual IP-based firewall rules is done for you.
It isn't magic - just automating the complicated parts that people don't do well by
moving to a higher level of abstraction. A 'blueprint' graphical design documents each
3-tier application, including VMs, networks, and security rules, and the design can then
be pushed out to VMware cloud on prem, VMware cloud partners, VMware on AWS, plain AWS, or other
clouds in the future.
Then NSX uses these 4M virtual-wires over VXLAN for micro-segmentation - and never needs
to touch or change any physical switch, because all the decisions are done by the firewall and router
in each hypervisor. (NSX consists of hypervisor modules, APIs and VMs to virtualize
an entire data-center, including routers, load balancers, VPN, DHCP, FW, etc.)
Note that this software-defined network model is different from Cisco's Application Centric Infrastructure (ACI),
which uses a split data/control plane in each switch. Cisco requires new switches and new
SDN manager components (that sells more Cisco equipment), while the VMware
version realizes SDN in software only, using an overlay network of tunnels through existing switches. Instead
of the switch needing to make a decision on each packet, the hypervisor essentially makes the decision and sends traffic down
the correct pre-defined VXLAN virtual wire. This functionality comes from VMware's purchase of Nicira a few years ago.
Kind of makes sense that SDN should be defined fully in software instead of requiring all new switches as in the Cisco method.
Not to say everything is perfect yet - if you have physical boxes needing access, then you need special
VXLAN-to-VLAN gateways - Arista and others have these built into their switches.
>
> I'm not arguing that NSX isn't secure. The statement above just
> seemed to go a bit far with the claim.
The whole world of SDN and software-defined storage is rapidly changing everything. I'm sure new issues will
show up - but in general this solves the human complexity problem of managing so many firewall rules, so I think
it is quite a bit better and more secure than the old model. I believe VMware has gotten PCI certifications
with PCI / non-PCI compliant VMs on the same hypervisor, but not government Secret / TS VMs next to unclassified.
>
> I could see the argument that an implementation of a
> firewall/network/etc that provides a more clearly defined
> infrastructure would be more secure than an implementation that does
> not, because it reduces the risk of a configuration error. Tools for
> orchestration and software-defined infrastructure can help provide
> security to ensure that every host only talks to exactly the hosts it
> needs to, for example.
OK, you just said what I was explaining above.
The security is actually much more fine-grained, at the VM virtual NIC level,
and continues to work even during vMotion of the VM across hosts and/or clusters.
Lately each virtual NIC has 'insertion points' in the data flow so it can have traffic redirected,
for instance to a hardware-based Palo Alto next-gen firewall, or redirected
for anti-virus scanning by Trend Micro, or to an F5 load balancer, so it's not just
limited to VMware anymore. This is all OS agnostic - as long as you have vmxnet3 virtual NICs,
so Linux has full support.
Much of the NSX design is also to reduce hair-pinning of micro-segmented traffic (where two adjacent
VMs would need their traffic to flow out through several switches and a firewall just to get back to
the adjacent VM). With NSX the hypervisor does the firewall functions, and the inter-VM traffic never
leaves the host.
>
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos
Lee Marzke, lee@marzke.net http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
+1 800-393-5217 office +1 484-348-2230 fax
+1 252 627-9531 sms ( 252 MARZKE1 )
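The message above argues that firewall rules should be written once at the tier/application level and the per-VM rules generated from that, so that moving or retiring a VM never leaves stale rules behind and a tier-to-tier hop that the blueprint does not name is denied by default. The following is an added illustration of that idea as a toy policy compiler; it is not code from the PLUG thread and not VMware or NSX code, and every VM name, tier, address and port in it is constructed for the example.

```python
"""Toy micro-segmentation policy compiler (added example, not from the
PLUG thread and not VMware/NSX code).

A high-level 3-tier "blueprint" (tiers, which VMs belong to each tier, and
the flows allowed between tiers) is compiled into per-VM, per-direction
5-tuple firewall rules that end in default deny. Because the rule set is
regenerated from the blueprint every time, a VM that moves or is retired
leaves no stale rules behind. Every name, address and port below is
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    tier: str
    ip: str


@dataclass(frozen=True)
class Flow:
    src_tier: str   # "ANY" = any source, including hosts outside the app
    dst_tier: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    vm: str
    direction: str  # "in" (towards the vNIC) or "out" (from the vNIC)
    src: str        # IP or "0.0.0.0/0"
    dst: str
    proto: str      # "tcp", "udp" or "any"
    port: int       # 0 = any port
    action: str     # "allow" or "deny"


@dataclass
class Blueprint:
    app: str
    flows: list[Flow]
    vms: list[VM] = field(default_factory=list)

    def compile(self) -> dict[str, list[Rule]]:
        """Expand tier-level flows into per-VM rules; the last rule is deny."""
        by_tier: dict[str, list[VM]] = {}
        for vm in self.vms:
            by_tier.setdefault(vm.tier, []).append(vm)
        rules: dict[str, list[Rule]] = {vm.name: [] for vm in self.vms}
        for f in self.flows:
            dsts = by_tier.get(f.dst_tier, [])
            srcs = None if f.src_tier == "ANY" else by_tier.get(f.src_tier, [])
            src_ips = ["0.0.0.0/0"] if srcs is None else [s.ip for s in srcs]
            for d in dsts:  # receiver side: accept from each allowed source
                for s_ip in src_ips:
                    rules[d.name].append(Rule(d.name, "in", s_ip, d.ip, f.proto, f.port, "allow"))
            for s in srcs or []:  # sender side: may only reach the named tier
                for d in dsts:
                    rules[s.name].append(Rule(s.name, "out", s.ip, d.ip, f.proto, f.port, "allow"))
        for vm in self.vms:  # default deny in both directions
            rules[vm.name].append(Rule(vm.name, "in", "0.0.0.0/0", vm.ip, "any", 0, "deny"))
            rules[vm.name].append(Rule(vm.name, "out", vm.ip, "0.0.0.0/0", "any", 0, "deny"))
        return rules


def permits(rules: dict[str, list[Rule]], src: VM | str, dst: VM, proto: str, port: int) -> bool:
    """First-match evaluation at both vNICs: the sender's 'out' rules (when the
    sender is a VM we manage) and the receiver's 'in' rules must both allow."""
    src_ip = src if isinstance(src, str) else src.ip

    def first_match(vm_rules: list[Rule], direction: str) -> bool:
        for r in vm_rules:
            if r.direction != direction:
                continue
            if r.proto not in ("any", proto) or r.port not in (0, port):
                continue
            if r.src not in ("0.0.0.0/0", src_ip) or r.dst not in ("0.0.0.0/0", dst.ip):
                continue
            return r.action == "allow"
        return False  # no rule matched at all: treat as deny

    if isinstance(src, VM) and not first_match(rules[src.name], "out"):
        return False
    return first_match(rules[dst.name], "in")


def rules_mentioning(rules: dict[str, list[Rule]], ip: str) -> int:
    """How many generated rules still reference a given address."""
    return sum(1 for rs in rules.values() for r in rs if ip in (r.src, r.dst))


def demo() -> dict[str, bool | int]:
    bp = Blueprint("shop", flows=[
        Flow("ANY", "web", "tcp", 443),   # internet -> web tier
        Flow("web", "app", "tcp", 8080),  # web -> app tier
        Flow("app", "db", "tcp", 5432),   # app -> db tier
    ])
    web1, app1 = VM("web1", "web", "10.0.1.10"), VM("app1", "app", "10.0.2.10")
    db1 = VM("db1", "db", "10.0.3.10")
    bp.vms = [web1, app1, db1]
    r1 = bp.compile()
    out: dict[str, bool | int] = {
        "client_to_web_443": permits(r1, "203.0.113.7", web1, "tcp", 443),
        "web_to_app_8080": permits(r1, web1, app1, "tcp", 8080),
        "web_to_db_5432": permits(r1, web1, db1, "tcp", 5432),  # tier skip: denied
        "app_to_db_5432": permits(r1, app1, db1, "tcp", 5432),
        "app_to_db_22": permits(r1, app1, db1, "tcp", 22),      # unlisted port: denied
    }
    # db1 is re-addressed (e.g. moved to another cluster): recompile, don't hand-edit
    db1_moved = VM("db1", "db", "10.0.3.99")
    bp.vms = [web1, app1, db1_moved]
    r2 = bp.compile()
    out["app_to_moved_db"] = permits(r2, app1, db1_moved, "tcp", 5432)
    out["stale_rules_for_old_db_ip"] = rules_mentioning(r2, "10.0.3.10")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the second compile is the one the message makes about cruft: nothing deletes the rule for 10.0.3.10, it simply is not generated again, because the blueprint, not the rule list, is the source of truth. A real product renders these tuples into the hypervisor's packet filter; here they stay as data so the evaluation can be inspected.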