NSX | Bit about Firewall

Types of firewall rules based on protocols and security layer:

General Rules - These rules are applied to L3, L4 and L7 protocols and fields such as IP addresses, TCP/UDP port numbers and App-IDs. In addition, vCenter attributes such as datacenters and resource pools can be part of the group.

Ethernet Rules - These rules can define a set of MAC addresses as source or destination and enforce policy on L2 protocols. Ethernet rules are enforced before General rules.

Partner Security Services - These rules define traffic flows to be redirected to partner solutions for additional network introspection.

Firewall rules are managed in a centralized manner. Each traffic session is checked against the top rule in the firewall table before moving down to the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

Types of firewall rules based on where and by whom they are created:

  • User-defined rules: rules created by administrators
  • Internal rules: rules that enable control traffic to flow for NSX Edge services
  • Local rules: rules specific to an NSX Manager instance (in a cross-vCenter NSX deployment)
  • Service Composer rules: rules created through Service Composer as part of a defined security policy
  • Default distributed firewall rules: rules that deal with traffic that does not match any other rule
  • Pre-rules: rules created for the NSX Edge firewall through the centralized firewall tab. Pre-rules cannot be modified at the Edge level

About the Reject and Deny actions of the firewall
  • The Reject action sends the following responses back to the sender:
    • RST packets for TCP connections
    • ICMP host unreachable messages
  • The Deny action silently drops the packet, just like some RTOs
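
To make the top-down first-match walk, the Ethernet-before-General ordering and the Reject/Deny difference concrete, here is a small Python model added to this post (it is not code from vCloudNotes or VMware); the rule names, MAC addresses and IPs in it are constructed, and NSX's own matching on App-IDs and vCenter objects is left out.

```python
# Added example (not code from the vCloudNotes post or from VMware): a toy
# model of NSX DFW processing. Tables are walked top-down, first match wins,
# Ethernet rules are checked before General rules, and the default rule
# catches the rest. Reject answers the sender; Deny drops silently.
from dataclasses import dataclass
from typing import Optional

ANY = "any"

@dataclass
class Rule:
    name: str
    action: str                  # "allow", "deny" (silent drop) or "reject"
    layer: str = "general"       # "ethernet" rules are enforced first
    src: str = ANY               # MAC for Ethernet rules, IP for General rules
    dst: str = ANY
    proto: str = ANY             # "tcp", "udp", "icmp" or any
    dport: Optional[int] = None  # None matches every port

@dataclass
class Packet:                    # constructed sample traffic, not real captures
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int] = None

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.layer == "ethernet":
        src, dst = pkt.src_mac, pkt.dst_mac
    else:
        src, dst = pkt.src_ip, pkt.dst_ip
    return (rule.src in (ANY, src) and rule.dst in (ANY, dst)
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: list, pkt: Packet, default: str = "deny") -> dict:
    """Return the first matching rule and what the sender would observe."""
    # Ethernet section is enforced before the General section; order inside
    # each section is preserved, so the top-most matching rule wins.
    ordered = ([r for r in rules if r.layer == "ethernet"]
               + [r for r in rules if r.layer != "ethernet"])
    hit = next((r for r in ordered if _matches(r, pkt)), None)
    action = hit.action if hit else default
    response = "none"   # Deny (and allow) send nothing back to the sender
    if action == "reject":
        response = "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable"
    return {"rule": hit.name if hit else "default", "action": action,
            "response": response}
```

Try a rule table with an Ethernet deny listed below a General allow and you will see the Ethernet rule win regardless of its position, which is the behaviour described above.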

Applied To field of a firewall rule

There are a total of 12 object/destination types to which you can apply the rules; they are listed below:
  1. Datacenter
  2. Cluster
  3. DvPortgroup
  4. Virtual Machine
  5. Resource Pool
  6. Security Group
  7. vApp
  8. vNIC
  9. IP Set
  10. IP Address
  11. Logical Switch
  12. Legacy port group.

DFW Enhancement: L7-based enforcement

The L7 firewall is also called context-aware security or next-generation firewall. Context-aware security is intended specifically for east-west traffic. However, there are no changes in how the components interact in the next-generation firewall:

* NSX Manager talks to vCenter to fetch inventory through the vCenter plugin
* If AD is integrated, NSX communicates with AD through the AD plugin
* NSX Manager sends rules to the ESXi host, where they are received by vsfwd installed on the host; the host then passes these rules on to the applicable components.

A few components now have additional responsibilities:
  • The Deep Packet Inspection (DPI) module is now used to inspect traffic for App-IDs.
  • The message bus agent creates filters, configures rules and integrates the above components to collect context
  • The VSIP module installed on the ESXi host creates flows based on the rules and redirects traffic to the DPI user-world engine
  • The vDPI daemon helps find the context
The snippet below explains a lot in one go; it is taken from the VMware e-book.

Thank you,
Team vCloudNotes
