Feature Brief: NSX Advanced security features

Introduction

VMware Cloud on AWS was designed with security in mind and takes advantage of the networking and security capabilities of VMware NSX. VMware NSX provides the Gateway Firewall to protect the perimeter of the SDDC (North-South) and separates management from workload traffic within the SDDC. VMware NSX also includes a Distributed Firewall to secure traffic between workloads inside the SDDC (East-West). The VMware NSX Gateway Firewall and Distributed Firewall provide enterprise-class Layer-4 security for applications in VMware Cloud. Both Gateway Firewall and Distributed Firewall are included in every VMware Cloud on AWS SDDC. In addition, NSX Advanced Firewall functionality is now included in the offering, allowing organizations to define and enforce security policies at Layer-7 and enabling deep packet inspection across all virtual networking endpoints within the SDDC. NSX Advanced Firewall includes:

  • Layer-7 Application ID Firewall
  • Distributed Firewall with Fully Qualified Domain Name (FQDN) Filtering
  • Distributed Firewall with Active Directory based User ID Identity Firewall

In this article, we will take a closer look at the NSX Advanced Firewall features and how to enable them.

Layer-7 Application ID Firewall

By employing a Layer-7 (application-level, context-aware) firewall, organizations can move further from the basic IP address and port-level Layer-4 security and gain complete stateful Layer-7 controls and filtering. The Distributed Firewall incorporates deep packet inspection (DPI) capabilities, allowing organizations to selectively permit intended applications and protocols while denying all other traffic at the virtual network interface (vNIC) on the VM.

Layer-7 Application ID Firewall consists of three pillars:

  • Compliance Zones
  • Attack Surface Reduction
  • Port-independent Micro-Segmentation

These capabilities allow organizations to isolate sensitive applications by establishing virtual zones within the SDDC. Layer-7 policies are enforced at the hypervisor level, which controls the data path of every VM. It is important to note that Distributed Firewall rules remain intact even when VMs migrate across hosts within the SDDC, ensuring seamless enforcement without any gaps.

To simplify the process of defining Layer-7 firewall rules for specific workloads, the Distributed Firewall is equipped with 800+ pre-built application profiles (Application IDs) for commonly used enterprise applications. This facilitates configuration of Layer-7 policies tailored to individual workloads. Through the implementation of granular micro-segmentation policies, threat protection is achieved for east-west traffic within the SDDC.

Figure 1 - Layer-7 Application ID Firewall

Figure-1 shows the Layer-7 filtering capabilities for compliance on an SSL (Secure Sockets Layer) based application: SSL-based applications can be restricted according to the version of the TLS protocol in use. With application context profiles, applications can also be allowed or denied independently of the port they run on, giving application owners the flexibility to run services on any port.
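To make the two ideas above concrete (identifying an application from the traffic itself rather than from the port, and then restricting an SSL/TLS application by protocol version), here is a small added illustration in Python. It is not NSX code and does not reflect how the Distributed Firewall's DPI engine is implemented; it models a toy classifier that inspects the leading bytes of a flow, ignores the destination port entirely, and applies a Layer-7 style rule set with an implicit default deny. The ClientHello payloads are constructed for the example, and the rule format (`app`, `versions`, `action`) is an assumption of this example only.

```python
"""Port-independent application identification with a TLS-version rule.

Added example, not NSX's own implementation. Identification is done on the
payload bytes only; the port a service listens on plays no role, which is the
point of port-independent micro-segmentation.
"""

# Assumption: only the versions commonly seen in the ClientHello version
# field are modelled. TLS 1.3 keeps 0x0303 in that legacy field and signals
# 1.3 via the supported_versions extension, which this toy does not parse.
TLS_VERSIONS = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def identify_app(payload: bytes) -> dict:
    """Classify a flow from its first bytes. Returns {'app': ..., 'version': ...}."""
    # TLS record header: content type 0x16 (handshake), record version 3.x,
    # 2-byte length; then handshake type 0x01 (ClientHello), 3-byte length,
    # and the client's offered protocol version at offsets 9..10.
    if len(payload) >= 11 and payload[0] == 0x16 and payload[1] == 3:
        if payload[5] == 0x01:
            client_version = (payload[9], payload[10])
            return {"app": "SSL", "version": TLS_VERSIONS.get(client_version, "unknown")}
    # Plain-text HTTP request line, regardless of whether it arrives on 80 or 8080.
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE "):
        if payload.startswith(method):
            return {"app": "HTTP", "version": None}
    return {"app": "unknown", "version": None}


def evaluate(rules: list, payload: bytes, dst_port: int) -> str:
    """Apply the first matching Layer-7 rule; anything unmatched is dropped.

    dst_port is accepted only to make explicit that it is never consulted.
    """
    app = identify_app(payload)
    for rule in rules:
        if rule["app"] != app["app"]:
            continue
        allowed_versions = rule.get("versions")  # None means any version
        if allowed_versions is None or app["version"] in allowed_versions:
            return rule["action"]
    return "DROP"  # implicit default deny, as in a micro-segmentation policy


def client_hello(major: int, minor: int) -> bytes:
    """Build a minimal constructed TLS ClientHello offering the given version."""
    body = bytes([major, minor]) + bytes(32)  # version + zeroed 32-byte random
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body
    return bytes([0x16, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Example policy: allow SSL only when the client offers TLS 1.2, allow HTTP
# on any port, drop everything else.
POLICY = [
    {"app": "SSL", "versions": {"TLSv1.2"}, "action": "ALLOW"},
    {"app": "HTTP", "versions": None, "action": "ALLOW"},
]


def run_scenario() -> dict:
    """Evaluate a few constructed flows against POLICY."""
    return {
        "tls12_on_443": evaluate(POLICY, client_hello(3, 3), 443),
        "tls12_on_8443": evaluate(POLICY, client_hello(3, 3), 8443),  # port ignored
        "tls10_on_443": evaluate(POLICY, client_hello(3, 1), 443),    # old version
        "http_on_8080": evaluate(POLICY, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", 8080),
        "garbage_on_443": evaluate(POLICY, b"\x00\x01\x02\x03", 443),
    }


if __name__ == "__main__":
    for flow, verdict in run_scenario().items():
        print(f"{flow}: {verdict}")
```

The same TLS 1.2 ClientHello is allowed whether it arrives on 443 or 8443, the TLS 1.0 one is dropped by the version constraint, and a flow the classifier cannot identify falls through to the default deny.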

Distributed Firewall with FQDN Filtering

In VMware Cloud on AWS, users can implement a controlled access approach by allow listing (whitelisting) and/or deny listing (blacklisting) Fully Qualified Domain Names (FQDNs). In high-security environments, outgoing traffic is often filtered using the Distributed Firewall. When a workload needs to connect to an external service, IP-based firewall rules are typically created. However, there are situations where the IP addresses associated with a domain are not known in advance. This is where domain filters become valuable.

With FQDN allow listing, security administrators have the capability to define firewall rules that explicitly grant access to a specific set of FQDNs. This functionality is particularly useful for micro-segmenting applications that need to interact with external SaaS/Cloud services whose IP addresses may be subject to change. Additionally, FQDN allow listing can provide precise granular access to SaaS applications or web resources for users in a Virtual Desktop Infrastructure (VDI) environment (Figure-2).

Distributed Firewall maintains the context of VMs even when they migrate (vMotion) to other hosts within the SDDC. Organizations can depend on FQDN filtering and application profiling to reduce the attack surface of their applications to specific protocols and destinations. Distributed FQDN Filtering requires DNS snooping, where NSX learns the DNS response through the DNS Context Profile, caches it, and builds a Distributed Firewall policy with the currently resolved IP address.
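The DNS snooping mechanism described above is easier to reason about with a worked model, so here is an added Python example that is not NSX code and does not reflect the DNS Context Profile's actual implementation. It keeps a learned cache of resolved IP to FQDN bindings taken from observed DNS answers (with TTL expiry), and evaluates a new outbound connection against an FQDN allow list using that cache. The DNS answers, IP addresses, domain names and the rule format are all constructed for the example; the practical points it shows are that a destination is only allowed once its DNS answer has been seen, that an IP change at the SaaS side is picked up by the next answer, and that an expired binding no longer grants access.

```python
"""FQDN allow-listing driven by snooped DNS answers.

Added example, not NSX's implementation. The cache maps a resolved IP to the
FQDN it was learned for and an expiry time derived from the answer's TTL.
"""
from dataclasses import dataclass, field


@dataclass
class FqdnCache:
    # ip -> (fqdn, expires_at); expires_at is in the same clock units as `now`
    entries: dict = field(default_factory=dict)

    def learn(self, fqdn: str, answers: list, now: float) -> None:
        """Record each (ip, ttl) from an observed DNS answer for `fqdn`."""
        name = fqdn.lower().rstrip(".")
        for ip, ttl in answers:
            self.entries[ip] = (name, now + ttl)

    def lookup(self, ip: str, now: float):
        """Return the FQDN an IP was learned for, or None if unknown/expired."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        name, expires_at = entry
        if now >= expires_at:
            del self.entries[ip]  # stale binding: treat as never seen
            return None
        return name


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or '*.example.com' style wildcard for subdomains only."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])  # '.example.com' suffix
    return fqdn == pattern


def decide(rules: list, cache: FqdnCache, dst_ip: str, now: float) -> str:
    """First matching rule wins; unknown or unlisted destinations are dropped."""
    fqdn = cache.lookup(dst_ip, now)
    if fqdn is None:
        return "DROP"  # no DNS answer was snooped for this IP
    for rule in rules:
        if any(fqdn_matches(p, fqdn) for p in rule["fqdns"]):
            return rule["action"]
    return "DROP"


# Constructed policy: allow a SaaS API and its subdomains, deny everything else.
POLICY = [
    {"fqdns": ["api.saas.example", "*.saas.example"], "action": "ALLOW"},
]


def run_scenario() -> dict:
    """Walk through learn / re-resolve / expire with constructed DNS answers."""
    cache = FqdnCache()
    out = {}
    # Connection before any DNS answer has been observed.
    out["before_dns"] = decide(POLICY, cache, "198.51.100.10", now=0)
    # Snooped answer: api.saas.example -> 198.51.100.10, TTL 60.
    cache.learn("api.saas.example.", [("198.51.100.10", 60)], now=0)
    out["after_dns"] = decide(POLICY, cache, "198.51.100.10", now=5)
    # The SaaS provider moves; a fresh answer binds a new IP.
    cache.learn("api.saas.example", [("198.51.100.20", 60)], now=10)
    out["new_ip"] = decide(POLICY, cache, "198.51.100.20", now=12)
    # A domain not on the allow list resolves too, but stays denied.
    cache.learn("tracker.example", [("203.0.113.5", 300)], now=10)
    out["unlisted_fqdn"] = decide(POLICY, cache, "203.0.113.5", now=12)
    # Wildcard covers subdomains but not the bare apex.
    cache.learn("cdn.saas.example", [("198.51.100.30", 60)], now=10)
    cache.learn("saas.example", [("198.51.100.40", 60)], now=10)
    out["subdomain"] = decide(POLICY, cache, "198.51.100.30", now=12)
    out["apex"] = decide(POLICY, cache, "198.51.100.40", now=12)
    # The original binding's TTL has elapsed.
    out["expired"] = decide(POLICY, cache, "198.51.100.10", now=61)
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step}: {verdict}")
```

Note the failure mode this makes visible: a client that connects to an IP it obtained some other way (a hard-coded address, a cached resolver on another path) never produces a snooped answer, so the flow is dropped even if the name would have been allowed. That is the intended behaviour of DNS-snooping based FQDN filtering, and it is why the workload's DNS traffic must pass where the Distributed Firewall can observe it.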


Figure-2 - Distributed Firewall with FQDN Filtering

Distributed Firewall with Active Directory based User ID Identity Firewall

VMware NSX enables user-based or identity firewall (IDFW) with advanced firewalling. With IDFW, organizations can create firewall rules based on Active Directory user groups to provide granular per-user access to applications. The Identity Firewall feature is based on flow context, and therefore applies to users accessing their applications from either VDI desktops or RDSH sessions. IDFW-based rules can also use Layer-7 and/or FQDN context profiles to provide even more granular per-user control.

Enabling NSX Advanced Firewall

NSX Advanced Firewall can now be activated at no additional cost. Intrusion Detection and Intrusion Prevention (IDS/IPS) features remain a paid add-on. Activating NSX Advanced Firewall is straightforward. Within a VMware Cloud on AWS SDDC, navigate to the “Integrated Services” tab as shown in Figure-3.

Figure-3 – Activating NSX Advanced Firewall

In the next dialogue box, click “Activate” (Figure-4). Any warning about additional cost for NSX Advanced Firewall can be ignored; it applies only to IDS/IPS, as clarified below.

Figure-4 - Activating NSX Advanced Firewall cont.

After you have clicked on “Activate”, the NSX Advanced Firewall will indicate that it is now active (Figure-5).

Figure-5 – Status of NSX Advanced Firewall

To avoid additional cost, make sure IDS/IPS is not activated for any cluster (Figure-6).

Figure-6 – IDS/IPS should be deactivated to avoid additional cost

  • NSX Distributed IDS/IPS is NOT included in VMC Advanced.
  • NSX Distributed IDS/IPS is NOT enabled by default when NSX Advanced Firewall is activated.
  • If NSX Distributed IDS/IPS is enabled on any SDDC clusters, billing will begin.

Summary

Advanced firewall capabilities on the VMware Cloud SDDC are now available at no additional charge and can be activated in addition to the default Gateway Firewall and Distributed Firewall capabilities.

You can read more about the announcement here.

More information about NSX Advanced Firewall capabilities, including a demo, can be found here: VMware Cloud on AWS Advanced Firewall Layer 7 Firewall (YouTube video)
