Mar 23, 2016 By Andrey Zhuk In Blog

Palo Alto NGFW & VMware NSX Integration- Use Cases Highlight Security Benefits

Everyone in IT has heard how Software Defined Networking (SDN) will change our world and that now, thanks to VMware and VMware’s NSX SDN solution, the Software Defined Data Center (SDDC) has become a reality.

Of course, once you enter SDDC world, you have a new set of challenges:

  • Lack of visibility into East-West (VM-to-VM) traffic
  • Manual, process-intensive networking configurations to deploy security within the virtualized environment
  • Security not keeping pace with speed of server provisioning
  • Incomplete or irrelevant feature sets within virtualized network security platforms

Many firewall vendors have stepped up with solutions to address these SDN challenges. Leading the pack is Palo Alto Networks with its NGFW tightly integrating with VMware NSX. The benefits of a virtual NGFW purpose-built for NSX are plentiful:

  • Using the VMware NSX platform’s extensible service insertion and service chaining capabilities, the virtualized NGFW is automatically and transparently deployed on every ESXi server.
  • Context is shared between VMware NSX and Palo Alto Networks’ centralized management platform, enabling security teams to dynamically apply security policies to virtualized application creation and changes.
  • Dynamic network security policies stay in sync with virtual application changes.
  • Enterprises can provision security services faster and utilize capacity of cloud infrastructures more efficiently without worrying about security.

So what are some of the actual use cases for VMware NSX and Palo Alto virtual NGFW? Let’s go over a few.

Use Case 1: VXLAN Segmentation with Advanced Protection Across Tiers

In this scenario, guest VMs are segregated using a traditional model of segmentation based on L2 domain separation: VMs are connected to dedicated VXLAN logical switches depending on their role. For instance, in a 3-tier application model, all web server VMs are connected to WEB logical switch, application logic VMs to APP logical switch, and database VMs to DB logical switch. The PAN virtual NGFW can be deployed alongside each of the logical switches and provide inter-tier security.

Use Case 2: Micro-Segmentation of a Multi-Tiered Application with Malware Protection

In this use case, we do not rely on traditional network constructs for segmentation (i.e., guest VMs segregated per L2 domain based on their role). With the integrated NSX and Palo Alto Networks solution, the segmentation is now independent of the network topology. Instead, the VMware NSX Security Groups with Panorama Dynamic Address Group Objects are leveraged for segmentation and security enforcement. A customer with an application that has a web front-end tier, an application tier, and a database tier no longer needs to create three network segments. All of these tiers and VMs can exist on one flat virtual network. NSX Security Groups, which define the micro-segmentation, align VMs with the tiers of the application.

Steering rules can then be created in NSX Service Composer/Security Policy that redirect traffic between any of the tiers to the Palo Alto Networks VM-Series firewalls. Using Panorama Dynamic Address Groups, VM-Series security policy based on the same tiers is enforced. In this way, we can ensure, for example, that only SQL traffic is allowed between the application and database tier.

Use Case 3: Enterprise Multi-Zone Security (PCI, Production and Development Zones)

In this scenario, an SDDC is created with three internal zones:

  1. Dev Zone—used for developers to create, test and validate new types of enterprise applications.
  2. Prod Zone—used for all applications running under production that are located in this part of the SDDC.
  3. PCI Zone—used for VMs that require access to customer personal information and payment card identification (compliance-driven environment).

Traffic from Dev Zone to Prod Zone is protected by NSX’s Distributed Firewall (DFW), which is the basic VMware firewall that can also forward traffic for inspection to Palo Alto VM-series firewall. For traffic between Prod Zone and PCI Zone, we require more granular protection with additional IPS and malware protection functionality. For this purpose, Palo Alto VM-series NGFW can be leveraged to provide advanced security features.

Use Case 4: Scale In/Scale Out for Elastic Applications

One major characteristic of cloud technology is its ability to dynamically adapt to user workloads. Consequently, during high activity periods, an application should be able to scale out rapidly and automatically in order to absorb all end-user traffic. In the same way, once activity goes back to a normal or even lower state, the application should be able to scale down dynamically to save energy and resources. A common name given to this type of application is “elastic application.”

For example, let’s take a 3-tier type of application with WEB, APP, and DB tiers.

In case of high activity, the WEB and APP tiers should be agile enough to expand quickly without any human intervention. Once VMs are instantiated on these tiers, consistent security policy should be enforced and, as such, overall systems always guarantee a high degree of protection, even in cases of dynamic workload creation and/or intrinsic application growth.

Starting with use case 2 (or use case 1, because the same concepts apply here), let’s consider a scale-out situation. The application must be expanded in order to support high demand at a point of time. This is practically translated by adding additional WEB VMs and APP VMs.

With Palo Alto and VMware NSX, as additional VMs are added, Palo Alto VM-series firewalls will be deployed automatically with the VMs. Moreover, existing firewall policy rules will be enforced on the two new VMs. There is absolutely no human intervention in scale out situations. The application grows organically, and both NSX and the Palo Alto Networks systems will be able to apply traffic redirection and traffic protection to the newly created VMs.

In case of a scale down scenario (i.e., WEB-VM-3 and APP-VM-2 are removed because of lower activity), both NSX and Palo Alto Networks systems behave the same way. The two new VMs will be automatically removed from their respective Security Groups and the associated Dynamic Address Groups will be immediately updated with this information. Again, no human intervention is required!