VMware Networking Community
mindspring05
Contributor
Contributor
‎09-25-2016 06:16 AM
Jump to solution

Jump Server placement in NSX Multi-Tenant Deployment

Hi ,

We have deployed a Multi-Tenant NSX Deployment and I wanted to know the ideal placement for the Jump Servers for tenants access and Management.

presently we have the Jump Server in a Shared Tenant inside NSX.


I was wondering if this is an ideal location or should we consider placing it outside the NSX, by connecting it to the perimeter firewall as a VLAN with its GW on the Firewall.

My concern on having it inside NSX is , If the Jump server is compromised then there is a possibility of someone gaining access to the whole of our NSX network since we are only using DFW doing only L4 level inspection.

If we had the Jump Server on the Perimeter firewall , then i think we may be able to do L4-L7 checks and prevent someone gaining access to our NSX network.

I don't know if my thinking is right and and would need your advice on this..

1 Solution

Accepted Solutions
chuckbell
VMware Employee
VMware Employee
‎09-26-2016 04:16 AM
Jump to solution

Your concern about placing the jump server inside NSX and possibility of someone gaining access since only L4 DFW is being used I guess depends on your use of the jump box. First, DFW runs in the kernel, so even if the jump host was compromised, the DFW rules on that host could not be modified unless the user has access to the NSX mgmt network. For enhanced inspection, 3rd party NGFW's like checkpoint, palo alto, or Fortinet can be used for L7 inspection. But as I mentioned, it depends on what the jump box has access to.

Does the jump box have access to NSX?

If, so I would consider a very secure strategy. Something like the NSX and ESX hardening guides. And making sure access to that host is very secure 2FA, encrypted, etc.

NSX-v 6.2.x - Security Hardening Guide (Published version 1.6)

Securing-NSX-vSphere v1.0.pdf

VMware Security Hardening Guides

If the jump box does not have access to NSX mgmt or ESX mgmt, then maybe using IDFW to allow tenants access to their particular VM's along the lines of this document (Securing access to and from your Jumpbox or VDI with NSX) might help.

Hopefully I understood you question properly.

Regards

View solution in original post

3 Replies
chuckbell
VMware Employee
VMware Employee
‎09-26-2016 04:16 AM
Jump to solution

Your concern about placing the jump server inside NSX and possibility of someone gaining access since only L4 DFW is being used I guess depends on your use of the jump box. First, DFW runs in the kernel, so even if the jump host was compromised, the DFW rules on that host could not be modified unless the user has access to the NSX mgmt network. For enhanced inspection, 3rd party NGFW's like checkpoint, palo alto, or Fortinet can be used for L7 inspection. But as I mentioned, it depends on what the jump box has access to.

Does the jump box have access to NSX?

If, so I would consider a very secure strategy. Something like the NSX and ESX hardening guides. And making sure access to that host is very secure 2FA, encrypted, etc.

NSX-v 6.2.x - Security Hardening Guide (Published version 1.6)

Securing-NSX-vSphere v1.0.pdf

VMware Security Hardening Guides

If the jump box does not have access to NSX mgmt or ESX mgmt, then maybe using IDFW to allow tenants access to their particular VM's along the lines of this document (Securing access to and from your Jumpbox or VDI with NSX) might help.

Hopefully I understood you question properly.

Regards

mindspring05
Contributor
Contributor
‎09-26-2016 04:56 AM
Jump to solution

Thanks for your response,

Yes, the Jump Server has access to NSX ..

The ESXi hosts are placed in a Management VLAN termination on the Perimeter firewall.

We have a common jump server that we use to Manage NSX and also for tenant clients to manage there respective tenants.

Is this advisable or should we consider having separate Jump Servers for NSX Management and for tenant clients to manage there tenants  , also would it be better to have the Jump servers placed on a VLAN termination on the perimeter firewall.

We are not going to use  3rd party NGFW's like checkpoint, palo alto and would rely of NSX DFW for all security


Regards

0 Kudos
abhilashhb
VMware Employee
VMware Employee
‎09-28-2016 05:56 AM
Jump to solution

It is advisable to have two separate jump servers for tenant related tasks and NSX management.

The hardening guide specifically talks about this point "Restrict Access to NSX manager"

"The NSX Manager should not be on a network accessible to standard virtual machine network or management network in general. Any compromise on NSX manager could potentially lead to communicating with hypervisors directly."

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

0 Kudos