VMware Networking Community
TheVMinator
Expert

NSX and DMZ

I currently have NSX distributed firewall controlling east-west traffic and using security groups to define where traffic can and cannot flow. I also have a physical firewall that is currently being used to define my DMZ. If I want to move my DMZ zone so that it is defined by NSX, how should traffic between internal VMs not in the DMZ and internal VMs in the DMZ be isolated? Will it have to flow through the Edge firewall, or will it only be separated by security groups and the distributed firewall?


Accepted Solutions
larsonm
VMware Employee

Typically, the Edge Appliance acts as the North/South gateway and firewall.  There are many approaches that can be taken:

While the physical world often relies on physical separation, NSX allows building a collapsed DMZ environment utilizing micro-segmentation and advanced firewall services to restrict and inspect traffic flow, accomplishing the same goals accomplished by traditional approaches of physical separation with physical firewalls. 

Of course, security administrators may take time to adjust to the new cloud model of the collapsed DMZ, and may still require some level of separation.  It is not uncommon to create a DMZ off of interfaces directly connected to the Edge Appliance servicing North-South traffic.

NSX components can be configured in many ways to facilitate both physical and logical isolation.  Transport zones can be used to ensure protected VXLAN networks reside only on specific hosts.  Logical switches can be created based on application profile, and rules put in place to secure based on logical switch.  It's even possible to place all VMs on the same logical switch and apply rules at the group or VM level.  Regardless of approach, the rules applied will result in the same level of security.


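The collapsed-DMZ approach described in the answer (isolation by security-group membership and distributed-firewall rules, with no Edge hop for east-west traffic) as an added Python model; this is example code, not from the thread or from VMware, and the group names, VM names, rule order and ports are assumptions.

```python
"""Constructed model of a collapsed-DMZ distributed-firewall policy.

Mimics a DFW rule table: ordered, first match wins, matching on security-group
membership rather than on subnet or physical location. Groups, VMs and ports
are assumptions for illustration, not NSX objects from the discussion.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed security-group membership (dynamic by tag in NSX; static here).
GROUPS = {
    "SG-DMZ-Web": {"web01", "web02"},
    "SG-Int-App": {"app01"},
    "SG-Int-DB": {"db01"},
}

@dataclass(frozen=True)
class Rule:
    src: str            # security group name or "any"
    dst: str            # security group name or "any"
    port: Optional[int]  # None means any port
    action: str         # "allow" or "deny"

# Ordered rule table; the final rule is the default deny.
POLICY = [
    Rule("SG-DMZ-Web", "SG-Int-App", 8443, "allow"),  # web tier -> app API only
    Rule("SG-DMZ-Web", "any", None, "deny"),          # nothing else leaves the DMZ east-west
    Rule("any", "SG-DMZ-Web", None, "deny"),          # internal VMs may not initiate into the DMZ
    Rule("SG-Int-App", "SG-Int-DB", 5432, "allow"),   # app tier -> database
    Rule("any", "any", None, "deny"),                 # default deny
]

def member(vm: str, group: str) -> bool:
    return group == "any" or vm in GROUPS.get(group, set())

def evaluate(src_vm: str, dst_vm: str, port: int) -> str:
    """Return the action of the first rule matching this flow."""
    for r in POLICY:
        if member(src_vm, r.src) and member(dst_vm, r.dst) and r.port in (None, port):
            return r.action
    return "deny"

PORTS_OF_INTEREST = (22, 443, 5432, 8443)

def dmz_crossings() -> set:
    """Every DMZ<->internal flow the policy allows, for audit or change review."""
    dmz = GROUPS["SG-DMZ-Web"]
    internal = set().union(*(v for k, v in GROUPS.items() if k != "SG-DMZ-Web"))
    pairs = [(a, b) for a in dmz for b in internal] + [(b, a) for a in dmz for b in internal]
    return {(s, d, p) for s, d in pairs for p in PORTS_OF_INTEREST if evaluate(s, d, p) == "allow"}

if __name__ == "__main__":
    for flow in sorted(dmz_crossings()):
        print("allowed DMZ crossing:", flow)
```

Running the audit function after each policy change shows exactly which DMZ boundary crossings the rule set permits, which is the check a physical-firewall change review would otherwise have provided.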
TheVMinator
Expert

OK great - thanks for the information
