Hello.
Is it dangerous to use NSX Edge instead of a dedicated FW in the following environment, where a dedicated FW (FortiGate, Palo Alto, etc.) is currently used?
· For Internet connection
· Use global IP address
NSX Edge has acquired "ICSA".
This is the same for FortiGate, a dedicated FW product.
https://www.icsalabs.com/product/vmware-nsx%C2%AE-vsphere-63
NSX has also acquired the following:
· FIPS 140-2
· CC EAL 2+
Although NSX Edge can prevent SYN flood attacks, it cannot prevent attacks other than SYN floods, so we think that using NSX Edge in an environment that uses global IP addresses is dangerous.
What does everyone think?
Currently, Perimeter firewalls are evolving to UTM boxes where they contain Zones, L7 Application Firewall, IPS, URL Filtering. NSX dFW is generally for E-W firewall and AD integrated rules. Edge Firewall is mostly used for Inter-tenant traffic isolation or for North-South traffic filtering going to physical network and WAN.
It is possible to use the Edge FW as an internet-facing firewall, but the requirements for Internet are mostly different and more demanding in terms of user traffic and applications. The NSX Edge firewall generally is not a replacement for a physical firewall, but if the requirements in terms of the services are met with Edge (after testing all of the scenarios and applications), the throughput is generally sufficient, and there is a price-point advantage, as NSX has no restrictions on the number of Edge Firewalls deployed. From a design perspective, if possible it could be better to use a physical NG L7 Application Firewall (and other UTM services) alongside NSX for micro-segmentation and Edge Firewall.
NSX DMZ anywhere could be helpful as complementing solution on DMZ design:
Thank you.
Again, you need a special FW for the Internet