VMware Networking Community
networlddsg
Enthusiast

On the risk of using NSX Edge instead of a dedicated FW (FortiGate, Palo Alto, etc.)

Hello.

Is it dangerous to use NSX Edge instead of a dedicated FW in the following environment, where a dedicated FW (FortiGate, Palo Alto, etc.) would normally be used?

· For Internet connection

· Use global IP address

NSX Edge has acquired "ICSA".

This is the same for FortiGate, a dedicated FW product.

https://www.icsalabs.com/product/vmware-nsx%C2%AE-vsphere-63

NSX has also acquired below.

· FIPS 140-2

· CC EAL 2+

Although NSX Edge can prevent SYN flood attacks, it cannot prevent attacks other than SYN flood attacks, so we think that using NSX Edge in an environment that uses global IP addresses is dangerous.

What does everyone think?

Accepted Solutions
cnrz
Expert

Currently, perimeter firewalls are evolving into UTM boxes that contain zones, an L7 application firewall, IPS and URL filtering. NSX dFW is generally for E-W firewalling and AD-integrated rules. The Edge Firewall is mostly used for inter-tenant traffic isolation or for North-South traffic filtering going to the physical network and WAN.

It is possible to use the Edge FW as an internet-facing firewall, but the requirements for the Internet are mostly different and more demanding in terms of user traffic and applications. The NSX Edge firewall generally is not a replacement for a physical firewall, but if the requirements in terms of services are met with Edge (after testing all of the scenarios and applications), the throughput is generally sufficient, and from a price point of view it is an advantage, as NSX has no restrictions on the number of Edge Firewalls deployed. From a design perspective, if possible, it could be better to use a physical NG L7 application firewall (and other UTM services) alongside NSX for micro-segmentation and Edge Firewall.

NSX DMZ Anywhere could be helpful as a complementing solution in DMZ design:

VMware NSX DMZ Anywhere Cybersecurity Benchmark

https://vwilmo.wordpress.com/2017/04/21/the-vmware-nsx-platform-healthcare-series-part-5-dmz-anywher...

2 Replies
networlddsg
Enthusiast

Thank you.

Again, you need a special FW for the Internet
