VMware vDefend

  • 1.  NSX Edge as perimeter firewall

    Posted Mar 23, 2021 05:31 AM

    Hi Team,

    I have one concern/feasibility check request from customer to consider VMware edge as perimeter firewall for their IT private cloud.

     

    Afaik, above theory is not recommended as Edge firewall lacks advanced features such as IDS,IPS etc,. (At least I’m not aware if they are supported)

    My queries are below

    1. Can Gateway firewall supports IDS ? (For North-south traffic)

    2. Let's say if I use gateway firewalls in cluster, will there be stateful information sync between them. For example, if one gateway firewall is down then do clients need to re-establish their connection?

    3. If I integrate 3rd party service firewalls, can they work as Active/Active cluster? I see there is a limitation of running Active/Standby services in NSX for stateful services. Is this citation applicable to 3rd party services as well?

    Thanks in advance.

     



  • 2.  RE: NSX Edge as perimeter firewall

    Posted Mar 23, 2021 06:26 AM

    As far as I am aware IDS/IPS is enabled at the hypervisor level and not at the edge, if you are going to be using an SVM / service insertion then the t0 gateway has to be in Active-Standby. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-53D6C480-7AD3-4B23-922D-430C89992B57.html

    Have you had a look at the security reference design guide https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide.

    Also the reference design guide https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093.

    This blog my be of use as well. https://blogs.vmware.com/networkvirtualization/2020/08/the-nsx-t-gateway-firewall-secures-physical-servers.html/#:~:text=We%20can%20use%20the%20NSX,any%20site%2C%20and%20any%20cloud.

    Just trying to dig up some information regarding states for you.



  • 3.  RE: NSX Edge as perimeter firewall

    Posted Mar 23, 2021 06:36 AM

    Does that mean we can't have IDS at Edge firewall for North-South traffic



  • 4.  RE: NSX Edge as perimeter firewall

    Posted Mar 23, 2021 08:33 AM

    IDS is currently not supported on the Edge, you can youse introspection / SVM's to inspect traffic if you'd like.



  • 5.  RE: NSX Edge as perimeter firewall

    Posted Mar 24, 2021 01:22 AM

    Hi,

    As you see, distributed IDS/IPS is a new feature for East-West traffics. Otherwise, you could enable NSX Edge Firewall rules or the other stateful services on T1 level, so that you may deploy T0 in active-active mode.