VMware and Docker Deliver Greater Speeds through the Right Controls

This post was co-authored by Guido Appenzeller, CTSO of Networking and Security (@appenz), and Scott Lowe, Engineering DockerArchitect, Networking and Security Business Unit (@scott_lowe)

In today’s business environment, companies are being asked to go faster than ever before: faster time to market, faster response to customers, faster reactions to market shifts. Having a good idea isn’t enough; companies not only need to have a good idea, but they need get it to market fast, and quickly iterate on improvements to that idea. Speed is a competitive advantage.

The phenomenal success of the open source Docker project is a reflection of the pressure on companies to go faster. Companies across all industries have recognized that successful development teams can be a competitive differentiator. However, developers needed a way to simplify and accelerate the development and deployment of applications and code, and found Docker was one way to help accomplish that. Docker has won a place in the hearts and minds of many developers for its ability to help simplify the development and deployment of many different types of applications.

At the same time, companies face a bewildering array of security threats. Security and compliance remain as important as ever, if not more important. Yes, companies need to go faster—but they need to do it safely. Data must be safeguarded. Customer privacy must be maintained. Code confidentiality must be ensured. IT needs controls to protect the company’s assets, but it needs those controls to be able to move at the new speed of business: faster. Unfortunately, traditional controls typically can’t move fast enough, and this often results in friction between IT (who wants/needs to move more slowly in order to ensure the proper controls are in place) and the business (who wants/needs to move more quickly in order to keep up the pace of the market).

Here at VMware, what we’ve observed in our discussions with customers is something that, at first glance, appears to be something of a paradox. While it appears that IT controls are in opposition to allowing companies to move faster, the reality is that the right controls enable greater speed. When organizations have security controls that were expressly designed to operate at the scale and speed that businesses require, this friction between IT and the business goes away. The business is able to accelerate, confident in the fact that the security and integrity of their systems is properly safeguarded.

This is where Docker and VMware are jointly attacking the problem of providing the right security controls. Docker is approaching this from the perspective of enabling powerful networking and security functionality within the Docker Engine via the release of libnetwork. (More information about libnetwork is available in the libnetwork GitHub repository.) VMware is leveraging libnetwork to bring microsegmentation using strong, policy-driven stateful firewalling to Docker container environments via VMware NSX.

Until the release of VMware NSX, microsegmentation was a dream that simply wasn’t operationally feasible. Through the application of network virtualization technologies, VMware NSX makes true microsegmentation available to organizations of every size. It’s possible now to truly provide stateful firewalling for every workload in the data center. Using a policy-driven approach ensures security policies are automatically applied at scale. Organizations now have controls that can move at the new speed of business.

Until the release of libnetwork, companies that wanted to bring advanced networking and security functionality to Docker environments were limited in what they could do. Through libnetwork’s pluggable architecture, networking and security partners can bring new features and new functionality to Docker environments without compromising the simplified user experience that drew so many developers to Docker in the first place.

This is why VMware is excited about the work that Docker is doing with libnetwork. Libnetwork enables networking and security partners like VMware to apply our microsegmentation technologies to microservice architectures built using Docker. Through the integration of network virtualization via libnetwork, customers will have the ability to apply strong, stateful firewalling to containers and VMs alike. Initially this integration will come through VMware’s ongoing support of the open source Open vSwitch project and the related Open Virtual Network (OVN) effort.

VMware NSX enables microsegmentation. Microsegmentation enables strong, granular security controls. Docker enables streamlined microservice architectures. And libnetwork enables VMware NSX’s strong microsegmentation to integrate with Docker’s microservice architectures.

With the combination of Docker, libnetwork, and VMware NSX, developers gain the ability to adopt technologies like Docker to speed their development and deployment processes, and IT is able to continue to apply the necessary security controls to protect valuable intellectual property and customer data without slowing things down. One might say it’s the best of both worlds.

 

Using VMware NSX, Log Insight, and vRealize Orchestator to Improve Security

This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared here on the dfudsecurity blog

***

There is a lot of power in having security controls in software.  This is what I tell my customer, not just because I work for VMware. Why is that? The reason I find it so powerful is that I can now automate a lot of the security actions that use to be very manual. No more opening tickets to get a SPAN setup on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, like what apps are running and who started them, and what’s on the wire. I can protect different assets with different policies, and these polices can be dynamic.

With the help of my good friend John Dias (vRealize Orchestrator master), we created the follow video to show some of the potential of having everything in software.

Here is the scenario of the workflow.  You are a security person and want to stop all server admins and users from launching a putty session once they have RDPed into a server since they should only be doing this from approved jump boxes or desktops. Basically, I want to stop all intra-data center putty ssh sessions. I am actually looking for putty, the application, not just ssh. This could be any application or port, but I wanted to target a specific application for this demo. Continue reading

VMware NSX Ninjas - VMware TAM Services

VMware Technical Account Managers combine deep expertise with insights from successful implementations to provide unparalleled value to Goal-SettingVMware customers' business. Curtis Miller is a Technical Account Manager for VMware and in this post, which originally appeared on The VMware TAM Blog, he outlines how to help ensure success with VMware NSX TAM Services.

For networking, VMware NSX is a game-changer in the same way VMware vSphere was for data center servers. NSX virtualizes and consolidates legacy networking functionality back into a hypervisor. As a result, adding or changing network capabilities no longer requires the costly replacement of networking gear. It’s all software based—so upgrades are now just a right-click away.

The resulting cost savings are dramatic because network hardware is replaced far less often and used more efficiently. Deployment times and scalability improve substantially because networks can be created in minutes instead of weeks; and if demand falls, those resources can just as easily be reclaimed. Enhanced security via NSX’s micro-segmentation capabilities is another important benefit as well.

Read Curtis’ full blog here: http://blogs.vmware.com/tam/2015/03/ensuring-success-vmware-nsx-tam-services.html

Roger

Deploying VMware NSX with Horizon

As part of the recent launch of Horizon 6, Tony Paikeday, senior product line manager, End-User Computing, VMware, takes a look at the value proposition of deploying the VMware NSX network virtualization platform together with Horzon.

VMware NSX

Deploying VMware NSX with Horizon

VMware NSX, deployed with Horizon, offers a better alternative to securing east-west traffic between VMs, turning data center security from a perimeter-centric view to one that gives each individual desktop VM its own virtual network container – creating if you will, a network of “one.” This approach, also known as micro-segmentation, has been an ideal for network teams, but traditionally unachievable due to the cost, and the operational complexity involved. With the number of user VM’s introduced by desktop virtualization, and the sprawl of firewall rules needing to be manually added, deleted or modified every time a new VM is introduced, this has been untenable in the past. With VMware NSX, we have a completely new model for networking and security, delivering virtualization of the network, much as we did for server virtualization – reproducing it in software, with a logical library of networking elements and services including switches, routers, firewalls, load-balancers and more that can be deployed over any existing network.

Read Tony's full blog post here at http://blogs.vmware.com/euc/2015/03/securing-virtual-desktops-east-west-threats-data-center.html

Roger

VMware NSX Webcast - Creating Agile Networks

You may have seen Joey Logano speed to his first Daytona 500 win this week. Keeping your network in racing shape takes a similar level of NSX: Wanna Go Fastpatience, stamina, and quick reflexes. Using VMware NSX network virtualization means that you can unlock the full potential of a Software-Defined Data Center, to create and run entire networks on top of existing network hardware, resulting in faster deployment of workloads, as well as greater agility in the face of increasingly dynamic data centers. Watch this overview to learn how VMware NSX reduces the time to provision multi-tier networking and security services from weeks to seconds to win your race. This one-hour overview of VMware NSX outlines how you can bring virtualization to your existing network, transforming both its operations and economics. You’ll learn how several of the largest service providers, global financial, and enterprise data centers in the world are using NSX to reduce costs and provisioning times to improve agility and establish a new model of network security.

Click here to watch this webcast and find out:

  • What the NSX architecture looks like
  • How switching, routing, firewalling, load-balancing and other services are managed with NSX
  • How overlay networks and logical networks all come together with your physical infrastructure

Roger

Network Virtualization at VMware Partner Exchange 2015

VMware Partner Exchange (PEX) is your one-stop shop when it comes to learning about network virtualization and the technology extends VMware’s vision of the software-defined data center. At this year’s event, we are offering both an executive track and a technical track to help partners build their businesses and advance their knowledge, as you take customers on the path to Virtualizing the Network.

PEX Image

If you are a partner that is new to network virtualization, we have a program/learning path where you can send two people to PEX and to achieve their network virtualization competency by attending the 3-Day NSX Install, Configure and Manage Boot Camp prior to the start of the conference. Participants can then attend the free instructor-led VSP-NV and VTSP-NV boot camps during the conference. Continue reading

VMware NSX Loves Hardware

One of the core value propositions of VMware NSX is ability to take advantage of any underlying hardware infrastructure and deliver a fully decoupled virtualized network in software. VMware NSX loves a Modern Infrastructuregood hardware fabric,.

But that’s not the only hardware VMware NSX loves.

The votes have been cast and counted, and we are pleased to announce that VMware NSX was selected as the winner in the “Best Software Defined Infrastructure” category in the 2015 Modern Infrastructure Impact Awards. The awards were judged by the Modern Infrastructure e-zine editorial staff, in conjunction with users, readers, and industry experts.

The Modern Infrastructure Impact Awards recognize the top products, technologies and services in the essential areas of technology that Modern Infrastructure covers. The award-winning tools are those helping to run enterprise businesses with efficiency and insight -- whether they're used inside the data center or out.

VMware NSX delivers secure network services to applications running in the data center, resulting in instant and programmatic provisioning, fast and highly available infrastructure, and increased security and micro segmentation capabilities.

Read about the award here and to learn more about the business value of VMware NSX visit  vmware.com/products/nsx.

Roger

Schuberg Philis Deploys VMware NSX

Summaryschuberg_philis_logo_pms298uwarmgray9u

Application Roll Out Reduced from Weeks to Minutes
• VMware NSX Enables Better Agility, Flexibility and Security

Recently I had the opportunity to speak with the team at Schuberg Philis about their successful, production deployment of VMware NSX. As background, Schuberg Philis is an innovative business technology company and an important player in the field of mission critical outsourcing services. The company serves customers across financial services, retail suppliers and utilities, and therefore must comply with the highest international risk management and corporate governance standards, while remaining flexible to evolving customer needs.

The adoption of VMware NSX based network virtualization has transformed the way Schuberg Philis runs its IT. In order to provide 100 percent functional up time of its customers’ critical applications, Schuberg Philis continuously optimizes its infrastructure and processes. However, the company increasingly saw its network as a barrier to increasing business agility.

To solve this challenge and to accelerate application roll out, the Schuberg Philis implemented a software-defined data center environment, and deployed VMware NSX. Schuberg Philis is taking advantage of the VMware NSX platform’s flexibility, security and agility to accelerate the deployment of applications to customers. Schuberg Philis customers now have easy access to the flexibility of the cloud, but within a certified, auditable environment, which includes built in controls and security.

Funs Kessen, cloud architect at Schuberg Philis, explained, “The process for spinning up new applications for customers used to take weeks to complete. Now we can do it in a little more than 18 minutes. This allows our customers to respond more quickly to business requirements and opportunities.

By fully automating the process, Kessen and team can offer Schuberg Philis customers complete access to the flexibility of the cloud within a certified environment, complete with all controls and security built in, and we’ve made it fully auditable.”

The adoption of VMware NSX based network virtualization has transformed the way Schuberg Philis runs its IT.

Kessen noted, “With VMware NSX in our software-defined data center, we can focus on applications, and not on the infrastructure,”

Follow Schuberg Philis on Facebook, Twitter, YouTube and Google+

Roger

Free Seminar – Advancing Security with the Software-Defined Data Center

We’re excited to take to the road for another edition of our VMware Software-Defined Data Center Seminar Series. Only this time, we’ll be joined by some great company.

VMware & Palo Alto Networks invite you along for a complementary, half-day educational event for IT professionals interested in learning about how Palo Alto Networks and VMware are transforming data center security.

Thousands of IT professionals attended our first SDDC seminar series earlier this year in more than 20 cities around the globe. Visit #VirtualizeYourNetwork.com to browse the presentations, videos, and other content we gathered.

This free seminar will highlight:

  • The Software-Defined Data Center approach
  • Lessons learned from real production customers
  • Using VMware NSX to deliver never before possible data center security and micro-segmentation

Who should attend?

People who will benefit from attending this session include:

  • IT, Infrastructure and Data Center Managers
  • Network professionals, including CCIEs
  • Security & Compliance professionals
  • IT Architects
  • Networking Managers and Administrators
  • Security Managers and Administrators

Agenda

  • 8:30 a.m. Registration & Breakfast
  • 9:00 a.m. VMware: Better Security with Micro-segmentation
  • 10:00 a.m. Palo Alto Networks: Next Generation Security Services for the SDDC
  • 11:00 a.m. NSX & Palo Alto Networks Integrated Solution Demo
  • 11:45 a.m. Seminar Wrap-up
  • 12:00 p.m. Hands-on Workshop
  • 1:30 p.m. Workshop Wrap-up

Check out the schedule and register. Space is limited.

Learn more at http://info.vmware.com/content/26338_nsx_series

Roger

Talking Tech Series: VMware NSX Edge Scale Out with Equal-Cost Multi-Path Routing

This post was written by Roie Ben Haim and Max Ardica, with a special thanks to Jerome Catrouillet, Michael Haines, Tiran Efrat and Ofir Nissim for their valuable input.

****

The modern data center design is changing, following a shift in the habits of consumers using mobile devices, the number of new applications that appear every day and the rate of end-user browsing which has grown exponentially. Planning a new data center requires meeting certain fundamental design guidelines. The principal goals in data center design are: Scalability, Redundancy and High-bandwidth.

In this blog we will describe the Equal Cost Multi-Path functionality (ECMP) introduced in VMware NSX release 6.1 and discuss how it addresses the requirements of scalability, redundancy and high bandwidth. ECMP has the potential to offer substantial increases in bandwidth by load-balancing traffic over multiple paths as well as providing fault tolerance for failed paths. This is a feature which is available on physical networks but we are now introducing this capability for virtual networking as well. ECMP uses a dynamic routing protocol to learn the next-hop towards a final destination and to converge in case of failures. For a great demo of how this works, you can start by watching this video, which walks you through these capabilities in VMware NSX.

Scalability and Redundancy and ECMP

To keep pace with the growing demand for bandwidth, the data center must meet scale out requirements, which provide the capability for a business or technology to accept increased volume without redesign of the overall infrastructure. The ultimate goal is avoiding the “rip and replace” of the existing physical infrastructure in order to keep up with the growing demands of the applications. Data centers running business critical applications need to achieve near 100 percent uptime. In order to achieve this goal, we need the ability to quickly recover from failures affecting the main core components. Recovery from catastrophic events needs to be transparent to end user experiences.

ECMP with VMware NSX 6.1 allows you to use upto a maximum of 8 ECMP Paths simultaneously. In a specific VMware NSX deployment, those scalability and resilience improvements are applied to the “on-ramp/off-ramp” routing function offered by the Edge Services Gateway (ESG) functional component, which allows communication between the logical networks and the external physical infrastructure.

ECMP Image 1

External user’s traffic arriving from the physical core routers can use up to 8 different paths (E1-E8) to reach the virtual servers (Web, App, DB).

In the same way, traffic returning from the virtual server’s hit the Distributed Logical Router (DLR), which can choose up to 8 different paths to get to the core network.

How is the path determined:

NSX for vSphere Edge Services Gateway device:

When a traffic flow needs to be routed, the round robin algorithm is used to pick up one of the links as the path for all traffic of this flow. The algorithm ensures to keep in order all the packets related to this flow by sending them through the same path. Once the next-hop is selected for a particular Source IP and Destination IP pair, the route cache stores this. Once a path has been chosen, all packets related to this flow will follow the same path.

There is a default IPv4 route cache timeout, which is 300 seconds. If an entry is inactive for this period of time, it is then eligible to be removed from route cache. Note that these settings can be tuned for your environment.

Distributed Logical Router (DLR):

The DLR will choose a path based on a Hashing algorithm of Source IP and Destination IP.

What happens in case of a failure on one of Edge Devices?

In order to work with ECMP the requirement is to use a dynamic routing protocol: OSPF or BGP. If we take OSPF for example, the main factor influencing the traffic outage experience is the tuning of the OSPF timers.

OSPF will send hello messages between neighbors, the OSPF “Hello” protocol is used and determines the Interval as to how often an OSPF Hello is sent.

Another OSPF timer called “Dead” Interval is used, which is how long to wait before we consider an OSPF neighbor as "down". The OSPF Dead Interval is the main factor that influences the convergence time. Dead Interval is usually 4 times the Hello Interval but the OSPF (and BGP) timers can be set as low as 1 second (for Hello interval) and 3 seconds (for Dead interval) to speed up the traffic recovery.

ECMP Image 2

In the example above, the E1 NSX Edge has a failure; the physical routers and DLR detect E1 as Dead at the expiration of the Dead timer and remove their OSPF neighborship with him. As a consequence, the DLR and the physical router remove the routing table entries that originally pointed to the specific next-hop IP address of the failed ESG.

As a result, all corresponding flows on the affected path are re-hashed through the remaining active units. It’s important to emphasize that network traffic that was forwarded across the non-affected paths remains unaffected.

Troubleshooting and visibility

With ECMP it’s important to have introspection and visibility tools in order to troubleshoot optional point of failure. Let’s look at the following topology.

ECMP Image 3

A user outside our Data Center would like to access the Web Server service inside the Data Center. The user IP address is 192.168.100.86 and the web server IP address is 172.16.10.10.

This User traffic will hit the Physical Router (R1), which has established OSPF adjacencies with E1 and E2 (the Edge devices). As a result R1 will learn how to get to the Web server from both E1 and E2 and will get two different active paths towards 172.16.10.10. R1 will pick one of the paths to forward the traffic to reach the Web server and will advertise the user network subnet 192.168.100.0/24 to both E1 and E2 with OSPF.

E1 and E2 are NSX for vSphere Edge devices that also establish OSPF adjacencies with the DLR. E1 and E2 will learn how to get to the Web server via OSPF control plane communication with the DLR.

From the DLR perspective, it acts as a default gateway for the Web server. This DLR will form an OSPF adjacency with E1 and E2 and have 2 different OSPF routes to reach the user network.

From the DLR we can verify OSPF adjacency with E1, E2.

We can use the command: “show ip ospf neighbor”

 

ECMP Image 4

 

From this output we can see that the DLR has two Edge neighbors: 198.168.100.3 and 192.168.100.10.The next step will be to verify that ECMP is actually working.

We can use the command: “show ip route”

 

ECMP Image 5

 

The output from this command shows that the DLR learned the user network 192.168.100.0/24 via two different paths, one via E1 = 192.168.10.1 and the other via E2 = 192.168.10.10.

Now we want to display all the packets which were captured by an NSX for vSphere Edge interface.

In the example below and in order to display the traffic passing through interface vNic_1, and which is not OSPF protocol control packets, we need to type this command: “debug packet display interface vNic_1 not_ip_proto_ospf”

We can see an example with a ping running from host 192.168.100.86 to host 172.16.10.10

 

ECMP Image 6

 

If we would like to display the captured traffic to a specific ip address 172.16.10.10, the command capture would look like: “debug packet display interface vNic_1 dst_172.16.10.10”

 

ECMP Image 7

 

Useful CLI for Debugging ECMP

  • To check which ECMP path is chosen for a flow
    • debug packet display interface IFNAME
  • To check the ECMP configuration
    • show configuration routing-global
  • To check the routing table
    • show ip route
  • To check the forwarding table
    • show ip forwarding

Useful CLI for Dynamic Routing

  • show ip ospf neighbor
  • show ip ospf database
  • show ip ospf interface
  • show ip bgp neighbors
  • show ip bgp

ECMP Deployment Consideration

ECMP currently implies stateless behavior. This means that there is no support for stateful services such as the Firewall, Load Balancing or NAT on the NSX Edge Services Gateway. The Edge Firewall gets automatically disabled on ESG when ECMP is enabled. In the current NSX 6.1 release, the Edge Firewall and ECMP cannot be turned on at the same time on NSX edge device. Note however, that the Distributed Firewall (DFW) is unaffected by this.

For more in-depth information, you can also read our VMware® NSX for vSphere (NSX-V) Network Virtualization Design Guide

About The Authors

VMware-Roie Ben HaimRoie Ben Haim works as a professional services consultant at VMware, focusing on design and implementation of VMware’s software-defined data center products.  Roie has more than 12 years in data center architecture, with a focus on network and security solutions for global enterprises. An enthusiastic M.Sc. graduate, Roie holds a wide range of industry leading certifications including Cisco CCIE x2 # 22755 (Data Center, CCIE Security), Juniper Networks JNCIE - Service Provider #849, and VMware vExpert 2014, VCP-NV, VCP-DCV. Follow his personal blog at http://roie9876.wordpress.com/

VMware-Max ArdicaMax Ardica is a senior technical product manager in VMware’s networking and security business unit (NSBU). Certified as VCDX #171, his primary task is helping to drive the evolution of the VMware NSX platform, building the VMware NSX architecture and providing validated design guidance for the software-defined data center, specifically focusing on network virtualization. Prior to joining VMware, Max worked for almost 15 years at Cisco, covering different roles, from software development to product management. Max owns also a CCIE certification (#13808).