By Derek Mitchell, Senior Technical Advisor, VMware vCloud Air Network
Many organizations are wrapping up the transition to version 3.1 of PCI DSS compliance. Though much of the focus of v3.1 has been around the security concerns regarding SSL and early versions of TLS, a couple of the VMware vCloud Air Network cloud providers I work with have taken the opportunity to review their entire PCI DSS certification.
As our cloud provider partners make the transition to v3.1, one of them, Rackspace, stands out because of the approach they took. Rackspace made the decision to leverage VMware NSX as the vehicle to get them to their destination. All of us who are familiar with NSX can rattle off the use cases from memory: security, automation, compliance, etc. Compliance, although a powerful use case, is often less “sexy” and as a result, less discussed than the others. Let’s do it some justice today.
Rackspace has data centers all over the globe, and as they were preparing to transition to v3.1, they decided to revisit their internal network architecture. In a nutshell, the legacy network was built on a flat L2. Previously, the QSA hadn’t paid a ton of attention to this, but it now raised a flag. This was a significant concern as their L2 spanned 8 datacenters across 4 continents. Obviously, this was going to be a major undertaking for them to address. As in most organizations, they are resource-constrained, and by the time they could free up the appropriate personnel, it was early April (remember June 30 was the deadline). As they assessed the risks and the scope, they realized they had 2 options:
Option 1 – Re-IP the secured systems
Option 2 – A software-defined networking (SDN) solution
Option 1 would require new VLANs and a possible firewall upgrade in order to accommodate the additional traffic that was expected. The firewalls are deployed in HA pairs, so this would’ve required 2 per datacenter. As they had upgraded to the current firewalls only approximately a year ago, this was not a popular option amongst leadership. Not to mention, the original upgrade took several months and was prone to error, as much of the process was done manually. Based on several factors, including capital/operational expenditures, time, and the propensity for missteps, option 2 was more feasible.
Once the decision was made to go the SDN route, the choice was between VMware NSX and a competitive offering. They chose NSX distributed firewall (DFW) because they had already deployed NSX edges and they have a really good relationship with one of VMware’s top networking architects. He’s built a level of trust with them and they were encouraged by the fact that he would be working side by side with them throughout the process.
The discussions began in mid-April, with the bulk of the work, including planning, taking place in the month of May. After assessing the environment, they realized they had to migrate from vSphere standard switches to distributed switches. Since the switches needed upgrading, they leveraged the opportunity to also migrate to the latest release of vSphere. Defining the rules and policies was done in parallel with the upgrade activities, followed by lab testing and monitoring of traffic to validate the rules (I’m told by one of our architects that VMware’s latest acquisition would’ve helped here, but I digress).
Once satisfied with the results of the testing phase, they rolled out a pilot in one of the lesser-utilized datacenters. They then rolled out DFW to 2 additional datacenters and subsequently deployed it to all 8. For the most part, things went extremely well, all things considered, but there were a couple of minor hiccups. Most of them were related to things like outdated versions of software that needed upgrading, misconfigured rules, and the typical problems that arise when a significant change is made to any infrastructure while working within a severely compressed timeline.
In summary, Rackspace planned, designed and implemented a non-disruptive network re-architecture that spanned 8 datacenters, 4 continents, 24 virtual switches and 8 vCenters in ~5 weeks. Most importantly, they not only met their PCI DSS 3.1 compliance requirements but also saved months of operational expenses by not upgrading 16 firewalls, and avoided the corresponding capital expenditures. They were also able to protect the investment they made 12 months earlier in the current firewall infrastructure while simultaneously deploying a foundation that will scale and evolve with the organizational requirements.
If you want to learn more, read the full case study, Rackspace Meets New PCI DSS Compliance with VMware NSX Network Virtualization.