Network Security

Performance of VMware NSX Gateway Firewall on 3rd Gen Intel Xeon Scalable Processors

Introduction

Over the past year, pandemic-related uncertainties, the rise of remote work, and a surge in ransomware attacks have added to security professionals’ challenges. Given the extent of the demands faced by security teams, the need to secure organizational networks in ways that are consistent, comprehensive, and easy to administer is greater than ever. Networks must be appropriately architected and segmented to prevent lateral movement by attackers. Robust threat detection capabilities must be in place. Compliance must be maintained. Security policies must be enforced. Access to on-premises and cloud-hosted resources must be securely enabled. All of this must happen without placing an undue burden on security practitioners.

Enterprises can make great strides towards achieving these objectives by applying the right firewall strategy, one that involves both internal and zone firewalls. Internal firewalls are important because they protect communication between workloads within the enterprise environment, such as a private cloud. VMware NSX Distributed Firewall is ideal for inspecting and protecting the traffic that travels within the enterprise. To ensure complete protection of all workloads in the private cloud, both physical and virtualized, security teams must also secure the east-west traffic of workloads that run directly on an operating system without an intermediate hypervisor.

With NSX version 3.2, VMware introduced VMware NSX Gateway Firewall for security zones in conjunction with the NSX Distributed Firewall. This makes it possible to extend the same unified, consistent access control and threat protection capabilities that the NSX Distributed Firewall provides across all workloads in the private cloud. Comprehensive protection within a single management console and software-defined solution portfolio reduces the administrative burden that security teams face while empowering them to deliver consistent protection everywhere.

Intel launched the 3rd Gen Intel Xeon Scalable processors in 2021. These processors include Intel Crypto Acceleration, which significantly improves data protection and privacy by increasing the performance of encryption-intensive workloads, including SSL web serving, 5G infrastructure, and VPN/firewalls, while reducing the performance impact of pervasive encryption. They also include Intel Software Guard Extensions (Intel SGX), which facilitates confidential computing, and Intel Total Memory Encryption (Intel TME) for memory encryption. These processors offer a balanced architecture with built-in acceleration and advanced security capabilities, designed through decades of innovation for the most in-demand workload requirements.

In this blog post, we discuss the performance of VMware NSX Gateway Firewall running on the 3rd Gen Intel Xeon Scalable platform.

For more information on these technologies:

VMware NSX Gateway Firewall: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmware-nsx-gateway-firewall.pdf

NSX Firewalls

3rd Gen Intel Xeon Scalable processors:  https://www.intc.com/news-events/press-releases/detail/1423/intel-xeon-scalable-platform-built-for-most-sensitive

Intel Architecture for VMware NSX Datacenter, Cloud and SD-WAN Platform


VMware NSX Gateway Firewall with Intel Hyperscan Technology

NSX Gateway IDS/IPS Firewall is powered by Intel’s Hyperscan technology running on Intel Xeon Scalable Processors.

Hyperscan provides a flexible, easy-to-use library that matches large numbers of patterns simultaneously with high performance and good scalability, and it provides functionality specific to network packet processing. Hyperscan presents a flexible C API and different modes of operation to ensure its applicability in real networking scenarios. A strong focus on efficient algorithms and the use of Intel Streaming SIMD Extensions (Intel SSE) enables Hyperscan to achieve high matching performance.

The integration of Hyperscan with DPDK also provides mature and efficient building blocks for Deep Packet Inspection (DPI), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and related products. Hyperscan is released as open-source software under a BSD license.

Performance Considerations

VMware NSX Gateway Firewall delivers robust network security with a software-defined Layer 7 firewall deployed at zone boundaries to protect physical workloads, private clouds, and the public cloud edge. One of the key performance factors is the hardware used and the offloads it provides. In our testing, Intel’s 3rd Gen Xeon Scalable processors outperformed Intel’s 2nd Gen Xeon Scalable processors. VMware ran performance tests of NSX Gateway IDS/IPS functionality on Large and X-Large VM form factors. As the chart below shows, NSX Gateway IDS/IPS performance increased by 10% to 26% on 3rd Gen Intel Xeon Scalable processors compared to 2nd Gen Intel Xeon Scalable processors.


Recommended Intel Processors for VMware NSX Gateway Firewall

Intel Xeon Platinum 8380 2.3G, 40C/80T, 11.2GT/s, 60M Cache, Turbo, HT (270W) DDR4-3200

Intel Xeon Gold 6338N 2.2G, 32C/64T, 11.2GT/s, 48M Cache, Turbo, HT (185W) DDR4-2666

For detailed hardware recommendations for Bare Metal Edge, please check https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-14C3F618-AB8D-427E-AC88-F05D1A04DE40.html

For the VM Edge form factor, consider the size of the VM Edge used to plan the required specs for the ESXi host. For example, if deploying 2x X-Large VM Edges, the ESXi host should have at least 32 cores. For more details, please refer to https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-22F87CA8-01A9-4F2E-B7DB-9350CA60EA4E.html

Conclusion

3rd Gen Intel Xeon Scalable processors have extensive security features to help secure sensitive workloads and enable new opportunities in the network security area. The VMware NSX Gateway Firewall on the Intel Xeon Scalable platform was purpose-built to extend the capabilities of the VMware NSX Distributed Firewall across all workloads in your organization, including those running on physical servers. With a tightly integrated firewall portfolio, security teams can accelerate operations and effectively mitigate risk without increasing costs.