
Sunday, December 19, 2021

Key points on VMware NSX-T, NSX- Intelligence & misc

Transport node profiles are applied to all member hosts of a cluster. If you want to limit the migration of VMkernel interfaces to specific hosts, configure those hosts directly instead. After migration, the N-VDS handles both VLAN and overlay traffic for the interfaces attached to it.

Equal-cost multipath (ECMP) routing increases north-south bandwidth by adding an uplink to the Tier-0 gateway (logical router) and configuring it on each Edge node in an NSX Edge cluster. The resulting equal-cost paths are used to load-balance traffic and provide fault tolerance when a path fails.

The Tier-0 gateway must run in active-active mode for ECMP to be available. A maximum of eight ECMP paths is supported.
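As an added illustration (not from this page and not VMware's code), the Python model below shows how an active-active Tier-0 spreads flows across equal-cost paths and what happens to those flows when one path fails. The Edge and uplink names, the SHA-256 hash of the 5-tuple and the modulo selection are assumptions of the model; the page does not describe the real hash NSX Edge uses.

```python
"""Model of ECMP path selection on an active-active Tier-0 gateway (added example)."""
import hashlib

MAX_ECMP_PATHS = 8  # NSX-T supports at most eight ECMP paths


class EcmpTier0:
    """Each path is one uplink on one Edge node; flows are pinned by a 5-tuple hash."""

    def __init__(self, uplinks):
        if not 1 <= len(uplinks) <= MAX_ECMP_PATHS:
            raise ValueError(f"need 1..{MAX_ECMP_PATHS} ECMP paths, got {len(uplinks)}")
        self.uplinks = list(uplinks)   # e.g. ("edge-01", "uplink-1"); names are assumed
        self.failed = set()

    def fail(self, uplink):
        self.failed.add(uplink)

    def restore(self, uplink):
        self.failed.discard(uplink)

    def active_paths(self):
        return [u for u in self.uplinks if u not in self.failed]

    def select(self, src_ip, dst_ip, proto, sport, dport):
        """Path for one flow. Assumption: SHA-256 of the 5-tuple modulo active paths."""
        active = self.active_paths()
        if not active:
            raise RuntimeError("no north-south path available")
        key = f"{src_ip}|{dst_ip}|{proto}|{sport}|{dport}".encode()
        digest = hashlib.sha256(key).digest()
        return active[int.from_bytes(digest[:8], "big") % len(active)]


def sample_flows(n):
    """Constructed flows: n client ports from one VM to one external server."""
    return [("10.0.1.10", "203.0.113.7", "tcp", 40000 + i, 443) for i in range(n)]


def distribution(t0, flows):
    """How many flows land on each active path."""
    counts = {u: 0 for u in t0.active_paths()}
    for f in flows:
        counts[t0.select(*f)] += 1
    return counts


def failover_report(t0, flows, uplink):
    """Fail one path and measure how many flows kept their original path.

    Flows on the failed path must move; with a plain modulo hash some flows on
    surviving paths move too. That is why a stateful service cannot sit on an
    active-active Tier-0: return packets may take a different path.
    """
    before = {f: t0.select(*f) for f in flows}
    t0.fail(uplink)
    after = {f: t0.select(*f) for f in flows}
    t0.restore(uplink)
    kept = sum(1 for f in flows if before[f] == after[f])
    return {"kept": kept, "moved": len(flows) - kept,
            "failed_path_still_used": uplink in after.values()}
```

Run `failover_report(EcmpTier0([...four paths...]), sample_flows(200), ("edge-02", "uplink-2"))` to see that no flow is ever sent to the failed path while the others are rehashed; the `moved` count is the reason the page later says reflexive (stateless) NAT is required on an active-active Tier-0.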

IDS/IPS Profiles are used to group signatures, which can then be applied to selected applications. You can create 24 custom profiles in addition to the default profile.

NSX can automatically update its IDS signatures by checking the cloud-based service. By default, NSX Manager checks once per day, and VMware publishes new signature update versions every two weeks (with additional non-scheduled 0-day updates). NSX can also be configured to automatically apply newly downloaded signatures to all hosts that have IDS enabled.

The Distributed Firewall (DFW) runs as kernel modules, installed by the NSX VIB package, on every ESXi host in a cluster that is prepared for NSX. Host preparation automatically activates the DFW on those clusters.

Because the DFW runs in the kernel of every ESXi host, firewall capacity scales horizontally: each host you add to a cluster brings its own firewall capacity along with its compute, so capacity grows with the number of VMs you manage.
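To make the DFW model concrete, here is an added Python example (not from this page and not VMware's code) of how a per-vNIC, first-match rule set with group membership, an Applied To scope, connection tracking and an implicit deny behaves. The VM names, addresses, tags and rules are a constructed inventory; treating a group as a single tag, and requiring both the source and the destination vNIC to allow a flow, are simplifying assumptions of the model.

```python
"""Model of NSX-T distributed firewall (DFW) rule evaluation (added example)."""
from dataclasses import dataclass

ANY = frozenset({"ANY"})


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset       # group names, or ANY
    destinations: frozenset  # group names, or ANY
    services: frozenset      # (proto, dport) tuples, or ANY
    action: str              # "ALLOW" or "DROP"
    applied_to: frozenset    # groups whose members' vNICs carry the rule; {"DFW"} = every vNIC


# Constructed inventory: VM -> (IP, tier tag). Assumption: a group is one tag.
VMS = {"web-01": ("10.0.1.10", "web"),
       "app-01": ("10.0.2.10", "app"),
       "db-01": ("10.0.3.10", "db")}


def vm_by_ip(ip):
    """None means an endpoint with no vNIC in NSX (external or physical)."""
    return next((name for name, (addr, _) in VMS.items() if addr == ip), None)


def in_any(vm, groups):
    if groups == ANY:
        return True
    return vm is not None and VMS[vm][1] in groups


RULES = [
    Rule("web-to-app", frozenset({"web"}), frozenset({"app"}),
         frozenset({("tcp", 8443)}), "ALLOW", frozenset({"web", "app"})),
    Rule("app-to-db", frozenset({"app"}), frozenset({"db"}),
         frozenset({("tcp", 5432)}), "ALLOW", frozenset({"app", "db"})),
    Rule("default-deny", ANY, ANY, ANY, "DROP", frozenset({"DFW"})),
]


def evaluate_at_vnic(vm, flow, rules=RULES):
    """First-match evaluation of the rules programmed on one VM's vNIC."""
    for r in rules:
        if "DFW" not in r.applied_to and not in_any(vm, r.applied_to):
            continue  # rule is not programmed on this vNIC
        if not in_any(vm_by_ip(flow.src_ip), r.sources):
            continue
        if not in_any(vm_by_ip(flow.dst_ip), r.destinations):
            continue
        if r.services != ANY and (flow.proto, flow.dport) not in r.services:
            continue
        return r.action, r.name
    return "DROP", "implicit-deny"  # nothing matched: zero-trust default


def flow_verdict(flow, rules=RULES):
    """A flow is filtered at the source vNIC (egress) and the destination vNIC (ingress)."""
    verdicts = {}
    for vm in (vm_by_ip(flow.src_ip), vm_by_ip(flow.dst_ip)):
        if vm is not None:
            verdicts[vm] = evaluate_at_vnic(vm, flow, rules)
    allowed = bool(verdicts) and all(a == "ALLOW" for a, _ in verdicts.values())
    return allowed, verdicts


class StatefulDFW:
    """Connection tracking: replies to an allowed flow pass without a matching rule."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.conns = set()  # (src_ip, dst_ip, proto, sport, dport) of allowed flows

    def packet(self, src_ip, dst_ip, proto, sport, dport):
        if (dst_ip, src_ip, proto, dport, sport) in self.conns:
            return "ALLOW", "established"
        allowed, _ = flow_verdict(Flow(src_ip, dst_ip, proto, dport), self.rules)
        if allowed:
            self.conns.add((src_ip, dst_ip, proto, sport, dport))
            return "ALLOW", "new"
        return "DROP", "policy"
```

Removing the explicit `default-deny` rule changes nothing for unmatched flows in this model (they hit `implicit-deny`), but the explicit rule is what lets you log the drops; a web-tier VM talking straight to the database is dropped at both vNICs because the `app-to-db` rule is not even programmed on the web vNIC.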

Signatures in a profile can be enabled based on their severity rating. A higher score indicates an increased risk associated with the intrusion event. The severity is determined from the following:

* Severity specified in the signature itself
* CVSS (Common Vulnerability Scoring System) score specified in the signature
* Type rating associated with the classification type

VMware NSX Network Detection and Response combines network IDS/IPS, behavior-based network traffic analysis, and VMware NSX Advanced Threat Analyzer, a sandbox based on full-system emulation that has visibility into every action the malware takes.

NSX Network Detection and Response correlates individual detection events across multiple assets and hops into fewer security-relevant intrusions, organizing them into a timeline for rapid threat hunting and response.

Key features of NSX Network Detection and Response include:

* NSX Advanced Threat Analyzer
* Network traffic analysis
* Network intrusion detection and prevention system

NSX Service-defined Firewall is a distributed, scale-out internal firewall that protects all east-west traffic with security that’s intrinsic to the infrastructure, radically simplifying the security deployment model.

Use cases for NSX Service-defined Firewall include:

* Network Segmentation
* Zero Trust in the Data Center
* Virtual Patching for all Workloads
* Block Advanced Threats

NSX Advanced Threat Prevention includes the Advanced Threat Analyzer, which provides complete malware analysis and enables accurate detection and prevention of advanced threats.

VMware Carbon Black Endpoint consolidates multiple endpoint security capabilities using one agent and console, helping you operate faster and more effectively.

VMware NSX is a network virtualization and security platform that enables the virtual cloud network, a software-defined approach to networking that extends across data centers, clouds and application frameworks.

VMware NSX delivers a complete L2-L7 networking and security virtualization platform, allowing you to manage your entire network as a single entity from a single pane of glass, enforce consistent networking and security policies, and automate and tailor the network to your needs.

vRealize Log Insight: manage data at scale with centralized log management, deep operational visibility and intelligent analytics for troubleshooting and auditing across private, hybrid and multi-cloud environments.

What are the key benefits of vRealize Network Insight?

Key benefits of vRealize Network Insight include:
* Application discovery and visibility
* Security and migration planning
* Better troubleshooting

NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform. You must first deploy the platform, then activate the Malware Prevention feature. After the feature is activated, the microservices required for Malware Prevention are deployed in the platform. The status refreshes continuously, so allow some time for the correct status to be reflected.

VMware has acquired Lastline, an anti-malware and AI-powered network detection and response solution. Lastline's network traffic analysis (NTA) helps protect east-west traffic across multi-cloud environments and uses unsupervised and supervised machine learning to identify threats and reduce false positives by up to 90%.

NSX ATP is a suite of security solutions that come together to provide advanced, comprehensive internal data center security. NSX ATP is focused on the following areas:

* Greater visibility
* Advanced malware protection
* Reduced false positives
* Proactive threat hunting

Signatures

Signatures are applied to IDS rules through profiles. A single profile is applied to matching traffic. By default, NSX Manager checks for new signatures once per day. New signature update versions are published every two weeks (with additional non-scheduled 0-day updates). When a new update is available, there is a banner across the page with an Update Now link. 

If Auto update new versions is selected, signatures are applied to your hosts automatically after they are downloaded from the cloud. If auto update is disabled, the signatures stay at the listed version. Click View and change versions to add another version in addition to the default; two signature versions are maintained at a time. A new version is downloaded whenever the version commit identification number changes.

VMware Private Cloud is an isolated and secure cloud environment. With ESXi Hypervisor and vCenter at the center, you can view, stop, and start your virtual machines easily. VMware stack components can be added based on your needs, such as Storage vMotion, vMotion, vSwap, vSphere HA, VMware Snapshots, DRS, EVC, and Thin Disk Provisioning.

VMware Cloud Foundation is a complete stack that integrates VMware technologies vSphere (compute virtualization), vSAN (storage virtualization), NSX (network virtualization), and vRealize Suite (cloud management and monitoring) into one software-defined data center platform, or SDDC, which can be deployed on-prem, entirely in the public cloud, or in a hybrid cloud approach.

An SDDC relies on hyper-converged infrastructure (HCI), in which IT resources such as network, storage, CPU, and security are pooled and virtualized for provisioning.

SDDC Manager is the management and automation component of Cloud Foundation from where you can provision, manage, and control the virtualized resources of the whole stack. The vRealize Suite can be integrated into SDDC Manager to add capabilities such as:

* Performance and capacity analysis.
* Monitoring consumption costs for cloud services from AWS, GCP, and Azure.
* Automated cloud resource deployment through Infrastructure-as-a-Service.

Since VMware Cloud Foundation supports a multicloud strategy, it gives you a powerful capability to manage and integrate an entire organization's IT environment spanning on-prem and multicloud locations, bringing effectiveness and versatility to your IT deployments.

VMware Cloud Foundation has a range of services, including deployment options on AWS, Azure, Google Cloud, and other services that allow you to consume Datacenter-as-a-Service and other hybrid architectures.

VXLAN encapsulates a MAC frame in a UDP datagram for transport across an IP network, creating an overlay network or tunnel.

Open vSwitch is an example of a software-based virtual network switch that supports VXLAN overlay networks.

Virtual Extensible LAN (VXLAN) is a network virtualization technology that addresses the scalability problems associated with large cloud computing deployments.

VXLAN increases scalability to 16 million logical networks (with a 24-bit VNI) and allows for layer 2 adjacency across IP networks.

The VXLAN specification was originally created by VMware, Arista Networks and Cisco.

VXLAN is a tunneling protocol that carries Ethernet L2 traffic over an IP L3 network.

It is an extension of VLANs: it encapsulates an Ethernet L2 frame in a UDP packet and transmits it across an L3 network.

VXLAN is carried in UDP; the IANA-assigned destination port is 4789.
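The encapsulation described above, as an added Python example that is not part of the original page: it builds and parses the 8-byte VXLAN header (RFC 7348) around a constructed inner Ethernet frame, enforces the 24-bit VNI range and the reserved flag bits, and does the same for the Geneve base header (RFC 8926), which is the encapsulation NSX-T uses. The MAC addresses, the VNI values and the Geneve option class are made up for the demonstration; the UDP ports and header layouts are from the RFCs.

```python
"""Build and parse VXLAN (RFC 7348) and Geneve (RFC 8926) overlay headers (added example)."""
import struct

VXLAN_UDP_PORT = 4789    # IANA-assigned VXLAN destination port
GENEVE_UDP_PORT = 6081   # IANA-assigned Geneve destination port
MAX_VNI = (1 << 24) - 1  # 24-bit VNI: 16,777,216 logical networks
ETH_P_TEB = 0x6558       # Geneve protocol type for an Ethernet payload
VXLAN_FLAG_I = 0x08      # "valid VNI present" flag; all other flag bits are reserved


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Constructed inner L2 frame: 6-byte dst, 6-byte src, 2-byte type, no FCS."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_vxlan(vni, inner_frame):
    """Prepend the VXLAN header: byte 0 flags, 1-3 reserved, 4-6 VNI, 7 reserved."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 24-bit range")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def parse_vxlan(payload):
    """Return (vni, inner_frame); reject truncated or malformed headers."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if flags != VXLAN_FLAG_I:
        raise ValueError("VXLAN flags must be exactly 0x08 (I bit set, reserved bits zero)")
    return word >> 8, payload[8:]


def geneve_option(opt_class, opt_type, data):
    """One TLV option: class (2), type (1), length in 4-byte words (1), data."""
    if len(data) % 4 or len(data) > 4 * 31:
        raise ValueError("option data must be a multiple of 4 bytes, at most 124")
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def build_geneve(vni, inner_frame, options=b""):
    """Geneve base header: Ver(2)|OptLen(6), O|C|Rsvd, Protocol Type, VNI(24)|Rsvd(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside 24-bit range")
    if len(options) % 4 or len(options) > 4 * 63:
        raise ValueError("options must be a multiple of 4 bytes, at most 252")
    byte0 = (0 << 6) | (len(options) // 4)  # version 0, Opt Len in 4-byte words
    return struct.pack("!BBHI", byte0, 0, ETH_P_TEB, vni << 8) + options + inner_frame


def parse_geneve(payload):
    """Return (vni, raw_options, inner_frame) for a version-0 Geneve packet."""
    if len(payload) < 8:
        raise ValueError("truncated Geneve header")
    byte0, flags, proto, word = struct.unpack("!BBHI", payload[:8])
    if byte0 >> 6 != 0:
        raise ValueError("unsupported Geneve version")
    if flags & 0x80:  # O bit: OAM packet, never delivered to a VM
        raise ValueError("Geneve OAM packet carries no tenant frame")
    opt_len = (byte0 & 0x3F) * 4
    if len(payload) < 8 + opt_len:
        raise ValueError("truncated Geneve options")
    if proto != ETH_P_TEB:
        raise ValueError(f"unexpected Geneve protocol type {proto:#06x}")
    return word >> 8, payload[8:8 + opt_len], payload[8 + opt_len:]


# Constructed sample: an IPv4 frame between two (made-up) VM MAC addresses.
INNER = ethernet_frame("00:50:56:aa:bb:cc", "00:50:56:11:22:33", 0x0800, bytes(20))
```

Two tenants can reuse the same inner MAC addresses because the receiving tunnel endpoint looks up the inner frame in the forwarding table for the VNI it arrived on; the validation in `parse_vxlan` and `parse_geneve` is the part a real TEP must not skip, since a packet with reserved bits set or a bogus protocol type should be dropped rather than bridged into a tenant segment.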

* VMware Virtual Cloud Network is a ubiquitous software layer that connects and protects any workload across any environment. 

* The NSX family is a portfolio of various offerings, including NSX-T Data Center, vRealize Network Insight, NSX Cloud, NSX Intelligence, NSX Distributed IDS/IPS, NSX Advanced Load Balancer, NSX Service Mesh, and VMware HCX. 

* In an NSX management cluster, each node performs the management, control, and policy roles. 

* NSX policy provides consistency in networking and security configuration across the NSX-T Data Center environment. 

* The data plane in NSX-T Data Center forwards packets based on tables populated by the control plane and reports topology information to the control plane. 

* The management plane, control plane, and policy functions are deployed in NSX Manager. 

* You can deploy the NSX Manager nodes on ESXi or KVM hosts. 

* The NSX UI has two sections called Policy and Manager. 

* N-VDS is a software switch that provides the underlying layer 2 forwarding service on a transport node (hypervisor host or NSX Edge). 

* The ESXi hosts that are managed by vCenter Server can be configured to use VDS during the transport node preparation. 

* A transport zone defines a collection of hosts that can communicate with each other across a physical network infrastructure. Overlay and VLAN are the available types of transport zone. 

* Uplink profiles enable you to configure consistent identical capabilities for network adapters across multiple hosts or nodes. 

* A teaming policy applies to each VDS or N-VDS uplink and defines how VDS or N-VDS uses its uplinks for redundancy and load balancing. 

* VIBs install kernel modules that run in the hypervisor kernel and provide services such as distributed routing, distributed firewall, and other capabilities. 

* A segment is a representation of the L2 broadcast domain across transport nodes. 

* Each overlay segment is assigned a VNI; a VLAN segment is identified by its VLAN ID.

* The two types of segments are overlay segments and VLAN segments. 

* Geneve is an IETF overlay tunneling mechanism providing L2 over L3 encapsulation of data plane packets. 

* Segment profiles provide L2 networking configuration details for segments and ports. 

* Five types of segment profiles are available: IP Discovery, MAC Discovery, SpoofGuard, Segment Security, and QoS. 

* You can apply default or custom segment profiles to segments or ports. 

* Network flow tables used in packet forwarding include TEP, ARP, and MAC table. 

* BUM traffic replication supports head-end replication mode and hierarchical two-tier mode. 

* The NSX-T Data Center routing function meets the needs of service providers and tenants. 

* Static route configuration is performed manually by an administrator. 

* Dynamic route configuration enables gateways to exchange information about the network. 

* NSX logical routing commonly implements a two-tiered topology. 

* Tier-1 gateways have downlink ports to connect to NSX segments and uplink ports to connect to Tier-0 gateways. 

* A gateway includes two optional parts: a distributed gateway and one or more service gateways. 

* You can deploy an NSX Edge node through the NSX UI, with the OVF tool, or from an ISO file in a PXE environment. 

* Joining NSX Edge nodes with the management plane ensures that NSX Manager and the NSX Edge nodes can communicate with one another. 

* A multinode NSX Edge cluster helps ensure that at least one NSX Edge node is always available. 

* eBGP (external BGP) is BGP peering between routers in different autonomous systems, used to exchange routes between them; in NSX-T the Tier-0 gateway typically peers over eBGP with the physical routers. 

* An IP prefix list contains one or more IP prefixes, each with a permit or deny action, that control which routes are advertised or accepted. 

* ECMP routing increases the north-south communication bandwidth by adding an uplink to the Tier-0 gateway and configuring it for each NSX Edge node in an NSX Edge cluster. 

* Multiple edge nodes can be pooled in a cluster for scale-out and redundancy. 

* High availability supports two modes: active-active and active-standby. 

* VRF Lite enables you to configure multiple routing instances without deploying additional Tier-0 gateways and edge nodes. 

* EVPN is used to extend Telco traditional networks to NFV Clouds. 

* Tier-0 gateways and their directly connected downlink segments support multicast. 

* The NSX Edge layer 2 bridge is responsible for bridging traffic between the NSX overlay and VLAN-backed VMs or physical devices outside the NSX-T Data Center deployment. 

* A bridge profile enables an NSX Edge cluster to provide layer 2 bridging to a segment. 

* The NSX Edge layer 2 bridge uses the Data Plane Development Kit (DPDK) for high-performance forwarding. 

* Traffic bridged in and out of the NSX-T Data Center domain is subject to the NSX Edge layer 2 bridge firewall. 

* Micro-segmentation enables an organization to logically divide its data center into distinct security segments, down to the individual workload level. 

* Micro-segmentation defines distinct controls and security services, and attaches the centrally controlled and operationally distributed firewalls directly to each VM. 

* NSX-T Data Center micro-segmentation supports a zero-trust architecture for IT security. It establishes a security perimeter around each VM or container workload with a dynamically defined policy. 

* The distributed firewall is a hypervisor kernel-embedded stateful firewall. 

* The distributed firewall resides outside the VM guest OS, controls the I/O path to and from the vNIC, and monitors the state of active connections. The distributed firewall uses this information to determine which packets traverse the VM vNIC. 

* The gateway firewall, also known as the perimeter firewall, protects traffic from physical environments. 

* Distributed Intrusion Detection uses Network Introspection to identify malicious intrusion attempts. 

* URL Analysis provides a mechanism to monitor access to external websites. 

* NSX-T Data Center provides the framework and APIs that allow service insertion partners to integrate their security solutions with NSX-T Data Center. 

* Network Introspection examines the network by offering services such as IDS, IPS, and next-generation firewall. 

* Endpoint Protection examines inside guest VMs by offering services such as antivirus and antimalware solutions, vulnerability management, data security, and data loss prevention solutions. 

* NAT can be configured on Tier-0 and Tier-1 gateways. 

* Typically, source translation is used to change a private address or port to a public address or port for packets leaving your network. 

* Typically, destination translation is used to redirect incoming packets with a destination of a public address or port to a private IP address or port in your network. 

* Reflexive NAT is required when a Tier-0 gateway runs in active-active mode because you cannot configure a stateful service where paths might be irregular. 

* The NAT64 mechanism translates IPv6 packets to IPv4 packets. 

* DHCP is a standard networking protocol for dynamically distributing network configuration parameters, such as IP addresses for interfaces. 

* DNS is a service that resolves a computer name to an IP address. 

* The NSX-T Data Center load balancer distributes incoming service requests among multiple servers and offers high availability for applications. 

* The load balancer must be attached to a Tier-1 gateway and can be deployed in one-arm or inline mode. 

* IPSec VPN services are available on Tier-0 gateways to interconnect different IP networks. 

* L2 VPN tunnels, which use GRE over IPSec, can be used to extend layer 2 networks. 

* NSX Intelligence is a distributed analytics solution that provides visibility and dynamic security policy enforcement for NSX-T Data Center environment. 

* NSX Network Topology is a feature that enables users to have a complete view of their configured network by showing the different components, interconnections, and interactions. 

* Alarms and events help monitor and troubleshoot the NSX-T Data Center environment. 

* VMware Identity Manager provides application provisioning, conditional access controls, and SSO for SaaS, web, cloud, and native mobile applications. 

* You can integrate NSX-T Data Center with VMware Identity Manager and configure RBAC for users that VMware Identity Manager manages. 

* You can add Active Directory over LDAP or OpenLDAP identity sources to NSX-T Data Center and configure RBAC for these users. 

* Federation provides consistent policy and operational simplicity with multisite functionality for data centers. 

* The Global Manager (GM) performs onboarding for multiple sites. 

* Firewall rules must be created with at least one of the source or destination groups belonging to the same domain as the rule. 

* The GM creates stretched networks by using Tier-0 and Tier-1 gateways. 

* The edge node delivers cross-location communication to avoid connecting hypervisors across sites. 

Compute Manager

A compute manager is an application that manages resources such as hosts and VMs. One example is vCenter Server.

Control Plane

Computes runtime state based on configuration from the management plane. Control plane disseminates topology information reported by the data plane elements, and pushes stateless configuration to forwarding engines.

Data Plane

Performs stateless forwarding or transformation of packets based on tables populated by the control plane. Data plane reports topology information to the control plane and maintains packet level statistics.

External Network

A physical network or VLAN not managed by NSX-T Data Center. You can link your logical network or overlay network to an external network through an NSX Edge. For example, a physical network in a customer data center or a VLAN in a physical environment.

Logical Port Egress

Outbound network traffic leaving the VM or logical network is called egress because the traffic is leaving the virtual network and entering the data center.

Logical Port Ingress

Inbound network traffic leaving the data center and entering the VM is called ingress traffic.

Logical Router

NSX-T Data Center routing entity.

Logical Router Port

Logical network port to which you can attach a logical switch port or an uplink port to a physical network.

Logical Switch

Entity that provides virtual Layer 2 switching for VM interfaces and Gateway interfaces. A logical switch gives tenant network administrators the logical equivalent of a physical Layer 2 switch, allowing them to connect a set of VMs to a common broadcast domain. A logical switch is a logical entity independent of the physical hypervisor infrastructure and spans many hypervisors, connecting VMs regardless of their physical location.

In a multi-tenant cloud, many logical switches might exist side-by-side on the same hypervisor hardware, with each Layer 2 segment isolated from the others. Logical switches can be connected using logical routers, and logical routers can provide uplink ports connected to the external physical network.

Logical Switch Port

Logical switch attachment point to establish a connection to a virtual machine network interface or a logical router interface. The logical switch port reports applied switching profile, port state, and link status.

Management Plane

Provides the single API entry point to the system, handles user queries, and performs operational tasks on all of the management, control, and data plane nodes in the system. The management plane is also responsible for querying, modifying, and persisting user configuration.

NSX Edge Cluster

Collection of NSX Edge node appliances that share the same settings for the protocols involved in high-availability monitoring.

NSX Edge Node

Component whose functional goal is to provide the computational power to deliver IP routing and IP services.

NSX Managed Virtual Distributed Switch or KVM Open vSwitch

The NSX managed virtual distributed switch (N-VDS, previously known as hostswitch) or OVS is used for shared NSX Edge and compute clusters. N-VDS is required for overlay traffic configuration.

An N-VDS has two modes: standard and enhanced datapath. An enhanced datapath N-VDS has the performance capabilities to support NFV (Network Functions Virtualization) workloads.

NSX Manager

Node that hosts the API services, the management plane, and the agent services. NSX Manager is an appliance included in the NSX-T Data Center installation package. You can deploy the appliance in the role of NSX Manager or nsx-cloud-service-manager. Currently, the appliance only supports one role at a time.

NSX Manager Cluster

A cluster of NSX Managers that can provide high availability.

Open vSwitch (OVS)

Open source software switch that acts as a virtual switch within XenServer, Xen, KVM, and other Linux-based hypervisors.

Overlay Logical Network

Logical network implemented using Layer 2-in-Layer 3 tunneling such that the topology seen by VMs is decoupled from that of the physical network.

Physical Interface (pNIC)

Network interface on a physical server that a hypervisor is installed on.

Segment

Entity that provides virtual Layer 2 switching for VM interfaces and Gateway interfaces. A segment gives tenant network administrators the logical equivalent of a physical Layer 2 switch, allowing them to connect a set of VMs to a common broadcast domain. A segment is a logical entity independent of the physical hypervisor infrastructure and spans many hypervisors, connecting VMs regardless of their physical location. A segment is also known as a logical switch.

In a multi-tenant cloud, many segments might exist side-by-side on the same hypervisor hardware, with each Layer 2 segment isolated from the others. Segments can be connected using gateways, which can provide connectivity to the external physical network.

Tier-0 Gateway or Tier-0 Logical Router

The Tier-0 Gateway in the Networking tab interfaces with the physical network and can be realized as an active-active or active-standby cluster. The Tier-0 gateway runs BGP and peers with physical routers. In active-standby mode the gateway can also provide stateful services.

Tier-1 Gateway or Tier-1 Logical Router

The Tier-1 Gateway in the Networking tab connects to one Tier-0 gateway for northbound connectivity and one or more overlay networks for southbound connectivity. A Tier-1 gateway can be an active-standby cluster that provides stateful services.

Transport Zone

Collection of transport nodes that defines the maximum span of logical switches. A transport zone represents a set of similarly provisioned hypervisors and the logical switches that connect VMs on those hypervisors. Each node in the zone has been registered with the NSX-T Data Center management plane and has the NSX-T Data Center modules installed. For a hypervisor host or NSX Edge to be part of the NSX-T Data Center overlay, it must be added to an NSX-T Data Center transport zone.

Transport Node

A node capable of participating in an NSX-T Data Center overlay or NSX-T Data Center VLAN networking. For a KVM host, you can preconfigure the N-VDS, or you can have NSX Manager perform the configuration. For an ESXi host, NSX Manager always configures the N-VDS.

Uplink Profile

Defines policies for the links from hypervisor hosts to NSX-T Data Center logical switches or from NSX Edge nodes to top-of-rack switches. The settings defined by uplink profiles might include teaming policies, active/standby links, the transport VLAN ID, and the MTU setting. The transport VLAN set in the uplink profile tags overlay traffic only; that VLAN ID is used by the TEP.

VM Interface (vNIC)

Network interface on a virtual machine that provides connectivity between the virtual guest operating system and the standard vSwitch or vSphere distributed switch. The vNIC can be attached to a logical port. You can identify a vNIC based on its Unique ID (UUID).

Virtual Tunnel Endpoint

Each hypervisor has a tunnel endpoint (TEP, also called a VTEP) responsible for encapsulating VM traffic in the overlay tunnel header (Geneve in NSX-T) and sending the packet to the destination TEP for further processing. Traffic can be sent to a TEP on another host or to the NSX Edge gateway to reach the physical network.

Operating system 

Software designed to allocate physical resources to applications - Microsoft Windows, Linux

Application 

Software that runs on an operating system, consuming physical resources - Microsoft Office, Chrome 

Virtual machine 

Specialized application that abstracts hardware resources into software 

Guest 

The operating system that runs in a VM (also called the guest operating system) - Microsoft Windows, Linux 

Hypervisor 

Specialized operating system designed to run VMs - ESXi, Workstation, Fusion 

Host 

Physical computer that provides resources to the ESXi hypervisor 

Open Virtualization Format (OVF) 

An open standard for packaging and distributing virtual machines and virtual appliances 

Container 

An application packaged with dependencies 

Container engine 

A runtime engine that manages the containers 

Docker 

The most recognized runtime engine for container support, and it is often used as a synonym for many aspects of container technologies 

Container host 

A virtual machine or physical machine on which the containers and container engine run 

Kubernetes 

Google-developed orchestration for containers 

A container is an encapsulation of an application together with the binaries and libraries it depends on. The application is decoupled from the host operating system and runs anywhere a compatible container engine is available.

Types of Virtual Switches

A virtual network supports standard and distributed switches. Both switch types are elastic: ports are created and removed automatically.

* Standard switch: a virtual switch that is configured for a single host.
* Distributed switch: a virtual switch that is configured for an entire data center.
    * Up to 2,000 hosts can be attached to the same distributed switch.
    * The configuration is consistent across all attached hosts.
    * Hosts must either have an Enterprise Plus license or belong to a vSAN cluster.

* Virtual switches can have the following connection types: VM port group, VMkernel port, and physical uplinks. 

The NSX Intelligence visualization is composed of the groups or compute entities, and the network traffic flows that occurred with those groups or compute entities during the selected time period. 

Understanding NSX Intelligence Recommendations 

The micro-segmentation recommendations that NSX Intelligence generates include security policies, policy security groups, and services for applications. 

The NSX Intelligence recommendations are based on the network traffic flow patterns that occurred between the compute members of a selected policy group, VMs, or physical servers. The recommendations can assist you with enforcing a more dynamic security policy by correlating traffic patterns of communication that have occurred within your NSX-T Data Center environment. 

The security policy recommendations are of the East-West distributed firewall (DFW) security policies in the application category. 

The security group recommendations consist of the VMs or physical servers, whose traffic flows were analyzed for the time period and the boundary you had specified. 

The service recommendations are service objects that were used by applications in the VMs or physical servers that you had specified, but the services are not yet defined in the NSX-T Data Center inventory. 
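The three kinds of recommendation described above, as an added Python model that is not part of the original page and not NSX Intelligence's own code: from constructed flow records, a constructed VM-to-tag inventory and a constructed list of services already in the NSX inventory, it derives the groups for the selected boundary, the services that are not yet defined, and one allow rule per group pair and service. Treating a group as a single tag, ignoring flows with an endpoint outside the boundary, and the `PROTO_port` service naming are assumptions of the model.

```python
"""Derive micro-segmentation recommendations from observed flows (added example)."""
from collections import defaultdict

# Constructed inventory: VM -> application-tier tag (assumption: one tag per VM)
TAGS = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db", "jump-01": "mgmt"}

# Services already defined in the (constructed) NSX inventory: (proto, port) -> name
INVENTORY_SERVICES = {("tcp", 22): "SSH", ("tcp", 443): "HTTPS"}

# Constructed flow records for the selected time period: (src_vm, dst_vm, proto, dport)
FLOWS = [
    ("web-01", "app-01", "tcp", 8443),
    ("web-02", "app-01", "tcp", 8443),
    ("web-01", "app-01", "tcp", 8443),
    ("app-01", "db-01", "tcp", 5432),
    ("jump-01", "db-01", "tcp", 22),   # source is outside the boundary below
]


def recommend(flows, tags, inventory_services, boundary):
    """Return recommended groups, new services and DFW rules for the VMs in `boundary`.

    Model assumptions: a group is one tier tag; flows with an endpoint outside
    the boundary are ignored; one ALLOW rule per (source group, destination
    group, service); no default-deny rule is generated.
    """
    groups = defaultdict(set)
    for vm in boundary:
        groups[tags[vm]].add(vm)

    new_services = {}
    flow_counts = defaultdict(int)
    for src, dst, proto, port in flows:
        if src not in boundary or dst not in boundary:
            continue
        service = (proto, port)
        if service not in inventory_services:
            new_services[service] = f"{proto.upper()}_{port}"  # assumed naming
        flow_counts[(tags[src], tags[dst], service)] += 1

    rules = []
    for (src_grp, dst_grp, service), count in sorted(flow_counts.items()):
        name = inventory_services.get(service) or new_services[service]
        rules.append({
            "name": f"{src_grp}-to-{dst_grp}-{name}",
            "source": src_grp,
            "destination": dst_grp,
            "service": name,
            "action": "ALLOW",
            "applied_to": sorted({src_grp, dst_grp}),
            "observed_flows": count,
        })
    return {"groups": {g: sorted(m) for g, m in groups.items()},
            "services": new_services,
            "rules": rules}
```

Before publishing a recommended policy, check the `observed_flows` count and the time window: a single stray connection observed once is enough for this kind of analysis to recommend a permanent allow rule, so review low-count rules rather than accepting the whole set.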

When you take a backup, NSX Intelligence only backs up the configuration files used by all the services that comprise the NSX Intelligence appliance. There is no visualization or recommendation data included in the backup. 

There are two backup methods available: 

Manual - You perform a one-time backup at any time. 

Automated - You create backups that are run based on a schedule that you set. To ensure that you have up-to-date backups, set automated backups. 

The backup is encrypted, compressed, and stored on the remote server defined during the backup configuration. When you create a backup, the date and time the backup is taken are appended to the backup filename so that each backup file is unique. For example, config-backup-2020-03-21T21_06_07UTC.tar. 

You can restore an NSX Intelligence configuration back to the state when a particular backup was captured. You must restore the backup to an NSX Intelligence appliance that is running the same version as the NSX Intelligence appliance from which the backup file was created.

Restore NSX Intelligence Backups 

When you restore a backup, you are restoring the state of the NSX Intelligence configuration files at the time the backup was made. You restore a backup using the NSX Manager user interface. 

You must restore a backup on an installation of the NSX Intelligence appliance that is the same version as the backup you are restoring. 



 
