Paul Mancuso

Author Archives: Paul Mancuso

The NSX-T Gateway Firewall Secures Physical Servers

To date, our blog series on securing physical servers with NSX Data Center has covered the use of bare metal agents installed in a physical server. In this scenario, NSX bare metal agents provide management and enforcement of security policy for the physical server. For a quick recap of how NSX Data Center secures physical server traffic, please review our first and second blogs in this multi-part series. In this article, we will discuss the use of one of the NSX-T Gateway services of an NSX Edge Node. Specifically, the NSX-T Gateway Firewall secures physical servers.

What’s The NSX-T Edge?

The NSX-T Edge is a feature-rich L3-L7 gateway.  A brief review of some NSX-T Edge services:

  • Via Tier-0 Gateway, routing between the logical and the physical using dynamic routing protocols (eBGP and iBGP) as well as static routing
  • Via Tier-1 Gateway, routing between logical network segments, or from logical network segments to uplink to the Tier-0 Gateway
  • Routing for IPv4 and IPv6 addresses
  • Load Balancing via NSX-T Edge, which offers high-availability service for applications and distribution of network traffic load
  • Network Address Translation (NAT), available on tier-0 and tier-1 gateways
  • To manage IP addresses, the configuration of DNS (Domain …

NSX Secures Physical Servers with Bare Metal Agents

Our last blog on how NSX secures physical servers provided background on why physical server security is crucial. We covered the percentage share of physical servers among all workloads in the data center and the specific roles physical servers still play. Today, physical servers play a decreasing role, by percentage, in the data center. However, that role is still a vital one, as we pointed out in our last blog on Securing Physical Servers with NSX Service-defined Firewall. In this blog, we will cover a primary way VMware NSX provides secure connectivity for physical servers: using a bare metal agent. VMware NSX-T can now offer secure connectivity for Linux and Windows Server physical servers.

How NSX Distributed Firewall Protects Physical Servers

There are several ways in which NSX can provide security for physical servers. Our original article, Extending the Power of NSX to Bare Metal, outlines each of these methods.

  • NSX Distributed Firewall (DFW) ingress rules for traffic from physical servers to virtual workloads
  • NSX DFW egress rules for traffic from virtual workloads to physical servers
  • The NSX Edge using centralized firewall rules to secure traffic between virtual and physical workloads
  • NSX agents installed in physical servers

Securing Physical Server with Bare Metal Agents

VMware NSX …

Secure Bare Metal Servers with VMware NSX Data Center

Securing workloads across an entire environment is the fundamental goal of a policy. But workloads come in a variety of form factors: virtual machines, containers, and bare metal servers. In order to protect every workload, experts recommend isolating workloads wherever possible — avoiding dependency on the host operating system and its firewall. Relying on the host firewall means depending on the host to defend itself.

Securing virtual workloads is a task best handled by the hypervisor. Inspecting traffic on the virtual network interfaces of the virtual workload achieves the security you want. It also delivers isolation for security enforcement. Bare metal servers come in many form factors, with a variety of means to achieve policy enforcement.

3 Factors to Consider when Securing Bare Metal Servers

Bare Metal Servers Still Serve A Purpose

Bare metal servers remain in use for a variety of reasons. Securing these servers remains a necessary task in today’s virtualized data center. Reasons we still use bare metal servers:

  • There may be no way to virtualize various operating systems, like AIX and Solaris.
  • Device-specific systems, such as medical equipment, or systems specific to other vertical markets may not yet have been virtualized. In some cases they may not …

Reference Guide Update: Deploying NSX Data Center on an ACI Underlay

NSX Data Center is now the de facto SDN standard for the Private Cloud. Reference guides for NSX Data Center are proven to reduce complexity in managing the physical switch infrastructure. This increases the infrastructure's stability and requires a minimal set of system and service configuration to bring up the fabric. Organizations utilize NSX Data Center for a diverse set of use cases including security, a diverse application framework deployment platform, and application continuity across private and hybrid clouds. With reference designs for any underlay, NSX Data Center is fulfilling its promise to be a platform over any infrastructure. NSX Data Center provides the cornerstone for the Virtual Cloud Network.

Overview of NSX Data Center with ACI Underlay

Ever since publishing our original design guide Deploying NSX with Cisco ACI as an Underlay, there has been an avalanche of interest in building out a more simplified Cisco infrastructure with ACI as the underlay. Most of the requests are for more detail when constructing the ACI underlay. The high-level design guidance in the original NSX reference design for ACI discussed the minimum ACI constructs necessary for an NSX Data Center deployment. These ideals have not changed. The original paper called …