Healthcare organizations are being asked to expose Internet-based services and applications to their patients more than ever. With Healthcare, exposure of PHI and PII is of the utmost concern. With the perimeter of the Healthcare organization needing to be as secure as possible, exposing external systems and applications to the Internet falls under this scope as well. Traditional DMZ approaches are hardware-centric, costly, and operationally difficult to use in most modern datacenters. With VMware NSX, we can take the concept of the DMZ, and augment a current DMZ approach, or even collapse the DMZ back inside the data center while still providing a robust security posture necessary for Internet-facing applications.
Let’s revisit the nine NSX use cases we identified previously.
DMZ Anywhere is a use case that our customers are looking at that augments traditional hardware-based approaches and leverages the Distributed Firewall capabilities to segment how traffic is allowed to flow between systems anywhere in the data center. Let’s be clear, VMware NSX is not in the business of replacing a hardware perimeter firewall system. But with NSX, you can fundamentally change how you design the DMZ environment once you’re inside the perimeter firewall to provide a much easier to manage and scalable solution overall. You can review previous posts on how to Micro-segmentation works here. https://vwilmo.wordpress.com/category/micro-segmentation/
Let’s take a quick look at traditional approaches to building a DMZ environment with physical devices.
Traditional hardware-based approaches can leverage either Zone-based logical firewalling or actual physically independent firewalls to separate out a specific section called the DMZ for Internet-facing applications to sit in. These zones are built to only allow specific sets of communication flows from the Internet-facing systems to their backend components. The systems are typically on their own separate networks. Typical applications exposed to the Internet are web-based applications for major systems. These types of systems can comprise of several Web servers, all of which can be used to provide multi-user access to the application.
If customers want to keep the same traditional approaches using zone-based Firewalling, NSX can help block movement for the virtual systems that reside within the DMZ from East-West movement. In most cases, the systems that sit in the DMZ are Web-based systems. These types of systems typically do not require communications between the Web servers, or even between disparate applications.
In the above examples, all the DMZ Servers can instantiate a conversation bi-directionally with each other. This is inherently insecure and the only way to secure these is to send all the East-West traffic through the firewall. When you add more systems, you add more rules. This problem continues to compound itself the larger the DMZ gets. What if you have multiple networks and systems in the DMZ? That will require significantly more rules and more complexity. If you need to scale out this environment, it becomes even more operationally difficult. How can NSX plug into this scenario and help reduce this complexity and also provide a similar level of security?
With NSX, we can provide the East-West firewalling capabilities in both scenarios to secure the applications from each other from compromise. If one system is breached, the attack surface for movement laterally, is removed as the systems don’t even know the other systems exist.
Putting in NSX, we’re now blocking the systems from talking to each other without changing any aspect of the underlying infrastructure to do so. We’re placing an NSX firewall at the virtual machine layer and blocking traffic. As you can see, NSX can be made to fit nearly any DMZ infrastructure architecture.
Here we have our Electronic Medical Records application that has an Internet-facing Patient Access Portal. With a traditional approach, the Patient Portal may be on separate hardware, situated between two sets of hardware Firewalls, or one set of Internally Zoned, Firewalls, and on a completely different logical network. The backend systems that are required for the DMZ EMR systems are situated behind another internal firewall along with the rest of the systems in the data center, in this case, share infrastructure systems and the EMR backend database system. Neither of these systems should have contact with the Internal HR Web or DB Server. If they did, compromise from the DMZ environment could allow an attacker access to other sensitive internal systems like the HR system.
Now let’s look how NSX can change the traditional design of a DMZ and collapse it back into the data center but will allow the same levels of security as traditional methods, but with a software-based focus.
Using NSX in this approach, we’re doing the same thing we did when we augmented the existing hardware approach by placing a software-based Firewall on each Virtual Machine in the data center. This fundamentally means, that every VM, has its own perimeter and we can programmatically control how each of those VM’s talk or don’t talk to each other. This approach could enable a Healthcare organization to pull back the hardware isolation for their DMZ back into their data center compute clusters and apply DMZ-level security to those specific workloads hereby collapsing the isolation into software constructs versus hardware ones. In the collapsed DMZ model, we have no separate infrastructure to support a DMZ environment, we simply control the inbound traffic from the perimeter through the physical firewall as we would normally do, but apply VM-level security using NSX between the systems that would’ve been separated out. The DMZ EMR Web Servers are still restricted access to the HR system even though they technically live next to each other within the Internal data center.
Let’s contrast a software-based approach versus traditional hardware methods.
- For Zone-based firewalling leveraging a single hardware appliance, this is much less of an issue. Some organizations purchase at multiple Firewalls at the perimeter for HA configurations. If they leverage a separation of their DMZ using two sets of Firewalls, that means they’ll need to purchase at least 4 Firewalls to perform this configuration.
- New features and functions with hardware products can be tied to the hardware itself. Want these new items? That could require a new hardware purchase.
- Hardware-based scaling is generally scale-up. If the Firewall runs out of resources or begins to be over-utilized, it could require moving to larger Firewalls overall to accommodate. This means a rip and replace of the existing equipment.
- A hardware-based DMZ is very static. It doesn’t move within the data center and the workloads have to be positioned in accordance to the network functions it provides. In modern data centers, workloads can exist anywhere and on any host in the data center. They can even exist between data centers. Uptime is critical for Healthcare providers as is maintaining data security. Wherever the workload may end up, it requires the same, consistent security policy.
- Buying multiple hardware Firewalls is not cheap. If the organization needs to scale up, ripping and replacing the existing Firewalls for new ones can be costly and incur downtime. For Healthcare organizations, downtime affects patient care. Some DMZ architectures have separate hardware to run only the workloads in the DMZ environment. This separates out the Management of that environment from the internal data center environment. It also means that, when architecting a hardware-based DMZ, you may end up with compute resources that costly and underutilized. A concept that totally goes against virtualization in general and leads to higher operating costs in the data center and wasted resources.
- Operationally difficult
- If the customer is going with the multiple Firewall method, this means that to configure the allowed and disallowed traffic, the customer would need to go into two sets of Firewalls to do this. Hardware Firewalls for the DMZ will require MAC addresses for all the workloads going into them. DMZ networks may be a few networks, but usually Web Servers exist on the same logical network. Healthcare systems can have massive Internet-facing infrastructures to provide for their patients.
- By placing the Firewall capabilities within the ESXi kernel, we’re able to ensure security simply by virtue of the workload residing on any host that is running the vSphere hypervisor. When it comes to new features and functions, where you might need to upgrade proprietary Firewall hardware, NSX is tied to any x86 hardware and new features simply require an update to the software packages reducing the possibility of ripping and replacing hardware. For Healthcare customers, this reduces or eliminates the downtime required to keep systems up-to-date where downtime is a premium.
- The nature of NSX being in every hypervisor means Firewall scales linearly as you add more hypervisors to a customer environment. It also means, that instead of having to purchase large physical Firewalls for all your workloads, the DFW will provide throughput and functionality for whatever your consolidation ratio is on your vSphere hosts. Instead of a few physical devices supporting security for 100s-1000s of virtual machines, each host with the vSphere hypervisor supports security for the VMs residing on it. With a distributed model that scales as you add hosts, this creates a massive scale platform for security needs. Physical Firewalls with high bandwidth ports are very expensive, and generally don’t have nearly as many ports as you can have in a distributed model across multiple x86 hardware platforms.
- Hardware-based appliances are generally static. They don’t move in your data center although the workloads you’re trying to protect may. These workloads, when virtualized, can moved to any number of hosts within the data center and even between data centers. With NSX, the Firewall policy follows the virtual workload no matter the location. Healthcare providers care about uptime, the ability to move sensitive data systems around to maintain uptime, while maintaining security, is crucial.
- Software-based solution only need to be licensed for the hosts that the workloads will reside on. No need to purchase licensing for hosts where protected workloads may never traverse to. With Healthcare organizations, they can focus on the workloads that house their patient’s sensitive data and the systems that interact with them.
- No need to spend money on separate hardware just for a DMZ. Collapse the DMZ workloads back to the compute environments and reduce wasted resources.
- Operationally easier
- By removing another configuration point within the security model, NSX can still provide the same level of security around DMZ workloads even if they sat on the same host as a non-DMZ workload. All of this, while keeping them logically isolated versus physically isolated. With NSX, there’s no reason to use multiple networks to segment DMZ traffic and the workloads on those segments. NSX resolves the IP and MAC addresses so that rule and policy creation is much simpler and can be applied programmatically versus traditional manual methods.
When it comes to DMZ architecture, traditional hardware approaches that have been followed in the past, can be too static and inflexible for modern workloads. Healthcare customers need uptime and scale as medical systems that house patient data are not getting smaller and patient requirements for access to their information continues to grow. With NSX, we can augment a current DMZ strategy, or even collapse their physical DMZ back into their virtual compute environment and still provide the same levels of security and protection as hardware-based approaches, at a lower cost and easier to maintain.