Category: firewall

A while ago Christer Swartz explained how a Palo Alto firewall integrates with VMware NSX. In the meantime, Palo Alto announced integration with Cisco ACI and OpenStack, and it was time for another podcast with Christer deep-diving into the technical details of these integrations.

Spoiler: It’s not OpFlex. For more details, listen to Episode 53 of Software Gone Wild

It all started with a tweet by Stephane Clavel:

@ioshints @BradHedlund I'm puzzled NSX dFW does not track connections seq #. Still true? To me this is std fw feature.

— stephaneclavel (@stephaneclavel) January 31, 2016

Trying to fit my response into the huge Twitter reply field I wrote “Tracking Seq# on FW should be mostly irrelevant with modern TCP stacks” and when Gal Sagie asked for more elaboration, I decided it’s time to write a blog post.

A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:

Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]

WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?

I got this question from one of my readers (and based on these comments he’s not the only one facing this challenge):

I was wondering if you can do a blog post on Cisco's new ASA 5585-X clustering. My company recently purchased a few of these with the intent to run their cross data center active/active firewalls but found out we cannot do this without OTV or a layer 2 DCI.

A while ago I expressed my opinion about these ideas, but it seems some people still don’t get it. However, a picture is worth a thousand words, so maybe this will work:

One of my readers wondered whether one still needs traditional firewalls in microsegmented environments like VMware NSX.

As always, it depends.

The proponents of microsegmentation are quick to explain how the per-VM-NIC traffic filtering functionality replaces the traditional role of subnets as security zones, often concluding that “you can deploy as many tenants as you wish in a flat network, and use VM NIC firewall to isolate them.”

One of my readers sent me this question:

After reading this blog post and a lot of blog posts about zero trust mode versus security zones, what do you think about replacing L3 Data Center core switches by High Speed Next Generation Firewalls?

Long story short: just because someone writes about an idea doesn’t mean it makes sense. Some things are better left in PowerPoint.

I was talking about “application-layer gateways” on firewalls and NAT boxes with a fellow engineer, and we came to an interesting conclusion: in most cases they are not gateways; they don’t add any significant functionality apart for payload fixups for those broken applications that think carrying network endpoint information in application packets is a good idea (I’m looking at you, SIP and FTP). These things should thus be called Application Layer Fixups or ALFs ;)

VM NIC firewalls have been around for years (they’re also the reason I got my first invitation to the awesome Troopers conference), but it sounds so much better when you call them Microsegmentation (not the one I talked about @ Troopers this year).

Marketing gimmicks aside, VMware NSX includes an interesting in-kernel stateful firewall, and Brad Hedlund was kind enough to explain the intricacies of that feature in Episode 27 of Software Gone Wild

Cloud builders are often using my ExpertExpress service to validate their designs. Tenant onboarding into a multi-tenant (private or public) cloud infrastructure is a common problem, and tenants frequently want to retain the existing network services appliances (firewalls and load balancers).

The Combine Physical and Virtual Appliances in a Private Cloud case study describes a typical solution that combines per-tenant virtual appliances with frontend physical appliances.

One of the interesting challenges in the Software-Defined Data Center world is the integration of network and security services with the compute infrastructure and network virtualization. Palo Alto claims to have tightly integrated their firewalls with VMware NSX and numerous cloud orchestration platforms - it was time to figure out how that’s done, so we decided to go on a field trip into the scary world of security.

Most overlay virtual networking and cloud orchestration products support security groups – more-or-less-statefulish ACLs inserted between VM NIC and virtual switch.

The lure of security groups is obvious: if you’re willing to change your network security paradigm, you can stop thinking in subnets and focus on specifying who can exchange what traffic (usually specified as TCP/UDP port#) with whom.

During one of my ExpertExpress engagements I got an interesting question: “could we replace a pair of central firewalls with iptables on the Linux server?”

Short answer: Maybe (depending on your security policy), but I’d still love to see some baseline scrubbing before the traffic hits the server – after all, if someone pwns your server, he’ll quickly turn off iptables.

Stefan de Kooter (@sdktr) sent me a follow-up question to my Going All Virtual with Virtual WAN Edge Routers blog post:

How would one interface with external Internet in this scenario? I totally get the virtual network assets mantra, but even a virtual BGP router would need to get a physical interconnect one way or another.

As always, there are plenty of solutions depending on your security needs.

Marcos Hernandez sent me a nice list of updates/errata after watching the NSX firewalls video from the VMware NSX Architecture webinar: