Network & Security VMUG Community


NSX DFW + Network Introspection

  • 1.  NSX DFW + Network Introspection

    Posted 12-20-2018 09:57 AM
    Good morning everyone, I'd like to know if you or your customers are using NSX and a third-party solution for Network Introspection (such as Check Point CloudGuard for IaaS, Juniper vSRX for NSX or Palo Alto VM-Series for NSX).

    If so, does NSX manage the L2 @ L4 layers (DFW) and the 3rd-party the L4 @ L7 + Advanced Threat Protection (ATP)? Or does the 3rd-party solution handle all micro-segmentation traffic + ATP?

    What were your use cases?
    What is your topology (main site + n DR sites), active / active sites, VxLAN (Network Overlay), etc.
    What were your operational, administrative and governance impacts?
    What were the estimated and realized benefits?
    What were your irritants or "show stoppers"?
    Have you worked with a partner or solution manufacturer directly (Professional Services)?
    Estimated time of realization + reality?
    What is your level of satisfaction (micro-seg + Network Introspection) after deployment?

    I am trying to know and understand the market and not reinvent the wheel. This won't make me an SME or an expert, but it will help me plan the road ahead and put the effort in the right places.

    You can reply directly on this forum or privately to lm.astudillo@sc-aigs.com.

    Out of professionalism, all the answers that are addressed to me directly will not be published or made public.

    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------


  • 2.  RE: NSX DFW + Network Introspection

    Posted 01-07-2019 11:32 AM
    Interesting, no replies whatsoever. Is it because no ONE uses NSX and VMware is sending FAKE NEWS about having 7500 NSX clients? Or is no one interested in replying?


    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------



  • 3.  RE: NSX DFW + Network Introspection

    Posted 01-08-2019 11:55 AM
    Hi Luis,

    We have NSX implemented for both the Horizon Desktop Cluster and also the general Compute Cluster. Both of these environments are leveraging the DFW for micro-segmentation and Guest Introspection for agentless AV/malware. Network Introspection is not being leveraged at this time due to vendor support. Once the functionality is available from Cisco, we will look at implementing it.

    Thanks,

    ------------------------------
    Chad Carter
    Enterprise Architect
    Sault Area Hospital
    Sault Ste Marie ON
    ------------------------------



  • 4.  RE: NSX DFW + Network Introspection

    Posted 01-08-2019 01:44 PM
    Thank you Chad, only one reply - doesn't bode well. I really expected more replies.

    Cheers from Montréal.

    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------



  • 5.  RE: NSX DFW + Network Introspection

    Posted 01-09-2019 12:05 PM
    I have implemented NSX before using Check Point and Palo Alto, but only for firewalls, not for network introspection. We have also used Symantec for the agentless AV. I know a few NSX customers, but many don't use the third-party tools, and I don't know any that are doing network introspection at this time.

    -Manuel

    ------------------------------
    Manuel Martinez
    Engineer
    MacStadium
    Las Vegas NV
    ------------------------------



  • 6.  RE: NSX DFW + Network Introspection

    Posted 01-16-2019 09:50 AM
    Thank you for the feedback Manuel.

    Cheers.

    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------



  • 7.  RE: NSX DFW + Network Introspection

    Posted 01-09-2019 11:38 AM
    Hello Luis,

    We use NSX and had professional services help us in setting up our environment. I would highly recommend you have someone help; it makes implementation and troubleshooting any issues you might encounter easier. Hope this helps.

    ------------------------------
    Julio Arevalo
    Manager, System Engineering
    Alliant Credit Union
    Chicago IL
    ------------------------------



  • 8.  RE: NSX DFW + Network Introspection

    Posted 01-11-2019 05:34 PM
    Hi Luis,
    we are a VMware partner and also doing PSO for our customers...

    Implementing third-party solutions in NSX environments is a common task on our side, both Guest Introspection with agentless anti-malware as well as Network Introspection with virtual patching like Trend Micro Deep Security does...

    If you are interested in direct contact to discuss, I'd appreciate it.

    We mostly do not have the biggest implementations, but we do very advanced configurations for our customers.

    KR Peter

    ------------------------------
    Peter Hirschbeck
    Senior Consultant & IT-Architect
    Profi Engineering Systems AG
    Munich
    ------------------------------



  • 9.  RE: NSX DFW + Network Introspection

    Posted 01-16-2019 09:50 AM
    Hi Julio, I have no issues with NSX; I have my own lab and it works at my client on-prem when you follow the NSX VVD, but it is the Network Introspection part that is tricky, and not many people seem to have or want to share their experience.

    Sorry for replying so late, was away on business.

    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------



  • 10.  RE: NSX DFW + Network Introspection

    Posted 01-17-2019 03:59 PM
    Luis,

    There are new functions in 6.4 which provide some L4-7 and context-aware micro-segmentation out of the box. However, there are several tools that come with some substantial cost from third parties that do contain functionality that allows you to either replace or enhance the out-of-the-box L2-4 functions of NSX.

    We have implemented some of this in our development NSX environment and are in the process of bringing our production environment up. Whether you go with the out-of-the-box functions, or go with Palo Alto, Trend Micro or the other Network Introspection enhanced services, the biggest challenge that I find we face, and all companies are facing, is operationalizing NSX management. Network engineers understand what the product SAYS it can do, but finding either the time, or having the willingness to not spend time on a Cisco or Juniper console and transfer that knowledge to NSX, is difficult.

    It almost has to be a top-down push to get adoption. As an architect, this is part of the nature of the job, be progressive on new technologies, learn, understand... but often people want to twist the knobs and push the buttons as they always have and resist change.

    That being said, my first recommendation is to get the idea of micro-segmentation at L2-4 and the context-aware L4-7 supported out of the box adopted and understood; then, if that does not meet the needs you have, look at bolting on third party. We HAVE the products, but we are only using minimal functions (AV/anti-MW) because we have to get the knob turners to adopt the new tech first.

    For what it's worth.
    PM me if you want more info...

    Michael Toney

    ------------------------------
    Michael Toney
    Architect
    Trellis Company
    Round Rock TX
    ------------------------------



  • 11.  RE: NSX DFW + Network Introspection

    Posted 01-09-2019 11:46 AM
    Hi Luis,

    To start with, many may not want to share much about their environment for various reasons, so please don't be so judgmental. Some details usually can't be shared for those reasons.

    I can say we have implemented NSX, as of about 4 yrs ago, in five of our datacenters. It is used in our general compute environment, and the use case was generally two-fold: help decrease the "time to market" (i.e. provisioning customer VMs faster with vRA/etc. The thinking here was to cut down on the time the network group takes to implement something new for X customer.) and DFW. We leverage DFW micro-segmentation for a couple of different applications where customers saw the benefits.

    The big plus for us was helping decrease time to market because of the time it took the physical network team to get things stood up for x customer. That left it in our hands (virtualization team) to implement either automated or just through a few mouse clicks/etc., whereas network could take weeks. In the beginning, using the product was rough due to some of the bugs the earlier versions had. Most of the customer-impacting bugs were fixed, and for the most part it is a stable product. There are hiccups every now and then, like most things in technology. You call support, get things corrected and then RCA is established/etc. If I remember right, we have not had a widespread outage in at least 3 years. Also, we did bring in professional services for health check purposes, and a few minor things were found that were corrected. For the most part we are happy with NSX.

    We do not do guest introspection.  In my experience, doing guest introspection makes NSX upgrades way more difficult, but with the right people that can be pulled off.

    Hope that helps answer your questions.

    Thanks,
    Raymond

    ------------------------------
    Raymond Riley
    Cloud Virtualization Engineer
    McKesson Corp.
    ------------------------------



  • 12.  RE: NSX DFW + Network Introspection

    Posted 01-16-2019 09:56 AM
    Thank you Raymond, it is not the NSX part that is my issue; it is the 3rd-party Network Introspection that bothers me.

    VMware has been excellent with their NSX solution; it is the rest (3rd-party network introspection) that I find not mature.

    Also, no issues with Guest Introspection, as that is within the VM and it is handled by other tools (CrowdStrike, Symantec EDR, etc....)



    ------------------------------
    Luis Miguel Astudillo
    Conseiller en architecture TI / IT Architect
    Services Conseils AIGS Inc.
    Tel: 514-213-6270
    Email: lm.astudillo@sc-aigs.com
    ------------------------------



  • 13.  RE: NSX DFW + Network Introspection

    Posted 01-16-2019 10:06 AM
    VMware is not lying when they tout the number of NSX customers, I'd chalk the lack of response more to the VMUG forums not being highly trafficked and customers likely not wanting to talk about their environments much.

    I've personally worked on and helped deploy dozens of implementations across different customers and accounts of varying sizes. The smallest was a 4-node cluster that needed PCI compliance and HIPAA compliance, and the largest was a very well known bank with over 30k VMs in their VDI environment they wanted protected.

    Third-party integration is often the trickiest part of the product, as it depends on the third party having implemented a quality product, and many times you have to simply learn the quirks of their implementation. VMware's NetX API is standard for all of them, so there's only one way to interact with VMware; it's up to each third-party company to design their system and how it works.

    As others have stated, it's best to deploy NSX via a PSO engagement, but it absolutely can all be done in house. The documentation and blogging that exists is extensive, and you could likely deploy or copy one of the VVD designs for most environments. Where PSO comes in handy is the unique quirks that each customer invariably has. Additionally, PSO can help companies reorganize the workflow and streams for day-to-day operations, or at least help companies identify where they may need to change process, ownership and organizational challenges.


    ------------------------------
    William de Marigny
    Senior VMware NSX Technical Account Specialist
    VCIX-NV, VCIX-DCV
    San Antonio TX
    ------------------------------