Nutanix AHV and Next Generation Firewalls

Saptarshi Biswas
5 min read · Feb 17, 2021

Anyone who has followed Nutanix closely will be able to relate to Nutanix’s SDN (Software Defined Networking) approach around 4 segments — Hybrid Cloud, Application Security, DR Automation and Network Automation.

Nutanix Flow is a micro-segmentation solution built into AHV’s virtualisation stack and can be easily enabled and configured via Prism Central without deploying any additional component. Flow falls into the Application Security segment and is a strong contender if your organisation is considering, or already using, SDN in some form or the other. The reason I say this is that if you analyse the broad spectrum of SDN, around 70–80% of it is around software-defined security.

Nutanix Flow offers L3 and L4 granular policies for securing east-west traffic between virtual workloads running on Nutanix AHV. It is used by hundreds of customers, protecting workloads on thousands of AHV nodes, and has seen rapid growth across all segments and verticals, be it Enterprise, Mid-market or Federal, fuelled by a large and continuously growing Alliances partner ecosystem.

But this blog is not just about Flow, but about how you can design integrated solutions with industry-leading Next Generation Firewalls. To name a few: PaloAlto Networks VM-Series, Juniper vSRX3.0, Fortinet’s Fortigate virtual appliance, Sophos XG, Sonicwall’s NSv etc. For a full list of NGFW vendors supported on Nutanix AHV, check out the firewall vendor’s site or the “Nutanix Ready” compatibility matrix. All of these virtual NGFWs come in a qcow2 form factor that is compatible with AHV and can be deployed in various modes.

The most common modes are deploying these firewalls either standalone or as a high-availability pair. Some firewalls support additional deployment modes to secure east-west traffic within the same AHV virtualisation stack/cluster or data center.

  • PaloAlto Networks VM-Series supports vWire mode with AHV service chain and Nutanix Flow.
  • Juniper’s vSRX3.0 supports Chassis Cluster mode and Secure Wire mode. The Secure Wire mode requires AHV service chain and Nutanix Flow.
  • Fortinet’s Fortigate firewall supports virtual wire mode which needs AHV service chain and Nutanix Flow.
  • Sonicwall’s NSv models can run in Wire mode (2-port wire) with Wire type Secure (Active DPI of Inline traffic) with AHV service chain and Nutanix Flow.
  • Sophos’s XG firewall can run in Bridge mode and a MAC ageing value of 0 with AHV service chain and Nutanix Flow.

… and last but not least is Cisco’s FTD (Firepower Threat Defence) Interfaces in Inline-pair mode with Nutanix AHV service chain and Flow (I have a detailed post on the deployment technicalities of AHV and Cisco FTD if you are interested).

At the time of writing this article, Nutanix Flow is licensed separately from the Nutanix AOS editions. What this means is that a customer would require additional licenses (per node) to enable it in Prism Central, irrespective of which AOS license (Starter, Pro, Ultimate) is applied on the cluster. However, service insertion and chaining does not require licensing and can be enabled in two modes:

  • Inline mode (applies to all the above firewall vendors)
  • vTap mode (applies to Network Detection and Response vendors; covered in a later post)

The inline mode applies to firewalls providing layer 7 security capabilities. vTap mode can also be used by the above firewall vendors, but for traffic visibility and threat analysis rather than enforcement.

Why should you care about Nutanix AHV service insertion/chaining with the choice of your firewall vendor?

I am going to leave out the marketing content and explain using use cases. Nutanix AHV is a web-scale virtualisation platform, basically addressing the scale and performance issues of a legacy SAN architecture through a thoughtfully designed software-defined architecture. So a system admin can have a 3-node cluster with all the features and benefits of a SAN and then scale out as compute and storage needs grow, without disrupting the current running deployment. The same holds true for applying upgrades and patches to the current Nutanix deployment. Naturally the number of workloads on the cluster grows as the cluster size increases, and the network traffic going in and out of them grows with it. Now, you could certainly deploy a 3rd-party firewall in its virtualised form factor and have all of that traffic pass through it (standalone or HA). But what if you needed a firewall in front of every VM running on the cluster, with the flexibility to configure L3 and L4 security policies, aka micro-segmentation? Well, Nutanix Flow already provides that. So what’s the big deal with service chaining or insertion? Nutanix is not a security company and does not provide layer 7 security capabilities. Flow with service insertion/chaining allows customers to leverage the full stack of security capabilities from L3 (Flow) to L7 (application-layer security like URL filtering, SQL injection protection etc.) for east-west traffic, or any traffic that originates and/or terminates within the AHV cluster. This architecture takes load away from perimeter firewalls, which are primarily meant to secure the network from external threats originating outside the trusted network.

Service chaining or insertion is not available on Nutanix AHV via the Prism UI; it is available only through the Nutanix REST APIs. You may wonder why Nutanix has taken this approach. The idea is to give Nutanix Technology Alliance partners the flexibility to leverage these APIs and integrate service chain capability according to the best practices of their firewall solution. 3rd-party firewall vendors could also create a Nutanix Calm blueprint to automate deployment and configuration of their firewalls as a network function VM leveraging these APIs. Feel free to take a look at the Calm blueprint resources that exist today for the PaloAlto Networks VM-Series firewall and its integration with Flow using service insertion (https://www.nutanix.com/content/dam/nutanix/partners/technology-alliances/tech-notes/palo-alto-networks-vm-series-and-nutanix-flow-integration-guide.pdf). Please refer to this video (https://youtu.be/afagsdg9Lpk) for an overview of what Calm is and how one can build blueprints to automate not just day 0 tasks but also complex topologies for their solutions on AHV.
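To make the API-only nature of service chaining concrete, here is an added example (not from this post, Nutanix, or any firewall vendor) that builds the Prism Central v3 request for a network function chain in either inline or vTap mode and checks that the firewall VM's NIC roles match the chosen mode before anything is posted. The endpoint path, the `network_function_chain` field names, the `network_function_provider` category and the INGRESS/EGRESS/TAP NIC roles are assumptions based on the public v3 API; the Prism Central host and cluster UUID are placeholders.

```python
"""Added example: dry-run builder for an AHV network function chain request.
Field names and endpoint are assumptions based on the Prism Central v3 API;
PC_HOST and CLUSTER_UUID are constructed placeholders."""
import json

PC_HOST = "prism-central.example.invalid"               # placeholder
CLUSTER_UUID = "00000000-0000-0000-0000-000000000000"   # placeholder

# Chain mode -> NIC roles the network-function (firewall) VM must expose.
# Inline needs a wire (ingress + egress); vTap needs a single mirror NIC.
REQUIRED_NICS = {"INLINE": {"INGRESS", "EGRESS"}, "TAP": {"TAP"}}


def build_chain_request(name, provider, mode):
    """Return (method, url, body) creating a chain that steers traffic to
    VMs tagged with category network_function_provider=<provider>."""
    if mode not in REQUIRED_NICS:
        raise ValueError(f"mode must be INLINE or TAP, got {mode!r}")
    body = {
        "api_version": "3.1.0",
        "metadata": {"kind": "network_function_chain"},
        "spec": {
            "name": name,
            "cluster_reference": {"kind": "cluster", "uuid": CLUSTER_UUID},
            "resources": {"network_function_list": [{
                "network_function_type": mode,
                "category_filter": {
                    "type": "CATEGORIES_MATCH_ANY",
                    "params": {"network_function_provider": [provider]},
                },
            }]},
        },
    }
    url = f"https://{PC_HOST}:9440/api/nutanix/v3/network_function_chains"
    return "POST", url, body


def firewall_nic_list(mode):
    """NIC entries for the firewall VM's vm spec (assumed nic_type values)."""
    return [{"nic_type": "NETWORK_FUNCTION_NIC", "network_function_nic_type": r}
            for r in sorted(REQUIRED_NICS[mode])]


def chain_is_consistent(body, nic_list):
    """True when the firewall VM's NIC roles match the chain's mode."""
    mode = body["spec"]["resources"]["network_function_list"][0]["network_function_type"]
    roles = {n["network_function_nic_type"] for n in nic_list
             if n.get("nic_type") == "NETWORK_FUNCTION_NIC"}
    return roles == REQUIRED_NICS[mode]


if __name__ == "__main__":
    _, url, body = build_chain_request("pan-inline", "PaloAlto", "INLINE")
    print(url)
    print(json.dumps(body, indent=2))
```

The same chain body is what a Flow security policy later references, so running the consistency check before the POST avoids a chain whose NIC layout silently black-holes or bypasses east-west traffic.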
