VCD Roundtable: Ep. 54 – On vDefend Firewall, IDS & IPS, and Advanced Threat Protection

Hello and welcome.

This is the VCD Roundtable, episode number 54.

And the topic of the day is the vDefend Firewall, IDS / IPS,

and Advanced Threat Protection.

And let me quickly cover why we thought

this topic should be at the top of the agenda again,

not only because this is quite an interesting additional

service, which can be offered by service providers,

but also due to the latest changes in the licensing

scenarios with Usage Meter 9

and changes in the license guide,

it's now finally possible that we can actually

license the firewall features

on an overage scenario as well.

So you are no longer bound to actually make a three-year

commit if you want to use the firewall features potentially

to test it out with a customer or something else.

But Sascha is going to cover that for a bit

and Matthias is going to tell us a bit more about use cases

and everything else for the vDefend Firewall,

distributed firewalls, gateways, and whatever else.

So let me throw the ball over

to Matthias first, who can then

throw it to Sascha for the licensing piece.

And then Matthias can give us the tech dive.

Yeah, as always, I just try to take a sip,

and then I have to talk.

It's always a same.

Hello.

Welcome from my side.

Now I'm looking forward to

this more technical session again.

Sascha, what are you going to offer us?

What do you have to offer us today?

Yes.

Nice to meet you here.

I think it's important that we talk a bit about all of that

stuff from a license perspective.

What does it mean?

What options we now have also with the changes,

how we can license vDefend.

So yeah, happy to share this information with you.

Then why don't we start with the licensing part

before we get into the tech part?

Yeah, let's do it.

So, Yves told us that there were changes,

and now we can license - as a service provider -

vDefend as an overage.

So that's very important for us.

So that means with changes, Usage Meter 9...

two weeks ago, there

came the announcement that on demand

is now available for all vDefend products.

And what does it mean for us?

So there are still some open questions to be fair.

So we got this information that only 200% of license

keys can be generated.

So does that also mean that the service providers that

don't use vDefendcan use vDefend on demand?

Currently, nobody knows, but let's see.

But you are also able to say, "hey,

I want to activate or license vDefend on the host space."

That helps us a lot now, because service providers

don't need to start to say, "hey, I need to license

my complete cluster or create a dedicated cluster

for vDefend with Advanced Threat Protection or whatever."

And that is very beneficial for you,

because you can now say, "hey, create a rule

that vDefend only -- or a vDefend feature --

runs only on virtual machines on host one, two, three."

And the other hosts don't need to be licensed for vDefend.

So that will help us a lot.

And then, additional to that, that makes sense.

We can go with the commit for three hosts

and can say, "hey, if you need a fourth one,

we can go as an overage."

So that's beneficial.

That makes absolutely sense with this 200%.

So that will helps us a lot.

Other question?

What license--

But Sasha, let's stick on this one a little bit,

because... let's start with a short discussion here,

because I totally understand what you're talking about.

That introduces a ton of administrative overhead.

So it is a solution just to license only a few hosts

of a cluster.

But it's always a trade-off because, on the other hand,

you have the administrative overhead

to create the RTS groups, to stick virtual machines

or to glue virtual machines to certain hosts.

What if one host of that group fails, hardware error,

whatever?

You need to add another host to the group.

That load gets redistributed and so on and so forth.

So because we're blunt on all this stuff,

so we need to say, "guys, be careful if or if you

go down that route, you have administrative overhead.

Firstly, and secondly, if you fat-finger something,

it has a high price tag associated,

because if you accidentally add a host to that group,

thank you.

You pay overage."

So I think we should be very honest on that part.

Absolutely.

But compared to that, the other way

is to create a dedicated cluster for VCF,

if I want to start with VCF.

And then I use the complete flexibility to say,

"hey, one customer wants to test VCF

Advanced Threat Protection."

And I think that becomes more and more interesting

from a security perspective to run Advanced Threat

Protection on microsegmentation, for example.

Let's face it.

Advanced Threat Protection requires you

to actually install the Kubernetes pieces and stuff

like that for that special features in any way.

If you just want to have the baseline features,

it's not that bad.

But also, I mean, the cost is $100 per year

per core for vDefend basic.

So for the...

I think it's $120.

120, yeah.

So we are talking about $10 per core.

So even if by mistake, you put in a host

and you would not actually put that in by 120 divided

by 12 is 10.

That's easy.

Why 12?

But let's not start math here.

Why 12?

Because 12 months is in a year.

Oh, Okey-dokey.

I was thinking about cores.

How 12, right?

No, because--

You always talk 16.

So it would be per core a total cost of $10 per month.

And typically, you don't turn on the host

at the first of the month at zero or at 001

or something like that.

I think the overall, yes, if you make the mistake,

it's not going to be that bad.

Because it's not like you turn on a feature

like by mistake in Avi Load Balancer.

So that's a totally different piece.

Absolutely... but it's not $10 a month, Yves.

It's $10 times at least 16.

Yeah, that's $160.

It's not us.

Yeah, but to be fair, so we

have all the operation stuff now

included.

And it's an easy one for a service provider

to create an alert if I'm

using more licenses than expected.

For me, it's an open discussion,

because honestly, I don't get,

why should I not license vDefend?

Because I still consider vDefend being a base feature.

And as Yves mentioned, we're not talking

a big amount of money here.

So as a CSP, I should at least license one cluster

with vDefend.

And if I have only a single cluster,

I'm not that large anyway.

So we're not talking that big of an additional cost.

So that's honestly speaking.

It's easier to sell and it's higher flexibility.

And I need to compare the cost of the licenses

with the administrative overhead I have on the other hand.

Yeah, the challenge is, I think--

and that's what we got out of the meetings

with most of the service providers is

that they say,"hey, I want to start with vDefend,

but I can only start with one to three customers

and then migrate more and more customers to vDefend."

That doesn't start with day one.

And that's a challenge for service providers currently

to say, "hey, I need to license

my complete cluster on day one.

And now I need at least one or two years

until every customer is using it."

So this is an option to license only dedicated hosts.

And everyone needs to decide for themselves.

If they want to take the time to do all the configurations

and save some money, especially at the beginning,

or make the decision to go with the dedicated cluster,

or make the decision to license a complete cluster

from day zero.

But yes, maybe you can tell us

a bit more about the features

and what we can do with that protection,

with microsegmentation, and why this is important.

Why ATP?

Let's start basic with microsegmentation.

There is not always the need to have ATP on top.

So with microsegmentation, you enable a more secure

infrastructure also to protect workloads from each other

within a single tenant.

I think that's the most overseen feature

of what microsegmentation

introduces to your infrastructure.

Most people think like, "oh, I have

to protect my environment against threats

from the internet or from the bad guys sitting somewhere."

But honestly, most of the attacks are from inside,

so internally, because someone clicks a link in an email

or whatever.

And then the big question is, how fast

is a threat able to spread itself

within the infrastructure?

And that's where the whole microsegmentation kicks in.

Because if you protect workloads even

within a single layer 2 subnet, the spread rate

is a lot slower compared to no protection

within the whole environment.

I think that's one of the most important features that

the whole vDefend (DFW) brings to the table.

The vDefend, of course, the other part

is the gateway firewall.

But I consider this one being like a perimeter,

as we have always treated a firewall sitting

at the border of our environment.

It's an additional firewall sitting behind a physical

firewalling device, because I still have my opinion.

I'm not moving a micrometer off.

There is always a physical firewalling device

in front of the environment.

So vDefend is always an additional solution,

not an in-stead of solution.

So that's the whole vDefend Firewall part.

And I think it's also important that everyone is aware

that if I have two networks, two routed networks in Cloud

Director on one edge gateway, I have the default one

distributed routing enabled that there is no firewall rule.

I can create this firewall rule on the edge gateway,

but it doesn't match.

Exactly, Sascha.

So that's a very valid point you have taken.

If a tenant creates, as you said,

two router or multiple router networks

within a single tenant, they assume the gateway

protects those networks from each other, but it doesn't.

For that specific behavior, I think we typically

recommend having the CSP or instructor CSPs have

a document ready to provide guidance for their tenants

how to use those two firewalls together,

because it's not using either the gateway or the DFW.

How can I combine those two firewalls

to achieve the best solution for me as a tenant.

Absolutely.

Because, yes, you can create this firewall rules,

but they don't match.

And that's the interesting part of it.

And a lot of times, really funny, if you are doing--

And you spend hours and hours and hours of troubleshooting.

Why is the traffic still flowing?

Or they only test what's possible or what's allowed

and never test what's not possible.

Yeah.

So especially with Cloud Director,

because if we talk about a CSP environment,

it's even easier, because Cloud Director

adds some very nice gimmicks

or actually some configurations

to the DFW by default, which is not part of the base

NSX configuration.

So with Cloud Director, Cloud Director automatically

configures the DFW to create an internally any-any-any

drop-wall instead of an any-any-any block globally.

So that's a pretty cool feature.

So it protects only tenant

local flows instead of protecting

flows from or to the tenant.

So that's the big difference if you

compare the Cloud Director environment with a base

or plain NSX environment.

That's pretty cool.

And that, at least from my perspective,

makes the combination of the

two firewalls, gateway and DFW,

a lot easier, because on the DFW,

you focus on internal flows only.

And on the gateway, you focus

on flows from and to your tenant.

So that's pretty cool.

Yeah.

And let me add one part.

So please be aware, when you enable distributed

firewall in your tenant that you don't

start in a brownfield environment

with the any-any deny rule or any-any reject rule

retract rule; that will not work.

Oh, it will work.

It will work.

It works as designed.

That's right.

And to dramatically reduce unwanted traffic.

But also wanted traffic.

But I think from a business perspective of the customers,

it will not work.

So yeah.

But you know what I mean.

And I think we need to mention it.

So what you forgot to mention, that's

another unbelievable feature we have with VCF.

Because VCF contains the whole Aria Suite, which

implies we have Aria Operations for Log.

And if you configure Aria Operations for Log

being the syslog receiver for the vSphere part of VCF

and the NSX part of VCF and all the gateways,

you have the ability to feed back

the tenant-specific firewall logs into the Cloud Director

UI.

So that enables a tenant to troubleshoot their own firewall

rule set.

That's amazing.

But there was one point, or there is one point,

with the IP addresses.

If you have overlapping IP ranges, is this fixed?

As far as I know, it should be fixed.

Okay.

I don't know.

We need to look it up.

Yeah, maybe we should do it.

Because I heard it again from one service provider

that it is not fixed.

But I never tested it myself.

Let's move forward to IDS/IPS.

I was just about to say.

So now there are some prerequisites

you need to fulfill for IDS/IPS.

It's not just a turn-on feature.

Isn't it?

Yeah, you need this crazy Kubernetes cluster.

But it should be no longer.

Not for basic IDS/IPS.

You need the Kubernetes for all the other ATP features.

Yeah, you're right.

So IDS/IPS... so ATP contains

four features, as far as I have,

out of my head.

One is IDS/IPS.

There is the mobile protection.

The-- help me out.

It's mobile protection, mobile prevention.

It's the whole visualization thingy,

the flow visualization, and that part.

And there is a fourth feature.

IDS/IPS is the only feature of ATP,

which is not dependent on the Kubernetes.

Yeah, that part.

But, Yves is right somehow, because the big thing

with IDS/IPS from a CSP standpoint of view

is it's not a self-service feature.

It still is not.

It can only be consumed as a managed service.

But the amazing thing is if

you think about Gateway IDS/IPS,

it can be enabled on a per T1 base.

So I can enable it only for a single tenant.

But a T1 runs on an Edge Gateway,

and the Edge Gateway needs to be licensed for IDS/IPS.

That's the ATP license.

Or if you're aiming for the Distributed IDS/IPS

implementation, you need to license all the hosts with ATP.

But Sascha, can you license ATP also,

as you have mentioned, for the vDefend Firewall

on a dedicated host perspective in a single cluster?

Or do you need to license the whole cluster with ATP?

No, that's the same rule like vDefend.

OK, cool.

That's important to know.

Because for IDS/IPS--

Sorry?

If I run it on a gateway, I can also

run the vDefend Advanced Threat Protection licenses

on the same regulations like we have it for normal gateway

firewalls.

Yeah, cool.

So the only thing what we need to be aware of

is with IDS/IPS, deploy at least extra large Edge

transport nodes.

Otherwise, you might have issues with the throughput.

Yes.

Speaking of IDS/IPS, there is

another very important prerequisite,

and this is internet connection of the NSX managers.

Because they need to download all the patterns

and those are downloaded from a cloud service.

So the NSX manager needs to have internet access.

A proxy can be configured, and Broadcom

provides a proper documentation which of URLs

need to be allowed to access.

If you're not able to provide an internet connectivity,

I think you can do an air gap installation as well.

But then you need to ship all

the patterns and all the stuff

you need manually via USB stick or whatever.

And I think with IDS/IPS, it's an amazing feature,

especially the distributed implementation.

Because you can, again, filter the traffic internally

so that the different flows you have between the stages

of an application or the layers of an application.

But always keep in mind, do not try

to filter every traffic you find in your infrastructure

with IDS/IPS.

That's just consuming so many CPU cycles,

so you will barely run any workloads anymore, because

of just traffic filtering.

So before doing IDS/IPS, build a proper design,

think about which traffic flows to analyze,

and configure the redirect rules accordingly.

Yes, redirect rules.

So you redirect certain traffic

flows to the IDS/IPS analysis.

But that's the same on the physical firewalls.

So you're not able to run every traffic

through the IDS/IPS filters.

Well, you can, but throughput will suffer.

Yeah, and the memory and CPU

will also go higher and higher.

And then there will be a stop.

Yeah, but that's, again, a very important thing.

And that's also good that IDS/IPS can only

be consumed as a managed service because the CSP

has a perfect overview how much CPU is left,

how much throughput is an Edge transport node still

able to handle if we talk about gateway IDS.

Especially in shared environments.

So there is a lot of stuff to consider,

not only licensing also, infrastructure.

Yeah, but that's like with every other product.

So you need to have a proper design before you

start with the implementation.

So you have the right size of Edge nodes rolled out,

decide which firewall rules make sense

to be routed over IDS/IPS.

Yeah.

Good.

So I think when we sum it all up, so on one end,

we have the licensing changes which

make it easier to play around with it

or try it out or deploy it at the customer

or for individual customers.

We have the uncertainty that it's

unclear how to deal with customers where we have--

or for service providers who don't have any customer

commit for NSX so far or for vDefend so far

because NSX is always included.

So that's the vDefend part that you

need to license specifically.

So that is still outstanding.

Maybe we get some answers on that in the upcoming weeks.

But I think there is a huge opportunity

not only from additional features

which we have in the system,

but also how to actually charge

customers for that.

And as we discussed last week

at the Service Provider Summit

as well, it's like the importance for service

providers to provide

additional services you can charge for.

So not only technology services, but also

manual consulting, architecture, et cetera, services

you can charge for is becoming more and more important

because the other thing which happened due to the Broadcom

change is that everybody has now the same license package

more or less except for the add-ons

is that the space for VCSPs or for VMware Cloud Service

Providers to take it the long road has become more

competitive, because it's much easier to compare.

Previously, customers were like, "oh, I have a future ABC

included with this provider.

I don't have it with that one."

That is actually far more leveled.

So that is going to be quite interesting.

So I think overall, it's definitely something

service providers should look into.

It's definitely something which can open the market

for additional features.

And potentially from a lot of the other add-ons,

it's the one which is the easiest for service providers

to monetize.

So that being--

To be fair...

Go on.

Yeah, so what I want to mention additionally to that

is, with the end of life of Cloud Director and all

of this information, so we will not

expect that we will get new features out of Cloud

Director in the next one, two, three years,

until the end of life.

But your customers will expect that you

have new features in your products

or in your offerings as a service provider.

And I think now we need to take a look what products

are included now, what can we use,

and then offer these products to your customers

to show your customers, hey, we are still working.

We have still more products available for you.

I think that's an important part.

Nice closing word, I would say.

Matthias, anything to add?

Yeah, come up with proper product and packaging.

Sell it.

It's easy to sell, easy to use, easy to consume.

Good.

So I would say thank you all

for listening in today's episode

of our VCD Roundtable number 54.

55 is going to come out in approximately two weeks.

That is going to be from Palo Alto, I think, Sascha?

Yes.

As far as my head actually is correct.

So maybe you have some fantastic news

from the VMware mothership and can share them with you.

Hopefully we get something.

And yeah, that being said, thank

you all for watching live today.

As always, if you watch us live, which is typically

recorded every other Thursday,

you can always throw in some questions.

Otherwise, thank you for listening to us

on all the usual podcast platforms

and hope to see you, hear you again soon.

Good day.

Perfect.

Bye.

Bye.

Creators and Guests

Yves Sandfort
Host
Yves Sandfort
Yves Sandfort - VMware cloud and infrastructure architect and evangelist, CEO comdivision group. VCDX-CMA,VCIX-CMA, VCIX-DCV, vExpert, Nutanix NTC, pilot
VCD Roundtable: Ep. 54 – On vDefend Firewall, IDS & IPS, and Advanced Threat Protection
Broadcast by