An edge/perimeter firewall is a network security system, either hardware- or software-based, that controls incoming and outgoing traffic based on a set of predetermined security rules. The NSX Edge firewall provides stateful perimeter defense for north-south traffic flows between the virtual and physical networks. It runs on the NSX Edge, which also acts as a logical router, and is combined there with network address translation (NAT) and site-to-site IPsec and SSL VPN services. The NSX Edge is deployed as a virtual appliance and supports a high availability mode.
The Edge firewall can be managed with the same management tools as the distributed firewall. The Edge Services Gateway (ESG) also supports a delegated management model whereby, for example, individual teams within an organization can configure their own Edge firewalls without needing access to the entire network.
NSX Logical Firewall
NSX logical firewalls provide security mechanisms for dynamic virtual data centers and consist of two components that address different uses. The centralized Edge firewall offered by the NSX Edge Services Gateway (ESG) focuses on north-south traffic enforcement at the data center perimeter. The Distributed Firewall (DFW) runs in the kernel of each ESXi host and focuses on east-west traffic controls between workloads. Together, these two components address the firewall needs of virtual data centers.
These security technologies can be deployed independently or together. Ideally, they’ll be used together as part of a broader security strategy.
The NSX distributed firewall is a stateful firewall, meaning that it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. Each flow passing through the firewall is identified by the following fields (the 5-tuple on which the connection tracker keys its entries):
- source address
- source port
- destination address
- destination port
- protocol (for example TCP or UDP)
The DFW on an ESXi host (one instance per virtual machine vNIC) maintains two tables: a rule table holding all policy rules, and a connection tracker table that temporarily stores (caches) flow entries for traffic permitted by a rule. A packet is first looked up in the connection tracker; if it belongs to an already-permitted flow, including return traffic of that flow, it is passed without consulting the rule table. Otherwise the packet is matched against the rule table in top-to-bottom order: it is checked against the top rule first and then against each subsequent rule, and the first rule whose parameters match the traffic is enforced, so a broad rule placed above a more specific one silently shadows it. The last rule in the table is the DFW default policy rule: packets that match no rule above it are handled by the default rule.
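The lookup order described above (connection tracker first, then a first-match walk of the rule table ending in the default rule) is easy to get wrong when reasoning about rule ordering. The following is an added example, written for this page and not VMware code; it models one vNIC's rule table and connection tracker in plain Python. The IP addresses, rule names and the `VnicFirewall`/`Rule`/`Packet` types are constructed for illustration and do not correspond to any NSX API.

```python
"""Toy model of the NSX DFW packet path for a single vNIC:
connection tracker lookup first, then a top-to-bottom, first-match
walk of the rule table whose last entry is the default rule.
Added example for this page; not VMware's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class VnicFirewall:
    def __init__(self, rules):
        self.rules = list(rules)     # ordered; the last rule is the default rule
        self.conntrack = set()       # 5-tuples of flows permitted by an earlier lookup

    @staticmethod
    def _keys(pkt: Packet):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet, updating the connection tracker."""
        fwd, rev = self._keys(pkt)
        # 1. Connection tracker: packets of a permitted flow, in either
        #    direction, pass without a rule lookup.
        if fwd in self.conntrack or rev in self.conntrack:
            return "allow", "conntrack"
        # 2. Rule table, top to bottom; the first matching rule is enforced
        #    and, if it permits, the flow is cached in the tracker.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.conntrack.add(fwd)
                return rule.action, rule.name
        raise RuntimeError("rule table must end with a default rule")


# Constructed sample policy: web tier 10.0.1.10, DB tier 10.0.2.20 (hypothetical).
RULES = [
    Rule("web-in", "allow", proto="tcp", dst="10.0.1.10", dport=443),
    Rule("db-from-web", "allow", proto="tcp", src="10.0.1.10", dst="10.0.2.20", dport=3306),
    Rule("block-db", "block", dst="10.0.2.20"),
    Rule("default", "block"),
]


def demo():
    """Run constructed packets through the policy and return the verdicts."""
    fw = VnicFirewall(RULES)
    client_to_web = Packet("tcp", "192.0.2.5", 51000, "10.0.1.10", 443)
    web_reply = Packet("tcp", "10.0.1.10", 443, "192.0.2.5", 51000)
    web_to_db = Packet("tcp", "10.0.1.10", 40000, "10.0.2.20", 3306)
    rogue_to_db = Packet("tcp", "192.0.2.5", 40001, "10.0.2.20", 3306)
    unsolicited = Packet("tcp", "10.0.1.10", 443, "192.0.2.9", 51000)  # no prior flow
    return [fw.process(p) for p in
            (client_to_web, web_reply, web_to_db, rogue_to_db, unsolicited)]


def order_matters():
    """Same rules, but the broad block is moved above the specific permit:
    first-match evaluation now shadows the web-to-DB allow rule."""
    shadowed = [RULES[0], RULES[2], RULES[1], RULES[3]]
    return VnicFirewall(shadowed).process(Packet("tcp", "10.0.1.10", 40000, "10.0.2.20", 3306))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print("with block-db moved up:", order_matters())
```

Two things the walk-through makes visible: the web server's reply to the client matches no allow rule on its own and is passed only because the connection tracker holds the client's permitted flow, while the same server sending unsolicited traffic to a different host falls through to the default rule and is blocked. Moving the broad `block-db` rule above the specific permit changes the verdict for legitimate web-to-DB traffic, which is the shadowing effect of first-match ordering.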