Secure Home Lab DMZ network with VMware NSX firewall

With the recent announcement from VMUG that Advantage subscribers now have access to VMware NSX, it opens up a lot of possibilities for the VMware home lab environments out there.  VMware NSX has a ton of network security benefits that we can utililize in our home labs to not only learn but also gain real world lab security benefits especially if you have VMs that may be forward facing, etc.  Let’s take a quick look at how to secure home lab DMZ network with VMware NSX firewall.

Secure Home Lab DMZ network with VMware NSX firewall

Here we aren’t going to go through the ins and outs of deploying VMware NSX as there are plenty of posts out there detailing this process.  In short, it requires that we deploy the NSX Manager OVA file, integrate with vCenter, setup our hosts, VTEPS, segment IDs, and transport zones.  Then we are able to start moving forward with NSX.

As soon as we get to the point of being deployed, we can start making use of the host firewall capabilities.  These NSX firewall rules are extremely powerful since they happen at the kernel level before they even hit the wire which is much more efficient than ACLs on a switch or even router as traffic first has to traverse the wire for the ACL to apply.  In a previous post, we detailed how if you are using a single switch for a home lab and want to secure your DMZ environment from your management network, you can use a DMZ VLAN and ACLs.

Let’s look at how easy it is with VMware NSX to secure DMZ traffic.  We will step through the simple steps of creating an NSX rule that blocks source traffic from our DMZ to our destination Management network.  Both of these are VLAN backed and routed at the switch level via intervlan routing.  Instead of the cumbersome ACLs applied at the switch level, the NSX GUI interface is much easier and intuitive.

Creating NSX Firewall rules

To get to the Firewall section, we navigate to Networking & Security >> Firewall.  We will see the Default Section Layer 3 Rule (Rule 1-3) already in place.  This is a default rule that basically exits with a default allow any any rule.

We can either add to this rule or as I like to do, add a new section for us to work with.  The add section allows you to group specified rules together.

When we click to add a section we are asked to name it.  I am calling this section “DMZ Traffic Block” for something intuitive.

Notice immediately we get the green ribbon appear that gives us the options to Publish Changes, Revert Changes, or Save Changes.  We can either disregard doing anything here for now or we can Publish changes, etc.  Publishing the changes means it actually puts the section/rules in place to process traffic.  Of course at this point we don’t really have anything in the section so publishing wouldn’t really do anything.  Reverting does what you would think.  Save Changes saves the changes you are making but doesn’t put them in place to process traffic.

Also, note we now need to click the little “green plus” symbol in our section to start adding rules.

Once we click the green plus symbol, we get a basically blank (allow any any) rule without a name.

The way editing the rule works, is you simply hover over the section and there will appear a little “pencil icon” in the corner of the respective box, such as the name.  Here I give the first rule a name.

We do the same for the Source, Destination, and Action columns for a simple block rule.

For source and destination we can utilize layer 3 IP sets to create our source and destinations.  Note I had already gone through the wizard before creating rules, so I already have the DMZ Network and Mgmt Network IP sets.  If you don’t already have anything defined, you can simply click the New IP Set… link at the lower left hand corner to define these.  For source, here I am selecting the DMZ Network.

A quick note here as well, you have access to all kinds of powerful Object Types including vSphere cluster, datacenter, distributed port group, legacy port group, logical switch, resource pool, security group, vApp, virtual machine, and vNIC – many powerful options and combinations can be configured using these.

For the destination I selected my Mgmt Network IP set.

For the Action change from Allow to Block.

Now we can test our changes here.  First we need to make sure now we Publish Changes to actually have the rule start processing traffic.

Testing

After logging into a server VM in my home DMZ network, I started a ping of the gateway IP address for the Mgmt network.  As you can see with the rule already published, my pings started failing.  I then went into the NSX rule and changed the action to Allow to make sure the rule was causing the ping timeouts.  As you can see next, pings started succeeding.  Then after seeing the successful pings, I changed back to the Block action and pings once again started timing out.

Thoughts

It is super easy and intuitive to secure Home Lab DMZ network with VMware NSX firewall.  Using the process detailed above, we can create all kinds of powerful rules based on our VMware vSphere environment.  NSX is a power tool for any environment.  We have only scratched the surface on the possibilities.  Be sure to grab a copy of NSX for your home lab by signing up for the VMUG Advantage subscription.