Imad981
Explorer

Microsegmentation with Firewall Hardware

Hello Community,

I need your help and suggestions.

Our client is adopting an SDN architecture, and we've proposed Checkpoint as a firewall that will perform microsegmentation in the fabric.
Let's assume a physical server hosting VMs at the hypervisor level, connected to a leaf switch. How will we technically inspect inter-VM traffic, given that the proposed firewall is hardware-based? How can we achieve the same functionality as CloudGuard?
For information, the firewall is located in a service bridge domain, allowing it to operate within service-graph contracts. But we don't know how to push the traffic outside, inspect it, and then send it back through the hypervisor to the VM at the destination.

Thanks for your help

Imad

0 Kudos
3 Replies
Bob_Zimmerman
Authority

First, microsegmentation is a grave mistake. It's a maintenance nightmare and actively encourages people to build applications in ways which are extraordinarily difficult to reason confidently about when troubleshooting. I say this from extensive, painful experience.

If you are absolutely sure you want to wreck the datacenter, it's possible to do as long as your switches and your hypervisor platform support private VLANs. It could also be done with MPLS route distinguishers (I originally misspoke and said "descriptors") and route targets, but that's much more exotic, so you're less likely to find people who can support MPLS in this way. Give all of your VMs and physical endpoints (not the firewalls) a 32-bit (or 128-bit for IPv6) netmask and a gateway address. Give your firewalls the normal netmask. When endpoints try to go anywhere, the frame goes to the gateway's MAC. The gateway then filters it and sends it back out the same interface to the destination. The private VLANs or MPLS configuration enforce this traffic pattern, so a misconfigured VM or physical host can't talk to anything on its local network.

0 Kudos
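The reply above describes two mechanisms working together: the /32 (or /128) netmask that forces every endpoint to hand all traffic to the gateway's MAC, and the private VLAN (or MPLS) configuration that stops a host from bypassing the gateway even if it is misconfigured. The following is an added example, not code from the thread, from Check Point, or from any hypervisor vendor. It models both decisions in a few dozen lines: longest-prefix-match routing on each host, the isolated/promiscuous port rule on the leaf switch, and the firewall hairpinning the packet back out the same interface. All host names, addresses, and the allow-list are constructed for illustration.

```python
"""Model of the /32-endpoint + private-VLAN hairpin design (constructed example)."""
import ipaddress
from dataclasses import dataclass

ISOLATED, PROMISCUOUS = "isolated", "promiscuous"


@dataclass
class Host:
    name: str
    addr: str        # "10.0.0.5/32" for an endpoint, "10.0.0.1/24" for the firewall
    gateway: str     # next hop of the default route
    pvlan_role: str  # ISOLATED for VMs/physical hosts, PROMISCUOUS for the firewall

    @property
    def ip(self) -> str:
        return str(ipaddress.ip_interface(self.addr).ip)

    def next_hop(self, dst: str) -> str:
        """Longest-prefix match over the three routes such a host carries:
        its connected prefix, an on-link /32 to the gateway, and a default.
        Returns the IP whose MAC the host will ARP for."""
        dst_ip = ipaddress.ip_address(dst)
        routes = [
            (ipaddress.ip_interface(self.addr).network, None),    # connected: deliver directly
            (ipaddress.ip_network(f"{self.gateway}/32"), None),   # gateway itself is on-link
            (ipaddress.ip_network("0.0.0.0/0"), self.gateway),    # everything else via gateway
        ]
        matches = [r for r in routes if dst_ip in r[0]]
        _prefix, via = max(matches, key=lambda r: r[0].prefixlen)
        return via or dst  # via is None for directly connected routes


class Fabric:
    """One leaf switch (with optional private-VLAN enforcement) plus the
    gateway firewall's allow-list of (src_ip, dst_ip) pairs."""

    def __init__(self, hosts, firewall: str, allow: set, pvlan: bool = True):
        self.hosts = {h.name: h for h in hosts}
        self.by_ip = {h.ip: h for h in hosts}
        self.firewall = firewall
        self.allow = allow
        self.pvlan = pvlan

    def _switch_allows(self, src: Host, dst: Host) -> bool:
        # PVLAN rule: an isolated port may only exchange frames with a promiscuous port.
        if not self.pvlan:
            return True
        return PROMISCUOUS in (src.pvlan_role, dst.pvlan_role)

    def trace(self, src_name: str, dst_ip: str) -> list:
        """Return the hops a packet takes, ending in a drop reason if it does not arrive."""
        src = self.hosts[src_name]
        hop_ip = src.next_hop(dst_ip)
        hop = self.by_ip.get(hop_ip)
        if hop is None:
            return [src.name, f"dropped: no neighbor for {hop_ip}"]
        if not self._switch_allows(src, hop):
            return [src.name, "dropped: private VLAN"]
        if hop.name != self.firewall:
            return [src.name, hop.name]               # direct delivery: firewall bypassed
        if dst_ip == hop.ip:
            return [src.name, hop.name]               # traffic to the gateway itself
        if (src.ip, dst_ip) not in self.allow:
            return [src.name, hop.name, "dropped: firewall policy"]
        dst = self.by_ip.get(dst_ip)
        if dst is None:
            return [src.name, hop.name, f"dropped: no route to {dst_ip}"]
        # Hairpin: the firewall sends the packet back out the same interface.
        # Its port is promiscuous, so the switch lets it reach the isolated port.
        return [src.name, hop.name, dst.name]


def build_fabric(pvlan: bool = True) -> Fabric:
    """Constructed topology: firewall with the normal /24, two correctly
    configured /32 VMs, and one VM that was mistakenly left on a /24."""
    return Fabric(
        hosts=[
            Host("fw",   "10.0.0.1/24", "10.0.0.254", PROMISCUOUS),
            Host("vm-a", "10.0.0.5/32", "10.0.0.1", ISOLATED),
            Host("vm-b", "10.0.0.6/32", "10.0.0.1", ISOLATED),
            Host("vm-c", "10.0.0.7/24", "10.0.0.1", ISOLATED),   # misconfigured
        ],
        firewall="fw",
        allow={("10.0.0.5", "10.0.0.6")},   # only vm-a -> vm-b is permitted
        pvlan=pvlan,
    )


if __name__ == "__main__":
    fab = build_fabric()
    for s, d in [("vm-a", "10.0.0.6"), ("vm-b", "10.0.0.5"), ("vm-c", "10.0.0.5")]:
        print(s, "->", d, ":", " -> ".join(fab.trace(s, d)))
    print("without PVLAN, vm-c -> 10.0.0.5 :", " -> ".join(build_fabric(pvlan=False).trace("vm-c", "10.0.0.5")))
```

The interesting case is `vm-c`: with its /24 netmask it ARPs for `vm-a` directly, and only the private VLAN stops that frame. Run with `pvlan=False` the same trace lands on `vm-a` without ever touching the firewall, which is exactly the bypass the reply warns about.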
Imad981
Explorer

Hello @Bob_Zimmerman,

Thanks for your answer, but in this way, can we enforce that the traffic is routed out of the hypervisor (an ESXi host, for example) and into the hardware firewall?

0 Kudos
Bob_Zimmerman
Authority

It depends on the hypervisor's capabilities. It needs to support private VLANs, MPLS-based flow control, or an analogous feature. I haven't followed ESX development in years, but it looks like they have at least some support for private VLANs.

0 Kudos
