A Distributed Firewall (DFW) runs in the kernel as a VIB package on all the ESXi host clusters that are prepared for NSX. Host preparation automatically activates DFW on the ESXi host clusters.

The fundamental constraints of traditional perimeter-centric security architecture impact both security posture and application scalability in modern data centers. For example, hair-pinning of traffic through physical firewalls at the perimeter of the network creates an extra latency for certain applications.

DFW complements and enhances your physical security by removing unnecessary hair-pinning from the physical firewalls and reduces the amount of traffic on the network. Rejected traffic is blocked before it leaves the ESXi host. There is no need for the traffic to traverse the network, only to be stopped at the perimeter by the physical firewall. Traffic destined to another VM on the same host or another host does not have to traverse through the network up to the physical firewall, and then go back down to the destination VM. Traffic is inspected at the ESXi level and delivered to the destination VM.

Figure shows flow of traffic in a network with and without DFW.

NSX DFW is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. DFW is implemented in the hypervisor and applied to virtual machines on a per-vNIC basis. That is, the firewall rules are enforced at the vNIC of each virtual machine. Inspection of traffic happens at the vNIC of a VM just as the traffic is about to exit the VM and enter the virtual switch (egress). Inspection also happens at the vNIC just as the traffic leaves the switch but before entering the VM (ingress).

NSX Manager virtual appliance, NSX Controller VMs, and NSX Edge Service Gateways are automatically excluded from DFW. If a VM does not require DFW service, you can manually add it to the exclusion list.

As DFW is distributed in the kernel of every ESXi host, firewall capacity scales horizontally when you add hosts to the clusters. Adding more hosts increases the DFW capacity. As your infrastructure expands and you buy more servers to manage your ever-growing number of VMs, the DFW capacity increases.

DFW Policy Rules

DFW policy rules are created by using the vSphere Web Client, and the rules are stored in the NSX Manager database. With DFW, you can create Ethernet rules (L2 rules) and General rules (L3 to L7 rules). The rules are published from NSX Manager to ESXi cluster and then from ESXi host down to VM level. All ESXi hosts in the same cluster have the same DFW policy rules.

A distributed firewall instance on an ESXi host contains the following two tables:
  • Rules table to store all security policy rules.
  • Connection Tracker table to cache flow entries for rules with an “allow” action.

DFW rules are run in a "top-down" order. Traffic that must go through a firewall is first matched against a firewall rules list. Each packet is checked against the top rule in the rule table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. The last rule in the table is the DFW default rule. Packets not matching any rule above the default rule are enforced by the default rule.

Each VM has its own firewall policy rules and context. During vMotion, when VMs move from one ESXi host to another host, the DFW context (Rules table, Connection Tracker table) moves with the VM. In addition, all active connections remain intact during vMotion. In other words, DFW security policy is independent of VM location.

Micro-Segmentation Using DFW

Micro-segmentation makes the data center network more secure by isolating each related group of virtual machines onto a distinct logical network segment. Micro-segmentation allows the administrator to firewall traffic traveling from one logical segment of the data center to another logical segment (east-west traffic). So, firewalling of east-west traffic limits the attacker’s ability to move laterally in the data center.

Micro-segmentation is powered by the Distributed Firewall (DFW) component of NSX. The power of DFW is that the network topology is no longer a barrier to security enforcement. The same degree of traffic access control can be achieved with any type of network topology.

For a detailed example of micro-segmentation use case, see the "Micro-Segmentation with NSX DFW and Implementation" section in the NSX Network Virtualization Design Guide at https://communities.vmware.com/docs/DOC-27683.

DFW Policy Rules Based on User Identity

Distributed firewall can help in creating identity-based rules too. Security administrators can enforce access control based on the user identity and the user's group memberships as defined in the enterprise Active Directory. For example, identity-based distributed firewall rules can be used in the following scenarios:
  • Users want to virtual applications using a laptop or mobile device where Active Directory is used for user authentication.
  • Users want to access virtual applications using VDI infrastructure where the virtual machines are running Microsoft Windows operating system.

For more information about Active-Directory user-based DFW rules, see Identity Firewall Overview.