Simplifying Security Operations for Dell HCI Platforms with NSX
Thu, 08 Sep 2022 16:58:04 -0000
Most technology vendors today try to offer customers not only new capabilities but also ways to simplify their day-to-day operations.
One example is the new vCenter plug-in for NSX-T, introduced with vSphere 7.0 Update 3c and NSX-T 3.2. With this deployment method, management and operations users consume NSX-T as a plug-in inside vCenter, much as earlier versions of NSX were configured. Wizard-assisted workflows let security policies be configured, deployed, and operated from within vCenter.
Figure 1. The new vCenter plug-in for NSX-T simplifies security deployment and operations
For Dell HCI platforms such as VxRail, vSAN Ready Nodes, and PowerEdge servers hosting vSAN-based workloads, NSX becomes an optimal network and security engine.
Figure 2. Dell HCI platforms such as VxRail or vSAN Ready Nodes become the perfect targets for the new vCenter plug-in
The whole process is simple and can be completed by following these steps:
- Install NSX-T Manager and provide a license key.
- Install the vCenter plug-in for NSX, the new way to configure and operate NSX security.
- Configure the distributed firewall policies for the HCI cluster:
a. Define the infrastructure services the cluster depends on (DNS, DHCP, custom…).
b. Create the environment that consumes those infrastructure services.
- Define how the elements in the environment may communicate with each other.
- Define communication policies for the applications in the environment.
- Review and verify the defined security policies before they are published and take effect.
Figure 3. Defined NSX security rules can be reviewed before going live
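The procedure above maps directly onto the NSX-T Policy API, which is what the plug-in's wizards drive underneath. The Python script below is an added example, not code from this post or from VMware or Dell: it builds the same objects (infrastructure services, an environment, application flows) and runs the pre-publish review as a dry run, producing the PATCH calls without sending them. The group names, tags, flows and the NSX Manager hostname are constructed for illustration; the API paths, category names and system-defined service names are assumptions drawn from the NSX-T 3.2 Policy API.

```python
"""Build and review NSX-T distributed firewall policies before publishing them.

Added example, not code from the post or from VMware/Dell. Group and tag
names, flows and the manager host are constructed; API paths, categories and
system-defined service names are assumed from the NSX-T 3.2 Policy API.
"""
import json

# Policy categories, in the order the distributed firewall evaluates them.
CATEGORIES = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]
GROUPS = "/infra/domains/default/groups/"
POLICIES = "/infra/domains/default/security-policies/"
SERVICES = "/infra/services/"  # system-defined service names assumed to exist


def gpath(group_id):
    return GROUPS + group_id


def group(group_id, tag):
    """Dynamic group whose membership is the VMs carrying a tag (no IP lists)."""
    cond = {"resource_type": "Condition", "member_type": "VirtualMachine",
            "key": "Tag", "operator": "EQUALS", "value": tag}
    return {"path": gpath(group_id), "body": {"display_name": group_id, "expression": [cond]}}


def rule(name, src, dst, services, action="ALLOW"):
    return {"display_name": name, "source_groups": src, "destination_groups": dst,
            "services": services, "action": action, "scope": ["ANY"]}


def policy(policy_id, category, rules):
    return {"path": POLICIES + policy_id,
            "body": {"display_name": policy_id, "category": category, "rules": rules}}


def build_hci_policy():
    """Steps 3 to 5 of the procedure, expressed as Policy API objects (constructed)."""
    groups = [group("infra-dns", "role|dns"), group("infra-dhcp", "role|dhcp"),
              group("env-prod", "env|prod"), group("env-dev", "env|dev"),
              group("app-web", "app|web"), group("app-db", "app|db")]
    policies = [
        policy("hci-infrastructure", "Infrastructure", [
            rule("allow-dns", ["ANY"], [gpath("infra-dns")],
                 [SERVICES + "DNS", SERVICES + "DNS-UDP"]),
            rule("allow-dhcp", ["ANY"], [gpath("infra-dhcp")], [SERVICES + "DHCP-Server"]),
        ]),
        policy("hci-environment", "Environment", [
            rule("block-dev-to-prod", [gpath("env-dev")], [gpath("env-prod")], ["ANY"], "DROP"),
        ]),
        policy("hci-application", "Application", [
            rule("web-to-db", [gpath("app-web")], [gpath("app-db")], [SERVICES + "MySQL"]),
            rule("db-default-deny", ["ANY"], [gpath("app-db")], ["ANY"], "DROP"),
        ]),
    ]
    return groups, policies


def review(groups, policies):
    """Pre-publish checks: dangling group references, any/any allows,
    unknown categories, and application policies without a final deny."""
    known = {g["path"] for g in groups}
    findings = []
    for p in policies:
        body, rules = p["body"], p["body"]["rules"]
        if body["category"] not in CATEGORIES:
            findings.append(f"{body['display_name']}: unknown category {body['category']}")
        for r in rules:
            for ref in r["source_groups"] + r["destination_groups"]:
                if ref != "ANY" and ref not in known:
                    findings.append(f"{r['display_name']}: references undefined group {ref}")
            if (r["action"] == "ALLOW" and r["source_groups"] == ["ANY"]
                    and r["destination_groups"] == ["ANY"] and r["services"] == ["ANY"]):
                findings.append(f"{r['display_name']}: allows any-to-any on any service")
        if body["category"] == "Application" and (
                not rules or rules[-1]["action"] not in ("DROP", "REJECT")):
            findings.append(f"{body['display_name']}: no default-deny as the last rule")
    return findings


def patch_requests(groups, policies, manager="nsx-manager.example.test"):
    """The PATCH calls to send, as (method, url, json) tuples; nothing is sent here."""
    return [("PATCH", f"https://{manager}/policy/api/v1{item['path']}", json.dumps(item["body"]))
            for item in groups + policies]


if __name__ == "__main__":
    grp, pol = build_hci_policy()
    problems = review(grp, pol)
    if problems:
        raise SystemExit("fix before publishing:\n  " + "\n  ".join(problems))
    for method, url, body in patch_requests(grp, pol):
        print(method, url, body[:60] + "...")
```

The review step is the part worth keeping even when the wizard does the rest: it refuses to publish an application policy that does not end in an explicit deny, and it flags any allow rule that is effectively the pre-NSX flat network.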
If you want to learn more about how simple security operations can become with the new vCenter plug-in for NSX, take a look at this video.
Author: Inigo Olcoz
- VxRail Info Hub
- vSAN Ready Nodes Info Hub
- HCI Security Simplified: Protecting Dell VxRail with VMware NSX Security
- Simplifying Security Deployment and Operations for Dell HCI Platforms
- Video: Simplifying HCI Security with the New vCenter Plug-in for NSX
Related Blog Posts
Enhancing your Data Center Security with VxRail
Fri, 28 Jul 2023 22:16:57 -0000
In addition to providing operational efficiency, VxRail fundamentally sets up a secure foundation for your organization’s data center. This blog post provides a high-level overview of VxRail security. For a complete understanding of VxRail security features, read the VxRail Comprehensive Security by Design white paper or view the three-part video series VxRail Security: A Secure Foundation for your Data Center.
The white paper and videos provide a complete picture of how security begins with VxRail design and extends through VxRail deployment in your IT infrastructure.
As an introduction to what the videos cover, here is the first of the three.
The integrated components of VxRail are designed to help secure your data center, starting from the PowerEdge server layer running on Intel or AMD processors, to the VMware vSphere (ESXi) layer integrated with vSAN for virtual storage, to the VxRail HCI system software layer that provides life cycle management through VxRail Manager (which is accessed through the vCenter plug-in), and to other add-ons from Dell and VMware, such as RecoverPoint for Virtual Machines. The video series and security by design white paper provide information about data protection and how VxRail creates a stable environment to ensure business continuity.
VxRail is engineered around three functions of the NIST Cybersecurity Framework, protect, detect, and recover, to improve cyber resiliency. It includes integrated features to protect the VxRail BIOS and firmware and the data your organization stores in vSAN. The underlying PowerEdge server offers a system lockdown mode that blocks configuration changes that could introduce security weaknesses. PowerEdge also verifies that firmware and software update packages are cryptographically signed by a vetted source before they are applied, and UEFI Secure Boot ensures that only signed, trusted boot components (firmware, bootloader, and hypervisor) are allowed to execute.
Furthermore, the VxRail nodes are protected by Intel Trusted Execution Technology (TXT), which verifies the PowerEdge server firmware, BIOS, and hypervisor at launch against known-good, cryptographically signed versions, so that a tampered boot chain is detected before it can introduce malware into the node. VxRail devices deployed in open environments are also protected by locking bezels, which block physical access to the front ports and so keep malware-infected USB drives out; the ports can additionally be disabled and re-enabled as needed. For VxRail satellite nodes, self-encrypting drives (SEDs) ensure that a stolen node or drive does not expose the data stored on it.
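The TXT verification described above is a measured launch: each boot stage is hashed and folded into a TPM platform configuration register (PCR), and the final value is compared with a known-good one. The following Python is an added illustration of that mechanism, not Dell or VMware code, and the stage names and byte strings are constructed stand-ins for real firmware and hypervisor images. It shows why a change in any stage, or a change in stage order, is detected, and how the event log tells an incident responder which stage changed.

```python
"""Measured-boot check of the kind Intel TXT relies on. Added example, not
Dell or VMware code; stage names and image bytes are constructed stand-ins."""
import hashlib

BOOT_ORDER = ["bios", "firmware", "bootloader", "hypervisor"]  # stage order matters
PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr, component):
    """TPM extend: PCR_new = H(PCR_old || H(component)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_launch(images):
    """Measure every stage in boot order; return the final PCR and an event log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at zero on reset
    log = []
    for stage in BOOT_ORDER:
        log.append((stage, hashlib.sha256(images[stage]).hexdigest()))
        pcr = pcr_extend(pcr, images[stage])
    return pcr, log


def verify_launch(pcr, golden_pcr):
    """Launch control decision: only a chain matching the golden value may continue."""
    return pcr == golden_pcr


def changed_stages(log, golden_log):
    """Which stages differ from the known-good event log (for incident triage)."""
    golden = dict(golden_log)
    return [stage for stage, digest in log if golden.get(stage) != digest]


# Constructed stand-ins for the vetted images of a known-good node.
GOOD_IMAGES = {"bios": b"PowerEdge BIOS (vetted build)",
               "firmware": b"PowerEdge system firmware (vetted build)",
               "bootloader": b"ESXi bootloader (vetted build)",
               "hypervisor": b"ESXi hypervisor (vetted build)"}
GOLDEN_PCR, GOLDEN_LOG = measured_launch(GOOD_IMAGES)


def check_node(images):
    """Return (launch permitted, stages whose measurement changed) for a node."""
    pcr, log = measured_launch(images)
    return verify_launch(pcr, GOLDEN_PCR), changed_stages(log, GOLDEN_LOG)


if __name__ == "__main__":
    tampered = dict(GOOD_IMAGES, firmware=GOOD_IMAGES["firmware"] + b" + implant")
    print(check_node(GOOD_IMAGES))  # (True, [])
    print(check_node(tampered))     # (False, ['firmware'])
```

The final PCR value alone only says that something differs; the per-stage event log is what lets you say which image to pull for forensics.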
To secure your organization’s workloads, VxRail protects data and VMs through VxRail Manager, VMware vSphere, and vSAN. Data at rest in vSAN and data in transit between nodes are encrypted using cryptographic modules validated to FIPS 140-2 Level 1: two FIPS-validated modules, including Dell BSAFE Crypto-C Micro Edition, providing AES-256.
Dell provides hardening packages for VxRail based on the Security Technical Implementation Guides (STIGs) and Security Requirements Guides published by the Defense Information Systems Agency (DISA), for customers whose industry or sector requires additional hardening. For more information about hardening your IT infrastructure, see the resource links at the end of this post.
If you have not already watched the VxRail security video series or read the white paper, I hope this short summary gives you some insight into the breadth of VxRail security features. To learn more about how VxRail provides a secure foundation for your data center through a carefully vetted supply chain, a secure development life cycle, and the many other features VxRail provides, see the following resources:
- Dell VxRail: Comprehensive Security by Design
- Dell VxRail Documentation Quick Reference List (for links to the Product Security Configuration Guide, STIG Hardening Guides, and other useful support documentation)
- VxRail Info Hub—For additional technical guides, white papers, blogs, and videos
- Dell VxRail Hyperconverged Infrastructure (Dell Technologies product page)
Olatunji Adeyeye, Product Manager
100 GbE Networking – Harness the Performance of vSAN Express Storage Architecture
Wed, 05 Apr 2023 12:48:50 -0000
For a few years, 25 GbE networking has been the mainstay of rack networking, with 100 GbE reserved for uplinks to spine or aggregation switches. 25 GbE provides a significant leap in bandwidth over 10 GbE and today carries no price premium over it, making it a clear winner for new buildouts. But should we continue with this winning 25 GbE strategy, or is it time to look to a future of 100 GbE networking within the rack? Or is that future already here?
This question stems from my last blog post, VxRail with vSAN Express Storage Architecture (ESA), where I called out VMware’s recommendation of 100 GbE for maximum performance. But just how much more performance can vSAN ESA deliver with 100 GbE networking? VxRail is fortunate to have its own performance team, who stood up two six-node VxRail with vSAN ESA clusters that were identical except for the networking: one configured with Broadcom 57514 25 GbE networking, the other with Broadcom 57508 100 GbE networking. For more VxRail white papers, guides, and blog posts, visit the VxRail Info Hub.
When it comes to benchmark tests, there is a large variety to choose from. Some are ideal for generating headline hero numbers for marketing purposes (think quarter-mile drag racing). Others are good for diagnosing issues. Finally, there are benchmarks that reflect real-world workloads. OLTP32K is a popular one: it models online transaction processing with a 70/30 read/write split and a 32 KB block size, a profile derived from aggregated Live Optics observations of thousands of workloads across millions of servers.
One more thing before we get to the results of the VxRail performance team’s testing: the environment configuration. We used a storage policy of erasure coding (RAID-6) with a failure tolerance of two and compression enabled.
When VMware announced vSAN with Express Storage Architecture, they published a series of blog posts, all of which I encourage you to read. As part of our 25 GbE vs 100 GbE testing, we also wanted to verify the bold claims in two of them: RAID-5/6 with the Performance of RAID-1 using the vSAN Express Storage Architecture and vSAN 8 Compression - Express Storage Architecture. In short, forget the normal rules of storage performance; VMware threw that book out of the window. We didn’t throw our copy out, not at first, but once our results validated their claims… it went out.
Let’s look at the data.
Figure 1. ESA: OLTP32KB 70/30 RAID6 25 GbE vs 100 GbE performance graph
Boom! A 78% increase in peak IOPS with a substantial 49% drop in latency. This is a huge increase in performance, and the sole difference is the Broadcom 57508 100 GbE networking. Also notice the latency ramp on the 25 GbE line: it is like hitting a wall, while the 100 GbE line stays almost flat.
But nobody runs constantly at 100%, or at least they shouldn’t. Sixty to seventy percent of the absolute maximum is a typical day-to-day comfortable peak, leaving headroom for spikes or node maintenance. In that range there is an 88% increase in IOPS with a 19 to 21% drop in latency; the smaller latency drop is because the 25 GbE configuration has not yet hit its wall. As much as applications like high performance, what they need is performance delivered with consistent and predictable latency, and the lower the better. Looking at latency alone, the 100 GbE networking delivered 350K IOPS at 0.73 ms, while the 25 GbE networking could squeak out 106K IOPS at 0.72 ms. That may not be the fairest of comparisons, but it does highlight how much 100 GbE networking can benefit latency-sensitive workloads.
Boom, again! This second benchmark is not reflective of real-world workloads; it is a diagnostic test that stresses the network with 100% read and 100% write workloads at a 512 KB block size. Can it find the bottleneck that 25 GbE hit in the previous benchmark?
Figure 2. ESA: 512KB RAID6 25 GbE vs 100 GbE performance graph
This testing was performed on a six-node cluster, with each node contributing one-sixth of the throughput shown in this graph: 20,359 MB/s of random read throughput for the 25 GbE cluster, or 3,393 MB/s per node, which is slightly above the 3,125 MB/s theoretical line rate of a single 25 GbE port. In other words, 25 GbE is saturated. In the world of HCI, the virtual machine workload is co-resident with the storage, so part of the IO is served locally and never crosses the network, which is how a node can appear to exceed the line rate. For comparison, the 100 GbE cluster achieved 48,594 MB/s of random read throughput, or 8,099 MB/s per node, against a theoretical maximum of 12,500 MB/s.
But this is just the first release of the Express Storage Architecture. In the past, VMware has added significant gains to vSAN, as seen in the lab-based performance analysis of Harnessing the Performance of Dell EMC VxRail 7.0.100. We can only speculate on what else they have in store to improve upon this initial release.
What about costs, you ask? Street pricing can vary greatly by region, so reach out to your Dell account team for local pricing. Using US list pricing as of March 2023, the per-port bill of materials compared was:
- 25 GbE: Broadcom 57414 dual-port 25 GbE NIC, S5248F-ON 48-port 25 GbE switch, and 25 GbE passive copper DAC (total per port)
- 100 GbE: Broadcom 57508 dual-port 100 GbE NIC, S5232F-ON 32-port 100 GbE switch, and 100 GbE passive copper DAC (total per port)
Overall, the per-port cost of the 100 GbE equipment was 2.04 times that of the 25 GbE equipment. However, this doubling of network cost provides four times the bandwidth, a 78% increase in storage performance, and a 49% reduction in latency.
If your workload is IOPS-bound or latency-sensitive and you had planned to address this by adding more VxRail nodes, consider this a wakeup call. Adding dual-port 100 GbE came at a total list cost of $42,648 for the twelve ports used. This is significantly less than the list price of a single VxRail node, and a fraction of the list cost of adding enough VxRail nodes to achieve the same performance increase.
Reach out to your networking team; they would be delighted to help deploy the 100 Gb switches your savings funded. If decision-makers need further encouragement, send them this link to the white paper on this same topic Dell VxRail Performance Analysis (similar content, just more formal), and this link to VMware's vSAN 8 Total Cost of Ownership white paper.
While 25 GbE has its place in the datacenter, when it comes to deploying vSAN Express Storage Architecture, it's clear that we're moving beyond it and onto 100 GbE. The future is now 100 GbE, and we thank Broadcom for joining us on this journey.