SAI2803BU #VMworld #SAI2803BU
The Road to Micro-Segmentation with VMware NSX
VMworld 2017 Content: Not for publication or distribution


Page 1: Title

SAI2803BU #VMworld #SAI2803BU
The Road to Micro-Segmentation with VMware NSX

Page 2: Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3: Speakers

Stijn Vanveerdeghem
Geoff Wilmington - @vWilmo

Page 4: Agenda

1 Security in the Datacenter with NSX
2 Deploying NSX Micro-Segmentation
3 Micro-Segmentation Policy Creation
4 Automation

Page 5: Security in the DC with NSX - Requirements for a Software-Defined Datacenter

• Visibility
• Control
• Extensibility
• Common Policy
• Lifecycle Management and Automation

Page 6: Security in the DC with NSX - NSX Security Platform

• Visibility: datacenter, application and host
• Control: context-driven micro-segmentation
• Extensibility: best-of-breed partner integration
• Common Policy
• Lifecycle Management and Automation

Page 7: Security in the DC with NSX - What is Zero Trust?

Page 8: Agenda

1 Security in the Datacenter with NSX
2 Deploying NSX Micro-Segmentation
3 Micro-Segmentation Policy Creation
4 Automation

Page 9: Deploying NSX Micro-Segmentation - Deployment Options: Distributed Segmentation

• Controlled Communication or Isolation between workloads on the same or different VLAN
• Distributed Firewall applied to each vNIC
• East-West Filtering by NSX Distributed Firewall
• Existing physical firewall only handles North-South communication
• Traffic discovery to determine required flows/rules.
• Advanced Partner Services can be inserted at each vNIC

[Diagram: workloads behind a physical router, each vNIC fronted by a stateful DFW driven by a common policy; permitted paths labelled "Controlled Communication", denied paths "STOP"]

Page 10: Deploying NSX Micro-Segmentation - Deployment Options: Distributed Segmentation and Network Overlays

• Logical Switches based on overlays to isolate/segment independent of the underlying physical network
• Distributed Logical Routers to optimize East-West Routing
• Edge Services Gateway can also be leveraged for N-S routing, N-S firewalling, load balancing, NAT, VPN
• Distributed Firewall providing Controlled Communication or Isolation between workloads on the same or different Logical Switch (overlay)
• Advanced Partner Services can be inserted at each vNIC

[Diagram: workloads on logical switches behind a Distributed Logical Router, each vNIC fronted by a stateful DFW driven by a common policy; permitted paths labelled "Controlled Communication", denied paths "STOP"]

Page 11: Deploying NSX Micro-Segmentation - Deployment Steps: Deploying NSX Manager, VDS and Host Prep

• Pre-existing Management and Compute clusters can be leveraged
• NSX Manager deployed in the Mgmt cluster and peered with the existing vCenter server
• VDS is required for all compute clusters
• Host preparation installs the NSX VIB on all hosts in a cluster
• Non-disruptive operation
• Distributed Firewall is enabled on every VM with a default allow-all policy

[Diagram: Management Cluster and Compute Clusters on a VDS; L2 segments VLAN 10 / VLAN 20 / VLAN 30 behind an L3 boundary]

Page 12: Deploying NSX Micro-Segmentation - Deployment Steps: Determine and Configure Appropriate Policies

• Policy and Grouping Methodology
• Application Discovery
• Policy Model
• Service Composer/Firewall Rule Table

Page 13: Deploying NSX Micro-Segmentation - Deployment Steps: Reduce the Scope of the Perimeter Firewall (Brownfield)

▪ Move the default GW function from the perimeter firewall to the aggregation layer or deploy NSX Distributed Routing
▪ Remove E-W Rules from the perimeter firewall
▪ Perimeter Firewall now only handles N-S flows
▪ Can be done gradually

[Diagram: VLAN 10 / VLAN 20 / VLAN 30; only N-S flows traverse the perimeter firewall]

Page 14: Agenda

1 Security in the Datacenter with NSX
2 Deploying NSX Micro-Segmentation
3 Micro-Segmentation Policy Creation
4 Automation

Page 15: Micro-Segmentation Policy Creation - Policy and Grouping Methodology

• Choose the policy and grouping methodology BEFORE beginning the process.
• Will provide a clear direction on how to tackle challenges along the way.

Methodologies: NETWORK, INFRASTRUCTURE, APPLICATION

Page 16: Micro-Segmentation Policy Creation - Whitelisting and Blacklisting

Whitelisting
Definition – A list of approved items. Anything not on this list is disallowed.
Advantages
• More secure
• High degree of accuracy
• Minimizes false positives
• Easy to customize
• Can be established easily in different areas of the enterprise
Disadvantages
• More time to manage
• Requires additional time to install

Blacklisting
Definition – A list of unapproved items. Anything not on this list is allowed.
Advantages
• Easy to manage
• Easy to install
• Updates quickly
Disadvantages
• Exponential growth
• High rate of false positives, even possibly blocking necessary access
• Requires continual updates
• Hard to transition to whitelisting

Page 17: Micro-Segmentation Policy Creation - Firewall Rule Table and Service Composer

Firewall Rule Table
• Analogous to a typical firewall rule table
• Provides overview of all rules in the system
• DFW Rules and Network Introspection
• Sections enable rule grouping
• UI and API Driven

Service Composer
• One or more Security Policies can be applied to Security Groups
• Policies define DFW rules and Service Chain.
• Abstraction enables efficient service deployment
• Independent policies are combined specific to each workload
• UI and API Driven

Page 18: Micro-Segmentation Policy Creation - Policy and Grouping Methodology

[Diagram: Security Tag (ST) -> Virtual Machine (VM) -> Security Group (SG) -> Security Policy. Security Group: Members (VM, vNIC) and Context (user identity, security posture). Security Policy: Guest Introspection, Distributed Firewall and Network Introspection policies]

• Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
• End-Users and Cloud Admins are able to define application-centric security policies
• Security policies are applied to one or more security groups where workloads are members
• Security Tags are applied to Virtual Machines and can be used for dynamic Security Group membership

Page 19: Micro-Segmentation Policy Creation - Dynamic Policy using Security Tags – Example

Requirements
• Apply differentiated policy based on OS, Environment, …
• Automate policy application for new applications being provisioned

Upon vRA Blueprint deployment
• All VMs part of an application are placed into a new Security Group
• Every VM is tagged with multiple tags identifying: Function, Zone, OS, Environment and Tenant

[Diagram: "App1 – Security Group" containing App1-Apache (tags: Apache, DMZ_PROD_RHEL), App1-WLS (tags: WLS, TRUSTED_PROD_RHEL) and App1-ORADB (tags: ORADB, RESTRICTED_PROD_RHEL)]

Page 20: Micro-Segmentation Policy Creation - Zero Trust Policy Model

Rule sections, top of the table first (Whitelisting / Zero Trust):
• Emergency Rules – Used for Quarantine and/or Allow Rules
• Infrastructure Rules – Global Rules – AD, DNS, NTP, DHCP, Backup, Mgmt Servers
• Environment Rules – Rules between Zones – Prod vs Dev, PCI vs Non PCI, Inter BU rules
• Inter-Application Rules – Rules between Applications
• Intra-Application Rules – Rules between the app tiers or between micro-services
• Default Rule = Deny

Tools: vRNI / ARM / EM
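The layered model above can be exercised as a small simulation. The Python below is an added example written for this page, not NSX code and not the NSX API: security tags drive dynamic Security Group membership (the mechanism from the Security Tags slides), rules sit in the sections listed above and are evaluated top to bottom with the first match winning, and anything unmatched lands on the default deny. Every VM name, tag, group name and rule is constructed for the example; the three-tier permits mirror the Web/App/DB pattern used elsewhere in this deck.

```python
"""Zero Trust policy model as a simulation: tags -> dynamic Security Groups,
ordered rule sections, first-match evaluation, default deny.
All names, tags and rules are constructed for this example (not NSX code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    """Dynamic membership: a VM belongs if it carries every required tag."""
    name: str
    required_tags: Set[str]

    def members(self, vms: List[VM]) -> Set[str]:
        return {vm.name for vm in vms if self.required_tags <= vm.tags}


@dataclass
class Rule:
    section: str
    src: str             # Security Group name, or "any"
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "block"


# Sections in the order the model evaluates them (top of the table first).
SECTION_ORDER = ["Emergency", "Infrastructure", "Environment",
                 "Inter-Application", "Intra-Application"]


class PolicyTable:
    def __init__(self, vms: List[VM], groups: List[SecurityGroup], rules: List[Rule]):
        self.membership: Dict[str, Set[str]] = {g.name: g.members(vms) for g in groups}
        # sorted() is stable, so rules keep their written order inside a section.
        self.rules = sorted(rules, key=lambda r: SECTION_ORDER.index(r.section))

    def _matches(self, vm: str, selector: str) -> bool:
        return selector == "any" or vm in self.membership.get(selector, set())

    def evaluate(self, src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
        """First-match evaluation; returns (action, description of the matched rule)."""
        for r in self.rules:
            if not (self._matches(src, r.src) and self._matches(dst, r.dst)):
                continue
            if r.proto != "any" and r.proto != proto:
                continue
            if r.port is not None and r.port != port:
                continue
            return r.action, f"{r.section}: {r.src} -> {r.dst} {r.proto}/{r.port or 'any'}"
        return "block", "Default Rule = Deny"


def build_example_table() -> PolicyTable:
    """Constructed three-tier app tagged by Function/Zone/Environment/App,
    a shared DNS server, a Dev copy of the app tier and one quarantined VM."""
    vms = [
        VM("web-sv-001", {"Function=Web", "Zone=DMZ", "Environment=PROD", "App=App1"}),
        VM("web-sv-002", {"Function=Web", "Zone=DMZ", "Environment=PROD", "App=App1", "Quarantine"}),
        VM("app-sv-001", {"Function=App", "Zone=TRUSTED", "Environment=PROD", "App=App1"}),
        VM("db-sv-001", {"Function=DB", "Zone=RESTRICTED", "Environment=PROD", "App=App1"}),
        VM("dns-01", {"Function=DNS", "Zone=SHARED", "Environment=PROD"}),
        VM("app-dev-01", {"Function=App", "Zone=TRUSTED", "Environment=DEV", "App=App1"}),
    ]
    groups = [
        SecurityGroup("Quarantine", {"Quarantine"}),
        SecurityGroup("Shared-Services", {"Zone=SHARED"}),
        SecurityGroup("Dev", {"Environment=DEV"}),
        SecurityGroup("Prod", {"Environment=PROD"}),
        SecurityGroup("App1-Web", {"App=App1", "Function=Web"}),
        SecurityGroup("App1-App", {"App=App1", "Function=App"}),
        SecurityGroup("App1-DB", {"App=App1", "Function=DB"}),
    ]
    rules = [  # deliberately written out of order; the table sorts by section
        Rule("Intra-Application", "any", "App1-Web", "tcp", 443, "allow"),
        Rule("Intra-Application", "App1-Web", "App1-App", "tcp", 8443, "allow"),
        Rule("Intra-Application", "App1-App", "App1-DB", "tcp", 3306, "allow"),
        Rule("Infrastructure", "any", "Shared-Services", "udp", 53, "allow"),
        Rule("Environment", "Dev", "Prod", "any", None, "block"),
        Rule("Emergency", "Quarantine", "any", "any", None, "block"),
        Rule("Emergency", "any", "Quarantine", "any", None, "block"),
    ]
    return PolicyTable(vms, groups, rules)


if __name__ == "__main__":
    table = build_example_table()
    for flow in [("web-sv-001", "app-sv-001", "tcp", 8443),
                 ("web-sv-001", "db-sv-001", "tcp", 3306),
                 ("web-sv-002", "app-sv-001", "tcp", 8443),
                 ("app-dev-01", "db-sv-001", "tcp", 3306)]:
        print(flow, "->", table.evaluate(*flow))
```

Writing the rules out of order and letting the table sort them is the point: the quarantined web VM is blocked in the Emergency section even though an Intra-Application rule would allow the same flow, and the Dev VM that happens to match the application's tags is stopped by the Environment section before the Intra-Application section is reached. Web talking straight to DB matches nothing and lands on the default deny.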

Page 21: Micro-Segmentation Policy Creation - Application Discovery: Methods and Tools

• Leveraging Existing Firewall Policy
• vRealize Network Insight
• NSX Application Rule Manager and Endpoint Monitoring
• vRealize Log Insight – Firewall Log

Page 22: Micro-Segmentation Policy Creation - Leveraging the existing FW policy

• Mostly relevant for Infrastructure and Environment Rules
• Analyze existing zones and rules and isolate North-South rules from East-West rules.
  – Determine flow patterns that are hair-pinned (East-West traffic).
  – Also helps you understand how to replace hair-pinned traffic with logical switches and routing using overlays via NSX.
• Correlate NSX flow patterns/logs with rules collected from perimeter firewalls.

[Diagram: perimeter firewall (STOP) in front of HR Apps (HR-Web Vlan 10, HR-App Vlan 11, HR-DB Vlan 12), Engineering Apps (ENG-Web Vlan 20, ENG-App Vlan 21, ENG-DB Vlan 22) and Shared Services]

Page 23: Micro-Segmentation Policy Creation - Leveraging the existing FW policy – Rule Migration

Page 24: Micro-Segmentation Policy Creation - vRealize Log Insight: Distributed Firewall Logs

Per Application:
1. Create Security Groups for your application
2. Create catch-all rules to log traffic
3. Monitor Logs to determine required rules
4. Create or update Shared Services rules
5. Create E-W Intra-Application Rules
6. Continue for other applications

[Diagram, first panel: Application (Web Tier, App Tier, DB Tier) with Logging Rules – Any/Any Rule: Allow and Log; Any/Any Rule: Block and Log; DFW System Default: Allow or Block]

[Diagram, second panel: Application Policy (Web Tier, App Tier, DB Tier) – Default Block and Log; DFW System Default: Allow or Block]

[Diagram, third panel: Application Policy (Web Tier, App Tier, DB Tier) with Intra-Application Rules – Allow Any to Web; Allow Web to App; Allow App to DB; Block and Log Rule; DFW System Default: Allow or Block]

Page 25: Micro-Segmentation Policy Creation - NSX Micro-Segmentation Visibility and Planning Tools

• Profile applications both on the wire and on the guest. Can be used on a per application basis.
• End-to-end visibility and rule creation/enforcement
• Empowers app team = visibility and rule creation – streamlines deployment
• Drives “whitelisting” model – default deny and open up the necessities
• Fast app operationalization

Page 26: Micro-Segmentation Policy Creation - NSX Micro-Segmentation Visibility and Planning Tools: Application Rule Manager

• Leverages flow monitoring to monitor all flows for selected vNICs
• Flows are de-duplicated, correlated and filtered
• Optimized flow tables are presented to users
• IP addresses/ports are replaced with objects
• Users can further optimize the flow table
• Firewall rules are generated and can be published after review
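The log-and-learn procedure from the Distributed Firewall Logs slide and the flow processing described above (de-duplicate, correlate, filter, replace IPs with objects, generate rules for review) can be shown end to end on a handful of log lines. The Python below is an added example written for this page, not Application Rule Manager or Log Insight code: the log lines are constructed and use a simplified layout that is only loosely modelled on the DFW packet log, the IP-to-Security-Group inventory and the catch-all rule id are constructed, and `parse_flows`, `dedupe_and_resolve` and `propose_rules` are names chosen here.

```python
"""Log-and-learn rule generation: read hits on a catch-all 'allow and log'
rule, de-duplicate flows, swap IP addresses for Security Groups, and emit
candidate allow rules for review. Log layout, addresses, group inventory and
rule id are all constructed for this example (not ARM or Log Insight code)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log lines (simplified layout, not the real DFW format).
# Rule 1001 is the application's any/any "allow and log" catch-all; 1002 is
# an existing infrastructure rule whose hits are not interesting here.
SAMPLE_LOGS = """\
2017-08-28T10:00:01Z esx-01 dfwpktlogs: match PASS 1001 IN TCP 10.0.1.11/50234->10.0.2.21/8443
2017-08-28T10:00:02Z esx-01 dfwpktlogs: match PASS 1001 IN TCP 10.0.1.12/50235->10.0.2.21/8443
2017-08-28T10:00:03Z esx-02 dfwpktlogs: match PASS 1001 IN TCP 10.0.2.21/43210->10.0.3.31/3306
2017-08-28T10:00:04Z esx-02 dfwpktlogs: match PASS 1001 IN TCP 10.0.2.21/43211->10.0.3.31/3306
2017-08-28T10:00:05Z esx-01 dfwpktlogs: match PASS 1001 IN TCP 203.0.113.7/51000->10.0.1.11/443
2017-08-28T10:00:06Z esx-01 dfwpktlogs: match PASS 1001 IN UDP 10.0.1.11/55000->10.0.9.53/53
2017-08-28T10:00:07Z esx-03 dfwpktlogs: match PASS 1001 IN TCP 10.0.1.11/50236->10.0.3.31/3306
2017-08-28T10:00:08Z esx-02 dfwpktlogs: match PASS 1002 IN UDP 10.0.2.21/40000->10.0.9.53/123
"""

CATCH_ALL_RULE = "1001"  # constructed id of the logging catch-all rule

# Constructed inventory: which Security Group each VM address resolves to.
IP_TO_GROUP: Dict[str, str] = {
    "10.0.1.11": "App1-Web", "10.0.1.12": "App1-Web",
    "10.0.2.21": "App1-App",
    "10.0.3.31": "App1-DB",
    "10.0.9.53": "Shared-Services",
}

LOG_RE = re.compile(
    r"dfwpktlogs: match (?P<action>\w+) (?P<rule>\d+) (?P<dir>\w+) (?P<proto>\w+) "
    r"(?P<sip>[\d.]+)/(?P<sport>\d+)->(?P<dip>[\d.]+)/(?P<dport>\d+)")

Flow = Tuple[str, str, str, int]     # (src_ip, dst_ip, proto, dst_port)
FlowKey = Tuple[str, str, str, int]  # (src_group, dst_group, proto, dst_port)


def parse_flows(text: str) -> List[Flow]:
    """Keep only hits on the catch-all rule. The ephemeral source port is
    dropped here, which is what lets repeated connections collapse later."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "PASS" and m["rule"] == CATCH_ALL_RULE:
            flows.append((m["sip"], m["dip"], m["proto"].lower(), int(m["dport"])))
    return flows


def dedupe_and_resolve(flows: List[Flow]) -> Counter:
    """Replace addresses with Security Groups (an address outside the inventory,
    such as an external client, becomes 'any') and count identical flows."""
    counts: Counter = Counter()
    for sip, dip, proto, dport in flows:
        key: FlowKey = (IP_TO_GROUP.get(sip, "any"), IP_TO_GROUP.get(dip, "any"), proto, dport)
        counts[key] += 1
    return counts


def propose_rules(counts: Counter, min_hits: int = 2) -> List[dict]:
    """One candidate allow rule per (src group, dst group, service), most-seen
    first. Rare flows are kept but marked for review instead of auto-proposed."""
    rules = []
    for (src, dst, proto, port), hits in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rules.append({"src": src, "dst": dst, "service": f"{proto}/{port}",
                      "action": "allow", "hits": hits,
                      "status": "proposed" if hits >= min_hits else "review"})
    return rules


if __name__ == "__main__":
    for rule in propose_rules(dedupe_and_resolve(parse_flows(SAMPLE_LOGS))):
        print(rule)
```

Dropping the source port before counting is what turns eight log lines into five flows. Candidates below `min_hits` are kept and marked for review rather than discarded: a single hit can be a legitimate, rarely used service (the DNS lookup here) or a path that should not exist at all (the Web tier reaching the DB tier directly), and only a reviewer can tell the two apart, which is why the slide has rules published only after review.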

Page 27: Micro-Segmentation Policy Creation - Demo: Application Rule Manager

• Micro-Segment SAP HANA using Application Rule Manager

Page 28: Micro-Segmentation Policy Creation - vRealize Network Insight

• Optimize Network Performance with 360° Visibility & Analytics
• Ensure Best Practices, Health and Availability of NSX Deployment
• Plan Micro-segmentation Deployment and Ensure Compliance

Across Virtual, Physical and Cloud

Page 29: Micro-Segmentation Policy Creation - vRealize Network Insight: Security Planning

Network Insight can model the appropriate security groups and firewall rules for the entire environment.
• Comprehensive net flow (IPFIX) assessment and analysis to model Security Groups and Firewall Rules
• Recommendations to make micro-segmentation easier to deploy
• Continuously monitor and audit compliance posture over time

Page 30: Micro-Segmentation Policy Creation - vRealize Network Insight: Application Modeling

• Analyze flows between applications or between tiers of an application
• Quickly add VMs to an application tier using vCenter Tags or search wildcards
• Support for modeling application tiers by multiple criteria (IP, tags, IPsets, folders, …)
• Support for physical IP addresses in micro-segmentation planning and application tiers
• Export of all rules for applications, tiers, or security groups with one click

Page 31: Micro-Segmentation Policy Creation - Demo: vRealize Network Insight

• Micro-Segment SAP HANA using vRNI
• vRNI to Suggest Recommended Rules
• vRNI 3.5 New functionality
  – IPFIX for DFW

Page 32: Agenda

1 Security in the Datacenter with NSX
2 Deploying NSX Micro-Segmentation
3 Micro-Segmentation Policy Creation
4 Security Automation

Page 33: Security Automation - The need for Automating Security

• VM sprawl requires more granular security controls
• Manual configuration breaks the cloud model
• Auditing and control are harder in a dynamic environment

[Diagram: Security Admin, Internet, Automated Policy] Automating security configuration reduces risk and labor

Page 34: Security Automation - Automating Security with vRA and NSX

• Provides application context to enable a policy based approach to security
• Granular security requires a mix of options:
  – Existing or On-Demand Security Groups
  – App Isolation to block traffic across deployments

[Diagram: two vRA deployments, each inside its own App Isolation Security Group (UUID-01 and UUID-02).
Deployment 1: web-sv-001, web-sv-002 (Web Tier Security Group); app-sv-001 (App Tier Security Group); db-sv-001 (DB Tier Security Group).
Deployment 2: web-sv-003, web-sv-004 (Web Tier Security Group); app-sv-002 (App Tier Security Group); db-sv-002 (DB Tier Security Group).
Rules shown: permit only Tomcat (TCP 8443) from Web to App; permit only MySQL (TCP 3306) from App to DB; External Access – permit only SSH, HTTP, HTTPS from Any]

Page 35: Security Automation - Automating and Scaling Security with vRA - Example

[Diagram, two panels: Clinicians on VDI Desktops (NSX Security Group - VDI) connecting to Hyperspace Web Servers (HSW, NSX Security Group - HSW)]

Page 36: Key Takeaways - The Road to Micro-segmentation with VMware NSX

• NSX Micro-Segmentation enables a Zero-Trust architecture
• Choosing an appropriate policy and grouping methodology is critical
• Application discovery is key to determining the appropriate rules in a Zero-Trust model
• NSX Application Rule Manager and vRealize Network Insight enable a quick road to Micro-Segmenting your applications
• vRealize Automation delivers NSX micro-segmentation in a fully automated environment.
