Table of Contents HOL-SDC-1415

Table of Contents
Lab Overview - IT Outcomes: Security Controls Native to Infrastructure
    Lab Guidance
Module 1 - Policy-Based Compliance
    Introduction
    Manage vCenter Server Virtual Machines
    Run and Enforce Compliance
    Configure vCenter Operations Manager Integration
    Check Initial Compliance Status in vCenter Operations Manager
    Resolve Noncompliant Virtual Machine Template Results
    Validate Final Compliance Status in vCenter Operations Manager
Module 2 - Policy-Based Network Security
    Introduction
    Verify Open Communication between Virtual Machines
    Apply Network Security Policies via NSX Distributed Firewall
    Test Applied Network and Security Policies
    Apply a Data Security Policy to Scan for Unprotected and Sensitive Data
    Module Summary

Lab Overview - HOL-SDC-1415 - IT Outcomes: Security Controls Native to Infrastructure

Lab Guidance

Learn how several VMware technologies work together to implement policy-based network control, configuration and compliance management, and intelligent operations management. You will use NSX for vSphere to isolate, protect, and apply security policies across virtual network workloads. You will use vCenter Configuration Manager to continuously identify, assess, and remediate out-of-compliance virtual machines. Finally, you will use vCenter Operations Manager for operational insight into the health, risk, and efficiency of the virtual infrastructure.

Module 1: Policy-Based Compliance (30 Minutes)
Module 2: Policy-Based Network Security (25 Minutes)

Physical Lab Topology

vSphere Topology: The two vSphere hypervisors in the environment are esx-01a.corp.local and esx-02a.corp.local, and they are configured as a single cluster.

Network Topology:
The Management Network (192.168.110.0/24) is a common network across the vSphere hypervisors, vCenter, NSX Manager, ControlCenter, vCenter Operations Manager (vCOps) and vCenter Configuration Manager (VCM).
The vMotion Network (10.10.30.0/24) is used for vMotion traffic.
The App Network (192.168.120.0/24) is used for all virtual machine data traffic.
The Storage Network (10.10.20.0/24) is used to connect the hypervisors to the NFS storage appliance.

Storage Topology: The two vSphere hypervisors have NFS-attached storage via the stgb-l-01a storage appliance.

vCenter, NSX Manager, vCOps and VCM:
vCenter is pre-configured and accessible on the Management Network at 192.168.110.22
NSX Manager is pre-configured and accessible on the Management Network at 192.168.110.42
vCOps is pre-configured and accessible on the Management Network at 192.168.110.70
VCM is pre-configured and accessible on the Management Network at 192.168.110.77

Application Virtual Machines: In this lab we are using a simple application with two servers (app-l-01a and db-w8-01a) and a test server, test-l-01a.
app-l-01a.corp.local is connected at 192.168.120.10
db-w8-01a.corp.local is connected at 192.168.120.11
test-l-01a.corp.local is connected at 192.168.120.12

Module 1 - Policy-Based Compliance

Introduction

VMware vCenter Configuration Manager (VCM) delivers capabilities fundamental to ensuring that virtualized and cloud computing environments are properly configured to meet operational, security and compliance requirements. VCM is a full-featured configuration-management solution that automates configuration management across virtual, physical and cloud environments. Enterprises can use VCM to continuously audit the configurations of VMware infrastructure as well as Windows, Linux and UNIX operating systems. Both physical and virtual configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines and regulatory mandates.

VCM compares your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you download, or that you create, to determine whether the machines meet the standards. The results of the compliance run tell you which machines' configuration settings meet the standards and which do not. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM. Preset rules and templates are available that enable you to begin monitoring system compliance with regulatory (Sarbanes-Oxley, HIPAA, GLBA and FISMA), industry and Microsoft standards. You can create and manage rules and rule groups based on Active Directory (AD) objects and configuration data, or on machine data.

At a glance, vCenter Configuration Manager:
1. Improves operational effectiveness by continuously auditing configurations of the VMware infrastructure and Windows, Linux and UNIX operating systems.
2. Speeds time to service restoration by correlating configuration changes tracked within VCM with performance and capacity issues identified by VMware vCenter Operations Manager.
3. Accelerates the adoption of virtualization and cloud computing for business-critical applications by addressing security and compliance concerns.
4. Reduces potential security threats through a unified approach to configuration management across physical and virtual infrastructure.
5. Drives down the effort and cost of configuration compliance through the use of an automated solution.

Manage vCenter Server Virtual Machines

Add and license the virtual machines identified by a vCenter Guests collection from your vCenter Servers. If you are managing Windows virtual machines, you can also install the VCM Agent. Using the Manage Guests wizard, you can add the virtual machines to the appropriate Available Machines data grid based on operating system, license the virtual machines based on operating system, or, for Windows machines, license them and install the Agent.

Run PowerShell Script
Procedure:
1. Click on the Command Prompt icon on the Task Bar.

Reboot the VCM Server using PowerShell
Note: It may take up to 2 minutes while the server reboots and initializes VCM.
Procedure:
1. Type powershell in the command window.
2. Press Enter.
3. On the next line type Restart-Computer vcm-01a -Force
4. Press Enter to reboot the VCM server.

Open vCenter Configuration Manager
Procedure:
1. Once the VCM server comes back online, double-click the VCM icon on the desktop.

Log In to vCenter Configuration Manager with Proper Credentials
Procedure:
1. Log into VCM with the following credentials:
   Username: vcmadmin
   Password: VMware1!
2. Click OK.

Select the Appropriate User Level from the Drop-Down Menu
vCenter Configuration Manager users can have multiple roles. In this lab, CORP\VCADMIN is assigned three different roles in vCenter Configuration Manager:
Admin: General administrator with access to all vCenter Configuration Manager functions.
Server Manager: Role with full access to the Servers Dynamic Machine Group.
Workstation Manager: Role with full access to the Workstation Dynamic Machine Group.
We will be using the Admin role throughout this lab; however, roles can be created and assigned at a very granular level.
Procedure:
1. Select the 'Admin' user role and click Login.

Install VCM Agents for the Selected Windows Machines
Procedure:
1. Click Console.
2. Select Virtual Environments.
3. Select vCenter.
4. Select Guests.
5. Select Summary.
6. Select the Windows virtual machine (base-w7-01a).
7. Click Manage Guests.

Select Default Domain
Procedure:
1. On the Default Domain page, select CORP.LOCAL from the Domain drop-down list, then click OK.
2. Select the Active Directory radio button for Domain Type.
3. Click Next to continue.

Edit VM Guest Machine Info
Procedure:
1. On the Edit VM Guest Machine Info page, make sure the base-w7-01a Windows virtual machine is selected.
2. Click Next.

License the VM Guests and Install the Windows Agents
Procedure:
1. On the License VM Guests page, select License the selected machines.
2. Select Install VCM agents for the selected Windows machines.
3. Click Next.

Confirm Your Changes
Procedure:
1. On the Confirm Your Changes page, review the changes.
2. Click Finish.

Set the Options for Installation
Procedure:
1. Leave the default options and select Next.

Schedule the Agent Installation
Procedure:
1. Confirm that the Run Action Now radio button is selected.
2. Select Next.

Installation Confirmation
Procedure:
1. Review the notice and click Finish to deploy the Windows agents.

Watch the Progress of Your Agent Installation
Procedure:
1. Click on the Jobs icon on the menu bar.

Monitor the Agent Installation
Important: The Jobs Running window does not auto-refresh by default. Set the job to auto-refresh by following the steps below.
Procedure:
1. You can refresh the job collection manually by clicking on the Refresh icon.
2. Or you can set the job to auto-refresh for you: select 30 Seconds from the drop-down menu.
3. You can also auto-refresh the individual steps: select 5 seconds to monitor success or failure.
Notice: It can take several minutes for this process to complete successfully.

Jobs Running
Procedure:
1. Once the job is complete, click Close.

Verify that the Windows Agents Have Been Successfully Deployed
Procedure:
1. Select Administration.
2. Select Job Manager.
3. Select History.
4. Select Other Jobs.
5. Select Past 24 Hours.
6. You should see both of your Windows virtual machines in the Job History Machine Detail box with a Status of Succeeded.

Run and Enforce Compliance

Compliance templates evaluate the data collected from virtual or physical machines in machine groups to determine whether the machines meet the rules in the templates. If the property values on a machine do not meet the rule criteria, and no exception is defined, the machine is flagged as noncompliant. When a machine is noncompliant, the template results provide the details of the settings or configurations that do not match the rules. You can use this information to resolve the problem.

Run Virtual Environment Compliance Templates
Procedure:
1. Click Compliance.
2. Select Machine Group Compliance.
3. Select Templates.
4. Select the Microsoft MSS Windows 7 Hardening template.
5. Click Run Template.

Select Template Options
Procedure:
1. Select the Do not enforce noncompliant results at this time radio button.
2. Check the Check compliance alerts for this machine group check box.
3. Click OK.

Track Compliance Progress
Procedure:
1. When the template is finished running, you should see Your compliance run completed successfully in the progress bar.
2. Click on Close.

Review Compliance Results Report
Procedure:
1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.
2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are noncompliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.
3. To view the results in the data grid, click View data grid.

View Data Grid Results
Icon description:
Green check mark: Successful compliance rules.
Red exclamation mark: Failed compliance rules that are not enforceable directly by vCenter Configuration Manager.
Red exclamation mark with a small yellow sign: Failed compliance rules that are enforceable directly by vCenter Configuration Manager.

Review Rules that are Out of Compliance
These policies will be enforced by VCM.

Configure vCenter Operations Manager Integration

The integration between vCenter Operations Manager and VCM uses the VCM compliance template results to contribute to the Risk badge score in vCenter Operations Manager. The compliance templates are included in badge mappings that are run in VCM against objects in vCenter Server instances that are managed by both VCM and vCenter Operations Manager. These objects include virtual machines, host systems, clusters, vCenter Server instances, and datastores. The compliance mapping results determine the compliance score. vCenter Operations Manager then pulls the scores into the formulas used to calculate the Risk badge scores. When you review the standards compliance in vCenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring a noncompliant object back into compliance.

Run the Compliance Badge Mappings for vCenter Operations Manager
Procedure:
1. Click Console.
2. Select Compliance.
3. Select vCenter Operations Manager Badge Mappings.
4. Select Mappings.
5. Select the Microsoft Windows 7 Hardening mapping.
6. Click Run.

Select Mapping Options
Procedure:
1. Select the Check Compliance Alerts for this Machine Group box.
2. Click OK.

Mapping Run Results
Procedure:
1. Validate that the mapping ran correctly.
2. Click Close.

Exit from vCenter Configuration Manager
Procedure:
1. Close the vCenter Configuration Manager interface by clicking the red 'x' button on the General Bar.
2. Click OK to confirm you want to close the session.

Check Initial Compliance Status in vCenter Operations Manager

The standards compliance score in VCM contributes a compliance score to the Risk badge score in vCenter Operations Manager. If the Risk score indicates distress for the object, you can view the compliance breakdown to determine which of the noncompliant templates are contributing to the score and decide what action to take to resolve the noncompliant results.

Open Internet Explorer
Procedure:
1. Double-click the Internet Explorer icon on the ControlCenter desktop.

Log In to vCenter Operations Manager
Procedure:
1. Click vCenter Operations Manager in the favorites bar.
2. Enter vcmadmin as the username.
3. Enter VMware1! as the password.
4. Click Login.

Expand the Virtual Infrastructure Hierarchy
Procedure:
1. Click on World.
2. Select vcsa-01a.
3. Select Datacenter Site A.
4. Select Cluster Site A.
5. Select esx-02a.corp.local.
6. Select base-w7-01a.

Check the OS-Level Compliance Status using the Compliance Breakdown
Note: It can take several minutes for the compliance badge to appear, due to possibly high workload in the lab environment.
Overview: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance). In this example, notice that the Windows 7 virtual machine (base-w7-01a) is reported noncompliant. Five conditions were evaluated and all of them failed. vCenter Operations calculated a score of 0 and set the color to red to indicate that this object needs remediation to become compliant.
Procedure:
1. Select the virtual machine base-w7-01a.
2. Select Planning.
3. Select Views.
4. Select Compliance.
5. Observe the compliance information for virtual machine base-w7-01a.

Return to vCenter Configuration Manager to Resolve Compliance Issues
Procedure:
1. Click on View Details in VCM to return to vCenter Configuration Manager (VCM).
Note: You may have to re-authenticate if you logged out of VCM. Log into VCM with the following credentials:
Username: vcmadmin
Password: VMware1!

Resolve Noncompliant Virtual Machine Template Results

The results for the compliance templates indicate whether the virtual or physical machines are compliant or noncompliant. If a machine is noncompliant, you can enforce noncompliant results manually or using VCM, or you can add an exception for expected noncompliant results. On the virtual machine scan, we found 5 items out of compliance for our base-w7-01a virtual machine.
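The Python script below is an added example and is not part of the lab manual or of VCM itself. It models the evaluation described under "Run and Enforce Compliance" (a rule fails when the collected property does not meet the criterion and no exception is defined; a failing rule is either enforceable by the tool or needs manual work) together with the three choices described just above: enforce through the tool, fix manually, or record an exception. The rule names, property names and the collected machine values are constructed for illustration and are not the contents of the real Microsoft MSS Windows 7 Hardening template; the score is the share of evaluated rules that pass, the kind of 0 to 100 value the compliance badge shows (0 when all five conditions fail).

```python
"""Compliance-template evaluation in the shape the lab describes: each rule
compares a collected machine property with a criterion; a failing rule with
no exception makes the machine noncompliant, and a failing rule is either
enforceable by the tool (it knows the value to set) or needs manual work.
Added example, not VCM code. Rule names, property names and the machine
data are constructed for illustration and are not the contents of the real
Microsoft MSS Windows 7 Hardening template."""
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    prop: str                      # key of the collected machine property
    check: Callable[[Any], bool]   # rule criterion applied to the collected value
    fix: Optional[Any] = None      # value an enforcement job would set; None = manual only

    @property
    def enforceable(self) -> bool:
        return self.fix is not None

    def passes(self, machine: dict) -> bool:
        """A property that was never collected counts as failing."""
        value = machine.get(self.prop)
        if value is None:
            return False
        try:
            return bool(self.check(value))
        except TypeError:          # wrong type collected, e.g. a string for an int
            return False


# Constructed template: five rules, four of them enforceable by the tool.
TEMPLATE = [
    Rule("Windows Firewall enabled", "firewall_enabled", lambda v: v is True, fix=True),
    Rule("Guest account disabled", "guest_enabled", lambda v: v is False, fix=False),
    Rule("Minimum password length >= 14", "min_password_length", lambda v: v >= 14, fix=14),
    Rule("Audit logon events", "audit_logon", lambda v: v == "Success,Failure", fix="Success,Failure"),
    Rule("Security update level current", "update_level", lambda v: v >= "2014-03"),  # manual only
]

# Constructed collection result for the Windows 7 guest: every rule fails,
# matching the lab's initial state (five conditions evaluated, all failed).
BASE_W7_01A = {
    "firewall_enabled": False,
    "guest_enabled": True,
    "min_password_length": 8,
    "audit_logon": "No auditing",
    "update_level": "2013-11",
}


def evaluate(template, machine, exceptions=frozenset()):
    """Map each rule name to a status that mirrors the data-grid icons:
    'compliant' (green check), 'noncompliant-enforceable' (red mark with
    yellow sign), 'noncompliant-manual' (red mark) or 'excepted'."""
    results = {}
    for rule in template:
        if rule.name in exceptions:
            results[rule.name] = "excepted"
        elif rule.passes(machine):
            results[rule.name] = "compliant"
        elif rule.enforceable:
            results[rule.name] = "noncompliant-enforceable"
        else:
            results[rule.name] = "noncompliant-manual"
    return results


def compliance_score(results):
    """Percentage of evaluated (non-excepted) rules that pass: the kind of
    0 to 100 value the compliance badge shows."""
    evaluated = [s for s in results.values() if s != "excepted"]
    if not evaluated:
        return 100
    return round(100 * sum(s == "compliant" for s in evaluated) / len(evaluated))


def enforce(template, machine):
    """Apply the fix value of every enforceable failing rule. Returns the
    updated machine data (the input dict is not modified) and the names of
    the rules that still need manual remediation."""
    updated = dict(machine)
    manual = []
    for rule in template:
        if rule.passes(updated):
            continue
        if rule.enforceable:
            updated[rule.prop] = rule.fix
        else:
            manual.append(rule.name)
    return updated, manual


if __name__ == "__main__":
    initial = evaluate(TEMPLATE, BASE_W7_01A)
    print("initial score:", compliance_score(initial))
    fixed, manual = enforce(TEMPLATE, BASE_W7_01A)
    print("after enforcement:", compliance_score(evaluate(TEMPLATE, fixed)), "manual:", manual)
```

Running the script scores the constructed guest at 0, raises it to 80 after the four enforceable fixes are applied, and leaves the update-level rule for manual remediation; recording an exception for that rule removes it from the evaluated set, which is why exceptions deserve the same review as the rules themselves.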

Remediate Failed Compliance Rules that are Enforceable by vCenter Configuration Manager
Procedure:
1. Click Compliance.
2. Select Machine Group Compliance.
3. Select Templates.
4. Select the Microsoft MSS Windows 7 Hardening template.
5. (Click View Data Grid if necessary.) Select the Enforce tab.

Enforcement Selection
Procedure:
1. Select All Items in the Current Compliance Run.
2. Click Next.

Review the Enforcement Summary
Notice that 5 items will be enforced by VCM. We will manually address the other noncompliant items later in this lab.
Procedure:
1. Review the number of Selected Items and the number of Enforceable Items.
2. Notice that 5 items will be enforced by vCenter Configuration Manager using 4 jobs.
3. Click Finish to kick off the compliance remediation job.

Watch the Compliance Job Run
Notice: It can take several minutes for this process to complete successfully.
Procedure:
1. Click on the Jobs tab in the menu bar.
2. You can refresh the job collection by clicking on the Refresh icon.
3. Or you can set the job to auto-refresh for you.
4. Once the job is complete, click Close.

View the Enforcement Results
Procedure:
1. Click on the Windows 7 template in the left pane.
2. Click on the Run Template tab to refresh the compliance results.

Select Template Options
Procedure:
1. Select the Do not enforce noncompliant results at this time radio button.
2. Check the Check compliance alerts for this machine group check box.
3. Click OK.

Compliance Run Results
Procedure:
1. When the template is finished running, you should see Your compliance run completed successfully in the progress bar.
2. Click on Close.

Review Results
Procedure:
1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.
2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are noncompliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.
3. To view the results in the data grid, click View data grid.

Run the Compliance Badge Mappings for vCenter Operations Manager
Procedure:
1. Click Compliance.
2. Select vCenter Operations Manager Badge Mappings.
3. Select Mappings.
4. Select the Microsoft Windows 7 Hardening mapping.
5. Click Run.

Select Mapping Options
Procedure:
1. Select the Check Compliance Alerts for this Machine Group box.
2. Click OK.

Mapping Run Results
Procedure:
1. Validate that the mapping ran correctly.
2. Click Close.

Validate Final Compliance Status in vCenter Operations Manager

Finally, we will go back into vCenter Operations Manager to make sure that the compliance badge now matches the compliance status found in VCM.

Open Internet Explorer
Procedure:
1. Double-click the Internet Explorer icon on the ControlCenter desktop.

Log In to vCenter Operations Manager
Procedure:
1. Click vCenter Operations Manager in the favorites bar.
2. Enter vcmadmin as the username.
3. Enter VMware1! as the password.
4. Click Login.

Expand the Virtual Infrastructure Hierarchy
Procedure:
1. Click on World.
2. Select vcsa-01a.
3. Select Datacenter Site A.
4. Select Cluster Site A.
5. Select esx-02a.corp.local.
6. Select base-w7-01a.

Compliance View
Note: It can take several minutes for the compliance badge to appear, due to possibly high workload in the lab environment.
Review: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance). After performing remediation, notice that our Windows 7 virtual machine (base-w7-01a) is now green and reporting 100% compliance.
Procedure:
1. Select the virtual machine base-w7-01a.
2. Select Planning.
3. Select Views.
4. Select Compliance.
5. Observe the compliance information for virtual machine base-w7-01a.

View Change Events Inside vCenter Operations Manager
You can also track events coming from vCenter Configuration Manager.
Procedure:
1. Click Events.
2. Click the Compliance shadow badge.
3. Click the bullseye icon (to show self events).
4. Click the small Compliance badge.
5. Narrow the scope to the last hour by clicking on the Calendar icon.
6. Change to Last Hour.
7. Click the small blue arrow to apply the modifications.

Review the Filtered Events
Review the status of the virtual machine's compliance over time.

Module 2 - Policy-Based Network Security

Introduction

In this module we will review how the NSX Distributed Firewall and Data Security can provide network security and compliance within the SDDC. You are currently logged on to the ControlCenter, which can communicate with all of the application VMs in the lab (the db-w8-01a, app-l-01a and test-l-01a virtual machines). The lab virtual machines can communicate with each other because they reside on a single Layer 2 segment, which is a violation of security policy at ABC Corporation. We will first verify connectivity between these virtual machines and then apply NSX Distributed Firewall policies to block specific communication. We will then apply Data Security policies to scan the datacenter for sensitive and unprotected data as a PCI compliance check.

Verify Open Communication between Virtual Machines

In this section we will verify connectivity between the ControlCenter and the other application VMs.

Test Remote Desktop Connection to the Production Database Server (db-w8-01a)
The first task is to test connectivity from the ControlCenter to our production database machine. Double-click the db-w8-01a.rdp link on the ControlCenter desktop.

Launch a Remote Session to the Database Server (db-w8-01a)
Login credentials:
User: CORP\Administrator
Password: VMware1!

Verify Open Connectivity to the Database Server (db-w8-01a)
Confirm that you are properly connected to the db-w8-01a virtual machine by checking the background information.

Disconnect the Remote Desktop Connection to the db-w8-01a Server
Disconnect the Remote Desktop Connection by clicking the upper right X icon.

Test Connectivity to the Production Web Server (app-l-01a)
1. Launch PuTTY from the ControlCenter task bar and select the app-l-01a.corp.local saved session.
2. Click Load.
3. Click Open.

Login to the app-l-01a Server
Login credentials:
User: root
Password: VMware1!

Test connectivity from the app-l-01a server to the db-w8-01a server
1. Run the command "ping db-w8-01a.corp.local -c 3 -q"
2. Verify that there is connectivity.

Test connectivity from the app-l-01a server to the test-l-01a server
1. Run the command "ping test-l-01a.corp.local -c 3 -q"
2. Verify that there is connectivity.

Close the PuTTY session.

Test Connectivity to the Test Server (test-l-01a)
1. Launch PuTTY from the ControlCenter task bar and select the test-l-01a.corp.local saved session.
2. Click Load.
3. Click Open.

Login to the test-l-01a Server
Login credentials:
User: root
Password: VMware1!

Test connectivity from the test-l-01a server to the db-w8-01a server
1. Run the command "ping db-w8-01a.corp.local -c 3 -q"
2. Verify that there is connectivity.

Close the PuTTY session.

Test Connectivity to the Lab Application
Launch the Firefox web browser located on the ControlCenter desktop. Click on the Lab Application bookmark. Verify that the sample web application is accessible via HTTP port 80. The web server is hosted on app-l-01a, while the database server is on the db-w8-01a virtual machine.

Network Connectivity Test Results
We were able to verify that:
The ControlCenter can open a Remote Desktop connection to the db-w8-01a virtual machine.
The ControlCenter can open SSH connections to the app-l-01a and test-l-01a virtual machines.
Application virtual machines db-w8-01a and app-l-01a have IP connectivity to each other.
The test-l-01a virtual machine has IP connectivity to the application virtual machines (db-w8-01a and app-l-01a).
The sample Lab Application is reachable from the ControlCenter.

Apply Network Security Policies via NSX Distributed Firewall. Now that you have tested the reachability of the systems and witnessed the complete lack of security in the environment, we will implement security policies in VMware NSX to block connectivity that is not required. To save time, in this lab we have already created the security policies, we will review these policies and make changes where needed. In this lab we will use the VMware NSX Distributed Firewall, which is a hypervisor kernelembedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vcenter objects like datacenters and clusters, virtual machine names and tags, network constructs like IP/ VLAN/VXLAN addresses, as well as user group identity from Active Directory. Firewall rules are enforced at the vnic level of each virtual machine to provide consistent access control even when the virtual machine gets vmotioned. The hypervisor-embedded nature of the firewall delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scaleout architecture that automatically extends firewall capacity when additional hosts are added to a datacenter. Access NSX Manager. In this section we will access the NSX Manager UI and view the pre-created security policies. Page 71

Login to vcenter Web Client Launch the Firefox browser application from the ControlCenter desktop. The browser is configured to launch the vcenter Web Client, if it does not launch then please select it from the bookmark. Login credentials: User: CORP\Administrator Password: VMware1! (Note: Selecting "Use Windows Session Authentication" will also log you in) Page 72

Access the Networking and Security Section Click on Networking and Security Page 73

Access the Distributed Firewall Rules 1. Click on the Firewall section on the left pane. 2. Expand the firewall policy by clicking on the Lab Application Policy 3. and Default Section Layer3 Page 74

Analyse Distributed Firewall Policy - L3 and L4 In this section we will analyse all the firewall policies that have been created. As you can see all the policies have been set to "Allow", we will change the appropriate policy to "Deny". Firewall Rule - Allow HTTP Access to WebServers In this policy we have configured the distributed firewall to permit HTTP connections from any source to servers in the WebServer-SecurityGroup. The security group called WebServer-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server app-l-01a.corp.local. Click on the "x" to close the Security Group pop-up window. Page 75

Firewall Rule - Allow Web to Database Access

In this policy we have configured the distributed firewall to permit communication between the WebServer-SecurityGroup and the Database-SecurityGroup. The security group Database-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server db-w8-01a.corp.local. Click on the "x" to close the Security Group pop-up window.

Firewall Rule - Allow ControlCenter SSH Access

In this policy we have configured the distributed firewall to permit SSH communication to the app-l-01a.corp.local, db-w8-01a.corp.local and test-l-01a.corp.local servers from the ControlCenter. Click on the ControlCenter link to view the configured IP 192.168.110.10. Click on the "x" to close the pop-up window.

Firewall Rule - DNS and AD domain access

In this policy we have configured the application servers and the test-l-01a server to communicate with the ControlCenter for DNS and Active Directory services.

Page 76

The Microsoft Active Directory service is pre-defined in NSX, so it's easy to select and deploy. Click on the "x" to close the pop-up window.

Page 77

Firewall Rule - Allow VCM to Test Servers

In this policy we have configured the vCenter Configuration Manager (192.168.110.77) to communicate with the test-l-01a server and the Windows 7 VM base-w7-01a (we will use this virtual machine later in the lab to show how Configuration Manager can be used to patch the operating systems for compliance). Click on the "x" to close the pop-up window.

Firewall Rule - Allow Test Servers to VCM

In this policy we have configured the Test Servers (test-l-01a and base-w7-01a) to initiate communication to the VCM server. Click on the TestServer-SecurityGroup (which has been pre-created) to view its membership. Click on the "x" to close the Security Group pop-up window.

Page 78

Firewall Rule - Default Rule

We have configured the NSX distributed firewall to Allow all traffic as a default policy; however, we will now change this policy to Block all traffic.

Click on the small "+" sign next to Allow. Change the Action to Block. Click OK.

Since the security policy has been changed, we will need to Publish these changes. Click on Publish Changes.

Page 79

Analyse Distributed Firewall Policy - L2

Click on Firewall, then on Ethernet. Expand the rules in the Default Layer 2 Rule Section.

Ethernet Rule - Block access from Application servers to Test Servers

1. This is the first firewall rule in the list. You will notice that at the moment it has been configured to allow connectivity between the Application servers and Test Servers, which is not the desired state.
2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
3. Click OK and proceed to the next rule.

Page 80

Ethernet Rule - Block access from Test Servers to Application Servers

1. You will notice that at the moment it has been configured to allow connectivity between the Test servers and Application Servers, which is not the desired state.
2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
3. Click OK and proceed to the next rule.

Note: The first 2 rules have been explicitly set up to block communication between the App and Test servers because the default L2 policy will be to allow communication between all other end points.

Page 81

Ethernet Rule - Block communication between database servers in the same tier

In this lab only one database server is used; in production environments, however, there could be many provisioned, and a rule like the one above can be used to block communication between the servers in the same tier.

1. Currently this rule is set to Allow communication, which is not desired.
2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
3. Click OK and proceed to the next step.

Page 82

Ethernet Rule - Block communication between Web servers in the same tier

In this lab only one web server is used; in production environments, however, there could be many provisioned, and a rule like the one above can be used to block communication between the servers in the same tier.

1. Currently this rule is set to Allow communication, which is not desired.
2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
3. Click OK.

Notice that all the rule changes have to be Published. Click on Publish Changes as shown.

Page 83

Ethernet Default Rule

Note that the default Ethernet Rule is set to Allow all other communication in the virtualized environment. This is the desired state.

Page 84

Test Applied Network and Security Policies

In the previous section we analysed the NSX distributed firewall security policies and made changes so as to only permit certain traffic and block the rest. In this section we will verify how the micro-segmentation security capabilities of the NSX distributed firewall can be used to effectively isolate virtual machine traffic even on a shared Layer 2 segment.

Verify Connectivity from ControlCenter

We will first verify access to the db-w8-01a, app-l-01a and test-l-01a virtual machines from the ControlCenter.

Launch Remote Desktop Connection to Database Server

Locate and launch the remote desktop connection link to db-w8-01a from the ControlCenter desktop. Since the firewall policy only allowed SSH access to the database server, the RDP connection was denied.

Launch SSH connection to Test server

Locate and launch the PuTTY application from the ControlCenter taskbar.
1. Select test-l-01a.corp.local
2. Click Load
3. Click Open.

Page 85

Access is granted since the security policy allows SSH access from the ControlCenter.

Login Credentials:
User: root
Password: VMware1!

Page 86

Test connectivity between Test Server and Application Servers

In the previous section we configured the firewall policy to block communication between the test-l-01a server and the application servers (db-w8-01a and app-l-01a).

1. ping db-w8-01a.corp.local -c 3 -q. You will notice 100% packet loss.
2. ping app-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.

In both cases you will notice that DNS resolution is possible via the ControlCenter; however, all ICMP traffic to the database and application servers is blocked. Close the PuTTY session.

Test connectivity between Application Servers and Test Server

In the previous section we configured the firewall policy to allow communication from the web server app-l-01a to the database server db-w8-01a while blocking communication to the test server test-l-01a.

Locate and launch the PuTTY application from the ControlCenter taskbar. Launch an SSH session to the app-l-01a.corp.local server.
Login Credentials: User: root / Password: VMware1!

1. ping db-w8-01a.corp.local -c 3 -q. It will report 100% packet loss because in the previous section we only allowed MySQL traffic on port 3306 from the web servers to the database server.
2. ping test-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.

Page 87

In both cases you will notice that DNS resolution is possible via the ControlCenter.

Page 88
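To make the rule ordering and the default-deny change concrete, here is an added example (not part of the lab manual and not NSX code) that encodes the L3 rules reviewed under "Analyse Distributed Firewall Policy - L3 and L4" as data and predicts the connectivity results of this section with first-match evaluation. Security-group membership and rule order follow the manual; the hostnames used for ControlCenter and VCM, the port numbers, and the contents of the Active Directory service are assumptions.

```python
# Added example (not NSX code, not from the HOL manual): first-match model of
# the lab's L3 DFW policy. Groups and rule order follow the manual; the
# ControlCenter/VCM hostnames and all port numbers are assumptions.
ANY = None  # wildcard for source, destination or service
GROUPS = {  # security-group membership as the manual describes it
    "WebServer-SecurityGroup": {"app-l-01a"},
    "Database-SecurityGroup": {"db-w8-01a"},
    "TestServer-SecurityGroup": {"test-l-01a", "base-w7-01a"},
    "ControlCenter": {"controlcenter"},  # 192.168.110.10 in the lab
    "VCM": {"vcm"}}                       # 192.168.110.77 in the lab
# "dns-ad" is a constructed subset of NSX's predefined Active Directory service.
SERVICES = {"http": {"tcp/80"}, "mysql": {"tcp/3306"}, "ssh": {"tcp/22"},
            "dns-ad": {"udp/53", "tcp/53", "tcp/88", "tcp/389", "tcp/445"}}

def hosts(*names):
    """Expand security-group names and bare hostnames into one set."""
    return set().union(*(GROUPS.get(n, {n}) for n in names))

# (name, sources, destinations, services, action) in the manual's order; the
# two VCM rules name no service in the manual, so their service is left open.
L3_RULES = [
    ("Allow HTTP Access to WebServers", ANY, hosts("WebServer-SecurityGroup"),
     SERVICES["http"], "Allow"),
    ("Allow Web to Database Access", hosts("WebServer-SecurityGroup"),
     hosts("Database-SecurityGroup"), SERVICES["mysql"], "Allow"),
    ("Allow ControlCenter SSH Access", hosts("ControlCenter"),
     hosts("app-l-01a", "db-w8-01a", "test-l-01a"), SERVICES["ssh"], "Allow"),
    ("DNS and AD domain access", hosts("app-l-01a", "db-w8-01a", "test-l-01a"),
     hosts("ControlCenter"), SERVICES["dns-ad"], "Allow"),
    ("Allow VCM to Test Servers", hosts("VCM"),
     hosts("TestServer-SecurityGroup"), ANY, "Allow"),
    ("Allow Test Servers to VCM", hosts("TestServer-SecurityGroup"),
     hosts("VCM"), ANY, "Allow"),
]

def evaluate(src, dst, service, default="Block"):
    """First match wins; else the Default Rule (Allow before the lab, Block after)."""
    for name, sources, dests, services, action in L3_RULES:
        if ((sources is ANY or src in sources) and (dests is ANY or dst in dests)
                and (services is ANY or service in services)):
            return action, name
    return default, "Default Rule"

def lab_verification(default="Block"):
    """The connectivity checks the manual walks through, as flow -> action."""
    checks = [("controlcenter", "db-w8-01a", "tcp/3389"),  # RDP attempt
              ("controlcenter", "test-l-01a", "tcp/22"),   # PuTTY session
              ("test-l-01a", "db-w8-01a", "icmp"), ("test-l-01a", "app-l-01a", "icmp"),
              ("test-l-01a", "controlcenter", "udp/53"),   # DNS still resolves
              ("app-l-01a", "db-w8-01a", "icmp"), ("app-l-01a", "db-w8-01a", "tcp/3306"),
              ("app-l-01a", "test-l-01a", "icmp")]
    return {flow: evaluate(*flow, default=default)[0] for flow in checks}
```

Calling lab_verification(default="Allow") reproduces the state before the Default Rule was changed, where every unmatched flow (including the pings above) is permitted.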

Apply a Data Security Policy to Scan for Unprotected and Sensitive Data

NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by NSX Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

To begin using NSX Data Security, you create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. NSX supports PCI, PHI, and PII related regulations only.

Data Security Policy for Database Servers

In this lab, on the database server db-w8-01a.corp.local we have stored some sensitive and unprotected credit card information, which makes it non-PCI-compliant. We will first review the configuration for Data Security in NSX that has been preconfigured to scan for credit card number violations. In the next step we will run the Data Security scan to review these violations.

Page 89

Access NSX Configuration

Launch the Firefox web browser and click on the vCenter Web Client bookmark.

Login Credentials:
1. User: CORP\Administrator
2. Password: VMware1!
3. Click OK
4. Click Networking and Security to access NSX configuration.

Access Service Composer Security Policy

1. Click Service Composer.
2. Click Security Policies.
3. Select the Database-SecurityGroup Security Policy.
4. Click the number displayed in the Applied To column. Notice that this security policy has been applied to the database server db-w8-01a.corp.local in the Database-SecurityGroup. Click on the x to close this pop-up window.

Page 90

5. Click on the number displayed in the Endpoint Service column. Notice that the VMware Data Security Service has been applied for the PCI Compliance check; also notice that this policy has not been set to automatically enforce, since we will be running the scan manually in the next step. Click on the x to close this pop-up window.

Page 91

Run Data Security Scan

1. Click on the Data Security section,
2. and then Manage. Click Edit.

Page 92

Select Data Security Regulation and Standards

1. Click Select Regulations.
2. Click All. This will list all the available content blades for NSX regulations.
3. In the search bar type "Credit" and hit Enter.
4. Select the Credit Card Numbers content blade.
5. Click Next.
6. Click Finish.

Once you select the regulations that you want your company data to comply with, NSX can identify files that contain information which violates these particular regulations.

Page 93


Start Data Security Scan

Before we start the security scan we will need to Publish the changes.

1. Click Publish Changes. Notice that the scan for the Credit Card Number regulation has been enabled and the system has been set to monitor various file types.
2. Click Start.
3. Click Monitor.

Page 95

Monitor Data Security Scan

1. On the Monitor tab,
2. click Dashboard. The security scan will take approximately 3 minutes to complete.
3. Click the Refresh button on the right to view progress. Once completed, notice that the db-w8-01a server has been reported to have the violation.
4. Click on Reports to view the violation details.

Page 96

View Reports from the Data Security Scan

Select Reports. Select Violating Files in the View Report menu. Notice that there are 2 files identified on the db-w8-01a database server that are noncompliant with the Credit Card Number PCI regulation. The data security administrator can now take corrective actions to protect sensitive data so that the application is compliant with related regulations.

Page 97
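The kind of check a "Credit Card Numbers" content blade performs, as an added example that is not NSX's own detection logic and not part of the lab: a regex picks candidate digit runs, a Luhn checksum discards look-alikes such as invoice numbers, and the scan reports only violating files, much like the Violating Files report above. The sample files are constructed and the card numbers in them are public test numbers.

```python
# Added example (not NSX code): a simplified stand-in for a credit card
# content blade, run over constructed files to produce a violating-files report.
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: rejects numeric strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_numbers(text):
    """Return the Luhn-valid 13..19 digit sequences found in text (separators removed)."""
    found = []
    for m in CANDIDATE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def scan(files):
    """files: {name: content}. Return {name: match count} for violating files only."""
    counts = {name: len(card_numbers(body)) for name, body in files.items()}
    return {name: n for name, n in counts.items() if n}

# Constructed sample data: two files hold public test card numbers, one does not.
SAMPLE_FILES = {
    "customers.csv": "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,5500-0000-0000-0004\n",
    "orders.txt": "order 1234567890123456 paid with 4111111111111111\n",
    "readme.txt": "No payment data here, invoice 1234567890123456 only.\n",
}
```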

Module Summary

In this module we showcased how to leverage NSX Distributed Firewall (DFW) services to apply policies that provide network micro-segmentation between workloads, as well as to prevent unauthorized access to controlled machines. We also saw how NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments.

Page 98

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU:
Version: 20150227-060149

Page 99