SAI2803BU: The Road to Micro-Segmentation with VMware NSX (#VMworld #SAI2803BU)
Disclaimer: This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Presented by Stijn Vanveerdeghem and Geoff Wilmington (@vwilmo)
Agenda
1. Security in the Datacenter with NSX
2. Deploying NSX Micro-Segmentation
3. Micro-Segmentation Policy Creation
4. Automation
Security in the DC with NSX: Requirements for a Software-Defined Datacenter
- Visibility
- Lifecycle Management and Automation
- Common Policy Control
- Extensibility
Security in the DC with NSX: NSX Security Platform
- Visibility: datacenter, application and host
- Lifecycle Management and Automation
- Common Policy Control: context-driven micro-segmentation
- Extensibility: best-of-breed partner integration
Security in the DC with NSX: What is Zero Trust?
Agenda, part 2: Deploying NSX Micro-Segmentation
Deploying NSX Micro-Segmentation. Deployment Options: Distributed Segmentation
- Controlled communication or isolation between workloads on the same or different VLAN
- Distributed Firewall applied to each vNIC
- East-West filtering by the NSX Distributed Firewall
- Existing physical firewall only handles North-South communication
- Traffic discovery to determine required flows/rules
- Advanced partner services can be inserted at each vNIC
(Diagram: stateful DFW policy enforced at each vNIC for controlled communication; physical router carries North-South traffic)
Deploying NSX Micro-Segmentation. Deployment Options: Distributed Segmentation and Network Overlays
- Logical Switches based on overlays to isolate/segment independent of the underlying physical network
- Distributed Logical Routers to optimize East-West routing
- Edge Services Gateway can also be leveraged for N-S routing, N-S firewalling, load balancing, NAT, VPN
- Distributed Firewall providing controlled communication or isolation between workloads on the same or different Logical Switch (overlay)
- Advanced partner services can be inserted at each vNIC
(Diagram: stateful DFW policy enforced at each vNIC for controlled communication; Distributed Logical Router between Logical Switches)
Deploying NSX Micro-Segmentation. Deployment Steps: Deploying NSX Manager, VDS and Host Prep
- Pre-existing Management and Compute clusters can be leveraged
- NSX Manager is deployed in the Management cluster and peered with the existing vCenter Server
- A VDS is required for all compute clusters
- Host preparation installs the NSX VIB on all hosts in a cluster; this is a non-disruptive operation
- The Distributed Firewall is enabled on every VM with a default allow-all policy
(Diagram: Management cluster and VDS; compute clusters on VLAN 10, VLAN 20 and VLAN 30 with L2/L3 boundaries)
Deploying NSX Micro-Segmentation. Deployment Steps: Determine and Configure Appropriate Policies
- Policy and Grouping Methodology
- Application Discovery
- Policy Model
- Service Composer / Firewall Rule Table
Deploying NSX Micro-Segmentation. Deployment Steps: Reduce the Scope of the Perimeter Firewall (Brownfield)
- Move the default gateway function from the perimeter firewall to the aggregation layer, or deploy NSX Distributed Routing
- Remove E-W rules from the perimeter firewall
- The perimeter firewall now only handles N-S flows
- Can be done gradually
(Diagram: only N-S flows traverse the perimeter firewall; VLAN 10, VLAN 20 and VLAN 30 behind it)
Agenda, part 3: Micro-Segmentation Policy Creation
Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Choose the policy and grouping methodology BEFORE beginning the process.
- It will provide a clear direction on how to tackle challenges along the way.
- Methodologies: Application, Infrastructure, Network
Micro-Segmentation Policy Creation: Whitelisting and Blacklisting
Whitelisting
- Definition: a list of approved items; anything not on this list is disallowed. More secure.
- Advantages: high degree of accuracy; minimizes false positives; easy to customize; can be established easily in different areas of the enterprise
- Disadvantages: more time to manage; requires additional time to install
Blacklisting
- Definition: a list of unapproved items; anything not on this list is allowed.
- Advantages: easy to manage; easy to install; updates quickly
- Disadvantages: exponential growth; high rate of false positives, even possibly blocking necessary access; requires continual updates; hard to transition to whitelisting
Micro-Segmentation Policy Creation: Firewall Rule Table and Service Composer
Firewall Rule Table
- Analogous to a typical firewall rule table
- Provides an overview of all rules in the system
- DFW rules and Network Introspection
- Sections enable rule grouping
- UI and API driven
Service Composer
- One or more Security Policies can be applied to Security Groups
- Policies define DFW rules and the Service Chain
- Abstraction enables efficient service deployment
- Independent policies are combined specific to each workload
- UI and API driven
Micro-Segmentation Policy Creation: Policy and Grouping Methodology
- Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
- End users and cloud admins are able to define application-centric security policies
- Security Policies are applied to one or more Security Groups where workloads are members
- Security Tags are applied to Virtual Machines and can be used for dynamic Security Group membership
(Diagram: Security Tag (ST) -> Virtual Machine (VM) -> Security Group (SG) -> Security Policy. A Security Group holds members (VM, vNIC) and context (user identity, security posture); a Security Policy holds Guest Introspection, Distributed Firewall and Network Introspection policies)
Micro-Segmentation Policy Creation: Dynamic Policy using Security Tags
Example requirements:
- Apply differentiated policy based on OS, Environment, ...
- Automate policy application for new applications being provisioned
Upon vRA Blueprint deployment:
- All VMs that are part of an application are placed into a new Security Group
- Every VM is tagged with multiple tags identifying Function, Zone, OS, Environment and Tenant
(Diagram: App1 Security Group containing App1-Apache, App1-WLS and App1-ORADB, tagged DMZ_PROD_RHEL_Apache, TRUSTED_PROD_RHEL_WLS and RESTRICTED_PROD_RHEL_ORADB respectively)
Micro-Segmentation Policy Creation: Zero Trust Policy Model
Rule sections, evaluated in this order:
- Emergency Rules: used for quarantine and/or allow rules
- Infrastructure Rules: global rules for AD, DNS, NTP, DHCP, backup and management servers
- Environment Rules: rules between zones (Prod vs Dev, PCI vs non-PCI, inter-BU rules)
- Inter-Application Rules: rules between applications
- Intra-Application Rules: rules between the application tiers or between micro-services (discovered with vRNI / ARM / EM)
- Default Rule = Deny (whitelisting / Zero Trust)
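To make the tag-driven grouping and the section ordering concrete, here is an added Python model (written for this page, not NSX code or the deck's own material) in which Security Group membership is resolved from VM tags at evaluation time and a rule table in the deck's section order falls through to a default deny. All VM names, tags, groups, services and rules are constructed for illustration.

```python
# Added example (not from the deck, not NSX code): a small model of dynamic
# Security Group membership driven by Security Tags, plus a rule table
# evaluated in the deck's Zero Trust section order with a default deny.
# All VM names, tags, groups and rules are constructed for illustration.

# Constructed inventory: each VM carries Function/Zone/Env/Tenant tags.
VMS = {
    "app1-apache": {"Function": "Apache", "Zone": "DMZ", "Env": "PROD", "Tenant": "App1"},
    "app1-wls":    {"Function": "WLS", "Zone": "TRUSTED", "Env": "PROD", "Tenant": "App1"},
    "app1-oradb":  {"Function": "ORADB", "Zone": "RESTRICTED", "Env": "PROD", "Tenant": "App1"},
    "dev-web":     {"Function": "Apache", "Zone": "DMZ", "Env": "DEV", "Tenant": "App2"},
    "dns-01":      {"Function": "DNS", "Zone": "INFRA", "Env": "PROD", "Tenant": "Shared"},
}

# Dynamic membership criteria: a VM joins a group when every listed tag matches,
# so re-tagging a VM (e.g. for quarantine) changes policy without editing rules.
GROUPS = {
    "SG-App1-Web":   {"Tenant": "App1", "Function": "Apache"},
    "SG-App1-App":   {"Tenant": "App1", "Function": "WLS"},
    "SG-App1-DB":    {"Tenant": "App1", "Function": "ORADB"},
    "SG-Prod":       {"Env": "PROD"},
    "SG-Dev":        {"Env": "DEV"},
    "SG-Infra":      {"Zone": "INFRA"},
    "SG-Quarantine": {"Quarantine": "yes"},
}

def members(group):
    """Resolve a Security Group to its current VM members from tags."""
    crit = GROUPS[group]
    return {vm for vm, tags in VMS.items()
            if all(tags.get(k) == v for k, v in crit.items())}

def matches(vm, group):
    return group == "any" or vm in members(group)

# Rule table in the deck's section order: (section, source, destination, service, action).
RULES = [
    ("Emergency",      "SG-Quarantine", "any",         "any",      "deny"),
    ("Infrastructure", "any",           "SG-Infra",    "udp/53",   "allow"),
    ("Environment",    "SG-Dev",        "SG-Prod",     "any",      "deny"),
    ("Inter-App",      "any",           "SG-App1-Web", "tcp/443",  "allow"),
    ("Intra-App",      "SG-App1-Web",   "SG-App1-App", "tcp/7001", "allow"),
    ("Intra-App",      "SG-App1-App",   "SG-App1-DB",  "tcp/1521", "allow"),
]

def evaluate(src_vm, dst_vm, service):
    """First matching rule wins, top-down; no match falls through to default deny."""
    for section, src, dst, svc, action in RULES:
        if matches(src_vm, src) and matches(dst_vm, dst) and svc in ("any", service):
            return section, action
    return "Default", "deny"
```

Note that a Dev-to-Prod HTTPS request is denied by the Environment section before the Inter-App allow is ever reached, and that adding a Quarantine tag to a VM moves it under the Emergency section with no rule change.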
Micro-Segmentation Policy Creation: Application Discovery - Methods and Tools
- Leveraging the existing firewall policy
- vRealize Network Insight
- NSX Application Rule Manager and Endpoint Monitoring
- vRealize Log Insight firewall log
Micro-Segmentation Policy Creation: Leveraging the existing FW policy
- Mostly relevant for Infrastructure and Environment rules
- Analyze existing zones and rules and isolate North-South rules from East-West rules.
- Determine flow patterns that are hair-pinned (East-West traffic). This also helps you understand how to replace hair-pinned traffic with logical switches and routing using overlays via NSX.
- Correlate NSX flow patterns/logs with rules collected from the perimeter firewalls.
(Diagram: HR Apps (HR-Web VLAN 10, HR-App VLAN 11, HR-DB VLAN 12) and Engineering Apps (ENG-Web VLAN 20, ENG-App VLAN 21, ENG-DB VLAN 22) hair-pinning through the perimeter firewall, plus Shared Services)
Micro-Segmentation Policy Creation: Leveraging the existing FW policy - Rule Migration
Micro-Segmentation Policy Creation: vRealize Log Insight - Distributed Firewall Logs
1. Create Security Groups for your application
2. Create catch-all rules to log traffic
3. Monitor logs to determine required rules
4. Create or update Shared Services rules
5. Create E-W Intra-Application rules
6. Continue for other applications
(Diagram, per application: Web, App and DB tier Security Groups. Logging rules: an Any/Any "Allow and Log" rule, or an Any/Any "Block and Log" rule, depending on whether the DFW system default is Allow or Block. Resulting application policy: Allow Any to Web, Allow Web to App, Allow App to DB, then a Default Block and Log rule)
Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools
- Profile applications both on the wire and on the guest
- Can be used on a per-application basis
- End-to-end visibility and rule creation/enforcement
- Empowers the app team: visibility and rule creation streamlines deployment
- Drives the whitelisting model: default deny and open up only the necessities
- Fast app operationalization
Micro-Segmentation Policy Creation: NSX Micro-Segmentation Visibility and Planning Tools - Application Rule Manager
- Leverages flow monitoring to monitor all flows for selected vNICs
- Flows are de-duplicated, correlated and filtered
- Optimized flow tables are presented to users
- IP addresses/ports are replaced with objects
- Users can further optimize the flow table
- Firewall rules are generated and can be published after review
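The Log Insight procedure (catch-all logging rules, then deriving rules from the logs) and the Application Rule Manager flow-table steps (de-duplicate, replace IPs with objects, generate rules for review) share the same core transformation. The following Python example, written for this page and not taken from either tool, performs it over constructed log lines shaped roughly like NSX DFW packet logs; the IP-to-Security-Group mapping and all addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of NSX DFW packet logs
# (action, rule id, direction, protocol, src/port->dst/port); not real captures.
LOG_LINES = """\
2017-08-20T10:15:32Z esx-01 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.10.10.11/51234->10.10.20.21/8443 S
2017-08-20T10:15:33Z esx-01 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.10.10.12/51240->10.10.20.21/8443 S
2017-08-20T10:15:34Z esx-02 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.10.20.21/44100->10.10.30.31/3306 S
2017-08-20T10:15:35Z esx-02 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 10.10.20.21/44101->10.10.30.31/3306 S
2017-08-20T10:15:36Z esx-01 dfwpktlogs: INET match DROP domain-c7/1004 IN 60 TCP 10.10.10.11/51300->10.10.30.31/3306 S
2017-08-20T10:15:37Z esx-01 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 UDP 10.10.10.11/55000->10.10.1.5/53
"""

# Constructed Security Group membership by IP; unknown IPs stay as raw addresses.
GROUPS = {"10.10.10.11": "SG-Web", "10.10.10.12": "SG-Web",
          "10.10.20.21": "SG-App", "10.10.30.31": "SG-DB", "10.10.1.5": "SG-DNS"}

LINE_RE = re.compile(r"match (?P<action>PASS|DROP) \S+ (?P<dir>IN|OUT) \d+ (?P<proto>TCP|UDP) "
                     r"(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_flows(text):
    """Extract (action, proto, src, dst, dport) tuples; the ephemeral source port is dropped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m["action"], m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows

def to_objects(flows):
    """Replace IPs with Security Group names and de-duplicate, keeping hit counts."""
    counts = Counter()
    for action, proto, src, dst, dport in flows:
        counts[(action, GROUPS.get(src, src), GROUPS.get(dst, dst), f"{proto.lower()}/{dport}")] += 1
    return counts

def candidate_rules(flows):
    """Whitelist candidates for review: one allow rule per distinct permitted (src, dst, service)."""
    rules = sorted({(s, d, svc) for (a, s, d, svc) in to_objects(flows) if a == "PASS"})
    return [{"source": s, "destination": d, "service": svc, "action": "allow"} for s, d, svc in rules]
```

Flows logged as DROP are kept in the de-duplicated table but never become allow candidates, so a reviewer can see what the block-and-log rule caught without it being whitelisted by accident.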
Micro-Segmentation Policy Creation: Demo - Application Rule Manager. Micro-segment SAP HANA using Application Rule Manager.
Micro-Segmentation Policy Creation: vRealize Network Insight
- Plan micro-segmentation deployment and ensure compliance
- Optimize network performance with 360° visibility and analytics across virtual, physical and cloud
- Ensure best practices, health and availability of the NSX deployment
Micro-Segmentation Policy Creation: vRealize Network Insight - Security Planning
- Network Insight can model the appropriate Security Groups and firewall rules for the entire environment.
- Comprehensive NetFlow (IPFIX) assessment and analysis to model Security Groups and firewall rules
- Recommendations to make micro-segmentation easier to deploy
- Continuously monitor and audit compliance posture over time
Micro-Segmentation Policy Creation: vRealize Network Insight - Application Modeling
- Analyze flows between applications or between tiers of an application
- Quickly add VMs to an application tier using vCenter tags or search wildcards
- Support for modeling application tiers by multiple criteria (IP, tags, IPsets, folders, ...)
- Support for physical IP addresses in micro-segmentation planning and application tiers
- Export of all rules for applications, tiers, or Security Groups with one click
Micro-Segmentation Policy Creation: Demo - vRealize Network Insight
- Micro-segment SAP HANA using vRNI
- vRNI to suggest recommended rules
- vRNI 3.5 new functionality: IPFIX for DFW
Agenda, part 4: Security Automation
Security Automation: The Need for Automating Security
- VM sprawl requires more granular security controls
- Manual configuration breaks the cloud model
- Auditing and control are harder in a dynamic environment
- Automating security configuration reduces risk and labor
(Diagram: Internet, Security Admin, Automated Policy)
Security Automation: Automating Security with vRA and NSX
- Provides application context to enable a policy-based approach to security
- Granular security requires a mix of options: existing or on-demand Security Groups; App Isolation to block traffic across deployments
(Diagram: two deployments, each with a Web Tier Security Group (web-sv-001/web-sv-002 and web-sv-003/web-sv-004), an App Tier Security Group (app-sv-001 and app-sv-002) and a DB Tier Security Group (db-sv-001 and db-sv-002). External access: permit only SSH, HTTP, HTTPS from Any to the Web tier; App tier: permit only Tomcat (TCP 8443) from Web; DB tier: permit only MySQL (TCP 3306) from App. Each deployment is wrapped in its own App Isolation Security Group (UUID-01, UUID-02))
Security Automation: Automating and Scaling Security with vRA - Example
(Diagram: Clinicians' VDI desktops in NSX Security Group - VDI; Hyperspace Web Servers (HSW) in NSX Security Group - HSW)
Key Takeaways: The Road to Micro-Segmentation with VMware NSX
- NSX Micro-Segmentation enables a Zero-Trust architecture
- Choosing an appropriate policy and grouping methodology is critical
- Application discovery is key to determining the appropriate rules in a Zero-Trust model
- NSX Application Rule Manager and vRealize Network Insight enable a quick road to micro-segmenting your applications
- vRealize Automation delivers NSX micro-segmentation in a fully automated environment.