Security Practitioners guide to Micro Segmentation with VMware NSX and Log Insight

The term micro-segmentation has been used by all vendors to death. So what does it mean for you? This session walks step by step through building a security architecture from nothing. Where do you start? How do you learn how an application speaks? What approach can you take that is not disruptive? Which objects should you use: Security Groups, IPSets, clusters, VMs? After deciding what is best for each situation, see how to apply micro-segmentation with VMware NSX and feed the result into VMware Log Insight. Walk away with a repeatable approach for breaking down, learning, and segmenting any application on your virtualised infrastructure. Designing an application's micro-segmentation policy just got a whole lot easier.


  1. Security Inception: A Security Practitioner's Guide to Micro Segmentation with Log Insight
  2. Agenda
▸ Introduction
▸ Where do I start?
▸ Finding the flows
▸ Building the rules
▸ Visualising the data
▸ Automating the stack
  3. Agenda: Introduction
  4. Security Inception: Security Practitioner's Guide to Micro Segmentation with Log Insight
Goals
▸ Where do I start?
▸ Finding the traffic
▸ Building the rules
▸ Visualising the data
▸ Automating
▸ Example security architecture
Products
▸ vSphere
▸ NSX for vSphere
▸ vRealize Log Insight
▸ PowerCLI / PowerNSX
  5. Agenda: Where do I start?
  6. Distributed firewall logs: logs somewhere
▸ Firewall rules or access lists were the only point of visibility
▸ Only inter-tier communication was protected and seen
▸ Traffic between workloads on the same network segment was very tricky to detect and enforce
▸ Private VLANs were used to control east-west communication
(Diagram: APP1 and WEB1 on the network behind the DC firewall; logs come only from the DC firewall.)
  7. Distributed firewall logs: logs everywhere
▸ Logs can be found at the DC firewall, the NSX Edge and the Distributed Firewall (DFW)
▸ Logs allow an application to be traced end to end (even if NAT is used!)
▸ The DFW logs both ingress and egress at the source and the destination workload
▸ Logs on every device are cumbersome to collect and analyse
(Diagram: APP1 and WEB1 each with its own DFW instance emitting logs, in addition to the DC firewall logs.)
  8. Bookstore application topology
Function   IP address
WEBLB      192.168.100.193
WEB01      10.0.1.11
WEB02      10.0.1.12
APPLB      172.16.1.6
APP01      10.0.2.11
APP02      10.0.2.12
DB01       10.0.3.11
(Diagram: Web LS, App LS, DB LS and Transit LS attached to EDGE-01, which connects to the external network; WEB1, WEB2, APP1, APP2 and DB1 each have a DFW instance; NSX sits behind the DC firewall alongside Application A, Application B and Application C.)
  9. Bookstore application micro segmentation
Current state
▸ Current security requirements are not enforced
▸ Unsure of inter-tier communication
▸ What ports are required to be opened?
▸ Not sure where to start
Desired outcome
▸ Secure application topologies
▸ Granular logging
▸ Visualisation / dashboard of application security logs
▸ Repeatable process for other applications
  10. Agenda: Finding the flows
  11. IOChains: what can I see?
Distributed Firewall
▸ vNIC-level firewall on every VM
▸ Rules created via the vCenter UI are pushed to NSX Manager to be stored; the API is directly against NSX Manager
▸ Rules are pushed down to the relevant hosts (Applied To) or to all hosts (Distributed Firewall)
▸ They are parsed by vsfwd on each vSphere host
▸ The VM-ID is used to apply rules to the pertinent vNICs
▸ The Applied To field still resolves back to a VM-ID
IOChain slots on the vSphere host (per vNIC)
▸ Slot 0, esxi-firewall: used for DVS ACLs
▸ Slot 1, sw-sec: VM IP and ARP learning
▸ Slot 2, vmware-sfw: Distributed Firewall enforcement
▸ Partner slots (through slot 14): NetX partner redirection point
  12. Bookstore application micro segmentation: fencing with Security Groups
▸ Security Groups provide a logical grouping construct
▸ Intelligent grouping: usually used to group 'like' workloads together, such as Web, App and DB
▸ A Security Group ends up as the source or destination of rules
▸ Rules are built using a Security Group as source and destination
▸ A permit-all rule applied to a group catches all traffic to or from that group's members, so every flow is logged before anything is blocked
  13. Bookstore application fencing
(Diagram: WEB1 and WEB2 in SGTSWeb, APP1 and APP2 in SGTSApp, DB1 in SGTSDb, all grouped under SGTSBooks; each VM's DFW instance sends its logs to Log Insight.)
  14. Bookstore application micro segmentation: Distributed Firewall tags
▸ An arbitrary text string stamped on every log line a rule generates
▸ Can be searched in any log platform
▸ Helps group rules with human-friendly context
▸ The Log Insight Management Pack provides regular expressions that can be used in conjunction with it
  15. Bookstore application micro segmentation: visualising rules
▸ Pie chart identifies source IP address and destination IP/port
▸ Colours indicate different destinations
▸ Filtered on the DFW tag: must contain SGTSWeb
▸ Allows quick creation of subsequent tables
  16. Agenda: Building the rules
  17. Bookstore application micro segmentation: Distributed Firewall rules
‣ Taking the log output and creating rules
‣ The Web tier chart shows the internal Edge interface (172.16.1.1) talking to both Web VMs (10.0.1.11 and 10.0.1.12) in SGTSWeb on port 80
‣ This results in rule #1 being created
  18. Bookstore application micro segmentation: Distributed Firewall rules
‣ Building individual allow rules against the known flows visualised from the logs
‣ Ensures the application topology is logically covered
‣ The final rule created is: any source, any destination, any service, block and log
‣ Applied to SGTSBooks
(Diagram: WEB1 and WEB2 in SGTSWeb, APP1 and APP2 in SGTSApp, DB1 in SGTSDb, within SGTSBooks.)
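The procedure of slides 15 to 18 (pivot the fence-rule logs by tag, then turn each observed source/destination/service into an allow rule and close with a block-and-log rule) carried out in code, as an added example that is not part of the presentation or of any VMware tooling. The log lines are constructed to resemble NSX-v dfwpktlogs syslog output with the rule tag as the last token; the field order, the IP-to-group inventory and the name EdgeInternal are assumptions and should be checked against your own Log Insight data.

```python
"""Turn DFW packet logs into candidate micro-segmentation rules.

Added example for this page (not code from the presentation or from VMware).
The log lines are CONSTRUCTED to resemble NSX-v `dfwpktlogs` syslog output with
a rule tag as the last token; check the field order against your own
Log Insight data before relying on the regex.
"""
import re
from collections import Counter

# Constructed sample: a permit-all "fence" rule per tier, tagged SGTSWeb /
# SGTSApp / SGTSDb, logs every flow in and out of the Bookstore groups.
# Each connection shows up twice: OUT at the source vNIC, IN at the destination.
SAMPLE_LOGS = """\
2016-05-01T10:00:01.001Z esx01 dfwpktlogs: 1024 INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/50112->10.0.1.11/80 S SGTSWeb
2016-05-01T10:00:01.002Z esx01 dfwpktlogs: 1024 INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/50113->10.0.1.12/80 S SGTSWeb
2016-05-01T10:00:02.003Z esx02 dfwpktlogs: 1025 INET match PASS domain-c7/1002 OUT 60 TCP 10.0.1.11/41000->10.0.2.11/8080 S SGTSWeb
2016-05-01T10:00:02.004Z esx02 dfwpktlogs: 1025 INET match PASS domain-c7/1002 IN 60 TCP 10.0.1.11/41000->10.0.2.11/8080 S SGTSApp
2016-05-01T10:00:03.005Z esx02 dfwpktlogs: 1025 INET match PASS domain-c7/1003 OUT 60 TCP 10.0.2.12/43210->10.0.3.11/3306 S SGTSApp
2016-05-01T10:00:03.006Z esx03 dfwpktlogs: 1026 INET match PASS domain-c7/1003 IN 60 TCP 10.0.2.12/43210->10.0.3.11/3306 S SGTSDb
2016-05-01T10:00:04.007Z esx03 dfwpktlogs: 1026 INET match PASS domain-c7/1004 IN 84 PROTO 1 10.0.2.11->10.0.3.11 SGTSDb
2016-05-01T10:00:05.008Z esx01 dfwpktlogs: 1024 INET match DROP domain-c7/1005 IN 60 TCP 198.51.100.7/5555->10.0.1.11/22 S SGTSWeb
"""

# Assumed field order: action, rule id, direction, length, protocol, src[/sport],
# dst[/dport], optional TCP flags, optional rule tag.
LOG_RE = re.compile(
    r"dfwpktlogs: \d+ INET match (?P<action>PASS|DROP) (?P<rule>\S+) "
    r"(?P<direction>IN|OUT) \d+ (?P<proto>TCP|UDP|PROTO \d+) "
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))?->(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: (?P<flags>[SAFRPU]+))?(?: (?P<tag>\S+))?$"
)

# Constructed inventory of which Security Group each IP belongs to. Anything
# not listed stays an IP literal, i.e. a candidate for an IPSet, not a group.
INVENTORY = {
    "172.16.1.1": "EdgeInternal",  # assumed name for the Edge internal interface
    "10.0.1.11": "SGTSWeb", "10.0.1.12": "SGTSWeb",
    "10.0.2.11": "SGTSApp", "10.0.2.12": "SGTSApp",
    "10.0.3.11": "SGTSDb",
}


def parse_flows(text):
    """Parse every dfwpktlogs line into a dict; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def service(flow):
    """Service as the DFW would express it: 'TCP 80', or bare 'PROTO 1' for ICMP."""
    return f"{flow['proto']} {flow['dport']}" if flow["dport"] else flow["proto"]


def summarise(flows, tag=None, action="PASS"):
    """The slide-15 pivot: count log lines per (src, proto, dst, dport), ignoring
    ephemeral source ports, optionally restricted to one rule tag."""
    counts = Counter()
    for f in flows:
        if f["action"] != action or (tag and f["tag"] != tag):
            continue
        counts[(f["src"], f["proto"], f["dst"], f["dport"] or "-")] += 1
    return counts


def build_rules(flows, inventory, scope="SGTSBooks"):
    """One allow rule per (source group, destination group, service) seen as PASS,
    then the catch-all block-and-log rule applied to the scope group. Mapping
    IPs to groups collapses the OUT/IN pair that each connection produces."""
    allowed = set()
    for f in flows:
        if f["action"] != "PASS":
            continue
        src = inventory.get(f["src"], f["src"])
        dst = inventory.get(f["dst"], f["dst"])
        allowed.add((src, dst, service(f)))
    rules = [dict(source=s, destination=d, service=svc, action="allow", log=True, applied_to=scope)
             for s, d, svc in sorted(allowed)]
    rules.append(dict(source="any", destination="any", service="any",
                      action="block", log=True, applied_to=scope))
    return rules


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOGS)
    for (src, proto, dst, dport), n in sorted(summarise(flows, tag="SGTSWeb").items()):
        print(f"{src:>14} -> {dst:>10} {proto} {dport:>5}  x{n}")
    for i, r in enumerate(build_rules(flows, INVENTORY), 1):
        print(f"#{i} {r['source']:>13} -> {r['destination']:<9} {r['service']:<10} "
              f"{r['action']} log={r['log']} applied_to={r['applied_to']}")
```

Two things to watch when doing this against real data: the DROP line is excluded from the allow set but is exactly what the final block-and-log rule will keep reporting, so review the DROP pivot before and after cut-over; and any source that resolves to an IP literal rather than a group (the Edge interface here) needs an IPSet or a group of its own, otherwise the rule silently hard-codes an address.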
  19. Agenda: Visualising the data
  20. Custom dashboards per application
▸ Custom dashboards can be created from ANY data seen by Log Insight
▸ Each dashboard widget is a saved query; super flexible, with a number of controls
▸ Creating a "Bookstore Security" dashboard
▸ Web, App, DB and SGTSBooks queries
▸ Creating source IP, protocol, and destination IP + port views
▸ Add to dashboard
▸ Populate the notes!
  21. The Bookstore custom dashboard (screenshot)
  22. Agenda: Automating the stack
  23. Scaling applications and maintaining security visibility: repeatable security architecture
Foundation (security tag inclusion, SGT1-*)
▸ Classifications: SGT1-TOPSECRET, SGT1-SECRET, SGT1-CONFIDENTIAL, SGT1-PROTECTED
▸ Clusters (cluster inclusion): SGT1-DEV, SGT1-PRODUCTION, SGT1-DMZ
▸ Tiers: SGT1-3TA-WEB, SGT1-3TA-APP, SGT1-3TA-DB
Infrastructure (cluster + classification, SGT2-*)
▸ e.g. SGT2-DMZ-PROTECTED
Application ((cluster + classification) + tier, SGT3-*)
▸ SGT3-DMZ-PROTECTED-3TA-WEB, SGT3-DMZ-PROTECTED-3TA-APP, SGT3-DMZ-PROTECTED-3TA-DB
  24. Scaling applications and maintaining security visibility: repeatable security architecture
Foundation
▸ SGT1-TOPSECRET, SGT1-SECRET, SGT1-CONFIDENTIAL, SGT1-PROTECTED
▸ SGT1-DEVELOPER, SGT1-PRODUCTION, SGT1-DMZ
▸ SGT1-3TA-WEB, SGT1-3TA-APP, SGT1-3TA-DB
Infrastructure
▸ SGT2-PROTECTED-3TA-WEB, SGT2-PROTECTED-3TA-APP, SGT2-PROTECTED-3TA-DB
Application
▸ SGT3-DMZ-PROTECTED-3TA-WEB, SGT3-DMZ-PROTECTED-3TA-APP, SGT3-DMZ-PROTECTED-3TA-DB
Security policies attached to the groups at each layer
▸ Policy DNS, Policy AD, Policy Web, Policy App, Policy DB
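A local model of the layered group scheme from slides 23 and 24, added here as an example that is not part of the presentation or of VMware's tooling: SGT2 groups are composed from a cluster tag plus a classification tag, SGT3 groups nest an SGT2 group plus a tier tag, and a VM's memberships (and therefore the policies that reach it) follow from the SGT1 tags it carries. The evaluation is a stand-in for NSX "match all" Security Group criteria, not a call to NSX Manager; the placement of the five policies on particular layers in POLICY_SCOPE is an assumption, and the VM tag sets are constructed.

```python
"""Resolve a VM's Security Group memberships under the SGT1/SGT2/SGT3 scheme.

Added example for this page, not code from the presentation or from VMware.
Group composition follows the slide (SGT2 = cluster + classification,
SGT3 = SGT2 + tier); the policy-to-layer mapping in POLICY_SCOPE is an
assumption, and the evaluation is a local model of NSX 'match all' criteria,
not a call to NSX Manager.
"""
CLASSIFICATIONS = ("TOPSECRET", "SECRET", "CONFIDENTIAL", "PROTECTED")
CLUSTERS = ("DEV", "PRODUCTION", "DMZ")
TIERS = ("3TA-WEB", "3TA-APP", "3TA-DB")
DIMENSIONS = {"classification": CLASSIFICATIONS, "cluster": CLUSTERS, "tier": TIERS}


def build_groups():
    """Return {group: [criteria]}; a criterion is ("tag", security_tag) or
    ("group", nested_group), and a VM is a member only if every criterion holds."""
    groups = {}
    for cluster in CLUSTERS:
        for cls in CLASSIFICATIONS:
            sgt2 = f"SGT2-{cluster}-{cls}"
            groups[sgt2] = [("tag", f"SGT1-{cluster}"), ("tag", f"SGT1-{cls}")]
            for tier in TIERS:
                groups[f"SGT3-{cluster}-{cls}-{tier}"] = [("group", sgt2), ("tag", f"SGT1-{tier}")]
    return groups


def is_member(group, vm_tags, groups, _path=()):
    """Recursive membership check that refuses cyclic nesting instead of looping."""
    if group in _path:
        raise ValueError(f"cyclic group nesting: {' -> '.join(_path + (group,))}")
    for kind, name in groups[group]:
        if kind == "tag" and name not in vm_tags:
            return False
        if kind == "group" and not is_member(name, vm_tags, groups, _path + (group,)):
            return False
    return True


def memberships(vm_tags, groups):
    """Every group (SGT2 and SGT3) the VM's tag set resolves into, sorted."""
    return sorted(g for g in groups if is_member(g, vm_tags, groups))


def validate_tags(vm_tags):
    """A VM needs exactly one SGT1 tag per dimension: zero means it falls outside
    every SGT2/SGT3 group (and their policies), two means it lands in several.
    Returns the list of problems, empty when the tag set is sane."""
    problems = []
    for dim, values in DIMENSIONS.items():
        hits = [v for v in values if f"SGT1-{v}" in vm_tags]
        if len(hits) != 1:
            problems.append(f"{dim}: expected one tag, found {hits or 'none'}")
    return problems


# Assumed placement of the slide's five policies: DNS and AD on the
# infrastructure (SGT2) groups, each tier policy on the matching SGT3 groups.
POLICY_SCOPE = {
    "POLICY-DNS": lambda g: g.startswith("SGT2-"),
    "POLICY-AD": lambda g: g.startswith("SGT2-"),
    "POLICY-WEB": lambda g: g.startswith("SGT3-") and g.endswith("-3TA-WEB"),
    "POLICY-APP": lambda g: g.startswith("SGT3-") and g.endswith("-3TA-APP"),
    "POLICY-DB": lambda g: g.startswith("SGT3-") and g.endswith("-3TA-DB"),
}


def applied_policies(vm_tags, groups):
    """Policies that reach the VM through at least one of its group memberships."""
    member_of = memberships(vm_tags, groups)
    return sorted(p for p, applies in POLICY_SCOPE.items() if any(applies(g) for g in member_of))


if __name__ == "__main__":
    groups = build_groups()
    web = {"SGT1-DMZ", "SGT1-PROTECTED", "SGT1-3TA-WEB"}  # constructed VM tag set
    print(memberships(web, groups), applied_policies(web, groups))
    print(validate_tags({"SGT1-DEV", "SGT1-PRODUCTION", "SGT1-SECRET"}))  # mis-tagged VM
```

The validate_tags check is the part worth keeping when automating this with PowerNSX or the API: a VM that is missing a tier or cluster tag quietly resolves into no SGT3 group at all, so none of the tier policies apply to it, and a VM carrying two cluster tags inherits two sets of policies. Both are easier to catch at tagging time than by reading DFW logs afterwards.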
  25. Security Inception: Security Practitioner's Guide to Micro Segmentation with Log Insight
Log Insight licensing
▸ A 25-OSI pack is included with all licensed vCenter instances
▸ Per-CPU-socket licensing is included with all vCloud Suite editions
▸ An Operating System Instance (OSI) denotes an individual endpoint outside a vCenter domain (network device, physical object, storage array)
▸ A CPU socket licence covers all virtual objects associated with that vSphere host (VMs, DFW, load balancer, NSX Edges)
  26. Takeaways of the approach: granular, repeatable, scalable, intelligent.
  27. Find out more
▸ Anthony Burke, Senior Systems Engineer, VMware Network and Security Business Unit
▸ VCIX-NV, CCNP, closing in on a VCDX-NV
▸ Author at networkinferno.net
▸ An author of the upcoming VMware Press title VMware NSX 6.2 for vSphere Essentials
▸ An author of the newly released VMware NSX Fundamentals LiveLessons
▸ Find me on Twitter as @pandom_
  28. Questions? Thank you.