VMworld 2013: VMware NSX Extensibility: Network and Security Services from 3r...
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Viewers also liked (20)
Similar to Security Practitioners guide to Micro Segmentation with VMware NSX and Log Insight (20)
Recently uploaded (20)
Security Practitioners guide to Micro Segmentation with VMware NSX and Log Insight
- 1. MICRO SEGMENTATION SECURITY INCEPTION: A SECURITY PRACTITIONERS GUIDE TO WITH LOG INSIGHT
- 2. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 3. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 4. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT GOALS ▸ Where do I start? ▸ Finding the traffic ▸ Building the rules ▸ Visualising the data ▸ Automating ▸ Example Security Architecture PRODUCTS ▸ vSphere ▸ NSX for vSphere ▸ vRealize Log Insight ▸ PowerCLI / PowerNSX
- 5. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 6. DISTRIBUTED FIREWALL LOGS LOGS SOMEWHERE APP1WEB1 ▸ Firewall rules or Access lists were the point of visibility ▸ Only inter-tier communication was protected and seen ▸ Very tricky to detect and enforce workloads on the same network segment ▸ Private VLANs were used to enforce east-west communication NETWORK DC FIREWALL Logs
- 7. DISTRIBUTED FIREWALL LOGS LOGS EVERYWHERE APP1 NETWORK WEB1 ▸ Logs can be found at the DC Firewall, NSX Edge, Distributed Firewall ▸ Logs allow the trace of an application end to end (even if NAT is used!) DC FIREWALL Logs DFWDFWLogs Logs▸ DFW has both ingress and egress of source and destination workloads ▸ Logs on every device are cumbersome to collect and analyse
- 8. BOOKSTORE APPLICATION TOPOLOGY FUNCTION IP ADDRESS WEBLB 192.168.100.193 WEB01 10.0.1.11 WEB02 10.0.1.12 APPLB 172.16.1.6 APP01 10.0.2.11 APP02 10.0.2.12 DB01 10.0.3.11 WEB2 DB1 EXTERNAL NETWORK DFWDFW WEB1 DFW APP2 DFW APP1 DFW WEB LS APP LS DB LS TRANSIT LS EDGE 01 NSX DC FIREWALL APPLICATION A APPLICATION B APPLICATION C
- 9. BOOKSTORE APPLICATION MICRO SEGMENTATION ▸ Current security requirements are not enforced ▸ Unsure of inter-tier communication ▸ What ports are required to be opened? ▸ Not sure where to start ▸ Secure applications topologies ▸ Granular logging ▸ Visualisation / Dashboard of application security logs ▸ Repeatable process for other applications CURRENT STATE DESIRED OUTCOME NSX
- 10. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 11. IOCHAINS WHAT CAN I SEE? DISTRIBUTED FIREWALL ▸ vNIC level firewall on every VM ▸ Rules that are created via vCenter UI are pushed to NSX Manager to be stored. API is directly against NSX Manager. ▸ Rules are pushed down to relevant hosts (Applied To) or all (Distributed Firewall) ▸ This is parsed by VSFWD on each vSphere host. ▸ VM-ID is used to apply rules to pertinent vNICs ▸ Applied To field will still resolve back to VM-ID NSX VM NETWORK … 15 ESXI- FIREWALL0 USED FOR DVS ACLS SW-SEC1 VM-IP AND ARP LEARNING VMWARE- SFW2 DISTRIBUTED FIREWALL ENFORCEMENT PARTNER-14 NET-X PARTER REDIRECTION POINT VSPHERE HOST
- 12. BOOKSTORE APPLICATION MICRO SEGMENTATION ▸ Security Groups provide a logical grouping construct ▸ Intelligent grouping ▸ Usually used to group ‘like’ workloads together such as Web, App, and DB ▸ Security Group ends up as source or destination for rules ▸ Rules are used built using Security Group as source and destination ▸ Permit All means traffic to or from destined group is caught FENCING WITH SECURITY GROUPS NSX
- 13. BOOKSTORE APPLICATION FENCING WEB2 DB1 DFWDFW WEB1 DFW APP2 DFW APP1 DFW SGTSWEB SGTSAPP SGTSDB NSX SGTSBOOKS LOG INSIGHT
- 14. BOOKSTORE APPLICATION MICRO SEGMENTATION DISTRIBUTED FIREWALL TAGS ▸ Arbitrary text string stamped to all logs ▸ Can be searched in any log platform ▸ Helps group rules with human friendly context ▸ Log Insight Management Pack provides RegEx expressions that can be used in conjunction with it NSX
- 15. VISUALISING RULES ▸ Pie chart identifies source IP address and destination IP/Port ▸ Colours indicate different destination ▸ Filtered based on DFW Tag - must contain SGTSWeb ▸ Allows for quick creation of subsequent tables BOOKSTORE APPLICATION MICRO SEGMENTATION NSX
- 16. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 17. DISTRIBUTED FIREWALL RULES ‣ Taking log output and creating rules ‣ Web Tier chart sees internal edge interface (172.16.1.1) talk to both Web VMs (10.0.1.11/12) within SGTSWeb on port 80. ‣ This results in rule #1 created. BOOKSTORE APPLICATION MICRO SEGMENTATION NSX
- 18. DISTRIBUTED FIREWALL RULES ‣ Building individual allow rules against known logs visualised ‣ Ensures application topology is logically covered BOOKSTORE APPLICATION MICRO SEGMENTATION NSX WEB2 DB1 DFWDFW WEB1 DFW APP2 DFW APP1 DFW SGTSWEB SGTSAPP SGTSDB SGTSBOOKS ‣ Final rule created is Any source, Any destination, Any service, Block and log. ‣ Applied to SGTSBooks
- 19. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 20. CUSTOM DASHBOARDS PER APPLICATIONS ▸ Custom dashboards can be created from ANY data seen by Log Insight ▸ Known as queries ▸ Super flexible with a number of controls ▸ Creating a “Bookstore Security” dashboard ▸ Web, App, DB, and SGTSBook queries ▸ Creating SRC IP, Protocol, DST IP + PORT ▸ Add to Dashboard ▸ Populate notes! BOOKSTORE APPLICATION MICRO SEGMENTATION NSX
- 21. THE BOOKSTORE CUSTOM DASHBOARD BOOKSTORE APPLICATION MICRO SEGMENTATION NSX
- 22. AGENDA INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
- 23. SCALING APPLICATIONS AND MAINTAINING SECURITY VISIBILITY SGT2-DMZ-PROTECTED REPEATABLE SECURITY ARCHITECTURE SGT3-DMZ-PROTECTED-3TA-WEB SGT3-DMZ-PROTECTED-3TA-DB SGT3-DMZ-PROTECTED-3TA-APP FOUNDATION INFRASTRUCTURE APPLICATION SGT1-TOPSECRET SGT1-SECRET SGT1-CONFIDENTIAL SGT1-PROTECTED CLASSIFICATIONS SECURITYTAGINCLUSION SGT1-DEV SGT1-PRODUCTION SGT1-DMZ CLUSTERS CLUSTERINCLUSION CLUSTER + CLASSIFICATION (CLUSTER+CLASSIFICATION) + TIERS SGT1-3TA-DB SGT1-3TA-APP SGT1-3TA-WEB TIERS SECURITYTAGINCLUSION
- 24. SCALING APPLICATIONS AND MAINTAINING SECURITY VISIBILITY SGT2-PROTECTED-3TA-WEB SGT2-PROTECTED-3TA-DB SGT2-PROTECTED-3TA-APP REPEATABLE SECURITY ARCHITECTURE SGT3-DMZ-PROTECTED-3TA-WEB SGT3-DMZ-PROTECTED-3TA-DB SGT3-DMZ-PROTECTED-3TA-APP INFRASTRUCTURE APPLICATION POLICY DNS POLICY AD POLICY WEB POLICY APP POLICY DB FOUNDATION SGT1-TOPSECRET SGT1-SECRET SGT1-CONFIDENTIAL SGT1-PROTECTED SGT1-3TA-DB SGT1-3TA-APP SGT1-3TA-WEB SGT1-DEVELOPER SGT1-PRODUCTION SGT1-DMZ POLICY DNS POLICY DNS
- 25. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT LOG INSIGHT ▸ 25 OSI pack included with all licensed vCenter instances ▸ Per CPU socket licensing included with all vCloud Suite ▸ Operating System Instance denotes an individual endpoint outside a vCentre domain (Network device, Physical Object, Storage array) ▸ CPU socket includes all virtual objects associated to that vSphere host (VMs, DFW, Load Balancer, NSX Edges)
- 26. GRANULAR. REPEATABLE. SCALABLE. INTELLIGENT. Takeaways of the approach
- 27. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT FIND OUT MORE ▸ Anthony Burke - Senior Systems Engineer, VMware Network and Security Business Unit ▸ VCIX-NV, CCNP, closing in on a VCDX-NV ▸ Author at networkinferno.net ▸ An author of the upcoming VMware press title: VMware NSX 6.2 for vSphere Essentials ▸ An author of the newly released VMware NSX Fundamentals LiveLessons ▸ Find me on Twitter as @pandom_
- 28. QUESTIONS? THANK YOU
