Security Practitioners guide to Micro Segmentation with VMware NSX and Log Insight
AGENDA
INTRODUCTION WHERE DO I START? FINDING THE FLOWS BUILDING THE RULES VISUALISING THE DATA AUTOMATING THE STACK
SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT
GOALS
▸ Where do I start?
▸ Finding the traffic
▸ Building the rules
▸ Visualising the data
▸ Automating
▸ Example Security Architecture
PRODUCTS
▸ vSphere
▸ NSX for vSphere
▸ vRealize Log Insight
▸ PowerCLI / PowerNSX
DISTRIBUTED FIREWALL LOGS
LOGS SOMEWHERE
[Diagram: WEB1 and APP1 on the same network segment behind the DC firewall; logs are only collected at the DC firewall]
▸ Firewall rules or access lists were the point of visibility
▸ Only inter-tier communication was protected and seen
▸ Very tricky to detect and enforce traffic between workloads on the same network segment
▸ Private VLANs were used to enforce east-west communication
DISTRIBUTED FIREWALL LOGS
LOGS EVERYWHERE
[Diagram: WEB1 and APP1 each with a DFW at the vNIC; logs are produced at the DC firewall and at every DFW]
▸ Logs can be found at the DC Firewall, NSX Edge and Distributed Firewall
▸ Logs allow an application to be traced end to end (even if NAT is used!)
▸ DFW has both ingress and egress of source and destination workloads
▸ Logs on every device are cumbersome to collect and analyse
BOOKSTORE APPLICATION TOPOLOGY
FUNCTION  IP ADDRESS
WEBLB     192.168.100.193
WEB01     10.0.1.11
WEB02     10.0.1.12
APPLB     172.16.1.6
APP01     10.0.2.11
APP02     10.0.2.12
DB01      10.0.3.11
[Diagram: External network -> DC firewall -> NSX EDGE01 -> Transit LS; Web LS (WEB1, WEB2), App LS (APP1, APP2) and DB LS (DB1), each VM with a DFW at its vNIC; further labels for Application A, Application B and Application C]
BOOKSTORE APPLICATION MICRO SEGMENTATION
CURRENT STATE
▸ Current security requirements are not enforced
▸ Unsure of inter-tier communication
▸ What ports are required to be opened?
▸ Not sure where to start
DESIRED OUTCOME
▸ Secure application topologies
▸ Granular logging
▸ Visualisation / dashboard of application security logs
▸ Repeatable process for other applications
IOCHAINS
WHAT CAN I SEE?
DISTRIBUTED FIREWALL
▸ vNIC-level firewall on every VM
▸ Rules created via the vCenter UI are pushed to NSX Manager to be stored; the API is directly against NSX Manager
▸ Rules are pushed down to the relevant hosts (Applied To) or to all hosts (Distributed Firewall)
▸ Rules are parsed by vsfwd on each vSphere host
▸ VM-ID is used to apply rules to the pertinent vNICs
▸ The Applied To field will still resolve back to a VM-ID
[Diagram: IOChain slots on the vSphere host, between the VM and the network (slots 0 to 15)]
▸ esxi-firewall (slot 0): used for DVS ACLs
▸ sw-sec (slot 1): VM IP and ARP learning
▸ vmware-sfw (slot 2): Distributed Firewall enforcement
▸ partner (slot 4): NetX partner redirection point
BOOKSTORE APPLICATION MICRO SEGMENTATION
FENCING WITH SECURITY GROUPS
▸ Security Groups provide a logical grouping construct
▸ Intelligent grouping
▸ Usually used to group 'like' workloads together, such as Web, App and DB
▸ A Security Group ends up as the source or destination for rules
▸ Rules are built using Security Groups as source and destination
▸ Permit All means all traffic to or from the destination group is caught
BOOKSTORE APPLICATION FENCING
[Diagram: WEB1 and WEB2 in SGTSWeb, APP1 and APP2 in SGTSApp, DB1 in SGTSDb, each VM with a DFW at its vNIC; the three groups are nested inside SGTSBooks; DFW logs are forwarded to Log Insight]
BOOKSTORE APPLICATION MICRO SEGMENTATION
DISTRIBUTED FIREWALL TAGS
▸ An arbitrary text string stamped on all logs
▸ Can be searched in any log platform
▸ Helps group rules with human-friendly context
▸ The Log Insight Management Pack provides RegEx expressions that can be used in conjunction with it
BOOKSTORE APPLICATION MICRO SEGMENTATION
VISUALISING RULES
▸ Pie chart identifies source IP address and destination IP/port
▸ Colours indicate different destinations
▸ Filtered based on the DFW tag: must contain SGTSWeb
▸ Allows for quick creation of subsequent tables
BOOKSTORE APPLICATION MICRO SEGMENTATION
DISTRIBUTED FIREWALL RULES
‣ Taking log output and creating rules
‣ The Web tier chart shows the internal edge interface (172.16.1.1) talking to both Web VMs (10.0.1.11/12) within SGTSWeb on port 80
‣ This results in rule #1 being created
‣ Building individual allow rules against the known, visualised logs
‣ Ensures the application topology is logically covered
[Diagram: WEB1 and WEB2 in SGTSWeb, APP1 and APP2 in SGTSApp, DB1 in SGTSDb, each with a DFW, nested inside SGTSBooks]
‣ The final rule created is Any source, Any destination, Any service, Block and log
‣ Applied to SGTSBooks
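The flow-to-rule step above (fence each group with logged permit-all rules, read the flows back out of the logs, write one allow rule per observed service, then close the application with a block-and-log rule applied to SGTSBooks) is mechanical enough to script. The Python below is an added example, not code from the presentation or from VMware: the sample log lines are constructed to approximate the NSX 6.x dfwpktlogs syslog layout, so LOG_RE is an assumption that must be checked against a real line from Log Insight, and the App and DB ports (8080, 3306) and the extra host 10.0.2.13 are assumed for illustration. The audit at the end is the check a practitioner wants before trusting the block rule: every flow seen during fencing must be matched by a derived allow rule, and every DROP is listed for review with a note on whether both endpoints are already known application members.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real output). Field layout is an assumed
# approximation of NSX 6.x dfwpktlogs: <rule tag> INET match <PASS|DROP>
# <rule id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> <flags>.
# 172.16.1.1 = internal edge interface, 10.0.1.x = Web VMs, 172.16.1.6 =
# APPLB, 10.0.2.x = App VMs, 10.0.3.11 = DB01; ports 8080/3306 are assumed.
SAMPLE_LOGS = """\
2016-05-01T10:00:01Z esx01 dfwpktlogs: SGTSWeb INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/52892->10.0.1.11/80 S
2016-05-01T10:00:02Z esx01 dfwpktlogs: SGTSWeb INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/52893->10.0.1.12/80 S
2016-05-01T10:00:03Z esx02 dfwpktlogs: SGTSApp INET match PASS domain-c7/1002 IN 60 TCP 10.0.1.11/40001->172.16.1.6/8080 S
2016-05-01T10:00:04Z esx02 dfwpktlogs: SGTSApp INET match PASS domain-c7/1002 IN 60 TCP 10.0.1.12/40002->172.16.1.6/8080 S
2016-05-01T10:00:05Z esx03 dfwpktlogs: SGTSDb INET match PASS domain-c7/1003 IN 60 TCP 10.0.2.11/50001->10.0.3.11/3306 S
2016-05-01T10:00:06Z esx03 dfwpktlogs: SGTSDb INET match PASS domain-c7/1003 IN 60 TCP 10.0.2.12/50002->10.0.3.11/3306 S
2016-05-01T10:00:07Z esx01 dfwpktlogs: SGTSBooks INET match DROP domain-c7/1999 IN 60 TCP 10.0.1.11/40003->10.0.3.11/3306 S
2016-05-01T10:00:08Z esx03 dfwpktlogs: SGTSBooks INET match DROP domain-c7/1999 IN 60 TCP 10.0.2.13/50003->10.0.3.11/3306 S
"""

# Assumed field layout; verify against a real Log Insight sample before use.
LOG_RE = re.compile(
    r"dfwpktlogs: (?P<tag>\S+) INET match (?P<action>PASS|DROP) (?P<rule>\S+) "
    r"(?P<dir>IN|OUT) \d+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_logs(text):
    """One flow record per dfwpktlogs line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def derive_rules(flows, fence_group="SGTSBooks"):
    """Aggregate PASS flows into one allow rule per (tag, protocol, dport),
    in first-seen order, then append the closing block-and-log rule."""
    buckets = defaultdict(lambda: {"src": set(), "dst": set()})
    for f in flows:
        if f["action"] == "PASS":
            key = (f["tag"], f["proto"], f["dport"])
            buckets[key]["src"].add(f["src"])
            buckets[key]["dst"].add(f["dst"])
    rules = []
    for (tag, proto, port), ends in buckets.items():
        rules.append({"id": len(rules) + 1, "name": f"{tag}-{proto}-{port}",
                      "source": sorted(ends["src"]), "destination": sorted(ends["dst"]),
                      "service": f"{proto}/{port}", "action": "allow", "log": True,
                      "applied_to": tag, "tag": tag})
    rules.append({"id": len(rules) + 1, "name": "default-block",
                  "source": ["any"], "destination": ["any"], "service": "any",
                  "action": "block", "log": True, "applied_to": fence_group,
                  "tag": fence_group})
    return rules


def rule_matches(rule, flow):
    """True when an allow rule covers this exact src/dst/service."""
    return (rule["action"] == "allow"
            and rule["service"] == f"{flow['proto']}/{flow['dport']}"
            and flow["src"] in rule["source"]
            and flow["dst"] in rule["destination"])


def audit(flows, rules):
    """Return (PASS flows no allow rule covers, DROP flows for review).
    Each review entry is (src, dst, service, both_endpoints_known): a DROP
    between known members is a violation or a rule the capture missed."""
    known = set()
    for r in rules:
        if r["action"] == "allow":
            known.update(r["source"] + r["destination"])
    uncovered = [f for f in flows if f["action"] == "PASS"
                 and not any(rule_matches(r, f) for r in rules)]
    review = sorted({(f["src"], f["dst"], f"{f['proto']}/{f['dport']}",
                      f["src"] in known and f["dst"] in known)
                     for f in flows if f["action"] == "DROP"})
    return uncovered, review


if __name__ == "__main__":
    flows = parse_logs(SAMPLE_LOGS)
    rules = derive_rules(flows)
    for r in rules:
        print(f"#{r['id']} {r['name']:<18} {','.join(r['source']):<22} -> "
              f"{','.join(r['destination']):<22} {r['service']:<9} {r['action']}"
              f" log applied_to={r['applied_to']}")
    uncovered, review = audit(flows, rules)
    print("uncovered PASS flows:", len(uncovered))
    for src, dst, svc, known in review:
        print(f"review DROP {src} -> {dst} {svc} known_members={known}")
```

Run stand-alone it prints the four-rule set in the order the slides build it (Web rule first, block-and-log last) and the two dropped flows: Web directly to DB, which the design intends to block, and a host the fencing capture never saw, which is the case to check when an application scales.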
BOOKSTORE APPLICATION MICRO SEGMENTATION
CUSTOM DASHBOARDS PER APPLICATION
▸ Custom dashboards can be created from ANY data seen by Log Insight
▸ Known as queries
▸ Super flexible, with a number of controls
▸ Creating a "Bookstore Security" dashboard
▸ Web, App, DB and SGTSBooks queries
▸ Creating SRC IP, protocol, DST IP + port
▸ Add to dashboard
▸ Populate notes!
SCALING APPLICATIONS AND MAINTAINING SECURITY VISIBILITY
REPEATABLE SECURITY ARCHITECTURE
FOUNDATION (SGT1)
▸ Classifications (security tag inclusion): SGT1-TOPSECRET, SGT1-SECRET, SGT1-CONFIDENTIAL, SGT1-PROTECTED
▸ Clusters (cluster inclusion): SGT1-DEV, SGT1-PRODUCTION, SGT1-DMZ
▸ Tiers (security tag inclusion): SGT1-3TA-WEB, SGT1-3TA-APP, SGT1-3TA-DB
INFRASTRUCTURE (SGT2): CLUSTER + CLASSIFICATION
▸ SGT2-DMZ-PROTECTED
APPLICATION (SGT3): (CLUSTER + CLASSIFICATION) + TIERS
▸ SGT3-DMZ-PROTECTED-3TA-WEB, SGT3-DMZ-PROTECTED-3TA-APP, SGT3-DMZ-PROTECTED-3TA-DB
SCALING APPLICATIONS AND MAINTAINING SECURITY VISIBILITY
REPEATABLE SECURITY ARCHITECTURE
FOUNDATION
▸ SGT1-TOPSECRET, SGT1-SECRET, SGT1-CONFIDENTIAL, SGT1-PROTECTED
▸ SGT1-3TA-DB, SGT1-3TA-APP, SGT1-3TA-WEB
▸ SGT1-DEVELOPER, SGT1-PRODUCTION, SGT1-DMZ
INFRASTRUCTURE
▸ SGT2-PROTECTED-3TA-WEB, SGT2-PROTECTED-3TA-DB, SGT2-PROTECTED-3TA-APP
APPLICATION
▸ SGT3-DMZ-PROTECTED-3TA-WEB, SGT3-DMZ-PROTECTED-3TA-DB, SGT3-DMZ-PROTECTED-3TA-APP
POLICIES
▸ POLICYDNS, POLICYAD, POLICYWEB, POLICYAPP, POLICYDB
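The value of the layered tag scheme above is that a VM only has to carry its foundation (SGT1) tags for the infrastructure (SGT2) and application (SGT3) groups, and therefore the tier policies, to follow automatically. The flip side is that a VM with a missing or doubled classification, cluster or tier tag resolves into no SGT3 group at all and silently gets no tier policy. The Python below is an added example, not code from the presentation or from VMware: it models the composition shown on the first scaling slide (cluster + classification gives SGT2, adding the tier gives SGT3), and the VM inventory, the tag assignments and the "exactly one tag per dimension" rule are assumptions made for illustration.

```python
# Foundation tag vocabulary, taken from the slides (the SGT1- prefix is stripped).
CLASSIFICATIONS = {"TOPSECRET", "SECRET", "CONFIDENTIAL", "PROTECTED"}
CLUSTERS = {"DEV", "PRODUCTION", "DMZ"}
TIERS = {"3TA-WEB", "3TA-APP", "3TA-DB"}

# Constructed inventory (assumption): security tags as stamped on each VM.
# app02 lacks a classification; db02 carries two, so neither can be placed.
INVENTORY = {
    "web01": {"SGT1-DMZ", "SGT1-PROTECTED", "SGT1-3TA-WEB"},
    "web02": {"SGT1-DMZ", "SGT1-PROTECTED", "SGT1-3TA-WEB"},
    "app01": {"SGT1-DMZ", "SGT1-PROTECTED", "SGT1-3TA-APP"},
    "db01": {"SGT1-DMZ", "SGT1-PROTECTED", "SGT1-3TA-DB"},
    "app02": {"SGT1-DMZ", "SGT1-3TA-APP"},
    "db02": {"SGT1-DMZ", "SGT1-SECRET", "SGT1-PROTECTED", "SGT1-3TA-DB"},
}


def split_tags(tags):
    """Return (classification, cluster, tier) for one VM's SGT1 tags.
    Raises ValueError when a dimension is missing or ambiguous, because
    a VM in that state would match no derived group."""
    names = {t[len("SGT1-"):] for t in tags if t.startswith("SGT1-")}
    picked = []
    for label, allowed in (("classification", CLASSIFICATIONS),
                           ("cluster", CLUSTERS), ("tier", TIERS)):
        hits = names & allowed
        if len(hits) != 1:
            raise ValueError(f"{label}: expected exactly one tag, got {sorted(hits)}")
        picked.append(hits.pop())
    return tuple(picked)


def derive_groups(inventory):
    """Map each VM to its SGT2 and SGT3 group names; VMs failing validation
    are returned separately so they can be fixed before they go unpoliced."""
    membership, unplaced = {}, {}
    for vm, tags in sorted(inventory.items()):
        try:
            cls, cluster, tier = split_tags(tags)
        except ValueError as err:
            unplaced[vm] = str(err)
            continue
        membership[vm] = {"SGT2": f"SGT2-{cluster}-{cls}",
                          "SGT3": f"SGT3-{cluster}-{cls}-{tier}"}
    return membership, unplaced


def members(membership, group):
    """All VMs that resolve into the given SGT2 or SGT3 group name."""
    return sorted(vm for vm, groups in membership.items() if group in groups.values())


if __name__ == "__main__":
    placed, unplaced = derive_groups(INVENTORY)
    for vm, groups in placed.items():
        print(f"{vm}: {groups['SGT2']} / {groups['SGT3']}")
    for vm, reason in unplaced.items():
        print(f"UNPLACED {vm}: {reason}")
```

Run stand-alone it lists each placed VM with its derived groups and reports app02 and db02 as unplaced with the offending dimension; the same check is worth running as a scheduled report against the real tag inventory, since an unplaced VM is exactly the one that the per-tier policies and dashboards will never show.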
LOG INSIGHT
▸ 25 OSI pack included with all licensed vCenter instances
▸ Per-CPU-socket licensing included with all vCloud Suite
▸ An Operating System Instance (OSI) denotes an individual endpoint outside a vCenter domain (network device, physical object, storage array)
▸ A CPU socket licence includes all virtual objects associated with that vSphere host (VMs, DFW, Load Balancer, NSX Edges)
FIND OUT MORE
▸ Anthony Burke - Senior Systems Engineer, VMware Network and Security Business Unit
▸ VCIX-NV, CCNP, closing in on a VCDX-NV
▸ Author at networkinferno.net
▸ An author of the upcoming VMware press title: VMware NSX 6.2 for vSphere Essentials
▸ An author of the newly released VMware NSX Fundamentals LiveLessons
▸ Find me on Twitter as @pandom_