The term micro-segmentation has been used to death by every vendor. So what does it mean for you? This session walks step by step through building a security architecture from nothing. Where do you start? How do you learn how an application speaks? What approach can you take that is not disruptive? Which objects should you use: Security Groups, IP sets, clusters, VMs? After deciding what is best for each situation, come and see how to apply micro-segmentation with VMware NSX to VMware Log Insight. Walk away with a repeatable approach to breaking down, learning, and segmenting any application on your virtualised infrastructure. Designing an application's micro-segmentation policy just got a whole lot easier.
4. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT
GOALS
▸ Where do I start?
▸ Finding the traffic
▸ Building the rules
▸ Visualising the data
▸ Automating
▸ Example Security Architecture
PRODUCTS
▸ vSphere
▸ NSX for vSphere
▸ vRealize Log Insight
▸ PowerCLI / PowerNSX
6. DISTRIBUTED FIREWALL LOGS
LOGS SOMEWHERE
▸ Firewall rules or access lists were the point of visibility
▸ Only inter-tier communication was protected and seen
▸ Very tricky to detect and enforce workloads on the same network segment
▸ Private VLANs were used to enforce east-west communication
(Diagram: APP1, WEB1, NETWORK, DC FIREWALL, Logs)
7. DISTRIBUTED FIREWALL LOGS
LOGS EVERYWHERE
▸ Logs can be found at the DC Firewall, NSX Edge, Distributed Firewall
▸ Logs allow the trace of an application end to end (even if NAT is used!)
▸ DFW has both ingress and egress of source and destination workloads
▸ Logs on every device are cumbersome to collect and analyse
(Diagram: APP1, WEB1, NETWORK, DC FIREWALL, DFW, Logs)
8. BOOKSTORE APPLICATION TOPOLOGY
FUNCTION   IP ADDRESS
WEBLB      192.168.100.193
WEB01      10.0.1.11
WEB02      10.0.1.12
APPLB      172.16.1.6
APP01      10.0.2.11
APP02      10.0.2.12
DB01       10.0.3.11
(Diagram: WEB1, WEB2, APP1, APP2 and DB1, each behind a DFW, on WEB LS, APP LS and DB LS; TRANSIT LS; EDGE 01; NSX; DC FIREWALL; EXTERNAL NETWORK; APPLICATION A, APPLICATION B, APPLICATION C)
9. BOOKSTORE APPLICATION MICRO SEGMENTATION
CURRENT STATE
▸ Current security requirements are not enforced
▸ Unsure of inter-tier communication
▸ What ports are required to be opened?
▸ Not sure where to start
DESIRED OUTCOME
▸ Secure application topologies
▸ Granular logging
▸ Visualisation / Dashboard of application security logs
▸ Repeatable process for other applications
11. IOCHAINS
WHAT CAN I SEE?
DISTRIBUTED FIREWALL
▸ vNIC level firewall on every VM
▸ Rules that are created via the vCenter UI are pushed to NSX Manager to be stored. The API is directly against NSX Manager.
▸ Rules are pushed down to relevant hosts (Applied To) or all (Distributed Firewall)
▸ This is parsed by VSFWD on each vSphere host.
▸ VM-ID is used to apply rules to pertinent vNICs
▸ Applied To field will still resolve back to VM-ID
(Diagram: IOChain slots on a VM vNIC inside the vSphere host: slot 0 ESXi-Firewall, used for DVS ACLs; slot 1 sw-sec, VM-IP and ARP learning; slot 2 vmware-sfw, Distributed Firewall enforcement; partner slots up to 14, NetX partner redirection point; … 15; NETWORK)
12. BOOKSTORE APPLICATION MICRO SEGMENTATION
FENCING WITH SECURITY GROUPS
▸ Security Groups provide a logical grouping construct
▸ Intelligent grouping
▸ Usually used to group ‘like’ workloads together such as Web, App, and DB
▸ Security Group ends up as source or destination for rules
▸ Rules are built using Security Group as source and destination
▸ Permit All means all traffic to or from the targeted group is caught
14. BOOKSTORE APPLICATION MICRO SEGMENTATION
DISTRIBUTED FIREWALL TAGS
▸ Arbitrary text string stamped to all logs
▸ Can be searched in any log platform
▸ Helps group rules with human friendly context
▸ Log Insight Management Pack provides RegEx expressions that can be used in conjunction with it
15. BOOKSTORE APPLICATION MICRO SEGMENTATION
VISUALISING RULES
▸ Pie chart identifies source IP address and destination IP/Port
▸ Colours indicate different destination
▸ Filtered based on DFW Tag - must contain SGTSWeb
▸ Allows for quick creation of subsequent tables
17. BOOKSTORE APPLICATION MICRO SEGMENTATION
DISTRIBUTED FIREWALL RULES
‣ Taking log output and creating rules
‣ Web Tier chart sees internal edge interface (172.16.1.1) talk to both Web VMs (10.0.1.11/12) within SGTSWeb on port 80.
‣ This results in rule #1 being created.
18. BOOKSTORE APPLICATION MICRO SEGMENTATION
DISTRIBUTED FIREWALL RULES
‣ Building individual allow rules against known logs visualised
‣ Ensures application topology is logically covered
‣ Final rule created is Any source, Any destination, Any service, Block and log.
‣ Applied to SGTSBooks
(Diagram: WEB1, WEB2, APP1, APP2, DB1 each behind a DFW; security groups SGTSWEB, SGTSAPP, SGTSDB and SGTSBOOKS)
20. BOOKSTORE APPLICATION MICRO SEGMENTATION
CUSTOM DASHBOARDS PER APPLICATION
▸ Custom dashboards can be created from ANY data seen by Log Insight
▸ Known as queries
▸ Super flexible with a number of controls
▸ Creating a “Bookstore Security” dashboard
▸ Web, App, DB, and SGTSBook queries
▸ Creating SRC IP, Protocol, DST IP + PORT
▸ Add to Dashboard
▸ Populate notes!
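The workflow of slides 15 to 20 (filter DFW logs by tag, query SRC IP / protocol / DST IP + port the way a Log Insight dashboard does, turn the observed flows into allow rules, and finish with the Any/Any/Any block-and-log rule applied to the application group), as an added example that is not from the presentation, from VMware, or from the PowerNSX tooling the deck names. It is written in Python; the log lines are constructed in a simplified dfwpktlogs-style layout (the real field order and tag placement differ, so the regex must be adapted to what Log Insight actually shows); and the Security Group membership (SGTSWeb, SGTSApp, SGTSDb inside SGTSBooks), the treatment of non-VM endpoints such as the edge interface 172.16.1.1 and APPLB 172.16.1.6 as IP sets, and the choice to apply every rule to SGTSBooks are assumptions. It generalises slide 17's single rule: the same grouping yields every tier's rule, and it de-duplicates the double logging on source and destination vNICs described on slide 7.

```python
"""Turn NSX Distributed Firewall (DFW) log lines into draft micro-segmentation rules.

Added example, not from the presentation: parse DFW packet logs, filter by DFW
tag, aggregate flows like a Log Insight query (SRC IP, protocol, DST IP + port),
resolve IPs to Security Groups or IP sets, emit allow rules and a final
block-and-log rule for the application group.
"""
import re
from collections import Counter, OrderedDict

# Assumed Security Group membership, taken from the Bookstore topology (slide 8).
# The edge interface (172.16.1.1) and APPLB (172.16.1.6) are not VMs, so they
# are deliberately absent and will be modelled as IP sets.
SECURITY_GROUPS = {
    "SGTSWeb": {"10.0.1.11", "10.0.1.12"},
    "SGTSApp": {"10.0.2.11", "10.0.2.12"},
    "SGTSDb": {"10.0.3.11"},
}
APPLICATION_GROUP = "SGTSBooks"  # assumed nested group holding the three tiers

# Constructed log lines in a simplified dfwpktlogs-style layout (not real output).
# Lines 7 and 8 are the same packet seen at the APP01 egress and DB01 ingress vNIC.
SAMPLE_LOGS = """\
2016-05-10T09:00:01Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/51000->10.0.1.11/80 S tag=SGTSWeb
2016-05-10T09:00:02Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 IN 60 TCP 172.16.1.1/51002->10.0.1.12/80 S tag=SGTSWeb
2016-05-10T09:00:03Z esx-01 dfwpktlogs: INET match PASS domain-c7/1002 OUT 60 TCP 10.0.1.11/40001->172.16.1.6/8080 S tag=SGTSWeb
2016-05-10T09:00:04Z esx-01 dfwpktlogs: INET match PASS domain-c7/1002 OUT 60 TCP 10.0.1.12/40002->172.16.1.6/8080 S tag=SGTSWeb
2016-05-10T09:00:05Z esx-02 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 172.16.1.6/33000->10.0.2.11/8080 S tag=SGTSApp
2016-05-10T09:00:06Z esx-02 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 172.16.1.6/33001->10.0.2.12/8080 S tag=SGTSApp
2016-05-10T09:00:07Z esx-02 dfwpktlogs: INET match PASS domain-c7/1004 OUT 60 TCP 10.0.2.11/45000->10.0.3.11/3306 S tag=SGTSDb
2016-05-10T09:00:07Z esx-03 dfwpktlogs: INET match PASS domain-c7/1004 IN 60 TCP 10.0.2.11/45000->10.0.3.11/3306 S tag=SGTSDb
2016-05-10T09:00:08Z esx-02 dfwpktlogs: INET match PASS domain-c7/1004 OUT 60 TCP 10.0.2.12/45001->10.0.3.11/3306 S tag=SGTSDb
2016-05-10T09:00:09Z esx-01 dfwpktlogs: INET match DROP domain-c7/1010 IN 60 TCP 198.51.100.7/5555->10.0.1.11/22 S tag=SGTSBooks
"""

# Regex for the constructed layout above; adjust to your Log Insight field layout.
LOG_RE = re.compile(
    r"dfwpktlogs: INET match (?P<action>PASS|DROP) (?P<rule>\S+) (?P<dir>IN|OUT) \d+ "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: [A-Z]+)? tag=(?P<tag>\S+)"
)


def parse_dfw_logs(text):
    """Parse log lines into flow dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
        flows.append(f)
    return flows


def count_by(flows, fields, tag_contains=None, action="PASS"):
    """Emulate a Log Insight group-by query: count flows per tuple of fields,
    optionally filtered on the DFW tag (slide 15's 'must contain SGTSWeb')."""
    counts = Counter()
    for f in flows:
        if f["action"] != action or (tag_contains and tag_contains not in f["tag"]):
            continue
        counts[tuple(f[k] for k in fields)] += 1
    return dict(counts)


def resolve_object(ip, groups=SECURITY_GROUPS):
    """Map an IP to its Security Group, or to an IP set for non-VM endpoints."""
    for name, members in groups.items():
        if ip in members:
            return name
    return "ipset:" + ip


def derive_rules(flows, app_group=APPLICATION_GROUP, groups=SECURITY_GROUPS):
    """Collapse allowed flows into one allow rule per (source, destination, service).
    The DFW logs a packet on both the source and destination vNIC (slide 7), so
    flows are de-duplicated on src, dst, protocol and destination port first.
    The list ends with the Any/Any/Any block-and-log rule on the application group."""
    seen = OrderedDict()
    for f in flows:
        if f["action"] != "PASS":
            continue  # dropped traffic never becomes an allow rule
        key = (resolve_object(f["src"], groups), resolve_object(f["dst"], groups),
               f["proto"], f["dport"])
        entry = seen.setdefault(key, {"flows": set(), "tags": Counter()})
        entry["flows"].add((f["src"], f["dst"], f["proto"], f["dport"]))
        entry["tags"][f["tag"]] += 1
    rules = []
    for n, ((src, dst, proto, port), entry) in enumerate(seen.items(), start=1):
        rules.append({"number": n, "source": src, "destination": dst,
                      "service": f"{proto}/{port}", "action": "allow", "log": True,
                      "applied_to": app_group, "tag": entry["tags"].most_common(1)[0][0],
                      "evidence": len(entry["flows"])})  # distinct flows behind the rule
    rules.append({"number": len(rules) + 1, "source": "any", "destination": "any",
                  "service": "any", "action": "block", "log": True,
                  "applied_to": app_group, "tag": app_group, "evidence": 0})
    return rules


if __name__ == "__main__":
    flows = parse_dfw_logs(SAMPLE_LOGS)
    for key, n in count_by(flows, ("src", "dst", "dport"), tag_contains="SGTSWeb").items():
        print("web tier query:", key, n)
    for r in derive_rules(flows):
        print(r["number"], r["source"], "->", r["destination"], r["service"],
              r["action"], "log", "applied to", r["applied_to"], "tag", r["tag"])
```

Each allow rule carries an evidence count so a reviewer can see how many distinct observed flows justify it before it is pushed; the rule dicts are shaped so they can be handed to whichever provisioning tool you automate with (the deck names PowerNSX), but the push itself is not shown.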
24. SCALING APPLICATIONS AND MAINTAINING SECURITY VISIBILITY
REPEATABLE SECURITY ARCHITECTURE
(Diagram: layered security groups and policies)
Foundation groups: SGT1-TOPSECRET, SGT1-SECRET, SGT1-CONFIDENTIAL, SGT1-PROTECTED, SGT1-3TA-WEB, SGT1-3TA-APP, SGT1-3TA-DB, SGT1-DEVELOPER, SGT1-PRODUCTION, SGT1-DMZ
Application groups: SGT2-PROTECTED-3TA-WEB, SGT2-PROTECTED-3TA-APP, SGT2-PROTECTED-3TA-DB
DMZ application groups: SGT3-DMZ-PROTECTED-3TA-WEB, SGT3-DMZ-PROTECTED-3TA-APP, SGT3-DMZ-PROTECTED-3TA-DB
Infrastructure policies: DNS, AD
Application policies: Web, App, DB
25. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT
LOG INSIGHT
▸ 25 OSI pack included with all licensed vCenter instances
▸ Per CPU socket licensing included with all vCloud Suite
▸ Operating System Instance (OSI) denotes an individual endpoint outside a vCenter domain (network device, physical object, storage array)
▸ CPU socket includes all virtual objects associated to that vSphere host (VMs, DFW, Load Balancer, NSX Edges)
27. SECURITY INCEPTION: SECURITY PRACTITIONERS GUIDE TO MICRO SEGMENTATION WITH LOG INSIGHT
FIND OUT MORE
▸ Anthony Burke - Senior Systems Engineer, VMware Network and Security Business Unit
▸ VCIX-NV, CCNP, closing in on a VCDX-NV
▸ Author at networkinferno.net
▸ An author of the upcoming VMware Press title: VMware NSX 6.2 for vSphere Essentials
▸ An author of the newly released VMware NSX Fundamentals LiveLessons
▸ Find me on Twitter as @pandom_