Holodeck: Getting Started with NSX Microsegmentation
Module 2: Changing the Security Game with Microsegmentation
Over the past 10+ years traffic in a datacenter has changed. More and more traffic remains within the datacenter, moving between distributed application components. This traffic, known as East-West, is difficult to secure using traditional perimeter firewalls, which were predominantly designed for traditional North-South traffic.
Microsegmentation enables administrators to increase the agility and efficiency of the datacenter while maintaining an acceptable security posture. Microsegmentation decreases the level of risk and increases the security posture of the modern data center.
Microsegmentation with NSX in VCF is applied at the vNIC to VDS interface. Packets are inspected as they enter and leave each virtual machine. Microsegmentation is effectively a centralized packet filtering solution that acts on every machine.
Lab 1: Tagging VMs and Grouping Workloads based on Tags
This lab explores the use of tagging to create groups of VMs to apply specific distributed firewall rules to. In small environments, creating groups based on VM name may suffice. However, as an environment grows, tagging may be a better alternative.
Terminology and definitions:
- Tags – A virtual machine is not directly managed by NSX, however, NSX allows attachment of tags to a virtual machine. This tagging enables tag-based grouping of objects. For example, a tag called AppServer can be associated to all application servers).
- Security Groups – A security group is a collection of assets or grouping objects from your vSphere inventory.
Security Groups are containers that can contain multiple object types including logical switch, vNIC, IPset, and Virtual Machine (VM). Security groups can have dynamic membership criteria based on security tags, VM name or logical switch name. For example, all VMs that have the security tag web will be automatically added to a specific security group destined for Web servers. After creating a security group, a security policy is applied to that group.
- Security Policies – A security policy is a set of Guest Introspection, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy. Policies can be stateful or stateless.
Note: Tagging in NSX is distinct from tagging in vCenter Server. At this time, vCenter Server tags cannot be used to create groupings in NSX. In larger, more automated environments, customers use a solution such as vRealize Automation to deploy virtual machines and containers with security tagging set at time of creation.
Given that the OpenCart application used in this lab only has two web servers and one database server, we’re going to create two tags as criteria for two groups. This might seem somewhat redundant, creating one tag per group, however it’s essential to remember:
- This is a small sample two-tier application. For applications leveraging micro-services, you’ll be able to group more than one machine under one tag, and better leverage the security groups
- The advantage of using tags and groups is also an operational one. Once you create your infrastructure around Security Groups that contain tags, the moment you tag a machine with a specific tag, it immediately inherits the specific Security Group, firewall rules and so on. This brings us closer to the cloud delivery model.
- The downside is that a certain level of caution needs to be implemented when working with tags and Security Groups, meaning that it’s just as easy to add a machine to an existing Security Group and avoid the complication that comes with setting up the firewall rules, but it is also just as easy to evade good security by giving the new machine too many permissions due to old tags/security group configurations.
To show the capability of tags we will set up OC-Apache-A with the appropriate Tags and Security Group. And then we’ll have OC-Apache-B inherit the web tag and see how easy it is to apply all the appropriate rules to a new machine. The VM->Tag->Group mapping is as follows
VM | IP Address | Tag | Security Group |
OC-MySQL | 10.1.1.50 | OC-DB-Tag | OC-DB-Group |
OC-Apache-A | 10.1.1.18 | OC-Web-Tag | OC-Web-group |
OC-Apache-B | 10.1.1.19 | OC-Web-Tag | OC-Web-Group |
[Step 1] Create Tags
- On the Holo-Console, open a new tab in the Chrome browser
- Click the Managed bookmarks folder in the bookmark bar then select Mgmt Domain->Mgmt NSX
- Log into NSX Manager as the user admin with the password VMware123!VMware123!
- Navigate to Inventory->Tags
- Click on ADD TAG
- We will first create a new tag for the web servers. Add the name OC-Web-Tag in the Tag field. Don’t hit save yet. As you can see, the note says the tag must be assigned to at least one object first.
- Assign this tag to the OC-Apache-A virtual machine. Click on the Set Virtual Machines link field and select the OC-Apache-A virtual machine (you may need to scroll). For now, do not select OC-Apache-B as it will added later
- Click APPLY
- Note the “Assigned To” value has incremented to 1
- Click SAVE to save the new tag
- Click Add Tag
- Add the name “OC-DB-Tag”
- Click Set Virtual Machines then select OC-MySQL
- Click Apply
- Click Save
Step 2: Verify Tags
- Click on Inventory->Tags->Filter by Name, Path and more
- Click Tag
- Search for Tags with the string “OC” in the name and click OK
- Verify the two tags created earlier are displayed
Step 3: Verify virtual machines are mapped to tags.
- Select Inventory->Virtual Machines and click in the Filter area
- Scroll down in Basic Detail and select Tag
- Select our two tags and click Apply
- Verify OC-Apache-A and OC-MySQL are present
Step 4: Create Groups
Group mapping is as follows
Tag | Security Group |
OC-DB-Tag | OC-DB-Group |
OC-Web-Tag | OC-Web-Group |
Step 5: Create OC-Web-Group
- Click Inventory->Groups->ADD GROUP
- Add group name OC-Web-Group
- Click on “Set” in the Compute Members column to add group members. In this example we will use the tags we just created to populate the group.
- Click Add Criterion
- Select Virtual Machine, that filters on Tag Equals “OC-Web-Tag”
- Click Apply
- Click Save
Step 6: Create OC-DB-Group
- Click Inventory->Groups->ADD GROUP
- Add group name OC-DB-Group
- Click on Set to add group members. In this example we will use the tags we just created to populate the group
- Click Add Criterion
- Click on the Scope and select the OC-DB-Tag tag
- Click Apply
- Click Save
Step 7: Verify Groups
- On the Inventory->Groups panel click in the Filter by Name, Path and More field
- Click on Name in the Basic Detail column
- Type OC to filter for our group names
- Select the OC-Web-Group and OC-DB-Group groups
- Click Apply
- Click View Members for each group
- Each group should have a single VM as a member (we can ignore IP addresses, Ports and VIF for now).
The following example shows the view when looking at the View Members details for the OC-DB-Group
- At this point we have implemented the following:
VM | Tag | Group | Configured |
OC-Apache-A 10.1.1.18 | OC-Web-Tag | OC-Web-Group | Yes |
OC-Apache-B 10.1.1.19 |
|
| No |
OC-MySQL 10.1.1.50 | OC-DB-Tag | OC-DB-Group | Yes |
[Lab 1 Summary]
Lab 1 shows how to create tagging and grouping in NSX. This capability allows creation and management of a scalable set of distributed firewall rules.
Lab 2: Applying Distributed Firewall Rules Based on Tagging on a segment
This lab will show configuring the distributed firewall to limit access in our Opencart Application. For the purposes of this lab, we will create the following rules.
Name | Source | Destination | Port/Protocol | Allowed | Notes |
Inbound-web-80 | Any | OC-Web-Group | HTTP (80) | Allow | Outside to web port 80 |
Inbound-web-8080 | Any | OC-Web-Group | HTTP (8080) | Reject | Outside to web port 8080 |
Web-DB | OC-Web-Group | OC-DB-Group | 3306 (MySQL) | Allow | Web to DB comms |
ssh-admin | 10.0.0.0/24 | OC-DB-Group OC-Web-Group | SSH | Allow | SSH from lab console only |
ICMP-Admin | 10.0.0.0/24 | OC-DB-Group OC-Web-Group | ICMP ALL | Allow | Allow ICMP only from lab console |
Deny-All-Inbound | Any | OC-DB-Group OC-Web-Group | Any | Reject | Reject all else inbound |
Keep in mind that this all happening at the distributed firewall level, where firewall rules are implemented at the VM switch port versus needing the services of a routed (perimeter) firewall to implement. Since we have created groups in the previous lab, now we can create access rules based on these groups.
Step 1: Create New Policy
- If necessary, open a new tab in the Chrome browser
- Click the Management NSX-T shortcut in the bookmark bar (click advanced / proceed to nsx-mgmt.vcf.sddc.lab, if required to accept the certificate
- )
- Log into NSX Manager as user: admin with the password: VMware123!VMware123!
- Navigate to Security > Distributed Firewall in the NSX-T Console
- Click on Add Policy > New policy, Name the policy “Opencart”
- Hover over DFW in the Opencart policy row, then click the pencil twice.
- Note the default is the entire distributed firewall, however we want this rule to apply to the groups we created in the previous labs.
- Click the Groups radio button
- Search for OC then select OC-DB-Group and OC-Web-Group
- Click Apply
Step 2: Add inbound-web-80 rule
- Click on the three vertical dots on the left of the Opencart policy.
- Click Add Rule
- Click on Add Rule and change name to inbound-web-80
- Hover over Destinations, then click the pencil icon twice
- This brings up the Set Destination pop-up. Type OC in the search box then click on OC-Web-Group checkbox, then apply
- Hover over Services, then click the pencil icon
- Type HTTP in the services area then select HTTP
- Click Apply
- The result should be the following:
Step 3: Add inbound-web-8080 rule (clone inbound-web-80)
- Click on the three vertical dots on the left of the inbound-web-80 rule.
- Click Clone Rule
- Click on Copy of inbound-web-80 and change name to inbound-web-8080
- Hover over Services, then click the pencil icon
- Uncheck the box for the HTTP service
- Click on Raw Port Protocols
- Click Add Service Entry
- Set Service Type TCP and Destinations Port 8080
- Click Apply
- The result should be the following:
Step 4: Test inbound-web-XX rules
- Notice at this point we have two rules in place that are defaulted to Allow, and we have not yet published the rule changes. Leave this as is for the moment. Next, we will test that both ports are currently active on our web server
- Open a tab on the browser and connect to OC-Apache-A 10.1.1.18
- Open a second tab and connect to OC-Apache-A 10.1.1.18:8080
- Return to the NSX Manager tab. Click the arrow next to Allow on inbound-web-8080 and select Reject
- Click PUBLISH to make the rules active
- Notice that the Publish button is greyed out, showing there are no uncommitted changes. The green Success indicator is set at the policy level, and our two rules now have ID numbers showing they have been activated. You may need to click the refresh icon next to In Progress to show success.
- Go to the OC-Apache-A 10.1.1.18 browser tab and refresh. The web page should load normally
- Go to the OC-Apache-A 10.1.1.18:8080 browser tab and refresh. The web page should fail to load
Step 5: Extend security policies to new VM based on tag
- Test operations of the OC-Apache-B 10.1.1.19 webserver on port 80
- Test operations of the OC-Apache-B 10.1.1.19 webserver on port 8080
- Observe that the Reject rule on port 8080 does not extend to OC-Apache-B.
- Return to the NSX tab and click on Inventory then Tags
- Click on Filter, select Tag and search for by Name and type OC-Web
- Click the 3 dots next to OC-Web-Tag, then click Edit
- Click on the number 1 under Assigned To
- Search for OC-Apache and select OC-Apache-B then click Apply
- Click Save
- Test operations of the OC-Apache-B 10.1.1.19 webserver on port 8080
- Notice that as soon as the tag was applied to OC-Apache-B VM, it immediately became a part of the Opencart Policy, because it became a member of the web-group that the rules applied to
Step 6: Implement Web-DB rule
The step will Allow communications from only the Apache web servers to MySQL
- On the NSX Manager tab, go to Security -> Distributed Firewall
- Click on the 3 dots next to OpenCart and Add Rule
- Name the rule Web-DB.
- Set Sources to OC-Web-Group and click Apply
- Set Destinations to OC-DB-Group and click Apply
- Set Services to MySQL and click Apply
- Your rule should look like this
- Click Publish
- Test access to OC-Apache-A on 10.1.1.18. You should get a normal web page load
- Return to the NSX tab and set the Web-DB rule to Reject and click Publish (this will allow us to see the impact of the firewall blocking access from Apache to MySQL which will be useful later in the lab)
- Test access to OC-Apache-A on 10.1.1.18. Your web page load should fail
- Reset the Web-DB rule to Allow and Publish before moving on to the next step
Step 7: Implement Deny All Inbound rule
The step will implement a Deny All Inbound rule which will deny all inbound traffic we have not explicitly allowed. This step will also show the order of rule evaluation within a security policy
- On the NSX Manager tab, go to Security -> Distributed Firewall
- Click on the 3 dots next to OpenCart and Add New Rule
- Name the rule Deny-All-Inbound.
- Leave Sources at Any
- Set Destinations to groups OC-DB-Group and OC-Web-Group (Hint: Type OC- and enter to quickly show OC groups) Check the two groups and then Apply
- Set Action to Reject, then click Publish
- Test access to OC-Apache-A on 10.1.1.18. Your web page load should fail. This is because the Deny-All rule is evaluated prior to our Allow rules
- Return to the NSX tab
- Move the deny-all rule down by clicking the mouse and holding down with the cursor anywhere on the Deny-All rule line and dragging the rule to below our inbound-web-80 rule then clicking Publish
- Test access to OC-Apache-A on 10.1.1.18. You should get a normal web page load
- Return to the NSX tab
- Click on the tree dots to the left of the inbound-web-8080 line and Delete Rule (since we have a hard Deny-All, unless port 8080 is explicitly allowed, it will be blocked, rendering this rule no longer needed.)
- Publish the rules. You may need to click Refresh on the bottom of the policy screen
- Go to the OC-Apache-A 10.1.1.18:8080 The web page should fail to load.
Step 8: Implement ssh rule
The step will implement a rule to allow ssh connections to our Apache and MySQL VM’s, but only from our inside admin network (10.0.0.0/24)
- Attempt to SSH to OC-Apache-A. Click on PuTTY and connect to 10.1.1.18
- Your connection should time out
- Return to the NSX tab
- Click on the three dots to the left of the Opencart policy and Add Rule
- Name the rule ssh-admin
- Click on the pencil for Sources. Then IP Addresses. Set to 10.0.0.0/24, then click Apply
- Click on the pencil for Services. Select SSH, then click Apply
- Publish your new rule
- Attempt to SSH to OC-Apache-A. Click on PuTTY and connect to 10.1.1.18
- Your connection should succeed.
- Login as ocuser, password VMware123!
- Attempt to ssh from OC-Apache-A to OC-Apache-B 10.1.1.19
- Your connection should be refused
- Observe that we have blocked ssh within the Web servers but allow between our admin network and the web servers.
Step 9: Implement ICMP-Admin rule
The step will implement a rule to allow ICMP (Ping) to our Apache and MySQL VM’s, but only from our inside admin network (10.0.0.0/24), as Ping is used to determine host accessibility in many security threat situations.
- Open a command prompt on the Windows desktop by clicking the window icon -> Windows System -> Command Prompt
- Attempt to ping to OC-Apache-A 10.1.1.18. Your connection should time out
- On the NSX Manager tab, go to Security -> Distributed Firewall
- Click on the 3 dots next to Opencart and Add New Rule
- Name the rule ICMP-Admin
- Click on the pencil for Sources. Then IP Addresses. Set to 10.0.0.0/24, then click Apply
- Click on the pencil for Services. Select ICMP-ALL, then click Apply
- Publish your new rule
- Return to your Windows command prompt
- Attempt to ping to OC-Apache-A 10.1.1.18. Your connection should succeed
- From the NSX-T Manager interface click the Plan & Troubleshoot tab
- Click Traceflow in the left navigation panel
- Configure Traceflow from OC-Apache-A to OC-MySQL and click Trace
- Traceflow should show the ICMP packet dropped at the first firewall point (OC-Apache-A) before being placed on the segment
- Review the observations panel and notice the packet was dropped at OC-Apache A between the VM NIC and OC-Web-Segment
- On the Traceflow screen, click EDIT to reconfigure the trace then click Proceed on the warning pop up
- Change Protocol Type from ICMP to TCP, with Destination Port 3306
- Click Trace. Your Traceflow should succeed
- In the Observations panel, review the following
- We show 1 packet delivered
- The packet was injected at the network adapter for OC-Apache-A virtual machine
- It is then received at the distributed firewall at the VDS port for OC-Apache-A
- With no rule blocking, the packet is then forwarded on from the sending VDS port
- The packet then hits OC-T1 router and gets forwarded to the OC-DB-Segment
- Since OC-Apache-A and OC-MySQL are running on different ESXi hosts, you notice the physical hop between TEP’s
- The packet is then received on the distributed firewall at the receiving VDS port for OC-MySQL
- With no rule blocking forwarding, the packet is then forwarded to the destination, the last step shows the packet being delivered to the network adapter for the OC-MySQL VM
- Notice the flexibility of Traceflow to allow us to troubleshoot our distributed firewall and distributed routing using appropriate communications protocols.
[Lab 2 Summary]
Lab 2 shows the power of the distributed firewall capability in NSX. Using tagging a grouping, we were able to create a scalable set of rules for our Opencart application that only allow necessary communications for application operation, while blocking all other traffic. This was all done directly at the vSphere VDS switch port level, versus a piece of hardware elsewhere in the datacenter.