Micro-Segmentation on NSX!!

I recently attended a really cool presentation by Scott Lowe about the ability to do Micro-segmentation with NSX.  This is, in my opinion, the biggest use case for NSX and something that impresses me a lot.

Before we deep dive on what is NSX & Micro-Segmentation, first where do most of us stand today with our networks in regards to security.  Most environments use a Perimeter type security model.  Unfortunately, it tends to not be very resilient and can have a lot of issues.  First off if your able to breach this “shell” and get access to the interior servers you typically have a pretty open environment.  There is typically little security protecting East/West traffic between servers, coupled with the ever increasing network traffic between these servers its fairly easy to hide any rouge traffic while attacking other servers.  Once you have access and control you can then launch your attack when its best.  A perfect example of this is the recent big box stores, Target for example.  The attackers got in and waited some time before actually stealing data.

How can we best combat this today? The best option is to utilize a Least Privilege or 0-Trust security model.  This puts firewalls between everything, all servers both North/South and East/West.  I have actually seen a customer do this, not only did they spend a TON of money on both physical and virtual firewalls but it was an administrative nightmare.  They had a lot of touch points and one of the biggest problems was actually identifying rules and what they did, and why they were there.  There were rules still in place for servers and applications that had been decommissioned earlier.  It also was a nightmare to try and open up ports between applications and equipment.  They had to touch multiple firewalls all while trying to monitor the traffic to catch those ports that vendors don’t always list in their docs about “needed firewall ports”.

NSX and its Micro-Segmentation is an awesome answer to this problem!  NSX at its heart is Network Virtualization. NSX allows us to decouple the Network from the hardware and allow centralized management of this decoupled network.  With NSX we separate out the various network “planes”.  First, there is the Management plane, this is typically vCenter with the Network & Security Plugin installed.  This is where we define all the various rules and policies.  Next, the Control Plane. This is NSX Manager & NSX Controllers. This is the decision maker and controls the rules states as well as their definitions and keeps track of everything.  Finally we have the Distributed Data planes, these are all the modules loaded into all of the ESXi hypervisiors, and enables the Distributed Routers, Distributed Firewalls and switches.  This is where all the actual packet switching happens.  All of the configurations can be manually done or can use various REST APIs to do some automation, typically with vCAC.

Ok, now that we know what the basic NSX is, why is micro-segmentation so awesome?? NSXs Micro-segmentation allows us to implement a true 0-Trust Model security policy, easily and without the complication and huge costs and administration overhead that it typically takes.  We can now put an intelligent firewall and routing between every single VM!!  The part that is really cool is that we are doing this at the hypervisor level.  This allows the traffic to not have to “hairpin” to go through a firewall or router.  The traffic is typically analyzed at the originating vnic level.  (It can be done on the receive side, but isn’t recommended)  The rules are also dynamic and follow the VM wherever it goes in the environment.  The rules are removed if the VMs are off or deleted.  They are re-created when the VM is powered on, and CAN be automatically created when a VM is provisioned.

NSX Micro-Segmentation allows us to have the datacenter security sit in a “sweet spot”.  It is close enough to the VMs and workloads that it can provide intelligence of workloads and granular control.  However, unlike many agent based tools that can provide this level of intelligence and granular control, the security features are in the hypervisor and not in the VM.  This allows a compromised VM to still have all its security features intact.  In fact as we’ll see later on, NSX can potentially recognize the compromise and perform specific actions against the VM.

NSX allows for a very flexible network design.  At a very high level it is comprised of three main types of “tenants” or types of networks. We can Isolate networks from each other.   We can also Segment networks, which means we can allow certain types of traffic between various points.  Finally NSX allows us to bring in more “Advanced Services” via 3rd Party applications that plugin to NSX.  Lets dive into each more.

Isolation networks allows us to create just that, completely isolated networks.  These networks have absolutely no knowledge of each other.  They also have no knowledge of the underlying physical connections.  They could both be running over a big flat network and still not see each other.  They can have the exact same IP space as well.  This is excellent for keeping Dev, Test and Production networks separate, yet all running within the same vSphere Environment!! This is also used for multi-tenant environments, where the workloads shouldn’t ever see each other.

Segmented networks are most common types of networks, these are the traditional 3-teir App scenario. Without NSX, typically you’d have a Perimeter firewall, a DMZ then the inside firewall or firewalls that lead to various networks.  The rules are always in place on the firewalls no matter what the workload states are.  The rules also have to be manually inputted into each firewall, and moved in some cases if workloads move, depending on network design. With NSX we have some flexibility and choices.  We can create logical networks per group, app, BU, etc and then apply the rules to each VM.  We can also be a bit silly and just dump everything onto one giant logical switch and apply the rules to the VMs that way.  Either way is the same result, the rules are applied at the VMs, the logical networks can be designed however makes the most sense for the environment.

The “Advanced Services” functions of NSX brings a lot of really neat functionality and intelligence to traffic flows that weren’t really possible before at the scale and easy of administration that NSX brings. With NSX can setup the firewalls to do intelligent and dynamic routing.  We can send traffic through a Malware scanner and then based on the output of the scans, we can do different things with the traffic.  You can also send traffic to a deep packet scanner.  You can also just pass the traffic straight to its destination.  With these advanced services we can build If/Then type rules for the traffic.  For example, if traffic is sent to TrendMicro and a virus is found, NSX can quarantine it and not allow the VM to pass any traffic until its resolved.  Also, if during a scan, a big vulnerability due to old software is found, NSX can then monitor all that VMs traffic via IPS until fixed.  If a different scan is run and it finds sensitive data, we can encrypt the traffic and restrict it while its investigated.  I think this is a very very neat feature, and something that should make both network and security guys very happy! There are a bunch of vendors that are providing various plugins for this, such as, Rapid 7, McAfee, PaloAlto, Symantec & TrendMicro.

One thing that Scott mentioned that makes a ton of sense and is really cool is around Security Groups.  Security Groups allow the administrator to group VMs together logically using a variety of static and dynamic variables, such as Datacenter, Virtual Machine, vNIC, OS Type, User ID, Security Tag (applied by IPS, Malware scanner), etc.  Then various policies you create, Firewall rules, send to IPS, etc, are then applied to given security groups and tags within the group.  In reality this is the only way to really do NSX at any real scale.  It would be very time consuming to create rules for each and every VM.  By using the security groups VMs can become part of the groups and get certain policies applied to it automatically.

NSX and the Micro-Segmentation feature are all very simply managed within the vSphere Web Client. If your still using the old .NET client, you need to stop or you’ll be very very sad in the near future.  These are all under the Network & Security plugin.  This is where you can create your Security Groups along with their elements or attributes.  You also create all your various policies here.  You can also view all the events, and logs here.  There is also an area where you can View all of the traffic flows from VM to VM, and even create rules against the seen flows.  It does make it a bit easier to create the rulesets from real flows rather then trying to set them up ahead of time, if you’d like.

One thing that Scott also mentioned were a few use cases for this micro segmentation.  There was one use case that i actually will be exploring more in depth in the near future because it interested me a lot.  He mentioned that an admin can use NSX and Micro-Segmentation with VMware View.  In a very typical VMware View design there tends to be various pools for different user types, such as internal workers and external or offshore users who shouldn’t be able to access certain things, or setup of different pools for dev teams who only should be accessing their development machines.  This usually means different VLANs, with firewall and routing rules to accomplish this segmenting.  However, NSX can apply firewall & routing rules based upon a logged in User ID.  This means you could actually have a single pool for all our users on a single flat network and because NSX can apply the locked down firewall and routing rules to the VM when a “restricted user” logs in, we accomplish the same goal as the more complicated setup.  Now thats awesome!

Now Scott had a lot of really interesting slides and visualizations in his presentation that unfortunately i can’t use.  I would look for more information at VMworld.  In addition there is a good White-Paper here.