Distributed Firewall – Providing tiered security policy through distributed firewall for micro-segmentation
Summary
This use case demonstrates the use of NSX’s distributed firewall to restrict lateral movement within an application tier. Many internet-facing assets are exposed to the other machines in the same application tier or subnet, so a compromise of one host can spread to its neighbours; creating a micro-segment with VMware NSX reduces this attack surface.
Pre Conditions
- vCenter and NSX manager configured.
- NSX host and cluster preparation complete.
- IP connectivity between hosts.
- (Optional) Applications against which to verify that firewall service policies are being enforced.
Post Conditions
Success End Condition
- The configured firewall policy is distributed throughout the environment to the endpoints that require enforcement.
- Lateral enforcement across a tier ensures VMs in that tier are isolated from each other.
Failure End Condition
- Distributed Firewall fails to update due to a communication plane error.
- Incorrect ruleset applied to an endpoint, resulting in no enforcement.
Minimal Guarantee
- Distributed Firewall delivers only a partial match against the ruleset due to operator error.
- Service Composer object does not match the intended criteria due to operator error.
Trigger(s)
- Virtual machines initiate communication with a desired endpoint. As a packet leaves the VM’s vNIC, the distributed firewall function, which resides between the vNIC and the vSwitch, enforces the defined security policy.
Use Case Expected Flow
- Log into the Networking and Security plugin of vCenter.
- Configure the Firewall section of NSX.
- Create Service Composer policies.
- Populate the desired rulesets by applying the business requirements.
- Commit and save the firewall change.
Use Case Variations
- The NSX distributed firewall function can be replicated with an NSX Edge device, although enforcement is then not within the hypervisor kernel and traffic must be routed through the Edge.
- The vCenter object used to provide the match criteria can be altered.
Integration Points
Nil
Suggested Test Metrics
- Test application availability after permitting or denying the service port.
- Confirm expected behaviour to ensure that no communication can occur within a micro-segment between logical security tiers.
- Confirm that rulesets have been distributed to the hosts’ VSIP module from the ESXi command line.
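As an added illustration of the expected flow and of the test metrics above (this is not VMware’s code and not the NSX API), the following Python models the tiered ruleset the flow produces as an ordered, first-match rule table, then runs the micro-segmentation checks against it: every permitted flow is enumerated and compared with the business requirement, and any flow allowed between two endpoints of the same tier is reported as a lateral leak. The endpoints, tier tags, ports, rule names and the factory-default “allow” catch-all are constructed for the example.

```python
"""Model of an NSX-style distributed firewall ruleset for a three-tier
application, used to check a policy before it is committed.  Added
illustration: not VMware code and not the NSX API.  Endpoints, tags, ports
and rule names are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

ANY = "any"

# Constructed inventory.  The DFW matches on vCenter objects (security tags,
# security groups, IP sets); here each endpoint carries a single tier tag and
# "internet" stands in for an IP set of outside addresses.
ENDPOINTS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "internet": "external",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # tier tag or ANY
    dst: str               # tier tag or ANY
    port: Optional[int]    # None means any port
    action: str            # "allow" or "block"
    proto: str = "tcp"


def tier_of(endpoint: str) -> str:
    return ENDPOINTS[endpoint]


def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.src in (ANY, tier_of(src))
            and rule.dst in (ANY, tier_of(dst))
            and rule.proto in (ANY, proto)
            and (rule.port is None or rule.port == port))


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins, as in the DFW rule table; returns
    (action, rule name).  The final catch-all rule decides unmatched flows."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    raise ValueError("ruleset has no catch-all rule")


def tiered_policy(isolate_tiers: bool = True, default_action: str = "block"):
    """Tiered policy.  The intra-tier block rules sit above the allows so a
    broad allow cannot shadow them: with first-match semantics, order matters.
    isolate_tiers=False with default_action="allow" reproduces the operator
    error of leaving the factory default in place with no isolation rules."""
    rules = []
    if isolate_tiers:
        rules += [Rule(f"isolate-{t}", t, t, None, "block", ANY)
                  for t in ("web", "app", "db")]
    rules += [
        Rule("inet-to-web", "external", "web", 443, "allow"),
        Rule("web-to-app", "web", "app", 8443, "allow"),
        Rule("app-to-db", "app", "db", 3306, "allow"),
        Rule("default", ANY, ANY, None, default_action, ANY),
    ]
    return rules


PORTS = (22, 443, 3306, 8443)


def allowed_flows(rules, ports=PORTS):
    """Enumerate every (src_tier, dst_tier, port) the ruleset permits between
    distinct endpoints.  Diffing this set against the business requirement is
    the check for the 'incorrect ruleset applied' failure condition."""
    allowed = set()
    for src in ENDPOINTS:
        for dst in ENDPOINTS:
            if src == dst:
                continue
            for port in ports:
                action, _ = evaluate(rules, src, dst, "tcp", port)
                if action == "allow":
                    allowed.add((tier_of(src), tier_of(dst), port))
    return allowed


def lateral_leaks(rules, ports=PORTS):
    """Flows permitted between two endpoints of the same tier: the
    micro-segmentation test metric, which must come back empty."""
    return {f for f in allowed_flows(rules, ports) if f[0] == f[1]}


# The business requirement: only these three flows may exist.
REQUIRED = {("external", "web", 443), ("web", "app", 8443), ("app", "db", 3306)}

if __name__ == "__main__":
    good = tiered_policy()
    bad = tiered_policy(isolate_tiers=False, default_action="allow")
    print("hardened extra flows:", allowed_flows(good) - REQUIRED)
    print("hardened lateral leaks:", lateral_leaks(good))
    print("factory-default lateral leaks:", sorted(lateral_leaks(bad)))
```

The hardened ruleset permits exactly the three required flows and no intra-tier traffic, while the factory-default variant lets every undeclared flow through, including web-to-web on port 22; that is the “no enforcement” outcome the failure conditions describe, and the same enumeration is what you would compare against the rules a host reports for its vNIC filters.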
We are working on this exact use case internally and would be happy to share our efforts.
Sure. Feel free to reach out and let me know how you are going. aburke vmware com