Securing the data center with a perimeter firewall is not enough. Last year attacks like WannaCry hit many data centers and brought down services. Those data centers had the usual security devices in place, yet the worm still spread widely because nothing segmented traffic within the same VLAN or L2 broadcast domain: once one host was infected, every other host in the subnet was reachable from it. With NSX micro-segmentation, which is true segmentation down to the individual VM, every machine can be isolated, and isolated easily. Most web servers sitting in one subnet never need to talk to each other, but if one is compromised the rest are exposed. With NSX, closing that lateral path is a couple of clicks away.
As the saying goes, a 100% secure system is one nobody can use. NSX micro-segmentation avoids that trade-off to a large degree: the policy can be made very strict, users never notice any impact, and the security team can configure such granular policies with a few clicks, managed centrally from one place.
The distributed firewall is enforced for every individual VM in the ESXi kernel, at the VM's vNIC, so traffic is filtered before it ever reaches the virtual switch. A compromised VM therefore has no way to bypass the policy to infect its neighbours, whether they sit in another VLAN or in the same one.
This post covers the micro-segmentation configuration for NSX. Click here for the NSX Manager 6.7 Installation & Configuration post if you want to set up NSX Manager from scratch.
Create Distributed vSwitch & Add Hosts
Distributed firewalling is supported on the Distributed switch only; in practice it appears to work with a standard switch as well, but that is not a supported configuration. So our first step is to create a Distributed switch and port groups, add the hosts to the vDS and move the VMs to the distributed port groups.
Creating Distributed vSwitch
Step : Log in to vCenter Server – Menu – Networking and create the Distributed switch and its port groups.
Step : Right click the Distributed switch just created – Add and Manage Hosts.
Now move all the VMs to the distributed port groups.
Host Preparation for NSX
NSX installs VIBs on the ESXi hosts to prepare them so that micro-segmentation (distributed firewalling) works. Preparation is done per cluster; a VM running on a host that has not been prepared is not protected by the distributed firewall.
Step : Menu – Network and Security
Security Group Creation with dynamic inclusion
Now we need to create security groups for the virtual machines. Membership can be dynamic, where all web, app and db VMs are grouped automatically once their names match the group criteria, or static. Name-based membership is convenient, but anyone who can rename a VM can move it between groups; if that matters, use security tags as the criterion instead.
Step : Home – network and security
Distributed Firewall Configuration
In this section we will create some rules to implement micro-segmentation and allow only the required traffic:
- Users to web servers – HTTPS
- Web servers to app servers – SAP app port
- Web servers to web servers – deny all ports
Step : Click on Firewall – Expand Default Section – Default rule – Block – Publish. Publishing the default Block drops everything that is not explicitly allowed, so add vCenter Server to the Exclusion List first (NSX Manager, the controllers and Edge appliances are excluded automatically; vCenter is not) and be ready to publish the allow rules straight after.
Conclusion for Micro-Segmentation
Step : Rules can be added or deleted as shown below.
Step : All the necessary rules can be created as shown below, using the built-in capabilities of NSX.
With this, no web server can communicate with any other web server, web to app is allowed only on the required port, and specific ports from users to the web servers can be opened as needed. Keep in mind that the distributed firewall is first-match, top to bottom: the web-to-web deny must sit above the user-to-web allow, otherwise a web-to-web connection on 443 matches the broader allow first.
Hope this post is useful; leave your comments and feedback.
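To make the policy concrete, here is an added example that is not configuration from the original post and not NSX's own code: a small Python model of the security groups with name-based dynamic inclusion from the Security Group Creation section and the rule set from this section. It simulates first-match evaluation of the distributed firewall over constructed flows and renders the rules in the NSX-v 6.x layer-3 section XML shape as I recall it. The VM names, IP addresses, security-group IDs and the SAP port are assumptions made for illustration.

```python
"""Micro-segmentation policy model for the rules described in this post.

Constructed example: security groups with dynamic, name-based inclusion,
the three rules plus the default Block, a first-match evaluator, and a
renderer for the NSX-v 6.x DFW layer-3 section XML.  VM names, IPs,
security-group IDs and the SAP port are constructed, not from the post.
"""
import xml.etree.ElementTree as ET

ANY = "any"
SAP_APP_PORT = 3200  # hypothetical; the post does not name the SAP port

# Constructed inventory: VM name -> IP, following the post's web/app/db naming.
VMS = {
    "web-01": "10.0.10.11",
    "web-02": "10.0.10.12",
    "app-01": "10.0.20.11",
    "db-01": "10.0.30.11",
}

# Dynamic inclusion criteria, "VM name contains <token>", as in the post.
# Caveat: membership follows renames, so a VM renamed to contain "web"
# silently joins SG-Web; security tags are harder to move by accident.
GROUP_CRITERIA = {
    "SG-Web": ("contains", "web"),
    "SG-App": ("contains", "app"),
    "SG-DB": ("contains", "db"),
}

# Rules in evaluation order: (name, source, destination, TCP dport, action).
# The DFW is first-match top to bottom, so the web-to-web deny sits above
# the user-to-web allow; with source "any" that allow would otherwise match
# web-to-web traffic on 443 first.  "Default" models the Default Section rule.
RULES = [
    ("Web to Web - deny", "SG-Web", "SG-Web", None, "deny"),
    ("User to Web - HTTPS", ANY, "SG-Web", 443, "allow"),
    ("Web to App - SAP", "SG-Web", "SG-App", SAP_APP_PORT, "allow"),
    ("Default", ANY, ANY, None, "block"),
]


def resolve_group(group):
    """Return the set of VM names matching the group's dynamic criterion."""
    op, token = GROUP_CRITERIA[group]
    assert op == "contains"
    return {vm for vm in VMS if token in vm.lower()}


def is_member(endpoint, group):
    """'any' matches everything, including endpoints outside the inventory
    such as a user desktop; named groups match their resolved members."""
    return group == ANY or endpoint in resolve_group(group)


def evaluate(src, dst, dport):
    """First-match evaluation; returns (rule name, action) for the flow."""
    for name, s, d, port, action in RULES:
        if is_member(src, s) and is_member(dst, d) and port in (None, dport):
            return name, action
    raise RuntimeError("default rule must be last and match everything")


def to_dfw_section(section_name, group_ids):
    """Render the allow/deny rules as an NSX-v layer-3 section.

    Element layout follows the NSX-v 6.x DFW REST API as the author of this
    example recalls it; verify against the API guide for your version.  The
    default Block is set on the Default Section, so it is not emitted here.
    """
    section = ET.Element("section", name=section_name, type="LAYER3")
    for name, s, d, port, action in RULES:
        if name == "Default":
            continue
        rule = ET.SubElement(section, "rule", disabled="false", logged="true")
        ET.SubElement(rule, "name").text = name
        ET.SubElement(rule, "action").text = action
        for list_tag, item_tag, group in (("sources", "source", s),
                                          ("destinations", "destination", d)):
            if group == ANY:
                continue  # omitting the list means "any" in the API
            holder = ET.SubElement(rule, list_tag, excluded="false")
            item = ET.SubElement(holder, item_tag)
            ET.SubElement(item, "type").text = "SecurityGroup"
            ET.SubElement(item, "value").text = group_ids[group]
        if port is not None:
            service = ET.SubElement(ET.SubElement(rule, "services"), "service")
            ET.SubElement(service, "protocol").text = "6"  # TCP
            ET.SubElement(service, "destinationPort").text = str(port)
        applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
        ET.SubElement(applied, "type").text = "DISTRIBUTED_FIREWALL"
        ET.SubElement(applied, "value").text = "DISTRIBUTED_FIREWALL"
    return ET.tostring(section, encoding="unicode")


if __name__ == "__main__":
    for flow in [("user", "web-01", 443), ("web-01", "web-02", 443),
                 ("web-01", "app-01", SAP_APP_PORT), ("web-01", "db-01", 1521)]:
        print(flow, "->", evaluate(*flow))
    print(to_dfw_section("Micro-segmentation",
                         {"SG-Web": "securitygroup-10", "SG-App": "securitygroup-11"}))
```

Two things the simulation makes visible that the GUI does not: the web-to-web deny has to precede the user-to-web allow, and a source of "any" on that allow also admits the app and db tiers to the web servers on 443, so scope the source to an IPSet of user networks if that matters. To push the rendered section with the NSX-v REST API, GET the section first and PUT it back to `/api/4.0/firewall/globalroot-0/config/layer3sections/{sectionId}` with the `If-Match` header set to the ETag you received; the firewall API rejects updates without it.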