Notes on VMware NSX Firewall and Security Services

It's been a little bit since I've posted. I've been busy trying to broaden my Python skills, study for my Route/Switch CCNA, as well as build out some automation at work. All in all it's been busy, but here is a bit more of my notes. I've got one last chapter of hand notes to clean up and post in hopes it will assist someone else as it did me.

8.1

  • SDDC Security Overview
  • Challenges
    • Context vs isolation
    • Managing in-guest agents
      • An agent is needed per VM per service
      • Adding services requires manual deployment
      • Scheduled scans hit the infrastructure at the same time
    • Inability to orchestrate policy across controls
    • Challenges with workload mobility
  • Goldilocks Zone
    • The hypervisor is "just right": it has the context of an in-guest agent while staying isolated from the guest like a network appliance
  • Distributed model
    • Security follows the VM
    • Avoids a single point of failure
    • Provides micro-segmentation
  • In-kernel model
    • If traffic is denied in the kernel it never leaves the host, so nothing on the wire can snoop it
    • Otherwise traffic would have to egress the host and come back to it; in-kernel enforcement keeps it on the host
    • Filtering happens closest to the VM
  • Data Center Use Cases
    • DFW endpoint
    • Advanced Malware protection
    • Vulnerability Management
    • Log management

8.2 Overview NSX Firewall

  • Edge firewall: a virtual appliance (NSX Edge)
    • North-south traffic flows
    • Can also route between networks
  • Distributed firewall (DFW) ensures
    • Consistent application of policy rules
    • Traffic optimization
    • Policy rules enforced at the vNIC
    • Throughput scales as hosts are added
    • One kernel instance per vNIC
  • Virtualization-aware rules can match on
    • VM name
    • OS name
    • Datacenter
    • Cluster
    • Resource pool
    • Port group
    • Logical switch
    • vApp
    • Distributed port group
  • NSX 6.2: VMware Tools is no longer required for IP discovery; DHCP snooping and ARP snooping can be used instead
  • SpoofGuard
    • Prevents IP spoofing by binding approved IP addresses to a vNIC
    • Disabled by default
    • DHCP requests are allowed regardless of mode
    • Modes
      • Automatically trust IP assignments on first use
        • Allows all traffic while the vNIC-to-IP address table is built
      • Manually inspect and approve all IP assignments before use
        • Traffic from an IP is dropped until an admin approves that IP for the vNIC
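To make the two SpoofGuard modes concrete, here is a small Python model of the per-vNIC approved-IP table and the verdicts each mode produces. This is an added example, not NSX code: the Packet layout, the TOFU/MANUAL names and the demo traffic sequence are all constructed for illustration.

```python
"""SpoofGuard behaviour, modelled in plain Python.

Added example, not NSX code: it mimics the per-vNIC table of approved IPs
that SpoofGuard keeps and the two policy modes from the notes. The Packet
layout, the names TOFU/MANUAL and the demo traffic are this example's own
constructions.
"""
from dataclasses import dataclass, field

TOFU = "trust_on_first_use"    # "Automatically trust IP assignments on first use"
MANUAL = "manual_approval"     # "Manually inspect and approve all IP assignments"


@dataclass
class Packet:
    vnic: str
    src_ip: str
    dhcp_request: bool = False


@dataclass
class SpoofGuard:
    mode: str
    table: dict = field(default_factory=dict)    # vNIC -> approved source IPs
    pending: dict = field(default_factory=dict)  # vNIC -> IPs seen but not yet approved

    def approve(self, vnic: str, ip: str) -> None:
        """What an admin does in the UI: bind an IP to a vNIC."""
        self.table.setdefault(vnic, set()).add(ip)
        self.pending.get(vnic, set()).discard(ip)

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for a frame leaving a vNIC."""
        if pkt.dhcp_request:
            # DHCP requests pass regardless of mode; otherwise a VM could never get an address
            return "allow"
        approved = self.table.setdefault(pkt.vnic, set())
        if pkt.src_ip in approved:
            return "allow"
        if self.mode == TOFU and not approved:
            approved.add(pkt.src_ip)   # first address seen on the vNIC is trusted
            return "allow"
        # Manual mode, or a TOFU vNIC that already has a bound IP and now claims another one:
        # record it for review and drop until an admin approves it.
        self.pending.setdefault(pkt.vnic, set()).add(pkt.src_ip)
        return "drop"


def demo() -> dict:
    """Run one constructed traffic sequence through both modes."""
    results = {}
    for mode in (TOFU, MANUAL):
        sg = SpoofGuard(mode=mode)
        traffic = [
            Packet("vnic-1", "0.0.0.0", dhcp_request=True),  # DHCP discover before the VM has an IP
            Packet("vnic-1", "10.0.0.5"),                    # address the VM was actually given
            Packet("vnic-1", "10.0.0.5"),
            Packet("vnic-1", "10.0.0.99"),                   # same vNIC now claims a neighbour's IP
        ]
        verdicts = [sg.filter(p) for p in traffic]
        sg.approve("vnic-1", "10.0.0.99")                    # admin reviews and approves the change
        verdicts.append(sg.filter(Packet("vnic-1", "10.0.0.99")))
        results[mode] = verdicts
    return results


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

The point the model makes: in trust-on-first-use mode the VM's first address is accepted without anyone looking at it, so the protection only kicks in when a vNIC later claims a second address; in manual mode nothing but DHCP passes until an admin approves the binding, which is safer but means every new VM is dark until someone acts.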

8.3

  • User defined
  • Internal
  • Local
  • Universal Rules
  • Service Composer
  • Default Rules
  • PreRules
  • Ethernet rules (L2)
  • General rules (L3/L4)
  • Identity-based firewall considerations
    • Prerequisites
      • AD must be deployed
      • Guest Introspection service VM must be deployed to the cluster to be monitored
      • VMware Tools must be installed on the client desktop VM (Complete installation)
      • Activity Monitoring must be enabled
    • Limitations
      • Only Windows desktops are supported
      • Terminal servers and shared desktops are not supported

8.4 Service Composer

  • Group criteria
    • Dynamic inclusion: members are added automatically based on computer name, VM name, security tag or entity
    • Static inclusion: security group, cluster, logical switch, network, vApp, datacenter, IP sets and AD groups
    • Static exclusion from the group: MAC sets, security tag, vNIC, VM, resource pool, distributed port group
    • A security policy is its rules, a weight (higher weight is applied first) and inheritance
    • GUEST INTROSPECTION services, not deployed by default
      • Antivirus
      • Data security
      • File integrity monitoring
    • NETWORK INTROSPECTION services
      • IDS/IPS
      • Firewall
      • Define the traffic that is steered to the partner firewall (e.g. the PAN VM-Series)
      • By source or destination
      • Action
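The Service Composer points above (dynamic inclusion, static inclusion, static exclusion, and policy weight deciding what applies first) are easiest to check against a concrete inventory. The Python below is an added example and not NSX code; the VMs, tags, groups and policies are all constructed, and the rule strings stand in for real DFW rules. It shows how a tagged (infected) VM drops out of its web group through a static exclusion and picks up a higher-weight quarantine policy instead.

```python
"""Service Composer membership and policy ordering, modelled in Python.

Added example, not NSX code: it shows how a VM's effective rule set falls
out of dynamic inclusion, static inclusion, static exclusion and policy
weight. Every VM, group, tag and policy here is constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    computer_name: str
    cluster: str
    logical_switch: str
    security_tags: set = field(default_factory=set)

    def objects(self) -> set:
        """Static membership works on objects; these are the ones this VM belongs to."""
        refs = {("vm", self.name), ("cluster", self.cluster),
                ("logical_switch", self.logical_switch)}
        refs |= {("security_tag", t) for t in self.security_tags}
        return refs


@dataclass
class SecurityGroup:
    name: str
    dynamic: list = field(default_factory=list)         # (attribute, operator, value); all must match
    static_include: set = field(default_factory=set)    # (object_type, object_name)
    static_exclude: set = field(default_factory=set)


def _criterion(vm: VM, attr: str, op: str, value: str) -> bool:
    actual = getattr(vm, attr)
    if attr == "security_tags":
        return value in actual              # tag criterion: does the VM carry this tag
    return {"equals": actual == value,
            "starts_with": actual.startswith(value),
            "contains": value in actual}[op]


def is_member(vm: VM, group: SecurityGroup) -> bool:
    objs = vm.objects()
    if objs & group.static_exclude:
        return False                        # exclusion wins over any inclusion
    if objs & group.static_include:
        return True
    return bool(group.dynamic) and all(_criterion(vm, *c) for c in group.dynamic)


@dataclass
class SecurityPolicy:
    name: str
    weight: int          # higher weight is applied first
    applied_to: str      # security group the policy is bound to
    rules: list          # firewall rules in the policy's own order


def effective_rules(vm: VM, groups: list, policies: list) -> list:
    """Rules that will be published for this VM, in precedence order."""
    hit = {g.name for g in groups if is_member(vm, g)}
    rules = []
    for pol in sorted(policies, key=lambda p: p.weight, reverse=True):
        if pol.applied_to in hit:
            rules.extend(f"{pol.name}: {r}" for r in pol.rules)
    return rules


# Constructed inventory
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound.threat=high"
VMS = {
    "web-01": VM("web-01", "WEB01", "cl-prod", "ls-web", {"ST.Web"}),
    "web-02": VM("web-02", "WEB02", "cl-prod", "ls-web", {"ST.Web", QUARANTINE_TAG}),
    "db-01": VM("db-01", "DB01", "cl-prod", "ls-db", {"ST.DB"}),
    "jump-01": VM("jump-01", "JUMP01", "cl-mgmt", "ls-mgmt"),
}
GROUPS = [
    # dynamic on VM name, but a VM carrying the quarantine tag is statically excluded
    SecurityGroup("SG-Web", dynamic=[("name", "starts_with", "web-")],
                  static_exclude={("security_tag", QUARANTINE_TAG)}),
    SecurityGroup("SG-Quarantine", dynamic=[("security_tags", "equals", QUARANTINE_TAG)]),
    SecurityGroup("SG-Prod", static_include={("cluster", "cl-prod")}),
]
POLICIES = [
    SecurityPolicy("Prod-Baseline", 1000, "SG-Prod", ["allow tcp/22 from SG-Mgmt", "block any"]),
    SecurityPolicy("Web-Access", 5000, "SG-Web", ["allow tcp/443 from any"]),
    SecurityPolicy("Quarantine", 10000, "SG-Quarantine", ["block any"]),
]


if __name__ == "__main__":
    for name, vm in VMS.items():
        print(name, effective_rules(vm, GROUPS, POLICIES))
```

Two things worth noticing when reading the output: the quarantine policy lands above the web policy purely because of its weight, not because of the order the policies were created in, and web-02 loses its tcp/443 allow the moment the antivirus tag appears, because static exclusion is evaluated before any inclusion.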

8.5 Data Security

  • NSX Data Security supports:
    • 100 file formats
    • ABA routing numbers, HIPAA, driver's license numbers
    • Windows VMs only
    • Lets you address compliance requirements
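The page lists ABA routing numbers as one of the data types Data Security can find but says nothing about how a match is decided, so here is an added Python sketch of what a content classifier does with a nine-digit candidate: a check-digit test and a routing-prefix test, so that ticket numbers and other nine-digit strings are not reported. This is not NSX Data Security's engine; the regex, the prefix table and the three sample documents are this example's own constructions.

```python
"""Content classifier for ABA routing numbers, as a Python sketch.

Added example, not NSX Data Security code (the page does not describe how
NSX matches these): it shows the two checks a classifier applies to a
nine-digit candidate so that arbitrary numbers are not reported. The
sample documents are constructed.
"""
import re

CANDIDATE = re.compile(r"(?<!\d)\d{9}(?!\d)")   # exactly nine digits, not part of a longer run

# First two digits (the Federal Reserve routing symbol) that are valid for
# ABA routing numbers: 00-12, 21-32, 61-72 and 80.
VALID_PREFIXES = (set(range(0, 13)) | set(range(21, 33))
                  | set(range(61, 73)) | {80})


def aba_checksum_ok(digits: str) -> bool:
    """Weights 3,7,1 repeated over the nine digits; the sum must be divisible by 10."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def is_routing_number(digits: str) -> bool:
    return (len(digits) == 9 and digits.isdigit()
            and int(digits[:2]) in VALID_PREFIXES
            and aba_checksum_ok(digits))


def scan(text: str) -> list:
    """Return the nine-digit candidates in text that pass both checks."""
    return [m.group(0) for m in CANDIDATE.finditer(text) if is_routing_number(m.group(0))]


# Constructed documents: two routing numbers in valid format, two nine-digit
# decoys that fail the checksum, one decoy that passes the checksum but has
# an invalid prefix, and a nine-digit run buried inside a longer account number.
DOCUMENTS = {
    "wire_instructions.txt": "Beneficiary bank routing 021000021, account 000123456789.",
    "ticket.txt": "Ticket 123456789 raised by user 987654321; no financial data here.",
    "ach_batch.csv": "id,routing,amount\n1,011000015,250.00\n2,500000005,99.00",
}


def classify(documents: dict) -> dict:
    """Map each document to the routing numbers found in it (empty list means no violation)."""
    return {name: scan(body) for name, body in documents.items()}


if __name__ == "__main__":
    for name, hits in classify(DOCUMENTS).items():
        print(name, hits or "clean")
```

The prefix check matters as much as the checksum: one in ten random nine-digit strings passes the 3-7-1 test, as the 500000005 decoy shows, so a scanner that stops at the checksum will flag a lot of harmless identifiers.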

plasebikan