HOL-SDC-1415 lab guide (source PDF: docs.hol.vmware.com/HOL-2014/hol-sdc-1415_pdf_en.pdf)


Table of Contents

Lab Overview - HOL-SDC-1415 - IT Outcomes Security Controls Native to Infrastructure ..... 2
  Lab Guidance ..... 3
Module 1 - Policy-Based Compliance ..... 5
  Introduction ..... 6
  Manage vCenter Server Virtual Machines ..... 7
  Run and Enforce Compliance ..... 24
  Configure vCenter Operations Manager Integration ..... 30
  Check Initial Compliance Status in vCenter Operations Manager ..... 35
  Resolve Noncompliant Virtual Machine Template Results ..... 41
  Validate Final Compliance Status in vCenter Operations Manager ..... 53
Module 2 - Policy-Based Network Security ..... 60
  Introduction ..... 61
  Verify Open Communication between Virtual Machines ..... 62
  Apply Network Security Policies via NSX Distributed Firewall ..... 71
  Test Applied Network and Security Policies ..... 85
  Apply a Data Security Policy to Scan for Unprotected and Sensitive Data ..... 89
  Module Summary ..... 98

HOL-SDC-1415 Page 1


Lab Overview - HOL-SDC-1415 - IT Outcomes Security Controls Native to Infrastructure


Lab Guidance

Learn how several VMware technologies work together to implement policy-based network control, configuration and compliance management, and intelligent operations management. You will use NSX for vSphere to isolate, protect, and apply security policies across virtual network workloads. You will use vCenter Configuration Manager to continuously identify, assess, and remediate out-of-compliance virtual machines. Finally, you will use vCenter Operations Manager for operational insight into the health, risk, and efficiency of the virtual infrastructure.

Module 1: Policy-Based Compliance (30 Minutes)

Module 2: Policy-Based Network Security (25 Minutes)

Physical Lab Topology

vSphere Topology:

The two vSphere hypervisors in the environment are esx-01a.corp.local and esx-02a.corp.local, and they are configured as a single cluster.

Network Topology:

The Management Network (192.168.110.0/24) is a common network across the vSphere hypervisors, vCenter, NSX Manager, ControlCenter, vCenter Operations Manager (vCOPS) and vCenter Configuration Manager (vCM).

The vMotion Network (10.10.30.0/24) is used for vMotion traffic.

The App Network (192.168.120.0/24) is used for all Virtual Machine data traffic.

The Storage Network (10.10.20.0/24) is used to connect the hypervisors to the NFS storage appliance.

Storage Topology:

The two vSphere hypervisors have NFS-attached storage via the stgb-l-01a storage appliance.

vCenter, NSX Manager, vCOPS and vCM

vCenter is pre-configured and accessible on the Management Network on 192.168.110.22

NSX Manager is pre-configured and accessible on the Management Network on 192.168.110.42


vCOPS is pre-configured and accessible on the Management Network on 192.168.110.70

vCM is pre-configured and accessible on the Management Network on 192.168.110.77

Application Virtual Machines:

In this lab we are using a simple application with 2 servers (app-l-01a and db-w8-01a) and a test server test-l-01a.

app-l-01a.corp.local is connected on 192.168.120.10

db-w8-01a.corp.local is connected on 192.168.120.11

test-l-01a.corp.local is connected on 192.168.120.12


Module 1 - Policy-Based Compliance


Introduction

VMware vCenter Configuration Manager (VCM) delivers capabilities fundamental to ensuring that virtualized and cloud computing environments are properly configured to meet operational, security and compliance requirements. VCM is a full-featured configuration-management solution that automates configuration management across virtual, physical and cloud environments.

Enterprises can use VCM to continuously audit the configurations of VMware infrastructure as well as Windows, Linux and UNIX operating systems. Both physical and virtual configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines and regulatory mandates.

VCM compares your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you download, or that you create, to determine whether the machines meet the standards. The results of the compliance run tell you which machines meet the standards and which do not. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM.

Preset rules and templates are available that enable you to begin monitoring system compliance to regulatory (Sarbanes-Oxley, HIPAA, GLBA and FISMA), industry and Microsoft standards. You can create and manage rules and rule groups based on Active Directory (AD) objects and configuration data, or on machine data.

At a glance, vCenter Configuration Manager

1. Improves operational effectiveness by continuously auditing configurations of the VMware infrastructure and Windows, Linux and UNIX operating systems.

2. Speeds time to service restoration by correlating configuration changes tracked within VCM with performance and capacity issues identified by VMware vCenter Operations Manager.

3. Accelerates the adoption of virtualization and cloud computing for business-critical applications by addressing security and compliance concerns.

4. Reduces potential security threats through a unified approach to configuration management across physical and virtual infrastructure.

5. Drives down the effort and cost of configuration compliance through the use of an automated solution.


Manage vCenter Server Virtual Machines

Add and license the virtual machines identified based on a vCenter Guests collection from your vCenter Servers. If you are managing Windows virtual machines, you can also install the VCM Agent.

Using the Manage Guests wizard, you can add the virtual machines to the appropriate Available Machines data grid based on operating system, license the virtual machine based on operating system, or, for Windows machines, license and install the Agent.

Run PowerShell Script

Procedure:

1. Click on the Command Prompt Icon on the Task Bar.


Reboot the VCM Server using PowerShell

**Note** It may take up to 2 minutes while the server reboots and initializes VCM.

Procedure:

1. Type powershell in the command window.
2. Press Enter.
3. On the next line type Restart-Computer vcm-01a -Force
4. Press Enter to reboot the VCM server.


Open vCenter Configuration Manager

Procedure:

1. Once the VCM server comes back online, double-click the VCM icon on the desktop.

Log In to vCenter Configuration Manager with Proper Credentials

Procedure:


1. Log into VCM with the following credentials:

• Username: vcmadmin

• Password: VMware1!

2. Click OK.


Select the Appropriate User Level from the Drop-Down Menu

vCenter Configuration Manager users can have multiple roles. In this lab, CORP\VCADMIN is assigned three different roles in vCenter Configuration Manager:

• Admin: General administrator with access to all vCenter Configuration Manager functions.
• Server Manager: Role with full access to the Servers Dynamic Machine Group.
• Workstation Manager: Role with full access to the Workstation Dynamic Machine Group.

We will be using the Admin role throughout this lab; however, roles can be created and assigned at a very granular level.

Procedure:

1. Select 'Admin' User Role and click Login.

Install VCM agents for the selected Windows machines

Procedure:


1. Click Console.
2. Select Virtual Environments.
3. Select vCenter.
4. Select Guests.
5. Select Summary.
6. Select the Windows virtual machine (base-w7-01a).
7. Click Manage Guests.


Select Default Domain

Procedure:

1. On the Default Domain page, select CORP.LOCAL from the Domain drop-down list, then click OK.
2. Select the Active Directory radio button for Domain Type.
3. Click Next to continue.


Edit VM Guest Machine Info

Procedure:

1. On the Edit VM Guest Machine Info page, make sure the base-w7-01a Windows virtual machine is selected.

2. Click Next.


License the VM Guests and Install the Windows Agents

Procedure:

1. On the License VM Guests page, select License the selected machines.
2. Select Install VCM agents for the selected Windows machines.
3. Click Next.


Confirm your Changes

Procedure:

1. On the Confirm Your Changes page, review the changes.
2. Click Finish.


Set the Options for Installation

Procedure:

1. Leave the default options and Select Next


Schedule the Agent Installation

Procedure:

1. Confirm that the Run Action Now radio button is selected.
2. Select Next.


Installation Confirmation

Procedure:

1. Review the notice and Click Finish to deploy the Windows agents.


Watch the Progress of your Agent Installation

Procedure:

1. Click on the Jobs icon on the menu bar.


Monitor the Agent Installation

Procedure:

**Important** The Jobs Running window does not auto-refresh by default. Set the job to auto-refresh by following the steps below.

1. You can refresh the job collection manually by clicking on the Refresh icon.

2. Or you can set the job to auto-refresh for you: select 30 Seconds from the drop-down menu.

3. You can also auto-refresh the individual steps: select 5 seconds to monitor success or failure.

**Notice** It can take several minutes for this process to complete successfully.


Jobs Running

Procedure:

1. Once the job is complete, Click Close.


Verify that the Windows Agents have been successfully deployed

Procedure:

1. Select Administration.
2. Select Job Manager.
3. Select History.
4. Select Other Jobs.
5. Select Past 24 Hours.
6. You should see both of your Windows virtual machines in the Job History Machine Detail box with a Status of Succeeded.


Run and Enforce Compliance

Compliance templates evaluate the data collected from virtual or physical machines in machine groups to determine if the machines meet the rules in the templates. If the property values on a machine do not meet the rule criteria, and if no exception is defined, then the machine is flagged as noncompliant. When a machine is noncompliant, the template results provide the details of the settings or configurations that do not match the rules. You can use this information to resolve the problem.

Run Virtual Environment Compliance Templates

Procedure:

1. Click Compliance.
2. Select Machine Group Compliance.
3. Select Templates.
4. Select the Microsoft MSS Windows 7 Hardening Template.
5. Click Run Template.


Select Template Options

Procedure:

1. Select the Do not enforce noncompliant results at this time radio button.
2. Check the Check compliance alerts for this machine group check box.
3. Click OK.


Track Compliance Progress

Procedure:

1. When the template is finished running, you should see Your compliance run completed successfully in the progress bar.

2. Click on Close.


Review Compliance Results Report

Procedure:

1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.

2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are non-compliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.

3. To view the results in the data grid, click View data grid.

View Data Grid Results

Icon description:

• Green check mark: Successful compliance rules.
• Red exclamation mark: Failed compliance rules that are not enforceable directly by vCenter Configuration Manager.
• Red exclamation mark with a small yellow sign: Failed compliance rules that are enforceable directly by vCenter Configuration Manager.


Review Rules that are Out of Compliance

These policies will be enforced by VCM


Configure vCenter Operations Manager Integration

The integration between vCenter Operations Manager and VCM includes using the VCM compliance template results to contribute to the Risk badge score in vCenter Operations Manager.

The compliance templates are included in badge mappings that are run in VCM against objects in vCenter Server instances that are managed by both VCM and vCenter Operations Manager. These objects include virtual machines, host systems, clusters, vCenter Server instances, and datastores. The compliance mapping results determine the compliance score. vCenter Operations Manager then pulls the scores into the formulas used to calculate the Risk badge scores.

When you review the standards compliance in vCenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring an object that is noncompliant back to compliance.
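The evaluate, enforce and score cycle this module walks through (template rules checked against collected machine data, exceptions for accepted findings, enforceable versus non-enforceable failures as shown by the data grid icons, and a compliance score that feeds the Risk badge) as an added Python example. This is not code from the lab or from VCM; the rule names, the collected values for base-w7-01a and the badge colour bands are constructed assumptions for illustration, not the real Microsoft MSS Windows 7 Hardening rules or the real badge thresholds.

```python
# Added example, not code from the HOL-SDC-1415 lab or from VCM: a small model of how
# a compliance template is evaluated, enforced and rolled up into a badge score.
# Rule names, the collected values for base-w7-01a and the colour bands are
# constructed assumptions, not the real Microsoft MSS Windows 7 Hardening rules.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str          # rule identifier inside the template
    setting: str       # collected property the rule inspects
    expected: object   # value the property must have to pass
    enforceable: bool  # True if the tool can push the fix itself


@dataclass
class RuleResult:
    rule: Rule
    actual: object
    status: str  # compliant | exception | noncompliant | noncompliant-enforceable


def evaluate(template, collected, exceptions=frozenset()):
    """Check collected machine data against each rule; a failure with a registered
    exception is 'exception', an enforceable failure is 'noncompliant-enforceable'
    (red mark with yellow sign), any other failure is 'noncompliant' (manual)."""
    results = []
    for rule in template:
        actual = collected.get(rule.setting)
        if actual == rule.expected:
            status = "compliant"
        elif rule.name in exceptions:
            status = "exception"
        elif rule.enforceable:
            status = "noncompliant-enforceable"
        else:
            status = "noncompliant"
        results.append(RuleResult(rule, actual, status))
    return results


def enforce(collected, results):
    """Apply the expected value for each enforceable failure; return the remediated
    settings and the number of failures that still need manual remediation."""
    remediated = dict(collected)
    manual = 0
    for r in results:
        if r.status == "noncompliant-enforceable":
            remediated[r.rule.setting] = r.rule.expected
        elif r.status == "noncompliant":
            manual += 1
    return remediated, manual


def compliance_score(results):
    """Percent of evaluated rules that passed; exceptions are accepted results and
    are left out of both numerator and denominator."""
    evaluated = [r for r in results if r.status != "exception"]
    passed = sum(1 for r in evaluated if r.status == "compliant")
    return round(100 * passed / len(evaluated)) if evaluated else 100


def badge_colour(score):
    """Bands are an assumption made here; the real thresholds live in vCOPS."""
    bands = ((75, "green"), (50, "yellow"), (25, "orange"))
    return next((colour for floor, colour in bands if score >= floor), "red")


# Constructed five-rule template; MSS-05 stands in for a finding the tool can only
# report, not fix (the kind of item the lab leaves for manual remediation).
TEMPLATE = (
    Rule("MSS-01", "autorun_disabled", True, enforceable=True),
    Rule("MSS-02", "guest_account_enabled", False, enforceable=True),
    Rule("MSS-03", "lm_auth_level", 5, enforceable=True),
    Rule("MSS-04", "screensaver_timeout_sec", 900, enforceable=True),
    Rule("MSS-05", "os_patch_level", "current", enforceable=False),
)

# Constructed collection result for base-w7-01a in which every rule fails, matching
# the score of 0 and the red badge the lab shows before remediation.
BASE_W7_01A = {"autorun_disabled": False, "guest_account_enabled": True,
               "lm_auth_level": 1, "screensaver_timeout_sec": 0,
               "os_patch_level": "stale"}


def scored(results):
    return compliance_score(results), badge_colour(compliance_score(results))


def run_lab_flow():
    """Initial run, enforcement, re-run, then an exception for the leftover item."""
    first = evaluate(TEMPLATE, BASE_W7_01A)
    remediated, manual = enforce(BASE_W7_01A, first)
    second = evaluate(TEMPLATE, remediated)
    third = evaluate(TEMPLATE, remediated, exceptions={"MSS-05"})
    return {"initial": scored(first),
            "enforceable": sum(r.status == "noncompliant-enforceable" for r in first),
            "manual": manual,
            "after_enforce": scored(second),
            "after_exception": scored(third)}
```

Calling run_lab_flow() returns the score and colour after each stage: (0, "red") before enforcement, (80, "green") after the four enforceable items are pushed, and (100, "green") once an exception is registered for the one item the tool cannot fix. That last step is the reason exceptions deserve a recorded justification: they raise the badge score without changing the machine.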


Run the Compliance Badge Mappings for vCenterOperations Manager

Procedure:

1. Click Console.
2. Select Compliance.
3. Select vCenter Operations Manager Badge Mappings.
4. Select Mappings.
5. Select the Microsoft Windows 7 Hardening mapping.
6. Click Run.


Select Mapping Options

Procedure:

1. Select the Check Compliance Alerts for this Machine Group box.
2. Click OK.


Mapping Run Results

Procedure:

1. Validate that the mapping ran correctly.
2. Click Close.


Exit from vCenter Configuration Manager

Procedure:

1. Close the vCenter Configuration Manager interface by clicking the red 'x' button on the General Bar.

2. Click OK to confirm you want to close the session.


Check Initial Compliance Status in vCenter Operations Manager

The standards compliance score in VCM contributes a compliance score to the Risk badge score in vCenter Operations Manager. If the Risk score indicates distress for the object, you can view the compliance breakdown to determine which of the noncompliant templates are contributing to the score and determine what action to take to resolve the noncompliant results.

Open Internet Explorer

Procedure:

1. Double-Click the Internet Explorer icon on the Control Center Desktop


Log In to vCenter Operations Manager

Procedure:

1. Click vCenter Operations Manager in the favorites bar.
2. Enter vcmadmin as the username.
3. Enter VMware1! as the password.
4. Click Login.


Expand the Virtual Infrastructure Hierarchy

Procedure:

1. Click on World.
2. Select vcsa-01a.
3. Select Datacenter Site A.
4. Select Cluster Site A.
5. Select esx-02a.corp.local.
6. Select base-w7-01a.


Check the OS-Level Compliance Status using the Compliance Breakdown

Note: It can take several minutes for the compliance badge to appear, due to possible high workload in the lab environment.

Overview: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance).

In this example, notice that the Windows 7 virtual machine (base-w7-01a) is reported non-compliant. Five conditions were evaluated and all of them failed. vCenter Operations Manager calculated a score of 0 and set the color to red to indicate that this object needs remediation to become compliant.

Procedure:

1. Select the virtual machine base-w7-01a.
2. Select Planning.
3. Select Views.
4. Select Compliance.
5. Observe the compliance information for virtual machine base-w7-01a.


Return to vCenter Configuration Manager to Resolve Compliance Issues

Procedure:

1. Click on View Details in VCM to return to vCenter Configuration Manager (VCM).

Note: You may have to re-authenticate if you logged out of VCM.

Log into VCM with the following credentials:

• Username: vcmadmin
• Password: VMware1!


Resolve Noncompliant Virtual Machine Template Results

The results for the compliance templates indicate whether the virtual or physical machine is compliant or noncompliant. If the machine is noncompliant, you can enforce noncompliant results manually or using VCM, or you can add an exception for expected noncompliant results.

On the virtual machine scan, we found 5 items out of compliance for our base-w7-01avirtual machine.


Remediate Failed Compliance Rules that are Enforceable by vCenter Configuration Manager

Procedure:

1. Click Compliance.
2. Select Machine Group Compliance.
3. Select Templates.
4. Select the Microsoft MSS Windows 7 Hardening Template.
5. (Click View Data Grid if necessary) Select the Enforce tab.


Enforcement Selection

Procedure:

1. Select All Items in the Current Compliance Run.
2. Click Next.


Review the Enforcement Summary

Notice that 5 items will be enforced by VCM. We will manually address the other non-compliant items later in this lab.

Procedure:

1. Review the number of Selected Items and the number of Enforceable Items.
2. Notice that 5 items will be enforced by vCenter Configuration Manager using 4 jobs.
3. Click Finish to kick off the compliance remediation job.

Watch the Compliance Job Run

**Notice** It can take several minutes for this process to complete successfully.


Procedure:

1. Click on the Jobs tab in the menu bar.
2. You can refresh the job collection by clicking on the Refresh icon.
3. Or you can set the job to auto-refresh for you.
4. Once the job is complete, click Close.


View the Enforcement Results

Procedure:

1. Click on the Windows 7 Template in the left pane.
2. Click on the Run Template tab to refresh the compliance results.


Select Template Options

Procedure:

1. Select the Do not enforce noncompliant results at this time radio button.
2. Check the Check compliance alerts for this machine group check box.
3. Click OK.


Compliance Run Results

Procedure:

1. When the template is finished running, you should see Your compliance run completed successfully in the progress bar.

2. Click on Close.


Review Results

Procedure:

1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.

2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are non-compliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.

3. To view the results in the data grid, click View data grid.

Run the Compliance Badge Mappings for vCenterOperations Manager

Procedure:

1. Click Compliance.2. Select vCenter Operations Manager Badge Mappings.3. Select Mappings

HOL-SDC-1415

Page 49HOL-SDC-1415

Page 50: Table of Contents - VMwaredocs.hol.vmware.com/HOL-2014/hol-sdc-1415_pdf_en.pdf · hypervisors, vCenter, NSX Manager, ControlCenter, vCenter Operations Manager (vCOPS) and vCenter

4. Select the Microsoft Windows 7 Hardening mapping.

5. Click Run.


Select Mapping Options

Procedure:

1. Select the Check Compliance Alerts for this Machine Group box.

2. Click OK.


Mapping Run Results

Procedure:

1. Validate that the mapping ran correctly.

2. Click Close.


Validate Final Compliance Status in vCenter Operations Manager

Finally, we will go back into vCenter Operations Manager to make sure that the compliance badge now matches the compliance status found in VCM.

Open Internet Explorer

Procedure:

1. Double-Click the Internet Explorer icon on the Control Center Desktop

Log In to vCenter Operations Manager

Procedure:


1. Click vCenter Operations Manager in the favorites bar.

2. Enter vcmadmin as the username.

3. Enter VMware1! as the password.

4. Click Login.


Expand the Virtual Infrastructure Hierarchy

Procedure:

1. Click on World.

2. Select vcsa-01a.

3. Select Datacenter Site A.

4. Select Cluster Site A.

5. Select esx-02a.corp.local.

6. Select base-w7-01a.


Compliance View

Note: It can take several minutes for the compliance badge to appear. This is due to possible high workload in the lab environment.

Review: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance).

After performing remediation, notice that our Windows 7 virtual machine (base-w7-01a) is now green and reporting 100% compliance.

Procedure:

1. Select the virtual machine base-w7-01a.

2. Select Planning.

3. Select Views.

4. Select Compliance.

5. Observe the compliance information for virtual machine base-w7-01a.


View Change Events Inside vCenter Operations Manager

You can also track events coming from vCenter Configuration Manager.

Procedure:

1. Click Events.

2. Click the Compliance shadow badge.

3. Click the bullseye icon (to show self events).

4. Click the small Compliance badge.

5. Narrow the scope to the last hour by clicking on the Calendar icon.

6. Change to Last Hour.

7. Click the small blue arrow to apply the modifications.


Review the Filtered Events

Review the status of the virtual machine's compliance over time.


Module 2 - Policy-Based Network Security


Introduction

In this module we will review how the NSX Distributed Firewall and Data Security can provide network security and compliance within the SDDC.

You are currently logged on to the ControlCenter, which can communicate with all of the application VMs in the lab (the db-w8-01a, app-l-01a and test-l-01a virtual machines). The lab virtual machines can communicate with each other because they reside on a single Layer 2 segment, which is a violation of security policy at ABC Corporation. We will first verify connectivity between these virtual machines and then apply NSX distributed firewall policies to block specific communication. We will then apply Data Security policies to scan the datacenter for sensitive and unprotected data as a PCI compliance check.


Verify Open Communication between Virtual Machines

In this section we will verify connectivity between the ControlCenter and the other application VMs.

Test Remote Desktop Connection to the Production Database Server (db-w8-01a)

The first task is to test connectivity from the ControlCenter to our production database machine. Double-click the db-w8-01a.rdp link on the ControlCenter desktop.


Launch a Remote Session to the Database Server (db-w8-01a)

Login credentials:

User: CORP\Administrator

Password: VMware1!


Verify Open Connectivity to the Database Server (db-w8-01a)

Confirm that you are properly connected to the db-w8-01a virtual machine by checking the background information.

Disconnect the Remote Desktop Connection to the db-w8-01a Server

Disconnect the Remote Desktop Connection by clicking the upper right X icon.


Test Connectivity to Production Web Server (app-l-01a)

1. Launch Putty from the ControlCenter task bar and select the app-l-01a.corp.local saved session.

2. Click Load.

3. Click Open.


Login to app-l-01a server

Login credentials:

User: root

Password: VMware1!

Test connectivity from the app-l-01a server to the db-w8-01a server

1. Run the command "ping db-w8-01a.corp.local -c 3 -q".

2. Verify that there is connectivity.

Test connectivity from the app-l-01a server to the test-l-01a server

1. Run the command "ping test-l-01a.corp.local -c 3 -q".

2. Verify that there is connectivity.


Close the Putty session

Test Connectivity to Test Server (test-l-01a)

1. Launch Putty from the ControlCenter task bar and select the test-l-01a.corp.local saved session.

2. Click Load.

3. Click Open.

Login to test-l-01a server

Login credentials


User: root

Password: VMware1!

Test connectivity from the test-l-01a server to the db-w8-01a server

1. Run the command "ping db-w8-01a.corp.local -c 3 -q".

2. Verify that there is connectivity.

Close the Putty session.


Test Connectivity to the Lab Application

Launch the Firefox web browser located on the ControlCenter desktop.

Click on the Lab Application bookmark.

Verify that the sample web application is accessible via HTTP port 80.

The web server is hosted on app-l-01a, while the database server is on the db-w8-01a virtual machine.

Network Connectivity Test Results

We were able to verify that:

The ControlCenter can open a remote desktop connection to the db-w8-01a virtual machine.

The ControlCenter can open SSH connections to the app-l-01a and test-l-01a virtual machines.

Application virtual machines db-w8-01a and app-l-01a have IP connectivity to each other.


The test-l-01a virtual machine has IP connectivity to the application virtual machines (db-w8-01a and test-l-01a).

The sample Lab Application is reachable via ControlCenter.


Apply Network Security Policies via NSX Distributed Firewall

Now that you have tested the reachability of the systems and witnessed the complete lack of security in the environment, we will implement security policies in VMware NSX to block connectivity that is not required.

To save time, the security policies have already been created in this lab; we will review these policies and make changes where needed.

In this lab we will use the VMware NSX Distributed Firewall, which is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vCenter objects like datacenters and clusters, virtual machine names and tags, network constructs like IP/VLAN/VXLAN addresses, as well as user group identity from Active Directory. Firewall rules are enforced at the vNIC level of each virtual machine to provide consistent access control even when the virtual machine gets vMotioned. The hypervisor-embedded nature of the firewall delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts are added to a datacenter.

Access NSX Manager

In this section we will access the NSX Manager UI and view the pre-created security policies.


Login to vCenter Web Client

Launch the Firefox browser application from the ControlCenter desktop.

The browser is configured to launch the vCenter Web Client; if it does not launch, select it from the bookmarks.

Login credentials:

User: CORP\Administrator

Password: VMware1!

(Note: Selecting "Use Windows Session Authentication" will also log you in)


Access the Networking and Security Section

Click on Networking and Security


Access the Distributed Firewall Rules

1. Click on the Firewall section in the left pane.

2. Expand the firewall policy by clicking on the Lab Application Policy.

3. Then expand the Default Section Layer3.


Analyse Distributed Firewall Policy - L3 and L4

In this section we will analyse all the firewall policies that have been created. As you can see, all the policies have been set to "Allow"; we will change the appropriate policies to "Deny".

Firewall Rule - Allow HTTP Access to WebServers

In this policy we have configured the distributed firewall to permit HTTP connections from any source to servers in the WebServer-SecurityGroup.

The security group called WebServer-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server app-l-01a.corp.local.

Click on the "x" to close the Security Group pop-up window.


Firewall Rule - Allow Web to Database Access

In this policy we have configured the distributed firewall to permit communication between the WebServer-SecurityGroup and the Database-SecurityGroup.

The security group Database-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server db-w8-01a.corp.local.

Click on the "x" to close the Security Group pop-up window.

Firewall Rule - Allow ControlCenter SSH Access

In this policy we have configured the distributed firewall to permit SSH communication to the app-l-01a.corp.local, db-w8-01a.corp.local and test-l-01a.corp.local servers from the ControlCenter.

Click on the ControlCenter link to view the configured IP 192.168.110.10.

Click on the "x" to close the pop-up window.

Firewall Rule - DNS and AD domain access

In this policy we have configured the application servers and the test-l-01a server to communicate with the ControlCenter for DNS and Active Directory services.


The Microsoft Active Directory service is pre-defined in NSX, so it is easy to select and deploy.

Click on the "x" to close the pop-up window.


Firewall Rule - Allow vCM to Test Servers

In this policy we have configured the vCenter Configuration Manager (192.168.110.77) to communicate with the test-l-01a server and the Windows 7 VM base-w7-01a (we will use this virtual machine later in the lab to show how Configuration Manager can be used to patch the operating systems for compliance).

Click on the "x" to close the pop-up window.

Firewall Rule - Allow Test Servers to vCM

In this policy we have configured the Test Servers (test-l-01a and base-w7-01a) to initiate communication to the vCM server.

Click on the TestServer-SecurityGroup (which has been pre-created) to view its membership.

Click on the "x" to close the Security Group pop-up window.


Firewall Rule - Default Rule

We have configured the NSX distributed firewall to Allow all traffic as the default policy; however, we will now change this policy to Block all traffic.

Click on the small + sign next to Allow.

Change the Action to Block.

Click OK.

Since the security policy has been changed, we will need to Publish these changes.

Click on Publish Changes.


Analyse Distributed Firewall Policy - L2

Click on Firewall, then on Ethernet.

Expand the rules in the Default Layer 2 Rule Section.

Ethernet Rule - Block access from Application Servers to Test Servers

1. This is the first firewall rule in the list. You will notice that at the moment it has been configured to allow connectivity between the Application servers and Test Servers, which is not the desired state.

2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.

3. Click OK and proceed to the next rule.


Ethernet Rule - Block access from Test Servers to Application Servers

1. You will notice that at the moment it has been configured to allow connectivity between the Test servers and Application Servers, which is not the desired state.

2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.

3. Click OK and proceed to the next rule.

Note: The first 2 rules have been explicitly set up to block communication between the App and Test servers because the default L2 policy will be to allow communication between all other end points.


Ethernet Rule - Block communication between database servers in the same tier

In this lab only one database server is used; however, in production environments there could be many provisioned, and a rule like the one above can be used to block communication between the servers in the same tier.

1. Currently this rule is set to Allow communication, which is not desired.

2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.

3. Click OK and proceed to the next step.


Ethernet Rule - Block communication between Web servers in the same tier

In this lab only one web server is used; however, in production environments there could be many provisioned, and a rule like the one above can be used to block communication between the servers in the same tier.

1. Currently this rule is set to Allow communication, which is not desired.

2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.

3. Click OK.

Notice that all the rule changes have to be Published. Click on Publish Changes as shown.


Ethernet Default Rule

Note that the default Ethernet Rule is set to Allow all other communication in the virtualized environment. This is the desired state.


Test Applied Network and Security Policies

In the previous section we analysed the NSX distributed firewall security policies and made changes so as to only permit certain traffic and block the rest.

In this section we will verify how the micro-segmentation security capabilities of the NSX distributed firewall can be used to effectively isolate virtual machine traffic even on a shared Layer 2 segment.

Verify Connectivity from ControlCenter

We will first verify access to the db-w8-01a, app-l-01a and test-l-01a virtual machines from the ControlCenter.

Launch Remote Desktop Connection to Database Server

Locate and launch the remote desktop connection link to db-w8-01a from the ControlCenter desktop.

Since the firewall policy only allowed SSH access to the database server, the RDP connection was denied.

Launch SSH connection to Test server

Locate and launch the Putty application from the ControlCenter taskbar.

1. Select test-l-01a.corp.local.

2. Click Load.

3. Click Open.


Access is granted since the security policy allows SSH access from the ControlCenter.

Login Credentials:

User: root

Password: VMware1!


Test connectivity between the Test Server and the Application Servers

In the previous section we configured the firewall policy to block communication between the test-l-01a server and the application servers (db-w8-01a and app-l-01a).

1. Ping db-w8-01a.corp.local -c 3 -q. You will notice 100% packet loss.

2. Ping app-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.

In both cases you will notice that DNS resolution is possible via the ControlCenter; however, all ICMP traffic to the database and application servers is blocked.

Close the Putty session.

Test connectivity between the Application Servers and the Test Server

In the previous section we configured the firewall policy to allow communication from the web server app-l-01a to the database server db-w8-01a while blocking communication to the test server test-l-01a.

Locate and launch the Putty application from the ControlCenter taskbar.

Launch an SSH session to the app-l-01a.corp.local server.

Login Credentials:

User: root / Password: VMware1!

1. Ping db-w8-01a.corp.local -c 3 -q. It will report 100% packet loss because in the previous section we only allowed MySql traffic on port 3306 from the web servers to the database server.

2. Ping test-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.


In both cases you will notice that DNS resolution is possible via the ControlCenter.
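To reason about these results away from the lab, here is an added example (not NSX or VMware code) that models the L2 Ethernet and L3/L4 rule sets as left after the previous section and evaluates the connectivity tests from this one; Ethernet rules are assumed to be evaluated before the L3 rules, first match wins, and the web-to-database rule is modelled as TCP 3306 as stated above. The group names AppServers and LabServers, the vcm hostname, the DNS ports used for the DNS and AD rule, and the any-service scope of the two vCM rules are assumptions of this model.

```python
"""Offline model of the lab's NSX Distributed Firewall rule set after the
changes made in the previous section. Added example, not NSX code.
Ethernet (L2) rules are evaluated first, then L3/L4 rules; first match wins."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Security group membership as shown in the lab. "AppServers" and "LabServers"
# are assumed names for the objects the lab rules point at; "vcm" is an
# assumed hostname for vCenter Configuration Manager (192.168.110.77).
GROUPS = {
    "WebServer-SecurityGroup": {"app-l-01a"},
    "Database-SecurityGroup": {"db-w8-01a"},
    "TestServer-SecurityGroup": {"test-l-01a", "base-w7-01a"},
    "AppServers": {"app-l-01a", "db-w8-01a"},
    "LabServers": {"app-l-01a", "db-w8-01a", "test-l-01a"},
    "ControlCenter": {"ControlCenter"},   # 192.168.110.10 in the lab
    "vCM": {"vcm"},
    "any": None,                          # None = matches every host
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for ICMP

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    action: str                   # "allow" or "block"
    services: FrozenSet[Tuple[str, Optional[int]]] = frozenset()  # empty = any

def svc(*pairs):
    return frozenset(pairs)

# Ethernet rules as left after this section (the default L2 rule stays Allow).
L2_RULES = [
    Rule("Block App to Test", "AppServers", "TestServer-SecurityGroup", "block"),
    Rule("Block Test to App", "TestServer-SecurityGroup", "AppServers", "block"),
    Rule("Block DB tier to DB tier", "Database-SecurityGroup", "Database-SecurityGroup", "block"),
    Rule("Block Web tier to Web tier", "WebServer-SecurityGroup", "WebServer-SecurityGroup", "block"),
    Rule("Default L2", "any", "any", "allow"),
]

# L3/L4 rules. DNS is modelled as tcp/udp 53 and the AD service set left out
# (assumption); the vCM rules are modelled as any service (assumption).
L3_RULES = [
    Rule("Allow HTTP Access to WebServers", "any", "WebServer-SecurityGroup", "allow", svc(("tcp", 80))),
    Rule("Allow Web to Database Access", "WebServer-SecurityGroup", "Database-SecurityGroup", "allow", svc(("tcp", 3306))),
    Rule("Allow ControlCenter SSH Access", "ControlCenter", "LabServers", "allow", svc(("tcp", 22))),
    Rule("DNS and AD domain access", "LabServers", "ControlCenter", "allow", svc(("udp", 53), ("tcp", 53))),
    Rule("Allow vCM to Test Servers", "vCM", "TestServer-SecurityGroup", "allow"),
    Rule("Allow Test Servers to vCM", "TestServer-SecurityGroup", "vCM", "allow"),
    Rule("Default Rule", "any", "any", "block"),   # changed from Allow to Block above
]

def _matches(rule: Rule, flow: Flow) -> bool:
    for host, group in ((flow.src, rule.src), (flow.dst, rule.dst)):
        members = GROUPS[group]
        if members is not None and host not in members:
            return False
    return not rule.services or (flow.proto, flow.dport) in rule.services

def evaluate(flow: Flow) -> Tuple[str, str, str]:
    """Return (action, layer, rule_name) for the first matching rule."""
    for layer, rules in (("L2", L2_RULES), ("L3", L3_RULES)):
        for rule in rules:
            if _matches(rule, flow):
                if rule.action == "block" or layer == "L3":
                    return rule.action, layer, rule.name
                break   # L2 allow: fall through to the L3 rule set
    return "block", "L3", "implicit"

if __name__ == "__main__":
    # The connectivity tests performed in this section of the lab.
    tests = [
        Flow("ControlCenter", "db-w8-01a", "tcp", 3389),   # RDP, denied
        Flow("ControlCenter", "test-l-01a", "tcp", 22),    # SSH, allowed
        Flow("test-l-01a", "db-w8-01a", "icmp"),           # ping, 100% loss
        Flow("test-l-01a", "app-l-01a", "icmp"),           # ping, 100% loss
        Flow("app-l-01a", "db-w8-01a", "icmp"),            # ping, 100% loss
        Flow("app-l-01a", "db-w8-01a", "tcp", 3306),       # MySQL, allowed
        Flow("test-l-01a", "ControlCenter", "udp", 53),    # DNS still works
    ]
    for f in tests:
        action, layer, name = evaluate(f)
        print(f"{f.src:>13} -> {f.dst:<13} {f.proto}/{f.dport}: {action:<5} ({layer}: {name})")
```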


Apply a Data Security Policy to Scan for Unprotected and Sensitive Data

NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by NSX Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

To begin using NSX Data Security, you create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. NSX supports PCI, PHI, and PII related regulations only.

Data Security Policy for Database Servers

In this lab, on the database server db-w8-01a.corp.local we have stored some sensitive and unprotected credit card information, which makes it not PCI compliant.

We will first review the configuration for Data Security in NSX that has been pre-configured to scan for credit card number violations. In the next step we will run the Data Security scan to review these violations.


Access NSX Configuration

Launch the Firefox web browser and click on the vCenter Web Client bookmark.

Login Credentials:

1. User: CORP\Administrator

2. Password: VMware1!

3. Click OK.

4. Click Networking and Security to access the NSX configuration.

Access Service Composer Security Policy

1. Click Service Composer.

2. Click Security Policies.

3. Select the Database-SecurityGroup Security Policy.

4. Click the number displayed in the Applied To column. Notice that this security policy has been applied to the database server db-w8-01a.corp.local in the Database-SecurityGroup. Click on the x to close this pop-up window.


5. Click on the number displayed in the Endpoint Service column. Notice that the VMware Data Security Service has been applied for the PCI compliance check; also notice that this policy has not been set to automatically enforce, since we will be running the scan manually in the next step. Click on the x to close this pop-up window.


Run Data Security Scan

1. Click on the Data Security section.

2. Then click Manage.

Click Edit.


Select Data Security Regulation and Standards

1. Click Select Regulations.

2. Click All. This will list all the available content blades for NSX regulations.

3. In the search bar type "Credit" and hit Enter.

4. Select the Credit Card Numbers content blade.

5. Click Next.

6. Click Finish.

Once you select the regulations that you want your company data to comply with, NSX can identify files that contain information which violates these particular regulations.


Start Data Security Scan

Before we start the security scan we will need to Publish the changes.

1. Click Publish Changes. Notice that the scan for the Credit Card Number regulation has been enabled and the system has been set to monitor various file types.

2. Click Start.

3. Click Monitor.


Monitor Data Security Scan

1. Stay on the Monitor tab.

2. Click Dashboard. The security scan will take approximately 3 minutes to complete.

3. Click the Refresh button on the right to view progress. Once completed, notice that the db-w8-01a server has been reported to have the violation.

4. Click on Reports to view the violation details.


View Reports from the Data Security Scan

Select Reports.

Select Violating Files in the View Report menu.

Notice that there are 2 files identified on the db-w8-01a database server that are non-compliant with the Credit Card Number PCI regulation.

The data security administrator can now take corrective actions to protect sensitive data so that the application is compliant with the related regulations.
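To show what a "Credit Card Numbers" content blade has to do to produce a Violating Files report like the one above, here is an added example (not NSX or VMware code) that scans constructed in-memory files for card-number-length digit runs, keeps only those that pass the Luhn checksum so that ordinary order or serial numbers are not reported, and returns the violating files with the numbers masked. The file names and contents are constructed, and the card numbers are the well-known public test numbers, not real accounts.

```python
"""Simplified model of a Data Security 'Credit Card Numbers' content blade.
Added example, not NSX code. Candidate digit runs (13 to 19 digits, optionally
separated by single spaces or dashes) are filtered with the Luhn checksum,
and only files with at least one surviving hit are reported."""
import re
from typing import Dict, List

# 13 to 19 digits with optional single space/dash separators, not embedded
# in a longer digit run (the lookarounds stop partial matches).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    """Return the normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(number: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    return "*" * (len(number) - 4) + number[-4:]

def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {filename: [masked numbers]} for every file with a violation."""
    report = {}
    for name, content in files.items():
        hits = find_card_numbers(content)
        if hits:
            report[name] = [mask(h) for h in hits]
    return report

# Constructed sample files standing in for the database server's file system.
SAMPLE_FILES = {
    "customers.csv": "id,name,card\n17,Jane Doe,5555-5555-5555-4444\n",
    "notes.txt": "call back re card 4111 1111 1111 1111 tomorrow\n",
    "orders.log": "order 1234567890123456 shipped from 192.168.110.10\n",
    "readme.txt": "nothing sensitive here\n",
}

if __name__ == "__main__":
    for name, numbers in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(numbers)}")
```

The orders.log entry contains a 16-digit run that fails the Luhn check, which is why it does not appear in the report; the two other files are reported, matching the two violating files found in the lab.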


Module Summary

In this module we showcased how to leverage NSX Distributed Firewall (DFW) services to apply policies that provide network micro-segmentation between workloads, as well as to prevent unauthorized access to controlled machines. We also saw how NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-SDC-1415

Version: 20150227-060149
