VMworld 2013: Troubleshooting and Monitoring NSX Service Composer Policies

Page 1

Troubleshooting and Monitoring NSX Service Composer Policies

Shubha Bheemarao, VMware

Mitchell Christensen, VMware

SEC5889

#SEC5889

Page 2

Objective

• Identify specific use cases that highlight the value of advanced visibility with simplified workflows

• Showcase why user and application visibility is essential to have a secure datacenter policy

• Demonstrate how NSX Activity Monitoring provides advanced visibility

Page 3

Security Teams Care About Policy and Compliance

Security Architect

Regulations, Standards, Best Practices

• Access Control

• Segmentation

• Automation

• Audit

Infrastructure Requirements

Common Control Frameworks

Page 4

Think About Your Last Interaction With The Security Team

VI Admin / Cloud Operator

Do we have this malicious software running?

PCI Auditors in the house… are we compliant?

High severity vulnerabilities on critical business systems… must patch!

Page 5

The Cloud Operator Has to Make This All Work…But How?

Security Policy ≠ Security Operations

Security team asks operator to implement policies that are specified at user and application level

Security Architect: I need this.

VI Admin / Cloud Operator: Yikes.

Page 6

Agenda

Security Operations Is Catching Up with Policy

Prerequisites To Enforcing Policy – Visibility

NSX Activity Monitoring Provides Advanced Visibility to Users and Applications

Demo of NSX Activity Monitoring to address Common Enterprise Security Policies

• Insider Threat

• Rogue Applications

• Malicious Software

Next Steps

Page 7

Visibility Tools Are Required To Implement Security Policy

DEFINE: Security Architect

MONITOR: VI Admin / Cloud Operator

ENFORCE: VI Admin / Cloud Operator

Page 8

Get Advanced Visibility Into Users and Applications

Step 1. Security team defines policy for who is allowed access to what applications. Then they ask the data center operator to make it happen.

Security Architect: Allow THIS user to access THAT application

VI Admin / Cloud Operator: No problem.

Page 9

Get Advanced Visibility Into Users and Applications

Step 2. Operator monitors the system to identify the right level of application protection. Then they tune the enforcement rules to ensure adherence to expected policy.

VI Admin / Cloud Operator: Easy.

Security Architect: Compliant.

Page 10

Get Advanced Visibility Into Users and Applications

Step 3. Operator identifies non-compliant activity and informs the security team to remediate / tune security policies. Gets approval and applies to workloads.

VI Admin / Cloud Operator: I found something fishy.

Security Architect: Yup. Can you block this?

VI Admin / Cloud Operator: Sure, no problem.

Page 11

Agenda

Security Operations Is Catching Up with Policy

Prerequisites To Enforcing Policy – Visibility

NSX Provides Tools for Advanced Visibility

Demo of NSX Activity Monitoring to address Common Enterprise Security Policies

• Insider Threat

• Rogue Applications

• Malicious Software

Next Steps

Page 12

NSX Provides Tools To Define and Enforce Policy

DEFINE (Security Architect): NSX Service Composer

MONITOR (VI Admin / Cloud Operator)

ENFORCE (VI Admin / Cloud Operator): NSX Service Composer, NSX Firewall

Page 13

VMware NSX Service Composer Provides Policy Framework

Built-In Services

• Firewall, Identity-based Firewall

• Data Security (DLP / Discovery)

Visibility

• Network traffic flows

• User access of network assets

• Active in-guest applications

• User access of in-guest applications

3rd Party Services

• IDS / IPS, AV, Vulnerability Mgmt

• 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7

Security Policies

• Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads

Automation

• Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services

Platform diagram: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN); Any Hypervisor; Any Network Hardware; Any Cloud Management Platform

Page 14

NSX Provides Advanced Visibility Into Users and Applications

DEFINE (Security Architect): NSX Service Composer

MONITOR (VI Admin / Cloud Operator): NSX Activity Monitoring

ENFORCE (VI Admin / Cloud Operator): NSX Service Composer, NSX Firewall

Page 15

NSX Activity Monitoring Provides Advanced Visibility

Built-In Services

• Firewall, Identity-based Firewall

• Data Security (DLP / Discovery)

Visibility

• Network traffic flows

• User access of network assets

• Active in-guest applications

• User access of in-guest applications

3rd Party Services

• IDS / IPS, AV, Vulnerability Mgmt

• 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7

Security Policies

• Define policies using profiles from built-in services and 3rd party services - HOW you want to protect workloads

Automation

• Use security tags and other context to drive dynamic membership of security groups – results in IF-THEN workflows across services

Platform diagram: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN); Any Hypervisor; Any Network Hardware; Any Cloud Management Platform

Page 16

NSX Activity Monitoring Provides Advanced Visibility

NSX Activity Monitoring provides visibility into group, application and destination activity in the virtual environment

• Users accessing assets

• Applications running on virtual machines

• Server access by AD Group, Security Group or Desktop Pool

• Interactions between groups (AD, SG or DP)

Diagram labels: User: Joe, AD Group, AD Group, Security Group, Security Group, Desktop Pool


Page 18

Sample Security Policy

Allow only approved users access to specific applications on corporate assets. Having a policy on WHO is allowed access to WHAT from WHERE is critical to secure assets.

In other words…

1. Allow only authorized users to access critical business applications

2. Allow only authorized applications on corporate servers

3. Allow access to only required ports from specific networks

Define / Monitor / Enforce

Page 19

Challenge: Do You Trust All Your Users?

Define / Monitor / Enforce

Policy Category

Regulatory / HIPAA: Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.

Challenges

• Threats are not just outside organizational boundaries

• Network level access control is not sufficient for cloud environments

• Controlled access for insiders based on user identity is required to safeguard corporate assets

Page 20

Requirement: Allow only authorized users to access critical applications

Define / Monitor / Enforce

Requirements

• Find which user group needs access to which asset

• Ability to generate reports on: Which users are connecting to the set of applications? What applications are the non-trusted users connecting to?

• Option to limit access based on user identity

Diagram labels: EPIC Servers, Nurses ✔, Doctors ✔, Finance, Accounting Servers

Page 21

Demo: UI Introduction

Page 23

Demo: Verify EPIC Access

Page 25

Demo: Block Finance access to EPIC Servers

Page 28

Challenge: Do you know what’s running on your servers?

Define / Monitor / Enforce

Policy Category

• Acceptable use of Information Systems: Clear definition of what is and is not acceptable

• Corporate Governance of IT: Define how technology is used and managed to support business needs

Challenges

• Visibility into all data center applications

• Identify Rogue Applications that either capture confidential information or siphon sensitive data to external sources

• Identify Vulnerable Applications to reduce the scope of attack

Page 29

Requirement: Allow only authorized applications on corporate servers

Define / Monitor / Enforce

Requirements

• Identify all applications running on corporate servers

• Create a list of acceptable, grey-listed and non-permitted applications for servers

• Monitor, restrict and report violations of all acceptable use policies

Diagram labels: DB Administrators, HR, HTTP, WEB, APP, DATABASE, ✔ ODBC, ODBC

Page 30

Demo: User Access to Applications

Page 32

Demo: Inbound Application Access

Page 35

Challenge: Are you protected from malware?

Define / Monitor / Enforce

Policy Category

• Acceptable use of Information Systems: Clear definition of what is and is not acceptable

• Single use systems: for protection of critical services

Challenges

• Identify and prevent further spread of malware in the network

• Regular monitoring for rogue or vulnerable applications to avoid compromise

Page 36

Requirement: Allow only required ports to be open based on expected use

Define / Monitor / Enforce

Requirements

• Find all user and application activity on critical servers

• Ensure that only allowed applications are running

• Monitor applicable controls regularly

Diagram labels: HR, HTTPS, WEB, APP, DATABASE

Page 37

Demo: VM Activity
Page 40

How Do You Deploy?

Diagram labels: Active Directory, Eric Frost, VM Tools, NSX Mgr, SVM, Compute, Management, Gateway

Today

Source: 172.16.254.1

Destination: 172.16.112.2

With Activity Monitoring

User: Eric

AD Group: Engineering

App Name: iexplorer.exe

Originating VM Name: Windows 7

Destination VM Name: Apache Server

Source IP: 192.168.10.75

Destination IP: 192.168.10.78
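
The WHO / WHAT / WHERE policy from the sample-policy slide, checked against records shaped like the "With Activity Monitoring" row above. This is an added example, not VMware's code or an NSX API; the policy table, the users Pat and Ana, and the check logic are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Fields mirror the "With Activity Monitoring" row on the slide.
Activity = namedtuple("Activity", "user ad_group app src_vm dst_vm src_ip dst_ip")

# Constructed policy (assumption): per destination VM, WHO (AD groups),
# WHAT (client applications) and WHERE (source networks) are allowed.
POLICY = {
    "EPIC Server": {"groups": {"Nurses", "Doctors"},
                    "apps": {"iexplorer.exe"},
                    "networks": ["192.168.10.0/24"]},
    "Apache Server": {"groups": {"Engineering"},
                      "apps": {"iexplorer.exe"},
                      "networks": ["192.168.10.0/24"]},
}

def violations(rec, policy=POLICY):
    """Return the policy dimensions a record violates; empty list = compliant."""
    rule = policy.get(rec.dst_vm)
    if rule is None:
        return ["no-policy"]  # default deny: traffic to an unlisted VM is reported
    found = []
    if rec.ad_group not in rule["groups"]:
        found.append("who")
    if rec.app.lower() not in rule["apps"]:
        found.append("what")
    src = ipaddress.ip_address(rec.src_ip)
    if not any(src in ipaddress.ip_network(net) for net in rule["networks"]):
        found.append("where")
    return found

def report(records, policy=POLICY):
    """Group non-compliant activity by destination VM for review."""
    out = {}
    for rec in records:
        bad = violations(rec, policy)
        if bad:
            out.setdefault(rec.dst_vm, []).append((rec.user, rec.ad_group, rec.app, bad))
    return out

# Constructed records; the first is the row shown on the slide.
SAMPLE = [
    Activity("Eric", "Engineering", "iexplorer.exe", "Windows 7", "Apache Server", "192.168.10.75", "192.168.10.78"),
    Activity("Pat", "Finance", "iexplorer.exe", "Windows 7", "EPIC Server", "192.168.10.80", "192.168.10.90"),
    Activity("Ana", "Nurses", "ftp.exe", "Windows 7", "EPIC Server", "10.9.9.9", "192.168.10.90"),
]

if __name__ == "__main__":
    for vm, rows in report(SAMPLE).items():
        print(vm, rows)
```

A plain source/destination IP pair, as in the "Today" view, cannot answer the "who" or "what" checks; only the identity-enriched record can.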


Page 42

Back At The Office…

1. Point your security team to VMware NSX.

2. Partner with security team to evaluate NSX Activity Monitoring to implement security policy

VI Admin / Cloud Operator: I just learned about VMware NSX Activity Monitoring and we could simplify a lot of this!

Security Architect: No kidding. Prove it!

VI Admin / Cloud Operator: I will.

Page 43

THANK YOU

Page 44

Related Sessions

NET5847 - NSX: Introducing the World to VMware NSX

SEC5749 - Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC

SEC5820 - NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control
