vRNI and Micro-segmentation with NSX.
One of the biggest use cases I personally come across with NSX Datacenter is focused around security, in particular the use of Micro-segmentation to secure virtual machines and get to the desired goal of a zero trust security model. If you’re not sure what this is then have a quick read of VMware
Part of my day job involves discussions with clients around how they secure their environment, applications and data. The conversation usually begins at the perimeter where there’s a firewall, they paid a lot of money for it and it has a ton of funky features that helps to protect their environment against threats etc. When the conversation moves inwards to the next layer we discuss how virtual machines are protected and the topics of conversations include VLANs, Access Control Lists, DMZs and with some client, separate hardware platforms or clusters. After 10 minutes or so I usually ask what protection they have between virtual machines or what visibility they have of the type of traffic flows and most of the time the conversation comes to a halt. At this point I tend to get a white board going and start to map some of these things out. Having had these conversations many times there are always two key moments that stand out. The first is the realisation that the majority of east-west traffic is not inspected or secured, the second is a further look of horror on how we identify what ports or rules to allow the server or application to function securely.
I think it’s fair to say that most environments have some sort of business critical legacy application that was written by someone who left the company years ago, in this story I’ll call him him Bob. This application is sometimes so important that no one dares touch it and the up time can be measured in years rather than days or weeks. Bob never paid much attention to documentation either as at the time it was his pet project and something he just developed on the side. Also this was in the days when virtualisation was not mainstream and everything existed on physical servers. Moving forward a couple of decades the entire company relies on this legacy application but it’s never patched or secured, and no one knows anything about what it communicates with or on what port.
You may be wondering where I’m going with this – bear with me as I’m going to introduce a product called vRealize Network Insight (vRNI) that can help with exact problem. In a nutshell what this tool allows you to do at scale is provide very detailed analytics on the traffic flows within the environment. With this level of information you begin to create application groups to see what is communicating with Bob’s application, and over what port. When it comes to planning and implementing Micro-segmentation most of the unknowns have been captured by this tool, allowing you to map out the rules needed to secure it. Whilst this tool is very in depth there is a really nice dashboard that gives a good high level overview. I’ve lifted the image below from the VMware HOL lab guide but in summary the breakdown shows the percentage of traffic that is east-west, VM to VM, routed, switched and north-south. To find out more detail you can click the doughnut to dive in to a particular flow.
The best thing is it will also suggest what rules to create with the ports and protocols required.
All of this data is exactly what you need to plan out a successful deployment of NSX. To learn more about vRNI the best place to start is the latest lab on VMWare HOL. As of May 2019 this is HOL-1902-02-CMP https://labs.hol.vmware.com/HOL/catalogs/lab/4698
At the time of writing the latest release of vRNI is 4.1 and the release notes can be found here