
Luke Huckaba, Principal Architect, Rackspace
Anand Iyer, Global Product Marketing, VMware

LHC1753BE

#VMworld #LHC1753BE

Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance

VMworld 2017 Content: Not for publication or distribution

VMware Cloud Provider Name Change

#LHC1753BE CONFIDENTIAL


What Can a VMware Cloud Provider Do for You?

✓ 4500+ Cloud Providers globally

✓ Seamless integration with vSphere

✓ Same operational tools on-premises and in the cloud

✓ Value-added services, including management and support

✓ Easy on-ramp to the cloud for existing vSphere workloads

BENEFITS / RESULTS

• IaaS

• Cold and Warm Migration

• Seamless Connectivity (L2VPN Client)

• Value Added Services

• Managed Hosting

• Disaster Recovery

• Desktop as a Service

• SDDC + vCloud Director

Agenda

• About the case study

• VMware NSX Distributed Firewall Overview

• Planning

• Implementation

• QSA Review

• Ongoing Maintenance


About the case study


• What it is: Rackspace PCI-DSS certification for management infrastructure

• What it is not: Rackspace customer certification

– Customers attain their own certification

• Problem: Systems in-scope for PCI are commingled in the same L2 network as non-PCI systems

– Option 1: Re-IP

– Option 2: Deploy VMware NSX Distributed Firewall for microsegmentation

• VMware’s NSX Distributed Firewall leveraged to microsegment each environment


VMware NSX Distributed Firewall Overview


• Software VIB that runs on each ESXi host

• Stateful software firewall

• Firewall rules are applied to traffic in between the vNIC and the vSphere Distributed Switch

• Layer 2, 3 & 4 firewall rules, and up to layer 7 with 3rd party vendors/integrations

• Single management plane per vCenter


An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall:

▪ Firewalls/policies provisioned simultaneously with VMs

▪ Policies move with their VMs

▪ Retiring a VM deprovisions its firewall – no possibility of stale rules

▪ State persistent across VMware vMotion®

NSX for vSphere firewalling: fully distributed, embedded in every hypervisor in the data center


Planning


• Documentation is king!

• Follow an “outside-to-in” approach

– Similar to a “top-down” approach

• Audit all traffic flows

– What systems access the VMs from outside of the virtual environment?

– Inter-VM communication across multiple vCenters

– Which VMs inside the virtual environment access systems outside of the environment?

– Inter-VM communication from within the same vCenter

[Figure: traffic-flow diagram of a vCenter hosting PCI and Non-PCI systems, with flows labelled "Outside to in", "Inside to out" and "Inter-VM traffic"]

Planning

• Use a spreadsheet to group everything

• Four (4) key grouping objects

– IP Sets

• Group of single IPs, Subnets, IP Ranges

– Security Groups

• Group of VMs, IP Sets

– Services

• Protocol & ports

– Service Groups

• Group of services

[Screenshots: the planning spreadsheet, followed by the NSX views for IP Sets, Security Groups, Services, Service Groups, Security Policies and Applied Security Policies]

Implementation


• Follow your documentation

• Create IP sets first

• Create Security Groups

[Figure: IP Sets 10.1.0.0/24, 10.2.0.0/24, 10.10.7.58, and 10.4.0.0/24 + 10.5.0.0/24 feeding a Dynamic Security Group and two Security Groups]

Security Group membership examples (screenshots):

– Dynamic, based on VM Name & Security Tag

– Static, based on IP Set

– Dynamic, based on virtual datacenter, and… dynamically exclude based on objects
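The four grouping objects from the Planning slides (IP Sets, Security Groups, Services, Service Groups) and the dynamic, static and excluded Security Group membership shown above, modelled in Python as an added example that is not NSX code. The group names, addresses, tags and rules are constructed, and real NSX membership criteria and rule evaluation are richer than this model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample objects; names, addresses and tags are made up.
IP_SETS = {"pci-subnet": ["10.1.0.0/24"], "jumphosts": ["10.4.0.0/24", "10.5.0.0/24"]}
SERVICES = {"https": ("tcp", 443), "ssh": ("tcp", 22), "rdp": ("tcp", 3389)}
SERVICE_GROUPS = {"admin-access": ["ssh", "rdp"]}

@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    ip_sets: list = field(default_factory=list)  # static membership via IP Sets
    name_contains: str = ""                      # dynamic: match on VM name
    tag: str = ""                                # dynamic: match on security tag
    exclude_tag: str = ""                        # dynamic exclusion, evaluated first

    def contains(self, vm: VM) -> bool:
        if self.exclude_tag and self.exclude_tag in vm.tags:
            return False
        addr = ipaddress.ip_address(vm.ip)
        if any(addr in ipaddress.ip_network(c) for s in self.ip_sets for c in IP_SETS[s]):
            return True
        if self.name_contains and self.name_contains in vm.name:
            return True
        return bool(self.tag and self.tag in vm.tags)

GROUPS = {
    "pci": SecurityGroup(name_contains="pci", tag="PCI", exclude_tag="DECOMMISSIONED"),
    "admins": SecurityGroup(ip_sets=["jumphosts"]),
}

# Rules in the shape Service Composer derives from policies: (source, destination, service, action)
RULES = [("admins", "pci", "admin-access", "allow"), ("pci", "pci", "https", "allow")]

def service_ports(name):
    """Expand a Service or Service Group name into (protocol, port) pairs."""
    return [SERVICES[n] for n in SERVICE_GROUPS.get(name, [name])]

def decide(src: VM, dst: VM, proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for s, d, svc, action in RULES:
        if GROUPS[s].contains(src) and GROUPS[d].contains(dst) and (proto, port) in service_ports(svc):
            return action
    return "deny"
```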


Implementation

• Follow your documentation

• Use Service Composer to create Security Policies

– Offering a service or consuming a service?

• Where is the traffic initiated from?

[Figure: vCenter]

– Offering a service

[Figure: a Security Group offering a Service to Consumers]

– Consuming a service

[Figure: a Security Group consuming an Application Service]

– Apply policies to security groups

[Figure: the offering and consuming policies applied across several Security Groups]

– Dynamically builds firewall rules for you

• After going over Service Composer, does this make better sense?

QSA Review


• Start with the spreadsheet

– Cover all communications starting with IP Sets, Security Groups, Services, and Service Groups

• Create Auditor-role user in NSX

– Provide overview and walkthrough of Service Composer & Security Policies

• Explain all firewall rules and how they’re generated through Service Composer


Ongoing Maintenance


• Proper change control is a PCI requirement

– User A submits change request

– Member of governing group reviews and approves/denies change request

– Member of approved admins carries out change

• Maintain ‘Approved’ spreadsheet

• Ticketing system to track all changes

– Update your spreadsheet!

• Regular audits

– Quarterly, semi-annually

– Validate what’s in NSX is what’s in the ‘Approved’ spreadsheet
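The periodic validation step above (what is in NSX versus what is in the 'Approved' spreadsheet), as an added Python example that is not from the presentation: a drift check that flags rules with no approval, approved rules whose definition changed, and approved rules that have disappeared. The CSV columns and the rule export layout are assumptions, and every rule name and value is constructed.

```python
import csv
import io

# Constructed 'Approved' spreadsheet (CSV) and live NSX rule export (list of dicts);
# both layouts are assumptions for this example, not NSX's own export format.
APPROVED_CSV = """\
rule,source,destination,service,action,ticket
admins-to-pci,admins,pci,admin-access,allow,CHG-1001
pci-web,pci,pci,https,allow,CHG-1002
pci-backup,pci,backup,nfs,allow,CHG-1007
"""

NSX_RULES = [
    {"name": "admins-to-pci", "source": "admins", "destination": "pci", "service": "admin-access", "action": "allow"},
    {"name": "pci-web", "source": "pci", "destination": "pci", "service": "any", "action": "allow"},  # widened, no ticket
    {"name": "temp-debug", "source": "any", "destination": "pci", "service": "ssh", "action": "allow"},  # never approved
]

KEYS = ("source", "destination", "service", "action")  # fields that define rule behaviour


def load_approved(text):
    """Index the approved spreadsheet by rule name, keeping only behaviour-defining fields."""
    return {row["rule"]: {k: row[k] for k in KEYS} for row in csv.DictReader(io.StringIO(text))}


def audit(approved, live):
    """Return drift findings as tuples: ('unapproved', name), ('modified', name, diffs)
    where diffs maps field -> (approved, live), or ('missing', name)."""
    live_by_name = {r["name"]: {k: r[k] for k in KEYS} for r in live}
    findings = []
    for name, spec in live_by_name.items():
        if name not in approved:
            findings.append(("unapproved", name))
        elif spec != approved[name]:
            diffs = {k: (approved[name][k], spec[k]) for k in KEYS if approved[name][k] != spec[k]}
            findings.append(("modified", name, diffs))
    for name in approved:
        if name not in live_by_name:
            findings.append(("missing", name))
    return findings


if __name__ == "__main__":
    for finding in audit(load_approved(APPROVED_CSV), NSX_RULES):
        print(*finding)
```

An empty findings list means NSX matches the approved spreadsheet; anything else should map back to a change ticket or be reverted.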


Thank You

Luke Huckaba, @ThepHuck
