Copyright © 2018 Tufin
Tufin and SecureChange are registered trademarks of Tufin. Unified Security Policy, Tufin Orchestration Suite, SecureTrack, and SecureApp are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
NSX Reference Design Document
Contents
Overview ... 1
VMware SDDC Approach Redefines Data Center Network Security ... 1
SDN and Securing East-West and North-South Traffic ... 2
Visibility and SDN – You can't secure what you can't see ... 4
Managing Micro-segmentation ... 5
Automation through Tufin Orchestration Suite ... 6
Automation through integration with VMWare vRealize Automation (vRA) ... 8
Conclusion – Integration Key Benefits ... 9
Overview
VMware SDDC Approach Redefines Data Center Network Security

The Software-Defined Data Center (SDDC) enables a substantially improved operational model that provides greater speed and agility, lower operational overhead, and lower capital expenditure. VMware NSX delivers network virtualization for the SDDC, with a full service, programmable platform that provides logical network abstraction of the physical network with programmatic provisioning and management abilities. Following the successful abstraction of the compute and storage elements, network virtualization provides the next step towards a fully virtualized data center.

VMware NSX also offers an opportunity to redefine the way we secure our networks. One of the fundamental challenges of network security has been the inability to isolate policy enforcement from the operational network plane. Within the SDDC, the hypervisor provides a perfectly isolated layer to enforce security policy while maintaining the application context to enable better security control and visibility.

NSX provides isolation and network segmentation by default. Virtual networks run in their own address space and have no communication path to each other or to physical networks. Native firewalling and policy enforcement at the virtual layer provides segmentation, and micro-segmentation is achieved through security controls at the unit level or virtual machine level. Leveraging network virtualization technology, the SDDC enables security to be architected into the network itself. This allows security controls to be based on logical boundaries and makes data center micro-segmentation operationally feasible.
SDN and Securing East-West and North-South Traffic

East-west network traffic is the transfer of data packets from server to server within a data center in the same SDN (NSX) environment. North-south indicates network traffic from the NSX environment to the legacy data center or vice versa.
Visibility into both types of traffic – east-west and north-south – is critical for organizations to determine the best security practices for their networks and data centers. While many organizations focus on securing external traffic that enters their networks, it is increasingly important for organizations to monitor internal traffic patterns to identify malware that has infiltrated the network and to detect insider threats.
Micro-segmentation (covered in greater detail in a following chapter) significantly reduces the attack surface available for malicious activity, and lessens the impact of an attack spread through east-west traffic. If the data center is segmented into logical units, data center administrators can tailor unique security policies and rules for each logical unit. This tightly-coupled approach eliminates the tedious, error-prone manual configuration processes that often lead to security flaws after a migration.
[Figure: East-West Traffic and North-South Traffic]
The Tufin Orchestration Suite™ Solution for VMware NSX

The Tufin Orchestration Suite™ is a complete solution for automatically designing, provisioning, analyzing and auditing network security policy changes from the application layer down to the network layer. With the Tufin Orchestration Suite™, IT and security organizations can centrally manage and control micro-segmentation, continuously monitor adherence and identify violations to security policy, and automate changes throughout the entire data center via a single interface. The Tufin Orchestration Suite™ provides unprecedented visibility and control of security in the SDDC, ensuring unified security policy management across the entire enterprise – including physical and virtual networks as well as hybrid cloud platforms.
There are four use cases for the integration points between Tufin Orchestration Suite and VMWare NSX:
1. Visibility – View and track changes to security policy and configuration in the NSX environment.
2. Micro-segmentation – define and manage micro-segmentation both within the NSX environment as well as with the external data center.
3. Policy-driven change automation – automate changes through Tufin SecureChange while ensuring adherence to corporate security policy, understand the potential risk, and push changes to the relevant devices in NSX and the DFW, and outside of it to the appropriate FWs.
4. Integrated policy-driven change automation – automate changes through integration with VMWare vRealize Orchestrator (vRO).
The following chapters cover the above use cases in depth while outlining the business challenges and how Tufin can help solve them.
Visibility and SDN – You can't secure what you can't see

Challenge: When it comes to security policy management, organizations need to manage their policies centrally, even though the policies may be enforced on different platforms from different vendors on physical, virtual, and cloud-based platforms. Security managers need broad and unified visibility, an audit trail of all changes, and advanced analysis and reporting capabilities. Configuration of security rules must be applied to the Distributed Firewall (DFW) within NSX, NGFWs, and legacy firewalls (e.g. Check Point, Palo Alto, Cisco, Fortinet) to ensure connectivity and security. Security managers require visibility into changes across all of these firewalls – what was changed and who changed it – without jumping between different tools or different dashboards. This becomes a necessity as enterprise networks become more complex with a greater number of security devices installed.

Tufin Solution: The Tufin Orchestration Suite™ serves as a single pane of glass to manage and control security across hybrid cloud and physical networks. The Suite provides security managers with the same level of visibility and control in their new software-defined environment that they are accustomed to in a traditional data center. In addition, the Tufin Orchestration Suite™ retains an accurate audit trail of all changes and uses advanced change monitoring and analysis for full accountability. All changes can be tracked and reports can be produced for auditors when necessary. The screenshot below demonstrates change tracking of a security policy, ensuring that at any point it's easy to see who did what, when and why, and this can be fully documented for future reference.
Tufin's SecureTrack provides a side-by-side comparison of the policy before and after changes.
Managing Micro-segmentation

Challenge: Organizations need to be able to design and effectively manage micro-segmentation both inside and outside the NSX environment. Micro-segmentation provides better security than traditional subnet-based segmentation by tightening the security controls around an individual server (virtual machine). Operationalizing micro-segmentation requires effective configuration and management. However, the first question is often "How can I ensure that my NSX segmentation is properly configured to take advantage of this innovative technology, that servers are not inadvertently exposed, and that application connectivity is retained?" Managing micro-segmentation in a complex environment is difficult. A key requirement is to be able to track and manage this complex process in a simple, visualized way without manually applying different security configurations and rules across NSX and the rest of your firewall devices.
Tufin Solution: There are three ways in which the Tufin Orchestration Suite™ enables successful management of micro-segmentation for NSX. The Tufin Orchestration Suite™ provides:
• A unified and consistent policy across both physical and virtual environments, with clear graphical visibility into that policy.
• A centralized approach to identifying and managing violations and exceptions.
• Automatic checks of planned changes against a security policy before they are implemented, to make sure that the change is not introducing a new policy violation.

The figure on the following page shows the Tufin Orchestration Suite's™ zone segmentation matrix, which is an element of the Unified Security Policy (USP). This matrix represents the different network zones on both the horizontal and vertical axes, and the colors of the blocks indicate what communication is permitted between the two intersecting zones. In the zone segmentation matrix, a green block represents that traffic of specific services between two zones is allowed, a gray block means that traffic is not allowed, and a red block indicates traffic is allowed which currently violates security policy. Each zone represents physical, virtual or hybrid cloud platforms.
The Tufin Orchestration Suite™ zone segmentation matrix
In the NSX environment zones can be IPs or subnets, but are most often Security Groups given the dynamic nature of the SDDC. As VMs are provisioned and destroyed rapidly, the use of IPs becomes less relevant because they are unmanageable at that rate of change. Once an organization has designed its segmentation policy and implemented it to produce the visual matrix view, the Tufin Orchestration Suite™ analyzes the network to identify the gaps between the desired state of security policy compliance and the actual enforcement policies running across network firewalls, routers, and security groups. Unlike manual spreadsheets that security administrators often create and rely on, this matrix is connected to the network and automatically detects and alerts firewall administrators of violations. For NSX, this ensures that if a rule is added to the DFW or to the perimeter FW, the impact on the relevant zones is known.

Operational needs occasionally require an exception to a desired segmentation policy. For example, a specific business application may require non-compliant or risky access in order to run properly, even though it introduces risk to the organization. The Unified Security Policy provides centralized exception management that allows a security administrator to identify and manage exceptions, assign an expiration date to non-compliant rules, and ensure that they are re-examined and approved, or removed, by a specific date. This process gives the security administrator time to talk with the business application owner and find a way to either change how the application works, or change the segmentation policy. All policy exceptions are automatically documented and auditable.
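As an added illustration of how the zone segmentation matrix and its expiring exceptions described above can be evaluated against rules collected from the enforcement points, the following is constructed example code and not Tufin's own; the zone names, services, rule sources, dates and the tuple formats are all assumptions.

```python
"""Evaluate a zone segmentation matrix: green / gray / red per zone pair.
Constructed example, not Tufin code. All zones, services and rules are made up."""
from datetime import date
from itertools import product

# Desired policy: services allowed from the row zone to the column zone.
# A pair that is absent means no traffic is permitted (a gray block).
POLICY = {
    ("web", "app"): {"tcp/8443"},
    ("app", "db"): {"tcp/5432"},
}

# Rules collected from enforcement points, normalised to
# (device, source zone, destination zone, service). Constructed sample data.
RULES = [
    ("nsx-dfw", "web", "app", "tcp/8443"),
    ("nsx-dfw", "app", "db", "tcp/5432"),
    ("perimeter-fw", "web", "db", "tcp/5432"),   # bypasses the app tier: a violation
    ("nsx-dfw", "app", "db", "tcp/22"),          # not in policy, but has an exception
]

# Approved exceptions with an expiration date, mirroring USP exception management.
EXCEPTIONS = {("app", "db", "tcp/22"): date(2018, 12, 31)}
TODAY = date(2018, 6, 1)   # constructed "current date" for the run

def cell_status(src, dst, rules, policy, exceptions, today):
    """Colour of one matrix block plus the violating rules, if any."""
    allowed = policy.get((src, dst), set())
    violations = []
    for device, s, d, svc in rules:
        if (s, d) != (src, dst) or svc in allowed:
            continue                                # other cell, or permitted service
        expiry = exceptions.get((s, d, svc))
        if expiry is None or expiry < today:        # no exception, or it has expired
            violations.append(f"{svc} via {device}")
    if violations:
        return "red", sorted(violations)
    return ("green" if allowed else "gray"), []

def segmentation_matrix(zones, rules, policy, exceptions, today=TODAY):
    """Evaluate every ordered zone pair; returns {(src, dst): (colour, violations)}."""
    return {(s, d): cell_status(s, d, rules, policy, exceptions, today)
            for s, d in product(zones, repeat=2) if s != d}

if __name__ == "__main__":
    for (s, d), (colour, bad) in sorted(segmentation_matrix(["web", "app", "db"], RULES, POLICY, EXCEPTIONS).items()):
        print(f"{s:>4} -> {d:<4} {colour:<6} {', '.join(bad)}")
```

Re-running with a later date turns the excepted SSH rule red once its expiration passes, which is the re-examination trigger the text describes.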
Automation through the Tufin Orchestration Suite™

Challenge: NGFWs, such as the NSX DFW, and legacy firewalls are the first line of defense, but effective management of firewalls drains personnel resources from security programs already coping with a shortage of skilled labor. Regardless, security policies need to be checked, firewalls optimized, and continuous compliance demonstrably achieved. These firewall management tasks are typically manual processes that are both time consuming and rife with manual error, necessitating a solution to eliminate misconfigurations and return personnel resources to strategic or imminent challenges. Workloads can run entirely within the SDN environment or span across NSX and on-premise infrastructure, hence automation must support the multiple platforms and technologies used. Failing to support the diversity of vendors beyond NSX prohibits achieving agility and delays access to a data center's database when it sits behind different firewalls and routers, along with the tasks associated with managing all of them.
Tufin Solution: The Tufin Orchestration Suite™ provides central management and a fully automated change process, providing end-to-end connectivity across the hybrid network while meeting security policy mandates. End-to-end automation of network security changes with baked-in security and compliance enables both north-south and east-west connectivity by provisioning to the NSX Distributed Firewall as well as legacy firewalls using Security Groups. The change process provided by the Tufin Orchestration Suite™ includes automated risk analysis for built-in policy compliance and best practices, automated design and provisioning for on-prem firewalls and NSX, and automated connectivity verification to boost productivity and accelerate delivery.

Tufin delivers automated provisioning for changes to NSX security groups (or IP and IP sets) and guides users to ensure that the right security groups are changed. The automated change design is based on the most accurate topology simulation and efficient path analysis across NSX and other platforms/vendors. While all these capabilities are supported through the SecureChange UI, customers often integrate Tufin workflows and process management into their existing third-party ticketing tools (e.g. ServiceNow or Remedy) through APIs or integration applications to keep their existing business processes and flows unchanged.
Automation through integration with VMWare vRealize Automation (vRA)

NSX and vRealize Automation are two major products from VMware. vRealize Automation can build a private cloud environment while NSX builds the underlying software defined network. Both the efficiency and security control over the SDDC are realized when using NSX and vRealize Automation in concert. With NSX you can build dynamic routing, load balancing, and firewall rules to create the virtualized network; vRealize Automation uses vRealize Orchestrator (vRO) as its underlying orchestration engine.
Integrating vRO with SecureChange enables customers to achieve full automation for designing and provisioning application connectivity. Together, vRA and vRO can be used to spin up a multi-layer application through a single click along with its network, firewall rules, and load balancer. Applications running within the SDDC and consuming non-SDDC resources (e.g. LDAP server or DB) require north-south connectivity. This can be achieved by incorporating vRO workflow calls to a Tufin workflow through APIs for:
1. Topology Discovery: find traditional firewalls in front of the provisioned VMs.
2. Risk Analysis: compliance check against Tufin USP before implementation.
3. Provisioning: pushing changes to traditional firewalls in front of the provisioned VMs running on NSX.
A typical flow can be:
1. Deploy new VMs from a vRO workflow based on VM templates (using the vCenter API to provision new VMs).
2. Cache the VMs' network information, such as the IP allocated and the policy template.
3. Use the HTTP-REST client from vRO to open a ticket on SecureChange (JSON formatted query).
4. In SecureChange, run a fully automated workflow for provisioning rules on Cisco ASA and Check Point firewalls and connect the VMs to the network.
The above is similar to other ITSM integrations like BMC Remedy, ServiceNow, and other tools (further available in the Tufin Professional Services Catalogue).
Conclusion – Integration Key Benefits

The integrated VMware NSX™ and Tufin Orchestration Suite™ solution delivers visibility, unified security policy management, and compliance across physical and virtual networks, and hybrid cloud. The strategic integration enables IT organizations and security teams to:
• View and manage security policies across the network from a single pane of glass, thereby reducing complexity.
• Track changes to security policies on NSX as well as on other leading cloud platforms, and present what was changed and who did it.
• Reduce audit preparation time and enable continuous compliance using the Unified Security Policy.
• Design, implement, manage, and monitor micro-segmentation across NSX, physical and hybrid networks.
• Visualize policies and network connectivity across the heterogeneous corporate network, enabling IT teams to troubleshoot connectivity issues quickly and easily.
• Maximize agility with end-to-end automation of network security changes with baked-in security and compliance, providing:
  o Automated risk analysis for baked-in security and compliance
  o Automated change design based on accurate topology simulation and path analysis across NSX and other vendors' platforms
  o Automated provisioning for NSX to reduce complexity, eliminate human error, and ensure connectivity