Luke Huckaba, Principal Architect, Rackspace
Anand Iyer, Global Product Marketing, VMware
LHC1753BE
#VMworld #LHC1753BE
Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance
VMworld 2017 Content: Not for publication or distribution
VMware Cloud Provider Name Change
#LHC1753BE CONFIDENTIAL
What Can a VMware Cloud Provider Do for You?
✓4500+ Cloud Providers globally
✓Seamless integration with vSphere
✓Same operational tools on-premises and in the cloud
✓Value-added services, including management and support
✓Easy on-ramp to the cloud for existing vSphere workloads
BENEFITS / RESULTS
• IaaS
• Cold and Warm Migration
• Seamless Connectivity (L2VPN Client)
• Value Added Services
• Managed Hosting
• Disaster Recovery
• Desktop as a Service
• SDDC + vCloud Director
Agenda
• About the case study
• VMware NSX Distributed Firewall Overview
• Planning
• Implementation
• QSA Review
• Ongoing Maintenance
About the case study
• What it is: Rackspace PCI-DSS certification for management infrastructure
• What it is not: Rackspace customer certification
– Customers attain their own certification
• Problem: Systems in scope for PCI are commingled in the same L2 network as non-PCI systems
– Option 1: Re-IP
– Option 2: Deploy VMware NSX Distributed Firewall for microsegmentation
• VMware’s NSX Distributed Firewall leveraged to microsegment each environment
VMware NSX Distributed Firewall Overview
• Software VIB that runs on each ESXi host
• Stateful software firewall
• Firewall rules are applied to traffic in between the vNIC and the vSphere Distributed Switch
• Layer 2, 3 & 4 firewall rules, and up to layer 7 with 3rd party vendors/integrations
• Single management plane per vCenter
VMware NSX Distributed Firewall Overview
An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall
▪ Firewalls/policies provisioned simultaneously with VMs
▪ Policies move with their VMs
▪ Retiring a VM deprovisions its firewall – no possibility of stale rules
▪ State persistent across VMware vMotion®
NSX for vSphere firewalling: fully distributed, embedded in every hypervisor in the data center
Planning
• Documentation is king!
• Follow an “outside-to-in” approach
– Similar to a “top-down” approach
• Audit all traffic flows
– What systems access the VMs from outside of the virtual environment?
– Inter-VM communication across multiple vCenters
– Which VMs inside the virtual environment access systems outside of the environment?
– Inter-VM communication from within the same vCenter
Planning (diagram): traffic flows to audit in each direction, outside to in and inside to out, for both PCI and non-PCI systems, plus inter-VM traffic within the vCenter
Planning
• Use a spreadsheet to group everything
• Four (4) key grouping objects
– IP Sets
• Group of single IPs, Subnets, IP Ranges
– Security Groups
• Group of VMs, IP Sets
– Services
• Protocol & ports
– Service Groups
• Group of services
Planning (spreadsheet screenshots): worked tabs for IP Sets, Security Groups, Services, Service Groups, Security Policies, and Applied Security Policies
Implementation
• Follow your documentation
• Create IP sets first
• Create Security Groups
(Diagram: IP Sets 10.1.0.0/24, 10.2.0.0/24, 10.10.7.58, and 10.4.0.0/24 + 10.5.0.0/24 feeding a Dynamic Security Group and static Security Groups)
Security Group membership examples (screenshots):
– Dynamic, based on VM Name & Security Tag
– Static, based on IP Set
– Dynamic, based on virtual datacenter, and dynamically exclude based on objects
Implementation
• Follow your documentation
• Use Service Composer to create Security Policies
– Offering a service or consuming a service?
• Where is the traffic initiated from? (diagram: traffic direction relative to the vCenter)
– Offering a service (diagram: a Consumers Security Group, the Service, and the Security Group offering it)
– Consuming a service (diagram: the Security Group, the Application Service, and the Service it consumes)
– Apply policies to security groups (diagram: the same policies applied across several Security Groups)
– Dynamically builds firewall rules for you
• After going over Service Composer, does this make better sense?
QSA Review
• Start with the spreadsheet
– Cover all communications starting with IP Sets, Security Groups, Services, and Service Groups
• Create Auditor-role user in NSX
– Provide overview and walkthrough of Service Composer & Security Policies
• Explain all firewall rules and how they’re generated through Service Composer
Ongoing Maintenance
• Proper change control is a PCI requirement
– User A submits change request
– Member of governing group reviews and approves/denies change request
– Member of approved admins carries out change
• Maintain ‘Approved’ spreadsheet
• Ticketing system to track all changes
– Update your spreadsheet!
• Regular audits
– Quarterly, semi-annually
– Validate what’s in NSX is what’s in the ‘Approved’ spreadsheet
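One way to script the regular audit that what is in NSX matches the ‘Approved’ spreadsheet, as an added example that is not Rackspace’s or VMware’s code: it compares a constructed CSV export of the spreadsheet against a constructed snapshot of IP Sets and Security Groups and reports every drift. The object names, the CSV columns and the shape of the snapshot are assumptions; the real snapshot would be reduced from an NSX Manager export.

```python
import csv, io
from ipaddress import ip_network
# Constructed sample of the 'Approved' spreadsheet, exported as CSV (one row per member).
APPROVED_CSV = """type,name,member
ipset,PCI-Mgmt,10.1.0.0/24
ipset,PCI-Mgmt,10.2.0.0/24
ipset,PCI-Jump,10.10.7.58
secgroup,SG-PCI-Web,PCI-Mgmt
secgroup,SG-PCI-Web,vm-pci-web01
"""
# Constructed stand-in for an NSX Manager export, assumed reduced to {type: {name: set(members)}}.
NSX_SNAPSHOT = {
    "ipset": {
        "PCI-Mgmt": {"10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"},  # extra subnet, never approved
        "PCI-Jump": {"10.10.7.58"},
        "Temp-Test": {"192.0.2.10"},  # whole object absent from the spreadsheet
    },
    "secgroup": {"SG-PCI-Web": {"PCI-Mgmt", "vm-pci-web01"}},
}

def load_approved(csv_text):
    # Build {type: {name: set(members)}} from the spreadsheet rows.
    approved = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        members = approved.setdefault(row["type"], {}).setdefault(row["name"], set())
        members.add(row["member"].strip())
    return approved

def normalise(kind, member):
    # Canonicalise IP Set members so 10.10.7.58 and 10.10.7.58/32 compare equal; ranges stay as-is.
    if kind == "ipset" and "-" not in member:
        return str(ip_network(member, strict=False))
    return member

def audit(approved, snapshot):
    # Return (type, name, finding) for every difference between the spreadsheet and NSX.
    findings = []
    for kind in sorted(set(approved) | set(snapshot)):
        want, have = approved.get(kind, {}), snapshot.get(kind, {})
        for name in sorted(set(want) | set(have)):
            if name not in want:
                findings.append((kind, name, "not in approved spreadsheet"))
            elif name not in have:
                findings.append((kind, name, "approved but missing from NSX"))
            else:
                w = {normalise(kind, m) for m in want[name]}
                h = {normalise(kind, m) for m in have[name]}
                findings += [(kind, name, f"unapproved member {m}") for m in sorted(h - w)]
                findings += [(kind, name, f"approved member {m} missing") for m in sorted(w - h)]
    return findings
```

An empty result is the evidence to file with the change-control records for that audit period; anything else is either unrecorded change or a spreadsheet that was not updated.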
Thank You
Luke Huckaba @ThepHuck