lhc1753be case study: how vmware nsx is empowering a or distribution · case study: how vmware nsx...

Luke Huckaba, Principal Architect, RackspaceAnand Iyer, Global Product Marketing, VMware

LHC1753BE

#VMworld #LHC1753BE

Case Study: How VMware NSX Is Empowering a Service Provider to Help Customers Achieve and Maintain Industry Compliance

VMworld 2017 Content: Not fo

r publication or distri

bution

VMware Cloud Provider Name Change

3

Is Now

#LHC1753BE CONFIDENTIAL



bution

What Can a VMware Cloud Provider Do for You?

✓4500+ Cloud Providers globally

✓Seamless integration with vSphere

✓Same operational tools on-premises and in the cloud

✓Value-added services, including management and support

✓Easy on-ramp to the cloud for existing vSphere workloads

BENEFITS / RESULTS

IaaSCold and Warm

Migration

Seamless Connectivity (L2VPN Client) Value

Added

Services

Managed Hosting Disaster Recovery Desktop as a Service

SDDC + vCloud Director

#LHC1753BE CONFIDENTIAL 4



bution

Agenda

• About the case study

• VMware NSX Distributed Firewall Overview

• Planning

• Implementation

• QSA Review

• Ongoing Maintenance

5#LHC1753BE CONFIDENTIAL



bution

About the case study



bution

About the case study

• What it is: Rackspace PCI-DSS certification for management infrastructure

• What is not: Rackspace customer certification

– Customers attain their own certification

• Problem: Systems in-scope for PCI are comingled in same L2 network as non-PCI systems

– Option 1: Re-IP

– Option 2: Deploy VMware NSX Distributed Firewall for microsegmentation

• VMware’s NSX Distributed Firewall leveraged to microsegment each environment




bution

VMware NSX Distributed FirewallOverview



bution

VMware NSX Distributed Firewall Overview

• Software VIB that runs on each ESXi host

• Stateful software firewall

• Firewall rules are applied to traffic in between the vNIC and the vSphere Distributed Switch

• Layer 2, 3 & 4 firewall rules, and up to layer 7 with 3rd party vendors/integrations

• Single management plane per vCenter




bution

VMware NSX Distributed Firewall Overview

10

An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor,

enabling each VM to have its own firewall

▪ Firewalls/policies provisioned

simultaneously with VMs

▪ Policies move with their VMs

▪ Retiring a VM deprovisions its

firewall – no possibility of stale rules

▪ State persistent across VMware

vMotion®

NSX for vSphere firewalling: fully distributed, embedded

in every hypervisor in the data center




bution

Planning



bution

Planning

• Documentation is king!

• Follow an “outside-to-in” approach

– Similar to a “top-down” approach

• Audit all traffic flows

– What systems access the VMs from outside of the virtual environment?

– Inter-VM communication across multiple vCenters

– Which VMs inside the virtual environment access systems outside of the environment?

– Inter-VM communication from within the same vCenter




bution

Outside to in

Outside to inInside to out

Inside to out

Planning

14

PCI

Non-PCI

vCenter

Inter-VM trafficInter-VM traffic Inter-VM traffic




bution

Planning

• Use a spreadsheet to group everything

• Four (4) key grouping objects

– IP Sets

• Group of single IPs, Subnets, IP Ranges

– Security Groups

• Group of VMs, IP Sets

– Services

• Protocol & ports

– Service Groups

• Group of services




bution

Planning




bution

Planning

17

IP Sets




bution

Planning

18

Security Groups




bution

Planning

19

Services




bution

Planning

20

Service Groups




bution

Planning

21

Security Policies




bution

Planning

22

Applied Security Policies




bution

Implementation



bution

Dynamic Security Group

Security Group

Security Group

Implementation

• Follow your documentation

• Create IP sets first

• Create Security Groups

24

IP Set10.1.0.0/24

IP Set10.2.0.0/24

IP Set10.10.7.58

IP Set10.4.0.0/2410.5.0.0/24




bution

Implementation




25

Dynamic, based on VM Name & Security Tag




bution

Implementation




26

Static, based on IP Set




bution

Implementation




27

Dynamic, based on virtual datacenter

And…Dynamically exclude based on objects




bution

Implementation


• Use Service Composer to create Security Policies

– Offering a service or consuming a service?

• Where is the traffic initiated from?

28

vCenter




bution

Implementation



– Offering a service

29

Security Group

Consumers

Service




bution

Implementation






bution

Implementation



– Consuming a service

31

Security Group

ApplicationService

Service




bution

Implementation






bution

Implementation



– Apply policies to security groups

33

Security Group

Consumers

Service

Security Group

ApplicationService

Service

Security

GroupSecurity

GroupSecurity

Group

Security

GroupSecurity

Group




bution

Security Group

Service

Security Group

Service

Security

GroupSecurity

GroupSecurity

Group

Security

GroupSecurity

Group

Implementation



– Apply policies to security groups




bution

Implementation



– Dynamically builds firewall rules for you




bution

Implementation

• After going over Service Composer, does this make better sense?




bution

QSA Review



bution

QSA Review

• Start with the spreadsheet

– Cover all communications starting with IP Sets, Security Groups, Services, and Service Groups

• Create Auditor-role user in NSX

– Provide overview and walkthrough of Service Composer & Security Policies

• Explain all firewall rules and how they’re generated through Service Composer




bution

Ongoing Maintenance



bution

Ongoing Maintenance

• Proper change control is a PCI requirement

– User A submits change request

– Member of governing group reviews and approves/denies change request

– Member of approved admins carries out change

• Maintain ‘Approved’ spreadsheet

• Ticketing system to track all changes

– Update your spreadsheet!

• Regular audits

– Quarterly, semi-annually

– Validate what’s in NSX is what’s in the ‘Approved’ spreadsheet




bution

Thank YouLuke Huckaba@ThepHuck



bution



bution

lhc1753be case study: how vmware nsx is empowering a or distribution · case study: how vmware nsx...

Documents