For many years we used the build castle analogy to secure your environments. Is it time for a change?
In today’s world, where we have malicious actors attacking your datacenters every minute of the day with various attacks from Malware to Ransomware, to name a few, we need to protect and detect these acts before they cause harm.
NSX-T 3.2 needs to be a vital part of protecting and responding to attacks from malicious actors.
Let’s start with the outer haul of your cargo ship, your perimeter security. The haul has physical security, of course, and communication, a.k.a network security that uses a next-generation firewall (NGFW) that secures data transmission.
Special Note: Drawings are simplified
There are many techniques used to build this haul that we can cover later. Let’s stay with the analogy, keep it super simple (KISS) and add some floors to this ship. My thought process is to use hardware-based NGFW to control communication/traffic flows between the floors. Wait, I thought this was a blog on protection with NSX-T 3.2; rest assured, we are getting there. KISS right? You will not change or rebuild floors of your ship very often, if ever, so let’s create zones( AKA floors) where security enforcement at hardware-based NGFW.
Special Note: When it comes to mixing HW and SW with various protect techniques, you want to KISS and gain the advantage of looking at traffic in multiple ways and giving flexibility in protecting your most valuable assets.
Now let’s introduce NSX-T 3.2, which brings the control points closer to the applications (AKA Cargo) where you can configure or reconfigure cargo holds. Let’s think about that for a minute, the ability through automation and manual software changes can change behavior and control points. I am now thinking about Network as a Service (NaaS) or Security as a service (SecaaS). We can create a new cargo configuration in test and development before applying it to production.
With the distributed model expanding beyond Distributed Fire Walls (DFW) or Internal Segmentation Firewalls (ISFW) are now Distributed Next-Generation Firewalls (DNGFW). With the integrations from the Lastline acquisition, NSX-T 3.2 can provide distributed Advanced Threat Prevention (ATP) with malware prevention for known and zero-day malware. Distributed behavioral IDS looking for pattern matches and other anomalous traffic.
Ok, let that sync in for min; let’s talk about more distributed goodness! Network Traffic Analysis to see lateral movement anomalies. Network Detection and Response (NDR) to help provide relief from alert overload with MITRE ATT&CK visualize campaign view.
You end up with a cargo ship with disturbed security to protect and detect malicious attackers. Look at all those reconfigurable doors and control points I have negative now as a malicious attacker.
We have covered one way to protect with NSX-T; we touched on detect. We will dive deeper into detecting using telemetry and management tools soon. We will also cover using Carbon Black to respond and different recovery strategies. Stay tuned to hear more about VMware Security or reach out and ask how VMware can help secure your business.
With recent cyberattacks across the world, it is essential to have a solid design for security. VMware has recently bought multiple security solutions to help create an intrinsic security portfolio. I will always contend that security solutions should have numerous vendors, so let’s use Cisco to do the switching and routing with ACI in network-aware mode and Palo Alto firewalls with Panorama.
In today’s modern data centers, the number of physical devices is shrinking to under 3% of total servers. We still need to account for them in our design from both network and security perspectives; of course, the virtual environment will need hosts and storage to run on. Let’s start with Cisco fast switching transport underlay.
Using typical spine and leaf architecture for the switching underlay, let’s set up ACI zones with VRFs following the Purdue model.
Internet-facing DMZ – Zone 5+
User Networks – Zone 5
DataCenter – Zone 4
IDMZ – Sub Zone of 4 some will call it 3.5
OT – Zone 3 and below is not part of this design.
All traffic within a single zone will East/West traffic and have further segment and security controls via NSX. All traffic between zones with travel North/South and will pass through the Palo Alto Firewall. These zones are overlay constructs that will provide the underlay for NSX.
ACI Zone will host all physical devices, including server hardware for ESXI, NFS Storage, EUC devices, and other legacy items like LPARS. ACI is switching fabric, and the only way to secure devices is through ACLs. A good thing change rate for physical devices is tiny and is an exception to the rule that requires either manual configuration or custom-built automation. If the change rate is low, 2-3 changes a year, I recommend a well documented manual process.
Now let’s add in NSX; we will start with edge cluster and T0s for management, data center, and the IDMZ. The T0s will route traffic to the corresponding ACI Zone. The edge device can provide stateful firewall services to help further segment the workloads. If attackers were to gain access to the ACI zone, they would not have access to corresponding NSX networks.
Now we can do some exciting things; we can create multiple T1’s to create more separate and secure networks with stateful firewalls and transport zones to control who can talk to who. In this case, we will use HR, FIN, and Call center for the use case, but you could replace ACI zones or create DMZ’s all within NSX. We will generate transport zones so the HR can talk FIN but not Call Center, and Fin can talk to Call Center. We have now created smaller attack services, making it difficult for attackers to move around your network.
So I have an ACI zone that layers above my physical switch’s that can’t see the NSX network without passing through a stateful firewall. If the attacker gained access to inside T0, the T1’s would provide another control point, and beyond that, transport zones can restrict access further.
Let’s add the last layer, Microsegmentation, by using DFW. Firewall as close to source VM as possible at the hypervisor! A distributed firewall that travels with VM to secure the application. Let’s count the doors the attacker has to get through now:
That’s a lot of doors to open and a lot of firewall rules to manage. Let’s walk through how we can manage this potential operational nightmare.
Let’s simplify things to start doors, one through four rule sets should not change often. These doors rule sets only change when making changes at physical or infrastructure levels. Changes to door three and four (T0/T1) can be day two actions in vRealize Automation (vRA).
DFW is applied through security tags that can be used both on VM creation in vRA or as an onboard process. Tags are added in the cloud template and have portable ymal code for new VMs. A workflow will need to be created to add security tags to an onboarded VM.
Ok, so I can manage the addition and change though policy and tags for my VMs, how do I get a handle on all the rules I need to make? Two ways you can use vRNI to generate a report on ports and protocols for each of your applications or use NSX Intelligence that will make rule suggestions inside of NSX that you can apply. Yes, that is right, rules are given to you apply within NSX!
Ok, this sounds great, but how do I make sure network and security policies are in a known good state? How can I visual see my entire network? I need to be able to do this across virtual, physical, and even my SD-WAN.
No problem! Let me introduce you to vRNI with SD-WAN and visibility/assurance. With these two add ons, you will get a visual of the entire network! Virtual, Physical, and even SD-WAN is giving you a complete view of your network. Assurance will allow you to see changes in the whole network on 30 min intervals. An attacker or Jr network admin change an ACL in ACI? Get an alert so you can react or trigger an automation to change your configuration back to a gold standard.
vRNI has grown-up other ways it can be useful is for vRNI to tell vROPs about application groups or use HCX fling to create application move groups for migration with HCX.
You can see deep security posture and the ability to monitor and assure you are in a known good state. Now let’s talk about Advance security with IPS/IDS and Carbon Black.
To honestly say we covered 6 of 12 MITRE attacks tactics, we have to add AVI and WAF for credential access to our applications. We were now adding NSX IPS/IDS for real-time deep packet inspection, automatic signature updates, and giving you the latest defense to alert on and drop or reject traffic.
Wow! 5 doors to unlock and security to catch attackers in the act; I feel safer now. But what if someone does get through to an endpoint?
Carbon Black can help with Next Generation anti-virus with anomaly traffic detection that can stop malware, ransomware, and next-gen attacks in their tracks. EDR can provide seamless detection through threat hunting and containment. Carbon Black cloud will inspect devices and track and report on a drift. Say an attacker broke through all the security above, you have a way to see what was touched to respond appropriately.
Well, there you have intrinsic, intent-based security from VMware. The best news is this just the start with recent acquisitions, LastLine and Salt Stack. The Intrinsic and intent-based security story from VMware is only getting started.
NIST 800.82 R2 builds an overly to NIST 800.53 R4 standard. A fundamental approach is to enable communication between an Industrial Control System (ICS), and a corporate network is through intermediate DMZ. The ICS and corporate networks should never communicate directly with each other. A typical architecture for this is the Purdue model using network zones.
General security best practice is that a single product, technology, or solution can not adequately protect ICS. Using a multi-layer strategy utilizing a minimum of two security tools is advised. With tools, we still need to have adequate security policies, incident response, and physical security. The greatest threat is still hacking the human element; security training is critical if not more critical, than any toolset.
As the technology landscape changes, so do prevalent standards to protect ICS. This year, NIST 800-207 was finalized, paving the way for Zero Trust Architecture (ZTA) to protect ICS.
To build security architecture with a multi-layer strategy based on NIST 800-82 R2 with an extra overlay of protection based on NIST 800-207 (ZTA)
One of VMware’s key building pillars is Intrestic security and a rich toolset consisting of NSX-T, NSX Advanced Security, AVI, and Carbon Black that are supported by VCF (SDDC Manager) and vRealize Suite (vRA, vLI, vIDM, vROPS). You might be asking your self where is vRealize Network Insight (vRNI). This tool is great but currently does not come with VCF or vRealize Suite; it is considered an add-on.
As complete of a vision VMware has with Intrestic security, it does not cover all use cases. Natural partners are Cisco and Palo Alto. Cisco’s rich toolset includes Cisco ACI, Cisco Stelathwatch, Cisco ISE, and Cisco DNA, with Palo Alto’s Panorama rounding out the typical solution set.
Layered Intrinsic Security:
This toolset has overlapping, and some might say competing technology. I see it more layered defense approach with best breed technology at both the physical and virtual layers.
The diagram below will capture the use case of using the toolset to achieve this blog’s stated goal.
Disclaimer: I did not depict the internet DMZ; this architecture is based on the Purdue model but is not certified by any regularity governance body.
By preventing direct communication between IT and OT systems and having a broker service in the IDMZ relay the communications, an extra layer of separation and inspection adds to the overall architecture. Systems in the lower layers are not directly exposed to attacks or compromise. If something were to compromise a system at some point in the IDMZ, the IDMZ could be shut down, the compromise could be contained, and production could continue.
This blog focused on the toolset and some of the primary controls to finish the complete design, including operational playbooks I encourage you to read:
A requirement for VMware Cloud Foundation 4.x (VCF 4.x)
This always prompts the question of why do we need VCF 4.x?
K8 deployments require NSX-T VCF 4.x is 1st version of VCF that uses NSX-T in the management and workload domains; by making VCF 4.x a requirement, VMware has validation that a customer has NSX-T deploy in a configuration that will support Kubernetes.
Ok, I have VCF 4.x deployed, I am excited to deploy Kubernetes for my development team, but I have to ask is there anything else we need to do before we start?
In the 1st blog of this series on VCF, I talked about why VCF is important to VMware and VMware customers. I will cover three use cases:
VCF 3.10.x with manual guidance for vRealize Suite 2019
Most common use cases:
Horizon, Emergency Capacity, Microsegmtation, and Deep Cisco ACI shops plan on using combination ACI Multisite, Cisco VMM, and other Cisco products.
What is a minimal install?
It is an install that provides the foundation for Management Cluster and the first workload domain (WLD). The required products are vSphere, vSAN, and NSX. Can I hear you thinking, “NSX? Thought ACI was one of the big use cases.” Correct, NSX, and ACI can be very complimentary, and we can deep dive use cases of NSX with ACI at another time.
Back to VCF, as talked about in my last blog post, the significant advantage of VCF is standardization and predictability, so yes, NSX is required to provide a predictable transport network for the management and workload clusters. The install of NSX and only the transport network are needed; you do not need setup Application Virtual networks (AVN).
About the digram:
You can see from the picture below can you will have run NSX-V with ESG in the management cluster and either NSX-V ESG or NSX-T T0/T1 with vTEPs and transport layer. You do not need to configure routing.
VCF 3.10.x with manual guidance for vRealize Suite 2019:
Usecase: VCF 3.10.x with vRealize Suite 2019
Due to direct customer feedback, this use case where customers needed to start with vRealize Suite 2019 to harness all the new features of vRealize Automation 8 (vRA, 8.x) and vRealize Operations Manager 8 (vROps 8.x).
I can see you asking me, ” Wait, why can’t I install base VCF and then vRealize 2019?” You can! That the actual manual guidance for this deployment. Yes, I said manual guidance, let me walk you through why.
VCF is automated installation services that deploy VMware Validated Design (VVD); with set Bill of Materials (BOM). In 3.9x, the automation would deploy vRealize Log Insight (vRLI) and the vRealize 7 suite. VCF 3.10.x is an update to 3.9.x, not a BOM change. Still, customers demanded the support of vRealize Suite 2019, so VMware created the manual guidance to install vRealize Suite 2019 outside of VCF automation with the deployment of LCM that could support vRealize Suite 2019. In this case, you should have two LCM’s instance on to support vRLI and one to support vRealize Suite 2019.
About the digram:
In the first diagram, the focus was at the NSX level, for this digram I wanted, to show and focus two key items. The fact you need two LCM managers, and you will wish to setup log forwarding from Loginishgt 4.8 to 8.x. Remember,you will deploy vRealize suite 2019 from LCM 8.x that you manual deploy. The other item of note is vXRail manager for each WLD, remember that for future designs and blogs.
Usecase: Greenfield with no technical debt and is ready for CI/CD upgrades.
VCF 4.0 brought some significant changes, vSphere 7.0, automated install of vRealize Suite 2019, and NSX-T 3.0 in both the Management and workload domains. 4.0 release date April 2020 was before VCF 3.10.x in May of 2020. Please be mindful of these days as End of General Support for VCF products is one year after release.
VCF 4.0 is 1st release of VCF where almost all technical debt had to be removed, and every product was working on Photon OS. Now that VMware is ready to start the CI/CD journey with VCF!
You will see VMware coming out with releases much faster with goal launch new release every four months. That is faster than many customers are used to but still slower than a two-week release cycle for VMware SAS offerings.
It is critical to building a new greenfield data center with VCF from today in the future, that starts with VCF 4.x in mind.
About the digram:
4.x has few significant changes, one, of course, is the BOM that includes vSphere 7. The other is NSX-T in both the MGMT and WLDs! I also want my reads to note that included Spines in this diagram. I want every to start to think where you would peer NSX at ToRs? At that Spine? Somewhere else? In my next blog, we begin to explore this subject and build up to how NSX and ACI work together.
Daily I get asked what makes Vmware Cloud Foundation (VCF) imported? Customers love standardization as it gives them many advantages like stability, time to market, and Vmware Validated Design (VVD) VVD-guidelines. In a follow-up blog, I will discuss how VMware made course correction on VCF 4.0 to move past using vvd-guidelines to deploy a full VVD.
Ok, so that is it? That is the starting point; to see actual value to VMware customers, you need to look at how VMware embraces a continuous integration/continuous delivery CI/CD strategy!
To start to achieve CI/CD, one first thing VMware needed to do was to reduce technical debt and standardize product line! This move to Photon OS and creating applications with microservices was paramount. Ok, nothing new here; this strategy has been preached for a decade.
The second key component to CI/CD is the ability to work with predictable and standard infrastructure, as we see from cloud providers. VMware is already proving that with SAS offerings of VMware products, they have the ability to introduce new features at a much faster pace.
Ok, what does this have to VCF or the VVD for that manner? The next step is to extend the rapid release to the on-prem cloud. Cloud providers ran data centers that have The same hardware, the same software, and the same configurations. Ok, require everyone to use the same hardware is the answer?
VMware has celebrated the choice of working with the broad ecosystem of partners, so requiring the same hardware is not a choice.
Ensuring that the best practice of the management domain uses the same software, the same configuration allows VMware customers to have standardized and predictable landing spots for VMware products.
Now VMware can extend CI/CD strategy past the public cloud into private clouds of their customers. BOOM! Now VMware can provide customers with features at rapid past and simpler upgrades to smaller changes that are delivered more often.
Center of Advanced Learning (Advanced Architecture)
Two weeks in Palo Alto went fast! Es war sehr aufregend! Meeting great folk from around the world, including Germany, India, UAE, Sweden, and others, was amazing. The Campus and the turtles are truly amazing.
The content was incredible; the focus on soft skills and presentation skills are invaluable for leading customer engagements. Well, we are keeping a sharp focus on business outcomes helping our customers and partners with digital transformation. Always remember Digital transformation is human transformation.
The coaching from VMware rock starts like Henry Villar, Howard Shoobe, Carsten Schaefer and Theresa Stone was top notch!
Honestly, the best part of two weeks was the people from hearing stories from Triple VCDX and Staff Architect Safouh Kharrat to Sr TAM Sridharan Santhanakrishnan and great partners like Yves Sandfort at Comdivision.
Now on to the team:
The first week we hit the ground running even with two of the members dealing with significant jet lag Fabian Lenz (Germany) and Elina Krassotina (UAE). We decided early on that we need to take an approach where we collaborate well-keeping work-life balance in place by taking an agile approach.
The agile approach also helped Selvakumar Jaganathan and myself handling escalations and some prior commitments. As judgment day came, “Presentation day.” we made sure to take time off for ice cream.
The agile approach with the team’s first thought process kept everyone so sharp that Fabian won the best Partner Participant, and Elina won the most improved “Rising Star.” and we won the coveted Team Award for best presentation.
I could not have hand-picked a better team that worked hard had some fun, well keeping our eyes on the end goal.
I have been hearing back from customers about our vast Operations Profile that includes vRealize Operations Manager (vROps), Wavefront, and Cloud Health.
These products have a lot of overlapping features, but together they provide a holistic solution. So why do we need three products to produce a comprehensive solution for Operations?
I can use a couple of buzz words here “Persona,” ” Focus Lens,” Etc but let’s state it as merely Cloud Admins Teams, Application Teams, and C level teams need to view and consume data differently.
vROps is the tool every Cloud Admin needs, and it provides deep analytics, infrastructure costing, capacity planning, alerting, performance troubleshooting for your private cloud. You can use vROPS for some application data, but that data is driven from an infrastructure point of view. The vROps lense is infrastructure focus looking up at the application.
So how do I gather data and provide analytics for my applications that are part of my multi-cloud initiative?
Wavefront will provide analytic data for cross clouds gathering data that can be analyzed and correlated each second to help troubleshoot performance gaps in applications. Sounds great! Why do I need vROps?
Wavefront gathers data at the application level and looks down the stack to infrastructure, the view down into infrastructure with data that derived from an application point of view would not tell you the full story of what is happening in the infrastructure.
What about costs for multiple clouds with a full cost structure for C-Level Teams?
Cloud Health can deliver full cost insight to multiple public clouds like AWS, Azure, GPC, VMC and private clouds. Cloud Health includes optimation, rightsizing to help trim spending waste in the public cloud and private clouds alike. The costing data is immersive with spend tracking and budget reporting.
So why would still need to do costing with vROps?
Cloud Health’s focus on costing metrics at the C-Level/Accounting level, where vROps can provide more of department level show back, chargeback model for private cloud and few public clouds like AWS and Azure.
So three key takeaways are:
vROps –> Infrastructure Operations/Analytics and Costing
WaveFront –> Application Analytics for multi-cloud
CloudHealth –> Multi-cloud C-Level costing