Network Security Design
With recent cyberattacks across the world, it is essential to have a solid design for security. VMware has recently bought multiple security solutions to help create an intrinsic security portfolio. I will always contend that security solutions should have numerous vendors, so let’s use Cisco to do the switching and routing with ACI in network-aware mode and Palo Alto firewalls with Panorama.
In today’s modern data centers, the number of physical devices is shrinking to under 3% of total servers. We still need to account for them in our design from both network and security perspectives; of course, the virtual environment will need hosts and storage to run on. Let’s start with Cisco fast switching transport underlay.
Using typical spine and leaf architecture for the switching underlay, let’s set up ACI zones with VRFs following the Purdue model.
Internet-facing DMZ – Zone 5+
User Networks – Zone 5
DataCenter – Zone 4
IDMZ – Sub Zone of 4 some will call it 3.5
OT – Zone 3 and below is not part of this design.
All traffic within a single zone will East/West traffic and have further segment and security controls via NSX. All traffic between zones with travel North/South and will pass through the Palo Alto Firewall. These zones are overlay constructs that will provide the underlay for NSX.
ACI Zone will host all physical devices, including server hardware for ESXI, NFS Storage, EUC devices, and other legacy items like LPARS. ACI is switching fabric, and the only way to secure devices is through ACLs. A good thing change rate for physical devices is tiny and is an exception to the rule that requires either manual configuration or custom-built automation. If the change rate is low, 2-3 changes a year, I recommend a well documented manual process.
Now let’s add in NSX; we will start with edge cluster and T0s for management, data center, and the IDMZ. The T0s will route traffic to the corresponding ACI Zone. The edge device can provide stateful firewall services to help further segment the workloads. If attackers were to gain access to the ACI zone, they would not have access to corresponding NSX networks.
Now we can do some exciting things; we can create multiple T1’s to create more separate and secure networks with stateful firewalls and transport zones to control who can talk to who. In this case, we will use HR, FIN, and Call center for the use case, but you could replace ACI zones or create DMZ’s all within NSX. We will generate transport zones so the HR can talk FIN but not Call Center, and Fin can talk to Call Center. We have now created smaller attack services, making it difficult for attackers to move around your network.
So I have an ACI zone that layers above my physical switch’s that can’t see the NSX network without passing through a stateful firewall. If the attacker gained access to inside T0, the T1’s would provide another control point, and beyond that, transport zones can restrict access further.
Let’s add the last layer, Microsegmentation, by using DFW. Firewall as close to source VM as possible at the hypervisor! A distributed firewall that travels with VM to secure the application. Let’s count the doors the attacker has to get through now:
- Perimeter Firewalls
- ACI Zone
- NSX T0
- NSX T1
- DFW (Microsegmation)
That’s a lot of doors to open and a lot of firewall rules to manage. Let’s walk through how we can manage this potential operational nightmare.
Let’s simplify things to start doors, one through four rule sets should not change often. These doors rule sets only change when making changes at physical or infrastructure levels. Changes to door three and four (T0/T1) can be day two actions in vRealize Automation (vRA).
DFW is applied through security tags that can be used both on VM creation in vRA or as an onboard process. Tags are added in the cloud template and have portable ymal code for new VMs. A workflow will need to be created to add security tags to an onboarded VM.
Ok, so I can manage the addition and change though policy and tags for my VMs, how do I get a handle on all the rules I need to make? Two ways you can use vRNI to generate a report on ports and protocols for each of your applications or use NSX Intelligence that will make rule suggestions inside of NSX that you can apply. Yes, that is right, rules are given to you apply within NSX!
Ok, this sounds great, but how do I make sure network and security policies are in a known good state? How can I visual see my entire network? I need to be able to do this across virtual, physical, and even my SD-WAN.
No problem! Let me introduce you to vRNI with SD-WAN and visibility/assurance. With these two add ons, you will get a visual of the entire network! Virtual, Physical, and even SD-WAN is giving you a complete view of your network. Assurance will allow you to see changes in the whole network on 30 min intervals. An attacker or Jr network admin change an ACL in ACI? Get an alert so you can react or trigger an automation to change your configuration back to a gold standard.
vRNI has grown-up other ways it can be useful is for vRNI to tell vROPs about application groups or use HCX fling to create application move groups for migration with HCX.
You can see deep security posture and the ability to monitor and assure you are in a known good state. Now let’s talk about Advance security with IPS/IDS and Carbon Black.
To honestly say we covered 6 of 12 MITRE attacks tactics, we have to add AVI and WAF for credential access to our applications. We were now adding NSX IPS/IDS for real-time deep packet inspection, automatic signature updates, and giving you the latest defense to alert on and drop or reject traffic.
Wow! 5 doors to unlock and security to catch attackers in the act; I feel safer now. But what if someone does get through to an endpoint?
Carbon Black can help with Next Generation anti-virus with anomaly traffic detection that can stop malware, ransomware, and next-gen attacks in their tracks. EDR can provide seamless detection through threat hunting and containment. Carbon Black cloud will inspect devices and track and report on a drift. Say an attacker broke through all the security above, you have a way to see what was touched to respond appropriately.
Well, there you have intrinsic, intent-based security from VMware. The best news is this just the start with recent acquisitions, LastLine and Salt Stack. The Intrinsic and intent-based security story from VMware is only getting started.
