Julie Starr

Author Archives: Julie Starr

Securing the SDDC with VMware NSX – Light Board Series

Is VMware the first company that springs to mind when you think about securing your software-defined data center (SDDC)? It should be.

In this new light board series, learn about the unique capabilities that VMware NSX brings to your SDDC for securing your virtualized environment.

Start out with some context on why networking and security go hand in hand with the Network Virtualization is Inevitable video. Then, move on to the NSX as a Security Platform video to learn why VMware can offer security options not possible in traditional environments.

But how to install NSX in an environment? Check out Hadar Freehling’s Castle Security with VMware NSX video. Curious about why the firewall in NSX is special? Watch the VMware NSX Distributed Firewall video. And finally, secure a VDI environment with Hadar’s VMware NSX and VDI video.

As your SDDC evolves, stay up to date with NSX and how it can help secure your assets. Have a burning question on securing your virtualized environment that you don’t see addressed in the videos? Let us know, and don’t be surprised if you see it addressed in a future video.

Julie


Distributed Firewall ALG

In the last post, VMware NSX™ Distributed Firewall installation and operation were verified. In this entry, the FTP (File Transfer Protocol) ALG (Application Level Gateway) is tested for associating data connections with the control connections that originate them – something a stateless ACL (access control list) can’t do.

An added benefit over stateless ACLs: most compliance standards more readily accept a stateful-inspection firewall as meeting access control requirements.

To check ALG support for a particular NSX version, refer to the VMware NSX Administration manual. VMware NSX version 6.2 supports FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC ALGs. Do expect additional ALG protocol support with future versions of NSX.

Assuming a default firewall rulebase for simplicity, and a basic setup:

  • three ESXi vSphere 6.0 hosts in a cluster
  • NSX installed, with the NSX Manager installed on the first host
  • two guest VMs running CentOS: one running an FTP server, the other an FTP client

Simplified diagram, along with connections for the following test:

[Figure: layout diagram of the test setup (image not reproduced)]

Previously, an ESXi host command line was used to interact with the Distributed Firewall. Here, the NSX Manager Central CLI – a new option with NSX 6.2 – is used. Slightly different incantations, but the same results can be
Continue reading
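To make concrete what the excerpt above means by an ALG "associating data connections with originating control connections", here is an added, self-contained Python model of that behaviour. It is not code from the post or from VMware NSX: a toy stateful FTP ALG watches the control channel (port 21) for the PORT command of active mode and the 227 reply of passive mode, then opens a one-shot pinhole for exactly the data connection those messages negotiate, while a stateless ACL beside it can only see destination ports. The addresses 10.0.0.10 / 10.0.0.20 and the exchanged messages are constructed for the demo, and the check that the announced address equals the control-connection peer is an assumed hardening choice, not a description of how NSX implements its ALG.

```python
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21


@dataclass(frozen=True)
class Pinhole:
    """Expected data connection: `src` will open a TCP connection to dst:dport."""
    src: str
    dst: str
    dport: int


class StatelessAcl:
    """Port-based ACL with no connection state (constructed for comparison)."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def allows(self, src, dst, dport):
        # Only the destination port is consulted; what the peers negotiated is unknown.
        return dport in self.allowed_ports


class FtpAlg:
    """Toy stateful FTP ALG (constructed example, not NSX code).

    The control connection to port 21 is allowed by rule. Messages on that
    channel are parsed for the address/port of the data connection the two
    peers negotiated, and a one-shot pinhole is opened for exactly that flow.
    """

    # Active mode: client sends "PORT h1,h2,h3,h4,p1,p2"; the server connects back.
    PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
    # Passive mode: server answers "227 ... (h1,h2,h3,h4,p1,p2)"; the client connects.
    PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

    def __init__(self):
        self.pinholes = set()

    @staticmethod
    def _decode(groups):
        h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

    def inspect(self, src, dst, payload):
        """Inspect one control-channel message sent src -> dst.

        Returns the Pinhole that was opened, or None when the message carries
        no data-connection announcement or the announcement is rejected.
        """
        line = payload.strip()
        m = self.PORT_RE.match(line) or self.PASV_RE.match(line)
        if not m:
            return None
        host, port = self._decode(m.groups())
        # In both modes the receiver of the message (dst) initiates the data
        # connection towards the sender (src): the server after a PORT command,
        # the client after a 227 reply.
        initiator, target = dst, src
        # Assumed hardening: the announced address must be the control-connection
        # peer itself and the port must be ephemeral, so a crafted announcement
        # cannot make the firewall open a hole towards some third host.
        if host != target or not 1024 <= port <= 65535:
            return None
        hole = Pinhole(initiator, host, port)
        self.pinholes.add(hole)
        return hole

    def allows(self, src, dst, dport):
        """Decide on a new TCP connection attempt src -> dst:dport."""
        if dport == FTP_CONTROL_PORT:
            return True
        hole = Pinhole(src, dst, dport)
        if hole in self.pinholes:
            self.pinholes.remove(hole)  # one-shot: consumed by the data connection
            return True
        return False


CLIENT, SERVER = "10.0.0.10", "10.0.0.20"  # constructed addresses


def run_demo():
    """Replay a constructed FTP exchange through both filters."""
    acl = StatelessAcl({FTP_CONTROL_PORT})
    alg = FtpAlg()
    out = {}
    # Passive mode: server announces 10.0.0.20, port 195*256+80 = 50000.
    alg.inspect(SERVER, CLIENT, b"227 Entering Passive Mode (10,0,0,20,195,80)\r\n")
    out["pasv_acl"] = acl.allows(CLIENT, SERVER, 50000)         # False: only port 21 is open
    out["pasv_alg"] = alg.allows(CLIENT, SERVER, 50000)         # True: negotiated on port 21
    out["pasv_alg_replay"] = alg.allows(CLIENT, SERVER, 50000)  # False: pinhole already used
    # Active mode: client announces 10.0.0.10, port 200*256+10 = 51210.
    alg.inspect(CLIENT, SERVER, b"PORT 10,0,0,10,200,10\r\n")
    out["active_alg"] = alg.allows(SERVER, CLIENT, 51210)       # True: server connects back
    # Announcement naming a host other than the peer: no pinhole is opened.
    out["third_host"] = alg.inspect(CLIENT, SERVER, b"PORT 10,0,0,99,200,10\r\n")
    out["unrelated"] = alg.allows(CLIENT, SERVER, 50001)        # False: never negotiated
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The stateless ACL has only two options for the passive-mode data connection: deny it, or open the whole ephemeral port range to everything, which is exactly the broad exposure a stateful ALG avoids by admitting only the one flow the control channel announced and closing the hole once it is used.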

Getting Started with VMware NSX Distributed Firewall – Part 2

In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.

Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.

Which brings me to my new favorite tool – VMware NSX Distributed Firewall.
Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 1

Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.

As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation?

But there is a problem with the reach of network-based segmentation. If traffic does not cross the firewall, you are blind. All hosts in the same network, commonly the same VLAN, can abuse each other at will. Perhaps NetFlow or IPS sensors are deployed throughout your network – just to catch some of this internal free-for-all. And the DMZ? I like to think of all these networks as blast areas, where any one compromise could potentially take everything else on the same network down.

It’s not really network segmentation that’s all the
Continue reading