In this section we will learn about Micro-segmentation with NSX-T Distributed Firewall
Micro-segmentation with NSX-T Distributed Firewall
NSX-T Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.
In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is data centers facing a lack of lateral prevention between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access the crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.
The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX-T DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.
Rules for predefined categories
DFW comes with predefined categories for firewall rules, allowing you to organize security policies.
Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.
Distributed firewall categories
Distributed firewall comes with predefined categories for firewall rules. Categories allow you to organize security policies.
Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down.
Ethernet – Layer 2 policies
- Ethernet Layer 2 policies are the first line of defense and should be considered before layer 3 rules.
- In NSX-T Manager, select Security (1)
- Navigate to Distributed Firewall (2)
- Choose the Ethernet tab (3) to view category-specific rules.
2. Emergency For emergency situations, you can employ temporary firewall rules.
Within the same Distributed Firewall location, choose the Emergency tab (1).
3. Infrastructure On the Infrastructure tab, you can review non-application firewall rules like vCenter, ESXi, DNS, Active Directory and so on.
- Choose the Infrastructure tab (1).
- Observe here that traffic is allowed for shared servicesthat is, NTP and DNS to the Production groupfor respective context profiles.
4. Environment In the Environment tab, you can manage high-level policy groupings like eliminating communication for test and production environments.These policy groupings can allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.
- Choose the Environment tab (1).
- Observe that traffic here is micro-segmented for multiple environmentssuch as Production, Development and DMZthat consist of various groups like VDI_Contractors, VDI_Employees and so on.
5. Application In this tab, you can apply Application policy rules between tiers. The priority to apply rules is from top-down and left to right. Meaning, if you write a rule in Infrastructure, it has priority over a rule in Application. So, you need to place the most fundamental rules at the top of the list.
- Choose the Application tab (1).
- Observe that distributed firewall rules are applied here for tiers serving multiple applications. By setting these rules, you can achieve app isolation as well as define inter-application tiers communication such as web, app and database with related services/ports like Oracle DB, MySQL and so on.
As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.
To complement this security approach, you can use VMware Log Insight to help build an infrastructure-related rule base. VMware Log Insight helps you preserve your logs and gain better visibility of whats going on in your environment. Find out more in the next section.