Step 1 – Environmental Assessment:
Understanding your environment is crucial in today’s modern world of IT, and is especially key at the early stages of identifying an easy-to-implement micro-segmentation plan. We’ve made this process very easy (even if you don’t have NSX in your environment yet!). VMware offers the free VMware Virtual Network Assessment, which takes the traffic it identifies in your environment and produces suggested firewall and security recommendations. Additionally, we provide correlated data and analysis to highlight useful metrics that are top-of-mind for network operators, such as the amount of East-West and North-South traffic present in your network, or how much data is seen on a particular application port over the measured time interval.
Step 2 – Plan and Enforcement:
In this area, NSX really shines. Security and enforcement are two of the most important considerations for most modern operations teams. By enabling granular firewalling and security policy enforcement for every workload in the data center, NSX makes network micro-segmentation achievable for the first time. When our customer starts to implement the micro-segmentation plan from the previous step, the built-in Application Rule Manager and Endpoint Monitoring features enable them to validate the traffic of existing applications in real time (including “brownfield” applications that are already deployed on the infrastructure but don’t have well-defined or documented application dependencies around which to build security and firewall policies). Using this approach to simplify the creation of security groups and firewall rules for enforcement also has an additional benefit: as each rule is enabled and validated, the customer can disable logging for that rule. What remains in the logs is traffic not matched by any enabled rule, which is essentially unneeded traffic; it can either be examined further, or a deny-all rule can be added to the firewall rule table to secure the entire data center with just a click.
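As an added illustration of the validation loop described above (a constructed example, not code from this post or from NSX): allow rules are modelled as matches between security-group CIDRs, observed flows are checked against them, logging is switched off per validated rule, and whatever is still being logged is the residual traffic to examine before the closing deny-all rule is added. The tiers, addresses and flows are invented sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the post): a three-tier app and its allow-list rules.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str

@dataclass
class Rule:
    name: str
    src: str          # CIDR of the source security group
    dst: str          # CIDR of the destination security group
    ports: frozenset
    proto: str
    log: bool = True  # logging stays on until the operator has validated the rule

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and f.port in self.ports and f.proto == self.proto)

RULES = [
    Rule("web-to-app", "10.0.1.0/24", "10.0.2.0/24", frozenset({8443}), "tcp"),
    Rule("app-to-db", "10.0.2.0/24", "10.0.3.0/24", frozenset({5432}), "tcp"),
]

FLOWS = [  # observed flows, as a monitoring tool would report them
    Flow("10.0.1.10", "10.0.2.20", 8443, "tcp"),
    Flow("10.0.2.20", "10.0.3.30", 5432, "tcp"),
    Flow("10.0.1.10", "10.0.3.30", 22, "tcp"),   # web host reaching the DB tier over SSH
]

def first_match(rules, flow):
    """Return the first allow rule covering the flow, or None (it would hit deny-all)."""
    return next((r for r in rules if r.matches(flow)), None)

def residual(rules, flows):
    """Flows no enabled allow rule covers: exactly what a closing deny-all would drop."""
    return [f for f in flows if first_match(rules, f) is None]

def logged(rules, flows):
    """Flows still producing log lines: unmatched ones plus hits on rules still logging."""
    return [f for f in flows if (m := first_match(rules, f)) is None or m.log]
```

Once every rule has been validated (its `log` flag cleared), `logged()` and `residual()` return the same list, which is the operator's cue that only the unexplained flows are left to review.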
Step 3 – Continuous Monitoring:
When it comes to monitoring and troubleshooting the environment, we found a need to take a multi-faceted approach with this customer. Because our customer was quite large and, for the most part, very siloed in terms of organizational alignment, different teams had different requirements for how to effectively monitor the infrastructure. We discovered that the traditional network operations team still preferred a command line interface.
Additionally, we showed the capability of the NSX Central CLI. This tool provides read-only commands for the CLI administrator, available centrally on the NSX Manager, to query various NSX elements (Distributed Logical Routers, Logical Switches, Distributed Firewalls, Edge Services Gateways). Furthermore, for a couple of the newer members of the team, we demonstrated that the same troubleshooting information is available via an API call (POST).
From the UI perspective, the customer was also interested in the NSX Central Dashboard. It provides visibility into the overall health of NSX components in one central view. The NSX Central Dashboard displays the status of different NSX components such as NSX Manager, controllers, logical switches, host preparation, service deployment and backups, as well as edge notifications. Consistency validation of the network and routing objects created in the virtual domain, together with configuration and health checks of the NSX system components, ensures an overall healthy environment and facilitates proactive discovery of critical situations.
An additional UI tool we spent some time on was Traceflow. This feature of NSX enables admins to visualize and troubleshoot data flow issues from point A to point B. Traceflow permits the injection of various packet types into application topologies.
But during our challenge, we absolutely didn’t want to exclude the security operations team. Our vRealize Network Insight (vRNI) tool is an intelligent security and operations management solution for any network. vRNI focuses on, and provides value in, several key areas:
- Physical + Virtual: In a virtualized data center, the connectivity between workloads spans both the virtual and the physical domain, with the hypervisor becoming the demarcation point between the two. vRNI reveals VM-to-VM, VM-to-physical and VM-to-Internet connectivity, showing the hop-by-hop path across the overlay (DLRs, Edge Gateways) and the underlay (physical switches, firewalls and VRFs).
- Micro-segmentation: Incorrect firewall rules can break communication within and across applications even when a valid routing path is available. vRNI shows the effectively enforced firewall rules and security policies with per-VM granularity and can correlate them with partner physical security devices (e.g. Palo Alto Networks).
- Ease of use: SecOps teams are flooded with tools with a steep learning curve; a novice user has to climb it before they can quickly understand the information presented and before the tool’s most powerful capabilities can be leveraged. vRNI offers a single pane that bridges the gap between virtual and physical, with all information accessible via a Google-like search function. The simplified interface reduces the learning curve across teams and greatly improves time-to-value. Time-aware search (going back in time) and fewer clicks to find and identify issues translate to a shorter mean time to resolution (MTTR) and improved business availability.
In summary, give us about 10 minutes (maybe even less time than it takes to read this blog post), and we’ll show you not only how all of this can be easily achieved with VMware, but more importantly why this customer and many more are choosing to #RunNSX with #vRNI.