Objective 7.2 – Configure Distributed Firewall services

Principles

  1. Understand VM IP Address learning for the purposes of DFW vCenter attribute learning
  2. Differentiate between Layer 2 and Layer 3 rules
  3. Differentiate between entity-based and identity-based rules
  4. Understand firewall rule entities
  5. Determine rule processing order
  6. Understand rule segregation
  7. Demonstrate steps to Add/Delete a Distributed Firewall rule
  8. Demonstrate configuration of Source/Destination/Service/Action rule components
  9. Change the order of a Distributed Firewall rule
  10. Add/Merge/Delete a Distributed Firewall rule section
  11. Determine publishing requirements for rules in a given NSX implementation
  12. Demonstrate Import/Export Distributed Firewall Configuration
  13. Load Distributed Firewall configuration
  14. Determine need for excluding virtual machines from distributed firewall protection
  15. Describe SpoofGuard Operation and Default Policy and Actions
  16. Describe SpoofGuard IP Address Learning
  17. Determine requirements for a Spoofguard Policy
  18. Demonstrate how to Create and Edit a SpoofGuard Policy
    1. IP Local Addresses
    2. Approve IP addresses
    3. Edit/Clear IP addresses

References

  1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

  2. Microsegmentation using NSX Distributed Firewall: Getting Started

https://communities.vmware.com/servlet/JiveServlet/downloadBody/27706-102-1-37096/NSXv-Microsegment-GSG.pdf

  3. WhitePaper: NSX Distributed Firewalling Policy Rules Configuration Guide

https://communities.vmware.com/servlet/JiveServlet/downloadBody/27964-102-3-38025/WhitePaper-DFW%20Policy%20Rules%20Configuration%20Guide-v1.pdf

  4. VMware NSX Network Virtualization Design Guide

http://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf

Understand VM IP Address learning for the purposes of DFW vCenter attribute learning

  • Associating VMs with their IP addresses is essential for the DFW, since rules written against vCenter objects must be translated into IP addresses
  • Prior to 6.2 this relied entirely on VMware Tools
  • From 6.2 onwards DHCP and/or ARP snooping can be used in addition to VMware Tools
  • DHCP/ARP snooping is enabled at the cluster level:
    • NSX -> Installation and Upgrade -> Host Preparation
    • Click Cluster -> Actions -> Change IP Detection Type

Differentiate between Layer 2 and Layer 3 rules

  • Layer 2
    • Configured in the “Ethernet” tab of the Firewall configuration
    • Can match source/destination MAC addresses, Layer 2 protocols such as ARP, CHAP, LLDP, etc., or vCenter objects

  • Layer 3
    • Configured in the “General” tab of the Firewall configuration
    • Source/Destination can be IP addresses (or vCenter objects) and the Service a TCP/UDP port

Differentiate between entity-based and identity-based rules

  • Entity-based rules
    • Based on entities such as IP addresses or vCenter objects (e.g. a distributed port group)
  • Identity-based rules
    • Require AD integration with NSX (configured under Users and Domains)
    • Permit Active Directory based DFW rules
    • Firewall rules can be configured based on AD group membership
    • AD groups may also be used in Security Groups/Policies
    • When a user logs on, the relevant Security Policy is pushed to the VM

Understand firewall rule entities

  • Cluster
  • Datacenter
  • Distributed port group
  • Legacy port group
  • Logical switch
  • Resource pool
  • Security group
  • IP Set
  • vApp
  • Virtual machine
  • vNIC
  • IP address (IPv4 or IPv6)

Determine rule processing order

  • Layer 2 rules are processed before Layer 3 rules
  • Packets are processed on a first-match basis, i.e. the first rule a packet matches is applied and the remaining rules are ignored
  • The DFW is stateful: it monitors active connections and maintains two tables:
    • Rule Table
    • Connection Tracker Table
  • Layer 3 processing
    • Stateful inspection based on source/destination IP, port and protocol
    • Look up the packet in the flow table
    • If no flow is identified, look it up in the rule table
      • If a matching rule is found, a new flow is created and the packet is forwarded (or dropped, depending on the rule action)
    • If the packet matches an existing flow it is forwarded without consulting the rule table
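The first-match and flow-table behaviour above, plus the Up/Down reordering of rules, as a small constructed Python model. This is added illustrative code, not NSX's implementation; the packet fields and rule layout are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the DFW Layer 3 lookup: connection tracker (flow)
# table first, then the rule table on a first-match basis. Not NSX code.

@dataclass
class Rule:
    rule_id: int
    src: str      # exact IP, or "any"
    dst: str
    proto: str    # "tcp", "udp", "icmp" or "any"
    dport: object # port number, or None for any port
    action: str   # "allow" or "block"

    def matches(self, pkt: dict) -> bool:
        return (self.src in ("any", pkt["src"])
                and self.dst in ("any", pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

@dataclass
class Dfw:
    rules: list                                # ordered rule table, default rule last
    flows: dict = field(default_factory=dict)  # connection tracker table

    @staticmethod
    def _key(pkt: dict) -> tuple:
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])

    def process(self, pkt: dict) -> tuple:
        """Return (action, rule_id, table) for one packet."""
        key = self._key(pkt)
        # 1. Packet belongs to an existing flow: forward, rule table not consulted.
        if key in self.flows:
            return ("allow", self.flows[key], "flow-table")
        # 2. No flow: walk the rule table; the first match wins, the rest are ignored.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows[key] = rule.rule_id  # new flow created
                return (rule.action, rule.rule_id, "rule-table")
        return ("block", None, "none")  # unreachable with an any/any default rule

    def move_rule(self, rule_id: int, up: bool = True) -> None:
        """Mirror the Up/Down buttons: swap a rule with its neighbour."""
        i = next(k for k, r in enumerate(self.rules) if r.rule_id == rule_id)
        j = i - 1 if up else i + 1
        if 0 <= j < len(self.rules):
            self.rules[i], self.rules[j] = self.rules[j], self.rules[i]
```

Moving the allow rule above the block rule changes the verdict for the same SSH packet, which is why rule order, not section layout, decides policy.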

Understand rule segregation

  • Rules can be placed in separate groups or “Sections” in the DFW, e.g. Marketing, Engineering
  • Sections can be merged using the Merge function
  • Sections are administrative only: they have no bearing on the actual security policy, which is dictated entirely by the content and order of the rules in the firewall

Demonstrate steps to Add/Delete a Distributed Firewall rule

  • Entity rule prerequisites:
    • VMware Tools installed on guest VMs
  • Identity rule prerequisites:
    • One or more AD domains registered with NSX Manager
    • Groups, users and their relationships available from AD
    • Security Groups with AD group members created
    • AppliedTo not supported for Remote Desktop access
    • ICMP not supported
    • Section must have “Enable User Identity at Source” selected if using Identity Firewall for RDSH

  • Rules are added in the “Firewall” section of the NSX Plugin
  • Source/Destination can be a mix of entities
  • If using VMs/vNICs as source/destination, ensure the AppliedTo field contains both the source and destination VMs/vNICs

Demonstrate configuration of Source/Destination/Service/Action rule components

See above

Change the order of a Distributed Firewall rule

Use “Up/Down” buttons to re-arrange rules as needed.

Add/Merge/Delete a Distributed Firewall rule section

Add Section

  • Click “Add Section” to add a new Section – new sections appear at the top of the list

  • Alternatively, click on an existing Section and select “Add Section Above” or “Add Section Below”

Merge Sections

  • Select one or more sections and click the section menu button
  • Select Merge Section

Delete Section

  • Select Section and click “Delete”

Determine publishing requirements for rules in a given NSX implementation

  • New rules are automatically placed at the top of the section
  • If there are no other rules, the rule is added above the default rule
  • Rules can be saved without being published, then imported and published later

  • Rules can be added at a specific location in a section by clicking the menu button for a rule and selecting either Add Above or Add Below

Demonstrate Import/Export Distributed Firewall Configuration

  • Export: Click “More-> Export Current Configuration”

  • Import: Firewall Settings -> Import

Load Distributed Firewall configuration

  • Firewall -> More -> “Load Saved Configuration”

Determine need for excluding virtual machines from distributed firewall protection

  • Automatically Excluded:
    • NSX Manager, Controllers and Edge Appliances
    • Third party security virtual appliances (SVAs) deployed via NSX
  • Other key infrastructure components such as AD and DNS may also be excluded from the DFW to prevent lockout

Describe SpoofGuard Operation and Default Policy and Actions

  • Maintains a list of IP address to vNIC assignments so that changes can be tracked
  • Operating separately from firewall rules, SpoofGuard can block traffic determined to be spoofed
  • If a vNIC’s IP changes, the new address can either be automatically approved or require manual approval before traffic is permitted from it
  • Default policy: applies to all port groups and logical networks not covered by another policy

Describe SpoofGuard IP Address Learning

  • SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK
  • Multiple IPs can be associated with a vNIC when using VMware Tools & DHCP snooping
  • ARP snooping permits up to 128 addresses per vNIC.

Determine requirements for a Spoofguard Policy

  • Automatically Trust IP Assignments On Their First Use
    • Allows all VM traffic to pass while building the vNIC-to-IP address table
    • The table can be reviewed later to make IP address changes
    • Automatically approves all IPv4 and IPv6 addresses that are first seen on a vNIC
  • Manually Inspect and Approve All IP Assignments Before Use
    • Blocks all traffic until each vNIC-to-IP address assignment is approved
    • Multiple IPv4 addresses can be approved

Demonstrate how to Create and Edit a SpoofGuard Policy

  • Networking & Security -> SpoofGuard
  • Add new policy and select Mode
    • Automatic
    • Manual

  • Select Networks

IP Local Addresses

  • If a VM is unable to connect to the DHCP server, a local (link-local) IP address is assigned to it
  • “Allow local address as valid address in this namespace” must be selected for such an address to be accepted; otherwise it is ignored and blocked

Approve IP addresses

  • If the policy is set to manual approval, select the policy and then choose a view:
    • Active vNICs: validated IPs
    • Pending Approval vNICs: IP address changes pending approval
    • Inactive vNICs: current IP does not match the published IP
    • vNICs with Duplicate IP

Edit/Clear IP addresses

  • The IP address assigned to a MAC address can be changed
  • Click “Add IP” for Inactive vNICs and set as appropriate
  • To clear an IP, select the IP and click “Clear”
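The two SpoofGuard policy modes, the vNIC views and the Approve/Clear actions from the three sections above (policy requirements, Approve IP addresses, Edit/Clear IP addresses) as a constructed Python model. This is added illustrative code, not NSX's implementation; what happens to an ARP-snooped address once the 128-per-vNIC limit is reached is an assumption of the model.

```python
# Constructed model of SpoofGuard modes, vNIC views and approve/clear actions.
# Illustrative only, not NSX code.

ARP_SNOOP_MAX = 128  # per-vNIC limit for ARP-snooped addresses (from the notes)

class SpoofGuardPolicy:
    def __init__(self, mode: str):
        assert mode in ("automatic", "manual")
        self.mode = mode
        self.approved = {}  # vnic -> set of approved (published) IPs
        self.pending = {}   # vnic -> set of IPs awaiting manual approval

    def learn(self, vnic: str, ip: str, source: str = "vmtools") -> str:
        """An IP is seen on a vNIC via VMware Tools, DHCP or ARP snooping.
        Returns 'allow' or 'block' for traffic sourced from that IP."""
        approved = self.approved.setdefault(vnic, set())
        if ip in approved:
            return "allow"
        if source == "arp" and len(approved) >= ARP_SNOOP_MAX:
            return "block"  # assumed: not learned once the ARP limit is reached
        if self.mode == "automatic":
            approved.add(ip)  # trusted on first use
            return "allow"
        self.pending.setdefault(vnic, set()).add(ip)
        return "block"  # manual mode: blocked until an admin approves

    def approve(self, vnic: str, ip: str) -> None:
        """'Approve' action on an entry in the Pending Approval view."""
        self.pending.get(vnic, set()).discard(ip)
        self.approved.setdefault(vnic, set()).add(ip)

    def clear(self, vnic: str, ip: str) -> None:
        """'Clear' action: the IP is no longer valid for this vNIC."""
        self.approved.get(vnic, set()).discard(ip)

    def vnic_state(self, vnic: str, current_ip: str) -> str:
        """Which SpoofGuard view the vNIC would appear in."""
        if current_ip in self.pending.get(vnic, ()):
            return "pending-approval"
        if current_ip in self.approved.get(vnic, ()):
            return "active"
        return "inactive"  # current IP does not match a published IP

    def duplicates(self) -> dict:
        """'vNICs with Duplicate IP' view: IPs approved on more than one vNIC."""
        seen = {}
        for vnic, ips in self.approved.items():
            for ip in ips:
                seen.setdefault(ip, set()).add(vnic)
        return {ip: v for ip, v in seen.items() if len(v) > 1}
```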