Principles
- Understand VM IP Address learning for the purposes of DFW vCenter attribute learning
- Differentiate between Layer 2 and Layer 3 rules
- Differentiate between entity-based and identity-based rules
- Understand firewall rule entities
- Determine rule processing order
- Understand rule segregation
- Demonstrate steps to Add/Delete a Distributed Firewall rule
- Demonstrate configuration of Source/Destination/Service/Action rule components
- Change the order of a Distributed Firewall rule
- Add/Merge/Delete a Distributed Firewall rule section
- Determine publishing requirements for rules in a given NSX implementation
- Demonstrate Import/Export Distributed Firewall Configuration
- Load Distributed Firewall configuration
- Determine need for excluding virtual machines from distributed firewall protection
- Describe SpoofGuard Operation and Default Policy and Actions
- Describe SpoofGuard IP Address Learning
- Determine requirements for a Spoofguard Policy
- Demonstrate how to Create and Edit a SpoofGuard Policy
- IP Local Addresses
- Approve IP addresses
- Edit/Clear IP addresses
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- Microsegmentation using NSX Distributed Firewall: Getting Started
- WhitePaper: NSX Distributed Firewalling Policy Rules Configuration Guide
- VMware NSX Network Virtualization Design Guide
http://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf
Understand VM IP Address learning for the purposes of DFW vCenter attribute learning
- VM IP address association is essential for the DFW
- Prior to 6.2 it relied entirely on VMware Tools
- From 6.2 onwards DHCP and/or ARP snooping can be used in addition to VMware Tools
- DHCP/ARP snooping is enabled at the cluster level:
  - NSX -> Installation and Upgrade -> Host Preparation
  - Click Cluster -> Actions -> Change IP Detection Type
Differentiate between Layer 2 and Layer 3 rules
- Layer 2
  - Configured in the “Ethernet” tab of the Firewall configuration
  - Can be applied to source/destination MAC addresses, Layer 2 protocols such as ARP, CHAP, LLDP etc., or vCenter objects
- Layer 3
  - Configured in the “General” tab of the Firewall configuration
  - Source/Destination can be IP addresses (or vCenter objects) and TCP/UDP ports
Differentiate between entity-based and identity-based rules
- Entity-based rules
  - Based on vCenter objects such as IP Address, Distributed Port Group
- Identity-based rules
  - Require AD integration with NSX (from Users and Domains)
  - Permit Active Directory-based DFW rules
  - Firewall rules can be configured based on AD group membership
  - AD groups may also be used in Security Groups/Policies
  - When a user logs on, the relevant Security Policy is pushed to the VM
Understand firewall rule entities
- Cluster
- Datacenter
- Distributed port group
- Legacy port group
- Logical switch
- Resource pool
- Security group
- IP Set
- vApp
- Virtual machine
- vNIC
- IP address (IPv4 or IPv6)
Determine rule processing order
- Layer 2 rules are processed before Layer 3 rules
- Packets are processed on a first-match basis, i.e. the first rule that a packet matches is applied and the rest are ignored
- The DFW is stateful in that it monitors active connections and maintains two tables:
  - Rule Table
  - Connection Tracker Table
- Layer 3 processing
  - Stateful inspection based on source/destination IP, port and protocol
  - Look the packet up in the flow table
  - If no flow is identified, look it up in the rule table
  - If a matching rule is found, a new flow is created and the packet is forwarded
  - If the packet matches an existing flow it is forwarded
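To make the processing order concrete, here is an added Python model (not NSX code, and not from the page's references) of the Layer 3 path: connection tracker lookup first, then a first-match walk of an ordered rule table. The rule set, the addresses and the catch-all rule standing in for the default rule at the bottom of the section are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Connection-tracker key (constructed 4-tuple model): src_ip, dst_ip, proto, dst_port
Flow = namedtuple("Flow", "src_ip dst_ip proto dst_port")

@dataclass
class Rule:
    rid: int
    src: str                 # exact IP or "any"
    dst: str
    proto: str               # "tcp" / "udp" / "any"
    dst_port: Optional[int]  # None = any port
    action: str              # "allow" or "block"

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src_ip) and self.dst in ("any", f.dst_ip)
                and self.proto in ("any", f.proto) and self.dst_port in (None, f.dst_port))

class Dfw:
    """Layer-3 path only: flow-table lookup first, then a first-match walk of the rule table."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)                 # list order == rule order in the section
        self.flows: Dict[Flow, str] = {}         # connection tracker table: flow -> action
        self.trace: List[Tuple[str, str]] = []   # (what decided, action) for each packet

    def process(self, f: Flow) -> str:
        if f in self.flows:                      # packet of an existing flow: forwarded, no rule lookup
            self.trace.append(("flow-table", self.flows[f]))
            return self.flows[f]
        for r in self.rules:                     # first match wins; later rules are never consulted
            if r.matches(f):
                if r.action == "allow":
                    self.flows[f] = "allow"      # new flow is created in the tracker
                self.trace.append((f"rule {r.rid}", r.action))
                return r.action
        raise RuntimeError("rule table must end with a default rule")

def run(rules: List[Rule], packets: List[Flow]) -> List[Tuple[str, str]]:
    fw = Dfw(rules)
    for p in packets:
        fw.process(p)
    return fw.trace
# Constructed rule set: allow HTTPS to the web VM, block everything else to it, then a
# catch-all allow standing in for the default rule at the bottom of the section.
RULES = [Rule(1, "any", "10.0.0.10", "tcp", 443, "allow"),
         Rule(2, "any", "10.0.0.10", "any", None, "block"),
         Rule(3, "any", "any", "any", None, "allow")]
HTTPS = Flow("10.0.0.5", "10.0.0.10", "tcp", 443)
SSH = Flow("10.0.0.5", "10.0.0.10", "tcp", 22)
```

Running `run(RULES, [HTTPS, HTTPS, SSH])` shows the second HTTPS packet decided by the flow table and SSH blocked by rule 2 even though rule 3 would allow it; moving rule 3 to the top (the "Up" button) changes the SSH verdict to allow.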
Understand rule segregation
- Rules can be placed in separate groups or “Sections” in the DFW, e.g. Marketing, Engineering
- Sections can be merged using the Merge function
- Sections are administrative only – they have no bearing on the actual security policy, which is dictated entirely by the content and order of the rules in the firewall
Demonstrate steps to Add/Delete a Distributed Firewall rule
- Entity rule pre-requisites:
  - VMware Tools installed on guest VMs
- Identity rule pre-requisites:
  - 1+ AD domains registered with NSX Manager
  - Group, user and relationship information available from AD
  - Security Groups with AD group members created
  - AppliedTo not supported for Remote Desktop access
  - ICMP not supported
  - Section must have “Enable User Identity at Source” selected if using Identity Firewall for RDSH
- Rules are added in the “Firewall” section of the NSX plugin
- Source/Destination can be a mix of entities
- If using VMs/vNICs as source/destination, ensure the AppliedTo field contains both the source and destination VMs/vNICs
Demonstrate configuration of Source/Destination/Service/Action rule components
See above
Change the order of a Distributed Firewall rule
Use “Up/Down” buttons to re-arrange rules as needed.
Add/Merge/Delete a Distributed Firewall rule section
Add Section
- Click “Add Section” to add a new Section – new sections appear at the top of the list
- Alternatively, click on an existing Section and select “Add Section Above” or “Add Section Below”
Merge Sections
- Select 1 or more sections and click section menu button
- Select Merge Section
Delete Section
- Select Section and click “Delete”
Determine publishing requirements for rules in a given NSX implementation
- Rules are automatically published at the top of the section
- If there are no other rules, it is added above the default rule
- Rules can be saved before being published and then imported and published later
- Rules can be added at a specific location in a section by clicking the menu button for a rule and selecting either Add Above or Add Below
Demonstrate Import/Export Distributed Firewall Configuration
- Export: Click “More-> Export Current Configuration”
- Import: Firewall Settings -> Import
Load Distributed Firewall configuration
- Firewall -> More -> Load Saved Configuration
Determine need for excluding virtual machines from distributed firewall protection
- Automatically Excluded:
- NSX Manager, Controllers and Edge Appliances
- Third party security virtual appliances (SVAs) deployed via NSX
- Other key infrastructure components such as AD and DNS may also be excluded from the DFW to prevent lockout
Describe SpoofGuard Operation and Default Policy and Actions
- Maintains a list of IP address to vNIC assignments so that changes can be tracked
- Operating separately from Firewall rules, SpoofGuard can block traffic determined to be spoofed
- If a vNIC IP changes, it can either be automatically approved or require manual approval before traffic is permitted from it
- A default Policy: applies to all port groups and logical networks not covered by another policy
Describe SpoofGuard IP Address Learning
- SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK
- Multiple IPs can be associated with a vNIC when using VMware Tools & DHCP snooping
- ARP snooping permits up to 128 addresses per vNIC.
Determine requirements for a Spoofguard Policy
- Automatically Trust IP Assignments On Their First Use
  - Allows all VM traffic to pass while building the vNIC-to-IP address table
  - The table can be reviewed to make IP address changes
  - Automatically approves all IPv4 and IPv6 addresses that are first seen on a vNIC
- Manually Inspect and Approve All IP Assignments Before Use
  - Blocks all traffic until each vNIC-to-IP address assignment is approved
  - Multiple IPv4 addresses can be approved
Demonstrate how to Create and Edit a SpoofGuard Policy
- Networking and Security -> SpoofGuard
- Add a new policy and select the Mode
  - Automatic
  - Manual
- Select Networks
IP Local Addresses
- If a VM is unable to connect to the DHCP server, a local IP address is assigned to it
- “Allow local address as valid address in this namespace” must be selected for address to be accepted, otherwise it’s ignored and blocked
Approve IP addresses
- If the policy is set to manual approval, select the policy and then choose a view:
  - Active vNICs: validated IPs
  - Pending Approval vNICs: IP address changes pending approval
  - Inactive vNICs: current IP does not match the published IP
  - vNICs with Duplicate IP
Edit/Clear IP addresses
- The IP address assigned to a MAC address can be changed
- Click “Add IP” for Inactive vNICs and set as appropriate
- To clear an IP, select the IP and click “Clear”
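The two policy modes, the per-vNIC ARP learning limit, the Active/Pending/Inactive/Duplicate views and the Approve/Clear actions from the SpoofGuard sections above, as an added Python model that is not NSX code; the vNIC names, addresses and the `state`/`duplicates` helpers are constructed for the example.

```python
from collections import Counter
from typing import Dict, Set

ARP_SNOOP_MAX = 128   # addresses ARP snooping may learn per vNIC (figure from the page)

class SpoofGuardPolicy:
    """Constructed model of one SpoofGuard policy: vNIC-to-IP table plus approval mode."""
    def __init__(self, mode: str):
        assert mode in ("automatic", "manual")
        self.mode = mode
        self.approved: Dict[str, Set[str]] = {}   # published (validated) IPs per vNIC
        self.pending: Dict[str, Set[str]] = {}    # learned but awaiting approval

    def learn(self, vnic: str, ip: str, source: str = "arp") -> str:
        """An IP was seen on a vNIC via VMware Tools, DHCP snooping or ARP snooping."""
        known = self.approved.setdefault(vnic, set())
        if ip in known:
            return "known"
        if source == "arp" and len(known | self.pending.get(vnic, set())) >= ARP_SNOOP_MAX:
            return "ignored"                        # per-vNIC ARP learning limit reached
        if self.mode == "automatic":                # trust on first use
            known.add(ip)
            return "approved"
        self.pending.setdefault(vnic, set()).add(ip)   # manual: hold until an admin approves
        return "pending"

    def approve(self, vnic: str, ip: str) -> None:  # the "Approve" action
        self.pending.get(vnic, set()).discard(ip)
        self.approved.setdefault(vnic, set()).add(ip)

    def clear(self, vnic: str, ip: str) -> None:    # the "Clear" action
        self.approved.get(vnic, set()).discard(ip)
        self.pending.get(vnic, set()).discard(ip)

    def permit(self, vnic: str, src_ip: str) -> bool:
        """Traffic is only passed if the source IP is published for that vNIC."""
        return src_ip in self.approved.get(vnic, set())

    def state(self, vnic: str, current_ip: str) -> str:
        """View a vNIC falls into when its live address is current_ip."""
        if current_ip in self.approved.get(vnic, set()):
            return "active"
        if current_ip in self.pending.get(vnic, set()):
            return "pending-approval"
        return "inactive"    # current IP does not match the published IP

    def duplicates(self) -> Set[str]:   # the "vNICs with Duplicate IP" view
        counts = Counter(ip for ips in self.approved.values() for ip in ips)
        return {ip for ip, n in counts.items() if n > 1}
```

In manual mode a freshly learned address is blocked until `approve` is called; in automatic mode it passes immediately, and the 129th ARP-learned address on a vNIC is ignored while the same address learned via DHCP snooping is still accepted.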