Objective 7.3 – Configure and manage Service Composer

Principles

  1. Understand assets that can be used with a Security Group
  2. Differentiate services contained in a Security Policy
  3. Compare and contrast common Service Composer use cases
  4. Differentiate third party integration and service redirection
  5. Differentiate Security Groups and Security Policies
  6. Demonstrate the ability to redirect specific flows (e.g. 80) to network introspection services
  7. Differentiate between vCenter attribute based Firewall rules (including IP Sets) vs Active Directory identity-based rule
  8. Create/Edit a Security Group in Service Composer
  9. Create/Edit/Delete a Security Policy in Service Composer
  10. Map a Security Policy to a Security Group
  11. Add/Edit/Delete a Security Tag
  12. Assign and view a Security Tag

References

  1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

Understand assets that can be used with a Security Group

  • vCenter containers (clusters, port groups, or Datacenters)
  • Security tags, IPset, MACset, Security Groups
  • AD Groups
  • Dynamic membership criteria expressed as regular expressions, e.g. virtual machines whose name matches VM1

Important: If a VM’s VM-ID is regenerated because the VM is moved or copied, its security tags are not propagated to the new VM-ID.

Differentiate services contained in a Security Policy

Service                        | Description                                                                                      | Applies to
-------------------------------|--------------------------------------------------------------------------------------------------|-----------------
Firewall rules                 | Define traffic to be allowed to, from, or within a security group                                | vNIC
Endpoint service               | Third-party solution provider services such as anti-virus or vulnerability management services   | Virtual machines
Network introspection services | Services that monitor your network, such as an IPS                                               | Virtual machines

Compare and contrast common Service Composer use cases

  • Vulnerability Management
    • Create policies to scan desktop VMs and automatically quarantine if infected
    • Use security tags to dynamically update security groups so that infected machines automatically have the correct security policy attached
  • Network Introspection
    • Direct certain traffic to a third-party solution for further processing
  • Guest Introspection
    • Direct certain traffic to Guest Introspection for inspection

Differentiate third party integration and service redirection

  • Third-party solutions such as Network Introspection Services allow network traffic to and from a VM to be further inspected, e.g. the Palo Alto integration provides deep packet inspection up to L7
  • Endpoint Services allow VMs to be inspected from the guest side, e.g. by anti-virus, anti-malware or vulnerability management services

Differentiate Security Groups and Security Policies

  • Security Groups define the objects to be protected and can be static or dynamic
  • Security Policies define the actual firewall rules to apply and the third-party services used for further threat management
  • Security Policies are applied to Security Groups
  • A Security Policy may be applied to multiple Groups
  • A Security Group may have multiple policies applied to it
  • Security Groups can be nested, i.e. a given Security Group can include other Security Groups
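To make the membership model concrete, here is an added Python example (not code from the NSX guide or from this page) that resolves a Security Group's effective membership from static members, dynamic criteria (a VM-name regular expression, a security tag) and nested groups, and shows that a copied VM with a regenerated VM-ID does not inherit the source VM's tags and so stays out of a tag-based group. The VM names, VM-IDs and the tag name are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory model (not from the page): a VM is keyed by its VM-ID
# and carries the NSX security tags currently attached to it.
@dataclass
class VM:
    vm_id: str
    name: str
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    static_members: set = field(default_factory=set)  # VM-IDs added statically
    criteria: list = field(default_factory=list)      # (key, match, value) tuples
    nested: list = field(default_factory=list)        # other SecurityGroups
    match_any: bool = True                            # OR (True) or AND across criteria

def criterion_matches(vm, key, match, value):
    """Evaluate one dynamic-membership criterion against a VM."""
    if key == "VM.NAME" and match == "regex":   # e.g. virtual machines named web-*
        return re.search(value, vm.name) is not None
    if key == "VM.SECURITY_TAG" and match == "contains":
        return value in vm.tags
    raise ValueError(f"unsupported criterion {key}/{match}")

def members(group, inventory):
    """Effective membership: static members + dynamic matches + nested groups."""
    result = set(group.static_members)
    for vm in inventory.values():
        hits = [criterion_matches(vm, *c) for c in group.criteria]
        if hits and (any(hits) if group.match_any else all(hits)):
            result.add(vm.vm_id)
    for child in group.nested:
        result |= members(child, inventory)
    return result

def clone_vm(inventory, vm_id, new_vm_id):
    """Copy/move that regenerates the VM-ID: security tags are NOT carried over."""
    inventory[new_vm_id] = VM(new_vm_id, inventory[vm_id].name + "-copy", tags=set())
    return inventory[new_vm_id]

def demo():
    inv = {"vm-101": VM("vm-101", "web-01", {"AntiVirus.virusFound"}),  # sample tag
           "vm-102": VM("vm-102", "web-02"), "vm-103": VM("vm-103", "db-01")}
    web = SecurityGroup(criteria=[("VM.NAME", "regex", r"^web-")])
    quarantine = SecurityGroup(criteria=[("VM.SECURITY_TAG", "contains", "AntiVirus.virusFound")])
    prod = SecurityGroup(static_members={"vm-103"}, nested=[web])  # nested group
    clone_vm(inv, "vm-101", "vm-201")  # copy of the infected VM, new VM-ID, no tags
    return members(web, inv), members(prod, inv), members(quarantine, inv)
```

The copied VM joins the name-based group immediately but not the tag-based quarantine group, which is why a tag-driven quarantine policy must be re-applied after a move or copy.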

Demonstrate the ability to redirect specific flows (e.g. 80) to network introspection services

  • Install, register and configure the third-party solution, e.g. Palo Alto
  • Add a Network Introspection service to the Security Policy after the Firewall Rules have been defined, so that only the selected traffic (e.g. TCP port 80) is redirected to the partner service

Differentiate between vCenter attribute-based Firewall rules (including IP Sets) vs Active Directory identity-based rule

  • Attribute based firewall rules use vCenter containers such as VMs, Port Groups or NSX Security Tags
  • Identity-based rules rely on Active Directory integration and allow rules to be defined based on AD group membership

Create/Edit a Security Group in Service Composer

  • Service Composer -> Security Groups -> Add
  • Add groups with desired membership (static, dynamic or both)

Create/Edit/Delete a Security Policy in Service Composer

  • Service Composer -> Security Policies
  • Create/Edit Policies and apply to previously defined Security Groups

  • Security Policies result in a new section being created in the DFW, e.g. the Test Policy section shown below

Map a Security Policy to a Security Group

  • Select Policy -> Apply
  • Pick Security Group

Add/Edit/Delete a Security Tag

  • NSX -> Groups and Tags -> Security Tags
  • Add new Tags or edit existing ones

Assign and view a Security Tag

  • Tags can be manually assigned to VMs from the Security Tags page, or used as dynamic membership criteria in Security Groups so that tagged VMs join the group automatically