Principles
- Understand assets that can be used with a Security Group
- Differentiate services contained in a Security Policy
- Compare and contrast common Service Composer use cases
- Differentiate third party integration and service redirection
- Differentiate Security Groups and Security Policies
- Demonstrate the ability to redirect specific flows (e.g. 80) to network introspection services
- Differentiate between vCenter attribute based Firewall rules (including IP Sets) vs Active Directory identity-based rule
- Create/Edit a Security Group in Service Composer
- Create/Edit/Delete a Security Policy in Service Composer
- Map a Security Policy to a Security Group
- Add/Edit/Delete a Security Tag
- Assign and view a Security Tag
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
Understand assets that can be used with a Security Group
- vCenter objects (datacenters, clusters, resource pools, vApps, port groups, logical switches, virtual machines, vNICs)
- Security Tags, IP Sets, MAC Sets and other Security Groups (groups can be nested)
- Active Directory groups (requires the domain to be registered with NSX Manager)
- Dynamic membership criteria, e.g. a regular expression on the VM name ("name starts with web"), the guest OS name, the computer name, or an attached Security Tag
Important: if a VM's VM-ID is regenerated (e.g. the VM is moved or copied and registered as a new object), its security tags are not propagated to the new VM-ID, so tag-based group membership is lost and must be reassigned.
Differentiate services contained in a Security Policy
Service | Description | Applies to |
Firewall rules | Define the traffic to be allowed or blocked to, from, or within a Security Group; they become a section in the Distributed Firewall | vNIC |
Endpoint service | Guest Introspection services delivered by a third-party solution provider, such as agentless anti-virus or vulnerability management | virtual machines |
Network introspection services | Third-party services that inspect network traffic to and from VMs (IDS/IPS, next-generation firewall) after NSX redirects the traffic to them | virtual machines |
Compare and contrast common Service Composer use cases
- Vulnerability Management / Anti-Virus
- Create a policy whose Guest Introspection service scans desktop VMs; the partner solution marks infected or vulnerable VMs with a Security Tag (e.g. ANTI_VIRUS.VirusFound.threat=high)
- A quarantine Security Group with dynamic membership on that tag picks the VM up automatically, so the restrictive quarantine policy is attached without operator action and removed again once the tag is cleared
- Network Introspection
- Redirect selected traffic (e.g. HTTP into a web-tier group) to a third-party appliance for further processing
- Guest Introspection
- Offload file and process inspection (anti-virus, anti-malware, vulnerability scanning) from the guest to the partner service VM on the same host; this inspects the VM, not its network traffic
Differentiate third party integration and service redirection
- Service redirection (Network Introspection Services) sends network traffic to and from a VM to a third-party appliance for further inspection, e.g. the Palo Alto Networks integration provides deep packet inspection up to L7
- Third-party Endpoint Services (Guest Introspection) inspect the VM itself, e.g. anti-virus, anti-malware or vulnerability scanning, and typically report results back by setting Security Tags
Differentiate Security Groups and Security Policies
- Security Groups define the objects to be protected; membership can be static (explicit inclusions/exclusions) or dynamic (criteria evaluated continuously)
- Security Policies define the actual firewall rules to apply, plus the Guest Introspection and Network Introspection services used for further threat management
- Security Policies are applied to Security Groups
- A Security Policy may be applied to multiple Groups
- A Security Group may have multiple policies applied to it; the policy weight decides the order in which their rules land in the DFW
- Security Groups can be nested, i.e. a given Security Group can include other Security Groups
Demonstrate the ability to redirect specific flows (e.g. 80) to network introspection services
- Install, register and configure the third-party solution (e.g. Palo Alto Networks) under Service Definitions so that its service profile is available
- In the Security Policy, after the Firewall Rules have been defined, add a Network Introspection Services rule: action Redirect, service = the partner service profile, source/destination = the Security Group, service = HTTP (TCP 80)
- Apply the policy to the Security Group and confirm the redirect rule appears in the Distributed Firewall under Partner security services; only the matched flows are steered, everything else keeps the normal DFW path
Differentiate between vCenter attribute-based Firewall rules (including IP Sets) vs Active Directory identity-based rule
- Attribute-based firewall rules use vCenter objects such as VMs, Port Groups or Clusters, NSX Security Tags and IP Sets/MAC Sets, so they follow the workload regardless of its IP address
- Identity-based rules rely on Active Directory integration and allow rules to be defined based on AD group membership; they require the domain to be registered with NSX Manager and user-login detection (Guest Introspection or AD event log access) so that the logged-on user can be mapped to the VM
Create/Edit a Security Group in Service Composer
- Service Composer -> Security Groups -> Add
- Add groups with desired membership (static, dynamic or both)
Create/Edit/Delete a Security Policy in Service Composer
- Service Composer -> Security Policies
- Create/Edit Policies (firewall rules, Guest Introspection and Network Introspection services) and apply them to previously defined Security Groups
- Each Security Policy results in a new section being created in the DFW with the policy's name, e.g. a policy named Test Policy appears as a DFW section named Test Policy
Map a Security Policy to a Security Group
- Select Policy -> Apply
- Pick Security Group
Add/Edit/Delete a Security Tag
- NSX -> Groups and Tags -> Security Tags
- Add new Tags or edit existing ones
Assign and view a Security Tag
- Tags can be assigned to VMs manually from the Security Tags page (Assign/Unassign), or set automatically by a registered third-party service when it detects a threat; the assigned VMs are listed per tag on the same page
- Tags become useful when a Security Group uses them as a dynamic membership criterion, so that tagging a VM changes which policies apply to it
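The Security Group and Security Tag steps above can also be driven from the NSX 6.2 REST API, which is how the quarantine use case is usually automated. The following is an added example and not code from the NSX Administration Guide or VMware. It assumes an NSX Manager hostname and credentials (placeholders below), and the API paths and XML element names of the NSX 6.2 API Guide (/api/2.0/services/securitygroup/bulk/globalroot-0, /api/2.0/services/securitytags/tag, and the dynamicCriteria keys); the tag-list XML used to exercise the parser is constructed, not captured from a live system.

```python
"""Added example, not from the NSX Administration Guide or any VMware code.
Assumed (not on the page): the NSX Manager hostname and credentials below, and
the NSX 6.2 API paths and XML element names, which follow the NSX API Guide."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NSX_MANAGER = "nsxmgr.example.local"            # assumption
NSX_USER, NSX_PASSWORD = "admin", "REPLACE_ME"  # assumption: prefer a least-privilege NSX role
API = f"https://{NSX_MANAGER}/api/2.0/services"
XML_HEADERS = {"Content-Type": "application/xml", "Accept": "application/xml"}

# (key, match, value) in the dynamicCriteria vocabulary: keys VM.NAME,
# VM.GUEST_OS_FULL_NAME, VM.GUEST_HOST_NAME, VM.SECURITY_TAG; matches
# contains, starts_with, ends_with, =, !=.
Criterion = Tuple[str, str, str]

# Quarantine use case: the partner AV service stamps an infected VM with one of
# NSX's built-in tags and this group's dynamic membership picks the VM up.
QUARANTINE_CRITERIA: List[Criterion] = [
    ("VM.SECURITY_TAG", "=", "ANTI_VIRUS.VirusFound.threat=high"),
    ("VM.SECURITY_TAG", "=", "ANTI_VIRUS.VirusFound.threat=medium"),
]


def build_security_group_xml(name: str, criteria: List[Criterion], description: str = "") -> bytes:
    """Body for POST /securitygroup/bulk/globalroot-0: one dynamicSet whose
    criteria are ORed (the 'Any' choice in the Service Composer UI).
    ElementTree escapes the values, so a value like '<web>' cannot break the XML."""
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectTypeName").text = "SecurityGroup"
    ET.SubElement(ET.SubElement(sg, "type"), "typeName").text = "SecurityGroup"
    ET.SubElement(sg, "name").text = name
    ET.SubElement(sg, "description").text = description
    dyn_set = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dyn_set, "operator").text = "OR"
    for key, match, value in criteria:
        crit = ET.SubElement(dyn_set, "dynamicCriteria")
        ET.SubElement(crit, "operator").text = "OR"
        ET.SubElement(crit, "key").text = key
        ET.SubElement(crit, "criteria").text = match
        ET.SubElement(crit, "value").text = value
    return ET.tostring(sg, encoding="utf-8")


def build_security_tag_xml(name: str, description: str = "") -> bytes:
    """Body for POST /securitytags/tag (the 'Add' step on the Security Tags page)."""
    tag = ET.Element("securityTag")
    ET.SubElement(tag, "objectTypeName").text = "SecurityTag"
    ET.SubElement(ET.SubElement(tag, "type"), "typeName").text = "SecurityTag"
    ET.SubElement(tag, "name").text = name
    ET.SubElement(tag, "description").text = description
    return ET.tostring(tag, encoding="utf-8")


def parse_criteria(group_xml: bytes) -> List[Criterion]:
    """Read the criteria back out of a securitygroup body, e.g. to audit an existing group."""
    return [(c.findtext("key"), c.findtext("criteria"), c.findtext("value"))
            for c in ET.fromstring(group_xml).iter("dynamicCriteria")]


def find_tag_id(tag_list_xml: str, name: str) -> Optional[str]:
    """Resolve a tag name to its objectId in the response of GET /securitytags/tag."""
    for tag in ET.fromstring(tag_list_xml).iter("securityTag"):
        if tag.findtext("name") == name:
            return tag.findtext("objectId")
    return None


def nsx_call(method: str, path: str, body: Optional[bytes] = None) -> Tuple[int, str]:
    """One authenticated call to NSX Manager; TLS verification stays on."""
    token = base64.b64encode(f"{NSX_USER}:{NSX_PASSWORD}".encode()).decode()
    req = urllib.request.Request(API + path, data=body, method=method,
                                 headers={"Authorization": f"Basic {token}", **XML_HEADERS})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read().decode()


def create_security_group(name: str, criteria: List[Criterion], description: str = "") -> str:
    # NSX answers with the new objectId (e.g. securitygroup-12) as the response body
    _, body = nsx_call("POST", "/securitygroup/bulk/globalroot-0",
                       build_security_group_xml(name, criteria, description))
    return body.strip()


def assign_tag_to_vm(tag_id: str, vm_id: str) -> int:
    # vm_id is the vCenter MoRef (vm-123); same effect as Assign on the Security Tags page
    status, _ = nsx_call("PUT", f"/securitytags/tag/{tag_id}/vm/{vm_id}")
    return status


if __name__ == "__main__":
    print(create_security_group("SG-Quarantine", QUARANTINE_CRITERIA, "Dynamic: AV-flagged VMs"))
```

The group created by the main block is only half of the use case: the quarantine Security Policy still has to be mapped to it (Select Policy -> Apply), after which any VM the AV service tags with ANTI_VIRUS.VirusFound.threat=high or =medium falls under that policy and leaves it again when the tag is removed. assign_tag_to_vm is the manual equivalent, handy for testing the policy against a lab VM before trusting the partner tagging.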