As a Senior Consultant at Xtravirt, I recently spent time with a customer, a major European airline, to plan and oversee the deployment of VMware NSX®. In the aviation industry, a data breach could have catastrophic repercussions. Concerned about data security, the customer chose VMware NSX for its security capabilities. This is because NSX allows for micro-segmentation, a practice through which workloads are individually cordoned off to prevent any East-West movement in the event of a breach. In contrast to most IT networks, where one firewall protects the entire perimeter, a breach in a micro-segmented network can only impact a small subset of data. With the objective to increase environment security and control East-West traffic, the project was managed in five key phases:
Phase 1 – Discovery and Planning
Xtravirt kicked off the project with a 2-day planning workshop with key technical staff and subject matter experts. In this phase we confirm and capture the full scope of requirements and ensure we fully understand the current environment. This process reveals any prerequisites, potential roadblocks and validates the use case. In this instance, the customer has two data centres, one vCenter Server (version 6.5) and uses vRealize Network Insight (vRNI) to monitor their environment. During the initial discovery phase, it became apparent that vRealize Network Insight (vRNI) could be used to better understand East-West traffic and to map the customer’s applications to the security policy that could be provided by NSX Distributed Firewall (NSX DFW). Both solutions, vRNI and NSX DFW, are quite unique in the market and help solve many typical problems associated with securing workloads in modern data centres. In this instance, they helped to:- gain a better understanding of the flows of the applications, how they communicate with the outside world as well as within the application itself
- secure East-West traffic and avoid reliance on the perimeter firewall to segment those workloads.
Phase 2 – Installation and configuration of vRNI
The installation and configuration of vRNI onto the customer’s environment involved adding the “Data Sources” to the vRNI, where the data (flows) would be collected. There are many data sources supported by vRNI, including for example – vCenter, NSX-V, NSX-T, as well as third party devices like Cisco, AWS and Arista. A list of supported solutions can be found here: https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.6/com.vmware.vrni.install.doc/GUID-4BA21C7A-18FD-4411-BFAC-CADEF0050D76.html After adding the necessary sources, vRNI collected all the flows for a 30-day monitoring period. Other VMware solutions such as Application Rule Manager, allow for a maximum of 7-days monitoring and provide a great option for small applications. However, vRNI’s 30-day monitoring period is especially useful when applications in the environment are particularly active during specific times, like a payroll application.Phase 3 – Defining workloads
The next step was to define which workloads were part of which application. In this particular case, we had 4 main requirements:- micro-segmentation of Application “A” which consisted of 3 tiers. Each tier needed to talk to other tiers only on needed ports, thus securing flows within the application.
- micro-segmentation of Application “B” which consisted of 3 sub-applications. The goal here was to secure traffic between sub-applications and not within each sub-application.
- mapping of the shared services (active directory, monitoring etc.) that are necessary for the applications to function properly.
- mapping of the users that need access to those applications.