VMware Hands-on Labs - HOL-SDC-1415


Lab Overview - HOL-SDC-1415 - IT Outcomes Security Controls Native to Infrastructure

Lab Guidance


Learn how several VMware technologies work together to implement policy-based network control, configuration and compliance management, and intelligent operations management. You will use NSX for vSphere to isolate, protect, and apply security policies across virtual network workloads. Use vCenter Configuration Manager to continuously identify, assess, and remediate out-of-compliance virtual machines. Finally, you will use vCenter Operations Manager for operational insight into the health, risk, and efficiency of the virtual infrastructure.

Module 1: Policy-Based Compliance (30 Minutes)

Module 2: Policy-Based Network Security (25 Minutes)


 

Physical Lab Topology

 

vSphere Topology:

The two vSphere hypervisors in the environment are esx-01a.corp.local and esx-02a.corp.local, and they are configured as a single Cluster.

Network Topology:

The Management Network (192.168.110.0/24) is a common network across the vSphere hypervisors, vCenter, NSX Manager, ControlCenter, vCenter Operations Manager (vCOPS) and vCenter Configuration Manager (vCM).

The vMotion Network (10.10.30.0/24) is used for vMotion traffic.

The App Network (192.168.120.0/24) is used for all Virtual Machine data traffic.

The Storage Network (10.10.20.0/24) is used to connect the Hypervisors to the NFS storage appliance.

Storage Topology:

The two vSphere hypervisors have NFS-attached storage via the stgb-l-01a storage appliance.

vCenter, NSX Manager, vCOPS and vCM

vCenter is pre-configured and accessible on the Management Network at 192.168.110.22.

NSX Manager is pre-configured and accessible on the Management Network at 192.168.110.42.

vCOPS is pre-configured and accessible on the Management Network at 192.168.110.70.

vCM is pre-configured and accessible on the Management Network at 192.168.110.77.

Application Virtual Machines:

In this lab we are using a simple application with 2 servers (app-l-01a and db-w8-01a) and a test server test-l-01a.

app-l-01a.corp.local is connected on 192.168.120.10

db-w8-01a.corp.local is connected on 192.168.120.11

test-l-01a.corp.local is connected on 192.168.120.12

 

Module 1 - Policy-Based Compliance

Introduction


VMware vCenter Configuration Manager (VCM) delivers capabilities fundamental to ensuring that virtualized and cloud computing environments are properly configured to meet operational, security and compliance requirements. VCM is a full-featured configuration-management solution that automates configuration management across virtual, physical and cloud environments.

Enterprises can use VCM to continuously audit the configurations of VMware infrastructure as well as Windows, Linux and UNIX operating systems. Both physical and virtual configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines and regulatory mandates.

VCM compares your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you download, or that you create, to determine if the machines meet the standards. The results of the compliance run tell you which machines meet the standards and which ones do not. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM.

Preset rules and templates are available that enable you to begin monitoring system compliance against regulatory (Sarbanes-Oxley, HIPAA, GLBA and FISMA), industry and Microsoft standards. You can create and manage rules and rule groups based on Active Directory (AD) objects and configuration data, or on machine data.

At a glance, vCenter Configuration Manager:

  1. Improves operational effectiveness by continuously auditing configurations of the VMware infrastructure and Windows, Linux and UNIX operating systems.
  2. Speeds time to service restoration by correlating configuration changes tracked within VCM with performance and capacity issues identified by VMware vCenter Operations Manager.
  3. Accelerates the adoption of virtualization and cloud computing for business-critical applications by addressing security and compliance concerns.
  4. Reduces potential security threats through a unified approach to configuration management across physical and virtual infrastructure.
  5. Drives down the effort and cost of configuration compliance through the use of an automated solution.

 


Manage vCenter Server Virtual Machines


Add and license the virtual machines identified based on a vCenter Guests collection from your vCenter Servers. If you are managing Windows virtual machines, you can also install the VCM Agent.

Using the Manage Guests wizard, you can add the virtual machines to the appropriate Available Machines data grid based on operating system, license the virtual machine based on operating system, or, for Windows machines, license and install the Agent.


 

Run PowerShell Script

 

Procedure:

  1. Click on the Command Prompt Icon on the Task Bar.

 

 

Reboot the VCM Server using PowerShell

 

**Note** It may take up to 2 minutes while the server reboots and initializes VCM.

Procedure:

  1. Type powershell in the command window.
  2. Press Enter.
  3. On the next line, type Restart-Computer vcm-01a -Force
  4. Press Enter to reboot the VCM server.

 

 

Open vCenter Configuration Manager

 

Procedure:

  1. Once the VCM server comes back online, double-click the VCM icon on the desktop.

 

 

Log In to vCenter Configuration Manager with Proper Credentials

 

Procedure:

  1. Log into VCM with the following credentials:

  2. Click OK.

 

 

Select the Appropriate User Level from the Drop-Down Menu

 

vCenter Configuration Manager users can have multiple roles. In this lab, CORP\VCADMIN is assigned three different roles in vCenter Configuration Manager:

We will be using the Admin role throughout this lab, however, roles can be created and assigned on a very granular level.

Procedure:

  1. Select 'Admin' User Role and click Login.

 

 

Install VCM agents for the selected Windows machines

 

Procedure:

  1. Click Console.
  2. Select Virtual Environments.
  3. Select vCenter.
  4. Select Guests.
  5. Select Summary.
  6. Select the Windows virtual machine (base-w7-01a).
  7. Click Manage Guests.

 

 

Select Default Domain

 

Procedure:

  1. On the Default Domain page, select CORP.LOCAL from the Domain drop-down list, then click OK.
  2. Select the Active Directory radio button for Domain Type.
  3. Click Next to continue.

 

 

Edit VM Guest Machine Info

 

Procedure:

  1. On the Edit VM Guest Machine Info page, make sure the base-w7-01a Windows virtual machine is selected.
  2. Click Next.

 

 

License the VM Guests and Install the Windows Agents

 

Procedure:

  1. On the License VM Guests page, select License the selected machines.
  2. Select Install VCM agents for the selected Windows machines.
  3. Click Next.

 

 

Confirm your Changes

 

Procedure:

  1. On the Confirm Your Changes page, review the changes.
  2. Click Finish.

 

 

Set the Options for Installation

 

Procedure:

  1. Leave the default options and click Next.

 

 

Schedule the Agent Installation

 

Procedure:

  1. Confirm that the Run Action Now radio button is selected.
  2. Select Next.

 

 

Installation Confirmation

 

Procedure:

  1. Review the notice and click Finish to deploy the Windows agents.

 

 

Watch the Progress of your Agent Installation

 

Procedure:

  1. Click on the Jobs icon on the menu bar.

 

 

Monitor the Agent Installation

 

Procedure:

**Important** The Jobs Running window does not auto-refresh by default. Set the job to auto-refresh by following the steps below.

  1. You can refresh the job collection manually by clicking on the Refresh icon.
  2. Or you can set the job to auto-refresh for you: select 30 Seconds from the drop-down menu.
  3. You can also auto-refresh the individual steps: select 5 seconds to monitor success or failure.

**Notice** It can take several minutes for this process to complete successfully.

 

 

Jobs Running

 

Procedure:

  1. Once the job is complete, Click Close.

 

 

Verify that the Windows Agents have been successfully deployed

 

Procedure:

  1. Select Administration.
  2. Select Job Manager.
  3. Select History.
  4. Select Other Jobs.
  5. Select Past 24 Hours.
  6. You should see both of your Windows virtual machines in the Job History Machine Detail Box with a Status of Succeeded.

 

Run and Enforce Compliance


Compliance templates evaluate the data collected from virtual or physical machines in machine groups to determine if the machines meet the rules in the templates. If the property values on a machine do not meet the rule criteria, and if no exception is defined, then the machine is flagged as noncompliant. When a machine is noncompliant, the template results provide the details of the settings or configurations that do not match the rules. You can use this information to resolve the problem.


 

Run Virtual Environment Compliance Templates

 

Procedure:

  1. Click Compliance.
  2. Select Machine Group Compliance.
  3. Select Templates.
  4. Select the Microsoft MSS Windows 7 Hardening Template.
  5. Click Run Template.

 

 

Select Template Options

 

Procedure:

  1. Select the Do not enforce noncompliant results at this time radio button.
  2. Check the Check compliance alerts for this machine group check box.
  3. Click OK.

 

 

Track Compliance Progress

 

Procedure:

  1. When the template is finished running, you should see "Your compliance run completed successfully" in the progress bar.
  2. Click on Close.

 

 

Review Compliance Results Report

 

Procedure:

  1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.
  2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are non-compliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.
  3. To view the results in the data grid, click View data grid.

 

 

View Data Grid Results

 

Icon description:

 

 

Review Rules that are Out of Compliance

 

These policies will be enforced by VCM

 

Configure vCenter Operations Manager Integration


The integration between vCenter Operations Manager and VCM includes using the VCM compliance template results to contribute to the Risk badge score in vCenter Operations Manager.

The compliance templates are included in badge mappings that are run in VCM against objects in vCenter Server instances that are managed by both VCM and vCenter Operations Manager. These objects include virtual machines, host systems, clusters, vCenter Server instances, and data stores. The compliance mapping results determine the compliance score. vCenter Operations Manager then pulls the scores into the formulas used to calculate the Risk badge scores.

When you review the standards compliance in vCenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring an object that is noncompliant back to compliance.


 

Run the Compliance Badge Mappings for vCenter Operations Manager

 

Procedure:

  1. Click Console.
  2. Select Compliance.
  3. Select vCenter Operations Manager Badge Mappings.
  4. Select Mappings.
  5. Select the Microsoft Windows 7 Hardening mapping.
  6. Click Run.

 

 

Select Mapping Options

 

Procedure:

  1. Select the Check Compliance Alerts for this Machine Group check box.
  2. Click OK.

 

 

Mapping Run Results

 

Procedure:

  1. Validate that the mapping ran correctly.
  2. Click Close.

 

 

Exit from vCenter Configuration Manager

 

Procedure:

  1. Close the vCenter Configuration Manager interface by clicking the red 'x' button on the General Bar.
  2. Click OK to confirm you want to close the session.

 

Check Initial Compliance Status in vCenter Operations Manager


The standards compliance score in VCM contributes a compliance score to the Risk badge score in vCenter Operations Manager. If the Risk score indicates distress for the object, you can view the compliance breakdown to determine which of the noncompliant templates are contributing to the score and determine what action to take to resolve the noncompliant results.


 

Open Internet Explorer

 

Procedure:

  1. Double-click the Internet Explorer icon on the Control Center desktop.

 

 

Log In to vCenter Operations Manager

 

Procedure:

  1. Click vCenter Operations Manager in the favorites bar.
  2. Enter vcmadmin as the username.
  3. Enter VMware1! as the password.
  4. Click Login.

 

 

Expand the Virtual Infrastructure Hierarchy

 

Procedure:

  1. Click on World.
  2. Select vcsa-01a.
  3. Select Datacenter Site A.
  4. Select Cluster Site A.
  5. Select esx-02a.corp.local.
  6. Select base-w7-01a.

 

 

Check the OS-Level Compliance Status using the Compliance Breakdown

 

Note: It can take several minutes for the compliance badge to appear. This is due to possible high workload in the lab environment.

Overview: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance).

In this example, notice that the Windows 7 virtual machine (base-w7-01a) is reported non-compliant. Five conditions were evaluated and all of them failed. vCenter Operations calculated a score of 0 and set the color to Red to indicate this object needs remediation to become compliant.

Procedure:

  1. Select the virtual machine base-w7-01a.
  2. Select Planning.
  3. Select Views.
  4. Select Compliance.
  5. Observe the compliance information for virtual machine base-w7-01a.

 

 

Return to vCenter Configuration Manager to Resolve Compliance Issues

 

Procedure:

  1. Click on View Details in VCM to return to vCenter Configuration Manager (VCM).

Note: You may have to re-authenticate if you logged out of VCM.

Log into VCM with the following credentials:

 

Resolve Noncompliant Virtual Machine Template Results


The results for the compliance templates indicate whether the virtual or physical machines are compliant or noncompliant. If a machine is noncompliant, you can enforce the noncompliant results manually or using VCM, or you can add an exception for expected noncompliant results.

On the virtual machine scan, we found 5 items out of compliance for our base-w7-01a virtual machine.
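To make the template semantics concrete, here is an added example (not VCM's own code) that models a compliance run, enforcement and a re-run in Python; the five rule names, the collected values and the exception are constructed to mirror the base-w7-01a walkthrough in this lab.

```python
"""Model of how a VCM compliance template is evaluated, enforced and re-run.

Added example, not VCM's own code. Rule names, collected values and the
exception are constructed to mirror the lab: base-w7-01a fails all five
rules (score 0), four are enforced, one is excepted, and the re-run is 100.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str          # constructed rule name, not a real MSS rule id
    prop: str          # collected property the rule inspects
    expected: object   # value the rule requires
    enforceable: bool  # True if VCM can push the setting itself


@dataclass
class Machine:
    name: str
    props: dict = field(default_factory=dict)   # data collected by the agent


@dataclass
class RunResult:
    machine: str
    failed: list       # rule names whose criteria were not met
    excepted: list     # rule names skipped because an exception covers them
    score: int         # 0..100, the figure fed to the Risk badge

    @property
    def compliant(self) -> bool:
        return not self.failed


def run_template(rules, machine, exceptions=frozenset()):
    """Evaluate each rule against the collected data.

    A rule covered by an exception is not counted. The machine is flagged
    noncompliant if any counted rule fails; the score is the share of
    counted rules that passed.
    """
    failed, excepted, passed = [], [], 0
    for r in rules:
        if (machine.name, r.name) in exceptions:
            excepted.append(r.name)
            continue
        if machine.props.get(r.prop) == r.expected:
            passed += 1
        else:
            failed.append(r.name)
    counted = passed + len(failed)
    score = 100 if counted == 0 else round(100 * passed / counted)
    return RunResult(machine.name, failed, excepted, score)


def enforce(rules, machine, result):
    """Push the expected value for every enforceable failed rule (Enforce tab)."""
    by_name = {r.name: r for r in rules}
    enforced = []
    for name in result.failed:
        r = by_name[name]
        if r.enforceable:
            machine.props[r.prop] = r.expected
            enforced.append(name)
    return enforced


# Constructed template: five rules, four enforceable and one manual-only.
W7_HARDENING = [
    Rule("AuditPolicy-Logon", "audit_logon", "Success,Failure", True),
    Rule("Firewall-Enabled", "firewall", "on", True),
    Rule("AutoRun-Disabled", "autorun", 255, True),
    Rule("Guest-Disabled", "guest_account", "disabled", True),
    Rule("BIOS-Password", "bios_password", "set", False),
]


def lab_walkthrough():
    """Replay the lab: first run, enforce, re-run. Returns the three figures."""
    vm = Machine("base-w7-01a", {"audit_logon": "None", "firewall": "off",
                                 "autorun": 0, "guest_account": "enabled",
                                 "bios_password": "unset"})
    first = run_template(W7_HARDENING, vm)
    enforced = enforce(W7_HARDENING, vm, first)
    # VCM cannot push the BIOS setting; the lab leaves such items for manual
    # handling, modelled here as an exception so the re-run counts only the
    # rules VCM is responsible for.
    second = run_template(W7_HARDENING, vm,
                          exceptions={("base-w7-01a", "BIOS-Password")})
    return first.score, len(enforced), second.score


if __name__ == "__main__":
    print(lab_walkthrough())   # constructed data, so prints (0, 4, 100)
```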


 

Remediate Failed Compliance Rules that are Enforceable by vCenter Configuration Manager

 

Procedure:

  1. Click Compliance.
  2. Select Machine Group Compliance.
  3. Select Templates.
  4. Select the Microsoft MSS Windows 7 Hardening Template.
  5. (Click View Data Grid if necessary) Select the Enforce tab.

 

 

Enforcement Selection

 

Procedure:

  1. Select All Items in the Current Compliance Run.
  2. Click Next.

 

 

Review the Enforcement Summary

 

Notice that 5 items will be enforced by VCM. We will manually address the other non-compliant items later in this lab.

Procedure:

  1. Review the number of Selected Items and the number of Enforceable Items.
  2. Notice that 5 items will be enforced by vCenter Configuration Manager using 4 jobs.
  3. Click Finish to kick off the compliance remediation job.

 

 

Watch the Compliance Job Run

 

**Notice** It can take several minutes for this process to complete successfully.

Procedure:

  1. Click on the Jobs tab in the menu bar.
  2. You can refresh the job collection by clicking on the Refresh Icon.
  3. Or you can set the job to Auto-Refresh for you.
  4. Once the job is complete, Click Close.

 

 

View the Enforcement Results

 

Procedure:

  1. Click on the Windows 7 Template in the left pane.
  2. Click on the Run Template tab to refresh the compliance results.

 

 

Select Template Options

 

Procedure:

  1. Select the Do not enforce noncompliant results at this time radio button.
  2. Check the Check compliance alerts for this machine group check box.
  3. Click OK.

 

 

Compliance Run Results

 

Procedure:

  1. When the template is finished running, you should see "Your compliance run completed successfully" in the progress bar.
  2. Click on Close.

 

 

Review Results

 

Procedure:

  1. Click on the Microsoft MSS Windows 7 Hardening template in the console pane to refresh and review your results.
  2. The Compliance Results Report appears. The report includes the number of objects that are compliant and the number that are non-compliant. Notice that the Windows 7 virtual machine is showing up as Non-Compliant.
  3. To view the results in the data grid, click View data grid.

 

 

Run the Compliance Badge Mappings for vCenter Operations Manager

 

Procedure:

  1. Click Compliance.
  2. Select vCenter Operations Manager Badge Mappings.
  3. Select Mappings.
  4. Select the Microsoft Windows 7 Hardening mapping.
  5. Click Run.

 

 

Select Mapping Options

 

Procedure:

  1. Select the Check Compliance Alerts for this Machine Group check box.
  2. Click OK.

 

 

Mapping Run Results

 

Procedure:

  1. Validate that the mapping ran correctly.
  2. Click Close.

 

Validate Final Compliance Status in vCenter Operations Manager


Finally, we will go back into vCenter Operations Manager to make sure that the compliance badge is now matching the compliance status found in VCM.


 

Open Internet Explorer

 

Procedure:

  1. Double-click the Internet Explorer icon on the Control Center desktop.

 

 

Log In to vCenter Operations Manager

 

Procedure:

  1. Click vCenter Operations Manager in the favorites bar.
  2. Enter vcmadmin as the username.
  3. Enter VMware1! as the password.
  4. Click Login.

 

 

Expand the Virtual Infrastructure Hierarchy

 

Procedure:

  1. Click on World.
  2. Select vcsa-01a.
  3. Select Datacenter Site A.
  4. Select Cluster Site A.
  5. Select esx-02a.corp.local.
  6. Select base-w7-01a.

 

 

Compliance View

 

Note: It can take several minutes for the compliance badge to appear. This is due to possible high workload in the lab environment.

Review: vCenter Operations Manager provides a color-coded badge system, which ranges from a healthy green to a health degradation status depicted in a gradual or instantaneous transition to yellow, orange or red. Inside the badge, vCenter Operations Manager also presents a score, which might reflect the desired healthy state, a potential problem, or an imminent risk, depending on the badge being observed (health, risk, optimization, or compliance).

After performing remediation, notice that our Windows 7 virtual machine (base-w7-01a) is now green and reporting 100% compliance.

Procedure:

  1. Select the virtual machine base-w7-01a.
  2. Select Planning.
  3. Select Views.
  4. Select Compliance.
  5. Observe the compliance information for virtual machine base-w7-01a.

 

 

View Change Events Inside vCenter Operations Manager

 

You can also track events coming from vCenter Configuration Manager.

Procedure:

  1. Click Events.
  2. Click the Compliance shadow badge.
  3. Click the bullseye icon (to show self events).
  4. Click the small Compliance badge.
  5. Narrow the scope to the last hour by clicking on the Calendar icon.
  6. Change to Last Hour.
  7. Click the small blue arrow to apply the modifications.

 

 

Review the Filtered Events

 

Review the status of the virtual machine's compliance over time.

 

Module 2 - Policy-Based Network Security

Introduction


In this Module we will review how the NSX Distributed Firewall and Data Security can provide network security and compliance within the SDDC.

You are currently logged on the ControlCenter which can communicate with all of the Application VMs in the lab (db-w8-01a, app-l-01a and test-l-01a virtual machines). The lab virtual machines can communicate with each other because they reside on a single Layer 2 segment which is a violation of security policy at ABC Corporation. We will first verify connectivity between these virtual machines and then apply NSX distributed firewall policies to block specific communication. We will then apply Data Security policies to scan the datacenter for sensitive and unprotected data for PCI compliance check.


Verify Open Communication between Virtual Machines


In this section we will verify connectivity between ControlCenter and other Application VMs.


 

Test Remote Desktop Connection to the Production Database Server (db-w8-01a)

 

The first task is to test connectivity from the ControlCenter to our production database machine. Double-click the db-w8-01a.rdp link on the ControlCenter desktop.

 

 

Launch a Remote Session to the Database Server (db-w8-01a)

 

Login credentials:

User: CORP\Administrator

Password: VMware1!

 

 

Verify Open Connectivity to the Database Server (db-w8-01a)

 

Confirm that you are properly connected to the db-w8-01a virtual machine by checking the background information.

 

 

Disconnect the Remote Desktop Connection to db-w8-01a Server

 

Disconnect the Remote Desktop Connection by clicking the upper right X icon.

 

 

Test Connectivity to Production Web Server (app-l-01a)

 

  1. Launch Putty from the ControlCenter task bar and select the app-l-01a.corp.local saved session.
  2. Click Load.
  3. Click Open.

 

 

Login to app-l-01a server

 

Login credentials:

User: root
Password: VMware1!

 

 

Test connectivity from app-l-01a server to db-w8-01a server

 

  1. Run the command "ping db-w8-01a.corp.local -c 3 -q"
  2. Verify that there is connectivity.

 

 

Test connectivity from app-l-01a server to test-l-01a server

 

  1. Run the command "ping test-l-01a.corp.local -c 3 -q"
  2. Verify that there is connectivity.

Close the Putty session

 

 

Test Connectivity to Test Server (test-l-01a)

 

  1. Launch Putty from ControlCenter task bar and select the test-l-01a.corp.local saved session.
  2. Click Load.
  3. Click Open.

 

 

Login to test-l-01a server

 

Login credentials

User: root
Password: VMware1!

 

 

Test connectivity from test-l-01a server to db-w8-01a server

 

  1. Run the command "ping db-w8-01a.corp.local -c 3 -q"
  2. Verify that there is connectivity.

Close the Putty session.

 

 

Test Connectivity to the Lab Application

 

Launch the Firefox web browser located on the ControlCenter desktop.

Click on the Lab Application bookmark.

Verify that the sample web application is accessible via HTTP port 80.

The web server is hosted on app-l-01a, while the database server is on db-w8-01a virtual machine.

 

 

Network Connectivity Test Results

We were able to verify that:

The ControlCenter can open a remote desktop connection to the db-w8-01a virtual machine.

The ControlCenter can open SSH connections to app-l-01a and test-l-01a virtual machines.

Application virtual machines db-w8-01a and app-l-01a have IP connectivity to each other.

The test-l-01a virtual machine has IP connectivity to the application virtual machines (db-w8-01a and app-l-01a).

The sample Lab Application is reachable via ControlCenter.

 

Apply Network Security Policies via NSX Distributed Firewall.


Now that you have tested the reachability of the systems and witnessed the complete lack of security in the environment, we will implement security policies in VMware NSX to block connectivity that is not required.

To save time, the security policies have already been created in this lab; we will review these policies and make changes where needed.

In this lab we will use the VMware NSX Distributed Firewall, which is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vCenter objects like datacenters and clusters, virtual machine names and tags, network constructs like IP/VLAN/VXLAN addresses, as well as user group identity from Active Directory. Firewall rules are enforced at the vNIC level of each virtual machine to provide consistent access control even when the virtual machine gets vMotioned. The hypervisor-embedded nature of the firewall delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts are added to a datacenter.


 

Access NSX Manager.

In this section we will access the NSX Manager UI and view the pre-created security policies.

 

 

Login to vCenter Web Client

 

Launch the Firefox browser application from the ControlCenter desktop.

The browser is configured to launch the vCenter Web Client, if it does not launch then please select it from the bookmark.

Login credentials:

User: CORP\Administrator

Password: VMware1!

(Note: Selecting "Use Windows Session Authentication" will also log you in)

 

 

Access the Networking and Security Section

 

Click on Networking and Security

 

 

Access the Distributed Firewall Rules

 

  1. Click on the Firewall section in the left pane.
  2. Expand the firewall policy by clicking on Lab Application Policy and on Default Section Layer3.

 

 

Analyse Distributed Firewall Policy - L3 and L4

 

In this section we will analyse all the firewall policies that have been created. As you can see, all the policies have been set to "Allow"; we will change the appropriate policies to "Deny".

 

 

Firewall Rule - Allow HTTP Access to WebServers

 

In this policy we have configured the distributed firewall to permit HTTP connections from any source to servers in the WebServer-SecurityGroup.

The security group called WebServer-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server app-l-01a.corp.local.

Click on the "x" to close the Security Group pop-up window.

 

 

Firewall Rule - Allow Web to Database Access

 

In this policy we have configured the distributed firewall to permit communication between the WebServer-SecurityGroup and the Database-SecurityGroup.

The security group Database-SecurityGroup has been pre-created in the lab. Click on it and you will see that it contains the server db-w8-01a.corp.local.

Click on the "x" to close the Security Group pop-up window.

 

 

Firewall Rule - Allow ControlCenter SSH Access

 

In this policy we have configured the distributed firewall to permit SSH communication to app-l-01a.corp.local, db-w8-01a.corp.local and test-l-01a.corp.local servers from the ControlCenter.

Click on the ControlCenter link to view the configured IP 192.168.110.10.

Click on the "x" to close the pop-up window.

 

 

Firewall Rule - DNS and AD domain access

 

In this policy we have configured the application servers and the test-l-01a server to communicate with the ControlCenter for DNS and Active Directory Services.

The Microsoft Active Directory service is pre-defined in NSX, so it's easy to select and deploy.

Click on the "x" to close the pop-up window.

 

 

Firewall Rule - Allow vCM to Test Servers

 

In this policy we have configured the vCenter Configuration Manager (192.168.110.77) to communicate with the test-l-01a server and the Windows 7 VM base-w7-01a (we will use this virtual machine later in the lab to show how Configuration Manager can be used to patch the operating systems for compliance).

Click on the "x" to close the pop-up window.

 

 

Firewall Rule - Allow Test Servers to vCM

 

In this policy we have configured the Test Servers (test-l-01a and base-w7-01a) to initiate communication to the vCM server.

Click on the TestServer-SecurityGroup (which has been pre-created) to view its membership.

Click on the "x" to close the Security Group pop-up window.

 

 

Firewall Rule - Default Rule

 

We have configured the NSX distributed firewall to Allow all traffic as the default policy; we will now change this policy to Block all traffic.

Click on the small + sign next to Allow.

Change the Action to Block.

Click OK.

Since the security policy has been changed, we will need to Publish these changes.

Click on Publish Changes.

 

 

Analyse Distributed Firewall Policy - L2

 

Click on Firewall, then on Ethernet.

Expand the rules in the Default Layer 2 Rule Section.

 

 

Ethernet Rule - Block access from Application servers to Test Servers

 

  1. This is the first firewall rule in the list. You will notice that at the moment it has been configured to allow connectivity between the Application servers and the Test Servers, which is not the desired state.
  2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
  3. Click OK and proceed to the next rule.

 

 

Ethernet Rule - Block access from Test Servers to Application Servers

 

  1. You will notice that at the moment it has been configured to allow connectivity between the Test servers and Application Servers, which is not the desired state.
  2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
  3. Click OK and proceed to the next rule.

Note: The first 2 rules have been explicitly set up to block communication between the App and Test servers because the default L2 policy will be to allow communication between all other end points.

 

 

Ethernet Rule - Block communication between database servers in the same tier.

 

In this lab only one database server is used; in production environments there could be many provisioned, and a rule like this one can be used to block communication between the servers in the same tier.

  1. Currently this rule is set to Allow communication, which is not desired.
  2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
  3. Click OK and proceed to the next step.

 

 

 

Ethernet Rule - Block communication between Web servers in the same tier.

 

In this lab only one web server is used; in production environments there could be many provisioned, and a rule like this one can be used to block communication between the servers in the same tier.

  1. Currently this rule is set to Allow communication, which is not desired.
  2. Click on the small "+" sign next to the "Allow" action to change it to "Block" as shown in the step.
  3. Click OK.

Notice that all the rule changes have to be published. Click on Publish Changes as shown.

 

 

Ethernet Default Rule

 

Note that the default Ethernet Rule is set to Allow all other communication in the virtualized environment. This is the desired state.

 

Test Applied Network and Security Policies


In the previous section we analysed the NSX distributed firewall security policies and made changes so as to only permit certain traffic and block the rest.

In this section we will verify how the micro-segmentation security capabilities of NSX distributed firewall can be used to effectively isolate virtual machine traffic even on a shared Layer 2 segment.


 

Verify Connectivity from ControlCenter

We will first verify access to db-w8-01a, app-l-01a and test-l-01a virtual machines from the ControlCenter.

 

 

Launch Remote Desktop Connection to Database Server

 

Locate and launch the remote desktop connection link to db-w8-01a from the ControlCenter desktop.

Since the firewall policy only allowed SSH access to the database server, the RDP connection is denied.

 

 

Launch SSH connection to Test server

 

Locate and launch the Putty application from the ControlCenter taskbar.

  1. Select test-l-01a.corp.local
  2. Click Load
  3. Click Open.

Access is granted since the security policy allows SSH access from the ControlCenter.

Login Credentials:

User: root
Password: VMware1!

Test connectivity between Test Server and Application Servers.

In the previous section we configured the firewall policy to block communication between the test-l-01a server and the application servers (db-w8-01a and app-l-01a).

  1. Run ping db-w8-01a.corp.local -c 3 -q. You will notice 100% packet loss.
  2. Run ping app-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.

In both cases you will notice that DNS resolution is still possible via the ControlCenter; only the ICMP traffic to the database and application servers is blocked.

Close the Putty session.

Test connectivity between Application Servers and Test Server.

In the previous section we configured the firewall policy to allow communication from the web server app-l-01a to the database server db-w8-01a while blocking communication to the test server test-l-01a.

Locate and launch the Putty application from the ControlCenter taskbar.

Launch a SSH session to app-l-01a.corp.local server.

Login Credentials:

User: root / Password: VMware1!

  1. Run ping db-w8-01a.corp.local -c 3 -q. It will report 100% packet loss because in the previous section we only allowed MySQL traffic on port 3306 from the web servers to the database server.
  2. Run ping test-l-01a.corp.local -c 3 -q. You will notice 100% packet loss.

In both cases you will notice that DNS resolution is still possible via the ControlCenter.
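The manual pings above can be turned into a repeatable check of the micro-segmentation policy. The following script is an added example, not part of the lab guide: EXPECTED is this example's own encoding of the allow/block results the lab describes, live_probe and verify_policy are its own helpers, and it assumes a Linux ping that accepts -W. Run it on each source VM and it reports any probe whose outcome differs from the expected policy.

```python
import socket
import subprocess
from typing import Callable, Dict, List, Tuple

# Expected outcome of the DFW rules configured in this module, as the lab text
# describes them: (source VM, destination VM, service) -> True when allowed.
EXPECTED: Dict[Tuple[str, str, str], bool] = {
    ("test-l-01a", "db-w8-01a", "icmp"): False,
    ("test-l-01a", "app-l-01a", "icmp"): False,
    ("app-l-01a", "db-w8-01a", "icmp"): False,
    ("app-l-01a", "db-w8-01a", "tcp/3306"): True,  # MySQL is the only allowed path
    ("app-l-01a", "test-l-01a", "icmp"): False,
}

# A probe answers "is (destination, service) reachable from here?"
Probe = Callable[[str, str], bool]


def live_probe(dst: str, service: str, timeout: int = 2) -> bool:
    """Probe from the VM this runs on: ICMP via ping, TCP via a connect()."""
    host = f"{dst}.corp.local"
    if service == "icmp":
        # Same invocation as the lab steps, plus a per-reply timeout (-W).
        rc = subprocess.call(["ping", "-c", "3", "-q", "-W", str(timeout), host],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return rc == 0
    port = int(service.split("/", 1)[1])
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_policy(source: str, expected: Dict[Tuple[str, str, str], bool],
                  probe: Probe = live_probe) -> List[str]:
    """Run every probe that originates at `source`; return drift findings."""
    findings = []
    for (src, dst, service), allowed in expected.items():
        if src != source:
            continue
        reachable = probe(dst, service)
        if reachable != allowed:
            findings.append(f"{src} -> {dst} {service}: policy says "
                            f"{'allow' if allowed else 'block'}, observed "
                            f"{'reachable' if reachable else 'blocked'}")
    return findings


if __name__ == "__main__":
    for line in verify_policy(socket.gethostname().split(".")[0], EXPECTED):
        print("DRIFT:", line)
```

An empty result means every probe matched the policy; any line printed is a rule that is missing, unpublished or broader than intended.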

Apply a Data Security Policy to Scan for Unprotected and Sensitive Data


NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by NSX Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

To begin using NSX Data Security, you create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. NSX supports PCI, PHI, and PII related regulations only.

Data Security Policy for Database Servers

In this lab, the database server db-w8-01a.corp.local stores some sensitive and unprotected credit card information, which makes it non-PCI-compliant.

We will first review the configuration for Data Security in NSX that has been pre-configured to scan for credit card number violations. In the next step we will run the Data Security scan to review these violations.

Access NSX Configuration

Launch the Firefox web browser and click on the vCenter Web Client bookmark.

Login Credentials:

  1. User: CORP\Administrator
  2. Password: VMware1!
  3. Click OK
  4. Click Networking and Security to access NSX configuration.

Access Service Composer Security Policy

  1. Click Service Composer.
  2. Click Security Policies.
  3. Select the Database-SecurityGroup Security Policy.
  4. Click the number displayed in the Applied To column. Notice that this security policy has been applied to the database server db-w8-01a.corp.local in the Database-SecurityGroup. Click on the x to close this pop-up window.
  5. Click on the number displayed in the Endpoint Service column. Notice that the VMware Data Security Service has been applied for PCI Compliance check, also notice that this policy has not been set to automatically enforce since we will be running the scan manually in the next step. Click on the x to close this pop-up window.

Run Data Security Scan

  1. Click the Data Security section.
  2. Click Manage.

Click Edit.

Select Data Security Regulation and Standards

  1. Click Select Regulations
  2. Click All. This will list all the available content blades for NSX regulations
  3. In the search bar type "Credit" and hit Enter
  4. Select the Credit Card Numbers content blade
  5. Click Next.
  6. Click Finish.

Once you select the regulations that you want your company data to comply with, NSX can identify files that contain information which violates these particular regulations.

Start Data Security Scan

Before we start the security scan we will need to Publish the changes.

  1. Click Publish Changes. Notice that the scan for the Credit Card Number regulation has been enabled and the system has been set to monitor various file types.
  2. Click Start.
  3. Click Monitor.

Monitor Data Security Scan

  1. Remain on the Monitor tab.
  2. Click Dashboard. The security scan will take approximately 3 minutes to complete.
  3. Click the Refresh button on the right to view progress. Once completed, notice that the db-w8-01a server has been reported to have the violation.
  4. Click on Reports, to view the violation details.

View Reports from the Data Security Scan

Select Reports.

Select Violating Files in the View Report menu.

Notice that there are 2 files identified on db-w8-01a database server that are non-compliant with Credit Card Number PCI regulation.

The data security administrator can now take corrective actions to protect sensitive data so that the application is compliant with related regulations.
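The Credit Card Numbers content blade selected earlier and the Violating Files report above rest on the same idea: find digit runs of card-number length in file content, keep only those that pass the Luhn checksum so arbitrary digit strings are not reported, and count violations per file. The scanner below is an added illustration of that core check, not NSX code; the file paths, their contents (using well-known test card numbers) and the helper names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample "files" standing in for the scanned VM's file system.
# 4111111111111111 and 5500000000000004 are well-known test numbers that pass
# the Luhn check; the 16-digit run in orders.txt fails it and is not a PAN.
SAMPLE_FILES: Dict[str, str] = {
    "C:/data/customers.csv": "name,card\nAlice,4111 1111 1111 1111\n",
    "C:/data/orders.txt": "order 1234567890123456 shipped\n",
    "C:/data/readme.txt": "No sensitive data here.\n",
    "C:/data/backup.sql": "INSERT INTO cards VALUES ('5500-0000-0000-0004');\n",
}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalized PANs in text that look like card numbers and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_files(files: Dict[str, str]) -> Dict[str, int]:
    """Map each violating file path to the number of card numbers it holds."""
    return {path: len(hits) for path, content in files.items()
            if (hits := find_card_numbers(content))}


def mask(pan: str) -> str:
    """Render a PAN for a report: keep only the first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for path, count in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {count} credit card number(s)")
```

Reports should carry only masked values such as mask() produces, so the violation report itself does not become a second copy of the sensitive data.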

Module Summary


In this module we showcased how to leverage NSX Distributed Firewall (DFW) services to apply policies that provide network micro-segmentation between workloads, as well as to prevent unauthorized access to controlled machines. We also saw how NSX Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-SDC-1415

Version: 20150227-055939