VMware NSX Micro-Segmentation Only Deployment

Reading Time: 7 minutes

When we talk about VMware NSX (formerly VMware NSX-T Data Center), most of us think about abstracting management of the network away from the physical fabric thanks to NSX’s magic sauce and overlay networking capability via Geneve encapsulation. However, overlay networking isn’t always the primary use case, with a high volume of customers only opting for micro-segmentation only.

Some customers, for example, are quite happy to allow management of the network, as well as their physical gateways, to remain within the physical stack. Perhaps their organisation already has an alternative software-defined networking product in play or they simply don’t make that many changes within their network. So, how then, can customers use micro-segmentation via the NSX Distributed Firewall (DFW)? Simply put, by utilising currently existing vSphere environments and VDSs in conjunction with the NSX DFW.

Continue reading → VMware NSX Micro-Segmentation Only Deployment

Securing Physical Workloads via the VMware NSX-T Gateway Firewall and Service Interface

Reading Time: 5 minutes

Where the NSX-T Distributed Firewall (DFW) provides stateful protection to workloads at the vNIC level from within for micro-segmentation of east-west traffic, the Gateway Firewall (GFW) provides centralised stateful protection of north-south traffic for perimeter firewalling. Depending on the use case, the GFW might secure traffic between physical and virtual servers, physical to physical servers, and within multi-tenant environments, DMZ’s or could be utilised for, for example, PCI compliance.

The GFW can be implemented per Gateway and is supported on both Tier-0 and Tier-1 Gateways. The GFW is also independent of the NSX-T DFW as it holds its own configuration and enforcement policies. Excitingly, we can also leverage the GFW to secure physical workloads housed on VLAN-backed networks via the Service Interface. This is particularly useful where customers are unable to utilise the VMware NSX-T Kernel Agent (think proprietary appliances/servers).

In this article, we take a look at the process of securing physical server workloads housed on VLAN-backed networks.

Continue reading → Securing Physical Workloads via the VMware NSX-T Gateway Firewall and Service Interface

VMware NSX-T Micro-Segmentation via vRealize Log Insight

Reading Time: 6 minutes

I work with a lot of customers to design and deploy secure, zero-trust environments utilising VMware NSX-T Data Center and, specifically, by using its Distributed Firewall (DFW). I’ve also spoken at several VMUGs where I’ve discussed the realities of micro-segmentation using both NSX for vSphere (NSX-v) and NSX-T and the tools that can be utilised to aid in the identification of application dependencies, traffic flows, services, etc.

I also understand that not all customers are able to utilise some of the more advanced VMware toolings such as NSX Intelligence and vRealize Network Insight, however, there is another tool that we can use to identify our application dependencies and, best of all, if you’re a licensed NSX-T customer, you’re also licensed for…vRealize Log Insight (vRLI).

In this article, we explore how we can utilise vRLI to identify and visualise application traffic flows so that we can more effectively secure our applications.

Continue reading → VMware NSX-T Micro-Segmentation via vRealize Log Insight

Securing Workloads on Bare-Metal Windows Servers via the VMware NSX-T Agent (Kernel Module)

Reading Time: 6 minutes

Software-defined data centres, software-defined networks, software-defined storage – they are all great, aren’t they? They enable us to abstract software-defined-X from the physical and allows us to scale at speed via automation. However, physical servers, the elephant in the room, still exist, and they likely will for some time.

So then, can we integrate physical devices into a software-defined world? Yes. But, NSX-T micro-segmentation is only available to virtual machines, right? No. By using the VMware NSX-T Agent/kernel module, we can provide connectivity to bare-metal workloads and enable them to participate and leverage the same security functions as those enjoyed by virtual machines.

In this article, we deploy the NSX-T Agent to a Windows Server 2019 webserver hosting IIS and secure the physical, bare-metal server utilising the NSX-T Distributed Firewall (DFW).

Continue reading → Securing Workloads on Bare-Metal Windows Servers via the VMware NSX-T Agent (Kernel Module)

London VMUG - LonVMUG

London VMUG – 15th July 2021

Reading Time: < 1 minute

Earlier this month, I was honoured to have been able to present at the London VMware User Group. My session focussed on a discussion and demonstration around how we can leverage VMware vRealize Network Insight (vRNI) to visualise applications, their dependencies, and their application traffic flows to effectively micro-segment an application using the VMware NSX-T Distributed Firewall (DFW).

Continue reading → London VMUG – 15th July 2021

BANNER-vGareth Lewis-VMware-vRealize-Network-Insight-vRNI-On-Prem-Install-and-Configure

VMware vRealize Network Insight (vRNI) – Part 6 – Importing Recommended Firewall Rules into NSX-T via Python Script

Reading Time: 5 minutes

As the holiday season is almost upon us (just two days), why not finish with one final article in my vRNI series and an article that will likely finalise my blog posts for the year.

In my previous article (VMware vRealize Network Insight (vRNI) – Part 5 – Data Flow Analysis & Micro-Segmentation), we analysed collected data flows in vRNI to manually micro-segment an application utilising the VMware NSX-T Distributed Firewall (DFW). However, what if we want to automate this process? After all, applications that require a small number of firewall rules (such as the application used in the previous article) are rare.

This article looks at Martijn Smit‘s great script, which imports vRNI recommended firewall rules into VMware NSX-T Data Center via a Python script.

Continue reading → VMware vRealize Network Insight (vRNI) – Part 6 – Importing Recommended Firewall Rules into NSX-T via Python Script

BANNER-vGareth Lewis-VMware-vRealize-Network-Insight-vRNI-On-Prem-Install-and-Configure

VMware vRealize Network Insight (vRNI) – Part 5 – Data Flow Analysis & Micro-Segmentation

Reading Time: 6 minutes

In the previous articles of this series, we covered the installation (VMware vRealize Network Insight (vRNI) – Part 1 – Installation) and configuration (VMware vRealize Network Insight (vRNI) – Part 2 – Configuration) of vRealize Network Insight, before integrating vRNI with Microsoft Active Directory via LDAP (VMware vRealize Network Insight (vRNI) – Part 3 – Identity & Access Management via LDAP).

In the most recent article (VMware vRealize Network Insight (vRNI) – Part 4 – Application Discovery), we delved into application discovery. We defined four applications via several options – manual creation of an application, as well as automated discovery based on vSphere Tags/Custom Attributes and VM naming conventions.

In this final article of the series, we will explore and analyse the collected data flows of one of the previously defined applications. The goal here is to identify all valid traffic flows required to secure the application utilising the NSX-T Distributed Firewall (DFW). My friends, today we look at micro-segmentation.

Continue reading → VMware vRealize Network Insight (vRNI) – Part 5 – Data Flow Analysis & Micro-Segmentation

BANNER-vGareth Lewis-VMware-vRealize-Network-Insight-vRNI-On-Prem-Install-and-Configure

VMware vRealize Network Insight (vRNI) – Part 4 – Application Discovery

Reading Time: 9 minutes

In the previous articles in this series, we covered the installation (VMware vRealize Network Insight (vRNI) – Part 1 – Installation) and configuration (VMware vRealize Network Insight (vRNI) – Part 2 – Configuration) of vRealize Network Insight, before integrating vRNI with Microsoft Active Directory via LDAP (VMware vRealize Network Insight (vRNI) – Part 3 – Identity & Access Management via LDAP).

In this article, we will dive a little deeper and begin looking at how we can define our applications and, in Part 5 (VMware vRealize Network Insight (vRNI) – Part 5 – Data Flow Analysis & Micro-Segmentation), begin analysing the collected data flows to implement micro-segmentation via the NSX-T Distributed Firewall.

Continue reading → VMware vRealize Network Insight (vRNI) – Part 4 – Application Discovery

20190320 VMUG Presentation Welcome Slide

South West UK VMUG – March 2019 – VMware NSX and Micro-Segmentation from the Field

Reading Time: 3 minutes

That was a blast! On Wednesday 20th March I had the pleasure of speaking at the South West UK VMUG, held at the Bristol and Bath Science Park. My biggest thanks to VMUG Leaders Jeremy Bowman, Simon Eady, Barry Coombs, and Megan Warren for such a great opportunity, and to all who attended my session. This was my first time speaking at a VMUG, and despite the nerves, I really enjoyed it.

Focusing on VMware NSX Data Centre for vSphere and, more specifically, the micro-segmentation of applications with the aid of the NSX Application Rule Manager (based around my previous article). I opted not to perform a live demo during my very first speaking slot, but instead produced a live recording, for which I walked the group through how to utilise the NSX Application Rule Manager to identify application dependencies, endpoints, and service/ports/protocols when implementing a zero-trust environment.

Continue reading → South West UK VMUG – March 2019 – VMware NSX and Micro-Segmentation from the Field

VMware NSX Data Centre – Application Rule Manager

Reading Time: 7 minutes

With the release of VMware NSX 6.3.0 back in February 2017, we saw the introduction of the Application Rule Manager (ARM). The Application Rule Manager allows us to a) simplify the process of creating grouping objects and distributed firewall rules for the micro-segmentation of existing workloads, and b) deploy applications within a zero-trust environment with greater speed and efficiency.

Continue reading → VMware NSX Data Centre – Application Rule Manager