How to Get Firewall Rule Recommendation in the Virtual Network Environment

This article was originally posted on my personal blog.

What is Happening?

Firewalls that protect the enterprise network play a crucial role as the first line of defense. The people who administer them carry a lot of responsibility: making sure that only the right kind of traffic gets through, when it should, and keeping the bad traffic out. The stakes are high, with little room for error. Imagine a castle with four big walls on its perimeter. In a traditional enterprise IT environment, the data center looks like that castle. In the modern enterprise network, a distributed data center blurs the perimeter and makes it hard to define.

Managing firewall rules is a daunting task, especially across multiple firewall appliances. More often than not, you have to manage redundant or duplicate rules spread over several appliances. Another challenge the firewall administrator faces is keeping the rule table effective. Deleting a firewall rule carries risks, such as breaking application access and communication, so the process requires thorough analysis and testing.

Microsegmentation causes an explosion of firewall rules, as you have to create a rule for each vNIC in each virtual machine. This increases the workload of the security team that manages the firewalls, and the administrator has to deal with a new way of working with object groups and security tagging. The load declines in the later phase, once the administrator has created the security groups and other objects. The situation is depicted in the diagram below.

The time your organization takes to saturate the new firewall rule model impacts security operations: the longer it takes, the worse the effect. Adding new firewall rules also involves application testing, so the longer the project drags on, the longer the firewall operations team has to bear the load.

Can we do something to shorten the time required to saturate the firewall rules? This affects not only the day-to-day operation of the firewall team but also whether firewall rule hygiene can be kept to the highest possible standard.

Automate the Frequent Processes

To create effective and accurate firewall rules, a few data points need to be captured. The first comes from the application architect: when an application is designed, a set of communication protocols is defined in the architecture. This communication has to be secured in multiple ways, and a firewall rule is the basic protection. The second data point comes from the real flows of that particular application. Once the application is implemented, the system has to monitor the application's communication behavior continuously and check that it adheres to the intended design.

NSX Intelligence is a distributed analytics engine that provides continuous, data-center-wide visibility for network and application security teams, helping deliver a more granular and dynamic security posture, simplify compliance analysis, and streamline security operations. NSX Intelligence helps automate the collection of data points from the real flows of a particular application, provides insight, and produces actionable tasks to actively secure the communication flow.

Traditional approaches send extensive packet data to analytics engines for analysis. This increases not only the cost but also the operational complexity, and it requires a lot of centralized processing power. In contrast, NSX Intelligence is built natively into the NSX platform, with the distributed analytics running within the hypervisor on each host.

NSX sits at a strategic location in the environment: far enough from the workload that you can isolate policy enforcement from the application, but close enough to get contextual information from it. All the network traffic passing through the NSX platform carries useful information, such as who the user is and what protocol is used. By collecting this information over a period of time, we can gain insight into how the application behaves, benchmark its performance over time, and map its dependencies. All of this is done without copying packets out of the fabric, which makes it a unique solution in the market for network and security analytics.

NSX Intelligence Setup

Installing NSX Intelligence is straightforward. The complete guide can be found here.

The first step is to download the bundle and unpack the tar file. The unpacked files then have to be placed on a web server. I have used a few web servers, but I can only make it work using the Nginx web server on a Linux platform.
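Before the unpacked files go onto the web server, it is worth confirming that the bundle is intact, since the appliance will be deployed straight from that URL. The following Python script is an added example, not code from the article or from the NSX documentation. It assumes the standard OVF manifest layout, one `ALGO(filename)= hexdigest` line per file in the `.mf` file, and it builds a throwaway sample bundle with constructed file names and contents so it runs offline; point `verify_manifest` at a real unpacked directory to use it for a downloaded bundle.

```python
"""Added example (not from the article or from VMware): verify an unpacked
OVF bundle against its manifest before serving it over HTTP.
Assumption: OVF manifests (.mf) carry one line per file of the form
"SHA256(name)= hexdigest" (older bundles use SHA1). The bundle built by
build_sample_bundle() is constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# One manifest line: algorithm, file name, hex digest.
LINE_RE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def verify_manifest(bundle_dir, manifest_name):
    """Return {filename: True/False} for every file listed in the manifest.
    A file is False when it is missing or its digest does not match."""
    results = {}
    with open(os.path.join(bundle_dir, manifest_name)) as mf:
        for raw in mf:
            line = raw.strip()
            if not line:
                continue
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable manifest line: {line!r}")
            algo, name, expected = m.groups()
            path = os.path.join(bundle_dir, name)
            if not os.path.isfile(path):
                results[name] = False
                continue
            h = hashlib.new(algo.lower())
            with open(path, "rb") as fh:
                # Stream in 1 MiB chunks; disk images are large.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            results[name] = h.hexdigest().lower() == expected.lower()
    return results


def build_sample_bundle(tamper=False):
    """Construct a throwaway bundle with a valid manifest (constructed data).
    With tamper=True the disk file is altered after the manifest was written,
    which is what a corrupted or modified download would look like."""
    d = tempfile.mkdtemp()
    files = {
        "appliance.ovf": b"<Envelope/>",
        "appliance-disk1.vmdk": b"KDMV" + b"\0" * 64,
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    with open(os.path.join(d, "appliance.mf"), "w") as mf:
        for name, data in files.items():
            mf.write(f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n")
    if tamper:
        with open(os.path.join(d, "appliance-disk1.vmdk"), "ab") as fh:
            fh.write(b"x")
    return d


if __name__ == "__main__":
    for tamper in (False, True):
        report = verify_manifest(build_sample_bundle(tamper), "appliance.mf")
        print("tampered" if tamper else "intact", report)
```

Only copy the directory to the Nginx document root when every entry in the report is `True`; a single `False` means the file the appliance wizard will fetch is not the one the vendor published.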

In NSX Manager, navigate to System > Appliances and click Add NSX Intelligence Appliance. This will start the appliance deployment wizard:

Enter the URL of the OVF file and the network configuration. I deployed a small appliance in my lab environment. A large appliance is recommended for a production environment.

In the next step, I configure the Compute Manager (vCenter) details for the virtual appliance:

Configure the appliance credentials in the final step:

Click on Install Appliance to start the installation. You can grab a coffee while waiting for the installation to finish.

You can monitor the appliance utilization under System > Appliances.

Traffic Flow Visualization

The NSX Intelligence UI is integrated into the NSX Manager UI. It can be found under Plan & Troubleshoot > Discover & Take Action.

Each bubble in the UI represents an object group, and its color represents the protection status of the flows. Red means no security policy protects the flow; green means a firewall rule protects it. Since this is a new lab setup, I didn't have any rules in it yet.

Policy Recommendation

One of the most powerful features is recommending a firewall policy to be enforced. NSX Intelligence collects flow metrics over time, and from that information it can recommend which rules need to be installed. Click the magic wand icon to start a recommendation.
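To make the two ideas above concrete, the red/green protection status of the flow visualization and the rule recommendation derived from collected flows, here is a small Python model of that workflow. It is an added example, not code from the article and not how NSX Intelligence is implemented. The VM-to-group mapping, the flow records and the byte threshold are constructed for the demonstration: flows are aggregated per (source group, destination group, protocol, port) into candidate allow rules, and each flow is then colored green or red depending on whether a rule covers it.

```python
"""Added example, not part of the original article and not NSX code: a toy
version of flow-based rule recommendation. Observed flows are aggregated
per (source group, destination group, protocol, port) into recommended
allow rules, and each flow is then classified as protected (green) or
unprotected (red) against a given rule set. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str       # "TCP" or "UDP"
    dst_port: int
    byte_count: int


@dataclass(frozen=True, order=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str
    dst_port: int
    action: str = "ALLOW"


# Constructed VM-to-group membership (the object groups shown as bubbles).
GROUPS = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}

# Constructed flow records, as a collector would aggregate them over time.
FLOWS = [
    Flow("web-01", "app-01", "TCP", 8080, 12_000),
    Flow("web-02", "app-01", "TCP", 8080, 9_000),
    Flow("app-01", "db-01", "TCP", 5432, 30_000),
    Flow("web-01", "db-01", "TCP", 5432, 200),   # low-volume direct web->db path
]


def group_of(vm: str) -> str:
    """Map a VM to its object group; unknown VMs land in their own bucket."""
    return GROUPS.get(vm, "ungrouped")


def flow_key(f: Flow):
    """The tuple a rule is written against: groups, not individual VMs."""
    return (group_of(f.src_vm), group_of(f.dst_vm), f.proto, f.dst_port)


def recommend_rules(flows, min_bytes=1_000):
    """One allow rule per (src group, dst group, proto, port) seen in the flows.
    Tuples whose total volume is below min_bytes are left out, so a single
    stray connection does not silently become a permanent allow rule; those
    flows are surfaced by unprotected() for review instead."""
    totals = defaultdict(int)
    for f in flows:
        totals[flow_key(f)] += f.byte_count
    return sorted(Rule(*key) for key, total in totals.items() if total >= min_bytes)


def classify(flows, rules):
    """Return {flow: 'green' | 'red'}: green when an allow rule covers the flow,
    red when none does (the colour scheme of the flow visualisation)."""
    allowed = {(r.src_group, r.dst_group, r.proto, r.dst_port)
               for r in rules if r.action == "ALLOW"}
    return {f: ("green" if flow_key(f) in allowed else "red") for f in flows}


def unprotected(flows, rules):
    """Flows still red after applying the rules: review these before publishing."""
    return [f for f, colour in classify(flows, rules).items() if colour == "red"]


if __name__ == "__main__":
    rules = recommend_rules(FLOWS)
    for r in rules:
        print("recommended:", r)
    for f in unprotected(FLOWS, rules):
        print("still unprotected:", f)
```

With the constructed data, two rules come out (web to app on TCP/8080 and app to db on TCP/5432) and the 200-byte web-to-db flow stays red. That is the point of the review step before publishing: a low-volume, unexpected path should be explained, not turned into an allow rule just because it was observed.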

I want to create a policy for the OpenShift cluster I created earlier. I can choose the VMs to include in this recommendation:

It takes some time for NSX Intelligence to collect the relevant metrics; once it is ready, the status changes to Ready to Publish:

Take a look at the recommendation, and here is the magic:

We can adjust the group membership, give each group a proper name (instead of the default), and then arrange the rules as we wish:

I also adjusted the groups to:

Once I was satisfied with the policy and groups, I put the policy in the correct section:

Click Publish to commit the firewall rules.

Distributed Firewall Policy

After a few seconds, the firewall policy is installed in the Distributed Firewall section and enforced.

Summary

NSX Intelligence opens up new possibilities for how you operate networking and security in the data center. It helps the security operations team accelerate the journey to a zero-trust environment by recommending and applying security policy.

The Virtual Cloud Network is the ultimate destination for customers, supported by NSX-T to enable consistent networking and intrinsic security for workloads of any type (VM, container, bare metal) in any location (data center, cloud, edge).
