How to Get Firewall Rule Recommendation in the Virtual Network Environment

This article originally posted in my Personal Blog

What is Happening?

Firewalls that protect enterprise network plays a crucial role in the first line of defense. The people who administer these firewalls have much responsibility in making sure that only the right kind of traffic gets through when it should and separate from the bad one. The stakes are high, with little room for error. Imagine a castle which has 4 big walls on the perimeter. In a traditional enterprise IT environment, a data center looks like a castle. In the modern enterprise network, a distributed data center makes the perimeter more seamless and hard to define.

Managing Firewall rules is a daunting task, especially dealing with multiple firewall appliances. For more often than not, you have to manage redundant rules or duplicates across multiple appliances. Another challenge that the firewall administrator facing is how to keep the rule table effective. Deleting firewall rule imposed risks such as application access and communications, hence this process requires thorough analysis and testing.

Microsegmentation causes an explosion of Firewall rules, as you have to create a rule for each vNIC in each Virtual Machine. This situation increases the number of tasks for the security team that manages firewalls. The firewall administrator has to deal with new way of object group and security tagging. It declines in the later phase as firewall administrator has created security groups and other objects. The situation depicted in the diagram below.

The time your organization takes to saturate the new firewall rule model is impacting the security operation. The longer it takes, the worsts the effect. The process of adding new firewall rules also involved an application test. So the longer the project dragged, the longer the firewall operation team has to bear the load.

Can we do something to shorten the time required to saturate the firewall rules? It does not only affect the day-to-day operation of the firewall team but also maintains the firewall rules hygiene in the highest standard possible.

Automate the Frequent Processes

In order to create effective and accurate firewall rules, there are few data points need to be captured. The first data points come from an application architect. When an application architect designs an application, there are sets of communication protocol defined in the architecture. This communication has to be secured in multiple ways, a firewall rule is basic protection. The second data points come from the real flow of that particular application. When the application is implemented, the system has to constantly monitor the behavior of the application communication and adhere to the intended system design.

NSX Intelligence is a distributed analytics engine that provides continuous data-center wide visibility for network and application security teams, helping deliver a more granular and dynamic security posture, simplify compliance analysis, and streamline security operations. NSX Intelligence helps to automate the collection of data points from the real flow of a particular application, provides insight, and actionable tasks to actively secure the communication flow.

Traditional approaches involve sending extensive packet data into analytic engines for analysis. This approach increases not only the cost but also the operational complexity and requires high centralized processing power. In contrast, NSX Intelligence built natively within NSX platform with the distributed analytics platform within the hypervisor on each host.

NSX sits on a strategic location in the environment. It is far enough from the workload so you can isolate the policy enforcement from the application, but it is close enough to get contextual information from the application. All the network traffic passing through NSX platform contains useful information such as who the user is and what kind of protocol used. By collecting this information along a certain period, we can get insight into how the application behaves, benchmark the performance over time, and map the dependencies. All executions are done without copying the packet out of the fabric, makes it a unique solution in the market for network and security analytics.

NSX Intelligence Setup

Installing NSX Intelligence is straight-forward. The complete guide can be found here.

The first step is to download the bundles and unpack the tar file. Then the unpacked files have to be put into a web server. I have used a few web servers, but I can only make it works using the Nginx web server on a Linux platform.

In NSX Manager, navigate to System > Appliances and click Add NSX Intelligence Appliance. This will start the appliance deployment wizard:

Enter URL to the OVF file and the network configuration. I deploy a small appliance in my lab environment. A large appliance is recommended for a production environment.

In the next step, I configure the Compute Manager (vCenter) details for the virtual appliance:

Configure appliance credential at the final step:

Click on Install Appliance to start the installation. You can grab a coffee while waiting for the installation to finish.

You can monitor the appliance utilization under System > Appliances

Traffic Flow Visualization

NSX Intelligence UI is integrated into NSX Manager UI. It can be found under Plan & Troubleshoot > Discover & Take Action.

The bubble that you see in the UI represents an object group, and the color represents the protection. Red color means the security policy does not protect the flow. Green color means there is a firewall rule to protect the flow. Since this is a new lab setup, I didn't have any rules in it.

Policy Recommendation

One of the powerful features is to recommend a firewall policy to be enforced. NSX Intelligence collecting the flow metric over time, and from that information, it can recommend what rules need to be installed. You can click the Magic Wand icon to start recommendation

I want to create a policy for my Openshift Cluster that I created before. I can choose the VMs to be included in this recommendation:

It will take some time for NSX Intelligence to collect relevant metrics and once ready, the status will change into Ready to Publish

Take a look at the recommendation and here is the magic

We can adjust the group membership and give it a proper name (instead of a default name) and then arrange the rules as you wish to.

I also adjust the group into:

After I satisfied with the policy and groups, I put the policy in the correct section:

Click Publish to commit the firewall rules.

Distributed Firewall Policy

After few seconds, the firewall policies are installed in the Distributed Firewall section and it is enforced.

Summary

NSX Intelligence opens a new possibility in how you can operate networking and security in the Data Center environment. NSX Intelligence helps security operation team to catalyst the journey into zero-trust environment by recommending and applying security policy.

The Virtual Cloud Network is the ultimate destination for customers, supported by NSX-T to enable consistent networking and intrinsic security for workloads of any type (VM, container, BareMetal) in any location (data center, cloud, edge).