NSX Reference Design Document - Tufin · 2018-01-24 · NSX Reference Design Document Contents ... Automation through integration with VMWare vRealize Automation (vRA) ... , Palo

1Copyright©2018Tufin

TufinandSecureChangeareregisteredtrademarksofTufin.UnifiedSecurityPolicy,TufinOrchestrationSuite,SecureTrack,andSecureApparetrademarksofTufin.Allotherproductnamesmentionedhereinaretrademarksorregisteredtrademarksoftheirrespectiveowners.

NSXReferenceDesignDocument

ContentsOverview..................................................................................................................................1

VMwareSDDCApproachRedefinesDataCenterNetworkSecurity....................................1

SDNandSecuringEast-WestandNorth-SouthTraffic.........................................................2

VisibilityandSDN–Youcan’tsecurewhatyoucan’tsee........................................................4

ManagingMicro-segmentation................................................................................................5

AutomationthroughTufinOrchestrationSuite.......................................................................6

AutomationthroughintegrationwithVMWarevRealizeAutomation(vRA)...........................8

Conclusion–IntegrationKeyBenefits.....................................................................................9

Overview

VMwareSDDCApproachRedefinesDataCenterNetworkSecurityTheSoftware-DefinedDataCenter(SDDC)enablesasubstantiallyimprovedoperationalmodelthatprovidesgreaterspeedandagility,loweroperationaloverhead,andlowercapitalexpenditure.VMwareNSXdeliversnetworkvirtualizationfortheSDDC,withafullservice,programmableplatformthatprovideslogicalnetworkabstractionofthephysicalnetworkwithprogrammaticprovisioningandmanagementabilities.Followingthesuccessfulabstractionofthecomputeandstorageelements,networkvirtualizationprovidesthenextsteptowardsafullyvirtualizeddatacenter.VMwareNSXalsooffersanopportunitytoredefinethewaywesecureournetworks.Oneofthefundamentalchallengesofnetworksecurityhasbeentheinabilitytoisolatepolicyenforcementfromtheoperationalnetworkplane.WithintheSDDC,thehypervisorprovidesaperfectlyisolatedlayertoenforcesecuritypolicywhilemaintainingtheapplicationcontexttoenablebettersecuritycontrolandvisibility.NSXprovidesisolationandnetworksegmentationbydefault.Virtualnetworksrunintheirownaddressspaceandhavenocommunicationpathtoeachotherortophysicalnetworks.Nativefirewallingandpolicyenforcementatthevirtuallayerprovidessegmentation,andmicro-segmentationisachievedthroughsecuritycontrolsattheunitlevelorvirtualmachinelevel.Leveragingnetworkvirtualization



technology,theSDDCenablessecuritytobearchitectedintothenetworkitself.Thisallowssecuritycontrolstobebasedonlogicalboundariesandmakesdatacentermicro-segmentationoperationallyfeasible.

SDNandSecuringEast-WestandNorth-SouthTrafficEast-westnetworktrafficisthetransferofdatapacketsfromservertoserverwithinadatacenterinthesameSDN(NSX)environment.North-SouthindicatesnetworktrafficfromtheNSXenvironmenttothelegacydatacenterorviceversa.

Visibilityintobothtypesoftraffic–east-westandnorth-south–iscriticalfororganizationstodeterminethebestsecuritypracticesfortheirnetworksanddatacenters.Whilemanyorganizationsfocusonsecuringexternaltrafficthatenterstheirnetworks,itisincreasinglyimportantfororganizationstomonitorinternaltrafficpatternstoidentifymalwarethathasinfiltratedthenetworkandforinsiderthreats.

Micro-segmentation(greaterdetailinafollowingchapter)significantlyreducestheattacksurfaceavailableformaliciousactivity,andlessenstheimpactofanattackspreadthrougheast-westtraffic.Ifthedatacenterissegmentedintologicalunits,datacenteradministratorscantailoruniquesecuritypoliciesandrulesforeachlogicalunit.Thistightly-coupledapproacheliminatesthetedious,error-pronemanualconfigurationprocessesthatoftenleadtosecurityflawsafteramigration.

East-WestTraffic

North-Sou

thTraffic



TheTufinOrchestrationSuite™SolutionforVMwareNSXTheTufinOrchestrationSuite™isacompletesolutionforautomaticallydesigning,provisioning,analyzingandauditingnetworksecuritypolicychangesfromtheapplicationlayerdowntothenetworklayer.WiththeTufinOrchestrationSuite™,ITandsecurityorganizationscancentrallymanageandcontrolmicro-segmentation,continuouslymonitoradherenceandidentifyviolationstosecuritypolicy,andautomatechangesthroughouttheentiredata-centerviaasingleinterface.TheTufinOrchestrationSuite™providesunprecedentedvisibilityandcontrolofsecurityintheSDDCensuringaunifiedsecuritypolicymanagementacrosstheentireenterprise–includingphysicalandvirtualnetworksaswellashybridcloudplatforms.

TherearefourusecasesfortheintegrationpointsbetweenTufinOrchestrationSuiteandVMWareNSX:

1. Visibility–ViewandtrackchangestosecuritypolicyandconfigurationintheNSXenvironment.2. Micro-segmentation–defineandmanagemicro-segmentationbothwithintheNSXenvironmentas

wellaswiththeexternalDatacenter.3. Policy-drivenchangeautomation–automatechangesthroughTufinSecureChangewhileensuring

adherencetocorporatesecuritypolicy,understandthepotentialrisk,andpushchangestotherelevantdevicesinNSXandtheDFW,andoutsideofittotheappropriateFWs.

4. Integratedpolicy-drivenchangeautomation–automatechangesthroughintegrationwithVMWarevRealizeOrchestrator(vRO).

ThefollowingchapterscovertheaboveusecasesindepthwhileoutliningthebusinesschallengesandhowTufincanhelpsolvethem.



VisibilityandSDN–Youcan’tsecurewhatyoucan’tseeChallenge:Whenitcomestosecuritypolicymanagement,organizationsneedtomanagetheirpoliciescentrally—eventhoughthepoliciesmaybeenforcedondifferentplatformsfromdifferentvendorsonphysical,virtual,andcloud-basedplatforms.Securitymanagersneedbroadandunifiedvisibility,anaudittrailofallchanges,andadvancedanalysisandreportingcapabilities.ConfigurationofsecurityrulesmustbeappliedtotheDistributedFirewall(DFW)withinNSX,NGFWs,andonlegacyfirewall(e.g.CheckPoint,PaloAlto,Cisco,Fortinet)toensureconnectivityandsecurity.Securitymanagersrequirevisibilityintochangesacrossallofthesefirewalls–whatwaschangedandwhochangedit–withoutjumpingbetweendifferenttoolsordifferentdashboards.Thisbecomesanecessityasenterprisesnetworksbecomemorecomplexwithagreaternumberofsecuritydevicesinstalled.TufinSolution:TheTufinOrchestrationSuite™servesasasinglepaneofglasstomanageandcontrolsecurityacrosshybridcloudandphysicalnetworks.TheSuiteprovidessecuritymanagerswiththesamelevelofvisibilityandcontrolintheirnewsoftware-definedenvironmentthattheyareaccustomedtoinatraditionaldatacenter.Inaddition,theTufinOrchestrationSuite™retainsanaccurateaudittrailofallchangesandusesadvancedchangemonitoringandanalysisforfullaccountability.Allchangescanbetrackedandreportscanbeproducedforauditorswhennecessary.Thescreenshotbelowdemonstrateschangetrackingofasecuritypolicy,ensuringthatatanypointit'seasytoseewhodidwhat,whenandwhy,andthiscanbefullydocumentedforfuturereference.

Tufin’sSecureTrackprovidesaside-by-sidecomparisonofthepolicybeforeandafterchanges.



ManagingMicro-segmentationChallenge:Organizationsneedtobeabletodesignandeffectivelymanagemicro-segmentationbothinsideandoutsidetheNSXenvironment.Micro-segmentationprovidesbettersecuritybytighteningthesecuritycontrolsaroundaserver(virtualmachine)thantraditionalsecuritycontrolsbasedonsubnetsegmentation.Operationalizingmicro-segmentationrequireseffectiveconfigurationandmanagement.However,approachingthechallengeoftenleadswith“HowcanIensurethatmyNSXsegmentationisproperlyconfiguredtotakeadvantageofthisinnovativetechnology,thatserversarenotinadvertentlyexposed,andthatapplicationconnectivityisretained?”Managingmicrosegmentationinacomplexenvironmentisdifficult.Akeyparameteristobeabletotrackandmanagethiscomplexprocessinasimple,visualizedwaywithoutmanuallyapplyingdifferentsecurityconfigurationsandrulesacrossNSXandtherestofyourfirewalldevices.

TufinSolution:TherearethreewaysinwhichtheTufinOrchestrationSuite™enablessuccessfulmanagementofmicro-segmentationforNSX.TheTufinOrchestrationSuite™provides:

• Aunifiedandconsistentpolicyacrossbothphysicalandvirtualenvironments,withcleargraphicalvisibilityintothatpolicy.

• Acentralizedapproachtoidentifyingandmanagingviolationsandexceptions.• Automaticchecksofplannedchangesagainstasecuritypolicybeforeitisimplementedtomakesure

thatthechangeisnotintroducinganewpolicyviolation.ThefigureonthefollowingpageshowstheTufinOrchestrationSuite’s™zonesegmentationmatrixwhichisanelementoftheUnifiedSecurityPolicy(USP).Thismatrixrepresentsthedifferentnetworkzonesonboththehorizontalandverticalaxes,andthecolorsoftheblocksindicatethepermittedcommunicationbetweenthetwointersectingzonesshouldbe.Inthezonesegmentationmatrix,agreenblockrepresentsthattrafficofspecificservicesbetweentwozonesisallowed,agrayblockmeansthattrafficisnotallowed,andaredblockindicatestrafficisallowedwhichcurrentlyviolatessecuritypolicy.Eachzonerepresentsphysical,virtualorhybridcloudplatforms.



TheTufinOrchestrationSuite™zonesegmentationmatrix

IntheNSXenvironmentzonescanbeIPsorsubnets,butaremostoftenSecurityGroupsgiventhedynamicnatureoftheSDDC.AsVMsareprovisionedanddestroyedrapidly,theusageofIPslessrelevantduetounmanageability.Onceanorganizationhasdesigneditssegmentationpolicyandimplementedittoproducethevisualmatrixview,theTufinOrchestrationSuite™analyzesthenetworktoidentifythegapsbetweenthedesiredstateofsecuritypolicycomplianceandtheactualenforcementpoliciesrunningacrossnetworkfirewalls,routers,andsecuritygroups.Unlikemanualspreadsheetsthatsecurityadministratorsoftencreateandrelyon,thismatrixisconnectedtothenetworkandautomaticallydetectsandalertsfirewalladministratorsofviolations.ForNSX,thisensuresthatifaruleisaddedtotheDFWortotheperimeterFW,theimpactontherelevantzonesisknown.Operationalneedsoccasionallyrequireanexceptiontoadesiredsegmentationpolicy.Forexample,allowingaspecificbusinessapplicationnon-compliantorriskyaccessmayberequiredinordertorunproperly,eventhoughitintroducesrisktotheorganization.TheUnifiedSecurityPolicyprovidescentralizedexceptionmanagementthatallowsasecurityadministratortoidentifyandmanageexceptions,assignanexpirationdatetonon-compliantrules,andensurethattheyarere-examinedandapproved,orremoved,byaspecificdate.Thisprocessprovidesthesecurityadministratortimetotalkwiththebusinessapplicationownerandfindawaytoeitherchangehowtheapplicationworks,orchangethesegmentationpolicy.Allpolicyexceptionsareautomaticallydocumentedandauditable.

AutomationthroughtheTufinOrchestrationSuite™Challenge:NGFWs,suchasNSXDFW,andlegacyfirewallsarethefirstlineofdefense,buteffectivemanagementoffirewallsdrainspersonnelresourcesfromsecurityprogramsalreadycopingwithashortageofskilledlabor.Regardless,securitypoliciesneedtobechecked,firewallsoptimized,andcontinuouscomplianceanddemonstrablyachieved.Thesefirewallmanagementtasksaretypicallymanualprocessesthatarebothtimeconsumingandrifewithmanualerror,necessitatingasolutiontoeliminatemisconfigurationsandreturnpersonnelresourcestostrategicorimminentchallenges.WorkloadscanrundedicatedonSDNenvironmentorspanacrossNSXandon-premiseinfrastructure,henceautomationmustsupportthemultipleplatformandtechnologiesused.FailingtosupportthediversityofvendorsbeyondNSXprohibitsachievingagility,anddelaysaccesstoadatacenter’sdatabasewhenbehinddifferentfirewallsandrouters,andthetasksassociatedwithmanagingallofthem.



TufinSolution:TheTufinOrchestrationSuite™providescentralmanagementandafullyautomatedchangeprocess,providingend-to-endconnectivityacrossthehybridnetworkwhilemeetingsecuritypolicymandates.End-to-endautomationofnetworksecuritychangeswithbaked-insecurityandcomplianceenablesbothNorth-SouthandEast-WestconnectivitybyprovisioningtotheNSXDistributedFirewallaswellaslegacyfirewallsusingSecurityGroups.ThechangeprocessprovidedbytheTufinOrchestrationSuite™includesautomatedriskanalysisforbuilt-inpolicycomplianceandbestpractices,automateddesignandprovisioningforon-premfirewallsandNSX,andautomatedconnectivityverificationtoboostproductivityandacceleratedelivery.TufindeliversautomatedprovisioningforchangestoNSXsecuritygroups(orIPandIPsets)andguidesuserstoensurethattherightsecuritygroupsarechanged.TheautomatedchangedesignisbasedonthemostaccuratetopologysimulationandefficientpathanalysisacrossNSXandotherplatforms/vendorsWhileallthesecapabilitiesaresupportedthroughtheSecureChangeUI,customersoftenintegrateTufinworkflowsandprocessmanagementintotheirexistingthird-partyticketingtools(e.g.ServiceNoworRemedy)throughAPIsorintegrationapplicationstokeeptheirexistingbusinessprocessesandflowsunchanged.



AutomationthroughintegrationwithVMWarevRealizeAutomation(vRA)NSXandvRealizeAutomationaretwomajorproductsfromVMware.vRealizeAutomationcanbuildaprivatecloudenvironmentwhileNSXbuildstheunderlyingsoftwaredefinednetwork.BoththeefficiencyandsecuritycontrolovertheSDDCisrealizedwhenusingNSXandvRealizeAutomationinconcert.WithNSXyoucanbuilddynamicrouting,loadbalancing,firewallrulestocreatethevirtualizednetwork–vRealizeAutomationusesvRealizeOrchestrator(vRO)asitsunderlyingorchestrationengine.

IntegratingvROwithSecureChangeenablescustomerstoachievefullautomationfordesigningandprovisioningapplicationconnectivity.Together,vRAandvROcanbeusedtospinupamulti-layerapplicationthroughasingleclickalongwithitsnetwork,firewallrules,andloadbalancer.ApplicationsrunningwithintheSDDCandconsumingnon-SDDCresources(e.g.LDAPserverorDB),requirenorth-southconnectivity.ThiscanbeachievedbyincorporatingvROworkflowcallstoaTufinworkflowthroughAPIsfor:

1. TopologyDiscovery:findtraditionalfirewallsinfrontoftheprovisionedVMs.2. RiskAnalysis:CompliancecheckagainstTufinUSPbeforeimplementation.3. Provisioning:PushingchangestotraditionalfirewallsinfrontoftheprovisionedVMsrunningonNSX.

Atypicalflowcanbe:

1. DeploynewVMsfromvROworkflowbasedonVMtemplates(usingvCenterAPItoprovisionnewVMs).

2. CacheVMsnetworkinformationlikeIPAllocated,andPolicyTemplate3. UsetheHTTP-RESTClientfromvROtoopenaticketonSecureChange(JSONformattedquery)4. InSecureChange,runafullyautomatedworkflowforprovisioningrulesonCiscoASAandCheckPoint

firewallsandconnecttheVMstothenetwork.



TheaboveissimilartootherITSMintegrationlikeBMCRemedy,ServiceNow,andothertools(furtheravailableintheTufinProfessionalServicesCatalogue).

Conclusion–IntegrationKeyBenefitsTheintegratedVMwareNSX™andTufinOrchestrationSuite™solutiondeliversvisibility,unifiedsecuritypolicymanagement,andcomplianceacrossphysicalandvirtualnetworks,andhybridcloud.ThestrategicintegrationenablesITorganizationsandsecurityteamsto:

• Viewandmanagesecuritypoliciesacrossthenetworkfromasinglepainofglass,therebyreducingcomplexity.

• TrackchangestosecuritypoliciesonNSXaswellasonotherleadingcloudplatforms,andpresentwhatwasthechangeandwhodidit.

• ReduceauditpreparationtimeandenablecontinuouscomplianceusingtheUnifiedSecurityPolicy• Design,implement,manage,andmonitormicro-segmentationacrossNSX,physicalandhybrid

networks• Visualizepoliciesandnetworkconnectivityacrosstheheterogeneouscorporatenetwork,enablingIT

teamstotroubleshootconnectivityissuesquicklyandeasily• Maximizeagilitywithend-to-endautomationofnetworksecuritychangeswithbaked-insecurityand

complianceproviding:o Automatedriskanalysisforbaked-insecurityandcomplianceo Automatedchangedesignbasedonaccuratetopologysimulationandpathanalysisacross

NSXandothervendor’splatformso AutomatedprovisioningforNSXtoreducecomplexity,eliminatehumanerror,andensure

connectivity

NSX Reference Design Document - Tufin · 2018-01-24 · NSX Reference Design Document Contents ... Automation through integration with VMWare vRealize Automation (vRA) ... , Palo

Documents

NSX Reference Design Document - Tufin · 2018-01-24 · NSX Reference Design Document Contents ... Automation through integration with VMWare vRealize Automation (vRA) ... , Palo