Migrating to NSX? understand the security implications for Greenfield and Brownfield applications

With VMworld 2016 fast approaching, let’s discuss a challenge facing many businesses when migrating to a virtualized platform: security.

First of all, we need to separate between two scenarios.  In a ‘Greenfield’ scenario, you’re building and deploying brand new applications into a virtualized data center. Clearly, this is an ideal situation, because you can essentially bake in security from the ground up. It is more likely, however, that you’ll have a ‘Brownfield’ scenario, where you are migrating existing business applications to a virtualized data center. In this case you need to migrate and adjust existing security policies for the new virtual environment.

In both scenarios, your security goals are the same – you want to allow authorized access to your applications and prevent unauthorized access.

One of the reasons for moving to a virtualized environment, such as VMware, is that it enables you to implement micro-segmentation.  As you know, we frequently blog about the importance of network segmentation as a key strategy of cyber-security; it reduces lateral exploration of your network by cyber criminals, and makes it significantly easier to protect applications and data. VMware NSX’s micro-segmentation essentially takes things a step further; it allows you to place a virtual firewall around every server inside your data center and control East-West traffic. This used to be prohibitively expensive and complicated, but virtualization has made it a viable option.

For Greenfield applications micro-segmentation is relatively easy to achieve. From the outset, you can plan the different datacenter zones and tiers that you need, and assign IP addresses accordingly. Assuming your virtualized datacenter is built on VMware technology, you can then create bespoke VMware NSX rules to support the segmentation architecture that you’ve created from scratch, to precisely suit your needs. It’s all very clean and logical.

Migrating Brownfield applications in a micro-segmented virtual environment is another matter. Here, the chances are that the original on-prem data center wasn’t designed with segmentation in mind – or at least, it has grown and changed far beyond its original architecture. As such, identifying and designing the zones and tiers required for micro-segmentation is far more difficult. And even if you’re able to figure out which server should live in which zone, this doesn’t help you define the necessary firewall rules, because you don’t have enough visibility into how the traffic should flow between the application components.

How, then, should you go about getting the necessary visibility into your traffic flows that you need in order to build the right  firewall rules that deliver secure connectivity throughout your virtualized datacenter?

The best option is to use a discovery solution that can identify and map existing datacenter connectivity. The basic starting point can be a traffic sniffer, whose output can be organized into “thin” flows – from IP address to IP address with some protocol and port combination. More advanced solutions help you group the “thin” flows into “thick” flows by identifying collections of addresses that have the same thin flows entering or exiting them, and/or collections of protocol+port services that always go together. Finally, intelligent solutions help you collate the flows, thin or thick, into application flows, grouping all flows related to that application together for easy identification.  For example, all flows related to payment or credit card applications can be grouped together. Once collated and identified, IT and security teams should be able to see the application-specific traffic flowing through the data center, together with their connectivity needs and interdependencies. This map can then be used in to design the zones, and to plan how to effectively and securely migrate the correct traffic filtering for migrated applications.

It’s worth mentioning here that, when you deploy NSX, the default setting for the NSX firewalls is ‘allow all’. In other words, the default NSX setting does not block traffic.  This is actually a sensible idea; it allows enables companies to deploy applications to NSX without the risk of blocking legitimate traffic and accidentally breaking connectivity for existing applications.  But clearly, for the virtual firewalls to do their traditional job of filtering and blocking traffic, these default settings need to be replaced with bespoke rules over time – a topic we covered in detail here.

***

Next Tuesday, August 23 @11am EDT, I’ll be presenting a webinar on how to migrate and manage security policies in a segmented data center. If you have the time, please join me – you can register here. 

And if you’re going to VMworld, make sure to stop by AlgoSec’s booth (#658) where we can demonstrate how we help companies discover, migrate and manage their business application connectivity to VMware NSX.