Objective 7.3 – Configure and Manage Service Composer

  • Identify assets that can be used with a Security Group
    Security groups may be static (including specific virtual machines) or dynamic where membership may be defined in one or more of the following ways:

    • vCenter containers (clusters, port groups, or datacenters)
    • Security tags, IPsets, MACsets, or even other security groups. For example, you may add a criterion that places all members tagged with a specified security tag (such as AntiVirus.virusFound) into the security group.
    • Directory Groups (if NSX Manager is registered with Active Directory)
    • Regular expressions, for example all virtual machines whose name contains VM.

      Note that security group membership changes constantly. For example, a virtual machine tagged with the AntiVirus.virusFound tag is moved into the Quarantine security group. When the virus is cleaned and this tag is removed from the virtual machine, it again moves out of the Quarantine security group.

  • Identify services contained in a Security Policy
    A security policy is a collection of the following service configurations.
    • Firewall rules: rules that define the traffic to be allowed to, from, or within the security group. Applies to vNICs.
    • Endpoint services: Data Security or third-party solution provider services such as anti-virus or vulnerability management services. Applies to virtual machines.
    • Network introspection services: services that monitor your network, such as IPS. Applies to virtual machines.
  • Identify common Service Composer use cases
    • Orchestrating security between multiple services
    • Deploying security services on demand
    • Quarantining Infected VMs
    • Quarantining vulnerable VMs
  • Differentiate Security Groups and Security Policies
    A Security Group is what you want to protect, a Security Policy is how you want to protect it.
  • Create/Edit a Security Group in Service Composer
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Groups tab and then click the Add Security Group icon.
    • Type a name and description for the security group and click Next.
    • On the Dynamic Membership page, define the criteria that an object must meet for it to be added to the security group you are creating.

      For example, you may include a criteria to add all members tagged with the specified security tag (such as AntiVirus.virusFound) to the security group. Security tags are case sensitive.

      NOTE If you define a security group by virtual machines that have a certain security tag applied to them, you can create a dynamic or conditional workflow. The moment the tag is applied to a virtual machine, the virtual machine is automatically added to that security group.

      Or you can add all virtual machines containing the name W2008 AND virtual machines that are in the logical switch global_wire to the security group.

    • Click Next.
    • On the Select objects to include page, select the tab for the resource you want to add and select one or more resources to add to the security group. You can include the following objects in a security group.
      • Other security groups to nest within the security group you are creating.
      • Cluster
      • Virtual wire
      • Network
      • Virtual App
      • Datacenter
      • IP sets
      • AD groups
        NOTE The AD configuration for NSX security groups is different from the AD configuration for vSphere SSO. NSX AD group configuration is for end users accessing guest virtual machines while vSphere SSO is for administrators using vSphere and NSX.
      • MAC Sets
      • Security tag
      • vNIC
      • Virtual Machine
      • Resource Pool
      • Distributed Virtual Port Group
        The objects selected here are always included in the security group regardless of whether or not they match the dynamic criteria. When you add a resource to a security group, all associated resources are automatically added. For example, when you select a virtual machine, the associated vNIC is automatically added to the security group.
    • Click Next and select the objects that you want to exclude from the security group.
      The objects selected here are always excluded from the security group even if they match the dynamic criteria or are selected in the include list.
    • Click Finish.

      Membership of a security group is determined as follows:
      {Expression result (from the Dynamic Membership page) + Inclusions (from the Select objects to include page)} – Exclusions (from the exclude page). That is, inclusion items are first added to the expression result, and exclusion items are then subtracted from the combined result.
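The membership formula above, worked through in code. This is an added example written for these notes, not VMware's own code or anything from the NSX Administration Guide: it models a security group with dynamic criteria (ANDed, as in the W2008 AND global_wire example), an include list, an exclude list and nested groups, and resolves membership as {expression + inclusions} – exclusions. The VM names, cluster names and group names are constructed sample data, and the criteria helpers (tagged, name_matches, in_cluster) are simplified stand-ins for the vCenter-object and tag criteria the UI offers.

```python
"""Added example: a model of Service Composer security group resolution.
Not VMware code; all inventory below is constructed sample data."""
import re
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    cluster: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    name: str
    criteria: list = field(default_factory=list)   # VM -> bool; all must match (AND)
    include: set = field(default_factory=set)      # VM names from the include page
    exclude: set = field(default_factory=set)      # VM names from the exclude page
    nested: list = field(default_factory=list)     # nested SecurityGroup objects


def tagged(tag):
    """Criterion: VM carries `tag`. Security tags are case sensitive, so compare exactly."""
    return lambda vm: tag in vm.tags


def name_matches(pattern):
    """Criterion: VM name matches the regular expression `pattern`."""
    regex = re.compile(pattern)
    return lambda vm: regex.search(vm.name) is not None


def in_cluster(cluster):
    """Criterion: VM belongs to the vCenter cluster `cluster`."""
    return lambda vm: vm.cluster == cluster


def resolve(group, inventory):
    """{expression result + inclusions} - exclusions, evaluated over `inventory`."""
    # 1. dynamic expression: VMs matching every criterion (no criteria -> no dynamic members)
    expression = set()
    if group.criteria:
        expression = {vm.name for vm in inventory if all(c(vm) for c in group.criteria)}
    # 2. inclusions are added regardless of the expression; nested groups
    #    contribute their own resolved membership
    included = set(group.include)
    for child in group.nested:
        included |= resolve(child, inventory)
    # 3. exclusions win over both the expression and the include list
    return (expression | included) - group.exclude


def build_inventory():
    """Constructed sample inventory (not real hosts)."""
    return [
        VM("W2008-app01", "Prod", {"AntiVirus.virusFound"}),
        VM("W2008-app02", "Prod"),
        VM("lnx-db01", "Prod", {"AntiVirus.virusFound"}),
        VM("W2008-lab01", "Lab"),
    ]


def quarantine_members(inventory):
    """Dynamic group: every VM tagged AntiVirus.virusFound, re-evaluated on each call."""
    q = SecurityGroup("Quarantine", criteria=[tagged("AntiVirus.virusFound")])
    return resolve(q, inventory)


def windows_prod_members(inventory):
    """Regex AND cluster criteria, plus an explicit include and an explicit exclude."""
    g = SecurityGroup(
        "Windows-Prod",
        criteria=[name_matches(r"W2008"), in_cluster("Prod")],
        include={"lnx-db01"},        # always in, even though it is not a Windows VM
        exclude={"W2008-app01"},     # always out, even though it matches the expression
    )
    return resolve(g, inventory)


def remediation_members(inventory):
    """A group that nests Quarantine and adds one VM statically."""
    q = SecurityGroup("Quarantine", criteria=[tagged("AntiVirus.virusFound")])
    parent = SecurityGroup("Needs-Remediation", nested=[q], include={"W2008-lab01"})
    return resolve(parent, inventory)


def remove_tag(inventory, vm_name, tag):
    """Simulate the anti-virus service clearing a tag after the virus is cleaned."""
    for vm in inventory:
        if vm.name == vm_name:
            vm.tags.discard(tag)
    return inventory


if __name__ == "__main__":
    inv = build_inventory()
    print("Quarantine:", sorted(quarantine_members(inv)))
    remove_tag(inv, "W2008-app01", "AntiVirus.virusFound")
    print("Quarantine after clean:", sorted(quarantine_members(inv)))
    print("Windows-Prod:", sorted(windows_prod_members(inv)))
    print("Needs-Remediation:", sorted(remediation_members(inv)))
```

Running it shows the two behaviours the notes call out: W2008-app01 leaves Quarantine as soon as its tag is removed, and in Windows-Prod the excluded VM stays out even though it matches both criteria, while the included Linux VM stays in even though it matches neither.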

  • Create/Edit/Delete a Security Policy
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Policies tab.
    • Click the Create Security Policy icon.
    • In the Add Security Policy dialog box, type a name for the security policy.
    • Type a description for the security policy.

      NSX assigns a default weight (highest existing weight + 1000) to the policy. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.
      Security policies are applied according to their weight – a policy with a higher weight has precedence over a policy with a lower weight.

    • Select Inherit security policy from specified policy if you want the policy that you are creating to receive services from another security policy. Select the parent policy.
      All services from the parent policy are inherited by the new policy.
    • Click Next.
    • In the Endpoint Services page, click the Add Endpoint Service “+” icon.
      (In NSX 6.1 this page is called “Guest Introspection Services”.)

      • In the Add Endpoint Service dialog box, type a name and description for the service.
      • Specify whether you want to apply the service or block it. When you inherit a security policy, you may choose to block a service from the parent policy.
      • Select the type of service. If you select Data Security, you must have a data security policy in place. See Chapter 12, “Data Security,” on page 139 of the NSX Administration Guide.
      • If you chose to apply the Endpoint service, select the service name and service configuration. Service configuration refers to vendor templates. These configurations are defined in third party consoles and are registered along with partner services. Tagging and untagging of virtual machines depends on the service configuration selected for the security policy.
      • In State, specify whether you want to enable the selected Endpoint service or disable it. You can add Endpoint services as placeholders for services to be enabled at a later time. This is especially useful for cases where services need to be applied on-demand (for example, new applications).
      • Select whether the Endpoint service is to be enforced (i.e. it cannot be overridden). If you enforce an Endpoint service in a security policy, other policies that inherit this security policy would require that this policy be applied before the other child policies. If this service is not enforced, an inheritance selection would add the parent policy after the child policies are applied.
      • Click OK.

        You can add additional Endpoint services by following the above steps. You can manage the Endpoint services through the icons above the service table. You can export or copy the services on this page by clicking the icon on the bottom right side of the Endpoint Services page.

    • Click Next.
    • On the Firewall page, click the Add Firewall Rule “+” icon. Here, you are defining firewall rules for the security group(s) that this security policy will be applied to.
      • Type a name and description for the firewall rule you are adding.
      • Select Allow or Block to indicate whether the rule needs to allow or block traffic to the selected destination.
      • Select the source for the rule. By default, the rule applies to traffic coming from the security groups to which this policy is applied. To change the default source, click Change and select the appropriate security groups.
      • Select the destination for the rule.

        NOTE Either the Source or Destination (or both) must be the security groups to which this policy is applied.

        Say you create a rule with the default Source, specify the Destination as Payroll, and select Negate Destination. You then apply this security policy to security group Engineering. This would result in Engineering being able to access everything except for the Payroll server.

      • Select the services and/or service groups to which the rule applies.
      • Select Enabled or Disabled to specify the rule state.
      • Select Log to log sessions matching this rule. Enabling logging may affect performance.
      • Click OK.

        You can add additional firewall rules by following the above steps. You can manage the firewall rules through the icons above the firewall table. You can export or copy the rules on this page by clicking the export icon on the bottom right side of the Firewall page.
        The firewall rules you add here are displayed in the Firewall table. VMware recommends that you do not edit Service Composer rules in the firewall table. If you must do so for emergency troubleshooting, you must re-synchronize Service Composer rules with firewall rules by selecting Synchronize Firewall Rules from the Actions menu in the Security Policies tab.

      • Click Next.
        The Network Introspection Services page displays NetX services that you have integrated with your VMware virtual environment.
      • Click the Add Network Introspection Service “+” icon.
        • In the Add Network Introspection Service dialog box, type a name and description for the service you are adding.
        • Select whether or not to redirect to service.
        • Select the service name and profile.
        • Select the source and destination.
        • Select the protocol.
          You can specify the protocol type, source port advanced options, and destination port.
        • Select whether to enable or disable the service.
        • Select Log to log sessions matching this rule.
        • Click OK.

          You can add additional network introspection services by following the above steps. You can manage the network introspection services through the icons above the service table. You can export or copy the services on this page by clicking the icon on the bottom right side of the Network Introspection Service page.

      • Click Finish.

        The security policy is added to the policies table. You can click the policy name and select the appropriate tab to view a summary of the services associated with the policy, view service errors, or edit a service.
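To tie together the weight rule (highest existing weight + 1000, higher weight wins) and the Negate Destination example (Engineering reaches everything except Payroll), here is an added example written for these notes, not VMware's code and not the NSX API: it models security policies with weights and Service Composer firewall rules, enforces the note that source or destination must be the policy's security groups, and evaluates a flow against the rules in weight order. Policy names, group names and services are constructed; the assumption that a fresh environment starts at weight 1000, and the first-match-wins walk that returns "NoMatch" when no Service Composer rule applies (leaving the flow to the rest of the distributed firewall table), are simplifications of this model rather than documented NSX behaviour.

```python
"""Added example: weight-ordered evaluation of Service Composer firewall rules.
Not VMware code; policies and flows below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                       # "Allow" or "Block"
    service: str = "any"              # "any" or a single service name, e.g. "HTTP"
    source: Optional[str] = None      # None = the security groups this policy is applied to
    destination: Optional[str] = None # None = the security groups this policy is applied to
    negate_destination: bool = False  # the UI's Negate Destination checkbox
    enabled: bool = True


@dataclass
class SecurityPolicy:
    name: str
    weight: int
    rules: list = field(default_factory=list)
    applied_to: set = field(default_factory=set)   # security group names


def default_weight(existing):
    """Highest existing weight + 1000. Assumption: 1000 when no policy exists yet."""
    return max((p.weight for p in existing), default=0) + 1000


def validate_rule(rule):
    """Either source or destination (or both) must stay as the policy's security groups."""
    if rule.source is not None and rule.destination is not None:
        raise ValueError(f"{rule.name}: source or destination must be the policy's security groups")


def rule_matches(rule, policy, src_group, dst_group, service):
    """Does `rule` (inside `policy`) match a flow from src_group to dst_group?"""
    if not rule.enabled:
        return False
    if rule.service not in ("any", service):
        return False
    if rule.source is None:
        src_ok = src_group in policy.applied_to
    else:
        src_ok = rule.source == src_group
    if rule.destination is None:
        dst_ok = dst_group in policy.applied_to
    else:
        # Negate Destination flips the match: "everything except <destination>"
        dst_ok = (rule.destination == dst_group) != rule.negate_destination
    return src_ok and dst_ok


def evaluate(policies, src_group, dst_group, service="any"):
    """Walk policies by weight (highest first) and rules in listed order; first match wins.
    Returns (action, policy name, rule name), or ("NoMatch", None, None) when no
    Service Composer rule applies (the flow falls through to the rest of the DFW table)."""
    for policy in sorted(policies, key=lambda p: p.weight, reverse=True):
        for rule in policy.rules:
            if rule_matches(rule, policy, src_group, dst_group, service):
                return rule.action, policy.name, rule.name
    return "NoMatch", None, None


def build_policies():
    """Constructed scenario: a baseline policy at weight 1200, then a new policy that
    receives the default weight 2200 and therefore takes precedence."""
    baseline = SecurityPolicy("Engineering-Baseline", weight=1200, applied_to={"Engineering"})
    # The notes' example: default source, destination Payroll, Negate Destination selected
    baseline.rules.append(Rule("allow-all-but-payroll", "Allow",
                               destination="Payroll", negate_destination=True))
    lockdown = SecurityPolicy("Web-Lockdown", weight=default_weight([baseline]),
                              applied_to={"Engineering"})
    lockdown.rules.append(Rule("block-http-to-web", "Block", service="HTTP", destination="Web"))
    for policy in (baseline, lockdown):
        for rule in policy.rules:
            validate_rule(rule)
    return [baseline, lockdown]


if __name__ == "__main__":
    policies = build_policies()
    for flow in [("Engineering", "Payroll", "HTTP"), ("Engineering", "Web", "HTTP"),
                 ("Engineering", "Web", "SSH"), ("Finance", "Web", "HTTP")]:
        print(flow, "->", evaluate(policies, *flow))
```

The Engineering to Payroll flow gets no Service Composer match because the negated rule excludes exactly that destination, while Engineering to Web over HTTP is blocked by the newer policy even though the baseline would allow it, which is the weight precedence the notes describe.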

  • Map a Security Policy to a Security Group
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click Service Composer.
    • Click the Security Policies tab.
    • Select a security policy and click the Apply Security Policy icon.
    • Select the security group that you want to apply the policy to.

      If you select a security group defined by virtual machines that have a certain security tag applied to them, you can create a dynamic or conditional workflow. The moment the tag is applied to a virtual machine, the virtual machine is automatically added to that security group.

    • Click the Preview Service Status icon to see the services that cannot be applied to the selected security group and the reason for the failure.

      For example, the security group may include a virtual machine that belongs to a cluster on which one of the policy services has not been installed. You must install that service on the appropriate cluster for the security policy to work as intended.

    • Click OK.
  • Add/Edit/Delete a Security Tag
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click the Security Tags tab.
    • Add:
      • Click the New Security Tag “+” icon.
      • Type a name and description for the tag and click OK.
    • Edit:
      • Select a security tag and click the Edit Security Tag (Pencil) icon.
      • Make the appropriate changes and click OK.
    • Delete:
      • Select a security tag and click the Delete Security Tag “X” icon.
  • Assign and view a Security Tag
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click the Security Tags tab.
    • Assign:
      • Select a security tag and click the Assign Security Tag “+” icon.
      • Select one or more virtual machines and click OK.
    • View:
      • A list of tags applied in your environment is displayed along with details about the virtual machines to which those tags have been applied. Note down the exact tag name if you plan on adding a security group to include virtual machines with a specific tag.
      • Click the number in the VM Count column to view the virtual machines to which that tag in that row has been applied.

Tools

  • NSX Administration Guide
  • vSphere Web Client
