
NSX-T based Micro-segmentation with VMware Horizon

Setting up a Distributed Firewall

Introduction:

NSX-T Micro-Segmentation is one of the many features we can use to secure communication at the transport layer. We will look at basic approaches using Micro-segmentation and the Identity Firewall in NSX-T. The objective of this exercise is to ensure one understands the basics of implementing these rules; it does not necessarily reflect a real-world scenario.

Real-world scenarios will be vastly more complex and time-consuming to configure.

Part 1

Pre-deployment check

  1. On your ControlCenter2 server
    • Select your Horizon client
    • Select your cs1-pd1 POD
    • Log in as User4 with the password VMware1! and select Login
    • Select your W10INST entitlement


  1. On your virtual Desktop
    • Select Start > Run
    • Next to Open: type cmd
  1. In the CMD interface type ping sql.euc-livefire.com
    • Note the 192.168.110.45 IP address
    • Please NOTE! Do not close your Horizon Desktop session
  1. Implementing the Distributed Firewall
    • On your ControlCenter2 server (which is also your landing server)
    • Open your Google Chrome browser
    • Select NSX-T from the favourites bar (accept the untrusted certificate to continue)
  1. On your Browser
    • Login with Username admin
    • With the password VMware1!VMware1!
    • Select LOG IN
  1. In the NSX-T admin console
    • Select the Security Tab under East West Security
    • Select Distributed Firewall
  1. In the Distributed Firewall section
    • Ensure that Application is selected
    • Select ADD POLICY
      • You will notice a Policy has been added with a default name New Policy
  1. In the Policy area you have just created
    • Under Name, select New Policy and replace it with Desktops
  1. To the left of your Desktops Policy, notice you have 3 vertical dots.
    • Select the 3 vertical dots
    • Select Add Rule
  1. In the New Rule interface,
    • Select New Rule and change to Block ICMP to SQL
  1. Under Sources
    • Select the pencil Icon next to Any
  1. In the Set Source Window
    • Select ADD GROUP
  1. In the ADD GROUP interface
    • Under Name type  Subnet 10
    • Under Compute Members select Set Members
  1. In the Select Members | Subnet 10 window
    • Select the IP Addresses tab
  1. Under ACTIONS
    1. In the Enter IP Address area, type 172.16.10.0/24. In the bottom right-hand corner,
      • Select APPLY
    2. In the Set Source window select SAVE
    3. Ensure that you select the checkbox next to Subnet 10
      • Select APPLY
  1. Under Destinations
    • Next to Any select the Pencil
  1. In the Set Destination window
    • Select ADD GROUP
  1. In the ADD GROUP area
    • Under Name type SQL in the Group Name area
  1. Under Compute Members
    • Select Set Members
  1. In the Select Members | SQL area,
    • Select the IP Addresses tab
    • In the  IP Addresses tab under Actions enter 192.168.110.45
    • In the bottom right hand corner select APPLY
  1. In the ADD GROUP area
    • Select SAVE
  1. Ensure the checkbox next to SQL is selected
    • In the bottom right-hand corner select APPLY
  1. Under Services
    • Select the Pencil next to Any
  1. In the Set Service window
    • Scroll down, select the checkbox next to ICMP ALL and select APPLY
  1. In the Block ICMP to SQL row,
    • Under Applied To select the Pencil next to DFW
  1. In the Set Applied To window
    • Change the DFW radio button to the Groups radio button
  1. In the Set Applied To window, with Groups selected
    • Select ADD GROUP
  1. In the Set Applied To window
    • Under the Name area type Windows 10,
    • Under Compute Members select the Set Members
  1. In the Select Members | Windows 10
    • Select + ADD CRITERIA
  1. In the Select Members | Windows 10 window under Criteria 1 select:
    • Virtual Machine > Computer Name > Starts With > type W10INST
    • Select APPLY
  1. In the Set Applied To window in the ADD GROUP area
    • Select SAVE
  1. In the Set Applied To window
    • Select the checkbox next to Windows 10
    • In the bottom right corner select APPLY
  1. Under Action
    • Select the Drop down arrow next to Allow
    • Select Reject
  1. In the top right hand corner of the NSX-T Admin Console
    • Select PUBLISH
      • Notice that the status Uninitialized now changes to Success
  1. On your ControlCenter2 server
    • Switch back to your Horizon Client session
    • From the CMD prompt, ping sql.euc-livefire.com
      • You will notice that you now get a Destination Host Unreachable message
    • Log off from your Horizon Client session by going to the Options dropdown
    • Select Disconnect and Log Off
    • Select OK to log off


Part 2: Testing further Micro-segmentation scenarios with Distributed Firewall Rules

Introduction:

In this exercise we will look at the various options available for implementing Micro-segmentation. Even with all the limitations of this lab setup, the configuration options are impressive. The objective of Part 2 is to follow on from Part 1 and look at the different options available in the rules and how they work.

  1. On your ControlCenter2 server,
    • Switch back to your browser with your NSX-T session.
      • If necessary, log in with the username admin and the password VMware1!VMware1!
    • Ensure you have the Security tab selected, under East West Security
    • Ensure you are in the Distributed Firewall area
  1. On the NSX-T Admin Console
    • Select the 3 dots next to Desktops
    • Select Add Rule
  1. In the New Rule interface,
    • Replace the name New Rule by selecting and typing Marketing Rule
  1. Under Sources,
    • Select the pencil icon, next to Any
  1. In the Set Source window
    • Select ADD GROUP
  1. In the ADD GROUP window
    • Under Name type Marketing
  1. Under Compute Members
    • Select Set Members
  1. In the Select Members | Marketing Group window
    • Select the AD Groups tab
  1. In the search area
    • Type Marketing,
    • Select the checkbox next to Marketing
    • Select APPLY
  1. Back to the Set Source window
    • Select SAVE
  1. In the Set Source Rule > Marketing rule window
    • Ensure the check box to the left of Marketing is selected for this rule
    • Select APPLY
  1. Under Destinations next to Any
    • Select the Pencil
  1. In the Set Destination window
    • Select the checkbox next to RDSH
    • Select APPLY in the bottom right corner.
  1. In the Marketing Rule row
    • Under Services select the Pencil next to Any
  1. In the Set Services window
    • Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    • Select the HTTP and HTTPS check boxes
    • Select APPLY
  1. In the Marketing Rule row
    • Under Applied To select the Pencil next to DFW
  1. In the Set Applied To window
    • Select the radio button next to Groups
  1. In the Set Applied To window,
    • Select the check box, next to Windows 10.
    • Select APPLY
  1. Under Action. We will leave the default Action that being Allow
  1. In the NSX-T Admin Console
    • In the top right corner select PUBLISH
      • We will now create a Deny All Groups rule in addition to what we have just created
  1. In the NSX-T Admin Console > Security > Distributed Firewall
    • Right-click the 3 DOTS next to the Block ICMP to SQL checkbox
    • Select Add Rule
  1. Under your Marketing Rule
    • In the New Rule section rename New Rule to Deny All Groups
  1. In Deny All Groups rule row
    • Under Destinations select the Pencil next to Any
  1. In the Set Destination window,
    • Select the checkbox next to RDSH
    • Select APPLY
  1. In the Deny All Groups row under Services
    • Select the Pencil next to Any
  1. In the Set Services window
    1. Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    2. Select the HTTP and HTTPS check boxes
    3. Select APPLY
  1. In the Deny All Groups row under Applied To select the Pencil next to DFW
  1. In the Set Applied To window select the Groups radio button
  1. In the Set Applied To window
    • Select the Windows 10 group checkbox
    • Select Apply
  1. In the Deny All Groups row
    • Under Action select the Dropdown
    • Select Drop
  1. In the top right corner, of the NSX-T Admin Console
    • Select PUBLISH
  • We have now completed two rules, both based on the Source.
  • Our last set of rules will be aimed at the destination server services.
  1. NSX-T Admin Console > Security > Distributed Firewall
    • Under CATEGORY SPECIFIC RULES in the APPLICATION section select +ADD POLICY
  1. You will notice you have a New Policy, 1st in the policy order. We will now re-order this policy
  1. In the NSX-T Admin Console > Security > Distributed Firewall
    • Left-click and hold your mouse on the 3 DOTS at the beginning of the New Policy line
    • Drag the New Policy down until it is just after the Desktops policy and release your mouse
    • Your New Policy should now appear in the order shown in the second screenshot
  1. In the NSX-T Admin Console > Security > Distributed Firewall
    • In the New Policy line, rename New Policy to Server Access
  1. In the NSX-T Admin Console > Security > Distributed Firewall
    • Select the 3 DOTS in front of your Server Access Policy and select Add rule
      • Notice you now have a new rule called New Rule that is part of the Server Access Policy
  1. In the New Rule section,
    • Rename New Rule to Permit Win 10 to RDSH
  1. In the Permit Win 10 to RDSH section
    • Under Sources, select the Pencil next to Any
  1. In the Set Source window,
    • Select the checkbox next to Windows 10
    • Select APPLY
  1. In the Permit Win 10 to RDSH section
    • Under Destinations, select the Pencil next to Any
  1. On the Set Destination window,
    • Select the checkbox next to RDSH
    • Select APPLY
  1. In the Permit Win 10 to RDSH row under Services select the Pencil next to Any
  1. In the Set Services window
    1. Under Services type http. Notice you now have the HTTP and HTTPS checkboxes available to select
    2. Select the HTTP and HTTPS check boxes
    3. Select APPLY
  1. In the Permit Win 10 to RDSH row
    • Under Applied To select the Pencil next to DFW
  1. In the Set Applied To window select the Groups radio button
  1. In the Set Applied To window
    • Select the RDSH group checkbox
    • Select Apply
  1. Select PUBLISH in the top right corner
  1. Please NOTE: When Identity Based Firewall rules are applied, it is essential to log on after the rules have been applied. Disconnect and Log Off from any active VMware Horizon sessions you are logged into before starting with Part 3

Part 3. Testing the results

Some background information about our setup and what we are going to test.

  • In this setup we have a Horizon Instant Clone Desktop pool with 4 virtual machines
  • The Desktop Pool has two Active Directory security groups entitled to it:
    • Marketing
    • IT-Support
  • Users 1 - 4 are members of the Marketing security group.
  • Users 5 - 6 are members of a security group called IT Support.
  • All 4 virtual machines are running on the 172.16.10.0/24 subnet and have VLAN ID 10 configured for this subnet on its NSX-T segment.
  • As part of the test we have a server with IIS installed called RDSH-01a
  • Note this exercise is teaching Micro-segmentation functionality and one should not read anything into the choice of group name for this exercise.


  • We will first test User 4, who is a member of the Marketing group. User 4 will make an HTTP connection to the RDSH-01a server.
  • We will then test User 5, who is not a member of the Marketing group, and see what happens when they attempt a connection to RDSH-01a
  • We will continue editing rules to demonstrate a new supported feature in NSX-T 3.0 with regard to the use of ping with AD groups, in this case Marketing and IT Support
  • We will test and validate the associated functionality


Part 3:

  1. On your ControlCenter2 desktop,
    • Launch the Horizon client
    • Launch the CS1-PD1.euc-livefire.com POD
    • On the Login window, enter
      • User name: user4
      • Password: VMware1!
    • Select Login
    • Select the W10INST entitlement
  1. On your ControlCenter2 desktop, launch the Horizon client
    • Launch the CS1-PD1.euc-livefire.com POD
    • On the Login window, enter
      • User name: user1
      • Password: VMware1!
    • Select Login
    • Select the W10INST entitlement
  1. On your ControlCenter2 desktop, open the Remote Desktops folder
    1. Launch the RDP client for W10Client01.RDP
    2. On the W10 client Launch the Horizon client
      • Launch the CS1-PD1.euc-livefire.com POD
      • On the Login window, enter
        • User name: user5
        • Password: VMware1!
      • Select Login
      • Select the W10INST entitlement
  1. Select your User 4 Horizon client session
    • On the Desktop, select and launch the Edge Browser in the Task Bar
    • In the Edge Browser address, type http://rdsh-01a
      • As you can see we are able to connect to the web service on the server as User 4.
  1. Switch to your User 5 Horizon client session running from W10Client01
    • On the Desktop, select and launch the Edge Browser in the Task Bar
    • In the Edge Browser address, type http://rdsh-01a
      • User 5 is not a member of the Marketing Group and would therefore be denied access. Our Identity Firewall only allows for Marketing to communicate with the RDSH-01a server.
  1. On your User5 RDP/Horizon client session
    • On the Desktop, select Start > Run and type cmd.exe
    • In the CMD window type hostname and press Enter; note the hostname of this client
  1. Select your User4 Horizon client session
    • On the Desktop, select Start > Run and type cmd.exe
    • In the CMD window type hostname and press Enter; note the hostname of this client
  1. Switch back to your NSX-T admin console. Ensure you are still in Security > Distributed Firewall
    • Select the 3 Dots next to the Desktops Policy and select Add Rule
    • Notice you now have a New Rule
  1. In the New Rule row replace New Rule with ICMP for IT Support
  1. In the ICMP for IT Support row under Sources
    • Select the Pencil next to ANY
  1. In the Set Source window select ADD GROUP
  1. In the ADD GROUP area, under Name type IT Support
    • Under Compute Members, select Set Members
  1. In the Select Members | IT Support window
    • Select the AD Groups tab
    • Under AD Groups start typing IT Supp
    • Select the checkbox next to IT Support
    • Select APPLY in the bottom right corner
  1. Select SAVE
    • Select APPLY to close the Set Source window
  1. In the ICMP for IT Support row under Destinations
    • Select the Pencil next to Any
  1. In the Set Destination window
    • Select the checkbox next to RDSH
    • Select Apply
  1. In the ICMP for IT Support row
    • Under Services select the Pencil next to Any
  1. In the Set Services window, type ICMP
  1. Select the checkbox next to ICMP ALL
    • Select APPLY
  1. In the ICMP for IT Support row under Applied To
    • Select the Pencil next to DFW
  1. In the Set Applied To window
    • Change the DFW radio button to the Groups radio button
  1. In the Groups Area
    • Select the checkbox next to Windows 10
    • Select APPLY
  1. In the Deny All Groups row under Services, select the Pencil next to HTTP/HTTPS
  1. In the Set Services window under Services type icmp
  1. Select the check box next to ICMP ALL
    • Select APPLY
  1. Expand the Server Access Policy
    • In the Permit Win 10 to RDSH row under Services, select the Pencil next to HTTP/HTTPS
  1. In the Set Services window under Services type icmp
  1. Select the check box next to ICMP ALL
    • Select APPLY
  1. Select PUBLISH
  1. Review your Policies and associated Rules
  1. On your Windows 10 RDP session.
    • On the Horizon Client, ensure you disconnect and log off from your virtual desktop session.
    • Using the Horizon client login again as User5 with the password VMware1!
    • From the Start menu > RUN > type cmd.exe
    • Select OK
  1. In the cmd.exe window type, ping rdsh-01a.euc-livefire.com.
    • Your micro-segmentation rules using the Identity Firewall setting should ALLOW and you should get a reply.
  1. On your ControlCenter2 server desktop, switch back to your User4 Horizon client session
    • If the session is disconnected and logged off, log back in as User4 with the password VMware1!
    • Launch a CMD.exe window from RUN if it is closed.
    • In the cmd.exe window type, ping rdsh-01a.euc-livefire.com.
      • Your micro-segmentation rules using the Identity Firewall setting should DENY and you should not get a reply.
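The click-through steps of Parts 1, 2 and 3 produce a small rule set whose behaviour depends on three things: the order of the rules, the Applied To scope of each rule, and how the Identity Firewall resolves an AD group to the user logged in on a desktop. The Python below is an added example, not part of the lab guide and not VMware code: it models those groups and rules as predicates and replays the tests of Part 1 and Part 3 with a first-match, per-vNIC evaluator. Everything not stated in the lab is an assumption: the DFW default rule is taken to be Allow, the pre-existing RDSH group is assumed to match VMs named RDSH*, the "ICMP for IT Support" rule is placed above "Deny All Groups" (the order the lab's expected results require), and the desktop names, the RDSH-01a address and the user-to-group mappings are constructed placeholders.

```python
"""Toy model of the NSX-T Distributed Firewall rules built in this lab.
Added example, not VMware code. Assumptions: the DFW default rule is Allow,
the pre-existing RDSH group matches VMs named RDSH*, and "ICMP for IT Support"
sits above "Deny All Groups". Names/IPs not given in the lab are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    # AD groups of the user logged in on this VM (what the Identity Firewall sees)
    user_groups: FrozenSet[str] = frozenset()

def ip_block(cidr):            # Group > Set Members > IP Addresses
    net = ip_network(cidr)
    return lambda vm: ip_address(vm.ip) in net

def name_starts_with(prefix):  # Group > Criteria: Computer Name Starts With
    return lambda vm: vm.name.upper().startswith(prefix.upper())

def ad_group(group):           # Group > Set Members > AD Groups
    return lambda vm: group in vm.user_groups

def any_vm(vm):
    return True

@dataclass(frozen=True)
class Rule:
    name: str
    source: Callable[[VM], bool]
    destination: Callable[[VM], bool]
    services: FrozenSet[str]          # "*" means Any
    applied_to: Callable[[VM], bool]  # Applied To: which vNICs carry the rule
    action: str                       # ALLOW, DROP or REJECT

def first_match(rules, scope_vm, src, dst, service, default):
    """Rules are enforced per vNIC: only those whose Applied To covers
    scope_vm are consulted there, in order, and the first match wins."""
    for r in rules:
        if r.applied_to(scope_vm) and r.source(src) and r.destination(dst) \
                and ("*" in r.services or service in r.services):
            return r.action, r.name
    return default, "Default Layer3 Rule"

def evaluate(rules, src, dst, service, default="ALLOW"):
    """A flow is checked at both the source and destination vNIC;
    it passes only if neither side drops or rejects it."""
    verdicts = [first_match(rules, vm, src, dst, service, default) for vm in (src, dst)]
    blocked = [v for v in verdicts if v[0] != "ALLOW"]
    return blocked[0] if blocked else verdicts[0]

SUBNET_10 = ip_block("172.16.10.0/24")
SQL = ip_block("192.168.110.45/32")
WINDOWS_10 = name_starts_with("W10INST")
MARKETING = ad_group("Marketing")
IT_SUPPORT = ad_group("IT Support")
RDSH = name_starts_with("RDSH")       # assumption, see module docstring
HTTP_S = frozenset({"HTTP", "HTTPS"})
ICMP = frozenset({"ICMP"})

BLOCK_ICMP_TO_SQL = Rule("Block ICMP to SQL", SUBNET_10, SQL, ICMP, WINDOWS_10, "REJECT")
PART1 = [BLOCK_ICMP_TO_SQL]                       # Desktops policy after Part 1
PART2 = [                                         # Desktops, then Server Access policy
    Rule("Marketing Rule", MARKETING, RDSH, HTTP_S, WINDOWS_10, "ALLOW"),
    BLOCK_ICMP_TO_SQL,
    Rule("Deny All Groups", any_vm, RDSH, HTTP_S, WINDOWS_10, "DROP"),
    Rule("Permit Win 10 to RDSH", WINDOWS_10, RDSH, HTTP_S, RDSH, "ALLOW"),
]
PART3 = [                                         # Part 3 adds the ICMP handling
    Rule("ICMP for IT Support", IT_SUPPORT, RDSH, ICMP, WINDOWS_10, "ALLOW"),
    Rule("Marketing Rule", MARKETING, RDSH, HTTP_S, WINDOWS_10, "ALLOW"),
    BLOCK_ICMP_TO_SQL,
    Rule("Deny All Groups", any_vm, RDSH, HTTP_S | ICMP, WINDOWS_10, "DROP"),
    Rule("Permit Win 10 to RDSH", WINDOWS_10, RDSH, HTTP_S | ICMP, RDSH, "ALLOW"),
]

# Constructed endpoints; only the SQL server address comes from the lab.
USER4_DESKTOP = VM("W10INST-01", "172.16.10.11", frozenset({"Marketing"}))
USER5_DESKTOP = VM("W10INST-02", "172.16.10.12", frozenset({"IT Support"}))
SQL_SERVER = VM("SQL-01a", "192.168.110.45")
RDSH_SERVER = VM("RDSH-01a", "192.168.110.200")

def replay_lab_tests():
    """Verdict (action, matching rule) for each test the lab performs."""
    return {
        "part1 user4 ping sql": evaluate(PART1, USER4_DESKTOP, SQL_SERVER, "ICMP"),
        "part3 user4 http rdsh": evaluate(PART2, USER4_DESKTOP, RDSH_SERVER, "HTTP"),
        "part3 user5 http rdsh": evaluate(PART2, USER5_DESKTOP, RDSH_SERVER, "HTTP"),
        "part3 user5 ping rdsh": evaluate(PART3, USER5_DESKTOP, RDSH_SERVER, "ICMP"),
        "part3 user4 ping rdsh": evaluate(PART3, USER4_DESKTOP, RDSH_SERVER, "ICMP"),
    }

if __name__ == "__main__":
    for test, (action, rule) in replay_lab_tests().items():
        print(f"{test:22} -> {action:6} by '{rule}'")
```

Run it to print one verdict per test; they line up with the results the lab describes (User 4 rejected on ping to SQL, allowed on HTTP to RDSH-01a, dropped on ping to RDSH-01a; User 5 dropped on HTTP, allowed on ping). Passing default="DROP" to evaluate shows why the Server Access policy matters: with an implicit deny, User 4's HTTP request still reaches RDSH-01a only because Permit Win 10 to RDSH is applied to the RDSH vNIC, while the Desktops rules, applied only to Windows 10, never fire on the server side.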
Acknowledgements

A huge thank you to Baldeep Birdy from the NSX Livefire Team.

Without his support in troubleshooting and help in the development of this session

Notes about the author Reinhart Nel

https://www.dropbox.com/s/cf32s1ddeyt5zx4/Reinhart%20Nel.pdf?dl=0

For any questions related to this session, email Reinhart at [email protected]
