Road to VCAP6-NV: Objective 4.2 – Configure and Manage Service Composer

VMwareNSX
In this blog post I will cover section 4 objective 4.2 of the VCAP6-NV Deploy exam.

Objective 4.2 – Configure and Manage Service Composer

Skills and Abilities

  • Create/configure Service Composer according to a deployment plan:
    • Configure Security Groups
    • Configure Security Policies
    • Configure Activity Monitoring for a Security Policy
  • Create/edit/delete Security Tags
  • Configure Network Introspection
  • Configure Guest Introspection

Create/configure Service Composer according to a deployment plan

Service Composer is an orchestration tool used to provision security services to applications and servers in a virtual environment. Through the use of a combination of security groups and security policies, service composer can cut down the number of DFW rules that you need to create in a virtual environment. Security groups are used to define the assets that you wish to protect. Security groups can be built by using static memberships, dynamic memberships or a combination of both to define your assets. Security groups can be built using a number of parameters such as clusters, security tags, port groups, IP sets, MAC sets and a number of other groupings. Security policies list the services and rules that are assigned to the members of the security group. You map security policies to security groups. If you have a VM that is a member of more than one security group, then the services that are applied to it depend on the precedence of the security policy.

Configure Security Groups

Security groups are a way to define objects that you want to group together to protect. They can be statically defined or defined dynamically. Security groups can be defined using some of the following vCenter objects:

  • Clusters, port groups, resource pools
  • Security tags, IP Sets, MAC Sets, other security groups
  • Active Directory groups – If the NSX Manager is registered with Active Directory
  • VMs, vNICs, Logical Switch

Group objects together can make the application of firewall rules that much easier and cut down on the amount of rules that need to be generated in NSX

To create a security group, navigate to Networking & Security > Service Composer > Security Groups. Click the “New Security Group” icon.

sg01

Enter a name for the security group. Click Next.

sg02

Here, we define any dynamic memberships. Since I want anything that is connected to my Tenant A logical switch to be included, I will select that. Click OK.

sg03

Click Next

sg04

You can also select static objects to include in your security group. While dynamic memberships can change, these static ones won’t. Click Next.

sg05

You can also select objects to statically exclude from a security group. Click Next.

sg06

Click Finish.

sg07

Now we see the new security group has been created.

sg08

Since I created a dynamic security group, we see the two VMs that were connected ahead of time to the Tenant A switch are included in my newly created security group.

sg09

 Configure Security Policies

A security policy can be a set of firewall rules and guest/network introspection services that are applied to a security group. You assign weights to security policies in order to determine which policy is applied first. By default, the newest policy is assigned the highest weight so that is falls at the top of the list.

To create a security policy, click the Create Security Policy icon

sp01

Enter in a name for the security policy and you can define a weight for the policy. Click Next.

sp02

You can add Guest Introspection. I’m not going to at this point. Click Next to move on to the firewall rules section where I will create a rule that will be applied to our security group later.

sp03

Under the Firewall Rules section, click the green + to add a new rule

sp04

I’m going to create a simple rule to block ping. So I will leave the source and destination as they are. One thing to keep in mind, either the source or the destination or both has to be set to “Policy’s Security Groups” when applying the policy. To add the proper services for ping, click Change next to Service.

sp05

Select the services. Click OK.

sp06

Now that we have the rule setup, click OK.

sp07

Click Next.

sp08

We could also all Network Introspection Services to the security policy. At this time we will not. Click Next.

sp09

Click Finish.

sp10

Now we have our newly created Security Policy. The only thing left to do is to apply it to a security group.

sp11

Under the Canvas tab, locate the Security Group that was created earlier. Click the Apply Security Policy Icon.

sp12

Select the Security Policy. Click OK.

sp13

Now I jump on to VM01 and test pinging. As you can see, I can’t ping inside or outside of the logical switch that. I was able to prior to applying the security policy.

sp17

Configure Activity Monitoring for a Security Policy

As of NSX 6.3, Activity Monitoring has been deprecated. VMware recommends using Endpoint Monitoring. So in this section I will be going over configuring endpoint monitoring. Endpoint monitoring enables you to be able to map specific processes inside the guest OS to the network connections the processes are using. In order to use Endpoint Monitoring, you must first have Guest Introspection services deployed in your environment and have the complete install of VMware tools installed on your VMs.

dfw14

Once that is done, navigate to Networking & Security > Tools > Endpoint Monitoring. Click Start Collecting Data.

endpoint01

Click Select you security group here

endpoint02

Select the Security Group you want to perform data collection on. Click OK.

endpoint03

Switch data collection on. Click OK.

endpoint04

Now we see that data collection is enabled. It can take some time for actual data to start appearing in the different sections, so give it some time.

endpoint05

Below are a few screenshots of the various views and information that it provides. The summary gives us a overview of the number of VMs running and how many processes are generating traffic on those VMs.

endpoint06

Under the VM Flows tab you can see various other traffic flows between a member in my security group and other devices.

endpoint07

If you click the bubble of the VM in the chart, you will see a list of the processes that are generating traffic

endpoint08

If you click on the lines between the VM and another devices, you will see what traffic is happening between those two devices

endpoint09

 

Create/edit/delete Security Tags

Security tags are labels that can be associated with a VM to identify workloads or for grouping purposes.  Adding and removing security tags can be done dynamically based off certain criteria. You can also create static or dynamic security groups based off security tags.

To create a security tag navigate to Networking & Security > Security > Groups and Tags. Click the new security tag icon.

tags01

 

Enter in a name for the security tag

tags02

If you want to assign the tag to a VM, simple right click the tag and click Assign Security Tag…

tags03

Select the VM you want to assign the tag too and click OK.

tags04

As seen in the third screenshot, you can also edit the tag or delete it.

Configure Network Introspection/Configure Guest Introspection

Guest Introspection offloads antivirus and anti-malware agent processing to a dedicated virtual appliance. It continuously updates antivirus signatures to give protection to the virtual machines on the host. Any new virtual machines are will come up and already have the latest virus definitions since their is no agent to install on the virtual machine for this.

Installation was partially covered in the endpoint monitoring section. It involves doing a complete install of the VMware tools on the VMs and deploying the Guest Introspection appliances on all the hosts in a cluster.

To deploy Guest Introspection, navigate to Networking & Security > Installation and Upgrade > Service Deployments. Click the green +.

guest01

Select Guest Introspection. Click Next.

guest02

Select the cluster you want to deploy it in. Click Next.

guest03

Select the datastore and network that you want to deploy the appliances on. For IP assignment, you can allow it to grab an IP address from DHCP or you can use a IP Pool. I will use a IP Pool that I created. Click Change to go to the list of IP Pools.

guest04

Select the IP Pool. Click OK.

guest05

Click Finish.

guest06

Now we can see that Guest Introspection services are up and running.

guest07

I can go to my cluster and verify this by the two appliances that are located there, one for each host.

guest08

Once you have Guest Introspection in place and a full VMware tools install on your VMs, you will be able to take advantage of the services it provides.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s