Skip to main content

Micro-Segmentation

 According to VMware, “Micro-segmentation enables organizations to logically divide its data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment.” (Lawrence Miller, CISSP and Joshua Soto, 2015, p. 21) The benefit of micro-segmentation is that it denies an attacker the opportunity to pivot laterally within the internal network, even after the perimeter has been breached.

VMware NSX-T supports micro-segmentation as it allows for a centrally controlled, yet distributed firewall to be attached directly to workloads within an organization’s network. The distribution of the firewall for the application of security policy to protect individual workloads is effective as rules can be applied that are specific to the requirements of each workload. The additional value that NSX-T provides is that the capabilities of NSX are not limited to homogenous vSphere environments, but support the heterogeneity of platforms and infrastructure that is more commonly used with many organizations today. Figure 7 depicts micro-segmentation capabilities of NSX, where each workload is virtual secured with its own distributed firewall.




Micro-segmentation provided by NSX-T better supports a Zero Trust architecture for IT security such that it allows for perimeters to be established around each workload. The Zero Trust architecture was introduced by analyst firm Forrester Research as an alternative approach to IT security architecture. Conventional security models assume that everything on the inside of an organization’s network can be trusted, whereas the Zero Trust model assumes the opposite: that nothing can be trusted and everything should be verified. The Zero Trust model for IT security is a principle that addresses the increased sophistication of network attacks and insider threats. 

Rather than simply placing firewalls at the edge of the organization’s network to prevent attacks from external networks, the Zero Trust model looks at ways to better control and manage network traffic within the organization’s network. The intent is that for each system in an organization’s network, trust of the underlying network is completely removed. To do this, organizations can define perimeters within the network to limit the possibility of lateral (east-west)movement of an attacker. Implementation of a Zero Trust model of IT security with traditional network security solutions designed primarily to protect the organization’s edge can be costly and complex. 

Moreover, the lack of visibility for organization’s internal networks can slow down implementation of a Zero Trust architecture and possibly leave gaps that may only be discovered during a breach. Additionally, internal perimeters may only have granularity down to a VLAN or subnet, as is common with many traditional DMZs. However, network virtualization solutions like NSX and NSX-T can provide a more cost effective and efficient means to implement a Zero Trust network

Comments

Post a Comment

Popular posts from this blog

Changing the FQDN of the vCenter appliance (VCSA)

This article states how to change the system name or the FQDN of the vCenter appliance 6.x You may not find any way to change the FQDN from the vCenter GUI either from VAMI page of from webclient as the option to change the hostname always be greyed out. Now the option left is from the command line of VCSA appliance. Below steps will make it possible to change the FQDN of the VCSA from the command line. Access the VCSA from console or from Putty session. Login with root permission Use above command in the command prompt of VCSA : /opt/vmware/share/vami/vami_config_net Opt for option 3 (Hostname) Change the hostname to new name Reboot the VCSA appliance.   After reboot you will be successfully manage to change the FQDN of the VCSA . Note: Above step is unsupported by VMware and may impact your SSL certificate and face problem while logging to vSphere Web Client. If you are using self-signed certificate, you can regenerate the certificate with the
2 comments
Read more

Issue : Configure Management Network option is Grayed out into ESXi

Last week I got into an issue of one of my client into Vsphere environment where one of its ESXi went done out of the network. Issue was IP address was showing 0.0.0.0 on main Esxi screen and when I tried to change the network configuration, its " Configure Management network option was greyed out.  I tried to gid into it and try to analyis its vmKernal and vmwarning logs. What I found is its VMkernal switch got removed due to unexpected reason. So to resolve the issue I tried to reconfigure its vswitch0 (vmk0) by going into Tech Mode of that Exi. Below are the steps which I followed to resolve the issue. 1) Login to ESXi 2) Press F2, Check if you " Configure Management network " is greyed out or not" if yes,    follow below 3) Press ALT+F1 to move the ESXi screen to tech mode   ( This is command line like dos) 4) login with root account 5) Run the following command into it esxcli network ip interface add --interface-name= vmk0
2 comments
Read more

Collecting Logs from NSX-T Edge nodes using CLI

  This article explains how to extract the logs from NSX-T Edge nodes from CLI. Let's view the steps involved: 1) Login to NSX-T  Edge node using CLI from admin credentials. 2) Use of  " get support-bundle " for Log extraction. get support-bundle command will extract the complete logs from NSX-T manager/Edge nodes. nsx-manager-1> get support-bundle file support-bundle.tgz 3) Last step is to us e of " copy file support-bundle.tgz url " command. copy file will forward your collected logs from the NSX-T manager to the destination(URL) host from where you can download the logs. copy file support.bundle.tgz url scp://root@192.168.11.15/tmp Here, the URL specified is the ESXi host ( 192.168.11.15) under /tmp partition where logs will be copied and from there one can extract it for further log review. Happy Learning.  :)
Post a Comment
Read more