This is part 12 of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.
At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.
Previous blogs in this series:
Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1
Part 9A – Objective 3.2 IPSec VPNs
Part 9B – Objective 3.2 SSL VPNs
Part 9C – Objective 3.2 L2 VPNs
Part 10 – Objective 3.3
Part 11 – Objective 4.1
This blogs covers:
Section 4 – Secure a vSphere Data Center with VMware NSX
Objective 4.2 – Configure and Manage Service Composer
- Create/Configure Service Composer according to a deployment plan:
- Configure Security Groups
- Configure Security Policies
- Configure Activity Monitoring for a Security Policy
- Create/Edit/Delete Security Tags
- Configure Network Introspection
- Configure Guest Introspection
Create/Configure Service Composer according to a deployment plan
As per other exam objectives that mention create or configure something to a deployment plan, you have to assume that VMware are going to give a design brief or goal that you will need to implement; or resolve a broken implementation. Let’s get stuck into the technical stuff and look at how this works.
Service Composer.
This is a pretty cool feature of NSX in that it allows you to provision and assign firewall rules and 3rd party services to ‘virtual things’ in real-time. It allows you to configure event-driven security policies. I think of NSX Service Composer as the mechanism that does the security orchestration.
From the VMware documentation: Service Composer helps you provision and assign network and security services to applications in a virtual infrastructure. You map these services to a security group, and the services are applied to the virtual machines in the security group.
Service Composer helps orchestrate security services. For example you may be using a 3rd party Guest Introspection anti-virus service and it detects a virus on a virtual machine. Service Composer can move the infected VM to a dynamic Security Group that has a Security Policy applied that quarantines and resolves the infection. Once the virtual machine is clean it will then be moved back into production.
Security Groups.
Security Groups define a collection of ‘things’ and membership can either be static or dynamic based on criteria. These ‘things’ may be any of the following:
- vCenter based objects i.e. data center, cluster, port groups etc
- Security tags, IPs, MAC etc
- Active Directory groups if NSX is Active Directory integrated
- Virtual Machines
- Other Security Groups, therefore nested groups.
An example of a static Security Group might be where a VM is manually assigned to a group. Group membership never changes unless the VM is manually removed or other VMs are added.
A dynamic Security Group can expand and shrink its membership based on criteria such as ‘include all VMs that have a tag of AntiVirus.virusFound’ or ‘include all VMs that are in a specific IP subnet’. When I create Security Groups later you will see the different options available.
Security Policy.
A Security Policy is a collection of either Firewall Rules, Guest Introspection or Network Introspection Services.
Firewall Rules are applied to virtual NICs. Guest Introspection services such as 3rd-party anti-virus/malware and Network Introspection services which monitor the network are applied to virtual machines.
Security Policies have a weighting system for order of precedence. By default a new Security Policy is assigned the highest weight and this can be changed as required. The higher the weight the higher the precedence. Security Policies can be applied to multiple Security Groups.
To consume the services offered by Security Composer you need to:
- Create a Security Group
- Create a Security Policy
- Apply the Policy to the Group
So lets walk through a very simple use-case as a demonstration. I want any VM added to the Web Tier logical switch to only allow incoming HTTP port 80 traffic and deny all other traffic, even if the traffic is initiated from within the Web Tier. This will be a based on a dynamic Security Group.
Before starting I confirm that from another VM on the same or different logical switch I can ping a Web Tier VM (Web-01A 172.16.10.10), confirming that the network is currently allowing ICMP traffic and that the website is available (test will also be repeated at end of this).
Create a Security Group
I am going to create a dynamic Security Group based on any VM that is connected to the Web Tier logical switch.
Log into the vSphere Web Client.
Click on Service Composer. 
Click Security Groups, then the 
icon to Add a New Security Group.
Add a Name for the Security Group.
Define the dynamic membership. I select Entity and then click the 
icon to choose the objects to be dynamic members. I am selecting Logical Switch.
Note: you can choose from: Security Group, Cluster, Logical Switch, Legacy Port Group, vApp, Data Center, MAC Set, Security Tag, vNIC, Virtual Machine, Resource Pool and Distributed Port Group.
I can then choose my Web Tier Logical Switch.
My dynamic membership is defined.
And finally I can see my Security Group has been created and it has 2 members, both of which are VMs (web-01A & Web 02B) that are connected to the Web Tier Logical Switch.
Create a Security policy
Next I need to create and define a Security Policy. This policy will have my firewall rules which will allow HTTP web traffic on port 80 and deny all other traffic, even if that traffic originates on the Web Tier Logical Switch (yes! Micro-Segmentation COOL!)
Log into the vSphere Web Client.
Click on Service Composer.
Click on Security Policies.
Click Security Policies, then the 
icon to Create Security Policy.
I give the policy a Name, note I can also set a weighting.
I skip Guest and Network Introspection and configure the Firewall settings. I click the green + sign to Add a New Firewall Rule.
I add an allow rule to allow HTTP.
I create a second rule to deny everything else. I click Finish.
I can now see my Security Policy.
I now have to link this policy to my security group.
Link a Security Policy to a Security Group
Log into the vSphere Web Client.
Click on Service Composer.
Click on Security Policies.
Select the policy you want, click the blue cog (Actions) and click Apply Policy.
Select the Security Group to link to.
And that’s it. I now have a Security Group and Security Policy created and linked.
Test the Configuration
Lets test out the HTTP and ping access to the Web Tier. I can still browse the web service of the remote web server but I cannot ping it, even though I am on the same logical switch.
Configure Activity Monitoring for a Security Policy
Activity Monitor allows you to see what applications are running on Windows virtual machines managed by vCenter. You can use Activity Monitor to determine if your Security Policies are working correctly.
A screen shot of Activity Monitor is below: (from NSX documentation)
There are some pre-requisites for Activity Monitor to work:
- NSX must be functional.
- NSX must be linked with Active Directory.
- VMware Tools must be running on VMs.
There are a four configuration steps required for Activity Monitoring to be functional:
- Guest Introspection driver must be installed with VMware Tools on VMs to be monitored.
- The Guest Introspection VMs must be deployed.
- Activity Monitoring must be enabled for VMs.
- In vCenter, modify the objects to be monitored (option step).
Install Guest Introspection Driver
Install a complete version of VMware Tools on a VM or modify the existing install and tick the box to install the Guest Introspection Driver.
Deploy the Guest Introspection VMs
Log into the vSphere Web Client.
Click Networking and Security, then Installation, then Service Deployments.
Click the green + sign to Add a New Service Deployment.
Tick the box for Guest Introspection.
Select the cluster/s to deploy the Service VMs to.
As I do not have DHCP to assign IPs to the Service VMs, I create an IP Pool.
I can now see the Service VMs deployed to the cluster.
Enable Activity Monitoring on a Single VM
Log into the vSphere Web Client.
Locate the VM that you want to enable Activity Monitor on.
On the Summary tab, under NSX Activity Monitoring, click Edit.
Click Yes to enable Activity Monitoring for the VM. Repeat for other VMs.
This enables Activity Monitoring for one VM or more, but it’s all manual.
Enable Activity Monitoring on Multiple VMs
To enable Activity Monitoring on multiple VMs you use the default built-in Security Group called Active Monitoring Data Collection. Edit this group and add your specific Security Groups – I am adding my Web Tier Security Group.
Note: It takes at least 5 minutes before data is available to be viewed.
To View Activity Monitoring Reports
Log into the vSphere Web Client.
Click on Networking and Security.
Click on Activity Monitoring. Carry out your searches.
Create/Edit/Delete Security Tags
Security Tags are like metadata or labels that you can apply to objects i.e. a VM or a workload or workflow to describe a state.
Membership of a Security Group for example could be dynamically based off a Security Tag assigned to a VM or a group of VMs that make a workflow.
Security Tags used for 3rd party anti-virus for example might apply a tag to a VM when malware is detected on the VM and based on that tag the VM is moved out of production, remediated, the tag removed and placed back into production.
Below covers most of the steps for create/edit/apply Security Tags.
Security Tags
Log into the vSphere Web Client.
Click on Networking and Security, then NSX Managers.
Select your NSX Manager and click Security Tags.
Click the 
icon to Add a New Security Tag.
I created a Security Tag called ‘www.vZealand.com’. I then Assign the Security Tag to my Web Tier VMs.
You can create dynamic Security Groups based on Security Tags.
Configure Guest or Network Introspection
I have already above covered the steps for Guest Introspection in the Configuring Activity Monitor section. Guest Introspection is used for endpoint services such as anti-virus or malware scanners.
Network Introspection has a very similar process to Guest and you use this for services such as IDS or IPS. I don’t have an appliance to test with.
That’s all for blog 12. Pretty dry and boring content, but over half way through the series now.
Section 5 – Perform Operational Management of a VMware NSX Implementation
Objective 5.1 – Backup and Restore Network Configurations
Follow me on Twitter or LinkedIn.
Be Social; Please Share.
Musings from a past life 
[…] Blog 12 is going to cover exam Objective 4.2 which is based on Configuring and Managing Service Comp… […]
LikeLike
I have a question regarding the Guest Introspection VM deployment, looks like you have chosen MGMT port group for the network config but the IP pool is in a different subnet of 12.1.1.x
MGMT subnet is 10.0.0.x. Could please explain about this?
LikeLike
Good spotting! Wrong screen shot. Should be from the IP pool on 12.x, will update. Thanks
LikeLike
[…] Part 1 – Intro Part 2 – Objective 1.1 Part 3 – Objective 1.2 Part 4 – Objective 1.3 Part 5 – Objective 2.1 Part 6 – Objective 2.2 Part 7 – Objective 2.3 Part 8 – Objective 3.1 Part 9A – Objective 3.2 IPSec VPNs Part 9B – Objective 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part 11 – Objective 4.1 Part 12 – Objective 4.2 […]
LikeLike
[…] 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part 11 – Objective 4.1 Part 12 – Objective 4.2 Part 13 – Objective […]
LikeLike
[…] 3.2 SSL VPNs Part 9C – Objective 3.2 L2 VPNs Part 10 – Objective 3.3 Part 11 – Objective 4.1 Part 12 – Objective 4.2 Part 13 – Objective 5.1 Part 14 – Objective […]
LikeLike
[…] Objective 4.2 – Configure and Manage Service Composer […]
LikeLike
[…] To read more about Security Groups see blog 12. […]
LikeLike