Using VMware NSX, your applications can be seamlessly secured throughout your entire environment. Whether on-prem or in the cloud, NSX has got you covered. The journey to application security using NSX’s micro-segmentation can be significantly accelerated by using vRealize Network Insight.
As you may know by now, Network Insight listens to everything going on inside your network and turns it into intelligible information. You get a crystal clear donut-shaped diagram that tells you, in one view, exactly which applications and workloads communicate with each other. Furthermore, using an advanced learning engine, it gives you a set of recommended firewall rules that are applicable to your applications. These recommended firewall rules can be used to create a micro-segmented environment and accelerate the security of your applications significantly.
Enriching the Application Security Journey
By default, Network Insight discovers your virtual and physical environment (vSphere infrastructure, compute systems, switches, routers, firewalls) and uses that information to present findings back to you. The recommended firewall rules are generated from that information. However, when you look at an application stack, its structure is usually not explicitly defined anywhere: you have a bunch of VMs that talk to each other over networking equipment, and we can only guess that they are part of an application stack. That is why you can enrich Network Insight with application stack information.
By defining an application within Network Insight, you can tag workloads as being part of that application. You can also define tiers inside the application so you can separate out workloads with specific tasks. For example, the popular 3-tier application stack consists of a web, an application and a database tier.
When you get this application stack information into Network Insight, a whole new world opens for going from network-segments to micro-segments!
Knowing this, we need to get the application stack information into Network Insight. Now you’re thinking; “But how? I’m definitely not going to do it by hand!” – Don’t worry, all this can be automated. I’ll talk about automating this process for 2 different types of applications: greenfield (new) and brownfield (existing) applications, below.
Getting this application stack information is easy for greenfield (new) applications. You deploy the app, you know what you are deploying and can push it into Network Insight. This is especially true for applications deployed via an automation/self-service portal.
vRealize Automation (vRA) is VMware’s answer for automating all the things. Application and infrastructure deployment comes with vRA out of the box and is very easy to set up. It has a drag-and-drop canvas to design your application deployments on and that canvas has a tiered model for the application stack:
We can use this blueprint design to extract the application stack structure and automatically insert that information into Network Insight using its open API. This means that every new application that is rolled out is instantly known within Network Insight, and you can generate insights and security recommendations for it right away.
Below is a demonstration video on how this process works:
* The first 8.5 minutes are about applications within Network Insight. If you want to skip to the vRA part, skip to 8:23.
You can find the technical details behind the workflow and how to set it up, here.
Let’s not forget about brownfield applications, which most likely make up the bulk of the applications in your environment. In most micro-segmentation projects, you will have an existing environment with existing applications and workloads which need to be secured. Network Insight is a perfect fit for brownfield environments because it can use the already available information.
In the brownfield case, you would also benefit enormously from having the application stack information available in Network Insight. The perspective of having the applications and tiers brings a lot of clarity. Here, you would want to import data from your Configuration Management Database (CMDB), where the application information is (usually) stored.
Using the Network Insight API again, we can bridge the gap between CMDB and applications to import all existing applications, which significantly speeds up a per-application micro-segmentation approach. While there are a lot of CMDBs out there, one of the most popular is ServiceNow.
Example of a tiered application inside ServiceNow
In the video below, I set out an example to import applications from ServiceNow. Using 3-tier apps that are defined within the CMDB, an import script finds all top-level applications (filtered by having “VMworld” in the name, in this case), discovers the different tiers defined in ServiceNow for each of them, and translates those into API calls to Network Insight, using a PowerShell module called PowervRNI.
You can find the technical details behind the import and how to set it up, here.
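To make the vRA and ServiceNow workflows above concrete, here is an added example (not the author's scripts or the PowervRNI module) that takes a constructed CMDB-style export, keeps only the applications with “VMworld” in the name, and turns each application and its tiers into Network Insight API calls; the REST paths, JSON bodies and VM search syntax are assumptions chosen so it runs offline against a dry-run sender.

```python
"""Turn CMDB application/tier records into Network Insight API calls.
Added example, not the author's scripts or the PowervRNI module. The sample
CMDB records are constructed; the REST paths, JSON bodies and VM search
syntax are assumptions so it runs offline (adapt to your vRNI version)."""
from typing import Any, Callable, Dict, List

# Constructed sample CMDB export: one VMworld demo app and one unrelated app.
SAMPLE_CMDB = [
    {"name": "VMworld Demo App", "tiers": [
        {"name": "Web", "vms": ["vmw-web-01", "vmw-web-02"]},
        {"name": "App", "vms": ["vmw-app-01"]},
        {"name": "DB", "vms": ["vmw-db-01"]}]},
    {"name": "Payroll", "tiers": [{"name": "Web", "vms": ["pay-web-01"]}]},
]

def vm_name_filter(vm_names: List[str]) -> str:
    """Search expression selecting a tier's VMs by exact name (assumed syntax)."""
    return " or ".join(f"name = '{n}'" for n in vm_names)

def import_applications(cmdb: List[Dict], name_filter: str,
                        send: Callable[[str, str, Dict], Dict[str, Any]]) -> List[str]:
    """Create every CMDB application whose name contains name_filter, then
    its tiers. send(method, path, body) must return the created object with
    its 'entity_id' so tier calls can reference the parent application."""
    created = []
    for app in (a for a in cmdb if name_filter in a["name"]):
        app_id = send("POST", "/api/ni/groups/applications",
                      {"name": app["name"]})["entity_id"]
        for tier in app["tiers"]:  # one tier = one membership-by-VM-name group
            body = {"name": tier["name"], "group_membership_criteria": [{
                "membership_type": "SearchMembershipCriteria",
                "search_membership_criteria": {
                    "entity_type": "VirtualMachine",
                    "filter": vm_name_filter(tier["vms"])}}]}
            send("POST", f"/api/ni/groups/applications/{app_id}/tiers", body)
        created.append(app_id)
    return created

class DryRunSender:
    """Records calls instead of sending them and hands out sequential ids."""
    def __init__(self):
        self.calls = []
    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        return {"entity_id": str(len(self.calls))}

if __name__ == "__main__":
    dry = DryRunSender()
    import_applications(SAMPLE_CMDB, "VMworld", dry)
    for method, path, body in dry.calls:
        print(method, path, body["name"])
```

Swapping the dry-run sender for one that authenticates and POSTs to a real Network Insight instance is the only change needed to perform the actual import; running it in dry-run mode first lets you review exactly which applications and tiers would be created.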
Integration is the way forward
Enriching Network Insight with application stack information is important to get the full picture of your environment and to accelerate your application security, by combining the network data that Network Insight collects with your actual applications. The open API makes it possible to use any automation platform or CMDB as the source of this information, so the whole process can be automated.