by: VMware Senior Manager, IT Lincu Abraham
To read more about how VMware IT has implemented micro-segmentation using NSX Data Center in various applications, click here
Adobe Experience Manager (AEM) provides content authoring, workflow, archiving and an intuitive user interface that enable organizations to reduce the cost, time and risk associated with delivering content to the web. The VMware Web Marketing team makes extensive use of AEM to develop, author, review and publish content to VMware websites such as vmware.com, my.vmware.com, and vmworld.com. The majority of these websites are using AEM for static content delivery, yet there is a huge security risk if the integration is broken (as with a cross connection between production and non-production environments).
VMware NSX® micro-segmentation helps us to avoid such risk by enabling network security policies, and ensuring only authorized content is published to the websites from trusted sources.
AEM architecture—before micro-segmentation
Below is the AEM architecture before implementing micro-segmentation. Firewall rules protect external access, but east-west communications are not secured.
The micro-segmentation process
Using NSX Data Center to do micro-segmentation, we were able to implement a security model in which security services specify permitted traffic and everything else is blocked. This is also known as a Zero-Trust architecture. NSX micro-segmentation was implemented using a well-defined process, one that starts with application discovery (the process of identifying unique data flows), and is then followed by dynamic security groups and policy creation, traffic analysis, firewall review, testing, and deployment.
Here are the steps we followed:
Server identification. Captured server names and grouped them according to functionality—web, application, author, etc. We checked sys log settings and firewall exceptions, so they could be configured at the VMware ESXi™ host level. The sys logs were forwarded to log management tools such as VMware vRealize® Log Insight™. (We have since switched to vRealize Network Insight for our micro-segmentation projects.)
Server groups. Divided servers into functional groups. For example, the auth and publisher servers were assigned to separate groups. By applying firewall rules to a group instead of individual virtual machines (VMs), management was simplified and centralized.
Group security policies. Wrote separate firewall rules for each group, then mapped the security policies to the security groups.
Traffic capture/analysis. Used Log Insight to capture, identify, and analyze flows in and out of the workflows.
Firewall rules. Reviewed the firewall rules for east-west traffic with the application development teams for each module, including the usual traffic between the load balancer, application servers, and databases. We also evaluated traffic from other tools connected to the application servers or database, including AEM components and tools. Then we enabled and tested them.
Testing and deployment. The team did extensive testing in a pre-production environment to ensure AEM components functioned normally. We reviewed issues that were reported during pre-production testing, checked the relevant source-target IPs and port numbers, and made the required modifications. Pre-production testing also helped us sort out and fix many issues early. We followed the same process to implement the rules into production.
AEM after micro-segmentation
By deploying micro-segmentation, the entire application is now secured using NSX distributed firewalls that protect integrations as well as the application and database layers. Each VM acts as its own perimeter, and unauthorized traffic is blocked since security policies are aligned with logical groups.
Below is the complete rule set for the AEM micro-segmentation, excluding monitoring and security management tools.
What we learned
During the micro-segmentation process, we did extensive testing in a non-production environment to ensure it functioned normally. This helped us sort out issues before they could impact our customers. It was also easier to fix issues before the module was rolled out to production. During the implementation, a few secure shell (SSH) connections and scripts failed as source systems were not able to connect to AEM Publisher servers due to NSX. Some source and target systems had not been captured with discovery because the reports were scheduled to run monthly or quarterly. We quickly identified and allowed those IP addresses. In a few cases, application and scripts failed because http ports were blocked. Once we identified the affected data port and IP address, we were able to fix these issues, too.
Given its business-critical nature, securing AEM was a high priority. Micro-segmenting provides the granular level of security required to isolate and protect all parts of our applications from any type of threat. In turn, we have been able to reduce our organizational risk.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or firstname.lastname@example.org to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.