In the previous blog, we looked at how to install vCloud Networking and Security App Firewall. In this blog, let’s take a look at how to configure firewall policies to protect applications in the virtual datacenter by using a simple use case.
Use Case
Two applications are deployed on a shared network segment – “App-PortGroup” as shown below. Each application has three tiers – web, app and db.
Enforce the following separation between applications and tiers of each application using vCloud Networking and Security App Firewall.
- Complete isolation between Application 1 and Application 2
- Isolate one Web Server from another in each application
- Allow HTTP/HTTPS traffic to Web Servers from any network other than “App-PortGroup”
- Allow Web Server to App Server communication on port 8080
- Allow App Server to Db Server communication on port 3036
- Block all other traffic
Network view of the Applications
vCenter Network view of the Applications is shown below, where all virtual machines are connected to the same port group “App-PortGroup”.
Hosts and Clusters view of the Applications
vCenter Hosts and Clusters view of the Applications is shown below, where nested vApp containers are used to represent Applications and tiers.
Firewall Rule Policy Objects
There are many ways we can define App Firewall Rules to accomplish the requirements of this Use Case. Here, I am going to show the App Firewall rules using vCenter vApp containers and security groups. Using vCenter containers (vApps, resource pools, port groups, etc.) and security groups (groupings of vApps, resource pools, port groups, vNICs, etc.) instead of IP addresses for policy enforcement allows us to create security policies that follow virtual machines during vMotion and are completely transparent to IP address changes and network renumbering. In addition, the use of vCenter containers and security groups makes rules dynamic: when a new virtual machine joins a container or security group, the existing rules apply to it automatically, and no new rules need to be defined.
Security Groups
Security groups can include other groupings, such as datacenters, clusters, vApps and resource pools, as well as other objects, such as virtual machines, virtual network adapters, port groups, IP addresses and MAC addresses. Let’s create three security groups: Web-Server-SG, App-Server-SG, and Db-Server-SG. Click the “+” icon in the “General –> Grouping” section to create a Security Group as highlighted below.
Give a Name to the Security Group and select the Members.
Web-Server-SG is created with the “App1-WebTier” and “App2-WebTier” vApps as members. All virtual machines in the “App1-WebTier” and “App2-WebTier” vApps are now part of Web-Server-SG.
Similarly create two other security groups – App-Server-SG and Db-Server-SG.
A service is a protocol-port combination, and a service group is a combination of two or more services. The most commonly used services are pre-defined for convenience and ease of use. Create additional services and service groups from the “General –> Services” section as shown below.
Creating a service named “App-Port” with protocol as TCP and port as 8080 as shown below.
Similarly, creating a service named “Db-Port” with protocol as TCP and port as 3306 as shown below.
Creating a service group named “Web-Ports” combining HTTP and HTTPS services.
Services and service groups created are highlighted below.
Firewall Rule Management
The vCloud Networking and Security App Firewall offers two sets of configurable rules: Ethernet rules and General rules. Ethernet rules control which higher-level protocols (such as ARP, IPv6, PPP and so on) can communicate over Layer 2. General rules control Layer 3 traffic based on IP addresses, as well as Layer 4 traffic based on TCP and UDP ports, and therefore the related higher-layer application traffic, such as DHCP, HTTP, FTP and so on. By assessing what communication is required between applications and between each tier of an application, it is possible to create Ethernet rules that block all unnecessary traffic. After locking down unnecessary traffic, General rules can restrict the necessary traffic channels to the required ports and protocols.
App Firewall Ethernet Rules
The first two Ethernet rules shown below illustrate total isolation between Application 1 and Application 2 using vApp containers. All traffic originating from one application to the other is blocked by these vCloud Networking and Security App Firewall rules. The third rule ensures micro-segmentation of the web servers, i.e. one web server cannot talk to another web server. If one of the web servers is compromised, it cannot be used to directly attack the other web servers; even ARP and RARP are denied. The last rule specifies a default Allow Ethernet rule. This is because Ethernet rules are evaluated before General rules, and a default deny Ethernet rule would not allow any traffic to flow out of any virtual machine in this example. These rules satisfy requirements 1 and 2 from the Use Case section.
The vCloud Networking and Security App Firewall can segment each of the application tiers using General rules by opening only the required ports and protocols between the tiers. The following General firewall rules are set up for the two applications to function properly, satisfying requirements 3 to 6 from the Use Case section.
- Rule 1 – Web-Access: Allows HTTP and HTTPS traffic to Web Servers. Notice the negation used in the Source, whereby HTTP and HTTPS traffic to Web Servers is allowed from any network other than the “App-PortGroup” network (Requirement 3).
- Rule 2 – Web-to-App-Access: Allows Web Server to App Server communication on App Port 8080 (Requirement 4).
- Rule 3 – App-to-Db-Access: Allows App Server to Db Server communication on Db Port (Requirement 5).
- Rule 4 – Default Rule: Blocks all other traffic (Requirement 6).
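To make the evaluation order concrete (Ethernet rules first, then General rules, with container and security-group membership standing in for IP addresses), here is an added Python model of the rule set described in the Ethernet and General rule sections above. It is example code written for this page, not vCloud Networking and Security code or its API. The vApp, security group, service and General rule names follow the post; the VM names, the external client, the Ethernet rule names and the "non-IP traffic is decided by Ethernet rules only" simplification are assumptions of the model.

```python
# Added model (not vCNS code or its API) of the Ethernet and General rule sets.
# Group, service and General rule names follow the post; VM names, the external
# client and the Ethernet rule names are constructed for this example.
from dataclasses import dataclass

# Constructed vCenter inventory: VM -> vApp, and vApp -> application.
VM_VAPP = {
    "app1-web1": "App1-WebTier", "app1-web2": "App1-WebTier",
    "app1-app1": "App1-AppTier", "app1-db1": "App1-DbTier",
    "app2-web1": "App2-WebTier", "app2-app1": "App2-AppTier", "app2-db1": "App2-DbTier",
}
VAPP_APP = {v: v.split("-")[0] for v in
            ("App1-WebTier", "App1-AppTier", "App1-DbTier",
             "App2-WebTier", "App2-AppTier", "App2-DbTier")}
# Security groups hold vApps, so a VM joining a vApp inherits the group's rules.
SECURITY_GROUPS = {
    "Web-Server-SG": {"App1-WebTier", "App2-WebTier"},
    "App-Server-SG": {"App1-AppTier", "App2-AppTier"},
    "Db-Server-SG":  {"App1-DbTier", "App2-DbTier"},
}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
            "App-Port": ("tcp", 8080), "Db-Port": ("tcp", 3306)}
SERVICE_GROUPS = {"Web-Ports": {"HTTP", "HTTPS"}}


@dataclass(frozen=True)
class Endpoint:
    name: str       # VM name, or a constructed external host
    portgroup: str  # every VM in the use case sits on "App-PortGroup"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # vApp, application, security group, port group or "any"
    dst: str
    action: str                 # "allow" or "block"
    services: frozenset = None  # None = any service; Ethernet rules carry none
    negate_src: bool = False    # "any source other than src" (the Web-Access rule)


def member(ep, obj):
    """Container/group membership check, the stand-in for IP-based matching."""
    if obj in ("any", ep.portgroup):
        return True
    vapp = VM_VAPP.get(ep.name)
    if vapp is None:            # external hosts belong to no vApp or group
        return False
    return obj in (vapp, VAPP_APP[vapp]) or vapp in SECURITY_GROUPS.get(obj, ())


def service_matches(rule, proto, port):
    """Expand service groups to (protocol, port) pairs and test the flow against them."""
    if rule.services is None:
        return True
    names = set().union(*(SERVICE_GROUPS.get(s, {s}) for s in rule.services))
    return (proto, port) in {SERVICES[n] for n in names}


# Ethernet rule names are constructed; their order and actions follow the post.
ETHERNET_RULES = [
    Rule("App1-to-App2", "App1", "App2", "block"),
    Rule("App2-to-App1", "App2", "App1", "block"),
    Rule("Web-Isolation", "Web-Server-SG", "Web-Server-SG", "block"),
    Rule("L2-Default", "any", "any", "allow"),   # a default deny here would stop all traffic
]
GENERAL_RULES = [
    Rule("Web-Access", "App-PortGroup", "Web-Server-SG", "allow",
         frozenset({"Web-Ports"}), negate_src=True),
    Rule("Web-to-App-Access", "Web-Server-SG", "App-Server-SG", "allow", frozenset({"App-Port"})),
    Rule("App-to-Db-Access", "App-Server-SG", "Db-Server-SG", "allow", frozenset({"Db-Port"})),
    Rule("Default Rule", "any", "any", "block"),
]


def first_match(rules, src, dst, proto, port):
    """First-match semantics: the first rule whose source, destination and service fit wins."""
    for r in rules:
        if (member(src, r.src) != r.negate_src and member(dst, r.dst)
                and service_matches(r, proto, port)):
            return r
    return None


def evaluate(src, dst, proto, port=None):
    """Return (action, rule name). Ethernet rules run first; only what they allow reaches
    the General rules, which in this model (an assumption) see IP traffic only."""
    l2 = first_match(ETHERNET_RULES, src, dst, proto, port)
    if l2 is None or l2.action == "block":
        return ("block", l2.name if l2 else "implicit")
    if proto not in ("tcp", "udp"):
        return ("allow", l2.name)
    l3 = first_match(GENERAL_RULES, src, dst, proto, port)
    return (l3.action, l3.name) if l3 else ("block", "implicit")


def add_vm(name, vapp):
    """A VM joining a vApp is covered by the existing rules; no new rule is written."""
    VM_VAPP[name] = vapp


if __name__ == "__main__":
    def vm(n):
        return Endpoint(n, "App-PortGroup")
    client = Endpoint("internet-client", "External")  # constructed host off App-PortGroup
    for flow in [(client, vm("app1-web1"), "tcp", 443), (vm("app1-web1"), vm("app1-web2"), "arp"),
                 (vm("app1-web1"), vm("app1-app1"), "tcp", 8080),
                 (vm("app1-app1"), vm("app2-db1"), "tcp", 3306),
                 (vm("app1-web1"), vm("app1-db1"), "tcp", 3306)]:
        print(flow[0].name, "->", flow[1].name, flow[2:], evaluate(*flow))
```

Two things the model makes visible that the rule tables do not: the General rule Web-to-App-Access would allow App1's web tier to reach App2's app tier on port 8080, but the flow never gets that far because the Ethernet rule App1-to-App2 blocks it first; and adding a VM to a web-tier vApp via `add_vm` isolates it from the other web servers and grants it the app-tier port without any rule change, which is the dynamic membership the post relies on.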
In summary, we looked at how to create vCloud Networking and Security App Firewall Ethernet and General rules using vApps, security groups, port-groups, services and service groups.
Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.