VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. In this blog, let’s look at how to micro-segment a VXLAN network to deploy a 3-tier application using vCloud Networking and Security 5.1 App Firewall.
Use Case
Each application is deployed using a separate VXLAN network as shown below. To keep the diagram simple, only one application is shown below. The application has three tiers – web, app and db.
Enforce the following separation between tiers of the application using vCloud Networking and Security App Firewall.
- Isolate Web Servers from one another
- Allow HTTP/HTTPS traffic to Web Servers from any network other than Application VXLAN network.
- Allow Web Server to App Server communication on port 8080
- Allow App Server to Db Server communication on port 3036
- Block all other traffic
vCenter Network view of the Application
vCenter Network view of the Application is shown below, where all virtual machines of the application are connected to the VXLAN port group “vxw-dvs-127-virtualwire-27-sid-5001-App1-vWire” as highlighted below.
App Firewall with VXLAN
In vCloud Networking and Security 5.1 release, each VXLAN network is created with an independent namespace for App Firewall. Datacenter level firewall rules no longer apply to the virtual machines attached to the VXLAN networks. We need to use Network Virtualization –> Networks section to define the App Firewall policy objects and rules.
Clicking on VXLAN network “App1-vWire”, you will see the following.Click on “Security” tab to create the App Firewall policy objects and rules for the VXLAN segment “App1-vWire”.
Firewall Rule Policy Objects
Security Groups
Security groups can include virtual network adapters, virtual wire, and other security groups. Let’s create three security groups Web-Srvr-SG, App-Srvr-SG, and Db-Srvr-SG.
Click on “+” icon in “Grouping” section to create a Security Group as highlighted below. Give a Name to the Security Group and select the Members.
Web-Srvr-SG is created with “App1-WebServer1” and “App1-WebServer2” network adapters as members. Similarly create two other security groups – App-Srvr-SG and Db-Srvr-SG. All the three security groups created are shown below.
A service is a protocol-port combination and a service group is a combination of two or more services. Most commonly used services are pre-defined for convenience and ease of use. Create additional services and service groups from “Services” section. Services and service groups created for the application in this Use Case are highlighted below.
App Firewall Ethernet Rules
The first Ethernet rule below ensures micro-segmentation of web servers i.e. one web server cannot talk to another web server. If one of the web servers is compromised, it cannot be used to directly attack the other servers, even ARP and RARP will be denied. The second rule specifies a default Allow Ethernet rule. This is because Ethernet rules operate before General rules and a default deny Ethernet rule would not allow any traffic flow out of any virtual machine in this example. These rules satisfy the requirement 1 from the Use Case section.
The following General firewall rules are set up for the application to function properly satisfying the requirements 2 to 5 from the Use Case section.
- Rule 1 – Web-Access: Allows HTTP and HTTPS traffic to Web servers. Notice the negation used in the Source, wherein HTTP and HTTPS traffic to Web servers allowed from any network other than the “App1-vWire” VXLAN network. (Requirement 2)
- Rule 2 – Web-to-App-Access : Allow Web Server to App Server communication on App Port (Requirement 3).
- Rule 3 – App-to-Db-Access : Allow App Server to Db Server Communication on Db Port (Requirement 4).
- Rule 4 – Default Rule: Block all other traffic (Requirement 5).
Flow Monitoring dashboard for the VXLAN network is shown below. The dashboard shows the percentage of allowed flows in green and blocked flows in red.
Clicking the Details link on the Flow Monitoring dashboard shows Allowed Flows and Blocked Flows for various services. Clicking on the rule id of the Flow Monitoring Details Allowed or Blocked Flow shows the details of the rule that allowed or blocked the traffic as shown below. Use Add Rule / Edit Rule link to create/edit the firewall rule.
In summary, we looked at how to use App Firewall rules and flow monitoring with vCloud Networking and Security 5.1 VXLAN networks.
Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.