Overview: Identity based firewall in NSX-V

This first part of a series of blog posts about the identity based firewall (IDFW) provides an overview of the identity based firewall in NSX-v. In the next post the IDFW will be installed, configured and demonstrated.

With the introduction of NSX in the vSphere environment, companies got the opportunity to implement micro-segmentation within their virtualized datacenters. NSX makes it possible to implement a firewall between every virtual network adapter and the distributed switch within the vSphere ESXi server. Many companies have since successfully introduced NSX into their datacenters to secure their server workloads. But many are still struggling to implement the NSX distributed firewall based on the identity of the user logging on to a desktop or remote desktop session.
Before the identity of a user can be used to apply a firewall rule, the identity needs to be learned. NSX provides two methods of learning the user's identity: through Guest Introspection or through Log Scraping. Since the NSX identity based firewall rules are created based on Active Directory user groups, the group membership of each user must also be known. The NSX Manager requires read access to Active Directory for this.

Guest introspection

With this option the user's identity is determined with the use of Guest Introspection. This is a Service VM (GI SVM) that needs to be running on each of the ESXi hosts in the NSX/vSphere environment. Therefore this option can only be used for servers or desktops running within the NSX environment. Within the virtual desktop or server, VMware Tools with the Guest Introspection driver needs to be installed for the virtual machine to supply the user's identity to the GI SVM. The following picture provides an overview of how the user's identity is learned with Guest Introspection:

  1. The user logs on to a virtual desktop (or server).
  2. The VMware tools (thin agent) detect the logon event and supply the information to the GI SVM.
  3. The GI SVM reports the user / IP address combination to the NSX Manager.
  4. The NSX Manager combines this information with the group membership information from Active Directory.
  5. The NSX Manager creates a firewall rule with the source IP-address of the desktop or server and updates this information in the distributed firewall.
  6. The user is allowed or denied access to specific resources in the datacenter.


Log scraping

With this option the user's identity is learned by monitoring or scraping the security logs on the Active Directory Domain Controllers. For this option a user doesn't need to log on to a desktop or server that is part of an NSX environment; the NSX Manager only needs to be able to see the logon event on the Domain Controller. The following picture provides an overview of how the user's identity is learned with Log Scraping:

  1. The user logs on to a virtual desktop (or server).
  2. A logon event is registered on the Domain Controller.
  3. The NSX Manager reads the logon event in the security log and learns which user is logged on to which IP-address.
  4. The NSX Manager combines this information with the group membership information from Active Directory.
  5. The NSX Manager creates a firewall rule with the source IP-address of the desktop or server and updates this information in the distributed firewall.
  6. The user is allowed or denied access to specific resources in the datacenter.
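The common tail of both flows (steps 3 to 6: user/IP mapping, AD group lookup, IP-based rule generation, allow/deny decision) as a small simulation. This is an added example written for this post, not NSX code; the log lines, group membership and policy are constructed, and the log format is a simplified stand-in for the Domain Controller security log events the NSX Manager scrapes.

```python
import re

# Constructed sample of the kind of logon events the NSX Manager would scrape
# from a Domain Controller security log (simplified, not real Windows event text).
SECURITY_LOG = """\
EventID=4624 User=CORP\\alice Address=10.10.1.21
EventID=4624 User=CORP\\bob Address=10.10.1.22
EventID=4672 User=CORP\\alice Address=10.10.1.21
EventID=4624 User=CORP\\carol Address=10.10.1.23
"""

# Constructed stand-in for the group membership NSX Manager reads from Active Directory.
AD_GROUPS = {
    "CORP\\alice": {"Finance", "AllStaff"},
    "CORP\\bob": {"Engineering", "AllStaff"},
    "CORP\\carol": {"AllStaff"},
}

# Constructed identity-based policy: (AD group, destination resource, action).
IDFW_POLICY = [
    ("Finance", "10.20.0.10", "allow"),
    ("Engineering", "10.20.0.20", "allow"),
    ("AllStaff", "10.20.0.30", "allow"),
]

LOGON_RE = re.compile(r"EventID=4624 User=(\S+) Address=(\S+)")  # 4624 = successful logon

def learn_identities(log: str) -> dict:
    """Step 3: map each logon IP to the user seen logging on there (last event wins)."""
    ip_to_user = {}
    for m in LOGON_RE.finditer(log):
        user, ip = m.groups()
        ip_to_user[ip] = user
    return ip_to_user

def build_rules(ip_to_user: dict, groups: dict, policy: list) -> list:
    """Steps 4-5: expand the group-based policy into source-IP rules for the DFW."""
    rules = []
    for ip, user in sorted(ip_to_user.items()):
        member_of = groups.get(user, set())
        for group, dest, action in policy:
            if group in member_of:
                rules.append((ip, dest, action))
    return rules

def is_allowed(rules: list, src_ip: str, dest: str) -> bool:
    """Step 6: default deny unless an identity rule matches source IP and destination."""
    return any(r == (src_ip, dest, "allow") for r in rules)
```

Note that the generated rules key on the source IP, so a change of user on the same IP (or a new logon event) must be re-learned before the distributed firewall reflects it.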

The next post will cover the installation steps for the identity based firewall with the Guest Introspection option in NSX-V.
