PowerNSX: NSX Security Tags, Security Groups, Distributed Firewall Sections and Distributed Firewall Rules with external CSV files

From Iwan

Last week I blogged about how to get started with PowerNSX.
The reason I dived into the world of PowerNSX was that I needed to implement Application Fencing.
More about Application Fencing can be found [https://www.youtube.com/watch?v=CEIc8GCnD6g here] and [http://networkinferno.net/achieving-micro-segmentation-with-log-insight here].

The whole purpose of implementing Application Fencing is to gain visibility into which VM / application is talking to which VM / application, over which protocol and port.

This information can then be used to implement a [https://networkinferno.net/implementing-a-zero-trust-security-architecture Zero Trust Security Architecture].

I will write a separate blog about Application Fencing in the future, but in order to get there some steps need to be done first.
 
In my example I will use the traditional 3-tier Bookstore App.
This vApp has the following VMs:
# Web01
# Web02
# App01
# App02
# DB01
 
Right now we only have 5 VMs, so creating the Security Tags and Security Groups, assigning the tags to the specific VMs and creating the Distributed Firewall Rules is done pretty fast.

BUT WHAT IF ... you need to implement Application Fencing in an infrastructure with more than 1000 VMs, 500 security tags, 500 security groups and the corresponding firewall rules?

That could take a while, right?

You can speed this up with PowerNSX!
Below you will find a method to run PowerNSX in combination with external Comma Separated Value (CSV) files.
This will save you a lot of time!
 
The steps to implement Application Fencing are:

# Add Security Tags and Tier based Security Groups (and statically make the security tag a member of the tier security group)
# Assign the Security Tags to the correct VMs (so that the VMs are placed in the correct tier group)
# Add separate Application based Security Groups (so that the Tier based Security Groups can be nested inside an Application Security Group)
# Nest the Tier based Security Groups into the Application Security Group
# Add Distributed Firewall Sections to add in the Distributed Firewall Rules
# Add in the Tier based Distributed Firewall Rules
# Add in the Application based Distributed Firewall Rules

{{note|This example only has 5 VMs spread across 3 tiers, all forming 1 application, so this approach looks like a bit of overkill, but when you need to implement this in an organisation with a lot of VMs and a lot of applications that are segmented into different tenants you will love it!}}
 
The scripts and CSV files that I used for this exercise are found below.
 
== Add Security Tags and Tier based Security Groups (and statically make the security tag a member of the tier security group) ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will create the security tags and the groups based on a CSV.
#Note that the tags and groups will need to be UNIQUE as this script does not do error handling.
 
#import the CSV file content and place the content in a loop
import-csv .\CSV.csv <nowiki>|</nowiki> % {
 
#Create security tag based on field in CSV
$st = New-NsxSecurityTag -name $_.SECTAG
 
#Create security group based on field in CSV and makes the security tag a member of the new security group
$sg = New-NsxSecurityGroup -name $_.SECGROUP -includemember ($st)
}
}}
 
The CSV:
 
{{file|name=/CSV.csv|desc=The CSV.csv file|body=
SECTAG,SECGROUP
ST-WEB,SG-TIER-WEB
ST-APP,SG-TIER-APP
ST-DB,SG-TIER-DB
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
}}
 
Result:
 
[[File:sddfnmxc-01.png|800px]]
 
[[File:sddfnmxc-02.png|800px]]
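The script above assumes every tag and group name in the CSV is new (the comment in it says so: no error handling, names must be unique). What follows is an added example, not part of the original post, that does the same step idempotently: it reuses a tag or group that already exists instead of creating a duplicate or failing, adds the tag to an existing group that does not contain it yet, and skips CSV rows with empty cells. It assumes an active PowerNSX session (Connect-NsxServer already run, as in the original) and the same SECTAG,SECGROUP layout of CSV.csv; the description text and the report column names are my own.

```powershell
# Added example, not from the original post. Idempotent version of the
# tag + tier-group step: safe to rerun against a CSV.csv with the
# SECTAG,SECGROUP layout shown above. Assumes Connect-NsxServer has run.

$rows = Import-Csv .\CSV.csv

$report = foreach ($row in $rows) {
    # Refuse to create objects with an empty name; skip the row instead.
    if ([string]::IsNullOrWhiteSpace($row.SECTAG) -or
        [string]::IsNullOrWhiteSpace($row.SECGROUP)) {
        Write-Warning "Skipping row with an empty SECTAG or SECGROUP cell"
        continue
    }

    # Security tag: reuse if present, otherwise create.
    $tagCreated = $false
    $st = Get-NsxSecurityTag -Name $row.SECTAG
    if (-not $st) {
        # Description text is my own, not from the original scripts.
        $st = New-NsxSecurityTag -Name $row.SECTAG -Description "Tier tag, created from CSV"
        $tagCreated = $true
    }

    # Security group: reuse if present, otherwise create with the tag as static member.
    $groupCreated = $false
    $sg = Get-NsxSecurityGroup -Name $row.SECGROUP
    if (-not $sg) {
        $sg = New-NsxSecurityGroup -Name $row.SECGROUP -IncludeMember $st
        $groupCreated = $true
    }
    elseif (-not ($sg.member | Where-Object { $_.objectId -eq $st.objectId })) {
        # Group exists but the tag is not yet a member: add it rather than recreate the group.
        $sg | Add-NsxSecurityGroupMember -Member $st | Out-Null
    }

    [pscustomobject]@{
        SecurityTag   = $row.SECTAG
        SecurityGroup = $row.SECGROUP
        TagCreated    = $tagCreated
        GroupCreated  = $groupCreated
    }
}

$report | Format-Table -AutoSize
```

The report shows, per CSV row, whether anything was actually created; a second run should print False in both columns for every row, which is a quick way to confirm the CSV and NSX Manager agree.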
 
== Assign the Security Tags to the correct VMs (so that the VMs are placed in the correct tier group) ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will go through the list of VMs and apply the tag that is on the same line as the VM
import-csv .\CSV.csv<nowiki>|</nowiki>% {

#Read security tag from a field in the CSV
$st = Get-NsxSecurityTag -name $_.SECTAG

#Read the VM from vCenter based on the VM Name field in the CSV
$vm = Get-Vm -name $_.VMNAME

#Assign the security tag to the VM (the VM object is piped in, it does not need to be looked up a second time)
$vm<nowiki>|</nowiki>New-NsxSecurityTagAssignment -ApplyTag $st
}
}}
 
The CSV:
 
{{file|name=/CSV.csv|desc=The CSV.csv file|body=
VMNAME,SECTAG
Web01,ST-WEB
Web02,ST-WEB
App01,ST-APP
App02,ST-APP
DB01,ST-DB
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
}}
 
Result:
 
[[File:sddfnmxc-06.png|800px]]
 
[[File:sddfnmxc-07.png|800px]]
 
[[File:sddfnmxc-03.png|800px]]
 
[[File:sddfnmxc-04.png|800px]]
 
[[File:sddfnmxc-05.png|800px]]
 
== Add separate Application based Security Groups (so that the Tier based Security Groups can be nested inside an Application Security Group) ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will create the application security group. There is only one application in this example, so no CSV is needed for this step.
#Note that the group name will need to be UNIQUE as this script does not do error handling.
 
#Create security groups
New-NsxSecurityGroup -name SG-APP-BOOKSTORE
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
 
objectId          : securitygroup-31
objectTypeName    : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId            : c1afd25d-49fe-4259-bd07-f4508a80d472
revision          : 1
type              : type
##b####bl##name              : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle      :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
}}
 
Result:
 
[[File:sddfnmxc-08.png|800px]]
 
== Nest the Tier based Security Groups into the Application Security Group ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will read the tier and application security groups from the CSV and nest each tier group into its application group.

import-csv .\CSV.csv<nowiki>|</nowiki>% {

#Read the TIER Security Group
$tier = Get-NsxSecurityGroup -name $_.SECTIERGROUP

#Read the APP Security Group
$ags = Get-NsxSecurityGroup -name $_.SECAPPGROUP

#Nest the tier group into the application group
$ags<nowiki>|</nowiki>Add-NsxSecurityGroupMember -member $tier
}
}}
 
The CSV:
 
{{file|name=/CSV.csv|desc=The CSV.csv file|body=
APPNAME,SECTIERGROUP,SECAPPGROUP
BOOKSTORE,SG-TIER-WEB,SG-APP-BOOKSTORE
BOOKSTORE,SG-TIER-APP,SG-APP-BOOKSTORE
BOOKSTORE,SG-TIER-DB,SG-APP-BOOKSTORE
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
 
objectId          : securitygroup-31
objectTypeName    : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId            : c1afd25d-49fe-4259-bd07-f4508a80d472
revision          : 2
type              : type
name              : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle      :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
##b####bl##member            : member
 
objectId          : securitygroup-31
objectTypeName    : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId            : c1afd25d-49fe-4259-bd07-f4508a80d472
revision          : 3
type              : type
name              : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle      :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
##b####bl##member            : {SG-TIER-APP, SG-TIER-WEB}
 
objectId          : securitygroup-31
objectTypeName    : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId            : c1afd25d-49fe-4259-bd07-f4508a80d472
revision          : 4
type              : type
name              : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle      :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
##b####bl##member            : {SG-TIER-DB, SG-TIER-APP, SG-TIER-WEB}
 
PowerCLI C:\new>
}}
 
Result:
 
[[File:sddfnmxc-09.png|800px]]
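The two CSV-driven steps above (assigning the tags, and nesting the tier groups into the application group) are only correct if the whole chain tag -> tier group -> application group resolves to the right VMs. The following is an added example, not from the original post, that serves both steps: it assigns the tags from a VMNAME,SECTAG CSV with validation (missing tag, missing or ambiguous VM name) and then asks NSX Manager which VMs the application group actually translates to, so a broken link anywhere in the chain shows up as InGroup = False. It assumes an active PowerCLI and PowerNSX session, and that Get-NsxSecurityGroupEffectiveMember returns the NSX translation result as vmnode objects with a vmName property; the function name Test-AppGroupMembership is mine.

```powershell
# Added example, not from the original post. Tag VMs from a CSV.csv with
# the VMNAME,SECTAG layout, then verify the chain
# tag -> tier group -> application group via the effective membership
# NSX Manager reports. Assumes PowerCLI and PowerNSX sessions are up.

$rows = Import-Csv .\CSV.csv
$expected = @{}   # VM name -> tag name, used by the verification below

foreach ($row in $rows) {
    $st = Get-NsxSecurityTag -Name $row.SECTAG
    if (-not $st) {
        Write-Warning "Tag '$($row.SECTAG)' does not exist, skipping VM $($row.VMNAME)"
        continue
    }

    # Get-VM raises a non-terminating error for an unknown name; make it terminating and catch it.
    try   { $vm = Get-VM -Name $row.VMNAME -ErrorAction Stop }
    catch { Write-Warning "VM '$($row.VMNAME)' not found in vCenter, skipping"; continue }

    # Two VMs with the same name would both get the tag; refuse the ambiguity.
    if (@($vm).Count -gt 1) {
        Write-Warning "Name '$($row.VMNAME)' matches $(@($vm).Count) VMs, skipping"
        continue
    }

    $vm | New-NsxSecurityTagAssignment -ApplyTag $st | Out-Null
    $expected[$vm.Name] = $row.SECTAG
}

# Verification (function name is mine). Compares the CSV with the VMs NSX
# resolves the application group to. InGroup = False for a tagged VM means
# the tag is not a member of its tier group, or the tier group is not
# nested in the application group. Assumes the effective-member result
# exposes vmnode objects with a vmName property (NSX translation API).
function Test-AppGroupMembership {
    param([string]$AppGroupName, [hashtable]$ExpectedVms)

    $sg = Get-NsxSecurityGroup -Name $AppGroupName
    if (-not $sg) { throw "Security group $AppGroupName not found" }

    $effective = @(($sg | Get-NsxSecurityGroupEffectiveMember).VirtualMachine.vmName)

    foreach ($name in $ExpectedVms.Keys) {
        [pscustomobject]@{
            VM      = $name
            Tag     = $ExpectedVms[$name]
            InGroup = ($effective -contains $name)
        }
    }
}

Test-AppGroupMembership -AppGroupName 'SG-APP-BOOKSTORE' -ExpectedVms $expected | Format-Table -AutoSize
```

The same function can be pointed at a tier group (for example SG-TIER-WEB with only the web rows of the CSV) to narrow down which link in the chain is broken.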
 
== Add Distributed Firewall Sections to add in the Distributed Firewall Rules ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will only add 1 new Distributed Firewall Section.
New-NsxFirewallSection FWS-APP-BOOKSTORE
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
 
id              : 1012
##b####bl##name            : FWS-APP-BOOKSTORE
generationNumber : 1470349159308
timestamp        : 1470349159308
type            : LAYER3
}}
 
Result:
 
[[File:sddfnmxc-10.png|800px]]
 
== Add in the Tier based Distributed Firewall Rules ==
 
The script {{f|/script.ps1}}. Note that these rules specify no source, destination or service, so each one matches all traffic to and from its tier group and allows it; what makes them useful for Application Fencing is the -Tag and -EnableLogging parameters, which label every logged hit with the tier it belongs to:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will go through the list of Firewall Rules
import-csv .\CSV.csv<nowiki>|</nowiki>% {

#Collect the variables from the CSV file
$tn = $_.TIERNAME
$sg = get-nsxsecuritygroup $_.SECGROUP
$sec = get-nsxfirewallsection $_.FWSECTION
$fwt = $_.FWT
 
#Add rule to Firewall section
$sec<nowiki>|</nowiki>new-nsxfirewallrule -name $tn -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging
}
}}
 
The CSV:
 
{{file|name=/CSV.csv|desc=The CSV.csv file|body=
TIERNAME,SECGROUP,FWSECTION,FWT
WEB,SG-TIER-WEB,FWS-APP-BOOKSTORE,FWT-TIER-WEB
APP,SG-TIER-APP,FWS-APP-BOOKSTORE,FWT-TIER-APP
DB,SG-TIER-DB,FWS-APP-BOOKSTORE,FWT-TIER-DB
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
 
id              : 1012
name            : FWS-APP-BOOKSTORE
generationNumber : 1470349548233
timestamp        : 1470349548233
type            : LAYER3
##b####bl##rule            : rule
 
id              : 1012
name            : FWS-APP-BOOKSTORE
generationNumber : 1470349548784
timestamp        : 1470349548784
type            : LAYER3
##b####bl##rule            : {WEB, APP}
 
id              : 1012
name            : FWS-APP-BOOKSTORE
generationNumber : 1470349549337
timestamp        : 1470349549337
type            : LAYER3
##b####bl##rule            : {WEB, APP, DB}
}}
 
Result:
 
[[File:sddfnmxc-11.png|800px]]
 
== Add in the Application based Distributed Firewall Rules ==
 
The script {{f|/script.ps1}}:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
#This will go through the list of Application Firewall Rules
import-csv .\CSV.csv<nowiki>|</nowiki>% {

#Collect the variables from the CSV file (the section and the group are looked up as NSX objects, not used as plain strings)
$sec = get-nsxfirewallsection $_.FWSECTION
$arn = $_.APPNAME
$sg = get-nsxsecuritygroup $_.SECGROUP
$fwt = $_.FWT

#Here we create a new Distributed Firewall Rule with the variables set above
$sec<nowiki>|</nowiki>new-nsxfirewallrule -name $arn -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging
}
}}
 
The CSV:
 
{{file|name=/CSV.csv|desc=The CSV.csv file|body=
APPNAME,SECGROUP,FWSECTION,FWT
BOOKSTORE,SG-APP-BOOKSTORE,FWS-APP-BOOKSTORE,FWT-APP-BOOKSTORE
}}
 
Executing the Script:
 
{{console|body=
PowerCLI C:\new> ##b####y##.\script.ps1
 
id              : 1012
name            : FWS-APP-BOOKSTORE
generationNumber : 1470353361332
timestamp        : 1470353361332
type            : LAYER3
##b####bl##rule            : {WEB, APP, DB, BOOKSTORE}
}}
 
If you want to run the script without a CSV file, you can use this:
 
{{file|name=/script.ps1|desc=The script.ps1 file|body=
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#--------------------------------------------------
# ____  __  _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )  //    /\___ \ )  (
# (__)  \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#    PowerShell extensions for NSX for vSphere
#--------------------------------------------------
 
$an = "BOOKSTORE"
$sg = get-nsxsecuritygroup "SG-APP-BOOKSTORE"
$sec = get-nsxfirewallsection "FWS-APP-BOOKSTORE"
$fwt = "FWT-APP-BOOKSTORE"
 
#Add rule to Firewall section
$sec<nowiki>|</nowiki>new-nsxfirewallrule -name $an -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging
}}
 
Result:
 
[[File:sddfnmxc-12.png|800px]]
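The tier rule script and the application rule script above are the same loop with a different CSV. The following is an added example, not from the original post, that merges both into one CSV-driven loop (columns RULENAME,SECGROUP,FWSECTION,FWT, my own layout) which skips rules that already exist, so a rerun does not append a second copy of every rule, and then audits the section as NSX Manager returns it: a fencing rule with logging disabled, no tag, or an Applied To object that is no longer valid produces no usable log data, so the audit flags those. It assumes an active PowerNSX session; the rule properties used (id, name, action, logged, tag, appliedToList.appliedTo with name and isValid) are those of the NSX distributed firewall rule XML returned by Get-NsxFirewallRule, and Get-FencingRuleAudit is my own function name.

```powershell
# Added example, not from the original post. One loop for both the tier
# rules and the application rule, reading a CSV.csv with the columns
# RULENAME,SECGROUP,FWSECTION,FWT (my own layout, a merge of the two CSVs
# above), followed by an audit of the section. Assumes a PowerNSX session.

$rows = Import-Csv .\CSV.csv

foreach ($row in $rows) {
    $sec = Get-NsxFirewallSection -Name $row.FWSECTION
    $sg  = Get-NsxSecurityGroup   -Name $row.SECGROUP
    if (-not $sec) { Write-Warning "Section '$($row.FWSECTION)' not found, skipping rule $($row.RULENAME)"; continue }
    if (-not $sg)  { Write-Warning "Group '$($row.SECGROUP)' not found, skipping rule $($row.RULENAME)"; continue }

    # Rerunning the original scripts appends a second copy of every rule; skip existing names instead.
    if ($sec | Get-NsxFirewallRule -Name $row.RULENAME) {
        Write-Host "Rule $($row.RULENAME) already exists in $($row.FWSECTION), skipping"
        continue
    }

    # No source, destination or service: the rule matches all traffic of the group and allows it.
    # The tag and logging are what make the hits attributable per tier/application.
    $sec | New-NsxFirewallRule -Name $row.RULENAME -Action allow -Position bottom -AppliedTo $sg -Tag $row.FWT -EnableLogging | Out-Null
}

# Audit (function name is mine): read the section back and flag rules that
# will not produce usable fencing data. Property names are those of the
# NSX DFW rule XML (id/logged are attributes, the rest child elements).
function Get-FencingRuleAudit {
    param([string]$SectionName)

    $sec = Get-NsxFirewallSection -Name $SectionName
    if (-not $sec) { throw "Section $SectionName not found" }

    foreach ($rule in ($sec | Get-NsxFirewallRule)) {
        $appliedTo = @($rule.appliedToList.appliedTo)
        $problems  = @()
        if ($rule.logged -ne 'true')            { $problems += 'logging disabled' }
        if ([string]::IsNullOrEmpty($rule.tag)) { $problems += 'no tag' }
        if ($rule.action -ne 'allow')           { $problems += "action is $($rule.action)" }
        if ($appliedTo.Count -eq 0) {
            $problems += 'no Applied To'
        }
        elseif ($appliedTo | Where-Object { $_.isValid -eq 'false' }) {
            # Happens when a security group referenced by the rule was deleted afterwards.
            $problems += 'Applied To object no longer valid'
        }

        $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Id        = $rule.id
            Name      = $rule.name
            Tag       = $rule.tag
            AppliedTo = ($appliedTo.name -join ',')
            Status    = $status
        }
    }
}

Get-FencingRuleAudit -SectionName 'FWS-APP-BOOKSTORE' | Format-Table -AutoSize
```

Keep in mind that a rule the audit reports as OK still means "allow everything for this group, but log it": that is what Application Fencing needs to collect the visibility data, not what the finished Zero Trust policy should look like once the observed flows have been turned into specific rules.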
 
Thanks [https://www.linkedin.com/in/kmruddy Kyle] for pointing out how to work with PowerShell and external CSV's and [https://www.linkedin.com/in/anthony-burke-b989b713 Anthony] for finetuning this.
And thanks [https://www.linkedin.com/in/nick-bradford-6349ba1 Nick] for this awesome PowerNSX!
 
<br />
[[Category:Articles]]
[[Category:VMware]]

Latest revision as of 15:14, 12 January 2024
