VMware Networking Community
luv_nsx
Contributor

IDFW

Hello - I have a question around GI-SVM when doing IDFW. If using VDI (i.e. users logging into a VM on a ESXi cluster), do I need to install GI-SVM on the ESXi Cluster where the Desktop VMs are located OR the ESXi Cluster where the actual application (defined as a destination in a DFW rule) is running? 

3 Replies
cnrz
Expert

The purpose of the Guest Introspection SVM is to interoperate with VMTools in order to notify the dFW (NSX Manager), so that the AD Group based rules can be converted to an IP rule set. One other option for physical machines, or machines that have no VMTools, is Security Event Logging, which informs the dFW about the IP address of the VM or physical machine. These two may work together to support each other, or only one of them may be deployed. On the destination cluster where the APP VMs are located, Guest Introspection for Identity Based Firewalling may not be needed. But if there are other features deployed on the APP cluster, like Activity Monitoring or 3rd party services such as AV or Data Security, then Guest Introspection may again need to be deployed for this cluster regardless of Active Directory Identity Firewalling.

Note: The behaviour in 6.2.3 has been changed, as described in the following article:

http://www.i-1.nl/blog/?p=57953

You either need to have:
1) VMTools + Guest Introspection enabled / installed
AND / OR
2) Have the “Security Event Log Access” option enabled with a correct account that has the correct rights

Prior to NSX 6.2.3 the “Security Event Log Access” option was enabled by default so option 1 was not needed anyway.

An Example for VDI Environment:

NSX Active directory sync not working as expected (ver 6.1 and 6.2.1) - VDI microsegmentation

I was informed that the only reason for the security event logging was to catch devices and VMs that do not have VMware Tools installed (Tools is used to capture log in and log out on VMs that it is installed on). A good example would be rulesets that are applied to devices not in the virtualized world. Since they do not have Tools installed, some other method was needed to capture log in and log out, and security event logging provides that method. It really doesn't apply to my use case, as this is micro-segmentation of a VDI environment, so all VMs in scope will have Tools installed....

http://www.viktorious.nl/2015/01/27/identity-based-firewalling-vmware-nsx/

https://pubs.vmware.com/NSX-62/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-F37BEF98-3661-447E...

1. Configure Active Directory Sync in NSX, see Synchronize a Windows Domain with Active Directory. This is required to use Active Directory groups in Service Composer.

2. Prepare the ESXi cluster for DFW. See Prepare the Host Cluster for NSX in the NSX Installation Guide.

3. Configure Identity Firewall logon detection options. Note that you must configure one or both of these options:

   - Configure Active Directory event log access. See Register a Windows Domain with NSX Manager.

   - Windows Guest OS with guest agent installed. This comes with a complete installation of VMware Tools™. Deploy Guest Introspection service to protected clusters. See Install Guest Introspection. For troubleshooting Guest Introspection, see Collecting Guest Introspection Troubleshooting Data.

luv_nsx
Contributor

Thank you for your response.

Based on what you said, it's my understanding that GI is NOT required on the APP VMs when using a VDI Desktop VM. That being said, would I need GI and VM Tools on the App VMs when using just physical desktops?

Here is the sequence of events I am thinking:

1. User "JoeSmith" logs into the Physical desktop

2. He tries to access a web application on an Application VM

3. DFW (running on the Application VM) sees the request coming in from the IP address of the physical desktop. Will DFW now query the NSX Manager to get the username of the user, which in turn will do the Security Event Log scraping? Also, wouldn't DFW just drop the request coming in from the physical desktop (without even querying NSX Mgr) since there is no rule currently that is allowing that specific IP address? In other words, what I am asking is how does DFW decide that for that specific request coming in from the physical desktop, it needs to query the NSX Manager.

4. Don't know what would happen next??

If you can help complete the sequence of events for physical desktop access, that would be great.

Thanks again!

cnrz
Expert

On the APP VM Cluster, I think there is no need for GI-SVM for both the VDI and the Physical Desktop scenarios. I have not tested in detail, but if I understood correctly the mechanism should work like this:

1. User "JoeSmith" logs into the Physical desktop --> Since the physical desktop is a member of the AD Domain, this will trigger a Security Event Log entry on the Domain Controller. This log includes the IP address of the desktop. Since it is integrated with NSX Manager, NSX Manager learns this IP address from the DC. (It is not very clear if it is pushed by the DC to the NSX Manager at login time, or NSX Manager periodically pulls this information from the DC, like every 5 minutes, but from the documentation it seems this occurs simultaneously at login time, i.e. NSX Manager doesn't need to wait for a couple of minutes.)

1.1 Since the JoeSmith user is a member of an AD Group that a Security Group configured on the dFW includes, this should trigger an update on the Rule Set belonging to the VNIC of the APP VM (which is included in the Applied To field of this rule). Every rule, whether it is IP based or a vSphere object like Logical Switch, VM Name, Cluster, or AD Group, will eventually be converted to an IP based rule set.

This update can be observed with the vsipioctl command as follows:

vsipioctl getaddrsets -f <filter-name> (Here filter-name is the dFW construct applied to the VNIC of the APP VM; this can be learned with the summarize-dvfilter <Name_of_APP_VM> command, as in the article below.)

http://www.virtually-limitless.com/vcix-nv-study-guide/manage-and-report-on-a-distributed-firewall-u...

In the vsipioctl getaddrsets command output, the IP address of the physical desktop should exist.

# vsipioctl getaddrsets -f nic-11164389-eth0-vmware-sfw.2

addrset ip-vm-64 {
ip 1.1.1.11, --> These IP addresses should include the Physical Desktop IP address
ip 2.2.2.123,
ip fe80::a82d:11b2:a8ab:a098,
ip fe80::e903:8cfc:1163:79a3,
}

2. He tries to access a web application on an Application VM --> Since the dFW has the desktop IP address in the Address Set of the rule, this session will be allowed (if it is a permit rule). NSX Manager has already pushed this IP to the VNIC of the VM.

3. DFW (running on the Application VM) sees the request coming in from the IP address of the physical desktop. Will DFW now query the NSX Manager to get the username of the user, which in turn will do the Security Event Log scraping? Also, wouldn't DFW just drop the request coming in from the physical desktop (without even querying NSX Mgr) since there is no rule currently that is allowing that specific IP address? In other words, what I am asking is how does DFW decide that for that specific request coming in from the physical desktop, it needs to query the NSX Manager. --> As in 1.1, the IP address should already exist on the dFW of the APP VM. If the same desktop is logged in with another user that is not a member of the AD Group that the Security Group includes, then this IP should disappear from the VNIC dFW IP Address Sets, this time blocking the APP. A very similar scenario is explained in the links below:


https://www.youtube.com/watch?v=r5B8AWeopKs

https://www.youtube.com/watch?v=ub9Rqdty4T8

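The flow described in the reply above (logon event on the DC binds a desktop IP to a user, group membership turns those bindings into the address set on the APP VM's vNIC, and a later logon by a non-member on the same desktop makes the IP drop out again), as an added example that is not part of the thread and not NSX code. It is a model of that mechanism: the AD group membership, the Windows Security event lines (reduced to key=value pairs; real events are EVTX/XML), and the `vsipioctl getaddrsets` output are constructed samples, and treating a 4634 logoff as removing that user's bindings is a simplification of the model. The last function is the check a practitioner would run after collecting the real `vsipioctl getaddrsets -f <filter>` output from the ESXi host: it reports expected desktop IPs that never reached the host and routable IPs still on the host that the event log no longer justifies.

```python
"""Model of AD-logon-driven IDFW address sets plus a getaddrsets checker.

Added example; all data below is constructed, not taken from the thread or NSX.
"""
import re
from ipaddress import ip_address

# Constructed AD group -> members. Assumption: the DFW Security Group used in
# the rule is defined as "member of AD group App-Users".
AD_GROUPS = {"App-Users": {"CORP\\JoeSmith", "CORP\\AliceJones"}}

# Constructed Windows Security events reduced to key=value pairs.
# 4624 = successful logon, 4634 = logoff (simplified: removes that user's bindings).
EVENT_LOG = [
    "EventID=4624 TargetDomainName=CORP TargetUserName=JoeSmith IpAddress=10.10.20.55 LogonType=2",
    "EventID=4624 TargetDomainName=CORP TargetUserName=AliceJones IpAddress=10.10.20.60 LogonType=2",
    "EventID=4624 TargetDomainName=CORP TargetUserName=BobBrown IpAddress=10.10.20.61 LogonType=2",
    # Service logons and local unlocks carry no usable workstation address.
    "EventID=4624 TargetDomainName=CORP TargetUserName=svc-backup IpAddress=- LogonType=5",
    "EventID=4624 TargetDomainName=CORP TargetUserName=JoeSmith IpAddress=::1 LogonType=7",
    "EventID=4634 TargetDomainName=CORP TargetUserName=AliceJones",
]

# Constructed text in the shape of `vsipioctl getaddrsets -f <filter>` output.
GETADDRSETS_OUTPUT = """\
addrset ip-securitygroup-12 {
ip 10.10.20.55,
ip 10.10.20.60,
ip fe80::a82d:11b2:a8ab:a098,
}
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
ADDRSET_RE = re.compile(r"addrset\s+(\S+)\s*\{(.*?)\}", re.S)
IP_LINE_RE = re.compile(r"\bip\s+([0-9a-fA-F.:]+)")


def parse_event(line):
    return dict(KV_RE.findall(line))


def usable_address(ip):
    """Only routable workstation addresses can become DFW address-set entries."""
    try:
        addr = ip_address(ip)
    except ValueError:  # "-" or garbage
        return False
    return not (addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def replay_logons(lines):
    """Return {ip: 'DOMAIN\\user'} after replaying the events in order.

    A later logon from the same IP replaces the earlier binding: that is what
    makes a desktop drop out of the group's address set when a non-member
    logs on to it next."""
    binding = {}
    for line in lines:
        ev = parse_event(line)
        user = f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}"
        ip = ev.get("IpAddress", "-")
        if ev.get("EventID") == "4624" and usable_address(ip):
            binding[ip] = user
        elif ev.get("EventID") == "4634":
            binding = {i: u for i, u in binding.items() if u != user}
    return binding


def build_addrset(binding, members):
    """IPs whose current user is in the AD group: the set pushed to the vNIC."""
    return {ip for ip, user in binding.items() if user in members}


def parse_getaddrsets(text):
    """Parse `vsipioctl getaddrsets` output into {addrset_name: {ip, ...}}."""
    return {name: set(IP_LINE_RE.findall(body)) for name, body in ADDRSET_RE.findall(text)}


def compare_addrset(expected, observed):
    """Return (missing, stale): expected IPs absent on the host, and routable
    IPs on the host the event log no longer justifies. Link-local entries
    (VMTools-reported fe80:: addresses) are ignored."""
    routable = {ip for ip in observed if usable_address(ip)}
    return expected - routable, routable - expected


if __name__ == "__main__":
    expected = build_addrset(replay_logons(EVENT_LOG), AD_GROUPS["App-Users"])
    observed = parse_getaddrsets(GETADDRSETS_OUTPUT)["ip-securitygroup-12"]
    print("expected:", sorted(expected))
    print("missing, stale:", compare_addrset(expected, observed))
```

With the constructed data, JoeSmith's desktop 10.10.20.55 is the only expected entry; AliceJones logged off, so 10.10.20.60 still present in the host output is reported as stale. Appending a logon by BobBrown (not a group member) from 10.10.20.55 empties the expected set, which is the "another user on the same desktop" case from the reply.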