Network Security Blog

Topology Diagram:


NSX Edge:
It is the communication between NSX world and physical world.
NSX Edge is a gateway service that provides access to physical and virtual networks for VMs. NSX Edge can be installed as a distributed virtual router or as a services gateway.
It can be used as DHCP server , VPN , Loadbalancer , NAT, Firewall.

Following are the Steps to Install NSX Edge:

Step1:Use Installation Type as Edge Service Gateway. for quick installation you can uncheck "Deploy NSX Edge" if this is checked you need to manually configure each settings.


Step3:Specify the Installation host details. here Im Installing in ESXi Host1 through shared datastore via iSCSI interface.



Step4: Create Internal and uplinks
Internal links are links which are connected to virtual world, with interface ip address: 192.168.10.1/29

Step5:  You can enable or disable firewall policies with action as accept or deny.


Final Step: Verify the configuration and click on Finish option to complete the installation

Installation is in Progress:-












Logical Router:
It is the communication within NSX world. via Logical switches.

Following are the Steps to Install NSX Logical Router:

Step2:Specify the Installation host details. here Im Installing in ESXi Host1 through shared datastore via iSCSI interface.


Step3: Create Internal and uplinks
Internal links are links which are connected to virtual world server side, with interface ip address:
a)WEB Servers:172.16.60.0/24 ------------>INTERNAL
b)Windows O.S : 172.16.70.0/24----------->INTERNAL
c)Transit link: 192.168.10.0/29  ----------->UPLINK

Step4:  Since we created uplink we can specify default gateway which acts as default route to that ip address. Here our NSX Edge router will be our default gateway.




















VERIFICATION:-

From windows PC(172.16.70.0/24)  we are able to ping to fin-web01(172.16.60.20) and fin-db01(172.16.60.22)




ISSUE:
From fin-db01(172.16.60.22) we are able to ping 192.168.10.2 however we are unable to ping  192.168.10.1. 

From fin-db01(172.16.60.22) we are able to ping 192.168.10.1  Successfully!!

we can also use our NSX edge as inbuilt Load balancer. Following is the sample topology diagram:

Source is my windows XP meachine IP address: 172.16.70.11 and there are two destination servers
a)fin-web01a(172.16.60.20)
b)hr-web01a(172.16.60.10)

Now we are going to loadbalance the traffic between these to servers.

Step1: Create a vNIC IP address to the NSX edge. in this case i used 172.16.99.99 as my Virtual IP address.

Step2: Goto NSX Edge>Manage>Loadbalancer>
enable LoadBalance option as shown

Step3: Create Server PoolFarm with service port:443, with ROUNDROBIN Algorithm
a)fin-web01a(172.16.60.20)
b)hr-web01a(172.16.60.10)


Step4: Now create Virtual Server IP address with the above Pool.

TESTING:- 
Browse: https://172.16.99.99/

The NSX Distributed firewall is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
A flow is identified by the following:
Source address
Source port
Destination address
Destination port
Protocol

Lets consider following topology:


Source: 172.16.70.11
Destination: 172.16.60.20

Now by default NSX Distributed firewall allows all the traffic. Im creating a rule to block above traffic.

Firewall source/destinations can be defined in following ways:
1)Cluster
2)Datacenter
3)IP Sets
4)Logical Switch
5)Port Group
6)Distributed Virtual Port Group

Security Groups:
1)Dynamic Inclusion:
Example: Computer OS name, Computer Name, VM Name, Security TAG.

2)Static Inclusion/Exclusion:
Example:Cluster,Datacenter,IP Sets,Logical Switch,AD Groups,MAC Sets,DVS Port Groups,vNIC.

From NSX 6.1 onwards we have a new feature called "Partner Security Services"
here we can redirect the policy to 3rd party firewalls like PaloAlto.

In our example Im using source as Static Inclusion(Logical Switch Name) and destination as Static Inclusion(IP sets)

Before Block Rule : -
Im able to access the webserver as shown below:


Create Source, here Im using Logical switch name:Windows_Tier as my source address.
Any VM which is connected to this logical switch will be acting as my source.

Following are the list of object Types we can use, here Im using IPSETS as my destination


Create New IP set as my destination IP address in format <IP address/subnetmask> or range


After creating IP sets, select and bring it to right side and click on SAVE.


Below is the Rule created with source as Logical switch: Windows_Tier and destination address: 172.16.60.20 with service: https and Action:BLOCK


After Enabling the Block Rule:

Create a Segment ID, A Segment ID in NSX means number of Logical switches that can be created. Segment ID's are like VLAN ID.
but VLAN can be from 1 to 4094, whereas Segment ID can be from 1 to 16,777,215. here we are using 5000 to 6000

1. Log in to the vSphere Web Client.
2. Navigate to Home > Networking & Security > Logical Switches.
3. Click Add or the New Logical Switch ( + ) icon.
4. Type a name and optional description for the logical switch.
5. Select the transport zone in which you want to create the logical switch.
   By default, the logical switch inherits the control plane replication mode from the transport zone.

As you can see in above diagram, we have 3 different VM's connected to same Logical switch.
Which means All the 3 VM's has to be in same Network and All these 3VM's will be communicated via Logical switch.

++A transport zone controls to which hosts a logical switch can reach. It can span one or more vSphere clusters. Transport zones dictate which clusters and, therefore, which VMs can participate in the use of a particular network.
Here Im using Global transport zone with replication mode as Unicast.

Multicast: Multicast will send a single packet from a source device to multiple destinations. This option requires Protocol Independent Multicast (PIM) to be enabled on your environment as well as IGMP. The documentation states it’s only recommended when you are upgrading from older VXLAN deployments.
&nbsp
Unicast: The NSX controller handles the control plane.
Hybrid: Hybrid is a combination of both multicast and unicast.

Once the Logical Switch is added, double click the newly created logical switch and start assigning the Virtual Machines to it as shown below.
Example: Logical switch Name: Windows_Tier

Each logical switch that you create receives an ID from the segment ID pool, and a virtual wire is created. The virtual wire descriptor contains the name of the logical switch and the logical switch's segment ID.

NOTE: You need a PC running with atleast 32GB of RAM which can be divided into following

Things required are
1.VMware Workstation 15.0 or above.
2.Windows server 2012 R2 used as DNS and AD server in it (2GB RAM enough)
3.vCenter Server installed in Vmware workstation directly with minimum 10GB RAM, Total Processors cores=2
4.ESXi Host1 installed in VMware Workstation directly with 16GB RAM and total Processors cores=12
5.ESXi Host2  installed in VMware Workstation directly with 6GB RAM and total Processors cores=2
6.NSX Manager will be installed in ESXi Host 1 with 4GB RAM while deploying .ova.
7.NSX Controller will also be installed in ESXi Host1 with 2.5GB RAM.
8.For testing purposes you can install Windows O.S or  Linux O.S in both ESXi Host1 and Host2