Advanced Training
Lab Exercises Day 2
Confidential
2010 VMware Inc. All rights reserved
Lab topology diagram (recovered labels): Control Center; Web-Tier-01 172.16.10.0/24 with Websv-01a (.11) and Websv-02a (.12) in SG-WEB; Ap-Tier-01 172.16.20.0/24 with Appsv-01a (.11) in SG-APP; DB-Tier-01 172.16.30.0/24 with DBsv-01a (.11) in SG-DB; the tiers are connected through Logical Switches and a Distributed Logical Router (.1 on each segment).
Diagram of the same topology annotated with the allowed flows: HTTP and HTTPS into Web-Tier-01 through the NSX Edge GW, SSH and TCP-8443 from Web-Tier-01 to Ap-Tier-01, and MySQL from Ap-Tier-01 to DB-Tier-01.
The Web-sv-01a summary window should display SG-TAB-WEB in the Security Tags table as shown below:
We will now use the Positive Security Model, where allowed traffic needs to be explicitly configured.
Name         Source   Destination   Service   Action   Applied to   Log
WEB to WEB   SG-WEB   SG-WEB        HTTP      Allow    SG-WEB       Log
Click on Publish Changes to enforce the new policy rules (check that you get the Last Publish Operation Succeeded message after the publish).
Note that using Applied To with a Security Group object is a new feature provided by NSX 6.1.
In the next step, we will check its application.
Add the following policy rules in the section (click on the + button on the section row to add rules inside the section):
Name         Source   Destination   Service          Action   Applied to       Log
ANY to WEB   ANY      SG-WEB        HTTP, HTTPS      Allow    SG-WEB           Log
WEB to APP   SG-WEB   SG-APP        SSH, TCP-8443    Allow    SG-WEB, SG-APP   Log
APP to DB    SG-APP   SG-DB         MYSQL            Allow    SG-APP, SG-DB    Log
Click on Publish Changes to enforce the new policy rules (check that you get the Last Publish Operation Succeeded message after the publish).
Add the following policy rules in the section (click on the + button on the section row to add rules inside the section):
Name        Source           Destination                          Service   Action   Applied to                           Log
SSH to VM   192.168.110.10   web-sv-01a, web-sv-02a, app-sv-01a   SSH       Allow    web-sv-01a, web-sv-02a, app-sv-01a   Log
Click on Publish Changes to enforce the new policy rules (check that you get the Last Publish Operation Succeeded message after the publish).
Management rules will allow SSH connectivity to the WEB and APP VMs from the Control Center (IP 192.168.110.10).
Verify that each VM receives only the DFW policy rules that apply strictly to itself:
Using Applied To with a Security Group object restricts the scope of DFW rule publishing to the members of that Security Group only!
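To see how Applied To limits which rules are pushed to each vNIC, and how the positive model falls through to the default Block, here is an added Python model of the rules entered in this lab; it is not NSX code and not from the lab guide. The group membership and addresses are taken from the lab topology, and the first-match evaluation order is a simplifying assumption.

```python
# Security-group membership and addresses constructed from the lab topology.
GROUPS = {
    "SG-WEB": {"web-sv-01a", "web-sv-02a"},
    "SG-APP": {"app-sv-01a"},
    "SG-DB": {"db-sv-01a"},
}
VM_IP = {"web-sv-01a": "172.16.10.11", "web-sv-02a": "172.16.10.12",
         "app-sv-01a": "172.16.20.11", "db-sv-01a": "172.16.30.11"}
CONTROL_CENTER = "192.168.110.10"

# The rules from the lab tables: (name, source, destination, services, action, applied_to).
# Source, destination and applied-to entries are group names, VM names, IPs, or "ANY".
RULES = [
    ("WEB to WEB", {"SG-WEB"}, {"SG-WEB"}, {"HTTP"}, "Allow", {"SG-WEB"}),
    ("ANY to WEB", {"ANY"}, {"SG-WEB"}, {"HTTP", "HTTPS"}, "Allow", {"SG-WEB"}),
    ("WEB to APP", {"SG-WEB"}, {"SG-APP"}, {"SSH", "TCP-8443"}, "Allow", {"SG-WEB", "SG-APP"}),
    ("APP to DB", {"SG-APP"}, {"SG-DB"}, {"MYSQL"}, "Allow", {"SG-APP", "SG-DB"}),
    ("SSH to VM", {CONTROL_CENTER}, {"web-sv-01a", "web-sv-02a", "app-sv-01a"}, {"SSH"},
     "Allow", {"web-sv-01a", "web-sv-02a", "app-sv-01a"}),
]


def addresses(obj):
    """IPs matched by a rule object; None stands for the ANY wildcard."""
    if obj == "ANY":
        return None
    if obj in GROUPS:
        return {VM_IP[vm] for vm in GROUPS[obj]}
    return {VM_IP.get(obj, obj)}  # a VM name or a literal IP address


def matches(ip, objs):
    return any(addresses(o) is None or ip in addresses(o) for o in objs)


def is_applied_to(vm, objs):
    """Applied To scoping: a VM gets the rule only if it, or a group it is in, is listed."""
    return any(o == vm or vm in GROUPS.get(o, ()) for o in objs)


def rules_for_vm(vm):
    """Names of the rules actually published to this VM's vNIC filter."""
    return [r[0] for r in RULES if is_applied_to(vm, r[5])]


def evaluate(vm, src_ip, dst_ip, service):
    """First published rule that matches wins; no match falls to the default Block."""
    for name, src, dst, services, action, applied in RULES:
        if not is_applied_to(vm, applied):
            continue  # this rule was never pushed to this vNIC
        if matches(src_ip, src) and matches(dst_ip, dst) and service in services:
            return name, action
    return "Default", "Block"
```

Note that the Control Center's SSH rule never reaches db-sv-01a, so SSH to the DB VM is dropped by the default rule even though the source is the management host.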
Click on the Removed Applied Filter button to see all DFW rules again:
Click on SEND.
Click on SEND button. Check that success is displayed in the Response section.
You should be able to see alarms indicating that the DFW CPU/Memory/CPS thresholds have been crossed:
1) Since we changed the DFW default rule to Block in the previous exercise, we will now allow certain traffic needed for future lab exercises. Add sec-mgr-01a and big-iq-01a to the NSX DFW Exclusion List to ensure they are not blocked by the firewall rules defined in the previous lab exercise. Refer to the NSX Admin Guide on the desktop for details on where to configure an exclusion.
2) Create 2 DFW rules at the top of the Default Section to allow inbound and outbound access for VM: av-win7-01a.
3) Then power on Virtual Machine: sec-mgr-01a in the Management and Edge Cluster.
4) Once the Windows VM has finished booting:
   - Click to open a new tab in Firefox on the ControlCenter
   - Click on the Trend Micro Deep Security bookmark
   - Login to Trend Micro Deep Security Manager
   - Login with username = admin, Password = VMware1!
   - Click Sign In
4) After logging in, you will see the Trend Micro Deep Security dashboard as shown below.
IP assignment: DHCP
Notice the eicar.com executable on the desktop and see if you are able to run it.
Now activate the VM in the Trend Micro console (win7-av.corp.local) to run security tests.
Click on the Computer tab, click on the vCenter and search for the VM. Right click on the VM, then click Actions -> Activate/Reactivate.
Verify that the VM is activated and the status changes from unmanaged to managed.
Create and define the SG-Protected Security Group that includes the Virtual Machine av-win7-01a.
Service Profile: Trend Micro Deep Security_Deep Security Profile
State: Enabled
Enforce: Yes
Firewall rule table fragment (columns Destination, Service, Action): both rules (1 and 2) have Destination Any and Action Block; rule 2 also has Service Any.
Click Save
In the lab exercise we will not configure a Real-Time Scan, to allow the process to be observed (rather than having infected files cleaned up automatically), although in production you would typically use real-time scanning.
Go to Service Composer -> Canvas View and verify the VM membership of the Quarantine Prod security group.
Before proceeding to the next test, update the Security Tag on avwin7-01a virtual machine manually. From Summary Tab of the avwin7-01a virtual machine in the Security Tags Pane select Manage.
First, test that we can use the search function of the Admin Portal by accessing the admin page again and entering the following into the search input: google
Protected.
1. Open the Trend Micro console and double click on the avwin7-01a VM. Click on the Intrusion Prevention link on the left pane.
We will create a specific IPS signature for our test. Click on New -> New Intrusion Prevention Rule in the IPS Rules window.
Click Save to apply the IPS rule to the VM and to apply the policy
Wait till the policy is applied, then open IE again and test searching again using the string: google
1. In the Events tab, section Intrusion Prevention, click on Get Events at the bottom of the screen.
2. This should return a match for the Test IPS rule, where the connection that matched the google pattern was Reset.
Management topology diagram (recovered labels): Control Center (.10), vCenter Server A, Log Insight, vCenter Orchestrator, NSX Manager, NSX Controller Nodes 1-3, F5 BIG-IQ, Storage Appliance, Trend Deep Security and the vPod Router on Mgmt 192.168.110.0/24 and F5-Mgmt 192.168.111.0/24; vCenter Server B on Mgmt Site B 192.168.210.0/24.
Lab topology diagram with the load balancer (recovered labels): Control Center 192.168.110.0/24; F5-Mgmt 192.168.111.0/24; Mgmt_Edge_VDS-HQ_Uplink 192.168.100.0/24 with Dynamic Routing (BGP); F5 BIG-IP VE (LB) with Pool .106/109; Transit-Network-01 192.168.10.0/29 (.6 BGP, .1); Web-Tier-01 172.16.10.0/24 (web-sv-01a .11, web-sv-02a .12); App-Tier-01 172.16.20.0/24 (app-sv-01a .11); DB-Tier-01 172.16.30.0/24 (db-sv-01a .11); Distributed Firewall.
Note: Those port groups should have been created during Day 1 on Mgmt_Edge_VDS. If not created yet, create them: from vCenter Home -> Networking, Create New Distributed Port Group.
Note: The web server hosting the BIG-IP VE OVF file is the storage server
Mask: 255.255.255.0
# netstat -rn
(routing table output, only partially recovered from the page)
Genmask   Flags   MSS Window   irtt Iface
0.0.0.0   UG      0 0          0 internal
0.0.0.0   UG      0 0          0 eth0
Once these details are verified you can proceed with the configuration of the F5 NSX Integration.
IP pool table fragment (network: range), with the same range shown for every row on the page: HQ_Uplink, Mgt, F5-Mgt and Web-Tier-01, each listed as 192.168.110.105-109/24.
Logging: Unchecked
This option doesn't apply with Service Insertion.
Validate that the BIG-IP VE gets its final Management IP configured via NSX.
Once booted and with VMware Tools running, the F5 BIG-IP VE IP moves from 127.3.0.0, to 192.168.1.245, to the IP received from the DHCP server, and finally to the IP configured from NSX.
Note: Each step can take a couple of minutes (especially the last step).
From vCenter Home -> Hosts and Clusters, click on BIG-IP VE.
The Pending state lasts for approximately 20 minutes! This will be improved in a future BIG-IQ maintenance release.
Topology diagram after load-balancer deployment (recovered labels): Control Center 192.168.110.0/24; Mgmt_Edge_VDS-HQ_Uplink 192.168.100.0/24 with Dynamic Routing (BGP); F5 BIG-IP VE (LB) at .106; Transit-Network-01 192.168.10.0/29 (.6 BGP, .1); Web-Tier-01 172.16.10.0/24 with Pool-01 (web-sv-01a .11, web-sv-02a .12); App-Tier-01 172.16.20.0/24 (app-sv-01a .11); DB-Tier-01 172.16.30.0/24 (db-sv-01a .11); Distributed Firewall.
Note: The fields Algorithm, Algorithm Parameters, Monitors and Transparent can be left as default since they are not used (the information is taken from the BIG-IQ Catalog).
Note: The fields Protocol, Port, Connection Limit and Connection Rate Limit can be left as default since they are not used (the information is taken from the BIG-IQ Catalog).