Thursday 16 October 2014

Integrating NSX with Active Directory and creating Identity-Based Firewall Rules

NSX has the ability to integrate with Active Directory and allows you to create security groups based on user identity, create identity-based firewall rules, and run Activity Monitoring reports.  In this post I'm going to show you how to integrate NSX with Active Directory and then create a security group within NSX that only allows users in the Allow SSH Active Directory security group to SSH into all Linux VMs.  The first step is to configure NSX to query Active Directory for user / group information and to query the security logs to map usernames to IP addresses.  Browse to the NSX Manager plugin, select your NSX Manager and click on the Domains tab:

Click on the green plus icon to add a new domain.  Specify the name of the domain and the NetBios name and click Next:

Specify your domain controller name and a username and password that can query LDAP information and click Next:

Specify the username and password for an account that has access to view the event logs and click Next (for testing purposes I'm using a domain admin account):

Finally verify your settings are correct and click Finish:

NSX should now start pulling in user and group information from Active Directory and also monitoring the security logs for logon / logoff events.  It may take a few minutes for the refresh to take place; take this time to grab a coffee and a few biscuits:
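The identity-to-IP mapping that the firewall rules below depend on comes entirely from the domain controller's Security log, so it is worth seeing what NSX actually has to work with. The following PowerShell is an added example and not part of the original post or of NSX; it pulls the last hour of successful logon events (event ID 4624) from a domain controller and prints the username and source IP address pairs. It assumes that `DC01` (a placeholder) is your domain controller and that the account running it can read the Security log remotely, which is exactly the permission the event-log account configured above needs:

```powershell
# Added example (not from the original post): show the user -> IP address pairs
# that NSX derives from the domain controller Security log.
# Assumption: $DomainController is your DC and the caller can read its Security log.
$DomainController = 'DC01'

# Event ID 4624 = "An account was successfully logged on".
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction Stop

foreach ($e in $events) {
    # The interesting fields live in the EventData section of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip machine accounts (trailing $) and local logons that carry no usable IP.
    if ($data.TargetUserName -like '*$') { continue }
    if ($data.IpAddress -in @('-', '::1', '127.0.0.1')) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        IpAddress = $data.IpAddress
        LogonType = $data.LogonType   # 2 = interactive, 3 = network, 10 = RDP
    }
}
```

If `Get-WinEvent` fails with an access-denied error when run as the account you gave NSX, NSX will not be able to build the mapping either. Membership of the built-in Event Log Readers group is enough to read the Security log remotely, so the event-log account does not need to be a domain admin outside of a lab.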

Now I'm going to create a few user accounts and security groups within AD for testing purposes.  The security groups and user accounts are called:

Allow SSH - SG - D (Domain Local Security Group)
Allow SSH - SG - G (Global Security Group)

The Allow SSH - SG - G group is going to be a member of Allow SSH - SG - D, as I like to follow best practices for multi-domain environments.  Allow_SSH_User is going to be a member of Allow SSH - SG - G, which means he is also a member of Allow SSH - SG - D.  I will then add Allow SSH - SG - D to a security group object within NSX which I can then add to a firewall rule, but we will cover that later.  No_SSH_User will not be a member of any groups.  Once everything is in place the idea is that when I log into a domain member workstation as Allow_SSH_User I should be able to SSH into my Linux VMs; when I log in as No_SSH_User I should NOT be able to SSH into my Linux VMs.
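The nesting above (user in a Global group, Global group in a Domain Local group, NSX pointing at the Domain Local group) is easy to get subtly wrong, so here is the same setup as an added PowerShell example, not part of the original post. It creates the two groups and two users with the names used in this post, nests them as described, and then checks that Allow_SSH_User is a transitive member of Allow SSH - SG - D while No_SSH_User is not. It assumes the ActiveDirectory RSAT module is installed and that `OU=NSX-Test,DC=lab,DC=local` is a placeholder for the OU where you keep test objects:

```powershell
# Added example (not from the original post): create the AD objects described
# above and verify the nesting. Assumption: $OU is the DN of your test OU.
Import-Module ActiveDirectory

$OU = 'OU=NSX-Test,DC=lab,DC=local'

# The Domain Local group is the one NSX will reference; the Global group holds the users.
New-ADGroup -Name 'Allow SSH - SG - D' -GroupScope DomainLocal -GroupCategory Security -Path $OU
New-ADGroup -Name 'Allow SSH - SG - G' -GroupScope Global      -GroupCategory Security -Path $OU

# Nest the Global group inside the Domain Local group.
Add-ADGroupMember -Identity 'Allow SSH - SG - D' -Members 'Allow SSH - SG - G'

# Two test users; only Allow_SSH_User goes into the Global group.
$password = Read-Host -AsSecureString -Prompt 'Password for the test users'
foreach ($u in 'Allow_SSH_User', 'No_SSH_User') {
    New-ADUser -Name $u -SamAccountName $u -Path $OU -AccountPassword $password -Enabled $true
}
Add-ADGroupMember -Identity 'Allow SSH - SG - G' -Members 'Allow_SSH_User'

# Verify: -Recursive expands nested groups down to the leaf user objects,
# which is the membership view NSX needs when it syncs the Domain Local group.
$members = Get-ADGroupMember -Identity 'Allow SSH - SG - D' -Recursive |
           Select-Object -ExpandProperty SamAccountName

foreach ($u in 'Allow_SSH_User', 'No_SSH_User') {
    $inGroup = $members -contains $u
    "{0,-16} transitive member of 'Allow SSH - SG - D': {1}" -f $u, $inGroup
}
# Expected: Allow_SSH_User True, No_SSH_User False.
```

Run the verification part again after any group change; if the recursive membership does not show the user, the NSX security group built on the Domain Local group will not contain him either, no matter how the firewall rule is written.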

Here are my security groups and user accounts:

It's best to quickly update the Active Directory objects within NSX by going back to the Domains tab and clicking on the double cog icon and verifying the update has occurred by checking the last sync status:

Now we need to create the security group within NSX that will point to the Active Directory group called Allow SSH - SG - D (which contains Allow SSH - SG - G and thus Allow_SSH_User).  Within the NSX Manager configuration screen select the Grouping Objects tab.  I already have some groups that dynamically add VMs to specific groups.  Click on the green plus icon to create a new group:

Give the new group a name and click Next:

Remove the dynamic membership criteria as we will be statically assigning the resource and click Next:

Change the object type to Directory Group and select the group you require and click Next.  In my case it's Allow SSH - SG - D:

We don't want to exclude any resources so just click Next:

Finally verify everything is correct and click Finish:

We can now see the newly created NSX group:

Finally we need to edit the ruleset to only allow the Allow SSH NSX security group permission to SSH to the Linux VMs.  My current ruleset allows anything to SSH into the Linux VMs:

If you hover over the source field a plus icon will appear.  Click it and then change the Object Type to Security Group (remember these are NSX security groups), click the arrow to move it across to the Selected Objects box and click OK:

Publish the changes and the ruleset is now active:

Time for testing.  I logged into my jumpbox workstation as Allow_SSH_User and successfully opened a PuTTY session to WEB01:

I then logged in as No_SSH_User and was unable to connect to WEB01:
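The manual PuTTY test above scales badly once there are more Linux VMs or more test users. As an added example that is not part of the original post, the following PowerShell does the same check from the jumpbox: it works out whether the currently logged-on user is a transitive member of Allow SSH - SG - D, tests TCP port 22 against each Linux VM, and reports PASS only when the observed result matches what the rule should produce. It assumes the ActiveDirectory RSAT module and `Test-NetConnection` are available on the jumpbox; WEB01 is the host from the post and any further hostnames you add to the list are your own:

```powershell
# Added example (not from the original post): check that SSH reachability matches
# the logged-on user's AD group membership. Run it once as each test user.
# Assumptions: RSAT ActiveDirectory module and Test-NetConnection on the jumpbox.
Import-Module ActiveDirectory

$LinuxVMs  = @('WEB01')            # add further Linux VM hostnames as required
$GroupName = 'Allow SSH - SG - D'
$user      = $env:USERNAME

# Expected outcome: port 22 reachable only if the user is (transitively) in the group.
$allowed  = Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object SamAccountName -eq $user
$expected = [bool]$allowed

foreach ($vm in $LinuxVMs) {
    # A plain TCP connect is enough: the NSX rule blocks the session before any SSH handshake.
    $actual = (Test-NetConnection -ComputerName $vm -Port 22 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        User     = $user
        Target   = $vm
        Expected = $expected
        Actual   = $actual
        Result   = $(if ($expected -eq $actual) { 'PASS' } else { 'FAIL - check the NSX rule and the user-to-IP mapping' })
    }
}
```

Because the identity rule keys off the logon event NSX read from the domain controller, run this from a fresh interactive logon on the jumpbox rather than a `runas` window; a FAIL with Expected=True usually means the Domains sync has not picked up the group or the logon event has not been seen yet, and a FAIL with Expected=False means something other than the identity rule is still permitting SSH.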

How impressive is that?  Stay tuned for the next thrilling installment.
