Beruflich Dokumente
Kultur Dokumente
Copyright
Copyright 2018 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws.
Nutanix is a trademark of Nutanix, Inc. in the United States and/or other jurisdictions. All other
marks and names mentioned herein may be trademarks of their respective companies.
Copyright | 2
Nutanix Flow
Contents
1. Executive Summary................................................................................ 4
2. Introduction..............................................................................................5
2.1. Audience........................................................................................................................ 5
2.2. Purpose..........................................................................................................................5
4. Nutanix Flow............................................................................................ 8
4.1. Architecture.................................................................................................................... 8
4.2. Enabling Flow Microsegmentation and Visualization.................................................... 9
4.3. Categories....................................................................................................................11
4.4. Security Policies.......................................................................................................... 14
4.5. Using Quarantine Policies........................................................................................... 16
4.6. Using Isolation Policies................................................................................................19
4.7. Using Application Policies........................................................................................... 23
5. Conclusion............................................................................................. 36
Appendix......................................................................................................................... 37
References.......................................................................................................................... 37
About Nutanix......................................................................................................................37
List of Figures................................................................................................................38
List of Tables................................................................................................................. 40
3
Nutanix Flow
1. Executive Summary
Flow is a software-defined networking product tightly integrated into Nutanix AHV and
Prism. Flow provides rich visualization, automation, and security for VMs running on AHV.
Microsegmentation is a component of Flow networking that simplifies policy management. Using
multiple Prism Central categories (logical groups), you can create a powerful distributed firewall
that gives administrators an application-centric policy management tool for securing VM traffic.
Categories enable flexible, attribute-based grouping of VMs to define security policies. By
using logical categories, you no longer need to base policy definitions on network addresses
or manually update policies to handle network changes. Your security policy can automatically
apply to a VM independent of its network configuration. With Flow, administrators can visualize
traffic between groups of VMs to create plain-language policies based on application behavior,
rather than defining allowed traffic in the language of IP addresses and subnets.
With Flow, Nutanix extends Prism Central’s consumer-grade simplicity and ease of use beyond
virtualization and storage infrastructure management to the world of network security.
1. Executive Summary | 4
Nutanix Flow
2. Introduction
2.1. Audience
This tech note is part of the Nutanix Solutions Library. It is intended for architects and
administrators who are responsible for VM networking and security. Readers of this document
should already be familiar with Nutanix AHV and Prism Central.
2.2. Purpose
In this document, we cover the following topics:
• Nutanix Flow.
• Flow microsegmentation.
• Flow visualization.
• Creating and managing categories.
• Creating and managing security policies.
Version
Published Notes
Number
1.0 April 2018 Original publication.
1.1 May 2018 Added Service Chain KB article.
2. Introduction | 5
Nutanix Flow
4. Nutanix Flow
Nutanix Flow delivers advanced networking and security services, providing visibility into the
virtual network, application-centric protection from network threats, and automation of common
networking operations.
Fully integrated into Nutanix AHV virtualization and the Nutanix Enterprise Cloud OS, Flow allows
organizations to deploy software-defined virtual networking without the complexity of installing
and managing additional products that have separate management and independent software
maintenance requirements.
Flow provides application-centric policies that enable complete visibility and traffic control. This
policy model allows administrators to implement fine-grained rules regarding traffic sources and
destinations, or microsegmentation. These same policies make it possible to visualize traffic
flowing within and between application VMs. This granular level of control is an important part of
a defense-in-depth strategy against modern datacenter threats.
Nutanix Flow protects against new threats that are designed to spread laterally from one system
to another within the same protected datacenter. Because perimeter-based firewalls traditionally
only protect the environment from external threats, it can be difficult to repurpose them to
protect internal traffic. Flow applies security rules between all applications and VMs within the
datacenter, thus adding internal protection behind your perimeter firewall.
4.1. Architecture
The Nutanix management plane, Prism Central, provides policy administration for Nutanix Flow.
Prism Central and the registered Nutanix clusters combine to form the control plane for Flow. The
data plane is the Nutanix AHV host Open vSwitch, which processes VM network traffic.
4. Nutanix Flow | 8
Nutanix Flow
4. Nutanix Flow | 9
Nutanix Flow
Management documentation before enabling Flow. Flow is a licensed feature, but Nutanix offers
customers a free 60-day trial period.
4. Nutanix Flow | 10
Nutanix Flow
4.3. Categories
Categories allow you to group entities such as VMs together logically. When creating a category,
you can assign it multiple potential values. The administrator selects from this list of potential
values when adding the category to an entity. For example, the Environment key could have
several values, such as Production, Development, Staging, or Test. When assigned to a VM,
each category consists of a text-based key-value pair—for example, Environment: Production,
with a key of Environment and a value of Production.
Categories are extremely flexible, and you can create new high-level key-value pairs to group
VMs based on application requirements. Categories are the building blocks of security policies,
so think carefully about what groups you may need to segment network traffic along existing
logical boundaries. For example, production may be isolated from development, or a perimeter
network may have special access from the Internet.
There are a number of system categories built into Prism Central that have a special meaning
when used in Nutanix Flow. Start with the existing categories and add your own if needed. The
following sections describe several important system categories that Flow requires for building
policies.
AppType
The category AppType defines a group of VMs that belong to the same application. You can
use AppType: Exchange, for example, to define all of the entities that belong to the Exchange
application. Nutanix recommends creating new values inside the AppType category to match the
applications running in your AHV environment.
When creating Application Security Policies, Nutanix Flow uses AppType categories to manage
traffic to and from an application, so be sure to define your applications with the appropriate
AppType values. Select AppType, then select Update to add your own custom application
names.
4. Nutanix Flow | 11
Nutanix Flow
AppTier
The category AppTier defines a set of entities that serve the same function within an application.
For example, AppTier: Exchange_Mailbox and AppTier: Exchange_Edge_Transport are two tiers
of VMs within the Exchange application, each serving a different function.
When creating application security policies, Nutanix Flow uses AppTier categories to secure
communication to, from, and between application tiers. Create custom tiers for your application
by selecting AppTier, then Update.
4. Nutanix Flow | 12
Nutanix Flow
The creation of branch office policies offers an example of the tradeoff between the number of
categories and the number of policies. Consider the categories and policies required based on
the two following approaches: one category per site type, and one category per site.
With the first approach, it’s easy to create a security policy as long as all branches have the
same relationship to the HQ application. The second approach gives more control per site, but
we must define the relationship between each site and HQ. If we have a large number of sites,
this definition process could be time consuming.
Quarantine
By default, Quarantine categories isolate a VM from all other network devices. In addition to the
standard Quarantine category—Default, which denies all traffic—a Forensic category allows
quarantined VMs access to and from a policy-defined set of destinations and sources to assist
in analyzing the quarantined VM. The Quarantine: Default and Quarantine: Forensic categories
4. Nutanix Flow | 13
Nutanix Flow
cannot be modified, and you cannot manually apply them to a VM. Nutanix Flow uses these
categories when you select the quarantine action for a VM.
With the Site category, you can define complex relationships between sites. For simpler policy
creation, you can use the SiteType category to define relationships between sites and HQ. This
flexibility demonstrates the power of categories and shows that thinking about the relationships in
an application can help you create more useful categories.
4. Nutanix Flow | 14
Nutanix Flow
to a VM. Use Forensic quarantine to allow a defined set of administrators to troubleshoot and
analyze a VM.
Isolation policies define specific categories of VMs that should be disallowed from communicating
with each other. For example, you could create an isolation policy to ensure that the development
environment can never communicate with the production environment.
Finally, application security policies allow you to define a multitiered application and control traffic
to and from as well as within the application tiers. For example, you could create an application
policy to define a mailbox and an edge tier inside the Exchange application. Furthermore, you
can then set this policy to allow sources such as Marketing and Sales access to the mailbox tier,
with both Exchange tiers allowed access to AD and Windows Update servers.
Nutanix Flow evaluates security policies in the order shown in the figure below to build traffic
rules. If traffic encounters a matching quarantine or isolation rule, Flow blocks it, and further
policy processing stops. If no quarantine or isolation rule blocks the traffic, then the application
rule evaluates it. If the traffic source or destination does not match any rules, Flow allows the
traffic.
Combining Policies
Combine multiple policies and policy types to build a complete security solution for a set of
applications. First, use quarantine policies to temporarily isolate a specific VM from all other
4. Nutanix Flow | 15
Nutanix Flow
VMs. Next, use isolation policies to define which groups of VMs must never be allowed to talk
with other groups. Finally, use application policies to control traffic allowed to, from, and within
applications. Application policies can allow traffic between two or more applications as well, but
remember to ensure that the policy of each application allows this traffic.
Policy Mode
The two selectable modes for security policies are Apply and Monitor. A policy in Monitor mode
allows traffic, even if the policy does not specifically define that traffic as allowed. In contrast,
Apply mode only allows specifically defined traffic.
Monitor mode is the default state for a newly created isolation or application policy. Use Monitor
mode in combination with flow visualization to track flows on a newly created policy, ensuring that
it contains the expected traffic.
Once you have confirmed policy accuracy, you can move policies from Monitor to Apply mode.
Use flow visualization in Apply mode to see blocked traffic.
4. Nutanix Flow | 16
Nutanix Flow
4. Nutanix Flow | 17
Nutanix Flow
Select Strict to place the VM into the default quarantine category, which restricts all traffic to and
from the VM. Select Forensic to place the VM into the forensic category, which allows a defined
set of sources and destinations.
The forensic quarantine policy controls which forensic tools have access to VMs in the forensic
category. Modify the quarantine policy to add your own tools as needed. In this example, the
security team is allowed access to the forensic quarantined VMs on specific ports. You can add
inbound sources and even outbound sources to the forensic category; however, you cannot add
any sources or destinations to the default strict category.
4. Nutanix Flow | 18
Nutanix Flow
4. Nutanix Flow | 19
Nutanix Flow
Create isolation policies by selecting Explore, then Security Policies. Click Create Security
Policy, then select Isolate Environments.
Give the isolation policy a name and select the two categories that should be separated from
each other. You can use any two categories to create an isolation policy.
4. Nutanix Flow | 20
Nutanix Flow
If you have more than two groups that require separation (for example, Production, Dev,
Staging, and Testing), then create an isolation policy for each unique pair of groups. For a large
list of groups, this list of isolation policies can grow long, so you may find application policies to
be more effective than isolation policies if you have a large number of groups to isolate.
For example, to separate four groups, you would need the following six policies.
4. Nutanix Flow | 21
Nutanix Flow
Adding one more group that required isolation, such as Environment: Backup, would require
four new isolation policies—one to isolate each of the previously existing groups from the new
group.
4. Nutanix Flow | 22
Nutanix Flow
4. Nutanix Flow | 23
Nutanix Flow
The diagram below shows the allowed inbound sources on the left and outbound destinations on
the right, with a single-tiered application in the center. The central application is labeled Your App
in the diagram, but in some contexts Nutanix also calls it the target group.
To create application policies in Prism Central, navigate to Explore, select Security Policies,
click Create Security Policy, and then select Secure an Application.
4. Nutanix Flow | 24
Nutanix Flow
Enter a name for the policy and a helpful text description. The application drop-down menu
shows a list of all available AppType categories.
Note: You can only use an AppType category to create an application policy.
4. Nutanix Flow | 25
Nutanix Flow
Add sources on the left side of the application policy (refer to the Application Policy Source,
Application, and Destination figure above) by category and IP subnet. Select Category from the
drop-down menu and use the text box to search for and select the desired category.
4. Nutanix Flow | 26
Nutanix Flow
Select Subnet/IP and enter the IPv4 network address in CIDR notation (IP/mask length). For
example, use a mask length of 24 to allow an entire Class C subnet, or a mask length of 32 to
allow only a single host IP address. Using IP subnets is helpful when the source or destination
you’re adding is external to the Nutanix cluster.
4. Nutanix Flow | 27
Nutanix Flow
After adding a source, click the plus sign to select the traffic’s destination, allowing traffic to a
specific tier within the application.
Add allowed protocols and ports such as TCP, UDP, and ICMP to the flow.
4. Nutanix Flow | 28
Nutanix Flow
Adding categories and IP subnets as destinations in an application policy works in a similar way,
but you would select the plus sign on the source tier of the application after adding a destination.
Application Tiers
Add tiers to an application that requires granular traffic control for the different VMs within the
application. In the previous example, we combined the Exchange AppType category with two
AppTier categories: Exchange_Mailbox and Exchange_Edge_Transport. To add these AppTier
categories in the application policy, select Set rules on App Tiers, instead to allow traffic to and
from individual tiers of the application.
4. Nutanix Flow | 29
Nutanix Flow
Now you can control sources and destinations at the individual tier level.
4. Nutanix Flow | 30
Nutanix Flow
To control traffic between application tiers, click Set Rules within App at the top of the screen
and select the tiers from which traffic should be allowed. Use the plus signs that appear on the
other tiers to define the allowed traffic.
To control traffic between VMs within a single application tier, select whether traffic is allowed
within the same tier. For Exchange, it is desirable to allow traffic between servers in the same
tier, but an administrator may want to disallow traffic between web VMs in the same front-end
web application tier for additional security.
4. Nutanix Flow | 31
Nutanix Flow
Follow the documentation for service chain creation in KB 5486. In Prism Central, create the
allowed inbound or outbound flow as usual, then select the desired service chain from the drop-
down menu.
4. Nutanix Flow | 32
Nutanix Flow
Flow Monitoring
Application policies provide flow visualization based on collected traffic statistics to monitor
blocked and allowed traffic flows. Nutanix AHV hosts collect traffic information and send it to
Prism Central, which builds a flow visualization view inside the application policy.
4. Nutanix Flow | 33
Nutanix Flow
When an application policy is in Monitor mode, traffic to the application that isn’t allowed in the
policy is shown in yellow. Hovering over the traffic flow shows a history of connection attempts
along with details about port and protocol. Hovering over the traffic inbound source or outbound
destination allows the administrator to add a specific flow to the policy. This flexibility helps create
an accurate policy, ensure that no traffic is missed, and see what activity is taking place.
When an application policy is in Apply mode, denied traffic displays with a red X, denoting
connection attempts that the policy blocked.
4. Nutanix Flow | 34
Nutanix Flow
4. Nutanix Flow | 35
Nutanix Flow
5. Conclusion
Nutanix Flow is a software-defined networking solution for AHV that provides visualization,
automation, and security. As part of Flow, microsegmentation uses Prism Central categories
and security policies to protect VMs. By using categories to create flexible groups of VMs, Flow
simplifies security policy definition. With security policies, administrators can protect or isolate
applications or environments and quarantine infected or rogue VMs.
Through policy- and application-centric traffic monitoring, flow visualization answers the vital
question of what VM traffic is actually sent and received in the virtual system.
The ease of creating and applying categories and policies opens the door for automation.
Security is no longer tied directly to VMs or IP addresses, and administrators can respond quickly
to datacenter changes.
Because Nutanix Flow is built into Prism Central and works natively in AHV, there are no
additional components to install or manage. Network security is now just one click away.
For feedback or questions, please contact us using the Nutanix NEXT Community forums.
5. Conclusion | 36
Nutanix Flow
Appendix
References
1. Creating Service Chains with REST KB 5486
2. Nutanix AHV Administration Guide: Integration with Network Functions
3. Nutanix Prism Central Guide: Category Management
4. Nutanix Prism Central Guide: Policies Management
About Nutanix
Nutanix makes infrastructure invisible, elevating IT to focus on the applications and services that
power their business. The Nutanix Enterprise Cloud OS leverages web-scale engineering and
consumer-grade design to natively converge compute, virtualization, and storage into a resilient,
software-defined solution with rich machine intelligence. The result is predictable performance,
cloud-like infrastructure consumption, robust security, and seamless application mobility for a
broad range of enterprise applications. Learn more at www.nutanix.com or follow us on Twitter
@nutanix.
Appendix | 37
Nutanix Flow
List of Figures
Figure 1: Nutanix Enterprise Cloud................................................................................... 6
38
Nutanix Flow
39
Nutanix Flow
List of Tables
Table 1: Document Version History.................................................................................. 5
40