Learn how to Secure your Hybrid Multi-Cloud in 30 mins: Part 1


Using Nutanix Security Central™ and Nutanix Flow Network Security™

Your organization deployed a Nutanix® HCI cluster in the data center, you’ve been told that it’s the latest and greatest in private cloud technology, and people are starting to use it. As part of the security team you currently don’t have much experience or knowledge as to how best to start protecting your company from threat vectors presented by these new workloads running on this “private cloud” platform… PANIC!

Note: Information on securing the Nutanix Cloud Platform itself will be available in Part 2.

User VMs are starting to be published, new applications are being built, workloads and databases are being transferred across, and a PCI DSS assessment with that really thorough Qualified Security Assessor (QSA) is rapidly approaching next month! On top of ALL of that, you still haven't had a chance to harden these 'Nut-a-Nix' servers to the latest hardening guidelines.

PaNic inTensiFies.

At Nutanix, we feel your frustration. Security is multi-faceted, it’s hugely complicated and new technology often adds to your pain rather than alleviating it. But, like a used car salesman, I’m about to slap the hood of our solution, and explain how using Nutanix in certain areas of your overall security strategy may lessen your workload burden, rather than add to it. Let’s take a look!

Section                       | Description                                 | Time
Start with your Apps!         | Getting started building a security policy  | 3 mins
Security Central Show & Tell  | Hands on with Security Central              | 8 mins
Next Stop, Microsegmentation  | Hands on with Flow Network Security         | 8 mins
Ok I'm interested             | How to configure and deploy these tools     | 7 mins
Final thoughts                | What now?                                   | 1 min

Start with your Apps!

So why are we starting with your applications? Applications are the prime target of compromise by hackers or “advanced persistent threats” (APT). Apps are the vehicle of business solutions, they’re critical components of revenue, they facilitate growth, drive innovation and are usually the backbone of how modern organizations function.

If we begin this journey by securing your applications' network traffic, a process often perceived as complicated and time consuming, we can show you how a tool like Nutanix Security Central™ identifies your apps and secures them with policies, while also surfacing configuration issues in your public cloud resources.

But wait, there’s more!

Security Central works hand in hand with a simple, quick, and effective VM-level software firewall built right into Nutanix AHV. We call that Flow Network Security™ (FNS).

With Security Central and FNS in place, applications can be more quickly and easily secured, monitored, audited and governed without the heavy lift of more resources or expensive third party tools.

Security Central Show and Tell

Perhaps I’ve got your attention, and if I have, we’re going to temporarily depart this blog post and navigate to an interactive playthrough experience which will show you how we use Security Central to discover a newly created application.

We’ll also use Security Central to define the proposed protection parameters for it, which can then be pushed to Prism Central for a Security manager to review and then acknowledge the policy before committing it to execution. 

Ready? Great, let’s go!

Fig 1: Security Central Dashboard (home).

Next Stop, Microsegmentation!

Congrats traveler you returned to the blog post! Your curiosity and commitment to securing your new Nutanix environment is truly great! 

Now that you've experienced how easily Security Central helps you identify, understand, plan for, and secure your apps, it is time to look at microsegmentation: why it matters, and how Nutanix implements it.

Nutanix has, for some time now, offered a simple way to firewall inter-VM network traffic (aka "lateral" or "east-west" traffic) for every packet traversing between VMs hosted on AHV. This is commonly referred to as microsegmentation, and at Nutanix we call the capability Flow Network Security (FNS).

Microsegmentation is a building block of Zero Trust architectures. With FNS you define discrete, deliberate network security policies, and because the whole capability is exposed through an API, policy creation and enforcement can be automated rather than clicked through by hand.

FNS begins with categorization: a metadata tag (a category such as AppType or AppTier) is attached to each virtual machine to describe one of its attributes, and policies are then written in terms of those categories rather than IP addresses, so a rule reads as "VMs in this category may reach VMs in that category on these ports". The original post illustrates the two policy forms here with images that are not reproduced in this text.

Writing rules in plain language reduces the scope for human error in the creative part of policy creation, but applying that logic across your infrastructure to arrive at a new security construct still needs a visualization of the traffic that actually flows between your VMs.

The end result of this effort is a purpose-built, more resilient and defensible systems architecture that is in line with Zero Trust Architecture (ZTA). Since FNS is an allowlist (whitelist) capability, you define what traffic is permitted and everything outside of that is blocked. That default-deny behaviour is exactly why a policy should first run in monitor mode: you see which flows would be blocked (backup jobs, monitoring agents, management access) before you switch it to enforcement.
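To make the category-based, default-deny logic from the last few paragraphs concrete, here is an added example (my own toy model, not Nutanix code and not the FNS API) that shows the shape of an app policy: a target group selected by category, inbound and outbound allow lists keyed on peer category, protocol and port, and a MONITOR versus APPLY mode. The VM names, categories, policies and sample flows are all constructed for the example; the "either endpoint covered by a policy needs a matching allow rule" evaluation is a simplification I chose to illustrate the allowlist behaviour, not a specification of how the product evaluates traffic.

```python
"""Toy model of category-based, default-deny microsegmentation (added example,
not Nutanix code). Shows why an allowlist policy is run in MONITOR mode first."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VM:
    name: str
    categories: Dict[str, str]      # e.g. {"AppType": "Shop", "AppTier": "Web"}


@dataclass
class Rule:
    peer: Dict[str, str]            # category selector for the peer; {} = any VM
    protocol: str                   # "TCP", "UDP", "ICMP" or "ANY"
    ports: Tuple[int, int] = (0, 0) # inclusive port range, ignored for ICMP/ANY


@dataclass
class AppPolicy:
    name: str
    target: Dict[str, str]          # categories a VM must carry to be governed
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    mode: str = "MONITOR"           # "MONITOR" only reports, "APPLY" enforces


@dataclass
class Flow:
    src: VM
    dst: VM
    protocol: str
    port: int


def matches(vm: VM, selector: Dict[str, str]) -> bool:
    """True when the VM carries every category:value pair in the selector."""
    return all(vm.categories.get(k) == v for k, v in selector.items())


def rule_allows(rule: Rule, peer: VM, protocol: str, port: int) -> bool:
    if not matches(peer, rule.peer) or rule.protocol not in ("ANY", protocol):
        return False
    if rule.protocol == "ANY" or protocol == "ICMP":
        return True
    lo, hi = rule.ports
    return lo <= port <= hi


def evaluate(flow: Flow, policies: List[AppPolicy]) -> Tuple[str, str]:
    """Default deny: a governed destination needs an inbound allow rule for the
    source, a governed source needs an outbound allow rule for the destination.
    Ungoverned VMs (no policy targets them) are left alone."""
    covered, enforced, monitored = False, [], []
    for p in policies:
        checks = []
        if matches(flow.dst, p.target):
            checks.append(("inbound", p.inbound, flow.src))
        if matches(flow.src, p.target):
            checks.append(("outbound", p.outbound, flow.dst))
        for direction, rules, peer in checks:
            covered = True
            if not any(rule_allows(r, peer, flow.protocol, flow.port) for r in rules):
                (enforced if p.mode == "APPLY" else monitored).append(f"{p.name} {direction}")
    if not covered:
        return "ALLOW", "no policy targets either endpoint"
    if enforced:
        return "BLOCK", "no allow rule in " + ", ".join(enforced)
    if monitored:
        return "ALLOW_MONITORED", "would be blocked by " + ", ".join(monitored)
    return "ALLOW", "matched allow rules"


def monitor_report(flows: List[Flow], policies: List[AppPolicy]) -> List[Tuple[str, str, str, int, str]]:
    """Flows that break once every policy is switched to APPLY: review these
    before enforcing, and add rules for the legitimate ones."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f, policies)
        if verdict in ("ALLOW_MONITORED", "BLOCK"):
            out.append((f.src.name, f.dst.name, f.protocol, f.port, reason))
    return out


def set_mode(policies: List[AppPolicy], mode: str) -> List[AppPolicy]:
    for p in policies:
        p.mode = mode
    return policies


# Constructed sample inventory: a three-tier shop plus two VMs nobody categorised.
WEB = VM("web-01", {"AppType": "Shop", "AppTier": "Web"})
APP = VM("app-01", {"AppType": "Shop", "AppTier": "App"})
DB = VM("db-01", {"AppType": "Shop", "AppTier": "DB"})
CLIENT = VM("laptop-7", {})                       # ungoverned end user
BACKUP = VM("backup-01", {"AppType": "Backup"})   # dependency the policy forgot

POLICIES = [
    AppPolicy("shop-web", {"AppType": "Shop", "AppTier": "Web"},
              inbound=[Rule({}, "TCP", (443, 443))],
              outbound=[Rule({"AppType": "Shop", "AppTier": "App"}, "TCP", (8443, 8443))]),
    AppPolicy("shop-app", {"AppType": "Shop", "AppTier": "App"},
              inbound=[Rule({"AppType": "Shop", "AppTier": "Web"}, "TCP", (8443, 8443))],
              outbound=[Rule({"AppType": "Shop", "AppTier": "DB"}, "TCP", (5432, 5432))]),
    AppPolicy("shop-db", {"AppType": "Shop", "AppTier": "DB"},
              inbound=[Rule({"AppType": "Shop", "AppTier": "App"}, "TCP", (5432, 5432))]),
]

SAMPLE_FLOWS = [
    Flow(CLIENT, WEB, "TCP", 443),   # normal user traffic
    Flow(WEB, APP, "TCP", 8443),     # sanctioned tier hop
    Flow(WEB, DB, "TCP", 5432),      # web tier talking straight to the database
    Flow(BACKUP, DB, "TCP", 22),     # legitimate backup job, not in any policy
]

if __name__ == "__main__":
    for row in monitor_report(SAMPLE_FLOWS, POLICIES):
        print("would break on APPLY:", row)
```

Run as-is, the two flows that are not in any allow list show up in the monitor report while still being passed; after `set_mode(POLICIES, "APPLY")` they are blocked, and the backup job only works again once a `Rule({"AppType": "Backup"}, "TCP", (22, 22))` is added to the shop-db inbound list. That review-then-enforce loop is the workflow the Security Central walkthrough above (propose, review, acknowledge, commit) is built around.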

To better understand the mechanics of providing microsegmentation to your Nutanix cluster I encourage you to indulge in another short break and watch this YouTube clip on how to stop malware with FNS:

Vid 1: How to Stop Malware with Flow | Flow Quick Start | Episode 1

OK I’m interested, what now?

You’ve read enough and are eager to at least practice the techniques you’ve learned here in your own environment. In this section we will explore the processes of setting up a Nutanix cluster to use FNS and Security Central. 

In Prism Central:

  • Settings 
  • Microsegmentation (wait for the checks to complete)
  • Enable Microsegmentation
  • Save
Fig 2: Prism Central > Settings > Microsegmentation

Once you've enabled Flow Network Security on your cluster you can begin assigning categories to your virtual machines, building policies and driving a more secure network environment.

Along with the inherent microsegmentation capability on AHV, we also provide the Security Central dashboard used in the first part of this blog post. The architecture of Security Central looks like this:

Fig 3: Security Central Architecture with Flow Network Security

A Security Central VM deployed on-prem acts as the collector: it gathers network flow and VM metadata from Prism Central and sends it to the Security Central dashboard over a secure tunnel. The dashboard can then also sync assets discovered in public clouds (AWS, Azure, etc.) into one easy to manage interface.

The YouTube clip below shows the process of downloading, deploying and configuring the Security Central collector VM (the FSC VM) on your NCI platform:

Vid 2: Nutanix Security Central Deployment

Final Thoughts

We set out on this journey to explore the possibility of securing the hybrid multi-cloud in less than half an hour and I think we’ve done that. You’re one step closer to realizing a more secure Nutanix private cloud platform. 

There are also many other technologies in the Nutanix Cloud Platform (NCP) that can be leveraged toward the goal of building a ZTA solution. Today we only had time to explore some of our solutions around application network security.

In Part 2 we'll cover the recent enhancements that simplify securing the Nutanix Cloud Infrastructure itself: AOS, AHV and access control methods.

So if you’d like to know more about any of these, or discuss anything you’ve read about in the blog today, reach out to your Nutanix team and ask for a meeting with one of our excellent Security Strategists. 

Until next time!