vArmour Policy Automation: Intent-Based, Simple and Safe

Policy automation is a rather broad term. Both policy and automation could mean many things to many people. In network security, policy is often viewed in terms of firewall (or firewall-like) rules, which in theory are manifestations of higher-level security policies, which in turn represent business objectives in some way. Likewise, security automation could cover the entire or a portion of the security policy lifecycle—planning, review, deployment, efficacy monitoring, updates, decommissioning, etc.—across several network security enforcement points/firewalls, located in different geographic regions, business units, public cloud, etc. 

vArmour provides easy-to-use tools to facilitate the management of the entire policy lifecycle. I will dive deeper into how vArmour helps automate the implementation of network security policies in modern data center, cloud and hybrid environments.

Here’s the Problem: Implementing network security policies takes a lot of time and effort. In many enterprises, network security policy implementations involve several functional teams, and are time-consuming operations. Depending on the number of firewalls involved, all the necessary changes may not be in place for several days or weeks - even when things go according to plan.

The problem is only getting worse. The frequency of changes in modern data centers, and in private, hybrid and public cloud environments keeps growing. Developers increasingly demand near-instant deployment times that they are accustomed to in the public cloud in their enterprise IT environments.

When security can’t keep up with the pace of change, the firm’s overall security posture invariably deteriorates. We’ve all seen this - tired of waiting, app owners seek laxer security controls and indulge in activities that don’t fit a strong security posture. They might ask for access to a larger set of IP addresses than currently necessary so that they won’t have to go through the gauntlet the next time. Or they run their app over ports that are already open on the firewalls, such as SSL, or worse, run their own “shadow IT” in the public cloud.

Let’s look into the kind of use cases increasingly common in modern enterprise data centers and hybrid cloud environments that need an increasingly agile security solution - see table below.

| Use Case | Description | Security Requirements |
|---|---|---|
| Dynamic deployment of virtual machines (VMs) | VMs can be spun up and down dynamically and elastically. | Attach policies as workloads are brought up, and remove policies as they are brought down. |
| Migration of VMs (e.g., vMotion) | VMs can be migrated to another hypervisor. | Ensure that the policies for the workloads follow them to the new host. |
| Short-lived applications or workloads | E.g., some virtual desktop infrastructure (VDI) workloads may serve their users only for a set period of time, and the next user of the VDI workload may not have the same rights as the previous one. | Dynamically apply policies on VDI workloads based on the user identity. |
| User identity-based control | Users are authenticated and assigned entitlements based on several factors, e.g., where they are logged on, the type of device they are using, etc. | Apply policies in accordance with the currently assessed entitlement rights, which can be held on an AAA system, an identity management system, etc. |
| Hybrid cloud migrations | Workloads are migrated between the on-premises network and the public cloud. | Policies need to be applied as workloads are migrated from on-prem to the cloud, and vice versa. |
| Public cloud workload instantiations | Workloads are instantiated in the public cloud. | Deploy policies as new workloads are instantiated. |

How does vArmour solve this?

At a high level, vArmour’s policy automation solution relies on the metadata associated with workloads (or services) to determine whether or not to apply any of the policies to those workloads/services. The metadata can be domain-specific, ranging from VM tags and attributes in VMware ESXi environments to Endpoint Groups (EPGs) in Cisco Application Centric Infrastructure (ACI) environments. Here is a list of the metadata sources and metadata types that vArmour supports or has in development.

| Metadata Source | Metadata |
|---|---|
| VMware vSphere | VM tags, VM name, VM FQDN, port group, custom attributes |
| Cisco Application Policy Infrastructure Controller (APIC) | Endpoint Groups (EPGs) |
| Cisco Identity Services Engine (ISE) | Security Group Tags (SGTs) |
| Microsoft Active Directory (AD) | Username attributes |
| Kubernetes | Labels |
| Microsoft Azure | Tags |

Sample Workflow: Intent-Based Dynamic Deployment of Workloads

Here’s how vArmour policy automation works - look at the sample workflow below. Let’s use “Dynamic Deployment of Workloads” in VMware ESXi environments as our example.

Step 1 - Configure the vArmour Director:

  • The VM metadata, e.g., VMs with the tag “Finance” (more than one tag/attribute is supported)
  • The metadata source, e.g., the vSphere server “VS-1”
  • The address group (AG) to associate the metadata with, e.g., “AG-Finance”
  • One or more policy rules that the AG should be part of

Step 2 - Once the configuration is done, the vArmour Director:

  • Periodically checks in with VS-1 for changes involving the tag “Finance”; when new workloads are created, the Director is also alerted and checks in with the vSphere server
  • Looks for new workloads with the tag “Finance”, workloads previously tagged Finance that no longer are, and workloads tagged Finance whose IP address has changed
  • Updates the address group “AG-Finance” accordingly: it adds the IP addresses of the new workloads, deletes the IPs of the workloads no longer tagged Finance, and updates the IPs of Finance workloads whose IPs have changed. Note that for new workloads, the vArmour Director will also automatically microsegment them based on the metadata.

Note that what the Director has done up to this point is to update the AG-Finance address group. This by itself does NOT automate any policies. Now, users must deliberate on the policies that should be associated with the Finance workloads, and compose the rules using AG-Finance.

Here is a key point with the vArmour approach: While vArmour automatically updates the address group based on the changes in the metadata membership, the actual policy decision or “intent” really belongs to the user. The user will need to decide to attach the address group in one or more policy rules. If the user does not decide to use the address group in any of the policies, no policies will be enforced specifically on the workloads tagged Finance.

Coming up with suitable policies can be a complex and tedious process without the right security tools. vArmour Policy Architect provides a suite of tools that help users develop and test suitable policies easily, accurately and safely. In this example, the user already knows the policy for AG-Finance, and has already included AG-Finance in the policy rules they configured in Step 1.

Step 3 - Once the user has attached the address group in one or more policy rules, the policy automation configuration process is complete. From this point on, any changes with the tag Finance will be reflected in the vArmour policies in place.

Now whenever a new workload with tag “Finance” is instantiated, the vArmour Director will not only microsegment the workload on the hypervisor but also update the address-group AG-Finance, which is used in one or more policies. It means that all new workloads tagged Finance will be automatically microsegmented and have those policies applied. Likewise, whenever a workload is decommissioned, vArmour will dynamically remove the workload from the policies. This eliminates the potential for holes in security rules that still allow traffic to decommissioned/dead workloads/apps.
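The following is an added illustration of the Step 2 reconciliation and the Step 3 “intent” check described above; it is example code written for this post, not vArmour’s own implementation. The vSphere snapshot, address group contents and rules are all constructed values, and the tag/IP layout is an assumption made for the example.

```python
from dataclasses import dataclass

# Constructed snapshot of what the metadata source (the vSphere server "VS-1" in the
# workflow) reports: VM name -> (set of tags, current IP). All values are made up.
VSPHERE_SNAPSHOT = {
    "fin-web-01": ({"Finance", "Web"}, "10.1.1.10"),  # unchanged Finance member
    "fin-db-01":  ({"Finance"}, "10.1.1.20"),         # Finance member, IP changed
    "hr-app-01":  ({"HR"}, "10.1.2.10"),              # tag Finance was removed
    "fin-api-02": ({"Finance"}, "10.1.1.30"),         # newly created Finance VM
    # "fin-old-01" is absent: the VM was decommissioned and no longer exists
}

# Constructed contents of the address group before reconciliation: VM name -> IP.
CURRENT_AG = {
    "fin-web-01": "10.1.1.10",
    "fin-db-01":  "10.1.1.21",
    "hr-app-01":  "10.1.2.10",
    "fin-old-01": "10.1.1.40",
}

# Constructed policy rules; only rules that reference an AG give it any effect.
RULES = [
    {"name": "allow-web-to-finance", "src": "AG-Web", "dst": "AG-Finance", "action": "allow"},
    {"name": "deny-any-to-hr", "src": "any", "dst": "AG-HR", "action": "deny"},
]

@dataclass
class AgDelta:
    added: dict     # name -> ip for workloads newly carrying the tag
    removed: dict   # name -> ip for workloads untagged or decommissioned
    updated: dict   # name -> (old_ip, new_ip) for tagged workloads whose IP moved
    members: dict   # resulting address group membership (name -> ip)

def reconcile_address_group(snapshot, current, tag):
    """Step 2: derive the desired AG membership from the tag and diff it against
    the current membership, covering the three cases the workflow lists."""
    desired = {name: ip for name, (tags, ip) in snapshot.items() if tag in tags}
    added = {n: ip for n, ip in desired.items() if n not in current}
    removed = {n: ip for n, ip in current.items() if n not in desired}
    updated = {n: (current[n], ip) for n, ip in desired.items()
               if n in current and current[n] != ip}
    return AgDelta(added, removed, updated, desired)

def rules_enforcing(rules, ag_name):
    """Step 3 / the intent point: list the rules in which the AG actually appears.
    An empty result means no policy is enforced on that group's workloads."""
    return [r["name"] for r in rules if ag_name in (r["src"], r["dst"])]
```

Running `reconcile_address_group(VSPHERE_SNAPSHOT, CURRENT_AG, "Finance")` yields one addition, two removals (the untagged VM and the decommissioned one) and one IP update, and `rules_enforcing(RULES, "AG-Finance")` shows the single rule that turns that membership into enforced policy.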

Other Integrations

Users can use the same workflow to automate policies based on the other metadata sources mentioned above. vArmour’s Application Visibility tools enable users to perform common functions, such as importing metadata into the vArmour Director, managing it, and visualizing the application flows associated with the metadata, easily and intuitively.

Benefits of Fabric-Wide Policy

In traditional environments, policies may need to be applied on different firewalls along the path of the traffic. That is, automation needs to cover not just one firewall but all the firewalls involved. This is where vArmour’s fundamental architecture shines. Because vArmour maintains the same set of policies everywhere in the vArmour DSS, policy changes take effect throughout the network. That means a traffic flow that traverses from a VM in the virtual environment to a server in the traditional physical environment can be enforced by the same consistent set of policies. Similarly, security enforcement of VM migrations is not a problem at all—the policies await the migrated VM at the destination host.

Considerations

Policy automation is a very powerful capability. When done correctly, it enables admins and app owners to dynamically enforce security policies in step with changes in the infrastructure and beyond. No longer do app owners need to go through several groups or wait several weeks to have policies updated. At the same time, careful initial planning and oversight are needed, along with periodic reviews of the effectiveness and enforcement of the policies.

vArmour’s Policy Architect provides a suite of application visibility and policy management tools to help users keep track of their policy environment. I will be writing more about policy computation capabilities and different aspects of the policy management lifecycle and how vArmour can help. Stay tuned!

By the way, you can try out Policy Architect for free now through our trial program. It’s a 100% software download that can be installed in under an hour. You can sign up here.