Scan PCI-DSS Network Security Compliance with VMware vRealize Network Insight 4.0


Compliance regulations are arguably among the most difficult things administrators must deal with today. On top of technical troubleshooting and other duties, they can be difficult to implement and maintain successfully. Organizations that handle credit card transactions are subject to the PCI-DSS compliance regulation. It maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data. There are many aspects to this compliance regulation, including aspects that affect network communication and security. In this post we will see how, with VMware’s NSX virtualized network infrastructure, one can scan PCI-DSS network security compliance with VMware vRealize Network Insight 4.0.

Advantages of Network Virtualization for Compliance

Network virtualization has many advantages. One that is often missed when weighing an implementation is the help it gives with compliance regulations. The very constructs of the software-defined network architecture make it possible to gather information about traffic flows, firewall rules, logical switching, VXLAN communication, etc. This can provide tremendous visibility compared to traditional physical network tooling and other means of seeing traffic flows and other network information.

On the flip side, network virtualization can be a challenge for those without the proper tooling to gather this kind of information or who do not know where to look for it. VMware’s vRealize Network Insight 4.0 is a powerful tool that, among other things, gathers and analyzes a wealth of network-related information pulled from the VMware NSX environment. With vRNI, you can see a tremendous amount of information about traffic characteristics in the environment and how traffic is currently flowing between hosts, guests, to the Internet, etc. This includes north/south traffic as well as east/west traffic. Having this kind of visibility is an important first step in understanding how traffic needs to be secured. The vRNI 4.0 dashboards make these details easy to see. Below is the Plan Security dashboard showing key statistics in the environment. You can group this by a variety of viewpoints including VLAN, VXLAN, etc. You can also see the percentage of traffic, how it is flowing, and in which directions. What about ports used? This is easily gathered with vRNI 4.0.

Viewing Traffic Distribution, ports, and micro-segments with vRNI 4.0

VMware vRNI 4.0 lets you drill down to individual elements such as VMs to see traffic flows, etc. Notice the links for viewing the flows as well as the automatically rendered topology, which shows how the virtual machine's network communication flows through the NSX overlay environment.

Viewing details of network flows at the VM level with vRNI 4.0

In the Events section of viewing a VM, you can see powerful auditing metrics that show changes made from a network perspective to the virtual machine.

Virtual Machine Events showing easily auditable changes from Network layer for PCI

Which flows to/from the VM are allowed and which are denied? You can see this in the Flows section.

Allowed and Denied Flows auditing from a VM level in vRNI 4.0

The Metrics section provides several tabs for viewing important metrics including neighbors, performance, paths to TOR, and many others. VMware vRNI 4.0 queries VMware Tools to pull various VM metrics in for analysis.

Gathering VM Key Metrics using vRNI 4.0

Which VMs are adjacent to the VM you have focus on? The VM Neighbors tab shows this information quickly and easily. You can drill in further on those particular VMs as needed.

VM Neighbors analysis using vRNI 4.0 allows easily seeing VMs adjacency

One of the tremendously powerful capabilities of vRNI 4.0 is the ability to scan PCI-DSS network security compliance using its purpose-built PCI dashboard.

Let’s see how this functionality is implemented in vRealize Network Insight 4.0, which PCI objectives it provides visibility into, and the specific dashboards that show PCI-DSS related information pulled from VMware NSX traffic flows and other sources.

Scan PCI-DSS Network Security Compliance with VMware vRealize Network Insight 4.0

To get to the built-in PCI analysis in vRealize Network Insight 4.0, navigate to the Security > PCI Compliance node. This will launch the dashboard for checking PCI compliance. I have collapsed the various nodes in this dashboard to show the different aspects of PCI-compliance you can see with the analysis. These include:

  • Scope
  • Network flows
  • Firewall rules
  • Security Changes
  • My view

Viewing the various PCI compliance nodes

Let’s look at the Scope node first and what is contained there. The Scope section lists the PCI compliance areas that the vRNI PCI Compliance dashboard provides visibility into. These include the following:

  • Section 1.1.1 – A formal process for approving and testing all network connections and changes to the firewall and router configurations
  • Section 1.1.2 – Network diagram that identifies all connections between the data environment and other networks
  • Section 1.1.3 – Network diagram that shows all data from across systems and networks
  • Section 1.1.4 – Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
  • Section 1.3.1 – Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
  • Section 2.3 – Encrypt all non-console administrative access using strong cryptography
  • Section 6.4 – Follow change control processes and procedures for all changes to system components

Showing the PCI Scope contained in vRNI 4.0

The Network flows section shows valuable information, including the specific PCI sections that are addressed by the information displayed. Notice the Clear text protocol flows, which help to drill in on clear text transmission of data.

VMware vRealize Network Insight Network Flows analysis for PCI-DSS
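
The kind of check the Network flows section supports can be sketched over exported flow records. This is an added example, not vRNI code or its API: the record fields, VM names, addresses, and the cleartext port list are assumptions constructed for illustration, and the two PCI sections are taken from the Scope list above.

```python
import ipaddress

# Port-based heuristic for protocols that send data unencrypted by default.
# This list is an assumption for the example, not vRNI's own definition.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 513: "rlogin", 514: "rsh"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Constructed inventory of VMs in PCI scope (hypothetical names).
PCI_SCOPE = {"10.10.20.11": "pci-db01", "10.10.20.12": "pci-app01"}
# Constructed flow records; field names are hypothetical.
FLOWS = [
    {"src": "10.10.30.5", "dst": "10.10.20.11", "port": 23, "action": "ALLOW"},
    {"src": "10.10.30.5", "dst": "10.10.20.11", "port": 22, "action": "ALLOW"},
    {"src": "203.0.113.40", "dst": "10.10.20.12", "port": 443, "action": "ALLOW"},
    {"src": "203.0.113.40", "dst": "10.10.20.12", "port": 80, "action": "DENY"},
    {"src": "10.10.20.12", "dst": "10.10.20.11", "port": 3306, "action": "ALLOW"},
    {"src": "10.10.40.9", "dst": "10.10.50.2", "port": 21, "action": "ALLOW"},
]


def audit_flows(flows, scope=PCI_SCOPE, internal=INTERNAL):
    """Return (pci_section, vm, peer_ip, port, reason) for allowed flows to review."""
    findings = []
    for f in flows:
        if f["action"] != "ALLOW":
            continue  # denied flows were blocked before reaching the VM
        # Look at the flow from the side of each endpoint that is in PCI scope.
        for vm_ip, peer_ip, inbound in ((f["dst"], f["src"], True),
                                        (f["src"], f["dst"], False)):
            vm = scope.get(vm_ip)
            if vm is None:
                continue
            proto = CLEARTEXT_PORTS.get(f["port"])
            if proto:  # review against Section 2.3 (encrypted admin access)
                findings.append(("2.3", vm, peer_ip, f["port"], f"clear text {proto}"))
            if inbound and ipaddress.ip_address(peer_ip) not in internal:
                # review against Section 1.3.1 (DMZ limits inbound traffic)
                findings.append(("1.3.1", vm, peer_ip, f["port"], "inbound from Internet"))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```

Port numbers alone do not prove a flow is unencrypted or administrative, so each finding is a candidate for review rather than a confirmed violation.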

I didn’t have any firewall rules in place when gathering the information in the lab. However, notice how easy it is to view Firewall rules applied on Internet traffic, Firewall rules applied on incoming traffic, and Firewall rules applied on outgoing traffic.

Firewall rules analysis for PCI compliance using vRNI 4.0

The Security changes section allows easily auditing changes made in the environment for change control purposes.

Security changes analysis allows auditing change control in the NSX environment using vRNI 4.0

All in all, the information gathered, analyzed, and displayed in vRealize Network Insight 4.0 is a great resource for successfully complying with required regulations such as PCI-DSS.

Final Thoughts

VMware vRealize Network Insight 4.0 is a powerful tool for VMware NSX administrators. It makes the gathering, analysis, and viewing of information pulled from the NSX environment very easy. An often overlooked value it provides is the ability to scan PCI-DSS network security compliance. This process is extremely easy, as vRNI 4.0 has a purpose-built dashboard for PCI compliance. Additionally, much of the default information you see when drilling into various resources provides what is needed for a granular understanding of how network traffic is flowing in and out of the vSphere environment, especially for VMs that are in the scope of PCI.