Nutanix Flow: Nutanix Tech Note Version 1.2 - June 2020 - TN-2094
Copyright
Copyright 2020 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws.
Nutanix is a trademark of Nutanix, Inc. in the United States and/or other jurisdictions. All other
marks and names mentioned herein may be trademarks of their respective companies.
Contents
1. Executive Summary
2. Introduction
  2.1. Audience
  2.2. Purpose
4. Nutanix Flow
  4.1. Architecture
  4.2. Enabling Flow Microsegmentation and Visualization
  4.3. Categories
  4.4. Security Policies
  4.5. Using Quarantine Policies
  4.6. Using Isolation Policies
  4.7. Using Application Policies
  4.8. Using VDI Policies for Identity-Based Security
  4.9. Logging and Auditing with Syslog
  4.10. Using Export and Import to Backup Policies
  4.11. Special Considerations
5. Conclusion
Appendix
  References
  About Nutanix
List of Figures
List of Tables
1. Executive Summary
Flow offers policy-based network security tightly integrated into Nutanix AHV and Prism
Central. Flow provides rich visualization, automation, and security for VMs running on AHV.
Microsegmentation is a component of Flow networking that simplifies policy management. Using
multiple Prism Central categories (logical groups), you can create a powerful distributed firewall
that gives administrators an application-centric policy management tool for securing VM traffic.
Categories allow you to flexibly group VMs based on attributes to define security policies. By
using logical categories, you no longer need to base policy definitions on network addresses or
manually update policies to handle network changes. Your security policy can automatically apply
to a VM independent of its network configuration. With Flow, administrators can visualize traffic
between groups of VMs to create plain-language policies based on application behavior, rather
than defining allowed traffic in the language of IP addresses and subnets.
With Flow, Nutanix extends Prism Central’s consumer-grade simplicity and ease of use beyond
virtualization and storage infrastructure management to the world of network security.
2. Introduction
2.1. Audience
This tech note is part of the Nutanix Solutions Library. We wrote it for architects and
administrators responsible for VM networking and security. Readers of this document should
already be familiar with Nutanix AHV and Prism Central.
2.2. Purpose
In this document, we cover the following topics:
• Nutanix Flow.
• Flow microsegmentation.
• Flow visualization.
• Creating and managing categories.
• Creating and managing security policies.
• Identity-based security with Active Directory.
• Logging and auditing.
Table 1: Document Version History

Version Number   Published    Notes
1.0              April 2018   Original publication.
1.1              May 2018     Added Service Chain KB article.
1.2              June 2020    Updated for 5.17.
4. Nutanix Flow
Nutanix Flow delivers advanced networking and security services, providing visibility into the
virtual network, application-centric protection from network threats, and automation of common
networking operations.
Fully integrated into Nutanix AHV virtualization, Flow allows organizations to deploy software-
defined virtual networking without the complexity of installing and managing additional products
that have separate management and independent software maintenance requirements.
Flow provides application-centric policies that enable complete visibility and traffic control. This
policy model allows administrators to implement fine-grained rules regarding traffic sources and
destinations, or microsegmentation. These same policies make it possible to visualize traffic
flowing within and between application VMs. This granular level of control is an important part of
a defense-in-depth strategy against modern datacenter threats.
Nutanix Flow protects against new threats designed to spread laterally from one system to
another within the same protected datacenter. Because perimeter-based firewalls traditionally
only protect the environment from external threats, it can be difficult to repurpose them to protect
internal traffic. Flow applies security rules between all applications and VMs in the datacenter,
adding internal protection behind your perimeter firewall.
4.1. Architecture
The Nutanix management plane, Prism Central, provides policy administration for Nutanix Flow.
Prism Central and the registered Nutanix clusters combine to form the control plane for Flow. The
data plane is the Nutanix AHV host Open vSwitch, which processes VM network traffic.
4.3. Categories
Categories can group entities like VMs together logically. Each category consists of two parts,
a key and a value. For example, the Environment key may have several values, such as
Production, Development, Staging, or Test. When assigned to a VM, each category consists
of a text-based key-value pair. For example, you assign Environment: Production—a key of
Environment and a value of Production—to a VM in the production environment.
Categories are extremely flexible, and you can create new key-value pairs to group VMs based
on application requirements. Categories are the building blocks of security policies, so think
carefully about what labels you need to segment network traffic along existing logical boundaries.
For example, production may be isolated from development, or a proxy application may require
special access from the Internet.
There are a number of system categories built into Prism Central that have a special meaning
when used in Nutanix Flow. You must use these system categories to take advantage of security
policies. Start with the existing categories and add your own if needed. The following sections
describe several important system categories that Flow requires for building policies.
When creating Application Security Policies, Nutanix Flow uses AppType categories to manage
traffic to and from an application, so define your applications with the appropriate AppType
values. Select AppType, then select Update to add your own custom application names.
If the VM is part of the production environment, it may also have an environment category
assigned, as shown here.
When creating application security policies, Nutanix Flow uses the AppTier values to secure
communication to, from, and between application tiers. Create custom tiers for your application
by selecting AppTier, then Update from the Virtual Infrastructure, Categories menu in Prism
Central.
You can create new category keys as needed for inbound and outbound endpoints and isolation
policies, but Nutanix recommends keeping things as simple as possible while still achieving the
desired result. Creating the smallest possible number of categories helps ensure that policy
creation is quick and easy for the administrator.
The creation of Exchange policies for branch offices illustrates the tradeoff between the
number of categories and the number of policies. Consider the categories and policies required
for two approaches: one category per site type, and one category per site. Each approach
produces the same effective policy, but the second requires more effort to build and maintain.
With the first approach, a single category, SiteType: Branch, is applied to all VMs at all
branches, so the security policy that allows branches to reach Exchange needs just one inbound
entry covering every branch VM. With the second approach, a category is created for each site,
Site: Branch-001 through Site: Branch-004, and the same policy needs four inbound rules.
The first approach makes the security policy easy to create as long as all branches have the
same relationship to the HQ application. The second approach gives more control per site, but
the relationship between each site and HQ must be defined individually, which is time
consuming when there are many sites.
With the Site category, you can define complex relationships between sites by the individual site
number. For simpler policy creation, you can use the SiteType category to define relationships
between all sites and HQ. This flexibility demonstrates the power of categories and shows that
thinking about the relationships in an application can help you create more useful categories.
4.4. Security Policies
policy to define a mailbox and an edge tier inside the Exchange application. Furthermore, you
can then set this policy to allow sources such as Marketing and Sales access to the mailbox tier,
with both Exchange tiers allowed access to AD and Windows Update servers.
Finally, a VDI policy uses Microsoft Active Directory integration to categorize VMs based on
the AD group of the logged-in user. The VDI policy looks just like an application policy, with the
protected desktops at the center and sources and destinations on the side. Each AD group
becomes a tier of the policy. The big difference between VDI policies and application policies is
that when a user belongs to more than one AD group, the tiers of a VDI policy matching those
groups are combined as a union. The corresponding combined whitelist is used to determine
allowed traffic.
Nutanix Flow evaluates security policies in the order shown in the next figure to build traffic
rules: quarantine, then isolation, then application, then VDI. If traffic matches a rule, Flow
applies the action in that policy and stops further policy processing. If no quarantine or
isolation rule matches the traffic, the application rules evaluate it for a match. If no
application rule matches, the traffic is evaluated against the VDI policies. If the traffic
source and destination match no rule at all, Flow allows the traffic. The default for unmatched
traffic is therefore allow, not deny: a VM that is not covered by any policy's target group or
isolation category is not protected by Flow.
Traffic is matched both as it leaves VMs and as it is sent to VMs. Matches are made using both
source and destination IP addresses as well as protocol and destination port. Even VMs on the
same AHV host that send traffic to each other are protected by these rules.
Forensic quarantine policies, application policies, and VDI policies are all matched based on
the combination of a source or destination whitelist and target group (TG), which is the item at
the center of the security policy. Strict quarantine policies contain only a target group with no
whitelist. Isolation policies contain only a source and destination category and are matched by
the source and destination IP addresses of traffic.
Combining Policies
The evaluation order allows you to combine multiple policies and policy types to build a complete
security solution for a set of applications. First, use quarantine policies to temporarily isolate a
specific VM from all other VMs. Next, use isolation policies to define which groups of VMs must
never be allowed to talk with other groups. Use application policies to control traffic allowed
to, from, and within applications. Application policies can allow traffic between two or more
applications as well but remember to ensure that the policy of each application allows this traffic.
One application policy’s outbound connection may be another policy’s inbound connection.
Finally, VDI policies control traffic to and from VMs based on the Active Directory user group of
the logged in user.
Policy Mode
The two selectable modes for security policies are Apply and Monitor. A policy in Monitor mode
allows traffic, even if the policy does not specifically define that traffic as allowed. In contrast,
Apply mode only allows specifically defined traffic.
Monitor mode is the default state for a newly created policy. Use Monitor mode in combination
with flow visualization to track flows on a newly created policy and ensure that it contains the
expected traffic. Once you have confirmed policy accuracy, you can move policies from Monitor
to Apply mode. Use flow visualization in Apply mode to see blocked traffic.
All policies except strict quarantine have a monitor mode. Pay careful attention to the policy
evaluation order, since traffic that matches a policy in monitor mode is allowed and all further
policy processing stops. For example, a matching Isolation policy in Monitor mode allows traffic
that an Application policy further down the processing order may have otherwise blocked.
4.5. Using Quarantine Policies
Select Strict to place the VM into the default quarantine category, which restricts all traffic to and
from the VM. Select Forensic to place the VM into the forensic category, which allows a defined
set of sources and destinations.
Modify the quarantine policy to add your own tools as needed. In this example, the security
team is allowed access to the forensic quarantined VMs on specific ports. You can add inbound
sources and even outbound destinations to the forensic category; however, you cannot add any
sources or destinations to the default strict category.
4. Nutanix Flow | 21
Nutanix Flow
4. Nutanix Flow | 22
Nutanix Flow
4. Nutanix Flow | 23
Nutanix Flow
Create isolation policies by navigating to Policies and Security Policies. Click Create Security
Policy, then select Isolate Environments (Isolation Policy).
Give the isolation policy a name and select the two categories that should be separated from
each other. You can use any two categories to create an isolation policy.
If you have more than two groups that require separation (for example, Production, Dev,
Staging, and Testing), create an isolation policy for each unique pair of groups, which means
n(n - 1)/2 policies for n groups. For a large number of groups this list of isolation policies
grows quickly, so application policies, which in Apply mode deny everything not explicitly
allowed to the target group, may be more effective than isolation policies in that case. For
example, separating four groups requires the following six policies.
Adding one more group that requires isolation, such as Environment: Backup, requires four new
isolation policies, one to isolate each of the existing groups from the new group, for ten
policies in total.
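To make the behavior described under Security Policies concrete, the following added example (the editor's own Python, not Nutanix code, and not a description of how Flow is implemented) models the policy evaluation order, the matching of traffic both as it leaves the source VM and as it reaches the destination VM, the monitor-mode short-circuit, the n(n - 1)/2 growth of pairwise isolation policies described in this section, and the all-or-nothing treatment of IPv6 covered under Special Considerations later in this document. The VM addresses, policy names, category values and flows are constructed for the example.

```python
"""Toy model of the Flow policy evaluation order (quarantine, isolation, application,
then default allow) with monitor-mode short-circuit, two-sided matching, pairwise
isolation growth and IPv4-only rules. Editor's example, not Nutanix code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import combinations

@dataclass
class VM:
    ip: str
    categories: dict          # key -> value, e.g. {"AppType": "Exchange"}

@dataclass
class Flow:
    src: VM
    dst: VM
    proto: str                # "TCP", "UDP" or "ICMP"
    dport: int = 0            # ignored for ICMP

@dataclass
class Policy:
    kind: str                 # quarantine_strict | quarantine_forensic | isolation | application
    name: str
    mode: str = "APPLY"       # or "MONITOR"; strict quarantine has no monitor mode
    target: dict = field(default_factory=dict)   # target group (quarantine/application)
    pair: tuple = ()          # isolation: the two category dicts to keep apart
    inbound: list = field(default_factory=list)  # (peer, proto, port); peer = category dict or CIDR
    outbound: list = field(default_factory=list)
    allow_ipv6: bool = False  # the policy's "Block IPv6" option, inverted
ORDER = {"quarantine_strict": 0, "quarantine_forensic": 1, "isolation": 2, "application": 3}

def in_cat(vm, cats):         # True when the VM carries every key:value pair in cats
    return all(vm.categories.get(k) == v for k, v in cats.items())

def peer_matches(vm, peer):   # Subnet/IP entries are CIDR strings, the rest are category dicts
    return ip_address(vm.ip) in ip_network(peer) if isinstance(peer, str) else in_cat(vm, peer)

def verdict(p, flow, side):
    """ALLOW/DENY if policy p applies to this flow on this side, else None."""
    vm, peer = (flow.src, flow.dst) if side == "egress" else (flow.dst, flow.src)
    if p.kind == "quarantine_strict":
        return "DENY" if in_cat(vm, p.target) else None
    if p.kind == "isolation":   # matched on both VMs' categories, in either direction
        hit = any(in_cat(flow.src, a) and in_cat(flow.dst, b) for a, b in (p.pair, p.pair[::-1]))
        return "DENY" if hit else None
    if not in_cat(vm, p.target):               # forensic quarantine and application policies
        return None
    if ip_address(flow.src.ip).version == 6:   # rules are IPv4 only: IPv6 is all or nothing
        return "ALLOW" if p.allow_ipv6 else "DENY"
    for peer_spec, proto, port in (p.outbound if side == "egress" else p.inbound):
        if peer_matches(peer, peer_spec) and flow.proto == proto and (proto == "ICMP" or flow.dport == port):
            return "ALLOW"
    return "DENY"

def evaluate(policies, flow):
    """Match at source egress and destination ingress; first match per side decides, else allow."""
    decision, trace = "ALLOW", []
    for side in ("egress", "ingress"):
        for p in sorted(policies, key=lambda q: ORDER[q.kind]):
            v = verdict(p, flow, side)
            if v is None:
                continue
            if v == "DENY" and p.mode == "MONITOR" and p.kind != "quarantine_strict":
                v = "ALLOW"   # monitor mode: would have denied; traffic passes and evaluation stops
            trace.append(f"{side}: {p.name} ({p.mode}) -> {v}")
            decision = "DENY" if v == "DENY" else decision
            break
        else:
            trace.append(f"{side}: no policy matched, default allow")
    return decision, trace

def isolation_policies(key, values, mode="APPLY"):
    """One isolation policy per unique pair of values: n(n-1)/2 policies for n values."""
    return [Policy("isolation", f"isolate-{a}-{b}", mode, pair=({key: a}, {key: b}))
            for a, b in combinations(values, 2)]

def run_demo():
    """Constructed VMs, policies and flows; returns flow label -> decision."""
    mbx = VM("10.1.1.10", {"AppType": "Exchange", "Environment": "Production"})
    sales = VM("10.1.2.20", {"AppType": "Sales", "Environment": "Production"})
    dev = VM("10.2.1.5", {"Environment": "Development"})
    bad = VM("10.1.2.21", {"AppType": "Sales", "Quarantine": "Strict"})
    mbx6, sales6 = VM("fd00::10", mbx.categories), VM("fd00::20", sales.categories)
    exchange = Policy("application", "Exchange", target={"AppType": "Exchange"},
                      inbound=[({"AppType": "Sales"}, "TCP", 443), ("10.0.0.0/8", "TCP", 25)])
    strict = Policy("quarantine_strict", "Quarantine-Strict", target={"Quarantine": "Strict"})
    envs = ["Production", "Development", "Staging", "Test"]   # 4 groups -> 6 isolation policies
    stack = lambda mode: [strict, exchange] + isolation_policies("Environment", envs, mode)
    v6_open = [Policy("application", "Exchange-v6", target={"AppType": "Exchange"}, allow_ipv6=True)]
    cases = {
        "sales->mbx tcp/443": (stack("APPLY"), Flow(sales, mbx, "TCP", 443)),
        "sales->mbx tcp/22": (stack("APPLY"), Flow(sales, mbx, "TCP", 22)),
        "dev->mbx tcp/443": (stack("APPLY"), Flow(dev, mbx, "TCP", 443)),
        "dev->mbx tcp/443, isolation in monitor mode": (stack("MONITOR"), Flow(dev, mbx, "TCP", 443)),
        "quarantined->mbx tcp/443": (stack("APPLY"), Flow(bad, mbx, "TCP", 443)),
        "sales6->mbx6 tcp/443, IPv6 blocked": (stack("APPLY"), Flow(sales6, mbx6, "TCP", 443)),
        "sales6->mbx6 tcp/9999, IPv6 allowed": (v6_open, Flow(sales6, mbx6, "TCP", 9999)),
    }
    return {label: evaluate(pols, flow)[0] for label, (pols, flow) in cases.items()}
```

Calling run_demo() returns the decision for each constructed flow, and evaluate() also returns a trace showing which policy decided on each side. The case "dev->mbx tcp/443, isolation in monitor mode" is the trap the Policy Mode section warns about: the monitor-mode isolation policy matches first, allows the traffic and stops evaluation, so the Exchange application policy that would have denied it is never consulted. The two IPv6 cases show why the tech note recommends Block IPv6: with IPv6 allowed, the whitelist plays no part and port 9999 is reachable.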
4.7. Using Application Policies
To create application policies in Prism Central, select Policies, Security Policies, click Create
Security Policy, then select Secure an Application.
Enter a name for the policy and a helpful text description. The application drop-down menu
shows the list of available AppType categories.
Note: You can only use an AppType category to create an application policy.
The application policy definition page also controls whether IPv6 traffic is allowed for this policy.
Nutanix recommends blocking IPv6 traffic within security policies; otherwise, all IPv6 traffic is
allowed to and from the target group, with no restrictions.
You can also enable policy hit log creation for the specified policy. When this is selected, traffic
sessions to and from the protected application generate syslog messages to the configured
syslog server.
Add inbound sources on the left side of the application policy by category or IP subnet. Select
Category from the drop-down menu and use the text box to search for and select the desired
category. All VMs tagged with this category are added as an allowed source.
Select Subnet/IP and enter the IPv4 network address in CIDR notation (IP/mask length). For
example, use a mask length of 24 to allow an entire /24 subnet (256 addresses), or a mask
length of 32 to allow only a single host IP address. Using IP subnets is helpful when the
source or destination you're adding is external to the Nutanix cluster, because categories can
only be assigned to entities that Prism Central manages.
After clicking Add to add a source, click the plus sign to select the traffic’s destination, allowing
traffic to a specific tier within the application.
Add allowed protocols and ports such as TCP, UDP, and ICMP to the flow.
Adding categories and IP subnets as destinations in an application policy works in a similar way,
but you select the plus sign on the source tier of the application after adding a destination on
the right.
Application Tiers
Add tiers to an application that requires granular traffic control for the different VMs in the
application. In the previous example, we combined the Exchange AppType category with two
AppTier categories: Exchange_Mailbox and Exchange_Edge_Transport. To use these AppTier
categories in the application policy, select Set rules on App Tiers instead, which lets you allow
traffic to and from individual tiers of the application.
Now you can control sources and destinations at the individual tier level.
To control traffic between application tiers, click Set Rules within App at the top of the screen
and select the tiers from which traffic should be allowed. Use the plus signs that appear on the
other tiers to define the allowed traffic.
To control traffic between VMs in a single application tier, select whether traffic is allowed within
the same tier. For Exchange, it is desirable to allow traffic between servers in the same tier,
but an administrator may want to disallow traffic between web VMs in the same front-end web
application tier for additional security. This additional specification is also very useful between
desktop VMs to prevent the spread of malware.
Nutanix partners with companies that provide virtual network functions (NFV appliances). The
deployment workflow of these partner applications can automate the creation of a service chain
directly from a Calm blueprint or other orchestration tool. To create a service chain manually,
follow the documentation for service chain creation in KB 5486 (see References).
Once the service chain is created, it's available to use in Flow right away. In Prism Central, use
Flow to create the allowed inbound or outbound rule as usual, then select the desired service
chain from the drop-down menu.
Flow Monitoring
Application policies provide flow visualization based on collected traffic statistics to monitor
blocked and allowed traffic flows. Nutanix AHV hosts collect traffic information and send it to
Prism Central, which builds a flow visualization view inside the policy. The traffic display may take
a few minutes for processing and presentation. Flow monitoring and visualization is meant to
simplify policy creation and should not be used as a traffic auditing tool. Instead use syslog as the
source of truth for audit purposes.
When an application policy is in Monitor mode, traffic to the application that isn’t allowed in the
policy is shown in yellow. Hovering over the traffic flow shows details about port and protocol.
Clicking on the detected flow shows a list of all the ports and protocols. When you edit the policy,
hovering over the traffic inbound source or outbound destination allows you to add a specific flow
to the policy. This flexibility helps create an accurate policy, ensure that no traffic is missed, and
see what activity is taking place.
When an application policy is in Apply mode, denied traffic displays with a red block symbol,
denoting connection attempts that the policy blocked.
Each of these visual displays of traffic also generates a syslog entry sent to the configured syslog
server if you enable hit logs for the policy.
Using the filter allows you to protect applications in different environments with different security
policies.
4.8. Using VDI Policies for Identity-Based Security
The tiers of matching ADGroups are evaluated as a union and the resulting combined whitelist
is applied to the VM. For example, if a user belongs to both ADGroup: Marketing and ADGroup:
Engineering, the rules for both Marketing and Engineering are applied to the VM. In the example
policy, a user in both groups who logs on to a desktop VM therefore has access to both Oracle
and Files, because the allowed destinations of the two tiers are combined.
Use the default intratier settings of the VDI policy to block traffic between VMs in the same tier.
This setting helps prevent the spread of malware from one desktop to another.
In Prism Central 5.17, VDI policies do not allow visualization, so refer to hit logs in the SIEM to
track traffic in the policy.
4.9. Logging and Auditing with Syslog
Policy hit logs track network flows and whether they were allowed or denied by a specific policy.
Use policy hit logs to determine if specific traffic is present on the network and how a security
policy affects the traffic. Use Flow policy hit logs as the definitive tool for tracking connections to
secured VMs.
Audit logs are enabled by default and capture all changes related to Flow made in Prism Central.
Policy hit logs are enabled for each Flow policy and are disabled by default. Policy hit logs may
generate a large amount of data. To analyze the data from policy hit logs, use an external remote
syslog server or SIEM (Security Information and Event Management) system to collect these
events. Audit logs are sent from Prism Central to the remote syslog server and can also be
viewed in Prism Central. Policy hit logs are sent directly from each AHV host to the syslog server
but generate too much data to consume inside Prism, so you must do policy hit log analysis on
the external SIEM.
Ensure that the remote syslog server or SIEM expects traffic sourced from both Prism Central
and each individual AHV host. Configure a remote syslog server in Prism Central and select the
desired port and protocol.
Select the desired modules such as Audit and Flow to collect audit and policy hit logs and set
the severity level to 6 - Informational. You must set the level to at least 6 to receive policy hit
logs.
The Audit and API Audit modules capture changes to policies and categories made through the
Prism Central interface and directly through the Prism Central REST API endpoint, respectively.
The Flow module carries the policy hit logs.
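As an added example of the collector side of this setup (the editor's own Python, not Nutanix code), the following script flags expected log sources that are not reporting, which is the failure mode to watch for when hit logs arrive from every AHV host individually rather than from Prism Central. It parses only the BSD syslog header of constructed sample lines; the message bodies are placeholders, since this tech note does not reproduce the actual Prism Central audit or AHV hit log format, and the assumption that hit logs arrive at severity 6 (Informational) follows from the level requirement above.

```python
"""Collector-side check that every expected Flow log source (Prism Central for
audit logs, each AHV host for policy hit logs) is actually reporting. Editor's
example, not Nutanix code; the sample lines and message bodies are constructed."""
import re
from datetime import datetime, timedelta

# <PRI> = facility * 8 + severity; severity 6 = Informational, the level hit logs need.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def parse(line, year):
    """Split a BSD-syslog (RFC 3164 style) line into facility, severity, time, host, message."""
    m = HEADER.match(line)
    if not m or int(m["pri"]) > 191:     # 191 = facility 23 * 8 + severity 7, the maximum
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"], "msg": m["msg"],
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}

def silent_sources(lines, expected_hosts, now, window=timedelta(minutes=15), level=6):
    """Expected hosts with no message at severity <= level inside the window.
    A host seen only at debug (7), or not at all, needs attention: its syslog
    forwarding may be misconfigured, or a firewall between the host and the
    collector may only pass Prism Central's address."""
    reporting = set()
    for line in lines:
        rec = parse(line, now.year)
        if rec and rec["severity"] <= level and timedelta(0) <= now - rec["time"] <= window:
            reporting.add(rec["host"])
    return sorted(set(expected_hosts) - reporting)

# Constructed sample: 134 = local0.info, 14 = user.info, 135 = local0.debug.
SAMPLE_LINES = [
    "<14>Jun 10 09:58:12 prism-central AUDIT placeholder: security policy Exchange updated",
    "<134>Jun 10 09:59:01 ahv-host-01 FLOW placeholder: hit log entry",
    "<134>Jun 10 09:59:30 ahv-host-02 FLOW placeholder: hit log entry",
    "<135>Jun 10 09:59:40 ahv-host-03 FLOW placeholder: debug only, no informational traffic",
    "<134>Jun 10 09:30:00 ahv-host-04 FLOW placeholder: stale, outside the window",
    "garbage line that is not syslog at all",
]
EXPECTED = ["prism-central", "ahv-host-01", "ahv-host-02", "ahv-host-03", "ahv-host-04"]
NOW = datetime(2020, 6, 10, 10, 0, 0)

def run_check():
    return silent_sources(SAMPLE_LINES, EXPECTED, NOW)   # ['ahv-host-03', 'ahv-host-04']

if __name__ == "__main__":
    print("silent sources:", run_check())
```

Run the same check periodically against the collector's recent intake with the real list of AHV hosts registered to Prism Central; a host that disappears from the informational feed after a cluster expansion or a syslog change is the typical cause of hit logs that are silently missing from the SIEM.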
4.10. Using Export and Import to Backup Policies
An export captures all security policies and the categories used to build them. An import replaces
all existing security policies with the policies from the imported file, and any missing categories
are created at import time. Because an import is a full replacement rather than a merge, take a
fresh export of the current policies before importing a file, so that the previous policy set can
be restored if the imported one is wrong.
4.11. Special Considerations
IPv6 Addresses
Nutanix Flow security policies are based on layer 3 IPv4 addresses and do not support rules
based on IPv6 addresses. Nutanix recommends configuring Block IPv6 for all configured
security policies so that all IPv6 traffic to and from a protected VM is dropped. If you allow IPv6 in
a Flow security policy, all possible IPv6 sources and destinations are allowed to and from this VM
on all ports.
5. Conclusion
Nutanix Flow is a software-defined networking solution for AHV that provides visualization,
automation, and security. As part of Flow, microsegmentation uses Prism Central categories
and security policies to protect VMs. By using categories to create flexible groups of VMs, Flow
simplifies security policy definition. With security policies, administrators can protect or isolate
applications or environments and quarantine infected or rogue VMs.
Through policy- and application-centric traffic monitoring, flow visualization answers the vital
question of what VM traffic is sent and received in the virtual system.
The ease of creating and applying categories and policies opens the door for automation.
Security is no longer tied directly to VMs or IP addresses, and administrators can respond quickly
to datacenter changes.
Because Nutanix Flow is built into Prism Central and works natively in AHV, there are no
additional components to install or manage. Network security is now just one click away.
For feedback or questions, please contact us using the Nutanix NEXT Community forums.
Appendix
References
1. Creating Service Chains with REST (KB 5486)
2. Nutanix Prism Central Guide: Category Management
3. Nutanix Prism Central Guide: Policies Management
About Nutanix
Nutanix makes infrastructure invisible, elevating IT to focus on the applications and services that
power their business. The Nutanix Enterprise Cloud OS leverages web-scale engineering and
consumer-grade design to natively converge compute, virtualization, and storage into a resilient,
software-defined solution with rich machine intelligence. The result is predictable performance,
cloud-like infrastructure consumption, robust security, and seamless application mobility for a
broad range of enterprise applications. Learn more at www.nutanix.com or follow us on Twitter
@nutanix.
List of Figures
Figure 1: Nutanix Enterprise Cloud OS Stack

List of Tables
Table 1: Document Version History