19 September, 2023
November 14, 2022
Yes, it can be done!
In a recent blog, I explored VMware’s NSX-T micro-segmentation tool and discussed why I’ve had a good amount of success with it in raising the security of our clients’ data center, cloud and hybrid environments of varying configurations. By establishing “zones” in those environments, NSX-T’s distributed firewall isolates workloads from one another: it can deny all traffic, or only specific services, even between VMs that sit on the same network segment, because enforcement happens at each VM’s virtual NIC rather than at a perimeter device.
What happens, though, when a company must also provide remote access for employees and partners, with the security challenges that come with it? Can NSX-T micro-segmentation still be applied when the VMs that users land on are deployed dynamically?
In VDI (virtual desktop infrastructure), a hypervisor carves servers into virtual machines that host virtual desktops, which users reach remotely from their own devices. Users can connect from any device or location, and all processing happens on the host server; the endpoint only displays the session. In a non-persistent pool the desktop is discarded at logoff and a fresh one is provisioned at the next login, so a user rarely lands on the same VM twice. Because access is granted on the basis of the user’s identity (the account they authenticate with) rather than on a particular machine, the user still gets everything that belongs to them – the desktop, their data, their applications – without ever connecting to the same VM.
As I mentioned, NSX-T can only enforce policy inside an environment it is installed in, and its firewall rules are ordinarily anchored to workloads: a VM name, a tag, a segment. With non-persistent desktops, none of those identifies a particular person. So how do we establish micro-segmentation with NSX-T when the list of user devices and the VMs behind them changes from one day to the next?
The answer is NSX-T’s Identity Firewall: connect NSX-T to Active Directory via LDAP (Lightweight Directory Access Protocol) and write the rules against AD users and groups instead of against VMs.
But let’s back up. In VDI environments, micro-segmentation relies on Active Directory to tie each login to a user. AD holds every user account and, more usefully for policy, its group memberships (passwords are stored only as hashes, and NSX-T never reads them; what NSX-T consumes is the fact that a given user has logged in to a given VM). By defining NSX-T groups whose membership is an AD group, we can write distributed firewall rules that follow the user to whichever desktop VM they happen to land on. For that, NSX-T has to be able to read the directory, which is what the LDAP connection provides: NSX Manager binds to a domain controller with a service account and synchronizes users and groups from it, while the login-to-VM mapping comes either from the domain controllers’ security event logs or from Guest Introspection (the thin agent shipped with VMware Tools) on the desktop VMs. Two points are worth settling before you start: use LDAPS on TCP 636 rather than plaintext LDAP on 389, so that the bind credentials and directory contents do not cross the network in the clear, and give NSX a dedicated read-only service account rather than a domain admin.
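To make the pieces concrete, here is an added example (my own illustration, not the how-to guide’s code and not VMware’s) that builds the NSX-T Policy API payloads for the setup described above and lints them for the mistakes that usually bite during the LDAP integration: a cleartext LDAP server entry, an admin bind account, an identity group used as a rule destination (NSX-T accepts AD-based groups only as the source, since the login is only known for the source VM), and identity rules applied to every VM instead of just the VDI desktops. The object and field names (FirewallIdentityStore, IdentityGroupExpression, SecurityPolicy, Rule) follow the NSX-T 3.x Policy API as I know it and should be confirmed against the API guide for your release; the domain, domain controller, account names, group DNs and thumbprint are made up.

```python
"""Build and lint NSX-T Identity Firewall payloads for a VDI user group.

Added example, not the author's guide or VMware code. API object and field
names are assumed from the NSX-T 3.x Policy API; all names below are made up.
"""
import json

GROUP_PATH = "/infra/domains/default/groups/"


def _path(name):
    """Policy path for a group name; the literal ANY stays as-is."""
    return "ANY" if name == "ANY" else GROUP_PATH + name


def _name(path):
    return path[len(GROUP_PATH):] if path.startswith(GROUP_PATH) else path


def identity_store(domain, base_dn, dc_host, bind_user, bind_password,
                   protocol="LDAPS", port=636, thumbprint=None):
    """Body for PUT /policy/api/v1/infra/firewall-identity-stores/<id>.
    NSX Manager binds to dc_host as bind_user and syncs users and groups."""
    server = {"ldap_server": dc_host, "ldap_protocol": protocol,  # "LDAP" or "LDAPS"
              "ldap_server_port": port, "username": bind_user,
              "password": bind_password, "enabled": True}
    if thumbprint:
        server["thumbprint"] = thumbprint  # pins the DC certificate for LDAPS
    return {"resource_type": "FirewallIdentityStore", "domain_name": domain,
            "base_distinguished_name": base_dn, "ldap_servers": [server]}


def identity_group(name, group_dn, base_dn):
    """NSX group whose members are the VMs where a member of the AD group is logged in."""
    return {"resource_type": "Group", "display_name": name, "expression": [{
        "resource_type": "IdentityGroupExpression",
        "identity_groups": [{"distinguished_name": group_dn,
                             "domain_base_distinguished_name": base_dn}]}]}


def rule(rule_id, sources, destinations, services, action, applied_to=("ANY",)):
    """One distributed firewall rule; applied_to is the rule's 'Applied To' scope."""
    return {"resource_type": "Rule", "id": rule_id,
            "source_groups": [_path(s) for s in sources],
            "destination_groups": [_path(d) for d in destinations],
            "services": services, "action": action, "direction": "IN_OUT",
            "scope": [_path(a) for a in applied_to]}


def lint_identity_store(store):
    """Findings a reviewer would raise before the store is applied."""
    findings = []
    for srv in store["ldap_servers"]:
        host = srv["ldap_server"]
        if srv["ldap_protocol"] != "LDAPS":
            findings.append(f"{host}: cleartext LDAP; the bind password and directory "
                            "contents cross the network unencrypted, use LDAPS")
        elif not srv.get("thumbprint"):
            findings.append(f"{host}: LDAPS without a pinned certificate thumbprint")
        account = srv["username"].split("\\")[-1].split("@")[0].lower()
        if account in ("administrator", "admin"):  # heuristic, not an AD lookup
            findings.append(f"{host}: bind account {srv['username']} is an admin; use a "
                            "dedicated read-only service account")
    return findings


def lint_policy(policy, identity_group_names):
    """Identity groups only identify the user on the source VM, so they are valid
    only as a rule source; identity rules should also be scoped to the VDI pool."""
    findings = []
    for r in policy["rules"]:
        for dst in r["destination_groups"]:
            if _name(dst) in identity_group_names:
                findings.append(f"rule {r['id']}: identity group {dst} used as destination")
        uses_identity = any(_name(s) in identity_group_names for s in r["source_groups"])
        if uses_identity and r["scope"] == ["ANY"]:
            findings.append(f"rule {r['id']}: applied to ANY; scope it to the VDI desktop group")
    return findings


def build_vdi_policy():
    """Constructed example: finance users may reach the ERP servers over HTTPS, nothing else."""
    base_dn = "DC=corp,DC=example"
    store = identity_store("corp.example", base_dn, "dc01.corp.example",
                           "CORP\\svc-nsx-ldap", "fetched-from-a-vault",
                           thumbprint="aa" * 32)  # placeholder fingerprint
    finance = identity_group("ad-finance-users", "CN=Finance,OU=Groups," + base_dn, base_dn)
    policy = {"resource_type": "SecurityPolicy", "id": "vdi-finance",
              "category": "Application", "rules": [
                  rule("finance-to-erp", ["ad-finance-users"], ["erp-servers"],
                       ["/infra/services/HTTPS"], "ALLOW", ["vdi-desktops"]),
                  rule("finance-default-drop", ["ad-finance-users"], ["ANY"],
                       ["ANY"], "DROP", ["vdi-desktops"])]}
    return {"store": store, "groups": [finance], "policy": policy,
            "findings": lint_identity_store(store) + lint_policy(policy, {"ad-finance-users"})}


if __name__ == "__main__":
    print(json.dumps(build_vdi_policy(), indent=2))
```

Running the script prints the three payloads with an empty findings list; swapping the store for a plaintext LDAP entry bound as Administrator, or putting the AD group on the destination side of a rule, produces the corresponding finding. The drop rule at the end of the policy is what turns “allow finance to ERP” into actual isolation: without it, the desktop still reaches everything the default rule permits.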
Connecting NSX-T to LDAP is not terribly complicated, but for anyone who is unfamiliar, it can be daunting. When I first attempted the connection, I was surprised at how long it took me to find all the pieces necessary to implement the solution. Once I compiled all of the needed items in one place, future implementations went much more quickly. To save others from the same challenge, we published a “How-To” guide on the TeraSky blog, accessed here.
My strongest recommendation for anyone looking to implement this solution for their clients is to request that the client send all of the prerequisites in advance and, if necessary, work hand-in-hand with the client to get all their “ducks in a row.” As with most projects, the more you can reduce unanticipated changes or complications, the smoother the project will go!
Written by: Aviv Shaar, Cloud Network Consultant