NSX-V: Security Framework implementation script

This Powershell script is used as an example for deploying a NSX Security Framework as described in this blog.

Installing PowerNSX is a prerequisites, and before running this script connect to a greenfield NSX Environment, with the cmdlet: “connect-nsxserver”.
This script modifies the default rule to a deny rule, creating a zero trust environment. So don’t use this script in you brownfield environment (you are warned!)

#define variables
$nssharedservicegroups = @{
"DNS Servers"="APP_DNS";
"DHCP servers"="APP_DHCP";
"Domain Controllers"=@("APP_LDAP","APP_KERBEROS","LDAP Global Catalog","Active Directory Server","Active Directory Server UDP");
"FTP servers"="APP_FTP";
"SNMP servers"="APP_SNMP";
"SMTP servers"="APP_SMTP";
}
$nsjumphostgroups = @("Jumphosts")
$nsisolationgroups = @("finance","HR","LoB","BCA","Drupal","Wordpress")
$nssegmentationgroups = @("Tier-0","Tier-1","Tier-2")
$nsfilteringgroup = @{
"Web service"=@("HTTP","HTTPS");
"MSSQL service"="MS-SQL-S";
"MySQL service"="MySQL";
"PostgreSQL service"="PostgreSQL"}
$DFWrule =@()

Function creatensobjects ($objects)
{
$NSXGroups = @()
foreach ($object in $objects){
    write-host "creating NSX Security Tag: $object"
    $NSXSecTag = New-NsxSecurityTag -Name $object
    write-host "creating NSX Security Group: $object"
    $NSXGroup = New-NsxSecurityGroup -Name $object -IncludeMember $NSXSecTag
    $NSXGroups += $NSXGroup
    }
return $NSXGroups
}

#create NS-objects
$nsxsharedservicegroups = @()
$nssharedservicegroups.keys | % {$nsxsharedservicegroups += creatensobjects $_ } 
$nsxjumphostgroups = creatensobjects $nsjumphostgroups
Add-NsxSecurityGroupMember -SecurityGroup $nsxjumphostgroups -Member (get-vm -name "jumphost")
$nsxisolationgroups = creatensobjects $nsisolationgroups
$nsxsegmentationgroups = creatensobjects $nssegmentationgroups
$nsxfilteringgroups = @()
$nsfilteringgroup.keys | % {$nsxfilteringgroups += creatensobjects $_ }

write-host "create NSX Security Framework"
#Creating Shared Service firewall rules
$dfwsection = New-NsxFirewallSection -Name "NSX DFW Firewall Rules - Shared Services"
foreach ($key in $nssharedservicegroups.keys) {
$NSXServices = @() ; $nssharedservicegroups[$key] | % {$NSXServices += Get-NsxService -Name $_ -LocalOnly} 
$DFWrule += New-NsxFirewallRule -Name $key -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Destination (Get-NsxSecurityGroup $key) -Service $NSXServices -Action allow -Position Bottom }

#Creating Jump Host firewall rules
$dfwsection = New-NsxFirewallSection -Name "NSX DFW Firewall Rules - Jump Hosts" -position after -anchorId $dfwsection.id
foreach ($nsxjumphostgroup in $nsxjumphostgroups) {
$DFWrule += New-NsxFirewallRule -Name $nsxjumphostgroup.name -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Destination $nsxjumphostgroup -Service ("APP_RDP" | % {Get-NsxService -name $_ -LocalOnly}) -Action allow -Position Bottom
$DFWrule += New-NsxFirewallRule -Name $nsxjumphostgroup.name -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Source $nsxjumphostgroup -Action allow -Position Bottom}

#Creating Isolation firewall rules
$dfwsection = New-NsxFirewallSection -Name "NSX DFW Firewall Rules - Isolation" -position after -anchorId $dfwsection.id
foreach ($nsxisolationgroup in $nsxisolationgroups) {$DFWrule += New-NsxFirewallRule -Name $nsxisolationgroup.name -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Source $nsxisolationgroup -Destination $nsxisolationgroup -NegateDestination -Action deny -Position Bottom}

#Creating Segmentation firewall rules
$dfwsection = New-NsxFirewallSection -Name "NSX DFW Firewall Rules - Segmentation " -position after -anchorId $dfwsection.id
$source = Get-NsxSecurityGroup -name "campus"
foreach ($nsxsegmentationgroup in $nsxsegmentationgroups) {
$DFWrule += New-NsxFirewallRule -Name $nsxsegmentationgroup.name -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Source $source -Destination $nsxsegmentationgroup -NegateDestination -Action deny -Position Bottom 
$source = $nsxsegmentationgroup}

#Creating Filtering firewall rules
$dfwsection = New-NsxFirewallSection -Name "NSX DFW Firewall Rules - Filtering " -position after -anchorId $dfwsection.id
foreach ($key in $nsfilteringgroup.keys) {
$NSXServices = @() ; $nsfilteringgroup[$key] | % {$NSXServices += Get-NsxService -Name $_ -LocalOnly} 
$DFWrule += New-NsxFirewallRule -Name $key -Section (Get-NsxFirewallSection -objectId $dfwsection.id) -Destination (Get-NsxSecurityGroup $key) -Service $NSXServices -Action allow -Position Bottom}
write-host "set zero trust policy"
get-nsxfirewallrule -RuleId 1001 | Set-NsxFirewallRule -action Deny

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top