Creating a Security Audit Dashboard with vRealize Network Insight

Introduction

In this post, I'm going to walk you through, step by step, how to create a Pinboard (aka Dashboard) in vRealize Network Insight (vRNI) that provides a summary of recent security-related changes in your environment.

Customers initially invest in vRNI to assist with micro-segmentation planning along with NSX. Check out this great blog over at VMGuru for a walkthrough of that use case.

An additional use case I like to enable customers on is operationalizing NSX, in particular security-related auditing. The pinboard we'll walk through displays the following information:

  • Firewall Rule changes
  • Firewall Rule membership changes
  • Security Group membership changes
  • Security Tag changes

Having this information at your fingertips is very handy. Here are two examples:

Troubleshooting. Imagine you get a call: VM1 is no longer able to access VM2. It was working yesterday! You can quickly use this pinboard to identify any recent NSX firewall changes that may have caused the issue, e.g. somebody removed a Security Tag from VM1.

Auditing. Your security team asks you for a report detailing NSX firewall changes over the last 30 days.

Obtaining this information manually from several sources could be time consuming and possibly problematic.

My goal with this post is to show you how to create the pinboard so you can use it as is and/or add your own search criteria. Note: the security changes in this blog post pertain to VMware NSX Data Center for vSphere v6.4.4, utilizing vRealize Network Insight v4.0.0.

To set up this pinboard, I'm assuming you already have vRNI deployed and NSX Manager added as a data source.

Be aware that vRNI supports several other data sources that could also be used (Amazon Web Services, Check Point and Palo Alto, to name a few); see the complete list in the official product documentation.

Sample of completed pinboard

vrni-1.png

Getting started

  1. Log in to the vRNI UI
  2. In the Search your Datacenter section at the top, type “Firewall rule membership change in last 30 days” followed by Enter.  Note: I'm using 30 days in this example; you can change this to match your particular requirements

    vrni-2

  3. This will display all firewall rule membership changes over the last 30 days.  Click Push pin near the top right, then Create New Pinboard

    vrni-3

  4. Enter a Pinboard Name and Description (optional), then click Create and Pin

    vrni-4

  5. Now that we have the pinboard created, let's run some additional searches and add them
  6. In the Search your Datacenter section at the top, type “Firewall rule change in last 30 days” followed by Enter.

    vrni-5

  7. Click Push pin near the top right. As we have already created a pinboard (Security Changes in this example), we can now hover over it and click Pin

    vrni-6.png

  8. Repeat steps 6-8 for the following searches
    1. security group membership change in last 30 days
    2. security tag change in last 30 days

Modifying the Pinboard

  1. Now that we have created the pinboard and added some searches, let's take a look!
  2. Click the pinboard icon in the UI, and select it

    vrni-8

  3. If you want to change the layout, click the 3 vertical buttons near the top right of the pinboard and select Edit

    vrni-9.png

  4. If you now hover over a particular widget, you can drag and drop to re-order or edit the description.  Click Save or Cancel when done

Reviewing the Pinboard

  1. Now let’s review what is detailed in the dashboard.
  2. In my example, under Firewall rule membership change in last 30 days, I can see 44 results, the last being 9 days ago.  If you hover over the right-hand side of the widget, a scroll bar will appear so you can review them all

    vrni-10.png

  3. Clicking the magnifying glass icon next to one of the entries will reveal additional information. In this example, a VM named fin-db-01a.corp.local was added to firewall rule IDFW-Allow

    vrni-11

  4. Spend some time exploring the pinboard to get familiar with the information being presented

Sharing Options

  1. A new feature in vRNI 4.0.0 is the ability to set a pinboard as your homepage.
  2. Click the 3 vertical buttons near the top right of the pinboard and select Set as Homepage.  The pinboard will now be the first thing you see upon login to vRNI

    vrni-12
  3. You can also share the pinboard with other vRNI users.
  4. Click the 3 vertical buttons near the top right of the pinboard and select Share

    vrni-13

  5. In the drop-down under Invite new users, select an existing vRNI user, click the drop-down to the right to specify the permission, then click Add, followed by Save.  Here vm_dave@corp.local will be granted view-only access to the pinboard

    vrni-14

As you have seen, the search functionality in vRNI is very intuitive. Searches begin to auto suggest and complete as you type.  Think of it as ‘googling’ your data center!  Get familiar with the various searches available to you and add ones of interest to your shiny new pinboard.

Hopefully you now have a good understanding of pinboards in vRNI and can get use out of this in your own environment.  If you have any comments, contact me via Twitter @VM_Dave. Thanks for reading!
