SDDC Advanced Security
L7 Firewall, IDFW, IDPS
May 2023
Confidential │ ©2021 VMware, Inc.
Agenda
1. Security Challenges
2. NSX Advanced Firewall
3. Disabling Add-ons
Security Challenges
Today’s Data Center Security
Traditional Segmentation
Policies align to the environment instead of the application.
[Diagram: Shared Users and Services alongside the Web Tier, App Tier and DB Tier]
Fixing Today’s Data Center Security
Zero Trust Through Context
Identify application boundaries and determine intended network traffic.
[Diagram: Shared Users and Services alongside the Web Tier, App Tier and DB Tier]
Fixing Today’s Data Center Security
Zero Trust Through Context
Isolate the application and only allow required communication.
[Diagram: Shared Users and Services alongside the Web Tier, App Tier and DB Tier]
NSX Distributed Firewall
Micro-segmentation Simplifies Network Security
• Zero Trust/Least Privilege model
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
• Network topology agnostic
[Diagram: Finance, HR and Engineering segments behind a perimeter firewall, DMZ and inside firewall, with App and DB tiers and shared Services (AD, NTP, DHCP, DNS, CERT)]
NSX Advanced Firewall Overview
VMware NSX Advanced Firewall for VMware Cloud on AWS
Introducing Advanced Distributed Security features as an Add-on
• L7 Firewall: Layer 7 AppID Profiles and Distributed FQDN Filtering
• Distributed Identity Firewall: Active Directory based User ID Filtering
• Distributed IDS/IPS: Integrated with NSX Threat Intelligence Cloud
Value Prop
Key Benefits for VMC Customers
NSX Distributed IDS/IPS
• East-West protection for workloads
• Detect attempts at exploiting vulnerabilities in applications
• Distributed traffic inspection scales linearly with workloads
• Context based threat detection
• Integrated with NSX Threat Intelligence Cloud Service
NSX DFW with L7 AppID and Distributed FQDN Filtering
• Deep Packet Inspection for Layer 7 application control
• Built-in Application IDs for common enterprise applications
• FQDN based access control, per VM
• Reduce the attack surface to intended applications/protocols
NSX Identity Firewall
• Per user/session application access
• DFW based enforcement at the source
• AD/LDAP integration to automatically curate access to applications
Add-On Workflow
1. The Cloud Admin role has permissions on the Add-on feature related objects by default.
2. Activating NSX Advanced Firewall pushes down the license.
3. The NSX UI starts showing the NSX Advanced Firewall features.
4. Metering and billing start.
Enable Advanced Firewall
“Add Ons” tab UI with NSX Advanced Firewall disabled (default UI)
Enable Advanced Firewall
Pop up while activating NSX Advanced Firewall
Enable Advanced Firewall
After activating NSX Advanced Firewall
L7 – Context Aware Firewall & FQDN Filtering
Layer 7 Application Identity
Port Independent Enforcement on the DFW
• Built-in APP-IDs for common infrastructure and enterprise apps
• Leverages the Deep Packet Inspection engine with App-ID signatures
• Protocol version support for TLS/CIFS
• Cipher suite support for TLS
• Used in rules via Context Profiles
• Certain APP-IDs require the use of Application Layer Gateways
Layer 7 Application Identity
Use Cases
• Compliance Zones: enforce the use of strong cryptography and secure protocols
• Port-Independent Micro-segmentation: only allow the intended application/protocol to run across a port
• Reducing the Attack Surface: allow APP-owners to run services across any port
[Diagram: UAG and RDSH in front of MRS-WEB-1, MRS-WEB-2, MRS-APP-1 and MRS-DB-1, with flows labelled TLS 1.2, HTTP, BLAST/22443, RDP/3389, RDP/22443 and MYSQL]
NSX DFW Layer7 with Application ID
NSX Distributed Firewall with AppID / Context Profile
1. Pre-configured AppIDs for common enterprise applications
• Microsoft Active Directory
• WINS
• Kerberos
• EPIC (Healthcare Application)
• GitHub
• MySQL
• Many more...
More than 700 App IDs
https://docs.vmware.com/en/NSX-Application-IDs/index.html
Context Aware Firewall
Adding new Context Profile
Context Aware Firewall
Adding new Context Profile
Context Aware Firewall
App based Context Aware Firewall
Context Aware Firewall
Using the Context Profile
Context Aware Firewall
Using the Context Profile
Distributed FQDN Filtering Security
Permit listing and deny listing based on FQDN
• Distributed enforcement on the DFW
• DNS snooping to map FQDNs to IPs
• FQDN context moves with the VM
• Supports vMotion
[Diagram: Native Cloud Services, Context-Based Cloud Service Access and User-based FQDN/Service Access]
FQDN based Context Profile
Distributed FQDN filtering
DFW rule based on FQDN
Note: the DNS rule must come first, followed by the Allow/Deny rule.
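As an added illustration (not NSX code and not part of the original deck), the simulation below shows why the DNS rule has to come first: FQDN-to-IP mappings are learned only from DNS answers on flows that hit a rule carrying the DNS profile, later flows are matched against that learned map, and the first matching rule wins. Rule names, addresses and FQDNs are constructed for the walkthrough.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class Rule:
    name: str
    action: str            # "ALLOW" or "DROP"
    dst_port: int = None   # None matches any port
    profile: str = None    # "DNS" enables snooping; "fqdn:<glob>" matches learned names

@dataclass
class FqdnDfw:
    rules: list
    learned: dict = field(default_factory=dict)   # ip -> fqdn, filled by DNS snooping

    def match(self, dst_ip, dst_port):
        """First rule whose port and FQDN context fit the flow; implicit deny otherwise."""
        for r in self.rules:
            if r.dst_port not in (None, dst_port):
                continue
            if r.profile and r.profile.startswith("fqdn:"):
                name = self.learned.get(dst_ip)
                if name is None or not fnmatch(name, r.profile[5:]):
                    continue
            return r
        return Rule("implicit-deny", "DROP")
    def dns_response(self, dns_server, qname, answers):
        """Snoop an answer: mappings are learned only if the DNS flow hit a DNS-profile rule."""
        rule = self.match(dns_server, 53)
        if rule.action != "ALLOW" or rule.profile != "DNS":
            return False
        for ip in answers:
            self.learned[ip] = qname
        return True
    def connect(self, dst_ip, dst_port):
        return self.match(dst_ip, dst_port).action
# Constructed rules and addresses (RFC 5737 ranges) for the walkthrough.
DNS_RULE = Rule("allow-dns", "ALLOW", 53, "DNS")
ALLOW_CORP = Rule("allow-corp", "ALLOW", 443, "fqdn:*.corp.example")
DENY_EVIL = Rule("deny-evil", "DROP", None, "fqdn:*.evil.example")
ALLOW_WEB = Rule("allow-web", "ALLOW", 443)
DENY_ALL = Rule("default-deny", "DROP")
def scenario(rules):
    """Resolve two names, then open HTTPS to each and to an unresolved IP."""
    dfw = FqdnDfw(list(rules))
    snooped = dfw.dns_response("10.0.0.53", "app.corp.example", ["203.0.113.10"])
    dfw.dns_response("10.0.0.53", "files.evil.example", ["198.51.100.7"])
    return (snooped, dfw.connect("203.0.113.10", 443),
            dfw.connect("198.51.100.7", 443), dfw.connect("192.0.2.9", 443))
```

With the DNS rule placed after the default deny, no mapping is ever learned and even the permitted FQDN is dropped; the permit-list and deny-list orderings show both filtering styles from the slide.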
Identity Firewall
Identity Firewall
Per User/User Session Application Access with Identity Firewall (IDFW)
• Enforcement by the DFW at the source
• Session-based
• Supported for both VDI and RDSH
• Granular on/off per cluster
• Requires VMware Tools/Thin agent
[Diagram: users on an Employee Desktop Pool and on Remote Desktop Session Hosts / Published Apps reaching Finance-App-1 and HR-App-1 (Web, App and DB tiers)]
NSX Identity Firewall
NSX Distributed Firewall with User ID
• Integrates with AD/ LDAP
• Use Case – Protect VDI/ RDSH workloads
• Based on kernel-based Guest Introspection
Identity Firewall
Enable IDFW
Identity Firewall
Enable IDFW
Identity Firewall
IDFW is disabled by default. A newly added cluster is also in the disabled state, so enable IDFW on it as well.
Identity Firewall
Configure Active Directory
Identity Firewall
Configure LDAP Server
Identity Firewall
Create Security Group with AD Members
Identity Firewall
AD Members
Identity Firewall
Create IDFW Rule with Source as AD based Group
Distributed IDS/IPS
Traditional IDS/IPS Approaches Drive up Cost & Complexity
Adoption has been limited to critical / regulatory mandated segments of the environment
[Diagram: before NSX IDS & IPS, traffic is hair-pinned to centralized IDPS appliances]
• Throughput constraints
• Selective traffic inspection
• Lack of vMotion support, stale policies
Moving Analysis to Each Workload Breaks Traditional Trade-offs
Operators can achieve scale & coverage, without need for massive throughput appliances
[Diagram: with NSX IDS & IPS, inspection moves to each workload]
• Scale out architecture, massive throughput
• Absolute coverage with no blind-spots
• Dynamic policies move with workloads
NSX Distributed IDS/IPS
Extending the Intrinsic Security paradigm for internal firewalling
• Distributed & built-in analysis – scales linearly with workloads, no blind-spots
• Curated signature distribution – fewer false positives, lower computational overhead on host
• Context-based threat detection – better alert prioritization
• Policy & state mobility – simplify operations, eliminate stale / redundant policies
[Diagram: NSX Manager (Firewall Manager, IDS/IPS Manager) pushing policy to the Distributed Firewall + Distributed IDS/IPS on the NSX Virtual Distributed Switch]
NSX Distributed IDS/IPS
• Integrated with NSX Threat Intelligence Cloud Service
• Default set of signatures
Enable Advanced Firewall
Distributed IDS/IPS
Distributed IDS/IPS
D-IDS/IPS is disabled by default. A newly added cluster is also in the disabled state, so enable D-IDS/IPS on it as well.
Distributed IDS/IPS
D-IDS/IPS Signatures
Enabling this ensures that signatures are updated every 20 minutes from the NTICS cloud (explained on the next slide).
Distributed IDS/IPS
D-IDS/IPS Signatures (Contd.)
• Signatures are downloaded from NTICS
• NSX Threat Intelligence Cloud Service (NTICS) is a SaaS service that is used to update NSX Manager with IDS/IPS signatures
• NSX Manager in an SDDC communicates with the service via the SDDC’s Point of Presence (POP). No additional configuration is required from the customer.
• Updated signature checks are performed every 20 mins. This is not configurable at this time.
• Customers who do not want the NSX Manager to directly access the service can download the signature set and upload it to the NSX Manager via API.
• The signature set contains both Trustwave and Lastline signatures.
Distributed IDS/IPS
Profiles: Select Signature Profile
Intrusion Detection and Prevention
Behavioral IDS/IPS
• Enabled by selecting the “Suspicious” severity level in an IDPS profile
• Detect unusual behavior and prevent possible zero day attacks
• E.g. high failure rate in authentication, remote task scheduling, PsExec interaction
• Implemented via signatures and Lua scripts
• About 500 behavioral signatures at VMC 1.19 release
• Suspicious-level events received within a specific time interval are de-duplicated to avoid too many events on NSX Manager
[Diagram: hosts 172.20.20.12, 172.20.20.4 and 172.20.20.5 with Suspicious events for Account Enumeration and Remote Task Scheduling]
Intrusion Detection and Prevention
Lua Scripts
Example: Behavioral Signature invoking the “intraflow_beacon” Lua script
alert tcp $HOME_NETWORK any -> !$HOME_NETWORK 443 (msg:"NSX - Detect potential intra-flow beaconing behaviour on TCP port 443"; flow:established,to_server; target:src_ip; flowint:intraflow_beacon_disable,notset; app-layer-protocol:!http; lua:lua/lastline/intraflow_beacon.lua; flowbits:set,LL.verifier_tcp_successful; flowbits:set,LL.verifier_tcp_failed; flowbits:set,LL.verifier_tcp_blocked; threshold: type limit, track by_src, seconds 43200, count 1; metadata:ll_expected_verifier default, flip_endpoints False, server_side False, threat_class_name Suspicious Network Interaction, threat_name Beaconing activity, ids_mode INFO, blacklist_mode DISABLED, exploited None, confidence 65, severity 20, detector_id 99362; reference:url,www.lastline.com; classtype:trojan-activity; sid:1099362; rev:16826; priority:5;)
• Standard IDPS signatures do not offer the ability to detect complex behavioral activity
• This is addressed by allowing signatures to be triggered upon matching custom detection logic (Lua scripts)
• Scripts keep state across several flows by storing flow attributes
• Lua scripts are bundled with IDPS signature sets
• Signatures using Lua scripts generate Suspicious-level events (and a number of other events)
• Not all Suspicious-level signatures leverage Lua
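As an added example (not part of the deck and not NSX code), a small parser for Suricata-style signatures like the one above: it splits the header and options, expands the metadata block, and pulls out the sid/rev, the Lua script, the flowbits the rule sets, and the confidence/severity and threat class carried in the metadata, which are the fields an analyst triages a Suspicious-level event on. The signature text is copied from the slide; the function names are my own.

```python
# Constructed copy of the signature shown on the slide, re-joined onto one line.
BEACON_SIG = (
    'alert tcp $HOME_NETWORK any -> !$HOME_NETWORK 443 '
    '(msg:"NSX - Detect potential intra-flow beaconing behaviour on TCP port 443"; '
    'flow:established,to_server; target:src_ip; flowint:intraflow_beacon_disable,notset; '
    'app-layer-protocol:!http; lua:lua/lastline/intraflow_beacon.lua; '
    'flowbits:set,LL.verifier_tcp_successful; flowbits:set,LL.verifier_tcp_failed; '
    'flowbits:set,LL.verifier_tcp_blocked; threshold: type limit, track by_src, seconds 43200, count 1; '
    'metadata:ll_expected_verifier default, flip_endpoints False, server_side False, '
    'threat_class_name Suspicious Network Interaction, threat_name Beaconing activity, '
    'ids_mode INFO, blacklist_mode DISABLED, exploited None, confidence 65, severity 20, '
    'detector_id 99362; reference:url,www.lastline.com; classtype:trojan-activity; sid:1099362; rev:16826; priority:5;)'
)

def split_options(body):
    """Split the option body on ';' while leaving double-quoted values (msg) intact."""
    parts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return parts + [t] if (t := ''.join(cur).strip()) else parts

def parse_signature(rule):
    """Header fields, every option (repeatable keywords become lists) and metadata as a dict."""
    head, _, rest = rule.partition('(')
    body = rest.rsplit(')', 1)[0]
    sig = dict(zip(('action', 'proto', 'src', 'sport', 'arrow', 'dst', 'dport'), head.split()))
    sig.update(options={}, metadata={})
    for opt in split_options(body):
        key, _, val = opt.partition(':')
        sig['options'].setdefault(key.strip(), []).append(val.strip().strip('"'))
    for item in sig['options'].get('metadata', [''])[0].split(','):
        k, _, v = item.strip().partition(' ')
        if k:
            sig['metadata'][k] = v.strip()
    return sig

def triage_summary(sig):
    """The fields an analyst ranks the event on: ids, Lua script, vendor scores, class, state bits."""
    opts, md = sig['options'], sig['metadata']
    return {'sid': int(opts['sid'][0]), 'rev': int(opts['rev'][0]),
            'lua_script': opts.get('lua', [None])[0], 'threat_class': md.get('threat_class_name'),
            'confidence': int(md.get('confidence', 0)), 'severity': int(md.get('severity', 0)),
            'flowbits_set': [v[4:] for v in opts.get('flowbits', []) if v.startswith('set,')]}
```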
Intrusion Detection and Prevention
VMware Curated Signatures
Cloud hosted network analysis backed
• Single bundle/set based on Trustwave and NSX Threat Intel (LL) signatures and Lua scripts
• Fast/automated signature creation based on dynamic malware analysis of network behavior
• Curation ensures consistency in metadata
• “test mode” functionality on Lastline sensors will be used for curation to avoid false positives
• Curated sets published to NSX Threat Intelligence Cloud for retrieval by NSX (Manager and Edge)
[Diagram: Trustwave signatures and NSX Threat Intel signatures feed the NSX Signature Curator; the Curated Signature Set is published to the NSX Threat Intelligence Cloud and retrieved by NSX Manager for D-IDPS]
Distributed IDS/IPS
Profile Signature Management
Distributed IDS/IPS
Policy
Distributed IDS/IPS
IDPS Rules
[Screenshot: IDS Mode Only, and IDS + IPS Mode (Both)]
Intrusion Detection and Prevention
IDPS Scores (NSX UI)
Confidence Score
• Confidence of the detection being accurate, 0 – 100
• Higher score indicates higher confidence (lower false positives); lower score indicates increased proneness to false positives
• Factor in Impact Score
• New in VMC 1.19
Risk Score
• Numeric value indicating “badness” of a threat
• Risk score = 0 – 100
• Factor in Impact Score
• New in VMC 1.19
Impact Score
• Combined value of Risk Score and Confidence Score, 0 – 100
• Also forms the base score for events in NDR
• New in VMC 1.19
Severity
• 5 levels indicating “badness” of a threat: Critical, High, Medium, Low, Suspicious
• Based on the signature_severity value carried in the signature, CVSS or classification type
• New in VMC 1.19; Severity also available in VMC 1.16-1.18
Intrusion Detection and Prevention
Events
• NSX Manager keeps the last 14 days of data (up to 1.5 million events)
• Context-based event filtering
• Timeline with dots indicates unique types of intrusion attempts (can be hidden)
• Event details shown below the timeline
• Events are grouped per signature
Intrusion Detection and Prevention
Event Details
• Impact Score & Severity
• Last Detected Time and details about the last occurrence
• Signature ID/rev + Description/Details
• Users/Workloads Affected
• CVE/CVSS Details (if available)
• Attack Type
• Attack Target (if available)
• Signature Revision
• Product Affected (if available)
• Event Count
• Intrusion History
• Transport Node on which the detection happened
• MITRE Tactic and Technique (if available)
Aria Operations for Logs Dashboard for IDS/IPS
Two dashboards are available in the NSX Content Pack
• Policy events (creation/deletion)
• Traffic – IDS/IPS network events
Aria Operations for Logs Dashboard for IDS/IPS
Policy Overview Page
Displays counts on policy creation, deletion and change events
• Clicking the menu button and selecting View Log Query displays the details of the logs
Aria Operations for Logs Dashboard for IDS/IPS
Policy Overview Log Query Details Page
Details contain information on the policy, action and more
Aria Operations for Logs Dashboard for IDS/IPS
Traffic Overview Page
Displays counts on IDS/IPS events based on multiple options
• Clicking the menu button and selecting View Log Query displays the details of the logs
Disabling Add-Ons
Disabling
NSX Advanced Firewall – Add-on
1. Customers must deactivate the Add-on to stop billing.
*NOTE – Disabling specific features does not stop billing.
2. Deactivating the Add-on stops users from adding/updating rules in DFW L7/IDS.
3. Existing rules continue to persist, but are not enforced, until users delete them.
Disable Advanced Firewall
Disabling add-ons
Disable Advanced Firewall
Disabling add-ons
What happens when the add-on is disabled?
• Configured add-on policy is retained, but the ability to edit it is disabled.
• Add-on policy is no longer enforced.
• If the add-on is re-enabled, the previously configured policy becomes active again.
[Screenshot: note that the Edit operation is disabled.]
LAB
Lab - 5: NSX Advanced Security
1. Implement Context-aware firewalling
2. Configure FQDN Filtering
3. Implement Distributed Intrusion Detection and Prevention
[Diagram: SDDC with Edge, NSX, vCenter and HCX behind the CGW and MGW, Demo-Net and Desktop-Net segments, a route based VPN (BGP) and a Connected VPC]
Thank You