M05 - SDDC Advanced Security

SDDC Advanced Security
L7 Firewall, IDFW, IDPS

November 2021

Confidential │ ©2021 VMware, Inc.


Agenda
1. Security Challenges

2. NSX Advanced Firewall

3. Disabling Add-ons



Security Challenges



Today’s Data Center Security
Traditional Segmentation

[Diagram: Shared Users / Services; Web Tier, App Tier, DB Tier]

Policies align to the environment instead of the application


Fixing Today’s Data Center Security
Zero Trust Through Context

[Diagram: Shared Users / Services; Web Tier, App Tier, DB Tier]

Identify application boundaries and determine intended network traffic


Fixing Today’s Data Center Security
Zero Trust Through Context

[Diagram: Shared Users / Services; Web Tier, App Tier, DB Tier]

Isolate the application and only allow required communication


NSX-T Distributed Firewall
Micro-segmentation Simplifies Network Security

[Diagram: Finance, HR and Engineering workloads behind a perimeter firewall, DMZ and inside firewall, with App and DB tiers and shared Services (AD, NTP, DHCP, DNS, CERT)]

• Zero Trust/Least Privilege Model
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
• Network Topology Agnostic


NSX Advanced Firewall
Overview



VMware NSX Advanced Firewall for VMware Cloud on AWS
Introducing Advanced Distributed Security features as an Add-on

• L7 Distributed Firewall – Layer 7 AppID Profiles and Distributed FQDN Filtering
• Distributed Identity Firewall – Active Directory based User ID Filtering
• Distributed IDS/IPS – Integrated with NSX Threat Intelligence Cloud


Value Prop
Key Benefits for VMC Customers

NSX Distributed IDS/IPS
• East-West Protection for workloads
• Detect attempts at exploiting vulnerabilities in applications
• Distributed traffic inspection scales linearly with workloads
• Context based threat detection
• Integrated with NSX Threat Intelligence Cloud Service

NSX DFW with L7 AppID and Distributed FQDN Filtering
• Deep Packet Inspection for Layer 7 Application
• Built-in Application IDs for common enterprise applications
• FQDN based access control – per VM
• Reduce the attack surface to intended application/ protocols

NSX Identity Firewall
• Per User/ session application access control
• DFW based enforcement at the source
• AD/ LDAP integration to automatically curate access to applications


Add-On Workflow
1. Cloud Admin has permissions on the Add-on feature related objects by default.
2. Activating NSX Advanced Firewall pushes down the license.
3. NSX UI starts showing NSX Advanced Firewall features.
4. Metering and Billing starts.


Enable Advanced Firewall
“Add Ons” tab UI with NSX Advanced Firewall disabled (default UI)



Enable Advanced Firewall
Pop up while activating NSX Advanced Firewall



Enable Advanced Firewall
After activating NSX Advanced Firewall



L7 – Context Aware Firewall & FQDN Filtering


Layer 7 Application Identity
Port Independent Enforcement on the DFW

• Built-in APP-IDs for common Infrastructure and enterprise apps
• Leverages Deep Packet Inspection Engine with App-ID Signatures
• Protocol Version support for TLS/CIF
• Cipher suite support for TLS
• Used in Rules via Context-Profiles
• Certain APP-IDs require the use of Application Layer Gateways


Layer 7 Application Identity Security
Use Cases

• Compliance Zones – Enforce the use of strong cryptography and secure protocols
• Reducing the Attack Surface – Only allow the intended application/protocol to run across a port
• Port-Independent Micro-segmentation – Allow APP-owners to run services across any port

[Diagram labels: TLS 1.2; UAG, RDSH, BLAST/22443, RDP/3389, RDP/22443; MRS-WEB-1, MRS-WEB-2, MRS-APP-1, MRS-DB-1, HTTP, MYSQL]


NSX DFW Layer7 with Application ID
NSX Distributed Firewall with AppID / Context Profile
1. Pre-configured AppIDs for common enterprise applications
• Microsoft Active Directory
• WINS
• Kerberos
• EPIC (Healthcare Application)
• GitHub
• MySQL
• Many more...



Context Aware Firewall
Adding new Context Profile





Context Aware Firewall
App based Context Aware Firewall



Context Aware Firewall
Using the Context Profile





Distributed FQDN Filtering Security
Permit list and Deny listing based on FQDN

Use cases: Native Cloud Services; Context-Based Cloud Service Access; User-based FQDN/Service Access

• Distributed Enforcement on DFW
• DNS snooping to map FQDN to IPs
• FQDN context moves with VM
• Supports vMotion


FQDN based Context Profile


Distributed FQDN filtering
DFW rule based on FQDN
Note: the DNS rule must come first; the FQDN Allow/Deny rule follows it.
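The rule-ordering note above, shown as an added example (not VMware's or NSX's code): a toy first-match firewall that learns FQDN-to-IP mappings only from DNS answers it let through, so a DNS rule placed behind a catch-all deny leaves the FQDN rule with nothing to match. Rule names, the FQDN and the IPs are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model of distributed FQDN filtering (not NSX code): the DFW
# snoops DNS answers delivered to the VM to learn FQDN -> IP mappings and
# then matches later flows against FQDN rules. First matching rule wins.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "ALLOW" or "DENY"
    dst_port: Optional[int] = None       # None matches any destination port
    fqdns: FrozenSet[str] = frozenset()  # empty = no FQDN condition

class FqdnFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.fqdn_to_ips = {}            # learned only by DNS snooping

    def evaluate(self, dst_ip, dst_port):
        for r in self.rules:
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            learned = {ip for f in r.fqdns for ip in self.fqdn_to_ips.get(f, ())}
            if r.fqdns and dst_ip not in learned:
                continue                 # FQDN rule cannot match an unlearned IP
            return r.action, r.name
        return "DENY", "implicit-default"

    def snoop_dns_answer(self, resolver_ip, fqdn, ips):
        # The answer only reaches the VM (and the snooper) if the query to
        # the resolver on port 53 was allowed by an earlier rule.
        allowed = self.evaluate(resolver_ip, 53)[0] == "ALLOW"
        if allowed:
            self.fqdn_to_ips.setdefault(fqdn, set()).update(ips)
        return allowed

def scenario(dns_rule_first):
    """Hypothetical names/IPs. Returns (dns_allowed, https_to_fqdn_ip, https_to_other_ip)."""
    allow_dns = Rule("allow-dns", "ALLOW", dst_port=53)
    allow_updates = Rule("allow-updates", "ALLOW", dst_port=443,
                         fqdns=frozenset({"updates.example"}))
    deny_rest = Rule("deny-internet", "DENY")
    order = ([allow_dns, allow_updates, deny_rest] if dns_rule_first
             else [allow_updates, deny_rest, allow_dns])
    fw = FqdnFirewall(order)
    dns_ok = fw.snoop_dns_answer("192.0.2.53", "updates.example", {"198.51.100.10"})
    return (dns_ok, fw.evaluate("198.51.100.10", 443)[0], fw.evaluate("203.0.113.7", 443)[0])
```

With the DNS rule first, `scenario(True)` returns `(True, 'ALLOW', 'DENY')`; with it behind the deny, `scenario(False)` returns `(False, 'DENY', 'DENY')` because the mapping is never learned.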


Identity Firewall



Security
Identity Firewall
Per User/User Session Application Access with Identity Firewall (IDFW)

[Diagram: Employee Desktop Pool and Remote Desktop Session Hosts / Published Apps accessing Finance-App-1 and HR-App-1 (Web, App, DB)]

• Enforcement by the DFW at the Source
• Session-based
• Supported for both VDI and RDSH
• Granular On/Off per Cluster
• Requires VMware Tools/Thin agent


NSX Identity Firewall
NSX Distributed Firewall with User ID
• Integrates with AD/ LDAP
• Use Case – Protect VDI/ RDSH workloads
• Based on kernel-based Guest Introspection



Identity Firewall
Enable IDFW
IDFW is in disabled state by default. When a new cluster is added, it is in disabled state as well.


Identity Firewall
Configure Active Directory



Identity Firewall
Configure LDAP Server

The user shouldn’t enter their UPN as their username when configuring LDAP.


Identity Firewall
Create Security Group with AD Members



Identity Firewall
AD Members



Identity Firewall
Create IDFW Rule with Source as AD based Group



Distributed IDS/IPS



Traditional IDS/IPS Approaches Drive up Cost & Complexity
Adoption has been limited to critical / regulatory mandated segments of the environment

Before NSX IDS & IPS: traffic is hair-pinned to centralized IDPS appliances
• Throughput constraints
• Selective traffic inspection
• Lack of vMotion support, stale policies


Moving Analysis to Each Workload Breaks Traditional Trade-offs
New architectural approach makes it easy to analyze traffic at every workload

With NSX IDS & IPS: inspection at each workload (an NSX IDS & IPS instance per workload)

Traditional trade-offs: throughput constraints; selective traffic inspection; lack of vMotion support, stale policies


Moving Analysis to Each Workload Breaks Traditional Trade-offs
Operators can achieve scale & coverage, without need for massive throughput appliances

With NSX IDS & IPS: move inspection to each workload
• Scale out architecture, massive throughput
• Absolute coverage with no blind-spots
• Dynamic policies move with workloads


NSX Distributed IDS/IPS Security
Extending the Intrinsic Security paradigm for internal firewalling

[Diagram: NSX Manager (Firewall Manager, IDS/IPS Manager) managing Distributed Firewall + Distributed IDS/IPS on the NSX Virtual Distributed Switch]

• Distributed & Built-in Analysis – scales linearly with workloads, no blind-spots
• Curated Signature Distribution – fewer false positives, lower computational overhead on host
• Context-based Threat Detection – better alert prioritization
• Policy & State Mobility – simplify operations, eliminate stale / redundant policies


NSX Distributed IDS/IPS
NSX Distributed IDS/IPS
• Integrated with NSX Threat Intelligence Cloud Service
• Default set of signatures



Enable Advanced Firewall
Distributed IDS/IPS



Distributed IDS/IPS
Enable D-IDS/IPS
D-IDS/IPS is in disabled state by default. When a new cluster is added, it is in disabled state as well.


Distributed IDS/IPS
D-IDS/IPS Signatures
This setting ensures signatures are updated every 24 hours from the NTICS cloud (explained in next slide).


Distributed IDS/IPS
D-IDS/IPS Signatures (Contd.)

• Signatures are downloaded from NTICS
• NSX Threat Intelligence Cloud Service (NTICS) is a SaaS service used to update NSX Manager with IDS/IPS signatures
• NSX Manager in an SDDC communicates with the service via the SDDC’s Point of Presence (POP). No additional configuration is required from the customer.
• Signature update checks are performed every 24 hours. This interval is not configurable at this time.
• Customers who do not want NSX Manager to access the service directly can download the signature set and upload it to NSX Manager via API.
• The signature set contains both Trustwave and Lastline signatures.


Distributed IDS/IPS
Select Signature Profile
Profiles



Distributed IDS/IPS
Profile Signature Management



Distributed IDS/IPS
Policy



Distributed IDS/IPS
IDPS Rules
• IDS Mode Only
• IDS + IPS Mode (Both)


Log Insight Dashboard for IDS/IPS
Two dashboards are available in the NSX-T Content Pack
• Policy events (creation/deletion)
• Traffic – IDS/IPS network events


Log Insight Dashboard for IDS/IPS
Policy Overview Page
Displays counts on policy creation, deletion and change events
• Clicking the three-dot button and choosing View Log Query displays the details of the logs


Log Insight Dashboard for IDS/IPS
Policy Overview Log Query Details Page
Details contain information on the policy, action and more



Log Insight Dashboard for IDS/IPS
Traffic Overview Page
Displays counts on IDS/IPS events based on multiple options
• Clicking the three-dot button and choosing View Log Query displays the details of the logs


Disabling Add-Ons



Disabling
NSX Advanced Firewall – Add-on
1. Customers must deactivate the Add-on to stop billing.
*NOTE – Disabling specific features does not stop billing.

2. Deactivating the Add-on stops users from adding/ updating rules in DFW L7/ IDS.
3. Existing rules continue to persist, but are not enforced, until users delete them.


Disable Advanced Firewall
Disabling add-ons



What happens when the add-on is disabled?
• Configured add-on policy is retained, but the ability to edit it is disabled.
• Add-on policy is no longer enforced.
• If the add-on is re-enabled, previously configured policy becomes active.

Note that the Edit operation is disabled.


LAB
Lab - 6: NSX Advanced Security

1. Implement Context-aware firewalling
2. Configure FQDN Filtering
3. Implement Distributed Intrusion detection and prevention

[Lab topology: SDDC with Demo-Net and Desktop-Net; Route Based VPN with BGP; CGW, MGW, Edge NSX, vCenter, HCX; Connected VPC]

Thank You