NSX-T ATP - Lastline/Advanced Threat/IDPS/Security with Britton Johnson

Captions
All right, hello everybody. Good night, good evening, or wherever it is we are recording this tonight; good morning or good afternoon if you're somewhere else. Welcome back to vBrownBag. Tonight we are going to learn more in our NSX-T series with Britton Johnson, continuing with updates on Lastline, advanced threat, IDPS, security, lots of good stuff about advanced threat protection. But before we get to the main content we're going to do a few housekeeping notes. First off, we want those of you who are watching this live to get in on the conversation. You can use the Q&A right here in Zoom, you can tweet us at @vBrownBag, you can use the hashtag #vBrownBag, and get us your questions, get us your feedback, make this an interactive presentation. If you're not watching this live, make sure to head over to vbrownbag.com and go sign up there. You can join this broadcast that happens every week at 7:30 PM Central on Wednesdays, or you can check out our other regions or other-language podcasts to find the one that suits you. By the way, if you're watching this on YouTube, now you know you can join us live. Please come join us, be part of the vBrownBag community. I'm your host, Ken Nalbone. With me tonight is Britton Johnson, @vcixnv on Twitter. He's going to be giving us our update, so I am going to stop talking and hand it over to you, Britton. Ready?

Thanks, Ken. I know my Twitter handle's a mouthful, but it's not that, it's just I'm bad at talking. [Laughter] You gotta do what you gotta do. All right, let me get this turned down here, and let me do one other thing quick. Bear with me while I fight with my screens in the background here. All good? All right, I think I'm good. All right, welcome everybody to this week's session, the second session in this NSX-T vBrownBag series for 2021.

I'm going to talk over this disclaimer slide, because if there's anything that I'm going to talk about in this series that is potentially (and I quote, highlight the word "potentially") affecting future releases of the product, this would be the one. So take with this presentation what you will. As the note says at the bottom there, this is for informational purposes only, and so this is really just for our customers' edification of the direction of the security vision that, in essence, VMware has for NSX. There's really nothing that's not already public in this, but at the same time, being that I'm doing this in a public forum, I am required to give the disclaimer. So there we go.

So, NSX-T advanced network security. This is not necessarily a new space for VMware, but it is a space that is growing in attention, and something that we, especially where I am in healthcare, covering healthcare customers today, are seeing: really just lots and lots of our customers being under attack. So this is something that we're really focusing a lot of attention on, and we're getting a lot of feedback from customers that they need security services now more than ever.

I did this on the last one, but in case you haven't watched any of that: who am I? I'm Britton Johnson, I'm a staff solutions engineer in the Virtual Cloud Network vertical for VMware, covering healthcare customers, as I mentioned. I'm in the vExpert program still. I'm also on a team called VMware HCX Majors, where we specialize in things about the Hybrid Cloud Extension product suite, the add-on to NSX for cloud workload migrations, and we'll talk about that even more a little bit here as we move through the series. And then I'll also host another podcast related to that as well, so if you're interested in HCX you can certainly check some of that stuff out.

Looking through our agenda: we already did the first one, on 2.5 to 3.x, two weeks ago, so that should be out and available for everyone to consume at your leisure. Today we are looking at the NSX-T Advanced Threat Protection, or Prevention, add-in to NSX-T that is turning on additional security services. We'll talk a little bit about Lastline, who that is, what that is. We'll go through the advanced threat suite that Lastline is bringing to NSX-T. Some new stuff for me anyways: this idea of the MITRE security framework and what that is, I'll go through a little bit of that. We're going to talk real deeply today about the IDS/IPS, the intrusion detection and prevention systems that are built into NSX-T 3.1 today. And then at the very end of this I've got (Ken, don't laugh) a pre-recorded demo, so it's not a live demo, I'm sorry, but it's the one way that I can ensure that things are 100% going to work. So don't worry, cross your fingers, dot your i's, here we go.

What was that?

Not laughing, just smirking.

Okay. Two weeks from now, right before I go on vacation, I'm going to do a series on NSX-T design. This is kind of a selfish one, because when I went through the VCAP renewal to get my VCIX renewed there wasn't a lot of content out there on the web that I could find about the NSX-T design process without taking the full VMware class, which I did end up doing, and it's a great class to take, but I wanted to just do a recap really of what the VCAP-NV exam looks like, things that are required for that, and ultimately we'll talk about the pieces and components that you should consider when you're going through an NSX-T design. So that's two weeks from now. The last one, of course, we'll go through NSX-T migration and HCX, all the good stuff that brings.

As I always like to do with these learning resources, I'm going to refer back to this again this week as I did the first week. If you haven't watched the 2020 vBrownBag series, deep in the heart of COVID, that Ken and I did, go back and watch that. There's still lots and lots of valid content out there, and I'm still imploring the vBrownBag folks to not delete it from the YouTube channel, because it's good stuff. I'm still getting a lot of customers and partners and people sending me messages thanking me for putting that whole series together, and really your feedback is why I'm doing this again this year. The second piece of this: if you're looking for information on the advanced protection suite and what that is, really one of the best places to go for that is lastline.com. Again, I'll go into that in more detail here in a moment, but that's one good resource to go start learning some things. Otherwise, we do now have an NSX-T Intrinsic Security course where we dive into all of the things that I'm going to talk through in great detail today. So if you're pursuing an advanced security framework for your data center operations and you want training for your team about this, we do have actual VMware official training courses. This is available in the live online instructor-led five-day class format, or you can do it in the subscription format at your own pace, which is like a 30-day license where you can sit and take it at your own pace; you get access to the labs and the whole bit. It's a good thing. Again, I'm plugging Iwan Hoogendoorn's books. Iwan is a VMware PSO resource in the Netherlands. He did not tell me to plug his books, so I'm just doing this out of the goodwill of my own heart because
I want to, as a friend, and he did an amazing job putting these books together. If you're a reader and you want to read about how NSX-T works, check out Iwan's books; they are well worth looking into.

So, there's actually a little animation here with sound, so I don't know if you're going to pick this up or not. This is something that we see day in, day out. An email comes in, the users are questioning: what is it? Is it a virus? Is it an invoice? This problem crosses international borders, industries, devices, threat vectors; there are lots of different things, but ultimately the user ends up getting eaten by the virus, because that's just what happens. And then the punch line here at the end is great. [Laughter] I like that. But this is what we're facing, right? Is it a virus, is it an invoice, is it a thing? I remember back in my systems administrator days with a small insurance company where all of a sudden all of us got the email with the subject line "daily report," and of course it was a virus, and of course somebody opened it, because "oh, there's a daily report that I've never received before, I probably should look at that." So it proceeded to lock down half of the company's systems, and it was a bad day. But ultimately this is the problem that never goes away, and the proof of this is that we've been talking about this in earnest since the Adobe breach in 2013, or the Yahoo breach in 2013, or Heartland Payment Systems in 2008. These are really old data breaches. One of those federal breaches, Department of Defense or somebody, had one day where there were multiple government branches that were breached, not even on this list. It just never ends, even through to the modern-day things like the meat-packing outfit that was hacked, and the gas pipeline on the east coast here that was hacked. These things just don't seem to be stopping, and there are many different reasons and excuses for this. There's lots of finger-pointing going on politically to say maybe it's this country, maybe it's that country, but realistically it's just bad actors who are after things, and as long as there are open systems and things that are vulnerable, that have potential ways of being exploited, they're going to be exploited. I remember there's a really good joke from the guy who did the CBS late night show about the Yahoo breach, where he's just like, "Yahoo is going to let all of their 3 billion users know that they've been breached as soon as they Google how to do that." But this is what we're facing, and this is why advanced threat has become a big thing for VMware as a strategy for us going forward.

When we talk about network security, this is sort of the other piece where we're peeling back the onion and the layers of the network security personas and the people that we as VMware are talking to. VMware people who work for the company, we're used to talking to data center administrators and engineers and architects, and as an NSX engineer I'm used to talking to network people. But the network security teams tend to be yet another separate silo that goes off on their own tangents sometimes, and they have their own things that they're concerned about. So now we're trying to get around to crafting the things that we're talking about in language that they understand. This is a thing that I'm learning as a converted vSphere admin to an NSX admin to an NSX engineer for VMware: the network security space is even a little bit new to me in terms of how we talk about this thing. So as we learn more about this, the thing that I'm finding is, is there some common language, is there industry speak that comes along with this stuff? And the answer is yes, there is. There's this thing called the MITRE ATT&CK framework. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, and this is the overall structure that the network security world uses to communicate amongst themselves, to help determine and then emulate adversaries and validate their controls. It enables a standardized framework for evaluating their solutions, it's good for gap analysis of security controls, and it's globally accessible and continually updated. There are lots of different versions of MITRE that are out there, and you can map your security strategy to the various versions of the MITRE ATT&CK framework. I've heard it also described as kind of like the OSI network model on steroids, because there are so many different ways and means that you can look at MITRE from a strategic view. We'll just look at a couple of these things, but really we're just going to focus on the tactics side of it, because there's just too much to go into. Once you break it out there's something like 500 various techniques that bad actors can use to attack a network, and it's quite detailed in how deep MITRE goes, so it's almost impossible to try to get all the way through it. If you're looking for more specific information just about MITRE, you can go to attack.mitre.org to get the specific information from them directly. They are their own organization that manages how this is communicated.

So as we look through this, this is the tactics framework of what MITRE stands for and works with. With relation to where we're going with this and why this is important: a lot of this particular framework is being built into the NSX advanced threat protection strategy overall. Our big deal is we want to break down what they're trying to do. With their initial access they're trying to get into your network, and then everything leads to another thing: they're going to run malicious code, they're trying to get a foothold, they're going to avoid detection by other tools and other systems that you have in your network, and ultimately it's to gain things, or to move through, or to get your data, or to just ultimately take you down and destroy you. So depending upon who it is that's knocking on the door and trying to get into your network, that is ultimately going to determine the path that they can take once they can breach the inside. As they say, once you break the crunchy exterior and get to the chewy center, that's what they're really all after. And there are just too many ways that we can go about this.

Let me break out of this for a moment here. Part of what I want to look at quickly too is the Lastline website. When VMware acquired Lastline last year, we started the integration of them into our organization, and there's a lot of good general resources and case studies and solution guides and videos and webinars and all kinds of
good stuff on the Lastline site. So again, if you want more specific, security-centralized information, and even specifically information regarding the MITRE framework itself, that's all out here as well. Keep the Lastline resources in your mind, because as things move forward and as things roll with adding Lastline on board, we're going to see more of this type of thing from VMware as we move forward.

So, talking about the Lastline acquisition, what they are bringing to the table. This is the stuff that was kind of missing from NSX as a solution. The first piece of this is file analysis. What file analysis is to us, this is really just sandboxing. With sandboxing we take a file that's on your network, they execute it inside a secure location so the sandbox can determine if it's a threat; they can play with it and learn about it, and really just make the virus or the malware think it's talking to something when it's really not. In a virtual space we'll safely detonate these files and help understand more about them in a safe method, so that we're not doing this in production necessarily.

The second piece that this brings is the network traffic analysis part. This is really the ability to look for anomalies. So we're looking for anomalies in user space, what kind of activities users are doing; they're looking for anomalies in data, looking for anomalies in the network. Why is something suddenly trying to upload 20 gigs, versus something that it didn't do last week? And why would something access specific ports and protocols that maybe they weren't doing yesterday? We're going to look for those kinds of network trends and do analysis and comparison on that, and all those kinds of things add up to a specific security score that is maintained and operationalized by what the Lastline sensors bring into the network.

The third leg to this is the IDS/IPS piece of it. This is fed by file analysis: this analysis creates signatures based on the Suricata data source that gets distributed to all of our customers, so they can have access to the latest security threats before they become widespread. If you're not super familiar with the security world of things, Suricata is one of a couple of independent open-source threat detection engines. The two that are probably the most popular are Suricata and another popular one called Snort. These are sort of community-driven, open-source organizations that collaborate on intrusion detection and prevention and feed that data back out to vendors so that they can include them in their products for doing network analysis and an understanding of where the threats are coming from. So when you have a product like Lastline, or like NSX with IDS/IPS enabled, it's not a standalone, one-off product like the NSX distributed firewall where you just turn on the service and suddenly you have a secured thing. This is an ongoing thing that needs constant feeding and care and updating. For this type of stuff, to do the file analysis, we get five million samples a day of just bits of information about malware that we include as part of the service. So this is really a subscription service that you subscribe to, that we're constantly able to do data analysis against and understand these are the latest threats that are coming out. It's not unlike an antivirus service where you're getting constant access to a source of information that's going to help you avoid those threats in the future.

So of those five million samples you get a day, Britton, at VMware, are they coming from customers, or is it a ratio of other sources versus customers? What does that look like?

So in general the sources for something like Suricata, yes, they're coming from... this is across vendor lines, because Suricata is an open-source platform. It's going to accept things from any other security vendor that uses their data source feed; they'll feed that information back to them. Same thing for us when we use them as our data source: when we get information and we discover a piece of malware that maybe hasn't been seen before, we're going to feed that back into the feed, as it were, so that other organizations can learn about it and then start to see it as well.

So the last couple of pieces of this: we're doing user-focused networking, so again this is end-user security for routers, firewalls, SPAN ports and taps, very traditional data center network security focused solutions. We have various cloud sensors that will plug into public clouds so that you can have these types of security services turned on in public clouds as well. We're doing this in the general data center on-prem as well, and then really we're helping bring together this cohesive ability to manage the attack chain between all of the locations. That's really the long and short of what we're after with this.

So I've gone through this kind of track a bit, and I may even have covered this slide in the last episode, but it's just talking through this again. There's this kind of simple three-step process I break it down into, which overly simplifies it, but it is kind of necessary to talk about it. First, whenever we talk about security, we're doing basic segmentation, and we're going to leverage the layer 7 stateful firewall to provide segmentation of traffic and workloads, and then work on creating that zero-trust footprint throughout the data center. You create a simple segmentation rule like "this web app can talk to this database server, but this other segment can't." It gives guardrails in the environment and it helps prevent that lateral movement between things. The second piece of it here is layering in the IDS/IPS to protect the applications and analyze traffic between the workloads to look for those known vulnerabilities, and then we're essentially creating virtual patching for the application here. So when we have this turned on, and I'll go through this in the demo later, when we know about vulnerabilities in an application that have not been patched yet, we can see those vulnerabilities on the wire, recognize them for what they are, and then turn them off and effectively make them patched without actually patching the workload. It's still a best practice to patch those workloads, but because that's a time-consuming process, this is sort of the way around that, where you can shut off those vulnerabilities that are known and then later give your teams a chance to go back and patch the actual things so that they're not an open threat ongoing. Third, and the last piece, the network detection and response portion of it. This is when you're ready to step into this advanced game of where things are for security; this is where the rubber really meets the road, because now we can
do the real detection and prevention of even more sophisticated threats and anomalies. So this is where organizations like financial institutions and banks and insurance companies and healthcare organizations are all after this kind of stuff, because this is where the large money is for the bad guys. If they can get in and avoid the NDR systems that are keeping them out... those systems that are not protected by NDR are the ones that are the real honeypots that people are going after. So this is why, as VMware, as we evolve as a security organization, we're going to talk more and more about this kind of stuff, and you'll see a lot of content about this. I predict around VMworld time this year there's going to be a lot of security-focused conversations.

All right, so I want to quickly walk through what an attack simulation looks like. This is a sort of animated view from the Lastline tool and what it looks like, and I'll break out into the Lastline portal to show you a little bit of what this looks like live. But in general it's the same kind of thing: a user gets an email, it's got a bad attachment on it, and still something like four to five percent of successful malware attempts today are still coming in via email. If you do a little looking online, the VMware Threat Analysis Unit released a report at the beginning of this year based on information from 2020. It's an almost 30-page report where you can get the details of all of the different ways that organizations are being attacked. So again, if you're looking for more information, go pull the VMware 2020 threat analysis report; it's quite interesting reading. But yeah, somebody gets an email with a bad piece of malware on it, it attacks that endpoint. If we have segmentation with a distributed firewall enabled, we're at least limiting how far that piece of malware can get. So that's step one, having the distributed firewall turned on. Step two of that is the advanced threat prevention, where with the IDS/IPS we can detect the movement of this piece of malware in your environment and start to cut it off and block it. And then three, with the NDR response, we can ultimately really cut it off and completely stop it from getting anywhere. That's the overall view of where we're trying to run with this and go.

So this is what this looks like. This is the Lastline user interface at this point. Today it is a standalone installation; we can do this as a Lastline delivery for customers, and also if a customer buys the Advanced Threat Protection suite they get access to Lastline today. So this is something that we can deliver for customers today, and it's actually not overly difficult to stand up. It's really just putting a couple of sensors in your environment, allowing them to feed data back out so that we can read information that's happening in your environment. Part of the thing to note here is when we talk about the MITRE ATT&CK framework: when we break down an attack inside of the Lastline UI itself, we're actually following the MITRE ATT&CK framework right through this whole process and understanding the various things that are getting hit as an attacker is working its way through your organization. So that's where it becomes important to understand the terminology on the security side. The people in the security silos of the IT world, they understand this kind of thing, but as I've been surveying my own customer base, which is network admins, vSphere admins, MITRE and this kind of terminology is all new to them. So that's part of the reason I wanted to bring some of this into this particular talk, just to start to educate the general AD, vSphere, NSX admin population about this framework and about how these things are looked at, because we've been so busy just doing other things we haven't really kept up on what the security state of the world is. So again, as an attack comes in, we're going to call out all of these bits and pieces of this as they start to show information and give us threat information on who's talking to what and where the threat is going. So again, it's this same kind of thing: a user received an email that has a malicious document attached to it, it suddenly did some suspicious remote task scheduling that all of a sudden spread over to this other machine, now we've got a detected Emotet outbreak, it's feeding information up, and now we've got a suspicious Kerberos login, encryption... it just goes from one thing to the next to the next to the next. This is what is happening on a daily and minute-by-minute basis in customers' organizations today, because all it takes is one workload to not be patched properly, to have a vulnerable thing that somebody finds, and they exploit it, and all of a sudden they're in your environment and they can do whatever they want. In a lot of cases these kinds of initial attacks and attempts, when they sit in the environment, can be sitting there for sometimes up to 200 days before they do anything, and go completely undetected and under the radar for that whole period of time. And then in most cases, most organizations don't really realize they've been breached two, three, four, five, six months ago. But because there are so many vulnerabilities and there's a certain number of bad actor groups out there, they just haven't been hit yet. That's why we're seeing this wave after wave after wave of major outbreaks: because they've been breached, they just haven't been exploited yet.

All right, so that's the quick overview of what we're looking at from a security strategy, what Lastline is and what it's bringing to the organization. Lastline was founded by a group of really smart Stanford PhDs; these guys are malware scientists, and so the amount of just general knowledge and smarts that they're bringing into VMware about malware is immense, and it's really rounding out NSX and its security capabilities to another level.

Really the next piece of this that we're going to talk about is the IDS/IPS functionality that is available today in NSX-T 3.1. This is the stuff that, when you enable these services, you're taking your security strategy from just basic firewalling and networking and routing and segmenting your networks out, from level one security up to level two, three, four, five, ten, and really giving yourself an additional leg to stand on for security. So as we look at the typical traditional data center IDS/IPS infrastructure, this is stuff that we've looked at for a while. You've got virtual workloads up on the hypervisor hosts; they have to do their networking down through the physical stack; the firewall rules get processed on a physical firewall; they also have to then punt traffic over to the physical device for physical traffic
inspection, and those have their own management planes and management agents to take care of these physical devices. It's difficult because every time a piece of traffic comes through it's got to be hairpinned through the physical firewall, it's then also got to be hairpinned through the IDS/IPS and come back up, and it's kind of inefficient in the way that it works. If you have workloads spread across hosts, you're going to run into issues where you'll have inconsistent security policies applied, because maybe one thing gets applied here but it doesn't get applied somewhere else. It's inadequate for that kind of ability to scale applications across multiple platforms. There's lots of attention required, and it just requires teams of people to manage these things. It's just not really well thought out in the architecture that we have.

So this is where VMware and NSX take our strategy of laying out the distributed firewall and the distributed IDS/IPS on top of the NSX virtual distributed switch. Because we're doing this all in kernel space, all on the hypervisor level, we can enable these services right on the virtual machine vNIC, right outside the workload. So we're not having to install an agent, we don't need to mess with that; we can just do it right inside the kernel space, right outside the workload, in the most efficient place possible to do this. That's the beauty part of, and really the unfair advantage of, what NSX has: you configure this stuff inside the NSX Manager, it gets pushed down to the hosts, it turns on that service within the hypervisor itself, and it's just there. And it scales out nicely as things move forward. We get as well this ability to have curated signatures that help with false positives, and then the overhead of distributing these things throughout the different hosts; we'll look at some of that too in a little bit here. And really just having that ability of creating the security policy state that's mobile, that moves with the workload. It's the same type of idea where you create your distributed firewall policy that exists on one host; if the workload moves to another host, then the security moves with the workload, so when it comes over here it's available there. Again, this might be an overly simplistic explanation of it, but realistically what we're doing is trying to enable these services for customers to be able to provide higher and better levels of security for your organization.

So, good question. I've always loved the distributed firewall since its inception; it's great technology. I think it's cool that IDS/IPS is being distributed now too, so we don't have that hairpinning, keep the traffic local to the host as always. Just kind of curious what kind of overhead that's going to add to the host, like what should be accounted for, for customers who want to enable that in their cloud?

Yep, you're getting ahead of me. [Laughter] The simple answer, the quick answer of course on all these things, is go to ConfigMax, the VMware configuration maximums site. If you pull up the configuration maximums page for VMware (just Google it, you'll find it) you can plug in the NSX-T product version that you're on, and it'll basically give you all of the maximums and things that you need to consider in terms of throughput levels, number of firewall rules per host, number of firewall rules per vNIC; there are all those kinds of things out there. I have some of that built into the deck here that I'll go through, but I've just been so crazy busy I didn't have enough time to validate that the numbers in the deck match what's on ConfigMax, so always go with what's on ConfigMax, because what's in this deck might not be accurate. Some of these slides are a couple of months old and things change rapidly here.

Yeah, that's a good note. Like you said, you want that original NSX series to stay up on YouTube; we're going to keep this content up as long as YouTube exists, so folks who may be watching this in the future, don't listen to whatever we say on this, go look at ConfigMax on VMware.

Right, exactly. That's ultimately the source of truth as far as I'm concerned when it comes to those kinds of things.

Cool. All right, so again, if you watched the 2020 NSX vBrownBag series, which I'm going to keep plugging through this whole one so that people watching this will go back and watch that one, this might look slightly familiar, because this packet flow is extremely similar to how the distributed firewall works. From a configuration path, we're going to start with the NSX Manager. Inside of the NSX Manager we set up profiles, again very similar to what we do with NSX-T distributed firewalls and NSX-T in general; there's a whole section I did on profiles. Profiles in this context, we're talking about sets of signatures, and signatures relate to information that we get from those sources like Suricata. Those signatures refer to vulnerabilities within applications, vulnerabilities within products, and various common attack scores and
things like that um those then are trans are mapped to rules which are basically applied just like a firewall rule um and you know then those then get mapped into the rule table from the you know from the local control plane so you know if you're following this down um so yeah we we come from the nsx manager to the control plane you know the rules then get applied you know at the rule table or you know based on address set and then you know from the item and that's the distributed firewall path but that's also very similar for how things go through the ids ips path except for some of the ideas put parts of this will go straight to the idps engine and again that that idps engine effectively is surikana but we'll talk about that more in a minute here all right so so when we look at the general flow of this so as this kind of slide animation works it works its way through here um i'm gonna back back up a couple times and do this a couple times just to repeat this piece of it so when up a um a packet comes in from the to from a vm you know it's gonna then go over to the flow table the flow table is going to look at this you know and say you know is this an existing flow yes or no um if it's not um it's going to check it on the rule table from then the rule table will process it and check that on the distributed firewall and then if it's valid it's going to proceed and pass it on to the ids ips engine so this you know logically means that the distributed ids ips sits behind the distributed firewall in terms of order of process as we're processing these packets so you know it's important to know that bit of it especially as you're learning you know the inner workings of nsx for exams and things that i'll ask you these kinds of questions um and then after that you know if the traffic pattern matches and you know if it's a valid distributed firewall rule so you know it's something that the distributed firewall is not going to block immediately then it's going to punt that 
information from the flow table out to the ids ips engine once we get into the you know then then we're into this thing called the slow path where it's going to verify the traffic on the radius ips slow path for processing and the packet gets inspected if if they match it to an ids rule [Music] if the rule action is set to detect and prevent you know then we're going to update the flow table to drop that traffic and then any subsequent packets that match this are going to follow that same path as well you know if if it's something that we're set to detect only um you know that then at that point we're going to you know just alert based on what we've seen and the traffic will go through but you'll at least be getting some sort of notification within v within nsx to say this is happening um a bit of the uh important information part of this is you know because of the way that traffic is flowing you know from the distributed firewall up into the ids ips engine and back out even if you are in the [Music] detect only mode effectively the ids ips engine is in line with the traffic flow so you know if you have uh ids ips turned on and it's you've got some rules enabled and then some things turned on even if you're or you're not doing any enforcement with yodas ips there is uh you know load constraints and traffic constraints and things that you need to keep be aware of so that you you can understand you know the like as we can refer to the overhead that's going to start to happen on the front of the host itself for me for processing these things so even in detect mode we need to pay attention to throughput and scale as you go through this so a little more detail on audio's ips architecture you know we have two engines uh you know in the user space and your dv filter in the kernel space the db filter is really you know effectively you know the main piece of distributed firewall um and then we have then we lay on this shared memory space and then the shared memory region 
contains the user world library the you know the shared memory region can also be um used by the the vdpi agent to read packets that are punted up into the into there by the kernel module this also enables a common library that both engines can consume the packets that are sent up into them and only after these engines process and release the packets that are sent to them can they be forwarded on to their destination um and so it's you know again it's it's kind of you know sitting you know again really right next to um you know the the heart of the distributed firewall so that's how all these things are kind of baked together so you know and and here you know is kind of the cerakata engine that it's at it's open source you know finest where you know the window packet you know flows in um you know this piece uh from going backwards a little bit the the secure dot the circada engine is deployed on every esxi host so again it's you know part of the kernel framework that nsxt uses for processing traffic on the hosts um if if a host has one you know kind of important bit of detail on this particular slide is you know uh the the maximum host memory that this thing gets allocated to just the audio pc engine is one gig um so if you know basically with the security engine is turned on on a host it's going to take a gig except for if the host has less than 64 gigs of ram on the host then it's going to use less than a gig but you know for most hosts we see deployed in customer declines today they're well beyond 64 gigs in their ram um and so it's generally speaking not an issue but if you have a smaller deployment um you know you need to kind of plan accordingly again for scale and performance you know best practices but overall you know this is kind of what the six the idps engine architecture is built on all right moving quickly here so the overall configuration workflows is really you know not much different from what we do again on the distributed firewall side of things 
um it's really just you know yeah turning on the service and in terms of enabling the edius ips capabilities it is oh i don't have that page up there wrong screen in here so it's really just you know coming in and turning the service on um you know there's just you know a couple of quick toggles to turn on the idps services in general um you know the the signatures will be automatically updated you can push these signatures directly to the hosts on an automatic basis so as they periodically go out and sync themselves from the cloud you know then they can come down and automatically be pushed down to the host level um but so it's really just you know turning on the service you know setting up the global signature management creating profiles you know it's to group those relevant signatures together and then setting up um yes setting up the rule structure or for how how you know how it's going to process everything and then over over time then you need to you know continue to monitor things monitor events monitor stuff that's happening and then really the next part is fine-tuning and adjusting to make sure that you're not you know making things too tightly you know locked down and clamped down and really giving you that ability to sort of um you know you don't you know you know you don't want so much processing that you hamper the performance of your hosts but you want enough that you know you're you're not leaving yourself vulnerable to potential exploits and vulnerabilities so as we move through this you know kind of some of the highlight stuff that n63.1 brings you know we we went from having detect only united ids ips prior to 3.1 to detected prevent um you know and then giving us then the the drop and reject options for the per signature action um you know signature management you know we were able to manage these things globally now and then um you know with the various different attack types and targets um and pieces and components that make up you know what 
what really the idps engine is and we'll go through some more of the stuff here in a second with the demo um and realistically you know yeah it is it is sort of this ability to you know turn on uh the rules and in a per rule mode so certain things if you only want you know detect only in your vdi environment you can do that and if you want the applications to be detect and prevent to protect those you can do that so there's flexibility here in terms of how you build um you know your securities environment based on zones or groups or however you want to break it out important thing to highlight those for an attack to be blocked both the mode it must be to detect and prevent and the signature action must be drop or reject so there's kind of two components of things to be turned on here um we know when you're enabling this and you ultimately want you know real action to happen um and again you know even in detect only mode you know we are still in line um and so we've got to understand you know where um what we're putting on the hosts in these environments and then this is again just going through you know the different per signature drop action so again you know there's drop and reject or just plain alert based on the actual signature activity itself from the signature settings so you see you have things that to detect only detect and prevent and then when you get actually into the signatures there's actions in the city so there's kind of two levels of signatures and there are selections that you need to turn on some of these signatures do by default have um you know the the drop setting as as default because it's a known massive vulnerability and something that we want to prevent immediately and so you know when we turn those particular signatures on for those particular workloads the default setting from our you know signature setup is going to be to drop that traffic so if there's things that you know legacy workloads where you wouldn't want that to happen you'd 
have to kind of opt out of that to have that default drop enabled and we already kind of went through a little bit of the global scenario management um again profiles you know again this is very similar to setting up you know the profiles piece inside of nsxt in general um you know it's really just grouping together the signature signatures that you want to apply it into your rules and understanding you know what's going to be the critical you know severity structures within your organization um and how the how your application security strategy ultimately gets planned out a lot of these are based on specific products or even specific you know product types um you know so we'll have rules based around yeah wordpress apache drupal sql databases you know the the profiles are kind of pre-writ written and pre-configured in the environment for a lot of things and you know and it just kind of adds to the the simplicity of deploying these things for for environments and then this is this is not really not a lot of new stuff for for security you know admins they've done this in other tools for a long time this is you know how you would do it inside of nsx um on the event side this is a common common question is okay you know we have nsx advanced threat protection you know and for the security admins that you know look at this stuff their kind of big big you know first question is okay that's great but how do i get this stuff um how do i get notified about these events so you you know you you can you know view the events within the tool themselves um you know there's event filtering based on the signature actions and attack types um you know we'll give you the intrusion details within the ui itself as well um you can kind of kind of dive deeper into the intrusion history and see you know what happened in the last you know number of days um and then real really kind of you know continue diving through this you know you can look at you know the which vm filter v-neck the 
attack was seen on um then you know the user logged into the affected vm you know to understand who this thing was uh you know ultimately executed by um you know details about the last occurrence for that signature um you know where did the attack originate from where did the flow originate from um and again you could dive deeper into the history and then you know part of the history is actually seeing what nsx did to react to it um and so in this case you know we drop a rejected or prevented you know the the intrusion attack um or in another case you know we only just we alerted only because we detected it but since the policy was set to you know alert we're just gonna alert only on it once we see it in the environment and then you know we're gonna count as well um you know the number of attempts on this based on five double the other pieces of this eventing information so you know the the security admins best friend is their sim um and and their their external logging tool these come in multiple various forms you know and bringing them out of our tool into another tool is fully supported so if you have centralized logging as a security admin and you want to be able to consume this information in your centralized logging tool will be supported and this is something that is very much industry standard when it comes to security applications and feeding that data out [Music] to external sources and then you know just being able to do simple filtering on on the data that comes out so you can dive into those issues and figure out where they're coming from and then you know and then like the next piece of this thing is you know creating alarms based on these things and we'll do alarms within the ui itself of nsx or you know as most probably your security organization will do they'll be they'll do you know alarms a lot of times right out of their sim um so it just depends on what what it is and how they're configuring these things scale and performance side so back to 
ken's question um you know so this is some of the um you know things to consider um so yeah we're looking in this particular performance test environment you know 256 nodes 25 pro profiles a thousand ids ips rules um you know and we can store up to 1.5 million events over 14 days um you know and again that event storage piece gets bigger as you export it out to an external sim because then the storage requirement is based on what the sim can hold not necessarily what nsx can hold um and you know so this is you know where we start to see um you know performance things in this and you know there's um so as it relates to performance and scale i mean yeah again like i said go back to the config max page to understand where things are at today if you're watching this in the future um but in general the you know the way that there's multiple multiple things to consider when it comes to scale and performance on this um and that's really down to um you know number of rules in place number of signatures in place and then and ultimately the number of rules and signatures and distributed firewall rules in addition to ids ips distributed readiness ips rules per v-neck in some cases so as as of today the the rule the the capped rule per v-neck is about 3 000 rules so you know if you've got you know a distributed firewalling strategy that you're starting to hit that many rules um you know we might need to kind of take a look at your overall strategy to figure out maybe we can do things more efficiently but in general um you know that's that's kind of the highest cap i've seen and and though the one place i've seen some people you know raise concern about you know what's the ceiling really on this um all right again any questions before i roll through the demo none from me uh so let's go ahead hey and no shame in a recorded demo by the way all right i used to do it a lot in a previous job [Laughter] yeah i mean it's there's there's just so much in this um and i i have to give uh 
props to our security product manager his name is stein i'm not going to try to pronounce his last name on recording because it's you know very much german um and but you know he's a he's a really good guy really smart um he put this demo together for i believe for vmworld uh last year so in general this is you know full fully accredited design and in his amazing uh capabilities of building these things out so as we roll through this in this example we have a multi-tier application and we're going to see how an attacker is able to exploit a drug web front end of one of these apps and then laterally move within the network um you know they're going to exploit the database tier of other apps as well and this is a you know quite a common attack sequence that attackers use to gain entry and then move laterally within a network by executing a reverse shell and then you know it's this is their kind of standard mode of operation where they access one exploited application get inside the door you know pivot to another machine and then pivot to another machine and then keep exploiting things as they roll through so in this he's running a meta split script against a vulnerable drupal server and this is used as the pivot point to then attack a couch database and from there pivot again to another database and this can watching you know attacks happen in these kind of scripts is always fascinating to me too so from it then inside the nsxt ids ips ui we can see a real-time overview of the attempted reverse shell attacks against the two vm zap one and app2 and then you know so this little spike is those two attempts that just happened so then from here you know again we're going to turn on the ids ips features which is really just as simple as flipping flipping the toggle switch and then nsx manager is going to automatically download the latest signatures and we're going to we'll have those deployed down to your hosts in nsx transport notes then we're going to start and set up 
some profiles so bring in profiles group relevant signatures that we want applied and here we're going to we're enabling one for the application servers and another profile for the database servers when we edit the profile we can select the signatures to include based on severity of the common vulnerability scoring system um you know it's the price specific products that are affected again but you know wordpress or apache or drupal um and you know would for this very overturn around the specific product threats for like drupal and couchdb for this app so now we need to you know apply the profile to the workloads and you know we're going to do that with with with the groups that we've created and then the the assignment of those rules are ultimately going to be determined by tags that we've set up in the environment ahead of time so because we have a tag created on this workload already it's been automatically attached to this group and therefore because the tag is in existence and it's part of a part of the group the workload gets attached to the rule and then then in the first example the the attack was successful because it was set to detect only and looking at the events we could see that a signature fired showing the drupal exploit that was used we can see that app one and the app tier was the target of the attack we could bring up additional details you know about the vulnerability bring up additional details by expanding the event as well and then moments after that first one there was another signature that fired off with the remote code execution we can see that app one and and two the app and one and two db tiers were used as a pivot point and then you know [Music] exploited into the other two vms and we can see the intrusion history graph to see you know that full attack sequence and the action there if you noted is you know detect only all right for the second part of this demo we're going to look at how the distributed firewall plays into the security 
strategy so you know most organizations have a mandate to separate production and development workloads this is nothing new you know we can achieve this simply enough by adding tags to the respective workloads and then creating the appropriate isolation policy to these groups with a distributed firewall um so this is kind of basic macro segmentation just cordoning off um you know production from development and not enabling them to just speak to each other even if they're on the same network with the distributed firewall we can block them off and and have them have that happen again really with no changes to your networking and no changes to the overall you know strategy of how you're building your networks and that's one of the nsx's main advantages is you can do this without having to re-ip your applications so once customers have achieved the high level segmentation you know the next piece is going down into the micro segmentation level to work towards a you know zero trust architecture or that application and only allow flows in and out and in between that are required for the application to function and again we can do this with a tagging strategy so with those tags covering these additional services they again they get mapped to groups and there should be firewall and then that and then adding that to the default deny anything outside of that is permit you know that permitted traffic is denied and in this example the attacker would not be allowed to establish the reverse shell needed to continue the exploit because we have that default deny applied with the micro segmentation strategy so that's before we even get in the door of turning on the edius ips that's just basic security from just from the nsx distributed firewall so taking a look at the environmental and distributed firewall policy you know here we're just looking at yeah cutting off access from prada dev and turning that piece on we'll publish that rule and then going into the application section we 
can see the rules that the microseg the microsegs off the two applications you know looking at the group itself we can see how the virtual machines are automatically added you know due to those tags that are assigned to the workloads and again we've got these predefined services you know for those specific workloads to say you know what what they need to protect as part of that overall strategy so we're going to enable all these rules publish them out and that turns on our micro segmentation strategy so then we'll try this you know everywhere after we apply the rules we can see that the attack started again no reverse shell is allowed the attack cannot continue um and when we look at the ids ips we can see the signature fired and no further exploits were detected so you know again the idea ips is in line and attacking um but with the distributed firewall by itself you know we're blocking that attack and then we're alerting on it with it with the detection features of the ids ips the last piece of this is changing the ids ips mode to detect and prevent and this is without the distributed firewall in play and without the distributed firewall segmentation policy enabled with just the end of the you know ids ips in detect and prevent mode nsx will detect the offending flow and stop it dead in its tracks and so this is kind of that virtual patching piece of it where um you know as you know at the end there the action is dropped or drop and prevent you know or reject and so it prevented the attack before was able to do anything just based on you know what we know about these vulnerabilities that are out there um and so that's you know kind of the the the where the rubber meets the road and the type of security and strategy that we're you know embarking on here and building out for customers so that you know ultimately we can have more more secure environment that is what i had today and i thank you for your attention and your time and i'm looking forward to continuing 
this series over the next couple of weeks ken back to you awesome stuff thanks very much britain tons of content i'm sure folks are watching this on youtube you've been rewinding anytime i'm probably going to go back and have to watch re-watch this stuff if people found this after the fact on youtube um one more time britain let's remind them where can they find you where can they reach out if they have questions i muted myself um if they want to reach out to me for questions is that yeah yeah you're a friendly guy right yeah yeah yeah you can you can hit me on the twitters i'm adv's at vcix and v um you know that's probably the easiest way to find me um and so yeah for for anything nsx related i'm generally you know reachable on there um otherwise um you know as i always like to say you know contact your friendly neighborhood uh vcnse like myself or whoever is in your territory talk to your vmware rep um you know we're generally always to be able to answer questions um you know or talk to your local vmug leader like mr ken and he'll hook up with somebody as well there you go if you're in the indianapolis area you can ask me as well um thanks very much britain we'll talk to you on the next episode in this series and see you then thanks again
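Editor's added example, not code from the talk, from NSX or from VMware: a small Python model of the processing order the talk describes (flow table, then the distributed firewall rule table, then the inline IDS/IPS slow path) and of the two-condition blocking rule (rule mode must be detect and prevent AND the signature action must be drop or reject). It replays the three demo scenarios: detect only with no segmentation, default-deny micro-segmentation with the IDS still in detect only, and detect and prevent with no segmentation. The Packet, DFWRule, Signature and IDSRule classes, the substring "signatures" and the sample packets are all hypothetical constructs for illustration; the real engine is Suricata and the real policy is built in NSX Manager, not with this API.

```python
"""
Toy model of the distributed firewall + distributed IDS/IPS packet path described in
the talk. Everything here (class names, fields, sample packets) is an assumption made
for illustration; it is not the NSX policy API and not Suricata rule syntax.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # VM or host name (stand-in for a source IP)
    dst: str
    dport: int
    payload: str  # constructed sample content


@dataclass
class DFWRule:
    src_group: Set[str]   # VM names; "*" matches anything
    dst_group: Set[str]
    dport: Optional[int]  # None matches any port
    action: str           # "ALLOW" or "DROP"


@dataclass
class Signature:
    sid: int
    pattern: str   # substring stands in for a Suricata content match
    action: str    # per-signature action: "ALERT", "DROP" or "REJECT"


@dataclass
class IDSRule:
    mode: str                   # "DETECT" or "DETECT_PREVENT"
    signatures: List[Signature]


class Host:
    """One hypervisor host: flow table, DFW rule table, inline IDS/IPS engine."""

    def __init__(self, dfw_rules: List[DFWRule], ids_rule: IDSRule) -> None:
        self.dfw_rules = dfw_rules
        self.ids_rule = ids_rule
        self.flow_table: Dict[Tuple[str, str, int], str] = {}  # flow key -> cached verdict
        self.alerts: List[Tuple[int, str, str]] = []            # (sid, sig action, rule mode)
        self.ids_inspected = 0  # packets that reached the inline engine, in any mode

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int]:
        return (p.src, p.dst, p.dport)

    def _dfw(self, p: Packet) -> str:
        """Rule table: first match wins; with no rules at all the DFW default is permit."""
        for r in self.dfw_rules:
            if ("*" in r.src_group or p.src in r.src_group) \
                    and ("*" in r.dst_group or p.dst in r.dst_group) \
                    and (r.dport is None or r.dport == p.dport):
                return r.action
        return "ALLOW"

    def _ids(self, p: Packet) -> str:
        """Slow path: inspect the packet; block only if mode AND signature action both say so."""
        self.ids_inspected += 1
        for sig in self.ids_rule.signatures:
            if sig.pattern in p.payload:
                self.alerts.append((sig.sid, sig.action, self.ids_rule.mode))
                if self.ids_rule.mode == "DETECT_PREVENT" and sig.action in ("DROP", "REJECT"):
                    return "DROP"
        return "ALLOW"

    def process(self, p: Packet) -> str:
        k = self._key(p)
        verdict = self.flow_table.get(k)
        if verdict is None:               # new flow: consult the DFW rule table
            verdict = self._dfw(p)
            self.flow_table[k] = verdict
        if verdict == "DROP":             # DFW (or an earlier IDS drop) already decided
            return "DROP"
        verdict = self._ids(p)            # allowed flows always pass through the inline engine
        if verdict == "DROP":
            self.flow_table[k] = "DROP"   # later packets of this flow drop in the fast path
        return verdict


def demo() -> dict:
    """Replay the talk's three demo scenarios on constructed packets."""
    sigs = [Signature(1, "drupal_rce", "DROP"), Signature(2, "reverse_shell", "DROP")]
    exploit = Packet("attacker", "app1", 80, "POST /user/register drupal_rce")   # constructed
    shell = Packet("app1", "attacker", 4444, "sh -i reverse_shell")              # constructed
    out = {}

    h = Host([], IDSRule("DETECT", sigs))             # 1) detect only, no segmentation
    out["detect_only"] = (h.process(exploit), h.process(shell), len(h.alerts), h.ids_inspected)

    dfw = [DFWRule({"*"}, {"app1"}, 80, "ALLOW"),     # 2) only the web front end is reachable,
           DFWRule({"*"}, {"*"}, None, "DROP")]       #    everything else hits the default deny
    h = Host(dfw, IDSRule("DETECT", sigs))
    out["dfw_default_deny"] = (h.process(exploit), h.process(shell), len(h.alerts))

    h = Host([], IDSRule("DETECT_PREVENT", sigs))     # 3) virtual patching, no segmentation
    out["detect_prevent"] = (h.process(exploit), h.process(exploit), h.ids_inspected)

    h = Host([], IDSRule("DETECT_PREVENT", [Signature(1, "drupal_rce", "ALERT")]))
    out["prevent_mode_alert_sig"] = h.process(exploit)  # 4) mode alone is not enough
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last scenario is the one the talk flags as a common gap: a rule in detect and prevent mode with a signature whose action is still alert produces an event but never updates the flow table, so the flow goes through. The `ids_inspected` counter also makes the other point from the talk visible: in detect-only mode every allowed packet is still handed to the engine, so the host cost is paid whether or not anything is enforced.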
Info
Channel: vBrownBag
Views: 373
Rating: 5 out of 5
Keywords: IT Education, NSX, VMware, vBrownBag, vSphere
Id: dc_t4YM7xwg
Length: 66min 37sec (3997 seconds)
Published: Tue Aug 03 2021