To login to the environment, perform the following steps:

• First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN.
  If you do not already have an account please reference the instructions found here.                   
  Note: we only support customer sign up with their corporate email - do not to use personal email like Gmail (if doing so, no email activation will be sending out).
• If you are signing in for the first time and don’t have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account.
  

• Enter your TestDrive Username and Password and select ENTER.
  

• Locate the Multi-Cloud Security product under the Intrinsic Security tab and click Launch. Make sure that you open Multi-cloud Application Security Lab and refer it on a separate tab.

• A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
  Note: Please provide the short username (not your email ID) and password to login.
  

• Go to Apps tab.

• Search for the NSXSM desktop and launch it.

• Now you'll be on the Multi-Cloud Security desktop. At this point you can begin the walkthrough steps listed in the next section.

Double click on the TSM-Autologon icon in the desktop to launch Tanzu Service Mesh

While Tanzu Service Mesh Launches, do not press any key or click mouse. It may take 10 to 15 seconds to load.

Global namespace, a unique concept in Tanzu Service Mesh, defines an application boundary. A    global namespace connects the resources and workloads that make up the application into one virtual unit to provide consistent traffic routing, connectivity, resiliency, and security for applications across multiple clusters and clouds

Let's start reviewing the ACME Global Namespace in the TSM console.

1.  Click on Home -> Under GNS Overview ,                                                                                        

• Click on three dots and select Edit  "Global Namespace"

2. Review the ‘GNS Name’ and Domain name for GNS. Domain provides automatic service   discovery and manages service identities within that Global namespace. Click on Next

3. Observe Namespace Mapping Rules - It defines the services included in Global namespace.

• prod-tanzu-tkg-dc01 is the first On-Prem Kubernetes cluster and Name space mapped is  acme-app. The front-end of the application with shopping micro service is deployed on this cluster.

• prod-tanzu-tkg-dc02 is the second On-Prem Kubernetes cluster and Name space mapped is acme-app.The backend application Database with catalog micro service is deployed on this cluster

4. Click on Next to navigate to Auto Discovery.

• API Discovery - Tanzu Service Mesh API discovery is the capability that allows auto-discovery of APIs signatures between microservices running inside or outside the mesh
• PII Data Discovery - Tanzu Service Mesh learns the APIs with PII between the microservices deployed in the application environment.

5. Public Services  It is a way to expose a service outside its Global Namespace to enable external users to access the services.

• Service Name  It is the service we want to expose it to the external users for accessing the application
• Service Port  Port number where application service uses for connection
• Public URLs  Url available for external users to make a request to the application

6. GSLB & Resiliency  Defines Global Load Balancing Scheme, Health checks & High availability for public services in the GNS.

1. Click on Home. Under GNS Overview click on acmegns

2. Observe the properties of Global Namespace like health status and security type. After that   scroll down to GNS Topology

3. TSM generates a topology graph dynamically by observing the traffic flow between services in the GNS. The topology shows three key metrics of services.

• The Services incoming requests per second(rps)
• The Error rate, that is percentage of failed requests to the service
• The 99^th percentile latency of requests processed by the service.

Prod-tanzu-tkg-dc01  On-Prem Kubernetes cluster with frontend services of ACME Shopping Application.

Prod-tanzu-tkg-dc02 - On-Prem Kubernetes cluster with backend catalog services of ACME Shopping Application.

The connection between the shopping service in cluster01(Prod-tanzu-tkg-dc01) and the catalog service (Prod-tanzu-tkg-dc02) shows the traffic flows between them.

A service group is a collection of services in the Global Namespace. We can observe the aggregated metrics for the services in the group or consistently enforce policies across the service group.

Service groups serves two main purposes:

• To monitor relevant metrics such as ‘requests per second’, ‘latency’ & ‘error rate’ across the services in the group.
• We can also define & apply consistent Access control polices to the entire service group.

1. Click on Security under GNS Topology.

• An access control policy is applied between shopping service group and catalog service group.

2. Click on frontend-catalog to review the policy.

• Shopping service added to the frontend group and Catalog service added to the catalog group.
• Click on edit policy to view the detailed Access Control Policy configuration

3. Review the Access Rules of Access Control Policy between the service groups.

• Policy Name  Name of the policy for Access rule.
• GNS Scope  Global namespace scope, under which service groups are created
• Source and Destination Services  Drop down will list all the services groups created under specified GNS scope, Service group can be selected as per the requirement.
• Policy Intent  Define the type (Allow/Deny) of traffic using drop down All Traffic, Specific TCP Connections, Specific HTTP Requests. Click on cancel after reviewing.

Note: For creating service group navigate to Inventory -> Service Groups

1. Click on APIs, select shopping service and open it to view all the APIs.

2. Observe the shopping service topology under service dependencies.  

• Service Topology depicts the traffic flow between the Shopping service to all other connected services via APIs.
• Under APIs & Connections, All the incoming API methods and Path are listed.

Click on any API(/products). All the API data like Schema and logs are available

3. You can use the topology to understand about all the APIs involved and to determine the key security events.

• API Overview  Contains Key security events, Top errors, latency information.
• API Schema consists of Request information, API Response code and JSON data of Schema.
• All the API traffic logs data is recorded between source and destination services.

   Click on back button twice to navigate GNS Topology under acmegns namespace

Tanzu Service Mesh discovers the components of the application, APIs, PII data and application users. It then learns the behavior of application and creates a baseline of normal behavior.

1. Click on PIIs, we can see GNS topology with no PII data detected. Let’s place an order in ACME shopping application to visualize how PII data is automatically captured and presented within the topology.

2. Open the ACME fitness shopping application in chrome.

• Open google chrome and access the application and place the order of an item of your choice.
• http://shopping.vmware-demo.net
• Select any item from catalog and add to cart
• Click on Item s IN CART on top right corner of the window.
• In shopping cart, click on Proceed to Checkout.

• Under Checkout-Address, Provide the required information as shown below and click on Continue to Delivery Method

• Continue to Payment Method and populate the payment information as shown below and click on continue to order review
• Card Type - Mastercard
• Credit Card Number - 5105105105105100
• CCV - 123
• Expiration Month - 01
• Expiration Year -2023

• Under order review, proceed to place an order as a final step to complete the order placement

3. Navigate to TSM console to review PII data under GNS Topology.

• In the GNS topology the data flow between the services is highlighted
• The PII data traffic in each microservice from beginning to the end is captured.
• How the application handles sensitive PII data, which services are involved in total transaction is shown.

1. Click on Attacks under GNS Topology.

2. Click on shopping service to view the detailed overview of security events and APIs involved in the attack.

• Under service dependencies select Attacks.
• Under Incoming APIs click on /Products API to navigate to security events.

• Under API Overview security analytics provides total security events with PII and Attacks detected data.

• Scroll down to security events. Observe the Timestamp, severity, Event title, Destination Service and Attack information for each attack.
• Post reviewing the events, Click on Home.

3. API security policies are to secure and segment the applications against API and deep payload layer threats. TSM’s Global Namespace construct, to offer discovery, detection and behavioral security and observability capabilities across multi-cloud environments.

• Under Home Expand Policies > Click on API security under Policies
• In API Security, under acmegns, Click on three dots next to shopping and select Edit Configuration

• API security policies offers to enforce consistent policies with Access control, PII Data Security, Attack defense and schema validation.
• Observe the type of actions allowed for each security policy.

2.7 TSM Security Threat Remediation (tbd)

Tanzu Service Mesh helps teams overcome the performance and security visibility gaps resulting from distributed microservices architectures and adoption of multiple platforms and clouds. Operations teams have access to rich troubleshooting tools, including multi-cloud topology maps and traffic flows, performance and health metrics, and application-to-infrastructure correlation.

SQL injection attacks of data-driven web apps, also simply called SQLi attacks, have been a serious problem of late. A SQLi attack happens when an attacker exploits a vulnerability in the web app’s SQL implementation by submitting a malicious SQL statement via a fillable field. In other words, the attacker will add code to a field to dump or alter data or access the backend. A successful malicious SQL statement could give an attacker administrator access to a database, allowing them to select data such as employee ID/password combinations or customer records, and delete, modify, or data dump anything in the database they choose. The right SQL injection attack can allow access to a hosting machine’s operating system and other network resources, depending on the nature of the SQL database.

For this demo, the real question is, how do we prevent it to the best of our ability?

First, we must understand how to prevent SQL Injection Attacks.

The Open Web Application Security Project OWASP provides an overview of how to avoid SQL injection attacks. While there are various SQL injection attack tools on the market, there is no substitute for implementing best practices for preventing these attacks. Here are some of the OWASP top strategies for preventing SQLi attacks.

• Prepared statements/parameterization
• Stored procedures
• Input validation
• Escape user-supplied input
• Limit privileges
• Update and patch regularly
• Web application firewall (WAF): is an important part of a larger security solution that detects SQLi along with other threats. WAFs typically do this in part by relying on detailed lists of signatures that are constantly updated, so they can surgically excise threats, including malicious SQL queries.

So, let us focus on WAF and how Avi WAF can help.

AviWAFprotects web applications from OWASP Top 10 threats such as SQL Injection Attacks and Cross-site Scripting (XSS) and other common security vulnerabilities while offering customizable rule sets for each application.

The architectural advantages of the Avi platform power Avi’s WAF, gaining real-time application security insights thanks to the platform’s strategic location in theapplication trafficpath. This architectural advantage and the platform’smulti-cloudcapabilities extend to WAF network security

Majority of the SQLi exploits are successful when CRS rules and signatures are not updated.

The biggest advantage of Avi WAF is that it can subscribe to the latest updates on WAF signatures and CRS rules.

Now let us see how WAF protects the application from an SQLi attack

https://avinetworks.com/docs/21.1/waf-monitoring/

Access to Avi Controller

The console is accessed through a supported supported web browser Chrome. Login to Avi Controller:

• Click on Avi-Controller Auto Logon shortcut on the Desktop. Shortcut will open the URL to NSX: https://dal-avictrl01.nsx-sdfw.local/
• Username/Password: Sign in is automated, so please don't touch the keyboard/mouse during 15s of process. If you do so, please close all Chrome windows and reopen the link again.

Avi WAF protects web applications from OWASP Top 10 threats such as SQL Injection Attacks and Cross-site Scripting (XSS) and other common security vulnerabilities while offering customization rule sets for each application.

1. Click on cloud services as an admin to subscribe to the latest updates  on WAF signatures and CRS rules
2. Click on Edit
3. Click to enable the updates
4. Click Save
5. Let us now change the tenant to "Demo"
6. Click on the Demo tenant
7. Next up, we will see how Avi WAF automatically protects the application from SQL Injection threats. 
8. For this demo, we will consider the WAF_Demo_VS virtual service. The shield icon around the virtual service indicates the application is protected by the Avi WAF. Let us click on it to application details and other details including security logs and WAF policies.
9. Notice the application details including the end to end timings. It is a great way to understand the application behavior and instantly detect if the application behavior is sub-optimal or if it not responsive. For this demo, let us look at the logs.
10. Click on logs
11. Notice certain requests are rejected by the WAF. One particular request that is of interest to us for this demo is the SQL Injection.
12. We notice the request ended abnormally because of a WAF policy match. To learn more abou the response code 4xx, let us scroll down a bit more.
13. Notice the WAF is suggesting the match with a signature called CRS_942_Application_Attack_SQLi
14. Notice the CRS rule 942100
15. We can further learn about this signature by editing the signatures settings in the WAF policy section.
16. Click on signatures
17. Click to expand
18. Click to show the rule
19. Notice the CRS version CRS-2021-4 which is the latest release from OWASP that is protecting the application. We can scroll down further to notice the exact policy match and understand why the request was rejected in the first place.
20. Notice the exact reason for the request being rejected. Avi WAF proactively provided application security by syncing with the latest releases from OWASP. 
21. We can confirm the latest AVI release including the Avi CRS which is the default signature based protection for Avi WAF is consistent and up to date with the OWASP releases.
22. Finally we can confirm the same from the OWASP website as well.

Access NSX 3.2 Manager.

The console is accessed through a supported supported web browser Chrome. Login to NSX Manager:

• Click on NSX-Mgr AutoLogon shortcut on the Desktop. Shortcut will open the URL to NSX: https://ns-nsxmgr01.nsx-sdfw.local/
• Username/Password: Signin is automated, so please don't touch the keyboard/mouse during 15s of process. If you do so, please close all Chrome windows and reopen the link again.
• In case you prefer using manual login, please click on NSX icon inside Lab Access folder and enter your Testdrive credential@vmtestdrive.com / password.

Multi-cloud Networking with Antrea Demo Steps

In this demo we will demonstrate to manage network policies across multiple K8s cluster and NSX also provides central policy management, visibility, and network troubleshooting for these multi-cloud K8s clusters.

We have two K8s clusters onprem and aws all are running on Antrea CNI and clusters are registered with NSX .

1. Click on Inventory Overview and Validate the Containers section.
2. Click on Containers and select clusters , Review the K8s-Cluster01 & 02.
3. Click on Namespaces to see all the deployed namespaces.
4. Click on Security, Under Policy  Management Select Distributed Firewall.
5. The DFW rules are applied to two container clusters deployed on prem and aws cloud.
6. These are application DFW rules configured as per the application services.
7. Select the rule frontend to appsvc  and click on Action select Drop
8. Access the acme fitness application from URL http://shopping.vmware-demo.local
9. You can observe the application is accessible but all the catalog items are not available in the website
10. Navigate to NSX manger
11. Select Plan & Troubleshoot
12. Click on Traceflow , Select Antrea Traceflow
13. Fill in the below details to start Traceflow and Click on Trace

      Cluster - k8s-cluster01

      Protocol Type - TCP

      Source Port - 3000 Destination Port - 8082

      Source Pod - shopping Destination Pod - cart

14.   Observe the Traffic dropped by Cluster Network Policy.

15.   Click on Security, Under Policy  Management Select Distributed Firewall.

16.   Select the rule frontend to appsvc  and click on Action select Allow

17.   You can observe the application accessibility is restored completely.

Antrea with NSX provides Multi cloud , multi-cluster Kubernetes cluster central policy management, visibility, and network troubleshooting

1. Click on Inventory Overview from the NSX Manage and Navigate to Container Section. Click on Clusters as shown in the below image.

2. Observe the k8s-cluster information from the NSX UI.  Expand the K8s-Cluster5  and click on each section "Nodes", "Pods", Kubernetes Services and view the detailed information.

3. Click on Namespaces and scroll down to find the Namespace "yelb" running on cluster k8s-cluster5. Click on pods to see the running pods in Yelb namespace.

We have familiarized with the Containers inventory section. We can get the detailed information about the K8s clusters, Pods and Kubernetes services running in the cluster.

You can create Antrea groups when the NSX has one or more Antrea container clusters registered to it. An Antrea can include static IP address, membership criteria, or both.      IP address can be Pod or Service IP addresses.

Currently supported member types for creating Antrea group  are Name space , Service & Pod.

1.  In Inventory section, Click on Groups . List of existing groups are shown under groups section. Check the groups starting with name yelb. For demo we will edit one group called yelb_frontend to view the membership criteria.  Click on 3 dots next to yelb_frontend and click on edit.

2.  Click on criteria to view the Antrea Group Membership Criteria. Click on Cancel

You can create Distributed Firewall policies (security policies) in NSX and apply them to registered Antrea container clusters to secure traffic between Pods within a container cluster.

An NSX security policy can be applied to multiple Antrea container clusters. However, the policy can secure traffic between Pods within a single Antrea container cluster. The following traffic is not protected:

• Pod-to-Pod traffic between Antrea container clusters.
• Traffic between Pods in an Antrea container cluster and VMs on hosts in the NSX environment.

1. Click on Security and Distributed Firewall under Policy Management. DFW rules has been configured under the Yelb_App Policy. These rules establish the connectivity between all the pods that makes the yelb application.

2. Access the yelb application. Open a new tab in the chrome browser and type the url http://yelb-ui.vmware-demo.local/ to view the application. You can interact with application by clicking on vote button.