NSX 4.1 Security Lab Walkthrough

Updated on

About NSX 4.1 Security Lab

Your enterprise can now deploy VMware NSX Security as a standalone security product, deploying it in an existing environment with no changes to your network. NSX 4.1 provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. NSX 4.1 makes it easier for you to enable Zero Trust application access across multi-cloud environments—so you can secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale. 

In this NSX 4.1 Security Lab, you'll get hands-on experience with NSX Security Advanced Threat Prevention features such as Malware Prevention, Network Detection and Response, Intrusion Detection and Prevention System, DFW micro-segmentation, and more.  This lab is intended for intermediate to advanced-level users exploring VMware NSX security use cases, helping you to explore security concepts and plan with NSX 4.1.

How NSX Advanced Threat Prevention Combats Ransomware

This lab will use a scenario involving ransomware, which is one of the most common threats in the modern cybersecurity landscape. There are many different variants, but the purpose remains largely the same for attackers: to generate as much revenue as possible by extorting their victims.

Like other forms of malware, ransomware is delivered by cybercriminals exploiting vulnerabilities in an organization's system. For example, attackers will take advantage of systems that have already been compromised or use social engineering tactics, such as phishing emails that attempt to trick users into downloading infected files or clicking on malicious links, to gain initial access to the victim's network. Once inside, attackers follow a multi-staged approach to take over files or systems, exfiltrating or encrypting key information to render it unusable to the organization. The attacker will demand a ransom be paid in exchange for a decryption key, which will presumably return the files to their original state.

Let's now see how NSX Advanced Threat Prevention (ATP) can help prevent and protect against these attacks.

Benefits of NSX Advanced Threat Prevention

By incorporating a leading ATP solution into your security stack, you harness three critical advantages:

  • Maximum Network Threat Visibility: In using multiple threat detection techniques at once (IDS/IPS, NTA, Network Sandbox, etc), ATP delivers deep visibility into all your network traffic.
  • Advanced Malware Detection: ATP helps secure both Private and Public Cloud workloads against threats that have been engineered to evade standard security tools.
  • Lower False Positives: ATP can greatly improve the accuracy of your alerts, which means your security teams can focus on a smaller set of actual intrusions.

One of the most performant ATP solutions available today is the VMware Advanced Threat Prevention offering for the NSX Service-defined Firewall. Using a combination of network traffic analysis, intrusion detection and prevention, and advanced malware analysis with comprehensive network detection and response capabilities, the solution is purpose-built to protect data center traffic with the industry’s highest fidelity insights into advanced threats.

How Does NSX Advanced Threat Prevention Work?

Fundamentally, ATP solutions perform sophisticated detection and analysis on suspicious network traffic, often employing hardware emulation, and supervised and unsupervised machine learning models. ATP solutions attempt to identify threats early—before they can do damage—and respond quickly in the event of a breach.

The goal of this lab is to illustrate how NSX Advanced Threat Prevention security solutions help organizations to gain actionable insights into advanced threats and to defend against their attack vectors.

Section 1: Before You Begin 

1.1 Access to the Lab

To login to the environment, perform the following steps:

  • First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN
  • If you are signing in for the first time and don’t have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account. See this guide.
  • Enter your TestDrive Username and Password and select ENTER.
  • Locate the VMware NSX Security product under the Intrinsic Security tab and click Launch. Make sure that you open NSX 4.1 Security Lab guide and refer it on a separate tab.

*In case of long idle or got disconnected, please log-out from the upper-right corner and re-login to Launch a new Horizon desktop or switch to Incognito browser instead of Chrome/Firefox.  

  • Click LAUNCH
  • A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
  • Note: Please provide the short username (not your email ID) and password to login.
  • Click on Apps section and search for the NSX Security desktop and launch it.
  • Now you'll be on the NSX Security desktop. At this point you can begin the walk-through steps listed in the next section.
1.2 Access NSX 4.1 Manager

The console is accessed through a supported supported web browser Chrome. Login to NSX Manager:

  • Click on NSX-4.1 shortcut on the Desktop. Shortcut will open the URL to NSX: https://nsx-mgr.vmwdp.com/.
  • Username and Password to login to NSX manager are available in the Credentials file on the Desktop
1.3 Prerequisites for Ransomware lab

In the lab, to simulate an enterprise environment, the following VMs have been deployed: a VDI Desktop and a production Database server.  These two VMs are connected to NSX overlay segments.

A supplementary VM has been deployed to play the role of an attacker, an external resource from where the attacks are initiated. This VM is attached to a VLAN type port group to a virtual distributed switch. Agent operating system (OS) type and roles are as follows:

















NSX Ransomware Lab Topology

1.4   Networking and Security with NSX ATP

VMware NSX is a full-stack Integrated from Layer 2 to Layer 7 Networking Security. Complete East-West Security for Zero-Trust Ransomware and Lateral movement of threats make East-West the new battleground.

NSX DFW Distributed Firewall (01) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.

VMware NSX Threat Prevention (02) helps make it easier to protect your organization from ransomware. With just a few clicks, you can enable NSX features that detect and prevent malicious files from moving through North-South on your NSX Gateway Firewall (04). NSX Network Detection and Response collects traffic to uncover all threat movements, correlating and visualizing the complete campaign blueprint.

NSX Distributed Firewall and NSX Advanced Threat Prevention along with NSX Advanced Load Balancer running across Clouds offer a software-delivered, distributed architecture and advanced threat prevention. It enables Zero-Trust security, easy to deploy and automates policy while reducing overall costs.

NSX Intelligence (03) is a comprehensive security solution with AI/ML capabilities built-in that provides visibility and context to security teams both Layer 4 and Layer 7, enabling customer to quickly identify and respond to security threats. NSX ATP, on the other hand, is a set of advanced security features that can detect and prevent sophisticated attacks such as malware, ransomware, and phishing. By combining the capabilities of NSX Intelligence and NSX ATP, network security teams can detect, isolate, and remediate security threats before they cause any significant damage

Section 2: Ransomware Attack with NSX ATP Use-case

2.1 Mitigating Attacks in Your Network

VMware NSX Advanced Threat Prevention platform features (Malware Prevention, Network Detection and Response) provide visibility and protection against ransomware threats, allowing you to act  quickly to mitigate attacks in your network.

To resolve the attack scenario in this lab, you will use these features across four primary steps:

2.2 Attack Story

The lab has deployed the NSX Advanced Threat Prevention security features in detect mode only. This allows us to observe the entire multi-stage malware attack chain, from Initial access to Execution to its last phase, the Exfiltration of the stolen data. An Attacker has gained access to one of your employee’s VDI Desktop through phishing. Laterally moving through your network, the Attacker drops DarkSide executable ransomware in a customer relationship management production Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.

The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX Advanced Threat Prevention.

Note: The attacks simulations are automatically generated in this lab, so you can directly start investigating the threat events.

2.3 Investigate - NSX Malware Prevention

Your first step will be to inspect the malicious files downloads captured by Malware Prevention.

NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

Let’s start the investigation of the attack from the NSX console, using it to review the threat events.      

2.3.1. Navigate to Malware Prevention to start investigating the compromised VDI Desktop & Database workload.

  • Click on Security (1) in NSX manager
  • Click on Malware Prevention (2) under Threat Detection & Response.
  • Change the Timeline (3) to Last 14 Days.
  • Under Potential Malware, observe that a malicious file has been detected in inspected files. Click the expand icon (1) to investigate. These are the details you will find: 
    1. DarkSide malware is downloaded from Attacker to VDI Desktop and the Database Server.
    2. Attacker ( --> VDI Desktop (
    3. Attacker ( --> CRM Database Server (192.168.20.xx)

Note: IP addresses in the lab will be different from the lab guide but subnet of the each VM will be the same.

  • Click the number next to Total Inspections (2). You’ll see the malicious files activity detected by the NSX deployed on NSX Edge Nodes. The Darkside.exe file has been downloaded from the server (10.51.16..2xx) to the VDI Desktop ( and Database Server (192.168.20.x)
  • Click CLOSE (1) once you’ve reviewed the file activity.
  • The malicious file Analysis Overview provides quick access to understand the malicious file type and its threat level. In this scenario, the malicious file was delivered inside a Zip-type archive. You will see the file’s first submission time as well as different hashes calculated for the Zip archive.
  • Next, scroll down to Threat Level.
  • Under Threat Level, you’ll find the complete risk assessment including the antivirus family and class, malware family, and the maliciousness score for the identified malware. The risk score for the detected malware artifact is set to high, which indicates a critical risk and that action should be prioritized.
  • Click Report
  • With the Advanced Malware Analysis NSX Sandbox, tou can investigate the file further. The sandbox provides a dynamic analysis of the file with full-system emulation to enable accurate detection and prevention of unknown and advanced threats.
  • To access the dynamic analysis report, click on link icon as highlighted under Score details.
  • Inside the NSX Sandbox, you can access analysis of the malware artifact’s complete behavior and a list of actions observed during the dynamic analysis. The malware activity types are mapped to the MITTRE ATT&CK technique for a better understanding of the malware attack chain.
  • Click CLOSE (1) after viewing the threat level report.

2.3.2. NSX Network Detection and Response (NDR) enables you to visualize complete campaign blueprint.

A Campaign is a correlated set of incidents that affect one more workload over a period. It provides the visibility of entire cycle with the list of compromised hosts and threats detected along with their timeline of attack occurred.

To access the campaign blueprint:

  • Click Security Overview(1).
  • Under Security Overview, click Threat Detection & Response (2).
  • Select Last 2 weeks(3) from the filter drop-down menu
  • Click Go To Campaigns(4), It will open a new tab NSX NDR Network Detection and Response Tab in your browser.

2.3.3. The NSX Security campaign page displays campaign. On these cards you'll find information like Campaign ID, calculated threat score, latest attack stage, hosts affected, number of threats and status of campaign

  • Click Campaign ID(1) to explore further details.
    Note: Select the campaign that's at the EX FILTRATION stage.
2.4 Investigate - NSX Network Detection & Response

2.4.1. When you select the campaign ID, you’ll find details and an interactive graphical blueprint for that campaign.

  • View the THREATS widget (1) for current threats that NSX NDR has detected. The severity of threat is color-coded Red for High, Yellow for Medium, and Blue for Low.
  • View the HOSTS widget (2) to see current hosts affected. The severity of threat is color-coded the same as threats. Note: The host is defined as any device with an IP address, not a hypervisor in this context.
  • View the Attack Stages widget (top right) to find the current campaign attack stages mapped with the MITRE ATT&CK framework. Mouse hover on the each attack stage to view detailed information of each attack stage.

View the Campaign blueprint widget for an interactive graphical representation of the campaign. It highlights hosts involved in the campaign (both internal and external to the network) and threats that affected the hosts.

  • The NDR campaign blueprint maps each threat detection along with techniques for greater understanding key events in the campaign. 
  • Drag the icons with your mouse to match (the placement of icons suggested as above
  • Inspect it to map each step described in detail, as shown in the following table.

2.4.2. The Hosts tab (1) displays a list of hosts affected with threat information so you can observe the latest activity for attack stages

2.4.3. The Timeline view shows the threats detected by NSX Network detection and Response in Threat Cards:

  • Click Timeline(1). Each threat cards under timeline have a host that is connected to a threat, calculated Threat score, Threat name, Class, and other actions.
  • Select Sort by Earliest (by start time) (2) to arrange the threat cards in the sequence of attacks with their timeline.
  • Observe the timeline on each threat card, event date and time, and IP address.
  • Expand the icon > (3) to view the related evidence summary about the threat, as shown in the following table. To better understand the threat, note the evidence of malware identified and overview of how the malware behaved.

Once the analysis is completed, close the NSX NDR tab and switch to the NSX Manager browser window.

Next, you’ll need to determine how to prevent future incidents by following the steps in the following section to configure the IDS/IPS and Malware Prevention policies.

2.5 Attack Prevention with IDS/IPS

IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.

IDS/IPS and Malware Prevention policies are deployed in the Detect-only mode. To prevent the attacks happening in your environment,  you should change the rules to Detect and Prevent.

Note: For this lab, users aren’t allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.

2.5.1. Validate the Mode of the rules configured in IDS/IPS & Malware Prevention.

  • Click on Security (1).
  • Under Policy Management, click on IDS/IPS (2).
  • To validate the currently configured rules, click Distributed Rules .
  • Review the Gateway rules configured for Malware Prevention.
  • Click on Gateway Rules (1). Select  Gateway NSXSecOps-T1-VDI from the drop-down.
  • Expand NSXSecOps-VDI (2) to check the mode of Gateway rules in Malware Detection-Employees. You will see that both rules are configured in Detect-only mode.

2.5.2. Change the IDS/IPS & Malware Prevention rules to Detect and Prevent mode.

  • In the same Distributed Rules view, select IDS-Employees (1).
  • Click the drop-down menu for the mode and change to Detect and Prevent.
  • Follow the same steps for the Malware Detection-Employee (2).
  • Once the changes are made, click PUBLISH (3) to apply the rules.

In the following section, you’ll learn about NSX Distributed Firewall, which provides visibility and control for virtualized workloads and networks. The section will take you through the methods to prevent attackers from moving laterally within the environment using micro-segmentation of East-West communication between workloads.

Section 3: Micro-segmentation with NSX Distributed Firewall

3.1 Introduction

NSX Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.

In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is data centers facing a lack of lateral prevention  between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access the crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.

The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.

3.2 Rules for predefined categories

DFW comes with predefined categories for firewall rules, allowing you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.

Distributed firewall comes with predefined categories for firewall rules. Categories allow you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated top down.

NSX micro-segmentation Network Topology: Attacker --> VDI --> CRM-DB

3.2.1 Ethernet – Layer 2 policies are the first line of defense and should be considered before layer 3 rules.

  • In NSX Manager, select Security (1)
  • Navigate to Distributed Firewall (2)
  • Choose the Ethernet tab (3) to view category-specific rules.

3.2.2. Emergency – For emergency situations, you can employ temporary firewall rules.

Within the same Distributed Firewall location, choose the Emergency tab (1).

3.2.3. Infrastructure – On the Infrastructure tab, you can review non-application firewall rules like vCenter, ESXi, DNS, Active Directory and so on.

  • Choose the Infrastructure tab (1).
  • Apply the filter. Click on Basic Detail(2) , ans Select Rule Name NSXSecops-DNS-Allow(3) and click on Apply.
  • Observe here that traffic is allowed for shared services—that is, NTP and DNS to the Production group—for respective context profiles.

3.2.4. Environment – In the Environment tab, you can manage high-level policy groupings like eliminating communication for test and production environments.These policy groupings can allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.

  • Choose the Environment tab (1).
  • Observe that traffic here is micro-segmented for multiple environments—such as Production, Development and DMZ—that consist of various groups like VDI_Contractors, VDI_Employees and so on.

3.2.5. Application – In this tab, you can apply Application policy rules between tiers. The priority to apply rules is from top-down and left to right. Meaning, if you write a rule in Infrastructure, it has priority over a rule in Application. So, you need to place the most fundamental rules at the top of the list.

  • Choose the Application tab (1).
  • Observe that distributed firewall rules are applied here for tiers serving multiple applications. By setting these rules, you can achieve app isolation as well as define inter-application tiers communication such as App to DB , Users to User Db and services like MongoDB and so on.

As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.

To complement this security approach, you can use VMware Log Insight to help  build an infrastructure-related rule base. VMware Log Insight helps you preserve your logs and gain better visibility of what’s going on in your environment. Find out more in the next section.

Section 4: VMware Aria Operations for Logs

4.1 Inspecting Security Log

Using VMware Aria Operations for logs, you can view the security flow logs of the NSX Data Center 4.1 environment.  The following security features support flow logging:

  • DFW micro-segmentation rules
  • Ransomware attacks

All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to syslog server, which is configured for VMware Aria Operations for logs. VMware Aria Operations for logs will then process the logs to provide further log management, analysis, and display them by using NSX Security content pack.

Navigate to the Log Insight dashboards.

  • Click the Log Insight icon (vRLI-Demo) from the desktop for auto sign-on (Active Directory login: demo1_nsxsecop).
  • Click General Overview  (1) -> Overview to view all security KPIs captured.

VMware Aria Operations for logs with NSX Operations content pack provides the collection, consolidation and correlation of NSX log data. This content pack provides dashboards with information of distributed firewall, IDS/IPS rules, audit information and errors. NSX Security dashboard sort information based on user defined time intervals and the data is presented graphically for NSX admins to view the issues.


VMware NSX Advanced Threat Prevention helps make it easier to protect your organization from ransomware. With just a few clicks, you can enable NSX features that detect and prevent malicious files from moving through North-South and East-West traffic on your gateway firewall. NSX Network Detection and Response collects traffic to uncover all threat movements, correlating and visualizing the complete campaign blueprint. Equipped with a detailed threat timeline across your network, your security teams can determine the scope of an attack and prioritize resources. By unlocking the highest possible fidelity insights, you're able to face the most challenging threats.

We hope you've enjoyed walking through NSX 4.1 Security in this TestDrive lab. Please stay tuned for future labs to learn more.

Previous Article VMware NSX Advanced Load Balancer (Avi Networks) - Quickstart
Next Article NSX 4.1 Advanced Security Lab Walkthrough