
NSX 4.1 Advanced Security Lab Walkthrough


About NSX 4.1 Advanced Security Lab (NSX Intelligence, NTA, DFW, IDPS, Gateway Firewall)

Your enterprise can now deploy VMware NSX Security as a standalone security product in an existing environment with no changes to your network. NSX provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. NSX makes it easier for you to enable Zero Trust application access across multi-cloud environments, so you can secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale.

In this NSX Advanced Security Lab, you'll get hands-on experience with NSX Advanced Threat Prevention features such as Network Traffic Analysis, NSX Intelligence, Malware Prevention, Network Detection and Response, Intrusion Detection and Prevention System, DFW micro-segmentation, and more. This lab is intended for intermediate to advanced-level users exploring VMware NSX security use cases, helping you to explore security concepts and plan with NSX 4.1.

Section 1: Lab Access

1.1 Access to the Lab

To log in to the environment, perform the following steps:

  • First, open a web browser of your choice (Incognito mode recommended) and navigate to vmtestdrive.com. Select LOG IN.
  • If you are signing in for the first time and don't have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account. See this guide.
  • Enter your TestDrive Username and Password and select ENTER.
  • Locate the VMware NSX Security product under the Intrinsic Security tab and click Launch. Make sure that you open the NSX 4.1 Security Lab guide in a separate tab and refer to it as you go.

Note: If the session has been idle for a long time or gets disconnected, log out from the upper-right corner and log in again to launch a new Horizon desktop, or switch to an Incognito browser window instead of a regular Chrome/Firefox window.

  • Click LAUNCH.
  • A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
  • Note: Please provide the short username (not your email ID) and password to log in.
  • Click on the Apps section, search for the NSX Security desktop and launch it.
  • You are now on the NSX Security desktop. At this point you can begin the walk-through steps listed in the next section.

1.2 Access NSX Manager

The console is accessed through a supported web browser (Chrome). Log in to NSX Manager:

  • Click on the NSX-MGR Auto-logon shortcut on the Desktop. The shortcut opens the NSX URL: https://nsx-mgr.vmwdp.com/
  • Username/Password: Sign-in is automated, so please don't touch the keyboard or mouse during the 15-second process. If you do, close all Chrome windows and reopen the link.
  • If you prefer to log in manually, click on the NSX-MGR icon inside the Lab Access folder. The username and password are available in the Lab-Credentials file on the Desktop.

1.3 Advanced Lab Topology for Ransomware Protection

In the lab, to simulate an enterprise environment, the following VMs have been deployed: a VDI desktop, an application server and a production database server. These three VMs are connected to NSX overlay segments.

A supplementary VM has been deployed to play the role of the attacker, an external resource from which the attacks are initiated. This VM is attached to a VLAN-type port group on a virtual distributed switch. The agents' operating system (OS) types and roles are as follows:

Agents              OS      Role      Location
Main-attacker-NK-1  Ubuntu  Attacker  External
VDI-02              Ubuntu  Victim    Internal
Acme-App01          Ubuntu  Victim    Internal
Acme-DB-1           Ubuntu  Victim    Internal

NSX Ransomware Lab Topology

1.4 Lateral Security Is the New Battleground with NSX Security

The goal of the NSX Security stack is to provide visibility and enforcement across the attack chain for any workload form factor across multiple clouds. The Distributed Firewall is in essence an L2 to L7 firewall that is transparently applied to the network interface of a workload: VMs of course, but also containers and physical bare-metal servers. This enables customers to implement any level of segmentation without needing to make network changes, for example isolating production from development workloads, or micro-segmenting a multi-tier application. NSX Advanced Threat Prevention consists of IDS/IPS, Malware Prevention, Network Traffic Analysis and Network Detection and Response. NSX Intelligence provides complete East-West flow visibility and automated firewall rule recommendations. For North-South protection, NSX Gateway Firewall is a software-only, layer 2-7 firewall that enables you to achieve consistent network security coverage and unified management for all of your workloads, regardless of whether they're running on physical servers, in a private or public cloud environment, or in containers.

Section 2: Protect East-West Lateral Security with NSX Intelligence and NSX NDR

2.1 Protecting East-West Lateral Security

Protecting East-West lateral security is a crucial aspect of network security. NSX Intelligence provides visibility into network traffic, detects anomalies, and identifies potential threats. It leverages machine learning to create a baseline of normal behavior and then compares it to current activity to detect any deviations. NSX NDR monitors network traffic, analyzes it in real-time, and uses behavioral analysis to detect and respond to threats. It also provides continuous monitoring of network activity, detects lateral movement of threats, and provides automated responses to mitigate them. Together, NSX Intelligence and NSX NDR provide a comprehensive approach to East-West lateral security, enabling organizations to quickly detect and respond to threats, minimizing the risk of a breach, and maintaining the integrity of their networks.

2.2 Mitigating Attacks with NSX Advanced Security (Intelligence , NTA , Sandbox)

The NSX Intelligence and ATP (Advanced Threat Prevention) are two powerful features that can be used to enhance network security. NSX Intelligence is a comprehensive security solution that provides visibility and context to security teams, enabling them to quickly identify and respond to security threats. ATP, on the other hand, is a set of advanced security features that can detect and prevent sophisticated attacks such as malware, ransomware, and phishing. By combining the capabilities of NSX Intelligence and ATP, network security teams can detect, isolate, and remediate security threats before they cause any significant damage.

To identify and resolve the attack scenario in this lab, you will use these features across five primary steps.

2.3 Attack Story

The lab has the NSX Advanced Threat Prevention security features set to detect mode, enabling us to monitor the entire multi-stage malware attack chain, from initial access and execution to lateral movement and exfiltration of data.

NSX Intelligence identified network activity with a high impact score, which was the initial detection of the malicious event. The attacker infected an employee's VDI desktop (VDI-02) using the Magnitude Exploit Kit, then moved laterally through the network, dropping the Cryptowall ransomware executable on the VDI desktop and continuing to move laterally to the application server and the production database server (ACME-DB01). Finally, the attacker exfiltrated confidential data from the database server.

The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX Advanced Threat Prevention.

Note: The attack simulations are generated automatically in this lab, so you can start investigating the threat events directly.

Section 3: Application and Network Traffic Visibility with NSX Intelligence & NTA

3.1 Investigate - NSX Intelligence Traffic Visibility

The console is accessed through a supported web browser (Chrome). Log in to NSX Manager:

  • Click on the NSX-MGR Auto Logon shortcut on the Desktop. The shortcut opens the NSX URL: https://nsx-mgr.vmwdp.com/
  • Username/Password: Sign-in is automated, so please don't touch the keyboard or mouse during the 15-second process. If you do, close all Chrome windows and reopen the link.
  • If you prefer to log in manually, click on the NSX icon inside the Lab Access folder and enter the username and password below.
  • Username: demo1_nsxsecop / Password: VMware1!VMware1!

1. Your first step will be to inspect the application traffic flow in NSX Intelligence.

Click on Plan & Troubleshoot (1). The Plan & Troubleshoot page shows a high-level overview of existing workload groups and the flows between them. Green lines indicate flows that match an existing segmentation policy in NSX, while red dotted lines indicate unprotected flows.

  • Click on the filter (2) to select the computers that make up the acme multi-tier application:

    VDI-02, acme-web01, acme-app01, acme-cart, acme-db01, acme-db02, acme-users. Click on Apply (3).

  • Change the timeline from NOW to Last 2 Weeks (4) as highlighted in the above image.

2. Click on Apply filter and, under Suspicious Traffic, select Impact Score (1).

3. Apply an additional filter to review the Suspicious Traffic flows with a higher Impact Score.

  • Click on Apply filter. Scroll down to the Suspicious Traffic section.
  • Select Impact Score as an option. In the Custom Range prompt, set Min = 64 and Max = 100 (2). Click on Apply (3).

3.2 Investigate - Suspicious Traffic & Initial Access

1. Some workloads are marked with an exclamation mark. This indicates that a threat affecting those workloads has been detected. Review the threat events for an individual virtual machine.

  • Right click on the VM acme-db01 and select Suspicious Network Activities.

2. Find the event with Impact Score 65 (1) under Threat Detection. Expand the event by clicking the > button next to it. Review the suspicious activity.

  • Observe the event: Command and Control Domain Generation Algorithm (DGA).
  • DGAs are pseudo-random generators that construct a random sequence of characters used to form domain names. DGAs provide malware with new domains in order to evade security countermeasures.
  • It is an anomaly in the DNS lookups performed by an internal host. The campaign highlighted in the event details indicates that this is not an individual detection; instead there are multiple events across multiple assets.

NSX Advanced Threat Prevention leverages enhanced NetFlow data and layer 7 flow information to build a baseline of what is normal for every workload, and then uses both unsupervised machine learning and supervised machine learning with threat-centric models to identify deviations from normal that are security relevant.

The detection with the highest score here is the case in which we detected the use of a domain generation algorithm.
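As an added example (not part of the TestDrive lab and not NSX's own detector), the check below scores DNS query names with the kind of lexical features a DGA detector relies on, namely character entropy, vowel ratio and consonant runs, and counts DGA-like lookups per source host over a constructed set of DNS log entries that reuse the lab's host names; the log format and the thresholds are assumptions for this example.

```python
"""Toy DGA lookup detector over DNS query logs (added example, not NSX code)."""
import math
import re
from collections import Counter

# Constructed sample of DNS query log entries: (source host, queried name).
# "vdi-02" is the lab's victim desktop; the random-looking names are made up.
SAMPLE_DNS_LOG = [
    ("vdi-02", "www.vmware.com"),
    ("vdi-02", "updates.ubuntu.com"),
    ("vdi-02", "login.microsoftonline.com"),   # long and high-entropy but legitimate
    ("vdi-02", "qzkxwvbtpdlrmgn.com"),
    ("vdi-02", "xkjqpwzvbnmtrlh.net"),
    ("vdi-02", "lmvqzxkpwjrtbnd.org"),
    ("vdi-02", "pzqwkvjxbtmnlrd.info"),
    ("acme-db01", "acme-app01.acme.local"),
    ("acme-db01", "ntp.ubuntu.com"),
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name: str) -> str:
    """Second-level label of a query name, e.g. 'vmware' for 'www.vmware.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(name: str) -> dict:
    """Lexical features of the registrable label that DGA names tend to skew."""
    label = registrable_label(name)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "max_consonant_run": longest_run,
    }


def looks_dga(name: str) -> bool:
    """Assumed thresholds: long, high-entropy labels that are also unpronounceable.
    Entropy alone is not enough (see login.microsoftonline.com in the sample)."""
    f = dga_features(name)
    unpronounceable = f["vowel_ratio"] < 0.2 or f["max_consonant_run"] >= 5
    return f["length"] >= 10 and f["entropy"] >= 3.3 and unpronounceable


def flag_hosts(log, min_suspicious: int = 3) -> dict:
    """Count DGA-like lookups per source host and return hosts at or above the threshold.
    A burst of such lookups from one host is the anomaly the lab attributes to VDI-02."""
    per_host = Counter(host for host, qname in log if looks_dga(qname))
    return {host: count for host, count in per_host.items() if count >= min_suspicious}


if __name__ == "__main__":
    for host, count in flag_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {count} DGA-like lookups")
```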

Click on the campaign link (2) available in this event. It redirects to the NSX Network Detection and Response (NDR) window. We will learn more about NDR in the following sections.

Section 4: Cryptowall protection with NSX Security MITRE ATT&CK Framework

4.1 Investigate - Network Detection and Response Campaign Overview

The next step is to inspect the NSX Network Detection and Response (NDR) campaign. NSX NDR identifies threat movements at your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and a detailed threat timeline.

A campaign is a correlated set of incidents that affect one or more workloads over a period of time. It provides visibility into the entire attack cycle, with the list of compromised hosts and the threats detected, along with a timeline of the attacks.

Let's start the investigation of the attack from the NDR console, to review the threat events.

1. You can now observe that we have detected and correlated more than just the DGA anomaly on the acme database workload. We have detected malicious file downloads on three different workloads and a series of other threat events. The various incidents are classified according to the different phases of the MITRE ATT&CK framework.

2. Under the Campaign, you'll find details and an interactive graphical blueprint for that campaign.

  • View the THREATS widget (1) for the current threats that NSX NDR has detected. The severity of each threat is color-coded: Red for High, Yellow for Medium, and Blue for Low.
  • View the HOSTS widget (2) to see the hosts currently affected. Severity is color-coded the same way as for threats. Note: In this context a host is any device with an IP address, not a hypervisor.
  • View the Attack Stages widget (top right) to find the current campaign's attack stages mapped to the MITRE ATT&CK framework. Hover the mouse over each attack stage to view its detailed information.

3. View the Campaign blueprint widget for an interactive graphical representation of the campaign.

  • The NDR campaign blueprint maps each threat detection along with its techniques, for a better understanding of the key events in the campaign.
  • Drag the icons with your mouse to match the placement of the icons suggested above.

4. The Hosts tab (1) displays a list of affected hosts with threat information, so you can observe the latest activity for each attack stage.

4.2 Investigate - Exploitation and Command & Control

1. The Timeline view shows the threats detected by NSX Network Detection and Response as threat cards.

  • Click Timeline (1). Each threat card under the timeline has a host that is connected to a threat, a calculated threat score, the threat name, class and other actions.
  • Select Sort by Earliest (by start time) (2) to arrange the threat cards in the sequence of the attacks along their timeline.
  • Observe on each threat card the timeline, the event date and time, and the IP address.
  • Expand the icon to view the related evidence summary for the threat, as shown in the following table. To better understand the threat, note the evidence of the malware identified and the overview of how the malware behaved.

2. Expand the Magnitude EK (1). Magnitude exploits various Java and Adobe Flash vulnerabilities to compromise the victim's computer in order to install malware. This was also detected from the VDI desktop.

Click on Network Interactions and the Network IOCs IP address (3) to get additional context. We can also click on the detector, in this case an IDPS signature (2), to learn more about this detection.

Click on the IP address of the affected workload. We can see that it is associated with the VDI-02 desktop.

3. Expand the Malicious File Download event and click on the file name to get additional context. You can see that this file has been identified as containing the Cryptowall ransomware and has performed suspicious geo-location queries.

Cryptowall is ransomware that encrypts files on an infected computer and demands a ransom in exchange for a decryption key. Cryptowall is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.

Click on the Analyst Report to find more details.

4. You can see some of the key characteristics observed when this file was dynamically analyzed in our sandbox. Click on Close to go back to the timeline view.

5. The above events were detected sequentially on the VDI desktop, where the attacker attempted the initial exploitation into the environment.

6. Expand Cryptowall (1) and DGA Activity (2) to see that we observed command and control activity associated with Cryptowall; this was also detected by means of an IDPS signature.

4.3 Investigate - Lateral Movement and Data Exfiltration

After gaining initial access, attackers use lateral movement to gain access to additional systems, escalate privileges and exfiltrate sensitive data. Let's review the lateral movement and data exfiltration events detected by NDR.

1. Expand Anomalous Psexec Interaction (1), which was followed by the detection of an anomalous interaction between our VDI desktop and another workload in our environment.

This activity was mapped to the lateral movement technique of the MITRE ATT&CK framework and was used by the malicious actor to pivot the attack from the VDI desktop to the target workload with the IP address of the Acme-App-01 VM.

2. Expand the DGA Activity. We have detected the domain generation algorithm anomaly that we looked at earlier from the discovery and planning view in NSX. This is the atomic event from which we started our investigation. It indicates that suspicious domains used by malware were being looked up from our infected machine.

Click on Anomaly dga to find more details. These domains were identified using anomaly detection techniques that characterize domain and resolution patterns typical of malware using domain generation algorithms.

3. Expand Empire Agent and you will see that, around the same time, by means of an IDPS detector we identified network activity related to the Empire agent on the compromised acme-app01 workload.

Empire is a post-exploitation framework offering a wide array of modules. It can be used to perform a variety of malicious activities on a compromised host. This was followed by the download of the same malicious file containing Cryptowall on the acme-app01 workload.

4. In the next phase of the attack, the attacker used Windows remote task scheduling to pivot the attack once more and target another workload in our environment, the production database VM. Click on the Expand icon to find more details. Around the same time we observed an attempt at credential harvesting using Kerberos ticket granting tickets, initiated from the acme-app01 VM to the acme-db workload. On that workload we saw additional remote task scheduling, followed by the same domain generation algorithm, Empire agent and Cryptowall detections.

5. Scroll down to see that the same set of command and control activities were detected on the acme-db01 VM. Finally, we detected the use of DNSCAT on the network, indicating exfiltration of data from the production acme-db workload. This was confirmed by means of three distinct IDPS signatures. Having analyzed the campaign and reviewed all the intrusion events, we can now review the IDS/IPS and DFW rules to reduce the attack surface and mitigate the risk of intrusions in the production environment.

Navigate back to NSX Manager. We will proceed to learn about NSX Intelligence micro-segmentation rule recommendations.

Section 5: Micro-segmentation with NSX Intelligence Rule Recommendations

Micro-segmentation with NSX Intelligence is a security technique that divides a network into secure segments. This is achieved by creating logical boundaries within the network, which can then be assigned different security policies. This allows for granular control over the flow of traffic within the network, making it more difficult for attackers to move laterally and access sensitive data.

One key feature of NSX Intelligence is its ability to provide recommendations for micro-segmentation policies based on network traffic data. This is done by analyzing traffic patterns and identifying potential security risks, such as unsecured communication between devices or the presence of malicious traffic. The system then uses this information to recommend specific micro-segmentation policies that can be implemented to mitigate those risks.

This feature is useful because it automates the process of configuring micro-segmentation policies, which can be a time-consuming and complex task. It also allows for more dynamic and adaptive security, as the system can automatically adjust policies as network traffic and security risks change. Additionally, it can help organizations to identify possible vulnerabilities on their network and allow them to take actions to minimize the risk of data breaches.

In this section we will generate an automatic recommendation of DFW rules for East-West traffic for ACME application Virtual Machines.

acme-web01 --> acme-app01 -->  acme-db01

1. Click on Plan & Troubleshoot and select Recommendations from the left panel.

2. Expand the Recommendation rule for observing its entities.

You can see that we have run the recommendation wizard to come up with the set of rules required for application communication. Beyond reducing the attack surface by implementing segmentation and micro-segmentation policies, we can also prevent the download and transfer of malware as well as exploit and other threat-related network traffic.

3. Click on Security from the main tab and select Distributed Firewall from the left panel. In order to protect our workloads we have created multiple segmentation policies. We will review the App Connectivity Strategy created by NSX Intelligence.

4. Expand the policy named Prod_acme. The App Connectivity Strategy shows that the DFW policy was published by the NSX Intelligence rule recommendation. The rules are applied dynamically by analyzing the traffic patterns between the application servers.

  • Web to App communication allowed on port 8080.
  • Cart service to application service configured on Oracle DB
  • Users to UserDB allowed service is Mongo DB.

In conclusion, NSX Intelligence is a powerful security feature of VMware NSX that provides advanced capabilities such as micro-segmentation, Firewall, and intrusion detection and prevention. One of its key features is the ability to provide automated recommendations for micro-segmentation policies based on network traffic data. This feature allows organizations to quickly and easily configure micro-segmentation policies, which can otherwise be a complex and time-consuming task. Additionally, it enables a more dynamic and adaptive security approach, as the system can automatically adjust policies as network traffic and security risks change. With this feature, organizations can enhance their network security and reduce the risk of data breaches, making it an important tool for any organization looking to protect its sensitive data.

Section 6: NSX Gateway Firewall

NSX Gateway Firewall is a security feature of VMware NSX that provides network-level Firewall capabilities for virtualized environments. It allows organizations to enforce security policies at the edge of their virtual networks, helping to protect against external threats and unauthorized access. It is integrated with other security features of NSX, such as microsegmentation and intrusion detection and prevention, to provide a comprehensive security solution for virtualized environments.

The Firewall uses a stateful inspection model, which means it tracks the state of network connections and can make intelligent decisions about whether to allow or block traffic based on that information. The Firewall also provides advanced features such as Application Recognition, which allows for granular control over the types of traffic that are allowed to pass through the Firewall, and User-ID, which allows for policies to be applied based on the identity of the user or device. These capabilities allow organizations to secure their virtual networks and protect against a wide range of security threats.

6.1 Attack Story

Network Topology Diagram

  • Click on Networking (1) and select Network Topology (2).
  • Click on Apply filter (3), select Segment Name and mark the segments as shown in the above image.
  • Click on Security (1), and select Gateway Firewall (2) under Policy Management.
  • In Gateway Firewall, click on Gateway Specific Rules (3) and select the gateway NSXSecOps-T1-Prod | Tier-1 (4).
  • Expand the NSXSecOps-T1-Prod | Tier-1 GATEWAY to view the rules and click on Statistics (5) to see the rule hit statistics.

1. The T1 gateways T1_Production and T1_VDI are activated with the IDS/IPS and Malware Prevention features for North-South traffic.

In this demo we will observe how malware file download events on virtual machines are detected and prevented in the environment.

The firewall uses sandboxing techniques to analyze traffic and detect malware. Sandboxing allows the firewall to run suspicious traffic in a controlled environment, where it can be observed and analyzed for malicious behavior.

2. We will Activate IDS/IPS and Malware Prevention features on the T1 Gateways for North South Traffic.

  • Click on Security and Select IDS/IPS & Malware Prevention under Policy Management.
  • Click on Settings and Scroll to the end to see the available settings.

3. We can see that the T1_VDI and T1_Production T1 gateways are activated with the IDS/IPS and Malware Prevention features.

4. Once the features are activated on a T1 gateway, gateway-specific rules have to be configured with security profiles for malware detection and prevention.

  • Click on Gateway Rules and select Gateway Specific Rules.
  • Click on the drop-down and select the gateway T1_VDI.
  • A policy has been added for the gateway with the Default Malware Profile. For demo purposes the mode is configured as Detect Only. It can be changed to Detect & Prevent to block the malware traffic.

5. To review the Malware Prevention alerts detected by the NSX Gateway Firewall:

  • Click on Security (1).
  • Navigate to Malware Prevention (2) under the Threat Detection & Response section.
  • Change the timeline to Last 14 days (3).
  • Expand the malware with the crytodef malware family. Click on Total Inspections (4) to see the detections on the Gateway Firewall.

Malicious events are captured by the Gateway Firewall. At this point we can see the event verdict, the source server and the destination client where the malware was downloaded. Click on Close (1) after reviewing the events.

The NSX Gateway Firewall is an essential tool for any organization looking to protect its virtualized environments and sensitive data. It provides a comprehensive security solution that can be tailored to the unique needs of the organization, securing virtual networks at the perimeter and helping to protect against a wide range of security threats.

Section 7: VMware Aria Operations for Logs for NSX

7.1 Inspecting Security Log

Using VMware vRealize Log Insight, you can view the security flow logs of the NSX Data Center 4.1 environment. The following security features support flow logging:

  • DFW micro-segmentation rules
  • IDS/IPS
  • Ransomware attacks

All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to syslog server, which is configured for VMware vRealize Log Insight. VMware vRealize Log Insight will then process the logs to provide further log management, analysis, and display them by using NSX Security content pack.

Navigate to the Log Insight dashboards.

  • Click the Log Insight icon (vRLI-Demo) on the desktop for auto sign-on (Active Directory login: demo1_nsxsecop).
  • Click NSX Dashboards (1) -> Overview to view all the security KPIs captured.
  • Select 2/1/2022 to the current date as the time range and hit Refresh to update the data:

Now you can view insights over this timeframe by selecting the respective dashboards in the left navigation pane.

1. NSX Security dashboard, including security audit logs:

2. NSX Micro-segmentation dashboard:

3. NSX DFW Firewall rules dashboard:

4. NSX IDPS dashboard:

Conclusion

This NSX Advanced Security Lab walks us through advanced ransomware protection on the journey of scaling in production. We started with NSX Intelligence to see full application and network traffic visibility (Day 1 Ops), then showed how we can easily apply NSX DFW rule recommendations and IDPS for full micro-segmentation, thus protecting East-West traffic (Day 2 Ops), and then brought in the latest NSX ATP (Advanced Threat Prevention) technologies (NTA, NDR, Sandboxing) along with the NSX plugin for Aria Operations for Logs to strengthen ransomware protection running across clouds. We finished the lab with full North-South protection with NSX Gateway Firewall.

We hope you've enjoyed walking through NSX 4.1 Security in this Test Drive lab. Please stay tuned for future labs to learn more.
