Centralized Policy Management with NSX+: In this session, you will be able to manage networking and security policies centrally across all their clouds. NSX+ provides consistent networking and security controls and policies across Multi-Site and multi-region deployments.

NSX+ Policy Management also comes with built-in networking and security operations and troubleshooting. In this demo, we will illustrate how you can use NSX+ Policy Management to seamlessly scale a CRM application from On-Premise site LM-Dallas to a LM-Paris instance. We have on-boarded two sites (LM-Dallas, LM-Paris) to NSX+. The DB workload of CRM application has to be scaled to LM-Paris site for enhancing application performance and scalability. With NSX+ Policy Management we will apply consistent Security Policies across cloud through centralized cloud console.

For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or making any change to license or subscription that could potentially disrupt this shared NSX+ lab environment.

ACME Corporation operates its PROD-CRM application across two sites: the primary site located at their headquarters in LM-Dallas, the secondary site situated in LM-Paris. To ensure consistency and keep the CRM databases up to date across both locations, ACME’s team has a plan to scale the CRM database to LM-Paris site to enhance the service availability across clouds.

By leveraging NSX+, ACME Corporation now can easily achieve goal to simplify cloud consumption with high availability, consistency, and security for their application across both their Dallas and Paris sites.

The following lab flow will walk you through how to navigate this scenario using the Capabilities of NSX+ Policy Management.

• We've created two inventory groups: one for the Web group and the other for the DB group. The Web VM's in Dallas site are members of  Web Group, while the DB VM's in the Paris site belong to the DB Group.
• Click on Security (1) and Click on Groups (2) under Inventory.
• Review the NSX+ Groups, Web Group and DB Group. Click on "View Members" to review the "Effective Members" and "Group Definition".
• The inventory groups we set up will be included in the Distributed Firewall Rules that we have configured for the CRM application.

• After creating networking and inventory groups, the next step is to enhance the security of the CRM application VM's. To achieve this, we have implemented the Global Distributed Firewall policies across two sites.
• Click on Distributed Firewall (1) under Policy Management to view the Global policies configured under "APPLICATION".
• We have configured the Distributed Firewall Rules to micro-segment the Two-Tier application.
• "Allow Web rule" permits the HTTP connections from any source to Web VMs in On-Premise (LM-Dallas).
• "Allow Web to DB" rule permits traffic from Web server in LM-Dallas to the Database server in LM-Paris.

• NSX+ offers the ability to use Distributed IDS/IPS functionality across sites while creating IDS/IPS policies in a single pane of glass.
• Click (1) on IDS/IPS . Change the timeline to Last 7 days(2).

ACME Corp has several applications in multiple cloud environments and has various departments. They aim to create a multi tenancy where each department's application Virtual Machines  run in isolated environments. Additionally, ACME Corp wants the application owners to have the ability to add their own subnets and security policies for their application.

To address this challenge, we can leverage NSX+ VPC. NSX+ VPC's operate under Projects. A project in NSX+ is similar to a tenant. By creating projects, we can isolate security and networking objects across tenants in a single NSX deployment. Project Admins can assign access to the projects for Application owners. Application owners can add the subnets inside the VPC and configure security policies for their workloads. The security policies impact only the workloads within the NSX+VPC and not outside the NSX+ VPC.

To set up a VPC in NSX+, you need to follow a series of steps. Here are the main steps, and we will go into detail on each step in the following sections.

• Enterprise Admin : Creates project called Project01-Finance  in NSX+. Assigns Project Admin roles to users.
• Project Admin : Adds NSX+ VPC, VPC1-Finance inside a project and defines VPC settings, such as IP assignment, DHCP configuration, edge cluster and so on.
• Project Admin : Assigns roles to users in the NSX+ VPC.
• Project Admin: Defines quota or limits for the number of objects that users can create within the NSX+ VPC.
• VPC Admin or Network Admin: Adds subnets in the NSX+ VPC. Connects workloads to these subnets based on business requirements.
• VPC Admin or Security Admin: Adds security policies in the NSX+ VPC to meet the security requirements of the workloads that are connected to the subnets in the VPC.

NSX+ projects are similar to tenants. By creating projects, you can isolate security and networking objects across tenants in a single NSX+ deployment. By creating a project called Project01-Finance , ACME corp can isolate the networking and security configurations from its other departments.

• Click on default--ACME_instance(1).
• We have created two projects called VPC-Site2-ACME-Fitness-Application and Project01-Finance.
• Click on MANAGE(2).

• Expand(1) Project01-Finance to review the project configuration. Observe the each highlighted RED box to see the the config required to create a new NSX+ project.
• Sites: The project Project01-Finance has been created for the LM-Dallas site. The Tier-0 Gateway, Edge cluster, and External IPv4 blocks are all associated with the LM-Dallas site.
• The associated Tier-0 Gateway T0-GW-Dallas-01 that the workloads in the project can use for north-south connectivity. you can select multiple gateways if required, If no gateway is selected the workloads in the project will not have north-south connectivity.
• An Edge Cluster is selected to associate with this project. These edge clusters can be consumed inside the project for running centralized services like NAT, Gateway Firewall and DHCP.
• External IPv4 Blocks are available to add public subnets in the NSX+ VPC's within the project.The system will assign CIDR blocks to the public subnets in the NSX+ VPCs from these external IPv4 blocks. VPC users can also use the external IP blocks for adding NAT rules in the NSX+ VPCs.
• Click on close(2).

In this lab workflow, we've created a VPC using the Enterprise Admin. Once a project is set up, users can be designated as Project Admins, and these Project Admins have the privilege to create NSX+ VPCs.

• NSX+ VPC provides an isolated space for application owners to host applications and consume networking and security objects by using a self service consumption model.
• We have created NSX+ VPC (VPC1-Finance) with Enterprise Admin.

• Click(1) on drop down next to default--ACME_instance.
• Click on Project01-Finance(2) to navigate to the project. you will be navigated from default view  to Project view.

• A subset of NSX+ networking features are available in the projects view.
• Click on VPCs(1) to navigate to the VPCs section.

• We have created a VPC called VPC1-Finance under project Project01-Finance. Expand(1) the VPC to review the configuration.
• Sites: The VPC VPC1-Finance has been created for the LM-Dallas site.
• IP Assignment settings:  The External IPV4 blocks filed, Select the IPv4 blocks that the system can use for public subnets in the NSX VPC. The external IP blocks that are assigned to the project are available for selection in the NSX+ VPC. These IPv4 blocks must be routable from outside the NSX+ VPC.
• The Private IPv4 Blocks field, select the IPv4 blocks that the system can use for private subnets in this NSX+ VPC. The IPv4 blocks that are added in the project with visibility set to Private are available for selection in the NSX+ VPC
• Service Settings: By default "N-S Services" and "Default Outbound" NAT are turned on. This option is only available when N-S services option is turned on for the NSX+ VPC.

When an NSX+ VPC is created successfully, the system implicitly creates a gateway. However, this implicit gateway is exposed to the Project Admin in a read-only mode and is not visible to the NSX+ VPC users.

In the following section, you'll explore NSX+ Intelligence, that offers in-depth visibility into applications behavior across cloud environments. This part of the guide will walk you through the steps of examining virtual machine traffic patterns and implementing NSX+ Intelligence's rule recommendations to automatically create micro-segmentation for your applications.

This is easy, no need to install any big data analytic component on the new site as our NSX+ Intelligence is now running as SaaS like the other NSX+ services. This gives ACME a unified view of Applications and flows into a Central dashboard.  

Data stream between the On-Premise location and NSX+ Intelligence instance is highly optimized, while we discover applications and see every packet, we only send a digest of the essential information that is required to be tracked, so it’s not a massive amount of data.

The ACME Networking Team wants to focus on the new ACME App first, as it needs to be integrated. So, let’s search for it within the NSX+ Intelligence discovered Apps and Flows.

We see the ACME Application Topology. We have a problem many of the flows are unprotected, you can recognize them from the red dotted lines. This mean no policy to explicit allow or block these flows is implemented yet. This is now easy to fix with NSX+ Rule Recommendation.

Let’s start a new policy recommendation through NSX+ Intelligence. The impact on Our ACME app is immediately visible. Now the Security posture is corrected and the Application is fully protected, blocking non-legitimate transactions within the Chicago site and across sites.  

Security admin detected an unusual command-and-control atomic event in Web server running in Virginia. By leveraging the NSX+ NDR campaign view the admin has observed that we have detected and correlated more than a C and C activity across the environment. The attacker has laterally moved from ACME_Web to ACME_DB in Virginia and followed by the lateral movement to Database in Dallas. From Site Dallas, the attacker has dropped a Malware in PROD-CRM-DB running in Dallas and finally ex-filtrated data from the primary Database.

Mitre ATT&CK stands for  Adversarial Tactics, Techniques, and Common Knowledge. The  ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target. With VMware NSX+ NDR, we fully applied  Mitre ATT&CK into our solution. The Threat Actors start moving laterally and attempt to reach the CRM database in SDDC Paris to exfiltrate data and deploy ransomware.  

The ACME SoC team can Triage the Campaigns based on the Severity and impact to our applications.

The CRM App Database needs to be protected because of the sensitive sales data it contains. We see here an attempt to exfiltrate data from the CRM database.  

The ACME SoC Team can also analyze the IDS/IPS logs and alarms across sites to construct a timeline of the attack and root-cause the initial event.

In this case one key event was the exploit of a vulnerability that allowed for remote Code Execution on the Chicago site. The ACME security Team can now remediate quickly turning the specific IDS signature in blocking mode on all the vulnerable servers and prevent further exploit attempts.

Threat actors lurk undetected for over 9 months, using your binaries, ports, and protocols to target users and applications to ransom data. This is the end state without visibility…

With VMware, you have visibility into every packet, process and application across the entire ransomware attack chain, from the workloads, through the networks, to recovery. Let me show you how we see it.

Correlated campaigns provide timelines of the threat actors attack chain. NSX + NDR has network visibility into the initial access, a drive-by download on the Developers VDI of ACME app.

However, once in, threat actors leverage your internal network and live off your protocols. The Threat Actor discovers the Bastian host and takes a few hops laterally, across sites, landing on the Order/Checkout workload.

NSX can detect lateral movement across the same cluster or across multiple sites without the need to span or hairpin traffic.   A top protocol for threat actors’ lateral movement is remote desktop protocol (RDP).  Through RDP from the Paris, the threat actor logged in, just like an administrator, to the DB in LM-Dallas and LM-Paris. Once there, they enumerate,  finding a remote code execution vulnerability they exploit the production ACME payment workload, gains root access. This enables the installation of ransomware and ransomware command and control communications. Ransom of data is the goal.  

NSX+ NDR has visibility of the lateral exploit and the and the threat actors communications. There is no silver bullet in security. A strong ransomware defense includes detection, prevention and recovery measures.

To summarize NSX+ NDR: the goal is using NSX+ NDR to prevent lateral movement, the solution includes push-button VM network isolation capabilities based on NSX.  This prevents reinfection of the production environment and helps expose dormant ransomware.