To login to the environment, perform the following steps:

• First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN. 
• If you are signing in for the first time and do not have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account. See this guide.

• Enter your TestDrive Username and Password and select ENTER.

• Click on Intrinsic Security. Locate the VMware NSX+ Advanced Lab and click Launch. 

*In case of long idle or disconnected session, please log-out from the upper-right corner and re-login to Launch a new Horizon desktop or switch to Incognito browser instead of Chrome/Firefox. 

• A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
• Note: Please provide the short username (not your email ID) and password to login.

• Click on Apps(1) section and search for the NSX+ Advanced(2) desktop and launch the desktop(3).

NSX+ Advanced desktop is loaded. At this point you can begin the walk-through steps listed in the next section.

• Click on Lab guide Chrome icon (1) before opening the NSX+ console. Wait for the lab guide to fully open.
• Click on NSX+ Advanced icon(2) only after the lab guide is opened completely.

For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or making any change to license or subscription that could potentially disrupt this shared NSX+ lab environment.

The automatic login process will handle the login procedure without any need for manual intervention. Please don't press any keys until the login process is finished and you are logged into the VMware Cloud Services portal."

• Organization must be "ACME Org"(1) under the username.
• Click on "LAUNCH SERVICE" (2) to launch the NSX+ instance.

If you plan to onboard your On-Premise NSX Manager/ NSX Local Manager, make sure the following prerequisites are satisfied.

• On-Premise NSX Manager must be of version 4.1.1+
• A vSphere+ subscription
• Supported vCenter Server version is 8.0+
• Latest VMware Cloud Gateway version
• The minimum sized form factor of an NSX Manager Large node On-Premise to be onboarded on to an NSX+ instance with below subscription:

              1. NSX+ Policy Management

              2. NSX+ Intelligence

              3. NSX+ NDR

• To know how to do Onboarding your NSX Local Managers into NSX+, here is the step-by-step walkthrough (this lab will skip this step): https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx01-onboarding-nsx-demo?w=394bc

• Purchase NSX+ Subscription: VMware NSX+ is subscription-based software. No software installation is needed, and no license key is used to activate the software. You buy VMware NSX+ directly from the VMware Sales team.
• Receive an email to add NSX+ service to your organization: After buying the NSX+ service, VMware sends you a service welcome email that has a unique service activation link. Use this link and follow the on-screen prompts to apply an NSX+ subscription.
• Download, Install and Configure VMware Cloud Gateway: VMware Cloud Gateway is a secure gateway between the On-Premise NSX Local Manager and NSX+. It allows you to onboard and off-board your NSX Local Manager to NSX+ Instance.
• Launch the NSX+ Service: Assign adequate NSX+ service role based in order to work in the NSX+ UI.
• Onboard an NSX+ Instance: An NSX+ instance defines a logical grouping for the managed sites hosted in a region. Once this is defined you can onboard sites to your instance.  

ACME Corporation manages its applications across two locations: LM-NewYork and LM-London. ACME Corp CRM application is hosted in LM-NewYork. They have successfully created Distributed Firewall Rules to safeguard the CRM application in LM-NewYork, ensuring comprehensive protection for all application related traffic flows.

ACME Corp has introduced a new application, the ACME App, to its LM-London site. In this demonstration, we'll highlight how NSX+ Intelligence plays a crucial role in discovering the traffic patterns associated with this application. Furthermore, NSX+ Intelligence recommendations will be applied, demonstrating how they can be leveraged to implement automatic microsegmentation rules that secure the application's traffic flow.

• NSX+ Intelligence Dashboard offers the  Security Posture of the sites that are onboarded. It displays the percentage of unprotected flows, total number of flows, and the total external flows that were detected in last 15 minutes.
• Dashboard also displays the total number of unprotected compute workloads based on the unique unprotected flows detected.

• Click on Global (1).
• Click on ACME (2) instance .

• In the ACME instance. Navigate to Visibility & Planning(1).

Review the Dashboard under Visibility and Planning. The NSX+ Intelligence Central Dashboard is a centralized interface that provides unified security visibility across multiple cloud environments. NSX+ Intelligence Dashboard offers the  Security Posture of the sites that are onboarded. It displays the percentage of unprotected flows, total number of flows, and the total external flows that were detected in last 15 minutes.

• The Dashboard offers full view of traffic flows of all the sites onboarded to NSX+. To view the site specific Traffic information Click on All Sites(1) and change the site.

• Change the Site to LM-NewYork(1).
• In LM-NewYork site 52% flows are protected.We will now examine the microsegmented traffic flows specific to the CRM application in LM-NewYork.

• Change the Site to LM-London(1).
• We can observe in LM-London site, 100% traffic flows are unprotected. We will create NSX+ Intelligence Rule recommendation to protect the traffic flows of ACME application.
• Click on Discover & Take Action(2).

Discover & Take Action page shows the VM application groups, network flows, and flow status (“Unprotected”, “Blocked”, or “Allowed” by security policy).

• Click on Groups(1) to apply filter on CRM VMs group.
• Select the CRM application groups(2) as highlighted in the above Image.
• Click on apply(3).

• Distributed Firewall Rules have been set up for PROD CRM Application in “LM-NewYork”, ensuring that all traffic flows related to the application are fully protected.

• Navigate to "LM-London"(1) where a new application ACME is added.

• Click on Groups(1) to apply filter on ACME VMs group.
• Select the ACME application groups(2) as highlighted in the above Image.
• Select the VM groups  (ACME-Web-VMs, ACME-App-VMs, ACME-DB-VMs). Click on apply(3).

• We can observe that all the traffic flows of ACME application is unprotected.We now initiate rule recommendations for the VMs associated with the ACME application.

We've observed the ACME Application Topology, and there are numerous flows lacking protection, identifiable by the red dotted lines. This indicates that there are currently no explicit micro-segmentation policies in place to either allow or block these flows. The key feature of NSX+ Intelligence is its ability to provide recommendations for micro-segmentation policies based on network traffic data. This is done by analyzing traffic patterns and identifying potential security risks, such as unsecured communication between Virtual Machines. The system then uses this information to recommend specific micro-segmentation policies that can be implemented to mitigate those risks.

This feature is useful because it automates the process of configuring micro-segmentation policies, which can be a time-consuming and complex task. It also allows for more dynamic and adaptive security, as the system can automatically adjust policies as network traffic and security risks change. Additionally, it can help organizations to identify possible vulnerabilities on their network and allow them to take actions to minimize the risk of data breaches.

In this section. We will create a generate automatic recommendation of Distributed Firewall Rules for ACME application. ACME-Web01 --> ACME-App01 --> ACME-DB01

• Click on Visibility and Planning (1)
• Click on Recommendations(2)

• Expand the Recommendation rule(1) for observing its entities .You can see that we've run the recommendation wizard to come up with a set of rules required for application communication. Beyond reducing the attack surface by implementing segmentation and micro segmentation policies.
• Click on recommendation name PROD-ACME-Application(2) to see the published rules.

The App Connectivity Strategy depicts that the DFW policy is published by NSX Intelligence Rule recommendation. The rules are applied dynamically by analyzing the traffic patterns between the application servers.

• VDI to Web communication on port 80
• Web to App communication allowed on port 8080.
• App to DB communication allowed on MySql service.

• Click on "Discover & Take Action" (1).
• Change the highlighted filter from Groups to Computes(2).
• Change the timeline to "Last 2 Weeks" (3).

• Apply the filter on Computes. Click on "ALL" and type "DEV" in  search bar.
• Select the VMs  DEV-CRM-Web01, DEV-CRM-App01 (1) as highlighted in the image.
• Click on Apply(1).

• Right Click on the Compute DEV-CRM-Web (1)  and select  "Unique Intrusion Signatures"(2) option.
• Unique Intrusion Signatures panel will be opened  on the right side of NSX manager window. Scroll down to event with Threat score(75).

• Expand(1) the Command and Control event to view the detailed information about intrusion.
• We will navigate to Network Detection and Response to investigate about the atomic event in detail.

In conclusion, NSX+ Intelligence is a powerful security feature that provides advanced capabilities such as micro-segmentation. One of its key features is the ability to provide automated recommendations for micro-segmentation policies based on network traffic data. This feature allows organizations to quickly and easily configure micro-segmentation policies, which can be a complex and time-consuming task.

The security administrator detected an unusual command & control atomic event in Web server running in LM-NewYork . By leveraging the NSX+ NDR campaigns the admin has observed that we have detected and correlated more than a C & C activity across the environment. The attacker has laterally moved from DEV-CRM-Web01 in LM_NewYork to VDI-01 in LM-London and followed by the lateral movement to Database in LM-London. From Site LM-London, the attacker has managed to ex-filtrate the data from the primary Database.

A campaign is correlated set of incidents that affect one or more workload over a period. It provides the visibility of entire cycle with the list of compromised hosts and threats detected along with their timeline of attacks. Let’s start the investigation of the attack from the NDR console, to review the threat events. 

• Click on Threat Detection & Response(1).

• Under Threat Detection & Response Section. Click on Campaigns(1).
• We have two campaigns in LAST 7 Days. Click on "C&C after lateral movement"(2).

In overview section of the campaign we can see that that there are two Malicious activities across two different clouds.

• The Detection's view shows the threats detected by NSX+ Network Detection and Response
• Click Detection's(1). Each event under detection's have a host that is connected to a threat, calculated Threat score, Threat name , class and other actions.

• Expand the Execution(1).  After gaining the initial access. Attacker uses lateral movement to pivot the attack from LM-NewYork  to LM-London site to gain access to additional systems, escalate privileges and ex-filtrate sensitive data.

• A Command and Control activity is detected between VDI-01 virtual machine in LM-London to Attacker ans this has also been detected by means of an IDPS signature.

Finally we detected the use of DNSCAT on the network indicating exfiltration of data from the prod DEV-CRM-DB workload. This was confirmed by means of three distinct IDPS signatures.As we have analyzed  the campaign and reviewed all the intrusion events.

IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. IDS/IPS policies are deployed in the Detect-only mode. To prevent the attacks happening in your environment,  you should change the rules to Detect and Prevent.

Note : IDS/IPS policy changes are made in NSX Local Managers individually. In this lab, access to local managers are not available.  However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.

• Click on Security (1).
• Under Policy Management, click on IDS/IPS (2).
• To validate the currently configured rules, click Distributed Rules .

• Expand the Policy Application-IDS, select .
• Click the drop-down menu for the mode and change to "Detect and Prevent"(1).
• Once the changes are made, click PUBLISH (2) to apply the rules.