Introduction to VMware NSX+: This is a new NSX offering that allows customers to transition to a SaaS-based multi-cloud operating model for networking, security, and advanced load balancing. It is a multi-cloud networking and security solution delivered as a service, offering Centralized Policy Management, NSX Intelligence and NDR (Network Detection and Response) for both networking and security across multiple cloud environments (private and public clouds).
With this new NSX+ lab, we demonstrate an innovative cloud operating model that ensures consistent networking and security for applications deployed in multiple cloud environments. This lets you achieve consistent policies from a single pane of glass, provides end-to-end security visibility and correlation to enhance lateral security, and simplifies operations across private and public clouds, all managed centrally from a single VMware cloud console.
Demo Scenario: ACME Corp is a global company that now has the opportunity to expand its presence in various locations using different cloud platforms for its applications, including private clouds, VMware clouds, and public clouds. However, this diversity also presents challenges, as ACME IT leaders are grappling with the following key issues:
- A common customer challenge is the limited visibility into newly onboarded applications and the absence of automated methods for implementing microsegmentation rules to secure these applications effectively.
- Customers need to establish robust security measures across multiple cloud platforms while also proactively identifying and addressing potential security incidents in real time within the multi-cloud environment.
Solution: VMware introduces NSX+ Intelligence and Network Detection and Response to address these challenges with:
- VMware NSX+ Intelligence offers comprehensive application visibility across clouds. It analyzes application traffic flows, identifies baseline network behavior, and makes security policy recommendations for implementing network segmentation and micro-segmentation.
- NSX+ NDR strengthens multi-cloud security by proactively detecting and responding to potential security incidents across clouds. NSX+ NDR allows you to visualize attack chains by aggregating and correlating security events such as detected intrusions, suspicious objects, and anomalous network flows.
VMware NSX+ is a new NSX offering that allows customers to transition to a SaaS-based multi-cloud operating model for networking, security, and advanced load balancing. NSX+ delivers:
1-Consistent multi-cloud network operations (NSX+ Policy Management).
2-Simplified cloud consumption via a centralized cloud console to manage on-premises and cloud network infrastructure with key multi-cloud capabilities (NSX+ Policy Management and VPC).
3-Comprehensive app visibility across clouds (NSX+ Intelligence).
4-Enterprise guardrails with multi-tenancy running across multiple sites to simplify the creation and consumption of multi-cloud architectures and network constructs (NSX+ VPC).
5-Strong multi-cloud security across clouds with defense-in-depth via Network Detection and Response (NSX+ NDR).
To log in to the environment, perform the following steps:
- Enter your TestDrive Username and Password and select ENTER.
- Click on Intrinsic Security. Locate the VMware NSX+ Advanced Lab and click Launch.
*In case of a long idle or disconnected session, please log out from the upper-right corner and log in again to launch a new Horizon desktop, or switch to an Incognito browser window instead of regular Chrome/Firefox.
- A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
- Note: Please provide the short username (not your email ID) and password to log in.
- Click on the Apps(1) section, search for the NSX+ Advanced(2) desktop and launch the desktop(3).
The NSX+ Advanced desktop is now loaded. At this point you can begin the walk-through steps listed in the next section.
- Click on the Lab Guide Chrome icon (1) before opening the NSX+ console. Wait for the lab guide to fully open.
- Click on the NSX+ Advanced icon (2) only after the lab guide has opened completely.
For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or make any change to the license or subscription that could potentially disrupt this shared NSX+ lab environment.
The automatic login process will handle the login procedure without any need for manual intervention. Please don't press any keys until the login process is finished and you are logged into the VMware Cloud Services portal.
- The organization must be "ACME Org" (1) under the username.
- Click on "LAUNCH SERVICE" (2) to launch the NSX+ instance.
If you plan to onboard your on-premises NSX Manager / NSX Local Manager, make sure the following prerequisites are satisfied:
- On-premises NSX Manager must be version 4.1.1+
- A vSphere+ subscription
- Supported vCenter Server version is 8.0+
- Latest VMware Cloud Gateway version
- The minimum form factor of an on-premises NSX Manager node to be onboarded onto an NSX+ instance is Large, with the following subscriptions:
1. NSX+ Policy Management
2. NSX+ Intelligence
3. NSX+ NDR
- For a step-by-step walkthrough of onboarding your NSX Local Managers into NSX+ (this lab skips this step), see: https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx01-onboarding-nsx-demo?w=394bc
- Purchase NSX+ Subscription: VMware NSX+ is subscription-based software. No software installation is needed, and no license key is used to activate the software. You buy VMware NSX+ directly from the VMware Sales team.
- Receive an email to add NSX+ service to your organization: After buying the NSX+ service, VMware sends you a service welcome email that has a unique service activation link. Use this link and follow the on-screen prompts to apply an NSX+ subscription.
- Download, Install and Configure VMware Cloud Gateway: VMware Cloud Gateway is a secure gateway between the on-premises NSX Local Manager and NSX+. It allows you to onboard and off-board your NSX Local Manager to an NSX+ instance.
- Launch the NSX+ Service: Assign the appropriate NSX+ service role in order to work in the NSX+ UI.
- Onboard an NSX+ Instance: An NSX+ instance defines a logical grouping for the managed sites hosted in a region. Once this is defined, you can onboard sites to your instance.
VMware NSX+ Intelligence provides comprehensive application visibility across clouds. It is a distributed analytics engine that leverages granular workload and network context unique to NSX+ to deliver security policy management and security analytics running across clouds.
NSX+ Intelligence allows you to gain comprehensive visibility into your network across multiple clouds. It provides a centralized data analysis dashboard, which helps you understand the traffic flow data and provides recommendations for network and security policies across multi-cloud deployments.
ACME Corporation manages its applications across two locations: LM-NewYork and LM-London. The ACME Corp CRM application is hosted in LM-NewYork. They have successfully created Distributed Firewall Rules to safeguard the CRM application in LM-NewYork, ensuring comprehensive protection for all application-related traffic flows.
ACME Corp has introduced a new application, the ACME App, to its LM-London site. In this demonstration, we'll highlight how NSX+ Intelligence plays a crucial role in discovering the traffic patterns associated with this application. Furthermore, NSX+ Intelligence recommendations will be applied, demonstrating how they can be leveraged to implement automatic microsegmentation rules that secure the application's traffic flow.
- The NSX+ Intelligence Dashboard shows the security posture of the sites that are onboarded. It displays the percentage of unprotected flows, the total number of flows, and the total external flows that were detected in the last 15 minutes.
- The Dashboard also displays the total number of unprotected compute workloads, based on the unique unprotected flows detected.
- Click on Global (1).
- Click on the ACME (2) instance.
- In the ACME instance, navigate to Visibility & Planning(1).
Review the Dashboard under Visibility & Planning. The NSX+ Intelligence Central Dashboard is a centralized interface that provides unified security visibility across multiple cloud environments, showing the security posture of the onboarded sites as described above.
- The Dashboard offers a full view of the traffic flows of all the sites onboarded to NSX+. To view site-specific traffic information, click on All Sites(1) and change the site.
- Change the site to LM-NewYork(1).
- In the LM-NewYork site, 52% of flows are protected. We will now examine the micro-segmented traffic flows specific to the CRM application in LM-NewYork.
- Change the site to LM-London(1).
- In the LM-London site, 100% of traffic flows are unprotected. We will create an NSX+ Intelligence rule recommendation to protect the traffic flows of the ACME application.
- Click on Discover & Take Action(2).
The Discover & Take Action page shows the VM application groups, network flows, and flow status ("Unprotected", "Blocked", or "Allowed" by security policy).
- Click on Groups(1) to apply a filter on the CRM VMs group.
- Select the CRM application groups(2) as highlighted in the above image.
- Click on Apply(3).
- Distributed Firewall Rules have been set up for the PROD CRM application in "LM-NewYork", ensuring that all traffic flows related to the application are fully protected.
- Navigate to "LM-London"(1), where the new ACME application has been added.
- Click on Groups(1) to apply a filter on the ACME VMs group.
- Select the ACME application groups(2) as highlighted in the above image.
- Select the VM groups (ACME-Web-VMs, ACME-App-VMs, ACME-DB-VMs). Click on Apply(3).
- We can observe that all the traffic flows of the ACME application are unprotected. We now initiate rule recommendations for the VMs associated with the ACME application.
We've observed the ACME Application Topology, and there are numerous flows lacking protection, identifiable by the red dotted lines. This indicates that there are currently no explicit micro-segmentation policies in place to either allow or block these flows. The key feature of NSX+ Intelligence is its ability to provide recommendations for micro-segmentation policies based on network traffic data. This is done by analyzing traffic patterns and identifying potential security risks, such as unsecured communication between Virtual Machines. The system then uses this information to recommend specific micro-segmentation policies that can be implemented to mitigate those risks.
This feature is useful because it automates the process of configuring micro-segmentation policies, which can be a time-consuming and complex task. It also allows for more dynamic and adaptive security, as the system can automatically adjust policies as network traffic and security risks change. Additionally, it can help organizations to identify possible vulnerabilities on their network and allow them to take actions to minimize the risk of data breaches.
In this section, we will generate an automatic recommendation of Distributed Firewall Rules for the ACME application (ACME-Web01 --> ACME-App01 --> ACME-DB01).
- Click on Visibility & Planning (1).
- Click on Recommendations(2).
- Expand the recommendation rule(1) to observe its entities. You can see that the recommendation wizard has come up with the set of rules required for application communication, reducing the attack surface by implementing segmentation and micro-segmentation policies.
- Click on the recommendation name PROD-ACME-Application(2) to see the published rules.
The App Connectivity Strategy shows that the DFW policy was published by the NSX Intelligence rule recommendation. The rules are derived dynamically by analyzing the traffic patterns between the application servers:
- VDI to Web communication allowed on port 80.
- Web to App communication allowed on port 8080.
- App to DB communication allowed on the MySQL service.
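To make the recommendation logic concrete, here is an added example (not NSX+ code; the VM names, group names and flow records are constructed) that collapses observed VM-to-VM flows into group-to-group allow rules, closes the section with a default drop, and reports the dashboard-style protected percentage before and after the rules exist. The sample deliberately includes a tier-skipping Web-to-DB flow: a recommendation engine can only propose what it observed, so such a flow becomes an allow rule unless the administrator reviews the recommendation before publishing.

```python
from collections import defaultdict

# Constructed sample data (not an NSX+ export): VM -> application group,
# mirroring the lab's VDI and ACME Web/App/DB tiers.
VM_GROUPS = {
    "VDI-01": "VDI-VMs",
    "ACME-Web01": "ACME-Web-VMs",
    "ACME-App01": "ACME-App-VMs",
    "ACME-DB01": "ACME-DB-VMs",
}
SERVICE_NAMES = {("tcp", 80): "HTTP", ("tcp", 8080): "TCP-8080", ("tcp", 3306): "MySQL"}

# Constructed observed flows: (source VM, destination VM, protocol, dst port).
# The last entry is a tier-skipping Web -> DB flow a reviewer should question.
FLOWS = [
    ("VDI-01", "ACME-Web01", "tcp", 80),
    ("VDI-01", "ACME-Web01", "tcp", 80),
    ("ACME-Web01", "ACME-App01", "tcp", 8080),
    ("ACME-App01", "ACME-DB01", "tcp", 3306),
    ("ACME-Web01", "ACME-DB01", "tcp", 3306),
]

def service_of(proto, port):
    return SERVICE_NAMES.get((proto, port), f"{proto}/{port}")

def recommend_rules(flows, vm_groups):
    """Collapse observed VM-to-VM flows into group-to-group ALLOW rules,
    followed by a default DROP into the application groups so that only
    observed paths survive once the section is published."""
    counts = defaultdict(int)
    for src, dst, proto, port in flows:
        counts[(vm_groups[src], vm_groups[dst], service_of(proto, port))] += 1
    rules = [{"source": s, "destination": (d,), "service": svc,
              "action": "ALLOW", "observed_flows": n}
             for (s, d, svc), n in sorted(counts.items())]
    rules.append({"source": "ANY", "destination": tuple(sorted(set(vm_groups.values()))),
                  "service": "ANY", "action": "DROP", "observed_flows": 0})
    return rules

def classify(flow, rules, vm_groups):
    """First-match evaluation: Allowed / Blocked by a rule, else Unprotected."""
    src, dst, proto, port = flow
    sg, dg, svc = vm_groups[src], vm_groups[dst], service_of(proto, port)
    for r in rules:
        if r["source"] in ("ANY", sg) and dg in r["destination"] and r["service"] in ("ANY", svc):
            return "Allowed" if r["action"] == "ALLOW" else "Blocked"
    return "Unprotected"

def protected_percent(flows, rules, vm_groups):
    """Dashboard-style figure: share of flows covered by an explicit rule."""
    covered = sum(classify(f, rules, vm_groups) != "Unprotected" for f in flows)
    return round(100 * covered / len(flows))
```

With no rules published every sample flow is Unprotected (0%); after `recommend_rules` they are all Allowed (100%), and a flow never observed, such as VDI straight to the DB on 3306, hits the default DROP and is reported as Blocked.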
- Click on "Discover & Take Action" (1).
- Change the highlighted filter from Groups to Computes(2).
- Change the timeline to "Last 2 Weeks" (3).
- Apply the filter on Computes. Click on "ALL" and type "DEV" in the search bar.
- Select the VMs DEV-CRM-Web01 and DEV-CRM-App01 (1) as highlighted in the image.
- Click on Apply(1).
- Right Click on the Compute DEV-CRM-Web (1) and select "Unique Intrusion Signatures"(2) option.
- The Unique Intrusion Signatures panel opens on the right side of the NSX Manager window. Scroll down to the event with Threat Score 75.
- Expand(1) the Command and Control event to view detailed information about the intrusion.
- We will now navigate to Network Detection and Response to investigate this atomic event in detail.
In conclusion, NSX+ Intelligence is a powerful security feature that provides advanced capabilities such as micro-segmentation. One of its key features is the ability to provide automated recommendations for micro-segmentation policies based on network traffic data. This feature allows organizations to quickly and easily configure micro-segmentation policies, which can be a complex and time-consuming task.
NSX+ Network Detection and Response (NDR) provides scalable threat detection and response for workloads deployed in private and/or public clouds. The NDR correlation engine analyzes IDPS, malware, and anomaly events and groups them into threat campaigns, which helps prevent alert overload and simplifies SOC monitoring processes. This service provides simplified threat triage, scoping, and threat hunting aligned to the MITRE ATT&CK framework.
NSX+ NDR:
- Delivers network security capabilities against advanced threats running across clouds.
- Provides scalable threat detection and response for workloads deployed in multi-cloud environments.
- Strengthens multi-cloud security by proactively detecting and responding to potential security incidents across clouds.
- Allows you to visualize attack chains by aggregating and correlating security events such as detected intrusions, suspicious objects, and anomalous network flows. It combines multiple detection technologies (IDS/IPS, sandboxing, and NTA) with the NDR context engine's correlation to offer a cohesive end-to-end defense running across clouds.
A full demo of NSX+ NDR is available here: https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx04-ndr-demo-for-ransomware-protection?w=394bc
The security administrator detected an unusual command & control atomic event on a web server running in LM-NewYork. Using NSX+ NDR campaigns, the admin observed that more than just C&C activity has been detected and correlated across the environment. The attacker moved laterally from DEV-CRM-Web01 in LM-NewYork to VDI-01 in LM-London, followed by lateral movement to the database in LM-London. From site LM-London, the attacker managed to exfiltrate data from the primary database.
A campaign is a correlated set of incidents that affect one or more workloads over a period of time. It provides visibility of the entire attack cycle, with the list of compromised hosts and the threats detected, along with their attack timeline. Let's start the investigation of the attack from the NDR console and review the threat events.
- Click on Threat Detection & Response(1).
- Under the Threat Detection & Response section, click on Campaigns(1).
- We have two campaigns in the last 7 days. Click on "C&C after lateral movement"(2).
In the Overview section of the campaign we can see that there are two malicious activities across two different clouds.
- The Detections view shows the threats detected by NSX+ Network Detection and Response.
- Click Detections(1). Each event under Detections has a host that is connected to a threat, a calculated threat score, the threat name, class and other actions.
- Expand the Execution(1). After gaining initial access, the attacker uses lateral movement to pivot the attack from the LM-NewYork site to the LM-London site in order to gain access to additional systems, escalate privileges and exfiltrate sensitive data.
- Command and Control activity is detected between the VDI-01 virtual machine in LM-London and the attacker, and this has also been detected by means of an IDPS signature.
Finally, we detected the use of DNSCAT on the network, indicating exfiltration of data from the prod DEV-CRM-DB workload. This was confirmed by means of three distinct IDPS signatures. We have now analyzed the campaign and reviewed all the intrusion events.
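The campaign view above is the product of correlation: individual detections on separate hosts are joined into one attack chain because lateral-movement detections link those hosts. The following added example (my own illustration, not NSX+ NDR code; the host inventory, timestamps, scores and evidence strings are constructed) shows that idea with a union-find over internal hosts, producing per-campaign compromised hosts, affected sites, a score inherited from the worst event, and a chronological chain. An unrelated single-host detection is included to show it stays a separate campaign.

```python
from collections import defaultdict

# Constructed inventory (not from the lab environment): internal host -> site.
INTERNAL = {"DEV-CRM-Web01": "LM-NewYork", "PROD-CRM-App01": "LM-NewYork",
            "VDI-01": "LM-London", "DEV-CRM-DB": "LM-London"}

# Constructed detections: (timestamp, source host, destination host, threat class,
# threat score, evidence). Timestamps are placeholders that sort chronologically.
EVENTS = [
    ("t01", "PROD-CRM-App01", "EXTERNAL", "Suspicious Object", 40, "sandbox verdict"),
    ("t02", "DEV-CRM-Web01", "EXTERNAL", "Command and Control", 75, "IDPS signature"),
    ("t03", "DEV-CRM-Web01", "VDI-01", "Lateral Movement", 60, "anomalous flow"),
    ("t04", "VDI-01", "EXTERNAL", "Command and Control", 80, "IDPS signature"),
    ("t05", "VDI-01", "DEV-CRM-DB", "Lateral Movement", 60, "anomalous flow"),
    ("t06", "DEV-CRM-DB", "EXTERNAL", "Exfiltration", 90, "3 IDPS signatures (DNS tunnelling)"),
]

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def correlate(events, internal):
    """Group detections into campaigns: two events belong together when an
    internal-to-internal detection (lateral movement) links their hosts."""
    parent = {host: host for host in internal}
    for ev in events:
        src, dst = ev[1], ev[2]
        if src in internal and dst in internal:
            parent[_find(parent, src)] = _find(parent, dst)
    by_root = defaultdict(list)
    for ev in events:
        by_root[_find(parent, ev[1])].append(ev)
    campaigns = []
    for evs in by_root.values():
        evs.sort(key=lambda e: e[0])                 # chronological attack chain
        hosts = {e[1] for e in evs} | {e[2] for e in evs if e[2] in internal}
        campaigns.append({
            "hosts": sorted(hosts),
            "sites": sorted({internal[h] for h in hosts}),
            "score": max(e[4] for e in evs),        # campaign inherits its worst event
            "chain": [(e[0], e[3], f"{e[1]} -> {e[2]}", e[5]) for e in evs],
        })
    return sorted(campaigns, key=lambda c: -c["score"])
```

Running `correlate(EVENTS, INTERNAL)` yields two campaigns: the cross-site chain C&C, lateral movement, C&C, lateral movement, exfiltration spanning LM-NewYork and LM-London with score 90, and a separate low-score single-host campaign for PROD-CRM-App01.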
IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. In this lab the IDS/IPS policies are deployed in Detect Only mode. To prevent attacks from happening in your environment, you should change the rules to Detect and Prevent.
Note: IDS/IPS policy changes are made in each NSX Local Manager individually. In this lab, access to the local managers is not available. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.
- Click on Security (1).
- Under Policy Management, click on IDS/IPS (2).
- To validate the currently configured rules, click Distributed Rules.
- Expand the Policy Application-IDS, select .
- Click the drop-down menu for the mode and change to "Detect and Prevent"(1).
- Once the changes are made, click PUBLISH (2) to apply the rules.
NSX+ is an evolution of NSX: we now deliver NSX+ Policy Management, Intelligence, NDR, and Advanced Load Balancing so you can achieve consistent policies, unified visibility, stronger lateral security, and simpler operations, all centrally managed from a single cloud console that gives you full control while allowing your applications to run on the cloud that best fits their needs.
Deploying NSX+ Intelligence across clouds and implementing NSX+ NDR ensures enhanced visibility, consistent security policies, efficient network management, rapid threat detection, and multi-cloud flexibility, thereby bolstering the overall security and performance of your network infrastructure.
NSX+ now works with your on-premises NSX and VMware Cloud on AWS, and shortly with native public cloud environments, helping you extend these benefits to your multi-cloud environments. Truly centralized, end-to-end management is achievable with NSX+, which makes the true cloud operating model attainable through a distributed, scale-out software architecture.