About NSX-T 3.2 Security Lab
Your enterprise can now deploy VMware NSX Security as a standalone security product, deploying it in an existing environment with no changes to your network. NSX-T 3.2 provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. NSX-T 3.2 makes it easier for you to enable Zero Trust application access across multi-cloud environments—so you can secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale.
In this NSX 3.2 Security Lab, you'll get hands-on experience with NSX Security Advanced Threat Prevention features such as Malware Prevention, Network Detection and Response, Intrusion Detection and Prevention System, DFW micro-segmentation, and more. This lab is intended for intermediate to advanced-level users exploring VMware NSX security use cases, helping you to explore security concepts and plan with NSX-T 3.2.
How NSX Advanced Threat Prevention Combats Ransomware
This lab will use a scenario involving ransomware, which is one of the most common threats in the modern cybersecurity landscape. There are many different variants, but the purpose remains largely the same for attackers: to generate as much revenue as possible by extorting their victims.
Like other forms of malware, ransomware is delivered by cybercriminals exploiting vulnerabilities in an organization's system. For example, attackers will take advantage of systems that have already been compromised or use social engineering tactics, such as phishing emails that attempt to trick users into downloading infected files or clicking on malicious links, to gain initial access to the victim's network. Once inside, attackers follow a multi-staged approach to take over files or systems, exfiltrating or encrypting key information to render it unusable to the organization. The attacker will demand a ransom be paid in exchange for a decryption key, which will presumably return the files to their original state.
Let's now see how NSX Advanced Threat Prevention (ATP) can help prevent and protect against these attacks.
NSX Malware Prevention and Network Detection and Response
NSX Advanced Threat Prevention (ATP) is a suite of analysis tools designed to defend against advanced threats that use known and unknown attack vectors. ATP augments more common security solutions aimed at repelling known intrusion strategies.
Key protection features include:
Malware Prevention detects and prevents malicious file transfers by combining signature-based detection of known malware with static and dynamic analysis of malware samples. You can configure Malware Prevention on your gateway firewall for North-South traffic. For East-West traffic, it can be configured in the distributed Intrusion Detection and Prevention Service (IDPS), using Guest Introspection to protect virtual machines (VMs).
Network Detection and Response (NDR) collects the traffic from the entire network infrastructure across on-premises, cloud and hybrid cloud. It uses AI techniques to analyze traffic and gain insights about advanced threats. With NDR, you can visualize the entire traffic flow, which is correlated and presented as campaign cards along with affected hosts and a detailed timeline of threats. Additionally, NDR maps to the MITRE ATT&CK tactics and techniques for resourceful understanding of key events in the campaign.
Why Do You Need NSX Advanced Threat Prevention?
Cybercriminals are continuously developing more sophisticated strategies to gain access to networks. These attacks are typically well-funded, often specifically targeted, and involve complex malware that’s designed to avoid common security defenses. Countering advanced threats requires advanced analytic tools that can provide rapid visibility, analysis, context, and response into the contents and actions of malicious network traffic.
Benefits of NSX Advanced Threat Prevention
By incorporating a leading ATP solution into your security stack, you harness three critical advantages:
Maximum Network Threat Visibility: In using multiple threat detection techniques at once, ATP delivers deep visibility into all your network traffic.
Advanced Malware Detection: ATP helps secure both Private and Public Cloud workloads against threats that have been engineered to evade standard security tools.
Lower False Positives: ATP can greatly improve the accuracy of your alerts, which means your security teams can focus on a smaller set of actual intrusions.
One of the most performant ATP solutions available today is the VMware Advanced Threat Prevention offering for the NSX Service-defined Firewall. Using a combination of network traffic analysis, intrusion detection and prevention, and advanced malware analysis with comprehensive network detection and response capabilities, the solution is purpose-built to protect data center traffic with the industry’s highest fidelity insights into advanced threats.
How Does NSX Advanced Threat Prevention Work?
Fundamentally, ATP solutions perform sophisticated detection and analysis on suspicious network traffic, often employing hardware emulation, and supervised and unsupervised machine learning models. ATP solutions attempt to identify threats early—before they can do damage—and respond quickly in the event of a breach.
The goal of this lab is to illustrate how NSX Advanced Threat Protection security solutions help organizations to gain actionable insights into advanced threats and to defend against their attack vectors.
Section 1: Before You Begin
1.1 Access to the Lab
To login to the environment, perform the following steps:
NOTE: We only support customer sign-ups with a corporate email. Do not use a personal email such as Gmail (if you do, no activation email will be sent).
If you are signing in for the first time and don't have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account.
Enter your TestDrive Username and Password and select ENTER.
Locate the VMware NSX Security product under the Intrinsic Security tab and click Launch. Make sure that you open the NSX 3.2 Security Lab guide document and refer to it in a separate tab.
A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
NOTE: Please provide the username (not your email ID) and password to login.
Click the Apps section, search for the NSX Security desktop, and launch it.
NOTE: If the session has been idle for a long time or has been disconnected, log out from the upper-right corner and log in again to launch a new Horizon desktop, or switch to an Incognito browser window instead of regular Chrome/Firefox.
Now you'll be on the NSX Security desktop. At this point you can begin the walkthrough steps listed in the next section.
1.2 Access NSX-T 3.2 Manager
The console is accessed through a supported web browser (Chrome or Firefox). Log in to NSX-T Manager:
Click the NSX-Mgr AutoLogon shortcut on the Desktop. The shortcut opens the NSX URL: https://dal-nsxmgr.nsx-sdfw.local/
Username/Password: Sign-in is automated, so please don't touch the keyboard or mouse during the 15-second process. If you do, close all Chrome windows and reopen the link.
If you prefer to log in manually, click the NSX icon inside the Lab Access folder and enter your TestDrive email@example.com / password.
1.3 Prerequisites for Ransomware lab
In the lab, to simulate an enterprise environment, the following VMs have been deployed: a VDI Server and a production database server. These two VMs are connected to NSX-T overlay segments.
A supplementary VM has been deployed to play the role of an attacker, an external resource from which the attacks are initiated. This VM is attached to a VLAN-type port group on a virtual distributed switch. The operating system (OS) type and role of each VM are as follows:
NSX Ransomware Lab Topology
Section 2: Ransomware Attack with NSX ATP Use-case
2.1 Mitigating Attacks in Your Network
VMware NSX-T Advanced Threat Prevention platform features (Malware prevention, Network Detection and Response) provide visibility and protection against ransomware threats, allowing you to act quickly to mitigate attacks in your network.
To resolve the attack scenario in this lab, you will use these features across four primary steps:
2.2 Attack Story
The lab has deployed the NSX Advanced Threat Prevention security features in detect mode only. This allows us to observe the entire multi-stage malware attack chain, from Initial access to Execution to its last phase, the Exfiltration of the stolen data. An Attacker has gained access to one of your employee’s VDI Desktop through phishing. Laterally moving through your network, the Attacker drops DarkSide executable ransomware in a customer relationship management production Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.
The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX-T Advanced Threat Prevention.
NOTE: The attack simulations are generated automatically in this lab, so you can start investigating the threat events directly.
Your first step will be to inspect the malicious file downloads captured by Malware Prevention.
NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.
Let’s start the investigation of the attack from the NSX-T console, using it to review the threat events.
1. Navigate to Malware Prevention to start investigating the compromised VDI Server & Database workload.
Click on Security (1) in NSX-T manager
Click on Malware Prevention (2) under Threat Detection & Response.
Change the Timeline (3) to Last 14 Days.
Under Potential Malware, observe that a malicious file has been detected in inspected files. Click the expand icon (1) to investigate. These are the details you will find:
- DarkSide malware is downloaded from the Attacker to the VDI Server and the Database Server.
- Attacker (18.104.22.168xx) --> VDI Server (192.168.100.1xx)
- Attacker (22.214.171.124xx) --> CRM Database Server (192.168.20.xx)
NOTE: IP addresses in the lab will differ from the lab guide, but the subnet of each VM will be the same.
Click the number next to Total Inspections (2). You'll see the malicious file activity detected by NSX on the NSX Edge Nodes. The Darkside.exe file has been downloaded from the server (126.96.36.199xx) to the VDI Server (192.168.100.1xx) and the Database Server (192.168.20.x).
Select View Reports (3).
Click CLOSE (1) once you’ve reviewed the file activity.
The malicious file Analysis Overview provides quick access to understand the malicious file type and its threat level. In this scenario, the malicious file was delivered inside a Zip-type archive. You will see the file’s first submission time as well as different hashes calculated for the Zip archive.
Next, scroll down to Threat Level.
Under Threat Level, you’ll find the complete risk assessment including the antivirus family and class, malware family, and the maliciousness score for the identified malware. The risk score for the detected malware artifact is set to high, which indicates a critical risk and that action should be prioritized.
With the Advanced Malware Analysis NSX Sandbox, you can investigate the file further. The sandbox provides a dynamic analysis of the file with full-system emulation to enable accurate detection and prevention of unknown and advanced threats.
To access the dynamic analysis report, click on link icon as highlighted under Score details.
Inside the NSX Sandbox, you can access an analysis of the malware artifact's complete behavior and a list of actions observed during the dynamic analysis. The malware activity types are mapped to MITRE ATT&CK techniques for a better understanding of the malware attack chain.
Click CLOSE (1) after viewing the threat level report.
2. NSX Network Detection and Response (NDR) enables you to visualize the complete campaign blueprint.
A Campaign is a correlated set of incidents that affect one or more workloads over a period of time. It provides visibility of the entire attack cycle, with the list of compromised hosts and detected threats along with the timeline in which the attack occurred.
To access the campaign blueprint:
Click Security Overview.
Under Security Overview, click Threat Detection & Response.
Select Last 2 weeks from the filter dropdown menu.
Click Go To Campaigns. This opens the NSX NDR (Network Detection and Response) page in a new browser tab.
3. The NSX Security campaign page displays campaign cards. On each card you'll find information such as the Campaign ID, calculated threat score, latest attack stage, hosts affected, number of threats, and status of the campaign.
Click Campaign ID to explore further details.
Note: Select the campaign that's at the EXFILTRATION stage.
4. When you select the campaign ID, you’ll find details and an interactive graphical blueprint for that campaign.
View the THREATS widget (1) for current threats that NSX NDR has detected. The severity of threat is color-coded Red for High, Yellow for Medium, and Blue for Low.
View the HOSTS widget (2) to see current hosts affected. The severity of threat is color-coded the same as threats. Note: The host is defined as any device with an IP address, not a hypervisor in this context.
View the Attack Stages widget (top right) to find the current campaign attack stages mapped to the MITRE ATT&CK framework. Hover the mouse over each attack stage to view its detailed information.
View the Campaign blueprint widget for an interactive graphical representation of the campaign. It highlights hosts involved in the campaign (both internal and external to the network) and threats that affected the hosts.
The NDR campaign blueprint maps each threat detection to its techniques for a greater understanding of key events in the campaign.
Drag the icons with your mouse to match the placement of icons suggested above.
Inspect it to map each step described in detail, as shown in the following table.
A malicious file has then been downloaded to the VDI Server (192.168.100.154) and to the Database Server (192.168.20.64).
A Command-and-Control session has been established between the Attacker (188.8.131.52) and the VDI Server & Database Server (192.168.100.154) through DarkSide.
A lateral movement has been detected from the VDI Server (192.168.100.154) to the Database Server (192.168.20.64) utilizing ETERNALBLUE.
As a final stage, data has been exfiltrated from the Database Server (192.168.20.64) to the Attacker (184.108.40.206).
5. The Hosts tab (1) displays a list of hosts affected with threat information so you can observe the latest activity for attack stages.
6. The Timeline view shows the threats detected by NSX Network Detection and Response in Threat Cards:
Click Timeline. Each threat card under the timeline shows the host connected to the threat, the calculated threat score, threat name, class, and other actions.
Select Sort by Earliest (by start time) (2) to arrange the threat cards in the sequence of attacks with their timeline.
Observe the timeline on each threat card, event date and time, and IP address.
Expand the icon > (3) to view the related evidence summary about the threat, as shown in the following table. To better understand the threat, note the evidence of malware identified and overview of how the malware behaved.
A malicious file has then been downloaded to the VDI Server (192.168.100.154) and to the Database Server (192.168.20.64).
A Command-and-Control session has been established between the Attacker (220.127.116.11) and the VDI Server & Database Server (192.168.100.154) through DarkSide.
A lateral movement has been detected from the VDI Server (192.168.100.154) to the Database Server (192.168.20.64) utilizing ETERNALBLUE.
As a final stage, data is exfiltrated from the Database Server (192.168.20.64) to the Attacker (18.104.22.168).
Once the analysis is completed, close the NSX NDR tab and switch to the NSX-T Manager browser window.
Next, you'll need to determine how to prevent future incidents by following the steps in the next section to configure the IDS/IPS and Malware Prevention policies.
2.4 Attack Prevention with IDS/IPS
IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.
IDS/IPS and Malware Prevention policies are deployed in the Detect-only mode. To prevent the attacks happening in your environment, you should change the rules to Detect and Prevent.
NOTE: For this lab, users aren’t allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.
1. Validate the Mode of the rules configured in IDS/IPS & Malware Prevention.
Click on Security.
Under Policy Management, click on IDS/IPS & Malware Prevention.
To validate the currently configured rules, click Distributed Rules (3).
Expand VDI (1) to check the mode of the rules for IDS-Employees (2) and Malware Detection-Employees (3). You will see that both rules are configured in Detect-only mode.
2. Change the IDS/IPS & Malware Prevention rules to Detect and Prevent mode.
In the same Distributed Rules view, select IDS-Employees (1).
Click the dropdown menu for the mode and change to Detect and Prevent.
Follow the same steps for the Malware Detection-Employee (2).
Once the changes are made, click PUBLISH (3) to apply the rules.
In the following section, you’ll learn about NSX-T Distributed Firewall, which provides visibility and control for virtualized workloads and networks. The section will take you through the methods to prevent attackers from moving laterally within the environment using micro-segmentation of East-West communication between workloads.
Section 3: Micro-segmentation with NSX-T Distributed Firewall
NSX-T Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads such as VMs and enforces a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distributes firewalls to each VM.
In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is that data centers lack lateral prevention between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access crucial information until it reaches the physical firewall to be dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.
The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX-T DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.
3.2 Rules for predefined categories
DFW comes with predefined categories for firewall rules, allowing you to organize security policies.
Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.
NSX micro-segmentation Network Topology: Attacker --> VDI --> CRM-DB
1. Ethernet – Layer 2 policies are the first line of defense and should be considered before layer 3 rules.
In NSX-T Manager, select Security (1)
Navigate to Distributed Firewall (2)
Choose the Ethernet tab (3) to view category-specific rules.
2. Emergency – For emergency situations, you can employ temporary firewall rules.
Within the same Distributed Firewall location, choose the Emergency tab (1).
3. Infrastructure – On the Infrastructure tab, you can review non-application firewall rules for shared services such as vCenter, ESXi, DNS, Active Directory and so on.
Choose the Infrastructure tab (1).
Observe here that traffic is allowed for shared services—that is, NTP and DNS to the Production group—for respective context profiles.
4. Environment – In the Environment tab, you can manage high-level policy groupings, such as eliminating communication between test and production environments. These policy groupings allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.
Choose the Environment tab (1).
Observe that traffic here is micro-segmented for multiple environments—such as Production, Development and DMZ—that consist of various groups like VDI_Contractors, VDI_Employees and so on.
5. Application – In this tab, you can apply Application policy rules between tiers. Rules are applied in priority from left to right across categories and from top to bottom within a category. This means that a rule written in Infrastructure has priority over a rule in Application, so you need to place the most fundamental rules at the top of the list.
Choose the Application tab (1).
Observe that distributed firewall rules are applied here for tiers serving multiple applications. By setting these rules, you can achieve application isolation as well as define communication between application tiers such as web, app and database, with related services/ports like Oracle DB, MySQL and so on.
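As an added illustration (not NSX code and not part of this lab), the following Python model walks a constructed rule set in the category order described above. It shows why an Infrastructure rule for shared DNS wins over an Environment rule that isolates Development from Production, why an Emergency quarantine rule overrides everything beneath it, and why an SMB flow from the VDI Server to CRM-DB that no Application rule permits falls to the default rule. All VM names, groups, tags and rules are constructed for the example.

```python
"""Toy model of NSX-T DFW rule precedence (constructed example, not NSX code).

Categories are evaluated left to right (Ethernet > Emergency > Infrastructure >
Environment > Application) and rules within a category top-down; the first
matching rule decides, and the default rule applies when nothing matches.
"""
from dataclasses import dataclass

CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]

# Constructed group membership: VM name -> security groups/tags it belongs to.
GROUPS = {
    "vdi-emp-01": {"VDI_Employees", "Production"},
    "crm-db-01": {"CRM-DB", "Production"},
    "dns-01": {"Shared_Services", "Production"},
    "dev-web-01": {"Development"},
}


@dataclass(frozen=True)
class Rule:
    category: str
    name: str
    source: str       # group name or "Any"
    destination: str  # group name or "Any"
    service: str      # "proto/port" or "Any"
    action: str       # ALLOW, DROP or REJECT


# Constructed policy mirroring the lab's categories (order inside a category matters).
RULES = [
    Rule("Emergency", "Quarantine compromised hosts", "Quarantine", "Any", "Any", "DROP"),
    Rule("Infrastructure", "Shared DNS to Production", "Any", "Shared_Services", "udp/53", "ALLOW"),
    Rule("Infrastructure", "Shared NTP to Production", "Any", "Shared_Services", "udp/123", "ALLOW"),
    Rule("Environment", "Block Dev to Prod", "Development", "Production", "Any", "REJECT"),
    Rule("Environment", "Block Prod to Dev", "Production", "Development", "Any", "REJECT"),
    Rule("Application", "VDI to CRM-DB MySQL", "VDI_Employees", "CRM-DB", "tcp/3306", "ALLOW"),
]
DEFAULT_ACTION = "DROP"  # constructed default rule at the end of the rule base


def member(groups, vm, group):
    """True when the VM is in the group, or the rule field is the Any wildcard."""
    return group == "Any" or group in groups.get(vm, set())


def matches(rule, groups, src_vm, dst_vm, service):
    return (member(groups, src_vm, rule.source)
            and member(groups, dst_vm, rule.destination)
            and rule.service in ("Any", service))


def evaluate(src_vm, dst_vm, service, groups=GROUPS):
    """Return (action, rule name) of the first match in category order, else the default."""
    for category in CATEGORY_ORDER:
        for rule in (r for r in RULES if r.category == category):
            if matches(rule, groups, src_vm, dst_vm, service):
                return rule.action, rule.name
    return DEFAULT_ACTION, "Default rule"


def with_tag(groups, vm, tag):
    """Return a copy of the membership map with an extra tag on one VM (e.g. Quarantine)."""
    return {**groups, vm: groups.get(vm, set()) | {tag}}


if __name__ == "__main__":
    flows = [
        ("dev-web-01", "dns-01", "udp/53"),      # Infrastructure wins over Environment reject
        ("dev-web-01", "crm-db-01", "tcp/3306"),  # Environment reject, never reaches Application
        ("vdi-emp-01", "crm-db-01", "tcp/3306"),  # Application allow for the DB tier
        ("vdi-emp-01", "crm-db-01", "tcp/445"),   # SMB lateral movement path: default DROP
    ]
    for src, dst, svc in flows:
        print(f"{src} -> {dst} {svc}: {evaluate(src, dst, svc)}")
    quarantined = with_tag(GROUPS, "vdi-emp-01", "Quarantine")
    print("quarantined VDI DNS:", evaluate("vdi-emp-01", "dns-01", "udp/53", quarantined))
```

Reordering the RULES list within one category changes the outcome only for flows that match more than one rule in that category; moving a rule across categories changes its precedence over every rule in lower categories.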
As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.
To complement this security approach, you can use VMware Log Insight to help build an infrastructure-related rule base. VMware Log Insight helps you preserve your logs and gain better visibility of what’s going on in your environment. Find out more in the next section.
Section 4: VMware Log Insight for Deep Inspection of Security Logs
4.1 Inspecting Security Logs
Using VMware vRealize Log Insight, you can view the security flow logs of the NSX-T Data Center 3.2 environment. The following security features support flow logging:
DFW micro-segmentation rules
All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to a syslog server, which is configured as VMware vRealize Log Insight. VMware vRealize Log Insight then processes the logs to provide log management and analysis, and displays them using the NSX-T Security content pack.
Navigate to the Log Insight dashboards.
Click the Log Insight icon (vRLI-Demo) from the desktop for auto sign-on (Active Directory login: demo1_nsxsecop).
Click NSX Dashboards (1) -> Overview to view all security KPIs captured.
Select 2/1/2022 to the current date as the time range and click Refresh to update the data:
Now you can view insights over this timeframe by selecting the respective dashboards in the left navigation pane.
1. NSX Security dashboard, including security audit logs:
2. NSX Micro-segmentation dashboard:
3. NSX DFW Firewall rules dashboard:
4. NSX IDPS dashboard:
VMware NSX Advanced Threat Protection makes it easier to protect your organization from ransomware. With just a few clicks, you can enable NSX features that detect and prevent malicious files from moving through North-South and East-West traffic on your gateway firewall. NSX Network Detection and Response collects traffic to uncover all threat movements, correlating and visualizing the complete campaign blueprint. Equipped with a detailed threat timeline across your network, your security teams can determine the scope of an attack and prioritize resources. By unlocking the highest possible fidelity insights, you're able to face the most challenging threats.
We hope you've enjoyed walking through NSX-T 3.2 Security in this TestDrive lab. Please stay tuned for future labs to learn more.
VMware Security on Tech Zone and Hands-on Lab
Pitch NSX ATP demo: https://www.youtube.com/watch?v=jzLz7MiEYwc
Deepdive NSX Security Reference Design: https://nsx.techzone.vmware.com/resource/nsx-security-reference-design-guide#nsx-t-security-reference-guide
Try NSX 3.1 SecOps HOL 2226-SEC: https://pathfinder.vmware.com/v3/activity/nsx_secops_adv_hol
Master NSX on Techzone: https://nsx.techzone.vmware.com/understand-nsx-t