This presentation discusses implementing agentless antivirus (AV) and intrusion detection/prevention system (IDS/IPS) security solutions with VMware NSX. It covers using NSX guest introspection for agentless AV and network introspection for IPS/IDS. The presentation demonstrates how these technologies can be tied together and automated through common security policies. It also includes a demo of using NSX features like security groups and distributed firewall to quarantine systems and enforce security policies.
1. Implementing Agentless AV and IPS/IDS Security Solutions with NSX
Hammad Alam, VMware
Shahzad Ali, VMware
SEC8022 / #SEC8022
2. Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
3. Agenda
1 Securing The SDDC
2 Guest Introspection For Agentless AV
3 Network Introspection for IPS/IDS
4 Demo
5 Key Take Aways / QA
SDDC_Security_Shahzad_Hammad
5. Tying the Technologies Together
[Diagram: an ESXi hypervisor hosting a VM (OS, APP, vNIC, VMTool) attached to a VDS. NSX Manager ties together the numbered components: the Distributed Firewall (DFW), Guest Introspection (GI) delivered by a GI service VM (SVM), Network Introspection (NI) delivered by an NI service VM (SVM), and the Identity Firewall (IDFW).]
6. Policy - The Common Language
8. NSX-GI Components
The GI process constantly inspects OS and application data.
GI offloads "file scanning tasks" from the guest VM to a service VM on the same host.
• GI native capabilities: Activity Monitoring, Identity Firewall (IDFW)
• OS/Apps: prone to virus attacks
• In-guest AV agents: hackable, resource intensive
[Diagram: a guest VM (OS, APP, VMTool) on an ESXi host; host-based security controls are provided by GI service VMs, reached from the guest through the MUX over VMCI/IP. AD groups are mapped to a VDI security group, and app-level monitoring is shown alongside.]
14. Distributed Firewall (DFW)
• Line rate (20+ Gbps)
• Stateful
• Enforcement at both ingress and egress
• L2-L4
• Packet capturing
• Monitoring
• Traffic between the VM and the vSwitch always transits through the Firewall Kernel Module
[Diagram: NSX Manager pushes firewall rules over the management network message bus to the ESXi host. In kernel space, the Firewall Kernel Module holds the rule table and sits between the vNIC and the vSwitch; user space and the physical switch complete the picture.]
15. Adding DFW to Security Policy - DEMO
19. Packet Flow with DFW and NetX
[Diagram: on the ESXi host, a VM (OS, APP, vNIC) is attached to the VDS. The DFW runs in the kernel with a Redirect Rule Table; matching traffic is punted to a Partner service VM (SVM) running in the user world and, after inspection, punted back ("packet punting").]
28. NSX partner ecosystem
Dynamic insertion of partner services across:
• Physical Infrastructure
• Security
• Application Delivery
• Operations and Visibility
29. Where to get started
Learn
Connect & Engage: communities.vmware.com
NSX Product Page & Technical Resources: vmware.com/products/nsx
Network Virtualization Blog: blogs.vmware.com/networkvirtualization
VMware NSX on YouTube: youtube.com/user/vmwarensx
Experience
70+ Unique NSX Sessions: spotlights, breakouts, quick talks & group discussions
Visit the VMware Booth: use case demos, chat with NSX experts
Visit NSX Technical Partner Booths: integration demos – EPSec & NetX, Hardware VTEP, Ops & Visibility
Test Drive NSX with free Hands-on Labs: expert-led or self-paced. labs.hol.vmware.com
Use
NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
Training and Certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
Editor's Notes
Shahzad Ali: Final ready to be uploaded to public: Sep. 19 . 2016
Shahzad.Aug.11.2016.Done
HOL-SDC-1741 – Trend Micro and NSX Integration (Agentless-AV)
Implementation: NSX GI
Implementation: Partner Integration – Recorded DEMO
Implementation: Security Groups and Security Policy – Recorded DEMO
Overall goal: VM is secured next step is the line rate firewall --- stateful – kernel level – 20GBPS
We have many sessions already – high level
Adding DFW to Security Policy
Implementation: Quarantine Group and Policy - VOD
SPO-9976 – Palo Alto Networks and NSX Integration Deep Dive
HOL-1723 – Hands On Lab
NetX enables partners to integrate their solution with NSX:
Host-based service insertion mechanism
Utilizes the DFW framework
Implemented at the vNIC level
Creates a tap point (filter) on the vNIC
Partner deploys a virtual appliance (Partner-SVM) on each host
Based on the redirect rule, traffic is redirected to the Partner-SVM for processing
Partner-SVM does deep packet inspection (L7)
Depending on the decided action, the packet is dropped or punted back into the hypervisor kernel
vSIP is a kernel module that can handle multiple tap points and multiple VMs running on the host
vSIP has taps on the packet flow going in and out of the VM
There are two tap points shown here for vSIP in the packet flow
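To make the packet path on slides 14 and 19 concrete, here is a small added simulation (written for these notes, not VMware code) of a vNIC-level stateful rule table followed by a NetX redirect table. A flow's first packet is matched against the DFW rules with an implicit default deny; an allowed flow is entered into a connection table so replies pass on state; flows that also hit a redirect rule are handed to a stand-in partner SVM that either punts the packet back or drops it. The rule set, addresses, the `PartnerSVM` signature check and the `VSIP`/`Packet`/`Rule` names are all constructed for the example.

```python
"""Toy model of the DFW + NetX packet path: stateful vNIC rule table, a
redirect table, and a partner SVM verdict (punt back or drop).
Constructed illustration, not VMware code; rules and names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" (towards the VM) or "out" (from the VM)


@dataclass
class Rule:
    name: str
    action: str                      # "allow", "drop", or "redirect" (NetX table)
    proto: Optional[str] = None      # None means "any"
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction))


def flow_key(p: Packet):
    """Direction-independent 5-tuple so a reply hits the same state entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + tuple(sorted([a, b]))


class PartnerSVM:
    """Stand-in for the L7 inspection appliance (constructed). Drops any
    payload containing a test marker, otherwise punts the packet back."""
    BAD_SIGNATURE = b"EVIL-PAYLOAD-TEST"

    def inspect(self, p: Packet, payload: bytes) -> str:
        return "drop" if self.BAD_SIGNATURE in payload else "punt"


class VSIP:
    """Kernel-side tap: DFW rule table first, then the NetX redirect table."""

    def __init__(self, dfw_rules, redirect_rules, svm):
        self.dfw_rules, self.redirect_rules, self.svm = dfw_rules, redirect_rules, svm
        self.conntrack = {}   # flow_key -> name of redirect rule (or None)
        self.log = []         # (stage, rule, verdict) for observability

    def process(self, p: Packet, payload: bytes = b"") -> str:
        key = flow_key(p)
        if key not in self.conntrack:
            verdict, rule = "drop", "default-deny"      # implicit default deny
            for r in self.dfw_rules:
                if r.matches(p):
                    verdict, rule = r.action, r.name
                    break
            self.log.append(("dfw", rule, verdict))
            if verdict != "allow":
                return "drop"
            # Flow admitted: remember it, and whether it needs L7 inspection
            redirect = next((r.name for r in self.redirect_rules if r.matches(p)), None)
            self.conntrack[key] = redirect
        else:
            self.log.append(("state", key, "allow"))
        redirect = self.conntrack[key]
        if redirect is not None:                           # second tap point
            svm_verdict = self.svm.inspect(p, payload)
            self.log.append(("netx", redirect, svm_verdict))
            if svm_verdict == "drop":
                del self.conntrack[key]                    # tear down the flow
                return "drop"
        return "allow"


def build_vsip() -> VSIP:
    dfw = [
        Rule("allow-web-in", "allow", proto="tcp", dport=443, direction="in"),
        Rule("allow-ssh-out", "allow", proto="tcp", dport=22, direction="out"),
        Rule("default-deny", "drop"),
    ]
    redirect = [Rule("ids-web", "redirect", proto="tcp", dport=443)]
    return VSIP(dfw, redirect, PartnerSVM())


def demo():
    """Constructed packets: a web flow and its reply, a blocked telnet
    attempt, and a web flow whose payload the SVM rejects."""
    v = build_vsip()
    syn = Packet("10.0.0.5", "10.0.1.10", "tcp", 40000, 443, "in")
    reply = Packet("10.0.1.10", "10.0.0.5", "tcp", 443, 40000, "out")
    telnet = Packet("10.0.0.5", "10.0.1.10", "tcp", 40001, 23, "in")
    evil = Packet("10.0.0.5", "10.0.1.10", "tcp", 40002, 443, "in")
    return [v.process(syn, b"GET / HTTP/1.1"),
            v.process(reply, b"HTTP/1.1 200 OK"),
            v.process(telnet),
            v.process(evil, b"EVIL-PAYLOAD-TEST")]


if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'drop', 'drop']
```

The reply packet is allowed purely on connection state (no rule lookup) and is still steered to the SVM because the redirect decision was recorded with the flow, which is what "enforcement at both ingress and egress" plus per-flow service insertion amounts to.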
DFW for SVM
======
Formerly vShield App.
Stateful firewall at the vNIC layer with ALG (reverse proxy) capabilities.
TRUTH – ALG means that for 5 predefined services that commonly use dynamic ports set up during initial communication, the vSIP module becomes a reverse proxy that monitors the first session setup and looks into the packet payload of the first few initial packets to determine which communication ports need to be opened. We then open those ports and stop looking into the packet payload.
Services ARE FTP, Oracle, DCRPC, SUNRPC, MSRPC.
Firewall rules and SGs are stored in the PostgreSQL database on NSX Manager.
======
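The ALG behaviour described in the note (inspect the first control-channel packets, learn the dynamically negotiated port, open it, stop inspecting) is easiest to see on FTP, the first service in the list. The following is an added example written for these notes, not vSIP code: it parses the RFC 959 `PORT` command and `227 Entering Passive Mode` reply, derives the data port as `p1*256 + p2`, opens a pinhole for exactly that endpoint, and refuses to open one for malformed or privileged-port announcements. The `FtpAlg` class, its pinhole table, the inspection budget and the sample session are all constructed.

```python
"""Constructed FTP ALG illustration: learn the data-channel endpoint from the
first control-channel lines, open a pinhole, then stop payload inspection.
Not VMware code; class names and limits are assumptions."""
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" (active) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive)
_PORT_CMD = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY = re.compile(rb"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_ftp_endpoint(line: bytes):
    """Return (ip, port) if the line announces a data channel, else None."""
    m = _PORT_CMD.match(line) or _PASV_REPLY.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                      # malformed: never open a pinhole on garbage
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        return None                      # defensive choice: no pinholes into privileged ports
    return ip, port


class FtpAlg:
    MAX_INSPECTED = 8   # control-channel lines to examine before giving up (assumed budget)

    def __init__(self):
        self.inspected = 0
        self.pinholes = set()            # (ip, port) endpoints the data channel may use
        self.done = False                # True once payload inspection has stopped

    def on_control_line(self, line: bytes) -> bool:
        """Feed one control-channel line; True if a pinhole was opened."""
        if self.done:
            return False                 # "stop looking into the packet payload"
        self.inspected += 1
        ep = parse_ftp_endpoint(line.strip())
        if ep:
            self.pinholes.add(ep)
            self.done = True
            return True
        if self.inspected >= self.MAX_INSPECTED:
            self.done = True             # give up rather than inspect forever
        return False

    def allows_data(self, ip: str, port: int) -> bool:
        """Would the firewall admit a data-channel packet to this endpoint?"""
        return (ip, port) in self.pinholes


# Constructed passive-mode control session (client and server lines interleaved)
SAMPLE_PASSIVE_SESSION = [
    b"220 Service ready",
    b"USER demo", b"331 Password required", b"PASS x", b"230 Logged in",
    b"PASV", b"227 Entering Passive Mode (192,0,2,10,195,80)",
    b"RETR file.bin",
]


def demo():
    alg = FtpAlg()
    opened = [alg.on_control_line(line) for line in SAMPLE_PASSIVE_SESSION]
    return alg, opened


if __name__ == "__main__":
    alg, opened = demo()
    print(alg.pinholes, opened)   # {('192.0.2.10', 50000)} [False, ..., True, False]
```

Only the single announced endpoint is admitted; the neighbouring port, or the same port on another host, is still subject to the ordinary rule table.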
SPO-9976 – Palo Alto Networks and NSX Integration Deep Dive
HOL-1723 – Hands On Lab
NSX Security Policy – Recorded Demo
Combined Demo
Talking points:
Give audience analogy of a secure bank
Physical Security
Camera
Heat Sensors
Motion Sensor
Light Sensors
Locks
Door
Vault
Layered security model
Outside the bank
Bank Perimeter
Inside Bank
Vault is very secure security layer
------------------------------------------------------------------------------
Security is needed from all aspects
Layered Security Model – Analogy: Banks
SDDC needs:
Secure inside the VM (the actual data, files and OS) → Guest Introspection (Agentless-AV)
Secure IP data leaving the VM → Firewall (Distributed)
Secure IP data entering the VM → Firewall (Distributed)
Provide deep IP packet inspection (@L7) → Network Introspection (IDS/IPS)
With all of the above we need automation, speed and high performance
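The automation the deck keeps returning to (slide 6 "Policy - The Common Language", the quarantine demo) rests on one mechanism: a GI partner reports a finding by tagging the VM, security-group membership is evaluated dynamically from tags, and the security policies that apply to a VM follow from the groups it is in. Here is an added model of that loop, written for these notes and not NSX code. The tag string, group criteria, rule texts, policy weights and the `NsxLikeManager` name are assumptions; the only behaviour borrowed from NSX is that policies stack on a VM in weight order and membership changes take effect without touching the rules.

```python
"""Constructed model of tag-driven security groups and stacked security
policies (the 'quarantine a VM by tagging it' workflow). Not NSX code;
tag names, groups, rules and weights are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


class SecurityGroup:
    """Membership = static members plus any VM carrying the required tag."""

    def __init__(self, name, required_tag=None, static_members=()):
        self.name, self.required_tag = name, required_tag
        self.static = set(static_members)

    def members(self, inventory):
        return {vm.name for vm in inventory
                if vm.name in self.static
                or (self.required_tag is not None and self.required_tag in vm.tags)}


@dataclass
class Policy:
    name: str
    applies_to: str         # security group name
    weight: int             # higher weight is evaluated first
    dfw_rules: list         # human-readable rule texts (constructed)
    netx_redirect: bool = False   # send the group's traffic to the NI partner SVM


class NsxLikeManager:
    def __init__(self, inventory, groups, policies):
        self.inventory, self.groups, self.policies = inventory, groups, policies

    def _vm(self, name):
        return next(vm for vm in self.inventory if vm.name == name)

    def tag(self, vm_name, tag):        # e.g. set by the agentless-AV partner on detection
        self._vm(vm_name).tags.add(tag)

    def untag(self, vm_name, tag):      # e.g. cleared after remediation
        self._vm(vm_name).tags.discard(tag)

    def applied_policies(self, vm_name):
        """Names of policies stacked on the VM, highest weight first."""
        return [p.name for p in sorted(self.policies, key=lambda p: -p.weight)
                if vm_name in self.groups[p.applies_to].members(self.inventory)]

    def effective_rules(self, vm_name):
        """Rule texts in evaluation order: quarantine rules land ahead of baseline."""
        by_name = {p.name: p for p in self.policies}
        return [rule for name in self.applied_policies(vm_name)
                for rule in by_name[name].dfw_rules]

    def needs_redirect(self, vm_name):
        by_name = {p.name: p for p in self.policies}
        return any(by_name[n].netx_redirect for n in self.applied_policies(vm_name))


AV_TAG = "ANTI_VIRUS.VirusFound.threat=high"   # assumed partner tag format


def build():
    inventory = [VM("web-01"), VM("web-02")]
    groups = {
        "SG-Web": SecurityGroup("SG-Web", static_members=["web-01", "web-02"]),
        "SG-Quarantine": SecurityGroup("SG-Quarantine", required_tag=AV_TAG),
    }
    policies = [
        Policy("web-baseline", "SG-Web", 10,
               ["allow tcp/443 in", "allow tcp/22 out", "default deny"]),
        Policy("quarantine", "SG-Quarantine", 100,
               ["allow tcp/443 to remediation-server", "block any"],
               netx_redirect=True),
    ]
    return NsxLikeManager(inventory, groups, policies)


def demo():
    """Detection tags web-01, quarantine follows it, remediation releases it."""
    mgr = build()
    before = mgr.applied_policies("web-01")
    mgr.tag("web-01", AV_TAG)
    during = mgr.applied_policies("web-01")
    mgr.untag("web-01", AV_TAG)
    after = mgr.applied_policies("web-01")
    return before, during, after


if __name__ == "__main__":
    print(demo())   # (['web-baseline'], ['quarantine', 'web-baseline'], ['web-baseline'])
```

Nothing in the rule set changes during the incident; only the VM's tag does, which is what lets the AV, the DFW and the IDS/IPS partner speak the same policy language.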
Think about NSX as a platform; it is not a point product.
A true platform requires successful participation of a third-party ecosystem. NSX has developed a RICH ecosystem of partners that spans physical to virtual, operations and visibility, app delivery services, and security services categories. This extensible, distributed service platform supports the novel concept of dynamic service chaining, which provides multiple platform integration points and automates the deployment, orchestration, and scale-out of partner services.