Your enterprise can now deploy VMware NSX Security as a standalone security product, deploying it in an existing environment with no changes to your network. NSX-T 3.2 provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. NSX-T 3.2 makes it easier for you to enable Zero Trust application access across multi-cloud environments—so you can secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale.

In this NSX 3.2 Security Lab, you'll get hands-on experience with NSX Security Advanced Threat Prevention features such as Malware Prevention, Network Detection and Response, Intrusion Detection and Prevention System, DFW micro-segmentation, and more. This lab is intended for intermediate to advanced-level users exploring VMware NSX security use cases, helping you to explore security concepts and plan with NSX-T 3.2.

This lab will use a scenario involving ransomware, which is one of the most common threats in the modern cybersecurity landscape. There are many different variants, but the purpose remains largely the same for attackers: to generate as much revenue as possible by extorting their victims.

Like other forms of malware, ransomware is delivered by cybercriminals exploiting vulnerabilities in an organization's system. For example, attackers will take advantage of systems that have already been compromised or use social engineering tactics, such as phishing emails that attempt to trick users into downloading infected files or clicking on malicious links, to gain initial access to the victim's network. Once inside, attackers follow a multi-staged approach to take over files or systems, exfiltrating or encrypting key information to render it unusable to the organization. The attacker will demand a ransom be paid in exchange for a decryption key, which will presumably return the files to their original state.

Let's now see how NSX Advanced Threat Prevention (ATP) can help prevent and protect against these attacks.

NSX Advanced Threat Prevention (ATP) is a suite of analysis tools designed to defend against advanced threats that use known and unknown attack vectors. ATP augments more common security solutions aimed at repelling known intrusion strategies.

Key protection features include:

Malware Prevention detects and prevents malicious file transfers by using a combination of signature-based detections of known malware, including static and dynamic analysis of malware samples. You can configure Malware Prevention on your gateway firewall for North-South traffic. For East-West traffic, it can be configured in distributed Intrusion Detection and Prevention Service (IDPS), utilizing Guest Introspection to protect virtual machines (VMs).

Network Detection and Response (NDR) collects the traffic from the entire network infrastructure across on-premises, cloud and hybrid cloud. It uses AI techniques to analyze traffic and gain insights about advanced threats. With NDR, you can visualize the entire traffic flow, which is correlated and presented as campaign cards along with affected hosts and a detailed timeline of threats. Additionally, NDR maps to the MITRE ATT&CK tactics and techniques for resourceful understanding of key events in the campaign.

Cybercriminals are continuously developing more sophisticated strategies to gain access to networks. These attacks are typically well-funded, often specifically targeted, and involve complex malware that’s designed to avoid common security defenses. Countering advanced threats requires advanced analytic tools that can provide rapid visibility, analysis, context, and response into the contents and actions of malicious network traffic.

By incorporating a leading ATP solution into your security stack, you harness three critical advantages:

One of the most performant ATP solutions available today is the VMware Advanced Threat Prevention offering for the NSX Service-defined Firewall. Using a combination of network traffic analysis, intrusion detection and prevention, and advanced malware analysis with comprehensive network detection and response capabilities, the solution is purpose-built to protect data center traffic with the industry’s highest fidelity insights into advanced threats.

Fundamentally, ATP solutions perform sophisticated detection and analysis on suspicious network traffic, often employing hardware emulation, and supervised and unsupervised machine learning models. ATP solutions attempt to identify threats early—before they can do damage—and respond quickly in the event of a breach.

The goal of this lab is to illustrate how NSX Advanced Threat Protection security solutions help organizations to gain actionable insights into advanced threats and to defend against their attack vectors.

To login to the environment, perform the following steps:

The console is accessed through a supported supported web browser Chrome or Firefox. Login to NSX-T Manager:

In the lab, to simulate an enterprise environment, the following VMs have been deployed: a VDI Server and a production data base server. These two VMs are connected to NSX-T overlay segments.

A supplementary VM has been deployed to play the role of an attacker, an external resource from where the attacks are initiated. This VM is attached to a VLAN type port group to a virtual distributed switch. Agent operating system (OS) type and roles are as follows:

NSX Ransomware Lab Topology

VMware NSX-T Advanced Threat Prevention platform features (Malware prevention, Network Detection and Response) provide visibility and protection against ransomware threats, allowing you to act quickly to mitigate attacks in your network.

To resolve the attack scenario in this lab, you will use these features across four primary steps:

The lab has deployed the NSX Advanced Threat Prevention security features in detect mode only. This allows us to observe the entire multi-stage malware attack chain, from Initial access to Execution to its last phase, the Exfiltration of the stolen data. An Attacker has gained access to one of your employee’s VDI Desktop through phishing. Laterally moving through your network, the Attacker drops DarkSide executable ransomware in a customer relationship management production Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.

The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX-T Advanced Threat Prevention.

NOTE: The attacks simulations are automatically generated in this lab, so you can directly start investigating the threat events.

Your first step will be to inspect the malicious files downloads captured by Malware Prevention.

NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

Let’s start the investigation of the attack from the NSX-T console, using it to review the threat events.

NOTE: IP addresses in the lab will be different from the lab guide but subnet of the each VM will be the same.

A Campaign is a correlated set of incidents that affect one more workload over a period. It provides the visibility of entire cycle with the list of compromised hosts and threats detected along with their timeline of attack occurred.

To access the campaign blueprint:

Once the analysis is completed, close the NSX NDR tab and switch to the NSX-T Manager browser window.

Next, you’ll need to determine how to prevent future incidents by following the steps in the following section to configure the IDS/IPS and Malware Prevention policies.

IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.

IDS/IPS and Malware Prevention policies are deployed in the Detect-only mode. To prevent the attacks happening in your environment, you should change the rules to Detect and Prevent.

NOTE: For this lab, users aren’t allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.

In the following section, you’ll learn about NSX-T Distributed Firewall, which provides visibility and control for virtualized workloads and networks. The section will take you through the methods to prevent attackers from moving laterally within the environment using micro-segmentation of East-West communication between workloads.

NSX-T Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all your East-West traffic. DFW can be applied to individual workloads like VMs and enforce a Zero-Trust security model. Micro-segmentation logically divides a department or set of applications into security segments and distribute firewalls to each VM.

In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is data centers facing a lack of lateral prevention between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access the crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls can cause complexity and add costs.

The main advantages of using DFW are an orchestration of policies with security groups or tags, horizontal movement reduction in data centers to minimize the risk of security breaches, and finally, reduction of capital expenditure (CAPEX) cost. Furthermore, NSX-T DFW not only can operate based on layer 2 to layer 4, but it can also take advantage of Layer 7 information.

DFW comes with predefined categories for firewall rules, allowing you to organize security policies.

Categories are evaluated from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and the distributed firewall rules within the category are evaluated from top down.

NSX micro-segmentation Network Topology: Attacker --> VDI --> CRM-DB

2. Emergency – For emergency situations, you can employ temporary firewall rules.

Within the same Distributed Firewall location, choose the Emergency tab (1).

3. Infrastructure – On the Infrastructure tab, you can review non-application firewall rules like vCenter, ESXi, DNS, Active Directory and so on.

4. Environment – In the Environment tab, you can manage high-level policy groupings like eliminating communication for test and production environments.These policy groupings can allow for more efficient security and granular traffic control with context profiles such as SSL, TLS and more.

5. Application – In this tab, you can apply Application policy rules between tiers. The priority to apply rules is from top-down and left to right. Meaning, if you write a rule in Infrastructure, it has priority over a rule in Application. So, you need to place the most fundamental rules at the top of the list.

As shown in this section, NSX micro-segmentation provides a foundational architectural shift to enable topology-agnostic, distributed-security services to applications in the evolving data center.

To complement this security approach, you can use VMware Log Insight to help build an infrastructure-related rule base. VMware Log Insight helps you preserve your logs and gain better visibility of what’s going on in your environment. Find out more in the next section.

Using VMware vRealize Log Insight, you can view the security flow logs of the NSX-T Data Center 3.2 environment. The following security features support flow logging:

All the security verticals generate and save unified security flow logs in the Unified Security Logs format in a single log file on a node. This single log is exported to syslog server, which is configured for VMware vRealize Log Insight. VMware vRealize Log Insight will then process the logs to provide further log management, analysis, and display them by using NSX-T Security content pack.

Navigate to the Log Insight dashboards.

3. NSX DFW Firewall rules dashboard:

VMware NSX Advanced Threat Protection helps make it easier to protect your organization from ransomware. With just a few clicks, you can enable NSX features that detect and prevent malicious files from moving through North-South and East-West traffic on your gateway firewall. NSX Network Detection and Response collects traffic to uncover all threat movements, correlating and visualizing the complete campaign blueprint. Equipped with a detailed threat timeline across your network, your security teams can determine the scope of an attack and prioritize resources. By unlocking the highest possible fidelity insights, you're able to face the most challenging threats.

We hope you've enjoyed walking through NSX-T 3.2 Security in this TestDrive lab. Please stay tuned for future labs to learn more.