
SEC5889
Troubleshooting and Monitoring NSX Service Composer Policies
Shubha Bheemarao, VMware
Mitchell Christensen, VMware
#SEC5889

Objective
- Identify specific use cases that highlight the value of advanced visibility with simplified workflows
- Showcase why user and application visibility is essential to a secure datacenter policy
- Demonstrate how NSX Activity Monitoring provides advanced visibility

Security Teams Care About Policy and Compliance

(Diagram, Security Architect view: Regulations, Standards, Best Practices; Common Control Frameworks; Infrastructure Requirements: Access Control, Segmentation, Automation, Audit)

Think About Your Last Interaction With The Security Team

Questions the VI Admin / Cloud Operator hears from the security team:
- "Do we have this malicious software running?"
- "PCI Auditors in the house: are we compliant?"
- "High severity vulnerabilities on critical business systems, must patch!"

The Cloud Operator Has to Make This All Work. But How?

Security Policy vs. Security Operations: the security team asks the operator to implement policies that are specified at the user and application level.

Security Architect: "I need this."
VI Admin / Cloud Operator: "Yikes."

Agenda
- Security Operations Is Catching Up with Policy
- Prerequisites To Enforcing Policy Visibility
- NSX Activity Monitoring Provides Advanced Visibility to Users and Applications
- Demo of NSX Activity Monitoring to address Common Enterprise Security Policies: Insider Threat, Rogue Applications, Malicious Software
- Next Steps

Visibility Tools Are Required To Implement Security Policy

(Diagram: Security Architect: DEFINE. VI Admin / Cloud Operator: MONITOR, ENFORCE.)

Get Advanced Visibility Into Users and Applications

Step 1. The security team defines a policy for who is allowed access to which applications, then asks the data center operator to make it happen.

Security Architect: "Allow THIS user to access THAT application."
VI Admin / Cloud Operator: "No problem."

Get Advanced Visibility Into Users and Applications

Step 2. The operator monitors the system to identify the right level of application protection, then tunes the enforcement rules to ensure adherence to the expected policy.

VI Admin / Cloud Operator: "Easy."
Security Architect: "Compliant."

Get Advanced Visibility Into Users and Applications

Step 3. The operator identifies non-compliant activity and informs the security team so it can remediate or tune security policies. The operator gets approval and applies the change to the workloads.

VI Admin / Cloud Operator: "I found something fishy."
Security Architect: "Yup. Can you block this?"
VI Admin / Cloud Operator: "Sure, no problem."


NSX Provides Tools To Define and Enforce Policy

(Diagram: Security Architect: DEFINE with NSX Service Composer. VI Admin / Cloud Operator: MONITOR; ENFORCE with NSX Service Composer and NSX Firewall.)

VMware NSX Service Composer Provides Policy Framework

Security Policies: define policies using profiles from built-in services and 3rd party services, i.e. HOW you want to protect workloads.

Built-In Services (VMware NSX Network Virtualization Platform): Logical Firewall, Logical Load Balancer, Logical VPN, Logical L2, Logical L3; Firewall and Identity-based Firewall; Data Security (DLP / Discovery).

3rd Party Services: IDS / IPS, AV, Vulnerability Mgmt. 2013 Vendors: Symantec, McAfee, Trend Micro, Rapid 7.

Visibility:
- Network traffic flows
- User access of network assets
- Active in-guest applications
- User access of in-guest applications

Automation: use security tags and other context to drive dynamic membership of security groups, resulting in IF-THEN workflows across services.

Platform layers: Any Application (without modification); Virtual Networks; Any Cloud Management Platform; Any Hypervisor; Any Network Hardware.

NSX Provides Advanced Visibility Into Users and Applications

(Diagram: Security Architect: DEFINE with NSX Service Composer. VI Admin / Cloud Operator: MONITOR with NSX Activity Monitoring; ENFORCE with NSX Service Composer and NSX Firewall.)


NSX Activity Monitoring Provides Advanced Visibility

NSX Activity Monitoring provides visibility into group, application and destination activity in the virtual environment:
- Users accessing assets
- Applications running on virtual machines
- Server access by AD Group, Security Group or Desktop Pool
- Interactions between groups (AD, SG or DP)

(Diagram: AD Group with User: Joe; Security Group; Desktop Pool; Security Group.)


Sample Security Policy

Allow only approved users access to specific applications on corporate assets. Having a policy on WHO is allowed access to WHAT from WHERE is critical to securing assets.

In other words:
1. Allow only authorized users to access critical business applications
2. Allow only authorized applications on corporate servers
3. Allow access to only required ports from specific networks

Challenge: Do You Trust All Your Users?

Policy Category
- Regulatory / HIPAA: access controls should enable authorized users to access the minimum necessary information needed to perform job functions.

Challenges
- Threats are not just outside organizational boundaries
- Network level access control is not sufficient for cloud environments
- Controlled access for insiders based on user identity is required to safeguard corporate assets

Requirement: Allow only authorized users to access critical applications

(Diagram: user groups Doctors, Nurses, Finance; assets EPIC Servers, Accounting Servers.)

Requirements
- Find which user group needs access to which asset
- Ability to generate reports on: Which users are connecting to the set of applications? What applications are the non-trusted users connecting to?
- Option to limit access based on user identity

Demo: UI Introduction

Demo: Verify EPIC Access

Demo: Block Finance access to EPIC Servers


Challenge: Do you know what's running on your servers?

Policy Category
- Acceptable use of Information Systems: clear definition of what is and is not acceptable
- Corporate Governance of IT: define how technology is used and managed to support business needs

Challenges
- Visibility into all data center applications
- Identify rogue applications that either capture confidential information or siphon sensitive data to external sources
- Identify vulnerable applications to reduce the scope of attack

Requirement: Allow only authorized applications on corporate servers

(Diagram: DB Administrators and HR connect via ODBC and HTTP to WEB, APP and DATABASE tiers.)

Requirements
- Identify all applications running on corporate servers
- Create a list of acceptable, grey-listed and non-permitted applications for servers
- Monitor, restrict and report violations of all acceptable use policies

Demo: User Access to Applications

Demo: Inbound Application Access


Challenge: Are you protected from malware?

Policy Category
- Acceptable use of Information Systems: clear definition of what is and is not acceptable
- Single use systems: for protection of critical services

Challenges
- Identify and prevent further spread of malware in the network
- Regular monitoring for rogue or vulnerable applications to avoid compromise

Requirement: Allow only required ports to be open based on expected use

(Diagram: HR connects via HTTPS to WEB, APP and DATABASE tiers.)

Requirements
- Find all user and application activity on critical servers
- Ensure that only allowed applications are running
- Monitor applicable controls regularly

Demo: VM Activity

How Do You Deploy?

(Diagram: Compute cluster with SVM and VM Tools in the guests; Management cluster with NSX Mgr and Active Directory; Gateway.)

What a flow looks like today versus with Activity Monitoring:

Today:
  Source IP 192.168.10.75 -> Destination IP 192.168.10.78

With Activity Monitoring:
  User: Eric (Eric Frost)
  AD Group: Engineering
  App Name: iexplorer.exe
  Source: 172.16.254.1
  Originating VM: Windows 7
  Destination: 172.16.112.2
  Destination VM Name: Apache Server
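The three rules of the sample policy (authorized users, authorized applications, required ports) can be checked against records of the shape shown above. The following is an added example, not NSX code or anything from the deck: it evaluates constructed Activity Monitoring style records (user, AD group, destination server group, the in-guest application that received the connection, and port) against a constructed allow-list policy and classifies each violation by rule.

```python
"""Evaluate Activity Monitoring style records against the deck's three
sample policy rules. Added example; policy and records are constructed."""
from collections import namedtuple

# One record per observed connection. 'server_app' is the in-guest
# application on the destination server that accepted the connection.
Record = namedtuple("Record", "user ad_group dest_group server_app port")

# Constructed policy mirroring the deck's groups (Doctors/Nurses -> EPIC Servers,
# Finance -> Accounting Servers). Application names are placeholders.
POLICY = {
    "EPIC Servers": {"groups": {"Doctors", "Nurses"}, "ports": {443},
                     "apps": {"epic_web"}, "grey": {"tomcat"}},
    "Accounting Servers": {"groups": {"Finance"}, "ports": {443, 1433},
                           "apps": {"sqlservr.exe", "httpd"}, "grey": set()},
}

def evaluate(records, policy=POLICY):
    """Return a list of (category, record) findings, one per rule violated."""
    findings = []
    for r in records:
        rules = policy.get(r.dest_group)
        if rules is None:                         # server not covered by any rule
            findings.append(("unknown-destination", r))
            continue
        if r.ad_group not in rules["groups"]:     # rule 1: insider threat
            findings.append(("unauthorized-user", r))
        if r.server_app in rules["grey"]:         # rule 2: grey list, needs review
            findings.append(("grey-listed-app", r))
        elif r.server_app not in rules["apps"]:   # rule 2: rogue application
            findings.append(("unauthorized-app", r))
        if r.port not in rules["ports"]:          # rule 3: only required ports
            findings.append(("unexpected-port", r))
    return findings

def summarize(findings):
    """Count findings per category for the compliance report."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample records (not captured data).
SAMPLE = [
    Record("drjones", "Doctors", "EPIC Servers", "epic_web", 443),
    Record("bob", "Finance", "EPIC Servers", "epic_web", 443),
    Record("alice", "Finance", "Accounting Servers", "sqlservr.exe", 1433),
    Record("eve", "Engineering", "Accounting Servers", "unknown_svc.exe", 8080),
    Record("nurse1", "Nurses", "EPIC Servers", "tomcat", 443),
]

if __name__ == "__main__":
    for category, rec in evaluate(SAMPLE):
        print(f"{category:20} {rec.user:8} {rec.ad_group:12} -> {rec.dest_group}")
    print(summarize(evaluate(SAMPLE)))
```

The "bob" record reproduces the deck's demo case (Finance reaching EPIC Servers), which is the finding the operator would take back to the security team before blocking it.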


Back At The Office

1. Point your security team to VMware NSX.
2. Partner with the security team to evaluate NSX Activity Monitoring to implement security policy.

VI Admin / Cloud Operator: "I just learned about VMware NSX Activity Monitoring and we could simplify a lot of this!"
Security Architect: "No kidding. Prove it!"
VI Admin / Cloud Operator: "I will."

THANK YOU

Related Sessions
- NET5847 - NSX: Introducing the World to VMware NSX
- SEC5749 - Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC
- SEC5820 - NSX PCI Reference Architecture Workshop, Session 2 - Privileged User Control
