VMware NSX Distributed IDS Walkthrough

VMware NSX Distributed IDS was introduced with NSX-T 3.0.

This feature runs intrusion detection inside the hypervisor, inspecting traffic at the vNIC for known attack signatures rather than hauling it to a central sensor. The distributed mechanism can be enabled per VM, and even per vNIC of a VM, with granular rule-based inspection. As part of the feature set, the NSX Manager downloads the latest signature packs from the NSX Signature Service, which keeps the Distributed IDS current with the latest threat signatures.

If you are already familiar with creating NSX Firewall rules, the process to create IDS policies is very similar. You can also leverage the same groups, tags etc. that you already use for firewall policies to define IDS rules. Nice!

Check out the Official VMware site for more details https://www.vmware.com/products/nsx-distributed-ids-ips.html

Photo by Shahadat Rahman on Unsplash

In this post I will step through:

  • Enabling IDS, downloading updates and creating an IDS Profile
  • Creating a distributed IDS Security Policy
  • Validating IDS Status on the Data Plane (Optional)
  • Running a Vulnerability Scan to generate IDS Events
  • Reviewing the IDS Dashboard and Events

Enabling IDS, downloading updates and creating an IDS Profile

  1. Log in to NSX Manager
  2. Click Security
  3. Then click the Get Started with IDS link

  4. You’ll be presented with the Getting Started wizard; click Get Started

  5. In my lab, the NSX Manager has access to the Internet and I can immediately see that new intrusion detection signatures are available, so I click Update Now.

  6. I also enabled Auto Update for new signature versions, which is recommended so the engine does not fall behind the published signature set.

  7. Scroll down to Enable Intrusion Detection for Cluster. In my case I select my Compute-Cluster, click Enable and then Yes in the confirmation window

  8. You can easily see which clusters have been enabled for Intrusion Detection

  9. The next step is to create an IDS Profile: click Profiles, then Add IDS Profile

  10. I named mine VM_Dave Web Profile and selected all severity levels. Note that you have the flexibility to exclude individual signatures from the selected severity levels. Let's click Select to take a look.

  11. We can filter or browse for a specific signature and click Add to exclude it. I’m just going to click Cancel in this example

  12. Back on the Add IDS Profile screen, make sure to click Save

Creating a distributed IDS Security Policy

  1. Click the Rules section, followed by Add Policy. I named mine VM_Dave Web IDS

  2. Now I select the Policy and click Add Rule

  3. I already have a group defined for my app, named VM_Dave’s App, that I am leveraging within my Distributed Firewall policy. A very cool feature of NSX is that the same groups and tags define IDS rules too, so there is a single object model to keep accurate. Nice!
  4. I created a very simple IDS rule. If you are already familiar with creating NSX Firewall rules the process is very similar: select Source, Destination and Service, and note that the IDS Profile we just created can be selected on the rule. Like a good NSX Firewall admin I also leverage the Applied To field, so the rule is realised only on the vNICs of the VMs in my app group rather than on every VM in the cluster. When finished, click Publish to update the data plane. NOTE: this is a very simple rule for demonstration purposes only
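
The same profile, policy and rule can be pushed through the NSX Policy API instead of the UI, which is how you would keep IDS policy in version control next to your DFW rules. The Python below is an added example for this post; it is not VMware's code and was not part of the original walkthrough. It replays the steps above in order: enable IDS on the cluster, create the profile with all four severities, create the policy, and add a rule that reuses one group for Source, Destination and Applied To. The object paths and field names follow the NSX-T 3.0 Policy API as I recall them, so verify them against the API reference for your release. The Manager hostname, the credentials, the cluster ID, the group ID, the profile and policy IDs and the HTTP/HTTPS service IDs are all assumptions and are marked as such in the code. Only the request builders run offline; apply_walkthrough() talks to a live Manager.

```python
"""Replay the IDS walkthrough through the NSX-T Policy API.

Added example, not part of the original post or of VMware's tooling.
Paths and field names: NSX-T 3.0 Policy API as recalled; check your release.
NSX_MANAGER, the credentials and every object ID below are assumptions.
"""
import base64
import json
import ssl
import urllib.request

NSX_MANAGER = "nsx-mgr.lab.example"                          # assumption: lab Manager FQDN
AUTH = base64.b64encode(b"admin:VMware1!VMware1!").decode()  # assumption: lab credentials

# Policy API object paths (as recalled for NSX-T 3.0; verify against your API reference)
PROFILE_PATH = "/infra/settings/firewall/security/intrusion-services/profiles/{}"
CLUSTER_PATH = "/infra/settings/firewall/security/intrusion-services/cluster-configs/{}"
POLICY_PATH = "/infra/domains/default/intrusion-service-policies/{}"
RULE_PATH = POLICY_PATH + "/rules/{}"
GROUP_PATH = "/infra/domains/default/groups/{}"
SERVICE_PATH = "/infra/services/{}"

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def cluster_config_body(enabled=True):
    """Step 7: Enable Intrusion Detection for Cluster."""
    return {"resource_type": "IdsClusterConfig", "ids_enabled": bool(enabled)}


def ids_profile_body(display_name, severities=SEVERITIES, excluded_signature_ids=()):
    """Steps 9 to 12: an IDS Profile selecting severities, optionally excluding signatures."""
    unknown = set(severities) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    body = {
        "resource_type": "IdsProfile",
        "display_name": display_name,
        "profile_severity": list(severities),
    }
    if excluded_signature_ids:
        # Per-signature exclusion (field name as recalled; treat as an assumption)
        body["overridden_signatures"] = [
            {"signature_id": str(sid), "enable": False} for sid in excluded_signature_ids
        ]
    return body


def ids_rule_body(display_name, source_group_ids, dest_group_ids, service_ids,
                  profile_id, applied_to_group_ids, sequence_number=10):
    """The rule from the Rules section: DFW groups reused, scoped via Applied To."""
    if not applied_to_group_ids:
        # An empty Applied To would realise the rule on every vNIC in the cluster.
        raise ValueError("Applied To must name at least one group")
    return {
        "resource_type": "IdsRule",
        "display_name": display_name,
        "sequence_number": sequence_number,
        "source_groups": [GROUP_PATH.format(g) for g in source_group_ids] or ["ANY"],
        "destination_groups": [GROUP_PATH.format(g) for g in dest_group_ids] or ["ANY"],
        "services": [SERVICE_PATH.format(s) for s in service_ids] or ["ANY"],
        "ids_profiles": [PROFILE_PATH.format(profile_id)],
        "scope": [GROUP_PATH.format(g) for g in applied_to_group_ids],
        "action": "DETECT",
        "direction": "IN_OUT",
        "ip_protocol": "IPV4_IPV6",
        "logged": True,
    }


def patch(path, body, timeout=30):
    """PATCH one Policy API object on the Manager and return the HTTP status."""
    req = urllib.request.Request(
        f"https://{NSX_MANAGER}/policy/api/v1{path}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {AUTH}"},
    )
    ctx = ssl._create_unverified_context()  # lab only; trust the Manager's CA in production
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


def apply_walkthrough(cluster_id, group_id, profile_id, policy_id, rule_id="web-rule"):
    """Enable IDS, then create profile, policy and rule in dependency order."""
    patch(CLUSTER_PATH.format(cluster_id), cluster_config_body(True))
    patch(PROFILE_PATH.format(profile_id), ids_profile_body("VM_Dave Web Profile"))
    patch(POLICY_PATH.format(policy_id),
          {"resource_type": "IdsSecurityPolicy", "display_name": "VM_Dave Web IDS"})
    patch(RULE_PATH.format(policy_id, rule_id),
          ids_rule_body("VM_Dave Web IDS Rule", [group_id], [group_id],
                        ["HTTP", "HTTPS"], profile_id, [group_id]))


if __name__ == "__main__":
    # All four IDs are assumptions; read the real ones from your Manager first.
    apply_walkthrough("domain-c8", "vm_dave_app", "vm_dave_web_profile", "vm_dave_web_ids")
```

The builders refuse an empty Applied To, so a rule cannot silently fall back to the whole cluster, and they reject severity values the profile does not define. TLS verification is disabled only because this is a lab; in production build the context with ssl.create_default_context() and point it at the Manager's CA.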

Validating IDS Status on the Data Plane (Optional)

  1. I connect to one of the ESXi hosts in my Compute-Cluster via SSH and log in
  2. Type nsxcli to enter the NSX CLI, followed by get ids status. I can see that IDS is enabled, along with its uptime

  3. Enter get ids profiles to validate that the profile has been pushed to this host

  4. Enter get ids engine stats to review various engine statistics

Running a Vulnerability Scan to generate IDS Events

To generate IDS events for demonstration purposes, I ran a vulnerability scanner against my web servers: the Legion tool, from within a Kali Linux VM.

Disclaimer: I am leveraging a fenced lab for this. I DO NOT suggest running a tool such as Legion in your environment before consulting with your management and Security Team!

Running Legion itself is out of scope for this article; I ran a basic scan of my 3 web servers.

Reviewing the IDS Dashboard and Events

  1. Back within the NSX UI, I select Security Overview and now see the IDS Summary dashboard populated with data. Note the total number of intrusion attempts, attempts by severity, trend information and intrusion attempts by VM.

  2. You can click on Total Intrusion Attempts, or on one of the VMs, to see more details about the intrusion attempts. I’m going to click on Total Intrusion Attempts

  3. Within the Events view, scroll down and expand the chevron next to each intrusion attempt to get more information, including the signature that fired, attacker IP, protocol, attack type etc.

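
The dashboard's totals, by-severity breakdown and per-VM counts are aggregations over the event list, and after a scanner run the question worth answering is which attacker produced the burst, not what each individual hit says. The Python below is an added example for this post (not from the post itself and not VMware's code) that rebuilds those three aggregations, collapses repeated attacker/victim/signature triples into one row with a count and first/last seen time, and flags addresses that hit several VMs with several distinct signatures inside a short window, which is what a Legion scan looks like in the Events view. The event records are constructed for illustration and carry only the fields the post mentions (signature, severity, attacker IP, victim VM, protocol); they are not the NSX event schema, so map API output onto these keys before use.

```python
"""Triage IDS events: dashboard-style summary, de-duplication, scan detection.

Added example, not from the original post or from VMware. EVENTS is constructed
sample data using the fields the post names; it is not the NSX event schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one Kali host scanning three web servers inside a few
# minutes, plus one isolated attacker that repeats the same signature later.
EVENTS = [
    {"ts": "2020-05-01T10:00:05", "sig": "SCAN Web Scanner User-Agent",       "severity": "LOW",      "attacker": "10.0.0.50",    "victim_vm": "web-01", "proto": "TCP"},
    {"ts": "2020-05-01T10:00:07", "sig": "SCAN Web Scanner User-Agent",       "severity": "LOW",      "attacker": "10.0.0.50",    "victim_vm": "web-02", "proto": "TCP"},
    {"ts": "2020-05-01T10:00:09", "sig": "SCAN Web Scanner User-Agent",       "severity": "LOW",      "attacker": "10.0.0.50",    "victim_vm": "web-03", "proto": "TCP"},
    {"ts": "2020-05-01T10:01:10", "sig": "WEB Directory Traversal Attempt",   "severity": "MEDIUM",   "attacker": "10.0.0.50",    "victim_vm": "web-01", "proto": "TCP"},
    {"ts": "2020-05-01T10:01:12", "sig": "WEB SQL Injection Attempt",         "severity": "HIGH",     "attacker": "10.0.0.50",    "victim_vm": "web-02", "proto": "TCP"},
    {"ts": "2020-05-01T10:01:40", "sig": "WEB Remote File Inclusion Attempt", "severity": "HIGH",     "attacker": "10.0.0.50",    "victim_vm": "web-03", "proto": "TCP"},
    {"ts": "2020-05-01T10:02:30", "sig": "WEB Command Injection Attempt",     "severity": "CRITICAL", "attacker": "10.0.0.50",    "victim_vm": "web-01", "proto": "TCP"},
    {"ts": "2020-05-01T10:02:55", "sig": "WEB Server Version Disclosure",     "severity": "LOW",      "attacker": "10.0.0.50",    "victim_vm": "web-02", "proto": "TCP"},
    {"ts": "2020-05-01T11:15:00", "sig": "WEB SQL Injection Attempt",         "severity": "HIGH",     "attacker": "192.168.5.20", "victim_vm": "web-01", "proto": "TCP"},
    {"ts": "2020-05-01T11:45:00", "sig": "WEB SQL Injection Attempt",         "severity": "HIGH",     "attacker": "192.168.5.20", "victim_vm": "web-01", "proto": "TCP"},
]


def summarize(events):
    """The three numbers the IDS Summary dashboard shows: total, by severity, by VM."""
    return {
        "total": len(events),
        "by_severity": Counter(e["severity"] for e in events),
        "by_vm": Counter(e["victim_vm"] for e in events),
        "by_signature": Counter(e["sig"] for e in events),
    }


def dedupe(events):
    """Collapse repeated (attacker, victim, signature) hits into one row with a count."""
    rows = {}
    for e in events:
        key = (e["attacker"], e["victim_vm"], e["sig"])
        row = rows.setdefault(key, {"count": 0, "severity": e["severity"],
                                    "first_seen": e["ts"], "last_seen": e["ts"]})
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], e["ts"])  # ISO-8601 strings sort as time
        row["last_seen"] = max(row["last_seen"], e["ts"])
    return rows


def scan_like_attackers(events, window=timedelta(minutes=5), min_victims=3, min_signatures=5):
    """Attackers that hit >= min_victims VMs with >= min_signatures distinct signatures
    inside any sliding window of the given length: the footprint of a scanner run."""
    by_attacker = defaultdict(list)
    for e in events:
        by_attacker[e["attacker"]].append((datetime.fromisoformat(e["ts"]), e))
    flagged = []
    for attacker, items in by_attacker.items():
        items.sort(key=lambda pair: pair[0])
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            in_window = [e for _, e in items[start:end + 1]]
            victims = {e["victim_vm"] for e in in_window}
            sigs = {e["sig"] for e in in_window}
            if len(victims) >= min_victims and len(sigs) >= min_signatures:
                flagged.append(attacker)
                break
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(EVENTS)
    print("total:", summary["total"], "by severity:", dict(summary["by_severity"]))
    for (attacker, vm, sig), row in sorted(dedupe(EVENTS).items()):
        print(f"{attacker:>13} -> {vm}  x{row['count']}  {row['severity']:<8} {sig}")
    print("scan-like attackers:", scan_like_attackers(EVENTS))
```

The thresholds are deliberately conservative: one attacker touching one VM with one signature, however often, is a targeted attempt worth reading in full, while one address lighting up many signatures across several VMs in minutes is a scanner and can be handled as a single incident. Tune the window and counts to your own environment before relying on them.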
Summary

I hope you found this post useful, and that you are as excited as I am about this addition to the NSX feature set!
