VMware NSX Distributed IDS was introduced with NSX-T 3.0.
This feature allows you to enable intrusion detection capabilities within the hypervisor to inspect network traffic for known threat signatures. This distributed mechanism can be enabled per VM, and per vNIC of a VM, with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service. This keeps the NSX Distributed IDS updated with the latest threat signatures in the environment.
If you are already familiar with creating NSX Firewall Rules, the process to create IDS policies is very similar. You can also leverage the same groups, tags etc. that you are already leveraging for firewall policies to define IDS rules. Nice!
Check out the official VMware site for more details: https://www.vmware.com/products/nsx-distributed-ids-ips.html
In this post I will step through:
- Enabling IDS, downloading updates and creating an IDS Profile
- Creating a distributed IDS Security Policy
- Validating IDS Status on the Data Plane (Optional)
- Running a Vulnerability Scan to generate IDS Events
- Reviewing the IDS Dashboard and Events
Enabling IDS, downloading updates and creating an IDS Profile
- Log in to NSX
- Click Security
- Then click the Get Started with IDS link
- You’ll be presented with the Getting Started wizard; click Get Started
- In my lab, the NSX Manager has access to the Internet and I can immediately see that new intrusion detection signatures are available. So I click Update Now.
- I also enabled Auto Update new versions, which is recommended
- Scroll down to the Enable Intrusion Detection for Cluster section. In my case I select my Compute-Cluster, click Enable and then YES in the resulting window
- You can easily see which clusters have been Enabled for Intrusion Protection
- The next step is to create an IDS Profile: click Profiles, then Add IDS Profile
- I named mine VM_Dave Web Profile and selected all severity levels. Note you have the flexibility to exclude signatures from the various severity levels. Let’s click Select to take a look.
- We can filter or browse for a specific signature and click Add to exclude it. I’m just going to click Cancel in this example
- Back on the Add IDS Profile page, make sure to click Save
Creating a distributed IDS Security Policy
- Click the Rules section, followed by Add Policy. I named mine VM_Dave Web IDS
- Now I select the Policy and click Add Rule
- I already have a Group defined for my app named VM_Dave’s App that I am leveraging within my Distributed Firewall Policy. A very cool feature of NSX is that I can leverage the same groups, tags etc. to define my IDS rules. Nice!
- I created a very simple IDS Rule. If you are already familiar with creating NSX Firewall Rules, the process is very similar: select Source, Destination and Service. Note that I can select the IDS Profile we just created. Like a good NSX Firewall Admin, I leverage the Applied To field. When finished, click Publish to update the data plane. The created rule is as follows. NOTE: this is a very simple rule for demonstration purposes only
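The same profile, policy and rule can be defined as code through the NSX Policy API, which is handy once you want the IDS configuration under version control. The following is an added example, not code from the original post or from VMware. Assumptions to verify against the Policy API reference for your NSX-T release: the resource paths and field names (IdsProfile, IdsSecurityPolicy, IdsRule, profile_severity, ids_profiles, scope, action) follow my reading of the NSX-T 3.0 Policy API; the manager address nsx-manager.example, the group id vm_dave_app and any signature ids are placeholders.

```python
"""Create an NSX Distributed IDS profile, policy and rule via the NSX Policy API.

Added example, not from the original post. The resource paths and field names
are assumptions based on the NSX-T 3.0 Policy API; the manager name, group id
and signature ids are placeholders.
"""
import base64
import json
import ssl
import urllib.request

# Severity levels offered on the Add IDS Profile screen.
VALID_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

PROFILE_BASE = "/infra/settings/firewall/security/intrusion-services/profiles"
POLICY_BASE = "/infra/domains/default/intrusion-service-policies"


def profile_path(profile_id):
    """Policy path an IDS rule uses to reference a profile."""
    return f"{PROFILE_BASE}/{profile_id}"


def build_ids_profile(display_name, severities, excluded_signature_ids=()):
    """IdsProfile body: severities to inspect, minus any excluded signatures
    (the 'Select' screen in the UI)."""
    unknown = sorted(set(severities) - set(VALID_SEVERITIES))
    if unknown:
        raise ValueError(f"unknown severity level(s): {unknown}")
    body = {
        "resource_type": "IdsProfile",
        "display_name": display_name,
        "profile_severity": list(severities),
    }
    if excluded_signature_ids:
        # Assumption: an exclusion is an overridden signature with enable=false.
        body["overridden_signatures"] = [
            {"signature_id": str(sid), "enable": False}
            for sid in excluded_signature_ids
        ]
    return body


def build_ids_rule(display_name, profile_id, source_groups, destination_groups,
                   services, applied_to):
    """IdsRule body mirroring the UI fields Source, Destination, Service,
    IDS Profile and Applied To. Groups and services are Policy API paths or "ANY"."""
    if not applied_to:
        # The post limits inspection with Applied To; this example requires it.
        raise ValueError("applied_to (Applied To) must name at least one group")
    return {
        "resource_type": "IdsRule",
        "display_name": display_name,
        "ids_profiles": [profile_path(profile_id)],
        "source_groups": list(source_groups),
        "destination_groups": list(destination_groups),
        "services": list(services),
        "scope": list(applied_to),  # the Applied To field
        "action": "DETECT",
    }


class NsxPolicyClient:
    """Minimal PATCH client for the NSX Policy API using basic auth."""

    def __init__(self, manager, username, password, verify_tls=True):
        self.base = f"https://{manager}/policy/api/v1"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab only; keep certificate verification on otherwise
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def patch(self, path, body):
        req = urllib.request.Request(self.base + path, method="PATCH",
                                     data=json.dumps(body).encode(),
                                     headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status


def apply_ids_config(client, profile_id, profile, policy_id, policy_name,
                     rule_id, rule):
    """PATCH the profile first (the rule references it), then policy and rule.
    A PATCH publishes immediately; there is no separate Publish step as in the UI."""
    client.patch(profile_path(profile_id), profile)
    client.patch(f"{POLICY_BASE}/{policy_id}",
                 {"resource_type": "IdsSecurityPolicy", "display_name": policy_name})
    return client.patch(f"{POLICY_BASE}/{policy_id}/rules/{rule_id}", rule)


if __name__ == "__main__":
    group = "/infra/domains/default/groups/vm_dave_app"  # placeholder group id
    profile = build_ids_profile("VM_Dave Web Profile", VALID_SEVERITIES)
    rule = build_ids_rule("Web IDS", "vm_dave_web_profile", ["ANY"], [group],
                          ["ANY"], [group])
    print(json.dumps({"profile": profile, "rule": rule}, indent=2))
    # To push to a manager:
    # client = NsxPolicyClient("nsx-manager.example", "admin", "<password>")
    # apply_ids_config(client, "vm_dave_web_profile", profile,
    #                  "vm_dave_web_ids", "VM_Dave Web IDS", "web_rule", rule)
```

Run it as-is to see the JSON that the UI steps above produce behind the scenes; uncomment the last lines (with real credentials and a group that exists in your environment) to push the configuration. Patching the profile before the rule matters because the rule's ids_profiles entry must resolve to an existing profile.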
Validating IDS Status on the Data Plane (Optional)
- I connect to one of the ESXi hosts in my Compute-Cluster via SSH and log in
- Type nsxcli to enter the NSX CLI mode, followed by get ids status. I can see IDS is enabled, followed by the uptime
- Enter get ids profiles to validate that the profile has been applied
- Enter get ids engine stats to review various statistics
Running a Vulnerability Scan to generate IDS Events
I ran a vulnerability scanning tool against my web servers in order to generate IDS events for demonstration purposes, leveraging the Legion tool from within a Kali Linux VM.
Disclaimer: I am leveraging a fenced lab for this, I DO NOT suggest running a tool such as Legion in your environment before consulting with your management and Security Team!
Running Legion itself is out of scope for this article, but I ran a basic scan of my 3 web servers.
Reviewing the IDS Dashboard and Events
- Back within the NSX UI, I select Security Overview and I now see the IDS Summary dashboard populated with data. Note the total number of intrusion attempts, attempts by severity, trend information and intrusion attempts by VM.
- You can click on Total Intrusion Attempts, or on the VMs, to see more details about the intrusion attempts. I’m going to click on Total Intrusion Attempts
- Within the Events view, scroll down and expand the chevron next to each Intrusion Attempt to get more information, including signature information, attacker IP, protocol, attack type etc.
I hope you found this post useful, and that you are as excited as I am about this addition to NSX Feature Set!