SAI2041BE

NSX DMZ Anywhere: Modernizing the DMZ

Wade Holmes, Sr. Manager of Technical Product Management, VMware Networking and Security
Chris Krueger, Coalfire Systems, Inc. Managing Principal, Security Architecture

#VMworld #SAI2041BE

Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#SAI2041BE CONFIDENTIAL

Agenda
1. Introduction and Objectives
2. Current State and Challenges
3. DMZ Anywhere
4. DMZ Anywhere Design Patterns
5. Coalfire DMZ Anywhere Benchmark
6. Additional Resources

NSX Use Cases
Solution level: SDDC
Initiative level: Security | Automation | App Continuity
Product level: NSX Platform
Project level:
– Security: Micro-segmentation, Secure End User, DMZ Anywhere
– Automation: IT Automating IT, Developer Cloud, Multi-tenant Cloud
– App Continuity: Disaster Recovery, Multi Data Center Pooling, Cross Cloud

What is a DMZ?
A segment that acts as an intermediary and borders a trusted network and an untrusted network.
(Diagram: External – DMZ – Internal)

DMZ – Secure area with maximum security and visibility

Traditional DMZ Design Principles
Assumption is that any infrastructure component exposed to the external network is inherently “vulnerable” and is always at risk. There is a need for isolation at the hardware, network and software layers.
1. Purely Physical DMZ
2. Partially Collapsed DMZ with Physical Separation of Trust Zones
3. Partially Collapsed DMZ with VLAN Separation of Trust Zones

Maximum Security?
(Diagram: External – DMZ – Internal)

DMZ Exposure
• There is *always* a risk for an asset placed on a DMZ network
– It’s allowing incoming connections from a lower trust zone (frequently the internet)
– Even if a webserver is completely patched and locked-down for allowed ports, it’s still vulnerable to attack from other servers on the same L2 network
• Backend Connections (3-tier apps)
– Many services require connections back to other DBs or servers; allowed connections into higher-trust networks must be closely monitored and restricted

Maximum Visibility?
(Diagram: External – DMZ – Internal)

DMZs in the Enterprise – Scale?
(Diagram: External – DMZ – Internal)

DMZ in Trouble
The need for secure DMZs as a part of security architecture increases.
Server Breaches
• 81% of confirmed data breaches used weak/default/stolen credentials
• 20,000 incidents of websites used to host malware, participate in DDOS, or altered to serve a phishing site
• 2,800 website defacements
• 95% confirmed web app breaches tied to criminals
Other exposed surfaces
• Cloud
• Mobile Applications
• End-User Computing

A Reality Check
• 53% of breaches were discovered by external parties (partner, customer, law enforcement, etc.) who then notified the victim
✓ 320 Days = Time until 3rd party detection
• 47% detected internally
✓ 56 Days = Time until Internal Detection
Source: FireEye M-Trends report 2016

Anatomy of an Attack – Target (1 month)
• Breach network Nov 12th
• First POS’ compromised Nov 15th
• Warning from 2 vendors ignored
• Start of data exfiltration
• Fully deployed and upgraded Dec 2nd
• DOJ contacts Target Dec 12th
• Breach contained Dec 15th
• 40M credit cards & 70M client records

Target: Even Big Organizations Get It Wrong
…when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target’s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:

“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”

Poor DMZ Design
• Network Segmentation
– Too large a blast area
– Servers with differing criticality
– Failure to separate from internal network
• Too many connections allowed to higher-trust networks
• DMZ servers using same resources as Internal networks
– Admin passwords, DNS, AD
• Success of DMZ highly dependent on overall architecture/implementation
• Few generally accepted, industry-wide guidelines
• No one product makes a secure DMZ – require a solution along with people/process

Who Controls the DMZ?
• Network Team?
• Security Team?
• Outsourced? System Integrator and System Outsourcer (SISO)?
• Many times a separate team with separate security budget – Perimeter Team

DMZ Anywhere
DMZ security principles decoupled from physical infrastructure for both Network + Compute to maximize security, visibility, scalability, and efficiency of DMZs.
Architectural options may differ depending on factors such as:
• Security stance
• Virtualization maturity
• Operational posture
• Target Environment
DMZ Anywhere building blocks: Network Virtualization, Distributed Firewall, Service Insertion, Service Visibility, NSX + AirWatch Integration

DMZ? Think DMZ Anywhere

DMZ Anywhere Design Patterns

© 2016 VMware Inc. All rights reserved.

Existing DMZ – Three vCenter
(Diagram labels: External vCenter; Corp Access; Internet Edge; VPN Block; Ecommerce; Branch Block; Extranet; Internet; DMZ FW, IPS and WAF; DMZ Routing; Internal Services; Internal Routing / Firewall; Developer Cloud; DB Systems; Internal VDI; Edge; Jump Boxes; OOB Services; MGMT Services; vCenter Services; Dedicated DMZ vSphere Hosts; Non DMZ vCenter and vSphere Hosts; OOB Network and MGMT Systems)

Existing DMZ – Dual vCenter
(Diagram labels: Internet vCenter; Corp Access; Internet Edge; VPN Block; Ecommerce; Branch Block; Extranet; DMZ FW, IPS and WAF; DMZ Routing; Dedicated DMZ vSphere Hosts; Internal Services; Internal Routing / Firewall; Developer Cloud; DB Systems; Internal VDI; Jump Boxes; OOB Services; MGMT Services; vCenter Services; Non DMZ vCenter and vSphere Hosts; OOB Network and MGMT Systems)

Existing DMZ – Single vCenter
(Diagram labels: Internet vCenter; Corp Access; Internet Edge; VPN Block; Ecommerce; Branch Block; Extranet; DMZ FW, IPS and WAF; DMZ Routing; Dedicated DMZ vSphere Cluster; Jump Boxes; Internal Services; Internal Routing / Firewall; MGMT Services; DB Systems; Internal VDI; OOB Services; Developer Cloud; vCenter Services; Non DMZ vSphere Cluster; OOB Network and MGMT Systems)

Adding DFW to a Compute / DMZ Block
(Diagram: Internet – Internet Edge – DMZ Routing – DMZ FW, IPS and WAF – Internal Routing / Firewall; Policy applied as a Stateful DFW, STOP icons marking blocked flows)

Adding DFW and Advanced Services to a Compute / DMZ Block
(Diagram: Internet – Internet Edge – DMZ Routing – Internal Routing / Firewall; Policy applied as a Stateful DFW, STOP icons marking blocked flows)

DMZ Anywhere – ESG, Service Insertion, Single VC
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Controlled Communication between segments; Any vSphere Host in vCenter)

DMZ Anywhere – DLR, ESG, Service Insertion, Single VC
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Controlled Communication between segments; Any vSphere Host in vCenter)

Multi-vCenter DMZ Anywhere with Universal Logical Switch
(Diagram: Internet – Internet Edge – DMZ FW, IPS and WAF – DMZ Routing – Internal Routing / Firewall, repeated for vCenter 1 and vCenter 2-8; STOP icons marking blocked flows; Any vSphere Host in vCenter)

Multi-VC DMZ Anywhere – Local Logical Switch
(Diagram: Internet – Internet Edge – Internal Routing / Firewall, repeated per vCenter; Stateful DFW with STOP icons; Controlled Communication between segments; Any vSphere Host in vCenter)

ESG / DLR Design Considerations
• Can be one routing topology for all DMZ functions or multiple for DMZ functions
• Routing logic should be separated for DMZ and Core Network DC functions (minimum two DLRs for a deployment)
• Routing between DLRs must pass through an ESG. You can use 1 or more ESGs for this function, but when the ESG Firewall (stateful services) is deployed, ECMP is not supported
• Same rules apply for Universal Objects, such as UDLR, as well
– Version 6.3 supports multiple universal sections, allowing a separation of Internal and DMZ Universal rules

Single Transit Zone, Dual DLR
(Diagram: Internet – Internet Edge; Non DMZ VMs and DMZ VMs behind separate DLRs; Stateful DFW with STOP icons; Controlled Communication between segments; Any vSphere Host in vCenter)

Dual Transit Zone
(Diagram: Internet – Internet Edge; Non DMZ Transit Zone and DMZ Transit Zone; Stateful DFW with STOP icons; Controlled Communication between segments; Any vSphere Host in assigned TZ)

Per Application DMZ
(Diagram: Internet – Internet Edge – DMZ Routing – Internal Routing / Firewall; per-application Policy applied as a Stateful DFW, STOP icons marking blocked flows)

Traffic Visibility in the Virtualized DMZ
Network Capture Points
• Application Rule Manager
– Flow Data – vNIC
– DFW Flow Data
• vRealize Network Insight
– vSwitch Flow Data
– Uplink Flow Data
– Physical Switch Flow Data
– Firewall Rule Data
• Endpoint Monitor
– File/Binary/EXE
– Socket
• Log Insight
– ESG Syslog
– Firewall Rule Logs
– NSX Manager Syslog
– NSX Controller Syslog
– vSphere Syslog
– vCenter Syslog
– Physical Switch Syslog
– Physical Server Syslog
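To show what the Firewall Rule Logs capture point yields in practice, an added example (not from the presentation or from any VMware tool): a detector that reads DFW rule-log lines and flags a source whose denied connections fan out across many destination ports, the footprint a blocked east-west or north-south scan leaves once a zero-trust rule set is in place. The log line format is constructed, loosely modelled on NSX-v dfwpktlogs syslog, and every address, host name and timestamp in the sample is constructed.

```python
"""Blocked-recon detection over DFW rule logs (added example, not from the
presentation). Line format is constructed, loosely modelled on NSX-v
dfwpktlogs syslog; all values in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tier subnets from the benchmark's Pattern 1 slide.
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Constructed format: <iso ts> <host> dfwpktlogs: INET match <ACTION> <rule>
# <dir> <len> <PROTO> <src>/<sport>-><dst>/<dport> [flags]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: INET match (?P<action>PASS|DROP|REJECT) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) \d+ (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

SAMPLE_LOG = [
    # Legitimate flows passing the allow rules.
    "2017-08-01T10:00:00Z esx-01 dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 203.0.113.10/51022->10.0.1.2/443 S",
    "2017-08-01T10:00:01Z esx-02 dfwpktlogs: INET match PASS domain-c7/1005 IN 60 TCP 10.0.2.5/40210->10.0.3.7/3306 S",
    # One mistyped port from the app server: noise, not a scan.
    "2017-08-01T10:00:02Z esx-02 dfwpktlogs: INET match DROP domain-c7/1008 IN 60 TCP 10.0.2.5/40211->10.0.3.7/3307 S",
    # Compromised web-tier VM probing its neighbour (east-west) and the app tier (north-south).
    "2017-08-01T10:00:05Z esx-01 dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 10.0.1.50/40001->10.0.1.2/135 S",
    "2017-08-01T10:00:05Z esx-01 dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 10.0.1.50/40002->10.0.1.2/139 S",
    "2017-08-01T10:00:06Z esx-01 dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 10.0.1.50/40003->10.0.1.2/445 S",
    "2017-08-01T10:00:06Z esx-01 dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 10.0.1.50/40004->10.0.1.2/3389 S",
    "2017-08-01T10:00:07Z esx-01 dfwpktlogs: INET match REJECT domain-c7/1008 IN 60 TCP 10.0.1.50/40005->10.0.2.5/445 S",
    "2017-08-01T10:00:08Z esx-01 dfwpktlogs: INET match REJECT domain-c7/1008 IN 60 TCP 10.0.1.50/40006->10.0.2.5/3306 S",
    "2017-08-01T10:00:08Z esx-01 dfwpktlogs: INET match REJECT domain-c7/1008 IN 60 UDP 10.0.1.50/40007->10.0.2.5/53",
    # Same source much later: falls outside the sliding window.
    "2017-08-01T11:30:00Z esx-01 dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 10.0.1.50/40008->10.0.1.2/22 S",
]


def tier_of(addr: str) -> str:
    """Name the tier an address belongs to, or 'external' if outside all tiers."""
    ip = ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "external"


def parse(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, window=timedelta(seconds=60), min_targets=5):
    """Flag each source whose denied connections reach >= min_targets distinct
    (dst, dport) pairs within one sliding window; the densest window is reported."""
    denied = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["action"] in ("DROP", "REJECT"):
            denied[ev["src"]].append(ev)
    findings = []
    for src, events in denied.items():
        events.sort(key=lambda e: e["ts"])
        best_count, best_span, start = 0, [], 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            count = len({(e["dst"], e["dport"]) for e in span})
            if count > best_count:
                best_count, best_span = count, span
        if best_count >= min_targets:
            src_tier = tier_of(src)
            findings.append({
                "src": src,
                "src_tier": src_tier,
                "distinct_targets": best_count,
                "directions": sorted({"east-west" if tier_of(e["dst"]) == src_tier
                                      else "north-south" for e in best_span}),
                "first_seen": best_span[0]["ts"].isoformat(),
            })
    return findings
```

The PASS lines are ignored on purpose: with a deny-by-default DFW, the denied attempts are the signal, and a single stray DROP from a legitimate server stays below the threshold.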

DMZ Anywhere Benchmark Whitepaper Preview
Coalfire Systems 2017 Benchmark of DMZ Anywhere
Chris Krueger, Coalfire Systems, Inc. Managing Principal, Security Architecture

Benchmark of NSX DMZ Anywhere Concept
• Coalfire 3PAO and Cyber Engineering organizations see a significant requirement in all regulations (PCI DSS, HIPAA, FedRAMP, CJIS, NERC CIP, GDPR, etc.) for strong DMZ network segmentation to “reduce scope”
• This 2017 benchmark is the next step in independent validation of the NSX product
• Focus on an SDDC implementation with 3 tier workloads for
• Using Pen Test and Exploit Methodologies
• Service insertion partner products working with NSX DMZ Anywhere for L4-7 Effectiveness: Palo Alto Networks and Check Point

About Coalfire
• Thought-leader and go-to advisor in the fast-growing cybersecurity market
• More than 1,600 customers in a broad set of industry sectors
• More than 550 employees in 14 locations in North America and Europe
Coalfire Serves
• 530 Cloud, SaaS and Technology Clients
• 471 merchants and 241 payment service providers
• 290 HIPAA covered entities and business associates
• 291 clients in banks, insurance and asset management
• 240 clients across federal, state and local government and higher education
• 21 clients in power, water, energy and gas

NSX Benchmark from 2016
• Introduced Micro-Segmentation and VMware NSX in Sept, 2016
• Review against NIST SP800-125B Standard
• Overview of the NSX “Micro-Audit” of E-W Threat Mitigation
• Network Design Patterns and Test Methodology
– Patterns 1a/b through 5a/b
– Stateful Firewall Validation
– ALG Traffic Enforcement
• Validation Exercises and Findings
– Threat Simulation
– Attack via Metasploit Framework
– Micro-Segmentation Design Patterns
• Conclusion and Opinion
• Published September, 2016

NSX Benchmarks Past and Forthcoming
• September 2016 NSX Micro-Segmentation Cybersecurity Benchmark: First testing of NSX by a third party
• Current presentation on NSX DMZ Anywhere today, with new benchmark results being previewed and a September 2017 release
• New benchmark evaluation and creation of a NSX-T whitepaper for containerized workloads also in September 2017

Design Overview and Testing Focus
• Three design patterns based
• Two workloads in NSX protected SDDC used to simulate customer workloads
– OpenEMR
– OpenMRS
• Two vCenter multi-tenant design implementation – Edge/Mgmt and Compute
• Workloads reside in the compute vCenter/single vSphere cluster
• Simulation of an intruder on a vulnerable network segment of the design pattern, positioned to do maximum damage
• Use of NSX Tools reviewed: Application Rule Manager and Endpoint Monitoring
• Service insertion partners Check Point and Palo Alto Networks used to demonstrate L4-7 protection

Control Pattern
A “no controls” network, open without restriction between VLANs.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier, App Tier, DB Tier; Any vSphere Host in vCenter)

Pattern 1 – Distributed Firewall and DLR
Micro-segmentation via a stateful Distributed Firewall (DFW) blocking east-west traffic. Intra-tier traffic protected using a zero trust model (rules for desired traffic only). Distributed Logical Router (DLR) with VXLAN network overlay segmentation for tiers.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24, DB Tier 10.0.3.0/24; Controlled Communication between tiers; Stateful DFW with STOP icons on blocked flows; Any vSphere Host in vCenter)

Pattern 2 – Distributed Firewall, DLR and Service Insertion
Adding Check Point vSEC Next Generation Firewall for L4-7 Inspection and Response.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24, DB Tier 10.0.3.0/24; Controlled Communication between tiers; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Any vSphere Host in vCenter)

Pattern 2 – Distributed Firewall, DLR and Service Insertion
Adding Palo Alto Networks VM-Series Next Generation Firewall for L4-7 Inspection and Response.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24, DB Tier 10.0.3.0/24; Controlled Communication between tiers; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Any vSphere Host in vCenter)

Pattern 3 – Distributed Firewall with Service Insertion
L4-7 Protection Using Palo Alto Networks VM-Series Firewall Inspection and Response.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier, App Tier, DB Tier; Controlled Communication between tiers; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Any vSphere Host in vCenter)
Similar to Pattern 2, except with the removal of the Distributed Logical Router. L2 VLAN segmentation was used with the Edge Gateway / DFW.

Pattern 3 – Distributed Firewall with Service Insertion
L4-7 Protection Using Check Point vSEC Firewall Inspection and Response.
(Diagram: Internet – Internet Edge – Internal Routing / Firewall; vCenter with Web Tier, App Tier, DB Tier; Controlled Communication between tiers; Stateful DFW with STOP icons; Traffic Steering to Partner Advanced Services; Any vSphere Host in vCenter)
Similar to Pattern 2, except with the removal of the Distributed Logical Router. L2 VLAN segmentation was used with the Edge Gateway / DFW.

Testing and Exploits Used
• As with the 2016 benchmark, we used a Kali Linux based testing VM, loaded with a suite of penetration testing tools and Metasploit Framework
• Use of Kali Linux to simulate a fully compromised, previously exploited machine at its most extreme level of lethality. Machine positioned into design pattern networks as an optimal attacker. This machine is denoted by this VM symbol in our Design Patterns:
• db_nmap reconnaissance tool – scans from the Kali VM east-west (L2) target VMs and across the north-south (L3) targets application tiers
• WannaCry exploit – based on EternalBlue MS17-010 (CVE-2017-0143) as cryptovirus / ransomware candidate
• Java AtomicReferenceArray – type violation vulnerability (CVE-2012-0507) as an application-based and browser/Java exploit

TEST METHODOLOGY – Using Metasploit
NSX DMZ Anywhere “Micro-audit”
• Simulate an actual automated or human-initiated attack, using tools and exploits that are real.
• Follow the Kill-Chain model, performing the Reconnaissance and Exploitation steps.
• The CONTROL Test Pattern confirms exploit success. No security principles engaged.
• Test Patterns “1, 2 and 3” are with NSX DMZ Anywhere.
VMware vSphere and NSX SDDC “Test-bed” with:
• Kali Linux “Exploited” machine launching attacks via Metasploit, db_nmap, hping3, etc.
• OpenEMR and OpenMRS workloads
• Windows 2008 R2 and 2012 R2 Enterprise for OpenEMR
• Debian 4 Linux w/ Apache/MySQL for OpenMRS

Test Results – Recon and the Design Patterns 1 - 3
• db_nmap used to probe and test
• Tested using a “Control” and “Test Protection” NSX DMZ Anywhere event
– Control – Open, NSX Rules turned “down” using allow policy or policy removed. Confirm recon success
– Test Protection – NSX Rules enabled to Block and Reject

Control recon output:

Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
|_http-favicon: Unknown favicon MD5: 4EF9F480B52CD52B5831077127502FDE
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
| ssl-cert: Subject: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
| Issuer: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE

DFW rule actions:

Action                             Description
Block                              Block silently the traffic
Allow                              Allow the traffic
Reject (introduced since NSX 6.1)  Reject action will send back to initiator:
                                   • RST packets for TCP connections
                                   • ICMP unreachable with network administratively prohibited code for UDP, ICMP, and other IP connections
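The Block / Allow / Reject semantics in the table above and the Pattern 1 zero-trust rule set, modelled as an added example (not code from the presentation, from Coalfire or from NSX): a first-match rule table over the slide's tier subnets with a connection table for return traffic, replayed against constructed recon flows from a VM placed in the web tier and against the “no controls” Control pattern. Host addresses, the 8080 app port and the flow names are assumptions.

```python
"""Stateful DFW model for the benchmark's three-tier patterns (added example,
not code from the presentation or from NSX). Tier subnets come from the
Pattern 1 slide; hosts, the 8080 app port and the recon flows are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

WEB = ip_network("10.0.1.0/24")   # Web Tier
APP = ip_network("10.0.2.0/24")   # App Tier
DB = ip_network("10.0.3.0/24")    # DB Tier
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str        # "any" or a specific protocol
    dport: int        # 0 = any destination port
    action: str       # "allow", "block" or "reject"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and self.proto in ("any", flow.proto)
                and self.dport in (0, flow.dport))


# Control pattern: "no controls", open without restriction between tiers.
CONTROL = [Rule("default-allow", ANY, ANY, "any", 0, "allow")]

# Pattern 1: rules for desired traffic only. Intra-tier (east-west) blocks
# come first so the ANY-source web allows cannot readmit same-tier traffic;
# anything unmatched is rejected (TCP RST / ICMP admin-prohibited).
PATTERN1 = [
    Rule("web-intra-tier-block", WEB, WEB, "any", 0, "block"),
    Rule("app-intra-tier-block", APP, APP, "any", 0, "block"),
    Rule("db-intra-tier-block", DB, DB, "any", 0, "block"),
    Rule("internet-to-web-http", ANY, WEB, "tcp", 80, "allow"),
    Rule("internet-to-web-https", ANY, WEB, "tcp", 443, "allow"),
    Rule("web-to-app", WEB, APP, "tcp", 8080, "allow"),   # assumed app port
    Rule("app-to-db", APP, DB, "tcp", 3306, "allow"),     # MySQL, as in OpenMRS
    Rule("default-reject", ANY, ANY, "any", 0, "reject"),
]


def initiator_sees(action: str, proto: str) -> str:
    """What the connecting host observes, following the slide's action table."""
    if action == "allow":
        return "connection proceeds"
    if action == "block":
        return "nothing (silent drop, a scanner sees a timeout)"
    if proto == "tcp":
        return "TCP RST"
    return "ICMP unreachable, administratively prohibited"


class StatefulDFW:
    """First-match rule table plus a connection table for return traffic."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.established: set[Flow] = set()

    def new_connection(self, flow: Flow) -> tuple[str, str]:
        """Evaluate the first packet of a flow; returns (rule name, action)."""
        for rule in self.rules:
            if rule.matches(flow):
                if rule.action == "allow":
                    self.established.add(flow)
                return rule.name, rule.action
        raise ValueError("rule table must end with a default rule")

    def reply_allowed(self, reply: Flow) -> bool:
        """Replies need no rule: admitted only if the reverse flow was opened."""
        return any(f.dst == reply.src and f.src == reply.dst and f.proto == reply.proto
                   for f in self.established)


def run_micro_audit(rules: list[Rule]) -> dict[str, tuple[str, str]]:
    """Replay constructed flows (Kali VM at 10.0.1.50 in the web tier, an
    external client, the app server) against one rule set."""
    fw = StatefulDFW(rules)
    probes = {
        "client-to-web-https": Flow("203.0.113.10", "10.0.1.2", "tcp", 443),
        "kali-east-west-msrpc": Flow("10.0.1.50", "10.0.1.2", "tcp", 135),
        "kali-north-south-smb": Flow("10.0.1.50", "10.0.2.5", "tcp", 445),
        "kali-to-db-mysql": Flow("10.0.1.50", "10.0.3.7", "tcp", 3306),
        "kali-north-south-udp": Flow("10.0.1.50", "10.0.2.5", "udp", 53),
        "app-to-db-mysql": Flow("10.0.2.5", "10.0.3.7", "tcp", 3306),
    }
    return {name: fw.new_connection(flow) for name, flow in probes.items()}
```

Under CONTROL every probe returns allow, which is what made recon succeed in the Control pattern; under PATTERN1 the same-tier probe is silently blocked while the cross-tier probes get an explicit reject, and only the app server's MySQL connection and the client's HTTPS connection pass.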

Test Results – Sample of Attacks
• Successful EternalBlue exploit results in the machine being “popped” and being dropped into the MS Command Shell with Administrator privileges
• Successful Java ARA exploit delivers a “mock penetration” payload JAR file to the browser, and confirmation of that event on the Kali exploitation machine

Test Results – Methods Used to Benchmark Service Insertion Partner Firewalls with NSX DMZ Anywhere
• Identical testing model for Check Point and Palo Alto Networks next generation firewalls. Both firewall suites are provided as SVM utilizing NSX NetX extensibility framework
• Tested a “Control” and “Test Protection” scenario with Patterns 2 and 3 as in previous tests
• db_nmap used to recon, and recon is ALWAYS successful with Patterns 2/3
• Service insertion for L7 by Check Point and Palo Alto Networks where traffic steering is managed by the NSX network flow
– Control – NSX service insertion policy not applied. Confirmed exploit was successful without service insertion and inspection by partner solution
– Test Protection – NSX service insertion policy applied to insert next generation application firewall into the attack flow

Test Results – EternalBlue Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere
1. Deploy service with NSX
2. Service Composer to Set up Rules
3. Apply Policy to Security Groups
4. Confirm Attack via Event Logging

Test Results – Java ARA Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere
1. Deploy service with NSX
2. Service Composer to Set up Rules
3. Apply Policy to Security Groups
4. Confirm Attack via Event Logging

Test Results – EternalBlue Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere
1. Deploy service with NSX
2. Panorama to Define and Set up Security Groups
3. Use Steering rules and apply Security Policy
4. Confirm Attack via Event Logging

Test Results – Java ARA Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere
1. Deploy service with NSX
2. Panorama to Define and Set up Security Groups
3. Use Steering rules and apply Security Policy
4. Confirm Attack via Event Logging

Application Rule Manager – Demonstrated with OpenEMR review
• How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere?
• Application Rule Manager: A helpful NSX tool to visualize and understand the communication between tiers and among endpoints.

Endpoint Monitoring
How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere, from the perspective of endpoint application process network activity?
Endpoint Monitoring:

Use Case: De-scoping for Regulatory Compliance
Regulated data at rest and in motion must avoid being on the same network with non-regulated data VMs. Moving IPs or to a DMZ is difficult, costly and often impossible. DMZ Anywhere can apply the DFW rules to these VMs in place, and generate the zero-trust rules to protect the CHD.
In this PCI DSS example, machines in RED are in-scope and store, process or transmit cardholder data (CHD).

NSX DMZ Anywhere Benchmark Conclusions
Coalfire’s objective was to determine if VMware NSX DMZ Anywhere can prevent E-W/N-S threats by performing a “micro audit” using representative malware and kill-chain methods, and scientifically measure the results. Testing focused on DMZ Anywhere in a stand-alone configuration and when used in a service insertion scenario with Palo Alto Networks and Check Point next-generation firewalls.
Coalfire’s findings were:
• NSX DMZ Anywhere provided significant and real distributed firewall (DFW) protections against E-W threats and in inter-segment DMZ transfers between tiers of our test Windows and Linux three-tier workloads
• Policy-based controls, nested service group constructs, tight integration with VMware objects/meta-data, the completeness/utility of tools (ARM / Endpoint Monitoring, etc.) of NSX DMZ Anywhere satisfied NIST SP 800-125B Requirements
• Specific testing of Application Rule Manager / Endpoint Monitoring confirmed an easy deployment path to zero trust implementation can be realized with NSX for DMZs
• Third-party service insertion was verified with the Palo Alto Networks and Check Point next-generation firewalls to support L4-L7 threat mitigation in L2 and L3 DMZ designs

More info – Whitepaper Coming Soon
• Publication of Whitepaper – September 2017

Key Takeaways
• DMZ Anywhere optimizes the DMZ, increasing security and saving capex and opex
• There are a number of DMZ deployment models enhanced by NSX
• NSX provides a platform to allow partners to secure the DMZ more efficiently
• Customers are building DMZs with NSX today organically
• NSX provides the necessary visibility and granular security needed to modernize the DMZ for today’s application deployments
