SAI2041BE
NSX DMZ Anywhere: Modernizing the DMZ
Wade Holmes, Sr. Manager of Technical Product Management, VMware Networking and Security
Chris Krueger, Managing Principal, Security Architecture, Coalfire Systems, Inc.
#VMworld #SAI2041BE
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#SAI2041BE CONFIDENTIAL
2
Agenda
1. Introduction and Objectives
2. Current State and Challenges
3. DMZ Anywhere
4. DMZ Anywhere Design Patterns
5. Coalfire DMZ Anywhere Benchmark
6. Additional Resources
NSX Use Cases
Solution level: SDDC
Initiative level: Security, Automation, App Continuity
Project level:
• Security: Micro-segmentation, Secure End User, DMZ Anywhere
• Automation: IT Automating IT, Developer Cloud, Multi-tenant Cloud
• App Continuity: Disaster Recovery, Multi Data Center Pooling, Cross Cloud
Product level: NSX Platform
What is a DMZ?
A segment that acts as an intermediary and borders a trusted network and an untrusted network.
[Figure: External network, DMZ, Internal network]
DMZ – Secure area with maximum security and visibility
Traditional DMZ Design Principles
Assumption is that any infrastructure component exposed to the external network is inherently "vulnerable" and is always at risk. There is a need for isolation at the hardware, network and software layers.
1. Purely Physical DMZ
2. Partially Collapsed DMZ with Physical Separation of Trust Zones
3. Partially Collapsed DMZ with VLAN Separation of Trust Zones
Maximum Security?
[Figure: External network, DMZ, Internal network]
DMZ Exposure
• There is *always* a risk for an asset placed on a DMZ network
– It's allowing incoming connections from a lower trust zone (frequently the internet)
– Even if a webserver is completely patched and locked-down for allowed ports, it's still vulnerable to attack from other servers on the same L2 network
• Backend Connections (3-tier apps)
– Many services require connections back to other DBs or servers; allowed connections into higher-trust networks must be closely monitored and restricted
Maximum Visibility?
[Figure: External network, DMZ, Internal network]
DMZs in the Enterprise – Scale?
[Figure: External network, DMZ, Internal network]
DMZ in Trouble
The need for secure DMZs as a part of security architecture increases
Server Breaches
• 81% of confirmed data breaches used weak/default/stolen credentials
• 20,000 incidents of websites used to host malware, participate in DDOS, or altered to serve a phishing site
• 2,800 website defacements
• 95% of confirmed web app breaches tied to criminals
Other areas under pressure:
• Cloud
• Mobile Applications
• End-User Computing
A Reality Check
• 53% of breaches were discovered by external parties (partner, customer, law enforcement, etc.) who then notified the victim
✓ 320 Days = Time until 3rd party detection
• 47% detected internally
✓ 56 Days = Time until Internal Detection
Source: FireEye M-Trends report 2016
Anatomy of an Attack – Target (1 month)
• Breach network Nov 12th
• First POS' compromised Nov 15th
• Warning from 2 vendors ignored
• Start of data exfiltration
• Fully deployed and upgraded Dec 2nd
• DOJ contacts Target Dec 12th
• Breach contained Dec 15th
• 40M credit cards & 70M client records
Target: Even Big Organizations Get It Wrong
…when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target's external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:
"I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have access to the active server that runs the application," the source said. "Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I'm sure the Ariba system was no exception. I wouldn't say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another."
Poor DMZ Design
• Network Segmentation
– Too large a blast area
– Servers with differing criticality
– Failure to separate from internal network
• Too many connections allowed to higher-trust networks
• DMZ servers using same resources as Internal networks
– Admin passwords, DNS, AD
• Success of DMZ highly dependent on overall architecture/implementation
• Few generally accepted, industry-wide guidelines
• No one product makes a secure DMZ – require a solution along with people/process
Who Controls the DMZ?
• Network Team?
• Security Team?
• Outsourced? System Integrator and System Outsourcer (SISO)?
• Many times a separate team with separate security budget – Perimeter Team
DMZ Anywhere
DMZ security principles decoupled from physical infrastructure for both Network + Compute to maximize security, visibility, scalability, and efficiency of DMZs
Architectural options may differ depending on factors such as:
• Security stance
• Virtualization maturity
• Operational posture
• Target Environment
DMZ Anywhere:
• Network Virtualization
• Distributed Firewall
• Service Insertion
• Service Visibility
• NSX + AirWatch Integration
DMZ? Think DMZ Anywhere
DMZ Anywhere Design Patterns
© 2016 VMware Inc. All rights reserved.
Existing DMZ – Three vCenter
[Diagram: External vCenter on Dedicated DMZ vSphere Hosts (Internet, Internet Edge, DMZ Routing, DMZ FW/IPS/WAF, VPN Block, Ecommerce, Branch Block, Extranet); Corp Access vCenter on Non DMZ vCenter and vSphere Hosts (Internal Routing / Firewall, Internal Services, Developer Cloud, DB Systems, Internal VDI, Edge); management vCenter on OOB Network and MGMT Systems (Jump Boxes, OOB Services, MGMT Services, vCenter Services)]
Existing DMZ – Dual vCenter
[Diagram: Internet vCenter on Dedicated DMZ vSphere Hosts (Internet, Internet Edge, DMZ Routing, DMZ FW/IPS/WAF, VPN Block, Ecommerce, Branch Block, Extranet); Corp Access vCenter on Non DMZ vCenter and vSphere Hosts (Internal Routing / Firewall, Internal Services, Developer Cloud, DB Systems, Internal VDI, Edge, Jump Boxes, OOB Services, MGMT Services, vCenter Services); OOB Network and MGMT Systems]
Existing DMZ – Single vCenter
[Diagram: one Internet/Corp Access vCenter; Dedicated DMZ vSphere Cluster (Internet Edge, DMZ Routing, DMZ FW/IPS/WAF, VPN Block, Ecommerce, Branch Block, Extranet); Non DMZ vSphere Cluster (Internal Routing / Firewall, Internal Services, Developer Cloud, DB Systems, Internal VDI, Jump Boxes, OOB Services, MGMT Services, vCenter Services); OOB Network and MGMT Systems]
Adding DFW to a Compute / DMZ Block
[Diagram: Internet, Internet Edge, DMZ Routing, DMZ FW/IPS/WAF, Internal Routing / Firewall; Stateful DFW applied by Policy to the DMZ workloads, blocking disallowed traffic (STOP)]
Adding DFW and Advanced Services to a Compute / DMZ Block
[Diagram: Internet, Internet Edge, DMZ Routing, Internal Routing / Firewall; Stateful DFW applied by Policy together with advanced services, blocking disallowed traffic (STOP)]
DMZ Anywhere ESG, Service Insertion, Single VC
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; Stateful DFW on every workload, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services; disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
DMZ Anywhere DLR, ESG, Service Insertion, Single VC
[Diagram: single vCenter; Internet, Internet Edge, Internal Routing / Firewall; Stateful DFW on every workload, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services; disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Multi-vCenter DMZ Anywhere with Universal Logical Switch
[Diagram: vCenter 1 and vCenter 2-8, each with Internet, Internet Edge, DMZ FW/IPS/WAF, DMZ Routing and Internal Routing / Firewall, sharing a Universal Logical Switch; disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Multi-VC DMZ Anywhere Local Logical Switch
[Diagram: two vCenters, each with Internet, Internet Edge, Internal Routing / Firewall, Stateful DFW and Controlled Communication on a local logical switch; disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
ESG / DLR Design Considerations
• Can be one routing topology for all DMZ functions or multiple for DMZ functions
• Routing logic should be separated for DMZ and Core Network DC functions (min two DLRs) for a deployment.
• Routing between DLRs must pass through an ESG. You can use 1 or more ESGs for this function, but with the ESG Firewall (stateful services) in deployment there is no support for ECMP.
• Same rules apply for Universal Objects, such as UDLR, as well.
– Version 6.3 supports multiple universal sections allowing a separation of Internal and DMZ Universal rules.
Single Transit Zone, Dual DLR
[Diagram: Internet, Internet Edge; one transit zone with a DMZ DLR (DMZ VMs) and a non-DMZ DLR (Non DMZ VMs); Stateful DFW on every workload, Controlled Communication between groups, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Dual Transit Zone
[Diagram: Internet, Internet Edge; separate DMZ Transit Zone and Non DMZ Transit Zone; Stateful DFW on every workload, Controlled Communication between groups, disallowed traffic blocked (STOP); Any vSphere Host in assigned TZ]
Per Application DMZ
[Diagram: Internet, Internet Edge, DMZ Routing, Internal Routing / Firewall; Stateful DFW applied by Policy per application, disallowed traffic blocked (STOP)]
Traffic Visibility in the Virtualized DMZ
Network Capture Points
• Application Rule Manager
• vRealize Network Insight
– Flow Data - vNIC
– DFW Flow Data
– vSwitch Flow Data
– Uplink Flow Data
– Physical Switch Flow Data
– Firewall Rule Data
• Endpoint Monitor
– File/Binary/EXE
– Socket
• Log Insight
– ESG Syslog
– Firewall Rule Logs
– NSX Manager Syslog
– NSX Controller Syslog
– vSphere Syslog
– vCenter Syslog
– Physical Switch Syslog
– Physical Server Syslog
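As an added example (not part of the deck, and not VMware or Coalfire code), the following shows what a consumer of the "Firewall Rule Logs" capture point above can do with them: parse DFW packet-log lines and flag a source whose denied connection attempts fan out across many ports in a short window, which is what the benchmark's db_nmap recon looks like from the defender's side. The log lines are constructed and follow the NSX-v dfwpktlogs syslog layout as assumed here (`... dfwpktlogs: INET match <ACTION> <rule> <dir> <len> <proto> <src>/<sport>-><dst>/<dport> <flags>`); the window and port threshold are illustrative assumptions.

```python
"""Recon detection over distributed-firewall rule logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Assumed NSX-v dfwpktlogs layout; adjust the pattern if your syslog differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+dfwpktlogs:\s+INET\s+match\s+"
    r"(?P<action>PASS|DROP|REJECT)\s+(?P<rule>\S+)\s+(?P<dir>IN|OUT)\s+\d+\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: 10.0.1.2 (web tier) is allowed to reach app:8080 but
# then probes several other ports on the app and db tiers; 10.0.2.5 -> db:3306
# is the legitimate app-to-db path; 10.0.2.7 makes a single stray attempt.
SAMPLE_LOG = """\
2017-08-29T10:15:01.100Z esx-01 dfwpktlogs: INET match PASS domain-c7/1001 IN 60 TCP 10.0.1.2/45010->10.0.2.5/8080 S
2017-08-29T10:15:02.200Z esx-01 dfwpktlogs: INET match DROP domain-c7/1003 IN 60 TCP 10.0.1.2/45011->10.0.2.5/22 S
2017-08-29T10:15:02.210Z esx-01 dfwpktlogs: INET match DROP domain-c7/1003 IN 60 TCP 10.0.1.2/45012->10.0.2.5/135 S
2017-08-29T10:15:02.220Z esx-01 dfwpktlogs: INET match DROP domain-c7/1003 IN 60 TCP 10.0.1.2/45013->10.0.2.5/139 S
2017-08-29T10:15:02.230Z esx-01 dfwpktlogs: INET match DROP domain-c7/1003 IN 60 TCP 10.0.1.2/45014->10.0.2.5/445 S
2017-08-29T10:15:02.240Z esx-01 dfwpktlogs: INET match REJECT domain-c7/1004 IN 60 TCP 10.0.1.2/45015->10.0.3.5/3306 S
2017-08-29T10:15:03.000Z esx-02 dfwpktlogs: INET match PASS domain-c7/1002 IN 60 TCP 10.0.2.5/50001->10.0.3.5/3306 S
2017-08-29T10:15:04.000Z esx-02 dfwpktlogs: INET match DROP domain-c7/1003 IN 60 TCP 10.0.2.7/50002->10.0.3.5/22 S
"""


def parse_line(line: str) -> dict:
    """Return the parsed fields of one dfwpktlogs line, or {} if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, window=timedelta(seconds=60), min_ports=5) -> List[dict]:
    """Flag each source with >= min_ports distinct (dst, dport) pairs denied
    inside `window`. Only DROP/REJECT records are counted, so allowed
    application chatter (PASS lines) never inflates the score."""
    denied = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] in ("DROP", "REJECT"):
            denied[rec["src"]].append(rec)

    alerts = []
    for src, recs in denied.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over denials
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hits = recs[start:end + 1]
            targets = {(r["dst"], r["dport"]) for r in hits}
            if len(targets) >= min_ports:
                alerts.append({"src": src, "targets": len(targets),
                               "rules": sorted({r["rule"] for r in hits}),
                               "first": hits[0]["ts"], "last": hits[-1]["ts"]})
                break                          # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible scan from {a['src']}: {a['targets']} denied targets "
              f"between {a['first'].time()} and {a['last'].time()}, rules {a['rules']}")
```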
DMZ Anywhere Benchmark Whitepaper Preview
Coalfire Systems 2017 Benchmark of DMZ Anywhere
Chris Krueger, Coalfire Systems, Inc. Managing Principal, Security Architecture
Benchmark of NSX DMZ Anywhere Concept
• Coalfire 3PAO and Cyber Engineering organizations see a significant requirement in all regulations (PCI DSS, HIPAA, FedRAMP, CJIS, NERC CIP, GDPR, etc.) for strong DMZ network segmentation to "reduce scope"
• This 2017 benchmark is the next step in independent validation of the NSX product
• Focus on an SDDC implementation with 3 tier workloads
• Using Pen Test and Exploit Methodologies
• Service insertion partner products working with NSX DMZ Anywhere for L4-7 Effectiveness: Palo Alto Networks and Check Point
About Coalfire
• Thought-leader and go-to advisor in the fast-growing cybersecurity market
• More than 1,600 customers in a broad set of industry sectors
• More than 550 employees in 14 locations in North America and Europe
Coalfire Serves
• 530 Cloud, SaaS and Technology Clients
• 471 merchants and 241 payment service providers
• 290 HIPAA covered entities and business associates
• 291 clients in banks, insurance and asset management
• 240 clients across federal, state and local government and higher education
• 21 clients in power, water, energy and gas
NSX Benchmark from 2016
• Introduced Micro-Segmentation and VMware NSX in Sept, 2016
• Review against NIST SP800-125B Standard
• Overview of the NSX "Micro-Audit" of E-W Threat Mitigation
• Network Design Patterns and Test Methodology
– Patterns 1a/b through 5a/b
– Stateful Firewall Validation
– ALG Traffic Enforcement
• Validation Exercises and Findings
– Threat Simulation Attack via Metasploit Framework
– Micro-Segmentation Design Patterns
• Conclusion and Opinion
• Published September, 2016
NSX Benchmarks Past and Forthcoming
• September 2016 NSX Micro-Segmentation Cybersecurity Benchmark: First testing of NSX by a third party
• Current presentation on NSX DMZ Anywhere today, with new benchmark results being previewed and a September 2017 release
• New benchmark evaluation and creation of a NSX-T whitepaper for containerized workloads also in September 2017
Design Overview and Testing Focus
• Three design patterns based
• Two workloads in NSX protected SDDC used to simulate customer workloads: OpenEMR, OpenMRS
• Two vCenter multi-tenant design implementation – Edge/Mgmt and Compute
• Workloads reside in the compute vCenter/single vSphere cluster
• Simulation of an intruder on a vulnerable network segment of the design pattern, positioned to do maximum damage
• Use of NSX Tools reviewed: Application Rule Manager and Endpoint Monitoring
• Service insertion partners Check Point and Palo Alto Networks used to demonstrate L4-7 protection
Control Pattern
A "no controls" network, open without restriction between VLANs
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier, App Tier and DB Tier on Any vSphere Host in vCenter, no enforcement between tiers]
Pattern 1 – Distributed Firewall and DLR
Micro-segmentation via a stateful Distributed Firewall (DFW) blocking east-west traffic. Intra-tier traffic protected using zero trust model (rules for desired traffic only). Distributed Logical Router (DLR) with VXLAN network overlay segmentation for tiers.
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24 and DB Tier 10.0.3.0/24; Stateful DFW on every tier, Controlled Communication between tiers, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Pattern 2 – Distributed Firewall, DLR and Service Insertion
Adding Check Point vSEC Next Generation Firewall for L4-7 Inspection and Response
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24 and DB Tier 10.0.3.0/24; Stateful DFW on every tier, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Pattern 2 – Distributed Firewall, DLR and Service Insertion
Adding Palo Alto Networks VM-Series Next Generation Firewall for L4-7 Inspection and Response
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24 and DB Tier 10.0.3.0/24; Stateful DFW on every tier, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Pattern 3 – Distributed Firewall with Service Insertion
L4-7 Protection Using Palo Alto Networks VM-Series Firewall Inspection and Response
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier, App Tier and DB Tier on VLANs; Stateful DFW on every tier, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Similar to Pattern 2, except with the removal of the Distributed Logical Router. L2 VLAN segmentation was used with the Edge Gateway / DFW.
Pattern 3 – Distributed Firewall with Service Insertion
L4-7 Protection Using Check Point vSEC Firewall Inspection and Response
[Diagram: Internet, Internet Edge, Internal Routing / Firewall; single vCenter with Web Tier, App Tier and DB Tier on VLANs; Stateful DFW on every tier, Controlled Communication between tiers, Traffic Steering to Partner Advanced Services, disallowed traffic blocked (STOP); Any vSphere Host in vCenter]
Similar to Pattern 2, except with the removal of the Distributed Logical Router. L2 VLAN segmentation was used with the Edge Gateway / DFW.
Testing and Exploits Used
As with the 2016 benchmark, we used a Kali Linux based testing VM, loaded with a suite of penetration testing tools and Metasploit Framework.
Use of Kali Linux to simulate a fully compromised, previously exploited machine at its most extreme level of lethality. Machine positioned into design pattern networks as an optimal attacker. This machine is denoted by this VM symbol in our Design Patterns:
• db_nmap reconnaissance tool – scans from the Kali VM east-west (L2) target VMs and across the north-south (L3) targets application tiers
• WannaCry exploit – based on EternalBlue MS17-010 (CVE-2017-0143) as cryptovirus / ransomware candidate
• Java AtomicReferenceArray – type violation vulnerability (CVE-2012-0507) as an application-based and browser/Java exploit
TEST METHODOLOGY – Using Metasploit
NSX DMZ Anywhere "Micro-audit"
Simulate an actual automated or human-initiated attack, using tools and exploits that are real. Follow the Kill-Chain model, performing the Reconnaissance and Exploitation steps.
The CONTROL Test Pattern confirms exploit success. No security principles engaged.
Test Patterns "1, 2 and 3" are with NSX DMZ Anywhere.
VMware vSphere and NSX SDDC "Test-bed" with:
• Kali Linux "Exploited" machine launching attacks via Metasploit, db_nmap, hping3, etc.
• OpenEMR and OpenMRS workloads
• Windows 2008 R2 and 2012 R2 Enterprise for OpenEMR
• Debian 4 Linux w/ Apache/MySQL for OpenMRS
Test Results – Recon and the Design Patterns 1 - 3
• db_nmap used to probe and test
• Tested using a "Control" and "Test Protection" NSX DMZ Anywhere event
• Control – Open, NSX Rules turned "down" using allow policy or policy removed. Confirm recon success
• Test Protection – NSX Rules enabled to Block and Reject
Sample db_nmap output:
Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
|_http-favicon: Unknown favicon MD5: 4EF9F480B52CD52B5831077127502FDE
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
443/tcp open  ssl/http    Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
| ssl-cert: Subject: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
| Issuer: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
Firewall rule actions:
• Block: Block silently the traffic
• Allow: Allow the traffic
• Reject (introduced since NSX 6.1): Reject action will send back to initiator:
– RST packets for TCP connections
– ICMP unreachable with network administratively prohibited code for UDP, ICMP, and other IP connections
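As an added example (not from the deck, and not VMware's rule engine), the following models how an ordered, first-match distributed firewall policy applies the Pattern 1 zero-trust rules to the deck's three tiers (10.0.1.0/24 web, 10.0.2.0/24 app, 10.0.3.0/24 db) and what each action in the table above hands back to the initiator: Allow forwards, Block drops silently, Reject answers TCP with an RST and everything else with an ICMP administratively-prohibited unreachable. The allowed ports and the intra-db Reject rule are assumptions chosen to exercise every action, not rules taken from the benchmark.

```python
"""Zero-trust three-tier policy with Block / Allow / Reject semantics (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Tier subnets as used in the Pattern 1 diagram.
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db":  ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]     # tier name, or None for any source (e.g. the internet)
    dst: Optional[str]     # tier name, or None for any destination
    proto: Optional[str]   # "tcp" / "udp" / "icmp", or None for any protocol
    dport: Optional[int]   # destination port, or None for any
    action: str            # "allow" | "block" | "reject"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int = 0


# Ordered rule table: only the desired traffic is allowed, everything else
# falls through to the catch-all. Ports are assumed for illustration.
POLICY: List[Rule] = [
    Rule("inet-to-web", None,  "web", "tcp", 443,  "allow"),
    Rule("web-to-app",  "web", "app", "tcp", 8080, "allow"),
    Rule("app-to-db",   "app", "db",  "tcp", 3306, "allow"),
    Rule("intra-db",    "db",  "db",  None,  None, "reject"),  # assumed: noisy reject
    Rule("default-deny", None, None,  None,  None, "block"),
]


def tier_of(ip: str) -> Optional[str]:
    """Map an address to its tier; None for anything outside the three subnets."""
    addr = ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.src is None or rule.src == tier_of(flow.src_ip))
            and (rule.dst is None or rule.dst == tier_of(flow.dst_ip))
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Rule:
    """First-match evaluation, as in an ordered firewall rule table."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule
    raise ValueError("policy has no catch-all rule")


def response_to_initiator(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """What the initiator observes for the matched action."""
    action = evaluate(flow, policy).action
    if action == "allow":
        return "forwarded"
    if action == "block":
        return "silent drop"            # initiator only sees a timeout
    if flow.proto == "tcp":
        return "TCP RST"                # reject: immediate RST for TCP
    return "ICMP unreachable (admin prohibited)"   # reject: UDP, ICMP, other IP


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.10", "10.0.1.2", "tcp", 443),   # internet to web, desired
        Flow("10.0.1.2", "10.0.2.5", "tcp", 8080),      # web to app, desired
        Flow("10.0.1.2", "10.0.3.5", "tcp", 3306),      # web skipping the app tier
        Flow("10.0.3.5", "10.0.3.6", "tcp", 445),       # lateral move inside db tier
        Flow("10.0.3.5", "10.0.3.6", "udp", 137),
    ]
    for f in samples:
        print(f"{f.src_ip}->{f.dst_ip} {f.proto}/{f.dport}: "
              f"{evaluate(f).name} -> {response_to_initiator(f)}")
```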
Test Results – Sample of Attacks
Successful EternalBlue exploit results in the machine being "popped" and being dropped into the MS Command Shell with Administrator privileges.
Successful Java ARA exploit delivers a "mock penetration" payload JAR file to the browser, and confirmation of that event on the Kali exploitation machine.
Test Results – Methods Used to Benchmark Service Insertion Partner Firewalls with NSX DMZ Anywhere
• Identical testing model for Check Point and Palo Alto Networks next generation firewalls. Both firewall suites are provided as SVM utilizing NSX NetX extensibility framework
• Tested a "Control" and "Test Protection" scenario with Patterns 2 and 3 as in previous tests
• db_nmap used to recon, and recon is ALWAYS successful with Patterns 2/3
• Service insertion for L7 by Check Point and Palo Alto Networks where traffic steering is managed by the NSX network flow
• Control – NSX service insertion policy not applied. Confirmed exploit was successful without service insertion and inspection by partner solution
• Test Protection – NSX service insertion policy applied to insert next generation application firewall into the attack flow
Test Results – EternalBlue Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere
1. Deploy service with NSX
2. Service Composer to Set up Rules
3. Apply Policy to Security Groups
4. Confirm Attack via Event Logging
Test Results – Java ARA Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere
1. Deploy service with NSX
2. Service Composer to Set up Rules
3. Apply Policy to Security Groups
4. Confirm Attack via Event Logging
Test Results – EternalBlue Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere
1. Deploy service with NSX
2. Panorama to Define and Set up Security Groups
3. Use Steering rules and apply Security Policy
4. Confirm Attack via Event Logging
Test Results – Java ARA Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere
1. Deploy service with NSX
2. Panorama to Define and Set up Security Groups
3. Use Steering rules and apply Security Policy
4. Confirm Attack via Event Logging
Application Rule Manager – Demonstrated with OpenEMR review
• How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere?
• Application Rule Manager: A helpful NSX tool to visualize and understand the communication between tiers and among endpoints.
Endpoint Monitoring
How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere, from the perspective of endpoint application process network activity?
Endpoint Monitoring: [screenshot]
Use Case: De-scoping for Regulatory Compliance
Regulated data at rest and in motion must avoid being on the same network with non-regulated data VMs. Moving IPs, or moving to a DMZ, is difficult, costly and often impossible. DMZ Anywhere can apply the DFW rules to these VMs in place, and generate the zero-trust rules to protect the CHD.
In this PCI DSS example, machines in RED are in-scope and store, process or transmit cardholder data (CHD).
NSX DMZ Anywhere Benchmark Conclusions
Coalfire's objective was to determine if VMware NSX DMZ Anywhere can prevent E-W/N-S threats by performing a "micro audit" using representative malware and kill-chain methods, and scientifically measure the results. Testing focused on DMZ Anywhere in a stand-alone configuration and when used in a service insertion scenario with Palo Alto Networks and Check Point next-generation firewalls.
Coalfire's findings were:
• NSX DMZ Anywhere provided significant and real distributed firewall (DFW) protections against E-W threats and in inter-segment DMZ transfers between tiers of our test Windows and Linux three-tier workloads
• Policy-based controls, nested service group constructs, tight integration with VMware objects/meta-data, and the completeness/utility of tools (ARM / Endpoint Monitoring, etc.) of NSX DMZ Anywhere satisfied NIST SP 800-125B Requirements
• Specific testing of Application Rule Manager / Endpoint Monitoring confirmed an easy deployment path to zero trust implementation can be realized with NSX for DMZs
• Third-party service insertion was verified with the Palo Alto Networks and Check Point next-generation firewalls to support L4-L7 threat mitigation in L2 and L3 DMZ designs
More info - Whitepaper Coming Soon
• Publication of Whitepaper – September 2017
Key Takeaways
• DMZ Anywhere optimizes the DMZ, increasing security and saving capex and opex
• There are a number of DMZ deployment models enhanced by NSX
• NSX provides a platform to allow partners to secure the DMZ more efficiently
• Customers are building DMZs with NSX today organically
• NSX provides the necessary visibility and granular security needed to modernize the DMZ for today's application deployments