Post on 12-May-2019
SAI2041BU
NSX DMZ Anywhere: Modernizing the DMZ
Wade Holmes, Sr. Manager of Technical Product Management, VMware Networking and Security
Chris Krueger, Managing Principal, Security Architecture, Coalfire Systems, Inc.
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1 Introduction and Objectives
2 Current State and Challenges
3 DMZ Anywhere
4 DMZ Anywhere Design Patterns
5 Coalfire DMZ Anywhere Benchmark
6 Additional Resources
NSX Use Cases (diagram)
The slide positions NSX use cases at four levels (project, initiative, product, solution) on top of the NSX platform, grouped into three solution areas:
• Security: Micro-segmentation, Secure End User, DMZ Anywhere
• Automation: IT Automating IT, Developer Cloud, Multi-tenant Cloud
• App Continuity: Disaster Recovery, Multi Data Center Pooling, Cross Cloud
What is a DMZ?
A segment that acts as an intermediary between, and borders, a trusted network and an untrusted network (diagram: External | DMZ | Internal).
DMZ – Secure area with maximum security and visibility
Maximum Security? (diagram: External | DMZ | Internal)
DMZ Exposure
• There is *always* risk for an asset placed on a DMZ network
– It accepts incoming connections from a lower-trust zone (frequently the Internet)
– Even if a web server is fully patched and locked down to the allowed ports, it is still reachable, and therefore attackable, from other servers on the same L2 segment
• Backend connections (3-tier apps)
– Many services need connections back to databases or other servers; every connection allowed into a higher-trust network must be tightly restricted and closely monitored
Maximum Visibility? (diagram: External | DMZ | Internal)
DMZs in the Enterprise – Scale? (diagram: External | DMZ | Internal)
Traditional DMZ Design Principles
Assumption is that any infrastructure component exposed to the external network is inherently “vulnerable” and is always at risk.
There is a need for isolation at the hardware, network and software layers.
1. Purely Physical DMZ
2. Partially Collapsed DMZ with Physical Separation of Trust Zones
3. Partially Collapsed DMZ with VLAN Separation of Trust Zones
Many Ways to Screw Up a DMZ Network
• Network segmentation
– Too large a blast radius
– Servers of differing criticality in the same segment
– Failure to separate the DMZ from the internal network
• Too many connections allowed into higher-trust networks
• DMZ servers sharing resources with internal networks
– Admin passwords, DNS, AD
• Success of a DMZ is highly dependent on the overall architecture and implementation
• Few generally accepted, industry-wide guidelines
• No single product makes a secure DMZ; it takes a solution together with people and process
DMZ in Trouble
The need for secure DMZs as part of the security architecture keeps increasing.
Server breaches
• 63% of confirmed data breaches used weak, default or stolen credentials
• Phishing!
• Let anyone on the Internet access a server? That server should be on a DMZ, unless the access comes over a higher-trust path (managed device, 2FA, remote-access VPN, site-to-site VPN)
• 20,000 incidents of websites used to host malware, participate in DDoS, or altered to serve up a phishing site
• 2,800 website defacements
• 95% of confirmed web app breaches tied to criminals
Also in scope: mobile applications, end-user computing, cloud
A Reality Check
• 53% of breaches were discovered by external parties (partner, customer, law enforcement, etc.) who then notified the victim
✓ 320 days = time until 3rd-party detection
• 47% detected internally
✓ 56 days = time until internal detection
Source: FireEye M-Trends report 2016
Anatomy of an Attack - Target (about 1 month end to end)
• Network breached Nov 12th
• First POS devices compromised Nov 15th
• Warnings from 2 vendors ignored
• Start of data exfiltration
• Fully deployed and upgraded Dec 2nd
• DOJ contacts Target Dec 12th
• Breach contained Dec 15th
• 40M credit cards & 70M client records
Target: Even Big Organizations Get It Wrong
…when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target’s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:
“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”
Who Controls the DMZ?
• Network Team?
• Security Team?
• Outsourced? System Integrator and System Outsourcer (SISO)?
• Separate team with separate security budget - Perimeter Team
DMZ Anywhere
DMZ security principles decoupled from the physical infrastructure, for both network and compute, to maximize the security, visibility, scalability and efficiency of DMZs.
Building blocks:
• Network Virtualization
• Distributed Firewall
• Service Insertion
• Service Visibility
• NSX + AirWatch Integration
Architectural options may differ depending on factors such as:
• Security stance
• Virtualization maturity
• Operational posture
• Target environment
DMZ? Think DMZ Anywhere.
© 2016 VMware Inc. All rights reserved.
DMZ Anywhere Design Patterns
Existing DMZ – Three vCenter (diagram)
Three separate vCenter instances: one for the dedicated DMZ vSphere hosts, one for the non-DMZ vSphere hosts, and one for the OOB network and management systems (jump boxes, OOB services, management services, vCenter services).
DMZ side: Internet edge, e-commerce, extranet, corp access, branch block and VPN block, fronted by the DMZ firewall, IPS and WAF and by DMZ routing.
Internal side: internal routing/firewall in front of internal services, DB systems, developer cloud and internal VDI.
Existing DMZ – Dual vCenter (diagram)
Same DMZ and internal blocks as above, with two vCenter instances: one for the dedicated DMZ vSphere hosts and one for the non-DMZ vSphere hosts. The OOB network and management systems (jump boxes, OOB services, management services, vCenter services) remain a separate block.
Existing DMZ – Single vCenter (diagram)
A single vCenter manages both a dedicated DMZ vSphere cluster and a non-DMZ vSphere cluster; the OOB network and management systems (jump boxes, OOB services, management services, vCenter services) sit alongside. DMZ and internal blocks as above.
Adding DFW to a Compute / DMZ Block (diagram)
The DMZ firewall, IPS and WAF and the DMZ routing stay in place between the Internet edge and the internal routing/firewall; a stateful distributed firewall (DFW) policy is added at the vNIC of each DMZ workload.
Adding DFW and Advanced Services to a Compute / DMZ Block (diagram)
As above, with partner advanced services inserted into the DMZ block alongside the stateful DFW.
DMZ Anywhere ESG, Service Insertion, Single VC (diagram)
Any vSphere host in the vCenter can carry DMZ workloads: an Edge Services Gateway (ESG) sits behind the Internet edge, traffic steering sends flows to partner advanced services, and a stateful DFW on every vNIC provides controlled communication between DMZ and non-DMZ workloads and toward the internal routing/firewall.
DMZ Anywhere DLR, ESG, Service Insertion, Single VC (diagram)
As above, with a Distributed Logical Router (DLR) added below the ESG for routing between the DMZ logical switches.
Multi-vCenter DMZ Anywhere with Universal Logical Switch (diagram)
vCenter 1 and vCenters 2-8 each keep their own Internet edge, DMZ firewall/IPS/WAF, DMZ routing and internal routing/firewall; a universal logical switch spans the vCenters so DMZ workloads can run on any vSphere host in any of them, with the DFW enforced at each vNIC.
Multi-VC DMZ Anywhere Local Logical Switch (diagram)
Each vCenter keeps a local logical switch with its own Internet edge and internal routing/firewall; the stateful DFW provides controlled communication within each site, and workloads can run on any vSphere host in that vCenter.
ESG / DLR Design Considerations
• There can be one routing topology for all DMZ functions, or multiple topologies for different DMZ functions.
• Routing logic should be separated for DMZ and core data center network functions (a minimum of two DLRs per deployment).
• Routing between DLRs must pass through an ESG. One or more ESGs can be used for this function, but with the ESG firewall enabled there is no support for ECMP.
• The same rules apply to Universal objects, such as the UDLR.
– Version 6.3 supports multiple universal sections, allowing separation of internal and DMZ universal rules.
Single Transit Zone, Dual DLR (diagram)
One transit zone across any vSphere host in the vCenter; DMZ VMs and non-DMZ VMs hang off separate DLRs, each with stateful DFW and controlled communication toward the Internet edge.
Dual Transit Zone (diagram)
A DMZ transit zone and a non-DMZ transit zone; a workload can run on any vSphere host in its assigned transit zone, with stateful DFW and controlled communication in each zone.
Per Application DMZ (diagram)
Each application gets its own DMZ policy: DMZ routing behind the Internet edge, the internal routing/firewall toward the inside, and a stateful DFW policy scoped to that application.
Traffic Visibility in the Virtualized DMZ Network
Capture Points
• vRealize Network Insight
– DFW Flow Data
– vSwitch Flow Data
– Uplink Flow Data
– Physical Switch Flow Data
– Firewall Rule Data
• Application Rule Manager
– Flow Data - vNIC
• Endpoint Monitor
– File/Binary/EXE
– Socket
• Log Insight
– Firewall Rule Logs
– ESG Syslog
– NSX Manager Syslog
– NSX Controller Syslog
– vSphere Syslog
– vCenter Syslog
– Physical Switch Syslog
– Physical Server Syslog
VM Connectivity Options – Single vNIC (diagram)
Security enforcement point: the vNIC (stateful DFW).
• Policy applied via the following locations
– Data Center
– Cluster
– VM
– Security Group
– vNIC
– Logical Switch
VM Connectivity Options – Dual vNIC (diagram)
Same enforcement point (stateful DFW at each vNIC) and the same policy locations, with the policy applied to both vNICs.
NSX and AirWatch (diagram)
Distributed segmentation with network overlay isolation: security groups SG1, SG2, SG3 and SG-web on logical switches behind a Distributed Logical Router, with the stateful DFW providing controlled communication. An NSX Edge Services Gateway provides load balancing with SSL pass-through and sticky sessions to AirWatch Tunnel 1 and Tunnel 2 (Unified Gateway) on a VLAN-backed DVS transit network. Management: NSX Manager, the NSX for AirWatch admin console and the VMware Enterprise Systems Connector.
DMZ Anywhere Benchmark Whitepaper Preview
Coalfire Systems 2017 Benchmark of DMZ Anywhere
Chris Krueger, Managing Principal, Security Architecture, Coalfire Systems, Inc.
Benchmark of NSX DMZ Anywhere Concept
• Coalfire’s 3PAO and Cyber Engineering organizations see a significant requirement in all regulations (PCI DSS, HIPAA, FedRAMP, CJIS, NERC CIP, GDPR, etc.) for strong DMZ network segmentation to “reduce scope”
• This 2017 benchmark is the next step in independent validation of the NSX product
• Focus on an SDDC implementation with 3-tier workloads
• Using pen test and exploit methodologies
• Service insertion partner products working with NSX DMZ Anywhere for L4-7 effectiveness: Palo Alto Networks and Check Point
About Coalfire
• Thought-leader and go-to advisor in the fast-growing cybersecurity market
• More than 1,600 customers in a broad set of industry sectors
• More than 550 employees in 14 locations in North America and Europe
Coalfire Serves
• 530 Cloud, SaaS and Technology Clients
• 471 merchants and 241 payment service providers
• 290 HIPAA covered entities and business associates
• 291 clients in banks, insurance and asset management
• 240 clients across federal, state and local government and higher education
• 21 clients in power, water, energy and gas
NSX Benchmark from 2016
• Introduced Micro-Segmentation and VMware NSX in September 2016
• Review against the NIST SP 800-125B standard
• Overview of the NSX “Micro-Audit” of E-W threat mitigation
• Network design patterns and test methodology
– Threat simulation
– Attack via Metasploit Framework
– Micro-segmentation design patterns
• Validation exercises and findings
– Patterns 1a/b through 5a/b
– Stateful firewall validation
– ALG traffic enforcement
• Conclusion and opinion
• Published September 2016
NSX Benchmarks Past and Forthcoming
• September 2016 NSX Micro-Segmentation Cybersecurity Benchmark: first testing of NSX by a third party
• Current presentation on NSX DMZ Anywhere today, with new benchmark results being previewed and a September 2017 release
• New benchmark evaluation and creation of an NSX DMZ-T whitepaper for containerized workloads, also in September 2017
Design Overview and Testing Focus
• Three design patterns tested, plus a no-controls control pattern
• Two workloads in the NSX-protected SDDC used to simulate customer workloads: OpenEMR and OpenMRS
• Two-vCenter multi-tenant design implementation: Edge/Management and Compute
• Workloads reside in the compute vCenter, in a single vSphere cluster
• Simulation of an intruder on a vulnerable network segment of the design pattern, positioned to do maximum damage
• Use of NSX tools reviewed: Application Rule Manager and Endpoint Monitoring
• Service insertion partners Check Point and Palo Alto Networks used to demonstrate L4-7 protection
Control Pattern (diagram)
A “no controls” network, open without restriction between VLANs: web, app and DB tiers on any vSphere host in the vCenter, behind the Internet edge and the internal routing/firewall.
Pattern 1 – Distributed Firewall and DLR (diagram)
Micro-segmentation via a stateful Distributed Firewall (DFW) blocking east-west traffic. Intra-tier traffic protected using a zero-trust model (rules for desired traffic only). Distributed Logical Router (DLR) with VXLAN network overlay segmentation for the tiers: Web tier 10.0.1.0/24, App tier 10.0.2.0/24, DB tier 10.0.3.0/24, on any vSphere host in the vCenter, with controlled communication between tiers.
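The Pattern 1 policy as a runnable model, added here as an example (not code from the deck, from Coalfire's benchmark or from NSX): a first-match rule list with a trailing default deny, evaluated per flow the way a DFW section is read top to bottom. It also illustrates the DMZ Exposure point that a vNIC-enforced policy stops lateral movement between servers on the same L2 segment, and the Block versus Reject actions listed in the benchmark's recon results. The tier subnets are the ones in Pattern 1; the service ports (443, 8080, 3306), the attacker address 10.0.1.50 and the subnet-based group membership are assumptions.

```python
"""Pattern 1 zero-trust policy as a first-match rule model (added example,
not NSX code). Tier subnets are from Pattern 1; ports and the attacker
address are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security groups keyed by tier. Membership here is by subnet for brevity
# (assumption: in NSX it would normally be by tag or VM name).
GROUPS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}


def group_of(ip: str) -> str:
    """Return the security group of an address, or 'external' for anything else."""
    addr = ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # group name or "any"
    dst: str             # group name or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow", "block" or "reject"
    applied_to: str = "any"  # group whose vNICs enforce this rule

    def matches(self, src_grp: str, dst_grp: str, proto: str, port: Optional[int]) -> bool:
        return (self.src in ("any", src_grp)
                and self.dst in ("any", dst_grp)
                and self.proto in ("any", proto)
                and (self.port is None or self.port == port)
                and self.applied_to in ("any", src_grp, dst_grp))


# Rules for desired traffic only; everything else falls through to the deny.
PATTERN1_RULES = [
    Rule("internet-to-web", "external", "web", "tcp", 443, "allow", applied_to="web"),
    Rule("web-to-app", "web", "app", "tcp", 8080, "allow"),
    Rule("app-to-db", "app", "db", "tcp", 3306, "allow"),
    # Reject (not silently block) whatever web servers try on their own, so a
    # scanner on a compromised web VM gets RST/ICMP back instead of timeouts.
    Rule("reject-from-web", "web", "any", "any", None, "reject"),
    Rule("default-deny", "any", "any", "any", None, "block"),
]


def evaluate(rules, src_ip: str, dst_ip: str, proto: str, port: Optional[int] = None):
    """First matching rule wins, as a DFW section is read top to bottom.
    Returns (rule name, action)."""
    src_grp, dst_grp = group_of(src_ip), group_of(dst_ip)
    for rule in rules:
        if rule.matches(src_grp, dst_grp, proto, port):
            return rule.name, rule.action
    raise ValueError("rule list has no default rule")


def reject_response(proto: str) -> str:
    """What the initiator receives for a 'reject' action (per the NSX action table)."""
    if proto == "tcp":
        return "TCP RST"
    return "ICMP unreachable, administratively prohibited"


if __name__ == "__main__":
    probes = [
        ("203.0.113.7", "10.0.1.2", "tcp", 443),   # internet to web: allowed
        ("10.0.1.2", "10.0.2.10", "tcp", 8080),    # web to app: allowed
        ("10.0.2.10", "10.0.3.10", "tcp", 3306),   # app to db: allowed
        ("10.0.1.2", "10.0.3.10", "tcp", 3306),    # web straight to db: rejected
        ("10.0.1.50", "10.0.1.2", "tcp", 445),     # same-L2 lateral SMB: rejected
        ("203.0.113.7", "10.0.1.2", "tcp", 445),   # internet to web SMB: blocked
    ]
    for src, dst, proto, port in probes:
        name, action = evaluate(PATTERN1_RULES, src, dst, proto, port)
        extra = f" ({reject_response(proto)})" if action == "reject" else ""
        print(f"{src} -> {dst} {proto}/{port}: {action} by {name}{extra}")
```

The same-L2 probe is the one to watch: 10.0.1.50 and 10.0.1.2 share a subnet and would never cross a perimeter firewall, yet the vNIC-level rule still answers with a reject. Rule order matters; moving "default-deny" above "reject-from-web" would silently drop those probes instead, which is the Block behaviour.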
Pattern 2 – Distributed Firewall, DLR and Service Insertion (diagrams)
Pattern 1 plus a next-generation firewall inserted for L4-7 inspection and response, with traffic steering to the partner advanced services. Tested twice with the same tiers (Web 10.0.1.0/24, App 10.0.2.0/24, DB 10.0.3.0/24): once with Check Point vSEC and once with Palo Alto Networks VM-Series.
Pattern 3 – Distributed Firewall with Service Insertion (diagrams)
L4-7 protection using the partner firewall for inspection and response, again tested with both Palo Alto Networks VM-Series and Check Point vSEC. Similar to Pattern 2, except with the removal of the Distributed Logical Router: L2 VLAN segmentation was used for the web, app and DB tiers together with the Edge Gateway / DFW.
Testing and Exploits Used
As with the 2016 benchmark, we used a Kali Linux based testing VM loaded with a suite of penetration testing tools and the Metasploit Framework.
Kali Linux is used to simulate a fully compromised, previously exploited machine at its most extreme level of lethality. The machine is positioned in the design pattern networks as an optimal attacker; it is denoted by the VM symbol in our design pattern diagrams.
• db_nmap reconnaissance tool – scans from the Kali VM against east-west (L2) target VMs and, across application tiers, the north-south (L3) targets
• WannaCry exploit – based on EternalBlue MS17-010 (CVE-2017-0143) as the cryptovirus / ransomware candidate
• Java AtomicReferenceArray – type violation vulnerability (CVE-2012-0507) as the application-based browser/Java exploit
Test Methodology – Using Metasploit: NSX DMZ Anywhere “Micro-audit”
Simulate an actual automated or human-initiated attack, using tools and exploits that are real.
Follow the kill-chain model, performing the Reconnaissance and Exploitation steps.
The CONTROL test pattern confirms exploit success.
Test Patterns 1, 2 and 3 are with NSX DMZ Anywhere security principles engaged.
VMware vSphere and NSX SDDC “test-bed” with:
• Kali Linux “exploited” machine launching attacks via Metasploit, db_nmap, hping3, etc.
• OpenEMR and OpenMRS workloads
• Windows 2008 R2 and 2012 R2 Enterprise for OpenEMR
• Debian 4 Linux with Apache/MySQL for OpenMRS
Test Results – Recon and the Design Patterns 1 - 3
• db_nmap used to probe and test
• Tested using a “Control” and a “Test Protection” NSX DMZ Anywhere event
• Control – open: NSX rules turned “down” using an allow policy, or policy removed. Confirms recon success.
• Test Protection – NSX rules enabled to Block and Reject
Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
|_http-favicon: Unknown favicon MD5: 4EF9F480B52CD52B5831077127502FDE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
| ssl-cert: Subject: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
| Issuer: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
DFW rule actions:
Action | Description
Block | Silently drop the traffic
Allow | Allow the traffic
Reject (introduced in NSX 6.1) | Send back to the initiator: RST packets for TCP connections; ICMP unreachable with the “network administratively prohibited” code for UDP, ICMP and other IP connections
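A parser for scan reports in this format, added here as an example (not code from the deck or from Coalfire's benchmark), so the recon result can be diffed against what a tier is supposed to expose instead of being read by eye. The first report below is a constructed copy of the web-tier report above, with the “Not shown” count adjusted to the four ports reproduced; the second, all-filtered report stands in for a Test Protection run and is also constructed; the per-tier baseline is an assumption.

```python
"""Parse nmap normal-format output and compare exposed ports against a
per-tier baseline. Added example; both reports below are constructed."""
import re

# Constructed: the web-tier scan from the Control run, four open ports.
CONTROL_REPORT = """\
Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
443/tcp open  ssl/http    Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
"""

# Constructed: the same host with the DFW set to block, as in a Test Protection run.
PROTECTED_REPORT = """\
Nmap scan report for 10.0.1.2
Host is up (0.00051s latency).
All 1000 scanned ports on 10.0.1.2 are filtered
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# What a scanner should be able to see per tier (assumption for this example).
TIER_BASELINE = {
    "web": {("tcp", 80), ("tcp", 443)},
    "app": {("tcp", 8080)},
    "db": {("tcp", 3306)},
}


def parse_nmap(report: str) -> dict:
    """Return {host: [{port, proto, state, service, version}, ...]}."""
    hosts, current = {}, None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": (version or "").strip(),
            })
    return hosts


def unexpected_exposure(hosts: dict, tier: str) -> list:
    """Open ports outside the tier's baseline: each one is either a
    segmentation gap or a service that should not be on a DMZ host at all."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] == "open" and (p["proto"], p["port"]) not in TIER_BASELINE[tier]:
                findings.append((host, p["port"], p["service"]))
    return findings


def recon_succeeded(hosts: dict) -> bool:
    """True if the scan learned anything, i.e. at least one open port."""
    return any(p["state"] == "open" for ports in hosts.values() for p in ports)


if __name__ == "__main__":
    for label, report in (("control", CONTROL_REPORT), ("protected", PROTECTED_REPORT)):
        hosts = parse_nmap(report)
        print(label, "recon succeeded:", recon_succeeded(hosts),
              "unexpected:", unexpected_exposure(hosts, "web"))
```

On the control report the two findings are 135/msrpc and 139/netbios-ssn: Windows RPC and NetBIOS answering on a DMZ web server is exactly the shared-internal-services exposure the earlier slides warn about, and it is visible from any neighbour on the same segment. The protected report parses to a host with no open ports, which is what a successful Test Protection run looks like to the scanner.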
Test Results – Sample of Attacks
Successful EternalBlue exploit results in the machine being “popped” and being dropped into the MS Command Shell with Administrator privileges
Successful Java ARA exploit delivers a “mock penetration” payload JAR file to the browser, and confirmation of that event on the Kali exploitation machine
Test Results – Methods Used to Benchmark Service Insertion Partner Firewalls with NSX DMZ Anywhere
• Identical testing model for the Check Point and Palo Alto Networks next-generation firewalls. Both firewall suites are provided as SVMs using the NSX NetX extensibility framework
• Tested a “Control” and a “Test Protection” scenario with Patterns 2 and 3, as in the previous tests
• db_nmap used for recon; recon is ALWAYS successful with Patterns 2/3
• Service insertion for L7 by Check Point and Palo Alto Networks, where traffic steering is managed by the NSX network flow
• Control – NSX service insertion policy not applied. Confirmed the exploit was successful without service insertion and inspection by the partner solution
• Test Protection – NSX service insertion policy applied to insert the next-generation application firewall into the attack flow
Test Results – EternalBlue and Java ARA Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere
Same four steps for both exploits:
1. Deploy the service with NSX
2. Use Service Composer to set up the rules
3. Apply the policy to security groups
4. Confirm the attack via event logging
Test Results – EternalBlue and Java ARA Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere
Same four steps for both exploits:
1. Deploy the service with NSX
2. Use Panorama to define and set up security groups
3. Use steering rules and apply the security policy
4. Confirm the attack via event logging
Application Rule Manager – Demonstrated with OpenEMR review
• How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere?
• Application Rule Manager: a helpful NSX tool to visualize and understand the communication between tiers and among endpoints.
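A worked version of the Application Rule Manager workflow, added here as an example (not ARM's code, the deck's or Coalfire's): collect the flows a workload actually generates, collapse them into per-group allow rules with a trailing default deny, and, before publishing, pull out the backend connections from the DMZ into higher-trust internal services (shared AD, DNS) that the earlier DMZ slides warn about. The inventory, the flow records and the approved-backend list are constructed; real ARM flow data is collected at the vNIC and keyed on NSX objects, which this simplified tuple form does not reproduce.

```python
"""Derive candidate DFW allow rules from observed flows, ARM-style, and flag
DMZ-to-internal backend flows before they become rules. Added example with
constructed data; not ARM's own code."""
from collections import Counter

# Constructed inventory: VM name -> (security group, trust zone)
INVENTORY = {
    "web-01": ("web", "dmz"),
    "web-02": ("web", "dmz"),
    "app-01": ("app", "dmz"),
    "db-01": ("db", "dmz"),
    "dc-01": ("ad", "internal"),
    "dns-01": ("dns", "internal"),
}

# Constructed flow records in a simplified ARM-like shape: (src_vm, dst_vm, proto, port)
OBSERVED_FLOWS = [
    ("web-01", "app-01", "tcp", 8080),
    ("web-02", "app-01", "tcp", 8080),
    ("web-01", "app-01", "tcp", 8080),
    ("app-01", "db-01", "tcp", 3306),
    ("web-01", "dns-01", "udp", 53),
    ("web-02", "dc-01", "tcp", 445),  # DMZ web server reaching internal AD over SMB
    ("web-01", "dc-01", "tcp", 389),  # LDAP to the same domain controller
]

# Backend connections into the internal zone that are approved (assumption:
# DMZ hosts may resolve against internal DNS and nothing else).
APPROVED_BACKEND = {("web", "dns", "udp", 53)}


def aggregate_flows(flows, inventory):
    """Collapse per-VM flows into per-group (src, dst, proto, port) with hit counts."""
    counts = Counter()
    for src, dst, proto, port in flows:
        counts[(inventory[src][0], inventory[dst][0], proto, port)] += 1
    return counts


def flag_backend_flows(flows, inventory, approved):
    """Observed DMZ-to-internal flows that are not on the approved list.
    Publishing rules without reviewing these would turn a shared-service
    habit (AD, file shares) into a permanent allow rule."""
    flagged = set()
    for src, dst, proto, port in flows:
        src_grp, src_zone = inventory[src]
        dst_grp, dst_zone = inventory[dst]
        key = (src_grp, dst_grp, proto, port)
        if src_zone == "dmz" and dst_zone == "internal" and key not in approved:
            flagged.add(key)
    return sorted(flagged)


def generate_rules(flows, inventory, exclude=()):
    """One allow rule per observed group tuple (minus exclusions) followed by a
    default deny, the shape ARM publishes into a DFW section."""
    rules = []
    for key, hits in sorted(aggregate_flows(flows, inventory).items()):
        if key in exclude:
            continue
        src, dst, proto, port = key
        rules.append({"name": f"{src}-to-{dst}-{proto}-{port}", "src": src,
                      "dst": dst, "proto": proto, "port": port,
                      "action": "allow", "observed": hits})
    rules.append({"name": "default-deny", "src": "any", "dst": "any",
                  "proto": "any", "port": None, "action": "block", "observed": 0})
    return rules


if __name__ == "__main__":
    flagged = flag_backend_flows(OBSERVED_FLOWS, INVENTORY, APPROVED_BACKEND)
    print("review before publishing:", flagged)
    for rule in generate_rules(OBSERVED_FLOWS, INVENTORY, exclude=set(flagged)):
        print(rule["name"], rule["action"], "observed", rule["observed"])
```

Without the exclusion step the two AD flows would become allow rules with the same standing as the web-to-app rule, which is the Target failure mode in miniature: a DMZ application server with a path to the corporate directory. The "observed" count is kept on each rule so that rules backed by a single flow can be questioned before the section goes live.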
Endpoint Monitoring
How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere, from the
perspective of endpoint application process network activity?
Endpoint Monitoring:
Use Case: De-scoping for Regulatory Compliance
Regulated data at rest and in motion must not sit on the same network as non-regulated data VMs. Re-addressing VMs, or moving them into a DMZ, is difficult, costly and often impossible.
In this PCI DSS example, machines in RED are in scope: they store, process or transmit cardholder data (CHD). DMZ Anywhere can apply DFW rules to these VMs in place and generate the zero-trust rules that protect the CHD.
NSX DMZ Anywhere Benchmark Conclusions
Coalfire’s objective was to determine whether VMware NSX DMZ Anywhere can prevent E-W/N-S threats by performing a “micro audit” using representative malware and kill-chain methods, and to measure the results scientifically. Testing focused on DMZ Anywhere in a stand-alone configuration and when used in a service insertion scenario with Palo Alto Networks and Check Point next-generation firewalls.
Coalfire’s findings were:
• NSX DMZ Anywhere provided significant and real distributed firewall (DFW) protections against E-W threats and in inter-segment DMZ transfers between tiers of our test Windows and Linux three-tier workloads
• Policy-based controls, nested service group constructs, tight integration with VMware objects/metadata, and the completeness/utility of the NSX DMZ Anywhere tools (ARM, Endpoint Monitoring, etc.) satisfied NIST SP 800-125B requirements
• Specific testing of Application Rule Manager / Endpoint Monitoring confirmed that an easy deployment path to a zero-trust implementation can be realized with NSX for DMZs
• Third-party service insertion was verified with the Palo Alto Networks and Check Point next-generation firewalls to support L4-L7 threat mitigation in L2 and L3 DMZ designs
More info - Whitepaper Coming Soon
• Publication of Whitepaper– September 2017
Key Takeaways
• DMZ Anywhere optimizes the DMZ, increasing security and saving capex and opex
• There are a number of DMZ deployment models enhanced by NSX
• NSX provides a platform that allows partners to secure the DMZ more efficiently
• Customers are building DMZs with NSX today, organically
• NSX provides the visibility and granular security needed to modernize the DMZ for today’s application deployments