SAI2041BE NSX DMZ Anywhere: Modernizing the DMZ

Wade Holmes, Sr. Manager of Technical Product Management, VMware Networking and Security

Chris Krueger, Coalfire Systems, Inc., Managing Principal, Security Architecture

#VMworld #SAI2041BE

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#SAI2041BE CONFIDENTIAL

Agenda

1 Introduction and Objectives

2 Current State and Challenges

3 DMZ Anywhere

4 DMZ Anywhere Design Patterns

5 Coalfire DMZ Anywhere Benchmark

6 Additional Resources

NSX Use Cases

[Figure: NSX use cases layered from the NSX Platform up through Project, Initiative, Product and Solution levels, under three pillars (Security, Automation, App Continuity / SDDC). Use cases named: Micro-segmentation, DMZ Anywhere, Secure End User, IT Automating IT, Developer Cloud, Multi-tenant Cloud, Disaster Recovery, Multi Data Center Pooling, Cross Cloud.]

What is a DMZ?

A segment that acts as an intermediary and borders a trusted network and an untrusted network.

[Figure: External – DMZ – Internal]

DMZ – Secure area with maximum security and visibility

Traditional DMZ Design Principles

Assumption is that any infrastructure component exposed to the external network is inherently “vulnerable” and is always at risk.

There is a need for isolation at the hardware, network and software layers:

1. Purely Physical DMZ

2. Partially Collapsed DMZ with Physical Separation of Trust Zones

3. Partially Collapsed DMZ with VLAN Separation of Trust Zones

Maximum Security?

[Figure: External – DMZ – Internal]

DMZ Exposure

• There is *always* a risk for an asset placed on a DMZ network

– It’s allowing incoming connections from a lower trust zone (frequently the internet)

– Even if a webserver is completely patched and locked down for allowed ports, it’s still vulnerable to attack from other servers on the same L2 network

• Backend Connections (3-tier apps)

– Many services require connections back to other DBs or servers; allowed connections into higher-trust networks must be closely monitored and restricted

Maximum Visibility?

[Figure: External – DMZ – Internal]

DMZs in the Enterprise – Scale?

[Figure: External – DMZ – Internal, repeated across multiple DMZs]

DMZ in Trouble

The need for secure DMZs as a part of security architecture increases.

Server Breaches

• 81% of confirmed data breaches used weak/default/stolen credentials

• 20,000 incidents of websites used to host malware, participate in DDoS, or altered to serve a phishing site

• 2,800 website defacements

• 95% of confirmed web app breaches tied to criminals

• Mobile Applications

• End-User Computing

• Cloud

A Reality Check

• 53% of breaches were discovered by external parties (partner, customer, law enforcement, etc.) who then notified the victim

✓ 320 days = time until 3rd-party detection

• 47% detected internally

✓ 56 days = time until internal detection

Source: FireEye M-Trends report 2016

Anatomy of an Attack - Target (about 1 month)

• Breach of network Nov 12th

• First POS compromised Nov 15th

• Warning from 2 vendors ignored

• Start of data exfiltration

• Fully deployed and upgraded Dec 2nd

• DOJ contacts Target Dec 12th

• Breach contained Dec 15th

• 40M credit cards & 70M client records

Target: Even Big Organizations Get It Wrong

…when a work order for an external vendor is created, the payment is collected through the Ariba system: Vendors log into Ariba, complete the necessary steps to close out the work order and they are later paid. But how would the attackers have moved from Target’s external billing system into an internal portion of the network occupied by point-of-sale devices? The former Target network expert has a theory:

“I know that the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application,” the source said. “Most, if not almost all, internal applications at Target used Active Directory (AD) credentials and I’m sure the Ariba system was no exception. I wouldn’t say the vendor had AD credentials but that the internal administrators would use their AD login to access the system from inside. This would mean the server had access to the rest of the corporate network in some form or another.”

Poor DMZ Design

• Network Segmentation

– Too large a blast area

– Servers with differing criticality

– Failure to separate from the internal network

• Too many connections allowed to higher-trust networks

• DMZ servers using the same resources as internal networks

– Admin passwords, DNS, AD

• Success of a DMZ is highly dependent on overall architecture/implementation

• Few generally accepted, industry-wide guidelines

• No one product makes a secure DMZ – it requires a solution along with people/process

Who Controls the DMZ?

• Network Team?

• Security Team?

• Outsourced? System Integrator and System Outsourcer (SISO)?

• Many times a separate team with a separate security budget – the Perimeter Team

DMZ Anywhere

Architectural options may differ depending on factors such as:

• Security stance

• Virtualization maturity

• Operational posture

• Target environment

DMZ Anywhere building blocks: Network Virtualization, Distributed Firewall, Service Insertion, Service Visibility, NSX + AirWatch Integration.

DMZ security principles decoupled from physical infrastructure for both Network + Compute to maximize security, visibility, scalability, and efficiency of DMZs.

DMZ? Think DMZ Anywhere

© 2016 VMware Inc. All rights reserved.

DMZ Anywhere Design Patterns


Existing DMZ – Three vCenter

[Figure: Existing DMZ with three vCenters. External-facing blocks (Internet, Corp Access, Branch Block, VPN Block, Ecommerce, Extranet, Internet Edge) pass through DMZ FW, IPS and WAF and DMZ Routing into dedicated DMZ vSphere hosts with their own vCenter. Internal Routing/Firewall fronts the Internal Services (DB Systems, Developer Cloud, Internal VDI) on non-DMZ vSphere hosts with a second vCenter. The OOB Network and MGMT Systems block (Jump Boxes, OOB Services, MGMT Services, vCenter Services) holds the third vCenter.]

Existing DMZ – Dual vCenter

[Figure: Same blocks as the three-vCenter design (Internet, Corp Access, Branch Block, VPN Block, Ecommerce, Extranet, Internet Edge; DMZ FW, IPS and WAF; DMZ Routing; Internal Routing/Firewall; Internal Services; OOB Network and MGMT Systems), with the vCenter count reduced to two across the dedicated DMZ vSphere hosts, the non-DMZ vSphere hosts and the management block.]

Existing DMZ – Single vCenter

[Figure: A dedicated DMZ vSphere cluster and a non-DMZ vSphere cluster managed by a single vCenter, behind the same DMZ FW, IPS and WAF, DMZ Routing and Internal Routing/Firewall blocks, with Internal Services (DB Systems, Developer Cloud, Internal VDI) and the OOB Network and MGMT Systems block (Jump Boxes, OOB Services, MGMT Services, vCenter Services).]

Adding DFW to a Compute / DMZ Block

[Figure: Internet → Internet Edge → DMZ FW, IPS and WAF → DMZ Routing → Internal Routing/Firewall, with a stateful DFW policy now enforced at the workloads inside the DMZ block.]

Adding DFW and Advanced Services to a Compute / DMZ Block

[Figure: As the previous slide (Internet → Internet Edge → DMZ Routing → Internal Routing/Firewall, stateful DFW policy at the workloads), with advanced services added to the DMZ block.]

DMZ Anywhere ESG, Service Insertion, Single VC

[Figure: DMZ workloads on any vSphere host in the vCenter; Internet → Internet Edge; stateful DFW on each workload with controlled communication between segments; traffic steering to partner advanced services; Internal Routing/Firewall toward the internal network.]

DMZ Anywhere DLR, ESG, Service Insertion, Single VC

[Figure: As the ESG design, with a DLR added: DMZ workloads on any vSphere host in the vCenter, stateful DFW with controlled communication, traffic steering to partner advanced services, Internet → Internet Edge, Internal Routing/Firewall.]

Multi-vCenter DMZ Anywhere with Universal Logical Switch

[Figure: vCenter 1 and vCenters 2-8, each with Internet → Internet Edge → DMZ FW, IPS and WAF → DMZ Routing → Internal Routing/Firewall; DMZ workloads on any vSphere host in any of the vCenters, attached to a universal logical switch and protected by the DFW.]

Multi-VC DMZ Anywhere Local Logical Switch

[Figure: Two vCenters, each with Internet → Internet Edge → Internal Routing/Firewall; DMZ workloads on any vSphere host in each vCenter, attached to a local logical switch, with stateful DFW and controlled communication per vCenter.]

ESG / DLR Design Considerations

• Can be one routing topology for all DMZ functions, or multiple routing topologies for DMZ functions

• Routing logic should be separated for DMZ and core data center network functions (minimum two DLRs) for a deployment.

• Routing between DLRs must pass through an ESG. You can use one or more ESGs for this function, but with the ESG Firewall (stateful services) in the deployment there is no support for ECMP.

• The same rules apply for Universal objects, such as the UDLR, as well.

– Version 6.3 supports multiple universal sections, allowing a separation of Internal and DMZ Universal rules.

Single Transit Zone, Dual DLR

[Figure: One transit zone; DMZ VMs and non-DMZ VMs on any vSphere host in the vCenter, each group behind its own DLR with stateful DFW and controlled communication; Internet → Internet Edge.]

Dual Transit Zone

[Figure: A DMZ Transit Zone and a Non-DMZ Transit Zone; workloads on any vSphere host in the assigned transit zone, stateful DFW and controlled communication per zone; Internet → Internet Edge.]

Per Application DMZ

[Figure: Internet → Internet Edge → DMZ Routing → Internal Routing/Firewall, with a stateful DFW policy applied per application.]

Traffic Visibility in the Virtualized DMZ Network

Capture Points

• vRealize Network Insight

– DFW Flow Data

– vSwitch Flow Data

– Uplink Flow Data

– Physical Switch Flow Data

– Firewall Rule Data

• Application Rule Manager

– Flow Data - vNIC

• Endpoint Monitor

– File/Binary/EXE

– Socket

• Log Insight

– Firewall Rule Logs

– ESG Syslog

– NSX Manager Syslog

– NSX Controller Syslog

– vSphere Syslog

– vCenter Syslog

– Physical Switch Syslog

– Physical Server Syslog
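One use of the Firewall Rule Logs listed above, as an added example that is not part of the presentation or of any VMware product: a detector that reads DFW packet-log lines and raises an alert when a single source collects denied packets against many distinct destination ports in a short window (reconnaissance from a compromised DMZ host), and a second alert when a DMZ web-tier address is seen attempting, and being denied, connections into the app or DB tier. The line layout is assumed to be the NSX for vSphere 6.x `dfwpktlogs` vmkernel format; the log lines, the tier subnets (taken from the benchmark's Pattern 1 slide) and the thresholds are constructed for the example.

```python
"""
Scan detection over NSX distributed-firewall packet logs.

Added example, not code from the presentation or from VMware. The line layout
is assumed to be the NSX for vSphere 6.x "dfwpktlogs" format:
<ts> <host> dfwpktlogs: <id> INET match <ACTION> <ruleset>/<rule> <dir> <len> <proto> <src>/<sport>-><dst>/<dport> <flags>
The log lines, tier subnets and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: \d+ INET6? match (?P<action>PASS|DROP|REJECT) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) \d+ (?P<proto>[A-Z0-9]+) "
    r"(?P<src>[\da-fA-F.:]+)/(?P<sport>\d+)->(?P<dst>[\da-fA-F.:]+)/(?P<dport>\d+)"
)

# Tier subnets from the Pattern 1 slide; zone names are an assumption.
ZONES = {
    "dmz-web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Constructed sample: one allowed web->app flow, a port sweep from the web
# server 10.0.1.2 against the app tier, one probe at the DB tier, a legitimate
# app->db connection and an outside probe dropped at the edge.
SAMPLE_LOG = [
    "2017-08-29T14:02:10.101Z esx-01 dfwpktlogs: 1026 INET match PASS domain-c7/1002 IN 60 TCP 10.0.1.2/40011->10.0.2.2/8080 S",
    *[f"2017-08-29T14:02:{11 + i}.000Z esx-01 dfwpktlogs: 1026 INET match DROP domain-c7/1010 IN 60 TCP 10.0.1.2/{40012 + i}->10.0.2.2/{p} S"
      for i, p in enumerate((22, 23, 25, 53, 139, 445, 3389))],
    "2017-08-29T14:02:20.300Z esx-02 dfwpktlogs: 1031 INET match DROP domain-c7/1010 IN 60 TCP 10.0.1.2/40030->10.0.3.2/3306 S",
    "2017-08-29T14:02:21.000Z esx-02 dfwpktlogs: 1031 INET match PASS domain-c7/1003 IN 60 TCP 10.0.2.2/40100->10.0.3.2/3306 S",
    "2017-08-29T14:02:25.000Z esx-01 dfwpktlogs: 1026 INET match DROP domain-c7/1010 IN 60 TCP 203.0.113.9/51000->10.0.1.2/22 S",
]


def zone_of(ip):
    """Map an address to its trust zone; anything outside the tiers is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line):
    """Return the packet-log fields as a dict, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    e["dport"] = int(e["dport"])
    return e


def detect(lines, scan_threshold=5, window_s=60):
    """Group denied packets by source; alert on many distinct (dst, port)
    targets inside the window, and on any DMZ-web source denied into app/db."""
    denied = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["action"] in ("DROP", "REJECT"):
            denied[e["src"]].append(e)
    alerts = []
    for src, evs in denied.items():
        targets = {(e["dst"], e["dport"]) for e in evs}
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        if len(targets) >= scan_threshold and span <= window_s:
            alerts.append({"type": "port-scan", "src": src, "src_zone": zone_of(src),
                           "targets": len(targets), "seconds": span})
        if zone_of(src) == "dmz-web":
            higher = sorted({e["dst"] for e in evs if zone_of(e["dst"]) in ("app", "db")})
            if higher:
                alerts.append({"type": "dmz-to-internal-denied", "src": src, "dst": higher})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Denied packets are the signal here because, once the DFW is in place, a scan from inside the DMZ shows up almost entirely as drops; the PASS lines are still worth keeping for the second question a responder asks, which is what the compromised host was allowed to reach before the alert fired. The thresholds are deliberately low for the sample; tune them against a baseline of normal drop volume before turning this into a production rule.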

DMZ Anywhere Benchmark Whitepaper Preview

Coalfire Systems 2017 Benchmark of DMZ Anywhere

Chris Krueger, Coalfire Systems, Inc., Managing Principal, Security Architecture

Benchmark of NSX DMZ Anywhere Concept

• Coalfire 3PAO and Cyber Engineering organizations see a significant requirement in all regulations (PCI DSS, HIPAA, FedRAMP, CJIS, NERC CIP, GDPR, etc.) for strong DMZ network segmentation to “reduce scope”

• This 2017 benchmark is the next step in independent validation of the NSX product

• Focus on an SDDC implementation with 3-tier workloads

• Using pen test and exploit methodologies

• Service insertion partner products working with NSX DMZ Anywhere for L4-7 effectiveness: Palo Alto Networks and Check Point

About Coalfire

• Thought-leader and go-to advisor in the fast-growing cybersecurity market

• More than 1,600 customers in a broad set of industry sectors

• More than 550 employees in 14 locations in North America and Europe

Coalfire Serves

• 530 Cloud, SaaS and Technology Clients

• 471 merchants and 241 payment service providers

• 290 HIPAA covered entities and business associates

• 291 clients in banks, insurance and asset management

• 240 clients across federal, state and local government and higher education

• 21 clients in power, water, energy and gas

NSX Benchmark from 2016

• Introduced Micro-Segmentation and VMware NSX in Sept, 2016

• Review against NIST SP 800-125B standard

• Overview of the NSX “Micro-Audit” of E-W threat mitigation

• Network Design Patterns and Test Methodology – Threat Simulation

– Attack via Metasploit Framework

– Micro-Segmentation Design Patterns

• Validation Exercises and Findings

– Patterns 1a/b through 5a/b

– Stateful Firewall Validation

– ALG Traffic Enforcement

• Conclusion and Opinion

• Published September, 2016

NSX Benchmarks Past and Forthcoming

• September 2016 NSX Micro-Segmentation Cybersecurity Benchmark: first testing of NSX by a third party

• Current presentation on NSX DMZ Anywhere today, with new benchmark results being previewed and a September 2017 release

• New benchmark evaluation and creation of an NSX-T whitepaper for containerized workloads, also in September 2017

Design Overview and Testing Focus

• Three design patterns based

• Two workloads in the NSX-protected SDDC used to simulate customer workloads: OpenEMR and OpenMRS

• Two-vCenter multi-tenant design implementation – Edge/Mgmt and Compute

• Workloads reside in the compute vCenter / single vSphere cluster

• Simulation of an intruder on a vulnerable network segment of the design pattern, positioned to do maximum damage

• Use of NSX tools reviewed: Application Rule Manager and Endpoint Monitoring

• Service insertion partners Check Point and Palo Alto Networks used to demonstrate L4-7 protection

Control Pattern

A “no controls” network, open without restriction between VLANs.

[Figure: Internet → Internet Edge → Internal Routing/Firewall; Web Tier, App Tier and DB Tier on any vSphere host in the vCenter, with nothing enforced between them.]

Pattern 1 – Distributed Firewall and DLR

Micro-segmentation via a stateful Distributed Firewall (DFW) blocking east-west traffic. Intra-tier traffic protected using a zero-trust model (rules for desired traffic only). Distributed Logical Router (DLR) with VXLAN network overlay segmentation for tiers.

[Figure: Internet → Internet Edge → Internal Routing/Firewall; Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24 and DB Tier 10.0.3.0/24 on any vSphere host in the vCenter, each tier behind the stateful DFW with controlled communication between tiers.]
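The zero-trust rule set behind Pattern 1, written out as a small stateful-DFW model so the tier-to-tier verdicts can be checked before a scan is run. This is an added example, not code from the presentation or from VMware NSX: the subnets are the ones on the slide, while the security-group names, the service ports (443 into web, 8080 web-to-app, 3306 app-to-db) and the addresses used in the checks are assumptions. The last check in `pattern1_checks` is the one worth repeating against any real policy: an ingress rule with an `any` source also admits a neighbouring web server on the same port.

```python
"""
Zero-trust DFW policy model for the benchmark's three-tier workload (Pattern 1).

Added example; not code from the presentation or from VMware NSX. The tier
subnets (web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24) are those on the
Pattern 1 slide; the security-group names, service ports and the addresses
used in the checks are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security groups keyed by subnet here; in NSX they would be built from VM
# tags/objects so the policy follows the VM wherever it is placed.
GROUPS = {
    "sg-web": ip_network("10.0.1.0/24"),
    "sg-app": ip_network("10.0.2.0/24"),
    "sg-db": ip_network("10.0.3.0/24"),
}


def groups_of(ip: str) -> set:
    """Security groups an address belongs to; 'any' matches every address."""
    addr = ip_address(ip)
    return {"any"} | {name for name, net in GROUPS.items() if addr in net}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # security group or 'any'
    dst: str
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: str            # 'allow' | 'block' (silent drop) | 'reject' (RST / ICMP)


# Rules for desired traffic only; the last rule catches everything else.
RULES = [
    Rule("internet-to-web", "any", "sg-web", "tcp", 443, "allow"),
    Rule("web-to-app", "sg-web", "sg-app", "tcp", 8080, "allow"),
    Rule("app-to-db", "sg-app", "sg-db", "tcp", 3306, "allow"),
    Rule("default-deny", "any", "any", None, None, "block"),
]


class StatefulDFW:
    """First-match rule evaluation for new flows; replies of an allowed flow are
    admitted from the connection table, so rules are only ever written for the
    client-to-server direction."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport, proto) of allowed connections

    def _match(self, src, dst, proto, dport) -> Rule:
        sg, dg = groups_of(src), groups_of(dst)
        for r in self.rules:
            if (r.src in sg and r.dst in dg
                    and r.proto in (None, proto)
                    and r.dport in (None, dport)):
                return r
        raise ValueError("rule set must end with a catch-all rule")

    def new_connection(self, src, sport, dst, dport, proto="tcp"):
        """First packet of a flow. Returns (rule name, verdict, response to initiator)."""
        r = self._match(src, dst, proto, dport)
        if r.action == "allow":
            self.flows.add((src, sport, dst, dport, proto))
            return r.name, "allow", None
        if r.action == "reject":
            return r.name, "reject", "tcp-rst" if proto == "tcp" else "icmp-admin-prohibited"
        return r.name, "block", None

    def reply(self, src, sport, dst, dport, proto="tcp"):
        """Server-to-client packet: admitted only if the forward flow was allowed;
        anything else is treated as a new connection and hits the rules."""
        if (dst, dport, src, sport, proto) in self.flows:
            return "allow-established"
        return self.new_connection(src, sport, dst, dport, proto)[1]


def pattern1_checks() -> dict:
    """Verdicts for the flows a DMZ audit should exercise against Pattern 1."""
    fw = StatefulDFW(RULES)
    return {
        "internet->web:443": fw.new_connection("203.0.113.7", 51000, "10.0.1.2", 443)[1],
        "web->app:8080": fw.new_connection("10.0.1.2", 40000, "10.0.2.2", 8080)[1],
        "app->db:3306": fw.new_connection("10.0.2.2", 40001, "10.0.3.2", 3306)[1],
        "db->app reply": fw.reply("10.0.3.2", 3306, "10.0.2.2", 40001),
        "web->db:3306 (tier skip)": fw.new_connection("10.0.1.2", 40002, "10.0.3.2", 3306)[1],
        "web->web:445 (lateral)": fw.new_connection("10.0.1.2", 40003, "10.0.1.3", 445)[1],
        "db->app:8080 (new, reverse)": fw.new_connection("10.0.3.2", 40004, "10.0.2.2", 8080)[1],
        "web->web:443 (any-source rule)": fw.new_connection("10.0.1.2", 40005, "10.0.1.3", 443)[1],
    }


if __name__ == "__main__":
    for flow, verdict in pattern1_checks().items():
        print(f"{flow:32s} {verdict}")
```

Two of the results matter for the DMZ Exposure discussion earlier in the deck: a compromised web server cannot reach the DB tier directly or its neighbours on 445, but the `any`-source ingress rule still lets it reach a neighbour on 443. Scope the source of that rule to the Internet-edge group, or place an intra-tier deny rule above it, to close that path. Switching the catch-all from block to reject changes only what the initiator sees (an RST or an ICMP administratively-prohibited message instead of a timeout), which is the difference a scanner reports as closed versus filtered.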

Pattern 2 – Distributed Firewall, DLR and Service Insertion

Adding Check Point vSEC Next Generation Firewall for L4-7 inspection and response.

[Figure: As Pattern 1 (Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24, DB Tier 10.0.3.0/24 behind the stateful DFW on any vSphere host in the vCenter, controlled communication between tiers), with traffic steering to the partner advanced services.]

Pattern 2 – Distributed Firewall, DLR and Service Insertion

Adding Palo Alto Networks VM-Series Next Generation Firewall for L4-7 inspection and response.

[Figure: As Pattern 1 (Web Tier 10.0.1.0/24, App Tier 10.0.2.0/24, DB Tier 10.0.3.0/24 behind the stateful DFW on any vSphere host in the vCenter, controlled communication between tiers), with traffic steering to the partner advanced services.]

Pattern 3 – Distributed Firewall with Service Insertion

L4-7 protection using Palo Alto Networks VM-Series Firewall inspection and response. Similar to Pattern 2, except with the removal of the Distributed Logical Router; L2 VLAN segmentation was used with the Edge Gateway / DFW.

[Figure: Internet → Internet Edge → Internal Routing/Firewall; Web, App and DB tiers on VLANs on any vSphere host in the vCenter, stateful DFW with controlled communication, traffic steering to the partner advanced services.]

Pattern 3 – Distributed Firewall with Service Insertion

L4-7 protection using Check Point vSEC Firewall inspection and response. Similar to Pattern 2, except with the removal of the Distributed Logical Router; L2 VLAN segmentation was used with the Edge Gateway / DFW.

[Figure: Internet → Internet Edge → Internal Routing/Firewall; Web, App and DB tiers on VLANs on any vSphere host in the vCenter, stateful DFW with controlled communication, traffic steering to the partner advanced services.]

Testing and Exploits Used

As with the 2016 benchmark, we used a Kali Linux based testing VM, loaded with a suite of penetration testing tools and the Metasploit Framework.

Use of Kali Linux to simulate a fully compromised, previously exploited machine at its most extreme level of lethality. The machine is positioned into the design pattern networks as an optimal attacker. This machine is denoted by this VM symbol in our Design Patterns:

• db_nmap reconnaissance tool – scans from the Kali VM east-west (L2) target VMs and, across application tiers, the north-south (L3) targets

• WannaCry exploit – based on EternalBlue MS17-010 (CVE-2017-0143) as cryptovirus / ransomware candidate

• Java AtomicReferenceArray – type violation vulnerability (CVE-2012-0507) as an application-based and browser/Java exploit

TEST METHODOLOGY – Using Metasploit: NSX DMZ Anywhere “Micro-audit”

Simulate an actual automated or human-initiated attack, using tools and exploits that are real.

Follow the Kill-Chain model, performing the Reconnaissance and Exploitation steps.

The CONTROL test pattern confirms exploit success.

Test Patterns 1, 2 and 3 are with NSX DMZ Anywhere security principles engaged.

VMware vSphere and NSX SDDC “test-bed” with:

• Kali Linux “exploited” machine launching attacks via Metasploit, db_nmap, hping3, etc.

• OpenEMR and OpenMRS workloads

• Windows 2008 R2 and 2012 R2 Enterprise for OpenEMR

• Debian 4 Linux w/ Apache/MySQL for OpenMRS

Test Results – Recon and the Design Patterns 1 - 3

• db_nmap used to probe and test

• Tested using a “Control” and a “Test Protection” NSX DMZ Anywhere event

• Control – Open, NSX rules turned “down” using an allow policy or the policy removed. Confirm recon success

• Test Protection – NSX rules enabled to Block and Reject

db_nmap scan report shown on the slide:

Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
|_http-favicon: Unknown favicon MD5: 4EF9F480B52CD52B5831077127502FDE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.27 (Win64) PHP/5.6.31 OpenSSL/1.0.2l
|_http-title: Apache Haus Distribution Installation Test
| ssl-cert: Subject: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE
| Issuer: organizationName=Apache Haus Distribution Test Certificate/stateOrProvinceName=Some-State/countryName=DE

DFW rule actions:

Action   Description
Block    Block the traffic silently
Allow    Allow the traffic
Reject   (introduced in NSX 6.1) The Reject action sends back to the initiator: RST packets for TCP connections; ICMP unreachable with “network administratively prohibited” code for UDP, ICMP and other IP connections
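A check that turns a db_nmap report like the one above into an audit result: which open ports fall outside what the web tier is supposed to expose, and whether the unlisted ports came back closed (an RST, so Reject or no firewall at all) or filtered (no answer, so Block). This is an added example, not code from the presentation or from Coalfire. The two reports it parses are constructed for the example: the first follows the slide's scan of 10.0.1.2 with an SMB line added so the EternalBlue path shows up, the second is what the same host looks like behind a Block policy exposing only 80/443. The allowed-port set is an assumption.

```python
"""
Audit of a db_nmap / nmap report against the exposure a DMZ tier should have.

Added example, not code from the presentation or from Coalfire. Both reports
below are constructed for the example (the first is modelled on the slide's
scan of 10.0.1.2, with a 445/tcp line added; the second is the same host
behind a Block policy). The allowed-port set is an assumption.
"""
import re
from typing import Dict, List

CONTROL_REPORT = """\
Nmap scan report for 10.0.1.2
Host is up (0.00044s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
|_http-title: Apache Haus Distribution Installation Test
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp open  ssl/http     Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 microsoft-ds
"""

PROTECTED_REPORT = """\
Nmap scan report for 10.0.1.2
Host is up (0.00051s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
443/tcp open  ssl/http Apache httpd 2.4.27 ((Win64) PHP/5.6.31 OpenSSL/1.0.2l)
"""

# Ports a DMZ web-tier host is supposed to expose (assumption for the example).
WEB_TIER_ALLOWED = {(80, "tcp"), (443, "tcp")}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered|unfiltered)\s+(\S+)")


def parse_nmap(report: str) -> List[Dict]:
    """Parse nmap 'normal' output into one record per host."""
    hosts, cur = [], None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"host": m.group(1), "ports": [], "hidden": {}}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # e.g. "995 closed ports" or "990 closed ports, 5 filtered ports"
            cur["hidden"] = {state: int(n) for n, state in re.findall(r"(\d+) (\w+) ports", m.group(1))}
            continue
        m = PORT_RE.match(line)
        if m:  # NSE script lines start with '|' and never match
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4)})
    return hosts


def audit(report: str, allowed: set) -> List[Dict]:
    """Flag open ports outside the allowed set and infer the firewall action
    from how the unlisted ports were reported: 'closed' means an RST came back
    (Reject action, or no firewall at all), 'filtered' means no answer (Block)."""
    results = []
    for h in parse_nmap(report):
        open_ports = sorted((p["port"], p["proto"]) for p in h["ports"] if p["state"] == "open")
        hidden = h["hidden"]
        if hidden.get("filtered", 0) > hidden.get("closed", 0):
            inference = "Block: unlisted ports gave no response"
        elif hidden.get("closed", 0):
            inference = "Reject or no firewall: unlisted ports answered with RST"
        else:
            inference = "undetermined"
        results.append({
            "host": h["host"],
            "open": open_ports,
            "unexpected": [pp for pp in open_ports if pp not in allowed],
            "smb_reachable": (445, "tcp") in open_ports,  # MS17-010 / EternalBlue needs this
            "inference": inference,
        })
    return results


if __name__ == "__main__":
    for label, report in (("control", CONTROL_REPORT), ("protected", PROTECTED_REPORT)):
        print(label, audit(report, WEB_TIER_ALLOWED))
```

The inference column is the practical use: a protected run that still shows unlisted ports as closed means the scanner reached the host and got an RST, so either the policy is Reject (fine, but it tells an attacker a firewall is there) or the DFW rules are not applied to that vNIC at all. Only a filtered result proves the Block action is in the path.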

Test Results – Sample of Attacks

Successful EternalBlue exploit results in the machine being “popped” and the attacker being dropped into the MS command shell with Administrator privileges.

Successful Java ARA exploit delivers a “mock penetration” payload JAR file to the browser, and confirmation of that event on the Kali exploitation machine.

Test Results – Methods Used to Benchmark Service Insertion Partner Firewalls with NSX DMZ Anywhere

• Identical testing model for Check Point and Palo Alto Networks next generation firewalls. Both firewall suites are provided as an SVM utilizing the NSX NetX extensibility framework

• Tested a “Control” and a “Test Protection” scenario with Patterns 2 and 3 as in previous tests

• db_nmap used to recon, and recon is ALWAYS successful with Patterns 2/3

• Service insertion for L7 by Check Point and Palo Alto Networks, where traffic steering is managed by the NSX network flow

• Control – NSX service insertion policy not applied. Confirmed exploit was successful without service insertion and inspection by the partner solution

• Test Protection – NSX service insertion policy applied to insert the next generation application firewall into the attack flow

Test Results – EternalBlue Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere

1. Deploy service with NSX

2. Service Composer to set up rules

3. Apply policy to Security Groups

4. Confirm attack via event logging

Test Results – Java ARA Impacts using Check Point vSEC Firewalls and Management with NSX DMZ Anywhere

1. Deploy service with NSX

2. Service Composer to set up rules

3. Apply policy to Security Groups

4. Confirm attack via event logging

Test Results – EternalBlue Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere

1. Deploy service with NSX

2. Panorama to define and set up Security Groups

3. Use steering rules and apply Security Policy

4. Confirm attack via event logging

Test Results – Java ARA Impacts using Palo Alto VM-Series Firewalls and Panorama with NSX DMZ Anywhere

1. Deploy service with NSX

2. Panorama to define and set up Security Groups

3. Use steering rules and apply Security Policy

4. Confirm attack via event logging

Application Rule Manager – Demonstrated with OpenEMR review

• How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere?

• Application Rule Manager: a helpful NSX tool to visualize and understand the communication between tiers and among endpoints.

Endpoint Monitoring

How best to re-engineer the conventional DMZ architecture with NSX DMZ Anywhere, from the perspective of endpoint application process network activity?

Endpoint Monitoring:

Use Case: De-scoping for Regulatory Compliance

Regulated data at rest and in motion must avoid being on the same network with non-regulated data VMs. Moving IPs, or moving VMs to a DMZ, is difficult, costly and often impossible.

In this PCI DSS example, machines in RED are in scope and store, process or transmit cardholder data (CHD). DMZ Anywhere can apply the DFW rules to these VMs in place, and generate the zero-trust rules to protect the CHD.

NSX DMZ Anywhere Benchmark Conclusions

Coalfire’s objective was to determine if VMware NSX DMZ Anywhere can prevent E-W/N-S threats by performing a “micro audit” using representative malware and kill-chain methods, and scientifically measure the results. Testing focused on DMZ Anywhere in a stand-alone configuration and when used in a service insertion scenario with Palo Alto Networks and Check Point next-generation firewalls.

Coalfire’s findings were:

• NSX DMZ Anywhere provided significant and real distributed firewall (DFW) protections against E-W threats and in inter-segment DMZ transfers between tiers of our test Windows and Linux three-tier workloads

• Policy-based controls, nested service group constructs, tight integration with VMware objects/meta-data, and the completeness/utility of tools (ARM / Endpoint Monitoring, etc.) of NSX DMZ Anywhere satisfied NIST SP 800-125B requirements

• Specific testing of Application Rule Manager / Endpoint Monitoring confirmed an easy deployment path to zero-trust implementation can be realized with NSX for DMZs

• Third-party service insertion was verified with the Palo Alto Networks and Check Point next-generation firewalls to support L4-L7 threat mitigation in L2 and L3 DMZ designs

More info - Whitepaper Coming Soon

• Publication of Whitepaper – September 2017

Key Takeaways

• DMZ Anywhere optimizes the DMZ, increasing security and saving capex and opex

• There are a number of DMZ deployment models enhanced by NSX

• NSX provides a platform to allow partners to secure the DMZ more efficiently

• Customers are building DMZs with NSX today organically

• NSX provides the necessary visibility and granular security needed to modernize the DMZ for today’s application deployments