I have a firewall in my Data Center, isn’t it enough?

Do you have a firewall in the Data Center? Great.

Is that enough to give you peace of mind? Probably not.

A firewall works as a control based on static rules; it behaves like a police officer who enforces a particular regulation or policy. A stateful firewall maintains the state of connections between two endpoints and enforces the set of rules configured. A more advanced firewall can work at the application level and is often called a Layer 7 (L7) firewall. An L7 firewall allows you to set more granular rules, such as restricting the encryption method or the TLS certificate, or filtering based on URL. Because an L7 firewall performs its function at the application layer, it is also called an application firewall.

A firewall is excellent, but what about an unknown kind of threat, or malicious activity carried over legitimate communication?

Online network threats multiply each day and evolve at rapid speed. Enterprise cybersecurity teams need more than just firewalls to address this rapid threat evolution. An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) is vital to strengthen the defense capability in the data center. IPS/IDS works from a database of behaviors or patterns called signatures, much like an antivirus that uses signature detection. As the name suggests, an IDS only detects intrusion behavior and reports it; the system takes no action. An IPS, on the other hand, takes action (allow or reject) against the connection.

A stateful firewall combined with a threat prevention/detection system is the first line of defense in the data center. The firewall is the frontline defense, and its job is to separate bad traffic from legitimate traffic. Threat prevention then scans the legitimate traffic to inspect its behavior further. The combination of firewall and threat prevention system is the basic building block of cybersecurity.

I like to travel by air, and I hate queueing at security clearance. Putting firewalls and a threat prevention/detection system at the front gate is like the body scanner at the airport that you pass through before boarding a flight. The problem arises when the number of people increases; a long queue at security clearance is a sign of this bottleneck. Adding more body scanners surely adds capacity and shortens the queue. But what do you do with these scanners in the low season, when there are fewer passengers in the airport? How could we provide a “body scanner as a service” consumption model?

A similar problem happens in the data center, where an enterprise commonly deploys a Next-Generation Firewall (a firewall with threat prevention/detection and other security services within a single box). People who are familiar with firewalls know how difficult it is to scale the capacity of a firewall; both scale-up and scale-out have their challenges. Because of these capacity constraints, selective scanning is commonly used to preserve capacity for critical traffic: only selected traffic is chosen to be scanned. For example, the threat prevention system only scans traffic from a particular source or of a particular application. Selective scanning potentially results in blind spots, as the system is not able to scan all the traffic.

To address the security concerns of a distributed system, an enterprise needs a distributed approach to threat prevention. Distributed threat prevention not only provides inline capacity (the system grows and shrinks with the number of nodes) but also simplifies the network architecture. This model allows efficient use of the budget to protect the data center workloads. With a distributed threat prevention system, an enterprise can scan all the traffic without blind spots.

NSX Distributed IDS/IPS

The intrusion detection and prevention system (IDS/IPS) functionality released with NSX-T 3.0 enhances the security capabilities of the service-defined firewall, enabling operators to address several additional use cases:

  • Quickly Achieve Regulatory Compliance: Many data centers host sensitive applications that are required to meet HIPAA[1], PCI-DSS[2], or SOX[3]. Using NSX, network and security operators can now achieve compliance by enabling IDS/IPS, in addition to the firewall, for any workload that needs to meet compliance.
  • Replace Discrete IDS/IPS Appliances: Operators virtualizing their data center networks can now replace discrete, centralized IDS/IPS appliances with NSX’s distributed implementation. In the process, with NSX they also consolidate firewall and IDS/IPS management. Since NSX’s security capabilities are in the hypervisor isolated from the workloads, attackers can’t tamper with them.
  • Implement Virtual Security Zones: Some organizations need to establish direct network connections with partners or treat business units and subsidiaries as tenants of a central IT department. Operators can now use NSX’s firewall and IDS/IPS to implement virtual security zones at organizational boundaries while consolidating these workloads on the same physical hypervisor clusters.
  • Detect lateral threat movement: Attackers use lateral movement within the data center in order to get to their objective. Similar to the Distributed Firewall, the NSX Distributed IDS/IPS is applied to the logical port of every workload, enabling customers to detect every stage of an attack regardless of network connectivity.

You can find out more about the technical benefits of NSX Distributed IDS/IPS here.

Enable NSX Distributed IDS on Hosts

The intrusion detection feature has to be enabled on specific hosts. It can be enabled for a standalone host or for a host that is part of a cluster in vCenter.

In this lab environment, I have multiple clusters, and I enable intrusion detection on my Compute cluster, which hosts my workload VMs.

How to Update Signatures

NSX can automatically update its IDS signatures by downloading them from the VMware cloud-based service. The default setting is to check once per day, and VMware publishes new signature update versions every two weeks. There is also an option to upload signatures manually into NSX.

IDS Profile

An IDS profile is a group of signatures that is applied to selected application/traffic.

There is an option to exclude certain signatures from the profile. For example, if a particular IDS profile is applied to web server traffic (Apache, nginx, etc.), you can exclude the signatures related to SQL and so optimize the signature lookup.

IDS Rule

IDS rules are used to apply a profile to selected application/traffic.
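As an added illustration (not NSX code, and not part of the original post), the following Python sketch ties together the concepts from the IDS/IPS introduction and from the profile and rule sections above: a signature database, a profile that groups signatures and excludes one of them, a rule that applies the profile to traffic to/from a group of tagged workloads, and the difference between detect mode (IDS, report only) and prevent mode (IPS, allow or reject). Signature ids, categories, group tags and payloads are all constructed for the example.

```python
"""Toy signature-based IDS/IPS (added illustration, not NSX code).

Models the concepts from the post: a signature database, an IDS profile that
groups signatures and can exclude some, an IDS rule that applies a profile to
selected traffic, and the IDS/IPS split (detect-and-report vs allow-or-reject).
Signature ids, categories, group tags and payloads are all constructed here.
"""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Signature:
    sid: int          # constructed signature id
    category: str     # constructed class, e.g. "web", "sql"
    pattern: str      # regex searched in the payload
    msg: str


# Constructed signature database; real feeds hold thousands (cf. rules_loaded).
SIGNATURES = [
    Signature(1001, "web", r"\.\./\.\./", "Path traversal attempt"),
    Signature(1002, "sql", r"(?i)\bunion\s+select\b", "SQL injection (UNION SELECT)"),
    Signature(1003, "web", r"(?i)<script\b", "Reflected XSS attempt"),
]


@dataclass
class Profile:
    """Group of signatures applied to a kind of traffic, with optional exclusions."""
    name: str
    categories: set
    excluded_sids: set = field(default_factory=set)

    def signatures(self):
        # Excluding signatures shrinks the set evaluated for every packet.
        return [s for s in SIGNATURES
                if s.category in self.categories and s.sid not in self.excluded_sids]


@dataclass
class Rule:
    """Binds a profile to traffic to/from a group of workloads (by tag)."""
    group: set          # constructed security tags
    profile: Profile
    mode: str           # "detect" = IDS (report only), "prevent" = IPS (allow/reject)

    def applies_to(self, pkt):
        return pkt.src_tag in self.group or pkt.dst_tag in self.group


@dataclass
class Packet:
    src_tag: str
    dst_tag: str
    payload: str


def scan(profile, payload):
    """Return ids of every profile signature whose pattern occurs in the payload."""
    return [s.sid for s in profile.signatures() if re.search(s.pattern, payload)]


def evaluate(rules, pkt):
    """First rule whose group matches decides; traffic no rule covers is not scanned.

    Returns (verdict, matched_sids). In detect mode a match is reported but the
    verdict stays "allow"; in prevent mode a match yields "reject".
    """
    for rule in rules:
        if not rule.applies_to(pkt):
            continue
        hits = scan(rule.profile, pkt.payload)
        if hits and rule.mode == "prevent":
            return "reject", hits
        return "allow", hits
    return "allow", []


def run(rules, traffic):
    return [evaluate(rules, pkt) for pkt in traffic]


# The web profile covers the web and sql classes but excludes the SQL signature,
# as the post suggests for web-server traffic; the DB profile keeps it.
WEB_PROFILE = Profile("web-servers", {"web", "sql"}, excluded_sids={1002})
DB_PROFILE = Profile("db-servers", {"sql"})

RULES = [
    Rule({"project01-web"}, WEB_PROFILE, mode="detect"),
    Rule({"project01-db"}, DB_PROFILE, mode="prevent"),
]

# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Packet("internet", "project01-web", "GET /index.html HTTP/1.1"),
    Packet("internet", "project01-web", "GET /../../etc/passwd HTTP/1.1"),
    Packet("project01-app", "project01-db", "SELECT 1 UNION SELECT user,pass FROM users"),
    Packet("internet", "other-app", "GET /../../etc/passwd HTTP/1.1"),  # no rule: unscanned
]

if __name__ == "__main__":
    for pkt, (verdict, hits) in zip(SAMPLE_TRAFFIC, run(RULES, SAMPLE_TRAFFIC)):
        print(f"{pkt.src_tag:>14} -> {pkt.dst_tag:<14} {verdict:<6} sids={hits}")
```

The last packet shows the blind spot the post warns about: traffic that no rule covers passes unscanned, which is exactly what selective scanning trades away. The second packet is reported but allowed because the web rule runs in detect mode; switching the same rule to prevent mode turns that verdict into a reject.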

Verify that IDS is Enabled in the Host

To confirm IDS is enabled on the host, SSH into the host and issue the nsxcli command as follows:

esxcomp-01a> get ids status
                  NSX IDS Status
    status: enabled
    uptime: 509871 (5 days 21:37:51)

To check which profiles have been applied to the host:

esxcomp-01a> get ids profile
                 NSX IDS Profiles
Profile count: 2
         1. 86e80483-65e1-4c11-ab94-797ba5edca4f
         2. de968917-a537-457f-9a1e-ea4d2929fd59

To check statistics about the IDS engine, including the rules loaded and information about evaluated packets/sessions:

esxcomp-01a> get ids engine stats
            NSX IDS Engine Statistics
    uptime: 510021 (5 days 21:40:21)

                  dns_udp: 20
               failed_udp: 40
                     http: 35433
                  dns_udp: 20
                     http: 35433
                   alerts: 0
                       id: 5
              last_reload: 2020-04-14T08:07:07.339005+0000
         packets_incoming: 365320
         packets_outgoing: 365320
                prof-uuid: 86e80483-65e1-4c11-ab94-797ba5edca4f
             rules_failed: 0
             rules_loaded: 11303

                   alerts: 0
                       id: 4
              last_reload: 2020-04-14T08:07:03.645662+0000
         packets_incoming: 365320
         packets_outgoing: 365320
                prof-uuid: de968917-a537-457f-9a1e-ea4d2929fd59
             rules_failed: 0
             rules_loaded: 11202

                   memuse: 2867200
                  overlap: 46
        reassembly_memuse: 804864
                      rst: 4134
                 sessions: 39543
                      syn: 39548
                   synack: 35442
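The three outputs above are easy to check by eye on one host, but across a cluster an operator would rather script the check. The following Python is an added example, not an NSX or VMware tool: it parses the key: value text printed by get ids status, get ids profile and get ids engine stats (the sample strings are copied, slightly abridged, from the output above) and flags a host where IDS is disabled, an applied profile has no engine instance, no rules were loaded, or some rules failed to load.

```python
"""Health check over nsxcli IDS output (added example, not an NSX/VMware tool).

Parses the text printed by `get ids status`, `get ids profile` and
`get ids engine stats` as shown in the post, and checks what an operator
wants to confirm per host: the engine is enabled, every profile applied to the
host has an engine instance, rules were loaded, and none failed to load.
The sample strings are abridged copies of the output shown in the post.
"""
import re

STATUS_OUTPUT = """\
                  NSX IDS Status
    status: enabled
    uptime: 509871 (5 days 21:37:51)
"""

PROFILE_OUTPUT = """\
                 NSX IDS Profiles
Profile count: 2
         1. 86e80483-65e1-4c11-ab94-797ba5edca4f
         2. de968917-a537-457f-9a1e-ea4d2929fd59
"""

ENGINE_STATS_OUTPUT = """\
            NSX IDS Engine Statistics
    uptime: 510021 (5 days 21:40:21)

                  dns_udp: 20
                     http: 35433

                   alerts: 0
                       id: 5
              last_reload: 2020-04-14T08:07:07.339005+0000
         packets_incoming: 365320
                prof-uuid: 86e80483-65e1-4c11-ab94-797ba5edca4f
             rules_failed: 0
             rules_loaded: 11303

                   alerts: 0
                       id: 4
              last_reload: 2020-04-14T08:07:03.645662+0000
         packets_incoming: 365320
                prof-uuid: de968917-a537-457f-9a1e-ea4d2929fd59
             rules_failed: 0
             rules_loaded: 11202

                   memuse: 2867200
                 sessions: 39543
"""

KV_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def parse_blocks(text):
    """Split 'key: value' output into blank-line-separated dicts; counters become ints."""
    blocks, current = [], {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, val = m.groups()
            current[key] = int(val) if val.isdigit() else val
        elif not line.strip() and current:
            blocks.append(current)
            current = {}
    if current:
        blocks.append(current)
    return blocks


def ids_status(text):
    for block in parse_blocks(text):
        if "status" in block:
            return block["status"]
    return None


def host_profiles(text):
    """UUIDs of the profiles listed by `get ids profile`."""
    return UUID_RE.findall(text)


def engine_instances(text):
    """One dict per engine instance, keyed by the profile UUID it serves."""
    return {b["prof-uuid"]: b for b in parse_blocks(text) if "prof-uuid" in b}


def health_check(status_text, profile_text, stats_text):
    """Return a list of findings; an empty list means the host looks healthy."""
    findings = []
    if ids_status(status_text) != "enabled":
        findings.append("IDS is not enabled on this host")
    engines = engine_instances(stats_text)
    for uuid in host_profiles(profile_text):
        inst = engines.get(uuid)
        if inst is None:
            findings.append(f"profile {uuid} is applied but has no engine instance")
            continue
        if inst.get("rules_loaded", 0) == 0:
            findings.append(f"profile {uuid} has no rules loaded")
        if inst.get("rules_failed", 0) != 0:
            findings.append(f"profile {uuid}: {inst['rules_failed']} rules failed to load")
    return findings


if __name__ == "__main__":
    print(health_check(STATUS_OUTPUT, PROFILE_OUTPUT, ENGINE_STATS_OUTPUT) or "healthy")
```

In practice the three strings would come from running the commands over SSH on each host; the parser only depends on the key: value layout, so extra counters in newer releases are carried along rather than breaking it.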

Let’s See the Results

I have a 3-tier application consisting of Web (apache2), App (apache2), and Database (MySQL). I grouped them together in Project01 using security tags applied to the virtual machines.

The IDS rules created above scan ingress/egress traffic to/from the Project01 application.

I generate some HTTP requests through curl with this command:

for ((i=1;i<=100;i++)); do curl -I; done is the VIP of the NSX-T Load Balancer, which manages the load between the web servers as well as the app servers.

And we got something:

Key Takeaways

NSX IPS/IDS is an additional layer of protection on top of the distributed firewall. The distributed firewall looks at L4 and L7 headers, while IDS looks deeper into the behavior of the traffic.

NSX IPS/IDS is distributed, which allows it to scale with the environment. When the number of nodes in the data center increases, so does the protection. In short: no blind spots.