NSX IDS/IPS Deployment

Introduction

NSX Intrusion Detection System / Intrusion Prevention System (IDS/IPS) inspects all traffic that enters or leaves the network, detecting and preventing known threats from reaching the network, critical systems, and data. IDS/IPS matches traffic flows against known malicious traffic patterns to find attacks. When it finds one, it generates alerts for security analysts, and the alerts are also logged for post-incident investigation. IDS/IPS uses accurate signatures, tailored to the applications being protected, which makes it effective against a wide range of known attacks and exploits.

Requirements

  • Healthy NSX deployment
  • Requires additional TP licensing

Deployment of NSX IDS/IPS

Enable IDS/IPS Signature Auto-Updates

  • Click Settings
  • Click IDS/IPS
  • Click the Toggle for Auto Update Signatures

NSX can pull updated threat signatures from VMware’s database on a regular basis; IDS/IPS signatures update every 20 minutes, so even the most recent threats are watched for within the NSX environment. This connection is live in your environment, so the exact number of intrusion signatures in your lab may differ from the screenshots here.

Advanced Settings

Note that some advanced options appear at the bottom of the screen.

  • Oversubscription is the action NSX should take with traffic if the IDS/IPS engine is overwhelmed: when more traffic is passing than the engine can handle, NSX either drops the overflow traffic or lets it pass without inspection. The default selection is Bypass, and we’ll leave it that way for the lab.
  • Syslog can be enabled to alert you when traffic has hit the oversubscription threshold.

View Signature Set (Optional)

If you’d like, you can view the Intrusion Signatures that NSX has downloaded and see what kind of traffic patterns it will be on the lookout for.

  • Click View and Manage Signature Set

Review Global Intrusion Signature Management (Optional)

Here you can review the extensive list of signatures NSX is watching for in the environment. You can sort by criticality, CVSS or CVE number, filter the list to specific affected products (Windows, Linux, Oracle, log4j, Apache, web browsers, OpenSSL and many more), and sort or filter by attack type to find common DoS signatures or signatures aimed at specific targets such as Active Directory or DNS. You can also click the arrow next to any Signature ID for more detail about that specific threat.

Feel free to explore this list and find signatures for threats that could affect your environment and that NSX distributed IDS/IPS could prevent.

  • Click Cancel when you’re done

Navigate to Shared IDS/IPS and Malware Prevention Settings

  • Click Shared
  • Use the Scrollbar to navigate down

Enable Distributed IDS/IPS for RegionA01-COMP01

  • Click the Toggle to enable IDS/IPS on RegionA01-COMP01
    All the VMs part of our attack sequence live in this specific cluster. In a production environment, you may want to enable Distributed IDS/IPS on other locations as well.

  • Confirm IDS/IPS Enable. Click Yes

Enable Gateway IDS/IPS for Tier-1-gateway-01

  • Use the Scrollbar to navigate further down the page
  • Click the Toggle to enable Gateway IDS/IPS on Tier-1-gateway-01

  • Confirm IDS/IPS Enable. Click Yes

Enable Gateway IDS/IPS for Tier-1-VDI

  • Click the Toggle to enable Gateway IDS/IPS on Tier-1-VDI

  • Confirm IDS/IPS Enable. Click Yes

Scroll to the Top of IDS/IPS and Malware Prevention Page

  • Use the Scrollbar to return to the top of the page
  • Click Profiles

Add IDS/IPS Profile

  • Click Add Profile
  • Click Enter Name and type All IDS Profile
  • Click Save

Note: I have left all signatures selected in this use case. It is recommended to select applicable targeted signatures by using the Severities, Attack Types, Targets, CVSS or Products Affected options. Remember that this feature is inline to traffic and all traffic will be checked against all selected signatures, so reducing the number of signatures will improve performance.

Check Signature Inclusion

  • Click the Arrow to expand the newly built Profile
  • Confirm the IDS Signatures Included equals the Total
    Your numbers may not match the screenshot, since the database is always being updated for valid threats. What is important is that the Included and Total match in value.

Add Distributed IDS/IPS Policy

  • Click Distributed Rules
  • Click Add Policy
  • Click New Policy, type All Distributed IDS Policy and hit Enter to rename the Policy

Add Distributed IDS/IPS Rule

  • Click the 3 Dots
  • Click Add Rule

Configure Distributed IDS/IPS Rule

  • Click New Rule, type All Distributed IDS, and hit Enter
  • Click the Pencil Icon under Security Profiles to edit the profile for the Rule

Select Security Profile

  • Click the Radio Button by All IDS Profile
  • Click Apply

Edit Distributed IDS/IPS Rule

  • Click the Pencil Icon under Applied To

Select ATP Demo Group

  • Click the Groups Radio Button
  • Use the Scrollbar to move down the list of groups
  • Click the Checkbox next to ATP Demo
  • Click Apply
    Since this is such a small environment, we’ve left source and destination blank. Best practice would have you be more prescriptive in your selection and specify source, destination, applied to and even services.

  • Publish Distributed IDS/IPS Policy and Rule
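Everything clicked through in the steps above (the auto-update and oversubscription settings, the All IDS Profile, the All Distributed IDS Policy with its All Distributed IDS rule applied to the ATP Demo group, and the per-cluster enable for RegionA01-COMP01) can also be expressed as objects for the NSX Policy API and pushed declaratively. The script below is an added example, not code from this blog or from VMware; it builds those payloads, and also shows the narrower, targeted profile that the note after "Add IDS/IPS Profile" recommends. The endpoint paths, field names, enum values, the object ids derived from display names, the cluster managed-object id, and the NSX Manager URL and credentials are all assumptions; verify them against the NSX API reference for your NSX version before applying anything.

```python
"""Added example (not the blog's or VMware's code): build the NSX Policy API payloads for the
IDS/IPS objects this lab creates by hand, and optionally PUT them to NSX Manager.
All paths, field names and enum values are assumptions drawn from the NSX-T Policy API."""
import base64
import json
import re
import ssl
import urllib.request

API_ROOT = "/policy/api/v1"  # assumption: NSX Policy API root
SETTINGS = "/infra/settings/firewall/security/intrusion-services"
PROFILES = SETTINGS + "/profiles"
CLUSTERS = SETTINGS + "/cluster-configs"
POLICIES = "/infra/domains/default/intrusion-service-policies"
GROUPS = "/infra/domains/default/groups"


def slug(display_name):
    """Derive a stable object id from a display name ('All IDS Profile' -> 'All-IDS-Profile')."""
    return re.sub(r"[^A-Za-z0-9_.-]+", "-", display_name.strip()).strip("-")


def settings_payload(auto_update=True, oversubscription="BYPASSED"):
    """IdsSettings body: signature auto-update plus the oversubscription action from
    'Advanced Settings'. The enum values BYPASSED/DROPPED are an assumption."""
    return {"resource_type": "IdsSettings", "auto_update": auto_update,
            "oversubscription": oversubscription}


def profile_payload(name, severities=None, products=None):
    """IdsProfile body. With no filters it matches every signature, like the lab's
    'All IDS Profile'. Passing severities and/or products narrows the signature set,
    which is what the note after 'Add IDS/IPS Profile' recommends for an inline engine.
    (The criteria shape and filter_name PRODUCT_AFFECTED are assumptions.)"""
    body = {"resource_type": "IdsProfile", "display_name": name,
            "profile_severity": severities or ["CRITICAL", "HIGH", "MEDIUM", "LOW"]}
    if products:
        body["criteria"] = [{"resource_type": "IdsProfileFilterCriteria",
                             "filter_name": "PRODUCT_AFFECTED",
                             "filter_value": list(products)}]
    return body


def rule_payload(name, profile_name, applied_to_groups, prevent=False):
    """IdsRule body. Source, destination and services stay ANY as in the lab; Applied To
    (scope) is restricted to the given groups. prevent=True switches DETECT to DETECT_PREVENT."""
    return {"resource_type": "IdsRule", "display_name": name,
            "action": "DETECT_PREVENT" if prevent else "DETECT",
            "ids_profiles": [f"{PROFILES}/{slug(profile_name)}"],
            "scope": [f"{GROUPS}/{slug(g)}" for g in applied_to_groups],
            "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"],
            "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6"}


def policy_payload(name, rules):
    """IdsSecurityPolicy body with its rules embedded (hierarchical PUT; an assumption)."""
    return {"resource_type": "IdsSecurityPolicy", "display_name": name, "rules": rules}


def cluster_config_payload(cluster_moid, enabled=True):
    """IdsClusterConfig body enabling Distributed IDS/IPS on one vSphere cluster.
    cluster_moid is the vCenter managed object id (domain-cNN); the reference shape is an assumption."""
    return {"resource_type": "IdsClusterConfig", "ids_enabled": enabled,
            "cluster": {"target_id": cluster_moid, "target_type": "ClusterComputeResource"}}


def lab_objects(cluster_moid):
    """(path, body) pairs for everything the lab clicks through, in dependency order."""
    rule = rule_payload("All Distributed IDS", "All IDS Profile", ["ATP Demo"])
    return [
        (SETTINGS, settings_payload()),
        (f"{PROFILES}/{slug('All IDS Profile')}", profile_payload("All IDS Profile")),
        (f"{POLICIES}/{slug('All Distributed IDS Policy')}",
         policy_payload("All Distributed IDS Policy", [rule])),
        (f"{CLUSTERS}/{cluster_moid}", cluster_config_payload(cluster_moid)),
    ]


def put_object(base_url, path, body, user, password, verify_tls=True):
    """PUT one object to NSX Manager with basic auth and return the parsed JSON response.
    verify_tls=False is only for lab managers with self-signed certificates."""
    req = urllib.request.Request(base_url + API_ROOT + path,
                                 data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print what would be sent. Replace the placeholder id (and the hypothetical
    # manager URL/credentials) and uncomment put_object to apply it to a real manager.
    for path, body in lab_objects("CLUSTER-MOID-PLACEHOLDER"):
        print("PUT", API_ROOT + path)
        print(json.dumps(body, indent=2))
        # put_object("https://nsx-manager.example", path, body, "admin", "<password>")
```

The objects are emitted in dependency order (settings, profile, policy with its rule, cluster enable) because the rule references the profile by path and the policy must exist before the cluster starts matching traffic against it. For a production deployment, call `profile_payload` with explicit `severities` and `products` so the inline engine only evaluates signatures that apply to the workloads in scope, and set `prevent=True` on the rule only once you have reviewed detections in DETECT mode.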

Create Gateway Rules

  • Use the Scrollbar to return to the top of the page
  • Click Gateway Rules

Create Shared Gateway Policy

  • Click All Shared Rules
  • Click Add Policy
  • Click New Policy and Type Gateway ATP and hit Enter

Add Rule to Gateway ATP Policy

  • Click the 3 Dots next to Gateway ATP Policy
  • Click Add Rule

Rename Gateway IDS/IPS Rule

  • Click New Rule and Type Gateway IDS and hit Enter
  • Click the Pencil Icon under Security Profile

Select IDS/IPS Profile

  • Click the Radio Button for All IDS Profile
  • Click Apply

Edit Applied To for Gateway IDS Rule

  • Click the Pencil Icon under Applied To

Select Both Tier-1 Gateways

  • Click the Checkbox at the top left to select both Tier-1 Gateways at once
  • Click Apply

Check Gateway ATP Policy and Rules

Check that your Policy and Rules look like the screenshot. It’s important that the Malware Rule is above the IDS Rule, and that both T1 Gateways are selected for Applied To for both rules.

Publish Gateway ATP Policy and Rules

  • Click Publish

View Empty IDS/IPS Events

  • Click IDS/IPS
  • Click Refresh

You can see that we have IDS/IPS configured, but no intrusions have been detected yet. (Click Refresh if needed.)

Intrusions will be detected at both the Distributed and Gateway levels and displayed under IDS/IPS threat event monitoring.

Look for another blog where we will showcase some malicious activities to test NSX ATP capabilities in action.

That’s it for this blog. Have a good one!
