Introduction
IDPS, Network Sandbox and NTA each produce alerts tied to individual hosts. The NDR aggregation engine collects the signals from these individual detection technologies and combines them to reach a verdict (malicious or benign) on network activity. The correlation engine then combines multiple related alerts into an "intrusion campaign." The context engine gathers data from various sources (including sources outside NSX) to add useful context to what the security analyst sees. Together, the NDR (Network Detection and Response) component pulls these alerts together, aggregates them across multiple assets, and gives the SOC or security analyst a high-level picture of all ongoing intrusions.
VMware NSX NDR consists of:
- Manager – correlation and orchestration
- Engine(s) – deep content inspection
- Data Node – anomaly detection
- Sensor(s) – IDPS, NetFlow, detection
It is a network-based solution, so it is agentless by design. The Sensor inspects traffic in sniffing (SPAN/TAP) or inline mode.
The NDR Manager keeps itself updated with a near-real-time feed of detection models from the Global Threat Intelligence Network and syncs them to the Sensors. Based on the traffic it observes, a Sensor sends alerts, traffic anomalies, metadata and extracted content to the Manager. The Manager forwards content to the Engine for forensic analysis and receives alerts back from it, and it checks the Data Node for anomalies. If the activity is judged malicious, the traffic is blocked by sending a TCP reset (for TCP sessions) or a DNS NXDOMAIN reply (for DNS lookups) to the source user or server.
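The pipeline described above (per-host aggregation of detector signals into a verdict, correlation of related hosts into a campaign, and the response chosen for a blocked flow) is easier to reason about with a small model. The following is an added illustrative example, not VMware's code or algorithm: the scoring thresholds, the "shared indicator means same campaign" rule, the field names and the sample alerts are all assumptions made for the demonstration.

```python
"""Illustrative model of an NDR pipeline: aggregate per-host detector
signals into a verdict, correlate malicious hosts into campaigns, and pick
a response action for a blocked flow. Added example; thresholds, field
names and sample data are assumptions, not product behaviour."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts from three independent detection sources
# (IDPS, NTA, Network Sandbox), keyed by the host they relate to.
SAMPLE_ALERTS = [
    {"source": "idps", "host": "10.0.1.10", "proto": "tcp", "confidence": 60, "ioc": "evil.example"},
    {"source": "nta", "host": "10.0.1.10", "proto": "tcp", "confidence": 40, "ioc": "evil.example"},
    {"source": "sandbox", "host": "10.0.1.20", "proto": "dns", "confidence": 90, "ioc": "evil.example"},
    {"source": "nta", "host": "10.0.1.30", "proto": "tcp", "confidence": 30, "ioc": "benign-cdn.example"},
    {"source": "idps", "host": "10.0.2.5", "proto": "dns", "confidence": 85, "ioc": "c2.example"},
]


@dataclass
class HostVerdict:
    host: str
    verdict: str                      # "malicious" or "benign"
    sources: set = field(default_factory=set)
    iocs: set = field(default_factory=set)
    protos: set = field(default_factory=set)


def aggregate(alerts, single_source_threshold=80, multi_source_threshold=2):
    """Aggregation engine: one verdict per host. A host is malicious if a
    single detector is highly confident, or if independent detectors agree
    (assumed rule). Anything else stays benign."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    verdicts = {}
    for host, items in by_host.items():
        sources = {a["source"] for a in items}
        top = max(a["confidence"] for a in items)
        malicious = top >= single_source_threshold or len(sources) >= multi_source_threshold
        verdicts[host] = HostVerdict(
            host,
            "malicious" if malicious else "benign",
            sources,
            {a["ioc"] for a in items},
            {a["proto"] for a in items},
        )
    return verdicts


def correlate(verdicts):
    """Correlation engine: malicious hosts that share an indicator are put in
    the same intrusion campaign (union-find over shared IOCs). Benign hosts
    are left out. Returns a sorted list of sorted host lists."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    ioc_owner = {}
    for v in verdicts.values():
        if v.verdict != "malicious":
            continue
        find(v.host)                        # register the host as its own set
        for ioc in v.iocs:
            if ioc in ioc_owner:
                union(v.host, ioc_owner[ioc])
            else:
                ioc_owner[ioc] = v.host
    campaigns = defaultdict(set)
    for host in list(parent):
        campaigns[find(host)].add(host)
    return sorted(sorted(c) for c in campaigns.values())


def response_action(alert):
    """Sensor response for a flow judged malicious: reset TCP sessions,
    answer DNS lookups with NXDOMAIN, otherwise only log."""
    if alert["proto"] == "tcp":
        return "tcp-rst"
    if alert["proto"] == "dns":
        return "dns-nxdomain"
    return "log-only"


if __name__ == "__main__":
    verdicts = aggregate(SAMPLE_ALERTS)
    for v in verdicts.values():
        print(v.host, v.verdict, sorted(v.sources))
    print("campaigns:", correlate(verdicts))
```

Two points worth noticing in the model: 10.0.1.10 becomes malicious only because two independent detectors agree, neither of which is confident enough alone, which is the value the aggregation step adds; and 10.0.1.10 and 10.0.1.20 land in one campaign because they share an indicator, even though different detectors flagged them. Real products use far richer correlation logic, but the shape of the data flow is the same.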
This product is licensed based on the number of CPUs in the Engine, or through a subscription.
Requirements
- This feature requires the NSX Application Platform (NAPP) to be deployed in the environment
- Requires an additional Advanced Threat Prevention (ATP) license
Deployment of NSX Network Detection and Response
- Check NAPP Health
- Activate NDR
Login to NSX Manager
- Enter the username
- Enter the password
- Click Log In

Check NAPP Health
- Click System
- Click NSX Application Platform
- Check that the platform status is Stable; you may also see a green banner saying that the NSX Application Platform was deployed successfully
- Use the scrollbar to navigate down to the services you can now enable

Activate Network Detection and Response

Run Prechecks for Network Detection and Response
- Click the United States cloud region (you can choose another cloud region based on your location)
- Use the scrollbar to move down the configuration window
- Click Run Prechecks
- Once prechecks complete, click Activate

It takes some time to activate NDR. Once it is activated, you should see the message Activated Successfully! and the Status should show UP.

You can go to the NDR page by clicking the GO TO NSX NETWORK DETECTION AND RESPONSE button, or by clicking the grid icon in the top right corner of the NSX page and then clicking NSX NETWORK DETECTION AND RESPONSE.

The default view of NDR is the Dashboard. It gives a clear visual overview of all detected events, threats and correlated campaigns.
Your dashboard may not look exactly like this.

For how to do threat hunting, please refer to the NSX Advanced Threat Prevention (ATP) Demo blog post. Thank you!