Hydra 1303


VMware NSX Distributed IDS/IPS Solution

from the Hydra High Council, Nov 5th, 2019

NSX has been around for a while now, and since its inception we have seen some game-changing technologies emerge from VMware in the NSX lineup. Looking back around six years, we saw micro-segmentation come to life. It was, and still is, a game-changer for many customers and will continue to bring value for years to come.

As time moved on, we saw the Service-Defined Firewall make its way into the mix, which, combined with AppDefense, makes deploying a zero-trust environment a much easier task.

Next came NSX Intelligence, which aimed to streamline and automate security rule recommendations, and in turn made deploying micro-segmentation a breeze!

Now another layer of security is being added to the NSX Service-Defined Firewall: an optional IDS/IPS offering.

At a basic conceptual level, an IDS/IPS inspects all traffic within its configured scope and determines whether that traffic is malicious. If it is, what happens next depends on the configured action: the system may alert the security team while allowing the traffic to continue (detection mode), or it may attempt to block the traffic while also sending an alert to the SOC (prevention mode).

Customers have been running IDS/IPS solutions for a while now, usually as a separate physical appliance, bundled into a firewall as a unified threat management (UTM) solution, or deployed as one or more virtual appliances. This approach works, but not as well as it could, for a few reasons. One reason: the security appliance typically has no full understanding of how specific applications are supposed to behave and is traditionally an "outsider looking in". This can lead to many issues, such as false positives that block legitimate traffic.

With VMware's NSX IDS/IPS deployment, VMware is able to take advantage of its intrinsic understanding of the services that make up an application and then match IDS/IPS signatures against that context. Because of this, we should see fewer false positives while maintaining a high level of throughput. The latter matters because traditionally we saw throughput drop as more services were stacked on top of each other on a security appliance. Adding to the benefits, we gain the ability to granularly inspect east-west traffic at every workload to detect lateral threat movement. This alone helps mitigate many attacks, since the average dwell time for an attacker who gains access to a customer's data center is roughly 40-50 days! Yes, that long! If we can prevent a bad guy from moving laterally, we greatly reduce the attack surface!

When we compare traditional firewalls and IDS/IPS appliances with VMware's Service-Defined Firewall with IDS/IPS, we see that traditional security appliances are often costly to deploy, can be difficult to manage, and make it hard to keep policy consistent across the enterprise. With VMware's Service-Defined Firewall IDS/IPS solution, we can eliminate many of the pitfalls of traditional security offerings. We can replace traditional IDS/IPS appliances, which reduces both cost and physical footprint. We can more easily achieve regulatory compliance by simply turning on traffic inspection and letting NSX, AppDefense, the Service-Defined Firewall and Distributed IDS/IPS do their magic! We can create rulesets for specific workloads and have those rules applied automatically when new workloads come up, follow those workloads as they move from one cloud to another, and be removed when a workload is decommissioned. The latter greatly reduces firewall rule sprawl, which is never a fun thing to address in a production environment.

Currently, VMware's Distributed IDS/IPS offering is in beta. We are excited to see what comes down the pipeline from the Network and Security team at VMware!