NSX-T 3.0 IDS, What makes it different from other IDS solutions? And how do I configure it?

What Is an Intrusion Detection System (IDS)

Intrusion Detection (ID) is the process of monitoring for and identifying attempted unauthorized system access or manipulation. An ID system gathers and analyzes information from areas within the network to identify possible security breaches which include both intrusions (attack from outside the organization) and misuse (attack from within the organization).

What would a typical IDS deployment look like?

IDS reviews and monitors multiple network flows. IDS appliances gain access to network traffic by connecting to a switch, gateway or firewall configured for port mirroring, or a network tap. This sort of configuration can be commonly found in DMZs.

The above diagram shows an example IDS deployment: traffic to and from the internet is monitored by IDS appliances. It also demonstrates the need for multiple IDS appliances at key choke points within the infrastructure.

So what makes NSX-T IDS different?
NSX-T DFW & IDS Traffic flow

NSX-T IDS is hypervisor-based and sits in front of the vNIC on the ESXi host (see the picture above). The deployment is based on the same concept as the NSX DFW (Distributed Firewall). No agent is necessary; the communication is realized via VMware Tools. A VMware VIB (vSphere Installation Bundle) is rolled out during host preparation. With this implementation you avoid hairpinning traffic: instead of steering flows through a traditional firewall with IPS/IDS, the function is covered directly at the host level, without any dependency on the network or on IP address ranges.

The signatures are provided by the cloud service provider Trustwave directly to the NSX Manager or via a proxy; there is also a manual method, which I'll explain in a later post. Signature updates can be applied immediately, daily or bi-weekly.

What are the use cases for IDS with NSX?

DMZ (Demilitarized Zone)

NSX IDS makes it possible to establish a DMZ (Demilitarized Zone) in software. One approach is to realize this completely at the virtualization level; another is to use dedicated ESXi hosts for the DMZ. The NSX Distributed Firewall (DFW) and the Distributed IDS allow customers to run workloads for different tenants on centralized infrastructure.

Detecting Lateral Threat Movement

Usually, the initial attack is not the actual objective. Attackers try to move through the environment to reach the real target. The NSX Distributed Firewall (DFW) with Layer-7 App-ID features helps a lot here by limiting what an attacker can exploit. For example, the “WannaCry” ransomware attack is based on SMB over ports 445 and 139 and could not be avoided with the NSX DFW. With IDS technology the attack can be detected and a new firewall policy put in place to protect the remaining machines.

Replace physical IDS Systems

Another use case could be to remove the physical firewalls or IDS systems and replace them with NSX.

Meet regulatory compliance
Many data centre workloads have Intrusion Detection System (IDS) requirements for regulatory compliance, e.g. the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, and the Payment Card Industry Data Security Standard (PCI DSS) or the Sarbanes-Oxley Act (SOX) for finance.

How do you configure NSX-T IDS?

You first need to go to the Distributed IDS settings page. To do this, click Security at the top of the NSX-T Manager menu and then Distributed IDS, which is highlighted in the screenshot below.

Configure IDS Settings

The NSX-T Manager needs internet access to download the signatures. Updates can be automatic or manual. It is also possible to define an internet proxy (HTTP/HTTPS).

By default the NSX-T IPS VIBs are deployed when the transport nodes are configured for NSX-T; when configuring the clusters you are simply enabling these features.

Host and Cluster enablement

Configure IDS Profile

The second step is to configure an IDS Profile if you do not want to use the default profile (see the IDS Profile Config picture). During this step, severities can be selected from Critical, High, Medium and Low, which are based on the CVSS (Common Vulnerability Scoring System) score.

To add a new profile click Add IDS Profile, and once configured click Save.

IDS Profile Config

Configure IDS Rules

The last IDS configuration step is to create a policy with IDS rules (see the IDS Rules picture). The administration of IDS rules is very similar to that of DFW firewall rules. An IDS rule configuration includes a name, sources, destinations, services, an IDS profile and the Applied To field.

In the example below I have specified Any source and Any destination for all services with the IDS Profile I created in the previous step, with the rule applied to a group of virtual machines that form a test application.

IDS Rules
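The profile and rule steps above can also be scripted against the NSX-T Policy API instead of the UI. The following is an added example, not code from the original post or from VMware: the API paths, the IdsProfile/IdsSecurityPolicy field names, the manager hostname, credentials and group path are assumptions and placeholders to be checked against the API reference for your version.

```python
import base64
import json
import ssl
import urllib.request

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # choices on the IDS Profile page
PROFILES = "/infra/settings/firewall/security/intrusion-services/profiles"  # assumed path
POLICIES = "/infra/domains/default/intrusion-service-policies"              # assumed path

def ids_profile(profile_id, severities):
    """IdsProfile body (field names assumed from the 3.0 Policy API)."""
    if any(s not in SEVERITIES for s in severities):
        raise ValueError(f"unknown severity in {severities}")
    return {"resource_type": "IdsProfile", "display_name": profile_id,
            "profile_severity": list(severities)}

def ids_policy(policy_id, rule_name, profile_id, applied_to,
               sources=("ANY",), destinations=("ANY",), services=("ANY",)):
    """IdsSecurityPolicy with one DETECT rule, mirroring the UI rule fields."""
    return {"resource_type": "IdsSecurityPolicy", "display_name": policy_id,
            "rules": [{"resource_type": "IdsRule", "display_name": rule_name,
                       "source_groups": list(sources),
                       "destination_groups": list(destinations),
                       "services": list(services),
                       "ids_profiles": [f"{PROFILES}/{profile_id}"],
                       "scope": list(applied_to),  # the Applied To field
                       "action": "DETECT"}]}       # 3.0 IDS detects only

def nsx_patch(manager, path, body, user, password, verify_tls=True):
    """PATCH one policy object onto the NSX Manager; returns the HTTP status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}/policy/api/v1{path}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: self-signed manager certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status

if __name__ == "__main__":  # placeholder manager, credentials and group path
    prof = ids_profile("lab-ids-profile", ["CRITICAL", "HIGH"])
    pol = ids_policy("lab-ids-policy", "test-app-ids", "lab-ids-profile",
                     ["/infra/domains/default/groups/test-app-vms"])
    for path, body in ((f"{PROFILES}/lab-ids-profile", prof),
                       (f"{POLICIES}/lab-ids-policy", pol)):
        print(path, nsx_patch("nsx-manager.example.test", path, body,
                              "admin", "PLACEHOLDER", verify_tls=False))
```

Keeping the profile and policy bodies as plain functions lets you diff what a change will push before it reaches the manager, and re-apply the same policy to another environment without clicking through the UI.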

Testing IDS

Please note that the tests I run are in an isolated lab environment; please consult your network and security teams before running any testing tools in your environment.

Within my lab I use a Kali security appliance (https://www.kali.org) combined with the Legion application. Legion has the ability to scan networks and servers for known Common Vulnerabilities and Exposures. This method generates traffic which the IDS tool can report on.

Below is an example of NSX-T IDS at work: it displays the ongoing intrusions while giving you the criticality of the detected threat and the CVSS details.

IDS detecting the scans being performed

You can drill down into specific details on each threat by clicking on the arrow next to the reported intrusion.

Specific details of the activity