Adaptive Microsegmentation: Next generation cloud security with NSX + AppDefense

Introduction

A modern application is not a piece of software running on a single machine; it is a distributed system: different pieces of software running on different workloads, networked together. And we have thousands of them, all commingled on a common infrastructure or, more recently, spanning multiple data centers and clouds. Our internal networks have evolved to be relatively flat, a decision designed to facilitate organic growth, but this architecture has also unintentionally led to enormous security challenges. In a flat network, if one workload is compromised there are virtually no controls in place to prevent an attacker from moving laterally through the network and compromising every other workload.

Let's see an example of adaptive microsegmentation. Adaptive Micro-segmentation brings together our innovations around network, with VMware NSX, and compute, with VMware AppDefense, to deliver a solution that can:

  • Learn the purpose, composition and intended behavior of all components that make up an application or regulatory scope, at both the network and the compute level.
  • Lock down both the workload and the network elements of the application.
  • Adapt to application changes.

VMware is uniquely positioned to deliver Adaptive Micro-segmentation because it can leverage the existing infrastructure itself, which offers the following benefits:

  • Built-in versus bolted-on (intrinsic security): the network and workload controls that Adaptive Micro-segmentation relies on are built directly into the infrastructure, so no additional boxes or agents need to be bolted on.
  • Unique application context: the visibility and contextual understanding of applications that Adaptive Micro-segmentation uses is derived directly from its position in the infrastructure on which the applications and data run.

Application Discovery

AppDefense Configuration

To verify the details of the Cordsshop e-commerce application, we will first use the AppDefense UI to see what has been discovered about it.

  1. Click the E-commerce application
  2. Click App Topology
  3. Click the App Tier blue circle. Take notice of the details
    • VMs: 2
    • Processes : 136
    • Reputation details
  4. Click the 1 link between App Tier and DB Tier 
  5. Click the php-cgi.exe process to view details
  6. Click back into the app topology
  7. Click the Web Tier blue circle
  8. Take notice of details
  9. Click the 2 link between Web Tier and App Tier
  10. Click the haproxy process to view details
  11. Click back into the app topology
  12. Click the + circle connected to the App Tier
  13. Click the Globe icon to view external connection details
  14. Click the svchost.exe process
  15. Take notice of connection and port details externally
  16. Click back into the app topology
  17. Click Services and Processes

Simple Application Enforcement

NSX Configuration

  1. Press "TAB" to switch to the NSX Manager browser tab
  2. Click Firewall
  3. Verify that the current firewall/segmentation policies are empty
  4. Press "TAB" to switch back to the AppDefense UI
  5. Click Verify and Protect
  6. Click the Verify and Protect button
  7. Press "TAB" to switch to the NSX Manager browser tab
  8. Click on the NSX logo to refresh the page
  9. Take notice that all the enforcement rules for the e-commerce app have been configured and enabled
  10. Press "TAB" to switch back to the AppDefense UI

Application Attack

Hacking Apps 101

Now we have basic microsegmentation configured for our Cordsshop e-commerce application. But what if one of the systems was already compromised? We will take a look at what an attacker might do with that foothold to compromise the business, and how we can stay on top of, and adapt to, behaviors that change. We will first disable the host AV on our system:

Press ENTER to execute each command line once it has been typed.

  1. Press any key to type the command that disables host AV on our App Server
  2. Press any key to type and launch a known Metasploit exploit from the App Server against the SQL DB server, attempting to steal customer data

In the long form of this demo, we first show this exploit working successfully, but given the time and number of clicks involved, we jumped ahead. Here the exploit fails because the basic microsegmentation configured on the app in the previous step locks the application's communications down to the "known good" state. But the attacker already has access to our App Server, so what else could they do if stealing credit card data from the DB isn't working?

  1. Press any key to type and exit Metasploit
  2. Press any key to type and execute a script that hides any trace of the intrusion by wiping the filesystem
  3. Take notice that the App-Tier-1 VM has crashed
  4. Press "TAB" to switch back to the AppDefense UI

Adaptive Micro-segmentation

AppDefense will of course detect immediately that this system has an issue. But beyond raising an alert and letting the administrator know, let's see what else we can do to protect the business from more advanced attacks while still allowing automation to move the business forward as the application changes over time.

AppDefense Configuration

  1. Click Alarms
  2. Click View Alarms
  3. Take notice of the current alarms
  4. Click the check box to select all
  5. Click Clear Alarms
  6. Click the Clear button
  7. Click the E-commerce application
  8. Click the three dots in the upper right
  9. Click Edit Service
  10. Click Rules
  11. Click Alert
  12. Click Block and send alert
  13. Click Alert
  14. Click Block and send alert
  15. Click Update
  16. Press "TAB" to switch back to the attacker CLI
  17. Press any key to type the command that attempts to gain admin/shell access to the App Server

The attacker can no longer gain access to the system.

  1. Press "TAB" to switch back to the AppDefense UI
  2. Click Alarms
  3. Take notice of the Block and send alert alarm

App Behavior Changes 

  1. Click the E-commerce application

Here we are viewing the details of the lsass.exe process on the Windows App Server. Take note of the current inbound/outbound connection definitions. AppDefense uses machine learning to verify what it observes about this process against what the process is known to do on other instances of the same service. We will now look at what it has discovered, and how AppDefense has automatically updated the NSX ruleset for this application based on those changes.

  1. Click Alarms
  2. Click the lsass.exe process notification for the new outbound connection
  3. Take notice that a new external connection over TCP port 389 (LDAP) has been discovered and trusted based on the machine-learning findings
  4. Click the E-commerce application
  5. Click to scroll down and find the lsass.exe process
  6. Click on the lsass.exe process
  7. Click the > icon to expand
  8. Take notice that the new outbound connection's remote address and remote port are now part of this process's trusted/known state
  9. Press "TAB" to switch to the NSX Manager UI
  10. Click the - to minimize the current ruleset
  11. Click the Adaptive Segmentation Rules section
  12. Click the TCP service details
  13. Click Edit Rule Service
  14. Verify NSX has been configured for the new connection to 10.2.2.3 over TCP port 389
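The discovery, enforcement and adaptive steps above are all GUI clicks, so the following is an added example, written for this page and not code from VMware, AppDefense or NSX, that models the logic behind them in plain Python: the discovery baseline (process to destination and port, as in the App Topology view), its flattening into tier-level network allow rules with a default deny (what "Verify and Protect" pushes to NSX), the per-rule "Alert" versus "Block and send alert" setting, and the adaptive update when a verified new connection (lsass.exe to 10.2.2.3 on TCP 389) is added to both the baseline and the ruleset. Tier and process names are taken from the demo; the ports, the external address 203.0.113.10, the attacker-side process names and the service-port table that stands in for the machine-learning verification are constructed assumptions.

```python
# Illustrative code for this page, not AppDefense or NSX code. Tier and process
# names come from the demo; ports, the external address 203.0.113.10 and the
# service-port table used by the verifier are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    src_tier: str  # tier of the workload that opened the connection
    process: str   # process on that workload, e.g. "php-cgi.exe"
    dst: str       # destination tier or remote IP
    port: int
    proto: str = "TCP"

    def key(self) -> Tuple[str, int, str]:
        return (self.dst, self.port, self.proto)


Baseline = Dict[str, Dict[str, Set[Tuple[str, int, str]]]]  # tier -> process -> known flows


def learn_baseline(observed: List[Conn]) -> Baseline:
    """Discovery: every connection seen during learning becomes known-good."""
    base: Baseline = {}
    for c in observed:
        base.setdefault(c.src_tier, {}).setdefault(c.process, set()).add(c.key())
    return base


def to_firewall_rules(base: Baseline) -> List[dict]:
    """Flatten the baseline into network allow rules plus a default deny.
    The network sees (src, dst, port, proto), not the process, so one rule
    covers every process in a tier that uses the same flow."""
    rules: List[dict] = []
    seen: Set[Tuple[str, str, int, str]] = set()
    for tier, procs in sorted(base.items()):
        for keys in procs.values():
            for dst, port, proto in sorted(keys):
                if (tier, dst, port, proto) not in seen:
                    seen.add((tier, dst, port, proto))
                    rules.append({"action": "allow", "src": tier, "dst": dst,
                                  "port": port, "proto": proto})
    rules.append({"action": "deny", "src": "any", "dst": "any",
                  "port": "any", "proto": "any"})
    return rules


def network_allows(conn: Conn, rules: List[dict]) -> bool:
    """First-match evaluation of the flattened rules (the network-side view)."""
    for r in rules:
        if (r["src"] in ("any", conn.src_tier) and r["dst"] in ("any", conn.dst)
                and r["port"] in ("any", conn.port) and r["proto"] in ("any", conn.proto)):
            return r["action"] == "allow"
    return False


def enforce(conn: Conn, base: Baseline, mode: str, verifier: Callable[[Conn], bool]) -> str:
    """Workload-side decision: 'allow', 'learned', 'alert' or 'block+alert'.
    mode is the demo's per-rule setting ("alert" lets a deviation through and
    alarms; "block_and_alert" stops it). verifier stands in for the reputation/ML
    check: when it vouches for a new connection, the baseline is extended."""
    known = base.get(conn.src_tier, {}).get(conn.process, set())
    if conn.key() in known:
        return "allow"
    if verifier(conn):
        base.setdefault(conn.src_tier, {}).setdefault(conn.process, set()).add(conn.key())
        return "learned"
    return "block+alert" if mode == "block_and_alert" else "alert"


LEARNED = [  # constructed learning-phase observations
    Conn("Web Tier", "haproxy", "App Tier", 8080),
    Conn("App Tier", "php-cgi.exe", "DB Tier", 1433),
    Conn("App Tier", "svchost.exe", "203.0.113.10", 443),
]
# Constructed stand-in for "what this service does on other instances":
# lsass.exe using LDAP (389), LDAPS (636) or Kerberos (88) is expected.
KNOWN_SERVICE_PORTS = {"lsass.exe": {389, 636, 88}}


def reputation_verifier(conn: Conn) -> bool:
    return conn.port in KNOWN_SERVICE_PORTS.get(conn.process, set())


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Replay the demo's scenarios; each value is (network view, workload view)."""
    base = learn_baseline(LEARNED)
    rules = to_firewall_rules(base)

    def check(c: Conn, mode: str = "block_and_alert") -> Tuple[bool, str]:
        return (network_allows(c, rules), enforce(c, base, mode, reputation_verifier))

    out = {"php-cgi->DB": check(Conn("App Tier", "php-cgi.exe", "DB Tier", 1433))}
    out["msf->DB:4444"] = check(Conn("App Tier", "msfconsole", "DB Tier", 4444))  # unexpected port
    cmd = Conn("App Tier", "cmd.exe", "DB Tier", 1433)  # permitted flow, wrong process
    out["cmd->DB (alert mode)"], out["cmd->DB (block mode)"] = check(cmd, "alert"), check(cmd)
    ldap = Conn("App Tier", "lsass.exe", "10.2.2.3", 389)  # new, but verified behaviour
    out["lsass->10.2.2.3:389"] = check(ldap)
    rules = to_firewall_rules(base)  # adaptive: push the learned flow to the network layer
    out["lsass after update"] = check(ldap)
    return out
```

Calling run_demo() shows the distinction the demo relies on between the two layers: the Metasploit attempt on an unexpected port is stopped by the network rules alone, whereas cmd.exe reusing the permitted App Tier to DB Tier flow passes the network rules and is only stopped by the workload-level process baseline, and only once the rule is set to block rather than alert. It also shows the caveat a practitioner should keep in mind: whatever the verifier trusts turns into an allow rule at the network layer, so the criteria for trusting a new outbound connection deserve review rather than blanket automation.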

(End of Demo)

Copyright © 2018 VMware, Inc. All rights reserved.