
Micro-segmentation Benchmark NSX Securing “Anywhere” Part VI


Welcome to part 6 of the Micro-segmentation Defined NSX Securing “Anywhere” blog series. Previous topics covered in this series include:

Part I Micro-segmentation Defined

Part II Securing Physical Environments

Part III Operationalizing Micro-segmentation

Part IV Service Insertion

Part V Context, Visibility, and Containment

Previous posts set the stage by introducing and defining the characteristics of micro-segmentation; showing how it has utility in the modern data center; how we might apply it to our existing software-defined and physical networks; how policy-driven NSX management may be used to deliver comprehensive security; and, that we can use physical and virtual third-party security appliances in conjunction with NSX to create a service chain and apply special processing to our vital network flows.

In this sixth part of the NSX Securing “Anywhere” blog, Chris Krueger of Coalfire Systems will preview some of our work in comprehensively benchmarking VMware NSX micro-segmentation. The Micro-segmentation Benchmark is a project being delivered by Coalfire Systems, Inc., an internationally recognized third-party assessment organization (3PAO) and leading provider of IT advisory services for security in retail, payments, healthcare, financial services, higher education, hospitality, government, and utilities. Coalfire has provided VMware independent security validation of much of the VMware product line against regulatory compliance objectives such as HIPAA, PCI DSS, FedRAMP, FISMA, NERC CIP, CJIS, etc. through the VMware Reference Architecture Framework series of papers available on VMware Partner Exchange.

The VMware NSX Micro-segmentation Benchmark is an industry first, and we hope it encourages scientific review of security products from all vendors. We are presenting here a preview of the upcoming “Coalfire Research and Opinion Series” paper titled VMware NSX Micro-segmentation Benchmark: A Micro-audit of NSX Threat Mitigation Effectiveness. If attending VMworld, be sure to check out session SEC10019 and Group Discussion NET10712-GD, where we will dive further into the NSX Micro-segmentation Benchmark and its findings.

Guest Co-Author Chris Krueger, Principal, Cloud and Virtualization, Coalfire Systems, Inc., Coalfire Labs

Objectives of the NSX Micro-audit

The objectives of the NSX micro-audit are to take real-world examples of likely network topologies (network design patterns) and test them against actual threat scenarios taken from the “playbook” of actual “hackers” and penetration testers. Using a reference NSX installation constructed on a multi-cluster VMware ESXi 6.0 test-bed, we wanted to determine the following:

Does VMware NSX functionally satisfy NIST SP 800-125B recommendations VM-FW-R1, VM-FW-R2, VM-FW-R3 and VM-FW-R4?

Are the precepts of micro-segmentation, as defined in the complete definition, satisfied conceptually and in testing by NSX?

Can real-world threats be stopped by NSX in E-W (peer transits on the L2 network) and N-S (network-to-network transits via L3), using industry-standard penetration testing tools?

In this blog, we will focus on the “heart” of the micro-segmentation benchmark: the determination of NSX’s capacity to stop real-world threats, specifically in the E-W (L2) transit direction. In the complete paper, multiple network design patterns depicting five network scenarios are explored, and the NIST SP 800-125B and micro-segmentation complete definition topics are addressed.

Owing to the brevity of this blog, our sampling will concentrate on Design Pattern 1, the Flat Network Segment with Physical Router scenario.

Threat Simulation Methodology

Our examination and testing of the NSX technology is based on simulated exploits that depict likely malware and virus behavior in actual production network scenarios. Our testing uses Rapid7's free edition of Metasploit, running on a Kali Linux VM. This Kali Linux VM performs the function of an exploited machine being used as a vector to attack other machines on the network(s).

Our methodology encompasses several traditional aspects of actual attack techniques used by both autonomous threats and human-coordinated exploits. A brief review of the following cyber kill chain diagram will help illustrate our threat simulation methodology:


Our threat simulation focuses on an abbreviated attack scenario based on the Reconnaissance and Exploitation stages of the kill chain. Specifically, we:

Recon via use of the “db_nmap -v -A {IP Range}” command on the Kali Linux Metasploit console

Presume Weaponization and Delivery, with the particular Metasploit exploit scenario (see below) chosen with knowledge of its lethality on the target machine(s)

Invoke Exploitation by running the Metasploit attack and observing the results via msfconsole. Successful exploitation is evident by Metasploit dropping into the Meterpreter console (SMB and Magento) or other indication of delivery of a lethal payload, in the case of the Java ARA

Abort our threat simulation with an expectation that subsequent Installation, Command and Control, and Actions on Target events would follow an actual Exploitation attack via the Metasploit toolkit

In our particular exploitation scenarios, we are instigating the events through manual use of the MetaSploit console, following these basic steps:

PREPARATION / Recon (2 steps)

DB_NMAP Scanner, All Targets ― Our Metasploit console running on the Kali Linux VM requires a set of target hosts in its database. Pentesters typically use NMAP, either externally or via DB_NMAP, to generate the list of target IPs in preparation for Metasploit exploits and the use of other utilities. We ran db_nmap -v -A before each exploit. Results from the DB_NMAP command generally create an “early revision” of host detail, which has a number of inaccuracies in the table, with approximation of OS version and other details, which a tester typically corrects by loading and running the auxiliary tool SMB_VERSION.
Auxiliary Tool SMB_VERSION, All Targets ― was used to further refine the version, language and option details on all targets. This is a customary step in many pentests to correct inaccuracies in machine OS typing, versions, etc. Our process ran auxiliary/scanner/smb/smb_version before each exploit.
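To make the E-W question for Design Pattern 1 concrete, here is an added example (not code from the paper, Coalfire or VMware) that models the two enforcement points as ordered rule lists and evaluates the recon sweep and the SMB flow the simulation generates from a compromised peer on the same segment. The addresses, tiers and rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology for Design Pattern 1 (one flat segment behind a physical
# router). Addresses, tiers and rules are assumptions for this example only.
SEGMENT = ip_network("10.0.1.0/24")
WEB, DB, COMPROMISED = "10.0.1.20", "10.0.1.10", "10.0.1.50"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any TCP port
    action: str           # "allow" or "block"

def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)

def evaluate(rules, default, src, dst, dport):
    """Ordered, first-match lookup; unmatched flows get the policy default."""
    for r in rules:
        if _in(r.src, src) and _in(r.dst, dst) and r.dport in (None, dport):
            return r.action
    return default

# The same allow-list, enforced at two different points.
POLICY = [
    Rule("clients-to-web", "any", f"{WEB}/32", 80, "allow"),
    Rule("web-to-db", f"{WEB}/32", f"{DB}/32", 1433, "allow"),
]

def perimeter_only(src, dst, dport):
    """Physical-router model: peers on one L2 segment never reach the router."""
    if ip_address(src) in SEGMENT and ip_address(dst) in SEGMENT:
        return "allow"          # E-W transit is not inspected at all
    return evaluate(POLICY, "block", src, dst, dport)

def microseg(src, dst, dport):
    """Distributed-firewall model: policy applied at every vNIC, default block."""
    return evaluate(POLICY, "block", src, dst, dport)
def reachable_ports(enforce, src, dst, ports):
    """Ports a db_nmap-style sweep from src would report open on dst."""
    return [p for p in ports if enforce(src, dst, p) == "allow"]

if __name__ == "__main__":
    probes = [22, 80, 135, 139, 445, 1433, 3389]
    for enforce in (perimeter_only, microseg):
        print(enforce.__name__, reachable_ports(enforce, COMPROMISED, DB, probes), enforce(COMPROMISED, DB, 445))
```

With only the physical router, the compromised VM sees every probed port on the database server and the SMB flow is never inspected; with the per-vNIC policy, the sweep returns nothing and the SMB flow is blocked while the web tier's legitimate flows still pass.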
EXPLOITS / Weaponization (one or several used)

We use the following exploits, which are listed here with reference information that is used to locate them in various threat databases, or is commonly the “handle” for the particular weapon.

Classic Worm Exploit SMB MS08-067 Remote Code Execution

Targeting Windows servers and XP workstations and possibly the
