Primer Series: NAPP - Malware Prevention

Introduction

The NSX Malware Prevention application uses a combination of techniques including hash-based detection of known malicious files, local analysis of unknown files, as well as cloud-based analysis via the NSX Advanced Threat Prevention cloud service where files can be detonated (opened) in a sandbox environment to be able to identify potentially malicious, unknown threats before they can be run within a datacenter.

Prerequisites

NSX Malware Prevention requires NSX-T Data Center version 3.2.0 or higher, as well as NSX Application Platform (NAPP). To see deployment requirements of NAPP please refer to the first article in this Primer Series on NAPP here.

NAPP features are available based on your licensing level.

License requirements

• NSX Data Center Evaluation
• NSX-T Evaluation
• NSX Advanced Threat Prevention (Only applicable for customers who have previously purchased the license)
• NSX Advanced Threat Prevention add on for NSX Distributed Firewall with Threat Prevention
• NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
• NSX Distributed Firewall with Advanced Threat Prevention
• NSX Gateway Firewall with Advanced Threat Prevention
• NSX Advanced Threat Prevention add on for NSX Gateway Firewall
• NSX-T Advanced with NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
• NSX-T Enterprise Plus with NSX Advanced Threat Prevention add on for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus

External network connectivity

In addition, NSX Malware Prevention requires outbound TCP port 443 to allow HTTPS connections to VMware's NSX Advanced Threat Prevention cloud service.

💡 NSX Malware Prevention application can function as designed only when your NSX-T Data Center is connected to the internet

Once NAPP is deployed, the tile for enabling the NSX Malware Prevention feature will appear at the bottom of the NSX Application Platform page under 'Features' by navigating to System > NSX Application Platfrom from within the NSX-T Manager web UI.

VMware tools

To leverage the NSX Malware Prevention feature, virtual machines require a modified or complete installation of VMware Tools to include the 'NSX File Introspection' thin agent. The NSX File Introspection thin agent is a security feature which enables the offloading of anti-virus and anti-malware agent processing from the local VM to a dedicated virtual appliance known as a Service Virtual Machine (SVM) which is deployed as a VM within each host of a protected cluster.

Service Virtual Machine (SVM)

Service Virtual Machines are responsible for processing files opened or transmitted within a VM to ensure they are not malicious. SVM's are deployed via an OVF bundle downloaded from the 'Download VMware NSX-T Data Center' page. The OVF bundle includes four files:

• .ovf - OVF file
• .mf - manifest file
• .cert - certificate file
• .vmdk - disk file

SVM's are deployed to all ESXi hosts within a cluster enabled for malware prevention. This is done by hosting the OVF binaries on a web server which meets the following requirements:

• Unauthenticated access over HTTP
• The web server must be accessible to the NSX Manager, all ESXi hosts within clusters which protection is needed, and all vCenter server instances registered as Compute Managers with NSX-T.
• MIME types for extracted files must be defined within the web server

After the web server has been stood up and the OVF bundle of files are hosted on the web server we will need to register the web server with the NSX-T Manager so malware protected hosts can deploy the Service Virtual Machines. This is done via an API call to the NSX-T Manager with the web server URL and SVM version defined within the API call POST body.

API URL:

POST <https://nsxt-mgr.lab.local/napp/api/v1/malware-prevention/svm-spec>

Body:

{ 
"ovf_url" : "<http://mps-web.lab.local/nsx-svm-appliance-3.2.1.0.0.19801960.ovf>", 
"deployment_spec_name" : "NSX_Distributed_MPS", 
"svm_version" : "3.2"
}

Distributed Malware Prevention

Distributed malware prevention provides VM file level protection within the NSX Data Center. Distributed malware prevention is enabled at the cluster level. Once enabled, each host will download the OVF binaries from the customer deployed web server and deploy one SVM per host. Once the required SVM's are up and running, malware prevention policies can be created. To deploy the SVM's, navigate within the NSX-T Manager web UI to System > Service Deployments > Deployment > DEPLOY SERVICE. Malware prevention polices as of NSX-T version 3.2.0 only supports Windows virtual machines and is limited to Windows Portable Executable (PE) files which do not exceed 64MB in size. These limitations are important to keep in mind when creating malware policies. Distributed malware polices are able to be created by navigating to Security > IDS/IPS & Malware Prevention > Distributed Rules> + Add Policy within the NSX-T Manager web UI.

Once all the polices have been created, click 'PUBLISH' in the top right corner of the ruleset.

Gateway Malware Prevention

 💡 The Gateway Malware Prevention Feature is supported beginning in NSX-T Version 3.2.1

Gateway malware prevention can be enabled on Tier-1 Gateways to provide north/south malware protection. Enabled NSX Tier-1 Edge VM's monitor and extract files being sent or received via traffic traversing member Edge's. This security feature is available only on Edge's of VM form factor with a size of 'Extra Large'. Bare metal and Public Cloud Gateways are not supported as of NSX version 3.2.0. Gateway Malware Prevention is enabled on a per Tier-1 Gateway basis and can be done by navigating to Security > IDS/IPS & Malware Prevention > Settings within the NSX-T Manager web UI.

Gateway Malware Prevention polices supports protection against multiple file categories. Whereas, Distributed Malware Prevention only supports Windows Portable Executable (PE) files within Windows VMs. As of NSX-T version 3.2.0 the following Gateway categories are supported.

• Executable
• Document
• Script
• Archive
• Data
• Media
• Other - (.website, .url, .htm, .html, .eml)

💡 For a list of supported file extension details within each category please refer to the VMware NSX-T Administration Guide

To create a Malware Prevention Security Profile navigate to Security > IDS/IPS & Malware Prevention > Profiles > Malware Prevention > ADD PROFILE . From here customized profiles can be created by only selecting which file types you want to be monitored. In addition, users can toggle whether or not unknown files should be sent to VMware's NSX Advanced Threat Prevention cloud service for further analysis. Cloud analysis involves detailed analysis techniques to determine whether a file is benign, malicious or suspicious.

Techniques leveraged through cloud analysis:

• Sandboxing and behavioral analysis
• Statistical algorithms
• Artificial Intelligence and machine learning
• Deep content inspection

Malware Prevention policies can be created on a per Tier-1 Gateway basis by navigating to Security > IDS/IPS & Malware Prevention > Gateway Rules . From the 'Gateway Rules' page select the Tier-1 Gateway on the dropdown menu at the top of the page and click on the '+ ADD POLICY' button to begin. Populate the columns as needed to define/limit the scope of what traffic should be monitored and apply the desired 'Security Profile' created earlier.

Malware Prevention Dashboard

NSX Malware Prevention events are displayed on the Malware Prevention dashboard. Events are generated when files are extracted by either the IDS engine on NSX Edges for north/south taffic or by the NSX Guest Introspection agent installed via VMware tools within VM's for distributed east/west traffic. Scanned files are determined to either be benign, malicious or suspicious. File events and statistics within the dashboard are able to display a maximum of two million events dating back up to fourteen days. The Malware Prevention dashboard can be viewed within the NSX-T Manager web UI by navigating to Security > Malware Prevention. Within the Malware Prevention page there are two tabs, 'Potential Malware' and 'All Files'. The Potential Malware tab is the default landing page within the Malware Prevention dashboard. The Potential Malware page is broken into two sections with the top containing a timeline chart with flagged malicious files plotted on a chart with their icon size being relative to the severity score assigned. Severity scores are assigned to each flagged file to provide security engineers a threat context at a glance file by file.

Severity scores are broken down into three ranges:

The bottom section contains a table listing in chronological order (by default) the most recently flagged files. Each flagged row can be expanded to provide further details such as affected clients, file details and whether the malicious file is tied to an ongoing campaign. When a file is flagged, an analysis report is automatically generated with a clickable link to review further details surrounding the file. Additional details within the report are also available via a VirusTotal.com link to view the Virus Total report.

The 'All Files' tab shows an aggregated list of all unique files that have been extracted within the data center, including files determined to be benign. The default view is one hour however, different time periods are viewable via a dropdown menu up to fourteen days back.

Conclusion

VMware's NSX Malware Prevention application within the NSX Application Platform offers customers a native, lightweight solution to protect endpoints within an NSX protected data center. By offering native NSX anti-malware protection within VMware's security suite, companies can now easily deploy NSX, buildout and manage their SDN, security and endpoint protection all within a single homogenous SDDC solution.