Introduction

VMware's NSX Intelligence application has evolved into a data center network security analytics platform which provides visibility into the security posture of your NSX-T Data Center environment. One of the ways users gain visibility is through the network traffic visualization pane within the NSX-T manager UI. Users are able to see what information has been gathered by the Intelligence appliance over a set amount of time through monitoring of network flows within the NSX-T Data Center environment.

Another feature of the NSX Intelligence application is its ability to make security policy recommendations at the Distributed Firewall (DFW) level to protect workloads and assist users in creating a zero-trust, secure environment.

NSX Intelligence also acts as an analytics engine and network traffic monitor, which lets it establish a baseline of traffic behavior for all NSX-T Data Center workloads. With this baseline it is able to observe suspicious traffic when it occurs and compare that traffic both against the known baseline and against a set of sensors called 'Detectors', which are based on the MITRE ATT&CK Framework. The detectors provide further, intelligent analysis of the traffic to reduce false positives and give users the context they need to act quickly and efficiently to stop unwanted network traffic within their data center.

Prerequisites

The NSX Intelligence appliance has moved from an OVA-deployed virtual machine appliance to a microservices deployment within the NSX Application Platform (NAPP). This change comes with some prerequisites not previously required.

NSX Intelligence in its latest form requires NSX-T Data Center version 3.2 or higher as well as NAPP to be deployed. For the deployment requirements of NAPP, refer to the first article in this Primer Series on NAPP here. NAPP features are available based on your licensing level. The NSX Intelligence application requirements are as follows:

License requirements:

  • NSX-T Evaluation
  • NSX-T Enterprise Plus
  • NSX Data Center Evaluation
  • NSX Data Center Enterprise Plus
  • NSX Distributed Firewall
  • NSX Distributed Firewall with Threat Prevention
  • NSX Distributed Firewall with Advanced Threat Prevention
  • NSX Data Center Advanced or NSX-T Advanced with one of the following Threat Prevention Add-On licenses
    • NSX Advanced Threat Prevention
    • NSX Threat Prevention Add-On for Distributed Firewall
    • NSX Advanced Threat Prevention Add-On for NSX Distributed Firewall, NSX Data Center Advanced, or NSX Data Center Enterprise Plus

💡 License requirements can change. Please consult with your WWT account manager to ensure you are getting the correct license for your organization's needs.

Once NAPP is deployed, the tile for enabling the Intelligence feature appears at the bottom of the NSX Application Platform page under 'Features', reached by navigating to System > NSX Application Platform from within the NSX-T Manager web UI.

NAPP Feature Deployment

NSX Intelligence Views and Flows

The updated NSX Intelligence application still provides the familiar Views and Flows pane from previous versions. It can be opened within the NSX-T Data Center web UI by navigating to Plan & Troubleshoot > Discover & Take Action. Here, users can visualize network traffic flows between applications at the virtual machine, physical server or IP address level, or at a combination of those compute entities. The default view is the 'Groups' view; it can be changed and customized to filter by 'Compute' objects, or to select individual objects or a group of objects. Displayed flows can be narrowed by time, from the current moment (Now) back to one month. To simplify the visualization pane, all flows are drawn as colored lines to signify:

  • 'Unprotected' flows in red
    • Unprotected flows are represented with a red dashed line to identify observed network traffic that did not match any user-defined DFW rule. This is highlighted in red to draw the user's attention to creating a more granular security policy for this flow type instead of relying on the default ruleset within the DFW.
  • 'Blocked' flows in blue
    • Blocked flows are represented with a solid blue line to signify traffic flows which were processed by a 'Drop' or 'Reject' rule within the DFW ruleset.
  • 'Allowed' flows in green
    • Allowed flows are represented with a solid green line to signify traffic flows which were processed by an 'Allow' rule within the DFW ruleset.

NSX Intelligence Views and Flows

Objects within the Views and Flows pane are clickable, allowing users to drill down and focus the view on a particular object, as well as to get individual flow details for any group or compute entity within the NSX-T Data Center environment. For 'Blocked' and 'Allowed' flows, users can see which DFW rule ID matched the flow, along with additional details of the source and destination compute entities: which process (VM only) within the application generated the flow, and under which user account.

The NSX Intelligence Views and Flows pane is a powerful tool which users can leverage to gain visibility into their NSX-T Data Center environment. It lets users visualize workloads clustered into granular groups and provides context through a hierarchical application map that can scale to tens of thousands of workloads to accommodate even large environments, while still providing the detailed context at the workload level that organizations need on their path toward a Zero-Trust security model.

Micro-segmentation rule recommendations

The NSX Intelligence rule recommendation feature enables users to automatically generate micro-segmented policy recommendations based on the network traffic flows observed within the NSX-T Data Center environment. Generated micro-segmentation policy recommendations are able to be reviewed, edited, and published directly to the DFW ruleset. The rule recommendation engine can be run on workloads multiple times in an iterative process over time as applications grow and change.

The rule recommendation engine is started by navigating to Plan & Troubleshoot > Recommendations > START NEW RECOMMENDATION. Here users define which entities are to be analyzed and the time range within which network traffic flows should be considered. Users can also choose which traffic direction to monitor and how security policies should be generated: either compute-based (NSX-T inventory objects) or IP-based, where policies are generated based on IP address. Security policies can be created at Layer 7 or Layer 4. Up to one hundred virtual machines or physical servers, with groups of up to two hundred fifty entities, are supported per rule recommendation session; however, multiple sessions can be created, in which case the sessions are processed serially.

The rule recommendation engine is able to make recommendations for the following objects:

  • Security Policies
  • Security Groups
  • Services (port and protocol)
    • Service recommendations are generated to cover application communication where services have not yet been defined within the NSX-T Data Center inventory.

Policies published via the rule recommendation engine are placed within the application-level category of the DFW.

The NSX Intelligence rule recommendation engine is able to generate specific, targeted application-level security policies through fully distributed, in-line packet inspection at the hypervisor level. This distributed approach allows for highly scalable, efficient network traffic flow analysis with minimal overhead.
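The two ideas above, colouring an observed flow by which DFW rule processed it (the Views and Flows section) and turning the unprotected flows into group, service and policy recommendations (this section), fit together in one small model. The following Python is an added example written for this article; it is not NSX Intelligence code and does not reproduce VMware's actual matching or recommendation algorithm. The workload names, groups, rule IDs, service inventory and flows are all constructed, first-match rule evaluation with a trailing default rule is assumed, and the recommendation step is deliberately simplified to one ALLOW rule per (source group, destination group, service) triple seen in unprotected traffic.

```python
from __future__ import annotations
from dataclasses import dataclass

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Flow:
    src: str    # source workload (compute-based view)
    dst: str    # destination workload
    proto: str  # "TCP" or "UDP"
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                        # "ALLOW", "DROP" or "REJECT"
    sources: frozenset[str] | None = ANY
    dests: frozenset[str] | None = ANY
    services: frozenset[tuple[str, int]] | None = ANY  # (proto, port) pairs
    is_default: bool = False                           # the DFW default rule, not user-defined


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A field matches when it is ANY or contains the flow's value."""
    return ((rule.sources is ANY or flow.src in rule.sources)
            and (rule.dests is ANY or flow.dst in rule.dests)
            and (rule.services is ANY or (flow.proto, flow.port) in rule.services))


def classify_flow(flow: Flow, rules: list[Rule]) -> tuple[str, int | None]:
    """First-match evaluation (assumed DFW semantics). Returns the Views and Flows
    colour class and the ID of the rule that processed the flow:
      UNPROTECTED (red dashed): only the default rule matched, or no rule did
      BLOCKED (solid blue):     a user-defined DROP or REJECT rule matched
      ALLOWED (solid green):    a user-defined ALLOW rule matched"""
    for rule in rules:
        if rule_matches(rule, flow):
            if rule.is_default:
                return "UNPROTECTED", rule.rule_id
            return ("ALLOWED" if rule.action == "ALLOW" else "BLOCKED"), rule.rule_id
    return "UNPROTECTED", None


def recommend(flows, rules, group_of, known_services):
    """Simplified recommendation model (assumption, not the product's algorithm):
    every UNPROTECTED flow becomes an ALLOW rule between the workloads' groups,
    and any (proto, port) missing from the service inventory becomes a new service."""
    inventory = {svc: name for name, svc in known_services.items()}
    new_services = {}
    rule_keys = set()
    for flow in flows:
        status, _ = classify_flow(flow, rules)
        if status != "UNPROTECTED":
            continue
        svc = (flow.proto, flow.port)
        name = inventory.get(svc)
        if name is None:                      # service not yet in inventory
            name = f"{flow.proto}-{flow.port}"
            new_services[name] = svc
        rule_keys.add((group_of[flow.src], group_of[flow.dst], name))
    return {
        "groups": sorted({g for s, d, _ in rule_keys for g in (s, d)}),
        "services": new_services,
        "rules": [{"action": "ALLOW", "source": s, "destination": d,
                   "service": svc, "category": "Application"}   # application-level category
                  for s, d, svc in sorted(rule_keys)],
    }


# ---- constructed sample environment (not real NSX data) ----
KNOWN_SERVICES = {"HTTPS": ("TCP", 443), "MySQL": ("TCP", 3306)}
GROUP_OF = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db", "jump-01": "mgmt"}
RULES = [
    Rule(1001, "ALLOW", frozenset({"web-01", "web-02"}), frozenset({"app-01"}), frozenset({("TCP", 8443)})),
    Rule(1002, "REJECT", ANY, frozenset({"db-01"}), frozenset({("TCP", 22)})),
    Rule(2, "ALLOW", is_default=True),       # default rule sits last
]
FLOWS = [
    Flow("web-01", "app-01", "TCP", 8443),   # hits user rule 1001 -> ALLOWED
    Flow("jump-01", "db-01", "TCP", 22),     # hits user rule 1002 -> BLOCKED
    Flow("app-01", "db-01", "TCP", 3306),    # only default rule -> UNPROTECTED, known service
    Flow("app-01", "db-01", "TCP", 3306),    # duplicate flow, collapses into one rule
    Flow("jump-01", "web-02", "TCP", 9001),  # only default rule -> UNPROTECTED, unknown service
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", classify_flow(flow, RULES))
    print(recommend(FLOWS, RULES, GROUP_OF, KNOWN_SERVICES))
```

Running the sample yields one recommended service (TCP-9001) and two ALLOW rules (app to db on MySQL, mgmt to web on TCP-9001); the blocked and allowed flows generate nothing, which mirrors the page's point that red flows are the ones that call for a more granular policy.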

Suspicious traffic

The NSX Intelligence application is an analytics engine that monitors network traffic flows throughout an NSX-T Data Center environment. By monitoring and caching thirty days of network traffic flows, the Intelligence appliance builds a holistic picture of what "normal" day-to-day traffic looks like within each NSX-T Data Center environment. Armed with this information, NSX Intelligence is able to detect suspicious traffic, such as abnormal activity and malicious behavior. When traffic is flagged as suspicious, the flagged flows are further analyzed by the supported detectors to provide additional context and identify the activity taking place more precisely.

Detectors are monitoring sensors used to detect events within network traffic flows based on the MITRE ATT&CK Framework. All Detectors are disabled by default. Detectors can be enabled and modified via exclusion lists and likelihood values to tune them to fit environmental needs. Detectors can be viewed and enabled by navigating to Security > Suspicious Traffic > Detector Definitions.
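To make the baseline-plus-detector idea from the last two paragraphs concrete, here is an added Python example written for this article. It is not NSX Intelligence code: VMware's real detectors and likelihood scoring are not public, so the two detectors below (a never-before-seen workload pairing, and a volume spike against a per-flow baseline), their tactic labels, the likelihood formulas, and the 30 days of per-flow daily counts are all constructed assumptions. What it does reproduce from the page is the control surface: detectors are disabled by default, each carries an exclusion list and a likelihood threshold, and only findings at or above that threshold are reported.

```python
from __future__ import annotations
from collections.abc import Callable
from dataclasses import dataclass, field
from statistics import mean, pstdev

FlowKey = tuple[str, str, str, int]  # (src workload, dst workload, proto, dst port)


@dataclass
class Baseline:
    """Daily flow counts per key over the learning window (thirty days on the page)."""
    history: dict[FlowKey, list[int]]

    @classmethod
    def from_daily_counts(cls, days: list[dict[FlowKey, int]]) -> Baseline:
        keys = {k for day in days for k in day}
        return cls({k: [day.get(k, 0) for day in days] for k in keys})

    def seen_ports(self) -> set[int]:
        return {key[3] for key in self.history}


# A check returns (likelihood in 0..1, reason) or None when nothing looks suspicious.
def new_flow_check(key, count, baseline):
    """Pairing of two workloads never observed during the baseline window (assumed scoring)."""
    if key in baseline.history:
        return None
    if key[3] in baseline.seen_ports():
        return 0.6, "new pairing on a service already seen in the environment"
    return 0.9, "new pairing on a service never seen in the environment"


def volume_spike_check(key, count, baseline):
    """Known flow whose daily count is far above its baseline mean (z-score, assumed scoring)."""
    hist = baseline.history.get(key)
    if not hist:
        return None
    std = max(pstdev(hist), 1.0)  # floor: a constant-rate flow would otherwise divide by zero
    z = (count - mean(hist)) / std
    if z < 3:
        return None
    return min(1.0, z / 5), f"{count} flows vs baseline mean {mean(hist):.1f} (z={z:.1f})"


@dataclass
class Detector:
    name: str
    tactic: str                    # ATT&CK tactic the detector is mapped to (illustrative mapping)
    check: Callable
    enabled: bool = False          # disabled by default, as on the page
    likelihood_threshold: float = 0.5
    excluded_workloads: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    detector: str
    tactic: str
    key: FlowKey
    likelihood: float
    reason: str


def run_detectors(baseline: Baseline, today: dict[FlowKey, int], detectors: list[Detector]) -> list[Finding]:
    """Run every enabled detector over today's flow counts, honouring exclusions and thresholds."""
    findings = []
    for det in detectors:
        if not det.enabled:
            continue
        for key, count in today.items():
            if key[0] in det.excluded_workloads or key[1] in det.excluded_workloads:
                continue
            result = det.check(key, count, baseline)
            if result is None or result[0] < det.likelihood_threshold:
                continue
            findings.append(Finding(det.name, det.tactic, key, result[0], result[1]))
    return sorted(findings, key=lambda f: (f.detector, f.key))


# ---- constructed sample data (not real NSX data) ----
KEY_WEB_APP = ("web-01", "app-01", "TCP", 8443)
KEY_APP_DB = ("app-01", "db-01", "TCP", 3306)
KEY_JUMP_DB = ("jump-01", "db-01", "TCP", 22)
KEY_WEB2_APP = ("web-02", "app-01", "TCP", 8443)
KEY_SCAN_DB = ("scanner-01", "db-01", "TCP", 3306)

# Thirty days of steady web->app traffic and constant app->db traffic.
BASELINE = Baseline.from_daily_counts(
    [{KEY_WEB_APP: 100 + d % 3, KEY_APP_DB: 40} for d in range(30)])

# "Today": a spike, a normal day, two new pairings and a sanctioned scanner.
TODAY = {KEY_WEB_APP: 180, KEY_APP_DB: 41, KEY_JUMP_DB: 1, KEY_WEB2_APP: 12, KEY_SCAN_DB: 3}

DETECTORS = [
    Detector("new-internal-flow", "Lateral Movement", new_flow_check, enabled=True,
             excluded_workloads={"scanner-01"}),   # exclusion list: known vulnerability scanner
    Detector("volume-spike", "Exfiltration", volume_spike_check, enabled=True),
]

if __name__ == "__main__":
    for f in run_detectors(BASELINE, TODAY, DETECTORS):
        print(f"{f.detector:18} {f.tactic:17} {f.likelihood:.2f} {f.key} {f.reason}")
```

With the sample data the scanner's new connection is suppressed by the exclusion list, the web-02 pairing is reported at likelihood 0.6 under the default threshold but disappears if the threshold is raised to 0.7, and a detector that is left at its default (disabled) produces no findings at all; those are exactly the three tuning knobs the page describes.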

As of NSX Application Platform (NAPP) version 3.2.0, the detectors curated from the MITRE ATT&CK framework and available to be enabled are listed here.

Detectors Table

Traffic flagged as suspicious is reported using the nomenclature defined below.

Suspicious Traffic Terminology

If the Network Detection and Response (NDR) feature within NAPP is also enabled, suspicious traffic is forwarded to VMware's NSX Advanced Threat Prevention cloud service for further analysis. Network Detection and Response (NDR) is covered in the next article within this primer series.