VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control

NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control Allen Shortnacy, VMware SEC5820 #SEC5820


VMworld 2013 Allen Shortnacy, VMware Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control

Page 1: VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control

NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control

Allen Shortnacy, VMware

SEC5820

#SEC5820

Page 2

Privileged User Risk

Page 3

What Analysts Are Saying

“A compromise of the virtualization platform is a worst-case security scenario that places all the VMs hosted on the virtualization platform at risk.”

“Hypervisor security protection should be treated as a defense-in-depth problem, using multiple strategies to ensure the overall integrity of this critical layer.”

- Gartner*

* Gartner, Inc. “Hype Cycle for Virtualization, 2012”, Phil Dawson, Nathan Hill, July 24, 2012

Page 4

Events Demonstrate the Risk

Jason Cornish, former Shionogi Pharma IT staffer, pled guilty to a Feb ‘11 computer intrusion

– Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, and other services

– Shionogi’s operations were frozen for days: unable to ship product, unable to issue checks, unable to send email

Page 5

About Privileged Users

Cloud and SDDC have expanded the universe of threats from privileged users

• Administrators have accumulated more effective rights due to shared resources

• Often with poor accountability for actions, whether malicious or just dumb

Advanced persistent threats are real

• If they are in your environment, these privileged user accounts are likely targets for compromise

• If you are using shared accounts, tracing activities to a specific user is very difficult

Few organizations rely on multi-factor authentication across all user communities

• Solutions and techniques are readily available to ensure the identity of who is on your systems

• Identity rarely ties to a comprehensive authorization policy for privileged user activities

• This necessitates an approach to effectively monitor all activities tied to strongly identified privileged user sessions

Page 6

Four Steps to Controlling Privileged Users in the SDDC

Create Controlled Access Points to the SDDC Edge

• NSX Edge VPN Services or a partner such as Xceedium

• Establish LDAP Role Based Access Controls to govern session criteria

• Provide a ‘jump box’ configured with the desired client applications/browser

Establish NSX Identity Aware Firewall Policies

• Propagate identity context of the remote session to the NSX Edge firewall

• Ensures LDAP Group membership to access the target application

Provide a Prescribed Session for Conducting Administrative Activities

• Time bound sessions, privileged user password vaulting, multi-factor authentication, etc.

• Integration with other services to dynamically define session criteria

Leverage User Activity Monitoring for Audit

• Expands typical source/destination log information to application context

• Integrating syslog data with an event correlation engine provides other integration possibilities

Page 7

NSX Edge SSL VPN Services

Role: all SDDC and application admins

Step 1: Enable SSL service

Step 2: Configure private network

Step 3: Dynamic IP pool (the remote user will get an IP in this range)

Step 4: Client install package

Step 5: Configure user authentication methods

• Local database

• AD

• LDAP

• RADIUS

• RSA

Configuration is now complete; the user is ready to connect.

[Diagram: a remote user on the Internet connects to the NSX Edge SSL VPN (virtual IP 192.168.27.2; external interface 10.112.243.45, internal interface 192.168.1.1; VSM at 10.112.243.44) and reaches the corporate LAN 192.168.1.0/24]

NSX Edge SSL-VPN provides controlled access to a jump box with administrative tools located in a controlled location

Page 8

NSX Edge VPN with AES-NI

Up to 40% performance increase by supporting the Intel® AES-NI (AES New Encryption Instruction Set).

The Edge offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.

No user configuration needed to enable – AES-NI support in hardware is auto-detected.

Supports both pre-shared key (PSK) and certificate authentication mode

Encryption algorithms – 3DES, AES (128 and 256 bits)

Performance – 1 Gbps throughput

Page 9

Step 1: Establish Secure Bastion Host DMZ with NSX Edge

Providing access to tools used for administrative tasks must be controlled with role based access to an approved session

Role                                     Action
SDDC Administrator                       NSX Edge Manager: configure SSL-VPN/AD integration; configure ‘Jump Box’
Application or Database Administrator    Xceedium: establish policies for admin actions on protected assets

[Diagram: VXLAN network fabric with 802.1Q segments, WAN and Internet]

Page 10

VMworld 2013

June, 2013

Page 11

The Problems We Solve

– Protect Enterprises from Privileged User Risks

– Manage Privileged Access Across Traditional, Virtualized, Cloud, and Hybrid Enterprises

– Enforce Audit and Compliance Controls

– PCI DSS, HIPAA/HITECH, NERC CIP, FISMA, SOX

– Enable Secure Migration of Enterprise Applications to the Cloud

– Federate Privileged Identity Across Hybrid Cloud Architectures

© 2013 Xceedium, Inc.

Page 12

Introducing Privileged Identity Management for the New Enterprise

Control and Audit All Privileged Access

• Vault Credentials

• Centralized Authentication

• Federate Identity

• Privileged Single Sign-on

• Role-Based Access Control

• Monitor & Record Activity

• Full Attribution

• Protect End Systems, Consoles, APIs

Identity Integration – Enterprise-Class Core – Unified Policy Management

Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking

New Enterprise:

• Virtualized Data Center – VMware Console / APIs

• SaaS Applications – SaaS App Console

• Public Cloud - IaaS – Cloud Console / APIs

Delivered as: Hardware Appliance, Cloud Appliance, OVF Virtual Appliance

Page 13

Xsuite for VMware: PIM for VMware vSphere and vCloud

Auto-discovery and provisioning of all VMware Infrastructure Virtual Machines via VMware’s API.

• Dynamic discovery and provisioning for access of Virtual Machines

Role-Based Privileged Access Control & Single Sign-On across:

• Enterprise systems, vCenter, vShield, vCloud Director, and the new NSX Consoles, as well as physical and Virtual Machines

Separation of Duties for vCenter, vShield, vCloud Director, and NSX Console

Full Audit Trail and Session Recording across:

• Enterprise systems, vCenter, vShield, vCloud Director, NSX Console, and all Virtual Machine privileged user sessions

• API access to VMware vShield & vCloud

Password and Access Key Management:

• Vaulting and lifecycle management of all privileged user credentials for: enterprise systems, vCenter, vShield, vCloud Director, and NSX Console, AD based Console users and Virtual Machines.

Strong Authorization and Attributed Use:

• Support for multi-factor authentication

• Detailed record of who is using each account, even for shared accounts (vCenter, vShield, vCloud Director, and the new NSX Console, Unix root accounts, Windows admin accounts)

Page 14

VMware Reference Architecture

VMware VM target server connection in a controlled, audited, and recorded enterprise network

[Diagram: privileged users with the Xceedium client authenticate to the Xsuite OVF based virtual appliance; Xsuite authenticates the user/group against AD/LDAP and a RADIUS server (PIV/CAC revocation server and ADFS server also shown); the client receives transparent access to the VMware vSphere Console, VMware vCloud Director, VMware vShield Console, VMware NSX Console and the VM target devices behind them; sessions and audit data flow to Syslog, Splunk, VMware Log Insight and session recordings]

Virtual Machines are discovered by the VI SDK API and provisioned via vCenter tagging.

User authenticates to Xsuite with credentials, PIV, CAC, or smartcard. Xsuite authenticates the user/group with AD/LDAP & RADIUS. The client receives transparent access to the target server.

Post API/sessions: the user is logged in as the provisioned user to the provisioned org with access, recording and audit.

Full audit of all VMware Console & Virtual Machine privileged user activity

Page 15

Demo: Establish NSX Edge SSL-VPN and Partner Solutions

Page 16

Step 2: Protect Your Secure Zones with NSX Identity Firewall

It is critical to provide purpose driven firewall rules that restrict access to controlled VMs to only those nodes which require access

Role                                     Action
SDDC Administrator                       In Service Composer / Firewall: edit source / destination
Application or Database Administrator    Edit identity based security groups

[Diagram: VXLAN network fabric with 802.1Q segments, WAN and Internet]

Page 17

Identity Based Access Control

Active Directory user: Eric Frost (IP: 192.168.10.75)

Rule Table

Source (AD)   Destination    Source IP       Destination IP
DBA           vPostgres-GL   192.168.10.75   192.168.10.78

Logs

User         AD Group   App Name      Originating VM Name   Destination VM Name   Source IP       Destination IP
Eric Frost   DBA        PGAdmin.exe   Eric-Win7             vPostgres-GL          192.168.10.75   192.168.10.78

Page 18

Demo: Create NSX Firewall Rules for Controlling Access

Page 19

Step 3: Access Prescribed Session for Governed Activities

Providing a role based access controlled, multi-factor authenticated session creates a trusted, least privilege connection to the target

Role                                     Action
Application or Database Administrator    SSL-VPN or Xceedium client: authenticate to the jump box with role based control; leverage the appropriate administrative tool(s) with identity firewall controlled access

[Diagram: VXLAN network fabric with 802.1Q segments, WAN and Internet]

Page 20

Demo: Establish Secure Desktop Networking for Role Based Sessions

Page 21

Step 4: Privileged User Activity Monitoring

NSX provides logging of privileged user activity, expanded to incorporate identity firewall rules as well as the application used for access

Role                          Action
SDDC Administrator            In NSX Manager: review session logs for approved activity
Information Risk Personnel    In Xceedium: record session for review

[Diagram: VXLAN network fabric with 802.1Q segments, WAN and Internet]

Page 22

What is VMware Activity Monitoring?

Visibility into group, application and destination activity in the virtual environment which generates an activity log of:

• Applications running on virtual machines

• Server access by Desktop Pool, Security Group or AD Group

• Interactions between groups (SG, AD, DP)

[Diagram: Dev Security Group and Developer AD Group; Desktop Pool, Security Group, AD Group]

Page 23

With / Without NSX: Visibility Comparison

Active Directory user: Eric Frost

Today

Source         Destination
172.16.254.1   172.16.112.2

With Activity Monitoring (VM Tools)

User   AD Group   App Name      Originating VM Name   Destination VM Name    Source IP       Destination IP
Eric   DBA        Pgadmin.exe   Windows 7             PostgreSQL DB Server   192.168.10.75   192.168.10.78

[Diagram: VSM and SVM across the Compute, Management and Gateway clusters]
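The rule table and log rows on page 17 and the "Today" versus "With Activity Monitoring" comparison above show the same idea from two sides: an IP-only flow record cannot tell an auditor who opened a connection, while an identity-enriched record can be checked against a rule written in terms of AD group, destination VM and application. The script below is an added example written for this transcript, not VMware or Xceedium code. It takes constructed IP-only flow records, enriches them from a hypothetical session-context table (user, AD groups, originating VM, process) and a hypothetical VM inventory, then evaluates each enriched flow against the DBA-to-vPostgres-GL rule from the slide; the per-application restriction, the second user and the third destination are assumptions added to exercise the default-deny path.

```python
"""Identity-aware rule evaluation over enriched flow records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample flow records (hypothetical): the source/destination view a
# conventional, IP-only firewall log gives you ("Today" on the slide).
FLOW_LOG = [
    "2013-08-26T10:00:01 src=192.168.10.75 dst=192.168.10.78 dport=5432",
    "2013-08-26T10:00:05 src=192.168.10.80 dst=192.168.10.78 dport=5432",
    "2013-08-26T10:00:09 src=192.168.10.75 dst=192.168.10.90 dport=3389",
]

# Constructed identity context (hypothetical), keyed by originating IP: the
# logged-on user, AD groups, VM name and process that activity monitoring adds.
SESSION_CONTEXT: Dict[str, Dict] = {
    "192.168.10.75": {"user": "Eric Frost", "groups": {"DBA"},
                      "vm": "Eric-Win7", "app": "PGAdmin.exe"},
    "192.168.10.80": {"user": "Pat Jones", "groups": {"Developers"},
                      "vm": "Pat-Win7", "app": "PGAdmin.exe"},
}

# Constructed inventory (hypothetical) resolving destination IPs to VM names.
VM_INVENTORY = {"192.168.10.78": "vPostgres-GL", "192.168.10.90": "Files-GL"}


@dataclass
class Rule:
    """An identity-based rule: AD group -> destination VM, optionally per app."""
    ad_group: str
    destination_vm: str
    allowed_apps: Optional[Set[str]] = None  # None means any application
    action: str = "allow"


# The rule table from the slide: members of DBA may reach vPostgres-GL. The
# PGAdmin.exe restriction is an added assumption, not on the slide.
RULES: List[Rule] = [Rule("DBA", "vPostgres-GL", {"PGAdmin.exe"})]


@dataclass
class Flow:
    ts: str
    src_ip: str
    dst_ip: str
    dport: int
    user: str = "unknown"
    groups: Set[str] = field(default_factory=set)
    src_vm: str = "unknown"
    dst_vm: str = "unknown"
    app: str = "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one 'ts key=value ...' record into a Flow with identity unset."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Flow(ts, kv["src"], kv["dst"], int(kv["dport"]))


def enrich(flow: Flow) -> Flow:
    """Attach user, groups, app and VM names; unknown sources stay 'unknown'."""
    ctx = SESSION_CONTEXT.get(flow.src_ip)
    if ctx is not None:
        flow.user = ctx["user"]
        flow.groups = set(ctx["groups"])
        flow.src_vm = ctx["vm"]
        flow.app = ctx["app"]
    flow.dst_vm = VM_INVENTORY.get(flow.dst_ip, "unknown")
    return flow


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; with no identity match the default is deny."""
    for rule in rules:
        if (rule.ad_group in flow.groups
                and rule.destination_vm == flow.dst_vm
                and (rule.allowed_apps is None or flow.app in rule.allowed_apps)):
            return rule.action
    return "deny"


def audit(lines: List[str] = FLOW_LOG, rules: List[Rule] = RULES) -> List[Dict[str, str]]:
    """Produce the enriched, attributed log rows an auditor would review."""
    report = []
    for line in lines:
        f = enrich(parse_flow(line))
        report.append({
            "ts": f.ts, "user": f.user, "groups": ",".join(sorted(f.groups)),
            "app": f.app, "src_vm": f.src_vm, "dst_vm": f.dst_vm,
            "src_ip": f.src_ip, "dst_ip": f.dst_ip, "verdict": evaluate(f, rules),
        })
    return report


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Running it prints one attributed row per flow: Eric Frost (DBA, PGAdmin.exe, Eric-Win7) to vPostgres-GL is allowed, the Developers member hitting the same database IP is denied, and Eric's RDP attempt to a VM with no rule is denied. A source IP with no session context keeps user "unknown" and also lands on the default deny, which is the behaviour a defender wants when identity cannot be established for a privileged session.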

Page 24

Demo: Privileged User Activity Monitoring

Page 25

Summary – Value Achieved via Privileged User Control

Leveraging NSX Edge and partner technologies facilitates strong authentication and role based authorization to a bastion host as a single point of entry

Establishing NSX Distributed Firewall identity based rules extends the paradigm to support access to the target only via prescribed means

Supports enhanced integration with other processes like service desk requests or other deep packet monitoring tools to validate activities

Information Risk professionals and auditors have access to information from Activity Based Monitoring and partner technologies like Xceedium to create irrefutable chains of evidence that only approved activities were conducted

Page 26

VMworld: Security and Compliance Sessions

Category: NSX

• 5318: NSX Security Solutions In Action (201)

• 5753: Dog Fooding NSX at VMware IT (201)

• 5828: Datacenter Transformation (201)

• 5582: Network Virtualization across Multiple Data Centers (201)

Category: NSX Firewall

• 5893: Economies of the NSX Distributed Firewall (101)

• 5755: NSX Next Generation Firewalls (201)

• 5891: Build a Collapsed DMZ Architecture (301)

• 5894: NSX Distributed Firewall (301)

Category: NSX Service Composer

• 5749: Introducing NSX Service Composer (101)

• 5750: NSX Automating Security Operations Workflows (201)

• 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Category: Compliance

• 5428: Compliance Reference Architecture Framework Overview (101)

• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)

• 5253: Streamlining Compliance (201)

• 5775: Segmentation (301)

• 5820: Privileged User Control (301)

• 5837: Operational Efficiencies (301)

Category: Other

• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)

• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)

• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

Page 28

THANK YOU
