Security Services Platform

From Cramsession
Jump to navigationJump to search
✍️ Verified Author: MflavellClick to view professional profile & credentials

Computer Notes > Security Services Platform

Overview

  • Runs Vdefend security services
  • This is an integrated security platform that can be deployed in the cloud.
  • Services run inside kubanties on virtual machines


Services include

  • Security Intelligence
  • Network Detection and Response
  • Malware prevention
  • Rule Analysis


Install process

  • Install SSP on vSphere
  • Install NSX
  • Link SSP to NSX
  • Upload packages using package management.
  • Install platform features


vSphere > SSPI > NSX > NSX Features

Package management notes

  • Accessed from the vdefend SSP Installer
  • The URL feature in upload enabled packages to be downloaded to the installer from an internal server on the air gapped network.
  • User downloads package > adds to internal server > downloads from internal server using SSPI
  • Packages are signed, only signed packages are allowed.


Components

vSphere

  • vSphere controls the clusters.
  • By default a cluster has 3 hosts
  • This default is often expanded


  • Virtual machines are started on the hosts
  • SSPI and NSX run on their own VM's
  • Other VM's include:
  • Ssp-service-controller
  • SSP-servie-md-0-worker two of these


This configuration gives a total of 5 VM's and 3 Guest OS in a basic configuration.


NSX

  • Management is performed in NSX.
  • After deployment of the NSX connect to the web UI using IP / FQDN


Features are based off the configuration you set in NSX:


  • Security Intelligence
This feature provides distributed visibility and policy recommendations within an NSX environment, and lets you visualize security posture, analyze traffic flows, and create micro-segmentation policies.


  • Network Detection and Response (NDR)
This feature continuously monitors your network for threats and anomalous behavior, using techniques like network traffic analysis, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and advanced threat analysis, and then responds to identified threats.



  • Malware Prevention Service (MPS)
This feature provides file-level protection against known and unknown malicious files, including zero-day threats, by analyzing traffic and extracting files for analysis.



  • Network Traffic Analysis (NTA)
This feature monitors and inspects network traffic patterns and identifies anomalies or suspicious behavior.



  • Metrics
This feature collects point-in-time, time-series, and lifetime data to let you perform analyses (such as Top N) of your environment.


[1]


Private IP Ranges

  • Defined in security intelligence
  • These networks contain unsecured data
  • Defining them is a must for the system to function correctly

[2]


Distributed Firewall

  • This is a firewall that is deployed on each VM.
  • Works the same way as a security group in AWS.
  • Rules are loaded from NSX with NSX controlling the distributed firewall.


Advantages of the distributed firewall approach

  • Enforces Zero trust
  • Prevents lateral movement inside the security boundary (zero trust)
  • Parameter security (ie hardware firewalls) are no longer sufficient.
If a node is breached no lateral movement is prevented without a ZTA.


  • Firewalling each VM is also more secure than an agent based approach.
Again this all comes back to zero trust.


A key concept here is North / South & East West Network Security

How it is organized

  • VM's are assigned to groups.
  • Polices contain rules / What to do with the packet.
  • Rules are assigned to source and destination groups.


Source Group + Destination group > Policy > Action


  • Key point the source group and destination group much match what is defined for the policy.
  • The policy will then execute the action based on the service.
  • The action could be allow / drop / reject


  • A policy can be time based.

more information on the distributed firewall


Gateway Firewall

This is a parameter firewall with IDS/IPS configured from NSX.


This is a software only firewall designed to control north / south traffic. [3]


Manages through NSX manager alongside the distributed firewall. [4]


This is installed from the NXT Edge Appliance.

  • This is downloaded and installed as an .ova or .iso image. [5]
  • Runs on the vSphere Client [6]
  • Can also be run on bare metal server (using ISO installer) [7]


Types of Gateway

  • Tier-0
  • Connects to external networks
  • Handles routing
  • This is a North/South gateway
  • Controlled by the NSX admin


  • Tier-1
  • Handles routing between networks
  • This is a east/west gateway
  • Controlled by tenant admins

More Details

SSP Data Storage

SSP Data Storage

External Material

techdocs

Retrieved from "https://cramsession.net/index.php?title=Security_Services_Platform&oldid=1236"