Security Services Platform

From Cramsession


Overview

  • Runs the vDefend security services.
  • An integrated security platform that can be deployed in the cloud.
  • Services run inside Kubernetes on virtual machines.


Services include

  • Security Intelligence
  • Network Detection and Response
  • Malware prevention
  • Rule Analysis


Install process

  • Install SSP on vSphere
  • Install NSX
  • Link SSP to NSX
  • Install platform features


vSphere > SSPI > NSX > NSX Features


Components

vSphere

  • vSphere controls the clusters.
  • By default a cluster has 3 hosts; this default is often expanded.
  • Virtual machines are started on the hosts.
  • SSPI and NSX run on their own VMs.
  • Other VMs include:
    • ssp-service-controller
    • ssp-service-md-0-worker (two of these)


This gives a total of 5 VMs and 3 guest OSes in a basic configuration.


NSX

  • Management is performed in NSX.
  • After NSX is deployed, connect to its web UI using the IP address or FQDN.


Features are based on the configuration you set in NSX:


  • Security Intelligence: provides distributed visibility and policy recommendations within an NSX environment, and lets you visualize security posture, analyze traffic flows, and create micro-segmentation policies.
  • Network Detection and Response (NDR): continuously monitors your network for threats and anomalous behavior, using techniques like network traffic analysis, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and advanced threat analysis, and then responds to identified threats.
  • Malware Prevention Service (MPS): provides file-level protection against known and unknown malicious files, including zero-day threats, by analyzing traffic and extracting files for analysis.
  • Network Traffic Analysis (NTA): monitors and inspects network traffic patterns and identifies anomalies or suspicious behavior.
  • Metrics: collects point-in-time, time-series, and lifetime data to let you perform analyses (such as Top N) of your environment.


[1]


Private IP Ranges

  • Defined in Security Intelligence.
  • These networks contain unsecured data.
  • Defining them is required for the system to function correctly.

[2]


Distributed Firewall

  • A firewall that is deployed on each VM.
  • Works the same way as a security group in AWS.
  • Rules are pushed from NSX, which manages the distributed firewall.


Advantages of the distributed firewall approach

  • Enforces zero trust.
  • Prevents lateral movement inside the security boundary (zero trust).
  • Perimeter security (i.e. hardware firewalls) is no longer sufficient: if a node is breached, nothing prevents lateral movement without a zero-trust architecture (ZTA).
  • Firewalling each VM is also more secure than an agent-based approach. Again, this all comes back to zero trust.


How it is organized

  • VMs are assigned to groups.
  • Policies contain rules that define what to do with a packet.
  • Rules are assigned to source and destination groups.


Source Group + Destination group > Policy > Action

  • Key point: the source group and destination group must both match what is defined for the rule in the policy.
  • The policy then executes the action based on the service.
  • The action could be allow or drop.
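The following is an added example that models the flow just described (source group + destination group > policy > action) in Python. It is not NSX code and does not use the NSX API; the class and function names (Group, Rule, Policy, evaluate, rules_for_vm), the ANY wildcard, and the sample VMs, groups and rules are all constructed for illustration. It also goes slightly beyond the notes by showing which rules the management plane would push to one VM's firewall, which is the "distributed" part of the model.

```python
"""Toy model of the distributed-firewall policy flow described in these notes:
Source group + Destination group -> Policy -> Action.

Added illustration for this page, not NSX code or the NSX API. All names and
sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "ANY"                # assumed wildcard for a rule's source/destination
Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 8080)


@dataclass(frozen=True)
class Group:
    """A named set of VMs. VMs are assigned to groups; rules refer to groups."""
    name: str
    members: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                 # group name or ANY
    destination: str            # group name or ANY
    service: Optional[Service]  # None means any service
    action: str                 # "ALLOW" or "DROP"


@dataclass(frozen=True)
class Policy:
    """A policy is an ordered list of rules; the first match wins."""
    name: str
    rules: Tuple[Rule, ...]


def in_group(groups: Dict[str, Group], name: str, vm: str) -> bool:
    return name == ANY or vm in groups[name].members


def evaluate(policies, groups, src_vm, dst_vm, protocol, port, default="DROP"):
    """Return (action, matched rule) for one flow.

    A rule applies only when the source VM is in the rule's source group AND
    the destination VM is in the rule's destination group AND the service
    matches. If no rule matches, the default applies (DROP: zero trust).
    """
    for policy in policies:
        for rule in policy.rules:
            if not in_group(groups, rule.source, src_vm):
                continue
            if not in_group(groups, rule.destination, dst_vm):
                continue
            if rule.service is not None and rule.service != (protocol, port):
                continue
            return rule.action, f"{policy.name}/{rule.name}"
    return default, "default"


def rules_for_vm(policies, groups, vm) -> List[str]:
    """Rules the management plane would push to one VM's firewall: only those
    whose source or destination group contains the VM (or is ANY)."""
    return [
        f"{p.name}/{r.name}"
        for p in policies
        for r in p.rules
        if in_group(groups, r.source, vm) or in_group(groups, r.destination, vm)
    ]


# Constructed sample inventory: a three-tier application.
GROUPS = {
    "web": Group("web", frozenset({"web-01", "web-02"})),
    "app": Group("app", frozenset({"app-01"})),
    "db":  Group("db",  frozenset({"db-01"})),
}

POLICIES = [
    Policy("app-tier", (
        Rule("web-to-app",   "web", "app", ("tcp", 8080), "ALLOW"),
        Rule("app-to-db",    "app", "db",  ("tcp", 5432), "ALLOW"),
        Rule("db-no-egress", "db",  ANY,   None,          "DROP"),  # db never initiates
    )),
]

if __name__ == "__main__":
    for flow in [("web-01", "app-01", "tcp", 8080),
                 ("web-01", "db-01", "tcp", 5432),   # web -> db lateral move
                 ("db-01", "web-01", "tcp", 80)]:
        print(flow, "->", evaluate(POLICIES, GROUPS, *flow))
    print("rules pushed to db-01:", rules_for_vm(POLICIES, GROUPS, "db-01"))
```

The second sample flow is the lateral-movement case from the section above: web-01 talking straight to db-01 matches no rule because web-01 is not in the app group, so the default DROP applies even though the same port is allowed from the app tier.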

Reference Material

techdocs