This week has been pretty heavy on demonstrating NSX and its various security capabilities. One of the capabilities that is slightly overlooked is the inbuilt DLP capability for finding private data such as credit card numbers, SWIFT codes, VAT numbers, driving licence ID numbers etc. on deployed VMs. Most conversations around NSX are about microsegmentation and the L7 deep packet inspection capabilities that help with data leakage; however, I’d like to point out there is yet another side to the product, namely the Guest Introspection & Data Security services.
One of the usual threats customers face is the insider threat, where an employee or contractor may copy sensitive data from a main server and leave it on their desktop to do with as they will at a later stage. If you are running a Horizon VDI deployment with NSX underneath then it’s only a matter of a few clicks before you’ll be able to keep track of where your sensitive data is on your infrastructure. From real-world experience I’ve seen text files of customer banking details left on unsecured fileshares without the proper permissions structure (by accident); in the wrong hands it would have been enough to trigger a trip to the Data Protection Commissioner and get scolded and fined for such a security breach. This one NSX service would have caught that file and the potential data breach.
I certainly am not claiming the out-of-the-box capabilities are as good as third-party security tooling; however, when you have the capability to secure your data at no added cost as part of your NSX deployment, you’d be foolish not to try it out and see the results!
You will find below a handful of screenshots showing the simple steps I took to deploy these capabilities and the results.
These services are native to the NSX platform and require no special licences. They are deployed on the next tab along from where you would configure VXLAN. The deployment is simple and at most requires an IP Pool or DHCP scope to be available.
Once deployed you will hopefully see that the installation has succeeded and the services are ‘Up’.
So at this point you have simply deployed a couple of service VMs on each host that aren’t doing a hell of a lot. What you now need to do is decide which VMs in your environment you want to monitor and create a Security Group in Service Composer to match those VMs. In my case I simply wanted to scan the Windows 7 VMs in my lab, so my Security Group was dynamically populated based on the VM OS being Windows 7!
Next was actually setting up a Security Policy which again was pretty straightforward.
As you can see from the screenshot, I am looking to find credit card data on the VMs. Once this security policy is created it needs to be applied to the security group you wish to scan. This is done just as if you were applying firewall policies to a security group.
The final step to set up the scanning for my credit card data is to configure the elements of the Data Security tab in NSX Manager.
As you can see, I was scanning for certain types of credit card and financial details within a myriad of file types. There are plenty of other data types preconfigured within the system, but at this point I haven’t spotted how to add other RegEx formats (probably just need to RTFM!).
So what were the results of setting the policy? Well, other than a false positive within an Adobe Reader cab file, it picked up my Visa, MasterCard and SWIFT banking codes in some text files I left on my W7 desktop.
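To illustrate the kind of classification a Data Security scan performs, here is an added Python example (my own code, not NSX’s, and the Visa/MasterCard/SWIFT patterns are my assumed approximations of the built-in classifiers, not the product’s actual definitions). It scans constructed sample file contents and shows how a Luhn checksum step drops the sort of pattern-only false positive that the Adobe Reader cab file produced.

```python
import re

# Constructed sample "files" standing in for what a scan sees on a VDI desktop.
# The cab entry holds a 16-digit run that looks like a Visa number but fails Luhn.
SAMPLE_FILES = {
    "notes.txt": "Visa 4111 1111 1111 1111 and MC 5500-0000-0000-0004, SWIFT DEUTDEFF",
    "AdbeRdr.cab": "blob 4000000000000001 blob",
}

# Assumed classifier patterns (approximations, not NSX's own regexes).
PATTERNS = {
    "visa": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),
    "mastercard": re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"),
    # SWIFT/BIC: 4-letter bank, 2-letter country, 2 alnum location, optional 3 alnum branch
    "swift_bic": re.compile(r"\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b"),
}
CARD_TYPES = ("visa", "mastercard")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2 if d * 2 <= 9 else d * 2 - 9
        total += d
    return total % 10 == 0


def classify(text: str, require_luhn: bool = True):
    """Return (data_type, matched_value) pairs found in text."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            val = m.group(0)
            if name in CARD_TYPES and require_luhn:
                if not luhn_ok(re.sub(r"[ -]", "", val)):
                    continue    # regex matched, checksum did not: discard as false positive
            hits.append((name, val))
    return hits


def scan_files(files: dict, require_luhn: bool = True) -> dict:
    """Map each file name to its classified hits, omitting files with none."""
    results = {fn: classify(body, require_luhn) for fn, body in files.items()}
    return {fn: hits for fn, hits in results.items() if hits}
```

Running `scan_files(SAMPLE_FILES, require_luhn=False)` reports the cab file as a Visa hit, while the default checksum-validated scan reports only the real values in notes.txt.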
I just wanted to add on another couple of file types that were not included in the list of files – .png and .gif (only two more of many of course…).
Take it easy, Patrick
Thanks Patrick. After NSX 6.2.3 the data security element will be deprecated; however, I’d be expecting the capability to be replaced in a future version.
I also heard that the capability is getting deprecated. Is there any other feature taking its place? I believe this is a very important feature and should not be removed. Especially for service providers it is important to showcase it to customers.
re the RegEx custom pattern see http://blog.bertello.org/2016/08/18/customized-regex-as-a-classification-value-on-nsx-data-security-regulation 🙂