This post was written by Hadar Freehling, Security & Compliance Systems Engineer Specialist at VMware. The post originally appeared here on the dfudsecurity blog.


There is a lot of power in having security controls in software. This is what I tell my customers, and not just because I work for VMware. Why is that? I find it so powerful because I can now automate a lot of the security actions that used to be very manual. No more opening tickets to get a SPAN set up on the switch. No more waiting for a firewall change window to lock down a port. Not only that, I have visibility into the VM, such as which apps are running and who started them, and what's on the wire. I can protect different assets with different policies, and these policies can be dynamic.

With the help of my good friend John Dias (vRealize Orchestrator master), we created the following video to show some of the potential of having everything in software.

Here is the scenario of the workflow. You are a security person and want to stop all server admins and users from launching a PuTTY session once they have RDPed into a server, since they should only be doing this from approved jump boxes or desktops. Basically, I want to stop all intra-data center PuTTY SSH sessions. I am actually looking for PuTTY, the application, not just SSH. This could be any application or port, but I wanted to target a specific application for this demo.

With VMware NSX, we have enabled server Activity Monitoring so that all processes are monitored and recorded. We have also configured an alert to fire in Log Insight as soon as a PuTTY session is detected (all Activity Monitoring logs are sent to Log Insight). The alert is set to fire when a putty.exe process is seen, but you could customize it to fire only if a certain person or destination is seen.

Once Log Insight fires an alert, the vRealize Orchestrator workflow we have running will parse the required information from the log. This includes source, destination, and port. With this information, the workflow will then create a dynamic firewall rule in the DFW to block the PuTTY session.

The firewall rule's name is actually a timestamp, because my vCO workflow removes old firewall rules after 5 minutes.
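
The workflow steps described above (parse source, destination and port from the alert, create a block rule named with a timestamp, remove rules older than 5 minutes), sketched as an added example that is not the vCO workflow from the video. The alert text, field names and rule object shape are assumptions; everything runs in memory and no NSX or vRO API is called.

```javascript
// Added example: models the workflow in memory; no NSX or vRO API calls are made.
const RULE_TTL_MS = 5 * 60 * 1000; // the post's 5-minute rule lifetime

// Constructed alert text; the real Activity Monitoring / Log Insight format
// is not shown in the post, so these field names are hypothetical.
const SAMPLE_ALERT =
  "process=putty.exe user=CORP\\jdoe src=10.0.1.15 dst=10.0.2.40 dport=22";

function isIPv4(s) {
  const parts = String(s).split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Pull source, destination and port out of the alert. Return null when any
// field is missing or malformed, so bad log text never becomes a firewall rule.
function parseAlert(text) {
  const fields = {};
  for (const m of text.matchAll(/(\w+)=(\S+)/g)) fields[m[1]] = m[2];
  if (!isIPv4(fields.src) || !isIPv4(fields.dst)) return null;
  const port = /^\d{1,5}$/.test(fields.dport) ? Number(fields.dport) : 0;
  if (port < 1 || port > 65535) return null;
  return { source: fields.src, destination: fields.dst, port };
}

// Build a block rule whose name is its creation timestamp.
function buildBlockRule(alert, nowMs) {
  return { name: new Date(nowMs).toISOString(), action: "block", ...alert };
}

// Keep only rules younger than the TTL; the age is read back from the name.
function expireRules(rules, nowMs) {
  return rules.filter((r) => nowMs - Date.parse(r.name) < RULE_TTL_MS);
}

// One workflow pass: expire old rules, then add a rule for the new alert.
function handleAlert(rules, text, nowMs) {
  const live = expireRules(rules, nowMs);
  const alert = parseAlert(text);
  return alert ? [...live, buildBlockRule(alert, nowMs)] : live;
}
```

Rejecting alerts that fail validation matters here because the log text drives an enforcement action: a malformed or spoofed field should produce no rule rather than an unintended block.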

The question you may ask is, would I really do this in my environment? The answer is, maybe. You may or you may not, but I bet you can see some of the potential that these products have.  You can see that having everything in software opens up a whole new world for security.

If you have any ideas or scenarios, let me know, and maybe your idea will be in our next video.