The VMware NSX Micro-segmentation Cybersecurity Benchmark report has been released! As previewed in part six of the Micro-segmentation Defined – NSX Securing Anywhere blog series, independent cyber risk management advisor and assessor Coalfire was sponsored by VMware to create an industry-first Micro-segmentation Cybersecurity Benchmark report. Coalfire conducted an audit of the VMware NSX micro-segmentation capabilities to develop this benchmark report, detailing the efficacy of NSX as a security platform through a detailed “micro-audit” process that tested NSX against simulated zero-day threats.

Testing included five different network design patterns, and demonstrated how NSX micro-segmentation can provide stateful, distributed, policy-based protection in environments regardless of network topology. Topologies included –

  • Flat L2 network segments
  • L2 and L3 networks with centralized virtual or physical routers, representative of typical data center rack implementations built on hybrid physical and network virtualization platform / distributed virtual switch (dVS)
  • Networks with connection to other physical servers
  • Overlay-based networks using the Distributed Firewall (DFW) and Distributed Logical Router (DLR)
  • Physical VLAN and overlay-based networks using service insertion technologies running on dedicated VMs (in our case, Palo Alto Networks NextGen FW with Panorama)

Coalfire’s examination and testing of VMware NSX technology utilized simulated exploits that depict likely malware and virus behavior in actual production network scenarios. The methodology used simulated real-world attacks that begin with the successful compromise of an exploited machine within the network and then follow with attack propagation to other virtual or physical machines that share network access with the exploited VM. Testing illustrated the following three representative attack types using Microsoft Windows variants as target machines, and measured efficacy of NSX micro-segmentation in mitigating said attacks:

  • Zero-day attacks, where maximum compromise of the target machine occurs. Maximum compromise gives the attacker complete machine access with full administrative rights.
  • Browser-based attacks that exploit weaknesses in browser add-ons.
  • Installed-application vulnerabilities, representing complex scenarios where application software has been installed on an otherwise secure and patched VM.
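The property the testing above measures is that a distributed, stateful firewall enforced at every VM's vNIC decides on policy group rather than on network placement, so a compromised VM cannot reach its L2 neighbours merely because they share a segment. The following toy model is an added illustration and is not Coalfire's test harness or NSX code; the VM names, security groups, ports and the `ALLOW` rule set are constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory: VM -> security group. web1, web2 and app1 share one
# flat L2 segment (the first design pattern); db1 sits on a routed segment.
# The group, not the segment, drives every decision.
GROUP = {"web1": "web", "web2": "web", "app1": "app", "db1": "db"}

# Constructed allow-list keyed on (src group, dst group, dst port); anything
# not listed hits the default deny rule. Note there is no web -> web rule.
ALLOW = {("web", "app", 8080), ("app", "db", 5432)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

class DistributedFirewall:
    """Stateful rule engine enforced at every vNIC, with per-workload state."""
    def __init__(self) -> None:
        self.state = {vm: set() for vm in GROUP}  # admitted connections per vNIC

    def allow(self, f: Flow) -> bool:
        # Reply packets of a connection this vNIC already admitted pass
        # without needing a rule of their own.
        if (f.dst, f.src, f.dport, f.sport) in self.state[f.src]:
            return True
        if (GROUP[f.src], GROUP[f.dst], f.dport) in ALLOW:
            conn = (f.src, f.dst, f.sport, f.dport)
            self.state[f.src].add(conn)  # enforcement point at the sender
            self.state[f.dst].add(conn)  # and at the receiver
            return True
        return False  # default deny, shared segment or not

def simulate() -> dict:
    """Legitimate tier traffic, then propagation attempts from compromised web1."""
    fw = DistributedFirewall()
    return {
        "web1->app1:8080": fw.allow(Flow("web1", "app1", 40001, 8080)),
        "app1->web1 reply": fw.allow(Flow("app1", "web1", 8080, 40001)),
        "app1->db1:5432": fw.allow(Flow("app1", "db1", 40002, 5432)),
        # web1 is now the compromised host: it tries its L2 neighbour and the DB.
        "web1->web2:8080 (same L2)": fw.allow(Flow("web1", "web2", 40003, 8080)),
        "web1->db1:5432 (skips app tier)": fw.allow(Flow("web1", "db1", 40004, 5432)),
        # A forged "reply" with no matching state is not admitted either.
        "app1->web2 forged reply": fw.allow(Flow("app1", "web2", 8080, 40005)),
    }

if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{'ALLOW' if verdict else 'DROP':5} {label}")
```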

Coalfire notes the following conclusions within the Micro-segmentation Cybersecurity Benchmark report:

  • NSX micro-segmentation was validated to map to security recommendations made in NIST Special Publication 800-125B “Secure Virtual Network Configuration for Virtual Machine (VM) Protection”
  • NSX provides granular security policy control and traffic visibility that operationalizes security and enables clients to meet regulatory compliance requirements such as PCI DSS
  • NSX meets the definition of micro-segmentation by enabling a combination of foundational security capabilities

For the full methodology, testing and conclusion, please download the report here. You can also view a recording of VMworld 2016 session – VMware NSX Micro-segmentation – Definition & Benchmark Deep-Dive [SEC10019] – where Chris Krueger of Coalfire Systems and I walk through the methodology and details of the testing.