Network Security

Virtual Patching with VMware NSX Distributed IDS/IPS

Patching: The Perennial Problem  

Cybersecurity consumes an ever-increasing amount of our time and budgets, yet gaps remain and are inevitably exploited by bad actors. One of the biggest gaps is unpatched vulnerabilities: a recent survey found that 60% of cyberattacks in 2019 were associated with vulnerabilities for which patches were availablei.   

Most companies have a patch schedule that is barely able to keep up with applying the most important patches to the most critical vulnerabilities. Yet new ones crop up all the time: approximately 15,000 new vulnerability are discovered every year, which translates to one every 30 minutes ii. They impact all types of workloads, from multiple vendors, as well as open source projects.  

It’s a constant race to try to find and fix the most dangerous vulnerabilities before the bad actors can exploit them. But ignoring them is not an option.  

The Simplest Approach is Not So Simple  

Why not just patch everything or fix flaws in the code? Because it’s operationally challenging – and almost impossible 

First, patching is an expensive and largely manual process. Second, applications may rely on specific versions of software that can’t be patched without interfering with the necessary functionality. Third, for some systems, no patches are available. This might be due to legacy codeoutsourced applications, version that is no longer being maintained by the vendor, or in situations where the original development team is no longer available – and left behind little or no documentation on the actual code structure. Fourth, even when patches are available, the organization may have to wait for the vendor to implement the patch according to their own patch release schedule: this may mean a prolonged wait and an extended window of risk. Finally, maintenance windows are often unavailable for business critical applications making it all but impossible to apply vendor’s patch. 

Even when a patch is installed, the work is not done. Regression tests need to be run to make sure nothing was broken during the patching process. This further lengthens the time from vulnerability discovery to mitigation.  

Virtual Patching – Getting Close to a Solution  

One way to reduce the workload significantly is through virtual patching, defined by OWASP (the Open Web Application Security Project) as “[a] security policy enforcement layer which prevents the exploitation of a known vulnerability iii.” Virtual patching is generally implemented as an intermediate policy enforcement layer (e.g. IDS/IPS) between the attacker and the unpatched vulnerability. This prevents the vulnerability from being exploited without modifying source code or binaries 

Virtual patching brings several benefits. It buys the organization time, reducing the risk until patch is released, applied, and tested. It protects systems that can’t be taken offline, and it lets an organization maintain its patching cycle without the need for constant interruptions.  

For most data center applications, virtual patching is done through a centralized IDS/IPS at the data center edge, implemented either standalone or as part of firewall.  

The Achilles Heel of Traditional IDP/IPS  

While the traditional approach to IDS/IPS is useful, there are still major problems to be addressed 

  • Signatures must be run for all workloads in the data center. This bruteforce approach incurs performance penalties for running thousands of signatures simultaneously. 
  • Because most signatures are irrelevant to most workloads, frequent false positives arise. Chasing them down takes time and effort.  
  • Mistakes are expensive: bad or underperforming signatures may affect all workloads.  
  • It takes significant manual intervention to manage the performance of the IDS/IPS component of a firewall or the appliance itself (e.g. hair-pinning traffic to the central appliance for inspection and managing thousands of signatures).  
  • The traditional IDS/IPS doesn’t see east-west trafficiv so it is unable to virtually patch all workloads in the datacenter. This could allow an attacker’s lateral movement in the data center — a big gap in security 

Advanced Virtual Patching with NSX Distributed IDS/IPS 

NSX Distributed IDS/IPS overcomes the weaknesses of traditional approaches, saving time and effort while elevating the level of overall security 

FocusedNSX Distributed IDS/IPS takes advantage of the VMware intrinsic understanding of workloads, turning on the signatures that are applicable to the workload. This results in better throughput, without the need to run all signatures simultaneously. 

Accurate: False positives arising from irrelevant signatures are avoided, saving time and effort 

Efficient: Bad or underperforming signatures affect only the specific workloads for which they are enabled, limiting the blast radius  

Scalable: As more workloads are added, the scale-out architecture ensures that capacity expands automatically – without manual intervention to manage performance.  

Comprehensive: NSX Distributed IDS/IPS sees all east-west traffic because it is a part of the NSX Service-defined Firewall and can be turned on for any east-west traffic flow. This means it can deal effectively with undesired lateral movement.   

In a Nutshell: Save Time, Reduce Effort, Increase Security 

NSX Distributed IDS/IPS brings efficiency and flexibility that are unavailable via traditional appliances. This lightweight, scalable method for virtual patching is better than heavyweight virtual patching that runs as a part of a centralized firewall or IDS/IPS appliance. Its focused approach results in accurate results and optimal performance. The correct signatures are applied automatically, making it easier to manage policies, demonstrate compliance and troubleshoot. Further, because NSX Distributed IDS/IPS can see all east-west traffic in the data center, it enables the organization to detect and block malicious internal network traffic in a way that centralized solutions deployed at the data center edge simply can’t.  

With VMware NSX Distributed IDS/IPSwidespread use of virtual patching in the data center has finally become a reality.  

Read VMware’s “Internal Firewalls for Dummies” to learn more about distributed IDS/IPS and the NSX Service-defined Firewall