Skip to content

Latest commit

 

History

History
76 lines (58 loc) · 4.03 KB

5-InitialConfiguration.md

File metadata and controls

76 lines (58 loc) · 4.03 KB

5. Initial IDS/IPS Configuration

Estimated Time to Complete: 30 minutes

Now that we have verified the lab has been deployed correctly, basic NSX networking configuration has been applied and the appropriate vunlerable application VMs have been deployed, we can configure the NSX Distributed IDS/IPS.

Create Groups

  1. In the NSX Manager UI, navigate to Inventory --> Groups
  2. Click ADD GROUP
  3. Create a Group with the below parameters. Click Save when done.
    • Name Production Applications
    • Compute Members: Membership Criteria: Virtual Machine Tag Equals Production Scope Environment
  4. Create another Group with the below parameters. Click Save when done.
    • Name Development Applications
    • Compute Members: Membership Criteria: Virtual Machine Tag Equals Development Scope Environment
  5. Confirm previously deployed VMs became a member of appropriate groups due to applied tags. Click View Members for the 2 groups you created and confirm
    • Members of Development Applications: APP-2-APP-TIER, APP-2-WEB-TIER
    • Members of Production Applications: APP-1-APP-TIER, APP-1-WEB-TIER

Note: Tags were applied to the workloads through the Powershell script used to deploy the lab environment.

Enable Intrusion Detection

  1. In the NSX Manager UI, navigate to Security --> Distributed IDS --> Settings
  2. Under Enable Intrusion Detection for Cluster(s), set Workload-Cluster to Enabled

NSX can automatically update it’s IDS signatures by checking our cloud-based service. By default, NSX manager will check once per day and we publish new signature update versions every two week (with additional non-scheduled 0-day updates). NSX can also be configured to optionally automatically apply newly updated signatures to all hosts that have IDS enabled.

Enable Automated Signature Update propagation

  1. Under Intrusion Detection Signatures, select Auto Update new versions (recommended) in order to propagate the latest signature updates from the cloud to the distributed IDS instances
  2. Optionally, click View and Change Versions and expand one of the signature sets to see what signatures have been added/updated/disabled in this particular release

Note: if a proxy server is configured for NSX Manager to access the internet, click Proxy Settings and complete the configuration

Create IDS Profiles

  1. In the NSX Manager UI, navigate to Security --> Distributed IDS --> Profiles
  2. Click ADD IDS PROFILE
  3. Create an IDS Profile with the below parameters. Click Save when done.
    • Name Production
    • Signatures to Include: Critical, High, Medium
  4. Create another IDS Profile with the below parameters. Click Save when done.
    • Name Development
    • Signatures to Include: Critical, High

Create IDS Rules

  1. In the NSX Manager UI, navigate to Security --> Distributed IDS --> Rules
  2. Click ADD POLICY
  3. Create an IDS Policy named NSX PoV .
  4. Check the checkbox for the policy you just created and click ADD RULE.
  5. Add an IDS Rule with the following parameters
    • Name Production Applications IDS Policy
    • IDS Profile Production
    • Applied to Production Applicatons (group)
    • Leave other settings to defaults
  6. Add another IDS Rule with the following parameters
    • Name Development Applications IDS Policy
    • IDS Profile Development
    • Applied to Development Applicatons (group)
    • Leave other settings to defaults
  7. Click Publish

You have now successfully configured the NSX Distributed IDS/IPS ! In the next exercise, we will run through a basic attack scenario to confirm intrusion attemtps are detected and get familair with the NSX IDS/IPS Events view.

Next Step: 6. Basic Attack Scenario