VMware Hands-on Labs - HOL-PRT-1464


Lab Overview - HOL-PRT-1464 - Applying Data Center Security with Symantec & VMware NSX

Lab Guidance


With Software Defined Data Centers (SDDC), there is even more demand for applications to be made available at the speed of business, leading to automation in orchestration and deployment. This has enabled IT organizations to be agile and lower their time to market. However, we continue to see security as a bottleneck.

Symantec Data Center Security: Server removes this bottleneck by lowering the security tax, providing frictionless threat protection with the best-in-class AV scan engine from Symantec. It leverages VMware NSX Service Composer to automate and orchestrate security policies mapped to security groups. It follows VMware NSX best practices to deliver agentless malware protection and network intrusion prevention (NIPS) for workloads in Software Defined Data Centers.

The lab contains the following modules:

You have 90 minutes to complete all the modules above.

Lab Captains: Daniel Lopez, Amit Chakrabarty


About Symantec Data Center Security: Server


Symantec Data Center Security protects and secures the enterprise data center with a rich set of security controls for both physical and virtual server environments.



Module 1 - Configure policies, Test Virtual Machine, and NSX Security Group (15 Min)

Introduction


In this section you will do the prep work that is required for the future modules. As part of this you will:


Prepare Test Virtual Machine


To begin these steps, make sure you are in the Controlcenter VM.


 

Access the Test Virtual Machine via RDP

 

Double-click on the "TestGvm.RDP" shortcut on the Desktop.

 

 

Unzip the Eicar text file

 

Double-click on the eicar.zip on the Desktop. Notice that inside this zip file there is a text file called "eicar.txt". Eicar files are used to test threat protection engines. While real malware could do damage, this test file allows you to test anti-virus software without having to use a real virus file. Eicar files are identified as verified virus files.

For this module, the Eicar file will be used to test the threat protection features of the Symantec Data Center Security: Server scan engine. This file will be copied to several locations in the next steps. Leave the window up.

 

 

Create first demo folder

Open another Windows Explorer window. Go to the C:\ drive and create a folder called "TP_Demo1".

 

 

Add Eicar text file to first demo folder

 

Drag and drop the eicar.txt inside the archive to the "TP_Demo1" folder.

 

 

Create second demo folder

Go back to the C:\ drive and create another folder called "TP_Demo2".

 

 

Add Eicar text file to second demo folder

 

Drag and drop the eicar.txt inside the archive to the "TP_Demo2" folder.

 

 

Clean up all of the remaining Eicar files

There are several other locations where the Eicar test file(s) are located. Removing these files will allow for fewer false positives.

 

 

Delete EICAR zip file from Desktop

Right-click on the eicar.zip on the Desktop and select Delete.

 

 

Close all folders and files

To prevent the On-Access Scan from acting on the test files, close all open folders and files.

 

 

Minimize the Test Virtual Machine RDP session

The preparation for the Test Virtual Machine is now completed. Minimize the TestGvm RDP session.

 

Deploy Virtual Machine Threat Protection Policy


To begin these steps return to the Controlcenter VM.


 

Access the Symantec Data Center Security: Server Management Server

 

Double-click on the "Symantec DCS.RDP" shortcut on the Desktop of the Controlcenter.

 

 

Symantec Data Center Security: Server Management Console

 

Click on the "Management Console" shortcut on the Desktop of the Symantec DCS RDP session.

 

 

Log into the Management Console

 

Credentials to access the Management Console are:

Click on the "Log On" button

 

 

Access the Virtual Machine Threat Protection policies

 

Go to Policies > Virtual Machine Threat Protection.

 

 

Access the Symantec default policies workspace folder

 

Click on Policies > Workspace > Symantec folder on the left panel.

 

 

Edit the existing Virtual Machine Threat Protection Policy

 

Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit".

 

 

Disable the Rescan policy option

 

On the Policy's General Settings, uncheck the box next to "Rescan Quarantine files when On-Demand scans runs" option. This feature will be enabled in a later step.

 

 

Verify proper Network Security Settings

 

Verify that the checkbox next to "Block connection when threats are found..." option is unchecked. Notice that this setting will allow the policy to only log threats. In a later module this feature will be enabled to test Symantec's Network Threat Protection Services.

 

 

Save Policy Settings

 

Click the "OK" button to save policy settings.

 

 

Submit policy changes

 

  1. Type "1" as the new Revision number
  2. Click on the "submit" button to finalize and submit policy changes

 

 

Publish Policy

 

Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy".

 

 

Accept Threat Protection Policy overwrite warning

 

A pop-up informing you that the new changes to the policy will overwrite the existing published policy will appear. Click the "Ok" button. The same policy will be used throughout the lab so overwriting the policy is part of the normal process.

 

 

Accept Threat Protection policy published successfully pop-up

 

After allowing the policy to be overwritten you will receive a pop-up informing you that the Threat Protection Policy was successfully published. Click on the "Ok" button to confirm. You will now see a green dot next to the "Virtual Machine Threat Protection Policy" reaffirming the action.

 

 

Minimize the Symantec DCS RDP session

The configuration changes and deployment of the Threat Protection Policy are now completed. Minimize the Symantec DCS RDP session.

 

Create a NSX Security Group


In this section you will :

To begin this step, make sure that you are in the Controlcenter VM.


 

Access Google Chrome Web Browser

 

On the ControlCenter VM, click on the Mozilla Firefox web browser shortcut on the Desktop. Feel free to select another browser if desired.

 

 

Access the vSphere Web Client homepage

 

Click on the Firefox shortcut displayed above.

 

 

Login to the vSphere Web Client Home Page

 

Use the following credentials...

Do not use Windows session authentication.

 

 

Access the Networking & Security panel (NSX)

 

On the vSphere Web Client home page select the "Networking & Security" tab to access the VMware NSX appliance settings.

 

 

Access the Service Composer

 

On the "Networking & Security" home page select the "Service Composer" tab.

 

 

Access the Security Groups tab

 

Click on the "Security Groups" tab.

 

 

Create a new Security Group

 

Click on the "New Security Group" icon.

 

 

Name the Security Group

 

Name the security group "Symantec Protected Group". There is no need to add a description.

 

 

Add Test Virtual Machine to new Security Group

 

  1. Select the third option, "Select objects to include".
  2. Scroll through the tabs until you find "Virtual Machine" and click on it.
  3. Select the Test Virtual Machine (Win7-DCS-TestGvm).
  4. Click the "Finish" button.

 

Summary


In this module you learned how to:

You also learned about the powerful micro-segmentation concept of VMware NSX by using security groups. This feature enables you to orchestrate and automate the management of security policies in large-scale deployments. Symantec leverages this to bring best-of-breed products to market by integrating directly with VMware NSX.


Module 2 - Demonstrate Symantec's Virtual Machine Threat Protection and Quarantine Features (45 Min)

Introduction


In this module you will learn how to:


Threat Detection and Quarantine


To begin this module access the vSphere Web Client and go to the "Networking & Security" home page.


 

Access the Service Composer

 

On the "Networking & Security" home page select the "Service Composer" tab.

 

 

Access the Security Policies tab

 

Click on the "Security Policies" tab.

 

 

Create new Security Policy

 

Click on the "Create Security Policy" icon.

 

 

Name the Security Policy

 

Name the Security Policy "DCS AV Security Policy". Leave all the defaults. Click on the "Next" button.

 

 

Add an Endpoint Service

 

Click on the "Add endpoint service" icon.

 

 

Provide appropriate entries and selections for new Endpoint Service

 

  1. Name: "DCS AV Policy"
  2. Action: "Apply"
  3. Service Type: "Anti Virus"
  4. Service Name: "Symantec DataCenter Security for VMware NSX"
  5. Service Configuration: "Virtual Machine Threat Protection Policy"
  6. State: "Enabled"
  7. Enforce: "Yes"
  8. Click the "OK" button

 

 

Complete the new Security Policy

 

Click on the "Finish" Button to complete the policy.

 

 

Apply new Security Policy to existing Security Group

 

Right-click on the new "DCS AV Security Policy" and select "Apply Policy".

 

 

Select the Security Group to which the Security Policy will be applied

 

From the resulting pop-up check the security group "Symantec Protected Group" and click on the "OK" button.

 

 

Check Security Groups in the Symantec Data Center Security: Server Management Console

 

  1. Go back to your Symantec DCS RDP session by maximizing the Window
  2. Go to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups
  3. Click "Refresh"
  4. Once the refresh completes the "Symantec Protected Group" should appear in the list of Security Groups

 

 

Verify that Test Virtual Machine is protected

 

Double-click on the "Symantec Protected Group" to check if the Test Virtual Machine is under the Protected Guest VMs.

If the Test Virtual Machine is not in the "Protected Guest VMs" tab click on the Refresh button a few more times (NSX will eventually trickle a message to the Symantec Data Center Security: Server).

 

 

Activate a scan on the Test Virtual Machine

 

Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now".

 

 

Select scan type option

 

In the resulting pop-up, select "Scan Targeted Paths".

 

 

Add File Path

 

Click on the "Add" button and enter the file path "C:\TP_Demo1\eicar.txt". Click on the "OK" button.

 

 

Start Scan

 

Click on the "Scan Now" button to trigger the threat protection scan. Click "Ok" on the Success pop-up.

 

 

Verify path on Test Virtual Machine to see if EICAR test was detected

 

Return to the TestGvm RDP session (Test Virtual Machine), go to C:\TP_Demo1 and verify the eicar.txt file is missing.

 

 

Find the quarantined file

 

Go to "C:\VirtualAgent\Quarantine" and verify a file exists. This is the quarantined Eicar test file.

Note: Several other files could be present in this folder. Make sure you check the modified date of the file(s) present. The name of the file in this quarantine folder will also differ.

 

 

Verify data inside quarantine file is obfuscated

 

Open this file in Notepad. Verify the data is obfuscated (i.e. the Eicar string is not readable).

 

 

Verify that "Endpoint malware threat detected" event exists in the Symantec Data Center Security: Server Management Console

 

  1. Minimize the current TestGvm RDP session and return back to the Symantec DCS RDP session
  2. Go to Monitors > Events tab and then choose Virtual Machine Threat Protection Events from the Monitor Types
  3. Refresh and verify an "Endpoint malware threat detected" event exists.

 

 

Check "Endpoint malware threat detected" event details

 

Double-click on the "Endpoint malware threat detected" event. Verify that the infected file shown is "C:\TP_Demo1\eicar.txt".
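If you prefer to confirm the quarantine result from a script rather than by hand, the following PowerShell function is an added example (not part of the lab guide) that performs the same checks from inside the TestGvm RDP session: the scanned file is gone, a file was written to the quarantine folder since the scan, and its content is obfuscated. It assumes the lab's paths and that the scan ran within the last hour, and it searches only for the readable EICAR marker substring, not the full test string.

```powershell
# Added example, not part of the lab guide. Verifies the outcome of the
# targeted scan of C:\TP_Demo1\eicar.txt from the Test VM (TestGvm).
# Written to run on PowerShell 2.0 or later (no -File switch, no [pscustomobject]).
function Test-DcsQuarantine {
    param(
        [string]   $ScannedFile   = 'C:\TP_Demo1\eicar.txt',        # lab path
        [string]   $QuarantineDir = 'C:\VirtualAgent\Quarantine',   # lab path
        # The quarantine folder may already hold older files, so only files
        # modified after this point are considered (assumption: scan ran within the hour).
        [datetime] $Since         = (Get-Date).AddHours(-1)
    )

    # 1. The infected file must have been removed from its original location.
    $removed = -not (Test-Path -LiteralPath $ScannedFile)

    # 2. At least one file must have been written to quarantine since the scan.
    #    Its name will differ from the original file name, so match on time, not name.
    $recent = @(Get-ChildItem -LiteralPath $QuarantineDir |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $Since })

    # 3. Quarantined content must be obfuscated: the readable marker substring
    #    must not appear in any recent quarantine file.
    $marker   = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE'
    $readable = @($recent | Where-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        [System.Text.Encoding]::ASCII.GetString($bytes).Contains($marker)
    })

    New-Object PSObject -Property @{
        OriginalRemoved   = $removed
        QuarantinedFiles  = @($recent | ForEach-Object { $_.Name })
        ContentObfuscated = ($recent.Count -gt 0 -and $readable.Count -eq 0)
    }
}

Test-DcsQuarantine | Format-List
```

All three properties should be true (with at least one file listed) after the scan in the step above.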

 

Purging


In the previous section an Eicar.txt file was quarantined. In this section, you will see how Data Center Security: Server can be configured to purge quarantined files after a specific time. 


 

Confirm purge quarantine files time interval

 

Per the "Virtual Machine Threat Protection Policy", the quarantine file feature was enabled and the default for purging quarantine files was left to purge files older than 30 days. In the next set of steps the Test Virtual Machine's time and date will be modified to make sure that the quarantined file (C:\TP_Demo1\eicar.txt) is successfully purged from the system after the set time interval.

 

 

Note the date on the Test Virtual Machine

 

Open the date/time pop-up on the bottom right of the screen. Note the date (e.g. July 16, 2014).

 

 

Advance date on Test Virtual Machine 30 days forward

 

  1. Click on the start menu and type "PowerShell"
  2. Right-click on the "Windows PowerShell" result and select "Run as administrator"
  3. Run the following command in PowerShell:
Set-Date -Date (Get-Date).AddDays(30)

 

 

Verify files are purged from the Quarantine folder

 

Note that the date moved forward 30 days (e.g. to August 15, 2014). Within 2 minutes, the files in the quarantine folder will be purged/deleted per the configuration in the "Virtual Machine Threat Protection Policy". If the file does not disappear, right-click anywhere in the window and select "Refresh".

 

 

Reset time on the Test Virtual Machine

 

Run the following command in PowerShell:

Set-Date -Date (Get-Date).AddDays(-30)

Confirm that the machine is back to the original date (e.g. July 16, 2014).
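The clock-shift purge test can be scripted so that the clock is always put back, even when the check fails. This PowerShell function is an added example (not part of the lab guide); it assumes the lab's quarantine path, the policy's 30-day retention default, the 2-minute purge window stated above, and that it is run from an elevated PowerShell on TestGvm.

```powershell
# Added example, not part of the lab guide. Moves the Test VM clock past the
# quarantine retention period, waits for the purge, and resets the clock in a
# finally block so the VM is never left 30 days in the future.
function Test-DcsQuarantinePurge {
    param(
        [string] $QuarantineDir = 'C:\VirtualAgent\Quarantine',  # lab path
        [int]    $RetentionDays = 30,    # policy default: purge files older than 30 days
        [int]    $TimeoutSec    = 120    # the lab states the purge happens within 2 minutes
    )

    $before = @(Get-ChildItem -LiteralPath $QuarantineDir | Where-Object { -not $_.PSIsContainer })
    if ($before.Count -eq 0) {
        throw "Nothing in $QuarantineDir to purge; quarantine a test file first."
    }

    $originalDate = Get-Date
    $shifted      = $false
    $purged       = $false
    try {
        # Jump past the retention window. Changing the system clock needs admin rights;
        # if this fails, $shifted stays false and the finally block does not touch the clock.
        Set-Date -Date (Get-Date).AddDays($RetentionDays) | Out-Null
        $shifted = $true

        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        while ((Get-Date) -lt $deadline) {
            $left = @(Get-ChildItem -LiteralPath $QuarantineDir | Where-Object { -not $_.PSIsContainer })
            if ($left.Count -eq 0) { $purged = $true; break }
            Start-Sleep -Seconds 10
        }
    }
    finally {
        # Subtract the same shift from the current clock (as the lab does) so the
        # seconds spent waiting are kept rather than rolled back.
        if ($shifted) { Set-Date -Date (Get-Date).AddDays(-$RetentionDays) | Out-Null }
    }

    New-Object PSObject -Property @{
        FilesBefore = $before.Count
        Purged      = $purged
        ClockReset  = (((Get-Date) - $originalDate).TotalDays -lt 1)
    }
}

Test-DcsQuarantinePurge | Format-List
```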

 

Rescanning and Whitelisting


The rescan option in the Threat Protection Policy's Quarantine settings rescans the quarantined files when On-Demand Scans are run. Quarantined files are released/restored to their original locations if they are no longer classified as threats. This classification is based on new definitions, or on the file being explicitly whitelisted in the Scan Settings of the Security Virtual Appliance configuration base policy (SVA_Config_Base_Policy). In this section you will rescan after whitelisting the Eicar test file.


 

Activate a second scan on the Test Virtual Machine

 

  1. Go back to your Symantec DCS RDP session by maximizing the Window
  2. Go to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups > Symantec Protected Group
  3. Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now"

 

 

Select scan type option

 

In the resulting pop-up, select "Scan Targeted Paths".

 

 

Add File Path

 

  1. Click on the "Add" button
  2. Enter the path "C:\TP_Demo2\eicar.txt"
  3. Click on the "OK" button.

 

 

Start Scan

 

Click on the "Scan Now" button to trigger the threat protection scan. Click "Ok" on the success pop-up.

 

 

Verify path on Test Virtual Machine to see if Eicar test was detected

 

Return to the TestGvm RDP session (Test Virtual Machine), go to C:\TP_Demo2 and verify the eicar.txt file is missing.

 

 

Verify Eicar test file is in quarantine folder

 

Go to "C:\VirtualAgent\Quarantine" and verify the eicar.txt quarantined file exists.

Once you confirm a quarantined file exists, go ahead and close all Windows Explorer window(s).

 

 

Edit Virtual Machine Threat Protection Policy

 

  1. Return to your Symantec DCS RDP session
  2. Go to Policies > Virtual Machine Threat Protection > Workspace > Symantec folder
  3. Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit"

 

 

Enable Rescan in the Virtual Machine Threat Protection Policy

 

Check the "Rescan quarantined files..." option and click the "Ok" button.

 

 

Edit policy revision number

 

In the resulting "submit changes" pop-up, edit Revision number from 2 to 1. (This avoids steps to reconfigure Security Policy on the vSphere Web Client)

 

 

Publish Virtual Machine Threat Protection Policy

 

Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy". Click OK when asked to overwrite the existing policy. A second pop-up will appear stating that the policy won't take effect until you apply it to a Security Group. Click OK to finalize the action.

 

 

Find latest "Endpoint malware threat detected" event

 

  1. Go to Monitors > Events > Monitor Types > Virtual Machine Threat Protection Events
  2. Notice the latest "Endpoint malware threat detected" event. Double-click on the event to see event details

 

 

Copy the Eicar test file hash

 

  1. Copy the file hash value by double-clicking on it to highlight it and using keyboard shortcut CTRL + c
  2. Close the event detail window

 

 

Edit Security Virtual Appliance Configuration Base Policy

 

  1. Go back to Policies > Virtual Machine Threat Protection > Workspace > Symantec folder
  2. Right-click on the "SVA_Config_Base_Policy" and select "Edit"

 

 

Whitelist the Eicar test file

 

  1. Go to the "Scan Settings" tab
  2. Click on "Edit[+]" to see the list of whitelisted files
  3. Click on the "Add" button
  4. In the "SHA-256 Digest" field, paste the file hash copied earlier using the keyboard shortcut CTRL + v
  5. In the "Description" field, type "EICAR Test Demo File"
  6. Click "OK" to enter the new entry into the list
  7. Click on the "OK" button on the policy to save the change
  8. Click on the "Submit" button to submit changes (Note: no need to modify Revision number here)

 

 

Publish Security Virtual Appliance Configuration Base Policy

 

Right-click on the "SVA_Config_Base_Policy" and select "Publish". Click OK on the success pop-up.

 

 

Activate a third scan on the Test Virtual Machine

 

  1. Go back to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups > Symantec Protected Group
  2. Click on the "Refresh" Button
  3. Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now"

 

 

Select scan type option

 

In the resulting pop-up, select "Scan Targeted Paths".

 

 

Add File Path

 

  1. Click on the "Add" button
  2. Enter the path "C:\TP_Demo2\eicar.txt"
  3. Click on the "OK" button.

 

 

Start Scan

 

Click on the "Scan Now" button to trigger the threat protection scan. Click "Ok" on the success pop-up.

 

 

Verify that the whitelisted file was restored

 

  1. Go back to the TestGvm (Test Virtual Machine) RDP session
  2. Make sure that the eicar.txt test file in C:\TP_Demo2 was restored
  3. The Quarantine folder C:\VirtualAgent\Quarantine should be empty
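To confirm that the restore was driven by the whitelist entry, this added PowerShell function (not part of the lab guide) checks that the file is back, that the quarantine folder is empty, and that the SHA-256 of the restored file equals the digest you entered in SVA_Config_Base_Policy, i.e. the whitelist matched on content rather than on path. The digest argument is a placeholder for the value copied from the event; the function assumes the lab's paths and computes the hash with .NET so it also runs on PowerShell 2.0.

```powershell
# Added example, not part of the lab guide. Run on TestGvm after the third scan.
function Test-DcsWhitelistRestore {
    param(
        # The SHA-256 digest pasted into the SVA_Config_Base_Policy whitelist.
        [Parameter(Mandatory=$true)] [string] $WhitelistedDigest,
        [string] $RestoredFile  = 'C:\TP_Demo2\eicar.txt',        # lab path
        [string] $QuarantineDir = 'C:\VirtualAgent\Quarantine'    # lab path
    )

    # 1. The whitelisted file must be back at its original location.
    $restored = Test-Path -LiteralPath $RestoredFile

    # 2. Hash the restored file. Get-FileHash needs PowerShell 4, so use .NET
    #    directly; the result is the lowercase hex form used in the policy UI.
    $actual = $null
    if ($restored) {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($RestoredFile)
        try     { $hashBytes = $sha.ComputeHash($stream) }
        finally { $stream.Close() }
        $actual = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    # 3. Nothing should remain in quarantine once the rescan released the file.
    $leftover = @(Get-ChildItem -LiteralPath $QuarantineDir | Where-Object { -not $_.PSIsContainer })

    New-Object PSObject -Property @{
        Restored        = $restored
        ActualDigest    = $actual
        DigestMatches   = ($restored -and ($actual -eq $WhitelistedDigest.Trim()))  # -eq ignores case
        QuarantineEmpty = ($leftover.Count -eq 0)
    }
}

# Replace the placeholder with the digest copied from the event details.
Test-DcsWhitelistRestore -WhitelistedDigest '<SHA-256 digest copied from the event>' | Format-List
```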

 

Summary


In this module you learned how to:


Module 3 - Demonstrate Symantec's Virtual Machine Network Security Introspection (30 Min)

Introduction


This module discusses:


Create New NSX Security Policy with Network Introspection Services


To begin this module access the vSphere Web Client and go to the "Networking & Security" home page.


 

Access the Service Composer

 

On the "Networking & Security" home page select the "Service Composer" tab.

 

 

Access the Security Policies tab

 

Click on the "Security Policies" tab.

 

 

Create new Security Policy

 

Click on the "Create Security Policy" icon.

 

 

Name the new Security Policy

 

Name the Security Policy "DCS Network Threat Protection".

 

 

Add a new Network Introspection Service option

 

  1. Click on the 4th option on the left side panel named "Network Introspection Services"
  2. Click on the green plus (+) icon to add a new Network Introspection Service

 

 

Provide appropriate entries and selections for new Network Introspection Service

 

  1. Name: "DCS Network Threat"
  2. Service Name: "Symantec DataCenter Security Service for VMware NSX"
  3. Profile: "Virtual Machine Threat Protection Policy profile"
  4. Source: Click on "Change...", on the source pop-up select "Any"
  5. Destination: Leave as "Policy's Security Groups"
  6. Click the "OK" button

 

 

Finalize changes to the existing Security Policy

 

Click on the "Finish" Button to save and finalize the new "DCS Network Threat" security policy.

 

 

Apply new Security Policy to existing Security Group

 

Right-click on the new "DCS Network Threat Protection" and select "Apply Policy".

 

 

Select the Security Group to which the Security Policy will be applied

 

From the resulting pop-up check the security group "Symantec Protected Group" and click on the "OK" button.

 

Simulate Inbound Network Threat in Log Only Mode


In this section you will simulate a network threat, specifically a SQL injection against an SQL web front end. The Test Virtual Machine (TestGvm) hosts an implementation of PHP for Windows running on an Internet Information Services (IIS) server. The victim website hosted on the Test Virtual Machine contains a table with dummy personally identifiable information (PII). A URL with a crafted SQL injection query will be used to test whether the attack is allowed or denied.

In this step, the SQL injection simulation will be successful since the Virtual Machine Threat Protection Policy is set to log-only mode.


 

Refresher of Network Security Settings in Virtual Machine Threat Protection policy

 

In an earlier step it was verified that the "Block connection when threats are found (Threats will only be logged when left unchecked)" option was unchecked. There is no need to modify the "Virtual Machine Threat Protection Policy" for this step since the policy is already modified to only log when the threat is found.

 

 

Type the URL with a crafted SQL injection query and explore results

 

http://192.168.120.30/ax/gettprojectnodes.php?test=1&root_node=selectfromwhere

Notice how the URL is structured and the results you get in the web browser. The PII data is now exposed.

 

 

Verify that "Guest network threat detected" event exists in the Symantec Data Center Security: Server Management Console

 

  1. Return to the Symantec DCS RDP session
  2. Go to Monitors > Events tab > Monitor Types > Virtual Machine Threat Protection Events
  3. Refresh and verify a "Guest network threat detected" event exists.

 

 

Check "Guest network threat detected" event details

 

The remediation status is "Guest network threat logged" since the Virtual Machine Threat Protection Policy is configured to only log when a threat is found. The information logged in the event includes, among other fields, the threat name and the source and destination IP address and port of the network traffic.

 

Simulate Inbound Network Threat and Block It


In this step the network threat (SQL injection) will be activated one more time. This time the SQL injection simulation will fail as we will make changes on the Virtual Machine Threat Protection Policy to prevent the attack from occurring.


 

Access the Virtual Machine Threat Protection policies

 

Go to Policies > Virtual Machine Threat Protection.

 

 

Access the Symantec default policies workspace folder

 

Click on Policies > Workspace > Symantec folder on the left panel.

 

 

Edit the Virtual Machine Threat Protection Policy

 

Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit".

 

 

Modify Network Security Settings to enable the blockage of threats

 

  1. Check the box next to "Block connection when threats are found..." option.
  2. Click on the "Ok" button

 

 

Submit policy changes

 

  1. Type "1" as the new Revision number
  2. Click on the "submit" button to finalize and submit policy changes.

 

 

Publish Policy

 

Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy".

 

 

Accept Threat Protection policy overwrite warning

 

A pop-up informing you that the new changes to the policy will overwrite the existing published policy will appear. Click the "Ok" button.

 

 

Accept Threat Protection Policy published successfully pop-up

 

After allowing the policy to be overwritten you will receive a pop-up informing you that the Threat Protection Policy was successfully published. Click on the "Ok" button to confirm. You will now see a green dot next to the "Virtual Machine Threat Protection Policy" reaffirming the action.

 

 

Type the URL with a crafted SQL injection query and explore results

 

http://192.168.120.30/ax/gettprojectnodes.php?test=1&root_node=selectfromwhere

Notice how the URL is now blocked. The Virtual Machine Threat Protection Policy is now actively blocking network threats.

 

 

Verify that "Guest network threat detected" event exists in the Symantec Data Center Security: Server Management Console

 

  1. Return to the Symantec DCS RDP session
  2. Go to Monitors > Events tab > Monitor Types > Virtual Machine Threat Protection Events
  3. Refresh and verify a "Guest network threat detected" event exists.

 

 

Check "Guest network threat detected" event details

 

The remediation status this time is "Guest network threat blocked" since the Virtual Machine Threat Protection Policy is configured to block the connection when a threat is found.

 

Summary


The micro-segmentation feature of VMware NSX gives access to the L2 traffic flowing through the Guest Virtual Machine. In this module you learned how these data packets can be inspected to detect and block possible network-based threats such as SQL injection. We call this feature Guest Network Threat Protection (GNTP).

This module covered:


Summary Review of DCS and NSX

Conclusion


This concludes HOL-PRT-1464 - "Applying Data Center Security with Symantec & VMware NSX". We hope you have enjoyed taking this lab.

Symantec Data Center Security: Server delivers advanced security services on VMware NSX by integrating into the hypervisor. This integration makes management and consumption of security policies part of the integrated NSX workflow. As a result of this native integration, the Symantec security appliance works seamlessly with other NSX integrations such as vCAC from VMware.

For more information, or if you are interested in learning more about Symantec Data Center Security, please contact amit_chakrabarty@symantec.com.

 


Interested in our solution?



 

Scan the QR code with your smartphone or tablet for more information

 

Interested in Symantec Data Center Security: Server/Server Advanced? For more information about our solution, scan the QR code with your smartphone or tablet or enter the URL http://www.symantec.com/data-center-security

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-PRT-1464

Version: 20160503-134137