Archive

Category Archives for "VMware Network Virtualization Blog"

Announcing VMware HCX 4.1

VMware HCX is a crucial component of the modernization journey for many VMware customers as they transform their data centers into SDDCs, both on-premises and in the public cloud. HCX, an application mobility platform, simplifies application migration, workload rebalancing, and business continuity across data centers and clouds, and enables large-scale migration of workloads to modern environments.

With the HCX 4.0 release, we rolled out some major updates. Now, the journey continues steadily forward with the release of HCX 4.1. Let’s dive in and see what’s new.

What’s New

Migrations Estimations: Predictive Estimations for Bulk Migrations

One key capability that was launched in HCX 4.0 was Migration Estimation — which provides real-time predictions for bulk migrations. With the HCX 4.1 release, customers will see a more accurate predictive estimate for bulk migrations in draft stage before wave execution.

Seed Checkpoint for Bulk Migration​

In the past, failed replication-based migrations, like bulk migrations with HCX, automatically executed a cleanup process, which would lead to a total loss of replicated data. To the customer, this entailed losing all migration progress, while for larger VM profiles this meant the loss of many days of replication progress.

The seed checkpoint Continue reading

Exploring VMware’s Kubernetes App Connectivity and Security Solution: A Deep Dive, with Demos

Modern apps need to run in multi-cluster, multi-cloud environments across a mix of traditional and microservices architectures. In this context, enterprise platform, infrastructure, and operations teams are presented with unique challenges in securely connecting and managing modern workloads, in delivering scalable services, or bridging between traditional VM workloads and containers, and supporting production operations for modern apps.  

VMware recently introduced the “VMware Modern Apps Connectivity solution”, which brings together the advanced capabilities of Tanzu Service Mesh (TSM) and VMware NSX Advanced Load Balancer ALB (formerly Avi Networks) address today’s unique enterprise challenges.  

In this blog, we’ll take a deeper look at this solution and demonstrate how its cloud-native principles enable a set of important use cases that automate the process of connecting, observing, scaling, and better securing applications across multi-site environments and clouds. We’ll also show how state-of-the-art capabilities in this solution — like Global Server Load Balancing (GSLB) and Intelligent Autoscaling — enable enterprises to deliver advanced use cases such as cloud-bursting.  

Step 0: Set up (typical HA architecture for a modern distributed app) 

Let’s start by looking at our set-up, which is a typical architecture for a highly-available modern app deployment Continue reading

Introducing OSPF Support in NSX-T 3.1.1

NSX-T has revolutionized the data center and plays a key role in modern data center fabrics. Its unmatched capabilities are key elements in any effort to modernize networking in the data center.

NSX-T version 3.1.1 will go down as a critical milestone in this journey, as it supports OSPF version 2.

Based on RFC 2328, Open Shortest Path First Version 2 (OSPF v2) provides fast convergence, scalability, and is widely known among network architects and their operations teams. As a result, it is one of the most popular link state routing protocols in enterprise networks and data centers.

Interconnecting your physical networking fabric with NSX-T was possible using static routes and BGP. OSPF is now an option to consider leveraging dynamic routing protocols in the data center. By supporting OSPF as a dynamic routing protocol, existing NSX for vSphere customers can migrate seamlessly to NSX-T.

In this blogpost, we will demonstrate how to implement OSPFv2 within NSX-T in your data center.

OSPF Support in NSX-T

Providing connectivity between users and applications in a data center is crucial. The main purpose of any routing protocol is to dynamically exchange or share information regarding the reachability of a network.

Continue reading

Don’t Be Fooled by Agent Tesla’s Football Club Red Herring

Contributors: Subrat Sarkar (T-Rex), Jason Zhang (NSBU TAU)

Agent Tesla is a remote access tool (RAT) that is known for stealing credentials from several applications, including web browsers, VPN clients, and mail and FTP applications. It also supports keylogging, screen grabbing, and other functionality. Since it first came on to the scene in 2014, Agent Tesla has evolved into a fully customizable commercial malware tool, which is readily available on underground markets. Given the huge popularity of the malware, this threat has been thoroughly covered by the threat intelligence community, including our analysis in 2018 [1], our reports on COVID-19 related cyber threats [2] [3], and a recent article describing a surge of infections [4]. More recently, we detected a new wave of Agent Tesla attacks that exhibited some interesting characteristics, such as requesting a connection to top European football club websites.

In this blog post, we first present some of VMware’s NSX Advanced Threat Prevention telemetry and email metadata from the attack. We then provide our analysis detailing the most distinctive aspects of the attack, from the use of well-known European football club websites to key tactics, techniques, and procedures (TTPs).

The Agent Tesla Campaign

Figure 1 shows Continue reading

Is Your Perimeter Firewall Enough?

It’s not unnecessary, but a perimeter firewall is not enoughPicture this: innocent end-user at a mid-size commercial firm clicks on an email link originating in a phishing email attack. Sigh. The bad actor is now already behind the firewall. Without lateral controls, the exploit can quickly propagate throughout the network. In fact, according to our recent Threat Landscape Report, email is still the number one vector to deliver malware, and 4% of all emails are malicious. So if you have 701 emails in your inbox right now (no? just me?) 28 of them may be malicious. Yikes.  

See What Evaded the Perimeter Threat Landscape Report

Most data center traffic happens within the data center and behind perimeter firewalls—a.k.a. east-west traffic, internal traffic, or lateral traffic—as opposed to north-south traffic, which is inbound/outbound. Likewise, most of the high-profile attacks in recent times have involved malware sitting inside the network, moving laterally from server to server and remaining undetected for months. This is what causes real damage. You simply need more visibility and control in east-west traffic to prevent attackers’ lateral movement.

Perimeter Firewalls Weren’t Made to Secure East-West Traffic

It’s true, traditional appliance-based firewalls Continue reading

How to Protect Azure VMware Solution Resources with Azure Application Gateway

Azure VMware Solution (AVS) is a VMware validated private cloud solution managed and maintained by Azure. It runs on dedicated bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across VMware environments and Microsoft Azure with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption 

As AVS private cloud runs on an isolated Azure environment, it is not accessible from Azure or the Internet by default. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet 

But what if customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet? In that case, Public IP needs to be deployed. There are couple of ways to do this: (1) Azure Application Gateway, and (2) Destination NAT or DNAT using Azure WAN Hub and Firewall. Azure Application Gateway is Continue reading

Data Center Threats: Turning Remote Access into Money

Data centers are an appealing target for cybercriminals. Even though they may be more difficult to compromise than the home computer of a kid playing Fortnite or the laptop of a sales representative connecting to a random wireless network, they can bring very large rewards: databases with millions of records containing financial and personal information, substantial computational resources that can be used to mine cryptocurrencies, and access to key assets that can be held for ransom.

In this blog post, we analyze the main pathways that cybercriminals leverage to gain access to data centers, how they take advantage of that access, and what security administrators can do to reduce and manage the associated risks.

Getting into the Data Center

The obvious first goal of an attacker is to gain access to the targeted data center. This can be achieved in several ways — including social engineering [1], physical access [2], and occasionally by deer [3]— but anecdotal evidence suggests that the two main avenues are remote exploitation (also known as remote-to-local attacks [4]), and stolen credentials [5].

Remote-to-local Attacks

In a remote-to-local attack, an attacker targets a remotely accessible service provided by one of the workloads running in the data Continue reading

VMware Wins 2021 Global InfoSec Award as Market Leader in Firewall 

Today at RSA Conference 2021, we’re excited to announce that VMware is a winner of the CyberDefense Magazine 2021 Global InfoSec Award as Market Leader in Firewall.  One of VMware’s core beliefs is that we need structural and architectural changes to how organizations approach security. This means taking a fresh look at how we approach issues such as internal data center security. This is exactly what led us to deliver the VMware NSX Service-defined Firewall.

The NSX Service-defined Firewall is one of the foundations of VMware Security. This solution is a unique distributed, scale-out internal firewall that protects all east-west traffic across all workloads without network changes. This radically simplifies the security deployment model. It includes a distributed firewall, advanced threat protection, and network traffic analytics. With the VMware NSX Service-defined Firewall, security teams can protect their organizations from cyberattacks that make it past the traditional network perimeter and attempt to move laterally. Its key differentiating capabilities include:

  • Distributed, granular enforcement: The NSX Service-defined Firewall provides distributed and granular enforcement of security policies to deliver protection down to the workload level, eliminating the need for network changes.
  • Scalability and throughput: Because it is distributed, the Service-defined Firewall is elastic, Continue reading

Threat Landscape Report – Threats Evading Perimeter Defenses

Today’s reality is that security breaches are a given. Sophisticated attackers are too numerous and too determined to get caught by perimeter defenses. A new VMware Threat Analysis Unit report bears this out. In North-by-South-West: See What Evaded Perimeter Defenses, the findings are clear: despite a cadre of perimeter defenses being deployed, malicious actors are actively operating in the network. The research presents a clear picture of how attackers evade perimeter detection, infect systems, and then attempt to spread laterally across the network to execute their objective.

Watch Chad Skipper, Global Security Technologist, provide an overview of the findings.

Key insights include:

  • The best offense is to evade defense: Threat actors’ first order of business is to evade detection. Evasion of defense systems is the most encountered MITRE ATT&CK ® tactic used by malware, followed by execution and discovery.
  • Email attacks lead the pack: Email continues to be used as the most common attack vector to gain initial access with more than four percent of all business emails analyzed contained a malicious component
  • ZIP-ing through defenses: More than half of all malicious artifacts analyzed were delivered by a Zip archive. Attackers have massively scaled up operations Continue reading

Multi-Cloud Connectivity and Security Needs of Kubernetes Applications

Application initiatives are driving better business outcomes, an elevated customer experience, innovative digital services, and the anywhere workforce. Organizations surveyed by VMware report that 90% of app initiatives are focused on modernization(1). Using a container-based microservices architecture and Kubernetes, app modernization enables rapid feature releases, higher resiliency, and on-demand scalability. This approach can break apps into thousands of microservices deployed across a heterogeneous and often distributed environment. VMware research also shows 80% of surveyed customers today deploy applications in a distributed model across data center, cloud, and edge(2).

Enterprises are deploying their applications across multiple clusters in the data center and across multiple public or private clouds (as an extension of on-premises infrastructure) to support disaster avoidance, cost reduction, regulatory compliance, and more.

Applications Deployed in a Distributed Model

Fig 1: Drivers for Multi-Cloud Transformation 

The Challenges in Transitioning to Modern Apps 

While app teams can quickly develop and validate Kubernetes applications in dev environments, a very different set of security, connectivity, and operational considerations awaits networking and operations teams deploying applications to production environments. These teams face new challenges as they transition to production with existing applications — even more so when applications are distributed across multiple infrastructures, clusters, and clouds. Continue reading

It Should Be Easy to Upgrade Your Load Balancer —And it Can Be

Applications have never been more important in business than they are today. And where there are applications, there’s a load balancer, working behind the scenes to ensure your applications can be used comfortably and safely at all times. When operating a load balancer, the most troublesome issue is upgrade work. Let’s examine the problems of traditional load balancer upgrades and take a look at VMware’s automated, streamlined solution: NSX Advanced Load Balancer.

Why do you need to upgrade your load balancer in the first place?

The main reasons to upgrade a load balancer are to patch vulnerabilities and bugs, to enable new features, and for EoSL support. A load balancer, located between users and applications, must above all be stable; we particularly want to avoid service disruptions due to defects in the load balancer software. For this reason, load balancer upgrades are inevitable. And for IT, the trick is to make them, as transparent and painless as possible..

For illustration, let’s take a look at a recent international case involving load balancers. To address software glitches, a project was running to upgrade hundreds of load balancers. The upgrade work was carried out little by little over several months, with operations personnel setting Continue reading

Achieving Application Resiliency via VMware Tanzu Service Mesh and AWS Route 53

Service Mesh is quickly becoming a fact of life for modern apps, and many companies are choosing this method for their distributed micro-services communications. While most examples of service mesh focus only on the east-west aspect of app services communications and security, Tanzu Service Mesh aims at including the entire application transaction which includes both east-west as well as north-south communications in the mesh.

In previous blogs and articles (here and here ), we dug into the core construct of the system, called Global Namespace (GNS). GNS is the instantiation of application connectivity patterns and services. In the case we are describing here, one of these services consists of “northbound” access to the application in a resilient configuration through integration with a Global Server Load Balancing (GSLB) solution. In the current version of the service, we support the following integrations:

  1. VMware NSX-ALB (aka avi networks) – VMware’s own complete software load balancing solution.
  2. AWS Route 53 – AWS DNS service providing GSLB services for resiliency. This is useful for customers who do not own NSX-ALB.

In this first blog, we’ll describe how the solution works with AWS Route 53 and how to configure it. In a later post, we’ll Continue reading

How to Implement Network Segmentation with Zero Changes to Your Network

Across industries, network segmentation is quickly becoming a critical capability for enterprises of all sizesWhy? First, network segmentation prevents the lateral spread of threats inside the network. Second, it separates dev, test, and production environments. And lastly, it meets increasingly complex compliance requirements while enabling a Zero Trust security strategy. 

Howeverhistorically network segmentation has been fraught with operational challenges and limited by platform capabilities, leading to the perception that setting up and configuring segmentation policies requires massive changes to the physical network as well as a complex, bloated, and costly deployment of physical firewall appliances. 

Not anymore. VMware takes a distributed, software-based approach to segmentation, eliminating the need to redesign your network in order to deploy security. Instead, segmentation policies are applied at the workload level through NSX Firewall, which is deployed on top of your existing VSphere 7 environments. This allows you to easily create zones in the data center where you can separate traffic by application or environment  providing the quickest and easiest way to achieve your data center segmentation Continue reading

How to Publish AVS Workloads on the Internet

Azure VMware Solution (AVS) is a VMwarevalidated private cloud solution, managed and maintained by Azure. It runs on dedicated, bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across both VMware environments and Microsoft Azure resources with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption.  

 As AVS private cloud runs on an isolated Azure environmentby default it is not accessible from Azure or the Internet. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet. If customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet, Public IP needs to be deployed. There are couple of ways to do this: (1) Destination NAT or DNAT via Azure Virtual WAN/Azure Firewall; and (2) Azure Application Gateway. This article focuses on DNAT with Azure Virtual WAN/Azure Firewall. 

Continue reading

Security Power Block Series: Secure Your Data Center with NSX Firewall

We get it. The world of network security is changing, and it’s hard to keep up. Between your regular duties, pressure to adapt to changing realities, and pandemic stress on both your work and home life, ita challenge to find the time to build new skills.  

Understanding that your time is precious, we’ve created a series of succinct, 30-minute, security-focused webinars that take a deep dive into the topics, strategies, and techniques you need to know. The four sessions in our Security Power Block Series will explore the new security landscape, how our unique architecture is ideal for protecting East-West traffic from modern security threats, and real-world use cases you can use to operationalize your data center security at scale.   

You can register for one, two, three, or all sessions at once and you’ll automatically receive invitations with session links that you can add directly to your calendar. Staying informed — and learning new skills — couldn’t be easier. 

Network Segmentation Made Easy  

April 14, 2021 
10:00 a.m. PT  

Zoning or segmenting data center networks into manageable chunks Continue reading

4 Data Center Security Issues That Will Make You Rethink Firewalling

Recall what was happening a decade ago? While 2011 doesn’t seem that long ago (you rememberthe Royal Wedding, Kim Kardashian’s divorce, and of course Charlie Sheen’s infamous meltdown), a lot has changed in 10 years. Back then, most data centers were just starting to experiment with virtualization. Remember when it was considered safe for only a handful of non-essential workloads to go virtual? Well, today about half of the servers globally have become virtualized, and we’ve moved well beyond just virtualization. Nearly every enterprise data center has become a hybrid environment, with a mix of physical and virtual storage and compute resources. Containerization and the technologies supporting it are starting to take hold. And of course, cloud computing has become pervasive in all aspects of enterprise computing. 

Now, the business benefits of today’s software-defined data center are many, especially in terms of resource efficiency and cost savings. But there’s no denying that complexity has also increased, because all the same resources are still needed—compute, storage, switching, routingbut now any number of these resources may be on-prem or in the Continue reading

Dridex Reloaded: Analysis of a New Dridex Campaign

Dridex is a banking Trojan. After almost a decade since it was first discovered, the threat is still active. According to report published by Check Point [1]Dridex was one of the most prevalent malware in 2020. The recent Dridex campaign detected by VMware demonstrates that this ongoing threat constantly evolves with new tactics, techniques, and procedures (TTPs), which exhibit great differences with respect to the variants we’ve collected from campaigns since April 2020 (as discussed in the section Comparison with old Dridex samples). 

In this blog post, we first examine the recent Dridex attack by looking into some of VMware’s NSX Advanced Threat Prevention telemetry, which showcases the magnitude of the campaign. We then present the analysis for the most distinctive aspects of the attack, from the techniques leveraged by the XLSM downloader to the main functionality of the DLL payloads. Finally, we provide a comparison to some other Dridex variants seen in the past, which leads to the conclusion that the Dridex variant from the January 2021 campaign is very different from previous variants. 

The Dridex Campaign 

The chart below shows Continue reading

Memory Forensics for Virtualized Hosts

Detecting In-Memory Malware Threats

Memory analysis plays a key role in identifying sophisticated malware in both user space and kernel space, as modern threats are often file-less, operating without creating a file system artifact.

The most effective approach to the detection of these sophisticated malware components is to install on the protected operating system an agent that continuously monitors the OS memory for signs of compromise. However, this approach has a number of drawbacks. First, the agent introduces a constant overhead in the monitored OS — caused by both the resources used by the agent process (e.g., CPU, memory) and the instrumentation used to capture relevant events (e.g., API hooking). Second, a malware sample can detect the presence of an agent and attempt to either disable the agent or evade detection. Third, depending on how it is deployed, the agent not have access to specific portions of the user-space and kernel-space memory, and, as a consequence, may miss important evidence of a compromise. Finally, deploying, maintaining, and updating agents on every endpoint can be challenging, especially in heterogeneous deployments where multiple versions of different operating systems and architectures coexist.

A complementary approach to the detection of Continue reading

Witness VMware Disrupt Enterprise Data Center Security at XFD5 

The security industry needs to wake up. Today’s attackers are too numerous and too determined to get caught by simple perimeter defenses. It’s no longer a matter of if an attack will be successful, it’s a matter of when. Security pros need to recognize this reality, stop using archaic detect and respond approaches to secure the enterprise, and start focusing on blocking the spread of attacks once they make that initial breach.  

Changing the industry won’t be easy. It will require a bold step  one that we believe we’ve taken at VMware with our distributed, software-defined approach to enterprise security. This approach gives us the ability to operationalize east-west security at scale, simplify the implementation of segmentation in just a few steps, and insert advanced threat prevention inside the data center. 

We’ll showcase these latest security advances on Thursday, March 25, starting at  at 2:00 pm PST. Broadcasting live around the world during Security Field Day 5 NSX security experts will run through simple, practical steps that security teams can take to meet Continue reading

VMware to Help Customers Make Modern Apps More Secure with Acquisition of Mesh7

By Tom Gillis, SVP/GM, Networking and Security Business Unit, VMware

EDITORIAL UPDATE: On March 31, 2021 VMware officially closed its acquisition of Mesh7. The blog post originally appeared on March 18, 2021 below and has been amended to reflect that announcement.

With the VMware Virtual Cloud Network, we are delivering a modern network that understands the needs of applications and programmatically delivers connectivity and security services to meet those requirements. The ultimate result is a better experience for both users and applications. We are furthering our efforts to make modern applications more secure with our acquisition of Mesh7, which closed today. The Mesh7 technology will enable VMware to bring visibility, discovery, and better security to APIs.

So why is this important?

Customers are driving app modernization to shed the legacy of monolithic applications, to free IT and developers from single, rigid environments, and to make every service, every team, and every business more agile. Modern applications require reliable connectivity, dynamic service discovery, and the ability to automate changes quickly without disruption as they extend across multi-cloud environments. Security teams and operators need better visibility into application behavior and overall security posture, and the developer experience needs to lead to Continue reading

1 2 3 22