In this example, your objective is to create a security policy with Distributed Malware Prevention firewall rules that detects and prevents malicious Portable Executable files on Windows workload VMs that are running database servers and Web servers in your organization.

You can use the NSX Distributed Malware Prevention service in NSX to meet this objective. For this example, you will group workload VMs of database servers and Web servers by using a dynamic membership criterion based on tags.

Assumptions:

  • Tags required for grouping of workload VMs are added already in the NSX inventory, as follows:
    • Tag Name: DB, Scope: Servers
    • Tag Name: WEB, Scope: Servers
  • DB Tag is assigned to three database workloads (Windows VMs): VM1, VM2, and VM3.
  • WEB Tag is assigned to three application workloads (Windows VMs): VM4, VM5, and VM6
  • Cloud File Analysis option is selected in the Malware Prevention profile.

Prerequisites

NSX Malware Prevention service virtual machine is deployed on vSphere host clusters where the workload VMs are running. For detailed instructions, see Deploy the NSX Distributed Malware Prevention Service.

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Organize database workload VMs and application workload VMs into two Groups.
    1. Navigate to Inventory > Groups.
    2. Click Add Group.
    3. Create two groups with a dynamic membership criterion based on tags and with Virtual Machine as members, as shown in the following screenshots.

      - Dynamic criterion for DB Servers group based on a tag assigned to VM.

      - Dynamic criterion for Web Servers group based on a tag assigned to VM.
    4. On the Groups page, for each group, click View Members, and verify that the effective members are shown.
      Group Name Effective Members
      DB-Servers VM1, VM2, VM3
      Web-Servers VM4, VM5, VM6
  3. Navigate to Security > IDS/IPS & Malware Prevention > Distributed Rules.
  4. Click Add Policy to create a section, and enter a name for the policy.
    For example, enter Malware-Prevention-Rules.
  5. Click Add Rule and configure the rule settings.
    1. Enter a name for the rule.
      For example, enter Protect-DB-Web-Servers.
    2. In the Sources, Destinations, and Services columns, retain Any.
    3. In the Security Profiles column, select the Malware Prevention profile to use for this rule.
    4. In the Applied To column, select the DB-Servers and Web-Servers groups that you created earlier.
    5. In the Mode column, select Detect and Prevent.
  6. Publish the rule.

Results

The rule is pushed to the host.

When Windows Portable Executable (PE) files are detected on the workload VMs, file events are generated and shown in the Malware Prevention dashboard. If the file is benign, the file is downloaded on the workload VM. If the file is a known malware (file matches known malware file signatures in NSX), and Detect and Prevent mode is specified in the rule, then the malicious file is blocked on the workload VM.

If the file is an unknown malware (Day-zero threat) and detected for the first time in the data center, it is downloaded on the workload VM. After NSX has determined the file verdict as malicious either by using local file analysis or cloud file analysis, the verdict is distributed to the other ESXi hosts and NSX Edges in the data center, which are activated for NSX Malware Prevention. When the file with the same hash is detected again on any of the workload VMs that are protected by NSX Malware Prevention, the security policy is applied, and the malicious file is blocked on the workload VMs.