Enable VMware NSX-T 3.0 Distributed IDS Configuration

One of the great new features of VMware NSX-T 3.0 is the distributed IDS capability that is now part of the platform. In the same way that NSX changed the game for firewalling with the distributed firewall, the distributed IDS provides the same advantages in scale, efficiency, and security for your environment. With distributed IDS, you no longer have to worry about hairpinning traffic to a physical firewall for IDS inspection and then making a U-turn back to your hypervisor hosts. It is easy to configure and start using in your NSX-T-enabled environment. In this post, we will take a quick look at how to enable the VMware NSX-T 3.0 distributed IDS, how it is "turned on" in your environment, and a few basic configuration settings.

What is VMware NSX-T 3.0 Distributed IDS?

Before looking at how to enable VMware NSX-T 3.0 distributed IDS configuration, let’s see a bit more about what it is exactly. With VMware NSX Distributed IDS/IPS, you are able to scrutinize the lateral movement of east-west network traffic across your on-premises, hybrid cloud, or multi-cloud environment.

This allows you to replace or remove altogether discrete IDS/IPS devices that you may be using for this functionality in your environment. What are some of the advantages of the new distributed IDS/IPS functionality?

  • Elastic throughput – With the new distributed IDS, you can scale inspection capacity simply by adding more hosts to your environment. This helps to eliminate bottlenecks in your IDS security solution.
  • No traffic hairpinning – For performance, simplicity, and efficiency, the last thing you want to do is hairpin traffic, that is, make it leave and simply U-turn back the way it came. All the IDS/IPS capabilities are applied inside the hypervisor itself, so this is highly efficient and yields tremendous performance.
  • Application context – low false positives – Since VMware uses application context for the distributed IDS/IPS functionality, there are almost zero false positives and high fidelity when it comes to signature matches.
  • Eliminate the need for dedicated appliances – If you have been using dedicated virtual appliances, the distributed IDS/IPS can help you reclaim the compute capacity in the environment that was dedicated to these discrete virtual appliances.

Key capabilities of the distributed IDS/IPS solution:

  • Distributed analysis – The IDS/IPS engine is distributed out to each workload and scales in a way that is linear across your environment.
  • Context-based signature distribution – Only the threat signatures relevant to each workload are enabled, based on the running applications, operating systems, etc. This makes it far more efficient than the way traditional discrete appliances apply IDS/IPS.
  • Application context – Better classification of the applications running on each workload and of the rules that need to be applied to each using the distributed IDS/IPS.
  • Policy and state mobility – Policies and state move with the workload when it moves. This means that workloads are automatically secured at their new location without manual reconfiguration.
  • Automated policy lifecycle management – Automatic creation of security policies for new workloads and elimination of policies that are no longer needed.

Enable VMware NSX-T 3.0 distributed IDS configuration

Now that you have added either standalone hosts or clusters to your NSX-T 3.0 environment, we can enable and configure the distributed IDS functionality.

If you navigate to the Security > Security Overview > Insights section, you will see the Get started with IDS >> link. Click this.

Getting started with NSX-T 3.0 distributed IDS

This will launch the Getting started with NSX’s Intrusion Detection System workflow. Click the Get Started button.

Launching the getting started workflow with NSX-T 3.0 distributed IDS

Right off the bat for me, I see there is an Intrusion Detection signature update available. By default the box Auto update new versions (recommended) is not checked. You can check this box if you want new signature versions to be downloaded automatically, which is what most will want to do. Click the Update Now link to perform an ad-hoc update.

As you can see, it is simple to enable the distributed IDS. Next to both the standalone hosts section and the clusters section, you will see the toggle button to enable distributed IDS.

Updating the NSX-T 3.0 distributed IDS signatures

Signature update completes successfully.

Update of NSX-T 3.0 distributed IDS signatures is successful

When you click the toggle button, you will need to confirm enabling the distributed IDS functionality.

Enable the distributed IDS on either your standalone ESXi host or vSphere cluster

The toggle button is now on and it is enabled.

NSX-T 3.0 distributed IDS has been enabled on a vSphere cluster

Adding an NSX-T 3.0 Distributed IDS Profile

We need to add both a profile and a rule containing that profile which matches traffic in the environment to get a basic configuration going. Click Add IDS Profile under Profiles.

Adding an NSX-T 3.0 distributed IDS profile

Here you can use the Severities to include checkboxes to select the severities you want to include in the profile.

Naming the new IDS profile and setting the severities to include

Also, you can exclude specific signatures if needed as well.

Signatures to exclude in the new profile

The new profile is added successfully.

Profile created and status successful

Next, we can add a rule that references the profile you created above. Under Rules click the Add Policy link.

Adding a new policy to include the new profile

Below, I have added a rule that references any source and destination along with the IDS Profile that I created. To make this live, just like the distributed firewall, we need to Publish the changes.

After adding the new policy including the new profile, publish the new rule

The new distributed IDS rule is now live in the environment. Easy!

New NSX-T 3.0 distributed IDS rule published successfully
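The same three steps (enable IDS on a cluster, create a profile, create a policy with an any-to-any rule) can be scripted against the NSX-T Policy API. The block below is an added example, not code from the post or from VMware; the endpoint paths, resource types and field names (IdsClusterConfig, IdsProfile, IdsSecurityPolicy, IdsRule, profile_severity, overridden_signatures) are my understanding of the NSX-T 3.0 Policy API and should be checked against the API reference for your build, and the manager address, credentials and ids are placeholders you supply.

```python
# Added example, not code from the post or from VMware: build and send the
# NSX-T 3.0 Policy API requests that mirror the UI steps above. Endpoint paths,
# resource types and field names are an assumption to check against the API reference.
import base64
import json
import urllib.request

API_BASE = "/policy/api/v1"
IDS_SETTINGS = "/infra/settings/firewall/security/intrusion-services"
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # highest to lowest

def severities_at_or_above(minimum):
    """Severity checkboxes to tick for 'everything at least this serious'."""
    if minimum not in SEVERITIES:
        raise ValueError(f"unknown severity {minimum!r}")
    return list(SEVERITIES[: SEVERITIES.index(minimum) + 1])

def cluster_enable(cluster_id, enabled=True):
    """Step 1: the per-cluster 'enable distributed IDS' toggle. Returns (path, body)."""
    return (f"{IDS_SETTINGS}/cluster-configs/{cluster_id}",
            {"resource_type": "IdsClusterConfig", "ids_enabled": enabled})

def ids_profile(profile_id, name, severities, excluded_signature_ids=()):
    """Step 2: profile with the severities to include and signatures to exclude."""
    unknown = set(severities) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    body = {"resource_type": "IdsProfile", "display_name": name,
            "profile_severity": [s for s in SEVERITIES if s in severities],
            "overridden_signatures": [{"signature_id": str(s), "enable": False}
                                      for s in excluded_signature_ids]}
    return (f"{IDS_SETTINGS}/profiles/{profile_id}", body)

def ids_policy(policy_id, rule_id, name, profile_id):
    """Step 3: policy holding one any-to-any detect rule that references the profile."""
    rule = {"resource_type": "IdsRule", "id": rule_id, "display_name": name,
            "source_groups": ["ANY"], "destination_groups": ["ANY"],
            "services": ["ANY"], "scope": ["ANY"], "action": "DETECT",
            "ids_profiles": [f"{IDS_SETTINGS}/profiles/{profile_id}"]}
    body = {"resource_type": "IdsSecurityPolicy", "display_name": name, "rules": [rule]}
    return (f"/infra/domains/default/intrusion-service-policies/{policy_id}", body)

def patch(manager, user, password, path, body):
    """PATCH one object; as I understand the Policy API, a successful PATCH is realized
    immediately, so there is no separate Publish step as in the UI."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{API_BASE}{path}", method="PATCH", data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on a non-2xx reply
        return resp.status
```

Typical use is `patch("nsx-manager.example.com", "admin", "<password>", *cluster_enable("domain-c8"))`, then the same for `ids_profile(...)` and `ids_policy(...)` in that order, since the rule references the profile by its policy path.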

Wrapping Up

Enabling the VMware NSX-T 3.0 distributed IDS is extremely easy in the UI. VMware has made the workflows intuitive, and you can get a basic policy up and running in just a few minutes on your cluster or standalone hosts.

The new distributed IDS/IPS provides great new capabilities that will take the security in NSX-T environments to the next level and help to protect internal workloads from lateral threats in the environment.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
