This article focuses on the Distributed Intrusion Detection & Prevention (D-IDPS) component of the NSX Security Platform. The guidance documented here provides recommended practices to allow for DIDPS to be deployed in a scalable and performant manner.
NSX-T
What is IDPS?
IDS is fundamentally Pattern Matching for signs of known attacks. NSX IDPS inspects traffic that is specifically being allowed IN or OUT via a Distributed Firewall policy.
NSX Distributed IDPS is a control point that is situated logically at every Virtual NIC (vNic) of all Virtual Machines (VMs).
Why is it important to fine tune IDPS?
A key aspect of any successful IDPS deployment is the tuning of policy design along with patterns or signatures to align with workload profiles and security requirements. This will reduce latency, the computational overhead for traffic analysis and will also assist in reducing the number of false positives (noise) in the environment.
What are some of the General recommended practices for a scalable and performant D-IDPS implementation ?
When building a D-IDPS policy, you should start by limiting the attack surface using the Distributed Firewall (DFW). When a base security posture has been established, D-IDPS can be used to further enhance the security posture.
Best Practices for IDPS Performance
Compute
Before enabling D-IDPS on a node or cluster, it is best to evaluate the clusters and host resource utilisation using metrics such as Host CPU usage and CPU RDY% time for virtual workloads and make sure there is enough resources to support a minimum 5 worker threads and 1 receiver thread required by the IDPS Engine. You can use tools such as vROPS to view the existing vCPU:pCPU oversubscription ratio.
General recommendations for ideal IDS/IPS performance:
Rules
Directionality
• If throughput is a concern, consider single directionality (IN or OUT) to limit traffic redirected to IDPS engine
For Server workloads:
– IN direction can be sufficient if a proper segmentation policy has been applied to block outbound (external) flows and if all communication is inbound to workloads protected by D=IDPS
– For allow outbound (external) communication, IDPS in OUT or IN/OUT direction can be applied in a granular rule
For VDI workloads:
– OUT direction can be sufficient if a segmentation policy has been applied which blocks inbound service access to VDI desktops
• Use directionality with care. Directionality is stateful and effectively determines when a flow entry (for redirection to IDPS) is created.
The default option (IN and OUT) guarantees that IDPS is applied to all traffic that matches the rule, but the same flow is redirected twice if both SRC/DST are a VM with IDPS enabled.
Note: When using a single direction, flows initiated in the other direction are not subject to IDPS inspection! Changing the direction to “IN” only will also result in C2 traffic from a compromised workload not being inspected!
Profiles