Enterprise 4 Build 4 (E4B4) - SDP, Microsegmentation, and EIG - VMware Workspace ONE Access, VMware Unified Access Gateway, and VMware NSX-T as PEs Product Guides
Note: This page is supplementary material for the NIST SP 1800-35 publication.
This section of the practice guide contains detailed instructions for installing, configuring, and integrating all the products used to implement E4B4. For additional details on E4B4’s logical and physical architectures, please refer to Architecture and Builds. Note that after this build was completed, VMware was acquired by Broadcom.
VMware Workspace ONE Access
Workspace ONE Access can serve as an IdP and integrate with a large range of enterprise identity components. For this build, Workspace ONE Access was integrated with an on-premises Active Directory to serve as an IdP.
Setup
Each cloud-based instance of Workspace ONE Access must be provisioned by VMware. After this has been completed, VMware provides access and setup instructions.
Integration with Microsoft AD
To integrate with AD, an on-premises agent was installed on a Microsoft Windows Server 2019 system and connected to Workspace ONE Access. After this, Workspace ONE Access was configured to pull user, group, and attribute information.
The step-by-step guide to adding the on-prem connector can be started in the Workspace ONE Access console by navigating to Integrations -> Connectors and clicking New.
After the on-prem agent is installed and connected to Workspace ONE Access, follow the official VMware documentation to add a new LDAP Directory and point Workspace ONE Access to your AD installation.
Once these two steps are completed, AD users, groups, and attributes are available for use within Workspace ONE.
Set Up Built-In IDP
Integration with AD was completed using the built-in IDP option. When users attempt to authenticate to resources, they will be redirected to Workspace ONE Access for user and device authentication.
In the Workspace ONE Access console, navigate to Integrations -> Identity Providers and click Add -> Built-in IDP. Choose your AD directory created in the previous section.
Fill out details in the form pertaining to your installation.
Under Users, select the directory that you created in your previous integration with RadiantOne.
Under Authentication Methods, select Mobile SSO for both Android and iOS.
Choose All Ranges as the Network option.
Click Save in the bottom right corner.
VMware Unified Access Gateway (UAG)
VMware Unified Access Gateway (UAG) helps enable secure remote access for users of virtual desktops, internal sites, applications, and file repositories.
UAG Setup
Open firewall rules depending on the services to be utilized. For this build, inbound TCP port 443 was opened to the destination IP of the UAG appliance. Port lists can be obtained here: UAG port list
Deploy the UAG appliance using the OVF Template Wizard from VMware. Follow instructions found in the deployment document here: UAG Deployment Guide. For this build, the following optional configuration variables were set:
Size: Large
Enable SSH
Allow SSH root login using password
UAG Configuration
Access the UAG console using the IP address specified in the previous section. Log in with the admin account. On the Welcome Screen, choose Configure Manually.
If desired, change the system setting defaults by following this guide: UAG System Configuration.
Enable Edge Service Settings at the top of the admin page. Click the gear next to Tunnel Settings and set the following information:
API Server URL: the API URL of your tenant. VMware can provide this information.
API Server username
API Server password
Organization Group ID (found in the UEM console)
Tunnel Server Hostname: FQDN of your UAG appliance
Configure Workspace One Integration with UAG Tunnel
From the Workspace One UEM Console, configure the UAG Tunnel Connection using the UEM Tunnel Configuration Guide as a reference. For this build, the following configuration options were set:
Deployment Type: Basic
Hostname: hostname of the UAG appliance
Port: 443
Server Authentication: Airwatch
Client Authentication: Airwatch
Networking: disabled
Logging: disabled
No Custom Settings
From the Workspace One UEM Tunnel Configuration page, set up Device Traffic Rule Sets using the Assign Traffic Rules Guide as a reference. For this build, these settings were configured:
Tunnel Mode: Per Application
Rule 1: Chrome on Android
Click on Add Rule. Under the Application dropdown, choose Google Chrome. Under the Action dropdown, select TUNNEL. For the Destination field, enter your Workspace Air Tenant URL.
Rule 2: Other Web Browsers
Click on Add Rule. Under the Application dropdown, choose Safari - MacOS, Chrome - iOS, Chrome - Android, Chrome - WinRT, and Chrome - MacOS. Under the Action dropdown, select TUNNEL. For the Destination field, list any URL resources that require traffic to be tunneled.
Rule 3: All Other Apps set to BYPASS
Save and Publish the rules once complete.
VMware NSX-T
VMware NSX provides an agile software-defined infrastructure to build cloud-native application environments. NSX focuses on providing networking, security, automation, and operational simplicity for emerging application frameworks and architectures that have heterogeneous endpoint environments and technology stacks.
Setup and Installation
NSX-T requires an existing vSphere cluster with a vCenter server already installed. The high-level steps for installation are as follows:
Deploy the NSX Manager VM.
Configure a vSphere Distributed Switch (VDS).
Create an uplink profile and configure host transport nodes.
Deploy two NSX Edge VMs to form an edge cluster.
Create and configure one tier-0 gateway for north-south traffic.
Create and configure a tier-1 gateway to route traffic from tenant VMs.
Create and configure a segment (logical switch) for tenant VMs.
Deploy a test VM to test north-south and east-west connectivity.
Step-by-step instructions can be found in the NSX-T Quick Start Guide here.
Enable and Configure Identity Firewall in NSX-T
Once NSX-T is configured, enable and configure Identity Firewall in NSX-T to provide ZTA features, including identity-specific network rules. The high-level procedure is as follows:
Enable the NSX File Introspection driver and NSX Network Introspection driver (a full VMware Tools installation adds these by default), or use event log scraping; see Identity Firewall Event Log Sources. After configuring event log servers in Active Directory, turn on the Event Log Sources or Aria Operations for Logs.
Enable Identity Firewall on DFW and GFW. Identity Firewall must be activated for IDFW firewall rules to take effect.
Configure AD (required) and event log scraping (optional): Configuring Active Directory and Event Log Scraping. Active Directory is used in creating user-based Identity Firewall rules.
Configure AD sync operations: Synchronize Active Directory. Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.
Create a group with AD group members: Add a Group. Groups include different objects that are added both statically and dynamically and can be used as the source and destination of a firewall rule.
Assign the group with AD group members to a distributed firewall rule or gateway firewall rule. If creating a DFW rule using guest introspection, make sure that the Applied To field applies to the destination group: Add a Distributed Firewall. The distributed firewall monitors all the East-West traffic on your virtual machines. The Source field should be an AD-based group.
The full Identity Firewall Workflow Guide can be found here.
Configure Segment Firewall for URL Blocking
For this build we configured a Tier-1 Segment Firewall to block a subset of users from accessing specific URLs with the following rule and profile:
Segment Firewall Rule Settings:
Source: Active Directory Group “Test NSX Users”
Destination: Any
Services: HTTP, HTTPS
Applied To: T1
Action: Allow
Profile: URL Category
“URL Category” Profile Settings:
L7 Profile
Name: URL Category
Attribute Values: “Alcohol and Tobacco” and “Auctions”
Action: Reject with Response
Logging: Yes
Enabled: Yes
Configure Distributed Firewall Rule for VM to VM Blocking
For this build we configured a Distributed Firewall rule to block VM to VM traffic within our vSphere cluster with the following rule configuration:
Sources: NSX Group “UseCaseGSubjectsGroup” (Virtual Machine Group)
Destinations: NSX Group “UseCaseGResourcesGroup” (Virtual Machine Group)
Services: Any
Applied To: DFW
Action: Reject
Enable: On
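The two NSX rules above, modelled in Python as an added example (this is not NSX code and not part of the original guide). Constructed group memberships stand in for the AD sync and the NSX VM groups; the evaluator shows that the segment firewall rule's L4 action stays Allow while the attached URL Category profile does the rejecting, and that neither rule applies to traffic whose source is outside its group.

```python
"""Model of the E4B4 NSX segment firewall and DFW rules (added example, not NSX code)."""
from dataclasses import dataclass, field

# Constructed memberships standing in for the AD sync and NSX VM groups.
AD_GROUPS = {"Test NSX Users": {"alice", "bob"}}
VM_GROUPS = {
    "UseCaseGSubjectsGroup": {"subject-vm-1"},
    "UseCaseGResourcesGroup": {"resource-vm-1"},
}

@dataclass
class Flow:
    src: str                 # AD user (segment firewall) or VM name (DFW)
    dst: str                 # destination host or VM name
    service: str             # "HTTP", "HTTPS", "SSH", ...
    url_category: str = ""   # category assigned by URL classification, if any

@dataclass
class Rule:
    name: str
    source: str              # group name
    destination: str         # group name or "Any"
    services: set            # {"Any"} or an explicit set
    action: str              # L4 action: "Allow" or "Reject"
    blocked_categories: set = field(default_factory=set)  # L7 URL Category profile

# The two rules as configured in this build.
SEGMENT_FW = Rule("URL Category", "Test NSX Users", "Any", {"HTTP", "HTTPS"},
                  "Allow", {"Alcohol and Tobacco", "Auctions"})
DFW = Rule("VM to VM", "UseCaseGSubjectsGroup", "UseCaseGResourcesGroup", {"Any"}, "Reject")

def in_group(member, group):
    """Group membership check; 'Any' matches everything."""
    if group == "Any":
        return True
    return member in AD_GROUPS.get(group, set()) | VM_GROUPS.get(group, set())

def evaluate(rule, flow):
    """Return the verdict for a flow, or None when the rule does not match it."""
    if not in_group(flow.src, rule.source) or not in_group(flow.dst, rule.destination):
        return None
    if "Any" not in rule.services and flow.service not in rule.services:
        return None
    # The L4 action is Allow; the attached L7 profile rejects the listed categories.
    if rule.action == "Allow" and flow.url_category in rule.blocked_categories:
        return "Reject with Response"
    return rule.action
```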
VMware Workspace ONE UEM
Workspace ONE UEM provides endpoint management capabilities for this build and allows certificates to be provisioned for user authentication.
Setup
The cloud-based Workspace ONE UEM instance must be provisioned by VMware. After this has been completed, follow the official Workspace ONE UEM documentation to deploy agents to each of your managed endpoints. Instructions for deploying profiles and compliance requirements to devices can also be found in the link above.
Integration with Active Directory
Workspace ONE UEM integrates with your existing directory service, such as Active Directory, Lotus Domino, and Novell e-Directory, to provide directory-based account access. This type of account access lets users authenticate with Workspace ONE UEM apps and enroll devices using their existing directory service credentials. The Workspace One UEM Directory Services Guide can be found here.
Application Deployment
Internal (private) applications or public (App Store) applications can be deployed via UEM to provide services to endpoints. Google Chrome and VMware’s UAG Tunnel Application were both deployed as public applications via UEM to Android and iOS devices. All public applications follow the same deployment steps provided in the Deploy Public Applications Guide of the Workspace One UEM User Manual.
For macOS and Windows, the VMware UAG Tunnel and Carbon Black Enterprise EDR agent were deployed as internal applications. All internal applications follow the same deployment steps provided in the Deploy Internal Applications Guide of the Workspace One UEM User Guide.
VMware Workspace ONE MTD
Workspace ONE MTD provides endpoint security and protection for iOS, Android, and Chrome OS, securing devices against app, device, OS, and network-based threats. Integrating MTD with Workspace ONE UEM empowers your organization to adopt secure mobility without compromising productivity.
Setup
The cloud-based Workspace ONE MTD instance must be provisioned by VMware. After this has been completed, log into your Workspace One MTD console to continue configuration.
Workspace One UEM Integration
Follow the Workspace ONE MTD and UEM Configuration Guide to create an Organizational Unit in MTD and integrate UEM with Workspace One MTD.
Configure Device Enrollment
Once UEM integration is complete, configure an enrollment group in UEM to automatically enroll devices from UEM into MTD by following the Monitor Enrollment and Activation Guide here.
Configure and Enforce Compliance
Device Compliance and Threat Classification is configured once enrollment is complete. Devices can be placed into Low/Medium/High Risk groups depending on rule sets. Additionally, AllowList and DenyList URL sets may be configured to allow or block specific URLs on devices. The Compliance and Threat Classification Configuration Guide can be found here.
VMware Carbon Black Enterprise EDR
VMware Carbon Black Enterprise EDR Standard is a next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyber-attacks.
Setup
The cloud-based VMware Carbon Black Enterprise EDR instance must be provisioned by VMware. After this has been completed, log into your Carbon Black Cloud console to continue configuration.
Carbon Black Cloud Sensor Installation
Carbon Black endpoints require Cloud sensors for protection. Each Windows, Linux, macOS, or VDI endpoint will need a Cloud sensor installed to provide protection. Sensor installation instructions are provided in the VMware Carbon Black Cloud Sensor Installation Guide.
Carbon Black Cloud Policies
Once endpoints are configured, policies must be set to control endpoint behavior. Overall policy configuration is addressed in the Managing Policies section of the VMware Carbon Black Cloud User Guide.
For this build, a “Deny Operation” rule was set in the “Blocking and Isolation” policy section for the process “/usr/local/bin/nmap”.
VMware Carbon Black Cloud
VMware Carbon Black Cloud provides the visibility and control that DevOps and security teams need to secure Kubernetes clusters and the applications deployed on them. It delivers instant visibility into all workloads with the ability to enforce compliance, security, and governance from a single dashboard.
Setup
The cloud-based VMware Carbon Black Cloud instance must be provisioned by VMware. After this has been completed, log into your Carbon Black Cloud console to continue configuration.
Add Existing Cluster to Carbon Black and Install Kubernetes Sensor on Cluster to Enable Carbon Black Cloud
To complete the following steps, an existing Kubernetes cluster is required, along with terminal access to the cluster. Step-by-step instructions are provided in the Kubernetes Sensor Installation Guide.
Set Kubernetes Policies
Runtime and hardening policies can be set according to best practices in the Carbon Black for Containers User’s Guide. For this build, default rules and policies were used and were not changed.
VMware vSphere, vCenter, and vSAN
Installation and configuration of vSphere, vCenter, and vSAN is outside the scope of this document. General information can be found here: https://docs.vmware.com/en/VMware-vSphere/index.html
IBM Security QRadar XDR
For installation, configuration, and integration instructions, refer to IBM Security QRadar XDR.
Tenable.io
For installation, configuration, and integration instructions, refer to Tenable.io.
Tenable.ad
For installation, configuration, and integration instructions, refer to Tenable.ad.
Tenable NNM
For installation, configuration, and integration instructions, refer to Tenable NNM.
Mandiant Security Validation (MSV)
For installation, configuration, and integration instructions, refer to Mandiant Security Validation (MSV).
DigiCert ONE
For installation, configuration, and integration instructions, refer to DigiCert ONE.