- Huawei Technologies Co.
- ZTE Corp.
- Hytera Communications Corp.
- Hangzhou Hikvision Digital Technology Co.
- Dahua Technology Co.
I am excited to announce the integration of Ordr Systems Control Engine (SCE) and VMware NSX-T™ Data Center and VMware NSX® Intelligence™.
Ordr Systems Control Engine (SCE): Discovers every connected device, profiles device behaviors and risks, and automates response. Ordr not only identifies devices with vulnerabilities, weak ciphers, weak certificates, and active threats, but also those that exhibit malicious or suspicious behaviors. Ordr enables networking and security teams to easily automate response by dynamically creating policies that isolate mission-critical devices, those that share protected organizationally unique sensitive data (PCI, PHI, PII) or run vulnerable operating systems.
VMware NSX-T Data Center: Includes Distributed Firewall functionality to specify dynamic security policies down to the VM level with the ability to configure east-west and north-south firewalling.
VMware NSX Intelligence: Provides a graphical user interface to visualize the security posture and network traffic flows that have occurred in your on-premises NSX-T Data Center environment.
With the integration, joint customers can now:
- Achieve cutting edge visibility
- Accelerate NSX-T Data Center microsegmentation
- Minimize the potential business impact associated with firewall changes
If your VMware NSX data center firewall microsegmentation team is looking for a method to significantly reduce the overhead of maintaining static NSX-T IPsets and group objects, it is time to consider a solution that is capable of addressing the following scenarios:
- Automated NSX-T group object creation for non-data center device types
Since NSX-T provides excellent visibility for the entire data center, the most time-consuming objects to create and maintain are those that pertain to devices outside of the data center (enterprise campus, branch sites, etc.).
Ordr continuously discovers devices as they join campus and branch networks and can automate the creation of corresponding group objects in NSX.
NOTE: Ordr creates NSX objects with a standard prefix of “ordr-”. This allows NSX admins to easily recognize which objects are autogenerated and maintained by Ordr.
- Automated IP address membership tracking for NSX group objects
Dynamically creating NSX-T groups is a great start, but this capability alone does not solve the labor-intensive aspect of maintaining IP address membership for each type of device.
Ordr tracks the IP addresses of each type of device in the campus and branch. If a credit card reader device IP changes, Ordr will automatically update the NSX group with the new IP address.
- Support for advanced visualizations in the latest version of NSX Intelligence
Ordr programmatically creates NSX group objects and their members in a format which is compatible with the latest version of NSX Intelligence (announced at VMworld 2020).
This means that NSX Intelligence is able to render all communications from Ordr-defined and maintained NSX device groups.
This capability is key for teams who are looking to accelerate their data center security initiatives by gaining a comprehensive understanding regarding all types of campus and branch devices which are communicating to virtual machines in the data center.
How it works:
- Ordr SCE sensors use advanced deep packet inspection (DPI) techniques to process campus and branch traffic from a SPAN/port mirror, TAP, or packet broker feed.
- Ordr SCE sensors forward metadata to the SCE Analytics system, which identifies all the device types (including unmanaged IoT devices) that are communicating on the campus network.
- Ordr SCE Analytics programmatically creates NSX groups and their member IP addresses.
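The group creation and IP membership tracking described above can be pictured as a reconciliation between discovered devices and NSX state. The following is an added example, not Ordr's code: it assumes groups are written through the NSX-T Policy API as static IP address lists, and the `group_id` naming scheme, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

PREFIX = "ordr-"  # prefix the page says marks Ordr-maintained objects
# NSX-T Policy API path for a group in the default domain
GROUP_PATH = "/policy/api/v1/infra/domains/default/groups/{gid}"

def group_id(device_type):
    """Turn a device-type label into a prefixed group id (naming scheme assumed)."""
    return PREFIX + re.sub(r"[^A-Za-z0-9]+", "-", device_type).strip("-")

def normalize(ips):
    """Validate, de-duplicate and sort addresses; bad input raises ValueError."""
    addrs = {ipaddress.ip_address(ip) for ip in ips}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]

def group_body(gid, ips):
    """Group definition whose members are a static IP address list."""
    return {"resource_type": "Group", "display_name": gid,
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": ips}]}

def plan(inventory, nsx_groups):
    """Compare discovered devices ({type: [ip]}) with NSX state ({group id: [ip]}).

    Returns PATCH calls for new or drifted groups, plus prefixed groups with no
    live devices, reported for review because rules may still reference them.
    """
    desired = {group_id(t): normalize(ips) for t, ips in inventory.items() if ips}
    patch = [("PATCH", GROUP_PATH.format(gid=g), group_body(g, ips))
             for g, ips in sorted(desired.items())
             if normalize(nsx_groups.get(g, [])) != ips]
    # Groups without the prefix are admin-owned and never considered.
    stale = sorted(g for g in nsx_groups
                   if g.startswith(PREFIX) and g not in desired)
    return {"patch": patch, "stale": stale}

# Constructed sample data (addresses and the card-reader group are made up).
SAMPLE_INVENTORY = {"BD Alaris Infusion Pump": ["10.20.1.15", "10.20.1.14"],
                    "Shenzhen Network Camera": ["10.30.4.7"]}
SAMPLE_NSX = {"ordr-BD-Alaris-Infusion-Pump": ["10.20.1.14", "10.20.1.99"],
              "ordr-Shenzhen-Network-Camera": ["10.30.4.7"],
              "ordr-Credit-Card-Reader": ["10.40.0.5"],
              "pci-servers": ["10.1.1.1"]}

if __name__ == "__main__":
    for key, value in plan(SAMPLE_INVENTORY, SAMPLE_NSX).items():
        print(key, value)
```

A stale address left in a group keeps its firewall rules applying to whatever device next receives that IP, which is why drift produces a PATCH with the full corrected member list.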
NSX Intelligence with Ordr device data in action:
In this example screenshot from NSX Intelligence, we can quickly see that the Alaris Manager VM is receiving unprotected communication from two different device types in the campus network.
NSX group 1: ordr-BD-Alaris-Infusion-Pump
NSX group 2: ordr-Shenzhen-Network-Camera
This type of information can be leveraged to reduce the amount of manual labor associated with understanding source/destination communication for thousands of different campus and branch device types communicating to virtual machines in the data center.
In summary, the Ordr integration with NSX-T Data Center and NSX Intelligence allows teams to achieve greater operational efficiency by automating labor intensive tasks and unlocking rich device type context visibility for all campus and branch devices communicating with virtual machines.
For more on how one of our customers is leveraging this integration today, visit our on-demand VMworld breakout session NSX Intelligence: Visibility and Security for the Modern Data Center – Pt2 [ISNS2496] with Ray Budavari, Sr. Staff Technical Product Manager at VMware, Brandon Rivera, Enterprise Infrastructure Architect at CHRISTUS Health, and myself as we take a deep dive into the integration, and provide a demo of the Ordr and NSX Intelligence capabilities.
While my career started on the technical side, first with helpdesk support and then as a technical support engineer, I have enjoyed the journey into Sales. Through this journey, I find that the best part of my day is when I get to work with customers and partners on solving technical problems. While working with organizations in the Midwest region, this is a top issue I frequently hear about: “I am concerned about smart speakers with the ability to listen and share data. I want to track them down so I can understand what is out there and where they’re located, so I can understand the risk, remove them, and educate our users about the risks.”
While devices like Amazon Alexa and Google Home are top of mind, devices like smart lights, connected thermostats, and more are equally of concern. Any device that you can audibly address and say, “Hey Siri”, “Hey Google”, “Hey Alexa!”, or “Hey, thing” to, has the ability to be a threat to organizations.
These concerns are nothing new in the security community and while this Washington Post article gives a good background on the scope and concerns around this topic, there are still billions of IoT devices and a noticeable fraction of those smart speakers. The reality is these devices can be used against organizations, if someone is enterprising enough to take advantage of them.
In large hospitals, I’ve seen smart speakers located in board rooms, executive offices, a front information/security desk, a desk in a 911 dispatch center, an analyst’s desk in a SOC, and more. These devices bring risk to an organization through external threats and especially insider threats. One individual could walk into a board room and say, “Hey Alexa, record the next two hours,” or remotely access the device for listening, before a board meeting, sharing organizationally unique sensitive data.
While there are many articles that highlight how device users can review and delete recordings, they still pose a tremendous threat to organizations, especially when they don’t know if/where they exist.
- PC Mag – review and delete recordings
- ZD Net – research from Check Point on exploiting these devices
In my tenure at Ordr, I have worked with various organizations to locate these devices and secure their network. Here are some foundational steps I walk through:
Step 1: Find the devices/continuously monitor for these device types
This is an easy one for Ordr.
- Ordr has profiles for all of these types of systems.
- Ordr is always on as well, so this is continuous. Not just a point in time or scheduled check for systems like this. No scanning required either – so no drops in coverage.
- How does Ordr see these systems? Just send a copy of your wireless traffic to an Ordr SCE Sensor. Ordr can see your Corporate and Guest Wireless (as that is where most of these live).
- Ordr discovers and classifies these systems automatically. Here is a screenshot of a few examples of these types of devices profiled by top manufacturers:
You get the point.
Step 2: Contextual Detail
You will need to know where the device is, when it first appeared, where it is communicating, etc. You have more questions at this point, and Ordr has the answer.
Here is an example of the information Ordr will give you:
You need and get network detail on IP, MAC address, which wireless network it is connected on, access point it is connected to, location information, the VLAN it is on, as well as when the device was first detected and last seen on the network by Ordr. These devices come and go, so the Network Stats will capture historical anchoring into the environment to track the device while it has been in your environment.
Step 3: Removal of the Device
If you can’t get to the device physically, you can remove it from the wireless network. With Ordr integrated into your switches, NAC solution, or firewall solution, you can either remove the device connectivity completely, or push a policy to restrict its access... until you can address the educational moment with your colleague.
Below is an example of the communications this Amazon Alexa device had in the environment, and where you would push Ordr policy from our Flow Genome to your existing security systems.
I hope you found this to be helpful.
“Hey Siri, leave comment below.”