Architecture pattern for integrating IBM Cloud Security and Compliance Center Workload Protection with vCenter Server
This architecture pattern describes how to use IBM Cloud® Security and Compliance Center Workload Protection with a VMware Cloud Foundation for Classic - Automated with NSX-T instance on the IBM Cloud classic infrastructure.
Security and Compliance Center Workload Protection offers functions to protect your Microsoft Windows® and Linux® virtual machines (VMs) that are hosted on your VMware® environment. These functions include compliance, vulnerability scanning, and threat detection.
Currently, only the threat detection feature is available for Windows VMs.
Although Security and Compliance Center Workload Protection offers functions for your other IBM Cloud services, these functions are not discussed in this pattern. For more information, see Getting started with IBM Cloud Security and Compliance Center Workload Protection.
Security and Compliance Center Workload Protection implements Sysdig Secure functions. Information that is provided by the Sysdig Secure documentation also applies to Workload Protection.
After you provision an instance of the Security and Compliance Center Workload Protection service, you can deploy the agent on your Windows VMs or you can deploy the agent and host scanner on your Linux VMs. The agent collects data that you can use for intrusion detection, while the host scanner is used for posture management and vulnerability scanning capabilities.
Overview of Security and Compliance Center Workload Protection for VMware workloads
Security and Compliance Center Workload Protection enables the following three practices for your VMware workloads:
- Threat detection - Threat detection is managed by defining policies, which consist of rules to detect and respond to security violations, suspicious behavior, or anomalous activities within your Windows and Linux VMs. Security and Compliance Center Workload Protection provides customizable, prebuilt policies, which are created and maintained by Sysdig’s Threat Research team. These policies can detect and prevent various security threats, such as malware, intrusions, and DDoS attacks. The results of these policies can be viewed in Events. For more information, see Events Feed.
- Vulnerabilities - Security and Compliance Center Workload Protection provides a highly accurate view of the vulnerability risks of your Linux VMs. The views include rich details on your vulnerability risks, such as CVSS vector, score, fix age, and insights from multiple expert feeds, including the NIST National Vulnerability Database (NVD) and VulnDB.
- Compliance - Posture management provides the framework that includes controls, guidelines, benchmarks, and standards for managing compliance. With Security and Compliance Center Workload Protection, you can evaluate your Linux VMs against several CIS benchmarks, such as the CIS Distribution Independent Linux Benchmark, and against compliance policies. For more information, see Analyzing compliance postures from detection to remediation.
Typical use cases include:
- Check the current compliance status against predefined policies to understand the magnitude of the compliance gap.
- Demonstrate to an auditor the compliance status at a specific point in time, by creating a report of the compliance status of the VMs.
Pattern for integrating Security and Compliance Center Workload Protection
The following diagram shows an example of integrating a vCenter Server with NSX-T instance on IBM Cloud classic infrastructure with IBM Cloud Security and Compliance Center Workload Protection.
This architecture pattern is summarized as follows:
- The agents, which are installed on your Windows or Linux VMs, collect data that is used for threat detection, posture management, and vulnerability scanning. For more information, see Sysdig Agents. The Sysdig Secure Windows Agent provides runtime detection and policy enforcement for host processes on Windows. For more information, see Windows Hosts. For Linux VMs, the agent has two parts:
  - Agent - Runtime threat detection is provided by the agent, which processes syscall events and metrics, creates capture files, and performs auditing and compliance tasks. For more information about deploying the agent, see Sysdig Agent.
  - Vulnerability Host Scanner - The host scanner is used to scan for vulnerabilities on the Linux VM. For more information about deploying the host scanner, see Vulnerability Host Scanner.
- Your DNS servers need to be able to resolve the Security and Compliance Center Workload Protection endpoint URLs. Configure your DNS servers to use IBM Cloud DNS resolvers, if needed.
- Firewall rules enable the downloading of the agents from the Internet and HTTPS connectivity to the Security and Compliance Center Workload Protection private endpoints. For more information about configuring firewall rules, see Add a Gateway Firewall Policy and Rule.
- Source Network Address Translation (SNAT) rules allow your VMs' overlay IP addresses to be translated to IBM Cloud-supplied IP addresses that can be used on the Internet. For more information about configuring SNAT rules, see Configure NAT/DNAT/No SNAT/No DNAT/Reflexive NAT.
- The IBM Cloud Security and Compliance Center Workload Protection instance. For more information, see:
Agents can be installed as a Docker container or as a package installed on the operating system. This pattern assumes the use of an operating system package. References in the Sysdig Secure and IBM Cloud Security and Compliance Center Workload Protection documentation to Host Analyzers and Kubernetes Security Posture Management can be ignored when a package is used.
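The three network prerequisites listed above (DNS resolution of the Workload Protection endpoints, a firewall rule that permits outbound HTTPS, and an SNAT rule that gives the VM a routable source address) are easy to verify from the VM before the agent package is installed. The following pre-flight script is an added example, not IBM Cloud or Sysdig code. It resolves each endpoint through the VM's configured resolvers, then attempts a TCP connection and TLS handshake, reporting which of the three prerequisites failed. The endpoint hostnames in `ENDPOINTS` are placeholders (an assumption, since this page names no endpoint URLs); replace them with the private endpoint hostnames of your own Workload Protection instance.

```python
#!/usr/bin/env python3
"""Pre-flight connectivity checks for a Linux VM before the Workload Protection
agent is installed.

Added example; not IBM Cloud or Sysdig code. It checks the prerequisites the
pattern lists: DNS resolution of the endpoint, an outbound HTTPS path
(gateway firewall rule plus SNAT), and the TLS handshake itself.
"""
import socket
import ssl
from dataclasses import dataclass

# Placeholder hostnames (assumption): replace with the private endpoint
# hostnames from your own Workload Protection instance.
ENDPOINTS = [
    "ingest.PLACEHOLDER-workload-protection-endpoint.example",
    "api.PLACEHOLDER-workload-protection-endpoint.example",
]


@dataclass
class CheckResult:
    target: str
    ok: bool
    detail: str


def resolve(hostname: str) -> list[str]:
    """Return the addresses the VM's configured resolvers give for hostname.

    An empty list means the DNS prerequisite is not met, for example because
    the VM is not using resolvers that know the IBM Cloud private endpoints.
    """
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_https(hostname: str, port: int = 443, timeout: float = 5.0) -> CheckResult:
    """Attempt a TCP connection and TLS handshake to hostname:port.

    The failure reason separates a DNS problem from a blocked path (a missing
    firewall or SNAT rule shows up as a timeout or refusal) and from a TLS
    problem (for example an intercepting proxy presenting its own certificate).
    """
    addrs = resolve(hostname)
    if not addrs:
        return CheckResult(hostname, False, "DNS resolution failed")
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addrs[0], port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return CheckResult(
                    hostname, True, f"{tls.version()} handshake to {addrs[0]}:{port}"
                )
    except ssl.SSLError as exc:
        # ssl.SSLError is an OSError subclass, so it must be caught first.
        return CheckResult(hostname, False, f"TLS handshake failed: {exc}")
    except OSError as exc:
        # Covers timeouts, connection refused and unreachable-network errors.
        return CheckResult(hostname, False, f"connection to {addrs[0]}:{port} failed: {exc}")


def run_preflight(hostnames: list[str]) -> list[CheckResult]:
    """Run check_https for every endpoint and return the results in order."""
    return [check_https(h) for h in hostnames]


def all_passed(results: list[CheckResult]) -> bool:
    """True only when every check succeeded (an empty list trivially passes)."""
    return all(r.ok for r in results)


if __name__ == "__main__":
    results = run_preflight(ENDPOINTS)
    for r in results:
        print(f"[{'OK' if r.ok else 'FAIL'}] {r.target}: {r.detail}")
    raise SystemExit(0 if all_passed(results) else 1)
```

Run the script on the VM as the same user and from the same network segment the agent will use. A "DNS resolution failed" result points at the resolver configuration, a connection timeout or refusal at the gateway firewall or SNAT rules, and a TLS failure at something between the VM and the endpoint that is terminating TLS.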
Considerations
When you design or deploy this architecture pattern, consider the following information:
- For Linux VMs, the agent's log file is /opt/draios/logs/draios.log.
- You require only a single SNAT IP address for all your VMs hosted in your virtual data center to communicate with the Security and Compliance Center Workload Protection instance.
- This pattern describes firewall policies and SNAT configured on the T0. Use of the T1 is also possible.
- This pattern does not use the distributed firewall. For more information about configuring the distributed firewall, see FQDN Filtering.