vShield App and vShield Edge

Post on 23-Mar-2016
DESCRIPTION

vShield App and vShield Edge. Planning, Installation and Designing based on 5.0.1. From Preetam Zare http://vcp5.wordpress.com http://vShieldSuite.wordpress.com. Agenda –vShield App. Introduction to vShield Suite vShield Manager Installation, Configuration and Administration - PowerPoint PPT Presentation

TRANSCRIPT

vShield App and vShield Edge
Planning, Installation and Designing based on 5.0.1
From Preetam Zare
http://vcp5.wordpress.com
http://vShieldSuite.wordpress.com

2010 VMware Inc. All rights reserved. Confidential. Preetam Zare

Agenda - vShield App
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability consideration

Agenda - vShield Edge
- Planning and Installation of vShield Edge
- vShield Edge Services: DHCP, NAT, Firewall, VPN, Load Balancing, Static Routing
- Scenarios
- Deployment and Availability Considerations

Data Center Needs to be Secured at Different Levels
- Perimeter Security (at the vDC edge): prevent unwanted access with firewalls, VPN and load balancers
- Internal Security: segment your services with VLAN- or subnet-based policies and interior or web application firewalls
- End Point Security: protect your data with anti-virus and data leak protection
Cost & complexity: sprawl (hardware, FW rules, VLANs), rigid FW rules, performance bottlenecks

The general, well-accepted approach to securing IT is to employ a layered approach, often referred to as defense-in-depth. Physical datacenters have traditionally been protected using a combination of hardware appliances external to the systems, along with agents that run inside a system's OS.

Why Security in the Virtualized Datacenter?
- Network security devices become chokepoints
- Capacity is never right-sized
- No intra-host virtual machine visibility
- Audit trails are lacking
- Physical topologies are too rigid
- Current security is static

Traditional vSphere Infrastructure Setup Without vShield
(Diagram: for each of Company A, Company B and Company C, traffic from the Internet passes through a dedicated physical chain of VPN gateway, switch, load balancer, firewall and L2-L3 switch before reaching that company's vSphere 5.0 environment.)

vSphere Infrastructure Setup Without vShield
(Diagram: the same per-company chain of physical VPN gateway, switch, load balancer, firewall and L2-L3 switch, all in front of a shared vSphere 5.0 environment.)

vShield Product Family
Securing the Private Cloud End to End: from the Edge to the Endpoint
(Diagram: VMware vSphere hosting a DMZ, Application 1 and Application 2.)
- Edge: vShield Edge secures the edge of the virtual datacenter
- Security Zone: vShield App creates segmentation between workloads and discovers sensitive data
- Endpoint (= VM): vShield Endpoint handles anti-virus processing
- vShield Manager: centralized management

For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, discover sensitive data residing in virtual machines, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs.

These new product offerings can start securing infrastructure almost immediately, since all the underlying compute resources are already present in the vSphere environment. The same solutions in the traditional security model would have taken months to authorize and provision in the physical data center.

What Is vShield Edge?
vShield Edge secures the perimeter (edge) around a virtual datacenter. Common vShield Edge deployments include:
- Protecting the extranet
- Protecting multi-tenant cloud environments

(Diagram: VMware vSphere with Tenant A, Tenant C and Tenant X, each fronted by its own vShield Edge secure virtual appliance providing VPN, load balancer and firewall.)

vShield Edge provides network-edge security and gateway services to isolate the virtual machines in a port group.

Common deployments of vShield Edge include protecting access to a company's extranet. vShield Edge can also be used in a multi-tenant cloud environment, where the vShield Edge provides perimeter security for each tenant's virtual datacenter (VDC).

vShield Edge Capabilities
Edge functionality:
- Stateful inspection firewall
- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
- Site to site VPN (IPSec)
- Web Load Balancer
- (NEW) Static Routing
- (NEW) Certificate mode support for IPSEC VPN
Management features:
- REST APIs for scripting
- Logging of functions

vShield Edge secures the edge of a virtual datacenter with firewalling, VPN, NAT, DHCP, and web load-balancing capabilities that enable rapid, secure scaling of cloud infrastructures. Along with network isolation, these edge services create logical security perimeters around virtual datacenters and enable secure multi-tenancy.

New features in vShield Edge include the ability to set up static routing, instead of requiring NAT for connections to the outside, as well as certificate-based VPN.

Securing the Data Center Interior with vShield App
Key benefits:
- Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster
- Intuitive business-language policy leveraging the vCenter inventory

vShield App helps you overcome the challenges of securing the interior of your virtual datacenter.

vShield App is software-based: it is deployed as a virtual appliance. As a result, vShield App is better than physically securing the virtual datacenter, because it is a lot less expensive than buying a number of physical firewalls and segmenting them into different security zones. Also, with vShield App, you can create virtual firewalls with unlimited port density.

vShield App provides complete visibility and control of inter-virtual machine traffic in logical security zones that you create. vShield App provides hypervisor-level introspection into the inter-VM traffic. vShield App enables multiple trust zones in the same ESX/ESXi cluster. vShield App also allows you to create intuitive, business-language policies, using the vCenter Server inventory for convenience.

vShield Endpoint: Offload Anti-virus Processing for Endpoints
Benefits:
- Improve performance by offloading anti-virus functions in tandem with AV partners
- Improve VM performance by eliminating anti-virus storms
- Reduce risk by eliminating agents susceptible to attacks
- Satisfy audit requirements with detailed logging of AV tasks

vShield Endpoint has not changed in vShield 5.0, but we expect more partners to provide solutions. (NOTE: check with the product team for the latest info.)

Cloud Infrastructure Security - Defense in Depth
First level of defense - vShield Edge:
- Threat mitigation; blocks unauthorized external traffic
- Suite of edge services to secure the edge of the vDC
Zoning within the org - vShield App:
- Policy applied to VM zones
- Dynamic, scale-out operation
- VM context based controls
Compliance check - vShield App with Data Security:
- Discover PCI, PHI, PII sensitive data for the virtual environment
- Compliance posture check
(Diagram labels: two example tenant zones, Coke and Pepsi.)
AV agent offload - vShield Endpoint:
- Attain higher efficiency
- Supports multiple AV solutions
- Always-on AV scanning

Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- Use Cases of vShield App
- Design consideration of vShield App

vShield Manager Introduction
- The vShield Manager console acts as a central point to install, configure and maintain vShield components, e.g. vShield Edge, vShield App and vShield Endpoint.
- vShield Manager is pre-packaged as an OVA appliance.
- The vShield Manager OVA file includes the software to install vShield Edge, vShield App and vShield Endpoint.
- vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
- vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory.
vShield Manager is a prerequisite for the other components.

vShield Manager Central Management Console
(Diagram: three vSphere hosts and vCenter on the management network; vShield Manager, reached from a client, automatically deploys the vShield App appliance to each host.)
- Central point of management. For the RBAC model, it stores flow data and manages the rule base.
- You can connect to vShield Manager directly via the web interface or via the vCenter plug-in.

vShield Manager Communication Paths
(Diagram: vShield Manager and vCenter on the management network, with these port labels.)
- Access to ESXi host: TCP 902/903
- TCP 22 and UDP 123 (SSH and NTP)
- vShield App appliance: TCP 443
- vSphere Client: TCP 443
- SSH access to the CLI: TCP 22 (vShield Manager and vShield App appliance)
- vShield web console and REST API: TCP 80/443
- The diagram marks one of these services as Default Enabled and the other as Default disabled.

vShield Manager Requirements
Virtual hardware:
- Memory: 3 GB
- CPU: 1
- Disk: 8 GB
Software: vShield OVA file
Web browser: IE 6.x and later, Mozilla Firefox 1.x and later, Safari 1.x and 2.x
For the latest interoperability information check here: http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php

Latest interoperability

Permissions
- Permission to add and power on virtual machines
- Access to the datastores where vShield Suite will be deployed
- A working DNS reverse lookup entry for every ESXi host

vShield Manager Installation: multi-step installation process
1. Obtain the vShield Manager OVA file
2. Install the vShield Manager virtual appliance
3. Configure the network settings of the vShield Manager
4. Log on to the vShield Manager interface
5. Synchronize the vShield Manager with the vCenter Server
6. Register the vShield Manager plug-in with the vSphere Client
7. Change the default admin password of the vShield Manager

Steps to Install vShield Manager
Open the vSphere Client, click the File menu and select Deploy OVF Template, as shown below.

Browse to locate the OVA file
A new window will open; we need to provide the OVF file, in our case an OVA file. Select Browse and locate the OVA file you've downloaded from VMware's site. After selecting the OVA file, press Next. The OVA file's metadata will be read and you will see the screen below.

Enter a name for the vShield Manager virtual machine and select a location, as shown below.

Select Datastore
It is strongly recommended to select a shared datastore so that vMotion, DRS and HA functionality can be used during planned and unplanned downtime.

Select disk format

Review the settings and close the OVF template wizard

Virtual Machine Properties

Warning: don't upgrade VMware Tools on vShield Manager appliances. Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Configure the Network Settings of the vShield Manager
Initial network configuration, i.e. IP, default gateway and DNS, must be done via the CLI. Right-click the vShield Manager appliance and select Open Console.

Enter IP, Default Gateway and DNS Details
Callouts on the console screenshots:
- To enter Enabled mode, type enable
- Enter the IP details
- Finally, press y to confirm the settings
- To start the wizard, type setup

Getting Familiar With the vShield Manager Interface
Open a web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session. Log in to the vShield Manager user interface using the username admin and the password default.

Synchronizing the vShield Manager with the vCenter
Enter the vCenter details and press Save. Don't select the option marked in the screenshot. Follow the Domain\Username format if the user is a domain user. Register the vCenter extension to access vShield Manager from within vCenter.

After vShield Manager and vCenter Are Connected
After the sync is completed, the vCenter data is populated as seen in the screen below. On the right-hand side of the screen we see confirmation that the vSphere inventory was successfully updated. vShield Manager itself doesn't appear as a resource in the inventory panel of the vShield Manager user interface.

Configure Date/Time for vShield Manager

Generate Tech Support Bundle

System Resource Utilization of vShield Manager

Backup vShield Manager Configuration
You can back up the configuration and transfer it to a remote backup server over FTP. For a one-time backup, Scheduled Backups must be Off. (Screenshot callouts: Schedule Backup; Backup Directory on FTP Server.)

Backup vShield Manager Configuration: backup files
(Screenshot callouts: Backup Directory on FTP Server; vShield Manager backup files on the FTP server.)

vShield Manager via Web Browser vs. vSphere Client Plug-in
You can manage vShield appliances from the vShield Manager user interface, and also from the vSphere Client. It is your choice, whatever works best for you. The functions that you cannot access from the vSphere Client are:
- Configuring the vShield Manager's settings
- Backing up the vShield Manager's database
- Configuring the vShield Manager's users
- The vShield Manager's system events and audit logs
- Configuring vShield App's Spoof Guard, Fail Safe Mode and VM exclusion list

DEMO/LAB: vShield Manager

Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability consideration of vShield App

vShield App Architecture
Hypervisor-level firewall:
- Inbound/outbound connection control enforced at the virtual NIC level
- Dynamic protection as virtual machines migrate
- Protection against ARP spoofing
(Diagram: vCenter Server and vSphere Client; two ESXi hosts, each running a vShield App, managed by vShield Manager.)

vShield App is a hypervisor-level firewall. You can control inbound and outbound communication between virtual NICs, whether they are on the same virtual machine or on different virtual machines. Note that a virtual machine can be multi-homed, which means it can have multiple vNICs. Therefore, each vNIC can have its own security policy to prevent certain types of traffic from passing.

vShield App is independent of network topology. Firewall capabilities are built in to vShield App, and security policies follow the virtual machine if it migrates to a different host in the cluster.

Before vShield App is Deployed
(Diagram: VMs attached directly to the vSwitch/vDS switch on the vSphere host.)

After vShield App is Deployed
(Diagram: the vShield hypervisor module sits between the VMs and the vSwitch/vDS switch on the vSphere host; all VM traffic is passed via the LKM and inspected by the vShield firewall.)

Deploying vShield App
(Diagram: vCenter 5.0 and vShield Manager, reached via a browser-based or vSphere Client-based session, deploy a vShield App to each ESXi 5.0 host.)

The next task is to install vShield App on each ESXi host that you want to protect in your vSphere environment. vShield App uses vShield Manager 5.0. The steps that we will take to install a vShield App instance on an ESXi host are: add a management port group for the vShield instances to use, install vShield App on each host, and verify that the functions specific to vShield App, such as flow monitoring and security groups, are enabled.

Install vShield Component Licenses

vShield App Installation Requirements
You must meet the following requirements:
- Deploy one vShield Manager system per vCenter Server
- Deploy one vShield App instance per ESXi host
- You must be using vCenter Server version 5.0
- You must have the vShield Manager OVA file
Hardware:
- Memory: 1 GB (automatically reserved)
- CPU: 2 vCPU
- Disk space: 5 GB

vShield App Installation Requirements, continued
vCenter privileges:
- Access to the vSphere Client
- Ability to add and power on virtual machines
- Ability to access the datastore holding the virtual machine's files, and to copy files to this datastore
Make sure that cookies are enabled in order to access the vShield Manager.
Web browser versions:
- Internet Explorer 6.x and later
- Mozilla Firefox 1.x and later
- Safari 1.x or 2.x

Steps to Install vShield App

Select Installation Parameters for vShield App
Warning displayed: this port group must be able to reach the port group that the vShield Manager is connected to.

vShield Installation In Progress

vShield App Hardware Configuration
The vShield App name is always appended with the name of the ESXi host.

Verifying vShield App Installation
After installing the vShield App service on the ESXi host, go to the vShield Manager user interface to verify that the service has been installed. In the vShield Manager inventory panel, select the datacenter, then select the App Firewall tab. The App Firewall tab indicates whether or not the vShield App service is enabled on a host.

Verifying vShield App Installation: memory reservation

Verifying vShield App Installation: virtual machine protection
Protected VMs show a protected icon. This is only visible via the web interface.

Verifying vShield App Installation: vShield App FW status

Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability consideration of vShield App

vShield App Packet Flow
(Diagram: two hosts; the numbered steps below follow a Telnet packet from a VM on Host 1 to a VM on Host 2.)
1. The VM sends the packet out as part of the Telnet protocol. It is intercepted by the virtual network adapter-level firewall and forwarded to the vShield App on that host.
2. The vShield App appliance inspects the packet. If the security profile allows the packet to flow through, the packet is sent back to the virtual network adapter-level firewall.
3. The virtual network adapter-level firewall sends the packet to vSwitch port group PG-X.
4. The vSwitch looks up the MAC address and accordingly sends the traffic out on the uplink port of Host 1.
5. The external infrastructure, which involves physical switches, carries this packet on VLAN 1000.
6. The external switch sends the packet to the Host 2 network adapter based on its MAC address table.
7. The vSwitch on Host 2 receives the packet, looks up the MAC address and accordingly sends the traffic out towards the virtual machine on Host 2.
8. The virtual network adapter-level firewall on Host 2 intercepts the packet and forwards it to the vShield App appliance on that host.
9. The virtual network adapter-level firewall sends the packet to the VM.

Flow Monitoring Introduction
Inter-virtual machine communications: all traffic on a protected virtual machine is directed to the virtual network adapter-level firewall, which equips the vShield App firewall to read the packets moving in and out of virtual machines. Data is displayed in graphical and tabular format. The tabular format is further divided into allowed and blocked traffic, as shown in the next slide.

Flow Monitoring: Tabular Format
The data displayed below can be used to learn the type of traffic flowing in and out of a VM. We can then use this data to create an allow or block rule.

Flow Monitoring: View and Interpret Charts and Reports

Flow Monitoring: Traffic categorization based on Protocol/Application
You can select a specific traffic type, such as FTP, HTTP or LDAP. To view a certain traffic type in the charts, display the application drop-down list and select the desired protocol/application.

Flow Monitoring: Key advantages
- Analysis of inter-VM traffic can be done easily
- You can dynamically create rules right from the flow monitoring console
- This can be of great help when debugging network-related problems, as you can enable logging for every individual virtual machine on an as-needed basis

DEMO/LAB: Installing vShield App & Flow monitoring

Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability consideration of vShield App

Introduction: vShield App Firewall
- vNIC-level firewall
- vShield App installs as a hypervisor module and firewall service virtual appliance
- Places a firewall filter on every virtual NIC
- IP-based stateful firewall
- No network changes or IP changes
- vShield App can create and enforce logical (i.e. not just VLAN or physical subnet) application boundaries all the way down to layer 2

vShield App provides a centralized and hierarchical App Firewall service for ESXi hosts. It is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESXi host, including between virtual machines in the same port group. vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App provides firewalling capability between virtual machines by placing a firewall filter on every virtual NIC. It implements an IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, FTP, and RPC. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones.

vShield App Firewall Rules: L2 and L3 rules
Firewall protection through access policy enforcement. The App Firewall tab represents the vShield App firewall access control list.
- L2 rules monitor ICMP, IPv6, PPP and ARP traffic.
- L3 rules monitor DHCP, FTP, SNMP and HTTP. L3 rules also monitor application-specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP).
- You can configure Layer 3 and Layer 2 rules at the datacenter level only. By default, all L3 and L2 traffic is allowed to pass.

vShield App provides firewall protection through access policy enforcement. Policies can be created automatically from the Flow Monitoring report, or manually from the App Firewall tab. The App Firewall tab represents the vShield App firewall access control list. The App Firewall tab offers two sets of configurable rules: Layer 3 (L3) rules and Layer 2 (L2) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model. L3 rules govern TCP and UDP transport of Layer 7, or application-specific, traffic. The protocols that L3 rules monitor are DHCP, DNS, FTP, HTTP, and SNMP. L3 rules also monitor application-specific traffic including Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP. These rules improve security by opening ports only as needed. L2 rules monitor traffic from protocols such as ICMP and ARP. The Layer 2 firewall protects against multiple types of attacks, e.g. password sniffing, DHCP snooping, ARP spoofing/poisoning attacks, and so on. You can configure Layer 3 and Layer 2 rules at the datacenter level only. By default, all L3 and L2 traffic is allowed to pass.

Hierarchy of vShield App Firewall Rules
- Rules are enforced top to bottom: the first rule in the table that matches the traffic parameters is enforced.
- System-defined rules can't be deleted or added; you can only change their action element, i.e. Allow (default) or Deny.

A vShield App checks each traffic session against the top rule in the App Firewall table before moving down to the subsequent rules in the table.

Order of precedence (diagram):
1. In Layer 2, High Precedence rules are applied first
2. In Layer 2, Low Precedence rules are applied second
3. In Layer 2, System Defined rules are applied last
4. In Layer 3, High Precedence rules are applied first
5. In Layer 3, Low Precedence rules are applied second
6. In Layer 3, System Defined rules are applied last
All Layer 2 rules are applied before all Layer 3 rules.

Container-Level and Custom Priority Precedence

How to Define a Firewall Policy Rule
Firewall policies contain 5 pieces of information.

vSphere Groupings
vSphere groupings can also be based on network objects, specifically port groups and VLANs.

Firewall Rules Example 1: Using vSphere Groupings
When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

Firewall Rules Example 2: Using vSphere Groupings

How To Create A Firewall Rule, Step 1

How To Create A Firewall Rule, Step 2
Enter the source, then enter the destination and the other details.

How To Create A Firewall Rule, Step 2, continued
Example: a server inside the "WinXP01-Server18" group cannot access a system outside the "Fort" datacenter on the RARP protocol, and this traffic is logged.

How To Create A Firewall Rule, Step 3: Publishing the Rule

Create a Rule Using a MAC Set and an IP Set
You can also define rules based on MAC and IP sets. Where do we use this type of rule? When you want to configure a rule based on virtual machine identity, i.e. MAC set, IP set and port group. In this case, even if the virtual machine becomes part of any resource pool, the rule will always apply. The same is not true when you define rules based on resource pool, vApp or cluster: the moment the VM is moved from one resource pool to another, the rule no longer applies.

You can also define rules based on MAC and IP sets. Both follow the same procedure to create a rule; all we have to select is the IP range or MAC range. But first, let's understand where we use this type of rule. A virtual machine is identified by port group, MAC address and IP address. If you want to configure a rule based on virtual machine identity, then MAC set, IP set and port group set are the right types of rules to configure. In this case, even if the virtual machine becomes part of any resource pool or cluster, the rule will always apply. The same is not true when you define rules based on resource pool, vApp or cluster: the moment the VM is moved from one resource pool to another, the rule no longer applies.

Creating a MAC Set
The Scope field is automatically selected.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the MAC addresses as shown in the screen below
4. Press OK

Creating an IP Set
The Scope field is automatically selected.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the IP addresses as shown in the screen below
4. Press OK

After the MAC Set is Created
The screen below shows the completed group configuration. Use the Edit and Delete buttons to change the IP/MAC set.

vSphere Grouping - Example
(Diagram: the IP set WinXP01-RuleSet contains 192.168.1.105 and 192.168.1.125; the other side of the rule is the Medical Records resource pool.)

Creating a Rule Based on an IP/MAC Set
Select the datacenter; on the right-hand side select Layer 3 rule (IP set) or Layer 2 rule (MAC set). Select Add Rule and enter the details as shown on the next slide.

Anything inside Medical Records cannot access the IPs defined inside the rule "WinXP01-Server18-IP", i.e. 192.168.1.105 and 192.168.1.125. If you select "outside" instead, then Medical Records can access only the IPs defined inside the rule "WinXP01-Server18-IP".

Creating a Security Group, Step 1

Creating a Security Group, Step 2
NIC-level grouping is possible.

Creating a Rule Based on a Security Group
Press OK, then publish the rule.

Rule Based on vSphere Security Group / Port Group
The logical rule translates into the physical world as explained below: even if the VMs are in the same datacenter, cluster, ESXi host, resource pool or vApp, they cannot communicate.

Advantages of Security Groups
vShield App allows you to create custom containers known as security groups. You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then you can use the security group in the source or destination field of an App Firewall rule. The key benefit of security groups is the ease of creating different trust zones. Whether through the use of vSphere objects or through manually configured security groups, the key benefit is ease and quality of protection through logical zoning, as opposed to carving up a network to provide network isolation.

Best Practices: Firewall Rules
- Create firewall rules that meet your business and security needs
- Identify source and destination; take full advantage of vSphere groupings
- Use a vSphere security group only when you cannot build the rule from a vSphere grouping
- By default the vShield firewall allows incoming and outgoing traffic; as a best practice you may want to deny all traffic

In general, create firewall rules that meet your business needs. In addition, you might consider the following guidelines. Where possible, when identifying the source and destination, take advantage of vSphere groupings in your vCenter Server inventory, such as the datacenter, cluster or vApp. By writing rules in terms of these groupings, the number of firewall rules is reduced, which makes the rules easier to track and less prone to configuration error. If a vSphere grouping does not suit your needs because you need to create a more specialized group, then take advantage of security groups. Like vSphere groupings, security groups reduce the number of rules that you need to create, making the rules easier to track and maintain. Finally, set the action on the default firewall rules based on your business policy. For example, as a security best practice, you might deny all traffic by default. If all traffic is denied, then vShield App drops all incoming and outgoing traffic.
Allowing all traffic by default makes your datacenter very accessible, but also insecure.

Building Firewall Rules
Option A: more restrictive
1. vShield installs with a default allow rule
2. Build rules based on the application/vendor's port guide
3. Monitor, document and validate traffic flows via vShield Flows
4. Adjust rules as necessary
5. Change the default rule to deny
Option B: less restrictive
1. vShield installs with a default allow rule
2. Build rules between communicating VMs; this allows all traffic between the selected VMs
3. Monitor, document and validate traffic flows via vShield Flows
4. Adjust rules as necessary
5. Change the default rule to deny

Logging and Auditing
- vShield App has its own logging mechanism. Logging can be of great help in troubleshooting the App appliance.
- Auditing of traffic that was either allowed or blocked can be configured per rule set. You have to enable logging for every rule you configure.
- Logs are captured and retained for one year. Logs older than one year are overwritten.
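As an added example (not code from the deck or from VMware), the following Python models how the App Firewall table described in the precedence slides is walked, and then walks the Option B workflow above: start from the default allow rules, derive allow rules from constructed flow-monitoring records, and flip the system-defined default to deny. The Rule fields, the flow tuple layout and the VM names are assumptions made for the model; vShield's real rule objects and REST representation are not on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Evaluation order taken from the deck's precedence diagram: all Layer 2 rules
# first (high, low, system-defined), then all Layer 3 rules in the same order.
PRECEDENCE = [("L2", "high"), ("L2", "low"), ("L2", "system"),
              ("L3", "high"), ("L3", "low"), ("L3", "system")]

@dataclass
class Rule:
    layer: str            # "L2" or "L3"
    precedence: str       # "high", "low" or "system"
    source: Set[str]      # VM names (a container modelled as a set); {"any"} matches all
    destination: Set[str]
    protocol: str         # e.g. "ARP", "TCP/3306"; "any" matches all
    action: str           # "allow" or "deny"
    log: bool = False     # per-rule logging is off unless the admin enables it

# Hypothetical flow record: (layer, source VM, destination VM, protocol)
Flow = Tuple[str, str, str, str]

def _member(container: Set[str], name: str) -> bool:
    return "any" in container or name in container

def matches(rule: Rule, flow: Flow) -> bool:
    layer, src, dst, proto = flow
    return (rule.layer == layer
            and _member(rule.source, src)
            and _member(rule.destination, dst)
            and (rule.protocol == "any" or rule.protocol == proto))

def ordered(rules: List[Rule]) -> List[Rule]:
    """Stable sort: tiers follow PRECEDENCE, table order is kept inside a tier."""
    return sorted(rules, key=lambda r: PRECEDENCE.index((r.layer, r.precedence)))

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, exactly as the App Firewall table is walked top to bottom."""
    for rule in ordered(rules):
        if matches(rule, flow):
            return rule.action, rule
    return "allow", None   # unreachable once the any/any system rules are present

def default_rules() -> List[Rule]:
    """The system-defined any/any rules vShield installs with: allow by default."""
    return [Rule(layer, "system", {"any"}, {"any"}, "any", "allow") for layer in ("L2", "L3")]

def set_default_action(rules: List[Rule], action: str) -> None:
    """System-defined rules cannot be added or deleted, only their action changed."""
    for rule in rules:
        if rule.precedence == "system":
            rule.action = action

def rules_from_flows(flows: List[Flow]) -> List[Rule]:
    """Option B: one allow rule per observed (layer, src, dst) pair, any protocol."""
    seen: Dict[Tuple[str, str, str], Rule] = {}
    for layer, src, dst, _proto in flows:
        key = (layer, src, dst)
        if key not in seen:
            seen[key] = Rule(layer, "low", {src}, {dst}, "any", "allow")
    return list(seen.values())

# Constructed flow-monitoring records (not real vShield output).
OBSERVED: List[Flow] = [
    ("L3", "web01", "db01", "TCP/3306"),
    ("L3", "app01", "db01", "TCP/3306"),
    ("L2", "web01", "db01", "ARP"),
]

def option_b_rulebase() -> List[Rule]:
    """Default allow table, plus rules derived from observed flows, then default deny."""
    rules = default_rules() + rules_from_flows(OBSERVED)
    set_default_action(rules, "deny")
    return rules

if __name__ == "__main__":
    rulebase = option_b_rulebase()
    for sample in OBSERVED + [("L3", "guest01", "db01", "TCP/22")]:
        print(sample, "->", evaluate(rulebase, sample)[0])
```

The stable sort is the whole point: a high-precedence deny appended at the bottom of the table still wins over a low-precedence allow higher up, and reversing a flow's direction does not make it match, so an observed web01 to db01 ARP flow does not implicitly allow db01 to web01.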

Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore, it is a good idea to be selective of the rules that you want to log.

vShield Manager Event Logging and Audit Logs

vShield App has its own logging mechanism, which can be a great help in troubleshooting the App appliance. System events are logged, for example when an appliance is down, rebooted or unreachable; if the App appliance is unreachable, it is unreachable to vShield Manager. Events are further categorized as informational or critical.

All actions performed by all vShield users are captured as events and are available for audit. Auditing of traffic that was either allowed or blocked can be configured per rule set; you have to enable logging for every rule you configure. These logs are captured and retained for one year; logs older than one year are overwritten.

All vShield App configuration parameters are available only when you select the host on the left-hand side.

Configuring Syslog Server for vShield App (cont'd)

Three log levels are available:
- Alert
- Emergency
- Critical

If you select Emergency, only emergency-level events are sent to the syslog server. If you select Critical, critical-, alert- and emergency-level events are sent to the syslog server.

Interpreting Logs of Traffic Rules: Example 1
- proto: protocol
- vesxi27: host at which the alerts are observed
- L2: Layer 2 protocol
- DROP: traffic is dropped

Interpreting Logs of Traffic Rules: Example 2
- proto: ICMP protocol
- vesxi27: host at which the alerts are observed
- L3: Layer 3 protocol
- DROP: traffic is dropped

Reverting to a Previous vShield App Firewall Configuration
- Automatic mechanism to create a backup of the firewall rule configuration
- vShield Manager takes a snapshot each time a new rule is committed
- A previous configuration can easily be reverted via the drop-down menu


Role-Based Access Control
New in vShield Manager 5.0

Role: privilege summary
- Super user (admin): vShield operations and security; everything related to the vShield product
- vShield admin: vShield operations only; installation and configuration of virtual appliances, ESX host modules, etc.
- Security admin: vShield security only; policy definition and reports for Edge, App, Endpoint and Data Security
- Auditor: read-only access to vShield operations and security settings

A new feature in vShield Manager 5.0 that applies to all vShield solutions is role-based access control. All the vShield products now employ RBAC to limit what individual people can do when they log in to vShield Manager. This provides critical separation-of-duties capabilities.

RBAC: Scope

Role-based access control (RBAC) enables a clear separation of workflow between virtual infrastructure administrators and security administrators. RBAC provides flexibility in delegating administration across resource pools and security groups, improving the security of applications and data.

LAB/DEMO
- Firewall lab
- Reverting to a previous vShield App firewall configuration
- User creation and configuration


Spoof Guard

Why use Spoof Guard? To reduce man-in-the-middle attacks based on IP and MAC spoofing.

How does it work? VM IP addresses are collected during the synchronization cycle that happens between vShield and vCenter via the vSphere API. If the IP address is modified inside the VM and no longer matches the data collected by Spoof Guard, the VM is isolated and not allowed to communicate outside. Spoof Guard works in the datacenter context and is disabled by default.

Enable Spoof Guard

Click Edit to enable it. Select Enable first, then select the option that matches your requirement.

Spoof Guard: IP Address Monitoring and Management

The collected IP addresses can be monitored and managed automatically or manually.

Automatically Trust IP Assignments On Their First Use: the IP is gathered the first time the VM is powered on. This data is read via VMware Tools. Once the list is populated it is pushed down to the vShield App virtual appliance, which then inspects every packet originating from a network adapter for the prescribed IP. If they do not match, the packet is simply dropped. This operates separately from the App firewall rules.

Manually Inspect and Approve All IP Assignments Before Use: in this mode all traffic is blocked until you approve the MAC-to-IP address assignment.

NB: Spoof Guard inherently trusts the MAC addresses of virtual machines as read from the VMX files and the vSphere SDK.

Spoof Guard: View and Approve IP

- Lists the IP addresses where the current IP address does not match the published IP address.
- IP address changes that require approval before traffic can flow to or from these VMs.
- List of all validated IP addresses.

Spoof Guard: View and Approve IP (cont'd)

When you want to approve an IP, go to "IP assignments that require my review and approval" or select the "Require Approval" link. You then see the difference between the Approved IP and the Currently Seen IP.
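The two Spoof Guard modes described above, as an added Python model that is not part of this deck or of VMware's code: the class, the packet fields and the approval calls are constructed for illustration, and the MAC and IP values are made up.

```python
from dataclasses import dataclass, field

# The two monitoring modes named on the slide.
AUTO_TRUST_FIRST_USE = "auto"    # "Automatically Trust IP Assignments On Their First Use"
MANUAL_APPROVAL = "manual"       # "Manually Inspect and Approve All IP Assignments Before Use"


@dataclass(frozen=True)
class Packet:
    mac: str      # source vNIC MAC; Spoof Guard trusts it (VMX file / vSphere SDK)
    src_ip: str   # source IP written by the guest; this is what gets checked


@dataclass
class SpoofGuardModel:
    """Constructed model of the per-vNIC IP check that the vShield App
    appliance performs after vShield Manager pushes down the approved list."""
    mode: str
    approved: dict = field(default_factory=dict)   # MAC -> approved IP
    pending: dict = field(default_factory=dict)    # MAC -> IP awaiting review
    dropped: list = field(default_factory=list)

    def learn(self, mac, ip):
        """An IP reported for a vNIC (via VMware Tools / the vCenter sync cycle)."""
        if self.mode == AUTO_TRUST_FIRST_USE and mac not in self.approved:
            self.approved[mac] = ip          # first use is trusted automatically
        elif self.approved.get(mac) != ip:
            self.pending[mac] = ip           # a change (or any IP in manual mode) needs approval

    def approve(self, mac):
        """Administrator approves the MAC-to-IP assignment in the UI."""
        if mac in self.pending:
            self.approved[mac] = self.pending.pop(mac)

    def inspect(self, pkt):
        """Per-packet check on traffic leaving a vNIC; independent of firewall rules."""
        if self.approved.get(pkt.mac) == pkt.src_ip:
            return "ALLOW"
        self.dropped.append(pkt)
        return "DROP"

    def needs_review(self):
        """What the 'IP assignments that require my review and approval' view lists:
        MAC -> (approved IP, currently seen IP)."""
        return {mac: (self.approved.get(mac), ip) for mac, ip in self.pending.items()}


def demo_auto_trust(mac="00:50:56:00:00:01"):           # constructed MAC
    sg = SpoofGuardModel(AUTO_TRUST_FIRST_USE)
    sg.learn(mac, "172.16.1.10")                         # first power-on: trusted as-is
    normal = sg.inspect(Packet(mac, "172.16.1.10"))      # ALLOW
    spoofed = sg.inspect(Packet(mac, "172.16.1.99"))     # guest changed its IP: DROP
    sg.learn(mac, "172.16.1.99")                         # change is reported, waits for review
    return normal, spoofed, sg.needs_review()


def demo_manual(mac="00:50:56:00:00:02"):               # constructed MAC
    sg = SpoofGuardModel(MANUAL_APPROVAL)
    sg.learn(mac, "172.16.2.10")
    before = sg.inspect(Packet(mac, "172.16.2.10"))      # DROP: nothing approved yet
    sg.approve(mac)
    after = sg.inspect(Packet(mac, "172.16.2.10"))       # ALLOW once approved
    return before, after
```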

vShield Manager Deployment Consideration
- Do not host vShield Manager on the same cluster it is responsible for managing. If vShield Manager is deployed within the infrastructure it is protecting, you will suffer circular dependencies*. For example, an inadvertent configuration error could result in an unmanageable environment if the vShield Manager appliance were to lose connectivity or were prevented from communicating with other components because of a misconfigured security policy.
- You cannot use VMware FT to protect vShield Manager if vShield App is deployed. This only applies if vShield App is deployed from the vShield Manager in question.
- A vShield Manager instance must be deployed for each vCenter in use.

* Starting with vShield 5.0.1 you can exclude vShield Manager from App protection on the host.

The issue is that in certain portions of the install process the vCenter Server and vShield Manager virtual machines could end up being mistakenly cut off from communication with the infrastructure they were managing.

Entry inside the VMX file

vShield Manager Placement Consideration, Option 1: Management Cluster

Diagram: a Production Cluster (vSphere 5.0) running vShield Edge and App FW appliances, managed from a separate Management Cluster hosting vCenter 5.0, vShield Manager, AD/DNS/DHCP and the vCenter and VUM databases (VCDB/VUMDB).

The shared Management Cluster model isolates the management components from being impacted by Production Cluster hardware failures.

Management cluster components (vSphere 5.0):
- vCenter Server / vCenter Server Appliance
- vCenter database
- vShield Manager
- vCenter Update Manager
- Active Directory
- DNS
- Syslog server
Highly recommended.

The management cluster may also include virtual machines, or have access to servers, that provide infrastructure services such as directory (LDAP), timekeeping (NTP), networking (DNS, DHCP), logging (syslog) and security.

Component databases, if running on the same platform, can be placed on the same database server if it is sized properly. For example, the databases used by vCloud Director, vCenter Server and vCenter Chargeback can run on the same database server.

Both the management cluster and the resource groups reside in the same physical site to provide a consistent level of service. This minimizes latency issues, which could arise in a multi-site environment if workloads move between sites over a slower or less reliable network.

vShield Manager Deployment Consideration, Option 2

Diagram: Production Cluster A and Production Cluster B (vSphere 5.0), each running vShield Edge and App FW appliances; the vCenter 5.0 and vShield Manager for one cluster are hosted in the other cluster, and vice versa.

The cross-managed cluster model provides isolation similar to the management cluster model.

vShield Manager Deployment Consideration, Option 3

Diagram: a single Production Cluster (vSphere 5.0) running vShield Edge and App FW appliances together with vCenter 5.0 and vShield Manager.

Single cluster model with vShield Manager exclusion*: vShield App protection is disabled for the management vApp by putting it on the exclusion list.

VM Exclusion introduced in vShield 5.0.1
- With 5.0.1 there is an option to exclude a VM. This has the effect of disabling all vShield App protection for the excluded VM, including Spoof Guard.
- The exclusion list is applied across all vShield App installations within the specified vShield Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection.
- The vShield Manager and service virtual machines are automatically excluded from vShield App protection.

Caveat: the MAC/IP pairs of an excluded VM still show up in the Spoof Guard tab of the UI, even though the functionality is disabled for that VM.

How to Exclude a VM from vShield App

After FailSafe is enabled, VMs that are powered on are fast-suspended and resumed, while powered-off VMs are just reconfigured.

VMX entry for Web01 before FailSafe is enabled / VMX entry for Web01 after FailSafe is enabled

vShield App Deployment Consideration
- vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to.
- Renaming the vShield App security virtual machine is not supported. Doing so renders it unmanageable, because vShield Manager uses the name it assigned at provisioning time to manage the vShield App security virtual machine.
- Use vShield App security groups to tier servers of the same function (DC, web server, DB server, etc.). This simplifies firewall configuration and rules.

Availability Considerations: vShield Manager

What if the vShield Manager appliance is unavailable?
- First and foremost, zero impact: all existing vShield App rules remain enforced, and logs are still sent to the syslog server.
- The only impact is that new rules cannot be created and existing rules cannot be changed.
- In addition, flow-monitoring data might be lost, depending on the duration of the failure.
- vShield Manager can be restored from a vShield Manager backup.

What if the host hosting the vShield Manager appliance is unavailable?
- vShield Manager is HA and DRS aware and can take full advantage of them; in this case vShield Manager is automatically restarted on another host.

Availability Considerations: vShield App

What if the vShield App appliance is unavailable?
- All traffic to and from the protected virtual machines on the host on which vShield App was running is blocked.*
- At the process level, a built-in watchdog restarts failed processes.
- VMware HA virtual machine monitoring detects the failed vShield App (via VMware Tools and network packets) and restarts it.
- A vCenter alarm is triggered if a VM migrates onto a host where the vShield App appliance is not installed.

What if the host hosting the vShield App appliance is unavailable?
- DRS is disabled for vShield App.
- Except for the vShield App VM, the protected VMs are restarted on another host and are automatically protected there, provided that host has vShield App installed.

* From vShield 5.0.1 you have the option to disable this behavior, though this is strongly not recommended.

vShield App: DRS and HA Settings
- The HA restart priority of the vShield App appliance is set to High. This ensures it is the first to restart during a failover event, so that it is running before the VMs it protects.
- The vShield App appliance should never be moved to another host; therefore DRS is automatically disabled for it during installation.
- If the host is put into maintenance mode, vShield App automatically shuts down and automatically restarts when the host exits maintenance mode.
- You cannot use FT to protect vShield Manager when vShield App is deployed, because vShield Manager uses linked clones and snapshots as part of the deployment process for the vShield firewall service appliance virtual machines.

Disable DRS (if not already disabled): on the vShield App virtual appliance, DRS is disabled by default. It is recommended to pin the VM to the host it was deployed on. The reason is that the App firewall correlates the security rules with the data path of the virtual machines on that host, which mandates that a vShield App virtual machine is never moved away from that host. vShield App is also installed on every host.

Verifying vShield App Installation: HA Restart Priority

Verifying vShield App Installation: DRS is Disabled

vShield App Industry Best Practices
- vShield App provides security protection for virtual machines.
- Firewall rule groups will need to be translated from the old firewall into vShield Manager.
- Set up roles and responsibilities within vShield Manager that grant administrators only the minimum permissions needed to perform their functions. For example, give the vSphere administrator the ability to install the vShield Suite via the vShield Admin role, and the ability to view rules via the Auditor role.
- Ensure audit logs are reviewed regularly.

vShield App provides security protection for virtual machines, and not for host management interfaces, vMotion, network storage or VMware Fault Tolerance network communications.

Inspection and monitoring of inter-VM traffic on the same port group and host, and of inter-host traffic, is very important when customers are trying to meet compliance requirements.

Firewall rule groups will need to be translated from the old firewall into vShield Manager and then used as the basis for the rules. This can cut down the number of individual rules necessary to provide the same level of security.

vShield App Industry Best Practices (cont'd)
- Define a thorough test plan, including penetration testing and external auditing.
- Consider creating an application group that contains the ports; for example, you might create an application group called WEB containing both TCP 80 and 443.
- Ensure that vShield Edge and vShield App appliances send all their logs to a centralized syslog server or infrastructure. Consider mirroring the logs to an alternate site.

Define a thorough test plan that tests all the necessary applications and rules. Penetration testing and external auditing are also advised, to ensure that the solution minimizes any potential security risks.

If you have a common group of ports that is assigned to multiple objects, consider creating an application group that contains those ports; for example, you might create an application group called WEB containing both TCP 80 and 443.

Ensure that vShield Edge and vShield App appliances send all their logs to a centralized syslog server or infrastructure. Consider mirroring the logs to an alternate site to ensure availability of the logs for incident investigation or response if something happens to the primary site. Consider using a tool such as Splunk, RSA enVision or similar to visualize and correlate log events and highlight any possible events of interest.

vShield App Industry Best Practices (cont'd)
- Use the vShield REST APIs to back up the firewall rule base. Use the REST APIs to turn off rule logging once troubleshooting and implementation are complete, unless there is a reason to leave it enabled.
- If you are replicating the infrastructure to a DR site, ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to keep the rule base up to date. Updates and changes to the DR site can be automated using the vShield REST APIs, which can also be integrated with VMware vCenter Site Recovery Manager.
- vShield App and Host Profiles

Use the vShield REST APIs in addition to the vShield Manager backup functionality to back up the firewall rule base, and store it in a version-controlled repository such as SVN or CVS. Use the REST APIs to turn off accept-rule logging when troubleshooting and implementation are complete, unless there is a reason to leave it enabled.

Agenda: vShield Edge
- Planning and installation of vShield Edge
- vShield Edge services: DHCP, NAT, firewall, VPN, load balancing, static routing
- Scenarios
- Deployment and availability considerations

Introduction
- Protects the edge of the infrastructure
- Common gateway services: DHCP, VPN, NAT, static routing, load balancing
- Common deployment models: DMZ, VPN extranets, multi-tenant cloud environments

Logical View of vShield Edge

Network isolation happens at the port group level.

Port Group Isolation Based on VLAN

With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration. Isolation of virtual machines is provided exclusively by VLANs at Layer 2.

When to use VLAN isolation:
- The network infrastructure is built around VLANs
- Physical machines need to participate in the protected network

Virtual switch support: vSS, vDS, Cisco Nexus 1000V

It is up to the administrator to ensure that the VLANs are configured properly across all hosts.

Diagram: VMware vSphere hosts with an Internet-facing VLAN-108 and two tenant port groups, PG-CORP1 (VLAN-126) and PG-CORP2 (VLAN-135), connected through the access/aggregation layer; each tenant's vShield Edge has its external interface on VLAN-108 and its internal interface on the tenant's port group.

Each tenant is assigned its own VLAN for that tenant's virtual machine traffic.

It is important to note that this VLAN separation of traffic between tenants provides Layer 2 isolation at the aggregation layer. But VLAN isolation does not provide security from attacks at Layer 3 and above. To protect from higher-layer network attacks, the vShield Edge virtual appliance acts as a firewall.

The vShield Edge virtual machine is deployed per tenant.

All virtual machines belonging to tenant CORP1 are connected to the internal port group PG-CORP1 and are allowed to communicate with each other without having to go through the vShield Edge firewall.

If a virtual machine on the tenant CORP1 network wants to access external devices, the traffic has to flow through the vShield Edge virtual machine, and depending on the security rules defined in the vShield Edge firewall, the access is either allowed or denied.

vCloud Director Network Isolation
- VM identity is used to isolate a group of VMs from other VMs.
- All VMs are on a single Layer 2 domain but are isolated by assigning them to different port groups.
- Traffic between VMs in the same port group is allowed, but traffic between VMs across different port groups is not allowed by the virtual switch.
- This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), not on a standard switch (vSS) or the Cisco Nexus 1000V.

When a virtual machine is deployed in the virtual infrastructure, it is assigned a MAC address and an IP address. In addition, it is connected to a specific port group of a virtual switch. An IP address may not be assigned in all cases, but the other two unique parameters can always identify a virtual machine. Any virtual machine that gets deployed must be associated with a port group on a virtual switch, and this fact is used to isolate a group of virtual machines from other virtual machines.

Administrators can now use one subnet (a single Layer 2 domain) for all their virtual machines and provide isolation within a group of virtual machines by assigning them to different port groups. Traffic between virtual machines in the same port group is allowed, but traffic between virtual machines across different port groups is not allowed by the virtual switch. This port group isolation feature is supported on a distributed virtual switch (vDS), but not on a standard switch (vSS) or the Cisco Nexus 1000V. In a vDS, a port group definition can span the entire datacenter, so an isolated virtual network built on port groups can also span the complete datacenter.

vCDNI: Communication Between Tenants Across Hosts

The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.

vCDNI: Communication Between Tenants Within a Host

The VMs' traffic is isolated because they are on different secured port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.

vCDNI: Communication Between VMs of the Same Tenant

VMs of the same tenant need to communicate freely, without going through the vShield Edge VM and the Provider VLAN.

Advantages of vCloud Director Network Isolation (vCDNI)
- Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale.
- Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs.
- Finally, a key advantage of cloud network isolation over VLAN isolation is that it does not need any complex configuration at the aggregation layer.

Protecting Extranets: VPN Services

vShield Edge: DHCP Services

vShield Edge: NAT Services

vShield Edge Services: Load Balancer

vShield Edge Services: Firewall

vShield Edge Firewall Rules and Direction

Diagram: vShield Edge with an EXTERNAL INTERFACE and an INTERNAL INTERFACE, each with an incoming and an outgoing direction.
- Incoming traffic on both interfaces is blocked by default.
- Outgoing traffic on both interfaces is allowed by default.

vShield Edge Firewall Rules and Direction: Example

Diagram: a PRIVATE PORT GROUP on the 172.16.1.0/24 subnet behind the internal interface; traffic from the 172.16.2.0/24 subnet arrives incoming on the external interface.

vShield Edge Services: Static Routing

Most networks have a single router called the default gateway. If a network has a default gateway, the nodes on the network can send traffic to the gateway, and the gateway then forwards the traffic to the destination. All machines in a network have a routing table. A routing table is a list of destination networks and the router that carries traffic to each destination. Manually adding routes to a routing table is called static routing.

Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers accept traffic for, and they store this information in their routing table.

On vShield Edge, you can create a static route on either the internal network or the external network.

Static Routing Between Two vApps

Diagram (APPLICATION 1 and APPLICATION 2): each application has its own vShield Edge with an internal interface on its private port group (PG-APP-1 with VM 172.16.1.10 and gateway 172.16.1.1; PG-APP-2 with VM 172.16.2.10 and gateway 172.16.2.1) and an external interface on the shared PG-PUBLIC (192.168.1.233 and 192.168.1.232).

Installing vShield Edge for Application 1

vShield Edge installed for Application 1 and Application 2

Configure Static Route for the APP1 Network
- The network APP1 wants to reach
- The gateway of the destination network

Configure Static Route for the APP2 Network
- The network APP2 wants to reach
- The gateway of the destination network

Static Routes Set Up for the APP1 and APP2 Networks (same diagram as above)

Configuring Firewall Rules to Allow the APP1 and APP2 Networks to Communicate with Each Other (same diagram as above)

Outgoing traffic is allowed by default.

Rules defined at the APP-1 FW / Rules defined at the APP-2 FW
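The two-Edge topology above, walked through as an added Python routing model (not part of the deck or of vShield): it performs longest-prefix lookups hop by hop, as the ping/tracert checks do, and shows why the static route is needed on both Edges. Assumed, because the slide does not say: the APP1 Edge holds external 192.168.1.233 and the APP2 Edge 192.168.1.232, and each VM's default gateway is its Edge's internal interface; the Edge firewall is not modelled.

```python
import ipaddress


class Node:
    """A VM or vShield Edge: its interface addresses and routing table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # routes: (destination prefix, next hop); next hop None = directly connected
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next hop) or None if no route."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


def build_lab(app1_route=True, app2_route=True):
    """Topology from the slides: two vApps, each behind its own vShield Edge,
    with both Edges' external interfaces on PG-PUBLIC (192.168.1.0/24)."""
    edge1_routes = [("172.16.1.0/24", None), ("192.168.1.0/24", None)]
    edge2_routes = [("172.16.2.0/24", None), ("192.168.1.0/24", None)]
    if app1_route:   # static route entered on the APP1 Edge: APP2 net via the APP2 Edge external IP
        edge1_routes.append(("172.16.2.0/24", "192.168.1.232"))
    if app2_route:   # and the mirror route on the APP2 Edge
        edge2_routes.append(("172.16.1.0/24", "192.168.1.233"))
    nodes = [
        Node("app1-vm", ["172.16.1.10"], [("172.16.1.0/24", None), ("0.0.0.0/0", "172.16.1.1")]),
        Node("edge-app1", ["172.16.1.1", "192.168.1.233"], edge1_routes),   # assumed external IP
        Node("edge-app2", ["172.16.2.1", "192.168.1.232"], edge2_routes),   # assumed external IP
        Node("app2-vm", ["172.16.2.10"], [("172.16.2.0/24", None), ("0.0.0.0/0", "172.16.2.1")]),
    ]
    return {addr: n for n in nodes for addr in n.addrs}


def trace(lab, src, dst, max_hops=8):
    """Forward a packet hop by hop (like tracert). Returns (delivered, hops)."""
    dst = ipaddress.ip_address(dst)
    node = lab[ipaddress.ip_address(src)]
    hops = []
    for _ in range(max_hops):
        if dst in node.addrs:
            return True, hops
        route = node.lookup(dst)
        if route is None:
            return False, hops          # this router has no route: destination unreachable
        nxt = route[1] or dst           # connected network: hand the packet to the host itself
        if nxt not in lab:
            return False, hops
        hops.append(str(nxt))
        node = lab[nxt]
    return False, hops


def round_trip(lab, a, b):
    """Both directions must work for ping to succeed."""
    return trace(lab, a, b), trace(lab, b, a)


if __name__ == "__main__":
    print(round_trip(build_lab(), "172.16.1.10", "172.16.2.10"))
    print(round_trip(build_lab(app2_route=False), "172.16.1.10", "172.16.2.10"))
```

With only the APP1 route configured, the request reaches APP2 but the reply dies at the APP2 Edge, which is what a one-sided ping failure looks like.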

Ping and tracert from the APP1 VM

Ping and tracert from the APP2 VM

How to Configure NAT Services

Scenario:
- A customer wishes to access web server Web01, which sits inside the DMZ network of CORP A.
- Web01 sits in the 10.1.1.x/24 network and has been assigned the IP 10.1.1.10 by the vShield Edge DHCP service.
- The customer wants to access Web01; the customer network is 192.168.1.x/24.
- We can configure NAT.

vShield Edge Configured to Meet the Customer Scenario

Diagram: Web01 (10.1.1.10) and Web02 (10.1.1.11) on a private switch behind the vShield Edge internal interface 10.1.1.1; the external interface 192.168.1.135 is on a vSwitch connected to the external 192.168.1.x network. The Edge provides the DHCP service, the NAT service and the firewall rules.

Configure DHCP

Use SNAT when an internal IP needs to be translated into an external IP. Use DNAT when an external IP needs to be translated into an internal IP.

Open Firewall Ports to Allow NAT Traffic

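The NAT scenario above as an added Python model (not part of the deck or of vShield Edge): DNAT for the customer's inbound request to Web01, the stateful reverse translation of Web01's reply, and SNAT for a new outbound flow from Web02. Assumptions: the customer host 192.168.1.50 and the port numbers are constructed, the default incoming deny on the external interface is checked on the pre-translation destination before the DNAT rule, and SNAT keeps the source port unchanged.

```python
import ipaddress
from dataclasses import dataclass

EXTERNAL_IP = "192.168.1.135"                       # Edge external interface (from the scenario)
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")  # DMZ network behind the internal interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class EdgeNatModel:
    """Constructed model of the Edge's DNAT/SNAT and its default incoming deny."""

    def __init__(self):
        self.dnat = {}         # (external ip, port, proto) -> (internal ip, port)
        self.allow_in = set()  # (proto, dport) opened for incoming traffic on the external interface
        self.sessions = {}     # (internal ip, port, remote ip, port) -> (external ip, port) of the DNAT

    def add_dnat(self, ext_port, int_ip, int_port, proto="tcp"):
        self.dnat[(EXTERNAL_IP, ext_port, proto)] = (int_ip, int_port)

    def open_port(self, proto, dport):
        self.allow_in.add((proto, dport))

    def from_external(self, pkt):
        """Packet arriving on the external interface (incoming: blocked by default)."""
        if (pkt.proto, pkt.dport) not in self.allow_in:
            return "DROP", pkt                       # no firewall rule opened this port
        target = self.dnat.get((pkt.dst, pkt.dport, pkt.proto))
        if target is None:
            return "DROP", pkt                       # no DNAT: nothing inside answers to that address
        int_ip, int_port = target
        self.sessions[(int_ip, int_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return "FORWARD", Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.proto)

    def from_internal(self, pkt):
        """Packet from the internal side heading out (outgoing: allowed by default)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:                     # reply of a DNATed session: undo the DNAT
            ext_ip, ext_port = self.sessions[key]
            return "FORWARD", Packet(ext_ip, ext_port, pkt.dst, pkt.dport, pkt.proto)
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:   # new outbound flow: SNAT to the external IP
            return "FORWARD", Packet(EXTERNAL_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return "DROP", pkt


def scenario(customer_ip="192.168.1.50"):
    """Walk the slide's scenario: customer -> Web01 via DNAT, the reply, then Web02 outbound via SNAT."""
    edge = EdgeNatModel()
    edge.add_dnat(80, "10.1.1.10", 80)               # Web01 got 10.1.1.10 from the Edge DHCP service
    request = Packet(customer_ip, 40000, EXTERNAL_IP, 80)
    before_rule = edge.from_external(request)[0]      # "Open Firewall Ports" not done yet: DROP
    edge.open_port("tcp", 80)
    action, inside = edge.from_external(request)      # now DNATed to 10.1.1.10:80
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    _, outside = edge.from_internal(reply)            # source restored to 192.168.1.135:80
    _, snat = edge.from_internal(Packet("10.1.1.11", 51000, customer_ip, 443))  # Web02 going out
    return before_rule, action, inside, outside, snat
```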

vShield Edge Deployment Considerations
- Only HTTP (port 80) round-robin load balancing is currently supported.
- Each vShield Edge instance supports a maximum of 10 site-to-site VPN sessions.
- VMware strongly recommends protecting vShield Edge appliances with the HA and DRS features. If a cluster host goes offline while running a vShield Edge appliance, the appliance is restarted on another host in the cluster.

Traditional Layer 2 Segmentation

Diagram: PG 1 on VLAN 11, PG 2 on VLAN 12 and PG 3 on VLAN 13 on a vSwitch/vDS, connected to the physical switch.

Cloud Network Isolation (CNI) Segmentation

Diagram: PG 1, PG 2 and PG 3 all on VLAN 1 on a vDS, connected to the physical switch. VMs on one PG cannot talk to VMs on another PG at Layer 2, even though they share the same VLAN.

Method 1: Using a VLAN per Organization

Diagram: HOST 1 and HOST 2, Internet facing, each carrying ORG A on LAN 72, ORG B on LAN 81 and ORG C on LAN 72 as labelled on the slide.

Method 2: Using a Mixed Trust Model

Diagram: a multi-tenant side (ORG A on LAN 72, ORG B on LAN 81, ORG C on LAN 63) and a single-tenant side (ORG Z on LAN 54, in scope for PCI, HIPAA and SOX), both Internet facing.

Method 3: Single VLAN, Multi-Tenant

Diagram: Tenant-1 and Tenant-2 (ORG Z on LAN 54, with Mail, DB and Web tiers, in scope for PCI, HIPAA and SOX) on a single VLAN, Internet facing, using CNI with segmentation via vShield App.

Performance Statistics

Difference Between vShield Edge and vShield App

vShield Edge:
- Deployed per port group
- Enforcement between the virtual datacenter and untrusted networks
- Stateful, application-level firewall
- Five-tuple rule based policies
- Site-to-site VPN (IPsec), DHCP, NAT, firewall, load balancing, cloud network isolation

vShield App:
- Deployed per host
- Enforcement between VMs
- Change-aware
- Hypervisor-based firewall, flow monitoring, security groups

Can firewall rules be backed up and restored? How?

There are multiple methods to back up firewall rules. The recommended methods are:
- via the vShield Manager user interface
- via the REST APIs, which can be scripted and automated

You can back up and restore your vShield Manager data, which can include the system configuration, events and audit log tables. Configuration tables are included in every backup.

VI administrators can use the REST APIs (accessible via a web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.

REST API Basics
- The vShield REST API uses HTTP requests.
- HTTP requests are often executed by a script or a higher-level language.

vShield REST API workflow:
- Make an HTTP request (typically GET, PUT, POST or DELETE) against a vShield Manager URL.
- The response is XML and/or an HTTP response code.
- An XML response is generally a link or other information about the state of the object.
- The HTTP response code indicates whether the request succeeded or failed.
- vShield Manager requires TCP port 80/443 to be open for vShield REST API requests to pass through.

Executing REST API Calls Using a REST Client

Working with IP Sets Using the vShield REST API

Reading IP Sets

https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-2
https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-81

XML Format to Create an IP Set
- description: New Description
- name: TestIPSet20
- value: 10.112.201.8-10.112.201.14

POST https:///api/2.0/services/ipset/datacenter-2

Automatically created

Create IP Set
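The IP set workflow above (read with GET, create with POST, XML body) as an added Python script that is not part of the deck or of VMware's tooling. The element names description, name and value come from the slide; the ipset root element, the revision element and the list wrapper of the read response are assumptions about the vShield 5.x API, and MANAGER, the credentials and SAMPLE_READ_RESPONSE are constructed placeholders.

```python
import base64
import ipaddress
import ssl
import urllib.request
import xml.etree.ElementTree as ET

MANAGER = "vshield-manager.example.invalid"   # placeholder: the slide elides the host
SCOPE = "datacenter-2"                        # vCenter datacenter MOID used on the slide

# Constructed sample of a read response, shaped like the request XML on the slide
# (the <list> wrapper and the <objectId> element are assumptions).
SAMPLE_READ_RESPONSE = """<list>
  <ipset><objectId>ipset-1</objectId><name>TestIPSet20</name>
    <description>New Description</description><value>10.112.201.8-10.112.201.14</value></ipset>
</list>"""


def validate_ipset_value(value):
    """The value field takes single IPs, CIDR blocks or first-last ranges such as
    10.112.201.8-10.112.201.14; several entries may be comma-separated. Raises ValueError."""
    for part in (p.strip() for p in value.split(",")):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in part.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {part}")
        elif "/" in part:
            ipaddress.ip_network(part, strict=True)   # rejects host bits set, e.g. 10.0.0.1/24
        else:
            ipaddress.ip_address(part)
    return True


def is_valid_ipset_value(value):
    try:
        return validate_ipset_value(value)
    except ValueError:
        return False


def build_ipset_xml(name, description, value):
    """Body for POST /api/2.0/services/ipset/<scope>; the objectId is assigned by the manager."""
    validate_ipset_value(value)
    root = ET.Element("ipset")
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "revision").text = "0"     # assumed element
    ET.SubElement(root, "value").text = value
    return ET.tostring(root, encoding="unicode")


def parse_ipsets(xml_text):
    """Pull (objectId, name, value) out of a read response."""
    root = ET.fromstring(xml_text)
    return [{"objectId": el.findtext("objectId"), "name": el.findtext("name"),
             "value": el.findtext("value")} for el in root.iter("ipset")]


def _request(method, path, body=None, user="admin", password="PLACEHOLDER"):
    """One vShield REST call: HTTP basic auth over TLS to vShield Manager (port 443)."""
    req = urllib.request.Request(f"https://{MANAGER}{path}",
                                 data=body.encode() if body else None, method=method)
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()   # verifies the manager's certificate; load your CA here
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


def read_ipsets(scope=SCOPE):
    status, text = _request("GET", f"/api/2.0/services/ipset/scope/{scope}")
    return status, parse_ipsets(text)


def create_ipset(name, description, value, scope=SCOPE):
    return _request("POST", f"/api/2.0/services/ipset/{scope}",
                    build_ipset_xml(name, description, value))
```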