© 2010 VMware Inc. All rights reserved Confidential vShield App and vShield Edge Planning,...

© 2010 VMware Inc. All rights reserved

Confidential

vShield App and vShield Edge

Planning, Installation and Designing based on 5.0.1

From Preetam Zarehttp://vcp5.wordpress.comhttp://vShieldSuite.wordpress.com

2 Confidential Preetam Zare

Agenda –vShield App

• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration

3 Confidential Preetam Zare

Agenda –vShield Edge

• Planning and Installation of vShield Edge

• vShield Edge Services

• DHCP

• NAT

• Firewall

• VPN

• Load Balancing

• Static Routing

• Scenarios

• Deployment and Availability Considerations

4 Preetam Zare

Segment your services• VLAN or subnet based policies • Interior or Web application Firewalls

VLAN 1

VLANs

Data Center needs to be secured at different levels

Cost & ComplexityAt the vDC Edge

• Sprawl: hardware, FW rules, VLANs• Rigid FW rules• Performance bottlenecks Prevent unwanted access• Firewall, VPN• Load balancers

Protect your data• Anti-virus• Data Leak Protection

Perimeter Security

Internal Security

End Point Security

5 Preetam Zare

Why Security in Virtualized Datacenter?

Network security devices become chokepoints

Capacity is never right-sized

No intra-host virtual machine visibility

Audit trails are lacking

Physical topologies are too rigid

Current Security is static

6 Preetam Zare

Traditional vSphere Infrastructure Setup Without Vshield

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

INTERNET

Company A Company B Company C

7 Preetam Zare

vSphere Infrastructure Setup Without Vshield

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

vSphere 5.0 vSphere 5.0

VPN Gateway

Switch

Load Balancer

Firewall

L2-L3 Switch

INTERNET

Company A Company B Company C

vSphere 5.0

8 Preetam Zare

vShield Product Family

VMware vSphere VMware vSphere

DMZ Application 1 Application 2

Securing the Private Cloud End to End: from the Edge to the Endpoint

Edge

vShield Edge

Secure the edge of the virtual datacenter

Security Zone

vShield App

- Create segmentation between workloads- Sensitive data discovery

Endpoint = VM

vShield Endpoint

Anti-virus processing

Endpoint = VM vShield Manager

Centralized Management

9 Preetam Zare

What Is vShield Edge?

vShield Edge secures the perimeter, “edge”, around a virtual datacenter.

Common vShield Edge deployments include: Protecting the Extranet Protecting multi-tenant

cloud environmentsVMware vSphere

Tenant A Tenant C Tenant X

vShield Edge

VPNLoad balancerFirewall

Secure Virtual

Appliance

Secure Virtual

Appliance

Secure Virtual

Appliance

vShield Edge

vShield Edge

9

10 Preetam Zare

vShield Edge Capabilities

Edge functionality• Stateful inspection firewall• Network Address Translation

(NAT)• Dynamic Host Configuration

Protocol (DHCP)• Site to site VPN (IPSec)• Web Load Balancer• (NEW) Static Routing• (NEW) Certificate mode support

for IPSEC VPN

Management features• REST APIs for scripting• Logging of functions

VMware vSphere

Tenant A Tenant C Tenant X

vShield Edge

VPNLoad balancerFirewall

Secure Virtual

Appliance

Secure Virtual

Appliance

Secure Virtual

Appliance

vShield Edge

vShield Edge

10

11 Preetam Zare

Securing the Data Center Interior with vShield App

Key Benefits

• Complete visibility and control to the Inter VM traffic enabling multi trust zones on same ESX cluster.

• Intuitive business language policy leveraging vCenter inventory.

12 Preetam Zare

vShield EndpointOffload Anti-virus Processing for Endpoints

Benefits• Improve performance by offloading anti-virus functions

in tandem with AV partners• Improve VM performance by eliminating anti-virus

storms• Reduce risk by eliminating agents susceptible to attacks • Satisfy audit requirements with detailed logging of AV

tasks

13 Preetam Zare

Cloud Infrastructure Security- Defense in Depth

First Level of Defense- vShield Edge • Threat mitigation and blocks unauthorized

external traffic• Suite of edge services• To secure the edge of the vDC

Zoning within the ORG- vShield App• Policy applied to VM zones• Dynamic, scale-out operation• VM context based controls

Compliance Check vShield App with data security

• Discover PCI, PHI, PII sensitive data for virtual environment

• Compliance posture check

Coke Pepsi

* *AV agent offload- vShield Endpoint

• Attain higher efficiency• Supports multiple AV solutions• Always ON AV scanning

14 Confidential Preetam Zare

Agenda

Introduction to vShield Suite

vShield Manager Installation, Configuration and Administration

Planning and Installation of vShield App

vShield App Flow Monitoring

vShield App Firewall Management

Use Cases of vShield App

Design consideration of vShield App

15 Confidential Preetam Zare Preetam Zare

vShield Manager Introduction

vShield manager console acts a central point to install, configure and maintain vShield components e.g. vShield Edge, vShield App and vShield Endpoint

Vshield manager is pre-packaged as OVA appliance.

vShield manager OVA file includes software to install vShield Edge, vShield App and vShield Endpoint.

vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.

vShield Manager leverages the VMware infrastructure SDK to display a copy of the vSphere client inventory.

16 Confidential Preetam Zare

vShield Manager –Central Management Console

VSPHERE VSPHERE VSPHERE

Management Network

vCenter

Automatic deployment of

vShield app appliance via

vshield manager

Vshield ManagerClient

Central point of management.

For RBAC model, stores flow data and manages Rule

base

You can connect to vshield manager directly via web interface or via

vcenter plug-in

17 Confidential Preetam Zare

Vshield Manager Communication Paths

VSPHERE

Management Network

vCenter

TCP 22

UDP 123

Access to ESXi host TCP 902/903

vShield App Appliance

TCP 443

TCP 443

vSphereClient

SSH Access to CLI

TCP 22

Vshield webconsole

SS

H A

ccess to C

LI

TC

P 22

SSH Client

REST API --> TCP 80/443

Default EnabledDefault disabled

vShield Manager

18 Confidential Preetam Zare

vShield Manager Requirements

Virtual Hardware Summary

Memory 3 GB

CPU 1

Disk 8 GB

Software vShield OVA File

Web Browser IE6.x and Later, Mozilla Firewall 1.x and Later, Safari 1.x and 2.x

For latest interoperability information check herehttp://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php

19 Confidential Preetam Zare

Latest interoperability

20 Confidential Preetam Zare Preetam Zare

Permission

Permission to Add and Power on Virtual Machines

Access to datastores where vShield Suite will be deployed

DNS reverse look up entry is working for all ESXi host

21 Confidential Preetam Zare Preetam Zare

vShield Manager Installation

Multi-Step installation ProcessObtain the vShield Manager OVA File

Install vShield Manager Virtual Appliance

Configure the Network Settings of the vShield Manager

Logon to the vShield Manager Interface

Synchronize the vShield Manager with the vCenter Server

Register vShield Manager Plug-in with vSphere Client

Change the default admin password of the vShield Manager

22 Confidential Preetam Zare Preetam Zare

Steps to Install vShield Manager

Open vSphere client, click File menu selects Deploy OVF Template as shown below

23 Confidential Preetam Zare Preetam Zare

Browse to locate OVA file

New windows will open, We will need to provide OVF file, in our case it is OVA file. Select browse and locate the OVA file you’ve downloaded from VMware’s site

24 Confidential Preetam Zare Preetam Zare

After selecting the OVA file, press Next. OVA file’s meta will be read and you will see screen below

25 Preetam Zare

Enter name for vShield manager virtual machine and select location as mentioned below

26 Preetam Zare

Select Datastore

Strongly recommended to select shared Datastore so that

vMotion, DRS and HA functionality can be used during planned &

unplanned downtime.

27 Preetam Zare

Select disk format

28 Preetam Zare

Review the settings and close OVF templates

29 Preetam Zare

Virtual Machine Properties

30 Preetam Zare

Warning :Don’t upgrade VMware tools on vShield Manager Appliances

Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

31 Preetam Zare

Configure the Network Settings of the vShield Manager

Initial Network Configuration i.e. IP, DG and DNS must be done via CLI

Right Click vShield Manager Appliance & Select Open Console

32 Preetam Zare

Contd… Configure the Network Settings of the vShield Manager

33 Preetam Zare

Enter IP, Default Gateway and DNS Details

To enter Enabled type ‘enable’

Enter IP Details

Finally Press ‘y’ to confirm settings

To start wizard type ‘setup’

34 Preetam Zare

Contd … Enter IP, Default Gateway and DNS Details

35 Preetam Zare

Getting Familiar With Vshield Manager Interface

36 Preetam Zare

Open a Web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session

Log in to the vShield Manageruser interface

by using the username admin and the password default.

37 Preetam Zare

Synchronizing the vShield Manager with the vCenter

Enter vCenter Details and Press Save

Don’t select this

Follow Domain\Username format if the user is domain user

Register vCenter extension to access vshield manager within vCenter

38 Preetam Zare

After vShield Manager and vCenter Are Connected

After synch is completed, vCenter data is

populated as seen below screen.

On the right hand of the screen we see confirmation that vSphere Inventory was successfully updated

vShield Manager doesn’tAppear as resource in the

Inventory Panel of vShield Manager user

Interface

39 Preetam Zare

Contd …After vShield Manager and vCenter Are Connected

40 Preetam Zare

Configure Date/Time for vShield Manager

41 Preetam Zare

Generate Tech Support Bundle

42 Preetam Zare

System Resource Utilization Of vShield Manager

43 Preetam Zare

Backup vShield Manager Configuration

You can backup the configuration & transfer to remote backup server over FTP

For one time backup Scheduled Backups must be Off.

Schedule BackupBackup Directory

on FTP Server

44 Preetam Zare

Backup vShield Manager Configuration –Backup files

Backup Directory on FTP Server

vShield ManagerBackup Files on FTP Server

45 Preetam Zare

vShield Manager via Web Browser Vs. vSphere Client Plug-in

You can manage vShield Appliance from the vShield Manager user interface, and also you can manage vShield Appliance from the vSphere Client.

It is your choice, whatever works best for you.

The functions that you cannot access from the vSphere Client such as

• Configuring the vShield Manager’s settings

• Backing up the vShield Manager’s database

• Configuring the vShield Manager’s users, and

• The vShield Manager’s system events and audit logs.

• Configuration vShield App’s Spoof Guard, Fail Safe Mode and VM Exclusion list

46 Preetam Zare

DEMO/LAB vShield Manager

47 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

48 Preetam Zare

vShield App Architecture

Hypervisor-Level Firewall

• Inbound/outbound connection control enforced at the virtual NIC level

• Dynamic protection as virtual machines migrate

• Protection against ARP spoofing

vCenter Server

vSphere Client

ESXi Host

vShieldApp

vSphere

ESXi Host

vSphere

vShieldManager

vShieldApp

49 Preetam Zare

Before vShield App is Deployed

vSwitch/vDS SwitchVSPHERE

HOST

50 Preetam Zare

After vShield App is Deployed

vShield Hypervisor

module

vSwitch/vDS SwitchVSPHERE

HOST

All VM traffic is Passed via LKM &

Inspected by vShield FW

51 Preetam Zare

Deploying vShield App

ESXi 5.0 ESXi 5.0

vCenter 5.0

vSphere 5.0

vShield App

vSphere 5.0

vShield App

vShieldManager

Browser

Based

Session

vClient Based Session

52 Preetam Zare

Install vShield Component Licenses

53 Preetam Zare

vShield App Installation Requirements

You must meet the following requirements.

Deploy one vShield Manager system per vCenter Server

Deploy one vShield App instance per ESXi host.

You must be using vCenter Server version 5.0.

And, you must have the vShield Manager OVA file

Hardware Summary

Memory 1 GB (Automatically reserved)

CPU 2 vCPU

Disk Space 5 GB

54 Preetam Zare

Contd … vShield App Installation Requirements

vCenter Privileges:

Access to the vSphere Client.

Ability to add and power on virtual machines

Ability to access the datastore holding the virtual machine’s files, and to copy files to this datastore.

Make sure that cookies are enabled in order to access the vShield Manager.

Web browser Version

Internet Explorer 6.x and later

Mozilla Firefox 1.x and later

Safari 1.x or 2.x

55 Preetam Zare

Steps to Install vShield App

56 Preetam Zare

Select Installation Parameters for vShield App

Warning displayed

This port group must be able to reach the port group that the

vShield Manager is connected to.

57 Preetam Zare

vShield Installation In Progress

58 Preetam Zare

vShield App Hardware Configuration

vShield App is always

Appended with the name of ESXi host

59 Preetam Zare

Verifying vShield App Installation

60 Preetam Zare

Verifying vShield App Installation –Memory reservation

61 Preetam Zare

Verifying vShield App Installation –Virtual Machine Protection

VM’s with protected Icon. This is only visible

Via web interface

62 Preetam Zare

Verifying vShield App Installation –vShield App FW status

63 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

64 Preetam Zare

vShield App Packet flow

VM sends the packet out as a part of theTelnet protocol, its intercepted

by the virtual network adapter-level FW & is FWD to the vShield App on that host.

The vshield App appliance inspects the packet. If the security profile allows the packet to flow through, the

packet is sent back to the virtual network adaptor-level firewall.

The virtual network adapter-level firewall sends the packet to vswitch port group PG-X.

The vSwitch looks up the MAC address and accordingly sends the traffic out on the up-link port of Host 1.

The external infrastructure that involves physical switches will carry this packet on VLAN 1000.

The external switch sends the packet to the Host 2 network adapter based on the MAC address table.

The vswitch on Host 2 receives the packet. The vswitch looks up the

MAC address and accordingly sends the traffic out to the virtual

machine on Host .2

The virtual network adaptor-level firewall intercepts the packet and

forwards it to the vShield App appliance.

VM sends the packet out as a part of theTelnet protocol, its intercepted

by the virtual network adapter-level FW & is FWD to the vShield App on that host.

The virtual network adaptor-level firewall sends the packet to the VM

65 Preetam Zare

Flow Monitoring Introduction

Inter-virtual Machine Communications

All traffic on protected virtual machine is directed to virtual network adapter level firewall, this actually equips vShield APP FW to read the packets moving in and out of virtual machines.

Data displayed in

• Graphical

• Tabular Format

• Tabular format is further divided into allowed and block traffic as shown in next slide

66 Preetam Zare

Flow Monitoring –Tabular Format

Data displayed below can be used to learn the type of traffic flowing in and out of VM. Then we can use this data for creating or blocking the rule.

67 Preetam Zare

Flow Monitoring – View And Interpret Charts And Reports

68 Preetam Zare

Flow Monitoring – Traffic categorization based on Protocol/Application

69 Preetam Zare

Flow Monitoring – Key advantages

Analysis of Inter-VM traffic can be easily done

You can dynamically create rules right from flow monitoring console

This can be of great help for debugging network related problem as you can enable logging for every individual virtual machine as on needed basis.

70 Preetam Zare

DEMO/LABInstalling vShield App & Flow monitoring

71 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

72 Preetam Zare

Introduction vShield App Firewall

vNIC‐level firewall

vShield App installs as a hypervisor module and firewall service virtual appliance

Places a firewall filter on every virtual NIC.

IP-based stateful firewall

No Network changes or IP changes

• vShield App can create and enforce logical (i.e. not just VLAN or physical subnet) application boundaries all the way down to layer 2

73 Preetam Zare

vShield App Firewall Rules : L2 and L3 rules

Firewall Protection Through Access Policy Enforcement

The App Firewall Tab Represents The vShield App Firewall Access Control List.

L2 Rules Monitor

• ICMP, IPv6, PPP, ARP traffic.

L3 Rules Monitors

• DHCP, FTP, SNMP HTPP.

• L3 rules also monitors application specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP)

You can configure Layer 3 and Layer 2 rules at the datacenter level only.

By default, all L3, and L2 traffic is allowed to pass.

74 Preetam Zare

Hierarchy of vShield App Firewall Rules

Enforced Top to Bottom

The first rule in the table that matches the traffic parameters is enforced.

System defined rules can’t be deleted or add, you can only change the action element i.e. to Allow (default) or Deny

75 Preetam Zare

In Layer 2 –High Precedence rules are applied first

1

In Layer 2 –Low Precedence rules

are applied Second

2

In Layer 2 –System Defined rules are

applied last

3

All Layer 3 Rules Are Applied Second

2

All Layer 2 Rules Are Applied First

1

In Layer 3 –High Precedence rules are applied first

4

In Layer 3 –Low Precedence rules

are applied Second

5

In Layer 3 –System Defined rules are

applied last

6

76 Preetam Zare

Container-Level and Custom Priority Precedence

77 Preetam Zare

How to define Firewall Policy Rule

Firewall policies contains 5 pieces of information

78 Preetam Zare

vSphere Groupings

vSphere groupings can also be based on network objects, specifically port groups and VLANs

79 Preetam Zare

Firewall Rules Example 1: Using vSphere Groupings

When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

80 Preetam Zare

Firewall Rules Example 2: Using vSphere Grouping

81 Preetam Zare

How To Create A Firewall Rule –Step 1

82 Preetam Zare

How To Create A Firewall Rule –Step 2

Enter source

Enter Destination and other details

83 Preetam Zare

How To Create A Firewall Rule –Step 2 Contd

Server inside "WinXP01-

Server18" group

Server outside "Fort" datacenter

Server Inside "WinXP01-Server18" group cannot access system outside Fort datacenter on RARP protocol, this traffic is logged.

84 Preetam Zare

How To Create A Firewall Rule –Step 3 Publishing Rule

85 Preetam Zare

Create rule using MAC Set and IP Set

You can also define rules based on MAC and IP Set.

Where do we use this type of rules?

• When you want to configure a rule based on virtual machine identity i.e. MAC Set, IP Set and Port Group.

• In this case even if Virtual machine follows any part of resource pool, rule will always apply.

• Same is not true when you define rules based on resource pool, vApp or cluster. The moment VM is moved from the resource pool to another resource pool, rule no longer applies.

86 Preetam Zare

Creating MAC Set

Scope field is automatically selected1. Enter Name of the group2. Optionally enter description3. Enter MAC Addresses as shown in below screen. 4. Press Ok

87 Preetam Zare

Creating IP Set

Scope field is automatically selected1. Enter Name of the group2. Optionally enter description3. Enter IP Addresses as shown in below screen. 4. Press Ok

88 Preetam Zare

After MAC Set is created

Below screen shows when the group configuration is complete. You use Edit and Delete button to change the IP/MAC set

89 Preetam Zare

vSphere Grouping -Example

WinXP01-RuleSet

192.168.1.105 192.168.1.125

Medical Records

Resource Pools

90 Preetam Zare

Creating rule based on IP/Mac Set

Select datacenter, on right hand side select Layer 3 rule (IP set) or layer 2 rule (MAC set) here.

Select add rule and enter the details as shown next slide

91 Preetam Zare

Anything inside Medical Records cannot access IP's defined inside

rule "WinXP01-Server18-IP i.e.192.168.1.105, 192.168.1.125

If you select outside, then medical records can access only IP's defined

inside rule "WinXP01-Server18-IP

92 Preetam Zare

Creating Security Group –Step 1

93 Preetam Zare

Creating Security Group –Step 2

NIC level grouping is

possible

94 Preetam Zare

Creating Rule based on Security Group

Press Ok

Publish the rule

95 Preetam Zare

Rule based vSphere Security Group –Port Group

Logical Rule translates into physical world explained below

Even if the VM’s are same Datacenter, Cluster, ESXi, Resource Pool or vApp they cannot communicate

96 Preetam Zare

Advantages of Security Groups

vShield App allows you to create custom containers known as security groups.

You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then, you can use the security group in the source or destination field of an App Firewall rule.

The key benefit of security groups is the ease of creating different trust zones.  Whether through the use of vSphere objects or through the use of manually configured security groups, the key benefit is ease of protection and quality of protection through the use of logical zoning as opposed to carving up a network to provide network isolation.

97 Preetam Zare

Best Practices: Firewall Rules

Create Firewall Rules That Meet Your Business & Security Needs

Identify source and destination. Take full advantage of vSphere Grouping

Use vSphere Security group only when you create rule based on vSphere Grouping

By default vShield FW allows incoming and outgoing traffic, As a best practice you may want to deny all traffic

98 Preetam Zare

Building Firewall Rules

Option A: More Restrictive

• vShield installs with default “allow” rule

• Build rules based on Application/Vendor’s port guide

• Monitor, document, validate traffic flows via vShield Flows

• Adjust rules as necessary

• Change default rule to “deny”

Option B: Less Restrictive

• vShield installs with default “allow” rule

• Build rules between communicating VMs

• Allows all traffic between selected VMs

• Monitor, document, validate traffic flows via vShield Flows

• Adjust rules as necessary

• Change default rule to “deny”

99 Preetam Zare

Logging and auditing

vShield App has its own logging mechanism.

Logging can be great help in troubleshooting app appliance.

Auditing of traffic which was either allowed or blocked can be configured per rule set. You’ve to enable logging for every rule you configure.

Logs are captured and retained for one year. Logs more than one year are overwritten.

Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore, it is a

good idea to be selective of the rules that you want to log.

100 Preetam Zare

vShield Manager event logging –Audit Logs

All the actions performed by all vshield users is captured in events and available for audit.

Logging is done for operations related to system.

E.g. appliance is

down/rebooted or

unreachable. If the app

appliance is unreachable it

will be unreachable to vshield

manager.

101 Preetam Zare

vShield Manager event logging –Audit Logs

Events are further categorized as informational or critical as shown below

102 Preetam Zare

All vShield App configuration

parameters are available only when you select host on

left hand side

103 Preetam Zare

Configuring Syslog Server for vShield App Contd…

Three log levels are available1. Alert2. Emergency3. Critical

If you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.

104 Preetam Zare

Interpreting Logs Of Traffic Rule –Example 1

proto= protocol

vesxi27=host at which alerts are observed

L2=Layer2 protocol

DROP=traffic is dropped

105 Preetam Zare

Interpreting Logs Of Traffic Rule –Example 2

proto= ICMP protocol

vesxi27=host at which alerts are observed

L3=Layer3 protocol

DROP=traffic is dropped

106 Preetam Zare

Reverting to previous vShield App Firewall configuration

Automatic mechanism to create backup of firewall rules configuration

vShield Manager takes snapshots each time new rule is committed

Previous configuration can be easily reverted via drop down menu

107 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

108 Preetam Zare

Role-Based Access ControlNew in vShield Manager 5.0

Confidential

Super user (admin)

vShield admin

Security admin

Auditor

vShield operations and security: Everything related to vShield product

Role Privilege Summary

vShield operations only: installation, configuration of virtual appliances, ESX host modules, etc.

vShield security only: Policy definition, reports for edge, app, endpoint, data security

Read-only access to vShield operations and security settings

109 Preetam Zare

RBAC: Scope

Role-based access control (RBAC) enables clear separation of workflow for virtual infrastructure and security administrators. RBAC provides flexibility in

delegating administration across resource pools and security groups, improving security of applications and data.

To vSphere Administrators

To vSphere Administrators

110 Preetam Zare

LAB/DEMO

Firewall Lab

Reverting To Previous Vshield App Firewall Configuration

User Creations And Configurations

111 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

112 Preetam Zare

Spoof Guard

Why to use spoof guard?

• To reduce man in the middle attack which is referred as IP & MAC Spoofing

How does it work?

• VM’s IP addresses are collected during synchronization cycle that happens between vshield and vCenter via vSphere API.

• If the IP address is modified in the VM and it doesn’t matches with the Spoof Guard collected data, VM is isolated and not allowed to communicate outside.

• It works in datacenter context and it disabled by default

113 Preetam Zare

Enable Spoof Guard

Click Edit to enable it. Select Enable first and then select the option as per your requirement.

114 Preetam Zare

Spoof Guard – IP Address Monitoring and Management

IP Address is collected can be monitored and manage automatically or manually

1. Automatically Trust IP Assignments On Their First Use- IP is gathered when first time VM is powered ON. This data is read via VMware tools.

- Once the list is populated it is push down to vShield app virtual appliance, which then inspects every packet originating out of a network adapter for the prescribed IP. If these do not match, the packet is simply dropped.

- This operates separately from app firewall rules.

2. Manually Inspect and Approve All IP Assignments Before Use

- In this mode all traffic is block until you approve MAC-to-IP address assignment.

NB: SpoofGuard inherently trusts the MAC addresses of virtual machines from the VMX files and vSphere SDK.

115 Preetam Zare

Spoof Guard : View and Approve IP

Lists the IP addresses where the current IP address does not match the published IP address.

IP address changes that require approval before traffic can flow to or from these VM

List of all validated IP addresses

116 Preetam Zare

Contd … Spoof Guard –View and Approve IP

117 Preetam Zare

Agenda• Introduction to vShield Suite

• vShield Manager Installation, Configuration and Administration

• Planning and Installation of vShield App

• vShield App Flow Monitoring

• vShield App Firewall Management

• vShield App Spoof Guard

• Role Based Access Control (RBAC) Model of vShield

• Deployment & Availability consideration of vShield App

118 Preetam Zare

vShield Manager Deployment Consideration

Do not host vShield manager on the same cluster which it is responsible to manage. If vShield Manager is deployed within the infrastructure it is protecting you will suffer circular dependencies*.

E.g. An inadvertent configuration error could result in a unmanageable environment if the vShield Manager appliance were to loose connectivity or were prevented from communicating with other components due to a misconfigured security policy

You cannot use VMware FT to protect vShield manager if vShield app is deployed. This only applies if vShield app is deployed from the vShield manager in question

A vShield manager instance must be deployed for each vCenter in use

* Starting vShield 5.0.1 you can exclude vShield manager from the host.

119 Preetam Zare

Enter inside VMX file

120 Preetam Zare

vShield Manager Placement Consideration – Option 1

Management Cluster

Edge App FW Edge App FW

Production Cluster

vCenter 5.0

vShield Manager

AD/DNS/DHCP

VCDB/VUMDB

vSphere 5.0

Shared Management Cluster Model isolates the management

from being impacted by Production Cluster hardware failure issues.

vSphere 5.0

• vCenter Server/Appliance• vCenter Database• vShield Manager• vCenter Update Manager• Active Directory• DNS• Syslog Server

Highly

Recommended

121 Preetam Zare

vShield Manager Deployment Consideration – Option 2

EdgeApp FW Edge

App FW

Production Cluster B

vSphere 5.0

Cross-Managed Cluster Model will provide isolation similar to management cluster

EdgeAppFW Edge

App FW

Production Cluster A

vSphere 5.0

vCenter 5.0

vShield Manager

vCenter 5.0

vShield Manager

122 Preetam Zare

vShield Manager Deployment Consideration – Option 3

Edge App FW Edge App FW

Production Cluster

vCenter 5.0vShield Manager

vSphere 5.0

Single cluster model with vShield Manager exclusion*

DisablesvApp

Protecting using

Exclusion list

123 Preetam Zare

VM Exclusion introduced in vShield 5.0.1

With 5.0.1, there is now a option to exclude VM. This has the effect of disabling all vShield App protection for the excluded VM including Spoof Guard

This exclusion list is applied across all vShield App installations within the specified vShield Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection.

The vShield Manager and service virtual machines are automatically excluded from vShield App protection.

Caveat: A caveat is that the MAC/IP pairs for excluded VM will still show up in the Spoof guard tab of the UI, even though the functionality is disabled.

124 Preetam Zare

How to Exclude VM from vShield App

125 Preetam Zare

After FailSafe is enabled, VM’s are powered ON are

fast suspended and resumed, while Powered

OFF VM’s are just reconfigured

126 Preetam Zare

VMX entry for Web01 before

FailSafe is enabled

VMX entry for Web01 After FailSafe is

enabled

127 Preetam Zare

vShield App Deployment Consideration

vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to.

Renaming vShield App security virtual machine is not supported. Doing so it will render it unmanageable as vShield Manager uses the name it assigned at the point of provisioning to manage the vShield App security virtual machine

Use vShield app security groups to tier servers of same functions (DC, Webserver, DB Server etc.). This will simplify firewall configuration and rules

128 Preetam Zare

Availability ConsiderationvShield App

129 Preetam Zare

Availability Considerations: vShield Manager

What If vShield Manager appliance is unavailable

• First and foremost zero impact

• All existing rules of vShield App are enforced

• Logs are sent to syslog server

• Only impact is, New rules or changes to existing rules cannot be made

• In addition, the flow-monitoring data might be lost, depending on the duration of the failure.

• vShield Manager backup can be used to restore via backup

What If host which is hosting vShield Manager appliance is unavailable

vShield manager is HA and DRS aware and can take full advantage of it. In this case

vShield Manager will automatically restart to another host

130 Preetam Zare

Availability Considerations: vShield App

What If vShield App appliance is unavailable

• All traffic to and from the protected virtual machines hosted on the host on which vShield App was running is blocked *

• At process level, built-in watch dog restarts the failed processes

• VMware HA virtual machine monitoring will detect (via VMware tools and network packets) and restart fail vshield app.

• vCenter Alarm is triggered if VM migrates onto a host where vShield Appliance is not installed

What If host which is hosting vShield App appliance is unavailable

DRS is disabled for vShield App

Except for vshield App VM, protected VM’s are restarted on another host and they get

automatically protected assuming the host is installed with vShield App

* From vShield 5.0.1 , you have option to disable this behavior, though strongly not recommended

131 Preetam Zare

vShield App: DRS and HA Settings

The HA restart priority for the vShield App appliance is set to high. This is to ensure it is the first to restart during failure over event. It makes sure that its running before the VMs its protecting .

vShield vApp should never be moved to another host. Therefore during installation DRS is automatically disabled for vShield vApp

If the host is put in maintenance mode, vShield App automatically shuts down and automatically restarts when host exits maintenance mode.

You cannot use FT to protect vShield Manger when vShield App is deployed, vShield Manager used linked clones and snapshots as part of the deployment process for the vShield Firewall Service Appliance virtual machines.

132 Preetam Zare

Verifying vShield App Installation – HA Restart Priority

133 Preetam Zare

Verifying vShield App Installation –DRS is Disabled

134 Preetam Zare

vShield App Industry Best Practices

vShield App provides security protection for virtual machines

Firewall rule groups will need to be translated from the old firewall into vShield Manager

Set up roles and responsibilities within vShield Manager that only allow the minimum of permissions to perform required functions by administrators.

• E.g. Give vSphere Administrator ability to install vShield Suite via vShield Admin role and ability view rule via Auditor Role

Ensure audit logs are reviewed regularly

135 Preetam Zare

Contd .. vShield App Industry Best Practices

Define a thorough test plan

Penetration testing and external auditing

Consider creating an application group that contains the ports

• For example you might create an application group called WEB containing both TCP 80 and 443.

Ensure that vShield Edge and vShield App appliances send all their logs to a centralized Syslog server or infrastructure.

Consider mirroring the logs to an alternate site

136 Preetam Zare

Contd … vShield App Industry Best Practices

Use the vShield REST API’s to back up the firewall rule base .

Use the REST API’s to turn off rule logging when troubleshooting and implementation processes are complete unless there is a reason to leave it enabled.

If you are replicating the infrastructure to a DR site ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to ensure the rule base is up to date.

Updates and changes to the DR site can be automated using the vShield REST API’s, which can also be integrated with VMware vCenter Site Recovery Manager.

vShield App and Host Profiles

137 Preetam Zare

Agenda –vShield Edge

• Planning and Installation of vShield Edge

• vShield Edge Services

• DHCP

• NAT

• Firewall

• VPN

• Load Balancing

• Static Routing

• Scenarios

• Deployment and Availability Considerations

138 Preetam Zare

Introduction

Protects the edge of infrastructure

Common Gateway Services

• DHCP

• VPN

• NAT

• Static Routing

• Load Balancing

Common Deployment Models

• DMZ

• VPN Extranets

• Multi-Tenant Cloud Environment

139 Preetam Zare

Logical View of vShield Edge

Network Isolation happens at Port

group Level

140 Preetam Zare

Port group Isolation based on VLAN

With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration.

Isolation of virtual machines is provided exclusively by VLANs in Layer 2.

When To Use VLAN Isolation

When to use Network infrastructure build around VLANs Physical machines need to participate in

protected network

Virtual Switch Support vSS vDS Cisco nexus 1000v

141 Preetam Zare

VMware vSphere

Internet FacingVLAN-108PG-CORP1 (VLAN-126)

Access Aggregation layer

PG-CORP2 (VLAN-135)

VLAN-126

VLAN-135

VLAN-108

EX

TE

RN

AL

INT

ER

FAC

E

INT

ER

NA

LIN

TE

RFA

CE

EX

TE

RN

AL

INT

ER

FAC

E

INT

ER

NA

LIN

TE

RFA

CE

142 Preetam Zare

vCloud Director Network Isolation

VM Identity is used to isolate a group of VMs from other VMs

All VM’s on Single Layer-2 domain but are isolated by assigning them to different port groups

Traffic between VMs in the same port group is allowed, but traffic between VMs across different port groups is not allowed by a virtual switch

This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), but not on a standard switch (vSS) or Cisco Nexus 1000V

143 Preetam Zare

vCDNI -Communication Between Tenants Across The Host

The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.

144 Preetam Zare

vCDNI -Communication Between Tenants Within The Host

VMs traffic is isolated from each other because they are on different secured, port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.

145 Preetam Zare

vCDNI –VM’s Communication of same Tenant

VM’s Freely need to communicate without need to go through vShield Edge VM and Provider VLAN

146 Preetam Zare

Advantages of vCloud Director Network Isolation (vCDNI)

Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale.

Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs.

Finally, a key advantage that cloud network isolation has over VLAN isolation is that cloud network isolation does not need any complex configuration at the Aggregation layer.

147 Preetam Zare

Protecting Extranet: VPN Services

148 Preetam Zare

vShield Edge: DHCP Services

149 Preetam Zare

vShield Edge: NAT Services

150 Preetam Zare

vShield Edge Services: Load Balancer Services

151 Preetam Zare

vShield Edge Services: Firewall Services

152 Preetam Zare

vShield Edge Firewall Rules and Direction

EXTERNAL INTERFACE

INTERNAL INTERFACE

Incoming Traffic on both the Interfaces is blocked by default

Outgoing Traffic on both the Interfaces is allowed by default

EXTERNAL INTERFACE: OUTGOING

INTERNALINTERFACE:OUTGOING

vShield EdgeEXTERNAL

INTERFACE:INCOMING

INTERNAL INTERFACE: INCOMING

153 Preetam Zare

vShield Edge Firewall Rules and Direction -Example

Internal Interface

External Interface

PRIVATE PORT

GROUP 172.16.1.0/24 Subnet

Traffic incoming172.16.2.0/2

4 Subnet

154 Preetam Zare

VSHIELD EDGE SERVICES – STATIC ROUTING

Most networks have a single router called the default gateway . If a network has a default gateway, the nodes on the network can send traffic to the gateway and the gateway will then forward the traffic to the destination.

All machines in a network have a routing table. A Routing table is a list of destination networks and the router that carries traffic to that destination.

Manually adding routes to a routing table is called static routing.

Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for. The nodes store this information in their routing table.

In a network, you can create a static routing either internal network or external network.

155 Preetam Zare

Static Routing between two vApp

APPLICATION 1 APPLICATION 2

PG- PUBLIC

PG- APP-1 PG- APP-2

Internal Interface Internal Interface

External Interface External Interface

172.16.1.10

172.16.2.1

192.168.1.233192.168.1.232

172.16.2.10

172.16.1.1

156 Preetam Zare

Installing vShield Edge for Application 1

Installing vShield Edge

Application for APP1

157 Preetam Zare

vShield Edge Installed for for Application 1 and Application 2

158 Preetam Zare

Configure Static Route for APP1 Network

It is the network APP1 want to reach

It is the gateway of Destination

network

159 Preetam Zare

Configure Static Route for APP2 Network

It is the network APP2 want to reach

It is the gateway of Destination

network

160 Preetam Zare

Static Route Set Up for APP1 & APP2 Network

APPLICATION 1 APPLICATION 2

PG- PUBLIC

PG- APP-1 PG- APP-2

Internal Interface Internal Interface

External Interface External Interface

172.16.1.10

172.16.2.1

192.168.1.233192.168.1.232

172.16.2.10

172.16.1.1

161 Preetam Zare

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other

APPLICATION 1

APPLICATION 2

PG- PUBLIC

PG- APP-1PG- APP-2

Internal Interface Internal Interface

External Interface External Interface

172.16.1.10

172.16.2.1

192.168.1.233192.168.1.232

172.16.2.10

172.16.1.1

Outgoing Traffic allowed by default

162 Preetam Zare

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other

APPLICATION 1

APPLICATION 2

PG- PUBLIC

PG- APP-1PG- APP-2

Internal Interface Internal Interface

External Interface

External Interface

172.16.1.10

172.16.2.1

192.168.1.233

192.168.1.232

172.16.2.10

172.16.1.1

163 Preetam Zare

Rules defined at APP-1 FW

Rules defined at APP-2 FW

164 Preetam Zare

Ping and Tracert request from

APP1 VM

165 Preetam Zare

Ping and Tracert request from

APP2 VM

166 Preetam Zare

How To Configure NAT Services

SCENARIO

Customer wish to access Web Server Web01 which sits inside the DMZ network of CORP A

Web Server Web01 sits in 10.1.1.x/24 network and has been assigned IP by vShield Edge DHCP Services as 10.1.1.10

Customer’s wants to access Web Server Web01. Customer network is 192.168.1.x/24

We can configure NAT

167 Preetam Zare

vShield Edge Configured to Meet Customer Scenario

10.1.1.11

Internal Interface: 10.1.1.1

Private SwitchvSwitch Connected to External

NetworkExternalINTERNAL

192.168.1.x10.1.1.10

External Interface:

192.168.1.135vShield

Edge

1. DCHP Service

2. NAT Service3. FW Rules

Web01Web02

168 Preetam Zare

Configure DHCP

169 Preetam Zare

Use SNAT when Internal IP needs to be translated into External IP.

Use DNAT when External IP needs to be translated into Internal IP.

170 Preetam Zare

Open Firewall Ports to allow NAT Traffic

171 Preetam Zare

10.1.1.11

Internal Interface: 10.1.1.1

Private SwitchvSwitch Connected to External

NetworkExternalINTERNAL

192.168.1.x10.1.1.10

External Interface:

192.168.1.135vShield

Edge

1. DCHP Service

2. NAT Service3. FW Rules

Web01Web02

172 Preetam Zare

vShield Edge Deployment Considerations

Only HTTP(80) round-robin load balancing is currently supported

Each vShield Edge instance supports up to a maximum of 10 site-to-site VPN sessions

VMware strongly recommends you protect vShield Edge appliances using HA and DRS features. In the event of a cluster host going offline while running vShield Edge appliance, the appliance is restarted on another host in the cluster

173 Preetam Zare

Traditional Layer2 Segmentation

PG 1VLAN 11

PG 2VLAN 12

PG 3VLAN 13

vSwitch/vDS

Physical Switch

174 Preetam Zare

Cloud Network Isolation (CNI) Segmentation

PG 1VLAN 1

PG 2VLAN 1

PG 3VLAN 1

vDS

Physical Switch

VMs on one PG cannot talk to VMs on another PG at Layer 2. Even if they share same VLAN

175 Preetam Zare

Method 1 –Using VLAN per organization

HOST 1 HOST 2

ORG A : LAN 72 ORG B : LAN 81

ORG C : LAN 72 ORG C : LAN 72

ORG A : LAN 72 ORG B : LAN 81

Internet Facing

176 Preetam Zare

Method 2 –Using Mixed Trust Model

Multi Tenant

Single Tenant

ORG A : LAN 72 ORG B : LAN 81

ORG C : LAN 63

PC

I

HIP

PA SO

X

Internet Facing

ORG Z : LAN 54

177 Preetam Zare

Method 3 –Single VLAN Multi Tenant

Internet Facing

Tenant-2

PC

I

HIP

PA SO

X

ORG Z : LAN 54Tenant-1

Ma

il

DB

A

We

bORG Z : LAN 54

Internet Facing

CNISingle VLANSegmentation via App

178 Preetam Zare

Performance Statistics

179 Preetam Zare

Difference between vShield Edge and vShield app

vShield Edge vShield App

Deployed per port group Deployed per host

Enforcement between virtual datacenter and untrusted networks

Enforcement between VMs

Change - aware

Stateful, application level firewall

Five-tuple rule based policies

Site to Site VPN (IPSEC), DHCP, NAT, Firewall, Load Balancing, Cloud Network Isolation

Hypervisor-based firewall, flow monitoring, security groups

180 Preetam Zare

Can firewall rules be backed up and restored? How?

There are multiple methods to backup firewall rules. The recommended methods are:

• via vShield Manager user interface

• via REST APIs, which can be scripted/automated

You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup.

VI administrators can use REST APIs (accessible via web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.

181 Preetam Zare

REST API -BASICS

The vShield REST API uses HTTP Requests

HTTP Requests are often executed by a script or higher level language

vShield REST API Workflows

• Make an HTTP Request (Typically GET,PUT,POST or DELETE) against vShield Manager URL

• Response could be XML or HTTP Response code

• XML Response is generally a link or other information about the state of object

• HTTP Response code indicates whether the request is succeeded or failed.

vShield Manager requires TCP port 80/443 to be opened for the vShield REST API request to pass through

182 Preetam Zare

Executing REST API using REST Client

183 Preetam Zare

184 Preetam Zare

185 Preetam Zare

186 Preetam Zare

Working with IP Sets using vShield REST API

187 Preetam Zare

Reading IP Sets

https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-2

https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-81

188 Preetam Zare

189 Preetam Zare

XML Format to Create IP Set

<ipset><objectId />

<type><typeName />

</type><description>

New Description</description>

<name>TestIPSet2</name><revision>0</revision><objectTypeName />

<value>10.112.201.8-10.112.201.14</value></ipset>

POST https://<vsm-ip>/api/2.0/services/ipset/datacenter-2

Automatically created

190 Preetam Zare

Create IP Set

191 Preetam Zare