© 2010 VMware Inc. All rights reserved
Confidential
vShield App and vShield Edge
Planning, Installation and Designing based on 5.0.1
From Preetam Zare, http://vcp5.wordpress.com, http://vShieldSuite.wordpress.com
2 Confidential Preetam Zare
Agenda – vShield App
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration
Agenda – vShield Edge
• Planning and Installation of vShield Edge
• vShield Edge Services
  – DHCP
  – NAT
  – Firewall
  – VPN
  – Load Balancing
  – Static Routing
• Scenarios
• Deployment and Availability Considerations
Data Center needs to be secured at different levels
Perimeter Security – at the vDC Edge, prevent unwanted access
• Firewall, VPN
• Load balancers
Internal Security – segment your services
• VLAN or subnet based policies
• Interior or Web application Firewalls
End Point Security – protect your data
• Anti-virus
• Data Leak Protection
Cost & Complexity
• Sprawl: hardware, FW rules, VLANs
• Rigid FW rules
• Performance bottlenecks
Why Security in Virtualized Datacenter?
Network security devices become chokepoints
Capacity is never right-sized
No intra-host virtual machine visibility
Audit trails are lacking
Physical topologies are too rigid
Current Security is static
Traditional vSphere Infrastructure Setup Without vShield
Figure: Company A, Company B and Company C each run their own vSphere 5.0 hosts behind a dedicated stack of physical devices (VPN gateway, switch, load balancer, firewall, L2-L3 switch) connected to the Internet.
vShield Product Family
Securing the Private Cloud End to End: from the Edge to the Endpoint
• Edge – vShield Edge: secure the edge of the virtual datacenter
• Security Zone – vShield App: create segmentation between workloads; sensitive data discovery
• Endpoint (= VM) – vShield Endpoint: anti-virus processing
• vShield Manager: centralized management
What Is vShield Edge?
vShield Edge secures the perimeter, the “edge”, around a virtual datacenter.
Common vShield Edge deployments include:
• Protecting the Extranet
• Protecting multi-tenant cloud environments
Figure: one vShield Edge secure virtual appliance (VPN, load balancer, firewall) in front of each tenant (Tenant A, Tenant C, Tenant X) on VMware vSphere.
vShield Edge Capabilities
Edge functionality
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPSec)
• Web Load Balancer
• (NEW) Static Routing
• (NEW) Certificate mode support for IPSEC VPN
Management features
• REST APIs for scripting
• Logging of functions
Securing the Data Center Interior with vShield App
Key Benefits
• Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster.
• Intuitive business-language policy leveraging the vCenter inventory.
vShield Endpoint – Offload Anti-virus Processing for Endpoints
Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Improve VM performance by eliminating anti-virus storms
• Reduce risk by eliminating agents susceptible to attacks
• Satisfy audit requirements with detailed logging of AV tasks
Cloud Infrastructure Security – Defense in Depth
First Level of Defense – vShield Edge
• Threat mitigation; blocks unauthorized external traffic
• Suite of edge services
• Secures the edge of the vDC
Zoning within the ORG – vShield App
• Policy applied to VM zones
• Dynamic, scale-out operation
• VM context based controls
Compliance Check – vShield App with data security
• Discover PCI, PHI, PII sensitive data in the virtual environment
• Compliance posture check
AV agent offload – vShield Endpoint
• Attain higher efficiency
• Supports multiple AV solutions
• Always ON AV scanning
Figure labels: Coke, Pepsi.
vShield Manager Introduction
The vShield Manager console acts as the central point to install, configure and maintain vShield components, e.g. vShield Edge, vShield App and vShield Endpoint.
vShield Manager is pre-packaged as an OVA appliance.
The vShield Manager OVA file includes the software to install vShield Edge, vShield App and vShield Endpoint.
vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory.
vShield Manager – Central Management Console
Figure: vCenter, vShield Manager and the vShield Manager client on the management network in front of the vSphere hosts.
• Central point of management.
• Holds the RBAC model, stores flow data and manages the rule base.
• Automatic deployment of the vShield App appliance via vShield Manager.
• You can connect to vShield Manager directly via the web interface or via the vCenter plug-in.
vShield Manager Communication Paths
Figure: ports used between vShield Manager and the other components (the legend distinguishes paths enabled by default from paths disabled by default):
• TCP 443 – vCenter, vSphere Client and vShield web console connections (HTTPS)
• TCP 902/903 – access to the ESXi host
• TCP 22 – SSH access to the CLI (vShield Manager and the vShield App appliance)
• TCP 80/443 – REST API
• UDP 123 – time synchronization (NTP)
vShield Manager Requirements
Virtual Hardware Summary
Memory: 3 GB
CPU: 1
Disk: 8 GB
Software: vShield OVA file
Web Browser: IE 6.x and later, Mozilla Firefox 1.x and later, Safari 1.x and 2.x
For the latest interoperability information check http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php
Latest interoperability
Permissions
Permission to add and power on virtual machines
Access to the datastores where the vShield Suite will be deployed
DNS reverse lookup entries work for all ESXi hosts
vShield Manager Installation
Multi-step installation process:
1. Obtain the vShield Manager OVA file
2. Install the vShield Manager virtual appliance
3. Configure the network settings of the vShield Manager
4. Log on to the vShield Manager interface
5. Synchronize the vShield Manager with the vCenter Server
6. Register the vShield Manager plug-in with the vSphere Client
7. Change the default admin password of the vShield Manager
Steps to Install vShield Manager
Open the vSphere Client, click the File menu and select Deploy OVF Template as shown below.
Browse to locate the OVA file
A new window opens asking for the OVF file; in our case it is an OVA file. Select Browse and locate the OVA file you downloaded from VMware’s site.
After selecting the OVA file, press Next. The OVA file’s metadata is read and you will see the screen below.
Enter a name for the vShield Manager virtual machine and select the location as shown below.
Select Datastore
It is strongly recommended to select a shared datastore so that vMotion, DRS and HA functionality can be used during planned and unplanned downtime.
Select disk format
Review the settings and close OVF templates
Virtual Machine Properties
Warning: Don’t upgrade VMware Tools on vShield Manager appliances
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.
Configure the Network Settings of the vShield Manager
Initial network configuration (IP address, default gateway and DNS) must be done via the CLI.
Right-click the vShield Manager appliance and select Open Console.
Contd… Configure the Network Settings of the vShield Manager
Enter IP, Default Gateway and DNS Details
1. To enter enabled mode, type ‘enable’
2. To start the wizard, type ‘setup’
3. Enter the IP details
4. Finally, press ‘y’ to confirm the settings
Contd … Enter IP, Default Gateway and DNS Details
Getting Familiar With the vShield Manager Interface
Open a web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session.
Log in to the vShield Manager user interface using the username admin and the password default.
Synchronizing the vShield Manager with the vCenter
• Enter the vCenter details and press Save
• Don’t select this (see the screenshot)
• Follow the Domain\Username format if the user is a domain user
• Register the vCenter extension to access vShield Manager within vCenter
After vShield Manager and vCenter Are Connected
After the sync is completed, the vCenter data is populated as seen in the screen below.
On the right-hand side of the screen we see confirmation that the vSphere inventory was successfully updated.
vShield Manager doesn’t appear as a resource in the Inventory panel of the vShield Manager user interface.
Contd …After vShield Manager and vCenter Are Connected
Configure Date/Time for vShield Manager
Generate Tech Support Bundle
System Resource Utilization Of vShield Manager
Backup vShield Manager Configuration
You can back up the configuration and transfer it to a remote backup server over FTP.
For a one-time backup, Scheduled Backups must be Off.
Screenshot callouts: Schedule Backup; Backup Directory on FTP Server.
Backup vShield Manager Configuration – Backup files
Screenshot callouts: Backup Directory on FTP Server; vShield Manager backup files on the FTP server.
vShield Manager via Web Browser vs. vSphere Client Plug-in
You can manage vShield appliances from the vShield Manager user interface, and also from the vSphere Client.
It is your choice, whatever works best for you.
Functions that you cannot access from the vSphere Client include:
• Configuring the vShield Manager’s settings
• Backing up the vShield Manager’s database
• Configuring the vShield Manager’s users
• The vShield Manager’s system events and audit logs
• Configuring vShield App’s Spoof Guard, Fail Safe mode and VM exclusion list
DEMO/LAB vShield Manager
vShield App Architecture
Hypervisor-Level Firewall
• Inbound/outbound connection control enforced at the virtual NIC level
• Dynamic protection as virtual machines migrate
• Protection against ARP spoofing
Figure: vCenter Server, vSphere Client and vShield Manager managing a vShield App on each ESXi host.
Before vShield App is Deployed
Figure: VMs on a vSphere host connect directly to the vSwitch/vDS switch.
After vShield App is Deployed
Figure: the vShield hypervisor module sits between the VMs and the vSwitch/vDS switch; all VM traffic is passed via the LKM (loadable kernel module) and inspected by the vShield FW.
Deploying vShield App
Figure: vShield Manager deploys a vShield App appliance to each ESXi 5.0 host through vCenter 5.0; the administrator works through a browser-based session or a vSphere Client based session.
Install vShield Component Licenses
vShield App Installation Requirements
You must meet the following requirements:
• Deploy one vShield Manager system per vCenter Server
• Deploy one vShield App instance per ESXi host
• You must be using vCenter Server version 5.0
• You must have the vShield Manager OVA file
Hardware Summary
Memory: 1 GB (automatically reserved)
CPU: 2 vCPU
Disk Space: 5 GB
Contd … vShield App Installation Requirements
vCenter Privileges:
• Access to the vSphere Client
• Ability to add and power on virtual machines
• Ability to access the datastore holding the virtual machine’s files, and to copy files to this datastore
Make sure that cookies are enabled in order to access the vShield Manager.
Web browser versions:
• Internet Explorer 6.x and later
• Mozilla Firefox 1.x and later
• Safari 1.x or 2.x
Steps to Install vShield App
Select Installation Parameters for vShield App
Warning displayed: this port group must be able to reach the port group that the vShield Manager is connected to.
vShield Installation In Progress
vShield App Hardware Configuration
The vShield App virtual machine name is always suffixed with the name of its ESXi host.
Verifying vShield App Installation
Verifying vShield App Installation –Memory reservation
Verifying vShield App Installation – Virtual Machine Protection
Protected VMs show a “protected” icon. This is only visible via the web interface.
Verifying vShield App Installation –vShield App FW status
vShield App Packet flow
1. The VM on Host 1 sends the packet out as part of the Telnet protocol; it is intercepted by the virtual network adapter-level firewall and forwarded to the vShield App on that host.
2. The vShield App appliance inspects the packet. If the security profile allows the packet to flow through, the packet is sent back to the virtual network adapter-level firewall.
3. The virtual network adapter-level firewall sends the packet to vSwitch port group PG-X.
4. The vSwitch looks up the MAC address and accordingly sends the traffic out on the uplink port of Host 1.
5. The external infrastructure, which involves physical switches, carries this packet on VLAN 1000.
6. The external switch sends the packet to the Host 2 network adapter based on its MAC address table.
7. The vSwitch on Host 2 receives the packet. It looks up the MAC address and accordingly sends the traffic to the virtual machine on Host 2.
8. The virtual network adapter-level firewall on Host 2 intercepts the packet and forwards it to the vShield App appliance for inspection.
9. The virtual network adapter-level firewall sends the packet to the VM.
Flow Monitoring Introduction
Inter-virtual Machine Communications
All traffic of a protected virtual machine is directed through the virtual network adapter-level firewall, which is what lets the vShield App FW read the packets moving in and out of virtual machines.
Data is displayed in:
• Graphical format
• Tabular format, further divided into allowed and blocked traffic as shown in the next slide
Flow Monitoring –Tabular Format
The data displayed below can be used to learn the type of traffic flowing in and out of a VM. This data can then be used to create allow or block rules.
Flow Monitoring – View And Interpret Charts And Reports
Flow Monitoring – Traffic categorization based on Protocol/Application
Flow Monitoring – Key advantages
Analysis of inter-VM traffic can be done easily.
You can dynamically create rules right from the flow monitoring console.
This can be of great help for debugging network-related problems, as you can enable logging for every individual virtual machine on an as-needed basis.
DEMO/LAB: Installing vShield App & Flow monitoring
Introduction to vShield App Firewall
• vNIC-level firewall
• vShield App installs as a hypervisor module and a firewall service virtual appliance
• Places a firewall filter on every virtual NIC
• IP-based stateful firewall
• No network changes or IP changes
• vShield App can create and enforce logical (i.e. not just VLAN or physical subnet) application boundaries all the way down to layer 2
vShield App Firewall Rules: L2 and L3 rules
Firewall Protection Through Access Policy Enforcement
The App Firewall tab represents the vShield App firewall access control list.
L2 rules monitor
• ICMP, IPv6, PPP, ARP traffic.
L3 rules monitor
• DHCP, FTP, SNMP, HTTP.
• L3 rules also monitor application-specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP).
You can configure Layer 3 and Layer 2 rules at the datacenter level only.
By default, all L3 and L2 traffic is allowed to pass.
Hierarchy of vShield App Firewall Rules
Rules are enforced top to bottom.
The first rule in the table that matches the traffic parameters is enforced.
System-defined rules cannot be deleted or added; you can only change their action element, i.e. Allow (default) or Deny.
Order in which rules are applied:
1. All Layer 2 rules are applied first
   • Layer 2 high precedence rules are applied first
   • Layer 2 low precedence rules are applied second
   • Layer 2 system defined rules are applied last
2. All Layer 3 rules are applied second
   • Layer 3 high precedence rules are applied first
   • Layer 3 low precedence rules are applied second
   • Layer 3 system defined rules are applied last
Container-Level and Custom Priority Precedence
How to define a Firewall Policy Rule
Firewall policies contain five pieces of information.
vSphere Groupings
vSphere groupings can also be based on network objects, specifically port groups and VLANs
Firewall Rules Example 1: Using vSphere Groupings
When you specify a container as the source or destination, all IP addresses within that container are included in the rule.
Firewall Rules Example 2: Using vSphere Grouping
How To Create A Firewall Rule –Step 1
How To Create A Firewall Rule –Step 2
Enter source
Enter Destination and other details
How To Create A Firewall Rule – Step 2 Contd
Screenshot callouts: server inside the "WinXP01-Server18" group; server outside the "Fort" datacenter.
Servers inside the "WinXP01-Server18" group cannot access systems outside the "Fort" datacenter over the RARP protocol; this traffic is logged.
How To Create A Firewall Rule –Step 3 Publishing Rule
Create rules using MAC Sets and IP Sets
You can also define rules based on MAC sets and IP sets.
Where do we use this type of rule?
• When you want to configure a rule based on virtual machine identity, i.e. MAC set, IP set and port group.
• In this case the rule always applies, whichever resource pool the virtual machine belongs to.
• The same is not true when you define rules based on a resource pool, vApp or cluster: the moment a VM is moved from one resource pool to another, the rule no longer applies.
Creating MAC Set
The Scope field is selected automatically.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the MAC addresses as shown in the screen below
4. Press OK
Creating IP Set
The Scope field is selected automatically.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the IP addresses as shown in the screen below
4. Press OK
After MAC Set is created
The screen below shows the completed group configuration. Use the Edit and Delete buttons to change an IP/MAC set.
vSphere Grouping – Example
Figure: the "WinXP01-RuleSet" IP set (192.168.1.105, 192.168.1.125) and the "Medical Records" resource pool under Resource Pools.
Creating rule based on IP/MAC Set
Select the datacenter; on the right-hand side select Layer 3 rules (IP set) or Layer 2 rules (MAC set).
Select Add Rule and enter the details as shown on the next slide.
Anything inside Medical Records cannot access the IPs defined inside the "WinXP01-Server18-IP" set, i.e. 192.168.1.105 and 192.168.1.125.
If you select "outside" instead, then Medical Records can access only the IPs defined inside "WinXP01-Server18-IP".
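The rule hierarchy slide (all Layer 2 rules before Layer 3, high precedence before low before system-defined, first match wins) and the IP-set rule just described (a container expands to every address in it; choosing "outside" negates the destination) can be checked against a small model. The following Python is an added example written for this page, not VMware's implementation or the vShield rule engine: container names, the 10.0.5.x and 198.51.100.7 addresses and every MAC address are constructed; only 192.168.1.105 and 192.168.1.125 come from the slides.

```python
from dataclasses import dataclass
from typing import Optional

# Containers expand to the addresses they hold: a resource pool, security group
# or IP/MAC set used as source or destination means every address inside it.
# Constructed sample data; only 192.168.1.105/.125 come from the slides.
CONTAINERS = {
    "Medical Records": {"10.0.5.10", "10.0.5.11"},               # resource pool (constructed IPs)
    "WinXP01-Server18-IP": {"192.168.1.105", "192.168.1.125"},    # IP set from the slide
    "WinXP01-Server18-MAC": {"00:50:56:aa:bb:01"},               # hypothetical MAC set
    "Fort-datacenter-MAC": {"00:50:56:aa:bb:01", "00:50:56:aa:bb:02"},  # hypothetical
}

LAYER_ORDER = ("L2", "L3")                     # all L2 rules are evaluated before any L3 rule
PRECEDENCE_ORDER = ("high", "low", "system")   # within a layer: high, then low, then system-defined


@dataclass
class Rule:
    name: str
    layer: str                      # "L2" or "L3"
    precedence: str                 # "high", "low" or "system"
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # container name; None means any
    dst: Optional[str] = None
    service: Optional[str] = None   # protocol/port label; None means any
    dst_outside: bool = False       # True: match destinations NOT in the dst container
    log: bool = False


@dataclass
class Packet:
    layer: str      # "L2" (MAC addresses) or "L3" (IP addresses)
    src: str
    dst: str
    service: str


def _member(addr: str, container: Optional[str], negate: bool) -> bool:
    if container is None:
        return True
    inside = addr in CONTAINERS[container]
    return (not inside) if negate else inside


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.layer != pkt.layer:
        return False
    if rule.service is not None and rule.service != pkt.service:
        return False
    return _member(pkt.src, rule.src, False) and _member(pkt.dst, rule.dst, rule.dst_outside)


def ordered(rules):
    # Stable sort: layer first, then precedence; rules of equal rank keep their table order.
    return sorted(rules, key=lambda r: (LAYER_ORDER.index(r.layer),
                                        PRECEDENCE_ORDER.index(r.precedence)))


def evaluate(rules, pkt: Packet, log=None):
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in ordered(rules):
        if rule_matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {rule.action.upper()} {pkt.layer} {pkt.service} "
                           f"{pkt.src}->{pkt.dst}")
            return rule.action, rule.name
    raise ValueError("no rule matched; each layer should end in a system-defined default rule")


def sample_rules(default_action="allow"):
    """Rule table mirroring the slides; default_action flips the system-defined rules."""
    return [
        Rule("Default L2", "L2", "system", default_action),   # cannot be deleted, only flipped
        Rule("Default L3", "L3", "system", default_action),
        # Slide 83: WinXP01-Server18 may not reach anything outside the Fort datacenter over RARP
        Rule("No RARP outbound", "L2", "high", "deny", src="WinXP01-Server18-MAC",
             dst="Fort-datacenter-MAC", service="RARP", dst_outside=True, log=True),
        # Slide 91: Medical Records may not reach the WinXP01-Server18-IP set
        Rule("MedRec to WinXP01", "L3", "high", "deny", src="Medical Records",
             dst="WinXP01-Server18-IP"),
        # A low-precedence allow; the high-precedence deny above wins where both match
        Rule("MedRec allow", "L3", "low", "allow", src="Medical Records"),
    ]


def demo(default_action="allow"):
    """Decisions for a few constructed packets; 'log' collects the logged rule hits."""
    rules, log = sample_rules(default_action), []
    cases = {
        "medrec_to_ipset": Packet("L3", "10.0.5.10", "192.168.1.105", "TCP/3389"),
        "medrec_to_other": Packet("L3", "10.0.5.10", "198.51.100.7", "TCP/443"),
        "ipset_to_medrec": Packet("L3", "192.168.1.105", "10.0.5.10", "TCP/443"),
        "rarp_outside_fort": Packet("L2", "00:50:56:aa:bb:01", "00:50:56:ee:ee:99", "RARP"),
        "rarp_inside_fort": Packet("L2", "00:50:56:aa:bb:01", "00:50:56:aa:bb:02", "RARP"),
    }
    results = {name: evaluate(rules, pkt, log)[0] for name, pkt in cases.items()}
    results["log"] = log
    return results


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(default, demo(default))
```

Running demo("allow") against demo("deny") shows what the best-practice slide means by changing the default rule: traffic that no explicit rule covers (the IP set talking back to Medical Records) flips from allow to deny, while explicit rules keep their decisions. Replacing the Medical Records rule with dst_outside=True reproduces the "outside" wording: the resource pool can then reach only the IP set.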
Creating Security Group – Step 1
Creating Security Group – Step 2
NIC-level grouping is possible.
Creating Rule based on Security Group
Press OK, then publish the rule.
Rule based on vSphere Security Group – Port Group
The logical rule translates into the physical world as explained below.
Even if the VMs are in the same datacenter, cluster, ESXi host, resource pool or vApp, they cannot communicate.
Advantages of Security Groups
vShield App allows you to create custom containers known as security groups.
You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then, you can use the security group in the source or destination field of an App Firewall rule.
The key benefit of security groups is the ease of creating different trust zones. Whether through the use of vSphere objects or through the use of manually configured security groups, the key benefit is ease of protection and quality of protection through the use of logical zoning as opposed to carving up a network to provide network isolation.
Best Practices: Firewall Rules
Create firewall rules that meet your business and security needs.
Identify source and destination. Take full advantage of vSphere grouping.
Use vSphere security groups only when you create rules based on vSphere grouping.
By default the vShield FW allows incoming and outgoing traffic; as a best practice you may want to change the default to deny all traffic.
Building Firewall Rules
Option A: More Restrictive
• vShield installs with default “allow” rule
• Build rules based on Application/Vendor’s port guide
• Monitor, document, validate traffic flows via vShield Flows
• Adjust rules as necessary
• Change default rule to “deny”
Option B: Less Restrictive
• vShield installs with default “allow” rule
• Build rules between communicating VMs
• Allows all traffic between selected VMs
• Monitor, document, validate traffic flows via vShield Flows
• Adjust rules as necessary
• Change default rule to “deny”
Logging and auditing
vShield App has its own logging mechanism.
Logging can be of great help in troubleshooting the App appliance.
Auditing of traffic that was either allowed or blocked can be configured per rule set. You have to enable logging for every rule you configure.
Logs are captured and retained for one year. Logs older than one year are overwritten.
Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore it is a good idea to be selective about the rules that you want to log.
vShield Manager event logging – Audit Logs
All actions performed by all vShield users are captured as events and available for audit.
Logging is also done for system-related operations, e.g. an appliance is down, rebooted or unreachable. If the App appliance is unreachable, it is reported as unreachable to vShield Manager.
vShield Manager event logging –Audit Logs
Events are further categorized as informational or critical as shown below
All vShield App configuration parameters are available only when you select the host on the left-hand side.
Configuring Syslog Server for vShield App Contd…
Three log levels are available:
1. Alert
2. Emergency
3. Critical
If you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.
Interpreting Logs Of Traffic Rule – Example 1
• proto = protocol
• vesxi27 = host at which the alert is observed
• L2 = Layer 2 protocol
• DROP = traffic is dropped
Interpreting Logs Of Traffic Rule – Example 2
• proto = ICMP protocol
• vesxi27 = host at which the alert is observed
• L3 = Layer 3 protocol
• DROP = traffic is dropped
Reverting to a previous vShield App Firewall configuration
There is an automatic mechanism that backs up the firewall rules configuration: vShield Manager takes a snapshot each time a new rule is committed.
A previous configuration can easily be reverted to via the drop-down menu.
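The snapshot-per-commit behaviour described above is easy to model, which helps when reasoning about what a revert does to the rule base. The following Python is an added illustration written for this page, not vShield Manager's code; the rule dictionaries and the walk-through (a mistaken commit of a deny default, then a revert) are constructed.

```python
import copy


class RuleBase:
    """Rule base that keeps a deep-copied snapshot of every committed configuration."""

    def __init__(self):
        self.rules = []       # currently published rules (plain dicts, constructed)
        self.history = []     # one snapshot per commit, oldest first

    def commit(self, rules):
        """Publish `rules` and snapshot the result; returns the 1-based version number."""
        self.rules = copy.deepcopy(rules)        # decouple from the caller's working copy
        self.history.append(copy.deepcopy(self.rules))
        return len(self.history)

    def versions(self):
        """What the drop-down would list: version number and number of rules in it."""
        return [(i + 1, len(snap)) for i, snap in enumerate(self.history)]

    def revert(self, version):
        """Restore snapshot `version`; the revert is itself recorded as a new commit,
        so history stays append-only and the bad version remains available for audit."""
        if not 1 <= version <= len(self.history):
            raise ValueError(f"no snapshot {version}")
        return self.commit(self.history[version - 1])


def walkthrough():
    """Constructed sequence: two good commits, a mistaken one, then a revert to version 2."""
    rb = RuleBase()
    rb.commit([{"name": "Default L3", "action": "allow"}])
    rb.commit([{"name": "MedRec deny", "action": "deny"},
               {"name": "Default L3", "action": "allow"}])
    # Mistaken commit: the default rule is flipped to deny before the explicit allows exist.
    rb.commit([{"name": "MedRec deny", "action": "deny"},
               {"name": "Default L3", "action": "deny"}])
    rb.revert(2)
    return rb


if __name__ == "__main__":
    rb = walkthrough()
    print(rb.versions(), rb.rules)
```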
Role-Based Access Control – New in vShield Manager 5.0
Role – Privilege Summary
• Super user (admin) – vShield operations and security: everything related to the vShield product
• vShield admin – vShield operations only: installation, configuration of virtual appliances, ESX host modules, etc.
• Security admin – vShield security only: policy definition, reports for Edge, App, Endpoint, Data Security
• Auditor – read-only access to vShield operations and security settings
RBAC: Scope
Role-based access control (RBAC) enables clear separation of workflow for virtual infrastructure and security administrators. RBAC provides flexibility in delegating administration across resource pools and security groups, improving security of applications and data.
LAB/DEMO
Firewall Lab
Reverting To Previous Vshield App Firewall Configuration
User Creations And Configurations
Spoof Guard
Why use Spoof Guard?
• To reduce man-in-the-middle attacks based on IP and MAC spoofing
How does it work?
• VMs’ IP addresses are collected during the synchronization cycle that happens between vShield and vCenter via the vSphere API.
• If the IP address is modified in the VM and it does not match the data collected by Spoof Guard, the VM is isolated and not allowed to communicate outside.
• It works in the datacenter context and is disabled by default.
Enable Spoof Guard
Click Edit to enable it. Select Enable first and then select the option as per your requirement.
Spoof Guard – IP Address Monitoring and Management
The collected IP addresses can be monitored and managed automatically or manually:
1. Automatically Trust IP Assignments On Their First Use
- The IP is gathered when the VM is powered on for the first time. This data is read via VMware Tools.
- Once the list is populated it is pushed down to the vShield App virtual appliance, which then inspects every packet originating from a network adapter for the prescribed IP. If these do not match, the packet is simply dropped.
- This operates separately from App Firewall rules.
2. Manually Inspect and Approve All IP Assignments Before Use
- In this mode all traffic is blocked until you approve the MAC-to-IP address assignment.
NB: Spoof Guard inherently trusts the MAC addresses of virtual machines from the VMX files and the vSphere SDK.
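The two modes above differ only in what happens before an administrator has approved a MAC-to-IP pair, and the exclusion slides later in the deck add two more rules (an excluded VM is not inspected, yet its MAC/IP pair still appears in the Spoof Guard tab). The following Python model is an added example written for this page, not VMware's implementation: the vNIC MAC addresses and 10.0.5.x addresses are constructed, and "Web01" is used only because the deck's VMX screenshots use that name.

```python
from dataclasses import dataclass, field


@dataclass
class SpoofGuard:
    """Model of the two Spoof Guard modes; added illustration, not VMware's code."""
    mode: str = "auto"                                  # "auto" (trust on first use) or "manual"
    published: dict = field(default_factory=dict)      # vNIC MAC -> approved IP (pushed to vShield App)
    pending: dict = field(default_factory=dict)        # vNIC MAC -> IP reported but not yet approved
    seen: dict = field(default_factory=dict)           # every MAC/IP pair reported (what the UI tab lists)
    excluded: set = field(default_factory=set)         # vNIC MACs of VMs on the exclusion list

    def report(self, mac: str, ip: str) -> None:
        """IP learned for a vNIC via VMware Tools during the vCenter synchronization cycle.
        The MAC itself is trusted as-is (it comes from the VMX file / vSphere SDK)."""
        self.seen[mac] = ip                            # excluded VMs still show up here (slide caveat)
        if mac in self.excluded:
            return
        if self.mode == "auto" and mac not in self.published:
            self.published[mac] = ip                   # first use: trusted automatically
        elif self.published.get(mac) != ip:
            self.pending[mac] = ip                     # manual mode, or a later change: needs approval

    def needs_approval(self) -> dict:
        """Assignments whose current IP does not match the published IP (the approval list)."""
        return dict(self.pending)

    def approve(self, mac: str) -> None:
        self.published[mac] = self.pending.pop(mac)

    def inspect(self, mac: str, src_ip: str) -> str:
        """Per-packet check on a vNIC's egress; runs independently of App Firewall rules."""
        if mac in self.excluded:
            return "pass"                              # exclusion disables Spoof Guard as well
        return "pass" if self.published.get(mac) == src_ip else "drop"


def scenario(mode: str) -> dict:
    """Constructed walk-through: VM Web01 (hypothetical MAC) powers on, then changes its IP."""
    sg = SpoofGuard(mode=mode)
    mac = "00:50:56:aa:00:01"
    sg.report(mac, "10.0.5.10")                        # first sync after power-on
    before = sg.inspect(mac, "10.0.5.10")
    spoofed = sg.inspect(mac, "10.0.5.99")             # packet carrying an IP the vNIC does not own
    sg.report(mac, "10.0.5.99")                        # the guest really changed its IP; next sync sees it
    pending = sg.needs_approval()
    sg.approve(mac)                                    # administrator approves the change in the UI
    after = sg.inspect(mac, "10.0.5.99")
    return {"before": before, "spoofed": spoofed, "pending": pending, "after": after}


if __name__ == "__main__":
    for mode in ("auto", "manual"):
        print(mode, scenario(mode))
```

In "auto" mode the first reported IP passes immediately and only the later change is held for approval; in "manual" mode even the first packet is dropped until the pair is approved, which is the "all traffic is blocked" behaviour the slide describes.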
Spoof Guard: View and Approve IP
Screenshot callouts:
• Lists the IP addresses where the current IP address does not match the published IP address.
• IP address changes that require approval before traffic can flow to or from these VMs.
• List of all validated IP addresses.
Contd … Spoof Guard –View and Approve IP
vShield Manager Deployment Consideration
Do not host vShield Manager on the same cluster it is responsible for managing. If vShield Manager is deployed within the infrastructure it is protecting you will suffer circular dependencies*.
E.g. an inadvertent configuration error could result in an unmanageable environment if the vShield Manager appliance were to lose connectivity or were prevented from communicating with other components due to a misconfigured security policy.
You cannot use VMware FT to protect vShield Manager if vShield App is deployed. This only applies if vShield App is deployed from the vShield Manager in question.
A vShield Manager instance must be deployed for each vCenter in use.
* Starting with vShield 5.0.1 you can exclude vShield Manager from the host.
Entry inside the VMX file
vShield Manager Placement Consideration – Option 1
Shared Management Cluster Model (highly recommended): a separate Management Cluster (vSphere 5.0) hosts vCenter 5.0, vShield Manager, AD/DNS/DHCP and the VCDB/VUMDB databases, while the Production Cluster (vSphere 5.0) hosts the Edge and App FW appliances. This isolates the management components from being impacted by Production Cluster hardware failure issues.
Management cluster components:
• vCenter Server/Appliance
• vCenter Database
• vShield Manager
• vCenter Update Manager
• Active Directory
• DNS
• Syslog Server
vShield Manager Deployment Consideration – Option 2
Cross-Managed Cluster Model: two production clusters (Production Cluster A and Production Cluster B, each on vSphere 5.0 with Edge and App FW appliances), each with its own vCenter 5.0 and vShield Manager. Managing each cluster from the other provides isolation similar to the management cluster model.
vShield Manager Deployment Consideration – Option 3
Single cluster model with vShield Manager exclusion*: vCenter 5.0 and vShield Manager run in the same Production Cluster (vSphere 5.0) as the Edge and App FW appliances; adding vShield Manager to the exclusion list disables vApp protection for it.
VM Exclusion introduced in vShield 5.0.1
With 5.0.1 there is now an option to exclude a VM. This has the effect of disabling all vShield App protection for the excluded VM, including Spoof Guard.
This exclusion list is applied across all vShield App installations within the specified vShield Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection.
The vShield Manager and service virtual machines are automatically excluded from vShield App protection.
Caveat: the MAC/IP pairs for excluded VMs still show up in the Spoof Guard tab of the UI, even though the functionality is disabled.
How to Exclude VM from vShield App
After FailSafe is enabled, VMs that are powered on are fast-suspended and resumed, while powered-off VMs are just reconfigured.
VMX entry for Web01 before FailSafe is enabled
VMX entry for Web01 after FailSafe is enabled
127 Preetam Zare
vShield App Deployment Consideration
vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to.
Renaming the vShield App security virtual machine is not supported. Doing so will render it unmanageable, as vShield Manager uses the name it assigned at provisioning time to manage the vShield App security virtual machine.
Use vShield App security groups to tier servers of the same function (DC, Web server, DB server, etc.). This simplifies firewall configuration and rules.
128 Preetam Zare
Availability Consideration: vShield App
129 Preetam Zare
Availability Considerations: vShield Manager
What if the vShield Manager appliance is unavailable?
• First and foremost, zero impact
• All existing vShield App rules remain enforced
• Logs are still sent to the syslog server
• The only impact is that new rules cannot be created and existing rules cannot be changed
• In addition, flow-monitoring data might be lost, depending on the duration of the outage
• A vShield Manager backup can be used to restore the appliance
What if the host running the vShield Manager appliance is unavailable?
vShield Manager is HA and DRS aware and can take full advantage of them. In this case, vShield Manager is automatically restarted on another host.
130 Preetam Zare
Availability Considerations: vShield App
What if the vShield App appliance is unavailable?
• All traffic to and from the protected virtual machines on the host where vShield App was running is blocked *
• At the process level, a built-in watchdog restarts failed processes
• VMware HA virtual machine monitoring detects the failure (via VMware Tools heartbeats and network packets) and restarts the failed vShield App
• A vCenter alarm is triggered if a VM migrates onto a host where the vShield App appliance is not installed
What if the host running the vShield App appliance is unavailable?
DRS is disabled for vShield App.
Except for the vShield App VM, protected VMs are restarted on another host and are automatically protected there, assuming vShield App is installed on that host.
* From vShield 5.0.1 you have the option to disable this behavior, though it is strongly not recommended.
131 Preetam Zare
vShield App: DRS and HA Settings
The HA restart priority for the vShield App appliance is set to High. This ensures it is the first VM to restart during a failover event, so that it is running before the VMs it protects.
The vShield App VM should never be moved to another host. Therefore, during installation DRS is automatically disabled for it.
If the host is put into maintenance mode, vShield App automatically shuts down and automatically restarts when the host exits maintenance mode.
You cannot use FT to protect vShield Manager when vShield App is deployed: vShield Manager uses linked clones and snapshots as part of the deployment process for the vShield firewall service appliance virtual machines, and FT does not support VMs with snapshots.
132 Preetam Zare
Verifying vShield App Installation – HA Restart Priority
133 Preetam Zare
Verifying vShield App Installation –DRS is Disabled
134 Preetam Zare
vShield App Industry Best Practices
vShield App provides security protection for virtual machines
Firewall rule groups will need to be translated from the old firewall into vShield Manager
Set up roles and responsibilities within vShield Manager that grant administrators only the minimum permissions needed to perform their required functions.
• E.g. give the vSphere administrator the ability to install the vShield Suite via the vShield Admin role, and the ability to view rules via the Auditor role
Ensure audit logs are reviewed regularly
135 Preetam Zare
Contd .. vShield App Industry Best Practices
Define a thorough test plan
Penetration testing and external auditing
Consider creating an application group that contains the ports
• For example you might create an application group called WEB containing both TCP 80 and 443.
Ensure that vShield Edge and vShield App appliances send all their logs to a centralized Syslog server or infrastructure.
Consider mirroring the logs to an alternate site
136 Preetam Zare
Contd … vShield App Industry Best Practices
Use the vShield REST APIs to back up the firewall rule base.
Use the REST APIs to turn off rule logging once troubleshooting and implementation are complete, unless there is a reason to leave it enabled.
If you are replicating the infrastructure to a DR site, ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to keep the rule base up to date.
Updates and changes to the DR site can be automated using the vShield REST APIs, which can also be integrated with VMware vCenter Site Recovery Manager.
vShield App and Host Profiles
137 Preetam Zare
Agenda –vShield Edge
• Planning and Installation of vShield Edge
• vShield Edge Services
• DHCP
• NAT
• Firewall
• VPN
• Load Balancing
• Static Routing
• Scenarios
• Deployment and Availability Considerations
138 Preetam Zare
Introduction
Protects the edge of infrastructure
Common Gateway Services
• DHCP
• VPN
• NAT
• Static Routing
• Load Balancing
Common Deployment Models
• DMZ
• VPN Extranets
• Multi-Tenant Cloud Environment
139 Preetam Zare
Logical View of vShield Edge
Network isolation happens at the port group level
140 Preetam Zare
Port group Isolation based on VLAN
With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration.
Isolation of virtual machines is provided exclusively by VLANs in Layer 2.
When To Use VLAN Isolation
When to use: network infrastructure built around VLANs; physical machines need to participate in the protected network
Virtual switch support: vSS, vDS, Cisco Nexus 1000V
141 Preetam Zare
Figure: VMware vSphere hosts with an Internet-facing VLAN-108 and protected port groups PG-CORP1 (VLAN-126) and PG-CORP2 (VLAN-135), connected through the Access/Aggregation layer; each vShield Edge has an External Interface on the VLAN-108 side and an Internal Interface on the protected VLAN side.
142 Preetam Zare
vCloud Director Network Isolation
VM Identity is used to isolate a group of VMs from other VMs
All VMs are on a single Layer-2 domain but are isolated by assigning them to different port groups
Traffic between VMs in the same port group is allowed, but traffic between VMs in different port groups is not allowed by the virtual switch
This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), not on a standard switch (vSS) or Cisco Nexus 1000V
143 Preetam Zare
vCDNI -Communication Between Tenants Across The Host
The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.
144 Preetam Zare
vCDNI -Communication Between Tenants Within The Host
VM traffic is isolated because the VMs are on different secured port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.
145 Preetam Zare
vCDNI –VM’s Communication of same Tenant
VMs of the same tenant need to communicate freely without going through the vShield Edge VM and the Provider VLAN
146 Preetam Zare
Advantages of vCloud Director Network Isolation (vCDNI)
Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale.
Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs.
Finally, a key advantage that cloud network isolation has over VLAN isolation is that cloud network isolation does not need any complex configuration at the Aggregation layer.
147 Preetam Zare
Protecting Extranet: VPN Services
148 Preetam Zare
vShield Edge: DHCP Services
149 Preetam Zare
vShield Edge: NAT Services
150 Preetam Zare
vShield Edge Services: Load Balancer Services
151 Preetam Zare
vShield Edge Services: Firewall Services
152 Preetam Zare
vShield Edge Firewall Rules and Direction
Figure: vShield Edge with an EXTERNAL INTERFACE and an INTERNAL INTERFACE, each with an INCOMING and an OUTGOING traffic direction.
Incoming traffic on both interfaces is blocked by default
Outgoing traffic on both interfaces is allowed by default
153 Preetam Zare
vShield Edge Firewall Rules and Direction -Example
Figure: Internal Interface facing the PRIVATE PORT GROUP (172.16.1.0/24 subnet); External Interface; traffic incoming from the 172.16.2.0/24 subnet.
154 Preetam Zare
VSHIELD EDGE SERVICES – STATIC ROUTING
Most networks have a single router called the default gateway . If a network has a default gateway, the nodes on the network can send traffic to the gateway and the gateway will then forward the traffic to the destination.
All machines in a network have a routing table. A Routing table is a list of destination networks and the router that carries traffic to that destination.
Manually adding routes to a routing table is called static routing.
Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for. The nodes store this information in their routing table.
On vShield Edge, you can create a static route for either the internal network or the external network.
155 Preetam Zare
Static Routing between two vApp
Figure: APPLICATION 1 on PG-APP-1 (VM 172.16.1.10, vShield Edge internal interface 172.16.1.1) and APPLICATION 2 on PG-APP-2 (VM 172.16.2.10, vShield Edge internal interface 172.16.2.1); the two Edge external interfaces, 192.168.1.233 and 192.168.1.232, sit on PG-PUBLIC.
156 Preetam Zare
Installing vShield Edge for Application 1
Installing vShield Edge Application for APP1
157 Preetam Zare
vShield Edge Installed for Application 1 and Application 2
158 Preetam Zare
Configure Static Route for APP1 Network
Network: the network APP1 wants to reach
Gateway: the gateway of the destination network
159 Preetam Zare
Configure Static Route for APP2 Network
Network: the network APP2 wants to reach
Gateway: the gateway of the destination network
160 Preetam Zare
Static Route Set Up for APP1 & APP2 Network
Figure: same topology as slide 155, now with the static routes configured: APPLICATION 1 on PG-APP-1 (VM 172.16.1.10, internal interface 172.16.1.1) and APPLICATION 2 on PG-APP-2 (VM 172.16.2.10, internal interface 172.16.2.1); Edge external interfaces 192.168.1.233 and 192.168.1.232 on PG-PUBLIC.
161 Preetam Zare
Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other
Figure: APPLICATION 1 on PG-APP-1 (VM 172.16.1.10, internal interface 172.16.1.1) and APPLICATION 2 on PG-APP-2 (VM 172.16.2.10, internal interface 172.16.2.1); Edge external interfaces 192.168.1.233 and 192.168.1.232 on PG-PUBLIC.
Outgoing traffic is allowed by default
162 Preetam Zare
Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other
Figure: APPLICATION 1 on PG-APP-1 (VM 172.16.1.10, internal interface 172.16.1.1) and APPLICATION 2 on PG-APP-2 (VM 172.16.2.10, internal interface 172.16.2.1); Edge external interfaces 192.168.1.233 and 192.168.1.232 on PG-PUBLIC; incoming rules added on both Edges.
163 Preetam Zare
Rules defined at APP-1 FW
Rules defined at APP-2 FW
164 Preetam Zare
Ping and Tracert request from APP1 VM
165 Preetam Zare
Ping and Tracert request from APP2 VM
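The static-route scenario above (two vShield Edges, one per application, each given a static route to the other application's subnet through the peer Edge's external interface) can be walked through in code. The following is an added example, not part of the original deck or of vShield: each node keeps a routing table, lookups use longest-prefix match, and a trace follows next hops the way the ping/tracert screenshots do. Addresses are the ones on the slides; the assignment of 192.168.1.233 to the APP1 Edge and 192.168.1.232 to the APP2 Edge is inferred from the diagram layout and should be treated as an assumption, as are the node names.

```python
"""Static-route walk-through for the APP1/APP2 scenario on the slides.
Constructed teaching model, not vShield code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


class RoutingTable:
    def __init__(self, routes):
        # routes: (destination network, next hop) pairs; next hop None = directly connected
        self.routes = [(ip_network(net), ip_address(gw) if gw else None) for net, gw in routes]

    def lookup(self, dst):
        """Longest-prefix match: the most specific network containing dst wins."""
        dst = ip_address(dst)
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best


@dataclass
class Node:
    name: str
    interfaces: tuple          # IPs this node answers on
    table: RoutingTable


def build_topology(static_routes=True):
    """Nodes from the slides. Assumption (inferred from the diagram): the Edge for APP1
    owns external IP 192.168.1.233 and the Edge for APP2 owns 192.168.1.232."""
    edge1 = [("172.16.1.0/24", None), ("192.168.1.0/24", None)]
    edge2 = [("172.16.2.0/24", None), ("192.168.1.0/24", None)]
    if static_routes:
        edge1.append(("172.16.2.0/24", "192.168.1.232"))   # route configured on APP1's Edge
        edge2.append(("172.16.1.0/24", "192.168.1.233"))   # route configured on APP2's Edge
    return [
        Node("app1-vm", ("172.16.1.10",),
             RoutingTable([("172.16.1.0/24", None), ("0.0.0.0/0", "172.16.1.1")])),
        Node("app1-edge", ("172.16.1.1", "192.168.1.233"), RoutingTable(edge1)),
        Node("app2-edge", ("172.16.2.1", "192.168.1.232"), RoutingTable(edge2)),
        Node("app2-vm", ("172.16.2.10",),
             RoutingTable([("172.16.2.0/24", None), ("0.0.0.0/0", "172.16.2.1")])),
    ]


def owner_of(ip, nodes) -> Optional[Node]:
    return next((n for n in nodes if str(ip) in n.interfaces), None)


def trace(src, dst, nodes, max_hops=16):
    """Follow next hops from src to dst. Returns (list of hop IPs, outcome)."""
    node = owner_of(src, nodes)
    hops = []
    if node is None:
        return hops, "unknown source"
    for _ in range(max_hops):
        match = node.table.lookup(dst)
        if match is None:
            return hops, f"no route on {node.name}"   # what happens before the static route exists
        net, gw = match
        nxt = ip_address(dst) if gw is None else gw
        hops.append(str(nxt))
        if gw is None:
            return hops, "delivered"                 # directly connected: hand to the destination
        node = owner_of(nxt, nodes)
        if node is None:
            return hops, f"next hop {nxt} unreachable"
    return hops, "hop limit exceeded"


if __name__ == "__main__":
    print(trace("172.16.1.10", "172.16.2.10", build_topology()))
    print(trace("172.16.1.10", "172.16.2.10", build_topology(static_routes=False)))
```

Running it with the static routes in place yields the hop list 172.16.1.1, 192.168.1.232, 172.16.2.10, which is the path the tracert screenshot from the APP1 VM shows; without the routes the APP1 Edge has no entry for 172.16.2.0/24 and the trace stops there, which is the failure the static route slides are fixing.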
166 Preetam Zare
How To Configure NAT Services
SCENARIO
A customer wishes to access Web Server Web01, which sits inside the DMZ network of CORP A.
Web Server Web01 sits in the 10.1.1.x/24 network and has been assigned the IP 10.1.1.10 by the vShield Edge DHCP service.
The customer's network is 192.168.1.x/24.
We can configure NAT on vShield Edge to make Web01 reachable from the customer network.
167 Preetam Zare
vShield Edge Configured to Meet Customer Scenario
Figure: vShield Edge with External Interface 192.168.1.135 on a vSwitch connected to the external network (192.168.1.x) and Internal Interface 10.1.1.1 on a private switch with Web01 (10.1.1.10) and Web02 (10.1.1.11); services configured on the Edge: 1. DHCP Service, 2. NAT Service, 3. FW Rules.
168 Preetam Zare
Configure DHCP
169 Preetam Zare
Use SNAT when Internal IP needs to be translated into External IP.
Use DNAT when External IP needs to be translated into Internal IP.
170 Preetam Zare
Open Firewall Ports to allow NAT Traffic
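The firewall direction rules (incoming blocked by default, outgoing allowed by default), the SNAT/DNAT distinction and the "open firewall ports to allow NAT traffic" step above can be put together in one small model. This is an added example, not vShield code: a packet is DNAT-ed first, then matched against rules (first match wins, otherwise the direction default applies), then SNAT-ed on the way out. The addresses come from the NAT scenario on the slides; the DNAT/SNAT tables, the rule name and the WEB application group (TCP 80 and 443, from the best-practice slide) are constructed, and the processing order DNAT -> firewall -> SNAT is this model's assumption.

```python
"""Model of vShield Edge rule evaluation as described on the slides.
Constructed teaching model, not vShield code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    source: IPv4Network
    dest: IPv4Network
    ports: frozenset     # an "application group" such as WEB = {80, 443}
    action: str          # "allow" or "deny"


# Addresses from the NAT scenario on the slides; the tables below are constructed.
INTERNAL_NET = ip_network("10.1.1.0/24")
EDGE_EXTERNAL_IP = "192.168.1.135"
WEB01 = "10.1.1.10"
WEB = frozenset({80, 443})                 # application group WEB (best-practice slide)
DNAT_TABLE = {EDGE_EXTERNAL_IP: WEB01}     # external IP -> internal IP, ports unchanged


def apply_dnat(pkt: Packet) -> Packet:
    """DNAT: translate an external destination IP into the internal server IP."""
    target = DNAT_TABLE.get(pkt.dst)
    return pkt if target is None else Packet(pkt.src, target, pkt.dport, pkt.proto)


def apply_snat(pkt: Packet) -> Packet:
    """SNAT: hide an internal source IP behind the Edge external IP."""
    if ip_address(pkt.src) in INTERNAL_NET and ip_address(pkt.dst) not in INTERNAL_NET:
        return Packet(EDGE_EXTERNAL_IP, pkt.dst, pkt.dport, pkt.proto)
    return pkt


def direction(pkt: Packet) -> str:
    """'incoming' = headed into the protected internal network, 'outgoing' = leaving it."""
    return "incoming" if ip_address(pkt.dst) in INTERNAL_NET else "outgoing"


def evaluate(pkt: Packet, rules) -> tuple:
    """Return (action, matched rule name). First matching rule wins; otherwise the
    default for the packet's direction applies: deny incoming, allow outgoing."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if src in rule.source and dst in rule.dest and pkt.dport in rule.ports:
            return rule.action, rule.name
    d = direction(pkt)
    return ("deny" if d == "incoming" else "allow"), f"default-{d}"


def process(pkt: Packet, rules) -> tuple:
    """Full path through the Edge: DNAT -> firewall -> SNAT. Returns (action, name, packet)."""
    pkt = apply_dnat(pkt)
    action, name = evaluate(pkt, rules)
    if action == "allow":
        pkt = apply_snat(pkt)
    return action, name, pkt


# The rule the "Open Firewall Ports to allow NAT Traffic" step adds (constructed name):
# the customer network 192.168.1.x/24 may reach Web01 on the WEB application group.
ALLOW_WEB_TO_WEB01 = Rule("allow-web-to-web01", ip_network("192.168.1.0/24"),
                          ip_network(f"{WEB01}/32"), WEB, "allow")


if __name__ == "__main__":
    customer = Packet("192.168.1.50", EDGE_EXTERNAL_IP, 80)
    print(process(customer, []))                    # DNAT alone: still denied (incoming default)
    print(process(customer, [ALLOW_WEB_TO_WEB01]))  # allowed once the port is opened
```

The point the model makes is the one the slide sequence makes: configuring DNAT on its own changes where the packet is headed, but it is still incoming traffic and stays blocked until a rule for the translated destination and the required ports exists; outgoing replies from Web02 leave through SNAT without any rule because outgoing is allowed by default.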
171 Preetam Zare
Figure (same diagram as slide 167): vShield Edge with External Interface 192.168.1.135 towards the external network (192.168.1.x) and Internal Interface 10.1.1.1 towards Web01 (10.1.1.10) and Web02 (10.1.1.11); 1. DHCP Service, 2. NAT Service, 3. FW Rules.
172 Preetam Zare
vShield Edge Deployment Considerations
Only HTTP(80) round-robin load balancing is currently supported
Each vShield Edge instance supports up to a maximum of 10 site-to-site VPN sessions
VMware strongly recommends that you protect vShield Edge appliances using the HA and DRS features. If a cluster host running a vShield Edge appliance goes offline, the appliance is restarted on another host in the cluster.
173 Preetam Zare
Traditional Layer2 Segmentation
Figure: PG 1 (VLAN 11), PG 2 (VLAN 12) and PG 3 (VLAN 13) on a vSwitch/vDS connected to the physical switch.
174 Preetam Zare
Cloud Network Isolation (CNI) Segmentation
Figure: PG 1, PG 2 and PG 3 all on VLAN 1, on a vDS connected to the physical switch.
VMs on one PG cannot talk to VMs on another PG at Layer 2, even though they share the same VLAN
175 Preetam Zare
Method 1 –Using VLAN per organization
Figure: HOST 1 and HOST 2, each running VMs for ORG A (LAN 72), ORG B (LAN 81) and ORG C (LAN 72); Internet facing.
176 Preetam Zare
Method 2 –Using Mixed Trust Model
Figure: Multi Tenant hosts running ORG A (LAN 72) and ORG B (LAN 81); Single Tenant hosts running ORG C (LAN 63, PCI/HIPAA/SOX workloads) and ORG Z (LAN 54); Internet facing.
177 Preetam Zare
Method 3 –Single VLAN Multi Tenant
Figure: a single Internet-facing VLAN carrying Tenant-1 (ORG Z: LAN 54, PCI/HIPAA/SOX workloads) and Tenant-2 (ORG Z: LAN 54, Mail, DB and Web servers); CNI on a single VLAN with segmentation via vShield App.
178 Preetam Zare
Performance Statistics
179 Preetam Zare
Difference between vShield Edge and vShield app
vShield Edge vShield App
Deployed per port group Deployed per host
Enforcement between virtual datacenter and untrusted networks
Enforcement between VMs
Change-aware
Stateful, application level firewall
Five-tuple rule based policies
Site to Site VPN (IPSEC), DHCP, NAT, Firewall, Load Balancing, Cloud Network Isolation
Hypervisor-based firewall, flow monitoring, security groups
180 Preetam Zare
Can firewall rules be backed up and restored? How?
There are multiple methods to back up firewall rules. The recommended methods are:
• via vShield Manager user interface
• via REST APIs, which can be scripted/automated
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup.
VI administrators can use REST APIs (accessible via web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.
181 Preetam Zare
REST API -BASICS
The vShield REST API uses HTTP requests
HTTP requests are often executed by a script or a higher-level language
vShield REST API Workflows
• Make an HTTP request (typically GET, PUT, POST or DELETE) against a vShield Manager URL
• The response is either XML or just an HTTP response code
• An XML response is generally a link or other information about the state of the object
• The HTTP response code indicates whether the request succeeded or failed
vShield Manager requires TCP port 80/443 to be open for vShield REST API requests to pass through
182 Preetam Zare
Executing REST API using REST Client
183 Preetam Zare
184 Preetam Zare
185 Preetam Zare
186 Preetam Zare
Working with IP Sets using vShield REST API
187 Preetam Zare
Reading IP Sets
https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-2
https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-81
188 Preetam Zare
189 Preetam Zare
XML Format to Create IP Set
<ipset>
  <objectId />
  <type>
    <typeName />
  </type>
  <description>New Description</description>
  <name>TestIPSet2</name>
  <revision>0</revision>
  <objectTypeName />
  <value>10.112.201.8-10.112.201.14</value>
</ipset>
POST https://<vsm-ip>/api/2.0/services/ipset/datacenter-2
Automatically created
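The REST workflow described above (an HTTP request against a vShield Manager URL, an XML or status-code response) and the IP set document on this slide can be scripted as follows. This is an added example, not vShield's own code or tooling: it builds the <ipset> body shown on the slide, validates the <value> before it is sent, issues the request with HTTP Basic authentication over 443, and parses the <ipset> elements out of the listing that the GET URL from the "Reading IP Sets" slide returns. The only endpoints used are the two ipset URLs shown on the slides; the credentials, scope IDs and the sample listing are constructed, and the wrapper element around the listed IP sets is not shown on the slides, so the parser does not depend on it.

```python
"""Scripting the vShield Manager REST API for IP sets. Added example; credentials,
scope IDs and the sample response below are constructed."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network


def ipset_value_errors(value: str) -> list:
    """Check a comma-separated <value>: single IPs, ranges (a-b) or CIDRs."""
    errors = []
    for item in (p.strip() for p in value.split(",")):
        try:
            if "-" in item:
                lo, hi = (ip_address(p.strip()) for p in item.split("-", 1))
                if lo > hi:
                    errors.append(f"reversed range: {item}")
            elif "/" in item:
                ip_network(item, strict=False)
            else:
                ip_address(item)
        except ValueError as exc:
            errors.append(f"invalid entry {item!r}: {exc}")
    return errors


def build_ipset_xml(name: str, value: str, description: str = "") -> str:
    """Serialize the <ipset> body from the slide; objectId and objectTypeName are left
    empty because vShield Manager assigns them when it creates the object."""
    errors = ipset_value_errors(value)
    if errors:
        raise ValueError("; ".join(errors))
    root = ET.Element("ipset")
    ET.SubElement(root, "objectId")
    ET.SubElement(ET.SubElement(root, "type"), "typeName")
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "revision").text = "0"
    ET.SubElement(root, "objectTypeName")
    ET.SubElement(root, "value").text = value
    return ET.tostring(root, encoding="unicode")


def parse_ipsets(xml_text: str) -> dict:
    """Map IP set name -> value from any response that contains <ipset> elements."""
    root = ET.fromstring(xml_text)
    return {e.findtext("name"): e.findtext("value") for e in root.iter("ipset")}


def vsm_request(vsm_ip, method, path, body=None, user="admin", password="", cafile=None):
    """One HTTPS call (TCP 443) to vShield Manager with HTTP Basic auth.
    Returns (HTTP status, response body). TLS verification stays on; pass cafile for a
    private CA instead of disabling it."""
    req = urllib.request.Request(f"https://{vsm_ip}{path}",
                                 data=body.encode() if body else None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if body:
        req.add_header("Content-Type", "application/xml")
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:          # e.g. 400 on a malformed body
        return err.code, err.read().decode()


def create_ipset(vsm_ip, scope, name, value, description="", **auth):
    """POST https://<vsm-ip>/api/2.0/services/ipset/<scope> (URL from the slide)."""
    return vsm_request(vsm_ip, "POST", f"/api/2.0/services/ipset/{scope}",
                       build_ipset_xml(name, value, description), **auth)


def list_ipsets(vsm_ip, scope, **auth):
    """GET https://<vsm-ip>/api/2.0/services/ipset/scope/<scope> (URL from the slide)."""
    status, body = vsm_request(vsm_ip, "GET", f"/api/2.0/services/ipset/scope/{scope}", **auth)
    return status, (parse_ipsets(body) if status == 200 else {})


# Constructed sample of a listing; the real wrapper element is not shown on the slides,
# so the parser relies only on the <ipset> elements inside it.
SAMPLE_LISTING = (
    "<list>"
    + build_ipset_xml("TestIPSet2", "10.112.201.8-10.112.201.14", "New Description")
    + build_ipset_xml("WebServers", "10.1.1.10,10.1.1.11", "constructed")
    + "</list>"
)
```

Validating the <value> locally before the POST is the part worth copying: vShield Manager reports a malformed body only through the HTTP response code, so catching a reversed range or an out-of-range octet in the script gives a clearer error than a 400 with no detail, and keeping the GET-and-parse path separate is what lets the same script dump every IP set to disk as the backup the previous slide recommends.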
190 Preetam Zare
Create IP Set
191 Preetam Zare
Recommended