Confidential
vShield App and vShield Edge: Planning, Installation and Design based on 5.0.1
From Preetam Zare
http://vcp5.wordpress.com
http://vShieldSuite.wordpress.com
Agenda: vShield App
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability Considerations
Agenda: vShield Edge
- Planning and Installation of vShield Edge
- vShield Edge Services: DHCP, NAT, Firewall, VPN, Load Balancing, Static Routing
- Scenarios
- Deployment and Availability Considerations
Data Center Needs to Be Secured at Different Levels
(Diagram of the three levels:)
- Perimeter security, at the vDC edge: prevent unwanted access with firewalls, VPNs and load balancers.
- Internal security: segment your services with VLAN- or subnet-based policies and interior or web application firewalls.
- End point security: protect your data with anti-virus and data leak protection.
Cost and complexity: sprawl of hardware, firewall rules and VLANs; rigid firewall rules; performance bottlenecks.

Why Security in a Virtualized Datacenter?
- Network security devices become chokepoints
- Capacity is never right-sized
- No intra-host virtual machine visibility
- Audit trails are lacking
- Physical topologies are too rigid
- Current security is static
Traditional vSphere Infrastructure Setup Without vShield
(Diagram: Company A, Company B and Company C each have their own stack behind the Internet: VPN gateway, switch, load balancer, firewall, L2-L3 switch and vSphere 5.0 hosts.)

vSphere Infrastructure Setup Without vShield
(Diagram: the same per-company stacks of VPN gateway, switch, load balancer, firewall and L2-L3 switch in front of vSphere 5.0 hosts.)

vShield Product Family: Securing the Private Cloud End to End, from the Edge to the Endpoint
- Edge: vShield Edge secures the edge of the virtual datacenter
- Security zone: vShield App creates segmentation between workloads and provides sensitive data discovery
- Endpoint (= VM): vShield Endpoint provides anti-virus processing
- vShield Manager: centralized management

What Is vShield Edge?
vShield Edge secures the perimeter (edge) around a virtual datacenter. Common vShield Edge deployments include:
- Protecting the Extranet
- Protecting multi-tenant cloud environments
(Diagram: Tenant A, Tenant C and Tenant X each fronted by a vShield Edge secure virtual appliance providing VPN, load balancer and firewall.)

vShield Edge Capabilities
Edge functionality:
- Stateful inspection firewall
- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
- Site-to-site VPN (IPSec)
- Web Load Balancer (NEW)
- Static Routing (NEW)
- Certificate mode support for IPSec VPN
Management features:
- REST APIs for scripting
- Logging of functions
Securing the Data Center Interior with vShield App
Key benefits:
- Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster.
- Intuitive business-language policy leveraging the vCenter inventory.

vShield Endpoint: Offload Anti-virus Processing for Endpoints
Benefits:
- Improve performance by offloading anti-virus functions in tandem with AV partners
- Improve VM performance by eliminating anti-virus storms
- Reduce risk by eliminating agents susceptible to attacks
- Satisfy audit requirements with detailed logging of AV tasks

Cloud Infrastructure Security: Defense in Depth
- First level of defense, vShield Edge: threat mitigation, blocks unauthorized external traffic; a suite of edge services to secure the edge of the vDC
- Zoning within the organization, vShield App: policy applied to VM zones; dynamic, scale-out operation; VM context based controls
- Compliance check, vShield App with Data Security: discover PCI, PHI and PII sensitive data in the virtual environment; compliance posture check
- AV agent offload, vShield Endpoint: attain higher efficiency; supports multiple AV solutions; always-on AV scanning
Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- Use Cases of vShield App
- Design Considerations of vShield App
vShield Manager Introduction
- The vShield Manager console acts as a central point to install, configure and maintain the vShield components, e.g. vShield Edge, vShield App and vShield Endpoint.
- vShield Manager is pre-packaged as an OVA appliance.
- The vShield Manager OVA file includes the software to install vShield Edge, vShield App and vShield Endpoint.
- vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
- vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory.
vShield Manager: Central Management Console
(Diagram: the vShield Manager client on the management network alongside vCenter and the vSphere hosts.)
- Automatic deployment of the vShield App appliance via vShield Manager
- Central point of management: holds the RBAC model, stores flow data and manages the rule base
- You can connect to vShield Manager directly via its web interface or via the vCenter plug-in

vShield Manager Communication Paths
(Diagram labels, all on the management network:)
- vCenter to ESXi host: TCP 902/903
- vShield Manager to vShield App appliance: TCP 443
- vSphere Client to vShield Manager: TCP 443
- vShield web console, SSH client and REST API to vShield Manager: TCP 80/443 (the diagram marks these paths as enabled by default or disabled by default)

vShield Manager Requirements
Virtual hardware summary:
- Memory: 3 GB
- CPU: 1
- Disk: 8 GB
Software:
- vShield OVA file
- Web browser: IE 6.x and later, Mozilla Firefox 1.x and later, Safari 1.x and 2.x
For the latest interoperability information check http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php
Latest Interoperability
(Screenshot of the interoperability matrix.)

Permissions
- Permission to add and power on virtual machines
- Access to the datastores where the vShield Suite will be deployed
- DNS reverse lookup entries must work for all ESXi hosts

vShield Manager Installation: Multi-Step Installation Process
1. Obtain the vShield Manager OVA file
2. Install the vShield Manager virtual appliance
3. Configure the network settings of the vShield Manager
4. Log on to the vShield Manager interface
5. Synchronize the vShield Manager with the vCenter Server
6. Register the vShield Manager plug-in with the vSphere Client
7. Change the default admin password of the vShield Manager
Steps to Install vShield Manager
Open the vSphere Client, click the File menu and select Deploy OVF Template, as shown below.
Browse to locate the OVA file
A new window opens asking for the OVF file; in our case it is an OVA file. Click Browse and locate the OVA file you have downloaded from VMware's site.

After selecting the OVA file, press Next. The OVA file's metadata is read and you will see the screen below.
Enter a name for the vShield Manager virtual machine and select its location, as shown below.
Select Datastore
It is strongly recommended to select a shared datastore so that vMotion, DRS and HA functionality can be used during planned and unplanned downtime.

Select Disk Format

Review the settings and close the OVF template wizard.

Virtual Machine Properties

Warning: Don't upgrade VMware Tools on vShield Manager appliances
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Configure the Network Settings of the vShield Manager
The initial network configuration, i.e. IP, default gateway and DNS, must be done via the CLI. Right-click the vShield Manager appliance and select Open Console.

Configure the Network Settings of the vShield Manager (contd.)

Enter IP, Default Gateway and DNS Details
- To enter enabled mode, type enable
- To start the wizard, type setup
- Enter the IP details
- Finally press y to confirm the settings

Enter IP, Default Gateway and DNS Details (contd.)

Getting Familiar with the vShield Manager Interface
Open a web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session. Log in to the vShield Manager user interface using the username admin and the password default.

Synchronizing the vShield Manager with vCenter
Enter the vCenter details and press Save. Follow the Domain\Username format if the user is a domain user. Register the vCenter extension to access vShield Manager within vCenter. (Screenshot callout: "Don't select this".)

After vShield Manager and vCenter Are Connected
After the sync is completed, vCenter data is populated, as seen in the screen below.
On the right-hand side of the screen we see confirmation that the vSphere inventory was successfully updated. vShield Manager doesn't appear as a resource in the inventory panel of the vShield Manager user interface.

After vShield Manager and vCenter Are Connected (contd.)
Configure Date/Time for vShield Manager
Generate Tech Support Bundle
System Resource Utilization of vShield Manager
Backup vShield Manager Configuration
You can back up the configuration and transfer it to a remote backup server over FTP. For a one-time backup, Scheduled Backups must be Off.
(Screenshot callouts: Schedule Backup; Backup Directory on FTP Server.)

Backup vShield Manager Configuration: Backup Files
(Screenshot callouts: Backup Directory on FTP Server; vShield Manager backup files on the FTP server.)

vShield Manager via Web Browser vs. vSphere Client Plug-in
You can manage the vShield appliances from the vShield Manager user interface or from the vSphere Client; use whichever works best for you. The functions that you cannot access from the vSphere Client are:
- Configuring the vShield Manager's settings
- Backing up the vShield Manager's database
- Configuring the vShield Manager's users
- The vShield Manager's system events and audit logs
- Configuring vShield App's Spoof Guard, Fail Safe mode and VM exclusion list

DEMO/LAB: vShield Manager

Agenda
- Introduction to vShield Suite
- vShield Manager Installation, Configuration and Administration
- Planning and Installation of vShield App
- vShield App Flow Monitoring
- vShield App Firewall Management
- vShield App Spoof Guard
- Role Based Access Control (RBAC) Model of vShield
- Deployment & Availability Considerations of vShield App
vShield App Architecture: Hypervisor-Level Firewall
- Inbound/outbound connection control enforced at the virtual NIC level
- Dynamic protection as virtual machines migrate
- Protection against ARP spoofing
(Diagram: vCenter Server, vSphere Client and vShield Manager managing a vShield App on each ESXi host.)

Before vShield App Is Deployed
(Diagram: VMs connected directly to the vSwitch/vDS on the vSphere host.)

After vShield App Is Deployed
(Diagram: the vShield hypervisor module sits between the VMs and the vSwitch/vDS.) All VM traffic is passed via the loadable kernel module (LKM) and inspected by the vShield firewall.

Deploying vShield App
vShield App Installation Requirements
You must meet the following requirements:
- Deploy one vShield Manager system per vCenter Server
- Deploy one vShield App instance per ESXi host
- You must be using vCenter Server version 5.0
- You must have the vShield Manager OVA file
Hardware summary:
- Memory: 1 GB (automatically reserved)
- CPU: 2 vCPU
- Disk space: 5 GB

vShield App Installation Requirements (contd.)
vCenter privileges:
- Access to the vSphere Client
- Ability to add and power on virtual machines
- Ability to access the datastore holding the virtual machine files, and to copy files to this datastore
Make sure that cookies are enabled in order to access the vShield Manager.
Web browser versions: Internet Explorer 6.x and later; Mozilla Firefox 1.x and later; Safari 1.x or 2.x

Steps to Install vShield App
Select Installation Parameters for vShield App
Warning displayed: this port group must be able to reach the port group that the vShield Manager is connected to.

vShield Installation in Progress
The vShield App virtual machine name is always suffixed with the name of the ESXi host.

Verifying vShield App Installation

Verifying vShield App Installation: Memory Reservation
Verifying vShield App Installation: Virtual Machine Protection
Protected VMs are shown with a protected icon. This is only visible via the web interface.

Verifying vShield App Installation: vShield App FW Status
vShield App Packet Flow
(Diagram: Telnet from a VM on Host 1 to a VM on Host 2 over port group PG-X and VLAN 1000, with a vShield App appliance on each host.)
1. The VM sends the packet out as part of the Telnet protocol; it is intercepted by the virtual network adapter-level firewall and forwarded to the vShield App on that host.
2. The vShield App appliance inspects the packet. If the security profile allows the packet to flow through, the packet is sent back to the virtual network adapter-level firewall.
3. The virtual network adapter-level firewall sends the packet to the vSwitch port group PG-X.
4. The vSwitch looks up the MAC address and accordingly sends the traffic out on the uplink port of Host 1.
5. The external infrastructure, which involves physical switches, carries this packet on VLAN 1000.
6. The external switch sends the packet to the Host 2 network adapter based on its MAC address table.
7. The vSwitch on Host 2 receives the packet, looks up the MAC address and accordingly sends the traffic to the virtual machine on Host 2.
8. The virtual network adapter-level firewall intercepts the packet and forwards it to the vShield App appliance on Host 2.
9. The vShield App appliance on Host 2 inspects the packet, as in step 2.
10. The virtual network adapter-level firewall sends the packet to the VM.

Flow Monitoring Introduction
Inter-virtual machine communications: all traffic of a protected virtual machine is directed to the virtual network adapter-level firewall, which equips the vShield App firewall to read the packets moving in and out of virtual machines. Data is displayed in graphical and tabular format; the tabular format is further divided into allowed and blocked traffic, as shown on the next slide.
Flow Monitoring: Tabular Format
The data displayed below can be used to learn the type of traffic flowing in and out of a VM. We can then use this data to create allow or block rules.
Flow Monitoring: View and Interpret Charts and Reports
Flow Monitoring: Traffic Categorization Based on Protocol/Application
Flow Monitoring: Key Advantages
- Analysis of inter-VM traffic can be done easily
- You can dynamically create rules right from the flow monitoring console
- This can be a great help for debugging network-related problems, as you can enable logging for each individual virtual machine on an as-needed basis
DEMO/LAB: Installing vShield App & Flow Monitoring
Introduction: vShield App Firewall
- vNIC-level firewall: vShield App installs as a hypervisor module and a firewall service virtual appliance, and places a firewall filter on every virtual NIC
- IP-based stateful firewall
- No network changes or IP changes required
- vShield App can create and enforce logical application boundaries (i.e. not just VLAN or physical subnet) all the way down to layer 2
vShield App Firewall Rules: L2 and L3 Rules
Firewall protection through access policy enforcement: the App Firewall tab represents the vShield App firewall access control list.
- L2 rules monitor ICMP, IPv6, PPP and ARP traffic.
- L3 rules monitor DHCP, FTP, SNMP and HTTP. L3 rules also monitor application-specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP).
- You can configure Layer 3 and Layer 2 rules at the datacenter level only.
- By default, all L3 and L2 traffic is allowed to pass.
Hierarchy of vShield App Firewall Rules
- Rules are enforced top to bottom: the first rule in the table that matches the traffic parameters is enforced.
- System-defined rules cannot be deleted or added; you can only change their action element, i.e. Allow (default) or Deny.
Rule Precedence
1. All Layer 2 rules are applied first:
   - In Layer 2, High Precedence rules are applied first (1)
   - In Layer 2, Low Precedence rules are applied second (2)
   - In Layer 2, System Defined rules are applied last (3)
2. All Layer 3 rules are applied second:
   - In Layer 3, High Precedence rules are applied first (4)
   - In Layer 3, Low Precedence rules are applied second (5)
   - In Layer 3, System Defined rules are applied last (6)

Container-Level and Custom Priority Precedence

How to Define a Firewall Policy Rule
Firewall policies contain 5 pieces of information.

vSphere Groupings
vSphere groupings can also be based on network objects, specifically port groups and VLANs.
Firewall Rules Example 1: Using vSphere Groupings
When you specify a container as the source or destination, all IP addresses within that container are included in the rule.
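The precedence and container rules described above, as an added Python model (not code from the slides or from VMware): the container names and addresses are constructed, and the rule table mixes the slide examples to show that a high-precedence deny beats a low-precedence allow, that "outside <container>" negates the destination, and that the system-defined default can only have its action changed.

```python
"""Model of vShield App firewall rule precedence (added example, not from the deck).

All Layer 2 rules are evaluated before all Layer 3 rules; inside each layer
High precedence, then Low precedence, then the System-defined default rule.
Within a group rules are read top to bottom and the first match is enforced.
A container in the source/destination field stands for all of its addresses.
All container names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Group evaluation order from the precedence slide (lower number first).
ORDER = {("L2", "high"): 1, ("L2", "low"): 2, ("L2", "system"): 3,
         ("L3", "high"): 4, ("L3", "low"): 5, ("L3", "system"): 6}

# Constructed containers: IP sets hold addresses/prefixes, MAC sets hold MACs.
CONTAINERS = {
    "Medical Records": ["10.10.1.0/24"],                        # resource pool
    "WinXP01-Server18-IP": ["192.168.1.105", "192.168.1.125"],  # IP set
    "WinXP01-Server18-MAC": ["00:50:56:aa:bb:01"],              # MAC set
    "Fort-MAC": ["00:50:56:aa:bb:01", "00:50:56:aa:bb:02"],     # stand-in for the "Fort" datacenter
}


@dataclass
class Rule:
    name: str
    layer: str             # "L2" (non-IP frames such as ARP/RARP) or "L3" (IP)
    precedence: str        # "high", "low" or "system"
    source: str            # container name or "any"
    destination: str       # container name or "any"
    protocol: str          # "ARP", "RARP", "TCP/80", ... or "any"
    action: str            # "allow" or "deny"
    log: bool = False
    outside: bool = False  # destination means "outside <container>" (negated)


@dataclass
class Packet:
    layer: str             # "L2" or "L3"
    src: str               # MAC for L2, IP for L3
    dst: str
    protocol: str


def in_container(address, name):
    """Membership test: MAC sets compare strings, IP sets use prefixes."""
    if name == "any":
        return True
    for member in CONTAINERS[name]:
        if ":" in member:
            if member.lower() == address.lower():
                return True
        elif ip_address(address) in ip_network(member, strict=False):
            return True
    return False


def matches(rule, pkt):
    if rule.layer != pkt.layer:
        return False
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if not in_container(pkt.src, rule.source):
        return False
    dst_in = in_container(pkt.dst, rule.destination)
    return (not dst_in) if rule.outside else dst_in


def evaluate(rules, pkt):
    """Return (action, matching rule name, logged). sorted() is stable, so the
    table order inside a precedence group is kept and the first match wins."""
    for rule in sorted(rules, key=lambda r: ORDER[(r.layer, r.precedence)]):
        if matches(rule, pkt):
            return rule.action, rule.name, rule.log
    return "allow", "<no rule>", False


def set_default_action(rules, action):
    """System-defined rules cannot be added or deleted, only their action changed."""
    for rule in rules:
        if rule.precedence == "system":
            rule.action = action


def sample_rules():
    """Constructed table mixing the slide examples; deliberately out of order to
    show that layer and precedence, not list position, decide evaluation order."""
    return [
        Rule("default L3", "L3", "system", "any", "any", "any", "allow"),
        Rule("default L2", "L2", "system", "any", "any", "any", "allow"),
        Rule("allow web", "L3", "low", "Medical Records", "any", "TCP/80", "allow"),
        Rule("no access to XP servers", "L3", "high", "Medical Records",
             "WinXP01-Server18-IP", "any", "deny", log=True),
        Rule("no RARP outside Fort", "L2", "high", "WinXP01-Server18-MAC",
             "Fort-MAC", "RARP", "deny", log=True, outside=True),
    ]
```

With `sample_rules()`, HTTP from 10.10.1.5 to 192.168.1.105 hits the high-precedence logged deny even though the low-precedence rule allows HTTP, and `set_default_action(rules, "deny")` flips the default rule as the best-practice slides recommend.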
Firewall Rules Example 2: Using vSphere Groupings
How to Create a Firewall Rule: Step 1
How to Create a Firewall Rule: Step 2
(Screenshot callouts: Enter source; Enter destination and other details.)

How to Create a Firewall Rule: Step 2 (contd.)
(Screenshot callouts: Server inside the "WinXP01-Server18" group; Server outside the "Fort" datacenter.) A server inside the "WinXP01-Server18" group cannot access systems outside the "Fort" datacenter over the RARP protocol, and this traffic is logged.

How to Create a Firewall Rule: Step 3, Publishing the Rule
Create Rules Using MAC Sets and IP Sets
You can also define rules based on MAC sets and IP sets. Where do we use this type of rule? When you want to configure a rule based on virtual machine identity, i.e. MAC set, IP set and port group. In this case, even if the virtual machine is moved to any other resource pool, the rule will always apply. The same is not true when you define rules based on a resource pool, vApp or cluster: the moment a VM is moved from one resource pool to another, the rule no longer applies.
Creating a MAC Set
The Scope field is selected automatically.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the MAC addresses as shown in the screen below
4. Press OK
Creating an IP Set
The Scope field is selected automatically.
1. Enter the name of the group
2. Optionally enter a description
3. Enter the IP addresses as shown in the screen below
4. Press OK
After the MAC Set Is Created
The screen below shows the group configuration when it is complete. Use the Edit and Delete buttons to change the IP/MAC set.
vSphere Grouping Example
(Diagram: the "WinXP01" rule set contains 192.168.1.105 and 192.168.1.125; the other party is the "Medical Records" resource pool.)

Creating a Rule Based on an IP/MAC Set
Select the datacenter, then on the right-hand side select Layer 3 rule (IP set) or Layer 2 rule (MAC set). Select Add Rule and enter the details as shown on the next slide.
Anything inside Medical Records cannot access the IPs defined inside the IP set "WinXP01-Server18-IP", i.e. 192.168.1.105 and 192.168.1.125. If you select "outside" instead, then Medical Records can access only the IPs defined inside "WinXP01-Server18-IP".

Creating a Security Group: Step 1
Creating a Security Group: Step 2
NIC-level grouping is possible.

Creating a Rule Based on a Security Group
(Screenshot callouts: Press OK; Publish the rule.)

Rule Based on a vSphere Security Group / Port Group
The logical rule translates into the physical world as explained below.
Even if the VMs are in the same datacenter, cluster, ESXi host, resource pool or vApp, they cannot communicate.

Advantages of Security Groups
vShield App allows you to create custom containers known as security groups. You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then you can use the security group in the source or destination field of an App Firewall rule. The key benefit of security groups is the ease of creating different trust zones. Whether through the use of vSphere objects or manually configured security groups, the key benefit is ease and quality of protection through logical zoning, as opposed to carving up a network to provide network isolation.
Best Practices: Firewall Rules
Create firewall rules that meet your business and security needs:
- Identify source and destination.
- Take full advantage of vSphere groupings.
- Use vSphere security groups only when you create rules based on vSphere groupings.
- By default the vShield firewall allows incoming and outgoing traffic; as a best practice you may want to deny all traffic.

Building Firewall Rules
Option A: More restrictive
- vShield installs with a default allow rule
- Build rules based on the application/vendor's port guide
- Monitor, document and validate traffic flows via vShield Flows
- Adjust rules as necessary
- Change the default rule to deny
Option B: Less restrictive
- vShield installs with a default allow rule
- Build rules between communicating VMs, allowing all traffic between the selected VMs
- Monitor, document and validate traffic flows via vShield Flows
- Adjust rules as necessary
- Change the default rule to deny

Logging and Auditing
vShield App has its own logging mechanism. Logging can be a great help in troubleshooting the App appliance. Auditing of traffic that was either allowed or blocked can be configured per rule set; you have to enable logging for every rule you configure. Logs are captured and retained for one year; logs older than one year are overwritten.
Note that enabling logging for rules that match a high volume of traffic can impact performance. Therefore, be selective about the rules that you want to log.
vShield Manager Event Logging: Audit Logs
All actions performed by all vShield users are captured as events and available for audit. Logging is also done for system-related operations, e.g. an appliance is down, rebooted or unreachable. If the App appliance is unreachable, it is reported as unreachable to vShield Manager.
vShield Manager Event Logging: Audit Logs
Events are further categorized as informational or critical, as shown below.
Configuring Syslog Server for vShield App
All vShield App configuration parameters are available only when you select the host on the left-hand side.

Configuring Syslog Server for vShield App (contd.)
Three log levels are available:
1. Alert
2. Emergency
3. Critical
If you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.
Interpreting Logs of Traffic Rules: Example 1
Fields in the log line: proto = protocol; vesxi27 = host at which the alert was observed; L2 = Layer 2 protocol; DROP = traffic was dropped
Interpreting Logs of Traffic Rules: Example 2
Fields in the log line: proto = ICMP protocol; vesxi27 = host at which the alert was observed; L3 = Layer 3 protocol; DROP = traffic was dropped
Reverting to a Previous vShield App Firewall Configuration
- Automatic mechanism to create backups of the firewall rule configuration
- vShield Manager takes a snapshot each time a new rule is committed
- A previous configuration can easily be reverted via the drop-down menu
Role-Based Access Control (New in vShield Manager 5.0)

Role | Privilege summary
Super user (admin) | vShield operations and security: everything related to the vShield product
vShield admin | vShield operations only: installation, configuration of virtual appliances, ESX host modules, etc.
Security admin | vShield security only: policy definition, reports for Edge, App, Endpoint and Data Security
Auditor | Read-only access to vShield operations and security settings

RBAC: Scope
Role-based access control (RBAC) enables clear separation of workflow for virtual infrastructure and security administrators. RBAC provides flexibility in delegating administration across resource pools and security groups, improving security of applications and data.
(Diagram: delegation of scope to vSphere Administrators.)

LAB/DEMO
- Firewall lab
- Reverting to a previous vShield App firewall configuration
- User creation and configuration
Spoof Guard: Why Use Spoof Guard?
To reduce man-in-the-middle attacks, referred to as IP and MAC spoofing.
How does it work? VM IP addresses are collected during the synchronization cycle that happens between vShield and vCenter via the vSphere API. If the IP address is modified in the VM and does not match the data collected by Spoof Guard, the VM is isolated and not allowed to communicate outside. It works in the datacenter context and is disabled by default.
Enable Spoof Guard
Click Edit to enable it. Select Enable first and then select the option as per your requirement.
Spoof Guard: IP Address Monitoring and Management
Collected IP addresses can be monitored and managed automatically or manually.
1. Automatically trust IP assignments on their first use
   - The IP is gathered when the VM is powered on for the first time. This data is read via VMware Tools.
   - Once the list is populated it is pushed down to the vShield App virtual appliance, which then inspects every packet originating from a network adapter for the prescribed IP. If these do not match, the packet is simply dropped.
   - This operates separately from App Firewall rules.
2. Manually inspect and approve all IP assignments before use
   - In this mode all traffic is blocked until you approve the MAC-to-IP address assignment.
NB: Spoof Guard inherently trusts the MAC addresses of virtual machines from the VMX files and the vSphere SDK.

Spoof Guard: View and Approve IP
(Screenshot callouts: lists the IP addresses where the current IP address does not match the published IP address; IP address changes that require approval before traffic can flow to or from these VMs; list of all validated IP addresses.)

Spoof Guard: View and Approve IP (contd.)
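The two Spoof Guard modes and the view-and-approve workflow above, as an added Python model (not code from the slides or from VMware). The MACs and IPs are constructed, and the handling of the 5.0.1 exclusion list (excluded VMs bypass the check but their MAC/IP pairs are still recorded) is an assumption drawn from the deployment slides later in the deck.

```python
"""Model of vShield App Spoof Guard decisions (added example, not from the deck).

"auto" trusts the IP a vNIC reports on first use; "manual" blocks all traffic
until the admin approves each MAC-to-IP assignment. In both modes a packet
whose source IP differs from the published IP of its vNIC is dropped,
independently of the App Firewall rules. MAC addresses are taken as trusted
(VMX file / vSphere SDK). Excluded VMs (assumed 5.0.1 exclusion-list
behaviour) bypass the check. All MACs and IPs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SpoofGuard:
    mode: str = "auto"                                # "auto" or "manual"
    enabled: bool = False                             # disabled by default
    published: dict = field(default_factory=dict)     # MAC -> approved IP
    pending: dict = field(default_factory=dict)       # MAC -> IP awaiting approval
    excluded: set = field(default_factory=set)        # MACs of excluded VMs

    def observe_ip(self, mac, ip):
        """IP reported for a vNIC (VMware Tools at first power-on / sync cycle).

        Pairs are recorded even for excluded VMs, so they still appear in the
        Spoof Guard tab although enforcement is off for them.
        """
        if not self.enabled:
            return
        if self.mode == "auto" and mac not in self.published:
            self.published[mac] = ip        # trust on first use
        elif self.published.get(mac) != ip:
            self.pending[mac] = ip          # listed under "requires approval"

    def approve(self, mac):
        """Admin approves the pending assignment; the old IP stops working."""
        if mac in self.pending:
            self.published[mac] = self.pending.pop(mac)

    def requires_approval(self):
        """Changed or unapproved MAC-to-IP assignments awaiting the admin."""
        return dict(self.pending)

    def check_packet(self, mac, src_ip):
        """Return "pass" or "drop" for a packet leaving the vNIC with this MAC."""
        if not self.enabled or mac in self.excluded:
            return "pass"
        return "pass" if self.published.get(mac) == src_ip else "drop"
```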
vShield Manager Deployment Considerations
- Do not host vShield Manager on the same cluster that it is responsible for managing. If vShield Manager is deployed within the infrastructure it is protecting, you will suffer circular dependencies*. E.g. an inadvertent configuration error could result in an unmanageable environment if the vShield Manager appliance were to lose connectivity or were prevented from communicating with other components due to a misconfigured security policy.
- You cannot use VMware FT to protect vShield Manager if vShield App is deployed. This only applies if vShield App is deployed from the vShield Manager in question.
- A vShield Manager instance must be deployed for each vCenter in use.
* Starting with vShield 5.0.1 you can exclude vShield Manager from the host's protection.
(Screenshot callout: the entry is made inside the VMX file.)

vShield Manager Placement Considerations: Option 1
(Diagram: a Management Cluster on vSphere 5.0 running vCenter 5.0, vShield Manager, AD/DNS/DHCP and VCDB/VUMDB, separate from the Production Cluster running Edge and App FW.) The Shared Management Cluster model isolates the management components from being impacted by Production Cluster hardware failures.
Management cluster components: vSphere 5.0, vCenter Server/Appliance, vCenter Database, vShield Manager, vCenter Update Manager, Active Directory, DNS, Syslog Server.

vShield Manager Deployment Considerations: Option 2
(Diagram: Production Cluster A and Production Cluster B each run Edge and App FW, and each hosts the vCenter 5.0 and vShield Manager that manage the other.) The Cross-Managed Cluster model provides isolation similar to a management cluster.

vShield Manager Deployment Considerations: Option 3
(Diagram: a single Production Cluster running Edge, App FW, vCenter 5.0 and vShield Manager.) Single cluster model with vShield Manager exclusion*: disables vApp protection using the exclusion list.

VM Exclusion Introduced in vShield 5.0.1
- With 5.0.1 there is now an option to exclude a VM. This has the effect of disabling all vShield App protection for the excluded VM, including Spoof Guard.
- The exclusion list is applied across all vShield App installations within the specified vShield Manager.
- If a virtual machine has multiple vNICs, all of them are excluded from protection.
- The vShield Manager and service virtual machines are automatically excluded from vShield App protection.
Caveat: the MAC/IP pairs for an excluded VM will still show up in the Spoof Guard tab of the UI, even though the functionality is disabled.

How to Exclude a VM from vShield App
After Fail Safe is enabled, VMs that are powered on are fast-suspended and resumed, while powered-off VMs are just reconfigured.
(Screenshots: VMX entry for Web01 before Fail Safe is enabled; VMX entry for Web01 after Fail Safe is enabled.)

vShield App Deployment Considerations
- vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to.
- Renaming the vShield App security virtual machine is not supported. Doing so renders it unmanageable, as vShield Manager uses the name it assigned at the point of provisioning to manage the vShield App security virtual machine.
- Use vShield App security groups to tier servers of the same function (DC, web server, DB server etc.). This simplifies firewall configuration and rules.
Availability Considerations: vShield App

Availability Considerations: vShield Manager
What if the vShield Manager appliance is unavailable?
- First and foremost, zero impact: all existing vShield App rules remain enforced and logs are still sent to the syslog server.
- The only impact is that new rules or changes to existing rules cannot be made. In addition, flow-monitoring data might be lost, depending on the duration of the failure.
- A vShield Manager backup can be used to restore it.
What If host which is hosting vShield Manager appliance is unavailable vShield manager is HA and DRS aware and can take full advantage of it. In this case vShield Manager will automatically restart to another host
130 Preetam Zare Availability Considerations: vShield App What If vShield App appliance is unavailable All traffic to and from the protected virtual machines hosted on the host on which vShield App was running is blocked * At process level, built-in watch dog restarts the failed processes VMware HA virtual machine monitoring will detect (via VMware tools and network packets) and restart fail vshield app. vCenter Alarm is triggered if VM migrates onto a host where vShield Appliance is not installed
What If host which is hosting vShield App appliance is unavailable DRS is disabled for vShield App Except for vshield App VM, protected VMs are restarted on another host and they get automatically protected assuming the host is installed with vShield App
* From vShield 5.0.1 , you have option to disable this behavior, though strongly not recommended 131 Preetam Zare vShield App: DRS and HA Settings The HA restart priority for the vShield App appliance is set to high. This is to ensure it is the first to restart during failure over event. It makes sure that its running before the VMs its protecting . vShield vApp should never be moved to another host. Therefore during installation DRS is automatically disabled for vShield vApp If the host is put in maintenance mode, vShield App automatically shuts down and automatically restarts when host exits maintenance mode. You cannot use FT to protect vShield Manger when vShield App is deployed, vShield Manager used linked clones and snapshots as part of the deployment process for the vShield Firewall Service Appliance virtual machines.
132 Preetam Zare Verifying vShield App Installation HA Restart Priority 133 Preetam Zare Verifying vShield App Installation DRS is Disabled
134 vShield App Industry Best Practices
vShield App provides security protection for virtual machines.
Firewall rule groups will need to be translated from the old firewall into vShield Manager.
Set up roles and responsibilities within vShield Manager that grant administrators only the minimum permissions needed to perform their required functions. For example, give the vSphere administrator the ability to install the vShield Suite via the vShield Admin role, and the ability to view rules via the Auditor role.
Ensure audit logs are reviewed regularly.

135 vShield App Industry Best Practices (contd.)
Define a thorough test plan, including penetration testing and external auditing.
Consider creating an application group that contains the ports of an application. For example, you might create an application group called WEB containing both TCP 80 and 443.
Ensure that vShield Edge and vShield App appliances send all their logs to a centralized syslog server or infrastructure. Consider mirroring the logs to an alternate site.

136 vShield App Industry Best Practices (contd.)
Use the vShield REST APIs to back up the firewall rule base.
Use the REST APIs to turn off rule logging once troubleshooting and implementation are complete, unless there is a reason to leave it enabled.
If you are replicating the infrastructure to a DR site, ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to keep the rule base up to date. Updates and changes to the DR site can be automated using the vShield REST APIs, which can also be integrated with VMware vCenter Site Recovery Manager.
vShield App and Host Profiles

137 Agenda: vShield Edge
Planning and Installation of vShield Edge
vShield Edge Services: DHCP, NAT, Firewall, VPN, Load Balancing, Static Routing
Scenarios
Deployment and Availability Considerations
138 Introduction
vShield Edge protects the edge of the infrastructure.
Common gateway services: DHCP, VPN, NAT, Static Routing, Load Balancing.
Common deployment models: DMZ, VPN, Extranets, Multi-Tenant Cloud Environment.

139 Logical View of vShield Edge
Network isolation happens at the port group level.

140 Port Group Isolation based on VLAN
With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration. Isolation of virtual machines is provided exclusively by VLANs at Layer 2.
When to use VLAN isolation: the network infrastructure is built around VLANs, or physical machines need to participate in the protected network.
Virtual switch support: vSS, vDS, Cisco Nexus 1000V.

141 (diagram: VMware vSphere hosts behind the access/aggregation layer; an Internet-facing VLAN-108, PG-CORP1 on VLAN-126 and PG-CORP2 on VLAN-135; two vShield Edge instances, each with an EXTERNAL INTERFACE and an INTERNAL INTERFACE)
142 vCloud Director Network Isolation
VM identity is used to isolate a group of VMs from other VMs.
All VMs are on a single Layer 2 domain but are isolated by assigning them to different port groups.
Traffic between VMs in the same port group is allowed, but traffic between VMs in different port groups is not allowed by the virtual switch.
This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), not on a standard switch (vSS) or the Cisco Nexus 1000V.

143 vCDNI: Communication Between Tenants Across Hosts
The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.

144 vCDNI: Communication Between Tenants Within a Host
The VMs' traffic is isolated because they are on different secured port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.

145 vCDNI: Communication Between VMs of the Same Tenant
VMs of the same tenant communicate freely, without going through the vShield Edge VM or the Provider VLAN.

146 Advantages of vCloud Director Network Isolation (vCDNI)
Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale.
Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs.
Finally, a key advantage of cloud network isolation over VLAN isolation is that it does not need any complex configuration at the aggregation layer.
147 Protecting Extranet: VPN Services
148 vShield Edge: DHCP Services
149 vShield Edge: NAT Services
150 vShield Edge Services: Load Balancer Services
151 vShield Edge Services: Firewall Services

152 vShield Edge Firewall Rules and Direction
A vShield Edge has an EXTERNAL INTERFACE and an INTERNAL INTERFACE, and rules are defined per interface and direction (EXTERNAL INTERFACE: INCOMING / OUTGOING, INTERNAL INTERFACE: INCOMING / OUTGOING).
Incoming traffic on both interfaces is blocked by default.
Outgoing traffic on both interfaces is allowed by default.

153 vShield Edge Firewall Rules and Direction: Example
(diagram: a PRIVATE PORT GROUP on the 172.16.1.0/24 subnet behind the internal interface; the 172.16.2.0/24 subnet on the external interface side; traffic incoming)

154 vShield Edge Services: Static Routing
Most networks have a single router called the default gateway. If a network has a default gateway, the nodes on the network can send traffic to the gateway, and the gateway forwards the traffic to its destination.
All machines in a network have a routing table. A routing table is a list of destination networks and the router that carries traffic to each destination. Manually adding routes to a routing table is called static routing.
Some networks have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for, and they store this information in their routing table.
On a vShield Edge you can create a static route on either the internal network or the external network.
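The routing-table behaviour described above, as an added Python example that is not part of the slides or of any VMware code: a longest-prefix-match lookup plus a hop-by-hop trace over the two-vShield-Edge topology used in the static routing scenario that follows. The address assignments (APP1 VM 172.16.1.10 behind an edge with internal interface 172.16.1.1 and external interface 192.168.1.233; APP2 VM 172.16.2.10 behind an edge with internal 172.16.2.1 and external 192.168.1.232; PG-PUBLIC as 192.168.1.0/24) are my reading of the slide diagram and are an assumption, as are the node names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: str              # destination network, e.g. "172.16.2.0/24"
    next_hop: Optional[str]   # None = directly connected, deliver locally
    interface: str            # "internal" / "external" on an edge, "eth0" on a VM


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: of all routes that contain dst, the most specific wins.
    A default route (0.0.0.0/0) therefore only applies when nothing else matches."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in ip_network(r.network)]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r.network).prefixlen)


# Constructed topology (assumed reading of the slide diagram, see lead-in).
PUBLIC_NET = "192.168.1.0/24"
TABLES: Dict[str, List[Route]] = {
    "app1-vm": [Route("172.16.1.0/24", None, "eth0"),
                Route("0.0.0.0/0", "172.16.1.1", "eth0")],        # default gateway = APP1 edge
    "edge-app1": [Route("172.16.1.0/24", None, "internal"),
                  Route(PUBLIC_NET, None, "external"),
                  Route("172.16.2.0/24", "192.168.1.232", "external")],  # static route (slide 158)
    "edge-app2": [Route("172.16.2.0/24", None, "internal"),
                  Route(PUBLIC_NET, None, "external"),
                  Route("172.16.1.0/24", "192.168.1.233", "external")],  # static route (slide 159)
    "app2-vm": [Route("172.16.2.0/24", None, "eth0"),
                Route("0.0.0.0/0", "172.16.2.1", "eth0")],        # default gateway = APP2 edge
}

# Which node owns which interface address, so that a next hop can be followed.
OWNER = {"172.16.1.1": "edge-app1", "192.168.1.233": "edge-app1",
         "192.168.1.232": "edge-app2", "172.16.2.1": "edge-app2"}


def trace(src_node: str, dst: str, tables: Dict[str, List[Route]] = TABLES,
          max_hops: int = 8) -> List[str]:
    """Follow next hops from src_node until dst sits on a directly connected network.
    Returns the hop addresses like a tracert, ending in dst, "unreachable" or "loop"."""
    path, node = [], src_node
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:
            return path + ["unreachable"]      # no matching route and no default gateway
        if route.next_hop is None:
            return path + [dst]                # delivered on the connected network
        path.append(route.next_hop)
        node = OWNER.get(route.next_hop)
        if node is None:
            return path + ["unreachable"]      # next hop is not a node we know
    return path + ["loop"]


def tables_without_static_route(edge: str = "edge-app1") -> Dict[str, List[Route]]:
    """Same topology with the static route removed from one edge, to show why it is needed."""
    t = {name: list(routes) for name, routes in TABLES.items()}
    t[edge] = [r for r in t[edge] if r.next_hop is None]
    return t


if __name__ == "__main__":
    print("APP1 -> APP2:", trace("app1-vm", "172.16.2.10"))
    print("APP1 -> APP2 without the static route:",
          trace("app1-vm", "172.16.2.10", tables_without_static_route()))
```

With the static route in place the trace from the APP1 VM runs through its own edge (172.16.1.1) to the APP2 edge's external interface (192.168.1.232) and is delivered; remove the route from the APP1 edge and the packet dies there, because the edge has no default gateway that could carry 172.16.2.0/24. That is the failure the "Configure Static Route" slides prevent.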
155 Static Routing between two vApps
(diagram: APPLICATION 1 on port group PG-APP-1 and APPLICATION 2 on port group PG-APP-2, each behind its own vShield Edge whose internal interface faces the application and whose external interface connects to PG-PUBLIC; addresses shown: 172.16.1.10, 172.16.1.1, 192.168.1.233, 192.168.1.232, 172.16.2.1, 172.16.2.10)

156 Installing vShield Edge for Application 1
Installing the vShield Edge appliance for APP1.

157 vShield Edge Installed for Application 1 and Application 2

158 Configure Static Route for the APP1 Network
Network: the network APP1 wants to reach. Gateway: the gateway of the destination network.

159 Configure Static Route for the APP2 Network
Network: the network APP2 wants to reach. Gateway: the gateway of the destination network.

160 Static Route Set Up for the APP1 and APP2 Networks
(same diagram as slide 155)

161 Configuring Firewall Rules to Allow the APP1 and APP2 Networks to Communicate with Each Other
(same diagram as slide 155) Outgoing traffic is allowed by default.

162 Configuring Firewall Rules to Allow the APP1 and APP2 Networks to Communicate with Each Other (contd.)
(same diagram as slide 155)

163 Rules defined at the APP-1 firewall; rules defined at the APP-2 firewall.

164 Ping and tracert requests from the APP1 VM

165 Ping and tracert requests from the APP2 VM

166 How To Configure NAT Services
Scenario: a customer wishes to access web server Web01, which sits inside the DMZ network of CORP A. Web01 sits in the 10.1.1.x/24 network and has been assigned the IP 10.1.1.10 by the vShield Edge DHCP service. The customer network is 192.168.1.x/24. We can configure NAT to make Web01 reachable from the customer network.

167 vShield Edge Configured to Meet the Customer Scenario
(diagram: Web01 and Web02 (10.1.1.10 and 10.1.1.11) on a private vSwitch behind the vShield Edge internal interface 10.1.1.1; the external interface 192.168.1.135 is on a vSwitch connected to the external 192.168.1.x network; configured on the edge: 1. DHCP service, 2. NAT service, 3. FW rules)

168 Configure DHCP

169 Use SNAT when an internal IP needs to be translated into an external IP. Use DNAT when an external IP needs to be translated into an internal IP.

170 Open Firewall Ports to Allow NAT Traffic

171 (same diagram as slide 167)

172 vShield Edge Deployment Considerations
Only HTTP (80) round-robin load balancing is currently supported.
Each vShield Edge instance supports a maximum of 10 site-to-site VPN sessions.
VMware strongly recommends protecting vShield Edge appliances using the HA and DRS features. If a cluster host running a vShield Edge appliance goes offline, the appliance is restarted on another host in the cluster.

173 Traditional Layer 2 Segmentation
(diagram: PG 1 on VLAN 11, PG 2 on VLAN 12 and PG 3 on VLAN 13 on a vSwitch/vDS connected to the physical switch)

174 Cloud Network Isolation (CNI) Segmentation
(diagram: PG 1, PG 2 and PG 3 all on VLAN 1 on a vDS connected to the physical switch)
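The NAT scenario and the firewall defaults described above (slides 152 and 166 to 170), as an added Python model that is not part of the slides or of VMware's code: DNAT, SNAT and the default-deny-incoming / allow-outgoing rule check of a vShield Edge on the scenario's addresses. The customer address 192.168.1.50, the rule structures and the processing order (DNAT first, then the incoming rule matched against the translated address) are my assumptions for this model, and the model is stateless, so it does not track reply traffic. It shows two things the slides only state: traffic to a port with no DNAT entry is dropped by the default, and DNAT alone is not enough, the "open firewall ports" step is still required.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed from the slide scenario: Web01 10.1.1.10 behind the edge internal interface
# 10.1.1.1; the edge external interface 192.168.1.135 sits on the customer network 192.168.1.0/24.
EDGE_EXTERNAL_IP = "192.168.1.135"
INTERNAL_NET = ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    kind: str                    # "DNAT" (external -> internal) or "SNAT" (internal -> external)
    original: str                # DNAT: external address matched; SNAT: internal network matched
    translated: str              # address written in its place
    dport: Optional[int] = None  # DNAT only: restrict the translation to one destination port


@dataclass(frozen=True)
class FwRule:
    interface: str   # "external" or "internal"
    direction: str   # "incoming" or "outgoing"
    dst: str         # destination network, matched after DNAT (assumption of this model)
    dport: int
    action: str      # "allow" or "deny"


# Slide 152: incoming traffic blocked and outgoing traffic allowed by default, on both interfaces.
DEFAULT_ACTION = {"incoming": "deny", "outgoing": "allow"}


def apply_dnat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """Rewrite the destination of traffic sent to a published external address."""
    for r in rules:
        if r.kind == "DNAT" and pkt.dst == r.original and r.dport in (None, pkt.dport):
            return replace(pkt, dst=r.translated)
    return pkt


def apply_snat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """Rewrite the source of traffic leaving the internal network."""
    for r in rules:
        if r.kind == "SNAT" and ip_address(pkt.src) in ip_network(r.original):
            return replace(pkt, src=r.translated)
    return pkt


def firewall_verdict(pkt: Packet, interface: str, direction: str, rules: List[FwRule]) -> str:
    """First matching rule for this interface and direction wins; otherwise the default applies."""
    for r in rules:
        if ((r.interface, r.direction) == (interface, direction)
                and ip_address(pkt.dst) in ip_network(r.dst) and r.dport == pkt.dport):
            return r.action
    return DEFAULT_ACTION[direction]


def edge_forward(pkt: Packet, nat_rules: List[NatRule], fw_rules: List[FwRule]) -> Tuple[str, Packet]:
    """Return (verdict, packet as it would leave the edge)."""
    if ip_address(pkt.src) in INTERNAL_NET:
        # Web01 -> customer: outgoing on the external interface after SNAT to the edge's address.
        out = apply_snat(pkt, nat_rules)
        return firewall_verdict(out, "external", "outgoing", fw_rules), out
    # customer -> Web01: incoming on the external interface; translate, then check the rule.
    inbound = apply_dnat(pkt, nat_rules)
    return firewall_verdict(inbound, "external", "incoming", fw_rules), inbound


# Slides 169 and 170: publish Web01 on the edge's external address and open port 80 for it.
NAT_RULES = [NatRule("DNAT", EDGE_EXTERNAL_IP, "10.1.1.10", dport=80),
             NatRule("SNAT", str(INTERNAL_NET), EDGE_EXTERNAL_IP)]
FW_RULES = [FwRule("external", "incoming", "10.1.1.10/32", 80, "allow")]


if __name__ == "__main__":
    customer = Packet("192.168.1.50", EDGE_EXTERNAL_IP, 80)   # constructed customer address
    print(edge_forward(customer, NAT_RULES, FW_RULES))
    print(edge_forward(customer, NAT_RULES, []))               # DNAT configured, port not opened
```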
VMs on one PG cannot talk to VMs on another PG at Layer 2, even if they share the same VLAN.

175 Method 1: Using a VLAN per Organization
(diagram: HOST 1 and HOST 2, each hosting ORG A : LAN 72, ORG B : LAN 81 and ORG C : LAN 72, with an Internet-facing network)

176 Method 2: Using a Mixed Trust Model
(diagram: a multi-tenant host with ORG A : LAN 72, ORG B : LAN 81 and ORG C : LAN 63, the latter split into PCI, HIPAA and SOX zones; a single-tenant host with ORG Z : LAN 54; Internet-facing network)

177 Method 3: Single VLAN Multi-Tenant
(diagram: Tenant-1 and Tenant-2 of ORG Z on a single VLAN, LAN 54; Tenant-2 split into PCI, HIPAA and SOX zones, Tenant-1 into Mail, DBA and Web tiers; Internet-facing network; CNI single-VLAN segmentation via vShield App)

178 Performance Statistics
179 Difference between vShield Edge and vShield App
vShield Edge: deployed per port group; enforcement between the virtual datacenter and untrusted networks; stateful, application-level firewall; site-to-site VPN (IPsec), DHCP, NAT, firewall, load balancing, cloud network isolation.
vShield App: deployed per host; enforcement between VMs; change-aware; five-tuple rule-based policies; hypervisor-based firewall, flow monitoring, security groups.

180 Can firewall rules be backed up and restored? How?
There are multiple methods to back up firewall rules. The recommended methods are:
via the vShield Manager user interface
via the REST APIs, which can be scripted/automated
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup.
VI administrators can use the REST APIs (accessible via a web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.

181 REST API Basics
The vShield REST API uses HTTP requests. HTTP requests are often executed by a script or a higher-level language.
vShield REST API workflow:
Make an HTTP request (typically GET, PUT, POST or DELETE) against a vShield Manager URL.
The response is XML and/or an HTTP response code. An XML response is generally a link or other information about the state of the object. The HTTP response code indicates whether the request succeeded or failed.
vShield Manager requires TCP port 80/443 to be open for vShield REST API requests to pass through.

182 Executing REST API Calls using a REST Client
183 (screenshot only)

184 (screenshot only)

185 (screenshot only)

186 Working with IP Sets using the vShield REST API

189 XML Format to Create an IP Set
POST https://<vsm-ip>/api/2.0/services/ipset/datacenter-2
<ipset>
  <objectId />
  <type>
    <typeName />
  </type>
  <description>New Description</description>
  <name>TestIPSet2</name>
  <revision>0</revision>
  <objectTypeName />
  <value>10.112.201.8-10.112.201.14</value>
</ipset>
The empty elements (objectId, typeName, objectTypeName) are created automatically by vShield Manager.

190 Create IP Set
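The REST workflow of slide 181 applied to the IP set request of slide 189, as an added Python client that is not the presenter's code or a VMware sample. It builds the XML body shown on the slide, validates the address value before sending, POSTs to the slide's URL with HTTP basic authentication, and reads the result the way the slide describes: the status code decides success, the body carries the object information. The placeholder host name, the validation rules (a single address or CIDR is accepted in addition to the range shown), the `offline_sender` stub and the assumption that the body of a successful POST is the new object id are mine.

```python
import base64
import ipaddress
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

VSM_HOST = "vsm.example.invalid"   # placeholder for the <vsm-ip> on the slide

# A transport is anything that takes (method, url, body, headers) and returns (status, body).
Sender = Callable[[str, str, str, Dict[str, str]], Tuple[int, str]]


def validate_ipset_value(value: str) -> str:
    """Reject a malformed value before it reaches vShield Manager. The slide shows an
    address range; a single address or a CIDR is also accepted here (my assumption)."""
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {value}")
    else:
        ipaddress.ip_network(value.strip(), strict=False)   # raises ValueError if not an address/CIDR
    return value


def build_ipset_xml(name: str, value: str, description: str = "") -> str:
    """Build the request body from slide 189. objectId, typeName and objectTypeName are
    sent empty; vShield Manager assigns them."""
    validate_ipset_value(value)
    ipset = ET.Element("ipset")
    ET.SubElement(ipset, "objectId")
    ET.SubElement(ET.SubElement(ipset, "type"), "typeName")
    ET.SubElement(ipset, "description").text = description
    ET.SubElement(ipset, "name").text = name
    ET.SubElement(ipset, "revision").text = "0"
    ET.SubElement(ipset, "objectTypeName")
    ET.SubElement(ipset, "value").text = value
    return ET.tostring(ipset, encoding="unicode")


def urllib_sender(username: str, password: str) -> Sender:
    """Real transport: HTTPS (port 443, slide 181) with HTTP basic authentication.
    The vShield Manager certificate must be trusted by this client; import it into the
    trust store rather than turning verification off."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()

    def send(method: str, url: str, body: str, headers: Dict[str, str]) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=body.encode(), method=method,
                                     headers={"Authorization": f"Basic {token}", **headers})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.getcode(), resp.read().decode()
        except urllib.error.HTTPError as e:       # 4xx/5xx still carry a body worth showing
            return e.code, e.read().decode()
    return send


def offline_sender(status: int, body: str):
    """Transport stub for offline use: records each request and returns a fixed reply."""
    calls: List[Tuple[str, str, str, Dict[str, str]]] = []

    def send(method: str, url: str, body_: str, headers: Dict[str, str]) -> Tuple[int, str]:
        calls.append((method, url, body_, headers))
        return status, body
    send.calls = calls
    return send


def create_ipset(send: Sender, name: str, value: str,
                 scope_id: str = "datacenter-2", description: str = "") -> str:
    """POST the IP set under the given scope (the slide uses datacenter-2). The HTTP status
    says whether the call succeeded; the body is returned as the object information."""
    url = f"https://{VSM_HOST}/api/2.0/services/ipset/{scope_id}"
    status, body = send("POST", url, build_ipset_xml(name, value, description),
                        {"Content-Type": "application/xml"})
    if not 200 <= status < 300:
        raise RuntimeError(f"vShield Manager rejected the request: HTTP {status}: {body}")
    return body.strip()


if __name__ == "__main__":
    # Offline run against the stub; swap in urllib_sender(user, password) for a real vShield Manager.
    stub = offline_sender(201, "ipset-1")       # constructed reply
    print(create_ipset(stub, "TestIPSet2", "10.112.201.8-10.112.201.14", description="New Description"))
    print(stub.calls[0][1])
```

Rejecting a reversed or mixed-version range client-side keeps a typo from landing in the rule base as a half-valid object; the server-side status check is what turns a rejected call into a visible failure instead of a silently missing IP set.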