vShield App and vShield Edge

Planning, Installation and Designing based on 5.0.1

From Preetam Zare http://vcp5.wordpress.com

http://vShieldSuite.wordpress.com

Confidential

© 2010 VMware Inc. All rights reserved

2

Agenda –vShield App

• Introduction to vShield Suite • vShield Manager Installation, Configuration and Administration • Planning and Installation of vShield App • vShield App Flow Monitoring • vShield App Firewall Management • vShield App Spoof Guard • Role Based Access Control (RBAC) Model of vShield • Deployment & Availability consideration Confidential

Preetam Zare

3

Agenda –vShield Edge

• Planning and Installation of vShield Edge • vShield Edge Services • • • • • • DHCP NAT Firewall VPN Load Balancing Static Routing • Scenarios • Deployment and Availability Considerations Confidential

Preetam Zare

4

Data Center needs to be secured at different levels

Perimeter Security • Sprawl: hardware, FW rules, VLANs

Cost & Complexity Prevent unwanted access

Internal Security

VLAN

1

VLANs

• VLAN or subnet based policies • Interior or Web application Firewalls

Segment your services

End Point Security • Anti-virus • Data Leak Protection

Protect your data

Preetam Zare

5

Why Security in Virtualized Datacenter?



Network security devices become chokepoints



Capacity is never right-sized



No intra-host virtual machine visibility



Audit trails are lacking



Physical topologies are too rigid



Current Security is static

Preetam Zare

6

Traditional vSphere Infrastructure Setup Without Vshield

INTERNET

VPN Gateway VPN Gateway VPN Gateway L2-L3 Switch Firewall Load Balancer Switch L2-L3 Switch Firewall Load Balancer Switch L2-L3 Switch Firewall Load Balancer Switch

vSphere 5.0

vSphere 5.0

vSphere 5.0

vSphere 5.0

vSphere 5.0

vSphere 5.0

Company A Company B Company C

Preetam Zare

7

vSphere Infrastructure Setup Without Vshield

INTERNET

VPN Gateway VPN Gateway L2-L3 Switch Firewall Load Balancer Switch L2-L3 Switch Firewall Load Balancer Switch

vSphere 5.0

vSphere 5.0

vSphere 5.0

vSphere 5.0

vSphere 5.0

VPN Gateway L2-L3 Switch Firewall Load Balancer Switch

vSphere 5.0

Company A Company B Company C

Preetam Zare

8

vShield Product Family Securing the Private Cloud End to End: from the Edge to the Endpoint vShield App vShield Edge

Edge Secure the edge of the virtual datacenter between workloads - Sensitive data discovery

vShield Endpoint

Endpoint = VM Anti-virus processing

DMZ Application 1 Application 2 vShield Manager

Endpoint = VM Centralized Management

Preetam Zare

What Is vShield Edge?

vShield Edge

Tenant A

vShield Edge

Tenant C

Secure Virtual Appliance Secure Virtual Appliance vShield Edge

Tenant X

Secure Virtual Appliance vShield Edge secures the perimeter, “edge”, around a virtual datacenter.



Common vShield Edge



deployments include:

Protecting the Extranet  Protecting multi-tenant cloud environments Firewall Load balancer VPN

Preetam Zare

vShield Edge Capabilities vShield Edge

Tenant A

vShield Edge

Tenant C

Secure Virtual Appliance Secure Virtual Appliance vShield Edge

Tenant X

Secure Virtual Appliance Edge functionality

• Stateful inspection firewall • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Site to site VPN (IPSec) • • • Web Load Balancer

(NEW) Static Routing (NEW) Certificate mode support for IPSEC VPN Management features

• REST APIs for scripting • Logging of functions Firewall Load balancer VPN

Preetam Zare

Securing the Data Center Interior with vShield App



Key Benefits

• Complete visibility and control to the Inter VM traffic enabling multi trust zones on same ESX cluster.

• Intuitive business language policy leveraging vCenter inventory.

11

Preetam Zare

vShield Endpoint Offload Anti-virus Processing for Endpoints

Benefits • Improve performance by offloading anti-virus functions in tandem with AV partners • Improve VM performance by eliminating anti-virus storms • Reduce risk by eliminating agents susceptible to attacks • Satisfy audit requirements with detailed logging of AV tasks 12

Preetam Zare

Cloud Infrastructure Security- Defense in Depth

* *

First Level of Defense-

•

vShield Edge

Threat mitigation and blocks unauthorized external traffic • • Suite of edge services To secure the edge of the vDC

Zoning within the ORG-

•

vShield App

Policy applied to VM zones • Dynamic, scale-out operation • VM context based controls

Compliance Check

vShield App with data security

• Discover PCI, PHI, PII sensitive data for virtual environment • Compliance posture check

AV agent offload-

•

vShield Endpoint

Attain higher efficiency • • Supports multiple AV solutions Always ON AV scanning 13

Preetam Zare

Agenda

 

Introduction to vShield Suite vShield Manager Installation, Configuration and Administration



Planning and Installation of vShield App



vShield App Flow Monitoring



vShield App Firewall Management



Use Cases of vShield App



Design consideration of vShield App

14 Confidential

Preetam Zare

vShield Manager Introduction vShield manager console acts a central point to install, configure and maintain vShield components e.g. vShield Edge, vShield App and vShield Endpoint Vshield manager is pre-packaged as OVA appliance.

vShield manager OVA file includes software to install vShield Edge, vShield App and vShield Endpoint.

vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.

vShield Manager leverages the VMware infrastructure SDK to display a copy of the vSphere client inventory.

15 Confidential

vShield Manager –Central Management Console Central point of management. For RBAC model, stores flow data and manages Rule base Vshield Manager Automatic deployment of vShield app appliance via vshield manager

You can connect to vshield manager directly via web interface or via vcenter plug-in

Client vCenter VSPHERE VSPHERE VSPHERE

16 Management Network Confidential

Preetam Zare

Vshield Manager Communication Paths Vshield web console vShield Manager REST API --> TCP 80/443 SSH Client

Default Enabled Default disabled 17

vSphere Client TCP 443 Access to ESXi host TCP 902/903 TCP 443 vShield App Appliance

VSPHERE

vCenter

Management Network Confidential

Preetam Zare

vShield Manager Requirements Virtual Hardware

Memory CPU Disk Software Web Browser

Summary

3 GB 1 8 GB vShield OVA File IE6.x and Later, Mozilla Firewall 1.x and Later, Safari 1.x and 2.x

For latest interoperability information check here http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php

18 Confidential

Preetam Zare

Latest interoperability

19 Confidential

Preetam Zare

Permission



Permission to Add and Power on Virtual Machines



Access to datastores where vShield Suite will be deployed



DNS reverse look up entry is working for all ESXi host

20 Confidential

vShield Manager Installation



Multi-Step installation Process

 Obtain the vShield Manager OVA File  Install vShield Manager Virtual Appliance  Configure the Network Settings of the vShield Manager  Logon to the vShield Manager Interface  Synchronize the vShield Manager with the vCenter Server  Register vShield Manager Plug-in with vSphere Client  Change the default admin password of the vShield Manager 21 Confidential

Steps to Install vShield Manager



Open vSphere client, click File menu selects Deploy OVF Template as shown below

22 Confidential

Browse to locate OVA file

New windows will open, We will need to provide OVF file, in our case it is OVA file. Select browse and locate the OVA file you’ve downloaded from VMware’s site 23 Confidential

After selecting the OVA file, press Next. OVA file’s meta will be read and you will see screen below

24 Confidential

Enter name for vShield manager virtual machine and select location as mentioned below

25

Preetam Zare

Select Datastore

Strongly recommended to select shared Datastore so that vMotion, DRS and HA functionality can be used during planned & unplanned downtime.

26

Preetam Zare

Select disk format

27

Preetam Zare

Review the settings and close OVF templates

28

Preetam Zare

Virtual Machine Properties

29

Preetam Zare

Warning :Don’t upgrade VMware tools on vShield Manager Appliances

Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

30

Preetam Zare

Configure the Network Settings of the vShield Manager



Initial Network Configuration i.e. IP, DG and DNS must be done via CLI



Right Click vShield Manager Appliance & Select Open Console

31

Preetam Zare

Contd … Configure the Network Settings of the vShield Manager

32

Preetam Zare

Enter IP, Default Gateway and DNS Details

33 To enter Enabled type ‘enable’ To start wizard type ‘setup’ Enter IP Details Finally Press ‘y’ to confirm settings

Preetam Zare

Contd … Enter IP, Default Gateway and DNS Details

34

Preetam Zare

35

Getting Familiar With Vshield Manager Interface

Preetam Zare

36 Open a Web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session

Log in to the vShield Manager user interface by using the username and the password admin default

.

Preetam Zare

Synchronizing the vShield Manager with the vCenter

Follow Domain\Username format if the user is domain user Don’t select this Enter vCenter Details and Press Save

Register vCenter extension to access vshield manager within vCenter

37

Preetam Zare

After vShield Manager and vCenter Are Connected After synch is completed, vCenter data is populated as seen below screen.

On the right hand of the screen we see confirmation that vSphere Inventory was successfully updated

38 vShield Manager doesn’t Appear as resource in the Inventory Panel of vShield Manager user Interface

Preetam Zare

Contd …After vShield Manager and vCenter Are Connected

39

Preetam Zare

Configure Date/Time for vShield Manager

40

Preetam Zare

Generate Tech Support Bundle

41

Preetam Zare

42

System Resource Utilization Of vShield Manager

Preetam Zare

Backup vShield Manager Configuration



You can backup the configuration & transfer to remote backup server over FTP



For one time backup Scheduled Backups must be Off.

Schedule Backup 43 Backup Directory on FTP Server

Preetam Zare

Backup vShield Manager Configuration –Backup files

vShield Manager Backup Files on FTP Server Backup Directory on FTP Server 44

Preetam Zare

vShield Manager via Web Browser Vs. vSphere Client Plug-in



You can manage vShield Appliance from the vShield Manager user interface, and also you can manage vShield Appliance from the vSphere Client.



It is your choice, whatever works best for you.



The functions that you cannot access from the vSphere Client such as

• Configuring the vShield Manager’s settings • Backing up the vShield Manager’s database • Configuring the vShield Manager’s users, and • The vShield Manager’s system events and audit logs.

• Configuration vShield App’s Spoof Guard, Fail Safe Mode and VM Exclusion list 45

Preetam Zare

46

DEMO/LAB vShield Manager

Preetam Zare

47

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

vShield App Architecture

vShield App vSphere ESXi Host vSphere vShield App 

Hypervisor-Level Firewall

• Inbound/outbound connection control enforced at the virtual NIC level • Dynamic protection as virtual machines migrate • Protection against ARP spoofing ESXi Host vShield Manager vSphere Client vCenter Server 48

Preetam Zare

Before vShield App is Deployed VSPHERE HOST

vSwitch/vDS Switch 49

Preetam Zare

After vShield App is Deployed VSPHERE HOST

vSwitch/vDS Switch

vShield Hypervisor module All VM traffic is Passed via LKM & Inspected by vShield FW

50

Preetam Zare

Deploying vShield App vShield App

vSphere 5.0

vCenter 5.0

ESXi 5.0

vShield App vShield Manager

vSphere 5.0

ESXi 5.0

51

Preetam Zare

Install vShield Component Licenses

52

Preetam Zare

vShield App Installation Requirements

 

You must meet the following requirements.



Deploy one vShield Manager system per vCenter Server



Deploy one vShield App instance per ESXi host.

You must be using vCenter Server version 5.0.

And, you must have the vShield Manager OVA file Hardware

Memory CPU Disk Space

Summary

1 GB (Automatically reserved) 2 vCPU 5 GB 53

Preetam Zare

Contd … vShield App Installation Requirements

 

vCenter Privileges:



Access to the vSphere Client.

Ability to add and power on virtual machines Ability to access the datastore holding the virtual machine’s files, and to copy files to this datastore.

Web browser

Internet Explorer Mozilla Firefox Safari

Version

6.x and later 1.x and later 1.x or 2.x 

Make sure that cookies are enabled in order to access the vShield Manager.

54

Preetam Zare

Steps to Install vShield App

55

Preetam Zare

Select Installation Parameters for vShield App Warning displayed This port group must be able to reach the port group that the vShield Manager is connected to.

56

Preetam Zare

vShield Installation In Progress

57

Preetam Zare

vShield App Hardware Configuration

58 vShield App is always Appended with the name of ESXi host

Preetam Zare

Verifying vShield App Installation

59

Preetam Zare

Verifying vShield App Installation –Memory reservation

60

Preetam Zare

Verifying vShield App Installation –Virtual Machine Protection

61 VM’s with protected Icon. This is only visible Via web interface

Preetam Zare

Verifying vShield App Installation –vShield App FW status

62

Preetam Zare

63

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

vShield App Packet flow VM sends the packet out as a part of the Telnet protocol, its intercepted by the virtual network adapter-level FW & is FWD to the vShield App on that host.

The virtual network adaptor-level firewall sends the packet to the VM VM sends the packet out as a part of the Telnet protocol, its intercepted by the virtual network adapter-level FW & is FWD to the vShield App on that host.

The virtual network adapter-level firewall sends the packet to vswitch port group PG-X.

The virtual network adaptor-level firewall intercepts the packet and forwards it to the vShield App appliance.

The vshield App appliance inspects the packet. If the security profile allows the packet to flow through, the packet is sent back to the virtual network adaptor-level firewall.

The vSwitch looks up the MAC address and accordingly sends the traffic out on the up-link port of Host 1.

The vswitch on Host 2 receives the packet. The vswitch looks up the MAC address and accordingly sends the traffic out to the virtual machine on Host .2

The external infrastructure that involves physical switches will carry this packet on VLAN 1000.

64

The external switch sends the packet to the Host 2 network adapter based on the MAC address table.

Preetam Zare

Flow Monitoring Introduction



Inter-virtual Machine Communications



All traffic on protected virtual machine is directed to virtual network adapter level firewall, this actually equips vShield APP FW to read the packets moving in and out of virtual machines.



Data displayed in

• Graphical • Tabular Format • Tabular format is further divided into allowed and block traffic as shown in next slide 65

Preetam Zare

Flow Monitoring –Tabular Format



Data displayed below can be used to learn the type of traffic flowing in and out of VM. Then we can use this data for creating or blocking the rule.

66

Preetam Zare

Flow Monitoring – View And Interpret Charts And Reports

67

Preetam Zare

Flow Monitoring – Traffic categorization based on Protocol/Application

68

Preetam Zare

Flow Monitoring – Key advantages



Analysis of Inter-VM traffic can be easily done



You can dynamically create rules right from flow monitoring console



This can be of great help for debugging network related problem as you can enable logging for every individual virtual machine as on needed basis.

69

Preetam Zare

70

DEMO/LAB

Installing vShield App & Flow monitoring

Preetam Zare

71

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

Introduction vShield App Firewall



vNIC

‐

level firewall



vShield App installs as a hypervisor module and firewall service virtual appliance



Places a firewall filter on every virtual NIC.



IP-based stateful firewall



No Network changes or IP changes

• vShield App can create and enforce logical (i.e. not just VLAN or physical subnet) application boundaries all the way down to layer 2 72

Preetam Zare

vShield App Firewall Rules : L2 and L3 rules



Firewall Protection Through Access Policy Enforcement



The App Firewall Tab Represents The vShield App Firewall Access Control List.



L2 Rules Monitor

• ICMP, IPv6, PPP, ARP traffic.



L3 Rules Monitors

• DHCP, FTP, SNMP HTPP. • L3 rules also monitors application specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP) 

You can configure Layer 3 and Layer 2 rules at the datacenter level only.



By default, all L3, and L2 traffic is allowed to pass.

73

Preetam Zare

Hierarchy of vShield App Firewall Rules



Enforced Top to Bottom



The first rule in the table that matches the traffic parameters is enforced.



System defined rules can’t be deleted or add, you can only change the action element i.e. to Allow (default) or Deny

74

Preetam Zare

75 In Layer 3 –High 4 Precedence rules are applied first In Layer 3 –System Defined rules are 6 applied last In Layer 2 –High 1 Precedence rules are applied first In Layer 2 –System Defined rules are 3 applied last All Layer 3 Rules Are 2 Applied Second All Layer 2 Rules 1 Are Applied First In Layer 3 –Low Precedence rules 5 are applied Second In Layer 2 –Low Precedence rules 2 are applied Second

Preetam Zare

Container-Level and Custom Priority Precedence

76

Preetam Zare

How to define Firewall Policy Rule



Firewall policies contains 5 pieces of information

77

Preetam Zare

vSphere Groupings



vSphere groupings can also be based on network objects, specifically port groups and VLANs

78

Preetam Zare

Firewall Rules Example 1: Using vSphere Groupings



When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

79

Preetam Zare

Firewall Rules Example 2: Using vSphere Grouping

80

Preetam Zare

How To Create A Firewall Rule –Step 1

81

Preetam Zare

How To Create A Firewall Rule –Step 2

Enter source Enter Destination and other details 82

Preetam Zare

How To Create A Firewall Rule –Step 2 Contd Server inside "WinXP01 Server18" group Server outside "Fort" datacenter

83 Server Inside "WinXP01-Server18" group cannot access system outside Fort datacenter on RARP protocol, this traffic is logged.

Preetam Zare

How To Create A Firewall Rule –Step 3 Publishing Rule

84

Preetam Zare

Create rule using MAC Set and IP Set



You can also define rules based on MAC and IP Set.



Where do we use this type of rules?

• When you want to configure a rule based on virtual machine identity i.e. MAC Set, IP Set and Port Group. • In this case even if Virtual machine follows any part of resource pool, rule will always apply. • Same is not true when you define rules based on resource pool, vApp or cluster. The moment VM is moved from the resource pool to another resource pool, rule no longer applies.

85

Preetam Zare

Creating MAC Set

86 Scope field is automatically selected 1. Enter Name of the group 2. Optionally enter description 3. Enter MAC Addresses as shown in below screen. 4. Press Ok

Preetam Zare

Creating IP Set

87

Scope

field is automatically selected 1. Enter

Name

of the group 2. Optionally enter description 3. Enter

IP Addresses

as shown in below screen. 4. Press

Ok

Preetam Zare

After MAC Set is created



Below screen shows when the group configuration is complete. You use Edit and Delete button to change the IP/MAC set

88

Preetam Zare

vSphere Grouping -Example

WinXP01 RuleSet

192.168.1.105

192.168.1.125

89 Medical Records Resource Pools

Preetam Zare

Creating rule based on IP/Mac Set



Select datacenter, on right hand side select Layer 3 rule (IP set) or layer 2 rule (MAC set) here.



Select add rule and enter the details as shown next slide

90

Preetam Zare

91

Anything inside Medical Records cannot access IP's defined inside rule "WinXP01-Server18-IP i.e.

192.168.1.105, 192.168.1.125

If you select outside, then medical records can access only IP's defined inside rule "WinXP01-Server18-IP

Preetam Zare

Creating Security Group –Step 1

92

Preetam Zare

Creating Security Group –Step 2

NIC level grouping is possible 93

Preetam Zare

Creating Rule based on Security Group



Press Ok



Publish the rule

94

Preetam Zare

Rule based vSphere Security Group –Port Group



Logical Rule translates into physical world explained below



Even if the VM’s are same Datacenter, Cluster, ESXi, Resource Pool or vApp they cannot communicate

95

Preetam Zare

96

Advantages of Security Groups



vShield App allows you to create custom containers known as security groups.



You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then, you can use the security group in the source or destination field of an App Firewall rule.



The key benefit of security groups is the ease of creating different trust zones. Whether through the use of vSphere objects or through the use of manually configured security groups, the key benefit is ease of protection and quality of protection through the use of logical zoning as opposed to carving up a network to provide network isolation.

Preetam Zare

Best Practices: Firewall Rules



Create Firewall Rules That Meet Your Business & Security Needs



Identify source and destination. Take full advantage of vSphere Grouping



Use vSphere Security group only when you create rule based on vSphere Grouping



By default vShield FW allows incoming and outgoing traffic, As a best practice you may want to deny all traffic

97

Preetam Zare

Building Firewall Rules Option A: More Restrictive

• vShield installs with default “allow” rule • Build rules based on Application/Vendor’s port guide • Monitor, document, validate traffic flows via vShield Flows • Adjust rules as necessary • Change default rule to “deny”

Option B: Less Restrictive

• vShield installs with default “allow” rule • Build rules between communicating VMs • Allows all traffic between selected VMs • Monitor, document, validate traffic flows via vShield Flows • Adjust rules as necessary • Change default rule to “deny” 98

Preetam Zare

Logging and auditing



vShield App has its own logging mechanism.



Logging can be great help in troubleshooting app appliance.



Auditing of traffic which was either allowed or blocked can be configured per rule set. You’ve to enable logging for every rule you configure.



Logs are captured and retained for one year. Logs more than one year are overwritten. Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore, it is a good idea to be selective of the rules that you want to log.

99

Preetam Zare

vShield Manager event logging –Audit Logs



All the actions performed by all vshield users is captured in events and available for audit.



Logging is done for operations related to system. E.g. appliance is down/rebooted or unreachable. If the app appliance is unreachable it will be unreachable to vshield manager.

100

Preetam Zare

vShield Manager event logging –Audit Logs



Events are further categorized as informational or critical as shown below

101

Preetam Zare

All vShield App configuration parameters are available only when you select host on left hand side

102

Preetam Zare

Configuring Syslog Server for vShield App Contd … Three log levels are available 1.

Alert 2.

3.

Emergency Critical

If you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.

103

Preetam Zare

Interpreting Logs Of Traffic Rule –Example 1



proto= protocol



vesxi27=host at which alerts are observed



L2=Layer2 protocol



DROP=traffic is dropped

104

Preetam Zare

Interpreting Logs Of Traffic Rule –Example 2



proto= ICMP protocol



vesxi27=host at which alerts are observed



L3=Layer3 protocol



DROP=traffic is dropped

105

Preetam Zare

Reverting to previous vShield App Firewall configuration



Automatic mechanism to create backup of firewall rules configuration



vShield Manager takes snapshots each time new rule is committed



Previous configuration can be easily reverted via drop down menu

106

Preetam Zare

107

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

Role-Based Access Control New in vShield Manager 5.0

Role Privilege Summary Super user (admin)

vShield operations and security: Everything related to vShield product

vShield admin

vShield operations only: installation, configuration of virtual appliances, ESX host modules, etc.

Security admin Auditor

vShield security only: Policy definition, reports for edge, app, endpoint, data security Read-only access to vShield operations and security settings

108 Confidential

Preetam Zare

RBAC: Scope To vSphere Administrators

109

Role-based access control (RBAC) enables clear separation of workflow for virtual infrastructure and security administrators. RBAC provides flexibility in delegating administration across resource pools and security groups, improving security of applications and data. To vSphere Administrators

Preetam Zare

110

LAB/DEMO



Firewall Lab



Reverting To Previous Vshield App Firewall Configuration



User Creations And Configurations

Preetam Zare

111

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

Spoof Guard



Why to use spoof guard?

• To reduce man in the middle attack which is referred as IP & MAC Spoofing 

How does it work?

• VM’s IP addresses are collected during synchronization cycle that happens between vshield and vCenter via vSphere API. • If the IP address is modified in the VM and it doesn’t matches with the Spoof Guard collected data, VM is isolated and not allowed to communicate outside.

• It works in datacenter context and it disabled by default 112

Preetam Zare

Enable Spoof Guard



Click Edit to enable it. Select Enable first and then select the option as per your requirement.

113

Preetam Zare

Spoof Guard – IP Address Monitoring and Management



IP Address is collected can be monitored and manage automatically or manually

1.

Automatically Trust IP Assignments On Their First Use IP is gathered when first time VM is powered ON. This data is read via VMware tools. Once the list is populated it is push down to vShield app virtual appliance, which then inspects every packet originating out of a network adapter for the prescribed IP. If these do not match, the packet is simply dropped. - This operates separately from app firewall rules.

2.

Manually Inspect and Approve All IP Assignments Before Use - In this mode all traffic is block until you approve MAC-to-IP address assignment.

NB:

SpoofGuard inherently trusts the MAC addresses of virtual machines from the VMX files and vSphere SDK. 114

Preetam Zare

Spoof Guard : View and Approve IP Lists the IP addresses where the current IP address does not match the published IP address.

IP address changes that require approval before traffic can flow to or from these VM List of all validated IP addresses

115

Preetam Zare

Contd … Spoof Guard –View and Approve IP

116

Preetam Zare

117

Agenda

•

Introduction to vShield Suite

•

vShield Manager Installation, Configuration and Administration

•

Planning and Installation of vShield App

•

vShield App Flow Monitoring

•

vShield App Firewall Management

•

vShield App Spoof Guard

•

Role Based Access Control (RBAC) Model of vShield

•

Deployment & Availability consideration of vShield App

Preetam Zare

vShield Manager Deployment Consideration



Do not host vShield manager on the same cluster which it is responsible to manage. If vShield Manager is deployed within the infrastructure dependencies*.

it is protecting you will suffer circular

E.g. An inadvertent configuration error could result in a unmanageable environment if the vShield Manager appliance were to loose connectivity or were prevented from communicating with other components due to a misconfigured security policy



You cannot use VMware FT to protect vShield manager if vShield app is deployed. This only applies if vShield app is deployed from the vShield manager in question



A vShield manager instance must be deployed for each vCenter in use

118

* Starting vShield 5.0.1 you can exclude vShield manager from the host.

Preetam Zare

119 Enter inside VMX file

Preetam Zare

vShield Manager Placement Consideration –

Option 1



Shared Management Cluster Model isolates the management from being impacted by Production Cluster hardware failure issues.

• • • • • • •

vCenter Server/Appliance vCenter Database vShield Manager vCenter Update Manager Active Directory DNS Syslog Server Management Cluster AD/DNS /DHCP VCDB/V UMDB vCenter 5.0

vSphere 5.0

vShield Manager Edge App FW Production Cluster Edge App FW

vSphere 5.0

120

Preetam Zare

vShield Manager Deployment Consideration – Option 2



Cross-Managed Cluster Model will provide isolation similar to management cluster Edge App FW Production Cluster A Edge App FW vShield Manager vCenter 5.0

vSphere 5.0

121

vShield Manager vCenter 5.0

Production Cluster B Edge App FW Edge App FW

vSphere 5.0

Preetam Zare

vShield Manager Deployment Consideration – Option 3



Single cluster model with vShield Manager exclusion* Edge App FW

Disables vApp Protecting using Exclusion list

vShield Manager vCenter 5.0

Production Cluster Edge App FW

vSphere 5.0

122

Preetam Zare

VM Exclusion introduced in vShield 5.0.1



With 5.0.1, there is now a option to exclude VM. This has the effect of disabling all vShield App protection for the excluded VM including Spoof Guard



This exclusion list is applied across all vShield App installations within the specified vShield Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection.



The vShield Manager and service virtual machines are automatically excluded from vShield App protection.

Caveat: A caveat is that the MAC/IP pairs for excluded VM will still show up in the Spoof guard tab of the UI, even though the functionality is disabled.

123

Preetam Zare

How to Exclude VM from vShield App

124

Preetam Zare

125 After FailSafe is enabled, VM’s are powered ON are fast suspended and resumed, while Powered OFF VM’s are just reconfigured

Preetam Zare

126 VMX entry for Web01 before FailSafe is enabled VMX entry for Web01 After FailSafe is enabled

Preetam Zare

vShield App Deployment Consideration



vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to.



Renaming vShield App security virtual machine is not supported. Doing so it will render it unmanageable as vShield Manager uses the name it assigned at the point of provisioning to manage the vShield App security virtual machine



Use vShield app security groups to tier servers of same functions (DC, Webserver, DB Server etc.). This will simplify firewall configuration and rules

127

Preetam Zare

128

Availability Consideration

vShield App

Preetam Zare

Availability Considerations: vShield Manager



What If vShield Manager appliance is unavailable

• First and foremost zero impact • All existing rules of vShield App are enforced • Logs are sent to syslog server • Only impact is, New rules or changes to existing rules cannot be made • In addition, the flow-monitoring data might be lost, depending on the duration of the failure.

• vShield Manager backup can be used to restore via backup 

What If host which is hosting vShield Manager appliance is unavailable

 vShield manager is HA and DRS aware and can take full advantage of it. In this case vShield Manager will automatically restart to another host 129

Preetam Zare

Availability Considerations: vShield App



What If vShield App appliance is unavailable

• All traffic to and from the protected virtual machines hosted on the host on which vShield App was running is blocked * • At process level, built-in watch dog restarts the failed processes • VMware HA virtual machine monitoring will detect (via VMware tools and network packets) and restart fail vshield app. • vCenter Alarm is triggered if VM migrates onto a host where vShield Appliance is not installed 

What If host which is hosting vShield App appliance is unavailable

 DRS is disabled for vShield App  Except for vshield App VM, protected VM’s are restarted on another host and they get automatically protected assuming the host is installed with vShield App * From vShield 5.0.1 , you have option to disable this behavior, though strongly not recommended 130

Preetam Zare

vShield App: DRS and HA Settings



The HA restart priority for the vShield App appliance is set to high. This is to ensure it is the first to restart during failure over event. It makes sure that its running before the VMs its protecting .



vShield vApp should never be moved to another host. Therefore during installation DRS is automatically disabled for vShield vApp



If the host is put in maintenance mode, vShield App automatically shuts down and automatically restarts when host exits maintenance mode.



You cannot use FT to protect vShield Manger when vShield App is deployed, vShield Manager used linked clones and snapshots as part of the deployment process for the vShield Firewall Service Appliance virtual machines.

131

Preetam Zare

Verifying vShield App Installation – HA Restart Priority

132

Preetam Zare

Verifying vShield App Installation –DRS is Disabled

133

Preetam Zare

vShield App Industry Best Practices



vShield App provides security protection for virtual machines



Firewall rule groups will need to be translated from the old firewall into vShield Manager



Set up roles and responsibilities within vShield Manager that only allow the minimum of permissions to perform required functions by administrators.

• E.g. Give vSphere Administrator ability to install vShield Suite via vShield Admin role and ability view rule via Auditor Role 

Ensure audit logs are reviewed regularly

134

Preetam Zare

Contd .. vShield App Industry Best Practices



Define a thorough test plan



Penetration testing and external auditing



Consider creating an application group that contains the ports

• For example you might create an application group called WEB containing both TCP 80 and 443.



Ensure that vShield Edge and vShield App appliances send all their logs to a centralized Syslog server or infrastructure.



Consider mirroring the logs to an alternate site

135

Preetam Zare

Contd … vShield App Industry Best Practices



Use the vShield REST API’s to back up the firewall rule base .



Use the REST API’s to turn off rule logging when troubleshooting and implementation processes are complete unless there is a reason to leave it enabled.



If you are replicating the infrastructure to a DR site ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to ensure the rule base is up to date.



Updates and changes to the DR site can be automated using the vShield REST API’s, which can also be integrated with VMware vCenter Site Recovery Manager.



vShield App and Host Profiles

136

Preetam Zare

137

Agenda –vShield Edge

• Planning and Installation of vShield Edge • vShield Edge Services • • • • • • DHCP NAT Firewall VPN Load Balancing Static Routing • Scenarios • Deployment and Availability Considerations

Preetam Zare

Introduction



Protects the edge of infrastructure



Common Gateway Services

• DHCP • VPN • NAT • Static Routing • Load Balancing 

Common Deployment Models

• DMZ • VPN Extranets • Multi-Tenant Cloud Environment 138

Preetam Zare

Logical View of vShield Edge

139

Network Isolation happens at Port group Level

Preetam Zare

Port group Isolation based on VLAN



With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration.



Isolation of virtual machines is provided exclusively by VLANs in Layer 2. When to use When To Use VLAN Isolation

  Network infrastructure build around VLANs Physical machines protected network need to participate in

Virtual Switch Support

   vSS vDS Cisco nexus 1000v 140

Preetam Zare

Access Aggregation layer VLAN-126 VLAN-135 VLAN-108

141

PG-CORP1 (VLAN-126) Internet FacingVLAN-108

VMware vSphere

PG-CORP2 (VLAN-135)

Preetam Zare

vCloud Director Network Isolation



VM Identity is used to isolate a group of VMs from other VMs



All VM’s on Single Layer-2 domain but are isolated by assigning them to different port groups



Traffic between VMs in the same port group is allowed, but traffic between VMs across different port groups is not allowed by a virtual switch



This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), but not on a standard switch (vSS) or Cisco Nexus 1000V

142

Preetam Zare

vCDNI -Communication Between Tenants Across The Host The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.

143

Preetam Zare

vCDNI -Communication Between Tenants Within The Host



VMs traffic is isolated from each other because they are on different secured, port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.

144

Preetam Zare

vCDNI –VM’s Communication of same Tenant



VM’s Freely need to communicate without need to go through vShield Edge VM and Provider VLAN

145

Preetam Zare

Advantages of vCloud Director Network Isolation (vCDNI)



Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale.



Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs.



Finally, a key advantage that cloud network isolation has over VLAN isolation is that cloud network isolation does not need any complex configuration at the Aggregation layer.

146

Preetam Zare

Protecting Extranet: VPN Services

147

Preetam Zare

vShield Edge: DHCP Services

148

Preetam Zare

vShield Edge: NAT Services

149

Preetam Zare

vShield Edge Services: Load Balancer Services

150

Preetam Zare

vShield Edge Services: Firewall Services

151

Preetam Zare

vShield Edge Firewall Rules and Direction EXTERNAL INTERFACE Incoming

Traffic on both the Interfaces is blocked by default

EXTERNAL INTERFACE: INCOMING EXTERNAL INTERFACE: OUTGOING

vShield Edge

INTERNAL INTERFACE: INCOMING INTERNAL INTERFACE: OUTGOING Outgoing

Traffic on both the Interfaces is allowed by default

INTERNAL INTERFACE

152

Preetam Zare

vShield Edge Firewall Rules and Direction -Example

External Interface Internal Interface

172.16.2.0/24 Subnet PRIVATE PORT GROUP 172.16.1.0/24 Subnet

153

Preetam Zare

VSHIELD EDGE SERVICES – STATIC ROUTING



Most networks have a single router called the default gateway . If a network has a default gateway, the nodes on the network can send traffic to the gateway and the gateway will then forward the traffic to the destination.



All machines in a network have a routing table. A Routing table is a list of destination networks and the router that carries traffic to that destination.



Manually adding routes to a routing table is called static routing.



Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for. The nodes store this information in their routing table.



In a network, you can create a static routing either internal network or external network.

154

Preetam Zare

Static Routing between two vApp APPLICATION 1 172.16.1.10

PG- APP-1 Internal Interface 172.16.1.1

APPLICATION 2 172.16.2.10

PG- APP-2 Internal Interface 172.16.2.1

155

192.168.1.232

External Interface PG- PUBLIC 192.168.1.233

External Interface

Preetam Zare

Installing vShield Edge for Application 1 Installing vShield Edge Application for APP1

156

Preetam Zare

vShield Edge Installed for for Application 1 and Application 2

157

Preetam Zare

Configure Static Route for APP1 Network It is the network APP1 want to reach It is the gateway of Destination network

158

Preetam Zare

Configure Static Route for APP2 Network It is the network APP2 want to reach It is the gateway of Destination network

159

Preetam Zare

Static Route Set Up for APP1 & APP2 Network APPLICATION 1 172.16.1.10

PG- APP-1 Internal Interface 172.16.1.1

APPLICATION 2 172.16.2.10

PG- APP-2 Internal Interface 172.16.2.1

160

192.168.1.232

External Interface PG- PUBLIC 192.168.1.233

External Interface

Preetam Zare

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other APPLICATION 1 APPLICATION 2 172.16.1.10

PG- APP-1 172.16.2.10

PG- APP-2 Internal Interface 172.16.1.1

Internal Interface 172.16.2.1

192.168.1.232

External Interface PG- PUBLIC Outgoing

Traffic allowed by default 161

192.168.1.233

External Interface

Preetam Zare

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other APPLICATION 1 APPLICATION 2 172.16.1.10

PG- APP-1 172.16.2.10

PG- APP-2 Internal Interface 172.16.1.1

Internal Interface 172.16.2.1

162

192.168.1.232

External Interface PG- PUBLIC 192.168.1.233

External Interface

Preetam Zare

Rules defined at APP-1 FW

163

Rules defined at APP-2 FW

Preetam Zare

164

Ping and Tracert request from APP1 VM

Preetam Zare

165

Ping and Tracert request from APP2 VM

Preetam Zare

How To Configure NAT Services SCENARIO



Customer wish to access Web Server Web01 which sits inside the DMZ network of CORP A



Web Server Web01 sits in 10.1.1.x/24 network and has been assigned IP by vShield Edge DHCP Services as 10.1.1.10



Customer’s wants to access Web Server Web01. Customer network is 192.168.1.x/24



We can configure NAT

166

Preetam Zare

vShield Edge Configured to Meet Customer Scenario

Private Switch INTERNAL

1. DCHP Service 2. NAT Service 3. FW Rules

vSwitch Connected to External

Web02 10.1.1.11

Web01 10.1.1.10

Internal Interface:

10.1.1.1

vShield Edge External Interface:

192.168.1.135

Network External 192.168.1.x

167

Preetam Zare

Configure DHCP

168

Preetam Zare

169

Use SNAT when Internal IP needs to be translated into External IP. Use DNAT when External IP needs to be translated into Internal IP.

Preetam Zare

Open Firewall Ports to allow NAT Traffic

170

Preetam Zare

171 Private Switch INTERNAL

1. DCHP Service 2. NAT Service 3. FW Rules

vSwitch Connected to External

Web02 10.1.1.11

Web01 10.1.1.10

Internal Interface:

10.1.1.1

vShield Edge External Interface:

192.168.1.135

Network External 192.168.1.x

Preetam Zare

vShield Edge Deployment Considerations



Only HTTP(80) round-robin load balancing is currently supported



Each vShield Edge instance supports up to a maximum of 10 site to-site VPN sessions



VMware strongly recommends you protect vShield Edge appliances using HA and DRS features. In the event of a cluster host going offline while running vShield Edge appliance, the appliance is restarted on another host in the cluster

172

Preetam Zare

Traditional Layer2 Segmentation PG 1

VLAN 11

PG 2

VLAN 12

vSwitch/vDS

PG 3 VLAN 13

Physical Switch

173

Preetam Zare

Cloud Network Isolation (CNI) Segmentation PG 1 VLAN 1 PG 2

VLAN 1

vDS

PG 3 VLAN 1 VMs on one PG cannot talk to VMs on another PG at Layer 2. Even if they share same VLAN 174

Physical Switch

Preetam Zare

Method 1 –Using VLAN per organization ORG C : LAN 72 HOST 1 ORG C : LAN 72 HOST 2 ORG B : LAN 81 ORG A : LAN 72 ORG B : LAN 81 ORG A : LAN 72

175

Internet Facing

Preetam Zare

Method 2 –Using Mixed Trust Model ORG C : LAN 63 Multi Tenant ORG A : LAN 72 ORG B : LAN 81 ORG Z : LAN 54 Single Tenant

176

Internet Facing

Preetam Zare

Method 3 –Single VLAN Multi Tenant

177

ORG Z : LAN 54 Internet Facing ORG Z : LAN 54 Tenant-1

CNI Single VLAN Segmentation via App

Tenant-2 Internet Facing

Preetam Zare

Performance Statistics

178

Preetam Zare

Difference between vShield Edge and vShield app vShield Edge Deployed per port group vShield App Deployed per host Enforcement between virtual datacenter and untrusted networks Enforcement between VMs Change - aware Stateful, application level firewall Five-tuple rule based policies Site to Site VPN (IPSEC), DHCP, NAT, Firewall, Load Balancing, Cloud Network Isolation Hypervisor-based firewall, flow monitoring, security groups

179

Preetam Zare

Can firewall rules be backed up and restored? How?



There are multiple methods to backup firewall rules. The recommended methods are:

• via vShield Manager user interface • via REST APIs, which can be scripted/automated 

You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. VI administrators can use REST APIs (accessible via web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.

180

Preetam Zare

REST API -BASICS



The vShield REST API uses HTTP Requests



HTTP Requests are often executed by a script or higher level language



vShield REST API Workflows

• Make an HTTP Request (Typically GET,PUT,POST or DELETE) against vShield Manager URL • Response could be XML or HTTP Response code • XML Response is generally a link or other information about the state of object • HTTP Response code indicates whether the request is succeeded or failed.



vShield Manager requires TCP port 80/443 to be opened for the vShield REST API request to pass through

181

Preetam Zare

Executing REST API using REST Client

182

Preetam Zare

183

Preetam Zare

184

Preetam Zare

185

Preetam Zare

Working with IP Sets using vShield REST API

186

Preetam Zare

Reading IP Sets https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-2 https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-81

187

Preetam Zare

188

Preetam Zare

XML Format to Create IP Set

POST https:///api/2.0/services/ipset/datacenter-2

189

New Description TestIPSet2 0

Automatically created

10.112.201.8-10.112.201.14

Preetam Zare

Create IP Set

190

Preetam Zare

191

Preetam Zare