vShield App and vShield Edge

vShield App and vShield Edge
Planning, Installation and Designing based on 5.0.1 From Preetam Zare

Agenda –vShield App Introduction to vShield Suite
vShield Manager Installation, Configuration and Administration Planning and Installation of vShield App vShield App Flow Monitoring vShield App Firewall Management vShield App Spoof Guard Role Based Access Control (RBAC) Model of vShield Deployment & Availability consideration

Agenda –vShield Edge Planning and Installation of vShield Edge
vShield Edge Services DHCP NAT Firewall VPN Load Balancing Static Routing Scenarios Deployment and Availability Considerations

Data Center needs to be secured at different levels
Perimeter Security Cost & Complexity At the vDC Edge Sprawl: hardware, FW rules, VLANs Rigid FW rules Performance bottlenecks Prevent unwanted access Firewall, VPN Load balancers Internal Security Segment your services VLAN or subnet based policies Interior or Web application Firewalls VLAN 1 VLANs The general, well-accepted approach to securing IT is to employ a layered approach, often referred to as “defense-in-depth”. Physical datacenters have been traditionally protected using a combination of hardware appliances external to the systems, along with agents that run inside a system’s OS. End Point Security Protect your data Anti-virus Data Leak Protection

Why Security in Virtualized Datacenter?
Network security devices become chokepoints Capacity is never right-sized No intra-host virtual machine visibility Audit trails are lacking Physical topologies are too rigid Current Security is static

Traditional vSphere Infrastructure Setup Without Vshield
INTERNET vSphere 5.0 VPN Gateway Switch Load Balancer Firewall L2-L3 Switch vSphere 5.0 VPN Gateway Switch Load Balancer Firewall L2-L3 Switch vSphere 5.0 VPN Gateway Switch Load Balancer Firewall L2-L3 Switch Company A Company B Company C

vSphere Infrastructure Setup Without Vshield
INTERNET VPN Gateway Switch Load Balancer Firewall L2-L3 Switch VPN Gateway VPN Gateway Switch Load Balancer Firewall L2-L3 Switch L2-L3 Switch Firewall Load Balancer Switch vSphere 5.0 vSphere 5.0 vSphere 5.0 vSphere 5.0 vSphere 5.0 vSphere 5.0 Company A Company B Company C vSphere 5.0

vShield Product Family
Securing the Private Cloud End to End: from the Edge to the Endpoint Security Zone vShield App - Create segmentation between workloads - Sensitive data discovery Edge vShield Edge Secure the edge of the virtual datacenter Endpoint = VM vShield Endpoint Anti-virus processing DMZ Application 1 Application 2 Endpoint = VM vShield Manager Centralized Management For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, discover sensitive data residing in virtual machines, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately since all the underlying compute resources are already present in the vSphere environment. These same solutions in the traditional security model would have taken months to authorize and provision in the physical data center. VMware vSphere VMware vSphere

What Is vShield Edge? vShield Edge secures the perimeter, “edge”, around a virtual datacenter. Common vShield Edge deployments include: Protecting the Extranet Protecting multi-tenant cloud environments vShield Edge vShield Edge vShield Edge Tenant A Tenant C Tenant X Secure Virtual Appliance Secure Virtual Appliance Secure Virtual Appliance VPN Load balancer Firewall VMware vSphere vShield Edge provides network-edge security and gateway services to isolate the virtual machines in a port group. Common deployments of vShield Edge include protecting access to a company’s Extranet. vShield Edge can also be used in a multi-tenant cloud environment where the vShield Edge provides perimeter security for each tenant’s virtual datacenters (or VDC). 9

vShield Edge Capabilities
Edge functionality Stateful inspection firewall Network Address Translation (NAT) Dynamic Host Configuration Protocol (DHCP) Site to site VPN (IPSec) Web Load Balancer (NEW) Static Routing (NEW) Certificate mode support for IPSEC VPN Management features REST APIs for scripting Logging of functions vShield Edge vShield Edge vShield Edge Tenant A Tenant C Tenant X Secure Virtual Appliance Secure Virtual Appliance Secure Virtual Appliance VPN Load balancer Firewall VMware vSphere vShield Edge secures the edge of a virtual datacenter with firewalling, VPN, NAT, DHCP, and Web load-balancing capabilities that enable rapid, secure scaling of cloud infrastructures. Along with network isolation, these edge services create logical security perimeters around virtual datacenters and enable secure multi-tenancy. New features in vShield Edge include the ability to set up static routing, instead of requiring NAT for connections to the outside, as well as certificate-based VPN. 10

Securing the Data Center Interior with vShield App
Key Benefits Complete visibility and control to the Inter VM traffic enabling multi trust zones on same ESX cluster. Intuitive business language policy leveraging vCenter inventory. vShield App helps you overcome the challenges of securing the interior of your virtual datacenter. vShield App is software-based, it is deployed as a virtual appliance. As a result, vShield App is better than physically securing the virtual datacenter because it is a lot less expensive than buying a number of physical firewalls and segmenting them into different security zones. Also, with vShield App, you can create virtual firewalls with unlimited port density. vShield App provides complete visibility and control of inter-virtual machine traffic in logical security zones that you create. vShield App provides hypervisor-level introspection into the inter-VM traffic. vShield App enables multiple trust zones in the same ESX/ESXi cluster. vShield App also allows you to create intuitive, business language policies, using the vCenter Server inventory for convenience.

vShield Endpoint Offload Anti-virus Processing for Endpoints
Benefits Improve performance by offloading anti-virus functions in tandem with AV partners Improve VM performance by eliminating anti-virus storms Reduce risk by eliminating agents susceptible to attacks Satisfy audit requirements with detailed logging of AV tasks vShield Endpoint has not changed in vShield 5.0, but we expect more partners to provide solutions. (NOTE: check with product team for latest info)

Cloud Infrastructure Security- Defense in Depth
First Level of Defense- vShield Edge Threat mitigation and blocks unauthorized external traffic Suite of edge services To secure the edge of the vDC Coke Pepsi Zoning within the ORG- vShield App Policy applied to VM zones Dynamic, scale-out operation VM context based controls Compliance Check vShield App with data security Discover PCI, PHI, PII sensitive data for virtual environment Compliance posture check * * AV agent offload- vShield Endpoint Attain higher efficiency Supports multiple AV solutions Always ON AV scanning

Agenda vShield Manager Installation, Configuration and Administration
Introduction to vShield Suite vShield Manager Installation, Configuration and Administration Planning and Installation of vShield App vShield App Flow Monitoring vShield App Firewall Management Use Cases of vShield App Design consideration of vShield App

vShield Manager Introduction
vShield manager console acts a central point to install, configure and maintain vShield components e.g. vShield Edge, vShield App and vShield Endpoint Vshield manager is pre-packaged as OVA appliance. vShield manager OVA file includes software to install vShield Edge, vShield App and vShield Endpoint. vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules. vShield Manager leverages the VMware infrastructure SDK to display a copy of the vSphere client inventory. vShield manager is pre-requisite

vShield Manager –Central Management Console
You can connect to vshield manager directly via web interface or via vcenter plug-in Client Central point of management. For RBAC model, stores flow data and manages Rule base Automatic deployment of vShield app appliance via vshield manager vCenter VSPHERE VSPHERE VSPHERE Management Network

Vshield Manager Communication Paths
SSH Client Vshield web console REST API --> TCP 80/443 SSH Access to CLI TCP 22 Default Enabled SSH Access to CLI TCP 22 Default disabled vShield Manager TCP 22 UDP 123 Access to ESXi host TCP 902/903 vShield App Appliance TCP 443 vSphere Client VSPHERE TCP 443 vCenter Management Network

vShield Manager Requirements
Virtual Hardware Summary Memory 3 GB CPU 1 Disk 8 GB Software vShield OVA File Web Browser IE6.x and Later, Mozilla Firewall 1.x and Later, Safari 1.x and 2.x For latest interoperability information check here

Latest interoperability

Permission Permission to Add and Power on Virtual Machines
Access to datastores where vShield Suite will be deployed DNS reverse look up entry is working for all ESXi host

vShield Manager Installation
Multi-Step installation Process Obtain the vShield Manager OVA File Install vShield Manager Virtual Appliance Configure the Network Settings of the vShield Manager Logon to the vShield Manager Interface Synchronize the vShield Manager with the vCenter Server Register vShield Manager Plug-in with vSphere Client Change the default admin password of the vShield Manager

Steps to Install vShield Manager
Open vSphere client, click File menu selects Deploy OVF Template as shown below

Browse to locate OVA file
New windows will open, We will need to provide OVF file, in our case it is OVA file. Select browse and locate the OVA file you’ve downloaded from VMware’s site

After selecting the OVA file, press Next
After selecting the OVA file, press Next. OVA file’s meta will be read and you will see screen below

Enter name for vShield manager virtual machine and select location as mentioned below

Select Datastore Strongly recommended to
select shared Datastore so that vMotion, DRS and HA functionality can be used during planned & unplanned downtime.

Select disk format

Review the settings and close OVF templates

Virtual Machine Properties

Warning :Don’t upgrade VMware tools on vShield Manager Appliances
Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

Configure the Network Settings of the vShield Manager
Initial Network Configuration i.e. IP, DG and DNS must be done via CLI Right Click vShield Manager Appliance & Select Open Console

Contd… Configure the Network Settings of the vShield Manager

Enter IP, Default Gateway and DNS Details
To enter Enabled type ‘enable’ To start wizard type ‘setup’ Enter IP Details Finally Press ‘y’ to confirm settings

Contd … Enter IP, Default Gateway and DNS Details

Getting Familiar With Vshield Manager Interface

Open a Web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session Log in to the vShield Manager user interface by using the username admin and the password default.

Synchronizing the vShield Manager with the vCenter
Enter vCenter Details and Press Save Follow Domain\Username format if the user is domain user Don’t select this Register vCenter extension to access vshield manager within vCenter

After vShield Manager and vCenter Are Connected
On the right hand of the screen we see confirmation that vSphere Inventory was successfully updated After synch is completed, vCenter data is populated as seen below screen. vShield Manager doesn’t Appear as resource in the Inventory Panel of vShield Manager user Interface

Contd …After vShield Manager and vCenter Are Connected

Configure Date/Time for vShield Manager

Generate Tech Support Bundle

System Resource Utilization Of vShield Manager

Backup vShield Manager Configuration
You can backup the configuration & transfer to remote backup server over FTP For one time backup Scheduled Backups must be Off. Schedule Backup Backup Directory on FTP Server

Backup vShield Manager Configuration –Backup files
on FTP Server Backup Directory on FTP Server

vShield Manager via Web Browser Vs. vSphere Client Plug-in
You can manage vShield Appliance from the vShield Manager user interface, and also you can manage vShield Appliance from the vSphere Client. It is your choice, whatever works best for you. The functions that you cannot access from the vSphere Client such as Configuring the vShield Manager’s settings Backing up the vShield Manager’s database Configuring the vShield Manager’s users, and The vShield Manager’s system events and audit logs. Configuration vShield App’s Spoof Guard, Fail Safe Mode and VM Exclusion list

DEMO/LAB vShield Manager

Agenda Introduction to vShield Suite
vShield Manager Installation, Configuration and Administration Planning and Installation of vShield App vShield App Flow Monitoring vShield App Firewall Management vShield App Spoof Guard Role Based Access Control (RBAC) Model of vShield Deployment & Availability consideration of vShield App

vShield App Architecture
Hypervisor-Level Firewall Inbound/outbound connection control enforced at the virtual NIC level Dynamic protection as virtual machines migrate Protection against ARP spoofing vShield App vShield App vSphere vSphere vShield Manager ESXi Host ESXi Host vShield App is a hypervisor-level firewall. You can control inbound and outbound communication between virtual NICs, whether they are on the same virtual machine or on different virtual machines. Note that a virtual machine can be multi-homed, which means it can have multiple vNICs. Therefore, each vNIC can have its own security policy to prevent certain types of traffic from passing. vShield App is independent of network topology. Firewall capabilities are built in to vShield App and security policies follow the virtual machine if it migrates to a different host in the cluster. vSphere Client vCenter Server

Before vShield App is Deployed
VSPHERE HOST vSwitch/vDS Switch

After vShield App is Deployed
VSPHERE HOST vSwitch/vDS Switch vShield Hypervisor module All VM traffic is Passed via LKM & Inspected by vShield FW

Deploying vShield App vSphere 5.0 vSphere 5.0 vShield App vShield App
Manager vSphere 5.0 vSphere 5.0 vCenter 5.0 ESXi 5.0 The next task is to install vShield App on each ESXi host that you want to protect in your vSphere environment. vShield App uses vShield Manager5.0. The steps that we will take to install a vShield App instance on an ESXi host are to add a management port group for the vShield instances to use, install vShield App on each host, and verify that the functions specific to vShield App, such as flow monitoring and security groups, are enabled. ESXi 5.0 Browser Based Session vClient Based Session

Install vShield Component Licenses

vShield App Installation Requirements
You must meet the following requirements. Deploy one vShield Manager system per vCenter Server Deploy one vShield App instance per ESXi host. You must be using vCenter Server version 5.0. And, you must have the vShield Manager OVA file Hardware Summary Memory 1 GB (Automatically reserved) CPU 2 vCPU Disk Space 5 GB

Contd … vShield App Installation Requirements
vCenter Privileges: Access to the vSphere Client. Ability to add and power on virtual machines Ability to access the datastore holding the virtual machine’s files, and to copy files to this datastore. Make sure that cookies are enabled in order to access the vShield Manager. Web browser Version Internet Explorer 6.x and later Mozilla Firefox 1.x and later Safari 1.x or 2.x

Steps to Install vShield App

Select Installation Parameters for vShield App
Warning displayed This port group must be able to reach the port group that the vShield Manager is connected to.

vShield Installation In Progress

vShield App Hardware Configuration
is always Appended with the name of ESXi host

Verifying vShield App Installation
After installing the vShield App service on the ESXi host, go to the vShield Manager user interface to verify that the service has been installed. In the vShield Manager inventory panel, select the datacenter, then select the App Firewall tab. The App Firewall tab indicates whether or not the vShield App service is enabled on a host.

Verifying vShield App Installation –Memory reservation

Verifying vShield App Installation –Virtual Machine Protection
VM’s with protected Icon. This is only visible Via web interface

Verifying vShield App Installation –vShield App FW status

vShield App Packet flow
VM sends the packet out as a part of the Telnet protocol, its intercepted by the virtual network adapter-level FW & is FWD to the vShield App on that host. VM sends the packet out as a part of the Telnet protocol, its intercepted by the virtual network adapter-level FW & is FWD to the vShield App on that host. The virtual network adapter-level firewall sends the packet to vswitch port group PG-X. The virtual network adaptor-level firewall intercepts the packet and forwards it to the vShield App appliance. The virtual network adaptor-level firewall sends the packet to the VM The vswitch on Host 2 receives the packet. The vswitch looks up the MAC address and accordingly sends the traffic out to the virtual machine on Host .2 The vshield App appliance inspects the packet. If the security profile allows the packet to flow through, the packet is sent back to the virtual network adaptor-level firewall. The vSwitch looks up the MAC address and accordingly sends the traffic out on the up-link port of Host 1. The external infrastructure that involves physical switches will carry this packet on VLAN 1000. The external switch sends the packet to the Host 2 network adapter based on the MAC address table.

Flow Monitoring Introduction
Inter-virtual Machine Communications All traffic on protected virtual machine is directed to virtual network adapter level firewall, this actually equips vShield APP FW to read the packets moving in and out of virtual machines. Data displayed in Graphical Tabular Format Tabular format is further divided into allowed and block traffic as shown in next slide

Flow Monitoring –Tabular Format
Data displayed below can be used to learn the type of traffic flowing in and out of VM. Then we can use this data for creating or blocking the rule.

Flow Monitoring – View And Interpret Charts And Reports

Flow Monitoring – Traffic categorization based on Protocol/Application
You can select a specific traffic type, such as FTP, HTTP, LDAP. To view a certain traffic type in the charts, display the application drop down list and select desired protocol/application

Flow Monitoring – Key advantages
Analysis of Inter-VM traffic can be easily done You can dynamically create rules right from flow monitoring console This can be of great help for debugging network related problem as you can enable logging for every individual virtual machine as on needed basis.

Installing vShield App & Flow monitoring
DEMO/LAB Installing vShield App & Flow monitoring

Introduction vShield App Firewall
vNIC‐level firewall vShield App installs as a hypervisor module and firewall service virtual appliance Places a firewall filter on every virtual NIC. IP-based stateful firewall No Network changes or IP changes vShield App can create and enforce logical (i.e. not just VLAN or physical subnet) application boundaries all the way down to layer 2 vShield App provides a centralized and hierarchical App firewall service for ESXi hosts. It is an interior, vNIC‐level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESXi host, including between virtual machines in the same port group. vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App provides firewalling capability between virtual machines by placing a firewall filter on every virtual NIC. It implements an IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, FTP, and RPC. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones.

vShield App Firewall Rules : L2 and L3 rules
Firewall Protection Through Access Policy Enforcement The App Firewall Tab Represents The vShield App Firewall Access Control List. L2 Rules Monitor ICMP, IPv6, PPP, ARP traffic. L3 Rules Monitors DHCP, FTP, SNMP HTPP. L3 rules also monitors application specific traffic (Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP) You can configure Layer 3 and Layer 2 rules at the datacenter level only. By default, all L3, and L2 traffic is allowed to pass. vShield App provides firewall protection through access policy enforcement. Policies can be created automatically from the Flow Monitoring report. Or, policies can be created manually from the App Firewall tab. The App Firewall tab represents the vShield App firewall access control list. The App Firewall tab offers two sets of configurable rules: Layer 3 (L3) rules and Layer 2 (L2) rules. Layers refer to layers of the Open Systems Interconnection (OSI) Reference Model. L3 rules govern TCP and UDP transport of Layer 7, or application‐specific traffic. The protocols that L3 rules monitor are DHCP, DNS, FTP, HTTP, and SNMP. L3 rules also monitor application specific traffic including Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP. These rules improve security by opening ports only as needed. L2 rules monitor traffic from protocols such as ICMP and ARP. Layer 2 firewall protects against multiple types of attacks, e.g., password sniffing, DHCP snooping, ARP spoofing/poisoning attacks, and so on. You can configure Layer 3 and Layer 2 rules at the datacenter level only. By default, all L3, and L2 traffic is allowed to pass.

Hierarchy of vShield App Firewall Rules
Enforced Top to Bottom The first rule in the table that matches the traffic parameters is enforced. System defined rules can’t be deleted or add, you can only change the action element i.e. to Allow (default) or Deny A vShield App checks each traffic session against the top rule in the App Firewall table before moving down the subsequent rules in the table.

2 4 5 6 1 1 2 3 All Layer 3 Rules Are Applied Second
In Layer 3 –High Precedence rules are applied first 4 In Layer 3 –Low Precedence rules are applied Second 5 In Layer 3 –System Defined rules are applied last 6 All Layer 2 Rules Are Applied First 1 In Layer 2 –High Precedence rules are applied first 1 In Layer 2 –Low Precedence rules are applied Second 2 In Layer 2 –System Defined rules are applied last 3

Container-Level and Custom Priority Precedence

How to define Firewall Policy Rule
Firewall policies contains 5 pieces of information

vSphere Groupings vSphere groupings can also be based on network objects, specifically port groups and VLANs

Firewall Rules Example 1: Using vSphere Groupings
When you specify a container as the source or destination, all IP addresses within that container are included in the rule.

Firewall Rules Example 2: Using vSphere Grouping

How To Create A Firewall Rule –Step 1

How To Create A Firewall Rule –Step 2
Enter source Enter Destination and other details

How To Create A Firewall Rule –Step 2 Contd
Server inside "WinXP01-Server18" group Server outside "Fort" datacenter Server Inside "WinXP01-Server18" group cannot access system outside Fort datacenter on RARP protocol, this traffic is logged.

How To Create A Firewall Rule –Step 3 Publishing Rule

Create rule using MAC Set and IP Set
You can also define rules based on MAC and IP Set. Where do we use this type of rules? When you want to configure a rule based on virtual machine identity i.e. MAC Set, IP Set and Port Group. In this case even if Virtual machine follows any part of resource pool, rule will always apply. Same is not true when you define rules based on resource pool, vApp or cluster. The moment VM is moved from the resource pool to another resource pool, rule no longer applies. You can also define rules based on MAC and IP Set. Both follow same procedure to create rule, all we have to select is IP range or MAC range. Before let’s understand where do we use this type of rules. Virtual machine is identified port group, MAC address and IP Address. If you want to configure a rule based on virtual machine identity then MAC Set, IP Set and Port Group set are right types of rules to configure. In this case even if Virtual machine follows any part of resource pool, cluster rule will always apply. Same is not true when you define rules based on resource pool, vApp or cluster. The moment VM is moved from the resource pool to another resource pool, rule no longer applies.

Creating MAC Set Scope field is automatically selected
1. Enter Name of the group 2. Optionally enter description 3. Enter MAC Addresses as shown in below screen. 4. Press Ok

Creating IP Set Scope field is automatically selected
1. Enter Name of the group 2. Optionally enter description 3. Enter IP Addresses as shown in below screen. 4. Press Ok

After MAC Set is created
Below screen shows when the group configuration is complete. You use Edit and Delete button to change the IP/MAC set

vSphere Grouping -Example
Medical Records Resource Pools WinXP01-RuleSet

Creating rule based on IP/Mac Set
Select datacenter, on right hand side select Layer 3 rule (IP set) or layer 2 rule (MAC set) here. Select add rule and enter the details as shown next slide

Anything inside Medical Records cannot access IP's defined inside rule "WinXP01-Server18-IP i.e.
, If you select outside, then medical records can access only IP's defined inside rule "WinXP01-Server18-IP

Creating Security Group –Step 1

Creating Security Group –Step 2
NIC level grouping is possible

Creating Rule based on Security Group
Press Ok Publish the rule

Rule based vSphere Security Group –Port Group
Logical Rule translates into physical world explained below Even if the VM’s are same Datacenter, Cluster, ESXi, Resource Pool or vApp they cannot communicate

Advantages of Security Groups
vShield App allows you to create custom containers known as security groups. You assign virtual machines to security groups by assigning their vNICs to the appropriate group. Then, you can use the security group in the source or destination field of an App Firewall rule. The key benefit of security groups is the ease of creating different trust zones. Whether through the use of vSphere objects or through the use of manually configured security groups, the key benefit is ease of protection and quality of protection through the use of logical zoning as opposed to carving up a network to provide network isolation.

Best Practices: Firewall Rules
Create Firewall Rules That Meet Your Business & Security Needs Identify source and destination. Take full advantage of vSphere Grouping Use vSphere Security group only when you create rule based on vSphere Grouping By default vShield FW allows incoming and outgoing traffic, As a best practice you may want to deny all traffic In general, create firewall rules that meet your business needs. In addition, you might consider the following guidelines: Where possible, when identifying the source and destination, take advantage of vSphere groupings in your vCenter Server inventory, such as the datacenter, cluster, vApp. By writing rules in terms of these groupings, the number of firewall rules is reduced, which makes the rules easier to track and less prone to configuration error. If a vSphere grouping does not suit your needs because you need to create a more specialized group, then take advantage of security groups. Like vSphere groupings, security groups reduces the number of rules that you need to create, making the rules easier to track and maintain. Finally, set the action on the default firewall rules based on your business policy. For example, as a security best practice, you might deny all traffic by default. If all traffic is denied, then vShield App drops all incoming and outgoing traffic. Allowing all traffic by default makes your datacenter very accessible, but also insecure.

Building Firewall Rules
Option A: More Restrictive vShield installs with default “allow” rule Build rules based on Application/Vendor’s port guide Monitor, document, validate traffic flows via vShield Flows Adjust rules as necessary Change default rule to “deny” Option B: Less Restrictive Build rules between communicating VMs Allows all traffic between selected VMs

Logging and auditing vShield App has its own logging mechanism.
Logging can be great help in troubleshooting app appliance. Auditing of traffic which was either allowed or blocked can be configured per rule set. You’ve to enable logging for every rule you configure. Logs are captured and retained for one year. Logs more than one year are overwritten. Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore, it is a good idea to be selective of the rules that you want to log. App has its own logging mechanism. Logging can be great help in troubleshooting app appliance. Logging is done for events related to system. For example appliance is down/rebooted or unreachable. If the app appliance is unreachable it will be unreachable to vshield manager. Events are further categorized as informational or critical as shown below Auditing of traffic which was either allowed or blocked can be configured per rule set. You’ve to enable logging for every rule you configure. All the actions performed by all vshield users is captured in events and available for audit. These logs are captured and retained for one year. Logs more than one year are overwritten.

vShield Manager event logging –Audit Logs
All the actions performed by all vshield users is captured in events and available for audit. Logging is done for operations related to system. E.g. appliance is down/rebooted or unreachable. If the app appliance is unreachable it will be unreachable to vshield manager.

vShield Manager event logging –Audit Logs
Events are further categorized as informational or critical as shown below

All vShield App configuration parameters are available only when you select host on left hand side

Configuring Syslog Server for vShield App Contd…
Three log levels are available Alert Emergency Critical If you select Emergency, then only emergency-level events are sent to the syslog server. If you select Critical, then critical-, alert-, and emergency-level events are sent to the syslog server.

Interpreting Logs Of Traffic Rule –Example 1
proto= protocol vesxi27=host at which alerts are observed L2=Layer2 protocol DROP=traffic is dropped

Interpreting Logs Of Traffic Rule –Example 2
proto= ICMP protocol vesxi27=host at which alerts are observed L3=Layer3 protocol DROP=traffic is dropped

Reverting to previous vShield App Firewall configuration
Automatic mechanism to create backup of firewall rules configuration vShield Manager takes snapshots each time new rule is committed Previous configuration can be easily reverted via drop down menu

Role-Based Access Control New in vShield Manager 5.0
Privilege Summary vShield operations and security: Everything related to vShield product Super user (admin) vShield operations only: installation, configuration of virtual appliances, ESX host modules, etc. vShield admin vShield security only: Policy definition, reports for edge, app, endpoint, data security Security admin A new feature in vShield Manager 5.0 that applies to all vShield solutions is role-based access controls. All the vShield products now employ RBAC to limit what individual people can do when they log in to vShield Manager. This provides critical separation-of-duties capabilities. Read-only access to vShield operations and security settings Auditor Confidential

RBAC: Scope To vSphere Administrators To vSphere Administrators
Role-based access control (RBAC) enables clear separation of workflow for virtual infrastructure and security administrators. RBAC provides flexibility in delegating administration across resource pools and security groups, improving security of applications and data.

LAB/DEMO Firewall Lab Reverting To Previous Vshield App Firewall Configuration User Creations And Configurations

Spoof Guard Why to use spoof guard? How does it work?
To reduce man in the middle attack which is referred as IP & MAC Spoofing How does it work? VM’s IP addresses are collected during synchronization cycle that happens between vshield and vCenter via vSphere API. If the IP address is modified in the VM and it doesn’t matches with the Spoof Guard collected data, VM is isolated and not allowed to communicate outside. It works in datacenter context and it disabled by default

Enable Spoof Guard Click Edit to enable it. Select Enable first and then select the option as per your requirement.

Spoof Guard – IP Address Monitoring and Management
IP Address is collected can be monitored and manage automatically or manually Automatically Trust IP Assignments On Their First Use IP is gathered when first time VM is powered ON. This data is read via VMware tools. Once the list is populated it is push down to vShield app virtual appliance, which then inspects every packet originating out of a network adapter for the prescribed IP. If these do not match, the packet is simply dropped. - This operates separately from app firewall rules. Manually Inspect and Approve All IP Assignments Before Use - In this mode all traffic is block until you approve MAC-to-IP address assignment. NB: SpoofGuard inherently trusts the MAC addresses of virtual machines from the VMX files and vSphere SDK.

Spoof Guard : View and Approve IP
Lists the IP addresses where the current IP address does not match the published IP address. IP address changes that require approval before traffic can flow to or from these VM List of all validated IP addresses

Contd … Spoof Guard –View and Approve IP
When you want to approve the IP, go to IP assignments that require my review and approval or select Require Approval link. You now see difference in Approved IP and Currently Seen IP.

vShield Manager Deployment Consideration
Do not host vShield manager on the same cluster which it is responsible to manage. If vShield Manager is deployed within the infrastructure it is protecting you will suffer circular dependencies*. E.g. An inadvertent configuration error could result in a unmanageable environment if the vShield Manager appliance were to loose connectivity or were prevented from communicating with other components due to a misconfigured security policy You cannot use VMware FT to protect vShield manager if vShield app is deployed. This only applies if vShield app is deployed from the vShield manager in question A vShield manager instance must be deployed for each vCenter in use * Starting vShield you can exclude vShield manager from the host. The issue is that in certain portions of the install process the vCenter Server and vShield Manager virtual machines could end up being mistakenly cut off from communication with the infrastructure they were managing.

Enter inside VMX file

vShield Manager Placement Consideration – Option 1
Shared Management Cluster Model isolates the management from being impacted by Production Cluster hardware failure issues. vCenter Server/Appliance vCenter Database vShield Manager vCenter Update Manager Active Directory DNS Syslog Server Production Cluster Edge App FW Edge App FW Management Cluster Highly Recommended AD/DNS/DHCP VCDB/VUMDB vCenter 5.0 vShield Manager The management cluster may also include virtual machines or have access to servers that provide infrastructure services such as directory (LDAP), timekeeping (NTP), networking (DNS, DHCP), logging (syslog), and security. Component databases, if running on the same platform, can be placed on the same database server if sized properly. For example, the databases used by vCloud Director, vCenter Server, and vCenter Chargeback can run on the same database server. Both the management cluster and resource groups reside in the same physical site to provide a consistent level of service. This minimizes latency issues, which could arise in a multi-site environment if workloads move between sites over a slower or less reliable network. vSphere 5.0 vSphere 5.0

vShield Manager Deployment Consideration – Option 2
Cross-Managed Cluster Model will provide isolation similar to management cluster Edge App FW Production Cluster A vSphere 5.0 Edge App FW Production Cluster B vSphere 5.0 vShield Manager vShield Manager vCenter 5.0 vCenter 5.0

vShield Manager Deployment Consideration – Option 3
Single cluster model with vShield Manager exclusion* Edge App FW Production Cluster vCenter 5.0 vShield Manager vSphere 5.0 Disables vApp Protecting using Exclusion list

VM Exclusion introduced in vShield 5.0.1
With 5.0.1, there is now a option to exclude VM. This has the effect of disabling all vShield App protection for the excluded VM including Spoof Guard This exclusion list is applied across all vShield App installations within the specified vShield Manager. If a virtual machine has multiple vNICs, all of them are excluded from protection. The vShield Manager and service virtual machines are automatically excluded from vShield App protection. Caveat: A caveat is that the MAC/IP pairs for excluded VM will still show up in the Spoof guard tab of the UI, even though the functionality is disabled.

How to Exclude VM from vShield App

After FailSafe is enabled, VM’s are powered ON are fast suspended and resumed, while Powered OFF VM’s are just reconfigured

VMX entry for Web01 before FailSafe is enabled
VMX entry for Web01 After FailSafe is enabled

vShield App Deployment Consideration
vShield App must be deployed and running on every host in the cluster that protected virtual machines may migrate to. Renaming vShield App security virtual machine is not supported. Doing so it will render it unmanageable as vShield Manager uses the name it assigned at the point of provisioning to manage the vShield App security virtual machine Use vShield app security groups to tier servers of same functions (DC, Webserver, DB Server etc.). This will simplify firewall configuration and rules

Availability Consideration
vShield App

Availability Considerations: vShield Manager
What If vShield Manager appliance is unavailable First and foremost zero impact All existing rules of vShield App are enforced Logs are sent to syslog server Only impact is, New rules or changes to existing rules cannot be made In addition, the flow-monitoring data might be lost, depending on the duration of the failure. vShield Manager backup can be used to restore via backup What If host which is hosting vShield Manager appliance is unavailable vShield manager is HA and DRS aware and can take full advantage of it. In this case vShield Manager will automatically restart to another host

Availability Considerations: vShield App
What If vShield App appliance is unavailable All traffic to and from the protected virtual machines hosted on the host on which vShield App was running is blocked * At process level, built-in watch dog restarts the failed processes VMware HA virtual machine monitoring will detect (via VMware tools and network packets) and restart fail vshield app. vCenter Alarm is triggered if VM migrates onto a host where vShield Appliance is not installed What If host which is hosting vShield App appliance is unavailable DRS is disabled for vShield App Except for vshield App VM, protected VM’s are restarted on another host and they get automatically protected assuming the host is installed with vShield App * From vShield , you have option to disable this behavior, though strongly not recommended

vShield App: DRS and HA Settings
The HA restart priority for the vShield App appliance is set to high. This is to ensure it is the first to restart during failure over event. It makes sure that its running before the VMs its protecting . vShield vApp should never be moved to another host. Therefore during installation DRS is automatically disabled for vShield vApp If the host is put in maintenance mode, vShield App automatically shuts down and automatically restarts when host exits maintenance mode. You cannot use FT to protect vShield Manger when vShield App is deployed, vShield Manager used linked clones and snapshots as part of the deployment process for the vShield Firewall Service Appliance virtual machines. Disable DRS (If not already disabled): On Vshield app virtual appliance DRS is disabled by default. It is recommended to pin the VM to the host it was deployed. The reason for this is app firewall correlates with the security rules and data path for virtual machines on that host. This mandates that a vshield app virtual machine should never be moved from that host. Also app is installed on every host.

Verifying vShield App Installation – HA Restart Priority

Verifying vShield App Installation –DRS is Disabled

vShield App Industry Best Practices
vShield App provides security protection for virtual machines Firewall rule groups will need to be translated from the old firewall into vShield Manager Set up roles and responsibilities within vShield Manager that only allow the minimum of permissions to perform required functions by administrators. E.g. Give vSphere Administrator ability to install vShield Suite via vShield Admin role and ability view rule via Auditor Role Ensure audit logs are reviewed regularly vShield App provides security protection for virtual machines and not host management interfaces, vMotion, network storage, or VMware Fault Tolerance network communications. Inspection and monitoring of inter-vm traffic on the same port group and host, and inter-host traffic is very important when customers are trying to meet compliance Firewall rule groups will need to be translated from the old firewall into vShield Manager and then used as the basis for the rules. This can cut down the number of individual rules necessary to provide the same level of security.

Contd .. vShield App Industry Best Practices
Define a thorough test plan Penetration testing and external auditing Consider creating an application group that contains the ports For example you might create an application group called WEB containing both TCP 80 and 443. Ensure that vShield Edge and vShield App appliances send all their logs to a centralized Syslog server or infrastructure. Consider mirroring the logs to an alternate site Define a thorough test plan that will test all the necessary applications and rules that are required. Penetration testing and external auditing would also be advised to ensure that the solution minimizes any potential security risks. If you have a common group of ports that are assigned to multiple objects consider creating an application group that contains the ports, for example you might create an application group called WEB containing both TCP 80 and 443. Ensure that vShield Edge and vShield App appliances send all their logs to a centralized Syslog server or infrastructure. Consider mirroring the logs to an alternate site to ensure availability of logs in case of incident investigation or response if something happens to the primary site. Consider using a tool such as Splunk, RSA enVision or similar to visualize and correlate log events and highlight any possible events of interest.

Contd … vShield App Industry Best Practices
Use the vShield REST API’s to back up the firewall rule base . Use the REST API’s to turn off rule logging when troubleshooting and implementation processes are complete unless there is a reason to leave it enabled. If you are replicating the infrastructure to a DR site ensure that vShield Edge and vShield App are set up appropriately at the DR site and that you have a process to ensure the rule base is up to date. Updates and changes to the DR site can be automated using the vShield REST API’s, which can also be integrated with VMware vCenter Site Recovery Manager. vShield App and Host Profiles Use the vShield REST API’s in addition to the vShield Manager backup functionality to back up the firewall rule base and store this in a version controlled repository such as SVN or CVS. Use the REST API’s to turn off accept rule logging when troubleshooting and implementation processes are complete unless there is a reason to leave it enabled.

Agenda –vShield Edge Planning and Installation of vShield Edge
vShield Edge Services DHCP NAT Firewall VPN Load Balancing Static Routing Scenarios Deployment and Availability Considerations

Introduction Protects the edge of infrastructure
Common Gateway Services DHCP VPN NAT Static Routing Load Balancing Common Deployment Models DMZ VPN Extranets Multi-Tenant Cloud Environment

Logical View of vShield Edge
Network Isolation happens at Port group Level

Port group Isolation based on VLAN
With VLAN isolation, vShield Edge is used to secure port groups with a standard VLAN configuration. Isolation of virtual machines is provided exclusively by VLANs in Layer 2. When To Use VLAN Isolation When to use Network infrastructure build around VLANs Physical machines need to participate in protected network Virtual Switch Support vSS vDS Cisco nexus 1000v It is up to the administrator to ensure that the VLANs are configured properly across all hosts.

Access Aggregation layer
VLAN-126 VLAN-135 VLAN-108 Access Aggregation layer EXTERNAL INTERFACE INTERNAL EXTERNAL INTERFACE INTERNAL PG-CORP1 (VLAN-126) PG-CORP2 (VLAN-135) VMware vSphere Internet FacingVLAN-108 Each tenant is assigned its own VLAN for each of the respective tenant’s virtual machine traffic It is important to note that this VLAN separation of traffic between tenants provides Layer 2 isolation at the aggregation layer. But, VLAN isolation does not provide security from attacks at Layer 3 and above. To protect from higher layer network attacks, the vShield Edge virtual appliance acts as a firewall. The vShield Edge virtual machine is deployed per tenant. On the internal port group PG-CORP1, all virtual machines belonging to tenant CORP1 are connected to this port group and are allowed to communicate with each other without having to go through the vShield Edge firewall. If a virtual machine on the tenant CORP1 network wants to access external devices, then traffic has to flow through the vShield Edge virtual machine. And, depending on the security rules defined in the vShield Edge firewall, the access will be either allowed or denied.

vCloud Director Network Isolation
VM Identity is used to isolate a group of VMs from other VMs All VM’s on Single Layer-2 domain but are isolated by assigning them to different port groups Traffic between VMs in the same port group is allowed, but traffic between VMs across different port groups is not allowed by a virtual switch This port group isolation feature is supported ONLY on a distributed virtual switch (vDS), but not on a standard switch (vSS) or Cisco Nexus 1000V When a virtual machine is deployed in the virtual infrastructure, it is assigned a MAC address and an IP address. In addition, it is connected to a specific port group of a virtual switch. IP address may not be assigned in all cases but other two unique parameters can always identify virtual machines. So any virtual machine that gets deployed must be associated with a port group on a virtual switch. This fact is used to isolate a group of virtual machines from other virtual machines. Administrators now can use one subnet (single layer-2 domain) to place all their virtual machines and can provide isolation within a group of virtual machines by assigning them to different port groups. Traffic between virtual machines in the same port group is allowed, but traffic between virtual machines across different port groups is not allowed by a virtual switch. This port group isolation feature is supported on a distributed virtual switch (vDS), but not on a standard switch (vSS) or Cisco Nexus 1000V. In a vDS, a port group definition can span across the entire datacenter, so an isolated virtual network through port groups can also span across the complete datacenter.

vCDNI -Communication Between Tenants Across The Host
The key point is that although the virtual machines of tenant X and tenant Z are on the same Layer 2 domain, their networks are isolated from each other by vShield Edge.

vCDNI -Communication Between Tenants Within The Host
VMs traffic is isolated from each other because they are on different secured, port groups. As a result, communication must flow through the vShield Edge virtual machines of both tenants. All traffic flows over the Provider VLAN, VLAN 100.

vCDNI –VM’s Communication of same Tenant
VM’s Freely need to communicate without need to go through vShield Edge VM and Provider VLAN

Advantages of vCloud Director Network Isolation (vCDNI)
Using cloud network isolation instead of VLAN isolation, the vShield environment is simpler to scale. Provisioning cloud network isolation can be automated with scripts that use the vShield REST APIs. Finally, a key advantage that cloud network isolation has over VLAN isolation is that cloud network isolation does not need any complex configuration at the Aggregation layer.

Protecting Extranet: VPN Services

vShield Edge: DHCP Services

vShield Edge: NAT Services

vShield Edge Services: Load Balancer Services

vShield Edge Services: Firewall Services

vShield Edge Firewall Rules and Direction
Incoming Traffic on both the Interfaces is blocked by default EXTERNAL INTERFACE EXTERNAL INTERFACE: INCOMING vShield Edge INTERNAL INTERFACE: INCOMING EXTERNAL INTERFACE: OUTGOING INTERNAL INTERFACE: OUTGOING Outgoing Traffic on both the Interfaces is allowed by default INTERNAL INTERFACE

vShield Edge Firewall Rules and Direction -Example
External Interface Internal Interface /24 Subnet PRIVATE PORT GROUP Traffic incoming /24 Subnet

vShield Edge services – Static routing
Most networks have a single router called the default gateway . If a network has a default gateway, the nodes on the network can send traffic to the gateway and the gateway will then forward the traffic to the destination. All machines in a network have a routing table. A Routing table is a list of destination networks and the router that carries traffic to that destination. Manually adding routes to a routing table is called static routing. Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for. The nodes store this information in their routing table. In a network, you can create a static routing either internal network or external network. Some networks may have more than one router. The nodes in the network have to be aware of which networks those routers can accept traffic for. The nodes store this information in their routing table.

Static Routing between two vApp
APPLICATION 1 APPLICATION 2 PG- APP-1 PG- APP-2 Internal Interface Internal Interface External Interface External Interface PG- PUBLIC

Installing vShield Edge for Application 1
Installing vShield Edge Application for APP1

vShield Edge Installed for for Application 1 and Application 2

Configure Static Route for APP1 Network
It is the network APP1 want to reach It is the gateway of Destination network

Configure Static Route for APP2 Network
It is the network APP2 want to reach It is the gateway of Destination network

Static Route Set Up for APP1 & APP2 Network

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other
APPLICATION 1 APPLICATION 2 PG- APP-1 PG- APP-2 Internal Interface Internal Interface External Interface External Interface PG- PUBLIC Outgoing Traffic allowed by default

Configuring Firewall Rule to Allow APP1 and APP2 Network to Communicate with Each Other

Rules defined at APP-1 FW Rules defined at APP-2 FW

Ping and Tracert request from APP1 VM

Ping and Tracert request from APP2 VM

How To Configure NAT Services
SCENARIO Customer wish to access Web Server Web01 which sits inside the DMZ network of CORP A Web Server Web01 sits in x/24 network and has been assigned IP by vShield Edge DHCP Services as Customer’s wants to access Web Server Web01. Customer network is x/24 We can configure NAT

vShield Edge Configured to Meet Customer Scenario
Internal Interface: Private Switch vSwitch Connected to External Network External INTERNAL x External Interface: vShield Edge DCHP Service NAT Service FW Rules Web01 Web02

Configure DHCP

Use SNAT when Internal IP needs to be translated into External IP.
Use DNAT when External IP needs to be translated into Internal IP.

Open Firewall Ports to allow NAT Traffic

vSwitch Connected to External Network
Internal Interface: Private Switch vSwitch Connected to External Network External INTERNAL x External Interface: vShield Edge DCHP Service NAT Service FW Rules Web01 Web02

vShield Edge Deployment Considerations
Only HTTP(80) round-robin load balancing is currently supported Each vShield Edge instance supports up to a maximum of 10 site- to-site VPN sessions VMware strongly recommends you protect vShield Edge appliances using HA and DRS features. In the event of a cluster host going offline while running vShield Edge appliance, the appliance is restarted on another host in the cluster

Traditional Layer2 Segmentation
PG 1 VLAN 11 PG 2 VLAN 12 PG 3 VLAN 13 vSwitch/vDS Physical Switch

Cloud Network Isolation (CNI) Segmentation
VMs on one PG cannot talk to VMs on another PG at Layer 2. Even if they share same VLAN PG 1 VLAN 1 PG 2 VLAN 1 PG 3 VLAN 1 vDS Physical Switch

Method 1 –Using VLAN per organization
HOST 1 HOST 2 ORG C : LAN 72 ORG C : LAN 72 ORG A : LAN 72 ORG B : LAN 81 ORG A : LAN 72 ORG B : LAN 81 Internet Facing

Method 2 –Using Mixed Trust Model
Multi Tenant ORG C : LAN 63 SOX PCI HIPPA ORG A : LAN 72 ORG B : LAN 81 ORG Z : LAN 54 Single Tenant Internet Facing

Method 3 –Single VLAN Multi Tenant
Mail DBA Web ORG Z : LAN 54 Tenant-2 PCI HIPPA SOX ORG Z : LAN 54 CNI Single VLAN Segmentation via App Internet Facing Internet Facing

Performance Statistics

Difference between vShield Edge and vShield app
Deployed per port group Deployed per host Enforcement between virtual datacenter and untrusted networks Enforcement between VMs Change - aware Stateful, application level firewall Five-tuple rule based policies Site to Site VPN (IPSEC), DHCP, NAT, Firewall, Load Balancing, Cloud Network Isolation Hypervisor-based firewall, flow monitoring, security groups

Can firewall rules be backed up and restored? How?
There are multiple methods to backup firewall rules. The recommended methods are: via vShield Manager user interface via REST APIs, which can be scripted/automated You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. VI administrators can use REST APIs (accessible via web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.

REST API -BASICS The vShield REST API uses HTTP Requests
HTTP Requests are often executed by a script or higher level language vShield REST API Workflows Make an HTTP Request (Typically GET,PUT,POST or DELETE) against vShield Manager URL Response could be XML or HTTP Response code XML Response is generally a link or other information about the state of object HTTP Response code indicates whether the request is succeeded or failed. vShield Manager requires TCP port 80/443 to be opened for the vShield REST API request to pass through

Executing REST API using REST Client

Working with IP Sets using vShield REST API

Reading IP Sets

XML Format to Create IP Set
POST <ipset> <objectId /> <type> <typeName /> </type> <description> New Description </description> <name>TestIPSet2</name> <revision>0</revision> <objectTypeName /> <value> </value> </ipset> Automatically created

Create IP Set

vShield App and vShield Edge

Similar presentations

Presentation on theme: "vShield App and vShield Edge"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

vShield App and vShield Edge

Similar presentations

Presentation on theme: "vShield App and vShield Edge"— Presentation transcript:

Similar presentations

About project

Feedback