vShield Edge

Report
vShield App and vShield Edge
Planning, Installation and Designing based on 5.0.1
From Preetam Zare
http://vcp5.wordpress.com
http://vShieldSuite.wordpress.com
Confidential
© 2010 VMware Inc. All rights reserved
Agenda –vShield App
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration
2
Confidential
Preetam Zare
Agenda –vShield Edge
• Planning and Installation of vShield Edge
• vShield Edge Services
•
•
•
•
•
•
DHCP
NAT
Firewall
VPN
Load Balancing
Static Routing
• Scenarios
• Deployment and Availability Considerations
3
Confidential
Preetam Zare
Data Center needs to be secured at different levels
Perimeter Security
• Sprawl: hardware, FW rules, VLANs
Firewall,
VPN
• •Rigid
FW rules
Load balancers
• •Performance
bottlenecks
Cost & Complexity
PreventAtunwanted
access
the vDC Edge
Internal Security
VLAN 1
• VLAN or subnet based policies
• Interior or Web application Firewalls
Segment your services
VLANs
End Point Security
• Anti-virus
• Data Leak Protection
4
Protect your data
Preetam Zare
Why Security in Virtualized Datacenter?






5
Network security devices become chokepoints
Capacity is never right-sized
No intra-host virtual machine visibility
Audit trails are lacking
Physical topologies are too rigid
Current Security is static
Preetam Zare
Traditional vSphere Infrastructure Setup Without Vshield
INTERNET
VPN Gateway
vSphere 5.0
VPN Gateway
L2-L3 Switch
L2-L3 Switch
L2-L3 Switch
Firewall
Firewall
Firewall
Load Balancer
Load Balancer
Load Balancer
Switch
Switch
Switch
vSphere 5.0
Company A
6
VPN Gateway
vSphere 5.0
vSphere 5.0
Company B
vSphere 5.0
vSphere 5.0
Company C
Preetam Zare
vSphere Infrastructure Setup Without Vshield
INTERNET
VPN Gateway
vSphere 5.0
VPN Gateway
L2-L3 Switch
L2-L3 Switch
L2-L3 Switch
Firewall
Firewall
Firewall
Load Balancer
Load Balancer
Load Balancer
Switch
Switch
Switch
vSphere 5.0
Company A
7
VPN Gateway
vSphere 5.0
vSphere 5.0
Company B
vSphere 5.0
vSphere 5.0
Company C
Preetam Zare
vShield Product Family
Securing the Private Cloud End to End: from the Edge to the Endpoint
vShield Edge
Edge
Secure the edge of
the virtual datacenter
DMZ
Application 1
vShield App
Security Zone
- Create segmentation
between workloads
- Sensitive data discovery
vShield Endpoint
Endpoint = VM
Anti-virus processing
Application 2
vShield Manager
Endpoint = VM
Centralized Management
8
Preetam Zare
What Is vShield Edge?
vShield
Edge
Tenant A
Secure
Virtual
Appliance
Tenant C
Secure
Virtual
Appliance
Firewall
99
vShield
Edge
vShield
Edge
Tenant X
Secure
Virtual
Appliance
Load balancer
vShield Edge secures the
perimeter, “edge”, around a
virtual datacenter.
 Common vShield Edge
deployments include:
 Protecting the Extranet
 Protecting multi-tenant cloud
environments
VPN
Preetam Zare
vShield Edge Capabilities
vShield
Edge
Tenant A
Secure
Virtual
Appliance
vShield
Edge
Tenant C
Secure
Virtual
Appliance
vShield
Edge
Tenant X
Secure
Virtual
Appliance
Edge functionality
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration
Protocol (DHCP)
• Site to site VPN (IPSec)
• Web Load Balancer
• (NEW) Static Routing
• (NEW) Certificate mode support
for IPSEC VPN
Management features
• REST APIs for scripting
• Logging of functions
Firewall
10
10
Load balancer
VPN
Preetam Zare
Securing the Data Center Interior with vShield App
 Key Benefits
• Complete visibility and
control to the Inter VM
traffic enabling multi trust
zones on same ESX
cluster.
• Intuitive business
language policy
leveraging vCenter
inventory.
11
Preetam Zare
vShield Endpoint
Offload Anti-virus Processing for Endpoints
Benefits
• Improve performance by offloading anti-virus functions in
tandem with AV partners
• Improve VM performance by eliminating anti-virus
storms
• Reduce risk by eliminating agents susceptible to attacks
• Satisfy audit requirements with detailed logging of AV
tasks
12
Preetam Zare
Cloud Infrastructure Security- Defense in Depth
First Level of Defense- vShield Edge
• Threat mitigation and blocks unauthorized
external traffic
• Suite of edge services
• To secure the edge of the vDC
Zoning within the ORG- vShield App
• Policy applied to VM zones
• Dynamic, scale-out operation
• VM context based controls
Compliance Check vShield App with data
security
• Discover PCI, PHI, PII sensitive data for virtual
environment
*
*
• Compliance posture check
AV agent offload- vShield Endpoint
• Attain higher efficiency
• Supports multiple AV solutions
• Always ON AV scanning
13
Preetam Zare
Agenda
 Introduction to vShield Suite
 vShield Manager Installation, Configuration and Administration
 Planning and Installation of vShield App
 vShield App Flow Monitoring
 vShield App Firewall Management
 Use Cases of vShield App
 Design consideration of vShield App
14
Confidential
Preetam Zare
vShield Manager Introduction
vShield manager console acts a central point to install, configure and
maintain vShield components e.g. vShield Edge, vShield App and
vShield Endpoint
Vshield manager is pre-packaged as OVA appliance.
vShield manager OVA file includes software to install vShield Edge,
vShield App and vShield Endpoint.
vShield Manager can run on a different ESX host from your vShield
App and vShield Edge modules.
vShield Manager leverages the VMware infrastructure SDK to
display a copy of the vSphere client inventory.
15
Confidential
Preetam Zare
vShield Manager –Central Management Console
Vshield Manager
Central point of
management.
For RBAC
model, stores
flow data and
manages Rule
base
You can connect to
vshield manager directly
via web interface or via
vcenter plug-in
Client
Automatic
deployment of
vShield app
appliance via
vshield manager
vCenter
VSPHERE
VSPHERE
VSPHERE
Management Network
16
Confidential
Preetam Zare
Vshield Manager Communication Paths
SSH Client
Vshield web
console
Default
Enabled
Default
disabled
REST API --> TCP 80/443
vShield
Manager
vShield App
Appliance
Access to ESXi host
TCP 902/903
TCP 443
vSphere
Client
VSPHERE
TCP 443
vCenter
Management Network
17
Confidential
Preetam Zare
vShield Manager Requirements
Virtual Hardware
Summary
Memory
3 GB
CPU
1
Disk
8 GB
Software
vShield OVA File
Web Browser
IE6.x and Later, Mozilla Firewall 1.x and Later,
Safari 1.x and 2.x
For latest interoperability information check here
http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php
18
Confidential
Preetam Zare
Latest interoperability
19
Confidential
Preetam Zare
Permission
 Permission to Add and Power on Virtual Machines
 Access to datastores where vShield Suite will be deployed
 DNS reverse look up entry is working for all ESXi host
20
Confidential
Preetam Zare
vShield Manager Installation
 Multi-Step installation Process
Obtain the vShield Manager OVA File
Install vShield Manager Virtual Appliance
Configure the Network Settings of the vShield Manager
Logon to the vShield Manager Interface
Synchronize the vShield Manager with the vCenter Server
Register vShield Manager Plug-in with vSphere Client
Change the default admin password of the vShield Manager
21
Confidential
Preetam Zare
Steps to Install vShield Manager
 Open vSphere client, click File menu selects Deploy OVF Template
as shown below
22
Confidential
Preetam Zare
Browse to locate OVA file
New windows will open,
We will need to provide OVF file, in our case it is OVA file.
Select browse and locate the OVA file you’ve downloaded
from VMware’s site
23
Confidential
Preetam Zare
After selecting the OVA file, press Next. OVA file’s meta will be
read and you will see screen below
24
Confidential
Preetam Zare
Enter name for vShield manager virtual machine and select
location as mentioned below
25
Preetam Zare
Select Datastore
Strongly recommended to
select shared Datastore so that
vMotion, DRS and HA functionality
can be used during planned &
unplanned downtime.
26
Preetam Zare
Select disk format
27
Preetam Zare
Review the settings and close OVF templates
28
Preetam Zare
Virtual Machine Properties
29
Preetam Zare
Warning :Don’t upgrade VMware tools on vShield Manager
Appliances
Each vShield virtual appliance includes VMware Tools. Do not upgrade or
uninstall the version of VMware Tools included with a vShield virtual
appliance.
30
Preetam Zare
Configure the Network Settings of the vShield Manager
 Initial Network Configuration i.e. IP, DG and DNS must be done via
CLI
 Right Click vShield Manager Appliance & Select Open Console
31
Preetam Zare
Contd… Configure the Network Settings of the vShield Manager
32
Preetam Zare
Enter IP, Default Gateway and DNS Details
To enter Enabled type ‘enable’
To start wizard type ‘setup’
Enter IP Details
Finally Press ‘y’ to
confirm settings
33
Preetam Zare
Contd … Enter IP, Default Gateway and DNS Details
34
Preetam Zare
Getting Familiar With Vshield Manager
Interface
35
Preetam Zare
Open a Web browser window and type the IP address assigned to the vShield
Manager. The vShield Manager user interface opens in an SSL/HTTPS session
Log in to the vShield Manager
user interface
by using the username admin
and the password default.
36
Preetam Zare
Synchronizing the vShield Manager with the vCenter
Follow Domain\Username
format if the user is domain user
Enter vCenter
Details and Press
Save
Don’t select this
Register vCenter extension to access
vshield manager within vCenter
37
Preetam Zare
After vShield Manager and vCenter Are Connected
After synch is completed, vCenter data is
On the right hand of the screen we see confirmation
that vSphere Inventory was successfully updated
populated as seen below screen.
vShield Manager doesn’t
Appear as resource in the
Inventory Panel of
vShield Manager user
Interface
38
Preetam Zare
Contd …After vShield Manager and vCenter Are Connected
39
Preetam Zare
Configure Date/Time for vShield Manager
40
Preetam Zare
Generate Tech Support Bundle
41
Preetam Zare
System Resource Utilization Of vShield Manager
42
Preetam Zare
Backup vShield Manager Configuration
 You can backup the configuration & transfer to remote backup
server over FTP
 For one time backup Scheduled Backups must be Off.
Schedule Backup
43
Backup Directory
on FTP Server
Preetam Zare
Backup vShield Manager Configuration –Backup files
vShield Manager
Backup Files
on FTP Server
Backup Directory
on FTP Server
44
Preetam Zare
vShield Manager via Web Browser Vs. vSphere Client Plug-in
 You can manage vShield Appliance from the vShield Manager user
interface, and also you can manage vShield Appliance from the
vSphere Client.
 It is your choice, whatever works best for you.
 The functions that you cannot access from the vSphere Client such
as
• Configuring the vShield Manager’s settings
• Backing up the vShield Manager’s database
• Configuring the vShield Manager’s users, and
• The vShield Manager’s system events and audit logs.
• Configuration vShield App’s Spoof Guard, Fail Safe Mode and VM Exclusion
list
45
Preetam Zare
DEMO/LAB vShield Manager
46
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
47
Preetam Zare
vShield App Architecture
vShield
App
vShield
App
 Hypervisor-Level
Firewall
• Inbound/outbound
connection control enforced
at the virtual NIC level
vSphere
vSphere
• Dynamic protection as virtual
machines migrate
• Protection against ARP
spoofing
ESXi Host
vSphere
Client
48
vShield
Manager
ESXi Host
vCenter
Server
Preetam Zare
Before vShield App is Deployed
VSPHERE
HOST
49
vSwitch/vDS Switch
Preetam Zare
After vShield App is Deployed
VSPHERE
HOST
vShield
Hypervisor
module
50
vSwitch/vDS Switch
All VM traffic is
Passed via LKM &
Inspected by
vShield FW
Preetam Zare
Deploying vShield App
vShield
App
vShield
App
vSphere 5.0
vShield
Manager
vSphere 5.0
vCenter 5.0
ESXi 5.0
51
ESXi 5.0
Preetam Zare
Install vShield Component Licenses
52
Preetam Zare
vShield App Installation Requirements
You must meet the following requirements.
 Deploy one vShield Manager system per vCenter Server
 Deploy one vShield App instance per ESXi host.
 You must be using vCenter Server version 5.0.
 And, you must have the vShield Manager OVA file
53
Hardware
Summary
Memory
1 GB (Automatically reserved)
CPU
2 vCPU
Disk Space
5 GB
Preetam Zare
Contd … vShield App Installation Requirements
vCenter Privileges:
 Access to the vSphere Client.
 Ability to add and power on virtual machines
 Ability to access the datastore holding the virtual machine’s files, and to
copy files to this datastore.
Web browser
Version
Internet Explorer
6.x and later
Mozilla Firefox
1.x and later
Safari
1.x or 2.x
 Make sure that cookies are enabled in order to access the vShield
Manager.
54
Preetam Zare
Steps to Install vShield App
55
Preetam Zare
Select Installation Parameters for vShield App
Warning displayed
This port group must be able to
reach the port group that the
vShield Manager
is connected to.
56
Preetam Zare
vShield Installation In Progress
57
Preetam Zare
vShield App Hardware Configuration
vShield App
is always
Appended with the
name of ESXi host
58
Preetam Zare
Verifying vShield App Installation
59
Preetam Zare
Verifying vShield App Installation –Memory reservation
60
Preetam Zare
Verifying vShield App Installation –Virtual Machine Protection
VM’s with protected
Icon. This is only visible
Via web interface
61
Preetam Zare
Verifying vShield App Installation –vShield App FW status
62
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
63
Preetam Zare
vShield App Packet flow
VM sends the packet out as a part of the
Telnet protocol, its intercepted
by the virtual network adapter-level FW
& is FWD to the vShield App on that host.
The virtual network adaptor-level
firewall sends the packet to the VM
The vshield App appliance inspects the packet. If the
security profile allows the packet to flow through, the
packet is sent back to the virtual network adaptor-level
firewall.
VM sends the packet out as a part of the
Telnet protocol, its intercepted
by the virtual network adapter-level FW
& is FWD to the vShield App on that host.
The virtual network adapter-level firewall sends the
packet to vswitch port group PG-X.
The virtual network adaptor-leve
firewall intercepts the packet and
forwards it to the vShield App
appliance.
The vswitch on Host 2 receives the
packet. The vswitch looks up the
MAC address and accordingly
sends the traffic out to the virtual
machine on Host .2
The vSwitch looks up the MAC address and accordingly
sends the traffic out on the up-link port of Host 1.
The external infrastructure that involves physical
switches will carry this packet on VLAN 1000.
64
The external switch sends the packet to the Host 2
network adapter based on the MAC address table.
Preetam Zare
Flow Monitoring Introduction
 Inter-virtual Machine Communications
 All traffic on protected virtual machine is directed to virtual
network adapter level firewall, this actually equips vShield APP FW
to read the packets moving in and out of virtual machines.
 Data displayed in
• Graphical
• Tabular Format
• Tabular format is further divided into allowed and block traffic as shown in next slide
65
Preetam Zare
Flow Monitoring –Tabular Format
 Data displayed below can be used to learn the type of traffic
flowing in and out of VM. Then we can use this data for creating or
blocking the rule.
66
Preetam Zare
Flow Monitoring – View And Interpret Charts And Reports
67
Preetam Zare
Flow Monitoring – Traffic categorization based on
Protocol/Application
68
Preetam Zare
Flow Monitoring – Key advantages
 Analysis of Inter-VM traffic can be easily done
 You can dynamically create rules right from flow monitoring
console
 This can be of great help for debugging network related problem as
you can enable logging for every individual virtual machine as on
needed basis.
69
Preetam Zare
DEMO/LAB
Installing vShield App & Flow monitoring
70
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
71
Preetam Zare
Introduction vShield App Firewall
 vNIC‐level firewall
 vShield App installs as a hypervisor module and firewall service
virtual appliance
 Places a firewall filter on every virtual NIC.
 IP-based stateful firewall
 No Network changes or IP changes
• vShield App can create and enforce logical (i.e. not just VLAN or physical
subnet) application boundaries all the way down to layer 2
72
Preetam Zare
vShield App Firewall Rules : L2 and L3 rules
 Firewall Protection Through Access Policy Enforcement
 The App Firewall Tab Represents The vShield App Firewall Access
Control List.
 L2 Rules Monitor
• ICMP, IPv6, PPP, ARP traffic.
 L3 Rules Monitors
• DHCP, FTP, SNMP HTPP.
• L3 rules also monitors application specific traffic (Oracle, Sun Remote
Procedure Call (RPC), Microsoft RPC, LDAP and SMTP)
 You can configure Layer 3 and Layer 2 rules at the datacenter level
only.
 By default, all L3, and L2 traffic is allowed to pass.
73
Preetam Zare
Hierarchy of vShield App Firewall Rules
 Enforced Top to Bottom
 The first rule in the table that matches the traffic parameters is
enforced.
 System defined rules can’t be deleted or add, you can only change
the action element i.e. to Allow (default) or Deny
74
Preetam Zare
2
All Layer 3 Rules Are
Applied Second
In Layer 3 –High 4
Precedence rules
are applied first
In Layer 3 –Low 5
Precedence rules
are applied Second
In Layer 3 –System6
Defined rules are
applied last
All Layer 2 Rules
Are Applied First
In Layer 2 –High 1
Precedence rules
are applied first
75
In Layer 2 –System3
Defined rules are
applied last
1
In Layer 2 –Low 2
Precedence rules
are applied Second
Preetam Zare
Container-Level and Custom Priority Precedence
76
Preetam Zare
How to define Firewall Policy Rule
 Firewall policies contains 5 pieces of information
77
Preetam Zare
vSphere Groupings
 vSphere groupings can also be based on network objects,
specifically port groups and VLANs
78
Preetam Zare
Firewall Rules Example 1: Using vSphere Groupings
 When you specify a container as the source or destination, all IP
addresses within that container are included in the rule.
79
Preetam Zare
Firewall Rules Example 2: Using vSphere Grouping
80
Preetam Zare
How To Create A Firewall Rule –Step 1
81
Preetam Zare
How To Create A Firewall Rule –Step 2
Enter source
Enter Destination and
other details
82
Preetam Zare
How To Create A Firewall Rule –Step 2 Contd
Server inside
"WinXP01Server18" group
Server outside
"Fort" datacenter
Server Inside "WinXP01-Server18" group cannot access system outside Fort
datacenter on RARP protocol, this traffic is logged.
83
Preetam Zare
How To Create A Firewall Rule –Step 3 Publishing Rule
84
Preetam Zare
Create rule using MAC Set and IP Set
 You can also define rules based on MAC and IP Set.
 Where do we use this type of rules?
• When you want to configure a rule based on virtual machine identity i.e. MAC
Set, IP Set and Port Group.
• In this case even if Virtual machine follows any part of resource pool, rule will
always apply.
• Same is not true when you define rules based on resource pool, vApp or
cluster. The moment VM is moved from the resource pool to another resource
pool, rule no longer applies.
85
Preetam Zare
Creating MAC Set
Scope field is automatically selected
1. Enter Name of the group
2. Optionally enter description
3. Enter MAC Addresses as shown in
below screen.
4. Press Ok
86
Preetam Zare
Creating IP Set
Scope field is automatically selected
1. Enter Name of the group
2. Optionally enter description
3. Enter IP Addresses as shown in
below screen.
4. Press Ok
87
Preetam Zare
After MAC Set is created
 Below screen shows when the group configuration is complete.
You use Edit and Delete button to change the IP/MAC set
88
Preetam Zare
vSphere Grouping -Example
WinXP01RuleSet
192.168.1.105
89
Medical
Records
Resource Pools
192.168.1.125
Preetam Zare
Creating rule based on IP/Mac Set
 Select datacenter, on right hand side select Layer 3 rule (IP set) or
layer 2 rule (MAC set) here.
 Select add rule and enter the details as shown next slide
90
Preetam Zare
Anything inside Medical Records
cannot access IP's defined inside rule
"WinXP01-Server18-IP i.e.
192.168.1.105, 192.168.1.125
If you select outside, then medical
records can access only IP's defined
inside rule "WinXP01-Server18-IP
91
Preetam Zare
Creating Security Group –Step 1
92
Preetam Zare
Creating Security Group –Step 2
NIC level
grouping is
possible
93
Preetam Zare
Creating Rule based on Security Group
 Press Ok
 Publish the rule
94
Preetam Zare
Rule based vSphere Security Group –Port Group
 Logical Rule translates into physical world explained below
 Even if the VM’s are same Datacenter, Cluster, ESXi, Resource
Pool or vApp they cannot communicate
95
Preetam Zare
Advantages of Security Groups
 vShield App allows you to create custom containers known as
security groups.
 You assign virtual machines to security groups by assigning their
vNICs to the appropriate group. Then, you can use the security
group in the source or destination field of an App Firewall rule.
 The key benefit of security groups is the ease of creating different
trust zones. Whether through the use of vSphere objects or
through the use of manually configured security groups, the key
benefit is ease of protection and quality of protection through the
use of logical zoning as opposed to carving up a network to
provide network isolation.
96
Preetam Zare
Best Practices: Firewall Rules
 Create Firewall Rules That Meet Your Business & Security Needs
 Identify source and destination. Take full advantage of vSphere
Grouping
 Use vSphere Security group only when you create rule based on
vSphere Grouping
 By default vShield FW allows incoming and outgoing traffic, As a
best practice you may want to deny all traffic
97
Preetam Zare
Building Firewall Rules
Option A: More Restrictive
• vShield installs with default “allow” rule
• Build rules based on Application/Vendor’s port guide
• Monitor, document, validate traffic flows via vShield Flows
• Adjust rules as necessary
• Change default rule to “deny”
Option B: Less Restrictive
• vShield installs with default “allow” rule
• Build rules between communicating VMs
• Allows all traffic between selected VMs
• Monitor, document, validate traffic flows via vShield Flows
• Adjust rules as necessary
• Change default rule to “deny”
98
Preetam Zare
Logging and auditing
 vShield App has its own logging mechanism.
 Logging can be great help in troubleshooting app appliance.
 Auditing of traffic which was either allowed or blocked can be
configured per rule set. You’ve to enable logging for every rule you
configure.
 Logs are captured and retained for one year. Logs more than one
year are overwritten.
Note that enabling logging for rules that match a high amount of traffic can impact performance. Therefore, it is a
good idea to be selective of the rules that you want to log.
99
Preetam Zare
vShield Manager event logging –Audit Logs
 All the actions
performed by all
vshield users is
captured in events
and available for
audit.
 Logging is done for
operations related to
system.
E.g. appliance is
down/rebooted or
unreachable. If the app
appliance is unreachable it
will be unreachable to vshield
manager.
100
Preetam Zare
vShield Manager event logging –Audit Logs
 Events are further categorized as informational or critical as shown
below
101
Preetam Zare
All vShield App
configuration
parameters are
available only when
you select host on
left hand side
102
Preetam Zare
Configuring Syslog Server for vShield App Contd…
Three log levels are available
1. Alert
2. Emergency
3. Critical
If you select Emergency, then only emergency-level events are sent to
the syslog server. If you select Critical, then critical-, alert-, and
emergency-level events are sent to the syslog server.
103
Preetam Zare
Interpreting Logs Of Traffic Rule –Example 1




104
proto= protocol
vesxi27=host at which alerts are observed
L2=Layer2 protocol
DROP=traffic is dropped
Preetam Zare
Interpreting Logs Of Traffic Rule –Example 2




105
proto= ICMP protocol
vesxi27=host at which alerts are observed
L3=Layer3 protocol
DROP=traffic is dropped
Preetam Zare
Reverting to previous vShield App Firewall configuration
 Automatic mechanism to create backup of firewall rules
configuration
 vShield Manager takes snapshots each time new rule is committed
 Previous configuration can be easily reverted via drop down menu
106
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
107
Preetam Zare
Role-Based Access Control
New in vShield Manager 5.0
Role
Privilege Summary
Super user (admin)
vShield operations and security: Everything
related to vShield product
vShield admin
vShield operations only: installation,
configuration of virtual appliances, ESX
host modules, etc.
Security admin
Auditor
108
vShield security only: Policy definition,
reports for edge, app, endpoint, data
security
Read-only access to vShield operations
and security settings
Confidential
Preetam Zare
RBAC: Scope
To vSphere
Administrators
To vSphere
Administrators
Role-based access control (RBAC) enables clear separation of workflow for
virtual infrastructure and security administrators. RBAC provides flexibility in
delegating administration across resource pools and security groups, improving
security of applications and data.
109
Preetam Zare
LAB/DEMO
 Firewall Lab
 Reverting To Previous Vshield App Firewall Configuration
 User Creations And Configurations
110
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
111
Preetam Zare
Spoof Guard
 Why to use spoof guard?
• To reduce man in the middle attack which is referred as IP & MAC Spoofing
 How does it work?
• VM’s IP addresses are collected during synchronization cycle that happens
between vshield and vCenter via vSphere API.
• If the IP address is modified in the VM and it doesn’t matches with the Spoof
Guard collected data, VM is isolated and not allowed to communicate outside.
• It works in datacenter context and it disabled by default
112
Preetam Zare
Enable Spoof Guard
 Click Edit to enable it. Select Enable first and then select the option as per your requirement.
113
Preetam Zare
Spoof Guard – IP Address Monitoring and Management
 IP Address is collected can be monitored and manage
automatically or manually
1. Automatically Trust IP Assignments On Their First Use
- IP is gathered when first time VM is powered ON. This data is read via VMware tools.
- Once the list is populated it is push down to vShield app virtual appliance, which then
inspects every packet originating out of a network adapter for the prescribed IP. If
these do not match, the packet is simply dropped.
- This operates separately from app firewall rules.
2. Manually Inspect and Approve All IP Assignments Before Use
- In this mode all traffic is block until you approve MAC-to-IP address assignment.
NB: SpoofGuard inherently trusts the MAC addresses of virtual machines from
the VMX files and vSphere SDK.
114
Preetam Zare
Spoof Guard : View and Approve IP
Lists the IP addresses
where the current IP
address does not match
the published IP address.
IP address changes
that require
approval before
traffic can flow to or
from these VM
List of all
validated IP
addresses
115
Preetam Zare
Contd … Spoof Guard –View and Approve IP
116
Preetam Zare
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability consideration of vShield App
117
Preetam Zare
vShield Manager Deployment Consideration
 Do not host vShield manager on the same cluster which it is
responsible to manage. If vShield Manager is deployed within the
infrastructure it is protecting you will suffer circular
dependencies*.
E.g. An inadvertent configuration error could result in a unmanageable environment if the
vShield Manager appliance were to loose connectivity or were prevented from
communicating with other components due to a misconfigured security policy
 You cannot use VMware FT to protect vShield manager if vShield
app is deployed. This only applies if vShield app is deployed from
the vShield manager in question
 A vShield manager instance must be deployed for each vCenter in
use
* Starting vShield 5.0.1 you can exclude vShield manager from the host.
118
Preetam Zare
Enter inside VMX
file
119
Preetam Zare
vShield Manager Placement Consideration – Option 1
 Shared Management Cluster Model isolates the management
from being impacted by Production Cluster hardware failure issues.
•
•
•
•
•
•
•
vCenter Server/Appliance
vCenter Database
vShield Manager
vCenter Update Manager
Active Directory
DNS
Syslog Server
Management Cluster
AD/DNS
/DHCP
VCDB/V
UMDB
vCenter
5.0
vSphere 5.0
120
Production Cluster
Edge App FW
Edge App FW
vShield
Manager
vSphere 5.0
Preetam Zare
vShield Manager Deployment Consideration – Option 2
 Cross-Managed Cluster Model will provide isolation similar to
management cluster
Production Cluster A
App
Edge FW
App
Edge FW
vSphere 5.0
121
Production Cluster B
Edge
vShield
Manager
vShield
Manager
vCenter
5.0
vCenter
5.0
App
FW
App
Edge FW
vSphere 5.0
Preetam Zare
vShield Manager Deployment Consideration – Option 3
 Single cluster model with vShield Manager exclusion*
Production Cluster
Edge
Edge
App FW
App FW
Disables
vApp
Protecting
using
Exclusion
list
vShield
Manager
vCenter 5.0
vSphere 5.0
122
Preetam Zare
VM Exclusion introduced in vShield 5.0.1
 With 5.0.1, there is now a option to exclude VM. This has the effect
of disabling all vShield App protection for the excluded VM
including Spoof Guard
 This exclusion list is applied across all vShield App installations
within the specified vShield Manager. If a virtual machine has
multiple vNICs, all of them are excluded from protection.
 The vShield Manager and service virtual machines are
automatically excluded from vShield App protection.
Caveat: A caveat is that the MAC/IP pairs for excluded VM will still
show up in the Spoof guard tab of the UI, even though the
functionality is disabled.
123
Preetam Zare
How to Exclude VM from vShield App
124
Preetam Zare
After FailSafe is enabled,
VM’s are powered ON are
fast suspended and
resumed, while Powered
OFF VM’s are just
reconfigured
125
Preetam Zare
VMX entry for
Web01 before
FailSafe is
enabled
VMX entry for
Web01 After
FailSafe is
enabled
126
Preetam Zare
vShield App Deployment Consideration
 vShield App must be deployed and running on every host in the
cluster that protected virtual machines may migrate to.
 Renaming vShield App security virtual machine is not supported.
Doing so it will render it unmanageable as vShield Manager uses
the name it assigned at the point of provisioning to manage the
vShield App security virtual machine
 Use vShield app security groups to tier servers of same functions
(DC, Webserver, DB Server etc.). This will simplify firewall
configuration and rules
127
Preetam Zare
Availability Consideration
vShield App
128
Preetam Zare
Availability Considerations: vShield Manager
 What If vShield Manager appliance is unavailable
• First and foremost zero impact
• All existing rules of vShield App are enforced
• Logs are sent to syslog server
• Only impact is, New rules or changes to existing rules cannot be made
• In addition, the flow-monitoring data might be lost, depending on the duration
of the failure.
• vShield Manager backup can be used to restore via backup
 What If host which is hosting vShield Manager appliance is
unavailable
 vShield manager is HA and DRS aware and can take full advantage of it. In this case
vShield Manager will automatically restart to another host
129
Preetam Zare
Availability Considerations: vShield App
 What If vShield App appliance is unavailable
• All traffic to and from the protected virtual machines hosted on the host on
which vShield App was running is blocked *
• At process level, built-in watch dog restarts the failed processes
• VMware HA virtual machine monitoring will detect (via VMware tools and
network packets) and restart fail vshield app.
• vCenter Alarm is triggered if VM migrates onto a host where vShield Appliance
is not installed
 What If host which is hosting vShield App appliance is unavailable
 DRS is disabled for vShield App
 Except for vshield App VM, protected VM’s are restarted on another host and they get
automatically protected assuming the host is installed with vShield App
* From vShield 5.0.1 , you have option to disable this behavior, though strongly not recommended
130
Preetam Zare
vShield App: DRS and HA Settings
 The HA restart priority for the vShield App appliance is set to high.
This is to ensure it is the first to restart during failure over event. It
makes sure that its running before the VMs its protecting .
 vShield vApp should never be moved to another host. Therefore
during installation DRS is automatically disabled for vShield vApp
 If the host is put in maintenance mode, vShield App automatically
shuts down and automatically restarts when host exits
maintenance mode.
 You cannot use FT to protect vShield Manger when vShield App is
deployed, vShield Manager used linked clones and snapshots as
part of the deployment process for the vShield Firewall Service
Appliance virtual machines.
131
Preetam Zare
Verifying vShield App Installation – HA Restart Priority
132
Preetam Zare
Verifying vShield App Installation –DRS is Disabled
133
Preetam Zare
vShield App Industry Best Practices
 vShield App provides security protection for virtual machines
 Firewall rule groups will need to be translated from the old firewall
into vShield Manager
 Set up roles and responsibilities within vShield Manager that only
allow the minimum of permissions to perform required functions by
administrators.
• E.g. Give vSphere Administrator ability to install vShield Suite via vShield
Admin role and ability view rule via Auditor Role
 Ensure audit logs are reviewed regularly
134
Preetam Zare
Contd .. vShield App Industry Best Practices
 Define a thorough test plan
 Penetration testing and external auditing
 Consider creating an application group that contains the ports
• For example you might create an application group called WEB containing
both TCP 80 and 443.
 Ensure that vShield Edge and vShield App appliances send all their
logs to a centralized Syslog server or infrastructure.
 Consider mirroring the logs to an alternate site
135
Preetam Zare
Contd … vShield App Industry Best Practices
 Use the vShield REST API’s to back up the firewall rule base .
 Use the REST API’s to turn off rule logging when troubleshooting
and implementation processes are complete unless there is a
reason to leave it enabled.
 If you are replicating the infrastructure to a DR site ensure that
vShield Edge and vShield App are set up appropriately at the DR
site and that you have a process to ensure the rule base is up to
date.
 Updates and changes to the DR site can be automated using the
vShield REST API’s, which can also be integrated with VMware
vCenter Site Recovery Manager.
 vShield App and Host Profiles
136
Preetam Zare
Agenda –vShield Edge
• Planning and Installation of vShield Edge
• vShield Edge Services
•
•
•
•
•
•
DHCP
NAT
Firewall
VPN
Load Balancing
Static Routing
• Scenarios
• Deployment and Availability Considerations
137
Preetam Zare
Introduction
 Protects the edge of infrastructure
 Common Gateway Services
• DHCP
• VPN
• NAT
• Static Routing
• Load Balancing
 Common Deployment Models
• DMZ
• VPN Extranets
• Multi-Tenant Cloud Environment
138
Preetam Zare
Logical View of vShield Edge
Network Isolation
happens at Port group
Level
139
Preetam Zare
Port group Isolation based on VLAN
 With VLAN isolation, vShield Edge is used to secure port groups
with a standard VLAN configuration.
 Isolation of virtual machines is provided exclusively by VLANs in
Layer 2.
When To Use VLAN Isolation
When to use


Network infrastructure build around VLANs
Physical machines need to participate in
protected network
Virtual Switch Support



vSS
vDS
Cisco nexus 1000v
140
Preetam Zare
Access Aggregation layer
VLAN-126
VLAN-135
VLAN-108
Internet FacingVLAN-108
INTERNAL
INTERFACE
EXTERNAL
INTERFACE
EXTERNAL
INTERFACE
INTERNAL
INTERFACE
PG-CORP1 (VLAN-126)
PG-CORP2 (VLAN-135)
VMware vSphere
141
Preetam Zare
vCloud Director Network Isolation
 VM Identity is used to isolate a group of VMs from other VMs
 All VM’s on Single Layer-2 domain but are isolated by assigning
them to different port groups
 Traffic between VMs in the same port group is allowed, but traffic
between VMs across different port groups is not allowed by a
virtual switch
 This port group isolation feature is supported ONLY on a
distributed virtual switch (vDS), but not on a standard switch (vSS)
or Cisco Nexus 1000V
142
Preetam Zare
vCDNI -Communication Between Tenants Across The Host
The key point is that although the virtual machines of tenant X and
tenant Z are on the same Layer 2 domain, their networks are isolated
from each other by vShield Edge.
143
Preetam Zare
vCDNI -Communication Between Tenants Within The Host
 VMs traffic is isolated from each other because they are on
different secured, port groups. As a result, communication must
flow through the vShield Edge virtual machines of both tenants. All
traffic flows over the Provider VLAN, VLAN 100.
144
Preetam Zare
vCDNI –VM’s Communication of same Tenant
 VM’s Freely need to communicate without need to go through
vShield Edge VM and Provider VLAN
145
Preetam Zare
Advantages of vCloud Director Network Isolation (vCDNI)
 Using cloud network isolation instead of VLAN isolation, the
vShield environment is simpler to scale.
 Provisioning cloud network isolation can be automated with scripts
that use the vShield REST APIs.
 Finally, a key advantage that cloud network isolation has over
VLAN isolation is that cloud network isolation does not need any
complex configuration at the Aggregation layer.
146
Preetam Zare
Protecting Extranet: VPN Services
147
Preetam Zare
vShield Edge: DHCP Services
148
Preetam Zare
vShield Edge: NAT Services
149
Preetam Zare
vShield Edge Services: Load Balancer Services
150
Preetam Zare
vShield Edge Services: Firewall Services
151
Preetam Zare
vShield Edge Firewall Rules and Direction
Incoming Traffic on both the
Interfaces is blocked by default
EXTERNAL
INTERFACE
EXTERNAL
INTERFACE:
INCOMING
vShield Edge
EXTERNAL
INTERFACE:
OUTGOING
Outgoing Traffic on both the
Interfaces is allowed by default
152
INTERNAL
INTERFACE:
INCOMING
INTERNAL
INTERFACE:
OUTGOING
INTERNAL
INTERFACE
Preetam Zare
vShield Edge Firewall Rules and Direction -Example
External
Interface
172.16.2.0/24
Subnet
153
Internal
Interface
PRIVATE
Traffic incoming
PORT
GROUP
172.16.1.0/24
Subnet
Preetam Zare
VSHIELD EDGE SERVICES – STATIC ROUTING
 Most networks have a single router called the default gateway . If a
network has a default gateway, the nodes on the network can send
traffic to the gateway and the gateway will then forward the traffic
to the destination.
 All machines in a network have a routing table. A Routing table is a
list of destination networks and the router that carries traffic to that
destination.
 Manually adding routes to a routing table is called static routing.
 Some networks may have more than one router. The nodes in the
network have to be aware of which networks those routers can
accept traffic for. The nodes store this information in their routing
table.
 In a network, you can create a static routing either internal network
or external network.
154
Preetam Zare
Static Routing between two vApp
APPLICATION 2
APPLICATION 1
172.16.2.10
172.16.1.10
PG- APP-1
Internal Interface
192.168.1.232
PG- APP-2
172.16.1.1
Internal Interface
External Interface
192.168.1.233
172.16.2.1
External Interface
PG- PUBLIC
155
Preetam Zare
Installing vShield Edge for Application 1
Installing
vShield Edge
Application for
APP1
156
Preetam Zare
vShield Edge Installed for for Application 1 and Application 2
157
Preetam Zare
Configure Static Route for APP1 Network
It is the
network APP1
want to reach
It is the
gateway of
Destination
network
158
Preetam Zare
Configure Static Route for APP2 Network
It is the
network APP2
want to reach
It is the
gateway of
Destination
network
159
Preetam Zare
Static Route Set Up for APP1 & APP2 Network
APPLICATION 2
APPLICATION 1
172.16.2.10
172.16.1.10
PG- APP-1
Internal Interface
192.168.1.232
PG- APP-2
172.16.1.1
Internal Interface
External Interface
192.168.1.233
172.16.2.1
External Interface
PG- PUBLIC
160
Preetam Zare
Configuring Firewall Rule to Allow APP1 and APP2 Network to
Communicate with Each Other
APPLICATION 1
APPLICATION 2
172.16.2.10
172.16.1.10
PG- APP-1
PG- APP-2
Internal Interface
172.16.1.1
192.168.1.232
Internal Interface
External Interface
192.168.1.233
172.16.2.1
External Interface
PG- PUBLIC
Outgoing Traffic allowed by default
161
Preetam Zare
Configuring Firewall Rule to Allow APP1 and APP2 Network to
Communicate with Each Other
APPLICATION 1
APPLICATION 2
172.16.2.10
172.16.1.10
PG- APP-1
PG- APP-2
Internal Interface
172.16.1.1
192.168.1.232
Internal Interface
172.16.2.1
External Interface
192.168.1.233
External Interface
PG- PUBLIC
162
Preetam Zare
Rules
defined at
APP-1 FW
Rules
defined at
APP-2 FW
163
Preetam Zare
Ping and Tracert
request from
APP1 VM
164
Preetam Zare
Ping and Tracert
request from
APP2 VM
165
Preetam Zare
How To Configure NAT Services
SCENARIO
 Customer wish to access Web Server Web01 which sits inside the
DMZ network of CORP A
 Web Server Web01 sits in 10.1.1.x/24 network and has been
assigned IP by vShield Edge DHCP Services as 10.1.1.10
 Customer’s wants to access Web Server Web01. Customer network
is 192.168.1.x/24
 We can configure NAT
166
Preetam Zare
vShield Edge Configured to Meet Customer Scenario
Private Switch
INTERNAL
Web02
Web01
10.1.1.11 10.1.1.10
167
1. DCHP
Service
2. NAT Service
3. FW Rules
Internal
Interface:
10.1.1.1
vShield
Edge
vSwitch Connected to External
Network
External
External
Interface:
192.168.1.135
192.168.1.x
Preetam Zare
Configure DHCP
168
Preetam Zare
Use SNAT when
Internal IP needs
to be translated
into External IP.
Use DNAT when
External IP needs
to be translated
into Internal IP.
169
Preetam Zare
Open Firewall Ports to allow NAT Traffic
170
Preetam Zare
Private Switch
INTERNAL
Web02
Web01
10.1.1.11 10.1.1.10
171
1. DCHP
Service
2. NAT Service
3. FW Rules
Internal
Interface:
10.1.1.1
vShield
Edge
vSwitch Connected to External
Network
External
External
Interface:
192.168.1.135
192.168.1.x
Preetam Zare
vShield Edge Deployment Considerations
 Only HTTP(80) round-robin load balancing is currently supported
 Each vShield Edge instance supports up to a maximum of 10 siteto-site VPN sessions
 VMware strongly recommends you protect vShield Edge
appliances using HA and DRS features. In the event of a cluster
host going offline while running vShield Edge appliance, the
appliance is restarted on another host in the cluster
172
Preetam Zare
Traditional Layer2 Segmentation
PG 1
PG 2
PG 3
VLAN 11
VLAN 12
VLAN 13
vSwitch/vDS
Physical Switch
173
Preetam Zare
Cloud Network Isolation (CNI) Segmentation
PG 1
VLAN 1
PG 2
VLAN 1
VMs on one PG cannot talk to VMs
on another PG at Layer 2. Even if
they share same VLAN
PG 3
VLAN 1
vDS
Physical Switch
174
Preetam Zare
Method 1 –Using VLAN per organization
HOST 1
ORG C : LAN 72
ORG A : LAN 72
ORG B : LAN 81
ORG C : LAN 72
ORG A : LAN 72
HOST 2
ORG B : LAN 81
Internet
Facing
175
Preetam Zare
ORG A : LAN 72
SOX
Multi
Tenant
PCI
ORG C : LAN 63
HIPPA
Method 2 –Using Mixed Trust Model
ORG B : LAN 81
ORG Z : LAN 54
Single
Tenant
Internet
Facing
176
Preetam Zare
ORG Z : LAN 54
Tenant-1
ORG Z : LAN 54
SOX
HIPPA
PCI
Web
DBA
Mail
Method 3 –Single VLAN Multi Tenant
Tenant-2
CNI
Single VLAN
Segmentation via App
Internet
Facing
177
Internet
Facing
Preetam Zare
Performance Statistics
178
Preetam Zare
Difference between vShield Edge and vShield app
vShield Edge
vShield App
Deployed per port group
Deployed per host
Enforcement between virtual
datacenter and untrusted networks
Enforcement between VMs
Change - aware
Stateful, application level firewall
Five-tuple rule based policies
Site to Site VPN (IPSEC), DHCP, NAT, Hypervisor-based firewall, flow
Firewall, Load Balancing, Cloud
monitoring, security groups
Network Isolation
179
Preetam Zare
Can firewall rules be backed up and restored? How?
 There are multiple methods to backup firewall rules. The
recommended methods are:
• via vShield Manager user interface
• via REST APIs, which can be scripted/automated
 You can back up and restore your vShield Manager data, which can
include system configuration, events, and audit log tables.
Configuration tables are included in every backup.
VI administrators can use REST APIs (accessible via web interface
client) to export XML files containing the firewall rules. These XML
files are used both to export and to restore firewall configurations.
180
Preetam Zare
REST API -BASICS
 The vShield REST API uses HTTP Requests
 HTTP Requests are often executed by a script or higher level
language
 vShield REST API Workflows
• Make an HTTP Request (Typically GET,PUT,POST or DELETE) against
vShield Manager URL
• Response could be XML or HTTP Response code
• XML Response is generally a link or other information about the state of object
• HTTP Response code indicates whether the request is succeeded or failed.
 vShield Manager requires TCP port 80/443 to be opened for the
vShield REST API request to pass through
181
Preetam Zare
Executing REST API using REST Client
182
Preetam Zare
183
Preetam Zare
184
Preetam Zare
185
Preetam Zare
Working with IP Sets using vShield REST API
186
Preetam Zare
Reading IP Sets
https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-2
https://192.168.140.135/api/2.0/services/ipset/scope/datacenter-81
187
Preetam Zare
188
Preetam Zare
XML Format to Create IP Set
POST https://<vsm-ip>/api/2.0/services/ipset/datacenter-2
189
<ipset>
Automatically create
<objectId />
<type>
<typeName />
</type>
<description>
New Description
</description>
<name>TestIPSet2</name>
<revision>0</revision>
<objectTypeName />
<value>10.112.201.8-10.112.201.14</value>
</ipset>
Preetam Zare
Create IP Set
190
Preetam Zare
191
Preetam Zare

similar documents