vShield App and vShield Edge: Planning, Installation and Design, based on vShield 5.0.1
From Preetam Zare
http://vcp5.wordpress.com
http://vShieldSuite.wordpress.com
Agenda – vShield App
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability Considerations
Agenda – vShield Edge
• Planning and Installation of vShield Edge
• vShield Edge Services
  • DHCP
  • NAT
  • Firewall
  • VPN
  • Load Balancing
  • Static Routing
• Scenarios
• Deployment and Availability Considerations
Data Center Needs to Be Secured at Different Levels
Perimeter security (at the vDC edge): prevent unwanted access
• Firewall, VPN
• Load balancers
Internal security (VLANs): segment your services
• VLAN or subnet based policies
• Interior or web application firewalls
End point security: protect your data
• Anti-virus
• Data leak protection
Cost and complexity of the traditional approach:
• Sprawl: hardware, firewall rules, VLANs
• Rigid firewall rules
• Performance bottlenecks
Why Security in a Virtualized Datacenter?
• Network security devices become chokepoints
• Capacity is never right-sized
• No intra-host virtual machine visibility
• Audit trails are lacking
• Physical topologies are too rigid
• Current security is static
Traditional vSphere Infrastructure Setup Without vShield
(Diagram: each tenant, Company A, B and C, has its own physical chain from the Internet: VPN gateway, L2-L3 switch, firewall, load balancer and switch in front of its vSphere 5.0 hosts.)
vShield Product Family: Securing the Private Cloud End to End, from the Edge to the Endpoint
• vShield Edge: secure the edge of the virtual datacenter
• vShield App: create segmentation between workloads (security zones, e.g. DMZ, Application 1, Application 2); sensitive data discovery
• vShield Endpoint: anti-virus processing (endpoint = VM)
• vShield Manager: centralized management
What Is vShield Edge?
vShield Edge secures the perimeter, the "edge", around a virtual datacenter.
Common vShield Edge deployments include:
• Protecting the extranet
• Protecting multi-tenant cloud environments
(Diagram: one vShield Edge secure virtual appliance, providing load balancer, firewall and VPN, in front of each tenant, Tenant A, C and X, on VMware vSphere.)
vShield Edge Capabilities
Edge functionality:
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site-to-site VPN (IPsec)
• Web load balancer
• (New) Static routing
• (New) Certificate mode support for IPsec VPN
Management features:
• REST APIs for scripting
• Logging of functions
Securing the Data Center Interior with vShield App
Key benefits:
• Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster.
• Intuitive business-language policy leveraging the vCenter inventory.
vShield Endpoint: Offload Anti-virus Processing for Endpoints
Benefits:
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Improve VM performance by eliminating anti-virus storms
• Reduce risk by eliminating agents susceptible to attacks
• Satisfy audit requirements with detailed logging of AV tasks
Cloud Infrastructure Security: Defense in Depth
• First level of defense: vShield Edge
  • Threat mitigation; blocks unauthorized external traffic
  • Suite of edge services
  • Secures the edge of the vDC
• Zoning within the organization: vShield App
  • Policy applied to VM zones
  • Dynamic, scale-out operation
  • VM context based controls
• Compliance check: vShield App with Data Security
  • Discover PCI, PHI and PII sensitive data in the virtual environment
  • Compliance posture check
• AV agent offload: vShield Endpoint
  • Attain higher efficiency
  • Supports multiple AV solutions
  • Always-on AV scanning
(Diagram: two example tenant organizations, Pepsi and Coke, each protected by the layers above.)
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• Use Cases of vShield App
• Design Considerations of vShield App
vShield Manager Introduction
The vShield Manager console acts as the central point to install, configure and maintain the vShield components: vShield Edge, vShield App and vShield Endpoint.
vShield Manager is pre-packaged as an OVA appliance. The vShield Manager OVA file includes the software to install vShield Edge, vShield App and vShield Endpoint.
vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules.
vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory.
vShield Manager – Central Management Console
• You can connect to vShield Manager directly via its web interface or via the vCenter plug-in.
• Central point of management: holds the RBAC model, stores flow data and manages the rule base.
• Automatic deployment of the vShield App appliance via vShield Manager.
(Diagram: vShield Manager and vCenter on the management network, managing three vSphere hosts.)
vShield Manager Communication Paths
(Diagram; the flows it shows, all on the management network:)
• Web console and REST API → vShield Manager: TCP 80/443
• SSH client → CLI: TCP 22 (the diagram shows one SSH path as default enabled and the other as default disabled)
• vShield Manager → NTP: UDP 123
• vShield Manager → ESXi host: TCP 902/903
• vShield Manager ↔ vShield App appliance: TCP 443
• vSphere Client → vShield Manager (plug-in): TCP 443
• vShield Manager → vCenter: TCP 443
vShield Manager Requirements
For the latest interoperability information, check the VMware Product Interoperability Matrix: http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php
Permissions and Prerequisites
• Permission to add and power on virtual machines
• Access to the datastores where the vShield Suite will be deployed
• DNS reverse lookup entries are working for all ESXi hosts
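The reverse-DNS prerequisite above and the port list on the communication-paths slide are the two things most often found broken after deployment, so they are worth checking first. The script below is an added example, not code from the deck or from VMware: a Python pre-flight check that verifies forward and reverse DNS agree for every ESXi host and that TCP 902/903 to each host and TCP 443 to vCenter accept connections. The resolver and connect functions are injectable, and the hostnames and 192.0.2.x addresses are constructed lab data, so it runs offline; pass no overrides to run it against real hosts.

```python
"""Pre-flight check for two vShield Manager prerequisites from the slides:
forward/reverse DNS agreement for every ESXi host, and reachability of the
management-network TCP ports listed on the communication-paths slide.
Added example, not part of the original deck."""
import socket
from typing import Callable, Dict, Iterable, List

# Ports taken from the communication-paths slide (management network).
ESXI_PORTS = (902, 903)    # vShield Manager -> ESXi host
VCENTER_PORTS = (443,)     # vShield Manager -> vCenter

Forward = Callable[[str], List[str]]   # hostname -> IPv4 addresses
Reverse = Callable[[str], str]         # IPv4 address -> PTR name
TcpOpen = Callable[[str, int], bool]   # (address, port) -> handshake ok?

def real_forward(hostname: str) -> List[str]:
    """A-record lookup with the system resolver (IPv4 only)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})

def real_reverse(address: str) -> str:
    """PTR lookup; raises OSError when the address has no PTR record."""
    return socket.gethostbyaddr(address)[0]

def real_tcp_open(address: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to address:port completes within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()

def check_dns(hostname: str, forward: Forward, reverse: Reverse) -> List[str]:
    """Problems for one host; an empty list means forward and reverse DNS agree."""
    try:
        addresses = forward(hostname)
    except OSError as exc:
        return [f"{hostname}: forward lookup failed ({exc})"]
    if not addresses:
        return [f"{hostname}: forward lookup returned no addresses"]
    problems = []
    for address in addresses:
        try:
            ptr = reverse(address)
        except OSError:
            problems.append(f"{hostname}: no PTR record for {address}")
            continue
        if _norm(ptr) != _norm(hostname):
            problems.append(f"{hostname}: PTR for {address} is {ptr!r}, not {hostname!r}")
    return problems

def check_ports(hostname: str, ports: Iterable[int], forward: Forward,
                tcp_open: TcpOpen) -> List[str]:
    """One problem per (address, port) pair that does not accept a TCP connection."""
    try:
        addresses = forward(hostname)
    except OSError:
        return []  # the failed lookup is already reported by check_dns
    return [f"{hostname}: TCP {port} on {address} not reachable"
            for address in addresses for port in ports if not tcp_open(address, port)]

def preflight(esxi_hosts: Iterable[str], vcenter: str, forward: Forward = real_forward,
              reverse: Reverse = real_reverse, tcp_open: TcpOpen = real_tcp_open) -> Dict[str, List[str]]:
    """Map every host to its problem list; a host with an empty list passed."""
    report = {}
    for host in esxi_hosts:
        report[host] = check_dns(host, forward, reverse) + check_ports(host, ESXI_PORTS, forward, tcp_open)
    report[vcenter] = check_dns(vcenter, forward, reverse) + check_ports(vcenter, VCENTER_PORTS, forward, tcp_open)
    return report

# Constructed lab data (documentation addresses, not real hosts) so the example runs offline.
LAB_ESXI = ["esx01.lab.example", "esx02.lab.example", "esx03.lab.example"]
LAB_A = {"esx01.lab.example": ["192.0.2.11"], "esx02.lab.example": ["192.0.2.12"],
         "esx03.lab.example": ["192.0.2.13"], "vc.lab.example": ["192.0.2.10"]}
LAB_PTR = {"192.0.2.11": "esx01.lab.example.",      # trailing dot: still a match
           "192.0.2.12": "old-esx.lab.example",     # stale PTR: mismatch
           "192.0.2.10": "vc.lab.example"}          # 192.0.2.13 deliberately has no PTR
LAB_CLOSED = {("192.0.2.11", 903)}                   # one port filtered in the lab

def lab_forward(hostname: str) -> List[str]:
    if hostname not in LAB_A:
        raise OSError("NXDOMAIN")
    return LAB_A[hostname]

def lab_reverse(address: str) -> str:
    if address not in LAB_PTR:
        raise OSError("no PTR")
    return LAB_PTR[address]

def lab_tcp_open(address: str, port: int) -> bool:
    return (address, port) not in LAB_CLOSED

def lab_report() -> Dict[str, List[str]]:
    """Run the pre-flight against the constructed lab instead of the network."""
    return preflight(LAB_ESXI, "vc.lab.example", lab_forward, lab_reverse, lab_tcp_open)

if __name__ == "__main__":
    for host, problems in lab_report().items():
        print(host, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

The PTR comparison deliberately tolerates a trailing dot and case differences, which is how most resolvers return names; anything else (a stale PTR pointing at a renamed host, or no PTR at all) is reported per address rather than per host, so a host with several management addresses shows exactly which one is wrong.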
vShield Manager Installation: Multi-Step Installation Process
• Obtain the vShield Manager OVA file
• Install the vShield Manager virtual appliance
• Configure the network settings of the vShield Manager
• Log on to the vShield Manager interface
• Synchronize the vShield Manager with the vCenter Server
• Register the vShield Manager plug-in with the vSphere Client
• Change the default admin password of the vShield Manager
Steps to Install vShield Manager
Open the vSphere Client, click the File menu and select Deploy OVF Template, as shown below.
Browse to locate the OVA file
A new window opens asking for an OVF file; in our case it is an OVA file. Click Browse and locate the OVA file you downloaded from VMware's site.
After selecting the OVA file, press Next. The OVA file's metadata is read and you will see the screen below.
Enter a name for the vShield Manager virtual machine and select its inventory location, as shown below.
Select Datastore
It is strongly recommended to select a shared datastore so that vMotion, DRS and HA can be used during planned and unplanned downtime.
Warning: Don't upgrade VMware Tools on the vShield Manager appliance. Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.
Configure the Network Settings of the vShield Manager
• The initial network configuration (IP address, default gateway and DNS) must be done via the CLI.
• Right-click the vShield Manager appliance and select Open Console.
Enter the IP, default gateway and DNS details:
• To enter Enabled mode, type 'enable'
• To start the wizard, type 'setup'
• Enter the IP details
• Finally, press 'y' to confirm the settings
Open a web browser and enter the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session. Log in to the vShield Manager user interface with the username admin and the password default.
Synchronizing the vShield Manager with vCenter
Enter the vCenter details and press Save. Use the Domain\Username format if the user is a domain user. Register the vCenter extension to access vShield Manager from within vCenter.
After vShield Manager and vCenter Are Connected
On the right-hand side of the screen we see confirmation that the vSphere inventory was successfully updated. After the sync completes, the vCenter data is populated as seen in the screen below. vShield Manager does not appear as a resource in the inventory panel of the vShield Manager user interface.
Backup vShield Manager Configuration
• You can back up the configuration and transfer it to a remote backup server over FTP.
• For a one-time backup, Scheduled Backups must be Off.
(Screenshots: the Schedule Backup settings, the backup directory on the FTP server, and the resulting vShield Manager backup files in that directory.)
vShield Manager via Web Browser vs. vSphere Client Plug-in
• You can manage vShield appliances from the vShield Manager user interface and also from the vSphere Client.
• It is your choice; use whichever works best for you.
• Functions that you cannot access from the vSphere Client (vShield Manager user interface only):
  • Configuring the vShield Manager's settings
  • Backing up the vShield Manager's database
  • Configuring the vShield Manager's users
  • The vShield Manager's system events and audit logs
  • Configuring vShield App's Spoof Guard, Fail Safe mode and VM exclusion list
Agenda
• Introduction to vShield Suite
• vShield Manager Installation, Configuration and Administration
• Planning and Installation of vShield App
• vShield App Flow Monitoring
• vShield App Firewall Management
• vShield App Spoof Guard
• Role Based Access Control (RBAC) Model of vShield
• Deployment & Availability Considerations of vShield App
vShield App Architecture
• Hypervisor-level firewall
• Inbound/outbound connection control enforced at the virtual NIC level
• Dynamic protection as virtual machines migrate
• Protection against ARP spoofing
(Diagram: one vShield App appliance per ESXi host, managed by vShield Manager, which is reached from the vSphere Client and vCenter Server.)
Before vShield App Is Deployed
(Diagram: VMs on the vSphere host attach directly to the vSwitch/vDS.)
After vShield App Is Deployed
(Diagram: the vShield hypervisor module sits between the VMs and the vSwitch/vDS; all VM traffic passes through the loadable kernel module (LKM) and is inspected by the vShield firewall.)