VMware

vShield Zones 4.1 FAQ

Frequently Asked Questions

 

General

Can VMware vCenter be used to manage vShield solutions? Or do I need another management console?

Yes, VMware vCenter can be used to manage vShield solutions. VMware vCenter is integrated with vShield solutions for a majority of features including policy definition and reporting. However, for deployment, the vShield Manager console is required to install the binaries for vShield Edge, vShield App, and vShield Endpoint. Development is already underway to integrate the vShield deployment process into the vCenter console.


Is vShield interoperable/integrated with VMware View Security Manager or Lab Manager?

The products are designed to work together but this configuration has not yet been tested, and therefore cannot be supported.


Is vShield interoperable with VMware vCloud Director?

All vShield products are designed to operate within virtual data center (vDC) environments created by using VMware vCloud Director. Specifically, vShield Edge technology is used by Virtual Cloud Director v1.0 to create secure perimeters around vDC resources for multi-tenant environments. This edge technology is referred to as "VMware vShield Edge for vCloud Director."

Refer to the vShield Edge section for more vShield Edge related questions.


How is role-based access control and separation of duties supported with vShield products?

Access control is provisioned in vCenter, where user IDs and privileges to various vSphere resources are assigned. Access can be restricted to specific vSphere resources based on port groups. In this release, it is not possible to restrict access based on vShield product (e.g. Edge, App, Endpoint) or by Security Groups.

For example, the VI administrator does not want the security administrator to have access to virtual machine administration, so he/she creates a security administrator profile, giving the user access to a specific port group, which allows access to anything related to that port group (even virtual machines).

The vShield 1.0 release was designed as a managed service model, but more granular access control features are being considered for subsequent releases.


What is the difference between vShield Edge and vShield App?

While both products provide virtual network firewall capabilities, their implementations are different and address different scenarios. vShield Edge creates a barrier between resources in a virtual datacenter and untrusted networks, such as other virtual datacenters in the same private cloud. In contrast, vShield App controls traffic between virtual machines within the same vDC and more specifically, on the same ESX host.


What is the difference between vShield Edge and vShield App, with respect to how firewall rules are written?

Both vShield Edge and vShield App follow a similar construct for defining firewall rules, with the use of source and destination groupings and a DENY/ALLOW enforcement action. There are a few fundamental differences:

  • vShield Edge enforces traffic between vNICs (port groups) while vShield App enforces traffic between virtual machines.
  • vShield Edge can only enforce based on TCP 5-tuple while vShield App can enforce based on TCP 5-tuple as well as Security Groups.
  • vShield Edge can only inspect based on static port number, with the exception of one application layer gateway (ALG) for FTP. In contrast, vShield App can enforce based on static port numbers as well as five applications: Microsoft RPC, Linux RPC, Sun RPC, Oracle TNS, and FTP.


If a guest virtual machine is vMotioned to another ESX host, is all edge, application and endpoint security lost?

No, security policies can follow virtual machines as long as vMotion is configured to require that these policies migrate. vMotion moves of a protected virtual machine are blocked if the target ESX is not enabled for the security solution. Make sure that the resource pool for vMotion of protected virtual machines contains only security-enabled ESX hosts.


How do I leverage existing VLANs for use with vShield solutions?

Both vShield Edge and vShield App support VLANs, allowing enterprises to leverage their existing infrastructure. If port group isolation from vShield Edge is not used to separate different tenant networks, the enterprise can leverage VLANs for this purpose instead. For vShield App, if Security Groups are not used to separate resources with different security profiles, VLANs can be used to provide this segmentation.

In all cases where VLANs are used in vSphere environments, the enterprise should consider weighing the benefits between leveraging existing VLAN infrastructure versus gaining efficiencies through vShield segmentation.


How can I include physical hosts in virtual groupings (zones or Security Groups)?

Whether you've used vShield Zones or vShield App to create logical groupings around vSphere resources, you can extend these groupings to include physical hosts in your datacenter. There are two basic steps:

  1. VLAN configuration
  2. Default gateway configuration
The first step requires that both the physical hosts and virtual machines be assigned to the same Layer 2 VLAN, with no routed sub-interfaces (bridge mode). Second, the default gateway for each of the virtual machines must be set to the internal (trusted) interface of the vShield Edge virtual appliance.


If we have a large Layer 2 infrastructure (subnet), how do I partition the network without having to use VLANs?

vShield Edge can be used to partition networks by using port group isolation. By assigning groups of virtual machines to different port groups and then enabling the port group isolation feature, traffic from virtual machines is restricted to their own port group, or broadcast domain. This has the same effect as implementing VLANs, but without the need to provision physical ports on uplink switches and multiple switches for VLAN trunking (for availability).

vShield Manager v4.1


With what existing VMware products is vShield Manager 4.1 compatible?

vShield Manager 4.1 is compatible with:

  • (Required) vSphere: 4.0 U1 (BUILD 208167), 4.1 (including ESX, ESXi 4.1, 4.0)
  • vCenter Server: 4.0, 4.1
  • vShield App 1.0
  • vShield Edge 1.0
  • vShield Endpoint 1.0
  • vShield Zones 1.0


How is the vShield Manager installed or deployed?

The vShield Manager management platform is deployed as a virtual appliance using the vSphere Client and an OVA file. The OVA file is obtained through the standard download process for either evaluation or licensed use. For more details, please review the vShield Quick Start Guide.


Which ports must be made available on vShield Manager for it to operate properly?

The vShield Manager requires the following ports to be open:

  • REST API: 80/TCP and 443/TCP
  • SSH access to the CLI (not enabled by default): 22/TCP
  • Graphical User Interface: 80/TCP and 443/TCP; vShield Manager also initiates outbound connections to the vSphere vCenter SDK.


Which web server platform is used by vShield Manager?

The vShield Manager 4.1 product requires apache-tomcat-6.0.20 web services as of the August 2010 general availability (GA) date, but this is subject to change. The product is delivered as a virtual appliance and as such, the administrator does not need to install or update operating system components, just as with any physical appliance.


Is the vShield Manager virtual appliance hardened against unauthorized access?

For the vShield Manager, which is not only the management console for all vShield products but also the general binary distribution for all vShield products, system hardening is especially important.

  • Development - Secure coding practices are followed.
  • Audit - A third-party vendor was used to audit the vShield solutions for security vulnerabilities.
  • Deployment - Details on how to harden the vShield Manager are provided in the vShield Quick Start Guide. In summary, the areas that need to be addressed are:
    • vShield Manager User Interface: Change default password
    • Command Line Interface: Change default password (same as vShield Manager User Interface)
    • REST Requests: Requires privileged access with a vShield Manager account
  • Post-Deployment - For any virtual machine running general-purpose software such as operating systems or Web servers, it is necessary to apply the same security management lifecycle as would be applied in physical environments. This should include regular vulnerability scans against operating systems and applications, especially commonly targeted Web applications, and swift action to remediate these vulnerabilities.


Which client Web browser(s) are supported for vShield Manager?

vShield Manager can be accessed with any standard Web browser software but the following ones have been explicitly tested and confirmed to work with all features:

  • Internet Explorer 6.x and later
  • Mozilla Firefox 1.x and later
  • Safari 1.x or 2.x
Please refer to the vShield Quick Start Guide for latest information on browser support.


Can vShield Manager be backed up and restored? How?

All vShield products - Edge, App, Zones, Endpoint - have their configurations stored within the vShield Manager virtual appliance. There are multiple methods to back up vShield configurations, but the recommended methods are:

  • Using vShield Manager - GUI-based, easy to use
  • Using REST APIs - programmable, can be scripted/automated
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager. Backups can be executed according to a schedule or on demand. For more information, refer to the vShield Administration Guide.

VI administrators can use REST APIs (accessible via web interface) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations. For more information on REST APIs, refer to the vShield API Programming Guide.
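The scripted backup path described above, as an added example that is not VMware's tooling: it fetches a firewall export with a vShield Manager account over HTTPS, refuses to store anything that is not well-formed XML, and records a SHA-256 manifest so that a truncated or tampered export is rejected before a restore is attempted. The REST resource path `EXPORT_PATH` is a placeholder (take the real one from the vShield API Programming Guide), the host name is hypothetical, and the XML sample is constructed rather than the vShield schema.

```python
# Added example (not VMware tooling): scripting the REST-based backup this FAQ
# recommends, with an integrity manifest so a corrupted or tampered export is
# caught before anyone tries to restore it. The REST resource path is a
# placeholder (take the real one from the vShield API Programming Guide) and
# the XML sample is constructed.
import base64
import datetime as dt
import hashlib
import json
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

EXPORT_PATH = "/api/PLACEHOLDER/firewall/export"   # placeholder, not a real vShield path


def fetch_export(manager_host: str, user: str, password: str, timeout: int = 30) -> bytes:
    """GET the firewall export over HTTPS with a vShield Manager account.
    urllib verifies the server certificate; trust the Manager's certificate on the
    client rather than disabling verification."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{manager_host}{EXPORT_PATH}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def root_tag(xml_bytes: bytes) -> str:
    """Parse the export; a truncated download fails here instead of at restore time."""
    return ET.fromstring(xml_bytes).tag


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(xml_bytes: bytes, dest_dir: Path, source: str) -> Path:
    """Store the export next to a JSON manifest carrying its digest and origin."""
    tag = root_tag(xml_bytes)
    stamp = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest_dir.mkdir(parents=True, exist_ok=True)
    xml_path = dest_dir / f"firewall-{stamp}.xml"
    xml_path.write_bytes(xml_bytes)
    manifest = {"source": source, "created": stamp, "root": tag,
                "sha256": fingerprint(xml_bytes)}
    xml_path.with_suffix(".json").write_text(json.dumps(manifest, indent=2))
    return xml_path


def verify_backup(xml_path: Path) -> bool:
    """Run before restore: the file must still match its recorded digest."""
    manifest = json.loads(xml_path.with_suffix(".json").read_text())
    return fingerprint(xml_path.read_bytes()) == manifest["sha256"]


SAMPLE_EXPORT = b"""<?xml version="1.0"?>
<firewallExport>  <!-- constructed sample, not the vShield schema -->
  <rule id="1" action="allow" src="any" dst="10.0.0.0/24" port="443"/>
  <rule id="2" action="deny" src="any" dst="any" port="any"/>
</firewallExport>
"""


def demo():
    """Back up a sample export, verify it, then show a tampered copy is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_backup(SAMPLE_EXPORT, Path(tmp), "vsm.example.invalid")
        ok_before = verify_backup(path)
        # flip a deny rule to allow in the stored file: the manifest no longer matches
        path.write_bytes(SAMPLE_EXPORT.replace(b'action="deny"', b'action="allow"'))
        ok_after = verify_backup(path)
    return ok_before, ok_after, root_tag(SAMPLE_EXPORT)


if __name__ == "__main__":
    print(demo())
```

In production the `demo()` body would be replaced by `write_backup(fetch_export(host, user, password), Path("/backups/vshield"), host)` on a schedule, and the restore procedure would call `verify_backup()` first; the manifest lives beside the export, so the remote backup location should itself be write-protected for anyone other than the backup job.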


Can a snapshot be taken of vShield Manager and then restored, as a backup process?

Although it is technically possible to snapshot a vShield Manager and then restore the image, this method is not preferred. Use the vShield Manager's backup and restore features.


Can firewall rules from another edge firewall solution (most likely physical) be imported into vShield? Or is there a migration tool for this?

No, there is no industry standard format for firewall rules, thus migration from one solution to another requires manual effort. That being said, writing firewall rules in vShield is similar to legacy methods and significantly easier.


Can firewall rules be backed up and restored? How?

There are multiple methods to back up firewall rules. The recommended methods are:

  • via vShield Manager user interface
  • via REST APIs, which can be scripted/automated
You can back up and restore your vShield Manager data, which can include system configuration, events, and audit log tables. Configuration tables are included in every backup. You can, however, exclude system and audit log events. Backups are saved to a remote location that must be accessible by the vShield Manager. Backups can be executed according to a schedule or on demand. For more information, refer to the vShield Administration Guide.

VI administrators can use REST APIs (accessible via web interface client) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations. For more information on REST APIs, refer to the vShield API Programming Guide.


vShield Edge


With what existing VMware products is vShield Edge compatible?

  • (Required) vSphere: 4.0 U1 (BUILD 208167), 4.1 (including ESX, ESXi 4.1, 4.0)
  • vCenter Server: 4.0, 4.1
  • Virtual Cloud Director v1.0


Is vShield Edge compatible with earlier versions of ESX (3.0, 3.5) and vCenter (2.5)?

vShield Edge is not compatible with these earlier versions of ESX and vCenter. Customers are encouraged to upgrade to current versions of vCenter and vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual data center management capabilities.


Can VMware vShield Edge for vCloud Director be upgraded to VMware vShield Edge?

VMware vShield Edge for vCloud Director is based on vShield Edge technology. Customers can upgrade their edge security features from their Virtual Cloud Director deployments to a full version of vShield Edge while keeping configurations intact. Upgrade software and SKU (license) are required.


What is the difference between vShield Edge and vShield Edge for vCloud Director?

The difference between the built-in edge security in VMware Virtual Cloud Director (vShield Edge for vCloud Director) and vShield Edge (more advanced version) is that VPN and load balancing functionality are not included in vShield Edge for vCloud Director.

The VMware vShield Edge for vCloud Director solution offers edge firewall, network address translation (NAT) and DHCP features.


How is vShield Edge change-aware? Can you vMotion the vShield Edge appliance?

Like any guest virtual machine, the vShield Edge virtual appliance can be vMotioned while retaining all edge security policies. As a best practice, port group isolation is recommended.

vMotion moves of a protected virtual machine are blocked if the target ESX is not enabled for the security solution. Make sure that the resource pool for vMotion of protected virtual machines contains only security enabled ESX hosts. In the case of vShield Edge, the edge policies must be replicated to the target ESX.


Can a vShield Edge have more than one trusted network interface (vNIC)?

No, the vShield Edge comes with only one trusted interface (vNIC) at this time. Support for additional vNICs will be considered based on customer and market demand.


Can vShield Edge firewall rules be defined by using logical names for source and destination groups of virtual machines?

No, the vShield Edge firewall only supports rules based on the TCP 5-tuple (source IP address, destination IP address, source port, destination port, protocol). This is sufficient for edge firewall functionality, since most of the policies are written based on two groups: trusted (internal) and untrusted (from the Internet). For firewall features which allow the use of logical names, review the capabilities of VMware vShield App.


How many firewall rules are supported per vShield Edge?

Functionally, the vShield Edge firewall supports 2000 firewall rules. In practice, VI administrators might consider reviewing their firewall rules to simplify, where possible, if their rules start approaching this number.


What are the current ALG (application layer gateway) or application-aware features supported by the vShield Edge firewall?

vShield Edge currently supports FTP through its application-aware capabilities. FTP support is necessary for the network edge given that the FTP service uses port 21 as a control port and various ephemeral (or transient) ports for data transfer. FTP is also commonly used for remote access from untrusted or external networks.


If an existing physical edge firewall is being used to protect virtual machines, what configuration changes have to be made to those virtual machines to switch to vShield Edge services?

The steps required to switch these virtual machines to vShield Edge protection are:

  • Put all the vNICs of the virtual machines into a port group.
  • Install vShield Edge on this internal port group.
  • Connect the external port group to an uplink switch.


Can vShield Edge firewall rules be exported to another vShield Edge?

Yes, vShield Edge firewall rules can be replicated to another vShield Edge instance. All of the configuration information is stored by the vShield Manager, which would be used to back up and restore these configurations. REST APIs can also be used to save and restore configurations.


Does this VPN solution support site-to-site encryption/VPN?

Yes, vShield Edge provides a site-to-site VPN solution.


Does this VPN solution provide for user remote access?

No, the vShield Edge does not support VPN for remote access.


What protocols are supported by the VPN solution?

The vShield Edge is based on IKE (key exchange) and IPSEC protocols, common standards for VPN technology.


What key exchange algorithm is used to establish the secure tunnel between sites?

The key exchange algorithm used is Diffie-Hellman, negotiated as part of IKE.


Does the VPN solution support certificate-based authentication (main mode)?

No, this release does not support certificate-based authentication (main mode).


Is main mode with pre-shared secret supported?

Yes, main mode with pre-shared secret is supported.


Is aggressive mode supported?

No, aggressive mode is not supported.


vShield App


With what existing VMware products is vShield App v1.0 compatible?

vShield App is compatible with:

  • (Required) vSphere: 4.0, 4.1 (including ESX, ESXi 4.1, 4.0)
  • vCenter Server: 4.0, 4.1


Is vShield App compatible with earlier versions of ESX (3.0, 3.5) and vCenter (2.5)?

vShield App is not compatible with these earlier versions of ESX and vCenter. Customers are encouraged to upgrade to current versions of vCenter and vSphere (including ESX 4.0 and 4.1) to benefit from security and other advanced virtual datacenter management capabilities.


How are vShield App and vApps related?

These two products are not related apart from the fact that they are deployed in vSphere environments. vShield App protects applications (on virtual machines) from network-based threats by monitoring and enforcing traffic between virtual machines. A vApp is a logical entity comprising one or more virtual machines, which uses the industry-standard Open Virtualization Format to specify and encapsulate all components of a multi-tier application as well as the operational policies and service levels associated with it. These two concepts can coexist, and vShield App firewall policies can be written to control traffic between virtual machines that belong to vApps.


Can vShield App firewall rules be backed up and restored? How?

Administrators can use REST APIs (accessible via web interface) to export XML files containing the firewall rules. These XML files are used both to export and to restore firewall configurations.


How is vShield App change-aware?

Virtualized environments are dynamic by their very nature. Virtual machines are created, deleted, disabled, moved, etc. based on business and IT requirements. vShield security policies must protect virtual machines throughout their lifecycle. In this sense, vShield App is change-aware such that firewall policies continue to be enforced regardless of where the virtual machine is moved.

This is possible since the policies themselves can be written without knowledge of the IP address; instead they can use any vCenter groupings (for example) or Security Groups (groups of vNICs). So a policy which says that no traffic from a group of PCI-compliant VMs can go to end user/VDI VMs will continue to be enforced even when those VMs are reassigned IP addresses. Furthermore, if these virtual machines are vMotioned to another physical host, the policies can also be retained, as long as the vMotion policy indicates that the vShield policy must be maintained.
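The two rule styles compared in the General section (5-tuple only for vShield Edge; 5-tuple plus Security Groups for vShield App) and the change-awareness just described, as an added toy evaluator that is not VMware's implementation: the same "PCI must not reach VDI" intent is written once against IP addresses and once against Security Groups, and only the group rule still denies after the PCI VM is re-addressed and moved. The VM names, addresses, host names, group names and rule format are constructed for illustration.

```python
# Added example (not VMware code): a toy evaluator contrasting the two rule
# styles this FAQ describes. vShield Edge rules match only the 5-tuple;
# vShield App rules can also match Security Groups (groups of vNICs), so the
# decision follows the virtual machine even when its IP address changes.
# Inventory, group names and rules below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Vnic:
    vm: str        # owning virtual machine
    ip: str        # current address; may change during the VM's lifetime
    host: str      # ESX host the VM currently runs on


@dataclass
class Packet:
    src: Vnic
    dst: Vnic
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                      # "ALLOW" or "DENY"
    proto: str = "any"
    dport: Optional[int] = None
    src_ip: Optional[str] = None     # 5-tuple fields (Edge and App)
    dst_ip: Optional[str] = None
    src_group: Optional[str] = None  # Security Group fields (App only)
    dst_group: Optional[str] = None


@dataclass
class Firewall:
    kind: str                        # "edge" or "app"
    rules: List[Rule]
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> VM names

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.src_group or rule.dst_group:
            if self.kind == "edge":
                raise ValueError("vShield Edge rules cannot reference Security Groups")
            if rule.src_group and pkt.src.vm not in self.groups.get(rule.src_group, set()):
                return False
            if rule.dst_group and pkt.dst.vm not in self.groups.get(rule.dst_group, set()):
                return False
        if rule.src_ip and rule.src_ip != pkt.src.ip:
            return False
        if rule.dst_ip and rule.dst_ip != pkt.dst.ip:
            return False
        if rule.proto != "any" and rule.proto != pkt.proto:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        return True

    def decide(self, pkt: Packet, default: str = "ALLOW") -> str:
        # first matching rule wins; fall through to the default action
        for rule in self.rules:
            if self._matches(rule, pkt):
                return rule.action
        return default


def pci_to_vdi_scenario():
    """Same intent expressed two ways; only the group rule survives a re-IP."""
    pci = Vnic("pci-db-01", "10.0.1.10", "esx-a")
    vdi = Vnic("vdi-user-07", "10.0.2.20", "esx-a")
    groups = {"PCI": {"pci-db-01"}, "VDI": {"vdi-user-07"}}
    by_ip = Firewall("app", [Rule("DENY", src_ip="10.0.1.10", dst_ip="10.0.2.20")], groups)
    by_group = Firewall("app", [Rule("DENY", src_group="PCI", dst_group="VDI")], groups)

    def smb():  # constructed flow from the PCI VM to the VDI desktop
        return Packet(pci, vdi, "tcp", 40000, 445)

    before = (by_ip.decide(smb()), by_group.decide(smb()))
    pci.ip = "10.0.1.99"      # VM re-addressed, e.g. by DHCP
    pci.host = "esx-b"        # and vMotioned to another App-enabled host
    after = (by_ip.decide(smb()), by_group.decide(smb()))
    return before, after      # (("DENY", "DENY"), ("ALLOW", "DENY"))


def edge_accepts_group_rules() -> bool:
    """vShield Edge has no Security Group construct, so such a rule is rejected."""
    edge = Firewall("edge", [Rule("DENY", src_group="PCI")])
    probe = Packet(Vnic("a", "10.0.0.1", "esx-a"), Vnic("b", "10.0.0.2", "esx-a"), "tcp", 1, 80)
    try:
        edge.decide(probe)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(pci_to_vdi_scenario(), edge_accepts_group_rules())
```

The IP-based rule silently stops matching after the re-address and the flow falls through to the default ALLOW, which is exactly the gap a review of address-based rules tends to miss; the group rule keys on the vNIC's membership and is unaffected by either the new address or the new host.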


How are secure web (HTTPS) sessions handled?

The vShield App firewall accepts HTTPS (secure Web) connections for inbound/outbound traffic, if the firewall rule is written to allow it. No ALG for HTTPS is included at this time since no HTTP/HTTPS proxy has been developed to allow inspection of the content in the secure Web connection.


Can vShield App firewall rules be defined by using logical names instead of IP addresses or networks?

Yes, Security Groups can be created as logical names for groups of VMs. These are administrator-defined, business-relevant groupings of any virtual machines by their virtual NICs. For example, a group of all VMs associated with credit card data can be created, allowing for more logical policy definition to address PCI DSS.


What is the current list of protocols supported by this application-aware firewall (ALG)?

vShield App currently supports Microsoft RPC, Sun RPC, Linux RPC, Oracle TNS, and FTP, and numerous other well-known protocols.


Is there (ALG) application-aware firewall support for LDAP, SMTP and other protocols?

Not all protocols require ALG support. ALGs are only required for applications (or protocols) with ephemeral or transient port allocation. Protocols such as LDAP (port 389 or 636 for secure LDAP) and SMTP (port 25) use static port numbers, so firewall rules can easily be written using these numbers.
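What the FTP ALG mentioned in the vShield Edge section and here actually has to do, as an added example that is not VMware's code: the data connection's port is negotiated on the control channel (port 21), so a static-port rule cannot describe it. The function below walks a constructed control-channel transcript, decodes PASV replies and PORT commands into the ephemeral endpoint, checks that the advertised address really is the peer on the control channel, and emits a narrow pinhole for that endpoint only. Addresses, the transcript and the `Pinhole` record are constructed for illustration.

```python
# Added example (not VMware code): what an FTP application layer gateway has to
# do that a static-port rule cannot. The data connection's port is negotiated on
# the control channel (port 21), so the ALG parses PASV replies and PORT commands
# and opens a narrow, temporary pinhole for exactly that endpoint. The control
# channel transcript below is constructed.
import re
from dataclasses import dataclass
from typing import List, Tuple

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    src_ip: str       # who may initiate the data connection
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def decode_hostport(fields) -> Tuple[str, int]:
    """Convert the six comma-separated numbers of PASV/PORT into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        # data ports are ephemeral; refuse privileged ports so the control channel
        # cannot be used to open holes towards well-known services
        raise ValueError(f"refusing non-ephemeral data port {port}")
    return ip, port


def ftp_alg(transcript: List[Tuple[str, str]], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk a control-channel transcript of ("C"/"S", line) pairs and derive pinholes.
    Advertised addresses must match the real peer; anything else is ignored,
    which is the same check firewalls apply to block third-party transfers."""
    holes: List[Pinhole] = []
    for who, line in transcript:
        try:
            if who == "S" and (m := PASV_RE.match(line)):
                ip, port = decode_hostport(m.groups())
                if ip == server_ip:               # passive: client connects to server
                    holes.append(Pinhole(client_ip, server_ip, port))
            elif who == "C" and (m := PORT_RE.match(line)):
                ip, port = decode_hostport(m.groups())
                if ip == client_ip:               # active: server connects back to client
                    holes.append(Pinhole(server_ip, client_ip, port))
        except ValueError:
            continue                              # malformed or disallowed: no pinhole
    return holes


SAMPLE = [  # constructed session between client 198.51.100.7 and server 192.0.2.10
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),    # 195*256+80 = 50000
    ("C", "PORT 198,51,100,7,4,1"),                              # 4*256+1 = 1025
    ("S", "200 PORT command successful."),
    ("S", "227 Entering Passive Mode (203,0,113,5,4,2)"),      # wrong host: ignored
    ("C", "PORT 198,51,100,7,0,25"),                             # privileged port: ignored
]


def sample_pinholes() -> List[Pinhole]:
    return ftp_alg(SAMPLE, "198.51.100.7", "192.0.2.10")


if __name__ == "__main__":
    for hole in sample_pinholes():
        print(hole)
```

A real ALG also closes each pinhole once the data connection ends or the control session times out; LDAP and SMTP need none of this because their service port never moves, which is why a plain static-port rule is sufficient for them.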


Can vShield App firewall rules be exported to another vShield App? To another application firewall?

Yes, vShield App firewall rules can be replicated to another vShield App instance. All of the configuration information is stored by the vShield Manager, which would be used to back up and restore these configurations. REST APIs can also be used to save and restore configurations. None of these methods, however, can be used with third-party products.


Can vShield App support multiple ESX hosts per App instance?

No, by design, there is only one vShield App per ESX host. The solution is deployed as a loadable kernel module (LKM), which is on a per ESX host basis.


Can vShield App support multiple vShield App instances per ESX host?

No, by design, there is only one vShield App per ESX host. The solution is deployed as a loadable kernel module (LKM), which is on a per ESX host basis.


What options are there to minimize downtime of a vShield App service?

Standard methods for ensuring uptime of an ESX host, such as built-in fault tolerance features, are recommended. In addition, continuous monitoring of system status for the vShield App service can help identify problems as they occur and allow time to restart the service.


Can a vShield App service go down without the entire ESX host going down?

Yes, the vShield App is deployed as a loadable kernel module and can be disabled without the entire ESX host going down. Enterprises should monitor event logs for this service to ensure that the service is operational, using the System Status information. If there is an outage, the service can be restarted via the vShield Manager GUI or through the REST API.


Are my virtual machines still protected if I vMotion them to another ESX host?

Yes, if you install a vShield App on each ESX host in your vCenter environment, you can migrate machines between ESX hosts using vMotion without weakening the security posture. vShield App instances cannot be migrated to other ESX hosts, thus each instance maintains state for the traffic on its ESX host.


vShield Endpoint


With what existing VMware products is vShield Endpoint compatible?

vShield Endpoint is compatible with:

  • (Required) vSphere: 4.1 (including ESX, ESXi 4.1)
  • vCenter Server 4.1
  • VMware View v4.5


Is vShield Endpoint compatible with earlier versions of ESX (3.0, 3.5) and vCenter (2.5)?

vShield Endpoint is not compatible with these earlier versions of ESX and vCenter. Customers are encouraged to upgrade to current versions of vCenter and vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual data center management capabilities.


Is vShield Endpoint compatible with VMware View 4.1?

vShield Endpoint is not compatible with VMware View 4.1. Customers are encouraged to upgrade to VMware View v4.5.


What is the EPSEC API and how is it related to vShield Endpoint?

The EPSEC API enables Trend Micro partners with endpoint security solutions to leverage introspection at the hypervisor layer. The EPSEC API provides a rich set of capabilities to access specific file activities within the hypervisor. Some of these include:

  1. Intercept access to a file (when it is accessed for copy, execution, etc.)
  2. Read files (for scheduled and on-access scans)
  3. Remediation (enforce a file overwrite, deletion, quarantine, etc.)
For prospective technology partners, a more detailed description of the EPSEC APIs can be obtained by contacting the VMware Partner Programs: http://www.vmware.com/partners/programs/.


How does vShield Endpoint provide endpoint security vendors more secure access to vSphere-based virtual machines?

The vShield Endpoint solution architecture isolates critical anti-virus protection from general-purpose computing virtual machines. The core anti-virus engine is contained within a hardened virtual appliance (or security virtual machine [SVM]) provided by a VMware partner. The workload virtual machines themselves do not contain any anti-virus software but rather a small driver that restricts access to the security virtual machine to key antivirus functions such as file scanning, signature updates, and remediation (e.g. file quarantine). The combination of the isolated security virtual machine and the EPSEC API for restricted access to the SVM makes the solution more secure than legacy methods, which require one antivirus engine per virtual machine.


Is the vShield Endpoint Security Virtual Machine (SVM) hardened?

The vShield Endpoint LKM and in-guest driver are hardened by design, in that they only allow controlled access to the hypervisor layer using the EPSEC API. The other solution components, vShield Manager and the partner SVM, require some further hardening.

  • For the SVM: The anti-virus vendor with the EPSEC-integrated solution provides the security virtual machine (or security virtual appliance). It is at the discretion of the vendor as to what measures must be taken to harden the security virtual machine. Some methods may include building on a configurable, Linux-based OS, removing unnecessary services, implementing a firewall and intrusion prevention service, and locking down remote access to SSH. For specific hardening features, contact the anti-virus vendors that have delivered integrations with the EPSEC API.
  • For vShield Manager: Details on how to harden the vShield Manager are provided in the vShield Quick Start Guide. The areas that need to be addressed are:
    • vShield Manager User Interface: Change default password
    • Command Line Interface: Change default password (same as vShield Manager User Interface)
    • REST Requests: Requires privileged access with a vShield Manager account


How do the vShield Endpoint components get deployed in this new architecture?

In the legacy approach, anti-virus software is deployed in each virtual machine. With vShield Endpoint, anti-virus software is delivered by using a different approach, given that the solution comprises three components: the driver in each workload virtual machine, the Loadable Kernel Module (LKM) per vSphere host, and the partner SVM.

First, the partner SVM is deployed to the vSphere host: a single security virtual machine (virtual appliance) per host from a third-party vendor which has completed sufficient integration with the EPSEC APIs. Then the vShield Endpoint driver (referred to as the thin agent in product documentation) is installed in each workload virtual machine, and the LKM is deployed on the vSphere host. With the exception of this small driver in each guest virtual machine, which can be deployed once using vCenter Templates or other distribution mechanisms, no other software needs to be deployed on the virtual host.

For more details on installation, please refer to the vShield Quick Start Guide.


How does the memory footprint change on the virtual host with vShield Endpoint?

As explained in the deployment description, vShield Endpoint avoids the linear growth of memory utilization by restricting AV deployment to a single virtual machine per host. The vShield Endpoint driver is negligible in size relative to the AV software and essentially becomes part of the VDI image.

Specific numbers on memory footprint vary depending on the antivirus vendor offering, but using sample data based on current partner integrations, the following chart shows the expected memory utilization savings from moving from the legacy approach to the vShield Endpoint approach. In this example, 256MB per virtual machine is assumed for anti-virus memory in the legacy approach. With vShield Endpoint, the partner SVM (virtual appliance) is allocated 2GB of memory for anti-virus and other functions (such as integrated firewall and IPS, for security hardening). The per-virtual-machine memory footprint for the AV solution drops from several hundred megabytes to less than 5 MB for the vShield Endpoint driver, which offloads AV functions to the SVM.


Are there any plans to put the vShield Endpoint Driver into VM Tools?

Yes, the vShield Endpoint Driver is being considered for inclusion in VMware Tools, as an update to vSphere 4.1. For specific release timeframe, contact Product Management for vShield Endpoint.


Do I need to update vShield Endpoint? If yes, how often is this necessary?

vShield Endpoint comprises three components: the driver in each workload virtual machine, the Loadable Kernel Module per vSphere host, and the partner SVM. Any updates to VMware components can be found on http://www.vmware.com/support/. The vShield Manager can be used to update the vShield components, upload an update, and view update history. In practice, these updates are not very frequent. Refer to the vShield Admin Guide for more information on updating.

The partner SVM needs to be updated as often as typical anti-virus software needs to be updated, to ensure an up-to-date anti-virus engine and signature/pattern files. This is determined by the partner solution.


Do I need a separate policy management interface for vShield Endpoint versus other vShield solutions?

No, vShield Endpoint can be managed using vShield Manager, just as the other vShield products are managed. Specifically, the LKM, driver, and SVM are all deployed by vShield Manager. The only exception is the management interface for the anti-virus policies, which is provisioned by the anti-virus vendor. This exception is a key benefit, since information security analysts who are accustomed to writing security policies with existing solutions do not have to change their processes for virtualized environments.


Last updated 28-Feb-2011 6:00 pm