VMware

VMware vShield Release Notes

vShield 4.1 | 30 AUG 2010 | Build 287872


For organizations that want to leverage the benefits of cloud computing without sacrificing security, control or compliance, the VMware vShield family of security solutions provides comprehensive protection for virtual datacenters and cloud environments. vShield enables customers to strengthen application and data security, improve visibility and control, and accelerate IT compliance efforts across the organization.

vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.


What's New in This Release

vShield 4.1 adds new components and usability enhancements.

  • New License-Based Components
    • vShield Edge: vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. The key features of vShield Edge are as follows:
      • Stateful Inspection Firewall
        Inbound and outbound connection control with rules based on source and destination IP address and port
      • Network Address Translation
        • IP address translation to/from the virtualized environment
        • Masquerading of virtual datacenter IP addresses to untrusted locations
      • Dynamic Host Configuration Protocol
        • Automatic IP address provisioning to virtual machines in vSphere environments
        • Administrator-defined parameters: address pools, lease times, dedicated IP addresses, etc.
      • Site-to-Site VPN
        • Secure communication between virtual datacenters (or edge security virtual machines)
        • IPsec VPN based on the Internet Key Exchange (IKE) protocol
      • Web Load Balancing
        • Inbound load balancing for all HTTP traffic
        • Round-robin algorithm
        • Support for sticky sessions
      • Port Group Isolation
        • Enforced at hypervisor layer to restrict traffic within a virtual datacenter to specified port groups
        • Same effect as VLANs in virtual or physical switch environments
      • Flow Statistics
        • Virtual datacenter resource utilization metered and attributed back to tenant
        • Statistics accessible through REST APIs and leveraged in service provider chargeback applications
      • Policy Management
        Support for integration with enterprise IT security management tools
    • vShield App: vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation. The key features of vShield App are as follows:
      • Hypervisor-Level Firewall
        • Inbound/outbound connection control enforced at the virtual NIC level through hypervisor inspection, supporting multihomed virtual machines
        • Ability to enforce based on network, application port, protocol type (TCP, UDP), application type
        • Dynamic protection as virtual machines migrate
        • IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP
      • Flow Monitoring
        Ability to observe network activity between virtual machines to help define and refine firewall policies, identify botnets and secure business processes through detailed reporting of application traffic (application, sessions, bytes)
      • Security Groups
        Administrator-defined, business-relevant groupings of any virtual machines by their virtual NICs
      • Policy Management
        • Policy enforcement on security groups, vCenter containers, and TCP 5 tuple (source IP, destination IP, source port, destination port, protocol)
        • Programmable interface for management and policy enforcement using REST APIs
        • Support for integration with enterprise security management tools
    • vShield Endpoint: vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use. The key features of vShield Endpoint are as follows:
      • Antivirus and Anti-Malware Offloading
        • File scanning and other tasks are offloaded from virtual machines to a security virtual machine.
        • VMware Endpoint ESX Module manages communication between virtual machines and the security virtual machine, using introspection at the hypervisor layer.
      • Antivirus and Anti-Malware Service Across Virtual Machines
        Antivirus engine and signature files are only updated within the security virtual machine, but policies can be applied across all virtual machines on a vSphere host.
      • Enforce Remediation
        • Pre-defined policies dictate whether a malicious file should be deleted, quarantined or otherwise handled.
        • vShield Endpoint driver manages file remediation activity within the virtual machine.
      • Partner Integrations
        Integration of vShield Endpoint with security virtual machine solutions from VMware partners is facilitated through VMware EPSEC, which provides a library and API for introspection into file activity at the hypervisor layer.
      • Policy and Configuration Management
        • vShield Manager provides full-featured configuration of vShield Endpoint policies.
        • vCenter activates vShield capabilities on vSphere.
        • REST APIs allow customized integration of vShield Endpoint capabilities into solutions.
  • Usability Enhancements
    • Broader vSphere Client Integration: After registering the vShield Manager as a vSphere Client plug-in, you can use the vSphere Client to install and configure vShield components and features.
    • System Management via REST API: You can install and manage vShield components via REST API. For more information, see the vShield API Programming Guide.

Installation Notes for This Release

Before you install this release:

  • Read the vShield Quick Start Guide for guidance on installing vShield. This guide contains information about all requirements and procedures to set up vShield.
  • Read the vShield Administration Guide for workflows describing vShield system management, such as setting up firewall protection, analyzing traffic sessions, configuring edge services, and event and status monitoring.
  • Read the vShield API Programming Guide for instructions on managing your vShield deployment via REST API.

Upgrading to vShield 4.1

VMware vShield 4.1 is a completely new package and must be installed separately from vShield Zones 1.0 Update 1. You should uninstall the previous version of vShield before installing vShield 4.1.

Known Issues

The following are known issues with vShield 4.1:
  • vShield Manager
    • Problem: If you back up the vShield Manager and restore that backup on the same or a different vShield Manager virtual machine, any vShield Zones or vShield App instances cannot reconnect with the vShield Manager.
      Workaround: Restart your vShield Zones/App instances and force sync from the vShield Manager user interface for each instance.

    • Problem: In the SSL Certificates feature in the vShield Manager user interface, if you set Algorithm to DSA and Keysize to 2048, keypair generation fails. If you do not configure a new setting, you will not be able to log in to the vShield Manager subsequently.
      Workaround: The maximum keysize for DSA is 1024. Configure and save new settings.

    • Problem: When configuring a vShield Edge DNAT or firewall rule, if the selected Protocol is ICMP (any variation) and Port/Range contains 0 or any other number, saving the rule throws this error: "Specified protocol cannot be associated with port. Invalid port in rule."
      Workaround: If you select ICMP from Protocol, you must enter any in the Port/Range fields.

    • Problem: After configuring a vShield Edge service (e.g., Load Balancer, VPN), the service shows as "Not configured" on the status page.
      Workaround: Click Refresh Now to retrieve the latest configuration.

    • Problem: Port groups which are assigned Private VLANs (PVLANs) are shown under VLAN-0 in vShield Manager user interface Network view. You will not be able to configure firewall rules for PVLANs or port groups with PVLANs.
      Workaround: You can configure a firewall rule for VLAN-0. Otherwise, do not use PVLANs with vShield.

  • vShield Edge
    • Problem: If a vShield Edge is removed (not uninstalled) from the vSphere Client immediately after installation, an attempt to uninstall the vShield Edge virtual machine results in a null pointer exception.
      Workaround: Uninstall the vShield Edge by using the Uninstall option in the vSphere Client (Home > Inventory > Networking > Edge > Uninstall) or via REST request only. In most cases, vShield virtual machines should not be manually removed or deleted from the vCenter inventory.

  • vShield Zones or vShield App
    • Problem: If a vShield Zones/App is powered off, checking the status under the Summary tab in the vShield Manager user interface for the ESX host throws the following error: Unknown error occurred.
      Workaround: Verify the powered off state of the vShield Zones/App virtual machine in the vSphere Client. If it is powered on, verify that you can reach the vShield Manager from the vShield Zones/App via the network. If the vShield Manager cannot be reached, there is a networking error. Verify if IP addresses are in the same subnet. If the vShield Zones/App virtual machine is powered off, you must manually power on the virtual machine and force sync from the vShield Manager user interface.

    • Problem: If an ESX host is (hard) rebooted, a vShield Zones or vShield App virtual machine does not power on after reboot.
      Workaround: You must manually power on the vShield Zones or vShield App virtual machine. You must then force sync with the vShield Manager.

    • Problem: If a vShield Zones or vShield App install fails due to the vShield virtual machine failing to power on, an attempt to uninstall the powered off vShield virtual machine also fails.
      Workaround: You must delete this vShield virtual machine manually before attempting another installation.

  • vShield Endpoint
    • Problem: When an on-demand scan (ODS) is running, it affects the following three scenarios:
      1) Attempting to unmount a hard drive during ODS gives an error message that the drive is in use.
      2) Shutting down the OS does not complete while running an ODS on the floppy until the ODS is finished.
      3) Shutting down the OS does not complete while running an ODS on a USB drive until the ODS is finished.
      Workaround: None.

    • Problem: After deploying an SVM to an ESX host, the Endpoint Status panel does not report the status of that SVM. This is because the vShield Manager does not propagate some configuration parameters to the SVM until an inventory change occurs in the vCenter Server.
      Workaround: Perform an inventory change in the vCenter Server, such as suspending and then resuming that virtual machine.

    • Problem: Hot adding and hot removing SCSI disks from a protected VM may interfere with vShield Endpoint operations.
      Workaround: Before (hot) removing a SCSI disk from a protected VM, make sure that it is not used by the vShield Endpoint Thin Agent. For example, if the disk you are about to remove is scsi(0,5), make sure that you do not have the line SCSI0:5.filters=VFILE in the configuration for the protected VM. Also, before (hot) adding a disk to a protected VM, make sure that you add it with a scsi bus id higher than that of the scsi disk that is currently used for the vShield Endpoint Thin Agent. For example, if the disk used for vShield Endpoint Thin Agent is scsi(0:5), then the new disk should have a scsi bus id larger than 5, e.g., scsi(0,8).

    • Problem: After the vShield Manager is rebooted, a series of alarms are created when the EPSec status page is displayed in the vSphere client. If these alarms already exist, an error message will be displayed in the vSphere client.
      Workaround: None. These errors are informational only and do not affect the operation of the EPSec status page.

    • Problem: The EPSec status page contains a table that displays alarms. When the table is filtered by severity type, the table data displays correctly, but the total number of records is incorrect. For example, if 36 total records were filtered to display just 30 records, the toolbar still shows the message "Displaying 1 - 30 of 36 records."
      Workaround: None.

    • Problem: On the EPSec status page, events may be reported for the wrong VM if two or more VMs share the same BIOS UUID.
      Workaround: Change the UUID of one or more of the virtual machines. See KB 1002403.

    • Problem: When an SVM is registered with the vShield Manager, the vShield Manager attempts to reconfigure templates and fails. The 'recent tasks' screen in the vSphere Client will show the error message "The operation is not supported on the object".
      Workaround: None.

    • Problem: The guest driver creates temporary files in %systemroot%\temp\vmware\eps010. If read permissions are removed from this directory, certain vShield Endpoint operations that require large data transfers may fail.
      Workaround: Ensure the directory is globally readable.

    • Problem: In order to remediate a read-only file, vShield Endpoint removes the file's read-only attribute. This attribute will not be restored after the file has been remediated.
      Workaround: None.
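
Two of the vShield Endpoint workarounds above (the SCSI hot add/remove check and the shared BIOS UUID issue) can be verified from the virtual machine configuration before a change is made. The following is an added example, not VMware code: the function names are hypothetical, and the quoted key = "value" layout, the uuid.bios key, and limiting the id comparison to one controller are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configurations (not from the release notes). Only the
# SCSI0:5.filters=VFILE line is quoted from the notes; the key = "value"
# layout and the uuid.bios key are assumptions about the configuration file.
VM_A = '''scsi0:0.present = "TRUE"
SCSI0:5.filters = "VFILE"
uuid.bios = "56 4d 00 01 02 03 04 05-06 07 08 09 0a 0b 0c 0d"
'''
VM_B = '''scsi0:0.present = "TRUE"
uuid.bios = "56 4d 00 01 02 03 04 05-06 07 08 09 0a 0b 0c 0d"
'''

def parse_config(text):
    """Return {lower-cased key: value} for each key=value line."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and not key.lstrip().startswith("#"):
            cfg[key.strip().lower()] = val.strip().strip('"')
    return cfg

def agent_disks(cfg):
    """(controller, id) pairs whose filters entry names VFILE."""
    found = set()
    for key, val in cfg.items():
        m = re.fullmatch(r"scsi(\d+):(\d+)\.filters", key)
        if m and "VFILE" in val.upper():
            found.add((int(m.group(1)), int(m.group(2))))
    return found

def safe_to_hot_remove(cfg, controller, disk_id):
    """A disk may be removed only if the Thin Agent is not using it."""
    return (controller, disk_id) not in agent_disks(cfg)

def safe_to_hot_add(cfg, controller, disk_id):
    """The new id (second number, as in the notes' scsi(0,8) example) must be
    higher than the agent's disk id. Same-controller scope is an assumption."""
    return all(disk_id > i for c, i in agent_disks(cfg) if c == controller)

def shared_bios_uuids(vms):
    """Map each BIOS UUID used by more than one VM to the sorted VM names."""
    by_uuid = defaultdict(list)
    for name, text in vms.items():
        uuid = parse_config(text).get("uuid.bios")
        if uuid:
            by_uuid[uuid].append(name)
    return {u: sorted(n) for u, n in by_uuid.items() if len(n) > 1}
```

Any VM group returned by `shared_bios_uuids` is a candidate for the UUID change described in KB 1002403.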

Resolved Issues

Since VMware vShield 4.1 is a completely new package and is not backwards compatible with vShield 1.0 Update 1 or earlier, there are no applicable resolved issues for this version.

Configuration Notes

Installation

  • Uninstalling vShield Components
    You must move the vShield Manager virtual machine before uninstalling vShield Zones/vShield App, vShield Endpoint, or Port Group Isolation from the ESX host on which the vShield Manager resides. Uninstallation of these components requires the ESX host to enter maintenance mode. The vShield Manager must be up at all times, thus cannot be subject to maintenance mode or reboot.
  • Do Not Upgrade or Uninstall VMware Tools on vShield Virtual Machines
    VMware Tools is a suite of utilities that improves the performance of guest operating systems and enhances virtual machine management. A specific installation of VMware Tools has been installed on all vShield virtual machines. Do not change or remove VMware Tools from a vShield virtual machine.

Firewall

  • Using any in Firewall Rules
    For vShield Edge firewall rules, type any in all lower case letters. For Zones Firewall and App Firewall rules, type ANY in all upper case letters.

User Account Management

  • vShield Manager UI User Accounts Are Not Linked to vShield CLI User Accounts
    The default user account for the vShield Manager user interface is not linked to the default CLI user account for any vShield virtual machine. These accounts are managed separately. Also, the default CLI user account is unique to each vShield virtual machine.
  • Cannot Change the Password of the CLI admin User Account, Create a New CLI User and Delete admin User
    You cannot change the password of the admin user account in the vShield CLI. You should create a new CLI user account and remove the admin account to secure access to the CLI on each vShield virtual machine.
    User account management in the CLI conforms to the following rules.
    • You can create CLI user accounts. Each created user account has administrator-level access to the CLI.
    • You cannot change the password for any CLI user account on a vShield Manager or vShield App virtual machine. If you need to change a CLI user account password, you must delete the user account, and then re-add it with a new password. However, you can change the CLI password of any user account on the vShield Edge via REST API.
    • The CLI admin account password and the Privileged mode password are managed separately. The default Privileged mode password is the same for each CLI user account. You should change the Privileged mode password to secure access to the CLI configuration options.

vSphere Client Plug-In

  • Registering the vShield Manager as a vSphere Client Plug-in
    You can register the vShield Manager user interface as a vSphere Client plug-in. You must exit your vSphere Client session before sending the plug-in registration request from the vShield Manager user interface. After registering as a vSphere plug-in, restart the vSphere Client. You can now install and configure vShield components from the vSphere Client.

Flow Monitoring

  • Clicking Delete All Flows Deletes All Traffic Statistics Permanently
    If you click Delete All Flows from the Flow Monitor tab for a datacenter container, all traffic sessions for that container are deleted permanently. Typically, this option is only used when moving your vShield deployment from a lab environment to a production environment. If you must maintain a history of traffic sessions, do not use this feature.

VPN

  • Only alphanumeric characters are allowed for site and tunnel names.
