vShield Zones 1.0 FAQ

Frequently Asked Questions


Is this product related to the acquisition of Blue Lane Technologies in 2008?

Yes. VMware vShield Zones is built on key technologies and software from Blue Lane Technologies, which VMware acquired in October 2008. vShield Zones is built on a mature network security platform that has been deployed by over 100 enterprise customers since 2004. However, vShield Zones is a new product with network protection functions distinct from previous virtual patching offerings from Blue Lane.

What is VMsafe? Is this product based on VMsafe?

VMsafe is an API and partner program launched in early 2008 to enable security vendors to leverage key technologies coming in future versions of VMware’s virtualization platform. At a basic level, the APIs give security vendors access to the introspective capability of the hypervisor so they can provide better protection to virtual machines. Introspection gives a security virtual appliance “x-ray vision” into what is happening inside virtual machines, so it can monitor for and protect against malicious activity.

This edition of vShield Zones is not yet integrated with VMsafe, but VMware’s plan is to leverage the same benefits of VMsafe technology to enhance network monitoring and protection.

Why did VMware release a security product if security vendors were already doing so?

VMware developed vShield Zones to accelerate delivery of some critical services needed to deploy security to virtual networks. As virtual datacenter deployments have expanded and are evolving into cloud-based service models, customers expressed the need to segment access to sensitive data into varying trust levels in the enterprise or isolate multiple customers or constituents in multi-tenant cloud environments. VMware felt there was a need for some fundamental capabilities close to the platform to partition the interior of the shared virtual network and resource pools, while security vendors could develop these capabilities plus their differentiated best-of-breed features.

What is the architecture of vShield Zones?

vShield Zones has two components: the vShield Manager and the vShield agents. Both components are packaged as virtual appliances, which are pre-packaged virtual machines. The vShield Manager can be deployed on any ESX host that has access to the management network of the ESX hosts. You can install a vShield agent on any vSwitch that has a dedicated physical NIC, so a single ESX host can run multiple vShield agents. Once the administrator has chosen a vSwitch, the vShield Manager deploys the vShield agent onto it. The vShield Manager provides a central point of management for all vShield agents. By using the web-based interface of the vShield Manager, you can monitor network traffic, configure firewall rules, and perform other management tasks. You never need to access the vShield agents directly. This information is detailed in Introduction to vShield Zones.

How does vShield Zones provide network protection and monitoring?

When a vShield agent is installed on a vSwitch, a new internal-only vSwitch is created to act as a filter for traffic to the virtual machines on that host. The virtual machines are moved off the existing vSwitch (the unprotected vSwitch) onto the new vSwitch (the protected vSwitch). The protected vSwitch has no physical NICs connected. The vShield agent is inserted between the two vSwitches as a bridge and forwards packets between the physical NICs and the virtual machines; because the protected vSwitch has no uplinks of its own, the agent is the only path between those virtual machines and the physical network. The agent monitors all ingress and egress traffic, as well as traffic between the virtual machines on the protected vSwitch. Each agent also has a management interface for communication with the vShield Manager, connected to a dedicated portgroup that is created on the unprotected vSwitch during installation. This information is detailed in Introduction to vShield Zones.

At which OSI Layer does vShield Zones work?

You can create firewall rules and monitor sessions at the Application Layer, as well as at the Transport Layer and Network Layer.

How does having a deep understanding of protocols help when creating a firewall?

Here are a couple of examples:

  1. Microsoft Windows uses numerous protocols (RPC over SMB, RPC over TCP, NetBIOS). Traditional firewalls require that you create a rule for each protocol used for Microsoft Windows OS communication. With vShield Zones, you can set a single rule that provides protection across all common Microsoft Windows protocols in a single bundle. Within this bundle is the knowledge of how to handle each protocol.
  2. Certain protocols and applications use dynamically allocated port ranges (FTP, MS-RPC, etc.). To make these services work with a traditional firewall, you have to open the whole range of ports they might use. Those ports then stay open whether or not an FTP or RPC session is actually using them, and because the range is well known it becomes an attractive target. An understanding of these protocols allowed the team to build that knowledge into the vShield agent, so it opens a port on the fly when a session negotiates it and closes it again once the session no longer needs it. This leaves fewer ports open and does not require you to configure any of these details. You simply need to know the name of the service (FTP, RPC) and select whether to allow or deny it.
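The on-the-fly port handling in item 2 is easiest to see in code. The following is an added illustration written for this FAQ, not vShield Zones code: a small protocol-aware (ALG-style) handler for FTP's negotiated data port, shown next to the static port-range rule a traditional firewall would need. It assumes a firewall component that can watch the FTP control channel and add or remove per-session allow entries (called pinholes here); the class and function names and all addresses and ports are constructed.

```python
"""
Protocol-aware ("ALG") handling of FTP's dynamically negotiated data port,
contrasted with a static port-range rule. Constructed illustration for this
FAQ, not vShield Zones code; assumes the firewall can watch the FTP control
channel (TCP/21) and add/remove per-session allow entries (pinholes).
"""
import re
from dataclasses import dataclass, field

# Server reply for passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command for active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

# What a traditional firewall has to do to make FTP work: leave the whole
# ephemeral range open, whether or not any FTP session is using it.
STATIC_RANGE = range(1024, 65536)


def static_rule_allows(dport):
    return dport in STATIC_RANGE


@dataclass(frozen=True)
class Pinhole:
    src: str    # host allowed to open the data connection
    dst: str    # host that will accept it
    dport: int  # negotiated port


def _decode(groups):
    """Turn the six comma-separated numbers into (ip, port); reject junk."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("malformed FTP address/port")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpAlg:
    client: str
    server: str
    pinholes: set = field(default_factory=set)

    def on_control_line(self, direction, line):
        """Feed one control-channel line; direction is 'c2s' or 's2c'.
        Returns the Pinhole opened, or None if nothing was opened."""
        if direction == "s2c":
            m = PASV_RE.match(line)
            expected_host, src = self.server, self.client
        elif direction == "c2s":
            m = PORT_RE.match(line)
            expected_host, src = self.client, self.server
        else:
            raise ValueError(direction)
        if not m:
            return None
        try:
            host, port = _decode(m.groups())
        except ValueError:
            return None
        # Caveat: only pinhole to the peer we are already talking to, and never
        # to a privileged port. Anything else is an FTP-bounce style attempt to
        # use the ALG to open a hole to a third party.
        if host != expected_host or port < 1024:
            return None
        hole = Pinhole(src, host, port)
        self.pinholes.add(hole)
        return hole

    def on_data_connection_closed(self, hole):
        """Close the pinhole again once the data transfer is over."""
        self.pinholes.discard(hole)

    def allows(self, src, dst, dport):
        return Pinhole(src, dst, dport) in self.pinholes


if __name__ == "__main__":
    alg = FtpAlg(client="10.0.0.5", server="192.0.2.10")  # constructed addresses
    hole = alg.on_control_line("s2c", "227 Entering Passive Mode (192,0,2,10,195,80)")
    print("pinhole:", hole)                                                   # port 50000
    print("ALG allows 50001?", alg.allows("10.0.0.5", "192.0.2.10", 50001))  # False
    print("static rule allows 50001?", static_rule_allows(50001))            # True
    alg.on_data_connection_closed(hole)
    print("ALG allows 50000 after close?", alg.allows("10.0.0.5", "192.0.2.10", 50000))  # False
```

The static rule says yes to every port in the range all the time; the ALG says yes only to the one port the session actually negotiated, only between the two hosts already talking, and only until the transfer ends. The peer-address check is the part that matters most: without it a malicious server (or a client) could name a third party in the 227/PORT exchange and have the firewall open a hole to it.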

What is the scope of monitoring and blocking in vShield Zones?

Monitoring (VM Flow) is performed at the datacenter, cluster, portgroup, VLAN, and virtual machine levels. Blocking (VM Wall) is enforced at the datacenter, cluster, and VLAN levels.

If the vShield Manager goes down, do the vShield agents stop protecting the virtual machines?

No. The vShield Manager provides management and reporting. The vShield agents provide monitoring data and enforce firewall rules. In the event the vShield Manager is unavailable for some time, each vShield can queue data and send it to the vShield Manager once it is available.

If a vShield agent stops working, does it leave the virtual machines exposed?

No. Each vShield agent is the only bridge between the protected and unprotected vSwitches, so if an agent goes down the virtual machines behind it lose all connectivity to the physical network; the agent fails closed rather than open. This is a loss of availability, not a loss of protection. The isolated virtual machines can still communicate with each other on the protected vSwitch.
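The architecture answer above and this fail-closed answer both rest on two facts about the host: the protected vSwitch really has no physical uplinks, and every virtual machine that should be protected was actually moved onto it. Both can be confirmed from the service console with `esxcfg-vswitch -l`. The following is an added check written for this FAQ, not vShield Zones code; the listing it parses is constructed, the parser assumes the column layout shown in that sample, and the names vSwitch0 (unprotected), vSwitch1 (protected) and vshield-mgmt are assumptions.

```python
"""
Check the bridged topology that vShield Zones creates, using the output of
`esxcfg-vswitch -l` from the ESX service console. Constructed illustration
written for this FAQ, not vShield Zones code. The listing below is made up and
the parser assumes the column layout shown; the switch and portgroup names
(vSwitch0 as unprotected, vSwitch1 as protected, "vshield-mgmt") are assumptions.
"""
import re

# "vSwitch0   64   5   64   1500   vmnic0,vmnic1"  (uplinks column may be empty)
SWITCH_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*(\S*)\s*$")
# "  VM Network   0   1   vmnic0,vmnic1"  (name may contain single spaces)
PG_RE = re.compile(r"^\s+(.+?)\s{2,}(\d+)\s+(\d+)\s*(\S*)\s*$")

# Constructed sample of `esxcfg-vswitch -l` after a vShield agent was installed.
SAMPLE_LISTING = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  vshield-mgmt        0        1           vmnic0,vmnic1
  VM Network          0        1           vmnic0,vmnic1
  Service Console     0        1           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          4           64                1500

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VM Network          0        3
"""


def parse_vswitch_listing(text):
    """Return {switch_name: {"uplinks": [...], "portgroups": {name: used_ports}}}."""
    switches, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Switch Name", "PortGroup Name")):
            continue
        m = SWITCH_RE.match(line)
        if m:
            name, uplinks = m.group(1), m.group(6)
            current = {"uplinks": [u for u in uplinks.split(",") if u], "portgroups": {}}
            switches[name] = current
            continue
        m = PG_RE.match(line)
        if m and current is not None:
            current["portgroups"][m.group(1)] = int(m.group(3))
    return switches


def protected_switch_is_isolated(switches, name):
    """True iff the protected vSwitch exists and has no physical uplinks, so the
    vShield agent is the only path off it (the basis of the fail-closed answer)."""
    sw = switches.get(name)
    return sw is not None and not sw["uplinks"]


def unprotected_portgroups_in_use(switches, name):
    """Portgroups on the unprotected vSwitch that still have ports in use.
    Only the service console / VMkernel ports and the vShield agent's own
    interfaces should appear here; any other occupant is a VM that was not
    moved and therefore bypasses the agent."""
    sw = switches.get(name, {"portgroups": {}})
    return {pg: used for pg, used in sw["portgroups"].items() if used > 0}


if __name__ == "__main__":
    sw = parse_vswitch_listing(SAMPLE_LISTING)
    print("vSwitch1 isolated:", protected_switch_is_isolated(sw, "vSwitch1"))  # True
    print("still in use on vSwitch0:", unprotected_portgroups_in_use(sw, "vSwitch0"))
```

On a real host, run `esxcfg-vswitch -l` and feed its output to parse_vswitch_listing in place of the sample. A protected vSwitch that reports any uplink, or a portgroup on the unprotected vSwitch with more ports in use than the service console and the agent's own interfaces account for, means some traffic is not going through the vShield agent at all.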

How does vShield Zones work with VMotion? Does it break the state of a connection?

Each vShield agent in a cluster shares information about the virtual machines being protected. When a virtual machine migrates from behind vShield-1 to behind vShield-2, vShield-1 passes the information for the virtual machine to vShield-2 providing continuous, uninterrupted protection. To use vShield Zones with VMotion, you must add an entry to the vCenter configuration file (vpxd.cfg) and restart the vCenter service. This is documented in the vShield Zones Administration Guide.

Can I save my vShield Zones configuration? Does this include my firewall rules?

Yes. You can back up the configuration of vShield Zones, including firewall rules, and restore the entire saved configuration later. You can also save your current firewall rules separately, so if a new rule set does not behave as expected you can restore a previous set of rules. These features are described in the vShield Zones Administration Guide.

Can I add my own port mappings for application awareness?

Yes. By using the Edit Port Mappings feature under the VM Flow tab at the datacenter level, you can define an application-port pair used by your organization. This feature is described in the vShield Zones Administration Guide.

Last updated 21-May-2009 6:00 pm