VMware

VMware vShield Zones Release Notes

vShield Zones 1.0 Update 2 | 03/15/2012 | Build 638154


vShield Zones is an application-aware firewall built for VMware vCenter Server integration. vShield Zones inspects client-server communications and inter-virtual-machine communication to provide detailed traffic analytics and application-aware firewall protection. vShield Zones is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.

These release notes contain the following sections:
  • What's New in This Release
  • Updating vShield Zones 1.0 Update 1 to 1.0 Update 2
  • Known Issues
  • Resolved Issues
  • Configuration Notes

What's New in This Release

vShield Zones 1.0 Update 2 adds usability enhancements, a new deployment option, and bug and security fixes.

Integration with Cisco Nexus 1000V Series Switches

  • Enables installation of vShield Zones virtual machines on Cisco Nexus 1000V Series switches.
  • Protects virtual machines on Nexus 1000V switches.
  • Participates in Virtual Service Domains.

Port Range Enforcement in VM Wall Rules

  • Enables identification of source and destination port ranges in VM Wall Layer 4 rules.
  • Enforces rules for dynamic services such as RPC and FTP.

Updating vShield Zones 1.0 Update 1 to 1.0 Update 2

vShield Zones updates are available as offline updates. When an update is made available, you can download the update to your PC, and then upload and install the update by using the vShield Manager user interface. For more on the update process, refer to the vShield Zones Administration Guide.

Known Issues

The following are known issues with vShield Zones:
  • vShield Agent Installation Fails
    If vShield agent installation fails during installation from the vShield Manager, check the following:
    • Can the vShield Manager MGMT interface communicate with the vShield MGMT interface? The vShield Manager must be able to communicate with the vShield to complete installation. If these two IP addresses cannot communicate, installation fails. If the vShield Manager MGMT interface has been tagged with a VLAN ID, then the vShield MGMT interface must also be tagged with this ID. You can specify the VLAN ID during vShield installation in the Specify associated VLAN ID (optional) field.
    • Is the vShield datastore available? During installation, you selected a datastore for the configuration file of the vShield. If the datastore is unavailable during installation, installation fails.
    • If installation fails for any other reason, there might be an issue with the vShield Manager when creating the initial configuration file of the new vShield. If you have checked the previous issues and installation fails, reboot the vShield Manager virtual appliance and retry vShield installation when the vShield Manager powers on. If installation fails after a reboot, contact technical support.

Resolved Issues

The following issues are resolved in this release:
  • vShield Manager Cross-Site Request Forgery vulnerability
    The vShield Manager interface had a Cross-Site Request Forgery vulnerability. This flaw allowed requests to be inadvertently forwarded to the server if the logged-on user was tricked into visiting a malicious link. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1514 to this issue.
  • CLI setup command does not accept 12-digit IP addresses (461186)
    The vShield Zones CLI setup command did not accept 12-digit IP addresses (for example, 192.168.101.100) in the IP Address field. If you entered a 12-digit IP address, the following error message was returned: Invalid, please enter again. This was documented in KB 1013964.
  • VM Wall does not allow addition of rules for /26 subnet and subnets /16 and below (469544)
    VM Wall did not allow addition of rules that specified a /26 subnet or a subnet of /16 and below.
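The release notes do not describe how the Cross-Site Request Forgery issue was fixed, so the following is an added, generic illustration rather than vShield Manager code: a synchronizer-token check of the kind a management UI applies to state-changing requests. A browser attaches the session cookie to any request a third-party page triggers, but that page cannot read a per-session token embedded in the legitimate UI's forms, so a request arriving without the correct token is rejected. The session store, request shape and handler name are all constructed for this example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, message)


class SessionStore:
    """Constructed in-memory session store: session id -> session data."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # A fresh, unguessable CSRF token is bound to the session at login.
        self._sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: Optional[str]) -> Optional[Dict[str, str]]:
        return self._sessions.get(sid) if sid else None


def csrf_token_for(store: SessionStore, sid: str) -> str:
    """Token the legitimate UI embeds in its own forms (same-origin only)."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    return session["csrf_token"]


def handle_state_change(store: SessionStore, request: dict) -> Response:
    """Process a state-changing request such as adding a firewall rule.

    `request` is a constructed dict with keys: method, cookies, form.
    Order of checks: authenticated session, POST only, token must match.
    """
    session = store.get(request.get("cookies", {}).get("session"))
    if session is None:
        return (401, "not authenticated")
    if request.get("method") != "POST":
        # State changes via GET are reachable from a plain link; refuse them.
        return (405, "state-changing actions require POST")
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "missing or invalid CSRF token")
    return (200, f"rule added by {session['user']}")


def demo() -> Tuple[int, int, int]:
    """Return the status codes for a legitimate, a forged and a GET request."""
    store = SessionStore()
    sid = store.create("admin")
    legitimate = {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"csrf_token": csrf_token_for(store, sid), "action": "add_rule"},
    }
    # Forged request: the browser still sends the session cookie, but the
    # originating page had no way to learn the token, so the field is absent.
    forged = {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"action": "add_rule"},
    }
    via_link = {"method": "GET", "cookies": {"session": sid}, "form": {}}
    return (
        handle_state_change(store, legitimate)[0],
        handle_state_change(store, forged)[0],
        handle_state_change(store, via_link)[0],
    )


if __name__ == "__main__":
    print(demo())  # (200, 403, 405)
```

The check is only as good as its coverage: every handler that changes state must require the token, and the token must never be placed in a URL where it can leak through logs or the Referer header. Checking the Origin or Referer header is a useful second layer, not a replacement for the token.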

Configuration Notes

Installation

  • Do Not Power On vShield Virtual Machine After Installation from OVF
    After installing the vShield OVF, do not power on the vShield virtual machine that was created. You must convert this virtual machine into a template. This template is referenced by the vShield Manager. vShield instances are powered on when installed from the vShield Manager.
  • Install VMware Tools on All vShield Zones Virtual Machines
    VMware Tools is a suite of utilities that improves the performance of guest operating systems and enhances virtual machine management. For best results, install VMware Tools in all of your vShield Zones virtual machines.
  • Installing vShield Zones in a vNetwork Distributed Switch Environment Requires Manual Installation
    If you plan to install vShield Zones in a vNetwork Distributed Switch environment, you must install each vShield agent instance manually. Refer to the vShield Zones Administration Guide.

Role and Permissions

  • vShield Manager UI User Accounts Are Not Linked to CLI User Accounts
    The default user account for the vShield Manager user interface is not linked to the default CLI user account for a vShield Zones virtual machine. These accounts are managed separately. Also, the default CLI user account is unique to each vShield Zones virtual machine.

vSphere Client Plug-in

  • Registering the vShield Manager as a vSphere Client Plug-in
    You can register the vShield Manager user interface as a vSphere Client plug-in. You must close your vSphere Client session before sending the plug-in request from the vShield Manager user interface.

VM Flow

  • Clicking Delete All Flows Deletes All Traffic Statistics Permanently
    If you click Delete All Flows from the VM Flow tab for a datacenter container, all traffic sessions for that container are deleted permanently. Typically, this option is only used when moving your vShield Zones deployment from a lab environment to a production environment. If you must maintain a history of traffic sessions, do not use this feature.