VMware vShield - 5.0 Quick Start Guide

vShield Quick Start Guide
vShield Manager 5.0
vShield App 5.0
vShield Edge 5.0
vShield Endpoint 5.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000695-01
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010, 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
2 VMware, Inc.

Contents

About this Book 5
1 Introduction to vShield 7
    vShield Components at a Glance 7
    Deployment Scenarios 10
2 Preparing for Installation 13
    System Requirements 13
    Deployment Considerations 14
3 Installing the vShield Manager 17
    Obtain the vShield Manager OVA File 17
    Install the vShield Manager Virtual Appliance 17
    Configure the Network Settings of the vShield Manager 18
    Log In to the vShield Manager User Interface 19
    Synchronize the vShield Manager with the vCenter Server 19
    Register the vShield Manager Plug-In with the vSphere Client 20
    Change the Password of the vShield Manager User Interface Default Account 20
4 Installing vShield Edge, vShield App, vShield Endpoint, and vShield Data Security 21
    Running vShield Licensed Components in Evaluation Mode 21
    Preparing Your Virtual Infrastructure for vShield App, vShield Edge, vShield Endpoint, and vShield Data Security 21
    Installing vShield Endpoint 24
    Installing vShield Data Security 25
5 Uninstalling vShield Components 27
    Uninstall a vShield App Virtual Appliance 27
    Uninstall a vShield Edge from a Port Group 27
    Uninstall a vShield Data Security Virtual Machine 28
    Uninstall a vShield Endpoint Module 28
6 Upgrading vShield 29
    Upgrade the vShield Manager 29
    Upgrade vShield App 30
    Upgrade vShield Edge 30
    Upgrade vShield Endpoint 30
    Upgrade vShield Data Security 31
Index 33

About this Book

This manual, the vShield Quick Start Guide, describes how to install and configure the VMware® vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and the command line interface (CLI). The information includes step-by-step configuration instructions and suggested best practices.
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology and virtual datacenter operations. This manual assumes familiarity with VMware Infrastructure 4.x, including VMware ESX, vCenter Server, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
Technical Support and Education Resources
The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

1 Introduction to vShield

This chapter introduces the VMware® vShield™ components you install.
This chapter includes the following topics:
- "vShield Components at a Glance," on page 7
- "Deployment Scenarios," on page 10

vShield Components at a Glance

VMware vShield is a suite of security virtual appliances built for VMware vCenter Server integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.
vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and a REST API.
vCenter Server includes vShield Manager. The following vShield packages each require a license:
- vShield App
- vShield App with Data Security
- vShield Edge
- vShield Endpoint
One vShield Manager manages multiple vShield App, vShield Edge, vShield Endpoint, and vShield Data Security instances.
- vShield Manager on page 8
  The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX™ host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.
- vShield App on page 8
  vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. You can create access control policies based on logical constructs such as VMware vCenter™ containers and vShield security groups—not just physical constructs such as IP addresses. In addition, flexible IP addressing offers the ability to use the same IP address in multiple tenant zones to simplify provisioning.
- vShield Edge on page 9
  vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
- vShield Endpoint on page 10
  vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.
- vShield Data Security on page 10
  vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

vShield Manager

The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX™ host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.
Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts & Clusters and Networks views.

vShield App

vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. You can create access control policies based on logical constructs such as VMware vCenter™ containers and vShield security groups—not just physical constructs such as IP addresses. In addition, flexible IP addressing offers the ability to use the same IP address in multiple tenant zones to simplify provisioning.
You should install vShield App on each ESX host within a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays network activity between virtual machines at the application protocol level. You can use this information to audit network traffic, define and refine firewall policies, and identify botnets.
Chapter 1 Introduction to vShield

vShield Edge

vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
    Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
    Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
    Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
Advanced vShield Edge Services
    Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
    Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
Figure 1-1. vShield Edge Installed to Secure a vDS Port Group

vShield Endpoint

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for agents in every virtual machine. This makes vShield Endpoint efficient in avoiding resource bottlenecks while optimizing memory use.
Figure 1-2. vShield Endpoint Installed on an ESX Host

vShield Data Security

vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

Deployment Scenarios

Using vShield, you can build secure zones for a variety of virtual machine deployments. You can isolate virtual machines based on specific applications, network segmentation, or custom compliance factors. Once you determine your zoning policies, you can deploy vShield to enforce access rules to each of these zones.
- Protecting the DMZ on page 11
  The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services within the DMZ might require access to services inside the internal network.
- Isolating and Protecting Internal Networks on page 11
  You can use a vShield Edge to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN.
- Protecting Virtual Machines in a Cluster on page 12
  You can use vShield App to protect virtual machines in a cluster.
- Common Deployments of vShield Edge on page 12
  You can use a vShield Edge to isolate a stub network, using NAT to allow traffic in and out of the network. If you deploy internal stub networks, you can use vShield Edge to secure communication between networks by using LAN-to-LAN encryption via VPN tunnels.
- Common Deployments of vShield App on page 12
  You can use vShield App to create security zones within a vDC. You can impose firewall policies on vCenter containers or Security Groups, which are custom containers you can create by using the vShield Manager user interface. Container-based policies enable you to create mixed trust zone clusters without requiring an external physical firewall.

Protecting the DMZ

The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services within the DMZ might require access to services inside the internal network.
You can place DMZ virtual machines in a port group and secure that port group with a vShield Edge. vShield Edge provides access services such as firewall, NAT, and VPN, as well as load balancing to secure DMZ services.
A common example of a DMZ service requiring an internal service is Microsoft Exchange. Microsoft Outlook Web Access (OWA) commonly resides in the DMZ cluster, while the Microsoft Exchange back end is in the internal cluster. On the internal cluster, you can create firewall rules to allow only Exchange-related requests from the DMZ, identifying specific source-to-destination parameters. From the DMZ cluster, you can create rules to allow outside access to the DMZ only to specific destinations using HTTP, FTP, or SMTP.
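The following added example (not VMware code and not the vShield rule engine or API) models the 5-tuple, first-match rule semantics described for the firewall service (protocol, source and destination IP ranges, port range) and applies them to the DMZ scenario above: only OWA may reach the Exchange back end on the internal cluster, and outside clients may reach the DMZ only over HTTP, FTP and SMTP, with an implicit default deny. All addresses, rule names and the port assumed for the Exchange-related traffic are constructed for illustration; stateful return-traffic handling is not modeled.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative model of 5-tuple rules as the guide describes them (protocol, source and
# destination IP ranges, destination port range, action). Added example code, not the
# vShield App or vShield Edge rule engine; all addresses below are constructed.
@dataclass
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_ports: range = range(0, 65536)  # destination port range; ignored for ICMP

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (proto == "icmp" or dst_port in self.dst_ports))

def evaluate(rules, proto, src_ip, dst_ip, dst_port=0):
    """First matching rule wins; no match falls through to an implicit default deny."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "deny", "default-deny"

# Constructed zones: 10.1.0.0/24 is the DMZ port group, 10.2.0.0/24 the internal
# cluster; OWA and the Exchange back end are single hosts inside them.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("10.1.0.0/24")
OWA = ipaddress.ip_network("10.1.0.10/32")
INTERNAL = ipaddress.ip_network("10.2.0.0/24")
EXCHANGE = ipaddress.ip_network("10.2.0.20/32")

# Internal cluster: only OWA may reach the Exchange back end (TCP 443 is an assumed
# port for the Exchange-related traffic); anything else from the DMZ is dropped.
INTERNAL_CLUSTER_RULES = [
    Rule("owa-to-exchange", "allow", "tcp", OWA, EXCHANGE, range(443, 444)),
    Rule("block-dmz-to-internal", "deny", "any", DMZ, INTERNAL),
]
# DMZ cluster: outside clients reach DMZ destinations only over HTTP, FTP and SMTP.
DMZ_CLUSTER_RULES = [
    Rule("outside-http", "allow", "tcp", ANY, DMZ, range(80, 81)),
    Rule("outside-ftp", "allow", "tcp", ANY, DMZ, range(21, 22)),
    Rule("outside-smtp", "allow", "tcp", ANY, DMZ, range(25, 26)),
]
```

Calling evaluate(DMZ_CLUSTER_RULES, "tcp", "198.51.100.7", "10.1.0.10", 3389) returns the default deny, while the same client on port 80 is allowed by "outside-http".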

Isolating and Protecting Internal Networks

You can use a vShield Edge to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN.
Within the secured port group, you can install a vShield App instance on each ESX host that the vDS spans to secure communication between virtual machines in the internal network.
If you utilize VLAN tags to segment traffic, you can use App Firewall to create smarter access policies. Using App Firewall instead of a physical firewall allows you to collapse or mix trust zones in shared ESX clusters. By doing so, you gain optimal utilization and consolidation from features such as DRS and HA, instead of having separate, fragmented clusters. Management of the overall ESX deployment as a single pool is less complex than having separately managed pools.
For example, you use VLANs to segment virtual machine zones based on logical, organizational, or network boundaries. Leveraging the Virtual Infrastructure SDK, the vShield Manager inventory panel displays a view of your VLAN networks under the Networks view. You can build access rules for each VLAN network to isolate virtual machines and drop untagged traffic to these machines.