vShield Quick Start Guide
vShield Manager 4.1.0 Update 1
vShield Zones 4.1.0 Update 1
vShield Edge 1.0.0 Update 1
vShield App 1.0.0 Update 1
vShield Endpoint 1.0.0 Update 1
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000375-01
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents
About This Book 5
1 Introduction to vShield 7
  vShield Components at a Glance 7
    vShield Manager 7
    vShield Zones 7
    vShield Edge 8
    vShield App 9
    vShield Endpoint 9
  Deployment Scenarios 10
    Protecting the DMZ 10
    Isolating and Protecting Internal Networks 10
    Protecting Virtual Machines in a Cluster 11
    Common Deployments of vShield Edge 11
    Common Deployments of vShield App 11
2 Preparing for Installation 13
  System Requirements 13
    Hardware 13
    Software 13
    Client and User Access 14
  Deployment Considerations 14
    Preparing Virtual Machines for vShield Protection 14
    vShield Manager Uptime 15
    Communication Between vShield Components 15
    Hardening Your vShield Virtual Machines 15
3 Installing the vShield Manager and vShield Zones 17
  Obtain the vShield Manager OVA File 17
  Install the vShield Manager Virtual Appliance 17
  Configure the Network Settings of the vShield Manager 18
  Log In to the vShield Manager User Interface 19
  Synchronize the vShield Manager with the vCenter Server 19
  Register the vShield Manager Plug-In with the vSphere Client 20
  Change the Password of the vShield Manager User Interface Default Account 20
  Install vShield Zones 20
  Where to Go Next 21
4 Installing vShield Edge, vShield App, and vShield Endpoint 23
  Running vShield in Evaluation Mode 23
  Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint 23
    Install vShield Component Licenses 24
    Prepare All ESX Hosts 24
    Prepare a vNetwork for Port Group Isolation 25
    Install a vShield Edge 25
  Installing vShield Endpoint 27
    vShield Endpoint Installation Workflow 27
    Install the Thin Agent on the Guest Virtual Machine 27
  Where to Go Next 28
Index 29
About This Book
The vShield Quick Start Guide provides information about installing VMware® vShield™ into your VMware Virtual Infrastructure environment.
Intended Audience
This book is intended for anyone who wants to install or use VMware vShield. The information in this book is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations. This book also assumes familiarity with VMware Virtual Infrastructure, including vCenter™ Server 4.x, VMware ESX™ 4.x, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
VMware Infrastructure Documentation
The following documents comprise the vShield 2.0 documentation set:
vShield Administration Guide
vShield Quick Start Guide
vShield API Programming Guide
You should also have access to the combined vCenter Server and ESX documentation set.
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to
http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction to vShield
This chapter introduces the VMware® vShield™ components you install.
The chapter includes the following topics:
“vShield Components at a Glance” on page 7
“Deployment Scenarios” on page 10
vShield Components at a Glance
VMware vShield is a suite of security virtual appliances built for VMware vCenter™ Server integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.
vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and a REST API.
vCenter Server includes vShield Manager and vShield Zones. The following vShield packages each require a license:
vShield Edge with Port Group Isolation
vShield App
vShield Endpoint
One vShield Manager manages multiple vShield Zones, vShield Edge, vShield App, and vShield Endpoint instances.
vShield Manager
The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX™ host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.
Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts & Clusters and Networks views.
vShield Zones
vShield Zones provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
Figure 1-1. vShield Edge Installed to Secure a vDS Port Group
vShield App
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, such as datacenters, clusters, resource pools, and vApps, or network objects, such as Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
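As an added illustration, not code from this guide or from vShield itself, the following Python sketch models how a container-based vShield App rule is expanded into the per-vNIC 5-tuple filters that actually match traffic. The inventory, addresses, and default-allow action are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory (not from the guide): vCenter containers, the
# VMs they hold, and the IP address on each VM's vNIC.
CONTAINERS = {
    "resourcepool:web": {"web-01", "web-02"},
    "resourcepool:db": {"db-01"},
    "portgroup:dmz": {"web-01", "web-02", "lb-01"},
}
VNIC_IP = {"web-01": "10.0.1.11", "web-02": "10.0.1.12",
           "lb-01": "10.0.1.5", "db-01": "10.0.2.21"}


def resolve(ref):
    """A container name expands to its members' vNIC addresses; anything
    else is taken as a literal address or CIDR, as in a plain 5-tuple rule."""
    if ref in CONTAINERS:
        return {ipaddress.ip_network(VNIC_IP[vm]) for vm in CONTAINERS[ref]}
    return {ipaddress.ip_network(ref, strict=False)}


def compile_rules(rules):
    """Expand container rules into ordered 5-tuple filters
    (src_net, dst_net, proto, dport_lo, dport_hi, action): one per address
    pair, which is what the per-vNIC filter actually matches on."""
    compiled = []
    for src, dst, proto, (lo, hi), action in rules:
        for s in resolve(src):
            for d in resolve(dst):
                compiled.append((s, d, proto, lo, hi, action))
    return compiled


def evaluate(filters, src_ip, dst_ip, proto, dport):
    """First matching filter wins; the default action (assumed) is allow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, p, lo, hi, action in filters:
        if src in s and dst in d and p in (proto, "any") and lo <= dport <= hi:
            return action
    return "allow"


# Constructed policy: only the web pool may reach the db pool on TCP 3306; all
# other traffic to the db pool is denied. Because the filter is attached to the
# vNIC, the rule keeps matching after a VM vMotions to another host.
RULES = [
    ("resourcepool:web", "resourcepool:db", "tcp", (3306, 3306), "allow"),
    ("0.0.0.0/0", "resourcepool:db", "any", (1, 65535), "deny"),
]
FILTERS = compile_rules(RULES)
```

Two container rules compile to three concrete filters here; the same policy written per address would need one rule per VM pair and would have to be revisited every time a VM is added to a pool.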
vShield Endpoint
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.
Figure 1-2. vShield Endpoint Installed on an ESX Host