Securing vCloud Using the vCloud Networking and Security App Firewall

by Prasenjit Sarkar | November 2013 | Enterprise Articles

In this article by Prasenjit Sarkar, author of the book VMware vCloud Security, we will focus on creating access control policies based on logical constructs such as VMware vCenter Server containers and VMware vCloud Networking and Security Security Groups, but not just physical constructs such as IP addresses.


Creating a vCloud Networking and Security App firewall rule

In this article, we will create a VMware vCloud Networking and Security App firewall rule that restricts inbound HTTP traffic destined for a web server:

  1. Open the vCloud Networking and Security Manager URL in a supported browser; the Manager can also be reached from the vCenter client.
  2. Log in to vCloud Networking and Security as admin.
  3. In the vCloud Networking and Security Manager inventory pane, go to Datacenters | Your Datacenter.
  4. In the right-hand pane, click on the App Firewall tab.
  5. Click on the Networks link.
  6. On the General tab, click on the + link.
  7. Point to the new rule Name cell and click on the + icon.
  8. In the rule Name panel, type Deny HTTP in the textbox and click on OK.
  9. Point to the Destination cell and click on the + icon.
  10. In the input panel, perform the following actions:
    1. Go to IP Addresses from the drop-down menu.
    2. At the bottom of the panel, click on the New IP Addresses link.
    3. In the Add IP Addresses panel, configure an address set that includes the web server.
    4. Click on OK.
  11. Point to the Service cell and click on the + icon.
  12. In the input panel, perform the following actions:
    1. Sort the Available list by name.
    2. Scroll down and go to the HTTP service checkbox.
    3. Click on the blue right-arrow to move the HTTP service from the Available list to the Selected list.
    4. Click on OK.
  13. Go to the Action cell and click on the + icon.
  14. In the input panel, click on Block and Log.
  15. Click on OK.
  16. Click on the Publish Changes button, located above the rules list, on the green bar.

In general, create firewall rules that meet your business needs. In addition, you might consider the following guidelines:

  • Where possible, when identifying the source and destination, take advantage of vSphere groupings in your vCenter Server inventory, such as the datacenter, cluster, and vApp. By writing rules in terms of these groupings, the number of firewall rules is reduced, which makes the rules easier to track and less prone to configuration errors.
  • If a vSphere grouping does not suit your needs because you need to create a more specialized group, take advantage of security groups. Like vSphere groupings, security groups reduce the number of rules that you need to create, making the rules easier to track and maintain.
  • Finally, set the action on the default firewall rules based on your business policy. For example, as a security best practice, you might deny all traffic by default. If all traffic is denied, vCloud Networking and Security App drops all incoming and outgoing traffic. Allowing all traffic by default makes your datacenter very accessible, but also insecure.
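The Deny HTTP rule and the three guidelines above can be put into a small working model. The following Python code is an added example written for this article, not code from the article or from VMware's product. It assumes a rule set is evaluated top to bottom with the first matching rule deciding the outcome, that destinations are named groupings (an address set or security group) rather than individual IP addresses, and that the last rule is the default rule whose action sets the datacenter's overall posture. The service table, group names, addresses and flows are all constructed for the example.

```python
"""Constructed model of a vCloud Networking and Security App-style firewall policy.

Assumptions (this example's, not the article's): rules are evaluated top to
bottom and the first match decides; a final default rule catches everything
else; services are named protocol/port pairs; a source or destination is
"any" or the name of a logical grouping (address set / security group).
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

# Named services, standing in for the entries selected in the Service cell.
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SSH": ("tcp", 22),
}

# Logical groupings in place of vSphere containers / security groups (constructed).
GROUPS = {
    "web-servers": ["10.0.1.0/28"],              # address set covering the web tier
    "mgmt-hosts": ["10.0.9.5/32", "10.0.9.6/32"],
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


class Rule(NamedTuple):
    name: str
    source: str        # group name or "any"
    destination: str   # group name or "any"
    service: str       # service name or "any"
    action: str        # "allow" or "block"
    log: bool = False  # "Block and Log" sets this to True


def in_group(ip: str, group: str) -> bool:
    """True when the address belongs to the named grouping ("any" matches all)."""
    if group == "any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in GROUPS[group])


def service_matches(flow: Flow, service: str) -> bool:
    if service == "any":
        return True
    proto, port = SERVICES[service]
    return flow.proto == proto and flow.dport == port


def evaluate(flow: Flow, rules: List[Rule], log: List[str]) -> Tuple[str, str]:
    """Return (action, matched rule name); append a log line when the rule logs."""
    for rule in rules:
        if (in_group(flow.src, rule.source)
                and in_group(flow.dst, rule.destination)
                and service_matches(flow, rule.service)):
            if rule.log:
                log.append(f"{rule.action.upper()} {rule.name}: "
                           f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
            return rule.action, rule.name
    raise RuntimeError("policy has no default rule")


# Rule order matters: the specific rules come first, the default rule last.
# Writing the destination as a group keeps this to one rule for the whole web tier.
POLICY = [
    Rule("Deny HTTP", "any", "web-servers", "HTTP", "block", log=True),
    Rule("Allow mgmt SSH", "mgmt-hosts", "any", "SSH", "allow"),
    Rule("Default", "any", "any", "any", "block"),   # deny-all default posture
]

if __name__ == "__main__":
    entries: List[str] = []
    samples = [
        Flow("203.0.113.7", "10.0.1.10", "tcp", 80),   # HTTP to a web server
        Flow("10.0.9.5", "10.0.1.10", "tcp", 22),      # SSH from a management host
        Flow("203.0.113.7", "10.0.1.10", "tcp", 443),  # nothing explicit: default
    ]
    for f in samples:
        print(f, "->", evaluate(f, POLICY, entries))
    print("\n".join(entries))
```

Changing the last rule's action to "allow" turns the same policy into the permissive posture the final guideline warns about: the HTTPS flow, which no explicit rule addresses, would then be allowed rather than dropped.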

vCloud Networking and Security App – flow monitoring

Flow monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that has passed through a vCloud Networking and Security App. The flow monitoring output shows which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports used.

Session details can be used to create firewall rules to allow or block traffic.

You can use flow monitoring as a forensic tool to detect rogue services and examine outbound sessions.

The main advantages of flow monitoring are:

  • You can easily analyze inter-VM traffic
  • Dynamic rules can be created right from the flow monitoring console
  • You can use it for debugging network-related problems, as you can enable logging for every individual virtual machine on an as-needed basis

You can view traffic sessions inspected by a vCloud Networking and Security App within the specified time span. The last 24 hours of data are displayed by default; the minimum time span is 1 hour, and the maximum is 2 weeks.

The bar at the top of the page shows the percentage of allowed traffic in green and blocked traffic in red.

Examining flow monitoring statistics

Let us examine the statistics for the Top Flows, Top Destinations, and Top Sources categories.

  1. Open the vCloud Networking and Security Manager URL in a supported browser.
  2. Log in to vCloud Networking and Security as admin.
  3. In the vCloud Networking and Security Manager inventory pane, go to Datacenters | Your Datacenter.
  4. In the right-hand pane, click on the Network Virtualization link.
  5. Click on the Networks link.
  6. In the networks list, click on the network where you want to monitor the flow.
  7. Click on the Flow Monitoring button.
  8. Verify that Flow Monitoring | Summary is selected.
  9. On the far right side of the page, across from the Summary and Details links, click on the Time Interval Change link.
  10. On the Time Interval panel, select the Last 1 week radio button and click on Update.
  11. Verify that the Top Flows button is selected.
  12. Use the Top Flows table to determine which flow has the highest volume of bytes and which flow has the highest volume of packets.
  13. Use the mouse wheel or the vertical scroll bar to view the graph.
  14. Point to the apex of three different colored lines and determine which network protocol is reported.
  15. Scroll to the top of the form and click on the Top Destinations button.
  16. Use the Top Destinations table to determine which destination has the highest volume of incoming bytes and which destination has the highest volume of packets.
  17. Use the mouse wheel or the vertical scroll bar to view the graph.
  18. Scroll to the top of the form and click on the Top Sources button.
  19. Use the Top Sources table to determine which source has the highest volume of bytes and which source has the highest volume of packets.
  20. Use the mouse wheel or the vertical scroll bar to view the graph.
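To make concrete what the Summary page computes in steps 11 to 20, and how session details feed back into firewall rules as noted under flow monitoring, here is an added Python example. It is not code from the article and does not read the product's data; it aggregates a handful of constructed session records into the Top Flows, Top Destinations and Top Sources rankings (each by bytes and by packets), computes the allowed/blocked share shown by the bar at the top of the page, and turns one session into a candidate rule. The record layout, addresses and volumes are constructed for the example.

```python
"""Constructed flow-monitoring summary (added example, not the product's format)."""
from collections import defaultdict
from typing import Callable, Dict, Hashable, List, NamedTuple, Tuple


class Session(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    octets: int     # bytes transferred in the session
    allowed: bool   # False when the App firewall blocked the session


# Constructed sessions for a one-hour window; not real traffic data.
SESSIONS = [
    Session("10.0.2.20", "10.0.1.10", "tcp", 443, 1200, 1_450_000, True),
    Session("10.0.2.21", "10.0.1.10", "tcp", 443, 800, 900_000, True),
    Session("203.0.113.7", "10.0.1.10", "tcp", 80, 40, 6_000, False),
    Session("10.0.2.20", "10.0.1.11", "tcp", 80, 3000, 300_000, True),
    Session("10.0.2.22", "10.0.1.12", "udp", 53, 50, 8_000, True),
    Session("10.0.2.20", "10.0.1.12", "udp", 53, 60, 9_000, True),
]


def top(sessions: List[Session], key: Callable[[Session], Hashable],
        n: int = 3) -> Tuple[List[Hashable], List[Hashable]]:
    """Group sessions by key and return the top n groups by bytes and by packets."""
    totals: Dict[Hashable, List[int]] = defaultdict(lambda: [0, 0])
    for s in sessions:
        t = totals[key(s)]
        t[0] += s.octets
        t[1] += s.packets
    by_bytes = sorted(totals, key=lambda k: totals[k][0], reverse=True)[:n]
    by_packets = sorted(totals, key=lambda k: totals[k][1], reverse=True)[:n]
    return by_bytes, by_packets


def top_flows(sessions: List[Session], n: int = 3):
    # A "flow" here is the (source, destination, protocol, port) tuple.
    return top(sessions, lambda s: (s.src, s.dst, s.proto, s.dport), n)


def top_destinations(sessions: List[Session], n: int = 3):
    return top(sessions, lambda s: s.dst, n)


def top_sources(sessions: List[Session], n: int = 3):
    return top(sessions, lambda s: s.src, n)


def allowed_blocked_ratio(sessions: List[Session]) -> Tuple[float, float]:
    """Share of allowed vs blocked sessions, the green/red bar (by session count here)."""
    total = len(sessions)
    allowed = sum(1 for s in sessions if s.allowed)
    return round(100 * allowed / total, 1), round(100 * (total - allowed) / total, 1)


def rule_from_session(s: Session, action: str = "block") -> Dict[str, str]:
    """Derive a candidate rule from one session, as the console lets you do."""
    return {"source": s.src, "destination": s.dst,
            "service": f"{s.proto}/{s.dport}", "action": action}


if __name__ == "__main__":
    for label, fn in [("Top Flows", top_flows),
                      ("Top Destinations", top_destinations),
                      ("Top Sources", top_sources)]:
        by_bytes, by_packets = fn(SESSIONS)
        print(f"{label}: by bytes {by_bytes}; by packets {by_packets}")
    print("allowed/blocked %:", allowed_blocked_ratio(SESSIONS))
    # The one blocked session becomes a rule proposal for review.
    print(rule_from_session(next(s for s in SESSIONS if not s.allowed)))
```

With this data the byte and packet rankings disagree for destinations: 10.0.1.10 carries the most bytes while 10.0.1.11 carries the most packets, which is why step 16 asks for both figures rather than one.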

Summary

In this article we learned how to create access control policies based on logical constructs such as VMware vCenter Server containers and VMware vCloud Networking and Security Security Groups, but not just physical constructs such as IP addresses.

About the Author :


Prasenjit Sarkar

Prasenjit Sarkar (@stretchcloud) is a senior member of technical staff at VMware Service Provider Cloud R&D, where he provides architectural oversight and technical guidance for designing, implementing, and testing VMware's Cloud datacenters. He is an author, R&D guy, and a blogger focusing on virtualization, Cloud computing, storage, networking, and other enterprise technologies. He has more than 10 years of expert knowledge in R&D, professional services, alliances, solution engineering, consulting, and technical sales with expertise in architecting and deploying virtualization solutions and rolling out new technologies and solution initiatives. His primary focus is on VMware vSphere Infrastructure and Public Cloud using VMware vCloud Suite. His aim is to own the entire life cycle of a VMware based IaaS (SDDC), especially vSphere, vCloud Director, vShield Manager, and vCenter Operations. He was one of the VMware vExperts of 2012 and is well known for his acclaimed virtualization blog http://stretch-cloud.info. He holds certifications from VMware, Cisco, Citrix, Red Hat, Microsoft, IBM, HP, and Exin. Prior to joining VMware, he served other fine organizations (such as Capgemini, HP, and GE) as a solution architect and infrastructure architect.
