Securing vCloud Using the vCloud Networking and Security App Firewall

VMware vCloud Security


October 2013


Creating a vCloud Networking and Security App firewall rule

In this article, we will create a VMware vCloud Networking and Security App firewall rule that restricts inbound HTTP traffic destined for a web server:

  1. Open the vCloud Networking and Security Manager URL in a supported browser. The Manager can also be accessed from the vCenter client.
  2. Log in to vCloud Networking and Security as admin.
  3. In the vCloud Networking and Security Manager inventory pane, go to Datacenters | Your Datacenter.
  4. In the right-hand pane, click on the App Firewall tab.
  5. Click on the Networks link.
  6. On the General tab, click on the + link.
  7. Point to the new rule Name cell and click on the + icon.
  8. In the rule Name panel, type Deny HTTP in the textbox and click on OK.
  9. Point to the Destination cell and click on the + icon.
  10. In the input panel, perform the following actions:
    1. Select IP Addresses from the drop-down menu.
    2. At the bottom of the panel, click on the New IP Addresses link.
    3. In the Add IP Addresses panel, configure an address set that includes the web server.
    4. Click on OK.
  11. Point to the Service cell and click on the + icon.
  12. In the input panel, perform the following actions:
    1. Sort the Available list by name.
    2. Scroll down and select the HTTP service checkbox.
    3. Click on the blue right-arrow to move the HTTP service from the Available list to the Selected list.
    4. Click on OK.
  13. Go to the Action cell and click on the + icon.
  14. In the input panel, click on Block and Log.
  15. Click on OK.
  16. Click on the Publish Changes button, located above the rules list, on the green bar.

In general, create firewall rules that meet your business needs. In addition, you might consider the following guidelines:

  • Where possible, when identifying the source and destination, take advantage of vSphere groupings in your vCenter Server inventory, such as the datacenter, cluster, and vApp. By writing rules in terms of these groupings, the number of firewall rules is reduced, which makes the rules easier to track and less prone to configuration errors.
  • If a vSphere grouping does not suit your needs because you need to create a more specialized group, take advantage of security groups. Like vSphere groupings, security groups reduce the number of rules that you need to create, making the rules easier to track and maintain.
  • Finally, set the action on the default firewall rules based on your business policy. For example, as a security best practice, you might deny all traffic by default. If all traffic is denied, vCloud Networking and Security App drops all incoming and outgoing traffic. Allowing all traffic by default makes your datacenter very accessible, but also insecure.

vCloud Networking and Security App – flow monitoring

Flow monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that passed through a vCloud Networking and Security App. The flow monitoring output shows which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports used.

Session details can be used to create firewall rules to allow or block traffic.

You can use flow monitoring as a forensic tool to detect rogue services and examine outbound sessions.

The main advantages of flow monitoring are:

  • You can easily analyze inter-VM traffic
  • Dynamic rules can be created right from the flow monitoring console
  • You can use it for debugging network-related problems, because you can enable logging for each individual virtual machine on an as-needed basis

You can view traffic sessions inspected by a vCloud Networking and Security App within the specified time span. The last 24 hours of data are displayed by default; the minimum time span is 1 hour, and the maximum is 2 weeks.

The bar at the top of the page shows the percentage of allowed traffic in green and blocked traffic in red.

Examining flow monitoring statistics

Let us examine the statistics for the Top Flows, Top Destinations, and Top Sources categories.

  1. Open the vCloud Networking and Security Manager URL in a supported browser.
  2. Log in to vCloud Networking and Security as admin.
  3. In the vCloud Networking and Security Manager inventory pane, go to Datacenters | Your Datacenter.
  4. In the right-hand pane, click on the Network Virtualization link.
  5. Click on the Networks link.
  6. In the networks list, click on the network where you want to monitor the flow.
  7. Click on the Flow Monitoring button.
  8. Verify that Flow Monitoring | Summary is selected.
  9. On the far right side of the page, across from the Summary and Details links, click on the Time Interval Change link.
  10. On the Time Interval panel, select the Last 1 week radio button and click on Update.
  11. Verify that the Top Flows button is selected.
  12. Use the Top Flows table to determine which flow has the highest volume of bytes and which flow has the highest volume of packets.
  13. Use the mouse wheel or the vertical scroll bar to view the graph.
  14. Point to the apex of three different colored lines and determine which network protocol is reported.
  15. Scroll to the top of the form and click on the Top Destinations button.
  16. Use the Top Destinations table to determine which destination has the highest volume of incoming bytes and which destination has the highest volume of packets.
  17. Use the mouse wheel or the vertical scroll bar to view the graph.
  18. Scroll to the top of the form and click on the Top Sources button.
  19. Use the Top Sources table to determine which source has the highest volume of bytes and which source has the highest volume of packets.
  20. Use the mouse wheel or the vertical scroll bar to view the graph.
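
The rankings behind the Top Flows, Top Destinations, and Top Sources views, and the rogue-service check mentioned under flow monitoring, worked through offline as an added example (not code from the book or from VMware). The CSV column layout, the addresses, and the EXPECTED_SERVICES policy are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample; the column layout is an assumption, not a product export format.
SAMPLE_FLOWS = """\
source,destination,protocol,port,direction,action,sessions,packets,bytes
10.0.1.15,10.0.2.20,TCP,80,in,block,12,340,48200
10.0.1.15,10.0.2.20,TCP,443,in,allow,40,9100,7340000
10.0.1.22,10.0.2.30,TCP,3306,in,allow,8,2100,910000
10.0.2.20,203.0.113.9,TCP,6667,out,allow,3,15000,120000
10.0.1.22,10.0.2.20,TCP,443,in,allow,5,700,512000
10.0.2.30,10.0.2.20,TCP,8081,in,allow,2,60,9000
"""

# Assumed policy: the only services each server is expected to offer.
EXPECTED_SERVICES = {"10.0.2.20": {("TCP", 443)}, "10.0.2.30": {("TCP", 3306)}}

def load_flows(text):
    """Parse the CSV text into dicts with integer counters."""
    numeric = ("port", "sessions", "packets", "bytes")
    return [{k: int(v) if k in numeric else v for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def top(flows, key_fields, metric, n=3):
    """Rank flows grouped by key_fields on 'bytes' or 'packets', highest first."""
    totals = Counter()
    for f in flows:
        totals[tuple(f[k] for k in key_fields)] += f[metric]
    return totals.most_common(n)

def blocked_percent(flows):
    """Share of sessions that were blocked (the red part of the summary bar)."""
    total = sum(f["sessions"] for f in flows)
    blocked = sum(f["sessions"] for f in flows if f["action"] == "block")
    return round(100 * blocked / total, 1) if total else 0.0

def rogue_services(flows, expected):
    """Allowed inbound flows to a service the destination should not be offering."""
    return sorted({(f["destination"], f["protocol"], f["port"]) for f in flows
                   if f["direction"] == "in" and f["action"] == "allow"
                   and (f["protocol"], f["port"]) not in expected.get(f["destination"], set())})

if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    print("Top destinations by bytes:", top(flows, ("destination",), "bytes"))
    print("Top destinations by packets:", top(flows, ("destination",), "packets"))
    print("Blocked sessions (%):", blocked_percent(flows))
    print("Rogue services:", rogue_services(flows, EXPECTED_SERVICES))
```

In the sample, the top destination by bytes and the top destination by packets differ, which is why the steps above ask for both. Each entry returned by rogue_services is a candidate for a block rule on that destination and port.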

Summary

In this article, we learned how to create access control policies based on logical constructs such as VMware vCenter Server containers and VMware vCloud Networking and Security security groups, not just on physical constructs such as IP addresses.
