VMware vCloud Security

Product type Book
Published in Oct 2013
Publisher Packt
ISBN-13 9781782170969
Pages 114 pages
Edition 1st Edition
Chapter 2. Securing Your vCloud Using the vCloud Networking and Security App Firewall

The general, well-accepted approach to securing IT is to employ a layered approach—shown in the following figure—often referred to as defense-in-depth. Physical datacenters have traditionally been protected using a combination of hardware appliances external to the system and agents that run within a system's operating system.

The use of technologies such as firewalls, Intrusion Prevention Systems (IPS), and Intrusion Detection Systems (IDS) greatly enhances the corporate security posture when they are deployed and managed effectively. Including them is critical to the corporate IT defense-in-depth strategy mentioned earlier.

Without a doubt, this is one of the most important aspects of a security and defense-in-depth strategy. The term defense-in-depth has been used extensively in a myriad of security papers over the years in one way or another, but the key message is still the same—providing multiple levels...

vCloud Networking and Security App Firewall – use case


vCloud Networking and Security App helps you overcome the challenges of securing the interior of your virtual datacenter.

The vCloud Networking and Security App Firewall consists of three components plus vCloud Networking and Security Manager, which provides centralized management for all vCloud Networking and Security products.

Within the context of vCloud Networking and Security App Firewall, the vCloud Networking and Security Manager is a centralized management console that allows users to perform the following activities:

  • Defining firewall policies to control the traffic in/out of the environment

  • Defining SpoofGuard policies

  • Defining Namespace configuration (also known as realm)

  • Viewing the historical flow data going in/out of the environment

  • Managing the lifecycle of the vCloud Networking and Security App appliance

The three components of vCloud Networking and Security App Firewall are as follows:

  • The vCloud Networking and Security dvFilter...

vCloud Networking and Security App – communication flow


Let us look at the communication flow between the various actors in a vCloud Networking and Security deployment, such as vCloud Networking and Security Manager, the vSphere Client, the REST API, and the vCloud Networking and Security App appliance. The following diagram shows the ports used and the way the communication happens:

SSH access to vCloud Networking and Security Manager is disabled by default, so you cannot manage it over SSH unless you explicitly enable it. As a best practice, you should also segment vCloud Networking and Security Manager traffic from non-management traffic. vCloud Networking and Security Manager handles the bulk of management communications for vCloud Networking and Security, including vCloud Networking and Security App. Downloading and uploading files, such as flow monitoring files from vCloud Networking and Security App appliances to vCloud Networking and Security Manager, is done over the ESXi host's local link, 127.0.0.1.

Now let us look at typical...

Installing vCloud Networking and Security App


The next task is to install vCloud Networking and Security App on each ESXi host that you want to protect in your vSphere environment. vCloud Networking and Security App uses vCloud Networking and Security Manager 5.1. To install a vCloud Networking and Security App instance on an ESXi host, we will add a management port group for the vCloud Networking and Security instances to use, install vCloud Networking and Security App on each host, and verify that the functions specific to vCloud Networking and Security App, such as flow monitoring and security groups, are enabled.

The following figure is a typical vCloud Networking and Security App deployment model:

You need to install vCloud Networking and Security App on each ESXi host that has virtual machines that you want to protect. As a prerequisite, you need to verify that you have a unique IP address for the management port of each vCloud Networking and Security App appliance...

vCloud Networking and Security App – firewall management


vCloud Networking and Security App comes with a distributed firewall that can protect all workloads from network threats. You can apply segmentation to either containers or individual workloads. vCloud Networking and Security App becomes effective once the vCloud Networking and Security Manager plugin is installed in the vCenter Server and the vCloud Networking and Security App agent is installed on the ESXi host, where it uses the VMsafe API for hypervisor-level protection.

vCloud Networking and Security App provides a centralized and hierarchical firewall service for ESXi hosts. Because vCloud Networking and Security App interfaces with each VM's virtual NIC (network interface card), you can create access control policies regardless of network topology. All traffic in and out of an ESXi host, including traffic between virtual machines in the same port group, will be monitored by your vCloud Networking and Security App because vCloud Networking and...

vCloud Networking and Security App – flow monitoring


Flow monitoring is a traffic analysis tool that provides a detailed view of the traffic on your virtual network that passed through a vCloud Networking and Security App. The flow monitoring output shows which machines are exchanging data and which application they are using. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports used.

Session details can be used to create firewall rules to allow or block traffic.

You can use flow monitoring as a forensic tool to detect rogue services and examine outbound sessions.

The main advantages of flow monitoring are:

  • You can easily analyze inter-VM traffic

  • Dynamic rules can be created right from the flow monitoring console

  • You can use it for debugging network-related problems, because you can enable logging for each individual virtual machine on an as-needed basis

You can view traffic sessions...
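The two ideas above, group-based rules enforced independently of network topology and flow-monitoring sessions used to find unmatched or rogue traffic, can be tied together in a small triage routine. This is an added example, not code from the book or from the vCloud Networking and Security product: the security groups, allow rules, and flow records are all constructed here, and the field names are assumptions rather than the product's export format.

```python
from collections import defaultdict

# Constructed security groups: group name -> member VM names (hypothetical).
SECURITY_GROUPS = {"web-tier": {"web-01", "web-02"}, "db-tier": {"db-01"}}

# Constructed allow rules: (source group, destination group, destination port).
# "any" matches every endpoint; the first matching rule covers the flow.
ALLOW_RULES = [("any", "web-tier", 443), ("web-tier", "db-tier", 3306)]

# Constructed flow-monitoring summaries (assumed field names, not the
# product's export format): one record per source/destination/port triple.
FLOWS = [
    {"src": "client-7", "dst": "web-01", "port": 443, "sessions": 120, "bytes": 9_800_000},
    {"src": "web-01", "dst": "db-01", "port": 3306, "sessions": 300, "bytes": 2_100_000},
    {"src": "web-02", "dst": "db-01", "port": 22, "sessions": 4, "bytes": 15_000},
    {"src": "db-01", "dst": "203.0.113.9", "port": 6667, "sessions": 2, "bytes": 800},
    {"src": "db-01", "dst": "203.0.113.9", "port": 6667, "sessions": 3, "bytes": 1_200},
]

def group_of(vm):
    """Security group containing the VM, or None for endpoints outside the inventory."""
    return next((g for g, members in SECURITY_GROUPS.items() if vm in members), None)

def is_allowed(flow):
    """True when some allow rule covers the flow. Matching is by security group,
    so the decision does not depend on where the VM sits in the network."""
    for src_g, dst_g, port in ALLOW_RULES:
        src_ok = src_g == "any" or group_of(flow["src"]) == src_g
        dst_ok = dst_g == "any" or group_of(flow["dst"]) == dst_g
        if src_ok and dst_ok and flow["port"] == port:
            return True
    return False

def triage(flows):
    """Aggregate flows not covered by policy into candidate rules for review.
    Returns {(src, dst, port): {"sessions", "bytes", "external"}}; 'external'
    marks traffic to an endpoint in no security group, the kind of outbound
    session the chapter says flow monitoring is used to examine."""
    candidates = defaultdict(lambda: {"sessions": 0, "bytes": 0, "external": False})
    for f in flows:
        if is_allowed(f):
            continue
        entry = candidates[(f["src"], f["dst"], f["port"])]
        entry["sessions"] += f["sessions"]
        entry["bytes"] += f["bytes"]
        entry["external"] = group_of(f["dst"]) is None
    return dict(candidates)
```

Each entry returned by `triage` is a ready-made rule tuple with the session and byte counts behind it, so an operator can decide whether to allow it or block it, and the `external` flag singles out the sessions worth a closer forensic look.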

Summary


We have successfully installed and configured vCloud Networking and Security App, which is a hypervisor-based firewall that protects applications from network-based attacks.

vCloud Networking and Security App works with vSphere to provide protection, no matter where a virtual machine resides in a cluster. Virtual machines can be excluded from vCloud Networking and Security App protection.

We also learned that vCloud Networking and Security App firewall controls traffic based on the security group that contains vSphere objects in addition to network objects. We have also learned about flow monitoring, which is a traffic analysis tool that provides a detailed view of the traffic that passes through a vCloud Networking and Security App.

In the next chapter, we will talk about VMware vShield Endpoint and how we can use it to protect your cloud workloads from virus attacks. We will describe the benefits of vShield Endpoint and show how to monitor vShield Endpoint health status.
