vSphere Security: A Tour of the vSphere vShield Suite
By Jason Nash
One area of confusion for many VMware administrators is the VMware vShield suite of technologies. In fact, many do not even realize they have part of this suite included with their Advanced, Enterprise, or Enterprise Plus license. To be honest, and fair to the aforementioned administrators, VMware isn’t always clear in their messaging about vShield.
So let’s go through what the vShield suite offers and how you can take advantage of it in your environment.
The vShield suite is a complementary set of technologies. At first glance they may appear to overlap, but they do not. The suite is made up of the following products:
- vShield Manager
- vShield Zones
- vShield App
- vShield Edge
- vShield Endpoint
Let’s take a look at each one of these.
The first thing we need to talk about is how you manage all these pieces and parts. Thankfully, VMware provides a single management and control appliance for vShield, and that is vShield Manager. You just deploy a Linux-based appliance and you’re ready. From vShield Manager you deploy, configure, and monitor all other vShield pieces via a simple web interface.
The first one is vShield Zones, and many of you probably already have licenses for this as it’s included in vSphere Advanced, Enterprise, and Enterprise Plus. It’s a very powerful and easy-to-use virtual firewall. Ever wanted to be able to firewall virtual machines from each other or from other physical systems? This is for you! It’s simple and effective.
vShield Zones allows you to define access rules using standard 5-tuple rule sets. The five fields of the tuple are:
- Source Address
- Destination Address
- Source Port
- Destination Port
- Protocol
When you deploy vShield Zones to a vSphere host a “service VM” is installed. That VM is the gatekeeper for traffic flowing in and out of the system and it is what applies the security policies. It’s lightweight and not something you have to manage, but it does use some resources.
The only downside to vShield Zones is that the rule sets are all IP based. You may be saying “Well, yeah… it’s a firewall, right?” but wouldn’t it be nice if you could define rule sets against logical collections of VMs?
If you answered “Yes!” to that question then you should look at vShield App. vShield App isn’t really another product; it’s an enhancement to vShield Zones. You purchase licenses on a per-VM basis, apply them in vCenter, and that turns vShield Zones into vShield App. With that you get some really cool features.
First, you can now define rule sets against logical groups of VMs. These can be groups that you create, maybe a set of VMs with similar applications and security requirements, or use other existing groupings such as vApp. This way you can create one ruleset and apply it to many VMs based on business or application requirements, not just IP addresses or subnet ranges.
Second, you get a lot more insight into what your VMs are doing on the network. vShield App shows you which protocols are flowing across your virtual switches, traffic levels, and other really useful information if you want to see what your VMs are doing. It takes vShield Zones to the next level.
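To make the difference between the two rule styles concrete, here is an added example (not vShield code, and not tied to the vShield Manager interface) that models a 5-tuple rule set of the kind vShield Zones uses and then binds rule endpoints to named groups of VMs, which is the idea behind vShield App. The group names, VM addresses and policy are all constructed for the example; the point it demonstrates is that a VM added to a group is covered by the existing rules without any IP-based rule being edited.

```python
"""Model of 5-tuple firewall rules whose endpoints can be VM groups.

Added illustration, not vShield code: rule format, group names, VM
addresses and the policy below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# A flow is the classic 5-tuple: protocol, source address, source port,
# destination address, destination port.
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Rule:
    """One rule. `src`/`dst` are a group name, a CIDR string, or "any".

    A port of None means "any port"; proto "any" matches every protocol.
    """
    src: str
    dst: str
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "allow"  # "allow" or "deny"


# Constructed group membership: rules bind to these logical collections of
# VMs rather than to the addresses themselves.
GROUPS: Dict[str, Set[str]] = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "db": {"10.0.2.20"},
}


def _endpoint_matches(spec: str, addr: str, groups: Dict[str, Set[str]]) -> bool:
    """True if `addr` is covered by `spec` (group name, CIDR, or "any")."""
    if spec == "any":
        return True
    if spec in groups:
        return addr in groups[spec]
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


def rule_matches(rule: Rule, flow: Flow, groups: Dict[str, Set[str]]) -> bool:
    """Check every field of the 5-tuple against the rule."""
    proto, src, sport, dst, dport = flow
    return (
        (rule.proto == "any" or rule.proto == proto)
        and _endpoint_matches(rule.src, src, groups)
        and _endpoint_matches(rule.dst, dst, groups)
        and _port_matches(rule.sport, sport)
        and _port_matches(rule.dport, dport)
    )


def evaluate(rules: List[Rule], flow: Flow, groups: Dict[str, Set[str]]) -> str:
    """First matching rule wins; a flow no rule covers is denied by default."""
    for rule in rules:
        if rule_matches(rule, flow, groups):
            return rule.action
    return "deny"


# Constructed policy: the web tier may reach the database tier on TCP/3306,
# one jump host may SSH anywhere, and everything else is dropped.
POLICY: List[Rule] = [
    Rule(src="web", dst="db", proto="tcp", dport=3306),
    Rule(src="192.168.100.5/32", dst="any", proto="tcp", dport=22),
    Rule(src="any", dst="any", action="deny"),
]


def with_member(groups: Dict[str, Set[str]], group: str, addr: str) -> Dict[str, Set[str]]:
    """Return a copy of `groups` with `addr` added to `group` (new VM deployed)."""
    updated = {name: set(members) for name, members in groups.items()}
    updated.setdefault(group, set()).add(addr)
    return updated


if __name__ == "__main__":
    new_web_vm: Flow = ("tcp", "10.0.1.12", 40000, "10.0.2.20", 3306)
    print("before joining group:", evaluate(POLICY, new_web_vm, GROUPS))
    print("after joining group: ",
          evaluate(POLICY, new_web_vm, with_member(GROUPS, "web", "10.0.1.12")))
```

Run as a script it shows the same flow being denied while the new VM is outside the "web" group and allowed once it is a member, with the rule list untouched. Note that the policy is directional: the reverse flow from the database VM to the web VM does not match the first rule, so it falls through to the final deny.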
While vShield Zones and App provide VM or application level network security, Edge moves out to the perimeter. Maybe you need to separate environments or have a multi-tenant configuration, and that’s where Edge comes in. Edge provides this segmentation while also providing “common services” to the VMs inside the perimeter. These services are:
- Network Address Translation (NAT)
- Site-to-Site VPN
- Web Load-balancing
- Stateful Firewalling
While it’s easy to see how this applies to a multi-tenant solution, such as a managed service provider with many customers, it can also be used by a single organization with internal groups that have different security requirements and need separation.
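Of the Edge services listed above, stateful firewalling is the one whose behaviour is easiest to misjudge from a rule list alone, because a stateful gateway admits return traffic on the strength of a connection it has already seen rather than on a separate rule. The following added example (not vShield Edge code; the inside network, the outbound policy and the packets are constructed) models a perimeter gateway that tracks flows in a state table, lets inside VMs initiate only the connections policy allows, admits replies to those connections, and drops unsolicited inbound traffic.

```python
"""Connection-tracking model of a stateful perimeter firewall.

Added illustration, not vShield Edge code. The tenant network, the
outbound policy and all packets below are constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

# A packet is summarised by its 5-tuple: proto, src, sport, dst, dport.
Flow = Tuple[str, str, int, str, int]

INSIDE = ip_network("10.10.0.0/16")  # constructed tenant network behind the edge

# Constructed policy: hosts inside may open HTTPS and DNS to the outside.
# Nothing may be initiated from outside, and no other outbound service is allowed.
ALLOWED_OUTBOUND: Set[Tuple[str, int]] = {("tcp", 443), ("udp", 53)}


def reverse(flow: Flow) -> Flow:
    """The 5-tuple a reply to `flow` will carry."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


class StatefulFirewall:
    def __init__(self) -> None:
        # Flows the gateway has admitted, keyed by the initiating direction.
        self.table: Dict[Flow, str] = {}

    def process(self, flow: Flow) -> str:
        proto, src, sport, dst, dport = flow

        # 1. Part of a connection already in the state table, in either direction.
        if flow in self.table or reverse(flow) in self.table:
            return "allow:established"

        # 2. A new connection: only inside -> outside, and only if policy permits.
        src_inside = ip_address(src) in INSIDE
        dst_inside = ip_address(dst) in INSIDE
        if src_inside and not dst_inside and (proto, dport) in ALLOWED_OUTBOUND:
            self.table[flow] = "established"
            return "allow:new"

        # 3. Everything else (unsolicited inbound, disallowed outbound) is dropped.
        return "deny"

    def close(self, flow: Flow) -> None:
        """Forget a connection, e.g. on TCP teardown or idle timeout."""
        self.table.pop(flow, None)
        self.table.pop(reverse(flow), None)


if __name__ == "__main__":
    fw = StatefulFirewall()
    out: Flow = ("tcp", "10.10.5.5", 51000, "203.0.113.8", 443)
    print("client SYN:      ", fw.process(out))
    print("server reply:    ", fw.process(reverse(out)))
    print("stranger inbound:", fw.process(("tcp", "198.51.100.1", 40000, "10.10.5.5", 22)))
```

The reply is admitted only because its 5-tuple is the exact mirror of a tracked flow; an inbound packet from the same server to a different source port is treated as unsolicited and dropped, which is what distinguishes a stateful edge from a stateless access list that would need a permanent "allow 443 inbound" rule to let replies through.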
Endpoint has been the forgotten vShield component, mainly because it’s not really a product or something you can just implement and use. Think of it like vStorage APIs. By themselves they don’t really do much but pair them with a good 3rd party application and you get some really cool functionality.
vShield Endpoint provides hypervisor-level guest security. What I mean by that is that you can provide anti-malware, deep packet inspection, intrusion detection/prevention, etc. to a guest operating system without installing complex agents inside those VMs. Instead, as data moves through the hypervisor it is inspected and permitted or denied. It does this by using a “service VM” installed on each vSphere host, very much like vShield Zones/App.
What 3rd party tools take advantage of this? Right now the most popular is Trend Micro’s Deep Security that provides anti-malware, DPI, and anti-virus protection to VMs. While making the administrator’s life simpler by not having to deploy complex agents to each VM it also helps to GREATLY reduce resources. By using these tools you can cut the resources required for this protection by 50% over doing it the old way with agents. Wow! Think about what that means for a really dense VDI environment!
Get Started with the vSphere vShield Suite
Hopefully this helps demystify the vShield suite for you. The key thing to remember is that they are a complementary set of products and technologies. You can deploy these in a layered approach to apply very configurable security policies. While not everyone needs all of the components, you can pick and choose exactly what you want.
In my new vSphere Security Training we look at these components and dive deep into vShield Manager, vShield Zones, vShield Endpoint, and Trend Micro’s Deep Security.
About the Author
Jason Nash (VCP4, CISSP, RHCE, CCNP, VCDX #49) has over 15 years of industry experience and is currently the Data Center Solutions Principal at Varrow, a leader in virtualization, storage, and DR located in the southeast. Before Varrow, Jason was a Platform Architect at a large investment bank where he helped to develop the organization’s IT strategy. He has published several books on networking, Windows, and Linux. Jason was designated a vExpert by VMware and holds a BS in Networking Technology and an MS in Information Security.
Author's Website: http://jasonnash.wordpress.com/