Installation and configuration
Using the 14-day free trial, I downloaded the single 248 MB file in Open Virtualization Archive (OVA) format. The file can be imported directly into VirtualCenter as a virtual machine using VMware Converter (although version 3.0.3 or higher is required). (Helpful tip: download the installation guide. It provides an excellent step-by-step guide to installing and configuring the product.) Once I completed the steps in the VMware Converter import wizard, the import process took only a few minutes to complete. I then logged in to VirtualCenter.
The VMC appliance is configured for 1 GB of RAM and a 4 GB virtual disk file. It runs on Red Hat Linux and uses a MySQL database located on the appliance to store its data. Once I powered up the VM, it booted to the following screen so I could begin the setup configuration.
I entered 'OK' to begin the setup and then typed 'B' for the basic setup. The first part of the setup was for the network configuration. It attempted to auto-detect network settings (presumably to use DHCP) and after it failed to find a DHCP server it prompted me for an IP address, Netmask, default gateway, management interface name (en0) and DNS server.
The next part of the setup was to configure the optional SSH access so that the setup helper could be accessed remotely. If you choose to enable this, you must set a password for the default "reflex" user.
Next, you'll be prompted to enter a username for the administrative account; these are the credentials used to log in to the VMC client. Once this is configured, additional users can be configured using the GUI.
The last part of the setup process involves configuring a support label, which is the common name for the VMC server. You can choose to accept the default of "vsc" or enter your own name. After the confirmation prompt for applying the new settings, the configuration is written and you'll be back at the default welcome screen. At this point the server is ready to go.
I then loaded my Web browser and entered the IP address that I assigned to the VMC appliance during the configuration. The page that displayed looks almost identical to the default Web access page for an ESX host or VC server.
The next step is to create a template on an ESX host that can be used to deploy Virtual Security Appliance (VSA) virtual machines on every ESX host. From the welcome page, I downloaded the 2 K configuration (vmx) and 24 MB disk file (vmdk) for the Virtual Security Appliance onto my PC so I could use Converter again to load them on the ESX host. A VSA is required on every ESX host that is to be monitored by VMC. I then fired up Converter again, selected the VMX file as my source, ignored the warning about configuring the source image, accepted the default settings, chose my VC server as a destination, selected an ESX server, gave it a name (Reflex VSA Template), selected a datastore (shared storage is preferred so all ESX hosts can see it), left the four configured NICs the way they were (they are configured later) and made sure the setting for powering on the VM afterwards was not selected.
The Converter import took less than a minute. Afterward, the VM was loaded onto the ESX host. I selected the VM in the VMware Infrastructure Client and chose the option to convert it to a template. The final step is to download the 72 MB VMC Client to my PC. This is the client that is used to log in to and manage the VMC application. I ran the installation, accepted the licensing agreement, selected an install directory and the client installed. I then loaded the client and the login window appeared.
After providing the login credentials that I entered as part of the initial setup, I was connected to the VMC server and the main screen was presented with a blank topology as shown below.
Adding VirtualCenter to Virtualization Management Center
Before you can begin using VMC, you need to add your VirtualCenter server to it so it can discover your environment. I clicked the Administration button at the top of the screen and then selected VMS (Virtual Management Server) and hit the Add button.
Once it added my server, it harvested all the environment information from VirtualCenter. When I went back to the topology view and clicked the Refresh button, the network topology of my environment displayed. At this point, you should download the user guide, which takes over where the installation guide leaves off and provides information on using the product. Start to finish, the entire installation is very quick. It took less than 30 minutes to install and configure.
Navigating Virtualization Management Center
The default Logical view shows your VMs grouped by cluster and networking regardless of which server in the cluster they reside on. This view abstracts the physical hosts that make up the virtual environment and shows only the virtual network. If you have a lot of ESX hosts, this can result in a large number of objects being displayed. Using the mouse scroll wheel, I was able to zoom in and out of the map. After reading the documentation I discovered that you can also hold down the right mouse button to move the map around.
You can choose an option to optimize the logical view; doing this groups together common object types and collapses the elements. You can also switch to the Inventory view, which shows individual components and provides the ability to drill down into the virtualization host. This view differs from the Logical view in that it shows the relationship of the virtual objects to their physical hosts.
Along the bottom of the screen is a slide bar that provides the ability to see any changes that have occurred in your environment over a period of time. Revisions are automatically created when there are changes to the virtual inventory or changes to the guest VMs. This allows you to look at things like changes to vSwitch configurations or VM NIC changes. One great feature is the ability to send alerts for configuration changes. Currently with ESX you can't limit access to vSwitches, but with VMC you can at least configure alerts to let you know when someone has plugged a VM into a vSwitch.
Deploying the analyzer on your host VMs
The next step, which provides the ability to monitor and protect VMs, is to deploy the VSA on the hosts that have VMs that you wish to monitor. There are two ways this can be done: The first is using an Inline mode that inserts VSA between selected virtual machines and the network by creating a set of shadow switches and port groups. After selecting this mode, VMC will create a background job to deploy VSA and move the desired VM to a new protected virtual network. No loss of connectivity will occur during this process. This mode must be used if blocking or policy enforcement is desired.
In Inline mode, a new internal-only vSwitch is created without any NICs. The VSA is then connected to this vSwitch and the original vSwitch. The same port groups for the VMs are created on the internal-only vSwitch. Finally, the VMs are moved to the new internal-only vSwitch. All network traffic must now route through the VSA to get to the VMs. Normally this would cause VMotion to fail, because VMotion does not work if a VM is plugged into an internal-only vSwitch. There is, however, a VirtualCenter configuration parameter (VMOnVirtualIntranet set to false) that can be added to the vpxd.cfg file to allow this. I didn't see any mention of this parameter in the documentation but I did find it in the online knowledgebase.
The second method is to use the Monitor mode. It requires no virtual network configuration changes and provides monitoring and alerting, only without the ability to block attacks as they happen. After you select a deployment mode you provide network configuration for the VSA appliance. The VSA is then deployed to the host server, automatically configured and then powered on.
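The Inline mode wiring described above can be treated as a set of invariants and audited. The following is an added example, not code from Reflex or from the original article: the inventory layout, the names `vSwitch0-shadow` and `reflex-vsa`, and the function `audit_inline` are all hypothetical, and the sample host is constructed.

```python
# Constructed host inventory (not VMC or VirtualCenter output): each vSwitch
# lists its physical uplinks and, per port group, the VMs plugged into it.
HOST = {
    "vSwitch0": {"uplinks": ["vmnic0"],
                 "portgroups": {"Production": ["reflex-vsa"], "DMZ": ["web03"]}},
    "vSwitch0-shadow": {"uplinks": [],
                        "portgroups": {"Production": ["reflex-vsa", "web01", "db01"]}},
}

def audit_inline(host, original, shadow, vsa, protected):
    """Return findings where the host departs from the Inline mode layout."""
    findings = []
    orig, shad = host[original], host[shadow]
    # The shadow vSwitch must be internal-only: no physical NICs.
    if shad["uplinks"]:
        findings.append(f"{shadow} has uplinks {shad['uplinks']}")
    # The VSA must be connected to both the shadow and the original vSwitch.
    for name, sw in ((original, orig), (shadow, shad)):
        if not any(vsa in vms for vms in sw["portgroups"].values()):
            findings.append(f"{vsa} is not connected to {name}")
    # Assumption: every original port group is mirrored on the shadow vSwitch.
    for pg in sorted(set(orig["portgroups"]) - set(shad["portgroups"])):
        findings.append(f"port group {pg} missing on {shadow}")
    # Protected VMs may only be plugged into the shadow vSwitch.
    for sw_name, sw in host.items():
        if sw_name == shadow:
            continue
        for pg, vms in sw["portgroups"].items():
            for vm in sorted(set(vms) & set(protected)):
                findings.append(f"{vm} bypasses {vsa} via {sw_name}/{pg}")
    # Flag protected VMs that are absent from the shadow vSwitch entirely.
    on_shadow = {vm for vms in shad["portgroups"].values() for vm in vms}
    for vm in sorted(set(protected) - on_shadow):
        findings.append(f"{vm} is not on {shadow}")
    return findings

if __name__ == "__main__":
    for line in audit_inline(HOST, "vSwitch0", "vSwitch0-shadow",
                             "reflex-vsa", ["web01", "db01", "web03"]):
        print(line)
```

Run against the constructed host, the audit reports `web03` still attached to the original vSwitch, where its traffic does not pass through the VSA.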
Using Virtualization Management Center's features
Once you've deployed the VSA you can start using the many other features that this product provides. I was initially a bit overwhelmed by the granularity that the product can be configured for, but after using it for a while I became more comfortable. One of the first things I did was activate an alert for large ping packets. I then configured a PC to send 64 K ping packets to a VM and saw the alerts start to appear in the VMC console. Because I was in monitor mode it would only alert and not block the traffic.
Next I moved a VM from one port group on a vSwitch to another. I then ran a VM events report and saw that it picked up on the change and provided detailed information on it. I then configured an email alert filtering on the vnic.network keyword and changed the port again and it sent me an email right away as shown below. This is a very useful feature for being alerted when your virtual networking configuration changes.
There is a lot more that you can do with this product and I have barely scratched the surface of its capabilities. I look forward to getting more experience with it and exploring some of its more advanced features and functionality. Overall I found that the product was extremely easy to set up and configure. Getting comfortable with it can take some time as the interface is not entirely intuitive, but once you have used the product for a while it becomes much easier to use. The few technical questions that I had on using the product were quickly answered by Reflex Security's support group. If you're looking for a security product to help monitor and protect your virtual networks I recommend that you check Virtual Security Center out.
ABOUT THE AUTHOR: Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forum and maintains VMware-land.com, a VI3 information site.
This was first published in October 2008