VMware vShield 5, the latest version of the company’s security suite, launched with the release of vSphere 5 in August. Before you get started using VMware vShield 5, it’s important to learn about
Seven things you need to know about vShield 5 (before you install it)
Here are seven things you need to know about VMware vShield, if you’ve never used any version of it before. (If you’re interested in upgrading to VMware vShield 5 from your current version, jump ahead to my list of new features.) Understanding the basics of VMware vShield is the first step toward installing it.
1. VMware vShield is really a suite made up of vShield App, vShield App with Data Security, vShield Edge, vShield Endpoint and vShield Manager. You can buy pieces of it in a “vShield bundle,” since not everyone needs all the components.
2. VMware vShield is one of the required components for building a VMware private cloud, because it provides the isolation that secure multi-tenancy depends on: each tenant gets its own firewall and NAT boundary (vShield Edge), so multiple organizations can share one virtual infrastructure, and that same perimeter carries the connections that join clouds together.
3. VMware vShield Manager is a virtual appliance used to manage vShield App, Edge and Endpoint.
4. VMware vShield App is a hypervisor-based firewall that controls traffic on the virtual network. It enforces its rules at the virtual network card (vNIC) level, so a VM is protected regardless of how port groups and VLANs are laid out. VMware calls it application-aware, but be clear about what that means: rules and flow monitoring are expressed in terms of named application services such as HTTP, SMTP and SQL, which vShield App identifies by protocol and port (Layer 4), not by inspecting application payloads the way a Layer 7 proxy would. Even better, because the filter is attached to the vNIC, the rules follow VMs as they move from host to host with, say, vMotion.
If you use vShield App, there is a new option for it called vShield App Data Security. Rather than inspecting network traffic, it scans the files inside your guest VMs (using the same introspection path as vShield Endpoint) against policies for regulated data such as credit card numbers, employee records and other personal information, and reports where that data is stored. Treat it as a discovery and reporting tool: it tells you where sensitive data has ended up, and acting on the report is up to you.
5. VMware vShield Edge protects the perimeter of the virtual infrastructure and connects private virtual infrastructures to public clouds to create hybrid clouds. Whereas vShield App protects inside the virtual network, vShield Edge controls what goes in and out of the network.
6. VMware vShield Endpoint offers integration with third-party antivirus tools, allowing you to offload antivirus scanning from the VMs to a security-specific VM. If you are using desktop virtualization, vShield Endpoint is an excellent way to offload tasks that would otherwise tax VM performance.
7. You may also be wondering about VMware vShield Zones. This component was around before the rest of the VMware security suite. vShield Zones is a basic virtual firewall that uses IP addresses and port numbers to filter traffic on the virtual network -- a much more basic form of vShield App.
Unlike all the other VMware vShield security products, Zones isn’t sold separately. It is included with vSphere Enterprise and Enterprise Plus licenses. However, vShield Zones was released in 2009 and hasn’t been updated since. Version 1.0 is compatible with vSphere 5, but since it would appear VMware isn’t releasing many updates to it, I recommend bypassing Zones and starting with App, Edge and Endpoint.
Top 5 features in VMware vShield 5
Aside from its compatibility with vSphere 5, there are numerous new features in VMware vShield 5.
1. VMware vShield App with Data Security lets you scan guest VMs across the virtual infrastructure to find sensitive data and report where it's stored. It ships with policies for regulations such as PCI DSS, which makes it a practical way to find cardholder data that has strayed outside the systems you meant to keep in scope; it doesn't, by itself, stop that data from leaving.
2. Support for multi-tenancy: vShield Edge provides NAT, so tenants can use overlapping IP address ranges behind their own Edge.
3. Enhanced security groupings for more granular control.
4. Improved overall performance.
5. VMware vShield Manager offers an improved user interface.
Downloading and installing VMware vShield 5
Whether you are using vShield App or Edge, you must first install the vShield Manager. From there, you can install, configure and maintain the various pieces that make up VMware vShield 5. You can manage VMware security features through the vSphere Client plug-in, the vShield Manager web interface, the appliance console or the REST API, but you first need the vShield Manager up and running to deploy vShield.
You can access the installed vShield Manager through your Web browser to perform initial configuration. Note that the default vShield Manager username and password are "admin" and "default", and the same password unlocks the privileged (enable) mode of the console. Change both as soon as the appliance is on the network: anyone who can reach the web interface or REST API knows these values.
The basic process for installing vShield Manager is:
- Download vShield Manager from VMware.com (a 60-day evaluation is available with vSphere 5).
- Deploy the vShield Manager virtual appliance through the vSphere Client (connected to vCenter).
- Power on the vShield Manager VM.
- Connect to the vShield Manager console through the vSphere Client and log in.
- In the console, run the enable command (the default enable password is also "default"), then run setup and answer the prompts for the appliance's IP address, subnet mask, default gateway and DNS servers.
- Connect your Web browser to the vShield Manager VM.
- Tell vShield Manager about your vCenter server by providing your vCenter host name/IP and vCenter administrative credentials.
- Register the vShield Manager plug-in with the vSphere Client.
Now you are ready to install vShield Edge, App, Endpoint or vShield App Data Security. You'll need license keys for each of these VMware security components, or you'll have to use evaluation keys. Note that the components are deployed at different scopes: vShield App (and the Endpoint service VM) is installed on each ESXi host you want to protect, while vShield Edge is deployed per network segment (port group) at the boundary you want to protect, not per host.
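Because every vShield Manager ships with the same admin/default credentials, it is worth checking after deployment that they no longer work. The script below is an added example for this article, not VMware's tooling: it probes the manager's REST API with the factory credentials over HTTPS basic auth and reports whether they were accepted. It assumes that /api/2.0/global/config is the read-only global configuration endpoint of the vShield 5 REST API and that the hostnames are yours; verify the path against your manager's API guide before relying on it.

```shell
#!/bin/sh
# Post-install check: does a vShield Manager still accept the factory
# admin/default credentials? Added example, not VMware's tooling.
# Assumption: /api/2.0/global/config is the read-only global configuration
# endpoint of the vShield 5 REST API (HTTP basic auth); adjust if yours differs.

VSM_DEFAULT_USER=admin
VSM_DEFAULT_PASS=default
VSM_API_PATH=/api/2.0/global/config

# Issue a basic-auth GET and print only the HTTP status code.
# curl prints 000 when the host cannot be reached or the TLS handshake fails.
vsm_probe() {
    curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
        -u "$2:$3" "https://$1$VSM_API_PATH"
}

# Map a status code to a verdict. 200 means the factory password opened
# the API; 401/403 means the manager rejected it.
classify_status() {
    case $1 in
        200)     echo "FAIL: factory credentials admin/default still accepted" ;;
        401|403) echo "PASS: factory credentials rejected" ;;
        000)     echo "UNKNOWN: manager unreachable" ;;
        *)       echo "UNKNOWN: unexpected HTTP status $1" ;;
    esac
}

# Check one manager; returns 1 on FAIL so the result can gate automation.
check_default_creds() {
    verdict=$(classify_status "$(vsm_probe "$1" "$VSM_DEFAULT_USER" "$VSM_DEFAULT_PASS")")
    echo "$1: $verdict"
    case $verdict in FAIL*) return 1 ;; esac
    return 0
}

# Usage: sh vsm-default-creds.sh vsm1.example.test vsm2.example.test
if [ $# -gt 0 ]; then
    rc=0
    for host in "$@"; do
        check_default_creds "$host" || rc=1
    done
    [ $rc -eq 0 ] || echo "one or more managers still use factory credentials" >&2
fi
```

Run it from a host that is allowed to reach the manager's HTTPS interface. A PASS only tells you the factory password is gone; it says nothing about the strength of the replacement or about the certificate, which is still self-signed until you replace it.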
For a nice video on how to install vShield App, see Eric Sloof’s video on this topic.
This was first published in November 2011