VShield is VMware's suite of security products, designed to provide built-in protection for ESX and ESXi.
The first product in this line was vShield Zones, which was part of the initial vSphere launch and provided basic virtual networking security. Since then, VMware has upgraded vShield Zones into a suite of products:
- vShield Manager, which helps centralize management of vShield;
- vShield App, which provides additional virtual network security;
- vShield Edge, which offers security and gateway services to isolated virtual machines (VMs); and
- vShield Endpoint, which provides guest OS antivirus protection with a small footprint.
This suite, vShield 4.1, supports VMsafe application programming interfaces (APIs), which means that you don't need a vShield agent VM running inline to protect VMs on an isolated vSwitch. Instead of protection at the vSwitch level, vShield can now protect at the level of virtual network interface cards (NICs).
The new product line is impressive, but also more complex, and it can be difficult to understand each product and how each relates to the others. In this installment of our vShield series, let's look more closely at vShield Manager, Zones and App.
Deployed as a virtual appliance, vShield Manager manages the entire vCenter Server infrastructure and vShield components, which includes vShield agents that are deployed to each host.
VShield Manager supports High Availability and Distributed Resource Scheduler, so it can be moved from host to host. Once deployed, vShield Manager can be administered through a Web interface, a vCenter Server plug-in, command-line interface or even scripting, thanks to the Representational State Transfer (REST) API.
The REST API uses secure HTTP requests to make remote procedure calls through vShield Manager to create, modify or delete objects in vShield. It can also help automate the deployment of vShield.
VShield Zones provides basic virtual network firewalling for network traffic to and from virtual machines. It is deployed as a loadable kernel module (LKM) and virtual appliance to each host.
VShield Zones serves as an application-layer firewall for VM traffic based on definable policies. There are two types of rules that can be defined, which are based on the standard Open Systems Interconnection model: Layer 4 rules (the Transport Layer) and Layers 2 and 3 rules (Data Link/Network layers). Layer 4 rules can be configured on data center, cluster or port group objects. Layer 2/3 rules, on the other hand, can be set only on data center objects.
VShield Zones is both an IP-based, stateful firewall and an application-layer gateway. Layer 4 firewall rules are defined and enforced based on a sequence of five elements (a 5-tuple):
- source IP address;
- destination IP address;
- source port;
- destination port; and
- protocol (TCP or User Datagram Protocol).
A broad range of destination application protocols can be configured, as well. Firewall rules are enforced in top-to-bottom order. Think of firewall rules as a spreadsheet list: once the firewall encounters traffic that matches a rule, it stops and applies that rule, ignoring every rule below it, even if a later rule would also match.
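As an added illustration (not code from this article or from VMware), here is a small Python model of the Layer 4 evaluation just described: rules are 5-tuples checked top to bottom, the first match wins, and a narrower deny placed below a broader allow never fires. The rule names, addresses and the `shadowed_rules` check are constructed for this example and go slightly beyond the text by flagging rules that ordering has made unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration of first-match 5-tuple rule evaluation. Rule and field
# names are this example's own; nothing here is vShield code.

ANY = None  # wildcard: matches every value in that field


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]     # IP address or CIDR, or ANY
    dst: Optional[str]     # IP address or CIDR, or ANY
    sport: Optional[int]   # source port, or ANY
    dport: Optional[int]   # destination port, or ANY
    proto: Optional[str]   # "tcp" or "udp", or ANY
    action: str            # "allow" or "deny"


def _ip_match(pattern: Optional[str], addr: str) -> bool:
    if pattern is ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _exact_match(pattern, value) -> bool:
    return pattern is ANY or pattern == value


def rule_matches(rule: Rule, flow: Tuple[str, str, int, int, str]) -> bool:
    src, dst, sport, dport, proto = flow
    return (_ip_match(rule.src, src) and _ip_match(rule.dst, dst)
            and _exact_match(rule.sport, sport) and _exact_match(rule.dport, dport)
            and _exact_match(rule.proto, proto))


def evaluate(rules: List[Rule], flow, default: str = "deny") -> Tuple[str, Optional[str]]:
    """Top-to-bottom, first match wins; later matching rules are never consulted."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, None


def _covers(a, b, is_ip: bool = False) -> bool:
    """True when every value matched by pattern b is also matched by pattern a."""
    if a is ANY:
        return True
    if b is ANY:
        return False
    if is_ip:
        net_a = ipaddress.ip_network(a, strict=False)
        net_b = ipaddress.ip_network(b, strict=False)
        return net_b.subnet_of(net_a)
    return a == b


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because a single earlier rule covers all five fields.
    Returns (shadowed rule name, name of the rule that shadows it)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src, True) and _covers(earlier.dst, later.dst, True)
                    and _covers(earlier.sport, later.sport) and _covers(earlier.dport, later.dport)
                    and _covers(earlier.proto, later.proto)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set: the broad allow on top hides the narrower deny below it.
EXAMPLE_RULES = [
    Rule("web-in", ANY, "10.0.1.0/24", ANY, 443, "tcp", "allow"),
    Rule("block-lab-web", "10.0.2.0/24", "10.0.1.0/24", ANY, 443, "tcp", "deny"),
    Rule("default-deny", ANY, ANY, ANY, ANY, ANY, "deny"),
]
LAB_TO_WEB = ("10.0.2.5", "10.0.1.10", 50000, 443, "tcp")  # constructed flow

if __name__ == "__main__":
    print(evaluate(EXAMPLE_RULES, LAB_TO_WEB))        # ('allow', 'web-in')
    print(shadowed_rules(EXAMPLE_RULES))              # [('block-lab-web', 'web-in')]
    # Moving the specific deny above the broad allow gives the intended result.
    reordered = [EXAMPLE_RULES[1], EXAMPLE_RULES[0], EXAMPLE_RULES[2]]
    print(evaluate(reordered, LAB_TO_WEB))            # ('deny', 'block-lab-web')
```

The `shadowed_rules` check only catches a rule hidden entirely by one earlier rule; a rule hidden by the combined effect of several earlier rules needs a fuller analysis, but this simple case is the one that most often slips into a long, spreadsheet-style list.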
VShield App isn't really a separate product. Rather, vShield Zones turns into vShield App after applying an upgrade license key. It provides additional features and enhanced protection, including:
- Traffic between VMs can be inspected for flows that detail applications and protocols that are in use throughout the virtual infrastructure. Flow monitoring output defines the machines that are exchanging data, and over which application. This data includes the sessions, packets, and bytes transmitted per session. Session details include the sources, destinations, direction of sessions, applications and ports being used. Session details can be used to create App Firewall (vShield App's firewall) allow or deny rules.
- Security groups can be used to group relevant VMs by virtual NICs. After a security group is defined, it can be added to a firewall rule for protection.
- SpoofGuard authorizes the IP addresses reported by VMware Tools, and it can alter them, if necessary, to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of VMs collected from the VMX files and vSphere SDK. SpoofGuard operates separately from the App Firewall rules.
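Added example, not vShield's own code or output: a Python sketch of what flow monitoring aggregates (sessions, packets and bytes per client, server and application), how one session summary can be turned into a candidate App Firewall rule, and a SpoofGuard-style comparison of the IP address reported by VMware Tools against the address authorized for the trusted MAC. The packet records, MAC/IP pairs, the port-to-application table and the client/server orientation heuristic are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed per-packet records as a vNIC-level flow monitor might see them:
# (src_ip, dst_ip, src_port, dst_port, proto, bytes). Sample values only.
PACKETS = [
    ("10.0.2.5", "10.0.1.10", 51000, 443, "tcp", 517),
    ("10.0.1.10", "10.0.2.5", 443, 51000, "tcp", 4096),
    ("10.0.2.5", "10.0.1.10", 51000, 443, "tcp", 200),
    ("10.0.2.5", "10.0.1.10", 51001, 443, "tcp", 517),
    ("10.0.1.10", "10.0.2.5", 443, 51001, "tcp", 2048),
    ("10.0.3.7", "10.0.1.10", 40000, 3389, "tcp", 1200),
]

# Assumed port-to-application labels; not vShield's own application table.
APP_BY_PORT = {22: "ssh", 53: "dns", 443: "https", 3389: "rdp"}


@dataclass
class Session:
    client: str
    server: str
    client_port: int
    server_port: int
    proto: str
    packets: int = 0
    bytes_total: int = 0


def _orient(pkt):
    """Assumed heuristic: the end holding the well-known (or lower) port is the server."""
    src, dst, sport, dport, proto, size = pkt
    if dport in APP_BY_PORT or (sport not in APP_BY_PORT and dport < sport):
        return src, dst, sport, dport, proto, size
    return dst, src, dport, sport, proto, size


def build_sessions(packets) -> Dict[Tuple, Session]:
    """Group packets in both directions into one session per 5-tuple."""
    sessions: Dict[Tuple, Session] = {}
    for pkt in packets:
        client, server, cport, sport, proto, size = _orient(pkt)
        key = (client, server, cport, sport, proto)
        s = sessions.setdefault(key, Session(client, server, cport, sport, proto))
        s.packets += 1
        s.bytes_total += size
    return sessions


def summarize(sessions) -> Dict[Tuple[str, str, str, int, str], Dict[str, int]]:
    """Roll sessions up to (client, server, app, port, proto) with session, packet and byte counts."""
    out = defaultdict(lambda: {"sessions": 0, "packets": 0, "bytes": 0})
    for s in sessions.values():
        app = APP_BY_PORT.get(s.server_port, "unknown")
        row = out[(s.client, s.server, app, s.server_port, s.proto)]
        row["sessions"] += 1
        row["packets"] += s.packets
        row["bytes"] += s.bytes_total
    return dict(out)


def candidate_rule(summary_key, action: str = "allow") -> dict:
    """Turn one observed client/server/application row into a 5-tuple rule proposal."""
    client, server, app, port, proto = summary_key
    return {"src": client, "dst": server, "sport": None, "dport": port,
            "proto": proto, "action": action, "comment": app}


def spoofguard_check(authorized: Dict[str, Set[str]],
                     reported: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (mac, ip) pairs where the IP reported by the guest is not one
    authorized for that MAC. The MAC is trusted (it comes from the VMX/SDK);
    the IP is what the guest claims, so an unknown MAC is also flagged."""
    return [(mac, ip) for mac, ip in reported if ip not in authorized.get(mac, set())]


if __name__ == "__main__":
    summary = summarize(build_sessions(PACKETS))
    for key, counts in summary.items():
        print(key, counts)
    print(candidate_rule(("10.0.2.5", "10.0.1.10", "https", 443, "tcp")))
    # Constructed MAC/IP data: the second VM reports an address it is not authorized for.
    authorized = {"00:50:56:aa:bb:01": {"10.0.2.5"}, "00:50:56:aa:bb:02": {"10.0.1.11"}}
    reported = [("00:50:56:aa:bb:01", "10.0.2.5"), ("00:50:56:aa:bb:02", "10.0.1.10")]
    print(spoofguard_check(authorized, reported))   # [('00:50:56:aa:bb:02', '10.0.1.10')]
```

The session rows are what you would review before turning observed traffic into allow rules; the SpoofGuard-style check is deliberately kept separate from the rule logic, mirroring the text's point that it operates independently of the App Firewall rules.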
Once you upgrade to vShield App, the Zones Firewall link on the admin tab changes to App Firewall, and the Security Groups, SpoofGuard and Flow Monitoring links become active.
Stay tuned for part two of our vShield series, which discusses vShield Endpoint and Edge, as well as vShield licensing.
This was first published in February 2011