In mid-2010, VMware revamped vShield into a security suite that protects virtual infrastructure. Part one of this series covered vShield Manager, Zones and App; part two focused on vShield Edge and Endpoint and vShield licensing costs. Now part three explains how to install vShield Manager, a virtual security appliance.
Implementing VMware vShield begins with the installation of vShield Manager, which can control security for an entire vCenter environment (but not for other vCenter Server instances.)
Installing vShield Manager
VShield Manager is available as a 550 MB download from VMware's website, and it's packaged as a virtual appliance that contains every vShield component. To start, deploy the Open Virtualization Appliance (OVA) file by clicking File, then Deploy OVF Template. Select the vShield OVA file and complete the wizard by providing the following information:
- a name for the virtual machine (VM);
- the host for it to reside on; and
- a data store and network for the virtual network interface card in the vShield Manager to which to map.
The network-mapping part of the wizard displays nonservice/management console and non-VMkernel networks. So if you have only one network on your vSwitches, the wizard will choose it automatically, without offering alternatives.
For maximum security, place vShield Manager on an isolated management network that has connectivity to vCenter Server and every vShield agent VM on the secured hosts. Also, you shouldn't use the same port group as the host's service/management console or VMkernel.
Configuring vShield Manager
Once the virtual security appliance has been deployed, power it on and configure the network information. The default username is admin, and the password is default. After logging in, enter Enabled mode (which is a more privileged mode that's similar to su) by typing enable. The default password for Enabled mode is also default. Type setup and enter the requested network information, then log out and log back in to make the changes take effect.
Next, test the network connectivity by pinging the default gateway. Through a Web browser, navigate to the IP address that you entered for vShield Manager and log in to the vShield interface. The login username and password is the same as the command-line interface (admin and default), but note that the vShield interface is a separately maintained account.
Sync vShield Manager with vCenter Server by entering the vCenter Server information on the Configuration tab. This action enables vShield Manager to read the initial inventory (i.e., hosts, VMs, clusters, virtual network interface cards) from the vCenter Server, and it also keeps them synchronized.
The last step is to register the vShield Manager plug-in with the vSphere client. You can manage vShield by connecting directly to vShield Manager through the Web user interface (UI), but it's much easier to use the vShield Client.
To enable this capability, click Register on the Configuration tab, then close the vSphere Client. Once you restart it, you will see tabs for vShield on the Datacenter, Cluster, Host and Port Group objects. You can also access the Web user interface within vCenter Server by selecting the homepage and clicking the vShield icon, under Solutions and Applications.
The next section will cover how to install vShield Zones and vShield App.