
Quick tips for managing vShield Zones

There are a number of gotchas that can occur if you don't set up vShield Zones correctly, but you can avoid them with these pointers.

VMware addressed the growing virtual machine (VM) security concern with two vSphere releases: VMsafe and vShield Zones. While VMsafe's application programming interfaces are designed to help third-party vendors create virtualization security products that better secure VMware ESX, vShield Zones is a security tool that targets the VMware administrator.

vShield Zones is essentially a virtual firewall designed to protect VMs and analyze virtual network traffic. This three-part series describes vShield Zones, explains how to install it and provides useful management tips.

If you opt to use vShield Zones, you should be aware of its usage limitations; it is not as polished a product as, for example, VMware Data Recovery, and there are a variety of areas in which a new vSphere administrator could use some pointers. In this article, I've listed what I've discovered so far to ease your experience using vSphere in its current release.

This is the final installment of a three-part series on vShield Zones. If you're just joining us, you may also want to read part one, an overview of vShield Zones, and part two, installing and configuring vShield Zones.

VMware Tools
The vSphere Client will report that VMware Tools is not installed on the vShield Manager and agent virtual machines (VMs). Do not attempt to install VMware Tools on those VMs: it is not required, and the performance optimization that VMware Tools provides is already built into the vShield Zones VMs.

Memory and CPU reservations
The agents are not true privileged VMs but should be treated as such. While they have memory reservations by default, they do not have CPU reservations. Consider using shares or reservations to guarantee CPU resources for the agents.

VMkernel and service consoles
vShield Zones was built to protect virtual machines, not the VMkernel or service console. Do not install an agent on a service console or VMkernel vSwitch.

Pre-installed network interface cards
Do not remove the pre-installed network interface cards (NICs) from either the vShield Manager or the agent VMs. If you do remove and add NICs on a vShield agent you must uninstall the vShield Zones agent and reinstall it. If you remove the NICs from a vShield Manager you may have to reinstall your entire vShield Zones deployment to ensure communication between vShield agents and the vShield Manager. Do not reconfigure the hardware or decrease the allotted resources of a vShield Zones Manager or agent VM as they have already been optimized for vCenter Server.

VMs protected by vShield are supported by VMotion, but you must first make sure you have an agent on the host that you are moving the VM to and that your port groups have matching configurations. By default you cannot VMotion a VM connected to an internal-only (no NICs) vSwitch, so you must configure vCenter Server to allow this by editing the vpxd.cfg file and adding a VMOnVirtualIntranet parameter (details on how to do this are in the vShield Zones administration guide appendix).

The vShield agents do not support VMotion, but the vShield Manager does. You do not want the vShield agents to move to other hosts, so be sure to disable Distributed Resource Scheduler and High Availability (HA) on the individual vShield agent VMs. You can't run Data Protection Manager on hosts that are running vShield agents (see the vShield release notes for more information on this).

Local and shared disks
The vShield Manager and agent VMs can be installed to local disk or shared disk. It's best to install the manager to a shared disk if possible so you can leverage VMotion and HA. Since the agents cannot be moved from the host, it's best to install them to local disk if you can.

vSwitch disruptions
When deploying vShield agents your VMs will not be disrupted as they are moved from one vSwitch to another. In my testing I only saw one missed response while doing a continuous ping on a VM during the agent deployment operation.

Demilitarized zones (DMZs)
vShield Zones gives you more options and better protection when designing a DMZ environment on your hosts. An upcoming VMware white paper will cover architectural options that you can use when utilizing vShield Zones in a DMZ configuration.

If the vShield Manager or agents are powered off...
If the vShield Manager is powered off it will not affect the vShield agent operation or the protected VMs. In the event the vShield Manager is unavailable for some time, each vShield agent can queue data and send it to the vShield Manager once it is available. If a vShield agent is powered off, however, all VMs in the protected zone will lose network connectivity. It is a good idea to limit who can access and control the agent VM in vCenter Server and to set the VM for automatic startup when the host is rebooted or powered on.

vSphere Client plug-in
There is a vSphere Client plug-in available for vShield Zones, but all it does is launch the Web interface.

Virtual switches and distributed virtual switches
vShield Zones supports both standard virtual switches, also known as vSwitches, and Distributed vSwitches. The agent install will automatically configure standard vSwitches, but you have to manually configure Distributed vSwitches (see the vShield Administration Guide for instructions).

Changing default passwords
You should change the default passwords for the manager and agents as soon as possible; doing this will not affect either manager-vCenter or manager-agent communication. Be aware that the manager user accounts in the Web user interface are different from the command-line interface user accounts. Even though both use the admin username and password by default, they are separate accounts and are managed in different ways.

You can use the Web user interface to change the manager password for users. For instructions on doing this see Securing vShield Zones CLI user accounts and the Privileged mode. You can also add users to the manager using the Web user interface.

You can back up and restore your vShield Manager data, which can include system configuration, events and audit log tables. Backups are saved to a remote location that must be accessible by the vShield Manager. Backups can be configured on the Configuration tab of the vShield Manager UI.

Time integrity
After installing and initializing the vShield Manager, you can configure it to point to an external network time protocol (NTP) server for time integrity service. By default, the vShield Manager configures each installed vShield agent to use the vShield Manager's IP address for NTP service. You cannot change the NTP server assignment of vShield agents.

Log files
If you need to access support log files for troubleshooting purposes, the log files for the vShield Manager and agents can be downloaded using the vShield Manager user interface by selecting the Configuration tab and then the Support option. When you click the Initiate button to download a log file, the logs are packaged and can be downloaded to your workstation. The log is compressed and has the proprietary file extension .blsl (Blue Lane Support Log), and can be opened using a decompression utility like WinZip.

vShield Zones version updates
vShield Zones version updates will be released periodically. They can be applied using the vShield Manager user interface on the Update tab. Once an update is released you can download it to your PC and then upload it using the vShield Manager user interface. The vShield Manager should be updated first, followed by the vShield agents. You will be notified on the Update Status screen whether a reboot of the manager or agents is required after the update is installed. Be sure to reboot the vShield Manager before you reboot any of the agents.

Closing thoughts
Future versions of vShield Zones will offer better integration and usability as well as increased functionality to better protect your virtual environment. Some of the upcoming features include the ability to enable High Availability for the vShield agents, so if they fail they will be automatically restarted on the same host. Additionally, when VMsafe is integrated with vSphere, you will no longer have to use the agents inline at the vSwitch level as the agents will integrate into the virtual NICs of each VM.

Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains, a VI3 information site.
