
vShield App and vShield Edge

vShield App and vShield Edge. Planning, Installation and Designing based on 5.0.1. From Preetam Zare http://vcp5.wordpress.com http://vShieldSuite.wordpress.com. Agenda –vShield App. Introduction to vShield Suite vShield Manager Installation, Configuration and Administration


Presentation Transcript


  1. vShield App and vShield Edge Planning, Installation and Designing based on 5.0.1 From Preetam Zare http://vcp5.wordpress.com http://vShieldSuite.wordpress.com

  2. Agenda –vShield App • Introduction to vShield Suite • vShield Manager Installation, Configuration and Administration • Planning and Installation of vShield App • vShield App Flow Monitoring • vShield App Firewall Management • vShield App Spoof Guard • Role Based Access Control (RBAC) Model of vShield • Deployment & Availability consideration

  3. Agenda –vShield Edge • Planning and Installation of vShield Edge • vShield Edge Services • DHCP • NAT • Firewall • VPN • Load Balancing • Static Routing • Scenarios • Deployment and Availability Considerations

  4. Data Center needs to be secured at different levels • Cost & Complexity: sprawl (hardware, FW rules, VLANs), rigid FW rules, performance bottlenecks • Perimeter Security at the vDC edge: firewall, VPN, load balancers; prevent unwanted access • Internal Security: VLAN or subnet based policies, interior or web application firewalls; segment your services (diagram: VLAN 1 … VLANs) • End Point Security: anti-virus, data leak protection; protect your data

  5. Why Security in Virtualized Datacenter? • Network security devices become chokepoints • Capacity is never right-sized • No intra-host virtual machine visibility • Audit trails are lacking • Physical topologies are too rigid • Current Security is static

  6. Traditional vSphere Infrastructure Setup Without vShield (diagram: for each of Company A, B and C, a separate VPN gateway, L2-L3 switch, firewall, load balancer and switch between the Internet and vSphere 5.0 hosts)

  7. vSphere Infrastructure Setup Without vShield (diagram: the same per-company chain of VPN gateway, L2-L3 switch, firewall, load balancer and switch for Company A, B and C, in front of the vSphere 5.0 hosts)

  8. vShield Product Family: Securing the Private Cloud End to End, from the Edge to the Endpoint • vShield Edge: secure the edge of the virtual datacenter • vShield App: create segmentation between workloads (security zones), sensitive data discovery • vShield Endpoint (endpoint = VM): anti-virus processing • vShield Manager: centralized management (diagram: DMZ, Application 1 and Application 2 zones on VMware vSphere)

  9. What Is vShield Edge? vShield Edge secures the perimeter, the “edge”, around a virtual datacenter. Common vShield Edge deployments include: • Protecting the Extranet • Protecting multi-tenant cloud environments (diagram: one vShield Edge secure virtual appliance per tenant, Tenant A, C and X, on VMware vSphere, providing load balancer, firewall and VPN)

  10. vShield Edge Capabilities Edge functionality • Stateful inspection firewall • Network Address Translation (NAT) • Dynamic Host Configuration Protocol (DHCP) • Site to site VPN (IPSec) • Web Load Balancer • (NEW) Static Routing • (NEW) Certificate mode support for IPSec VPN Management features • REST APIs for scripting • Logging of functions (diagram: the per-tenant vShield Edge appliances from slide 9)

  11. Securing the Data Center Interior with vShield App • Key Benefits • Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster. • Intuitive business-language policy leveraging the vCenter inventory.

  12. vShield Endpoint: Offload Anti-virus Processing for Endpoints Benefits • Improve performance by offloading anti-virus functions in tandem with AV partners • Improve VM performance by eliminating anti-virus storms • Reduce risk by eliminating in-guest agents susceptible to attacks • Satisfy audit requirements with detailed logging of AV tasks

  13. Cloud Infrastructure Security: Defense in Depth • First level of defense: vShield Edge • Threat mitigation; blocks unauthorized external traffic • Suite of edge services to secure the edge of the vDC • Zoning within the org: vShield App • Policy applied to VM zones • Dynamic, scale-out operation • VM context based controls • Compliance check: vShield App with data security • Discover PCI, PHI, PII sensitive data in the virtual environment • Compliance posture check • AV agent offload: vShield Endpoint • Attain higher efficiency • Supports multiple AV solutions • Always-on AV scanning (diagram: two example tenant orgs labelled Pepsi and Coke)

  14. Agenda • Introduction to vShield Suite • vShield Manager Installation, Configuration and Administration • Planning and Installation of vShield App • vShield App Flow Monitoring • vShield App Firewall Management • Use Cases of vShield App • Design consideration of vShield App

  15. vShield Manager Introduction The vShield Manager console acts as the central point to install, configure and maintain the vShield components, e.g. vShield Edge, vShield App and vShield Endpoint. vShield Manager is pre-packaged as an OVA appliance. The vShield Manager OVA file includes the software to install vShield Edge, vShield App and vShield Endpoint. vShield Manager can run on a different ESX host from your vShield App and vShield Edge modules. vShield Manager leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory.

  16. vShield Manager: Central Management Console • You can connect to vShield Manager directly via the web interface or via the vCenter plug-in client • Central point of management for the RBAC model; stores flow data and manages the rule base • Automatic deployment of the vShield App appliance via vShield Manager (diagram: vShield Manager and vCenter on the management network, in front of the vSphere hosts)

  17. vShield Manager Communication Paths (diagram of flows over the management network) • vShield web console and REST API: TCP 80/443 • SSH client access to the CLI: TCP 22 (default enabled) • SSH access to the CLI: TCP 22 (default disabled) • NTP: UDP 123 • vShield Manager to ESXi host: TCP 902/903 • vShield Manager to vShield App appliance: TCP 443 • vSphere Client and vShield Manager to vCenter: TCP 443

  18. vShield Manager Requirements For the latest interoperability information check here: http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php

  19. Latest interoperability

  20. Permission • Permission to add and power on virtual machines • Access to the datastores where the vShield Suite will be deployed • A working DNS reverse lookup entry for every ESXi host
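As an added example (not part of the presentation, and not VMware's tooling), a small pre-flight script that checks the prerequisites from slide 20 together with the TCP paths from slide 17 before deploying vShield Manager. The resolver and prober callables, the port mapping structure and any IP addresses are assumptions made so the checks can be run against constructed data as well as a live network.

```python
"""Pre-flight checks for a vShield Manager deployment, built from the
prerequisites on the slides: a working reverse DNS entry for every ESXi
host, and the TCP paths from the "Communication Paths" slide.
Added example; not code from the presentation or from VMware."""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Required TCP paths from vShield Manager, as drawn on the slide.
# NTP (UDP 123) is left out: a TCP connect cannot probe it.
REQUIRED_TCP = {"vcenter": [443], "esxi": [902, 903], "vshield_app": [443]}

def _probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default prober: a plain TCP connect (raises OSError on failure)."""
    with socket.create_connection((host, port), timeout=timeout):
        return True

def reverse_dns_ok(ip: str, fqdn: str,
                   resolver: Optional[Callable[[str], str]] = None) -> bool:
    """Forward-confirmed check: the PTR record for ip must name fqdn."""
    resolver = resolver or (lambda addr: socket.gethostbyaddr(addr)[0])
    try:
        return resolver(ip).rstrip(".").lower() == fqdn.rstrip(".").lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return False

def tcp_port_open(host: str, port: int,
                  prober: Optional[Callable[[str, int], bool]] = None) -> bool:
    """True if the prober (default: real TCP connect) reaches host:port."""
    try:
        return bool((prober or _probe)(host, port))
    except OSError:
        return False

def preflight(esxi_hosts: Dict[str, str], vcenter_ip: str, app_ips: Iterable[str],
              resolver=None, prober=None) -> List[str]:
    """Return human-readable failures; an empty list means ready to deploy.
    esxi_hosts maps management IP -> expected FQDN of each ESXi host."""
    failures: List[str] = []
    targets = [(ip, "ESXi host", REQUIRED_TCP["esxi"]) for ip in esxi_hosts]
    targets.append((vcenter_ip, "vCenter", REQUIRED_TCP["vcenter"]))
    targets += [(ip, "vShield App appliance", REQUIRED_TCP["vshield_app"]) for ip in app_ips]
    for ip, fqdn in esxi_hosts.items():
        if not reverse_dns_ok(ip, fqdn, resolver):
            failures.append(f"reverse DNS for ESXi host {ip} does not resolve to {fqdn}")
    for ip, role, ports in targets:
        for port in ports:
            if not tcp_port_open(ip, port, prober):
                failures.append(f"TCP {port} from vShield Manager to {role} {ip} blocked")
    return failures
```

Run it with the default resolver and prober from the machine that will host vShield Manager, so the checks exercise the same management-network path the appliance will use.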

  21. vShield Manager Installation • Multi-Step installation Process • Obtain the vShield Manager OVA File • Install vShield Manager Virtual Appliance • Configure the Network Settings of the vShield Manager • Logon to the vShield Manager Interface • Synchronize the vShield Manager with the vCenter Server • Register vShield Manager Plug-in with vSphere Client • Change the default admin password of the vShield Manager

  22. Steps to Install vShield Manager • Open the vSphere Client, click the File menu and select Deploy OVF Template as shown below

  23. Browse to locate the OVA file A new window opens asking for the OVF file; in our case it is an OVA file. Select Browse and locate the OVA file you’ve downloaded from VMware’s site

  24. After selecting the OVA file, press Next. The OVA file’s metadata is read and you will see the screen below

  25. Enter a name for the vShield Manager virtual machine and select its location as shown below

  26. Select Datastore It is strongly recommended to select a shared datastore so that vMotion, DRS and HA functionality can be used during planned and unplanned downtime.

  27. Select disk format

  28. Review the settings and close OVF templates

  29. Virtual Machine Properties

  30. Warning: Don’t upgrade VMware Tools on vShield Manager appliances Each vShield virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a vShield virtual appliance.

  31. Configure the Network Settings of the vShield Manager • The initial network configuration, i.e. IP, default gateway and DNS, must be done via the CLI • Right-click the vShield Manager appliance and select Open Console

  32. Contd… Configure the Network Settings of the vShield Manager

  33. Enter IP, Default Gateway and DNS Details • To enter enabled mode, type ‘enable’ • To start the wizard, type ‘setup’ • Enter the IP details • Finally, press ‘y’ to confirm the settings

  34. Contd … Enter IP, Default Gateway and DNS Details

  35. Getting Familiar With the vShield Manager Interface

  36. Open a web browser window and type the IP address assigned to the vShield Manager. The vShield Manager user interface opens in an SSL/HTTPS session. Log in to the vShield Manager user interface using the username admin and the password default.

  37. Synchronizing the vShield Manager with vCenter Enter the vCenter details and press Save. Use the Domain\Username format if the user is a domain user. (Screenshot callouts: “Don’t select this”; “Register vCenter extension to access vShield Manager within vCenter”)

  38. After vShield Manager and vCenter Are Connected On the right-hand side of the screen we see confirmation that the vSphere inventory was successfully updated. After the sync is completed, vCenter data is populated as seen in the screen below. vShield Manager doesn’t appear as a resource in the Inventory panel of the vShield Manager user interface.

  39. Contd …After vShield Manager and vCenter Are Connected

  40. Configure Date/Time for vShield Manager

  41. Generate Tech Support Bundle

  42. System Resource Utilization Of vShield Manager

  43. Backup vShield Manager Configuration • You can back up the configuration and transfer it to a remote backup server over FTP • For a one-time backup, Scheduled Backups must be off. (Screenshot callouts: Schedule Backup; Backup Directory on FTP Server)

  44. Backup vShield Manager Configuration: Backup files (screenshot: vShield Manager backup files in the backup directory on the FTP server)

  45. vShield Manager via Web Browser vs. vSphere Client Plug-in • You can manage vShield appliances from the vShield Manager user interface, and you can also manage them from the vSphere Client. • It is your choice, whichever works best for you. • Functions that you cannot access from the vSphere Client: • Configuring the vShield Manager’s settings • Backing up the vShield Manager’s database • Configuring the vShield Manager’s users • The vShield Manager’s system events and audit logs • Configuring vShield App’s Spoof Guard, Fail Safe Mode and VM Exclusion list

  46. DEMO/LAB vShield Manager

  47. Agenda • Introduction to vShield Suite • vShield Manager Installation, Configuration and Administration • Planning and Installation of vShield App • vShield App Flow Monitoring • vShield App Firewall Management • vShield App Spoof Guard • Role Based Access Control (RBAC) Model of vShield • Deployment & Availability consideration of vShield App

  48. vShield App Architecture • Hypervisor-level firewall • Inbound/outbound connection control enforced at the virtual NIC level • Dynamic protection as virtual machines migrate • Protection against ARP spoofing (diagram: a vShield App appliance on each ESXi host, managed by vShield Manager alongside vCenter Server and the vSphere Client)

  49. Before vShield App is Deployed (diagram: vSphere host with vSwitch/vDS switch)

  50. After vShield App is Deployed (diagram: vSphere host with vSwitch/vDS switch and the vShield hypervisor module; all VM traffic is passed via the LKM and inspected by the vShield firewall)
