VBLOCK SYSTEMS: VMWARE VIRTUAL FIREWALLS IMPLEMENTATION GUIDE


Version 1.0, December

VCE Company, LLC. All Rights Reserved.

Copyright 2012 VCE Company Inc. All Rights Reserved

VCE believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Contents

Introduction
  About this document
  Scope
  Audience
  Feedback
Technology overview
  Vblock Systems
    Compute components
    Network components
    Storage components
    Virtualization components
    Management components
  VMware vCloud Networking and Security
    VMware vCloud Networking and Security Edge
    VMware vCloud Networking and Security App
    VMware vCloud Networking and Security Manager
Architecture overview
  Physical layout
  Logical layout
    Management VLAN
    Test data VLANs
  Hardware and software components
Design considerations
  vCloud Networking and Security Manager configuration
    Service virtual machine placement and network design
    Communication with vCenter
    Event logging
  vCloud Networking and Security App with Data Security configuration
    Firewall placement and design
    Firewall event logging
    Policy setup
  vCloud Networking and Security Edge configuration
    Placement and design
    Interfaces and uplinks
    Firewall event logging
    Policy setup
Vblock System configuration
  Virtualization configuration
  Compute configuration
  Network configuration
  Storage design
Architecture validation
  Test environment design
  Test case 1: Core firewall functionality
    Test procedure
    Test results
  Test case 2: vCloud Networking and Security Edge NAT policy
    Test procedure
    Test results
  Test case 3: vCloud Networking and Security Manager high availability
    Test procedure
    Test results
  Test case 4: Policy set and high-availability workload
    Test procedure
    Test results
  Test case 5: Sensitive data discovery
    Test procedure
    Test results
  Test case 6: Logging
    Test procedure
    Test results
Conclusion
  Next steps
References

Introduction

Network-based security has traditionally been implemented in data centers using various physical appliances placed in strategic locations on an infrequently changing network fabric. Virtualization and the dynamic nature of a virtual environment change this paradigm. Static security is being replaced by, or augmented with, a more dynamic set of security products that operate without restrictions related to physical location or boundaries. These virtual firewalls provide protection and benefits beyond the limitations of physical security.

Converged infrastructure requires a different approach to firewalls. The traditional network control points where discrete firewalls could be inserted do not exist, requiring a change in the delivery of network access control functions. In addition, more information is available about the hosts participating in network traffic, creating new opportunities in how the controls are implemented.

VMware vCloud Networking and Security includes two virtual firewall products: vCloud Networking and Security App (previously known as vShield App) and vCloud Networking and Security Edge (previously known as vShield Edge). These firewalls are frequently used with Vblock Systems. This paper discusses how to implement these firewalls on the Vblock System.

About this document

The Vblock Systems: VMware Virtual Firewalls Implementation Guide provides detailed deployment options for VMware virtual firewalls on Vblock Systems. It documents the setup process and recommends best practices for deploying App and Edge on the Vblock System. This document:

- Describes the technologies, hardware and software components, and architecture used in the solution.
- Provides design considerations and best practice recommendations for implementation.
- Describes the process of deploying vCloud Networking and Security App and Edge on the Vblock System.
- Demonstrates firewall functionality by confirming full control over administrative functions and the application of firewall and NAT policies.
- Demonstrates that deployment does not impact normal Vblock System administrative functions.
- Demonstrates high availability for vCloud Networking and Security Manager.
- Demonstrates highly available workloads and network access by confirming that policies accommodate workload movement.
- Addresses data loss protection functions in App with Data Security by showing how to create a policy and arrange the detection of the material.
- Validates logging behavior by confirming that the proper logs are produced and reach the log server.

Scope

This solution was validated on a Vblock System 300; however, it applies to the Vblock System 300 and 700.

Audience

This document is intended for use by people planning, implementing, administering, or auditing network access controls in environments containing Vblock Systems. It is relevant to deployments in every sector.

Feedback

To suggest documentation changes and provide feedback on this paper, send email to docfeedback@vce.com. Include the title of this paper, the name of the topic to which your comment applies, and your feedback.

Technology overview

This solution uses the following hardware and software components and technologies:

- Vblock Systems
- VMware vCloud Networking and Security

Vblock Systems

VCE represents the next evolution of IT, one focused on the next generation data center and the future of cloud computing. VCE seeks to eliminate the challenges that consume today's data center resources. VCE designs and delivers Vblock Systems, which seamlessly integrate leading compute, network and storage technologies. Through intelligent discovery, awareness and automation, Vblock Systems provide the highest levels of virtualization and application performance. Vblock Systems are unique in their ability to be managed as a single entity with a common interface that provides customers end-to-end visibility.

The Vblock System 300 is an agile and efficient data center class system, providing flexible and scalable performance. It features a high-density, compact fabric switch, tightly integrated fabric-based blade servers, and best-in-class unified storage.

The Vblock System 700 is an enterprise-class mission-critical system for the world's most demanding workloads and service levels. It includes the industry's best director-class fabric switch, the most advanced fabric-based blade server, and the most trusted storage platform.

Each Vblock System has a base configuration, which is a minimum set of compute and storage components as well as fixed network resources. Within the base configuration, certain hardware aspects can be customized. Together, the components offer balanced CPU, I/O bandwidth, and storage capacity relative to the compute and storage arrays in the system. For more information, go to

Compute components

The compute components in Vblock Systems are built on the Cisco Unified Computing System (UCS) line of products. The individual components include one or more blade server chassis, the compute blades they hold, I/O modules, and the fabric interconnects that connect the unified fabric to the rest of the environment.

Network components

The network components in Vblock Systems consist of various models of Cisco Nexus and MDS storage switches. This includes the Cisco Nexus 7000 Series, Cisco Nexus 5000 Series, Cisco Nexus 1000V, Cisco Catalyst 3000 Series, and the Cisco MDS 9000 Series switches.

Storage components

Vblock Systems are built with either EMC VNX or Symmetrix VMAX-based storage arrays. The 300 series systems ship with VNX-based arrays and the 700 series systems ship with VMAX arrays.

Virtualization components

Virtualization components include VMware ESXi, VMware vCenter Server, and VMware vSphere.

Management components

All Vblock System 300 and 700 models include an Advanced Management Pod (AMP). The AMP provides a single management point for Vblock Systems that provides the following benefits:

- Monitors and manages Vblock System health, performance, and capacity
- Provides fault isolation for management
- Eliminates Vblock System resource overhead
- Provides a clear demarcation point for remote operations

The AMP has two deployment options: mini-AMP and high availability (HA) AMP. The mini-AMP is an economical single-server system with reduced costs for switches and licenses and optional packages for networking, backups, and data duplication. The HA AMP is a two-server system that uses a local disk to boot VMware vSphere ESXi and shared storage for the Vblock Systems management servers. It is designed to be a highly available, out-of-band management environment.

In addition to the components described above, the AMPs leverage Cisco UCS rack-mount servers, Cisco Catalyst 3000 Series switches, and EMC storage.

VMware vCloud Networking and Security

VMware vCloud Networking and Security provides software-defined networking and security services. It consists of the following components, all managed centrally through VMware vCenter and VMware vCloud Director:

- vCloud Networking and Security Edge (previously known as vShield Edge)
- vCloud Networking and Security App (previously known as vShield App)
- vCloud Networking and Security Data Security (previously known as vShield Data Security)
- vCloud Networking and Security Manager

vCloud Networking and Security is built with virtual security appliances. Network traffic from virtual workloads passes through these appliances, which apply services such as firewalling and load balancing. There are two vCloud Networking and Security virtual appliance types:

- Edge appliance: establishes a perimeter gateway for network traffic to enter and leave a virtual data center (north-south traffic).
- App firewall: provides protection directly in front of one or more virtual machines and is frequently used to regulate traffic between the virtual machines (east-west traffic).

VMware vCloud Networking and Security Edge

vCloud Networking and Security Edge secures the edge, or perimeter, of a virtual data center with firewalling, VPN, NAT, DHCP, and web load-balancing capabilities that enable rapid, secure scaling of virtualized infrastructures. Along with network isolation, these services create logical security perimeters around virtual data centers and enable secure multi-tenancy. Edge is compatible with port groups on the vNetwork Standard Switch (vSS), vNetwork Distributed Switch (vDS), and the Cisco Nexus 1000V switch. Edge management is supported through the vCloud Networking and Security Manager web interface and the vCloud Networking and Security Manager plug-in to VMware vCenter Server.

The Edge virtual appliance supports multiple user-defined interfaces, including external and internal network interfaces. Internal interfaces connect to the secured inside port group and are the gateway for all protected virtual machines in this port group. External interfaces connect to an uplink port group that has access to a shared corporate network or a service provider access-layer network.

VMware vCloud Networking and Security App

vCloud Networking and Security App protects applications from network-based threats in the virtual data center with a hypervisor-level application firewall and administrator-defined security groups to enforce granular segmentation between applications. It provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter and implements an IP-based stateful firewall and application layer gateway for a broad range of protocols. This firewall filter operates transparently and does not require network changes or modifications of IP addresses.

App installs as a hypervisor module and firewall service virtual appliance on each ESXi host in the cluster hosting the protected virtual machines. The hypervisor module places a vNIC-level firewall enforcement point for the traffic to and from the virtual machines.

App extends into Sensitive Data Discovery (available in vCloud Networking and Security App with Data Security). Data Security scans virtual workloads for sensitive data, such as credit card information, and reports violations of regulations, such as PCI-DSS, enabling IT organizations to quickly assess the state of compliance with regulations from around the world. It also provides a management console for selecting regulations to be used in compliance scans, and includes templates of regulations, including PCI-DSS (Payment Card Industry Data Security Standard), HIPAA for Private Health Information (PHI), and so forth.

VMware vCloud Networking and Security Manager

vCloud Networking and Security Manager is the central point of control for all features and capabilities of the vCloud Networking and Security product. It integrates with VMware vCenter to offer role-based access control and administrative delegation in a unified framework for managing virtualization security. It promotes IT compliance with centralized logging and reporting and supports integration of vCloud Networking and Security with third-party solutions using the REST APIs.

vCloud Networking and Security Manager is designed to install, configure, and manage all vCloud Networking and Security features. The user interface offers configuration and data-viewing options for App and Edge. Tight integration with vCenter allows users to view all underlying vSphere resource pools.

Architecture overview

This section describes the physical and logical solution architecture.

Physical layout

Figure 1 shows the Vblock System setup used to validate this solution. It consists of a Vblock System 300 and an AMP.

Figure 1. Physical configuration

Management virtual machines, including the Cisco Nexus 1000V Virtual Supervisor Module (VSM), vCloud Networking and Security (vCNS) Manager, a jump host (to access the test environment), VMware vCenter, and VMware Update Manager (VUM), all reside on the AMP host. The test workload cluster of two ESXi 5 hosts (B200 M2 blades) is part of the UCS chassis. An App firewall Service Virtual Machine (SVM) and a Data Security SVM are installed on each ESXi host. In addition to the App firewall, an Edge virtual appliance is installed for each cluster for perimeter firewall services. (These VMware component virtual machines are highlighted in Figure 1.)

Logical layout

Figure 2 shows the logical configuration of the components used to implement the VMware vCloud Networking and Security firewall solution on a Vblock System.

Figure 2. Logical configuration

Management VLAN

The vCenter server, vCloud Networking and Security Manager virtual appliance, and Nexus 1000V VSM all reside on the management network on VLAN 111. This management network is also seen across the Vblock System ESXi cluster hosts. The App and Data Security SVMs have one port group (PG) that is part of the same network on VLAN 111. This allows for communication between the vCloud Networking and Security Manager and the virtual firewall virtual machines.

Test data VLANs

The test environment consists of a cluster of two ESXi servers, each of which hosts test virtual machines (customer workload) that reside on VLAN 132 and VLAN 133. The Edge firewall has its internal secured port groups as part of these data networks (VLANs 132/133) with an uplink port group going out to the outside world. This makes the Edge firewall the default gateway for all of the virtual machine traffic entering and leaving the cluster. The intra-virtual machine traffic is inspected by the App firewall and the Data Security scanning component.

Hardware and software components

The following table lists the hardware used to validate this solution.

Resource          Description
Compute           Cisco UCS B-Series Blades (B230M2)
                  Cisco UCS M81KR Virtual Interface Card converged network adapter
                  Cisco UCS 6120 fabric interconnects (6120 version 2.0 [2q])
                  Cisco UCS 5108 Blade Server chassis
Network           Cisco Nexus 5548UP Series IP switches 5.1(3)N1(1a)
                  Cisco Nexus 1000V VSM and VEM virtual switch 4.2(1)SV1(5.1)
                  Cisco MDS 9148 Multilayer Fabric Switch 5.2(2a)
Storage           EMC VNX Series Unified Storage with EMC Unisphere, VNX for File, VNX for Block
Management (AMP)  Cisco Catalyst 3560-X Switch
                  Cisco C200 High-Density Rack Server (48 GB RAM and 4 TB of storage)

The following table lists the software used to validate this solution.

Resource          Description                                                              Version
Virtualization    VMware vSphere 5 (VMware ESXi build and vCenter Server build)             5
Management        EMC PowerPath/VE                                                         5.7
                  EMC Unisphere
                  Cisco UCS Manager                                                        (2q)
Security          VMware vSphere Server Enterprise Plus
                  VMware ESXi
                  VMware vCloud Networking and Security (Manager, App, Data Security, and Edge)
                  VMware vShield Endpoint

Note: We installed Endpoint as a prerequisite for Data Security. Otherwise, it is out of scope for this paper.

Design considerations

This section contains design considerations, sizing requirements, and best practice recommendations for implementing VMware virtual firewalls on Vblock Systems. When configuring vCloud Networking and Security to deploy on Vblock Systems, there are decisions that need to be made, including:

- Where to install (AMP or Vblock System blade)
- Integration with VMware vCenter
- Workload high availability through vCloud Networking and Security Manager
- Distributed virtual switch options
- How to set up policies (data centers, clusters, resource pools, vApps, IP addresses, security groups)
- Where and at what level to send logs

This section contains design considerations and best practice recommendations around these decisions and more. Use the information in the following table as a guide:

Decision: Where to install
Considerations: Because Manager is a management component of the vCloud Networking and Security solution, it can be placed on the Vblock System AMP with other management virtual machines. If not using the AMP, the vCloud Networking and Security Manager service virtual machine (SVM) can be placed in the Vblock System itself. Install vCloud Networking and Security App on each ESXi host that needs protection for east-west traffic. Install vCloud Networking and Security Edge based on requirements for perimeter security. In our test lab, we installed it at the cluster level in the Vblock System, protecting north-south traffic across the test virtual machines.
For more information, go to: vCloud Networking and Security Manager configuration; vCloud Networking and Security App with Data Security configuration; vCloud Networking and Security Edge configuration

Decision: vCenter integration
Considerations: Configure vCloud Networking and Security Manager to connect to VMware vCenter. Integration with vCenter allows Manager to display the VMware infrastructure inventory.
For more information, go to: vCloud Networking and Security Manager configuration

Decision: Workload high availability through vCloud Networking and Security Manager
Considerations: In order to use the high availability functionality of vCloud Networking and Security Manager, we recommend installing it on a cluster of two or more ESXi hosts. This allows the Manager SVM to migrate from one host to another in case of host failure. It is also required to have shared storage between the hosts in the cluster to allow for vMotion.
For more information, go to: vCloud Networking and Security Manager configuration; Storage design

Decision: Distributed virtual switch option
Considerations: The Nexus 1000V switch is standard in Vblock Systems and is used as the distributed virtual switch. Create port profiles on the Nexus 1000V switch for all management traffic and for the internal and uplink interfaces of vCloud Networking and Security Edge.
For more information, go to: Network configuration

Decision: Policy setup and firewall rules
Considerations: All policy creation for the vCloud Networking and Security App and Edge firewalls is done only at the data center level. Depending on your requirements, sources and destinations can be an IP address, resource pools, security groups, vNIC groups, and so forth.
For more information, go to: Policy setup section in vCloud Networking and Security App with Data Security configuration; Policy setup section in vCloud Networking and Security Edge configuration

Decision: Firewall event logging
Considerations: View firewall logs locally using flow monitor in vCloud Networking and Security App or send logs to an external syslog server for forensic analysis and troubleshooting. We recommend logging at the warning level to capture all important messages without constraining the firewalls.
For more information, go to: vCloud Networking and Security Manager configuration, vCloud Networking and Security App with Data Security configuration, and vCloud Networking and Security Edge configuration sections on how to set up the syslog server and logging levels on each of the vCloud Networking and Security components

vCloud Networking and Security Manager configuration

vCloud Networking and Security Manager configuration includes:

- Service virtual machine (SVM) placement and network design
- Communication with vCenter
- Event logging

Service virtual machine placement and network design

vCloud Networking and Security Manager installs as a service virtual machine (SVM) on an ESXi host in vCenter. The best practice recommendation for this component is a high-availability setup, which requires installation on a cluster of two (or more) ESXi hosts.

In this test environment, we installed the vCloud Networking and Security Manager SVM on a two-host cluster in the AMP server. Since Manager is a management component of the vCloud Networking and Security solution, we placed it on the Vblock System AMP (mini-AMP), along with other management virtual machines (Nexus 1000V VSM, jump host, AD server, VUM, and the vCenter server). The Manager SVM can also be placed in the Vblock System itself if the AMP is not in use.

Note: To ensure proper communication between Manager and the other virtual firewall components, you must consider network and compute configuration. These are discussed in the Network configuration and Compute configuration sections.

Figure 3. vCloud Networking and Security Manager SVM installed in the AMP cluster

Note: To ease customers' transition from vShield 5.0 to vCloud Networking and Security and ensure continuity, the user interface for vCloud Networking and Security still refers to the capabilities using existing vShield product names.

Communication with vCenter

Once Manager is installed, we recommend connecting to vCenter Server from Manager. This enables Manager to display the VMware infrastructure inventory.

Figure 4. VMware infrastructure inventory

Event logging

We enabled syslog and configured it to forward logs to an external server on port 514.

Figure 5. Syslog configuration

To ensure all log traffic is stamped with the same time source, we configured NTP using Manager. This follows best practice recommendations for forensic analysis and troubleshooting.

Figure 6. NTP configuration
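The two properties this section and the later firewall logging sections rely on, a Warning-level severity threshold and a shared NTP time source, can be checked on the collector side. The following is an added example, not code from the VCE guide or from VMware: it decodes the RFC 3164 <PRI> field of each received line into facility and severity, keeps only messages at Warning or more urgent, and flags any sender whose timestamps drift from the collector clock, the usual symptom of a host that is not synchronized to NTP. The sample lines, host names, addresses and message text are constructed for the example and do not reproduce the real vCNS log format; the collector clock value is likewise assumed.

```python
"""Collector-side check of syslog severity threshold and sender clock drift (added example)."""
import re
from datetime import datetime, timedelta

# Numeric syslog severities; lower is more urgent. Warning is 4.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WARNING = 4

# Constructed sample lines in generic RFC 3164 shape (not the vendor's real format).
SAMPLE_LINES = [
    "<12>Dec 10 10:00:01 vcns-app-host10 firewall: DROP src=10.0.132.10 dst=10.0.133.20 proto=TCP dport=22",
    "<14>Dec 10 10:00:02 vcns-app-host10 firewall: ACCEPT src=10.0.132.10 dst=10.0.133.20 proto=TCP dport=80",
    "<11>Dec 10 10:13:07 vcns-edge firewall: DROP src=192.0.2.7 dst=10.0.132.10 proto=TCP dport=3389",
    "<12>Dec 10 10:00:03 vcns-mgr manager: configuration change by admin",
]
# Assumed collector clock at the moment the sample lines were received.
COLLECTOR_NOW = datetime(2012, 12, 10, 10, 0, 5)

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line, year):
    """Decode one syslog line into a dict; return None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    # RFC 3164 timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "host": m.group(3),
        "msg": m.group(4),
    }


def filter_by_severity(records, threshold=WARNING):
    """Keep records at the threshold or more urgent (numerically lower severity)."""
    return [r for r in records if r["severity"] <= threshold]


def clock_drift_hosts(records, collector_now, tolerance=timedelta(minutes=5)):
    """Hosts whose stamped time differs from the collector clock by more than `tolerance`."""
    return {r["host"] for r in records if abs(r["timestamp"] - collector_now) > tolerance}


def analyse(lines, collector_now, year):
    """Parse, apply the Warning threshold, and report drifting senders."""
    records = [r for r in (parse_line(line, year) for line in lines) if r]
    kept = filter_by_severity(records)
    return {
        "parsed": len(records),
        "kept": [(r["host"], SEVERITY[r["severity"]], r["msg"]) for r in kept],
        "drifting_hosts": sorted(clock_drift_hosts(records, collector_now)),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES, COLLECTOR_NOW, COLLECTOR_NOW.year)
    for host, sev, msg in result["kept"]:
        print(f"{sev:8} {host:16} {msg}")
    print("senders with clock drift:", result["drifting_hosts"])
```

With the constructed input, the informational ACCEPT line is dropped by the Warning threshold and the Edge sender is reported because its stamped time is thirteen minutes ahead of the collector; in a real deployment a drifting sender is the first thing to fix before the logs are used to correlate events across App, Edge and Manager.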

vCloud Networking and Security App with Data Security configuration

This section describes how we configured the following:

- Firewall placement and design
- Firewall event logging
- Policy setup

Firewall placement and design

We installed the App firewall as a service virtual machine on each ESXi host in the Vblock System. We also installed a Data Security SVM on each host. Before installing Data Security SVMs, we installed Endpoint on each ESXi host. Each App and Data Security SVM pair requires two IP addresses. We placed these SVMs on the distributed management VLAN (111) port group that runs across the AMP and the Vblock System virtual switches. This ensured proper communication of the App and Data Security SVMs with vCloud Networking and Security Manager.

Firewall event logging

vCloud Networking and Security App provides two ways to view firewall logs: flow monitor and syslog server. We used flow monitor to review allowed and blocked flows and see such useful information as top sources and top destinations.

Figure 7. Flow monitor

We enabled syslog and configured an external server to collect firewall logs. We set the syslog level to Warning per best practice recommendations. We did the following to configure syslog on App:

1. In the vSphere Client, selected Inventory > Hosts and Clusters.
2. Selected a host from the resource tree.
3. Clicked the vShield tab.
4. In the Service Virtual Machines area, expanded the vShield App SVM.
5. In the Syslog Servers area, typed the IP address of the syslog server.
6. From the Log Level drop-down list, selected the event level at and above which to send vShield App events to the syslog server. Setting this to the Warning level is recommended.
7. Clicked Save to save the new settings.
8. Following best practices for troubleshooting and proper event log analysis, we synchronized time between vCloud Networking and Security Manager and App. We used the set clock command from the App CLI.

Policy setup

All App policies and firewall rules can only be created at the data center level. The App Firewall menu provides options to create L2 and L3/4 rules separately. We selected the vShield tab in vCenter for the test data center and selected the App Firewall menu to add firewall policies. The source and destination for each individual rule can range from an IP address, network, data center, cluster, or virtual machine to a resource pool, a vApp, or a security group. The services allowed or denied by the rule can be selected from a pre-configured Services menu or by creating a new set of services per customer requirements.

We created custom security groups of VMA and VMB virtual machines for testing purposes. These are referenced in the Architecture validation section for the App test cases.

vCloud Networking and Security Edge configuration

This section describes how we configured the following:

- Placement and design
- Interfaces and uplinks
- Firewall event logging
- Policy setup

Placement and design

We added Edge as a virtual appliance to an ESXi host in the Vblock System. Edge can be placed on a cluster to provide a high-availability setup. An Edge appliance can be added at the cluster or resource pool level. Design varies depending on requirements and the virtual data center setup. In this test environment, we installed Edge as a service virtual machine on a two-host cluster in the Vblock System.

You can add, edit, or delete appliances. An Edge instance remains offline until at least one appliance has been added to it; therefore, you must add at least one appliance before deploying it. We performed the following procedure to add an appliance:

1. In the vSphere Client, selected Inventory > Hosts and Clusters.
2. Selected a data center resource from the Inventory panel.
3. Clicked the Network Virtualization tab.
4. Clicked the Edges link.
5. Clicked the Configure tab.
6. Clicked the Settings link.
7. In Edge Appliances, clicked Add.
8. In the Add Edge Appliance dialog box, selected the cluster or resource pool and datastore for the appliance.
9. Selected the host on which the appliance is to be added.
10. Selected the vCenter folder within which the appliance is to be added.
11. Clicked Add.

After adding the Edge appliance to the test cluster, it was set as deployed. Since this is a two-host cluster, the installation picks a host on which to place the Edge service virtual machine.

Interfaces and uplinks

vCloud Networking and Security Edge installed in a data center can have up to 10 internal or uplink interfaces. An Edge appliance must have at least one internal interface before it can be deployed. For this setup, we configured Edge with the following:

- Two internal interfaces connecting to secured port groups
- One uplink interface to the external network

You must add at least one internal interface for high availability to work.

Figure 8. Edge interfaces and uplinks

Firewall event logging

We enabled syslog and configured an external server to collect the firewall logs. We set the syslog level to Warning per best practice recommendations. We performed the following to configure syslog on Edge:

1. In the vSphere Client, selected Inventory > Hosts & Clusters.
2. Selected a data center resource from the Inventory panel.
3. Clicked the Network Virtualization tab.
4. Clicked the Edges link.
5. Double-clicked the vShield Edge instance for which we wanted to specify the syslog servers.
6. Clicked the Status tab.
7. In the Details panel, clicked Change next to syslog servers.
8. Typed the IP address of both remote syslog servers.
9. Clicked Add to save the configuration.

Policy setup

Edge policies and firewall rules can be created only at the data center level. The Firewall menu provides options to create L2 and L3/4 rules separately. We selected the Network Virtualization tab in vCenter for the test data center and clicked the deployed Edge firewall. We then accessed the Firewall menu to add policies. The source and destination for each rule can be either an IP address or a vNIC group. Additionally, a source port can be specified. The services allowed or denied by the rule can be selected from a preconfigured Services menu or by creating a new set of services per customer requirements.

We created Edge firewall rules using test virtual machine IP addresses as sources and destinations and standard service protocols where applicable. These are shown in the Architecture validation section for the Edge test cases.

Vblock System configuration

This section describes configuring Vblock Systems to work with vCloud Networking and Security firewalls.

Virtualization configuration

To ensure vCloud Networking and Security Manager high availability, we configured the AMP ESXi servers as a cluster of two (or more) hosts. This allows the Manager SVM to be moved (through vMotion) from one host in the cluster to another.

For accurate logging, we synchronized time between the ESXi hosts, vCenter Server, and the various virtual machines by enabling NTP. This is a best practice for troubleshooting and forensic analysis. On the AMP ESXi host, we enabled NTP by performing the following steps:

1. Logged in to vCenter Server.
2. Selected the Hosts and Clusters view and clicked the AMP ESXi host.
3. Clicked the Configuration tab and then clicked Time Configuration.
4. Selected Properties > Options > General and selected to start and stop automatically.
5. Selected NTP Settings and entered the IP address of the NTP server.
6. Clicked OK, selected NTP Client Enabled, and clicked OK.

On the vCenter Server virtual machine, we enabled NTP by performing the following steps:

1. Double-clicked the VMware Tools icon at the bottom right of the vCenter screen.
2. Selected time synchronization between the virtual machine and the host operating system.

Compute configuration

To ensure proper communication between the compute and network components, we created on the UCS server each newly defined VLAN used by the management and data traffic of the vCloud Networking and Security components.

Figure 9. VLANs created

Network configuration

To ensure proper communication between the App SVM, the Data Security SVM, and vCloud Networking and Security Manager, we created a common control/management VLAN (111). This VLAN runs across the vSphere distributed switch in the AMP and the Nexus 1000V switch in the UCS compute environment. We created VLAN 111 in the Catalyst 3560 management switch, along with its corresponding switched virtual interface (SVI) acting as the default gateway for all traffic residing on this VLAN. The following shows the creation of VLAN 111:

    vlan 111
     name Management_vlan
    !
    interface Vlan111
     ip address
    !

We created a port profile for this VLAN on the Nexus 1000V VSM, as shown below:

    port-profile type vethernet Management_111
      vmware port-group
      switchport mode access
      switchport access vlan 111
      no shutdown
      state enabled

We created two additional VLANs to carry the workload data traffic across the network and configured port profiles for them on the Nexus 1000V VSM. VLANs 132 and 133 also serve as the secured port groups for the two internal interfaces of the Edge firewall.

    port-profile type vethernet DataVlan132
      vmware port-group
      switchport mode access
      switchport access vlan 132
      no shutdown
      state enabled

    port-profile type vethernet DataVlan133
      vmware port-group
      switchport access vlan 133
      switchport mode access
      no shutdown
      state enabled

We placed the Edge uplink port group on a routable VLAN (135) in the test environment, running across the management switch, the UCS server, and the Nexus 1000V switch. We configured a port profile on the Nexus 1000V for VLAN 135:

    port-profile type vethernet DataVlan135
      vmware port-group
      switchport mode access
      switchport access vlan 135
      no shutdown
      state enabled

To provide synchronized time between the various components (including the vCloud Networking and Security SVMs, vCenter Server, ESXi hosts, and network devices), we configured an NTP server on a virtual machine residing on the AMP cluster. This ensures accurate analysis of event logs.

Storage design

To ensure vCloud Networking and Security Manager high availability, we configured shared storage (VM-Shared) on the AMP cluster, as shown in the screenshot below. This allows VMware vMotion to move the vCloud Networking and Security Manager SVM from a failed host to another host in the cluster without loss of service.

Figure 10. Shared storage configuration

Architecture validation

We performed the following tests to validate vCloud Networking and Security firewalls on a Vblock System.

- Firewall functionality: Validate the core firewall functions of the App and Edge firewalls using test virtual machines and a set of allow/block rules to monitor traffic flow and access.
- vCloud Networking and Security Edge NAT policy: Confirm that NAT translations are applied to incoming and outgoing test virtual machine traffic on the Edge firewall.
- vCloud Networking and Security Manager high availability: Validate high availability for vCloud Networking and Security Manager by performing basic testing (such as failover and failback).
- App policy set and high-availability workload: Validate highly available workloads and network access by confirming that App firewall policies accommodate workload movement.
- Sensitive data discovery: Demonstrate the use of the sensitive data discovery functions in vCloud Networking and Security App with Data Security by showing policy creation, execution, and reporting.
- Logging: Validate the logging behavior of the App and Edge firewalls.

Test environment design

We used the test environment as set up and described in the Architecture overview and Design considerations sections. The following table contains VLAN and IP address information for the test virtual machines and solution components referenced in the test cases.

Component       VLAN   IP Address   Description
Test VMA                            Workload virtual machine
Test VMA                            Workload virtual machine
Test VMB                            Workload virtual machine
Test VMB                            Workload virtual machine
Host                                ESXi server
Host                                ESXi server
vcns Mgr                            vCloud Networking and Security Firewall Manager
App                                 vCloud Networking and Security App Service virtual machine on host 10
DataSec                             Data Security Service virtual machine on host 10
App                                 vCloud Networking and Security App Service virtual machine on host 11
DataSec                             vCloud Networking and Security App Service virtual machine on host 11
EdgeGW-IN                           Edge internal interface 1
EdgeGW-IN                           Edge internal interface 2
EdgeGW Uplink                       Edge uplink (outside) interface

Tools used for testing include:

- PuTTY for SSH sessions
- Common web browsers for GUI access
- VMware vSphere Client for vCenter inventory and virtual firewall configuration activities

While this solution works on any Vblock System 300 or 700 using the HA AMP or mini-AMP, it was validated on a Vblock System 300.

Test case 1: Core firewall functionality

This test case validates the core firewall functions of the App and Edge firewalls. The test objectives were to demonstrate proper access control for all traffic inspected by the App and Edge firewalls, based on the policy set and rule definitions.

Test procedure

1. Created two security groups by combining Test VMA-1 and Test VMA-2 into the VMA object, and Test VMB-1 and Test VMB-2 into the VMB object. These objects were used as sources and destinations for policy setup.
2. Created a firewall rule for App that allows Remote Desktop Protocol (RDP) sessions from the VMA security group to the VMB security group and denies all other traffic. The following screenshot shows the rule definition:
3. Created a similar set of rules for Edge to verify functionality. The following screenshot shows the firewall rule definition:

4. Verified the applied firewall rules by generating RDP and ICMP traffic from the source to the destination virtual machines.
5. Initiated a continuous ping from VMA-1 to the VMB-1 and VMB-2 virtual machines.

Test results

The App firewall successfully blocked the traffic, as shown below:

An RDP session was successfully initiated from VMA-1 to VMB-2 per the Allow App firewall rule. The same results were seen, and proper access control was verified, for the Edge rule set.
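The following Python model is an added example (not code from the guide, VCE or VMware) of what test case 1 checks here and test case 4 checks later: App rules are written against vCenter objects (security groups and VMs), so the verdict for a flow depends on which VM it involves, not on the host the VM currently runs on. The rule IDs, first-match evaluation order and the explicit deny-all rule are assumptions modelled on the test procedures.

```python
"""Toy model of App firewall rules keyed to vCenter objects (security groups, VMs).

Added example, not VCE or VMware code. The rule IDs, first-match evaluation
order and the explicit deny-all rule are assumptions modelled on the test
procedures, not the product's documented behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ANY = ("any", None)  # service wildcard: any protocol, any port


@dataclass(frozen=True)
class VM:
    name: str
    host: str  # ESXi host currently running the VM


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str       # security group name or VM name
    destination: str  # security group name or VM name
    service: tuple    # (protocol, port) or ANY
    action: str       # "allow" or "deny"


class AppPolicy:
    """Rules reference vCenter objects, never the host a VM happens to run on."""

    def __init__(self) -> None:
        self.groups: dict[str, frozenset[str]] = {}
        self.rules: list[Rule] = []

    def add_group(self, name: str, members: list[VM]) -> None:
        self.groups[name] = frozenset(vm.name for vm in members)

    def matches(self, obj: str, vm: VM) -> bool:
        """obj is either a single VM name or a security group name."""
        return vm.name == obj or vm.name in self.groups.get(obj, frozenset())

    def evaluate(self, src: VM, dst: VM, proto: str,
                 port: Optional[int]) -> tuple[str, Optional[int]]:
        """First matching rule wins; traffic matching nothing is implicitly denied."""
        for rule in self.rules:
            if not (self.matches(rule.source, src) and self.matches(rule.destination, dst)):
                continue
            if rule.service not in (ANY, (proto, port)):
                continue
            return rule.action, rule.rule_id
        return "deny", None


def migrate(vm: VM, new_host: str) -> VM:
    """vMotion changes the host but not the identity the policy keys on."""
    return VM(vm.name, new_host)


def build_test_policy() -> tuple[AppPolicy, dict[str, VM]]:
    """Security groups and rules as in test case 1 (RDP from VMA to VMB, deny the rest)."""
    vms = {n: VM(n, "host10") for n in ("VMA-1", "VMA-2", "VMB-1", "VMB-2")}
    policy = AppPolicy()
    policy.add_group("VMA", [vms["VMA-1"], vms["VMA-2"]])
    policy.add_group("VMB", [vms["VMB-1"], vms["VMB-2"]])
    policy.add_group("ALL_TEST_VMS", list(vms.values()))
    policy.rules.append(Rule(1, "VMA", "VMB", ("tcp", 3389), "allow"))
    policy.rules.append(Rule(2, "ALL_TEST_VMS", "ALL_TEST_VMS", ANY, "deny"))
    return policy, vms


def run_test_cases() -> dict[str, tuple[str, Optional[int]]]:
    """Replay the checks of test cases 1 and 4 and return each verdict with its rule ID."""
    policy, vms = build_test_policy()
    results = {
        # Test case 1: RDP allowed by rule 1, ICMP caught by the deny rule.
        "tc1_rdp_VMA-1_to_VMB-2": policy.evaluate(vms["VMA-1"], vms["VMB-2"], "tcp", 3389),
        "tc1_icmp_VMA-1_to_VMB-1": policy.evaluate(vms["VMA-1"], vms["VMB-1"], "icmp", None),
        # A VM outside every group hits the implicit deny and carries no rule ID.
        "unknown_vm_ssh_to_VMA-1": policy.evaluate(VM("Stray", "host10"), vms["VMA-1"], "tcp", 22),
    }
    # Test case 4: deny VMB-1 -> VMA-1, then move VMB-1 to the other host.
    policy.rules.insert(0, Rule(3, "VMB-1", "VMA-1", ANY, "deny"))
    results["tc4_before_vmotion"] = policy.evaluate(vms["VMB-1"], vms["VMA-1"], "icmp", None)
    moved = migrate(vms["VMB-1"], "host11")
    results["tc4_after_vmotion"] = policy.evaluate(moved, vms["VMA-1"], "icmp", None)
    return results


if __name__ == "__main__":
    for name, verdict in run_test_cases().items():
        print(f"{name}: {verdict}")
```

The implicit-deny verdict returns no rule ID, which is why an event with no Rule ID in the logs deserves a second look during rule review.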

Test case 2: vCloud Networking and Security Edge NAT policy

This test case confirms that NAT translations are applied to incoming and outgoing virtual machine traffic on the Edge firewall. The test objectives were to demonstrate source and destination NAT policy creation and to verify execution for traffic passing through Edge.

Test procedure

1. Defined the NAT policy for Edge by accessing the Network Virtualization tab and selecting the deployed Edge virtual firewall.
2. Created source NAT and destination NAT policies for Edge to illustrate proper translation functionality. The screenshot below shows the policy definitions.

Test results

An SSH session was initiated from VMA-1, with its original internal IP address, to the aggregate switch. The translated external IP address was seen on the switch, indicating source IP address translation per the source NAT rule.

Test case 3: vCloud Networking and Security Manager high availability

This test case validates high availability for vCloud Networking and Security Manager. The test objectives were to show zero downtime for workload traffic and firewall functionality during migration of Manager from one host to another.

Test procedure

1. Installed the Manager virtual appliance on the AMP, which contains a cluster of two ESXi hosts using shared storage and a vSphere Distributed Switch.
2. Migrated the virtual machine from the original host to the secondary host on the AMP cluster.
3. Generated traffic between the test virtual machines to monitor downtime and firewall functionality.

Test results

The Manager virtual appliance was successfully moved (using vMotion) to the secondary host. During the migration, there was no loss of traffic between the test virtual machines, and the App and Edge firewalls continued to function normally. During the migration, access to the vCloud Networking and Security Manager GUI was lost and firewall rules could not be created. This downtime was minimal and did not affect the virtual firewalls or workloads.

Test case 4: Policy set and high-availability workload

This test case validates highly available workloads and network access. The test objectives included simulating a high-availability workload environment and verifying that the App firewall policy moves with a virtual machine when it is migrated to another host.

Test procedure

1. Created a Deny rule to block traffic from test VMB-1 to VMA-1. See below for the rule definition.
2. Migrated VMB-1 to the secondary host on the test cluster (vShield Cluster, as shown in the screenshot below) to simulate a high-availability workload environment.

3. Generated a continuous ping from the source to the destination virtual machine during this entire time.

Test results

Per the rule definition, all traffic from VMB-1 to VMA-1, including ICMP, was blocked by the App firewall. Test VMB-1 was successfully moved (using vMotion) to the secondary ESXi host with minimal downtime. Traffic continued to be blocked after the vMotion migration completed, indicating that the App policy followed the virtual machine from one host to the other and denied all traffic going to VMA-1 per the rule set.

Test case 5: Sensitive data discovery

This test case demonstrates the use of the sensitive data discovery functions in vCloud Networking and Security App with Data Security. The test objectives included creating, executing, and reporting on the scanning policy run by the Data Security SVM against a target virtual machine.

Test procedure

1. Set a policy to detect compliance with the PCI regulation standards (PCI-DSS, as shown in the screenshot below).
2. Selected a security group (the VMA objects) as the target area for scans.
3. Defined a set of file extensions to monitor during scanning. The following screenshot shows the policy creation:

4. Placed a trigger file on VMA-1 to demonstrate and verify proper data security scanning.

Test results

We successfully viewed the scanning results under the Reports section of Data Security. The report showed the completion date and time as well as a violation count for PCI. This indicated that the scan successfully picked up the trigger file and reported the expected results.

Test case 6: Logging

This test case validates the logging behavior of the App and Edge firewalls. App firewall logging was verified using the Flow Monitor feature in the App firewall and an external syslog server. The test objectives included the following:

- Reviewing syslog using the Flow Monitor feature in the App firewall. This feature provides useful flow information (port, protocol, number of sessions) on traffic through each of the test virtual machines. Built-in reports, such as top sources and top destinations, are readily available for review.
- Sending syslogs from both the App and Edge firewalls to an external syslog server, running on a virtual machine in the AMP, for review.

Test procedure

1. For the event log test on the App firewall, selected the primary or secondary ESXi host and accessed the vShield tab.
2. Set up the syslog configuration in the Service Virtual Machines section.
3. Defined an IP address and a logging level of Warning.

The following screenshots show the syslog setup on the App firewall.

4. Configured the syslog server and logging levels on the Edge firewall, as shown in the following screenshot:
5. Used a syslog server as the external syslog collector to verify proper logging from the vCloud Networking and Security firewalls.
6. Used the Flow Monitor feature on the App firewall to review allowed and blocked flows.

Test results

The firewalls logged all pass-through traffic and forwarded the syslogs to the syslog collector. Each syslog entry also included the Rule ID, which references the exact firewall rule that triggered the event. Allowed and blocked traffic was also viewed under the Flow Monitor section of the App firewall, as shown below:
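As an added example of what a collector-side review of these events looks like (example code, not from the guide, VCE or VMware), the following Python parses firewall syslog lines, builds the per-rule and top-source/top-destination counts that Flow Monitor reports, and flags Rule IDs that no longer exist in the policy. The log line layout, hostnames and addresses are constructed for this example and are not the real vShield syslog format.

```python
"""Parse and summarize virtual firewall syslog events by Rule ID.

Added example, not VCE or VMware code. The line layout below is constructed
for this example; it is not the real vShield App or Edge syslog format, so
adjust LINE_RE to the collector's actual input.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (documentation address ranges, not the lab's VLANs or IPs).
SAMPLE_LOG = """\
Dec 10 09:00:01 esxi-host10 vfw: rule=1 action=ALLOW proto=tcp src=192.0.2.11 dst=192.0.2.22 dport=3389
Dec 10 09:00:02 esxi-host10 vfw: rule=2 action=DENY proto=icmp src=192.0.2.11 dst=192.0.2.21 dport=-
Dec 10 09:00:03 esxi-host10 vfw: rule=2 action=DENY proto=icmp src=192.0.2.11 dst=192.0.2.22 dport=-
Dec 10 09:00:04 esxi-host11 vfw: rule=3 action=DENY proto=icmp src=192.0.2.21 dst=192.0.2.11 dport=-
Dec 10 09:00:05 esxi-host11 vfw: rule=3 action=DENY proto=tcp src=192.0.2.21 dst=192.0.2.11 dport=22
Dec 10 09:00:06 esxi-host11 vfw: rule=9 action=ALLOW proto=tcp src=192.0.2.21 dst=192.0.2.12 dport=445
Dec 10 09:00:07 esxi-host11 vfw: heartbeat ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vfw: "
    r"rule=(?P<rule>\d+) action=(?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+|-)$"
)


@dataclass(frozen=True)
class FlowEvent:
    ts: str
    host: str
    rule_id: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_log(text: str) -> tuple[list[FlowEvent], int]:
    """Return the parsed flow events and the count of lines that did not match."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # non-flow lines (heartbeats, truncated records)
            continue
        dport = None if m["dport"] == "-" else int(m["dport"])
        events.append(FlowEvent(m["ts"], m["host"], int(m["rule"]), m["action"],
                                m["proto"], m["src"], m["dst"], dport))
    return events, skipped


def summarize(events: list[FlowEvent], top_n: int = 3) -> dict:
    """Per-rule hit counts plus top sources/destinations, like Flow Monitor's reports."""
    by_rule = Counter((e.rule_id, e.action) for e in events)
    top_src = Counter(e.src for e in events).most_common(top_n)
    top_dst = Counter(e.dst for e in events).most_common(top_n)
    return {"by_rule": dict(by_rule), "top_sources": top_src, "top_destinations": top_dst}


def unknown_rule_ids(events: list[FlowEvent], known: set[int]) -> set[int]:
    """Rule IDs seen in the log that the current policy does not contain.

    A hit on an unknown ID means the event came from a rule that has since been
    edited or deleted, or from a host whose policy is out of date; resolve that
    before relying on the log to reconstruct what a rule allowed or blocked.
    """
    return {e.rule_id for e in events} - known


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(summarize(evs), "skipped lines:", skipped)
    print("unknown rule ids:", unknown_rule_ids(evs, {1, 2, 3}))
```

Because the timestamps come from each host's own clock, the per-host NTP configuration described under Virtualization configuration is what makes events from host10 and host11 comparable in this output.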


Conclusion

Converged infrastructure requires a different approach to firewalls. The traditional network control points where discrete firewalls could be inserted do not exist, requiring a change in how network access control functions are delivered. The VMware vCloud Networking and Security product line includes two virtual firewalls, App and Edge, which offer protection and benefits beyond the limitations of physical security. The Vblock Solution for VMware Virtual Firewalls demonstrates tight integration of the vCloud Networking and Security components with the Vblock System, enabling simplified administration and preserving secure administrative practices. These virtual firewalls help monitor and control traffic within, to, and from a Vblock System environment.

In this guide, we provided a high-level description of the solution components and architecture, examined key design considerations and best practices for implementation, and demonstrated validation of each of the key features required for a successful deployment of vCloud Networking and Security firewalls on Vblock Systems.

Next steps

To learn more about this and other solutions, contact a VCE representative or visit

References

For supporting and additional information, refer to the following:

- VMware vCloud Networking and Security overview
- VMware vCloud Networking and Security documentation
- VMware vShield Administration Guide
- VMware vShield Installation and Upgrade Guide

ABOUT VCE

VCE, formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock Systems, delivers the industry's only fully integrated and fully virtualized cloud infrastructure system. VCE solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure. For more information, go to

Copyright 2012 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.


More information

Helping Customers Move Workloads into the Cloud. A Guide for Providers of vcloud Powered Services

Helping Customers Move Workloads into the Cloud. A Guide for Providers of vcloud Powered Services Helping Customers Move Workloads into the Cloud A Guide for Providers of vcloud Powered Services Technical WHITE PAPER Table of Contents Introduction.... 3 About VMware vcloud Connector.... 3 Use Cases....

More information

Acronis Backup Advanced Version 11.5 Update 6

Acronis Backup Advanced Version 11.5 Update 6 Acronis Backup Advanced Version 11.5 Update 6 APPLIES TO THE FOLLOWING PRODUCTS Advanced for VMware / Hyper-V / RHEV / Citrix XenServer / Oracle VM BACKING UP VIRTUAL MACHINES Copyright Statement Copyright

More information

Vblock Infrastructure Platforms 2010 Vblock Platforms Architecture Overview

Vblock Infrastructure Platforms 2010 Vblock Platforms Architecture Overview www.vce.com Vblock Infrastructure Platforms 2010 Vblock Platforms Version 1.3 November 2011 2011 VE ompany, LL. All Rights Reserved. Revision history Revision history Date Version Author Description of

More information

DCICT: Introducing Cisco Data Center Technologies

DCICT: Introducing Cisco Data Center Technologies DCICT: Introducing Cisco Data Center Technologies Description DCICN and DCICT will introduce the students to the Cisco technologies that are deployed in the Data Center: unified computing, unified fabric,

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.1 Embedded vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

Configuration Maximums VMware vsphere 4.1

Configuration Maximums VMware vsphere 4.1 Topic Configuration s VMware vsphere 4.1 When you select and configure your virtual and physical equipment, you must stay at or below the maximums supported by vsphere 4.1. The limits presented in the

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com

Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com 1 Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com Agenda Cloud Computing VMware and Security Network Security Use Case Securing View Deployments Questions 2 IT consumption

More information

Setup for Failover Clustering and Microsoft Cluster Service

Setup for Failover Clustering and Microsoft Cluster Service Setup for Failover Clustering and Microsoft Cluster Service Update 1 ESX 4.0 ESXi 4.0 vcenter Server 4.0 This document supports the version of each product listed and supports all subsequent versions until

More information

VMware vsphere Replication Administration

VMware vsphere Replication Administration VMware vsphere Replication Administration vsphere Replication 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

VMware vsphere Basics

VMware vsphere Basics ware vsphere Basics ESXi 5.0 vcenter Server 5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check

More information

NSX Installation and Upgrade Guide

NSX Installation and Upgrade Guide NSX 6.0 for vsphere This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN-001391-01

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN-001391-01 vsphere 6.0 ESXi 6.0 vcenter Server 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

VMware vshield Zones R E V I E W E R S G U I D E

VMware vshield Zones R E V I E W E R S G U I D E VMware vshield Zones R E V I E W E R S G U I D E Table of Contents Getting Started..................................................... 3 About This Guide...................................................

More information

Cisco Virtual Network Management Center

Cisco Virtual Network Management Center Data Sheet Cisco Virtual Network Management Center Introduction The dynamic nature of the cloud paradigm introduces new needs for automation, but it also facilitates new types of automation due to the

More information

A Platform Built for Server Virtualization: Cisco Unified Computing System

A Platform Built for Server Virtualization: Cisco Unified Computing System A Platform Built for Server Virtualization: Cisco Unified Computing System What You Will Learn This document discusses how the core features of the Cisco Unified Computing System contribute to the ease

More information

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN-000599-01

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN-000599-01 ESXi 5.0 vcenter Server 5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Configuration Maximums VMware vsphere 4.0

Configuration Maximums VMware vsphere 4.0 Topic Configuration s VMware vsphere 4.0 When you select and configure your virtual and physical equipment, you must stay at or below the maximums supported by vsphere 4.0. The limits presented in the

More information

Configuration Maximums

Configuration Maximums Topic Configuration s VMware vsphere 5.0 When you select and configure your virtual and physical equipment, you must stay at or below the maximums supported by vsphere 5.0. The limits presented in the

More information

www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview

www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview Document revision 2.0 April 2015 VCE Vision Intelligent Operations Version 2.6 Technical Overview Revision history Revision

More information

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION Automated file synchronization Flexible, cloud-based administration Secure, on-premises storage EMC Solutions January 2015 Copyright 2014 EMC Corporation. All

More information

Microsegmentation Using NSX Distributed Firewall: Getting Started

Microsegmentation Using NSX Distributed Firewall: Getting Started Microsegmentation Using NSX Distributed Firewall: VMware NSX for vsphere, release 6.0x REFERENCE PAPER Table of Contents Microsegmentation using NSX Distributed Firewall:...1 Introduction... 3 Use Case

More information

EMC VSPEX END-USER COMPUTING

EMC VSPEX END-USER COMPUTING IMPLEMENTATION GUIDE EMC VSPEX END-USER COMPUTING VMware Horizon 6.0 with View and VMware vsphere for up to 2,000 Virtual Desktops Enabled by EMC VNX and EMC Data Protection EMC VSPEX Abstract This describes

More information

TECHNICAL PAPER. Veeam Backup & Replication with Nimble Storage

TECHNICAL PAPER. Veeam Backup & Replication with Nimble Storage TECHNICAL PAPER Veeam Backup & Replication with Nimble Storage Document Revision Date Revision Description (author) 11/26/2014 1. 0 Draft release (Bill Roth) 12/23/2014 1.1 Draft update (Bill Roth) 2/20/2015

More information

Installing Intercloud Fabric Firewall

Installing Intercloud Fabric Firewall This chapter contains the following sections: Information About the Intercloud Fabric Firewall, page 1 Prerequisites, page 1 Guidelines and Limitations, page 2 Basic Topology, page 2 Intercloud Fabric

More information

SonicWALL SRA Virtual Appliance Getting Started Guide

SonicWALL SRA Virtual Appliance Getting Started Guide COMPREHENSIVE INTERNET SECURITY SonicWALL Secure Remote Access Appliances SonicWALL SRA Virtual Appliance Getting Started Guide SonicWALL SRA Virtual Appliance5.0 Getting Started Guide This Getting Started

More information

Table of Contents. vsphere 4 Suite 24. Chapter Format and Conventions 10. Why You Need Virtualization 15 Types. Why vsphere. Onward, Through the Fog!

Table of Contents. vsphere 4 Suite 24. Chapter Format and Conventions 10. Why You Need Virtualization 15 Types. Why vsphere. Onward, Through the Fog! Table of Contents Introduction 1 About the VMware VCP Program 1 About the VCP Exam 2 Exam Topics 3 The Ideal VCP Candidate 7 How to Prepare for the Exam 9 How to Use This Book and CD 10 Chapter Format

More information

Advanced Service Design

Advanced Service Design vcloud Automation Center 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Cisco Application Networking Manager Version 2.0

Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager (ANM) software enables centralized configuration, operations, and monitoring of Cisco data center networking equipment

More information

What s New in VMware vsphere 4.1 VMware vcenter. VMware vsphere 4.1

What s New in VMware vsphere 4.1 VMware vcenter. VMware vsphere 4.1 What s New in VMware vsphere 4.1 VMware vcenter VMware vsphere 4.1 W H I T E P A P E R VMware vsphere 4.1 ( vsphere ) continues to improve on its industry-leading virtualization platform, continuing the

More information

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC Securing the Journey to the Private Cloud Dominique Dessy RSA, the Security Division of EMC June 2010 Securing the Journey to The Private Cloud The Journey IT Production Business Production IT-As-A-Service

More information

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology White Paper IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology Abstract EMC RecoverPoint provides full support for data replication and disaster recovery for VMware ESX Server

More information

Achieve Automated, End-to-End Firmware Management with Cisco UCS Manager

Achieve Automated, End-to-End Firmware Management with Cisco UCS Manager Achieve Automated, End-to-End Firmware Management with Cisco UCS Manager What You Will Learn This document describes the operational benefits and advantages of firmware provisioning with Cisco UCS Manager

More information

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware VM-Series for VMware The VM-Series for VMware supports VMware NSX, ESXI stand-alone and vcloud Air, allowing you to deploy next-generation firewall security and advanced threat prevention within your VMware-based

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Set Up a VM-Series NSX Edition Firewall

Set Up a VM-Series NSX Edition Firewall Set Up a VM-Series NSX Edition Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA

More information

CISCO UNIFIED COMMUNICATIONS FOR MIDSIZE DATA CENTERS ON VBLOCK SYSTEM 200

CISCO UNIFIED COMMUNICATIONS FOR MIDSIZE DATA CENTERS ON VBLOCK SYSTEM 200 CISCO UNIFIED COMMUNICATIONS FOR MIDSIZE DATA CENTERS ON VBLOCK SYSTEM 200 Version 1.0 March 2013 2013 VCE Company, LLC. All Rights Reserved. Copyright 2013 VCE Company, LLC. All Rights Reserved. VCE believes

More information

VMware vsphere Data Protection 6.1

VMware vsphere Data Protection 6.1 VMware vsphere Data Protection 6.1 Technical Overview Revised August 10, 2015 Contents Introduction... 3 Architecture... 3 Deployment and Configuration... 5 Backup... 6 Application Backup... 6 Backup Data

More information

Set Up a VM-Series NSX Edition Firewall

Set Up a VM-Series NSX Edition Firewall Set Up a VM-Series NSX Edition Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA

More information

VMware Workspace Portal Reference Architecture

VMware Workspace Portal Reference Architecture VMware Workspace Portal 2.1 TECHNICAL WHITE PAPER Table of Contents Executive Summary.... 3 Overview.... 4 Hardware Components.... 5 VMware vsphere.... 5 VMware Workspace Portal 2.1.... 5 VMware Horizon

More information

Monitoring Hybrid Cloud Applications in VMware vcloud Air

Monitoring Hybrid Cloud Applications in VMware vcloud Air Monitoring Hybrid Cloud Applications in ware vcloud Air ware vcenter Hyperic and ware vcenter Operations Manager Installation and Administration Guide for Hybrid Cloud Monitoring TECHNICAL WHITE PAPER

More information

How to Deploy a Nexus 1000v lab with a single ESX host.

How to Deploy a Nexus 1000v lab with a single ESX host. How to Deploy a Nexus 1000v lab with a single ESX host. By Robert Burns CCIE Data Center #37856 *Slight variation works with VMware Workstation/Fusion also. *Details of third party OS & application installation

More information