Securing Hybrid Clouds with VMware vshield Edge VPNs. A Guide for Providers of vcloud Powered Services

Transcription

1 Securing Hybrid Clouds with VMware vshield Edge VPNs A Guide for Providers of vcloud Powered Services Technical WHITE PAPER

2 Securing Hybrid Clouds with VMware vshield Edge VPNs Table of Contents Introduction VMware vshield Edge... 3 Virtual Private Networks Enable Hybrid Clouds Use Cases Prerequisites Establishing Single-Site and Multi-Site VPNs Establishing Enterprise-to-Site VPNs Conclusion...10 For More Information VMware Contact Information Providing Feedback TECHNICAL WHITE PAPER / 2

3 Securing Hybrid Clouds with VMware vshield Edge VPNs Introduction Security is a top concern among organizations evaluating cloud service providers. While most service providers allow customers to implement their own security measures, few of them have comprehensive security tools to offer their customers. Among these tools, one of the most important to customers and service providers alike is the ability to securely interconnect physical and virtual datacenters with virtual private networks (VPNs). VPNs are important tools that enable enterprise IT organizations to securely connect their own physical, virtual, and cloud environments to virtual datacenters hosted by service providers and thus create secure hybrid clouds. With connectivity to public clouds secured by VPN, organizations can freely move everything including test, development, production, and overflow workloads into the cloud without having to worry about loss or corruption of data in transit. From the enterprise datacenter s perspective, a virtual datacenter in the public cloud is simply another subnet in its network topology. For cloud service providers, supporting VPNs makes it easier to attract customers and garner more of their workloads, increasing revenue and strengthening partnerships with customers. Fortunately, providers of vcloud Powered services have the VPN capability of VMware vshield Edge integrated into VMware vcloud Director 1.5. Using a self-service GUI, customers can securely interconnect their enterprise datacenters with virtual datacenters in the cloud. With vshield Edge, customers can first secure their virtual datacenters using the product s perimeter security features, and then secure communication between datacenters using the product s VPN capabilities. The result is that customers can treat their service providers as seamless extensions of their own datacenters, making cloud adoption straightforward and secure. This white paper reviews the capabilities of vshield Edge, and the common use cases for using VPNs in hybrid cloud environments. It then proceeds to illustrate the simplicity and ease with which customers of vcloud Powered services can securely interconnect their datacenters. VMware vshield Edge VMware vshield Edge is a network security solution for virtual datacenters hosted by vcloud Director 1.5 to provide customers with their own dedicated set of securely isolated virtual resources. It provides essential security capabilities such as network security gateway services and Web load balancing for performance and availability vshield Edge works in concert with vcloud Director to automate and accelerate the secure provisioning of datacenters in multitenant cloud infrastructures. Functions such as gateway services are accessible through vcloud Director GUIs, and some (such as Web load balancing) require accessing vshield Edge GUIs. vcloud Director separates duties for security and virtual infrastructure administrators, limiting access only to authorized administrators. VMware vshield Edge provides firewall, VPN, Web load balancing, network address translation (NAT), and DHCP services to virtual datacenters. Deployed as a virtual appliance, it can be positioned to protect the perimeter of a virtual datacenter while acting as the termination point for VPNs. It can also be used to implement network segmentation within virtual datacenters, allowing network infrastructure to scale along with virtual infrastructure. vshield Edge can be used to securely interconnect multiple virtual datacenters, and because it implements an industry-standard IPsec-based VPN, it can connect to physical VPN appliances at enterprise datacenter sites. The integration of vshield Edge and vcloud Director is important for both providers of vcloud Powered services and their customers. The integration: Allows security features to be provisioned by customers with a self-service model Reduces administration overhead for providers of vcloud Powered services Limits sharing of customer information (such as pre-shared VPN keys) with the service provider, increasing TECHNICAL WHITE PAPER / 3

4 Securing Hybrid Clouds with VMware vshield Edge VPNs security for customers Allows virtual networks to be scaled along with virtual infrastructure by allowing additional vshield Edge appliances to be deployed as needed Provides customer usage information to VMware vcenter Chargeback for customer billing purposes While the integration with vcloud Director does enable self-service provisioning of many vshield Edge features, it does not support self service for Web load balancing or static routing (firewalling without also using NAT). These features could be offered as additional value-added services by providers of vcloud Powered services. Both Load Balancing and VPN options require a vshield Edge premium license. Virtual Private Networks Enable Hybrid Clouds Hybrid clouds interconnect multiple clouds over public networks, whether the clouds are private clouds hosted at customer sites, or multiple public clouds. The functionality of vshield Edge VPNs allows multiple clouds to be interconnected securely, thus making them work as if they are extensions of a single datacenter. The network topologies include the following: Multi-Site vcloud Deployment vshield Edge VPNs can connect multiple VMware vcloud deployments. For example, an enterprise private cloud can be securely connected to the organization s virtual datacenter in a service provider s public cloud (Figure 1). Similarly, virtual datacenters hosted by multiple vcloud Powered service providers can be interconnected. These examples secure communication between clouds over public networks. Single-Site VMware vcloud Deployment vshield Edge VPNs can connect different virtual datacenters hosted by the same service provider, even hosted in the same vcloud Director instance (Figure 1). This example secures communication between networks hosted on shared infrastructure. Provider of vcloud Powered Services Secure Single-Site Virtual Private Network Enterprise Datacenter with vcloud Deployment Secure Multi-Site Virtual Private Networks vshield Edge Applance Figure 1. Multi-site and single-site deployments interconnect multiple vshield Edge appliances. T ECHNICAL W HI T E P A P E R / 4

5 Securing Hybrid Clouds with VMware vshield Edge VPNs Enterprise Site to vcloud Deployment vshield Edge VPNs can securely connect enterprises with fixed router or firewall-based VPNs to virtual datacenters hosted by providers of vcloud Powered services (Figure 2). Because vshield Edge supports industry-standard IPsec-based VPNs, a wide range of devices, including those from Check Point, Cisco, and Juniper, can be used to terminate the VPN at the enterprise location Provider of vcloud Powered Services Enterprise Datacenter with Physical VPN Appliance vshield Edge Applance Secure Virtual Private Network Enterprise Datacenter Physical IPsec VPN Appliance Figure 2. Enterprise site to vcloud deployments connect physical VPN appliances to vshield Edge instances. Use Cases The network topologies that providers of vcloud Powered services are most likely to encounter involve two use cases for vshield Edge VPNs: Connecting multiple virtual datacenters regardless of location. This single use case supports both multi-site and single-site vcloud deployments and connecting private clouds in enterprise environments with virtual datacenters hosted by providers of vcloud Powered services. Connecting enterprise datacenters with virtual datacenters. This is a common use case for organizations wishing to augment their own capacity with the capacity of a public cloud. From the standpoint of implementing these use cases with vshield Edge VPNs, the main difference is the endpoints. In the first case, both endpoints are vshield Edge appliances located at the perimeter of a virtual datacenter. In the second case, a vshield Edge appliance establishes a VPN with a physical device located in an enterprise datacenter. Prerequisites In order to establish a site-to-site VPN, a small number of prerequisites must be fulfilled: Each VPN appliance, whether a vshield Edge instance or a physical appliance, must have a fixed IP address that makes the appliances visible to each other. In the case of multi-site VPNs, this requires public IP addresses. In the case of single-site VPNs, private addresses can be used as long as the appliances are on the same network or the addresses are routable. The vshield Edge appliance must allow the following protocols to pass: Encapsulating Security Payload (ESP) (protocol 50), Internet Key Exchange (IKE) (UDP port 500), and UDP port 4500 for NAT traversal. Note that establishing a VPN does not automatically establish perimeter security. The vshield Edge appliance must be configured to deny any unauthorized traffic in order to fully secure the remote site. TECHNICAL WHITE PAPER / 5

6 Securing Hybrid Clouds with VMware vshield Edge VPNs About NAT Traversal The use cases discussed in this paper handle NAT Traversal, a situation where there network address translation is interposed between the two vshield Edge gateway devices. NAT Traversal overcomes the problems inherent in encrypting IPsec ESP packets that include translated addresses that must be modified in the payload, thus causing checksum errors and other incompatibilities. NAT Traversal provides the mechanism for network peers to discover if there are NAT devices between them, and allows the peers to set up a UDP tunnel to transport the ESP packet. NAT Traversal does this by inserting a UDP header and a NAT Traversal header between the original IP header and ESP header. These added fields provide enough information for the recipient to reconstruct the original packet, and intermediate NAT devices can then perform port-translations using the UDP header. NAT Traversal and all the other IPsec protocols including IKE and ESP only pass between the vshield Edge devices. The internal virtual machines communicating to the vshield Edge devices do not need to be aware of the existence of the tunnel. Establishing Single-Site and Multi-Site VPNs This is the simplest use case because when the two VPN endpoints are supported by vshield Edge the software can automatically exchange shared-secret authentication credentials and the VPN setup is almost fully automated. The topology, including IP addressing, for this example is illustrated in Figure /24 vshield Edge Appliance Public Network vshield Edge Applance /24 Figure 3. Single-site and multi-site VPN example topology and addressing. 1. In the vcloud Director Organization Portal, open the Configure Services dialog for the virtual datacenter s external network. 2. In the Configure Services dialog, enable the site-to-site VPN and add a tunnel to another network. TECHNICAL WHITE PAPER / 6

7 Securing Hybrid Clouds with VMware vshield Edge VPNs 3. Give the VPN a descriptive name, and choose A Network in Another Organization to prepare a multi-site VPN, or A Network in This Organization to prepare a VPN within the same virtual datacenter. 4. The dialog that pops up will ask for credentials for the remote site s vcloud Director Organization Portal. It then uses the credentials to log into the remote site, prepare it to accept the VPN, and exchange sharedsecret authentication credentials. TECHNICAL WHITE PAPER / 7

8 Securing Hybrid Clouds with VMware vshield Edge VPNs 5. Another dialog will pop up asking to confirm the remote peer network, and once this is selected the site-tosite VPN will be operational. Confirm that this is the case on both sites being interconnected by checking Operational status on the Site-to-Site VPN tab. Establishing Enterprise-to-Site VPNs This use case is slightly more complex because the VPN appliance at the enterprise location must be configured following the manufacturer s instructions before the VPN is established from the vshield Edge appliance. The topology and addressing for this example is illustrated in Figure 4. Enterprise Datacenter /24 Physical IPsec VPN Appliance Public Network vshield Edge Applance /24 Figure 4. Enterprise-to-site VPN example topology and addressing. 1. Configure an IPsec VPN on the physical appliance at the enterprise site. Use shared secret authentication and capture the shared secret for use when configuring the vshield Edge appliance. Certificate-based authentication is supported by vshield Edge, however the interface provided to organization administrators does not support this function. If certificate-based authentication is needed, the cloud service provider would have to set up the VPN manually. TECHNICAL WHITE PAPER / 8

9 Securing Hybrid Clouds with VMware vshield Edge VPNs 2. Open the Configure Services dialog from the virtual datacenter s external network. Enable the site-to-site VPN. 3. Set up the VPN to A Remote Network. Give the VPN a descriptive name, and select A Remote Network. Fill in the information describing the enterprise VPN appliance, select an encryption protocol to match the enterprise VPN appliance s setup, and provide the shared secret that was captured during the physical appliance setup. TECHNICAL WHITE PAPER / 9

10 Securing Hybrid Clouds with VMware vshield Edge VPNs 4. Once the site-to-site VPN is set up the tunnel status will be reported as Operational in the Configure Services dialog Conclusion The industry-standard, IPsec-based VPN functionality built into vshield Edge enables providers of vcloud Powered services to break down a barrier that keeps enterprises from fully embracing public clouds: security. Using vshield Edge appliances to protect the perimeter of virtual datacenters, and then to interconnect them using VPNs, customers have the capability to establish the same security in their cloud deployments as they do in their physical ones. With customers using a self-service interface to support their own security needs, and chargeback mechanisms in place, providers of vcloud Powered services have another value-added service that can attract more business and build stronger relationships with customers. For More Information For more information on VMware vshield Edge, please visit For more information on vshield Edge VPNs, please refer to VMware vshield Edge and vshield App Reference Design Guide at VMware Contact Information For additional information, VMware s global network of solutions providers is ready to assist. If you would like to contact VMware directly, you can reach a sales representative at VMWARE ( outside North America) or sales@vmware.com. When ing, please include the state, country, and company name from which you are inquiring. Providing Feedback VMware appreciates your feedback on the material included in this guide, and in particular, would be grateful for any guidance on the following topics: How useful was the information in this guide? What other specific topics would you like to see covered? Please send your feedback to vcloudpowered@vmware.com, with Securing Hybrid Clouds with VMware vshield Edge VPNs in the subject line. Thank you for your help in making this guide a valuable resource. TECHNICAL WHITE PAPER / 10

11 VMware, Inc Hillview Avenue Palo Alto CA USA Tel Fax Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-VSPP-vSHLD-VPN-USLET-101