Securing Hybrid Clouds with VMware vShield Edge VPNs. A Guide for Providers of vCloud Powered Services


Technical White Paper

Table of Contents

Introduction ... 3
VMware vShield Edge ... 3
Virtual Private Networks Enable Hybrid Clouds ... 4
Use Cases ... 5
Prerequisites ... 5
Establishing Single-Site and Multi-Site VPNs ... 6
Establishing Enterprise-to-Site VPNs ... 8
Conclusion ... 10
For More Information ... 10
VMware Contact Information ... 10
Providing Feedback ... 10

Introduction

Security is a top concern among organizations evaluating cloud service providers. While most service providers allow customers to implement their own security measures, few of them have comprehensive security tools to offer their customers. Among these tools, one of the most important to customers and service providers alike is the ability to securely interconnect physical and virtual datacenters with virtual private networks (VPNs).

VPNs are important tools that enable enterprise IT organizations to securely connect their own physical, virtual, and cloud environments to virtual datacenters hosted by service providers and thus create secure hybrid clouds. With connectivity to public clouds secured by VPN, organizations can freely move everything, including test, development, production, and overflow workloads, into the cloud without having to worry about loss or corruption of data in transit. From the enterprise datacenter's perspective, a virtual datacenter in the public cloud is simply another subnet in its network topology. For cloud service providers, supporting VPNs makes it easier to attract customers and garner more of their workloads, increasing revenue and strengthening partnerships with customers.

Fortunately, providers of vCloud Powered services have the VPN capability of VMware vShield Edge integrated into VMware vCloud Director 1.5. Using a self-service GUI, customers can securely interconnect their enterprise datacenters with virtual datacenters in the cloud. With vShield Edge, customers can first secure their virtual datacenters using the product's perimeter security features, and then secure communication between datacenters using the product's VPN capabilities. The result is that customers can treat their service providers as seamless extensions of their own datacenters, making cloud adoption straightforward and secure.

This white paper reviews the capabilities of vShield Edge and the common use cases for VPNs in hybrid cloud environments. It then illustrates the simplicity and ease with which customers of vCloud Powered services can securely interconnect their datacenters.

VMware vShield Edge

VMware vShield Edge is a network security solution for virtual datacenters hosted by vCloud Director 1.5 that provides customers with their own dedicated set of securely isolated virtual resources. It provides essential security capabilities such as network security gateway services and Web load balancing for performance and availability. vShield Edge works in concert with vCloud Director to automate and accelerate the secure provisioning of datacenters in multitenant cloud infrastructures. Functions such as gateway services are accessible through vCloud Director GUIs, and some (such as Web load balancing) require accessing vShield Edge GUIs. vCloud Director separates duties for security and virtual infrastructure administrators, limiting access to authorized administrators only.

VMware vShield Edge provides firewall, VPN, Web load balancing, network address translation (NAT), and DHCP services to virtual datacenters. Deployed as a virtual appliance, it can be positioned to protect the perimeter of a virtual datacenter while acting as the termination point for VPNs. It can also be used to implement network segmentation within virtual datacenters, allowing network infrastructure to scale along with virtual infrastructure. vShield Edge can be used to securely interconnect multiple virtual datacenters, and because it implements an industry-standard IPsec-based VPN, it can connect to physical VPN appliances at enterprise datacenter sites.

The integration of vShield Edge and vCloud Director is important for both providers of vCloud Powered services and their customers. The integration:

- Allows security features to be provisioned by customers with a self-service model
- Reduces administration overhead for providers of vCloud Powered services
- Limits sharing of customer information (such as pre-shared VPN keys) with the service provider, increasing security for customers
- Allows virtual networks to be scaled along with virtual infrastructure by allowing additional vShield Edge appliances to be deployed as needed
- Provides customer usage information to VMware vCenter Chargeback for customer billing purposes

While the integration with vCloud Director does enable self-service provisioning of many vShield Edge features, it does not support self-service for Web load balancing or static routing (firewalling without also using NAT). These features could be offered as additional value-added services by providers of vCloud Powered services. Both the load balancing and VPN options require a vShield Edge premium license.

Virtual Private Networks Enable Hybrid Clouds

Hybrid clouds interconnect multiple clouds over public networks, whether the clouds are private clouds hosted at customer sites or multiple public clouds. vShield Edge VPNs allow multiple clouds to be interconnected securely, making them work as if they were extensions of a single datacenter. The network topologies include the following:

Multi-Site vCloud Deployment

vShield Edge VPNs can connect multiple VMware vCloud deployments. For example, an enterprise private cloud can be securely connected to the organization's virtual datacenter in a service provider's public cloud (Figure 1). Similarly, virtual datacenters hosted by multiple vCloud Powered service providers can be interconnected. These examples secure communication between clouds over public networks.

Single-Site VMware vCloud Deployment

vShield Edge VPNs can connect different virtual datacenters hosted by the same service provider, even when hosted in the same vCloud Director instance (Figure 1). This example secures communication between networks hosted on shared infrastructure.

Figure 1. Multi-site and single-site deployments interconnect multiple vShield Edge appliances. (The figure shows a provider of vCloud Powered services running a secure single-site virtual private network between two vShield Edge appliances, and an enterprise datacenter with a vCloud deployment joined to the provider by secure multi-site virtual private networks.)

Enterprise Site to vCloud Deployment

vShield Edge VPNs can securely connect enterprises with fixed router- or firewall-based VPNs to virtual datacenters hosted by providers of vCloud Powered services (Figure 2). Because vShield Edge supports industry-standard IPsec-based VPNs, a wide range of devices, including those from Check Point, Cisco, and Juniper, can be used to terminate the VPN at the enterprise location.

Figure 2. Enterprise site to vCloud deployments connect physical VPN appliances to vShield Edge instances. (The figure shows a secure virtual private network between a vShield Edge appliance at the provider of vCloud Powered services and a physical IPsec VPN appliance in the enterprise datacenter.)

Use Cases

The network topologies that providers of vCloud Powered services are most likely to encounter involve two use cases for vShield Edge VPNs:

- Connecting multiple virtual datacenters regardless of location. This single use case supports both multi-site and single-site vCloud deployments, and connecting private clouds in enterprise environments with virtual datacenters hosted by providers of vCloud Powered services.
- Connecting enterprise datacenters with virtual datacenters. This is a common use case for organizations wishing to augment their own capacity with the capacity of a public cloud.

From the standpoint of implementing these use cases with vShield Edge VPNs, the main difference is the endpoints. In the first case, both endpoints are vShield Edge appliances located at the perimeter of a virtual datacenter. In the second case, a vShield Edge appliance establishes a VPN with a physical device located in an enterprise datacenter.

Prerequisites

In order to establish a site-to-site VPN, a small number of prerequisites must be fulfilled:

- Each VPN appliance, whether a vShield Edge instance or a physical appliance, must have a fixed IP address that makes the appliances visible to each other. In the case of multi-site VPNs, this requires public IP addresses. In the case of single-site VPNs, private addresses can be used as long as the appliances are on the same network or the addresses are routable.
- The vShield Edge appliance must allow the following protocols to pass: Encapsulating Security Payload (ESP, IP protocol 50), Internet Key Exchange (IKE, UDP port 500), and UDP port 4500 for NAT traversal.

Note that establishing a VPN does not automatically establish perimeter security. The vShield Edge appliance must be configured to deny any unauthorized traffic in order to fully secure the remote site.
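The prerequisites above name the three flows the perimeter must pass, and the NAT Traversal section that follows describes how ESP is carried inside UDP when a NAT sits between the gateways. As an added example, not taken from the paper or from VMware's software, the Python below models both following RFC 3948 (ESP behind a UDP/4500 header, IKE on UDP/4500 prefixed by a four-byte non-ESP marker), shows that a NAT on the path rewrites only the outer UDP header, and applies a deny-by-default perimeter decision that admits nothing but those flows. The SPI, ports and packet bytes are constructed values.

```python
import struct

# IP protocol numbers and UDP ports the vShield Edge perimeter must pass for a
# site-to-site IPsec VPN: ESP (50), IKE (UDP 500) and NAT traversal (UDP 4500).
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
# RFC 3948: IKE carried on UDP/4500 is prefixed with four zero bytes so it can be
# told apart from UDP-encapsulated ESP (an ESP SPI of zero is reserved).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
VPN_FLOWS = {"esp", "ike", "natt-ike", "natt-esp"}


def build_esp(spi, seq, encrypted_body):
    """ESP header (SPI, sequence number) followed by the opaque encrypted body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + encrypted_body


def udp_encapsulate(esp, src_port=NATT_PORT, dst_port=NATT_PORT):
    """NAT-T data path: a UDP header sits between the IP header and the ESP header.
    The UDP checksum is zero (allowed for IPv4), so a NAT need not recompute it."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def nat_translate(datagram, new_src_port):
    """What a NAT between the gateways does: rewrite the outer UDP source port.
    Everything after the 8-byte UDP header, i.e. the ESP packet, is untouched."""
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst_port, length, 0) + datagram[8:]


def classify(proto, dst_port, l4_payload):
    """Name the VPN flow an outer packet belongs to, or 'other'. dst_port is None
    for ESP (no ports); l4_payload is the UDP payload, or the ESP packet itself."""
    if proto == IPPROTO_ESP and len(l4_payload) >= 8:
        return "esp"
    if proto == IPPROTO_UDP and dst_port == IKE_PORT:
        return "ike"
    if proto == IPPROTO_UDP and dst_port == NATT_PORT:
        if l4_payload[:4] == NON_ESP_MARKER:
            return "natt-ike"
        if len(l4_payload) >= 8:
            return "natt-esp"
    return "other"


def perimeter_decision(proto, dst_port, l4_payload):
    """Deny-by-default rule for traffic addressed to the gateway: only the flows
    listed in the prerequisites are admitted; anything else needs its own rule."""
    flow = classify(proto, dst_port, l4_payload)
    return ("allow" if flow in VPN_FLOWS else "deny"), flow


def esp_spi(l4_payload):
    """SPI and sequence number of a plain or UDP-encapsulated ESP packet, so that
    monitoring can tie tunnel traffic to a known security association."""
    if l4_payload[:4] == NON_ESP_MARKER:
        raise ValueError("IKE, not ESP")
    return struct.unpack("!II", l4_payload[:8])


if __name__ == "__main__":
    # Constructed sample: ESP from one gateway, UDP-encapsulated, then source-port
    # translated by a NAT on the path; the receiving perimeter still admits it.
    esp = build_esp(0x1A2B3C4D, 7, b"\xde\xad\xbe\xef" * 4)
    datagram = nat_translate(udp_encapsulate(esp), 61000)
    print(perimeter_decision(IPPROTO_UDP, NATT_PORT, datagram[8:]))  # ('allow', 'natt-esp')
    print(esp_spi(datagram[8:]))                                      # (439041101, 7)
    print(perimeter_decision(IPPROTO_UDP, 53, b"\x00" * 12))          # ('deny', 'other')
```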

About NAT Traversal

The use cases discussed in this paper handle NAT Traversal, the situation in which network address translation is interposed between the two vShield Edge gateway devices. NAT Traversal overcomes the problems inherent in passing encrypted IPsec ESP packets through address translation: the translated addresses would have to be modified inside the protected payload, causing checksum errors and other incompatibilities. NAT Traversal provides the mechanism for network peers to discover whether there are NAT devices between them, and allows the peers to set up a UDP tunnel to transport the ESP packets. NAT Traversal does this by inserting a UDP header and a NAT Traversal header between the original IP header and the ESP header. These added fields provide enough information for the recipient to reconstruct the original packet, and intermediate NAT devices can then perform port translation using the UDP header.

NAT Traversal and all the other IPsec protocols, including IKE and ESP, only pass between the vShield Edge devices. The internal virtual machines communicating via the vShield Edge devices do not need to be aware of the existence of the tunnel.

Establishing Single-Site and Multi-Site VPNs

This is the simplest use case: when both VPN endpoints are vShield Edge appliances, the software can automatically exchange shared-secret authentication credentials, and the VPN setup is almost fully automated. The topology, including IP addressing, for this example is illustrated in Figure 3.

Figure 3. Single-site and multi-site VPN example topology and addressing. (The figure shows a vShield Edge appliance with addresses 172.16.1.1 and 10.149.64.7 in front of network 172.16.1.0/24, the public network, and a vShield Edge appliance with addresses 10.150.24.201 and 172.16.2.1 in front of network 172.16.2.0/24.)

1. In the vCloud Director Organization Portal, open the Configure Services dialog for the virtual datacenter's external network.

2. In the Configure Services dialog, enable the site-to-site VPN and add a tunnel to another network.

3. Give the VPN a descriptive name, and choose A Network in Another Organization to prepare a multi-site VPN, or A Network in This Organization to prepare a VPN within the same virtual datacenter.

4. The dialog that pops up will ask for credentials for the remote site's vCloud Director Organization Portal. It then uses the credentials to log into the remote site, prepare it to accept the VPN, and exchange shared-secret authentication credentials.

5. Another dialog will pop up asking to confirm the remote peer network, and once this is selected the site-to-site VPN will be operational. Confirm that this is the case on both sites being interconnected by checking Operational status on the Site-to-Site VPN tab.

Establishing Enterprise-to-Site VPNs

This use case is slightly more complex because the VPN appliance at the enterprise location must be configured following the manufacturer's instructions before the VPN is established from the vShield Edge appliance. The topology and addressing for this example are illustrated in Figure 4.

Figure 4. Enterprise-to-site VPN example topology and addressing. (The figure shows a physical IPsec VPN appliance in the enterprise datacenter with addresses 172.16.1.1 and 10.149.64.1 in front of network 172.16.1.0/24, the public network, and a vShield Edge appliance with addresses 10.150.24.201 and 172.16.2.1 in front of network 172.16.2.0/24.)

1. Configure an IPsec VPN on the physical appliance at the enterprise site. Use shared-secret authentication and capture the shared secret for use when configuring the vShield Edge appliance. Certificate-based authentication is supported by vShield Edge; however, the interface provided to organization administrators does not support this function. If certificate-based authentication is needed, the cloud service provider would have to set up the VPN manually.

2. Open the Configure Services dialog from the virtual datacenter's external network. Enable the site-to-site VPN.

3. Set up the VPN to A Remote Network: give the VPN a descriptive name and select A Remote Network. Fill in the information describing the enterprise VPN appliance, select an encryption protocol to match the enterprise VPN appliance's setup, and provide the shared secret that was captured during the physical appliance setup.

4. Once the site-to-site VPN is set up, the tunnel status will be reported as Operational in the Configure Services dialog.

Conclusion

The industry-standard, IPsec-based VPN functionality built into vShield Edge enables providers of vCloud Powered services to break down a barrier that keeps enterprises from fully embracing public clouds: security. Using vShield Edge appliances to protect the perimeter of virtual datacenters, and then to interconnect them using VPNs, customers can establish the same security in their cloud deployments as they do in their physical ones. With customers using a self-service interface to support their own security needs, and chargeback mechanisms in place, providers of vCloud Powered services have another value-added service that can attract more business and build stronger relationships with customers.

For More Information

For more information on VMware vShield Edge, please visit http://www.vmware.com. For more information on vShield Edge VPNs, please refer to the VMware vShield Edge and vShield App Reference Design Guide at http://www.vmware.com/go/vshield-design-guide.

VMware Contact Information

For additional information, VMware's global network of solutions providers is ready to assist. If you would like to contact VMware directly, you can reach a sales representative at 1-877-4VMWARE (650-475-5000 outside North America) or email sales@vmware.com. When emailing, please include the state, country, and company name from which you are inquiring.

Providing Feedback

VMware appreciates your feedback on the material included in this guide, and in particular would be grateful for any guidance on the following topics:

- How useful was the information in this guide?
- What other specific topics would you like to see covered?

Please send your feedback to vcloudpowered@vmware.com, with "Securing Hybrid Clouds with VMware vShield Edge VPNs" in the subject line. Thank you for your help in making this guide a valuable resource.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-VSPP-vSHLD-VPN-USLET-101