
In this article by Mike Greer, the author of vSphere Security Cookbook, we will cover the following topics:

  • Installing vShield App
  • Configuring vShield App
  • Configuring vShield App Flow Monitoring


Introduction

Most modern operating systems can run a firewall on the host itself. The rules configured in a host-based firewall manage traffic at the host level and provide an additional layer of defense alongside network firewalls and intrusion detection systems. Multiple layers of security make up a complete defense-in-depth architecture: each layer provides protection should another layer fail or be compromised.

The second component of the vShield family we’ll configure is vShield App. vShield App is a host-based layer 2 firewall that is implemented at the vNIC level of the hypervisor. vShield App presents itself as a virtual appliance in the vCenter management tool. For each protected ESXi host, there is an associated vShield App virtual machine that runs on that host. To protect the entire virtualization environment managed by vCenter, it is important to install vShield App on each ESXi host in the datacenter. Leaving a host unprotected creates the opportunity for virtual machines to be moved to it, either by vMotion or manually. Where DRS is in use, it is very likely that virtual machines will be moved to an unprotected host if it has resources available and adjacent hosts are under high load.

Installing vShield App

The vShield App is required to provide host-level security and firewall services to each individual ESXi host. This process must be completed on each ESXi host individually.

Getting ready

A Core Infrastructure Suite (CIS) or vCloud Networking and Security (vCNS) license must be installed prior to installing vShield App and vShield Edge.

vShield App is installed per ESXi host, and vShield Manager must have been previously installed as a prerequisite.

In order to proceed, we require access to vShield Web Console. The client can be run on any modern Windows or Mac desktop operating system or server operating system.

vShield Web Console requires Adobe Flash, which is not supported on Linux operating systems at this time.

Ensure the account used for login has administrative rights to vShield Manager.

How to do it…

Perform the following steps:

  1. We’ll open the vShield Manager Web Console and log in with an administrative account.
  2. Navigate to Datacenter | Lab Cluster | esx5501.training.lab within vShield Manager.

    Ensure the ESXi host targeted for installation is not hosting the VM running vCenter. vShield Manager needs a connection to vCenter, and the installation of vShield App will disrupt the network connection to the ESXi host.

  3. Locate vShield App from the Summary tab.
  4. Click on Install next to vShield App.


  5. Select the Datastore to hold the vShield App service information. In our example, we’ll use datastore1.
  6. Select the available Management Port Group that can communicate with the vShield Manager installed previously. In our example, we’ll use Internal Network.
  7. Enter the vShield App IP address. In our example, we’ll use 192.168.10.30.

    The IP address of the vShield App must be unique and not previously assigned.

  8. Enter the Netmask. In our example, we’ll use 255.255.255.0.
  9. Enter the Default Gateway. In our example, we’ll use 192.168.10.1.
  10. Ensure the vShield Endpoint checkbox is cleared.
  11. Click on the Install button.
  12. The status will be shown during the installation, as shown in the following screenshot:
  13. Verify the completion of the setup with no errors.

    If an error occurs, the details regarding the error will be highlighted in yellow and begin with vShield App installation encountered error while installing service VM <error details>.


  14. Repeat this process for additional ESXi hosts. If vCenter is running on an ESXi host, use vMotion to migrate that VM to another host prior to installation.

How it works…

vShield App provides firewall functionality to an ESXi host by installing a virtual appliance that is tied to the local host. The virtual appliance is stored on the local datastore to the host. Each firewall appliance is named with the host name included for clarity. In our example, we installed on the ESXi host named esx5501.training.lab and the corresponding firewall appliance is named vShield-FW-esx5501.training.lab.

One important point to consider: if the vShield App fails on a particular ESXi host and the default rule is set to deny, all traffic to the host will be denied, which can make troubleshooting difficult.

If a vShield App installation fails and requires manual removal, the removal process requires the ESXi host to be rebooted. As a result, all virtual machines running on the host will need to be migrated to other nodes of the cluster or powered down.

Configuring vShield App

There are several important configurations to set in the vShield App management Web Console. Configuring Fail Safe Mode sets the action taken if the vShield App fails or is down; it can be set to either allow or block. Excluding virtual machines such as vCenter is key to proper functionality, since the Exclusion List removes a virtual machine from the scope of the firewall rules.

Getting ready

In order to proceed, we require access to vShield Web Console. The client can be run on any modern Windows or Mac desktop operating system or server operating system.

vShield Web Console requires Adobe Flash, which is not supported on Linux operating systems at this time.

Ensure the account used for login has administrative rights to vShield Manager.

How to do it…

Viewing current status is the first step in assessing the state of the vShield App. Once the app is verified to be in a healthy state, additional configurations can be accomplished by performing the following steps:

  1. Launch vSphere Client using an account with administrative rights. For our example, view the following:
  2. Choose Home | Inventory | Hosts and Clusters from the menu bar.
  3. Navigate to Datacenter | Lab Cluster | esx5501.training.lab.
  4. Select the vShield tab.
  5. Expand vShield-FW-esx5501.training.lab (192.168.10.30).
  6. Note the Status field, which reads In Sync; next to it are two options, Force Sync and Restart.
  7. Current Management Port Information is displayed, including packet, byte, and error counts.
  8. Syslog Servers can be added by IP address.

Configuring the Fail Safe Policy allows traffic to flow or be blocked should the vShield App firewall be down or offline for any reason.

  1. Navigate to Settings & Reports | vShield App within vShield Manager.
  2. Click on Change under Fail Safe. This step will lead to the following screen:
  3. Click on Yes.
  4. Note that Default Fail Safe Configuration set to Block is now changed to Allow.

    In a production environment, there are few occasions when the fail safe setting will be changed to Allow. In a small test environment, should the vShield App be unavailable, all connectivity to the ESXi host will be blocked by default.

Configuring the Exclusion List allows certain virtual machines to function without host based firewall rules being applied to them. This can be done by performing the following steps:

  1. Navigate to Settings & Reports | vShield App within vShield Manager.
  2. Click on Add under Exclusion List.
  3. Select a virtual machine to exclude from vShield App (in our case, it is a Linked vCenter server). Click on Add.
  4. Click on OK.
  5. Click on OK in the next dialog box to confirm.
  6. The selected virtual machine is now excluded from protection.

How it works…

The vShield App host firewall is installed per ESXi host and automatically named by the installation program to include the name of the host. It is also important to note that when a host is put into maintenance mode, the vShield firewall must be shut down in order to let the host successfully enter maintenance mode.

Current Status provides a single view of the firewall associated with the host including the traffic status displayed by packet count, link, and admin status. One important status check is if the firewall is in sync with vShield Manager. Should the firewall fall out of sync, it can be forced to sync and if that fails, the option for restart is also present on the status page.

Fail Safe Policy is an important consideration should the vShield App virtual appliance fail for any reason. The default setting is to block all traffic, and this might seem like a good idea at the outset. Careful consideration should be given to this setting, depending on what type of virtual machines are running on a specific host or cluster. Where mission-critical applications are running on virtual machines within an internal cluster or host, it will make sense to allow traffic if the vShield App is down. The time it takes to identify and remediate the failure could translate into a significant amount of lost business.

Exclusion List, as the name implies, allows certain virtual machines to remain outside the protection of the vShield App firewall. Critical infrastructure such as DNS or Domain Controllers are good candidates to be added to the exclusion list. vCenter servers should always be added to the exclusion list.

Configuring vShield App Flow Monitoring

The vShield App Flow Monitoring is a traffic analysis tool that provides statistics and graphs of the traffic on the virtual network as it passes through a host running vShield App. The information collected and displayed by Flow Monitoring is detailed to the protocol level and is very useful in spotting unwanted traffic flows.

Getting ready

In order to proceed, we require access to the vShield App through the vSphere Client plugin. The plugin can be enabled through the Plug-ins menu in the vSphere Client. This client can be run on any modern Windows desktop operating system or server operating system.

The vShield vSphere Client plugin requires Adobe Flash, which is not supported on Linux operating systems at this time.

Ensure the vCenter account used for login has administrative rights to vShield Manager.

How to do it…

To view the current traffic flow, launch vSphere Client using an account with administrative rights. For our example, view the following:

  1. Navigate to Home | Inventory | Hosts and Clusters from the menu bar.
  2. Navigate to Datacenter and click on the vShield tab.
  3. Select Flow Monitoring.
  4. Note that the Summary information is displayed by default.

  5. Click on Details to view detailed information.
  6. Allowed Flows and Blocked Flows are available to view.
  7. Select DNS-UDP to identify the host lookup traffic on port 53.
  8. Click on Add Rule for Rule Id 1002.
  9. By changing Action from Allow to Block, a firewall rule can be modified to block the DNS traffic from the web server to the DNS Server.
  10. Click on Cancel.

How it works…

The Flow Monitoring component of vShield App, in addition to providing great detail, is able to create vShield App firewall rules on the fly. As shown in the preceding example, we were able to identify DNS traffic from our web server accessing an internal DNS server. Under our governance rules, servers in the DMZ are not allowed to request DNS from internal servers. Implementing a firewall rule adds a control for this policy, and it is easily put in place once the administrator notices the request.

The ability to view traffic by Top Flows, Top Destinations, and Top Sources is very valuable when troubleshooting a problem or tracking down a virus or trojan that is attempting to send valuable information outside the organization during a breach.
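The same review can be scripted against an exported flow list: the script below is an added example, not code from the book or from vShield, and it uses a constructed CSV-style record layout (source, destination, protocol, port, action) rather than vShield's own export format. It ranks Top Sources and Top Destinations and flags allowed DNS-UDP flows from the DMZ to an internal resolver, the governance violation described above; the DMZ and internal address ranges are assumptions for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not vShield's export format):
# src_ip,dst_ip,protocol,dst_port,action
SAMPLE_FLOWS = """\
192.168.10.50,192.168.10.10,UDP,53,ALLOW
192.168.10.50,192.168.10.10,UDP,53,ALLOW
10.0.0.20,192.168.10.10,UDP,53,ALLOW
10.0.0.20,10.0.0.5,UDP,53,ALLOW
10.0.0.20,192.168.10.100,TCP,443,BLOCK
10.0.0.21,192.168.10.10,UDP,53,ALLOW
"""

# Assumed address ranges for this example: DMZ web servers and the
# internal network hosting the DNS server.
DMZ_NET = ip_network("10.0.0.0/24")
INTERNAL_NET = ip_network("192.168.10.0/24")


def parse_flows(text):
    """Parse one flow record per line into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port, action = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "port": int(port), "action": action})
    return flows


def top_n(flows, key, n=3):
    """Top Sources / Top Destinations style ranking by flow count."""
    return Counter(f[key] for f in flows).most_common(n)


def dmz_dns_to_internal(flows):
    """Return allowed DNS-UDP (src, dst) pairs from the DMZ to internal
    resolvers: the flows the governance rule says should be blocked."""
    hits = set()
    for f in flows:
        if (f["proto"] == "UDP" and f["port"] == 53 and f["action"] == "ALLOW"
                and ip_address(f["src"]) in DMZ_NET
                and ip_address(f["dst"]) in INTERNAL_NET):
            hits.add((f["src"], f["dst"]))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top sources:", top_n(flows, "src"))
    print("Top destinations:", top_n(flows, "dst"))
    for src, dst in dmz_dns_to_internal(flows):
        print(f"policy violation: {src} -> {dst} DNS-UDP/53 allowed; add a Block rule")
```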

Summary

This article has thus covered how to set up and configure vShield App.
