Basics
Here I will start covering the basics of vShield components and operations.
vShield Manager
It's a VA deployed from an OVA template and used to manage the other vShield components. There are three methods to connect to vShield Manager:
- Web Console
- vSphere Plug-in
- CLI
Note: vShield Manager can run on a different ESXi host than vShield App or Edge.
vShield Edge
This is used to provide security services at the network edge. It's similar to a Cisco ASA firewall in physical networks. Each vSS port group, vDS port group, or N1KV port profile is protected by a vShield Edge. Another typical use in multi-tenant cloud environments is to isolate OvDCs or PvDCs from each other.
vShield Edge can provide L2L & SSL VPN, firewall services, load balancing, DHCP & NAT services, HA, and routing.
Very Important: vShield Edge filters ONLY the traffic crossing the physical host. Traffic within one PG or between internal PGs won't be filtered by vShield Edge. Even if you try to make the external network for the Edge another internal PG, this won't work unless you create one VM as a routing device; in that case it will work.
vShield App
This component is used to provide security services at the vNIC level. By analogy with physical firewalls you can call it an L2/L3 firewall (even within one VLAN). Each packet or frame entering or exiting a vNIC is checked against the vShield App rules.
vShield App is composed of two components: the vShield App module installed in the hypervisor and the firewall service VA (not a VM). It also supports DRS, vMotion, DPM, and maintenance mode, but you need to install vShield App on all nodes within a cluster.
Note: vShield App uses the VMsafe API to integrate with the ESXi hypervisor.
The vShield App VA can't be migrated using vMotion.
vShield Endpoint
This component offloads Anti-Virus and Anti-Malware processing into a VA. Like vShield App, vShield Endpoint is installed as a module in the hypervisor, while the VA is provided by third-party security vendors.
Summary of all components:
Migrate vShield Components
- vShield Manager and Edge can be migrated between ESXi hosts using DRS, vMotion, and HA.
- vShield App and Endpoint can't be migrated. Therefore, you need to deselect the "Move powered off and suspended virtual machines to other hosts in the cluster" check box to ensure these virtual appliances are not migrated when an ESXi host goes down or enters maintenance mode.
Important Note: vShield Manager must always be available for the Cloud to be up and running. If it is not available, the whole set of cloud services won't be available. In vCD 1.5 an option has been introduced to bypass this dependency.
For any vShield component, don't upgrade its VMTools or uninstall it, to avoid mis-operation.
vShield Installation
vShield Manager
The first component to install is vShield Manager. The OVA template can be downloaded from the VMware website and it can be deployed using vSphere Client.
Once the deployment is completed, you need to log in to the VA using the default CLI account to configure the Management Network Settings.
- Log in using username: admin / password: default.
- Type enable and use password: default.
- Type setup to start configuring the basic networking settings.
Once the management network is ready, use web access to connect to vShield Manager (https://#IPADDR#). The first step is to attach vShield Manager to vCenter Server. The next step is registering the vShield Plugin with vSphere to start accessing vShield Manager from vSphere Client.
From there you start configuring basic settings including DNS, NTP, Time Zone, Logging, Backup, Users/Privileges, etc.
Before proceeding with the installation of the vShield components, you should upload each component's license. Assuming that you have the license keys:
- In vSphere Client navigate to Home > Licensing.
- From the Management tab, select Asset.
- Right-click CIS or vCNS asset and select Change license key.
vShield App
The second component to be installed is vShield App.
vShield App installation will interrupt the network connections of the host where it is being installed. Therefore, migrate your vCenter Server and its DB off this host; vCenter and its DB must be available during installation. vShield Manager should be migrated off the host as well.
As a prerequisite for vShield App installation, the host must have reachability to vShield Manager and vCenter.
To install vShield App, from vSphere Client select an ESXi host from the inventory tree > click the vShield tab > accept the security certificate > click Install for the vShield App service.
Note: For stateless ESXi hosts, some tuning is required. Please refer to the installation guide.
vShield Edge
Prerequisites
- You need one PG (vSS, vDS, or N1K PP) to be used as the vShield Edge External Network. Compared to an ASA, this represents the outside interface of the firewall.
- VMs should be grouped in one PG (vSS, vDS, or N1K PP) to be used as the vShield Edge Internal Network.
Note: Communication between vShield Manager and vShield Edge happens at the VMkernel level and does not use IP communication.
Since vShield Edge filters the traffic crossing the physical host, it will create only ONE VM when installed.
To install vShield Edge, from vSphere Client navigate to Home > Inventory > Networking > select the desired dvPG > click the vShield Edge tab. From there you start deploying vShield Edge for this dvPG, providing the details for the Internal and External PGs.
Once vShield Edge is installed, you can start managing it from the same tab.
vShield Endpoint
As a starting step, you need to install the Endpoint VIB package on each ESXi host, similar to vShield App. The next step is installing the third-party AV server as well as installing VMTools in each machine to be protected. VMTools includes the vShield Thin Agent, which is responsible for communication with the AV server.
vShield Endpoint will open some ports in the ESXi host firewall to allow communication between the Thin Agent and the AV VA through the hypervisor.
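Because the Endpoint install changes the ESXi host firewall, a useful check is to snapshot the enabled rulesets before the install and diff them afterwards, so nothing opens that you did not expect. The shell below is an added example, not code from the original post or from VMware; it parses the table format printed by `esxcli network firewall ruleset list` (a real ESXi command). The two listings are constructed samples embedded inline rather than captured from a host, and the `vShield-Endpoint-Placeholder` ruleset name is a hypothetical placeholder, not the real ruleset name.

```shell
#!/bin/sh
# Constructed sample listings in the format of `esxcli network firewall ruleset list`.
# Names and states are made up for this example; the vShield ruleset name is a placeholder.
SAMPLE_BEFORE='Name                          Enabled
----------------------------  -------
sshServer                     true
sshClient                     false
vpxHeartbeats                 true
ntpClient                     false'

SAMPLE_AFTER='Name                          Enabled
----------------------------  -------
sshServer                     true
sshClient                     false
vpxHeartbeats                 true
vShield-Endpoint-Placeholder  true
ntpClient                     false'

# Print the names of enabled rulesets, one per line.
# NR > 2 skips the header row and the dashed separator row.
enabled_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }'
}

# Return 0 if ruleset $1 is enabled in listing $2, 1 otherwise.
ruleset_enabled() {
    enabled_rulesets "$2" | grep -qx "$1"
}

# Count enabled rulesets in a listing (quick before/after sanity figure).
enabled_count() {
    enabled_rulesets "$1" | wc -l | tr -d ' '
}

# Print rulesets enabled in listing $2 that were not enabled in listing $1.
# The "before" names are tagged B and read first, so awk can skip them in the "after" set.
newly_enabled() {
    { enabled_rulesets "$1" | sed 's/^/B /'; enabled_rulesets "$2" | sed 's/^/A /'; } |
        awk '$1 == "B" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Stand-alone run against the constructed samples.
echo "Enabled before install: $(enabled_count "$SAMPLE_BEFORE")"
echo "Enabled after install:  $(enabled_count "$SAMPLE_AFTER")"
echo "Newly enabled rulesets:"
newly_enabled "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On a real host you would save `esxcli network firewall ruleset list` to a file before the install and pass the saved text and the fresh output to `newly_enabled`; any name you cannot attribute to the Endpoint install is worth investigating before the host goes back into production.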