Really? So it can via a singe "leg" (maybe via promiscous mode?) inspect even such traffic? Are you 100% sure? I wouild like to try it out, but I dont have the possibility just now.

Kind of impressive if it could apply rules to traffic that is not actually passing through the vShield VM?

/Henrik

No not 100% sure , but i am looking for that ... but stuck with some installation issue. Can't locate the Vshield Template from the drop down , while installing it from the manager GUI

Ok! So I guess you can say that traffic needs to pass through a vShield to be controlled by its rules (which makes perfect sense) regardless of source/destination?

Two portgroups without vlans defined in the same switch would for example not be controlled? Or does such traffic "hit" the pNIC enough to be filtered by a vShield?

For sure, any traffic within a portgroup would not be controlled?

/Henrik

Ok! So I guess you

can say that traffic needs to pass through a vShield to be controlled

by its rules (which makes perfect sense) regardless of

source/destination?

-

Correct. Traffic must pass through the vShield so it can block traffic.

Two portgroups without vlans defined in the same switch would for

example not be controlled? Or does such traffic "hit" the pNIC enough

to be filtered by a vShield?

-

The traffic never will hit the pNIC if two VMs on the same vSwitch (even if they are in different portgroups, but have the same VLAN tag) talk to each other, so it will never pass through the vShield appliance.

For sure, any traffic within a portgroup would not be controlled?

-

Correct.

Thanks for the quick reply. I'm really trying to get this.

1) So.. Just to make sure.. Maybe a strange setup, but I guess it proves my question. Two VMs with IP on the same net, say 192.168.0.19/24 and 192.168.0.20/24. No vlans anywhere. Each connected to different vShielded vSwitch, but pNICs on the vSwitches connect to the same pSwitch to make them reach eachother. Now, would a vShield rule of DENY ALL 192.168.0.19/32 192.168.0.20/32 stop traffic between them?

2) More of a geek question maybe, but still.. How does the vShield VM really work? How can it pick up all traffic from all portgroups like that without actually being a def.gw for the traffic? Is there some cool vSwitch API that it uses?

/Henrik

Also, would it be a good practice to locate the vsmgmt portgroup and the vShield mgmtinterface in the vSwitch used for VMKernel (ESXi) administration? That switch is supposed to be well protected anyway, so I guess it makes more sense than to locate those portgroups on an "external" vSwitch? I realise you can do either way, but would this not be a good idea given that vMotion traffic happens on yet another dedicated switch and pNICs?

/Henrik

Sorry to spam you, but do you know what would happen if you were to connect a pNIC to the vShield vSwitch that is created? Will traffic rather go out that way or still via the vShield?

/Henrik

Just to add to Rob's answer to question:

4) Sorry to spam you, but do you know what would happen if you were to

connect a pNIC to the vShield vSwitch that is created? Will traffic

rather go out that way or still via the vShield?

This is not a recommended configuration and it will cause a network loop.

Excellent and fast answers! All points awarded. Btw, I just tried to connect a pNic to the vShield switch. It bypasses the vshield and I reached out to the internet when I wasn't supposed to. Now we know that for a fact..

/Henrik

-- While this is a bit of a strange setup, it would block the traffic because the traffic would be passing through the vShield.

So.. Sorry to bump this to the top again, but I want to be 1000% sure. In the first answer, you say that routng is required for filter to stop the traffic. But in my example, no routing is going on? Still it gets stopped? Slightly confused again..

/Henrik

What we were originally talking about was a single virtual switch with VMs in the same VLAN. In that case the traffic never leaves that virtual switch when those VMs need to communicate with each other. Therefore the traffic never passes through the vShield, but by it. So we cannot provide inline security. In your latest example though you mention that you would have VMs that are part of the same broadcast domain, but are sitting on different hosts. In that case the traffic has to pass through the vShield and at that point it can provide inline security because the traffic is passing through it. My point about the traffic needing to be routed is based on the first example where VMs are "living" on the same vSwitch. For traffic for those VMs to be blocked they would have to be in different VLANs which would cause the traffic to be routed for them to communicate. This would force the traffic to pass through the vShield, which would allow it to provide inline security.

Perfect answer! Thanks. I just wanted to get clear on the requirement of routing. I just talked to one of out network-guys at work, and he mentioned that it was probable that routing was needed in order for it to be able to filter stuff on higher layers (3/4), but I am glad to hear that vShield is smart enough to be able to handle filtering even though traffic is merely flowing straight through it. According to him, this is usually a requirement in the physical world of switches, and yet again I am happy to learn that virtualization is better than physical stuff.

Many thanks for your replies, I now think I have a clear understanding of the features of vShield.

My next thought here is how long we will have to install this separately and treat it as a separate VM at all? Its my guess, but I would not be very surprised if all this functionality moves straight into the vSwitch itself and is managed via the VIC as any other function.. VI 5.0? Maybe called vSquare?

/Henrik

Each time I think I got it all, I find something new.

1) If I check the box "log" on a rule, this means that this info is sent to the specified syslog server? There is no local logging going on that I can find?

2) When defining a L4 VM Wall rule, you specify Destination Application (like HTTP). Does this mean that it actually checks to see that is really IS an HTTP stream, and not, say, a Telnet session using port 80?

/Henrik

Actually it will log locally on the vShield where the traffic was captured. You can get to that by going to click on the vShield object in the tree on the left then click on the Configuration Tab and then Click on the System Status link and flinally the Show Logs link..

The rules are based on layer 4 port numbers and not the applications. The exception to this are for applications like RPC that use ephemeral ports and are opened on an on demand basis.

1) If I check the box"log" on a rule, this means that this info is sent to the specified syslog server? There is no local logging going on that I can find?

Checking the 'log' box on a rule will send this to the specified syslog server and will add it to the vmwall log. Two things to add here:

a)Make sure the syslog log level is set to 'Info'

b)The vmwall log can be found by selecting the vShield on the left hand side tree --> Configuration tab --> System Status --> VMwall Show Logs at the bottom of the page.

2) When defining a L4 VM Wall rule, you specify Destination Application(like HTTP). Does this mean that it actually checks to see that is really IS an HTTP stream, and not, say, a Telnet session using port 80?

In this case the vShield will not do protocol conformance testing to verify that it is HTTP traffic, if say the rule was configured to block, it willl block any traffic sent on port 80. Protocol conformance testing can lead to false positives and is more of an IDS/IPS functionality.

Ah! Great! Is that log recycled to not fill the drive?

/Henrik