I guess a "Trust Zone" is a port group in practice? I would guess that the vShield VM can only inspect and apply rules to traffic leaving and entering the switch?
What about traffic between port groups in the same switch then? I would guess that is not checked by vShield either?
So.. When I think some more here.. I guess that a "Trust Zone" is actually a switch?
Also, does it catch all traffic? No matter what vlan/portgroup it is destined for?
/Henrik
I consolidated all of your most recent questions into one response. See below.
1) So.. Just to make sure.. Maybe a strange setup, but I guess it
proves my question. Two VMs with IP on the same net, say
192.168.0.19/24 and 192.168.0.20/24. No vlans anywhere. Each connected
to different vShielded vSwitch, but pNICs on the vSwitches connect to
the same pSwitch to make them reach eachother. Now, would a vShield
rule of DENY ALL 192.168.0.19/32 192.168.0.20/32 stop traffic between
them?
While this is a bit of a strange setup, it would block the traffic because the traffic would be passing through the vShield.
-
2) More of a geek question maybe, but still.. How does the vShield VM
really work? How can it pick up all traffic from all portgroups like
that without actually being a def.gw for the traffic? Is there some
cool vSwitch API that it uses?
It the vShield appliance connects to a promiscuous mode port group in order to see all the traffic and be able to bridge that traffic between the internal vSwitch and the external vSwitch.
-
3) Also, would it be a good practice to locate the vsmgmt portgroup and
the vShield mgmtinterface in the vSwitch used for VMKernel (ESXi)
administration? That switch is supposed to be well protected anyway, so
I guess it makes more sense than to locate those portgroups on an
"external" vSwitch? I realise you can do either way, but would this not
be a good idea given that vMotion traffic happens on yet another
dedicated switch and pNICs?
The only problem with that is that you may inadvertantly connect another VM to that portgroup that you shouldnt. At which point that VM would have direct access to the management network. It may be better to set it up in a seperate management zone and then open the proper ports so the manager can communicate with the vCenter server. Definitly you will want to use the new roles and permissions in vSphere to limit access the vsmgmt port group to only authorized individuals. By doing that you can mitigate the issue of the port group being on the same vswitch as the vmkernel portgroup, so in that case it may be OK. The real key is to protect that management network from regular VM traffic. However you accomplish really depends on your situation.
-
4) Sorry to spam you, but do you know what would happen if you were to
connect a pNIC to the vShield vSwitch that is created? Will traffic
rather go out that way or still via the vShield?
If you connected a pNIC to it and that pNIC were connected to a physical switch then yes the traffic would just go directly that way. Actually you would likely end up creating a loop in the network because the vShield will still be repeating that traffic out to the physical network as well. I'd have to test this to be sure, but I am fairly certain this would be a bad thing to do.
-
I guess intra VM traffic is also inspected .
Really? So it can via a singe "leg" (maybe via promiscous mode?) inspect even such traffic? Are you 100% sure? I wouild like to try it out, but I dont have the possibility just now.
Kind of impressive if it could apply rules to traffic that is not actually passing through the vShield VM?
/Henrik
No not 100% sure , but i am looking for that ... but stuck with some installation issue. Can't locate the Vshield Template from the drop down , while installing it from the manager GUI
In essense. a trust zone is to networks that are seperated by some form of layer 3/4 device. In other words you would need to route between those networks. 2 VLANs would be an example of that. vShield Zones will allow you to monitor traffic between port groups whether they are part of the same VLAN or not, but will only block traffic when it has to go out to a router to get between the port groups. Essentially if they are in seperate VLANs, they will have to go through a router and vShield Zones will be able to block that traffic.
I think the simplist way to look at it is that Zones is able to see and report on all traffic flows, but can only block based on normal layer 3 network constructs.
I hope this helps.
Ok! So I guess you can say that traffic needs to pass through a vShield to be controlled by its rules (which makes perfect sense) regardless of source/destination?
Two portgroups without vlans defined in the same switch would for example not be controlled? Or does such traffic "hit" the pNIC enough to be filtered by a vShield?
For sure, any traffic within a portgroup would not be controlled?
/Henrik
Ok! So I guess you
can say that traffic needs to pass through a vShield to be controlled
by its rules (which makes perfect sense) regardless of
source/destination?
-
Correct. Traffic must pass through the vShield so it can block traffic.
Two portgroups without vlans defined in the same switch would for
example not be controlled? Or does such traffic "hit" the pNIC enough
to be filtered by a vShield?
-
The traffic never will hit the pNIC if two VMs on the same vSwitch (even if they are in different portgroups, but have the same VLAN tag) talk to each other, so it will never pass through the vShield appliance.
For sure, any traffic within a portgroup would not be controlled?
-
Correct.
Thanks for the quick reply. I'm really trying to get this.
1) So.. Just to make sure.. Maybe a strange setup, but I guess it proves my question. Two VMs with IP on the same net, say 192.168.0.19/24 and 192.168.0.20/24. No vlans anywhere. Each connected to different vShielded vSwitch, but pNICs on the vSwitches connect to the same pSwitch to make them reach eachother. Now, would a vShield rule of DENY ALL 192.168.0.19/32 192.168.0.20/32 stop traffic between them?
2) More of a geek question maybe, but still.. How does the vShield VM really work? How can it pick up all traffic from all portgroups like that without actually being a def.gw for the traffic? Is there some cool vSwitch API that it uses?
/Henrik
Also, would it be a good practice to locate the vsmgmt portgroup and the vShield mgmtinterface in the vSwitch used for VMKernel (ESXi) administration? That switch is supposed to be well protected anyway, so I guess it makes more sense than to locate those portgroups on an "external" vSwitch? I realise you can do either way, but would this not be a good idea given that vMotion traffic happens on yet another dedicated switch and pNICs?
/Henrik
Sorry to spam you, but do you know what would happen if you were to connect a pNIC to the vShield vSwitch that is created? Will traffic rather go out that way or still via the vShield?
/Henrik
I consolidated all of your most recent questions into one response. See below.
1) So.. Just to make sure.. Maybe a strange setup, but I guess it
proves my question. Two VMs with IP on the same net, say
192.168.0.19/24 and 192.168.0.20/24. No vlans anywhere. Each connected
to different vShielded vSwitch, but pNICs on the vSwitches connect to
the same pSwitch to make them reach eachother. Now, would a vShield
rule of DENY ALL 192.168.0.19/32 192.168.0.20/32 stop traffic between
them?
While this is a bit of a strange setup, it would block the traffic because the traffic would be passing through the vShield.
-
2) More of a geek question maybe, but still.. How does the vShield VM
really work? How can it pick up all traffic from all portgroups like
that without actually being a def.gw for the traffic? Is there some
cool vSwitch API that it uses?
It the vShield appliance connects to a promiscuous mode port group in order to see all the traffic and be able to bridge that traffic between the internal vSwitch and the external vSwitch.
-
3) Also, would it be a good practice to locate the vsmgmt portgroup and
the vShield mgmtinterface in the vSwitch used for VMKernel (ESXi)
administration? That switch is supposed to be well protected anyway, so
I guess it makes more sense than to locate those portgroups on an
"external" vSwitch? I realise you can do either way, but would this not
be a good idea given that vMotion traffic happens on yet another
dedicated switch and pNICs?
The only problem with that is that you may inadvertantly connect another VM to that portgroup that you shouldnt. At which point that VM would have direct access to the management network. It may be better to set it up in a seperate management zone and then open the proper ports so the manager can communicate with the vCenter server. Definitly you will want to use the new roles and permissions in vSphere to limit access the vsmgmt port group to only authorized individuals. By doing that you can mitigate the issue of the port group being on the same vswitch as the vmkernel portgroup, so in that case it may be OK. The real key is to protect that management network from regular VM traffic. However you accomplish really depends on your situation.
-
4) Sorry to spam you, but do you know what would happen if you were to
connect a pNIC to the vShield vSwitch that is created? Will traffic
rather go out that way or still via the vShield?
If you connected a pNIC to it and that pNIC were connected to a physical switch then yes the traffic would just go directly that way. Actually you would likely end up creating a loop in the network because the vShield will still be repeating that traffic out to the physical network as well. I'd have to test this to be sure, but I am fairly certain this would be a bad thing to do.
-
Just to add to Rob's answer to question:
4) Sorry to spam you, but do you know what would happen if you were to
connect a pNIC to the vShield vSwitch that is created? Will traffic
rather go out that way or still via the vShield?
This is not a recommended configuration and it will cause a network loop.
Excellent and fast answers! All points awarded. Btw, I just tried to connect a pNic to the vShield switch. It bypasses the vshield and I reached out to the internet when I wasn't supposed to. Now we know that for a fact..
/Henrik
-- While this is a bit of a strange setup, it would block the traffic because the traffic would be passing through the vShield.
So.. Sorry to bump this to the top again, but I want to be 1000% sure. In the first answer, you say that routng is required for filter to stop the traffic. But in my example, no routing is going on? Still it gets stopped? Slightly confused again..
/Henrik
What we were originally talking about was a single virtual switch with VMs in the same VLAN. In that case the traffic never leaves that virtual switch when those VMs need to communicate with each other. Therefore the traffic never passes through the vShield, but by it. So we cannot provide inline security. In your latest example though you mention that you would have VMs that are part of the same broadcast domain, but are sitting on different hosts. In that case the traffic has to pass through the vShield and at that point it can provide inline security because the traffic is passing through it. My point about the traffic needing to be routed is based on the first example where VMs are "living" on the same vSwitch. For traffic for those VMs to be blocked they would have to be in different VLANs which would cause the traffic to be routed for them to communicate. This would force the traffic to pass through the vShield, which would allow it to provide inline security.
Perfect answer! Thanks. I just wanted to get clear on the requirement of routing. I just talked to one of out network-guys at work, and he mentioned that it was probable that routing was needed in order for it to be able to filter stuff on higher layers (3/4), but I am glad to hear that vShield is smart enough to be able to handle filtering even though traffic is merely flowing straight through it. According to him, this is usually a requirement in the physical world of switches, and yet again I am happy to learn that virtualization is better than physical stuff.
Many thanks for your replies, I now think I have a clear understanding of the features of vShield.
My next thought here is how long we will have to install this separately and treat it as a separate VM at all? Its my guess, but I would not be very surprised if all this functionality moves straight into the vSwitch itself and is managed via the VIC as any other function.. VI 5.0? Maybe called vSquare?
/Henrik
Each time I think I got it all, I find something new.
1) If I check the box "log" on a rule, this means that this info is sent to the specified syslog server? There is no local logging going on that I can find?
2) When defining a L4 VM Wall rule, you specify Destination Application (like HTTP). Does this mean that it actually checks to see that is really IS an HTTP stream, and not, say, a Telnet session using port 80?
/Henrik
Actually it will log locally on the vShield where the traffic was captured. You can get to that by going to click on the vShield object in the tree on the left then click on the Configuration Tab and then Click on the System Status link and flinally the Show Logs link..
The rules are based on layer 4 port numbers and not the applications. The exception to this are for applications like RPC that use ephemeral ports and are opened on an on demand basis.
1) If I check the box"log" on a rule, this means that this info is sent to the specified syslog server? There is no local logging going on that I can find?
Checking the 'log' box on a rule will send this to the specified syslog server and will add it to the vmwall log. Two things to add here:
a)Make sure the syslog log level is set to 'Info'
b)The vmwall log can be found by selecting the vShield on the left hand side tree --> Configuration tab --> System Status --> VMwall Show Logs at the bottom of the page.
2) When defining a L4 VM Wall rule, you specify Destination Application(like HTTP). Does this mean that it actually checks to see that is really IS an HTTP stream, and not, say, a Telnet session using port 80?
In this case the vShield will not do protocol conformance testing to verify that it is HTTP traffic, if say the rule was configured to block, it willl block any traffic sent on port 80. Protocol conformance testing can lead to false positives and is more of an IDS/IPS functionality.
Ah! Great! Is that log recycled to not fill the drive?
/Henrik