TheVMinator (Expert)

What is the Right vShield Product for this Scenario?


Currently we are attempting to design a solution for creating segmentation of traffic within the virtual environment analogous to how it is segmented by VLANs on the physical network.

(see previous discussion)

http://communities.vmware.com/thread/284130?tstart=0

I've come to understand that vShield App provides this functionality through "security groups", which can be used to create logical groupings of VMs in vSphere that can only communicate with other VMs in their own group. In effect, security groups define the limits of a broadcast domain in the same way a VLAN does on the physical layer, but in a solution that is much more flexible and configurable.

As one of the goals was not to have to use NAT or a virtual firewall, we did not want to use the vShield Edge method of creating these groups, which would force the VMs to have internal IP addresses used inside the virtual firewall and external IP addresses used outside of it; every VM should have only one IP address.

So, analyzing the three different products of the vShield suite, I came to this understanding given the requirements above:

- vShield App - would work

- vShield Edge - won't work

- vShield Zones - don't think will work

So now the remaining question is this: vShield App does not come with even the most full-featured VMware license but must be purchased separately. vShield Zones does come with our license version (Enterprise version).

Can vShield Zones or any other free product be made to function in a similar way to vShield App to meet these requirements without the additional cost? In addition, we want to continue to keep using HA and FT without the solution we deploy inhibiting FT or HA.

Thanks again for your input.

Accepted Solution

Texiwill (Leadership)

Hello,

You need to understand how each of these products works.

vShield App uses VMsafe to in effect place a FW just before each vNIC (on ingress to the VM) and consequently just after the vNIC on egress from the VM. This FW sits between the vNIC and the vSwitch Portgroup to which it is attached. VMsafe appliances (whether App, Altor Networks, Checkpoint, Reflex Systems, IBM VSS, or TrendMicro Deep Security) require a driver to be installed within the vmkernel (hypervisor). As such there are NO free versions of this functionality. VMware controls what can be placed within the hypervisor, etc. In effect, VMsafe-net provides a packet filtering firewall per vNIC.

vShield Zones and vShield Edge provide a packet filtering firewall between two portgroups on the same vSwitch or between two different vSwitches. Zones and Edge are based on in-line firewall mechanisms much like Smoothwall, m0n0wall, ipcop, etc.

So you need to design with these two points in mind. VMsafe-net applications such as vShield App are per-vNIC firewalls, while vShield Zones/Edge are per-Portgroup firewalls which encompass quite a few vNICs.

So if you had multiple Trust Zones and wanted to use vShield App, you would set the policy per vNIC (and therefore your VMs within any Trust Zone could live pretty much anywhere; you rely on VMsafe-net to do the heavy lifting).

However, with vShield Zones you set policy per portgroup/vSwitch combination. Each trust zone would in effect live on its own vSwitch/portgroup. I prefer vSwitch when setting up this type of trust zone(s), actually. In essence, each host would have a vSwitch for each trust zone, and each trust zone would be protected by vShield Zones.

You need to decide at what granularity you wish to define the policy for your trust zones: at the vSwitch or at the vNIC.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

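As an added illustration (constructed model, not code from the thread or from VMware), this sketches the two enforcement points Texiwill contrasts: in the per-vNIC model (vShield App / VMsafe-net) the policy travels with the vNIC, so VM placement does not matter; in the per-portgroup model (vShield Zones/Edge) the portgroup is the zone, so a vNIC attached to the wrong portgroup silently inherits that zone's policy. The VM names, zone names and portgroup names are constructed.

```python
"""Model of per-vNIC vs per-portgroup trust-zone enforcement (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VNic:
    vm: str
    zone: str        # trust zone the vNIC's policy is written for (per-vNIC model)
    portgroup: str   # portgroup the vNIC is actually connected to


# Constructed inventory: two trust zones; db02 has been wired to the DMZ portgroup by mistake.
INVENTORY = [
    VNic("web01", "dmz", "pg-dmz"),
    VNic("web02", "dmz", "pg-dmz"),
    VNic("db01", "internal", "pg-internal"),
    VNic("db02", "internal", "pg-dmz"),
]

# Per-portgroup model: each portgroup (or vSwitch) is one trust zone.
PORTGROUP_ZONE = {"pg-dmz": "dmz", "pg-internal": "internal"}


def effective_zone(nic: VNic, model: str) -> str:
    """Zone the firewall actually enforces for this vNIC under the given model."""
    if model == "per_vnic":
        return nic.zone                      # policy bound to the vNIC itself
    if model == "per_portgroup":
        return PORTGROUP_ZONE[nic.portgroup]  # policy bound to where the vNIC is plugged in
    raise ValueError(f"unknown model {model!r}")


def allowed(src: VNic, dst: VNic, model: str) -> bool:
    """Simple intra-zone-only policy: traffic passes only when both ends share a zone."""
    return effective_zone(src, model) == effective_zone(dst, model)


def placement_drift(inventory: list[VNic]) -> list[str]:
    """VMs whose portgroup disagrees with their intended zone.

    Under the per-portgroup model these inherit the wrong policy without any
    error being raised, so this is the check an operator should run."""
    return [n.vm for n in inventory if PORTGROUP_ZONE[n.portgroup] != n.zone]


if __name__ == "__main__":
    web, db = INVENTORY[0], INVENTORY[3]
    for model in ("per_vnic", "per_portgroup"):
        print(f"{model}: web01 -> db02 allowed = {allowed(web, db, model)}")
    print("placement drift:", placement_drift(INVENTORY))
```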