Vcloud Networking Security DMZ Design Deployment Guide

Securing the DMZ with VMware vCloud Networking and Security
Design Approaches and Deployment Guidelines
Table of Contents Executive Summary .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Challenges with the Current Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Legacy DMZ Segmentation Models.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 VMware Recommended Approach. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Fully Collapsed DMZ .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Design Approach Alternatives Using vCloud Networking and Security. . . . . . . . . . . . 6 1. vCloud Networking and Security App Firewall for the Virtual Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2. vCloud Networking and Security Edge Gateway for the Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ Protection . . . . . . . . . . . . . . . . . 8 Deployment Overview for Each Design Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1. vCloud Networking and Security App Firewall for the Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2. vCloud Networking and Security Edge Gateway for the Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3. (A) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionMultiple Network Segments (VLANs/VXLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3. (B) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionSingle Network Segment (Flat VLAN/VXLAN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Deployment and Conguration Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 1. vCloud Networking and Security App Firewall for the Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 A. Setting Up Application Segmentation in the Fully Collapsed DMZ . . . . . 17 B. vCloud Networking and Security App Firewall Rule Object Types .. . . . . 17 C. vCloud Networking and Security App Firewall Rule Management .. . . . . 21 2. vCloud Networking and Security Edge Gateway for the Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 vCloud Networking and Security Edge Gateway Load Balancing. . . . . . . . . 29 vCloud Networking and Security Edge Gateway Firewall .. . . . . . . . . . . . . . . 31 vCloud Networking and Security Edge Gateway Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
TECH N I C AL WH ITE PAPE R / 2
3. (A) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionMultiple Network Segments (VLANs/VXLANs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 3. (B) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionSingle Network Segment (Flat VLAN/VXLAN). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 vCloud Networking and Security Edge Gateway Load Balancing. . . . . . . . . 36 vCloud Networking and Security Edge Gateway Firewall . . . . . . . . . . . . . . . . 38 vCloud Networking and Security App Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . 38 vCloud Networking and Security Edge Gateway Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Appendix A Product Overview and Quick Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Appendix B Installation of vCloud Networking and Security Manager, vCloud Networking and Security App Firewall and vCloud Networking and Security Edge Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 vCloud Networking and Security Manager Installation and Setup . . . . . . . . . . . 41 vCloud Networking and Security App Firewall Installation and Setup .. . . . . . . 42 vCloud Networking and Security Edge Gateway Installation and Setup. . . . . . 44 Appendix C Manager Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Role-Based Access Control .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 System Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 System Restore .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Acknowledgments .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Executive Summary
This paper demonstrates how securing a virtual DMZ environment using VMware vCloud Networking and Security can help your organization reduce capital expenditure and increase agility, while building a cloud-ready, secure and scalable environment for business applications. It also highlights the different design approaches to securing business-critical applications and enables you to make suitable choices for your organization regarding the cloud. Further, it provides conguration guidance to help you with your deployment.
Introduction
VMware customer experience and independent analyst research demonstrate that it is possible to build a fully virtualized, secure, scalable and cost-effective DMZ using vCloud Networking and Security. This paper provides VMware customers with reference architectures and design and deployment guidance, helping them realize benets and mitigate risks. The vCloud Networking and Security product suite provides protection beyond the limitations of physical security in several signicant ways. Based on customer success with vCloud Networking and Security products over the past three years, including validation by well-known Qualied Security Assessors like PCI-certied Coalre, VMware recommends a fully collapsed DMZ approach and has identied three new deployment scenarios for DMZ environments in the virtual datacenter. A fully consolidated DMZ leverages all the advantages of compute, network and security virtualization and provides maximum benets.
Challenges with the Current Approach

Legacy DMZ Segmentation Models
Customers typically use one of the following deployment designs for their DMZ:
Internet
Internet
Internet
Firewall/LB/VPN IDS/IPS Firewall Firewall
Corporate Network
DMZ Application 1 DMZ Application 2
Corporate Network
Corporate Network
Web Tier App Tier
VM
VM
VM VM VM
Web Tier App Tier
VM
VM
VM VM VM
1. Purely Physical DMZ
VM
VM
VM
VM
DMZ Application 1
DMZ Application 2
DMZ Application 1
DMZ Application 2
2. Partially Collapsed DMZ with Physical Separation of Trust Zones
3. Partially Collapsed DMZ with Virtual Separation of Trust Zones
Figure 1. Legacy DMZ Designs
TYPe OF D e P LOY ment
1 . P U R e LY P H Y sica L D M Z
2 . Pa R tia L LY C O L L a P sed D M Z W it H P H Y sica L S e Pa R ati O n O F T R U st ZO nes
3 . Pa R tia L LY C O L L a P sed D M Z W it H V i R t Ua L S e Pa R ati O n O F T R U st ZO nes
Characteristics
No virtualization Application workloads and security that require dedicated hardware
Application workloads run on dedicated virtual clusters and security runs on dedicated hardware Server virtualization partial within tiers
Application workloads with different trust levels might run on shared clusters; security is enforced via physical devices Mixed trust mode deployment full server virtualization High compute utilization, server consolidation ratios CAPEX and OPEX benets Virtual machine placement and mobility limited by network availability Latency due to rewall enforcement at a physical perimeter Overprovisioning to accommodate scale of security services
Advantages
Proven approach Operational familiarity
Security model that does not change from model 1 Staged approach to full virtualization Not fully optimal in consolidation and utilization of resources CAPEX, OPEX and provisioning time benets not fully realized
Disadvantages
High CAPEX and OPEX Management complexity manual operations
Table 1. Comparison of Legacy DMZ Designs
All these approaches deploy network-based security in datacenters. In other words, they use various physical appliances placed in strategic locations on an infrequently changing network fabric. However, when this approach is used for a virtualized datacenter, it can lead to a signicant number of limitations. It cannot dynamically scale. All virtual environment traffic from multiple physical hosts is routed through a small number of physical devices. This limits the capacity available at those physical network security devices that become chokepoints. To handle the dynamic nature of the DMZ and traffic variations from new or existing applications, organizations typically must manage network security devices like IDS and rewall appliances. Because the physical appliances are xed-capacity devices, capacity is usually underor overprovisioned. The overprovisioning or reservation for future use results in underutilization of capacity and signicant increase of CAPEX. There is operational complexity and long provisioning time. Physical topologies are too rigid. One of the hallmarks of a virtual environment is the ability to change in response to the dynamic requirements of an organization. New projects, business cycles and unpredictable demand can be handled through load balancing, rapid provisioning and reconguration. Any solution based upon a static network topology is simply not compatible with these capabilities. Often, complex congurations are required at different network devices to create and provision new VLANs, trunk them at every location that the application virtual machine can move to and direct traffic to go through the rewalls, load balancers and so on. These steps are often time consuming, handled through ticketing systems and involve multiple teams, adding signicantly to the application provisioning time. This operational complexity and long provisioning time is not acceptable for a cloud-like environment. There is no intrahost virtual machine visibility. Traffic owing between virtual machines on the same VMware vSphere host might never touch the physical network and so it cannot be viewed by a physical security device.
The cost and complexity associated with managing physical security devices typically result in organizations deciding not to virtualize as aggressively as they might. In some cases, they deploy workloads without adequate protection. VMware customers have for the most part moved away from deployment option 1 and maintain a sizable degree of deployments in options 2 and 3, albeit with considerable overprovisioning and operational complexity. With virtualization and the advent of the cloud model of computing, static security must be replaced by a more dynamic set of security products.
VMware Recommended Approach

Fully Collapsed DMZ
Taking full advantage of virtualization technology, this approach virtualizes the entire DMZ. Virtual security devices replace and/or supplement physical security devices to provide required isolation for workloads deployed on a shared infrastructure. The fully collapsed DMZ conguration completely leverages consolidation benets and maximizes utilization as servers and security devices are virtualized in this conguration. The fully collapsed DMZ offers the following benets: Highest CAPEX and OPEX savings It provides the highest benet of price versus performance compared to other physical devicebased solutions. This is because the amount of physical-device capacity required in the system decreases through the avoidance of overprovisioning. In addition, consolidation using shared infrastructure eliminates the requirement for physical devices for every service or application. Suited to scale Its easier and cheaper to scale the environment because security capacity can be added on demand by increasing compute resources. Virtual security appliances make it possible to automatically handle dynamic inventory and conguration changes. Higher performance is achieved via a scale-up/ scale-out model using existing compute resources. More important, scale is not limited by the capacity of physical security devices. Higher visibility and controlVirtual security appliances are inherently VMware vSphere vMotion aware and enforce a consistent security posture as workloads migrate from host to host. Security policies are not restricted to physical location or boundaries. Firewall policies are set up using virtualization constructs to inspect and control traffic at either the virtual machine or application boundary and to minimize latency using distributed rewall enforcement points. This enables administrators to monitor and control virtual machine networks with comprehensive logging of all security events within the virtual datacenter. Operational and management simplicity Flexible provisioning and placement of virtual machines are not limited by VLAN availability or capacity and they adapt to the dynamic nature of the virtual environment. The cloud-ready architecture using shared infrastructure and virtual security devices enables organizations to migrate to internal private clouds with ease. Logical security perimeters protect virtual datacenters and enable the safe sharing of network resources in multitenant infrastructures.
Design Approach Alternatives Using vCloud Networking and Security

VMware recommends a fully collapsed DMZ approach using any of the three following deployment scenarios: 1. VMware vCloud Networking and Security App rewall for the virtual environment Deploy a vCloud Networking and Security App rewall behind the existing physical rewall/load balancing/VPN appliance to strengthen the security posture of the virtual environment and include intrahost virtual machine visibility. 2. VMware vCloud Networking and Security Edge gateway for the virtual environment Replace the physical rewall/load balancing/VPN appliance with a vCloud Networking and Security Edge gateway to secure DMZ applications, provide load balancing and VPN services, and enable rapid, secure scaling of cloud infrastructures.
3. vCloud Networking and Security Edge gateway and vCloud Networking and Security Edge App rewall for complete DMZ protection Replace the physical rewall/load balancing/VPN appliance with both a vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway for complete DMZ protection. A vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway together offer comprehensive security and traffic visibility for DMZ applications. In addition, the vCloud Networking and Security Edge gateway provides load balancing, VPN and other services to DMZ applications.
Internet
Firewall/LB/VPN IDS/IPS Firewall
Internet
Internet
IDS/IPS
Firewall
IDS/IPS
Firewall
Corporate Network
Corporate Network
Corporate Network
Web Tier App Tier
VM
VM
VM
VM
VM
Web Tier App Tier
VM
VM
VM
VM
VM
VM
VM
VM
VM
Web Tier App Tier

DMZ Application 2
VM
VM
VM
VM
VM
VM
VM
DMZ Application 1
DMZ Application 2
DMZ Application 1
DMZ Application 1
DMZ Application 2
Figure 2. DMZ Design Approaches Using vCloud Networking and Security
1. vCloud Networking and Security App Firewall for the Virtual Environment When to choose this approach: Pick this option to strengthen the security posture of your virtual environment by adding another layer of rewall security without increasing deployment complexity. Use it to manage intradatacenter traffic with a virtual firewall. Employ it to protect virtual machines from each other in a virtual environment. Choose it to gain visibility into the virtual environment to then map allowed and blocked traffic. Use it to gain centralized management of firewall rules that can replace port ACLs. Choose it to begin leveraging the benefits of full network and security virtualizationbuild trust of cross-functional teams. How to move to this approach: Deploy a vCloud Networking and Security App firewall behind the existing physical firewall. Choose options to keep your existing network design as is or to move all virtual machines to one flat VLAN/VXLAN. There is no network segmenting of tiers or of applications required. Create rules limiting traffic that can flow inside virtual machines on the same VLAN/VXLAN. Choose the following granular and easy options for rule management: - Move the rules that are restricting traffic between the different virtual machines of the datacenter from the physical perimeter rewall to the vCloud Networking and Security App rewall. This minimizes latency and leverages the benets of distributed enforcement points. - Use VMware vCenter containers like clusters and resource pools in firewall rules. - Create logical groups for further segmentation of traffic trust zones. - Choose the option to use IP sets to enable the migration of rules from the physical rewall.
2. vCloud Networking and Security Edge Gateway for the Virtual Environment When to choose this approach: Use this when you must tie multiple edge services like firewalling, VPN, NAT, DHCP and load-balancing capabilities to applications. This enables rapid, secure scaling of cloud infrastructures. Employ this for virtual datacenter traffic management to provide secure multitenancy and delegated management of the virtual environment. Use it when VMware vCloud Director is deployed in the virtual environment to simplify management leveraging the tight integration. How to move to this approach: Replace the physical firewall and introduce a vCloud Networking and Security Edge firewall, load balancing and VPN to secure DMZ applications. Use vCloud Networking and Security Edge gateway services to create logical security perimeters around applications/virtual datacenters (VDCs) and enable secure multitenancy. Put application virtual machines into separate internal VLANs/VXLANs for tier separation and connect them to the external interface. Tie the network isolation, load balancing and NAT configurations to the applications. Introduce rules to limit traffic flowing in and out of the VDC and between different VDCs. 3. vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ Protection When to choose this approach: Use this to strengthen the security posture for virtual, scalable cloud-like environments. Employ it to keep the application-level controls separate from the generic sanity rules that apply to the entire virtual environment. Use it to set the default security posture and still provide delegation to the application owner. For example, the use of a VMware vSphere vApp for vCloud Director in an environment provides a simplied, scalable provider-side control via the vCloud Networking and Security App rewall, along with consumer self-service/self-delegation via the vCloud Networking and Security Edge gateway. Employ it to gain benefits of the price versus performance curve using the fully virtualized rewalls approach. How to move to this approach: Deploy both a vCloud Networking and Security App firewall and vCloud Networking and Security Edge gateway instead of physical rewalls. Use a vCloud Networking and Security App firewall for virtual machinetovirtual machine traffic visibility and control in a network segment and a vCloud Networking and Security Edge gateway for application rules and perimeter rewalling (option 3A in the Deployment and Conguration section in this paper). Another method is to use a vCloud Networking and Security Edge gateway for rules traditionally put in at the physical perimeter and a vCloud Networking and Security App rewall for all application-level rules and virtual machinetovirtual machine traffic visibility (option 3B in the Deployment and Conguration section of this paper).
D e P LOY ment S cena R i O
B ene F its
T R ade - O F F s
vCloud Networking and Security App rewall for the virtual environment
Transparent introduction independent of existing network conguration allowed Simplied network design via at networks allowed Easier rewall rule management via logical grouping of workloads into zones; use of vCenter objects in rules Granular policy denition can inspect and control traffic at virtual machine vNIC Attachment of perimeter services like NAT, load balancing, and so on, to the application workloads Option to provide for self-delegation/self-service of rewall rules Ability to reuse investment in other vendor services via partner integration framework Ability to tie to VDC/vApp constructs from vCloud Director More granular options for consumer- and provider-side controls
Advanced services like NAT/ load balancing and so on, still maintained at physical perimeter
vCloud Networking and Security Edge gateway for the virtual environment
Possible requirement to renetwork application tiers
vCloud Networking and Security Edge gateway and vCloud Networking and Security App rewall for complete DMZ protection
Overhead of managing both vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway
Table 2. Comparison of DMZ Design Approaches Using vCloud Networking and Security
Deployment Overview for Each Design Approach

1. vCloud Networking and Security App Firewall for the Virtual Environment In this deployment, the vCloud Networking and Security App rewall isolates and secures multiple DMZ applications on a single network segment.
DMZ Application 1
DMZ Application 2
App installed on every host in the cluster
Web Tier
App Tier
Web Tier
App Tier
VM
VM
VM
VM
VM
VM
VM
VM
.2
.3
.4
.5
.6
.7
.8
.9
192.168.1.0/24 DMZ-PortGroup
Figure 3. Logical Network View
The vCloud Networking and Security App firewall offers multiple sets of configurable ruleslayer 3 (L3) rules (General tab) and layer 2 (L2) rules (Ethernet tab). L2 rules control what higher-level protocols (like ARP, IPv6, PPP and so on) can communicate over L2. L3 rules control the specic L3 traffic based on IP addresses as well as L4 traffic based on TCP and UDP ports, and therefore related higher-layer application traffic, such as DHCP, HTTP, FTP and so on.
Figure 4. vCloud Networking and Security App Firewall Layer 2 Rules
The rst two L2 rules shown in Figure 4 ensure total isolation between DMZ Application 1 and Application 2. The third and fourth rules show microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers. Even ARP and RARP will be denied.
The rst rule is set up to allow HTTP and HTTPS traffic to Web servers. The second and third rules allow Web server(s)toApp server(s) traffic only on App Port. The fourth rule allows RDP and syslog traffic to the IT Mgmt resource pool. All other traffic is blocked by the default deny rule at the end. Figure 5 also highlights the use of vCenter containers like vApps, resource pools and so on, in dening rules. 2. vCloud Networking and Security Edge Gateway for the Virtual Environment In this deployment, each vCloud Networking and Security Edge gateway is securing a single DMZ application deployed on multiple network segments. Web and App tiers of each DMZ application are deployed on separate networks. The vCloud Networking and Security Edge gateway provides rewall, load balancing, NAT and other services to the DMZ application.
TECH N I C AL WH ITE PAPE R / 1 0
DMZ Application 1
DMZ Application 2
192.168.1.0/24 App1-Web-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.1.0/24 App2-Web-Tier-PG
192.168.2.0/24 App1-App-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.2.0/24 App2-App-Tier-PG
.2
VM
192.168.110.0/24 SJDC-IT-Mgmt-PG
.1
.1
.1
.1
.1
Edge 10.20.181.173
Edge 10.20.181.172
Figure 7. DMZ Application 1 vCloud Networking and Security Edge Gateway Interfaces
The vCloud Networking and Security Edge gateway for DMZ Application 1 has three interfaces with IP addresses assigned, as shown in Figure 7. App1-Web-Tier (192.168.1.1) and App1-App-Tier (192.168.2.1) are Internal interfaces and External (10.20.181.173) is the Uplink interface. Web server virtual machines (192.168.1.2 and 192.168.1.3) use vCloud Networking and Security Edge gateway address 192.168.1.1 as the default gateway to access virtual machines on other internal networks or external resources. Similarly, App server virtual machines (192.168.2.2 and 192.168.2.3) use vCloud Networking and Security Edge gateway address 192.168.2.1 as the default gateway.
Figure 8. DMZ Application 2 vCloud Networking and Security Edge Gateway Interfaces
The vCloud Networking and Security Edge gateway for DMZ Application 2 has four interfaces with IP addresses assigned, as shown in Figure 8. App2-Web (192.168.1.1), App2-App (192.168.2.1) and IT-Mgmt-Apps (192.168.110.1) are Internal interfaces and External (10.20.181.172) is the Uplink interface.
Figure 9. DMZ Application 2 vCloud Networking and Security Edge Gateway Firewall Settings
The rst four rules shown in Figure 9 with the type Internal are autogenerated by VMware vCloud Networking and Security Manager. They allow the traffic generated by various vCloud Networking and Security Edge gateway services and High Availability (HA) heartbeat traffic to move between active and standby instances. The highlighted rules are created by the administrator. The External-to-LB-Web rule allows external traffic to Web services offered using the vCloud Networking and Security Edge gateway load balancer. The DMZ-Servers-to-External rule allows DMZ servers to access the Internet (in other words, to download patches). The Application2-Web-to-App rule allows communication from Web servers to application servers on the application server port.
Figure 10. vCloud Networking and Security Edge Gateway NAT Settings
The rst three entries shown in Figure 10 are autogenerated by vCloud Networking and Security Manager for load balancing and other services. The fourth and fth entries are added by the administrator to allow DMZ servers with private addresses to access the Internet. A single IP (external interface) address is used to represent all servers connecting out (IP masquerading).
Figure 11. vCloud Networking and Security Edge Gateway Load-Balancing Pool Settings
The vCloud Networking and Security Edge gateway provides load balancing for TCP, HTTP and HTTPS traffic. The Web servers of DMZ applications are accessible to users employing the vCloud Networking and Security Edge gateway load balancer. The Web servers of DMZ Application 2 are congured as a pool to service HTTP/HTTPS requests using a round-robin load-balancing algorithm, as shown in Figure 11.
Figure 12. vCloud Networking and Security Edge Gateway Load-Balancing Virtual Server Settings
The vCloud Networking and Security Edge gateway load balancer is congured, as shown in Figure 12, to receive Web requests on the external interface address 10.20.181.172 (virtual server IP address) and route them to the pool of Web servers attached to it. 3. (A) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionMultiple Network Segments (VLANs/VXLANs) In this deployment, the vCloud Networking and Security Edge gateway and vCloud Networking and Security App rewall together provide comprehensive DMZ protection. This is an extension of deployment option 2. Each vCloud Networking and Security Edge gateway secures a DMZ application deployed on multiple network segments and provides a perimeter (north-south traffic) rewall, load balancing, NAT and so on. In addition, the vCloud Networking and Security App rewall creates virtual machinetovirtual machine traffic visibility and control within a network segment.
192.168.1.0/24 App1-Web-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.1.0/24 App2-Web-Tier-PG
192.168.2.0/24 App1-App-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.2.0/24 App2-App-Tier-PG
.2
VM
192.168.110.0/24 SJDC-IT-Mgmt-PG
.1
.1
.1
.1
.1
Edge 10.20.181.173 10.20.181.172
Edge
The vCloud Networking and Security Edge gateway settings are the same as those seen earlier with deployment option 2.
The rst two L2 rules shown in Figure 14 create a microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers. Even ARP and RARP will be denied.
Because the vCloud Networking and Security Edge gateway is protecting the traffic between the tiers of the DMZ application, vCloud Networking and Security App rewall L3 rules are set up with a default of Allow, as shown in Figure 15. A second level of rewalling is achieved by dening vCloud Networking and Security App rewall L3 rules if required. 3. (B) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionSingle Network Segment (Flat VLAN/VXLAN) This is an extension of deployment option 1. In this example, the vCloud Networking and Security App rewall secures two DMZ applications deployed on a single network segment. The vCloud Networking and Security Edge gateway provides perimeter rewalling, load balancing, NAT and so on.
DMZ Application 1
DMZ Application 2
Web Tier
App Tier
Web Tier
App Tier
VM
VM
VM
VM
VM
VM
VM
VM
.2
.3
.4
.5
.6
.7
.8
.9
.1
Edge 10.20.181.172 10.20.181.173

The vCloud Networking and Security App rewall settings are the same as those seen earlier with deployment option 1.
Figure 17. vCloud Networking and Security Edge Gateway Firewall Settings
The rst four rules in Figure 17 with the type Internal are autogenerated by vCloud Networking and Security Manager. These allow the traffic generated by various vCloud Networking and Security Edge gateway services and High Availability (HA) heartbeat traffic to move between active and standby instances. The highlighted rules are created by the administrator. The External-to-LB-Web rule allows external traffic to Web services offered using the vCloud Networking and Security Edge gateway load balancer. The DMZServers-to-External rule allows DMZ servers to contact the Internet (in other words, to download patches).
Figure 18. vCloud Networking and Security Edge Gateway Load Balancer Pool Settings
The Web servers of both DMZ applications are accessible to users using the vCloud Networking and Security Edge gateway load balancer. Two Web server pools are dened, as shown in Figure 18. There is one for each DMZ application, to service HTTP/HTTPS requests using a round-robin load-balancing algorithm.
Figure 19. vCloud Networking and Security Edge Gateway Load Balancer Virtual Server Settings
As shown in Figure 19, two virtual servers, one for each DMZ application, are designed to receive Web requests on the external interfaces (10.20.181.172 and 10.20.181.173) and route them to a pool of attached Web servers.
Figure 20. vCloud Networking and Security Edge Gateway NAT Settings
The rst ve entries shown in Figure 20 are autogenerated by vCloud Networking and Security Manager for load balancing and other services. The sixth entry, highlighted in Figure 20, is added by the administrator to allow DMZ servers with private addresses to access the Internet. A single IP (external interface) address is used to represent all servers connecting out (IP masquerading).
Deployment and Conguration Details

1. vCloud Networking and Security App Firewall for the Virtual Environment Install vCloud Networking and Security App rewall instances on all vSphere hosts within a cluster so that vSphere vMotion operations work and virtual machines remain protected as they migrate between vSphere hosts. Refer to the vCloud Networking and Security App rewall installation section in Appendix B for details. The vCloud Networking and Security App rewall monitors all traffic in and out of a vSphere host, including that between virtual machines in the same port group. The vCloud Networking and Security App rewall does this by placing a lter on every virtual network adaptor. In this section, we cover the following topics: A. Setting up application segmentation in the fully collapsed DMZ B. vCloud Networking and Security App rewall rule object types C. vCloud Networking and Security App rewall rules to isolate different application zones
A. Setting Up Application Segmentation in the Fully Collapsed DMZ The logical network representation of two fully collapsed DMZ Web applications is shown in Figure 21, where all tiers of two different Web applications are on the same network segment (VLAN/VXLAN).
DMZ Application 1
DMZ Application 2
Web Tier
App Tier
Web Tier
App Tier
VM
VM
VM
VM
VM
VM
VM
VM
.2
.3
.4
.5
.6
.7
.8
.9
The vCenter view of this setup is shown in Figure 22. All the virtual machines are connected to the same port group, DMZ-PortGroup. Using the vCloud Networking and Security App firewall rules, we can isolate the single broadcast domain into multiple zones. DMZ Application 1 and Application 2 are deployed as two different vApps, as shown. Each application has a separate vApp for Web tier and application tier servers.
Figure 22. vCenter View
B. vCloud Networking and Security App Firewall Rule Object Types The rules can include multiple sources, destinations and services. We can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like port groups, or other custom container objects such as security groups, IP sets or MAC sets. The containers enable rules to be dynamic. When a new virtual machine joins the container, the rules are applied automatically and we arent required to dene new rules. There is a default deny rule. This means that when a virtual machine is not in a security group, it will by default be unable to communicate until the security team moves it into a group.
Lets look at various container objects used in vCloud Networking and Security App rewall rules to decide what container might best suit your requirements. I. vApps A vApp is a vSphere container of virtual machines that also can be nested. In addition to segmentation, it provides resource allocation and start-up/shut-down order controls. A multitier application in a DMZ usually requires unique protocol ltering for each application, as well as unique security hardening, depending on the tier. This can easily be handled by dening a multilevel, nested vApp. The vApp containers set up for the two DMZ Web applications are shown in Figure 23. They are used in dening vCloud Networking and Security App rewall policies.
Figure 23. vCenter vApps Dened for DMZ Applications
II. Resource pools vSphere resource pools are containers designed to enable the sharing of compute and memory resources within groups of virtual machines. Because resource pools are often used to group closely associated virtual machines, such as those belonging to a particular department in a company, it is easy to leverage this group type for certain kinds of vCloud Networking and Security App rewall policies.
Figure 24. vCenter Resource Pools
III. Services and service groups A service is a protocol-port combination and a service group is a combination of two or more services. You can dene rewall rules for services and service groups. Figure 25 shows the creation of a service for the application server port 8080.
Figure 25. Service Creation
Service groups enable us to combine multiple services and service groups to reduce the number of rules required. Figure 26 shows the service group Web Ports combining HTTP and HTTPS services.
Figure 26. Service Group Creation
IV. MAC sets and IP sets MAC sets are groupings of MAC addresses and IP sets are groupings of IP addresses. Figures 27 and 28 show the creation of an IP set.
Figure 27. Creation of Grouping Objects
Figure 28. Creation of IP Addresses Grouping Object
V. Security groups We can create access control policies based on logical constructs such as security groups, not just physical constructs such as IP addresses. Security groups are the most exible of the containers. This is because they can include other groupings, such as datacenters, clusters, vApps and resource pools, as well as other objects, such as virtual machines, virtual network adaptors, port groups and IP/MAC address sets. This enables users to create groupings based on any number of factors, such as type of application, scope of compliance and so on. Figure 29 shows the creation of a security group. It can combine IP addresses, vApps, resource pools, port groups, datacenters, vNICs and so on.
Figure 29. Security Group Creation
C. vCloud Networking and Security App Firewall Rule Management The vCloud Networking and Security App rewall offers multiple sets of congurable rules. Figure 30 illustrates the use of L3 rules (General tab) and L2 rules (Ethernet tab). L2 rules control which higher-level protocols (like ARP, IPv6, PPP and so on) can communicate over L2. L3 rules control the specic L3 traffic based on IP addresses, as well as L4 traffic based on TCP and UDP ports, and therefore related higher-layer application traffic, such as DHCP, HTTP, FTP and so on. By assessing what communication is required between applications and each tier of the application, it is possible to create L2 rules that block all unnecessary traffic. After locking down unnecessary traffic, L3 rules can restrict necessary traffic channels to required ports and protocols. The rst two L2 rules shown in Figure 30 illustrate total isolation between DMZ Application 1 and Application 2 using vApp containers. All traffic originating from one DMZ application to another is blocked by these vCloud Networking and Security App rewall rules. The third and fourth rules in Figure 30 show microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers. Even ARP and RARP will be denied. If Log is enabled, as in the Action settings shown here, a syslog message is sent from the vCloud Networking and Security App rewall to the congured syslog server when that action is taken. The last rule species a default Allow L2 rule. This is because L2 rules operate before L3 rules and a default deny L2 rule would not allow any traffic ow out of any virtual machine.
The vCloud Networking and Security App rewall segments each of the DMZ application tiers using L3 rules by opening only the required ports and protocols between the tiers. We will show the vCloud Networking and Security App rewall rules that must be used to open the ports and protocols identied in Figure 31 for the DMZ applications to function properly.
Figure 31. Ports and Protocols Used by the DMZ Applications
The following L3 rewall rules are set up as shown in Figure 32 for the two DMZ applications to function properly and to access ControlCenter, a virtual machine running in the IT Mgmt resource pool. Allow HTTP and HTTPS traffic to Web servers (rule 1: External-to-DMZ-Web). Allow Application 1 Web server to Application 1 App server traffic on App Port (rule 2: App1-Web-to-App). Allow Application 2 Web server to Application 2 App server traffic on App Port (rule 3: App2-Web-to-App). Allow RDP and syslog traffic to the IT Mgmt resource pool (rule 4: RDP-Syslog-to-IT-Mgmt). Block all other traffic (rule 5: Default Rule).
The External-To-DMZ security group currently contains the It Mgmt and SJDC Sales VDI resource pools, as shown in Figure 33. The administrator can add additional vCenter containers to this security group to allow access as required.
Figure 33. Security Group Details
vCloud Networking and Security App rewall rules are enforced in top-to-bottom ordering. Ethernet (L2) rules are enforced before General (L3) rules. The vCloud Networking and Security App rewall checks each traffic session against the top rule in the rewall rule table before moving down the subsequent rules in the table. The rst rule in the table that matches the traffic parameters is enforced. Figure 34 shows the rule precedence for L2 and L3 rules dened for securing the two DMZ applications.
1. Ethernet (Layer 2)
1. Application 1 to Application 2 2. Application 2 to Application 1 3. App1 Web Tier Microsegment 4. App2 Web Tier Microsegment 5. Default Rule
2. General (Layer 3)
1. External-to-DMZ-Web 2. App1-Web-to-App 3. App2-Web-to-App 4. RDP-Syslog-to-IT-Mgmt 5. Default Rule
Figure 34. Rule Precedence for L2 and L3 Rules
As shown, a vCloud Networking and Security App rewall provides a centralized management rule table that is in line with the industry standard interfaces and workows for managing a distributed rewall. Following are the best practices to use a vCloud Networking and Security App rewall in the environment: 1. Regularly monitor the allowed/denied ows in ow monitoring to ensure that rewall rules are set up correctly. 2. Use SpoofGuard to protect from spoofing/DoS attacks. 3. Save the vCloud Networking and Security App rewall conguration periodically to revert to an older version. Flow Monitoring The Flow Monitoring feature of the vCloud Networking and Security App rewall provides the required visibility and monitoring by displaying network activity between virtual machines at the application protocol level.
You can use this information to audit network traffic, dene and rene rewall policies, and identify threats to your network. Flow Monitoring is a traffic analysis tool providing a detailed view of the traffic on the virtual network that has passed through a vCloud Networking and Security App rewall. The Flow Monitoring output denes which machines are exchanging data and the application used. This data includes the number of sessions, packets and bytes transmitted per session. Session details include sources, destinations and direction of sessions, applications and ports being used. Session details can be used to create rewall allow or block rules. We can use Flow Monitoring as a forensic tool to detect rogue services and examine outbound sessions.
Figure 35. Flow Monitoring Dashboard
In Figure 35, the bar on the top of the page shows the percentage of allowed traffic in green, blocked traffic in red and traffic blocked by SpoofGuard in orange. Traffic statistics are displayed in the following three tabs: Top Flows displays the total incoming and outgoing traffic per service over the specified time period. The top ve services are displayed. Top Destinations displays incoming traffic per destination over the specified time period. The top five destinations are displayed. Top Sources displays outgoing traffic per source over the specified time period. The top five sources are displayed. Clicking the Details link on the Flow Monitoring tab shows traffic ows for various services. The Allowed Flows tab displays the allowed traffic and the Blocked Flows tab displays the blocked traffic.
Figure 36. Flow Monitoring Details View
Clicking an item in the Flow Monitoring table shows the rules that allowed or blocked that traffic ow. Click the Add Rule link to create a new allow or block rule for the ow.
Figure 37. Add/Edit Rules Using Flow Monitoring Data
An added rule appears at the top, as shown in Figure 38.
Figure 38. Rule Added from Flow Monitoring Data
After rule 1 was added, SSH from ControlCenter to WebServer1 works. We can see this in the Allowed Flows.
Figure 39. Flow Monitoring Allowed Flows After Adding Allow SSH Rule
SpoofGuard SpoofGuard is an advanced protection provided by a vCloud Networking and Security App rewall against man-in-the-middle attacks, such as ARP cache poisoning. It is an L2 security feature that enables the administrator to verify IP/MAC pairs for every virtual network adaptor. By using SpoofGuard, an administrator can manually or automatically inspect and reject new MAC/IP pairs. Crafted packets from a compromised virtual machine in the DMZ, with altered IP or MAC addresses, will be dropped right at the virtual network interface. SpoofGuard is enabled in the vSphere datacenter context.
There are two options: 1. Automatically trust IP assignments on their rst use. Use this to automatically trust IP assignments to virtual NICs upon their first use, as recognized by VMware Tools. Subsequent changes require manual review and approval. 2. Manually approve all assignments. Use this to review and approve every change in IP assignment, including the first use.
Figure 40. SpoofGuard Settings
Using the SpoofGuard tab, the administrator can verify the MAC address, IP address, virtual machine name, approver and approval date details, as shown in Figure 41.
Figure 41. SpoofGuard Spoong Details
Reverting to a Previous vCloud Networking and Security App Firewall Conguration vCloud Networking and Security Manager saves the vCloud Networking and Security App rewall settings each time new rewall rules are published. Clicking Publish Changes causes vCloud Networking and Security Manager to save the previous conguration with a time stamp before applying the changes. These congurations are available from the Show History drop-down list. vCloud Networking and Security Manager saves the previous ten congurations.
Figure 42. vCloud Networking and Security App Firewall Show and Load History Options
Use the Load History option shown in Figure 43 to revert the vCloud Networking and Security App firewall conguration to a previous version.
Figure 43. vCloud Networking and Security App Firewall Load History
2. vCloud Networking and Security Edge Gateway for the Virtual Environment In this deployment, we are using a vCloud Networking and Security Edge gateway to secure a DMZ application. A separate vCloud Networking and Security Edge gateway is deployed for each DMZ application. The Web and App tiers of each DMZ application are connected to internal interfaces of vCloud Networking and Security Edge. The Web and App tiers of the DMZ application are deployed on separate network segments, as shown in Figure 44.
DMZ Application 1
DMZ Application 2
192.168.1.0/24 App1-Web-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.1.0/24 App2-Web-Tier-PG
192.168.2.0/24 App1-App-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.2.0/24 App2-App-Tier-PG
.2
VM
192.168.110.0/24 SJDC-IT-Mgmt-PG
.1
.1
.1
.1
.1
Edge 10.20.181.173 10.20.181.172
Edge
vCloud Networking and Security Edge gateway interface views for both vCloud Networking and Security Edge gateway instances in this deployment are shown in Figure 45 and Figure 46. Notice that overlapping private addresses are used for both DMZ applications. The vCloud Networking and Security Edge gateway for DMZ Application 1 has three interfaces with IP addresses assigned. App1-Web-Tier (192.168.1.1) and App1-App-Tier (192.168.2.1) are Internal interfaces and External (10.20.181.173) is the Uplink interface. The Web server virtual machines (192.168.1.2 and 192.168.1.3) use vCloud Networking and Security Edge gateway address 192.168.1.1 as the default gateway to access virtual machines on other internal networks or external resources. Similarly, the App server virtual machines (192.168.2.2 and 192.168.2.3) use vCloud Networking and Security Edge gateway address 192.168.2.1 as the default gateway.
Figure 45. vCloud Networking and Security Edge Gateway Interfaces for DMZ Application 1
The vCloud Networking and Security Edge gateway for DMZ Application 2 has four interfaces with IP addresses assigned. App2-Web (192.168.1.1), App2-App (192.168.2.1) and IT-Mgmt-Apps (192.168.110.1) are Internal interfaces and External (10.20.181.172) is the Uplink interface. The ControlCenter virtual machine on the IT-Mgmt-Apps network segment is used for testing.
Figure 46. vCloud Networking and Security Edge Gateway Interfaces for DMZ Application 1
The vCenter virtual machineto-network map is shown in Figure 47. Highlighted are the port groups and vCloud Networking and Security Edge gateway instances to which the DMZ application virtual machines are connected.
WebServer 2
AppServer 2
WebServer 1
App1-Web-Tier-PG AppServer 1 none AppServer 1
App2-App-Tier-PG
SJDC-Edge3-0 App1-App-Tier-PG SJDC-Edge2-1
WebServer 1 App2-Web-Tier-PG SJDC-Edge2
SJDC-Edge3-1
AppServer 2
WebServer 2 Static 01 CA Server
SJDC-IT-Mgmt-PG Control Center
Figure 47. vCenter Virtual Machineto-Network Map
vCloud Networking and Security Edge Gateway Load Balancing The vCloud Networking and Security Edge gateway provides load balancing for TCP, HTTP and HTTPS traffic. The Web servers of DMZ applications are accessible to users employing a vCloud Networking and Security Edge gateway load balancer. Table 3 summarizes the vCloud Networking and Security Edge gateway load-balancing schemes, health check options and persistence mechanisms.
P R OtO c O L
O P ti O ns Avai L ab L e
Load-balancing schemes
HTTP HTTPS (SSL pass-through) TCP
URI, round robin, source IP hash, least connection Round robin, source IP hash, least connection Round robin, source IP hash, least connection HTTP, TCP SSL, TCP TCP Cookie based SSL session ID None
Health check options
HTTP HTTPS TCP
Persistence mechanisms
HTTP HTTPS TCP
Table 3. Edge Gateway Load-Balancing Schemes, Health Check Options and Persistence Mechanisms
The Web servers of DMZ Application 1 are congured as a pool to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 48.
Figure 48. Load-Balancing Pool MembersDMZ Application 1
The vCloud Networking and Security Edge gateway load balancer is congured to detect Web requests on the external interface address (virtual server IP address) and route them to a pool of Web servers attached to it. The vCloud Networking and Security Edge gateway load-balancing virtual server conguration for DMZ Application 1 is shown in Figure 49.
Figure 49. Load-Balancing Virtual ServerDMZ Application 1
The Web servers of DMZ Application 2 are congured as a pool to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 50.
Figure 50. Load-Balancing Pool MembersDMZ Application 2
vCloud Networking and Security Edge gateway load-balancing virtual server conguration for DMZ Application 2 is shown in Figure 51.
Figure 51. Load-Balancing Virtual ServerDMZ Application 2
vCloud Networking and Security Edge Gateway Firewall In this deployment, the vCloud Networking and Security Edge gateway provides security for traffic going in and out of the DMZ as well as between tiers of the DMZ. At the vCloud Networking and Security Edge gateway rewall, the default policy is to deny all the traffic. Exceptions are added to enable servers to contact the outside network (in order to download patches). This allows traffic from an external network to services offered in the DMZ and allows traffic between various vCloud Networking and Security Edge gateway interfaces. The rewall conguration for both of the vCloud Networking and Security Edge gateways is shown in Figure 52 and Figure 53. Rules with the type Internal are autogenerated by vCloud Networking and Security Manager to allow the traffic generated by various vCloud Networking and Security Edge gateway services and High Availability (HA) heartbeat traffic to move between active and standby vCloud Networking and Security Edge gateway instances. Rules are executed from top to bottom. When a matching rule is found, the action to accept or deny is applied and the rest of the rules are not executed. The highlighted rules are created by the administrator. The External-to-LB-Web rule enables traffic from outside to Web services offered using the vCloud Networking and Security Edge gateway load balancer. The DMZ-Servers-to-External rule allows DMZ servers to access the Internet (in other words, to download patches). The Application1-Web-to-App and Application2-Web-to-App rules allow communication from Web servers to application servers on the application server port.
Figure 52. vCloud Networking and Security Edge Gateway Firewall CongurationDMZ Application 1
Figure 53. vCloud Networking and Security Edge Gateway Firewall CongurationDMZ Application 2
Services and service groups represent ports and protocols used in rules. App-Port-Protocol used in rule 6 (Application2-Web-to-App) in Figure 53 is a user-dened service, as shown in Figure 54. A majority of the services listed in Figure 54 are predened for convenience and ease of use.
Figure 54. vCloud Networking and Security Edge Gateway Services View
In the rewall rules, App2-Web-IPs, App2-App-IPs and App2-LB-VIP are user-dened Grouping Objects, as shown in Figure 55. Grouping Objects are used to represent a collection of IP addresses, MAC addresses, or a security group containing other Grouping Objects. The Grouping Objects having the name starting with internal are autogenerated by vCloud Networking and Security Manager.
Figure 55. vCloud Networking and Security Edge Gateway Grouping Objects View
vCloud Networking and Security Edge Gateway Network Address Translation In order for DMZ servers with private addresses to be able to access the public Internet, the Source NAT feature of vCloud Networking and Security Edge gateway is employed to allow all servers in the DMZ to connect to the outside network. A single IP address is used to represent all servers connecting out (IP masquerading). The highlighted portion in the following screenshots show the SNAT conguration on both of the vCloud Networking and Security Edge gateways. Other DNAT entries shown here are autogenerated by vCloud Networking and Security Manager for load balancing and other services.
Figure 56. vCloud Networking and Security Edge Gateway NAT ViewDMZ Application 1
Figure 57. vCloud Networking and Security Edge Gateway NAT ViewDMZ Application 2
3. (A) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionMultiple Network Segments (VLANs/VXLANs) In this deployment, we are adding virtual machinetovirtual machine traffic rewalling within a network segment and ow monitoring capability using a vCloud Networking and Security App rewall to deployment option 2 described in previous section. Logical representation of this deployment is shown in Figure 58. A vCloud Networking and Security App rewall is installed on all the hosts in the cluster.

192.168.1.0/24 App1-Web-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.1.0/24 App2-Web-Tier-PG
192.168.2.0/24 App1-App-Tier-PG
.2
VM
VM
.3
.2
VM
VM
.3
192.168.2.0/24 App2-App-Tier-PG
.2
VM
192.168.110.0/24 SJDC-IT-Mgmt-PG
.1
.1
.1
.1
.1
Edge 10.20.181.173
Edge 10.20.181.172
The vCloud Networking and Security Edge gateway rewall, load balancing, and NAT conguration is the same as that shown in the previous section. The only difference from the previous section is the addition of the vCloud Networking and Security App rewall. vCloud Networking and Security App rewall L2 (Ethernet) rules used for east-west traffic control are shown in Figure 59. Rule 1 (App1 Web Tier Microsegment) and rule 2 (App2 Web Tier Microsegment) ensure microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers.
Figure 59. vCloud Networking and Security App Firewall L2 Rules
Because the vCloud Networking and Security Edge gateway is protecting the traffic between the tiers of the DMZ application, vCloud Networking and Security App rewall L3 (General) rules are set up with a default Allow, as shown in Figure 60. A second level of rewalling can be achieved by dening vCloud Networking and Security App rewall L3 rules if required.
3. (B) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ ProtectionSingle Network Segment (Flat VLAN/VXLAN) This is an extension of deployment option 1, in which we are replacing a physical perimeter rewall with a vCloud Networking and Security Edge gateway to provide perimeter security and load balancing, in addition to NAT and other services, to the DMZ applications. The logical representation of this deployment is shown in Figure 61.
DMZ Application 1
DMZ Application 2
Web Tier
App Tier
Web Tier
App Tier
VM
VM
VM
VM
VM
VM
VM
VM
.2
.3
.4
.5
.6
.7
.8
.9
.1
Edge 10.20.181.172 10.20.181.173

The vCenter view of this setup is shown in Figure 62. The virtual machines belonging to DMZ applications and the vCloud Networking and Security Edge gateway (the SJDC-Edge2 and SJDC-Edge2-1 HA pair) are connected to the same port group, DMZ-PortGroup.
Figure 62. vCenter Virtual Machineto-Network Map
The vCloud Networking and Security Edge gateway interface view for the deployment is shown in Figure 63. vCloud Networking and Security Edge gateway interface address 192.168.1.1 shown in the gure acts as the default gateway address for all the virtual machines of the DMZ applications connected to DMZ-PortGroup.
Figure 63. vCloud Networking and Security Edge Gateway Interface View
vCloud Networking and Security Edge Gateway Load Balancing

vCloud Networking and Security Edge gateway provides load balancing for TCP, HTTP and HTTPS traffic. The Web servers of DMZ applications are accessible using the vCloud Networking and Security Edge gateway load balancer. The Web servers of both of the DMZ applications are congured as separate pools to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 64.
Figure 64. vCloud Networking and Security Edge Gateway Load Balancer Pools
Figure 65. vCloud Networking and Security Edge Gateway Load Balancer Pool ServersApplication 1
Figure 66. vCloud Networking and Security Edge Gateway Load Balancer Pool ServersApplication 2
The vCloud Networking and Security Edge gateway load balancer is congured to receive Web requests on the external interface address (virtual server IP address) and route them to a pool of Web servers attached to it. The vCloud Networking and Security Edge gateway load balancer virtual server conguration is shown in Figure 67. NOTE: The vCloud Networking and Security Edge gateway load balancer implicitly handles the destination NAT for the Web servers, so it is not required to congure this separately in the NAT section.
Figure 67. vCloud Networking and Security Edge Gateway Load Balancer Virtual Servers
There are two separate places where a rewall is congured to block traffic. The vCloud Networking and Security Edge gateway provides perimeter security for traffic going in and out (north-south traffic) of the DMZ by monitoring it at the vCloud Networking and Security Edge gateway interfaces. The vCloud Networking and Security App rewall restricts traffic within the DMZ (east-west traffic) to and from individual virtual machines.
vCloud Networking and Security Edge Gateway Firewall

At the vCloud Networking and Security Edge gateway internal interface, the default policy is to deny all traffic. Exceptions are added to enable servers to access the Internet (in order to download patches), to allow traffic from outside networks to services offered and to allow traffic between various vCloud Networking and Security Edge gateway interfaces. The vCloud Networking and Security Edge gateway rewall conguration is shown in Figure 68.
Figure 68. vCloud Networking and Security Edge Gateway Firewall Conguration
Rules with the type Internal are autogenerated by vCloud Networking and Security Manager to allow the traffic generated by various vCloud Networking and Security Edge gateway services and High Availability (HA) heartbeat traffic to go between active and standby vCloud Networking and Security Edge gateway instances. Rules are executed from top to bottom. When a matching rule is found, the action to accept or deny is applied and the rest of the rules are not executed. The highlighted rules are created by the administrator. Rule 5 (External-to-LB-Web) enables traffic from outside to Web services offered using the vCloud Networking and Security Edge load balancer. Rule 6 (DMZ-Servers-to-External) allows DMZ servers to access the Internet (in other words, to download patches).
vCloud Networking and Security App Firewall

vCloud Networking and Security App rewall L2 (Ethernet) rules used for east-west traffic control are shown in Figure 69. These rules are identical to those seen earlier with DMZ deployment option 1.
vCloud Networking and Security App rewall L3 (General) rules used for east-west traffic control are shown in Figure 70. Rules 1, 2, 3, 4 and 6 are the same as those seen earlier with DMZ deployment option 1. Rule 5 (Internal-to-External) is added to allow DMZ servers to access the Internet to download patches.
vCloud Networking and Security Edge Gateway Network Address Translation

For DMZ servers with private addresses to reach out to the public Internet, the Source NAT feature of the vCloud Networking and Security Edge gateway is employed to allow all systems in the DMZ to connect to the outside network. A single IP address is used to represent all systems connecting out (IP masquerading). The highlighted portion shows the SNAT conguration. Other DNAT entries are autogenerated by the vCloud Networking and Security Edge gateway for load balancing and VPN services.
Figure 71. vCloud Networking and Security Edge Gateway NAT Rules
Appendix
Appendix A Product Overview and Quick Links
This guide applies to version 5.1 of the vCloud Networking and Security product suite. vCloud Networking and Security consists of the following components: vCloud Networking and Security Edge, vCloud Networking and Security App rewalls, VXLAN, VMware vCloud Networking and Security Data Security and Ecosystem Framework, all managed centrally through vCenter and vCloud Director. For more information, go to http://www.vmware.com/products/datacenter-virtualization/vcloud-network-security/ features.html. vCloud Networking and Security Manager vCloud Networking and Security Manager is the centralized network management component and is installed as a virtual appliance on any vSphere host in a VMware vCenter Server environment. Using the vCloud Networking and Security Manager user interface or VMware vSphere Client plug-in, administrators install, congure and maintain vCloud Networking and Security components. A vCloud Networking and Security App rewall is a hypervisor-based rewall that protects applications in the virtual datacenter from network-based attacks. Using a vCloud Networking and Security App rewall, organizations gain visibility and control over network communications between virtual machines. A vCloud Networking and Security App rewall installs as a hypervisor module and rewall service virtual appliance. Common deployments of a vCloud Networking and Security App rewall include tighter security controls and segmentation of trust zones inside a virtual environment like the DMZ, mixed trust zones, virtual datacenters and so on. A vCloud Networking and Security Edge gateway provides network edge security and gateway services to isolate a virtualized network. You install a vCloud Networking and Security Edge gateway at a datacenter level and can add up to 10 internal and uplink interfaces. The vCloud Networking and Security Edge gateway connects isolated networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT and load balancing. Common deployments of a vCloud Networking and Security Edge gateway include use in the DMZ, VPN extranets and multitenant cloud environments where the vCloud Networking and Security Edge gateway provides perimeter security for virtual datacenters (VDCs).
vCloud Networking and Security App rewall
vCloud Networking and Security Edge gateway
Table 4. vCloud Networking and Security Manager, vCloud Networking and Security App Firewall and vCloud Networking and Security Edge Gateway
For a more detailed description of the components, refer to the vShield Installation and Upgrade Guide or vShield Administration Guide. The technical papers and other documents mentioned in this guide are available from the documentation main page. Visit https://www.vmware.com/support/pubs/vshield_pubs.html. The appropriate installation and deployment is determined by factors such as actual network size, conguration and specic customer requirements. This document provides only reference architecture recommendations in an example scenario. Contact the VMware Sales Engineering group for assistance designing your VMware software deployment.
Appendix B Installation of vCloud Networking and Security Manager, vCloud Networking and Security App Firewall and vCloud Networking and Security Edge Gateway
vCloud Networking and Security Manager Installation and Setup To use a vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway, we must rst install vCloud Networking and Security Manager and connect it with a vCenter Server instance. For detailed installation steps, refer to the installation and upgrade guide.1 Each vCloud Networking and Security Manager appliance manages a single vCenter Server environment. The NTP server congured in vCloud Networking and Security Manager is used by all vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway instances.
Figure 72. vCloud Networking and Security Manager Conguration
The management interfaces of vCloud Networking and Security components should be placed in a common network such as the vSphere management network. vCloud Networking and Security Manager requires connectivity to the vCenter server, vSphere host, vCloud Networking and Security App rewall and vCloud Networking and Security Edge gateway instances, VMware vCloud Networking and Security Endpoint module and vCloud Networking and Security Data Security virtual machine.
1 .
VISIT
HTTP: / / WWW. vMWARE. COM/ PDF/ vSHIELD _ 5 1
_ QUICKSTART. PDF.
vCloud Networking and Security App Firewall Installation and Setup After vCloud Networking and Security Manager is installed and connected to vCenter, we will see the Network Virtualization and vShield plug-ins at the datacenter level, as shown in Figure 73.
Figure 73. vCenter Datacenter Plug-in Tabs
At the host level, we will only see the vShield plug-in. We can install a vCloud Networking and Security App rewall, as well as vCloud Networking and Security Endpoint and vCloud Networking and Security Data Security components.
Figure 74. vCenter Host vShield Tab View
Click Install, and respond to prompts for details about the Datastore, Management Port Group and vCloud Networking and Security App rewall IP address.
Figure 75. vCloud Networking and Security App Firewall Installation
We require a unique IP address for the management port of each vCloud Networking and Security App rewall virtual appliance. This IP address should be reachable from vCloud Networking and Security Manager and usually on the management network used for vCenter and vSphere host management interfaces. The reader should refer to the VMware Administration Guide for complete vCloud Networking and Security App rewall installation and conguration steps. 2 Setting Up vCloud Networking and Security App Firewall with Syslog Servers The vCloud Networking and Security App rewall virtual appliance supports syslog export to remote servers. After the vCloud Networking and Security App rewall is installed, syslog servers can be congured, as shown in Figure 76. Congure your syslog server to reside on a separate host so that you can access logs even in case of a host failure.
Figure 76. vCloud Networking and Security App Firewall Syslog Server Conguration
Excluding Virtual Machines from vCloud Networking and Security App Firewall Protection We can exclude a set of virtual machines from vCloud Networking and Security App rewall protection. This exclusion list is applied across all vCloud Networking and Security App rewall installations within the specied vCloud Networking and Security Manager appliance. If a virtual machine has multiple vNICs, all of them are excluded from protection. vCloud Networking and Security Manager and service virtual machines (vCloud Networking and Security App rewall, vCloud Networking and Security Edge gateway and vCloud Networking and Security Data Security virtual machines) are automatically excluded from vCloud Networking and Security App rewall protection. You should exclude the vCenter server to allow traffic to ow freely. Excluding virtual machines from vCloud Networking and Security App rewall protection is useful for instances where the vCenter server resides in the same cluster in which the vCloud Networking and Security App rewall is being utilized. After this feature is enabled, no traffic from excluded virtual machines will go through the vCloud Networking and Security App rewall appliance.
2.
VISIT
_ ADMIN. PDF.
Log in to vCloud Networking and Security Manager and use the Exclusion List settings shown in Figure 77 to exclude virtual machines from vCloud Networking and Security App rewall protection.
Figure 77. vCloud Networking and Security App Firewall Exclusion List
vCloud Networking and Security Edge Gateway Installation and Setup After vCloud Networking and Security Manager is installed and connected with vCenter, the vCloud Networking and Security Edge gateway can be installed from the Network Virtualization tab seen at the datacenter level by clicking add (+), as shown in Figure 78.
Figure 78. vCloud Networking and Security Edge Gateway Installation
The vCloud Networking and Security Edge gateway install wizard prompts you for the required settings. A summary of settings for a vCloud Networking and Security Edge gateway deployed in High Availability (HA) mode is shown in Figure 79.
Figure 79. vCloud Networking and Security Edge Gateway Installation Settings Summary
The reader should refer to the VMware Administration Guide for complete vCloud Networking and Security Edge gateway installation and conguration steps. 3 Setting Up Syslog Server in vCloud Networking and Security Edge A vCloud Networking and Security Edge gateway can send the syslog messages to central syslog servers, which enables control over the logging on a per-feature basis. Figure 80 shows the syslog server congured for a vCloud Networking and Security Edge gateway instance.
Figure 80. vCloud Networking and Security Edge Gateway Syslog Server Conguration
Setting Up DNS Relay in vCloud Networking and Security Edge The vCloud Networking and Security Edge gateway internal interface can be congured as the DNS server for the virtual machines using a vCloud Networking and Security Edge gateway as the default gateway. When a virtual machine sends a DNS resolution request on an internal interface, the vCloud Networking and Security Edge gateway relays that request to the congured DNS servers. The vCloud Networking and Security Edge gateway returns the DNS resolution detail to the virtual machine. The DNS servers to which the vCloud Networking and Security Edge gateway forwards DNS requests can be congured, as shown in Figure 81.
3.
VISIT
_ ADMIN. PDF.
Figure 81. vCloud Networking and Security Edge Gateway DNS Server Conguration
Appendix C Manager Operations

Role-Based Access Control Setting Up Users Multiple individuals often manage security operations. Management of the overall system is delegated to different personnel according to some logical categorization. However, permission to carry out tasks is limited only to users with the appropriate rights to specific resources. From the User section of vCloud Networking and Security Manager, shown Figure 82, we can delegate such resource management to users by granting applicable rights.
Figure 82. vCloud Networking and Security ManagerSetting Up Users
vCloud Networking and Security Manager supports the Single Sign On (SSO) service, which authenticates users from other identity services such as AD, NIS and LDAP. Integrating with SSO improves the security of user authentication for vCenter users and enables vCloud Networking and Security Manager to authenticate users from other identity services such as AD, NIS and LDAP. To use this, the SSO service must be installed on the vCenter server. In addition, an NTP server must be specied so that the SSO server time and the vCloud Networking and Security Manager time are in sync. Figure 83 shows how to set up the SSO lookup service. Type the name or IP address of the host that has the lookup service and change the port number if required. The Lookup Service URL is displayed based on the specied host and port. Type the SSO username and password. This enables vCloud Networking and Security Manager to register itself with the Security Token Service server.
Figure 83. vCloud Networking and Security Manager SSO Service
Within the vCloud Networking and Security Manager user interface, the role of a user denes the actions they are enabled to perform on a given resource. It determines the authorized activities of the user on that resource, ensuring that they have access only to the functions necessary to complete applicable operations. When we assign a role to an SSO user, vCenter authenticates the user with the identity service congured on the SSO server. If the SSO server is not congured or is not available, the user is authenticated either locally or with Active Directory, based on the vCenter conguration. Figure 84 shows vCenter user joe as unable to access the vShield tab because no role has been assigned to him on vCloud Networking and Security Manager.
Figure 84. vCloud Networking and Security Access Denied Message
The following gures illustrate the steps that must be taken to assign the Enterprise Administrator role to vCenter user joe.
Figure 85. vCloud Networking and Security ManagerUser Creation
Click Next and assign a role.
Figure 86. vCloud Networking and Security ManagerRole Assignment
Table 5 shows the details of each of the roles supported.

ROLe Pe R missi O ns
Enterprise Administrator vShield Administrator Security Administrator
vCloud Networking and Security operations and security vCloud Networking and Security operations only; for example, install virtual appliances, congure port groups vCloud Networking and Security only; for example, dene data security policies, create reports for vCloud Networking and Security modules Read only
Auditor
Table 5. vCloud Networking and Security Manager Roles
Next, limit the scope for the user if required. The scope of a role determines what resources a particular user can view. The scopes in Table 6 are available for users.
ScOPe D esc R i P ti O n
No restriction Limited access
Access to the entire vCloud Networking and Security system Limited access to the port group, datacenter or vCloud Networking and Security Edge gateway
Table 6. vCloud Networking and Security ManagerUser Scope
The Enterprise Administrator and vShield Administrator roles can be assigned only to vCenter users, and their access scope is global (no restrictions).
Figure 87. vCloud Networking and Security ManagerUser Scope Assignment
After selecting the Enterprise Administrator role in vCloud Networking and Security Manager, user joe is able to access the vShield tab in vCenter, as shown in Figure 88.
Figure 88. vShield Tab Access to New User
System Backup We can back up vCloud Networking and Security Manager data, which can include system conguration, events, and audit log tables. Conguration tables are included in every backup. However, we can exclude system and audit log events. vCloud Networking and Security Manager saves backups to a remote location that is accessible by FTP or SFTP. Backups can be executed according to a schedule or on demand.
The setup screen for on-demand backup is shown in Figure 89.
Figure 89. vCloud Networking and Security ManagerSetting Up Backup
After the backup is complete, you will see a listing for the backup.
Figure 90. vCloud Networking and Security ManagerBackup Details
On the backup server, you will see two filesa binary backup file and a backup properties file.
Figure 91. vCloud Networking and Security ManagerBackup Information on Backup Server
System Restore We can restore a backup only on a freshly deployed vCloud Networking and Security Manager appliance. To restore an available backup, the backup server IP address, User Name, Password and Backup Directory fields in the Backups screen must have values that identify the location of the backup to be restored. If the backup le contains system event and audit log data, that data is also restored. Figure 92 shows the newly deployed vCloud Networking and Security Manager appliance with Backups screen congured.
Figure 92. vCloud Networking and Security ManagerSystem Restore
Select the check box for the backup to restore and click Restore. The message shown in Figure 93 will appear.
Figure 93. vCloud Networking and Security ManagerRestore Operation
Monitor the vCloud Networking and Security Manager console for the system restart. After it is complete we can log in to the Web interface and verify that vCloud Networking and Security Manager is restored.
Figure 94. vCloud Networking and Security ManagerRestore System Events
About the Authors

Shubha Bheemarao is a product manager at VMware. She is responsible for vCloud security. Ranga Maddipudi is a senior technical marketing manager within the Cloud Infrastructure Technical Marketing group at VMware. His focus is on vCloud Networking and Security. Follow Rangas blogs at http://blogs.vmware.com/vsphere/networking Follow Ranga on Twitter: @vcloudnetsec
Acknowledgments
The authors would like to thank Charu Chaubal, Dean Coza, Rob Randell, James Senicka and Grant Suzuki of VMware for their input and technical review of this white paper.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-GDL-vCLD-NETWRK-SECRITY-A4-101 Docsouce: OIC-12VM008.15

Vcloud Networking Security DMZ Design Deployment Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vcloud Networking Security DMZ Design Deployment Guide

Uploaded by

Copyright:

Available Formats

Securing the DMZ with VMware vCloud Networking and Security

Design Approaches and Deployment Guidelines

Securing the DMZ with VMware vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 2

Securing the DMZ with VMware vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 3

Securing the DMZ with VMware vCloud Networking and Security

Challenges with the Current Approach

Firewall/LB/VPN IDS/IPS Firewall Firewall

Firewall/LB/VPN IDS/IPS Firewall Firewall

Firewall/LB/VPN IDS/IPS Firewall Firewall

Web Tier App Tier

Web Tier App Tier

1. Purely Physical DMZ

2. Partially Collapsed DMZ with Physical Separation of Trust Zones

3. Partially Collapsed DMZ with Virtual Separation of Trust Zones

Figure 1. Legacy DMZ Designs

TECH N I C AL WH ITE PAPE R / 4

Securing the DMZ with VMware vCloud Networking and Security

TYPe OF D e P LOY ment

2 . Pa R tia L LY C O L L a P sed D M Z W it H P H Y sica L S e Pa R ati O n O F T R U st ZO nes

3 . Pa R tia L LY C O L L a P sed D M Z W it H V i R t Ua L S e Pa R ati O n O F T R U st ZO nes

No virtualization Application workloads and security that require dedicated hardware

Proven approach Operational familiarity

High CAPEX and OPEX Management complexity manual operations

Table 1. Comparison of Legacy DMZ Designs

TECH N I C AL WH ITE PAPE R / 5

Securing the DMZ with VMware vCloud Networking and Security

VMware Recommended Approach

Design Approach Alternatives Using vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 6

Securing the DMZ with VMware vCloud Networking and Security

Firewall/LB/VPN IDS/IPS Firewall

Web Tier App Tier

Web Tier App Tier

Web Tier App Tier

Figure 2. DMZ Design Approaches Using vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 7

Securing the DMZ with VMware vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 8

Securing the DMZ with VMware vCloud Networking and Security

D e P LOY ment S cena R i O

Possible requirement to renetwork application tiers

Deployment Overview for Each Design Approach

App installed on every host in the cluster

Figure 3. Logical Network View

TECH N I C AL WH ITE PAPE R / 9

Securing the DMZ with VMware vCloud Networking and Security

Figure 4. vCloud Networking and Security App Firewall Layer 2 Rules

Figure 5. vCloud Networking and Security App Firewall Layer 3 Rules

TECH N I C AL WH ITE PAPE R / 1 0

Securing the DMZ with VMware vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 11

Securing the DMZ with VMware vCloud Networking and Security

TECH N I C AL WH ITE PAPE R / 12

Securing the DMZ with VMware vCloud Networking and Security

Edge 10.20.181.173 10.20.181.172

Figure 13. Logical Network View

TECH N I C AL WH ITE PAPE R / 13

Securing the DMZ with VMware vCloud Networking and Security

App installed on every host in the cluster

Edge 10.20.181.172 10.20.181.173

TECH N I C AL WH ITE PAPE R / 14