The vCloud Networking and Security App firewall offers multiple sets of configurable rules. Figure 30 illustrates the use of L3 rules (General tab) and L2 rules (Ethernet tab). L2 rules control which higher-level protocols (like ARP, IPv6, PPP and so on) can communicate over L2. L3 rules control the specific L3 traffic based on IP addresses, as well as L4 traffic based on TCP and UDP ports, and therefore related higher-layer application traffic, such as DHCP, HTTP, FTP and so on. By assessing what communication is required between applications and each tier of the application, it is possible to create L2 rules that block all unnecessary traffic. After locking down unnecessary traffic, L3 rules can restrict necessary traffic channels to required ports and protocols.
The first two L2 rules shown in Figure 30 illustrate total isolation between DMZ Application 1 and Application 2 using vApp containers. All traffic originating from one DMZ application to another is blocked by these vCloud Networking and Security App firewall rules. The third and fourth rules in Figure 30 show microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers. Even ARP and RARP will be denied. If Log is enabled, as in the Action settings shown here, a syslog message is sent from the vCloud Networking and Security App firewall to the configured syslog server when that action is taken. The last rule specifies a default Allow L2 rule. This is because L2 rules operate before L3 rules and a default deny L2 rule would not allow any traffic flow out of any virtual machine.
Figure 30. vCloud Networking and Security App Firewall Layer 2 Rules
The vCloud Networking and Security App firewall segments each of the DMZ application tiers using L3 rules by opening only the required ports and protocols between the tiers. We will show the vCloud Networking and Security App firewall rules that must be used to open the ports and protocols identified in Figure 31 for the DMZ applications to function properly.
Figure 31. Ports and Protocols Used by the DMZ Applications
The following L3 firewall rules are set up as shown in Figure 32 for the two DMZ applications to function properly and to access ControlCenter, a virtual machine running in the IT Mgmt resource pool.
• Allow HTTP and HTTPS traffic to Web servers (rule 1: External-to-DMZ-Web).
• Allow Application 1 Web server to Application 1 App server traffic on App Port (rule 2: App1-Web-to-App).
• Allow Application 2 Web server to Application 2 App server traffic on App Port (rule 3: App2-Web-to-App).
• Allow RDP and syslog traffic to the IT Mgmt resource pool (rule 4: RDP-Syslog-to-IT-Mgmt).
• Block all other traffic (rule 5: Default Rule).
Figure 32. vCloud Networking and Security App Firewall Layer 3 Rules
The External-To-DMZ security group currently contains the IT Mgmt and SJDC Sales VDI resource pools, as shown in Figure 33. The administrator can add additional vCenter containers to this security group to allow access as required.
Figure 33. Security Group Details
vCloud Networking and Security App firewall rules are enforced in top-to-bottom ordering. Ethernet (L2) rules are enforced before General (L3) rules. The vCloud Networking and Security App firewall checks each traffic session against the top rule in the firewall rule table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. Figure 34 shows the rule precedence for L2 and L3 rules defined for securing the two DMZ applications.
Ethernet (Layer 2) rule order in Figure 34: 1. Application 1 to Application 2, 2. Application 2 to Application 1, 3. App1 Web Tier Microsegment
Figure 34. Rule Precedence for L2 and L3 Rules
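The evaluation order described above, as an added example (not VMware's code): a small model in which the Ethernet (L2) table is consulted before the General (L3) table, each top to bottom with first match wins, using the rule names of Figures 30 and 32. The virtual machine names, group memberships and the App Port value (tcp/8080) are constructed for the example; the DENY_ALL_L2 table shows why the last L2 rule must be Allow.

```python
from dataclasses import dataclass

# Constructed membership for the vApp containers, tiers and security groups named in the text.
GROUPS = {
    "DMZ-App1": {"App1-Web1", "App1-Web2", "App1-App1"},
    "DMZ-App2": {"App2-Web1", "App2-Web2", "App2-App1"},
    "App1-Web-Tier": {"App1-Web1", "App1-Web2"}, "App1-App-Tier": {"App1-App1"},
    "App2-Web-Tier": {"App2-Web1", "App2-Web2"}, "App2-App-Tier": {"App2-App1"},
    "DMZ-Web": {"App1-Web1", "App1-Web2", "App2-Web1", "App2-Web2"},
    "External-To-DMZ": {"ControlCenter", "SalesVDI1"},
    "IT-Mgmt": {"ControlCenter"},
    "any": None,  # None matches every VM
}
ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # key into GROUPS
    dst: str
    services: frozenset  # L2: protocol names; L3: "proto/port"; ANY matches all
    action: str          # "allow" or "block"
    log: bool = False    # the Log checkbox in the Action settings

def in_group(vm, group):
    members = GROUPS[group]
    return members is None or vm in members

def first_match(rules, src_vm, dst_vm, service):
    """Top-to-bottom scan; the first rule matching source, destination and service is enforced."""
    for rule in rules:
        if (in_group(src_vm, rule.src) and in_group(dst_vm, rule.dst)
                and ("any" in rule.services or service in rule.services)):
            return rule
    return None

# Ethernet (L2) rules of Figure 30, in table order; the last rule is the default Allow.
L2_RULES = (
    Rule("App1-to-App2", "DMZ-App1", "DMZ-App2", ANY, "block", log=True),
    Rule("App2-to-App1", "DMZ-App2", "DMZ-App1", ANY, "block", log=True),
    Rule("App1-Web-Tier-Microsegment", "App1-Web-Tier", "App1-Web-Tier", ANY, "block", log=True),
    Rule("App2-Web-Tier-Microsegment", "App2-Web-Tier", "App2-Web-Tier", ANY, "block", log=True),
    Rule("Default-L2", "any", "any", ANY, "allow"),
)
# General (L3) rules of Figure 32; "tcp/8080" is a constructed stand-in for the App Port.
L3_RULES = (
    Rule("External-to-DMZ-Web", "External-To-DMZ", "DMZ-Web", frozenset({"tcp/80", "tcp/443"}), "allow"),
    Rule("App1-Web-to-App", "App1-Web-Tier", "App1-App-Tier", frozenset({"tcp/8080"}), "allow"),
    Rule("App2-Web-to-App", "App2-Web-Tier", "App2-App-Tier", frozenset({"tcp/8080"}), "allow"),
    Rule("RDP-Syslog-to-IT-Mgmt", "any", "IT-Mgmt", frozenset({"tcp/3389", "udp/514"}), "allow"),
    Rule("Default Rule", "any", "any", ANY, "block", log=True),
)
# Same L2 table with a default Block: every frame is dropped before the L3 table is ever reached.
DENY_ALL_L2 = L2_RULES[:-1] + (Rule("Default-L2", "any", "any", ANY, "block"),)

def evaluate(src_vm, dst_vm, l2_proto, l3_service, syslog, l2_rules=L2_RULES, l3_rules=L3_RULES):
    """Decide one session: the Ethernet table first, then (only if it allowed the frame) the
    General table. Matching rules with Log set append a line to `syslog` (a stand-in list)."""
    for table, rules, svc in (("L2", l2_rules, l2_proto), ("L3", l3_rules, l3_service)):
        rule = first_match(rules, src_vm, dst_vm, svc)
        if rule is None:
            continue  # nothing in this table matched; fall through to the next table
        if rule.log:
            syslog.append(f"{table} {rule.name}: {rule.action} {src_vm}->{dst_vm} {svc}")
        if rule.action == "block":
            return "block"
    return "allow"
```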
As shown, a vCloud Networking and Security App firewall provides a centralized management rule table that is in line with industry-standard interfaces and workflows for managing a distributed firewall. Following are the best practices for using a vCloud Networking and Security App firewall in the environment:
1. Regularly monitor the allowed/denied flows in Flow Monitoring to ensure that firewall rules are set up correctly.
2. Use SpoofGuard to protect from spoofing/DoS attacks.
3. Save the vCloud Networking and Security App firewall configuration periodically so that it can be reverted to an older version if required.
Flow Monitoring
The Flow Monitoring feature of the vCloud Networking and Security App firewall provides the required visibility and monitoring by displaying network activity between virtual machines at the application protocol level.
You can use this information to audit network traffic, define and refine firewall policies, and identify threats to your network.
Flow Monitoring is a traffic analysis tool providing a detailed view of the traffic on the virtual network that has passed through a vCloud Networking and Security App firewall. The Flow Monitoring output defines which machines are exchanging data and the application used. This data includes the number of sessions, packets and bytes transmitted per session. Session details include sources, destinations and direction of sessions, applications and ports being used. Session details can be used to create firewall allow or block rules. We can use Flow Monitoring as a forensic tool to detect rogue services and examine outbound sessions.
Figure 35. Flow Monitoring Dashboard
In Figure 35, the bar on the top of the page shows the percentage of allowed traffic in green, blocked traffic in red and traffic blocked by SpoofGuard in orange.
Traffic statistics are displayed in the following three tabs:
• Top Flows displays the total incoming and outgoing traffic per service over the specified time period. The top five services are displayed.
• Top Destinations displays incoming traffic per destination over the specified time period. The top five destinations are displayed.
• Top Sources displays outgoing traffic per source over the specified time period. The top five sources are displayed.
Clicking the Details link on the Flow Monitoring tab shows traffic flows for various services. The Allowed Flows tab displays the allowed traffic and the Blocked Flows tab displays the blocked traffic.
Figure 36. Flow Monitoring Details View
Clicking an item in the Flow Monitoring table shows the rules that allowed or blocked that traffic flow. Click the Add Rule link to create a new allow or block rule for the flow.
Figure 37. Add/Edit Rules Using Flow Monitoring Data
An added rule appears at the top, as shown in Figure 38.
Figure 38. Rule Added from Flow Monitoring Data
After rule 1 was added, SSH from ControlCenter to WebServer1 works. We can see this in the Allowed Flows.
Figure 39. Flow Monitoring Allowed Flows After Adding Allow SSH Rule
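The Flow Monitoring views described in this section, as an added example (not VMware's code): the allowed/blocked/SpoofGuard share shown in the top bar, the Top Flows, Top Destinations and Top Sources tabs (top five by bytes), the Blocked Flows detail view, and the Add Rule step that turns a flow into a rule. The session records are constructed sample data, and the record layout and rule dictionary are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample sessions: (source VM, destination VM, service, bytes, verdict).
# Verdicts follow the three colours of the top bar: allowed, blocked (by a rule), spoofguard.
SESSIONS = [
    ("ControlCenter", "WebServer1", "tcp/80", 48_000, "allowed"),
    ("ControlCenter", "WebServer1", "tcp/22", 0, "blocked"),
    ("SalesVDI1", "WebServer1", "tcp/443", 120_000, "allowed"),
    ("SalesVDI1", "WebServer2", "tcp/443", 95_000, "allowed"),
    ("WebServer1", "AppServer1", "tcp/8080", 30_000, "allowed"),
    ("WebServer2", "AppServer1", "tcp/8080", 28_000, "allowed"),
    ("WebServer1", "WebServer2", "tcp/445", 0, "blocked"),
    ("WebServer2", "ControlCenter", "udp/514", 4_000, "allowed"),
    ("WebServer2", "AppServer1", "tcp/8080", 0, "spoofguard"),
    ("AppServer1", "ControlCenter", "tcp/3389", 0, "blocked"),
]
SRC, DST, SERVICE, BYTES, VERDICT = range(5)

def traffic_bar(sessions):
    """Percentage of sessions allowed, blocked by firewall rules and blocked by SpoofGuard."""
    counts = Counter(s[VERDICT] for s in sessions)
    return {k: round(100 * counts[k] / len(sessions), 1) for k in ("allowed", "blocked", "spoofguard")}

def top_n(sessions, key, n=5, verdict="allowed"):
    """Bytes per key (service, destination or source) over sessions with the given verdict,
    largest first, at most n entries, as the Top tabs display them."""
    totals = defaultdict(int)
    for s in sessions:
        if s[VERDICT] == verdict:
            totals[s[key]] += s[BYTES]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_flows(sessions):        # total traffic per service
    return top_n(sessions, SERVICE)

def top_destinations(sessions): # incoming traffic per destination
    return top_n(sessions, DST)

def top_sources(sessions):      # outgoing traffic per source
    return top_n(sessions, SRC)

def blocked_flows(sessions):
    """The Blocked Flows detail view: sessions that hit a block rule, candidates for review."""
    return [s for s in sessions if s[VERDICT] == "blocked"]

def rule_from_flow(session, action, name):
    """The Add Rule step: derive an allow or block rule from one observed flow."""
    return {"name": name, "source": session[SRC], "destination": session[DST],
            "service": session[SERVICE], "action": action}
```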
SpoofGuard
SpoofGuard is an advanced protection provided by a vCloud Networking and Security App firewall against man-in-the-middle attacks, such as ARP cache poisoning. It is an L2 security feature that enables the administrator to verify IP/MAC pairs for every virtual network adaptor. By using SpoofGuard, an administrator can manually or automatically inspect and reject new MAC/IP pairs. Crafted packets from a compromised virtual machine in the DMZ, with altered IP or MAC addresses, will be dropped right at the virtual network interface. SpoofGuard is enabled in the vSphere datacenter context.
There are two options:
1. Automatically trust IP assignments on their first use.
Use this to automatically trust IP assignments to virtual NICs upon their first use, as recognized by VMware Tools™. Subsequent changes require manual review and approval.
2. Manually approve all assignments.
Use this to review and approve every change in IP assignment, including the first use.
Figure 40. SpoofGuard Settings
Using the SpoofGuard tab, the administrator can verify the MAC address, IP address, virtual machine name, approver and approval date details, as shown in Figure 41.
Figure 41. SpoofGuard Spoofing Details
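The two SpoofGuard operating modes above, as an added example (not VMware's code): a model that tracks one approved IP/MAC pair per virtual NIC, auto-trusts first use in the first mode, holds every other assignment for approval, and drops frames whose source pair is not the approved one. The vNIC names and addresses are constructed; the class and method names are this example's own.

```python
from enum import Enum

class Mode(Enum):
    AUTO_TRUST_FIRST_USE = 1  # first pair reported for a vNIC is trusted; later changes need approval
    MANUAL_APPROVE_ALL = 2    # every assignment, including the first, waits for approval

class SpoofGuard:
    def __init__(self, mode):
        self.mode = mode
        self.approved = {}  # vnic -> (ip, mac) currently approved
        self.pending = {}   # vnic -> (ip, mac) awaiting administrator review

    def observe_assignment(self, vnic, ip, mac):
        """An IP/MAC assignment for a vNIC is reported (as VMware Tools would report it)."""
        pair = (ip, mac)
        if self.approved.get(vnic) == pair:
            return "approved"  # unchanged assignment, nothing to review
        if vnic not in self.approved and self.mode is Mode.AUTO_TRUST_FIRST_USE:
            self.approved[vnic] = pair  # first use is trusted automatically
            return "approved"
        self.pending[vnic] = pair  # a change, or a first use in manual mode
        return "pending"

    def approve(self, vnic):
        """Administrator approves the pending pair on the SpoofGuard tab."""
        self.approved[vnic] = self.pending.pop(vnic)

    def filter_frame(self, vnic, src_ip, src_mac):
        """Return 'forward' or 'drop' for a frame leaving the vNIC; only the approved pair passes."""
        return "forward" if self.approved.get(vnic) == (src_ip, src_mac) else "drop"
```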
Reverting to a Previous vCloud Networking and Security App Firewall Configuration
vCloud Networking and Security Manager saves the vCloud Networking and Security App firewall settings each time new firewall rules are published. Clicking Publish Changes causes vCloud Networking and Security Manager to save the previous configuration with a time stamp before applying the changes. These configurations are available from the Show History drop-down list. vCloud Networking and Security Manager saves the previous ten configurations.
Figure 42. vCloud Networking and Security App Firewall Show and Load History Options
Use the Load History option shown in Figure 43 to revert the vCloud Networking and Security App firewall configuration to a previous version.
Figure 43. vCloud Networking and Security App Firewall Load History
2. vCloud Networking and Security Edge Gateway for the Virtual Environment
In this deployment, we are using a vCloud Networking and Security Edge gateway to secure a DMZ application. A separate vCloud Networking and Security Edge gateway is deployed for each DMZ application. The Web and App tiers of each DMZ application are connected to internal interfaces of vCloud Networking and Security Edge. The Web and App tiers of the DMZ application are deployed on separate network segments, as shown in Figure 44.
vCloud Networking and Security Edge gateway interface views for both vCloud Networking and Security Edge gateway instances in this deployment are shown in Figure 45 and Figure 46. Notice that overlapping private addresses are used for both DMZ applications. The vCloud Networking and Security Edge gateway for DMZ Application 1 has three interfaces with IP addresses assigned. App1-Web-Tier (192.168.1.1) and App1-App-Tier (192.168.2.1) are Internal interfaces and External (10.20.181.173) is the Uplink interface. The Web server virtual machines (192.168.1.2 and 192.168.1.3) use vCloud Networking and Security Edge gateway address 192.168.1.1 as the default gateway to access virtual machines on other internal networks or external resources. Similarly, the App server virtual machines (192.168.2.2 and 192.168.2.3) use vCloud Networking and Security Edge gateway address 192.168.2.1 as the default gateway.
Figure 45. vCloud Networking and Security Edge Gateway Interfaces for DMZ Application 1
The vCloud Networking and Security Edge gateway for DMZ Application 2 has four interfaces with IP addresses assigned. App2-Web (192.168.1.1), App2-App (192.168.2.1) and IT-Mgmt-Apps (192.168.110.1) are Internal interfaces and External (10.20.181.172) is the Uplink interface. The ControlCenter virtual machine on the IT-Mgmt-Apps network segment is used for testing.
Figure 46. vCloud Networking and Security Edge Gateway Interfaces for DMZ Application 2
The vCenter virtual machine–to-network map is shown in Figure 47. Highlighted are the port groups and vCloud Networking and Security Edge gateway instances to which the DMZ application virtual machines are connected.
vCloud Networking and Security Edge Gateway Load Balancing
The vCloud Networking and Security Edge gateway provides load balancing for TCP, HTTP and HTTPS traffic. The Web servers of DMZ applications are accessible to users through a vCloud Networking and Security Edge gateway load balancer. Table 3 summarizes the vCloud Networking and Security Edge gateway load-balancing schemes, health check options and persistence mechanisms.
Category                 Protocol                   Options available
Load-balancing schemes   HTTP                       URI, round robin, source IP hash, least connection
                         HTTPS (SSL pass-through)   Round robin, source IP hash, least connection
                         TCP                        Round robin, source IP hash, least connection
Health check options     HTTP                       HTTP, TCP
                         HTTPS                      SSL, TCP
                         TCP                        TCP
Persistence mechanisms   HTTP                       Cookie based
                         HTTPS                      SSL session ID
                         TCP                        None
Table 3. Edge Gateway Load-Balancing Schemes, Health Check Options and Persistence Mechanisms
The Web servers of DMZ Application 1 are configured as a pool to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 48.
Figure 48. Load-Balancing Pool Members—DMZ Application 1
The vCloud Networking and Security Edge gateway load balancer is configured to detect Web requests on the external interface address (virtual server IP address) and route them to a pool of Web servers attached to it. The vCloud Networking and Security Edge gateway load-balancing virtual server configuration for DMZ Application 1 is shown in Figure 49.
Figure 49. Load-Balancing Virtual Server—DMZ Application 1
The Web servers of DMZ Application 2 are configured as a pool to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 50.
Figure 50. Load-Balancing Pool Members—DMZ Application 2
vCloud Networking and Security Edge gateway load-balancing virtual server configuration for DMZ Application 2 is shown in Figure 51.
Figure 51. Load-Balancing Virtual Server—DMZ Application 2
vCloud Networking and Security Edge Gateway Firewall
In this deployment, the vCloud Networking and Security Edge gateway provides security for traffic going in and out of the DMZ as well as between tiers of the DMZ.
At the vCloud Networking and Security Edge gateway firewall, the default policy is to deny all the traffic.
Exceptions are added to enable DMZ servers to contact the outside network (in order to download patches), to allow traffic from an external network to services offered in the DMZ, and to allow traffic between the various vCloud Networking and Security Edge gateway interfaces. The firewall configuration for both of the vCloud Networking and Security Edge gateways is shown in Figure 52 and Figure 53. Rules with the type Internal are autogenerated by vCloud Networking and Security Manager to allow the traffic generated by various vCloud Networking and Security Edge gateway services and High Availability (HA) heartbeat traffic to move between active and standby vCloud Networking and Security Edge gateway instances. Rules are executed from top to bottom. When a matching rule is found, the action to accept or deny is applied and the rest of the rules are not executed.
The highlighted rules are created by the administrator. The External-to-LB-Web rule enables traffic from outside to Web services offered using the vCloud Networking and Security Edge gateway load balancer. The DMZ-Servers-to-External rule allows DMZ servers to access the Internet (in other words, to download patches). The Application1-Web-to-App and Application2-Web-to-App rules allow communication from Web servers to application servers on the application server port.
Figure 52. vCloud Networking and Security Edge Gateway Firewall Configuration—DMZ Application 1
Figure 53. vCloud Networking and Security Edge Gateway Firewall Configuration—DMZ Application 2
Services and service groups represent ports and protocols used in rules. App-Port-Protocol used in rule 6 (Application2-Web-to-App) in Figure 53 is a user-defined service, as shown in Figure 54. A majority of the services listed in Figure 54 are predefined for convenience and ease of use.
Figure 54. vCloud Networking and Security Edge Gateway Services View
In the firewall rules, App2-Web-IP’s, App2-App-IP’s and App2-LB-VIP are user-defined Grouping Objects, as shown in Figure 55. Grouping Objects are used to represent a collection of IP addresses, MAC addresses, or a security group containing other Grouping Objects. Grouping Objects whose names start with internal are autogenerated by vCloud Networking and Security Manager.
Figure 55. vCloud Networking and Security Edge Gateway Grouping Objects View
vCloud Networking and Security Edge Gateway Network Address Translation
In order for DMZ servers with private addresses to be able to access the public Internet, the Source NAT feature of the vCloud Networking and Security Edge gateway is employed to allow all servers in the DMZ to connect to the outside network. A single IP address is used to represent all servers connecting out (IP masquerading). The highlighted portions of the following screenshots show the SNAT configuration on both of the vCloud Networking and Security Edge gateways. The other DNAT entries shown are autogenerated by vCloud Networking and Security Manager for load balancing and other services.
Figure 56. vCloud Networking and Security Edge Gateway NAT View—DMZ Application 1
Figure 57. vCloud Networking and Security Edge Gateway NAT View—DMZ Application 2
3. (A) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ Protection—Multiple Network Segments (VLANs/VXLANs)
In this deployment, we add virtual machine–to–virtual machine traffic firewalling within a network segment, and flow monitoring capability, to deployment option 2 described in the previous section by using a vCloud Networking and Security App firewall. The logical representation of this deployment is shown in Figure 58.
A vCloud Networking and Security App firewall is installed on all the hosts in the cluster.
The vCloud Networking and Security Edge gateway firewall, load balancing, and NAT configuration is the same as that shown in the previous section. The only difference from the previous section is the addition of the vCloud Networking and Security App firewall.
vCloud Networking and Security App firewall L2 (Ethernet) rules used for east-west traffic control are shown in Figure 59. Rule 1 (App1 Web Tier Microsegment) and rule 2 (App2 Web Tier Microsegment) ensure microsegmentation of Web servers. In other words, one Web server cannot communicate with another Web server. If one of the Web servers is compromised, it cannot be used to directly attack the other servers.
Figure 59. vCloud Networking and Security App Firewall L2 Rules
Because the vCloud Networking and Security Edge gateway is protecting the traffic between the tiers of the DMZ application, vCloud Networking and Security App firewall L3 (General) rules are set up with a default Allow, as shown in Figure 60. A second level of firewalling can be achieved by defining vCloud Networking and Security App firewall L3 rules if required.
Figure 60. vCloud Networking and Security App Firewall L3 Rules
3. (B) vCloud Networking and Security Edge Gateway and vCloud Networking and Security App Firewall for Complete DMZ Protection—Single Network Segment (Flat VLAN/VXLAN)
This is an extension of deployment option 1, in which we are replacing a physical perimeter firewall with a vCloud Networking and Security Edge gateway to provide perimeter security and load balancing, in addition to NAT and other services, to the DMZ applications. The logical representation of this deployment is shown in Figure 61.
Figure 61. Logical Network View (vCloud Networking and Security App firewall installed on every host in the cluster; DMZ-PortGroup 192.168.1.0/24 with the Edge gateway at .1 and uplinks 10.20.181.172 and 10.20.181.173; DMZ Application 1 Web Tier and App Tier VMs at .2 to .5; DMZ Application 2 Web Tier and App Tier VMs at .6 to .9)
The vCenter view of this setup is shown in Figure 62. The virtual machines belonging to DMZ applications and the vCloud Networking and Security Edge gateway (the SJDC-Edge2 and SJDC-Edge2-1 HA pair) are connected to the same port group, DMZ-PortGroup.
Figure 62. vCenter Virtual Machine–to-Network Map
The vCloud Networking and Security Edge gateway interface view for the deployment is shown in Figure 63.
vCloud Networking and Security Edge gateway interface address 192.168.1.1 shown in the figure acts as the default gateway address for all the virtual machines of the DMZ applications connected to DMZ-PortGroup.
Figure 63. vCloud Networking and Security Edge Gateway Interface View
vCloud Networking and Security Edge Gateway Load Balancing
vCloud Networking and Security Edge gateway provides load balancing for TCP, HTTP and HTTPS traffic.
The Web servers of DMZ applications are accessible using the vCloud Networking and Security Edge gateway load balancer. The Web servers of both of the DMZ applications are configured as separate pools to service HTTP/HTTPS requests using a round-robin algorithm, as shown in Figure 64.
Figure 64. vCloud Networking and Security Edge Gateway Load Balancer Pools
Figure 65. vCloud Networking and Security Edge Gateway Load Balancer Pool Servers—Application 1
Figure 66. vCloud Networking and Security Edge Gateway Load Balancer Pool Servers—Application 2
The vCloud Networking and Security Edge gateway load balancer is configured to receive Web requests on the external interface address (virtual server IP address) and route them to a pool of Web servers attached to it. The vCloud Networking and Security Edge gateway load balancer virtual server configuration is shown in Figure 67.
NOTE: The vCloud Networking and Security Edge gateway load balancer implicitly handles the destination NAT for the Web servers, so it is not required to configure this separately in the NAT section.