
VBLOCK SYSTEMS: VMWARE VIRTUAL FIREWALLS IMPLEMENTATION GUIDE

© 2013 VCE Company, LLC. All Rights Reserved.

Version 1.0

December 2012

www.vce.com


Copyright © 2012 VCE Company Inc. All Rights Reserved

VCE believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO

REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OR


Contents

Introduction ... 5

About this document ... 5

Scope ... 6

Audience ... 6

Feedback ... 6

Technology overview ... 7

Vblock Systems ... 7

Compute components ... 7

Network components ... 8

Storage components ... 8

Virtualization components ... 8

Management components ... 8

VMware vCloud Networking and Security ... 9

VMware vCloud Networking and Security Edge ... 9

VMware vCloud Networking and Security App ... 9

VMware vCloud Networking and Security Manager ...10

Architecture overview ...11

Physical layout ...11

Logical layout ...12

Management VLAN ...12

Test data VLANs ...13

Hardware and software components ...13

Design considerations ...14

vCloud Networking and Security Manager configuration ...15

Service virtual machine placement and network design ...15

Communication with vCenter ...16

Event logging ...17

vCloud Networking and Security App with Data Security configuration ...18

Firewall placement and design ...18

Firewall event logging ...18

Policy setup ...19

vCloud Networking and Security Edge configuration ...20

Placement and design ...20

Interfaces and uplinks ...21

Firewall event logging ...21


Vblock System configuration ...22

Virtualization configuration ...22

Compute configuration...23

Network configuration ...23

Storage design ...25

Architecture validation ...26

Test environment design ...26

Test case 1: Core firewall functionality ...27

Test procedure ...27

Test results ...28

Test case 2: vCloud Networking and Security Edge NAT policy ...29

Test procedure ...29

Test results ...29

Test case 3: vCloud Networking and Security Manager high availability ...30

Test procedure ...30

Test results ...30

Test case 4: Policy set and high-availability workload ...30

Test procedure ...30

Test results ...31

Test case 5: Sensitive data discovery ...31

Test procedure ...31

Test results ...32

Test case 6: Logging ...32

Test procedure ...32

Test results ...33

Conclusion ...35

Next steps ...35


Introduction

Network-based security has traditionally been implemented in data centers using various physical appliances placed in strategic locations on an infrequently changing network fabric. Virtualization and the dynamic nature of a virtual environment change this paradigm. Static security is being replaced by, or augmented with, a more dynamic set of security products that operate without restrictions related to physical location or boundaries. These virtual firewalls provide protection and benefits beyond the limitations of physical security.

Converged infrastructure requires a different approach to firewalls. The traditional network control points where discrete firewalls could be inserted do not exist, requiring a change in the delivery of network access control functions. In addition, more information is available about the hosts participating in network traffic, creating new opportunities in how the changes are implemented. VMware vCloud Networking and Security includes two virtual firewall products: vCloud Networking and Security App (previously known as vShield App) and vCloud Networking and Security Edge (previously known as vShield Edge). These firewalls are frequently used with Vblock™ Systems. This paper discusses how to implement these firewalls into the Vblock System.

About this document

The Vblock™ Systems: VMware Virtual Firewalls Implementation Guide provides detailed deployment options for VMware virtual firewalls on Vblock Systems. It documents the setup process and recommends best practices for deploying App and Edge on the Vblock System. This document:

- Describes the technologies, hardware and software components, and architecture used in the solution.

- Provides design considerations and best practice recommendations for implementation.

- Describes the process of deploying vCloud Networking and Security App and Edge on the Vblock System.

- Demonstrates firewall functionality by confirming full control over administrative functions and the application of firewall and NAT policies. Demonstrates that deployment does not impact normal Vblock System administrative functions.

- Demonstrates high availability for vCloud Networking and Security Manager.

- Demonstrates highly available workloads and network access by confirming that policies accommodate workload movement.

- Addresses data loss protection functions in App with Data Security by showing how to create a policy and arrange the detection of the material.


Scope

This solution was validated on a Vblock System 300; however, it applies to the Vblock System 300 and 700.

Audience

This document is intended for use by people planning, implementing, administering, or auditing network access controls in environments containing Vblock Systems. It is relevant to deployments in every sector.

Feedback

To suggest documentation changes and provide feedback on this paper, send email to [email protected]. Include the title of this paper, the name of the topic to which your comment


Technology overview

This solution uses the following hardware and software components and technologies:

- Vblock Systems

- VMware vCloud Networking and Security

Vblock Systems

VCE represents the next evolution of IT, one focused on the next generation data center and the future of cloud computing. VCE seeks to eliminate the challenges that consume today’s data center resources.

VCE designs and delivers Vblock Systems, which seamlessly integrate leading compute, network and storage technologies. Through intelligent discovery, awareness and automation, Vblock Systems provide the highest levels of virtualization and application performance. Vblock Systems are unique in their ability to be managed as a single entity with a common interface that provides customers’ end-to-end visibility.

The Vblock System 300 is an agile and efficient data center class system, providing flexible and scalable performance. It features a high-density, compact fabric switch, tightly integrated fabric-based blade servers, and best-in-class unified storage.

The Vblock System 700 is an enterprise-class mission-critical system for the world’s most demanding workloads and service levels. It includes the industry’s best director-class fabric switch, the most advanced fabric-based blade server, and the most trusted storage platform.

Each Vblock System has a base configuration, which is a minimum set of compute and storage components as well as fixed network resources. Within the base configuration, certain hardware aspects can be customized. Together, the components offer balanced CPU, I/O bandwidth, and storage capacity relative to the compute and storage arrays in the system.

For more information, go to http://www.vce.com.

Compute components


Network components

The network components in Vblock Systems consist of various models of Cisco Nexus and MDS storage switches. This includes the Cisco Nexus 7000 Series, Cisco Nexus 5000 Series, Cisco Nexus 1000V, Cisco Catalyst 3000 Series, and the Cisco MDS 9000 Series switches.

Storage components

Vblock Systems are built with either EMC VNX or Symmetrix VMAX-based storage arrays. The 300 series systems ship with VNX-based arrays and the 700 series systems ship with VMAX arrays.

Virtualization components

Virtualization components include VMware ESXi, VMware vCenter Server, and VMware vSphere.

Management components

All Vblock System 300 and 700 models include an Advanced Management Pod (AMP). The AMP provides a single management point for Vblock Systems that provides the following benefits:

- Monitors and manages Vblock System health, performance, and capacity

- Provides fault isolation for management

- Eliminates Vblock System resource overhead

- Provides a clear demarcation point for remote operations

The AMP has two deployment options: mini-AMP and high availability (HA) AMP.

- The mini-AMP is an economical single-server system with reduced costs for switches and licenses and optional packages for networking, backups, and data duplication.

- The HA AMP is a two-server system that uses a local disk to boot VMware vSphere ESXi and shared storage for the Vblock Systems management servers. It is designed to be a highly available, out-of-band management environment.


VMware vCloud Networking and Security

VMware vCloud Networking and Security provides software-defined networking and security services. It consists of the following components, all managed centrally through VMware vCenter and VMware vCloud Director:

- vCloud Networking and Security Edge (previously known as vShield Edge)

- vCloud Networking and Security App (previously known as vShield App)

- vCloud Networking and Security Data Security (previously known as vShield Data Security)

- vCloud Networking and Security Manager

vCloud Networking and Security is built with virtual security appliances. Network traffic from virtual workloads passes through these appliances, which apply services such as firewalling and load balancing.

There are two vCloud Networking and Security virtual appliance types:

- The Edge appliance establishes a perimeter gateway for network traffic entering and leaving a virtual data center (north-south traffic).

- The App firewall provides protection directly in front of one or more virtual machines and is frequently used to regulate traffic between the virtual machines (east-west traffic).

VMware vCloud Networking and Security Edge

vCloud Networking and Security Edge secures the edge, or perimeter, of a virtual data center with firewalling, VPN, NAT, DHCP, and web load-balancing capabilities that enable rapid, secure scaling of virtualized infrastructures. Along with network isolation, these services create logical security perimeters around virtual data centers and enable secure multi-tenancy. Edge is compatible with port groups on the vNetwork Standard Switch (VSS), vNetwork Distributed Switch (vDS), and the Cisco Nexus 1000V switch. Edge management is supported through the vCloud Networking and Security Manager Web interface and the vCloud Networking and Security Manager plug-in to VMware vCenter Server.

The Edge virtual appliance supports multiple user-defined interfaces, including external and internal network interfaces. Internal interfaces connect to the secured inside port group and are the gateway for all protected virtual machines in this port group. External interfaces connect to an uplink port group that has access to a shared corporate network or a service provider access-layer network.

VMware vCloud Networking and Security App


App installs as a hypervisor module and firewall service virtual appliance on each ESXi host in the cluster hosting the protected virtual machines. The hypervisor module places a vNIC-level firewall enforcement point for the traffic to and from the virtual machines.

App extends into Sensitive Data Discovery (available in vCloud Networking and Security App with Data Security). Data Security scans virtual workloads for sensitive data, such as credit card information, and reports violations of regulations, such as PCI-DSS, enabling IT organizations to quickly assess the state of compliance with regulations from around the world. It also provides a management console for selecting regulations to be used in compliance scans, and includes templates of regulations, including PCI-DSS (Payment Card Industry Data Security Standard), HIPAA for access to Protected Health Information (PHI), and so forth.

VMware vCloud Networking and Security Manager

vCloud Networking and Security Manager is the central point of control for all features and capabilities of the vCloud Networking and Security product. It integrates with VMware vCenter to offer role-based access control and administrative delegation in a unified framework for managing virtualization security. It promotes IT compliance with centralized logging and reporting and supports integration of vCloud Networking and Security with third-party solutions using the REST APIs.


Architecture overview

This section describes the physical and logical solution architecture.

Physical layout

Figure 1 shows the Vblock System setup used to validate this solution. It consists of a Vblock System 300 and an AMP.

Figure 1. Physical configuration

Management virtual machines including Cisco Nexus 1000V Virtual Supervisor Module (VSM), vCloud Networking and Security (vCNS) Manager, a Jump Host (to access the test environment), VMware vCenter, and VMware Update Manager (VUM) all reside on the AMP host.


Logical layout

Figure 2 shows the logical configuration of the components used to implement the VMware vCloud Networking and Security firewall solution on a Vblock System.

Figure 2. Logical configuration

Management VLAN


Test data VLANs

The test environment consists of a cluster of two ESXi servers, each of which hosts test virtual machines (customer workload) that reside on VLAN 132 and VLAN 133. The Edge firewall has its internal secured port groups on these data networks (VLANs 132/133) and an uplink port group going out to the outside world. This makes the Edge firewall the default gateway for all virtual machine traffic entering and leaving the cluster. Traffic between virtual machines is inspected by the App firewall and the Data Security scanning component.

Hardware and software components

The following table lists the hardware used to validate this solution.

Resource          Description
Compute           - Cisco UCS B-Series Blades (B230M2)
                  - Cisco UCS M81KR Virtual Interface Card converged network adapter 2.1.2.22
                  - Cisco UCS 6120 fabric interconnects (6120 version 2.0 [2q])
                  - Cisco UCS 5108 Blade Server chassis
Network           - Cisco Nexus 5548UP Series IP switches 5.1(3)N1(1a)
                  - Cisco Nexus 1000V VSM and VEM virtual switch 4.2(1)SV1(5.1)
                  - Cisco MDS 9148 Multilayer Fabric Switch 5.2(2a)
Storage           - EMC VNX Series Unified Storage with EMC Unisphere: VNX for File 7.0.53-2, VNX for Block 05.31.000.5.716
Management (AMP)  - Cisco Catalyst 3560-X Switch
                  - Cisco C200 High-Density Rack Server (48 GB RAM and 4 TB of storage)

The following table lists the software used to validate this solution.

Resource        Description                                                                     Version
Virtualization  VMware vSphere 5                                                                VMware ESXi 5.0.0 build-768111 and vCenter Server 5.0.0 build-755629
Management      EMC PowerPath/VE                                                                5.7
                EMC Unisphere                                                                   V1.1.32
                Cisco UCS Manager                                                               2.0(2q)
                VMware vSphere Server Enterprise Plus                                           Build 5.0.0 build-755629
                VMware ESXi                                                                     5.0.0 build-768111
Security        VMware vCloud Networking and Security (Manager, App, Data Security, and Edge)   5.1
                VMware vShield Endpoint

Note: We installed Endpoint as a prerequisite for Data Security. Otherwise, it is out of scope for this paper.


Design considerations

This section contains design considerations, sizing requirements, and best practice recommendations for implementing VMware virtual firewalls on Vblock Systems.

When configuring vCloud Networking and Security to deploy on Vblock Systems, there are decisions that need to be made, including:

- Where to install (AMP or Vblock System blade)

- Integration with VMware vCenter

- Workload high availability through vCloud Networking and Security Manager

- Distributed virtual switch options

- How to set up policies (data centers, cluster, resource pools, vApps, IP addresses, security groups)

- Where and at what level to send logs

This section contains design considerations and best practice recommendations around these decisions and more. Use the information in the following table as a guide:

Decision: Where to install
Considerations: Because Manager is a management component of the vCloud Networking and Security solution, it can be placed on the Vblock System AMP with other management virtual machines. If not using the AMP, the vCloud Networking and Security Manager service virtual machine (SVM) can be placed in the Vblock System itself. Install vCloud Networking and Security App on each ESXi host that needs protection for east-west traffic. Install vCloud Networking and Security Edge based on requirements for perimeter security. In our test lab, we installed it at the cluster level in the Vblock System, protecting north-south traffic across the test virtual machines.
For more information, go to: vCloud Networking and Security Manager configuration; vCloud Networking and Security App with Data Security configuration; vCloud Networking and Security Edge configuration

Decision: vCenter integration
Considerations: Configure vCloud Networking and Security Manager to connect to VMware vCenter. Integration with vCenter allows Manager to display the VMware infrastructure inventory.
For more information, go to: vCloud Networking and Security Manager configuration

Decision: Workload high availability through vCloud Networking and Security Manager
Considerations: In order to use the high availability functionality of vCloud Networking and Security Manager, we recommend installing it on a cluster of two or more ESXi hosts. This allows the Manager SVM to migrate from one host to another in case of host failure. Shared storage between the hosts in the cluster is also required to allow for vMotion.

Decision: Distributed virtual switch option
Considerations: The Nexus 1000V switch is standard in Vblock Systems and is used as the distributed virtual switch. Create port profiles on the Nexus 1000V switch for all management traffic and for the internal and uplink interfaces of vCloud Networking and Security Edge.
For more information, go to: Network configuration

Decision: Policy setup and firewall rules
Considerations: All policy creation for the vCloud Networking and Security App and Edge firewalls is done only at the data center level. Depending on your requirements, sources and destinations can be IP addresses, resource pools, security groups, vNIC groups, and so forth.
For more information, go to: Policy setup section in vCloud Networking and Security App with Data Security configuration; Policy setup section in vCloud Networking and Security Edge configuration

Decision: Firewall event logging
Considerations: View firewall logs locally using flow monitor in vCloud Networking and Security App or send logs to an external syslog server for forensic analysis and troubleshooting. We recommend logging at the warning level to capture all important messages without constraining the firewalls.
For more information, go to: the vCloud Networking and Security Manager configuration, vCloud Networking and Security App with Data Security configuration, and vCloud Networking and Security Edge configuration sections on how to set up the syslog server and logging levels on each of the vCloud Networking and Security components

vCloud Networking and Security Manager configuration

vCloud Networking and Security Manager configuration includes:

- Service virtual machine (SVM) placement and network design

- Communication with vCenter

- Event logging

Service virtual machine placement and network design

vCloud Networking and Security Manager installs as a service virtual machine (SVM) on an ESXi host in vCenter. Best practice recommendation for this component is a high-availability setup, which requires installation on a cluster of two (or more) ESXi hosts.


Note: To ensure proper communication between Manager and the other virtual firewall components, you must consider network and compute configuration. These are discussed in the Network configuration and Compute configuration sections.

Figure 3. vCloud Networking and Security Manager SVM installed in the AMP cluster

Note: To ease customers' transition from vShield 5.0 to vCloud Networking and Security and ensure continuity, the user interface for vCloud Networking and Security still refers to the capabilities using the existing vShield product names.

Communication with vCenter

Once Manager is installed, we recommend connecting to vCenter Server from Manager. This enables Manager to display the VMware infrastructure inventory.


Event logging

We enabled syslog and configured it to forward logs to an external server on port 514.

Figure 5. Syslog configuration

To ensure all log traffic is stamped with the same time source, we configured NTP using Manager. This follows best practice recommendations for forensic analysis and troubleshooting.


vCloud Networking and Security App with Data Security configuration

This section describes how we configured the following:

- Firewall placement and design

- Firewall event logging

- Policy setup

Firewall placement and design

We installed the App firewall as a service virtual machine on each ESXi host in the Vblock System. We also installed a data security SVM on each host. Before installing Data Security SVMs, we installed Endpoint on each ESXi host.

Each App and Data Security SVM pair requires two IP addresses. We placed these SVMs on the distributed management VLAN (111) port group that runs across the AMP and the Vblock System virtual switches. This ensured proper communication of the App and Data Security SVMs with vCloud Networking and Security Manager.

Firewall event logging

vCloud Networking and Security App provides two ways to view firewall logs: flow monitor and syslog server. We used flow monitor to review allowed and blocked flows and see such useful information as top sources and top destinations.


We enabled syslog and configured an external server to collect firewall logs. We set syslog levels to Warning per best practice recommendations. We did the following to configure syslog on App:

1. In the vSphere Client, selected Inventory > Hosts and Clusters.

2. Selected a host from the resource tree.

3. Clicked the vShield tab.

4. In the Service Virtual Machines area, expanded the vShield App SVM.

5. In the Syslog Servers area, typed the IP address of the syslog server.

6. From the Log Level drop-down list, selected the event level at and above which to send vShield App events to the syslog server. Setting this to Warning level is recommended.

7. Clicked Save to save the new settings.

8. Following best practices for troubleshooting and proper event log analysis, we synchronized time between vCloud Networking and Security Manager and App. We used the set clock command from the App CLI.

Policy setup

All App policies and firewall rules can only be created at the data center level. The App Firewall menu provides options to create L2 and L3/4 rules separately.

We selected the vShield tab in vCenter for the test data center and selected the App Firewall menu to add firewall policies. Source and destination for each individual rule can range from an IP address, network, data center, cluster, or virtual machine to a resource pool, a vApp, or a security group. The services allowed or denied by the rule can be selected from a pre-configured Services menu or by creating a new set of services per customer requirements.


vCloud Networking and Security Edge configuration

This section describes how we configured the following:

- Placement and design

- Interfaces and uplinks

- Firewall event logging

- Policy setup

Placement and design

We added Edge as a virtual appliance to an ESXi host in the Vblock System. Edge can be placed on a cluster to provide a high-availability setup. An Edge appliance can be added at the cluster or resource pool level. Design varies depending on requirements and the virtual data center setup. In this test environment, we installed Edge as a service virtual machine on a two-host cluster in the Vblock System.

You can add, edit, or delete appliances. An Edge instance remains offline until at least one appliance has been added to it; therefore, you must add at least one appliance before deploying it. We performed the following procedure to add an appliance:

1. In the vSphere Client, selected Inventory > Hosts and Clusters.

2. Selected a datacenter resource from the Inventory panel.

3. Clicked the Network Virtualization tab.

4. Clicked the Edges link.

5. Clicked the Configure tab.

6. Clicked the Settings link.

7. In Edge Appliances, clicked Add.

8. In the Add Edge Appliance dialog box, selected the cluster or resource pool and datastore for the appliance.

9. Selected the host on which the appliance is to be added.

10. Selected the vCenter folder within which the appliance is to be added.

11. Clicked Add.


Interfaces and uplinks

vCloud Networking and Security Edge installed in a data center can have up to 10 internal or uplink interfaces. An Edge appliance must have at least one internal interface before it can be deployed. For this setup, we configured Edge with the following:

- Two internal interfaces connecting to secured port groups

- One uplink interface to the external network

You must add at least one internal interface for high availability to work.

Figure 8. Edge interfaces and uplinks

Firewall event logging

We enabled syslog and configured an external server to collect the firewall logs. We set syslog levels to Warning per best practice recommendations. We performed the following to configure syslog on Edge:

1. In the vSphere Client, selected Inventory > Hosts & Clusters.

2. Selected a data center resource from the Inventory panel.

3. Clicked the Network Virtualization tab.

4. Clicked the Edges link.

5. Double-clicked the vShield Edge instance for which we wanted to specify the syslog servers.

6. Clicked the Status tab.

7. In the Details panel, clicked Change next to syslog servers.

8. Typed the IP address of both remote syslog servers.


Policy setup

Edge policies and firewall rules can be created only at the data center level. The Firewall menu provides options to create L2 and L3/4 rules separately.

We selected the Network Virtualization tab in vCenter for the test data center and clicked the deployed Edge firewall. We then accessed the Firewall menu to add policies.

Source and destination for each rule can be either an IP address or a vNIC group. Additionally, a source port can be specified. The services allowed or denied by the rule can be selected from a pre-configured Services menu or by creating a new set of services per customer requirements.

We created Edge firewall rules using test virtual machine IP addresses as source and destinations and standard service protocols where applicable. These are shown in the Architecture validation section for the Edge test cases.

Vblock System configuration

This section describes configuring Vblock Systems to work with vCloud Networking and Security firewalls.

Virtualization configuration

To ensure vCloud Networking and Security Manager high availability, we configured the AMP ESXi server as a cluster of two (or more) hosts. This allows the Manager SVM to be moved (through vMotion) from one host in the cluster to another.

For accurate logging, we synchronized time between the ESXi hosts, vCenter Server, and various virtual machines by enabling NTP. This is a best practice for troubleshooting and forensic analysis. On the AMP ESXi, we enabled NTP by performing the following steps:

1. Logged in to vCenter server.

2. Selected Host and Clusters view and clicked the AMP ESXi host.

3. Clicked the Configuration tab and then clicked Time Configuration.

4. Selected Properties > Options > General and selected to stop and start automatically.

5. Selected NTP Settings and entered the IP address of the NTP server.


On the vCenter server virtual machine, we enabled NTP by performing the following steps:

1. Double-clicked the VMware tools icon at the bottom right of the vCenter screen.

2. Selected Time synchronization between the virtual machine and the host operating system.

Compute configuration

To ensure proper communication between the compute and network components, we created on the UCS server each newly defined VLAN used by the management and data traffic of the vCloud Networking and Security components.

Figure 9. VLANs created

Network configuration

To ensure proper communication between the App SVM, the Data Security SVM, and vCloud Networking and Security Manager, we created a common control/management VLAN (111). This VLAN runs across the vSphere distributed switch in the AMP and the Nexus 1000V switch in the UCS compute environment.


    vlan 111
      name Management_vlan
    !
    interface Vlan111
      ip address 10.5.111.1 255.255.255.0
    !

We created a port-profile for this VLAN on the Nexus 1000V VSM, as shown below:

    port-profile type vethernet Management_111
      vmware port-group
      switchport mode access
      switchport access vlan 111
      no shutdown
      state enabled

We created two additional VLANs to carry the workload data traffic across the network. We configured port profiles for these VLANs on the Nexus 1000V VSM. VLANs 132 and 133 also serve as the secured port groups for the two internal interfaces of the Edge firewall.

    port-profile type vethernet DataVlan132
      vmware port-group
      switchport mode access
      switchport access vlan 132
      no shutdown
      state enabled

    port-profile type vethernet DataVlan133
      vmware port-group
      switchport access vlan 133
      switchport mode access
      no shutdown


We placed the Edge uplink port group on a routable VLAN (135) in the test environment running across the management switch, the UCS server, and the Nexus 1000V switch. We configured a port profile on the Nexus 1000V for this VLAN 135.

    port-profile type vethernet DataVlan135
      vmware port-group
      switchport mode access
      switchport access vlan 135
      no shutdown
      state enabled
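The four port profiles above follow one pattern: vethernet type, access mode, the VLAN the profile is named for, no shutdown, and state enabled. A profile that drifts from that pattern (a missing state enabled leaves the profile unusable; a wrong access VLAN puts Edge or App SVM traffic on the wrong segment) is easy to miss in a long running-config. The following Python script is an added example, not part of the VCE guide or any Cisco tool: it parses port-profile text in the format shown above and reports each deviation. The expected VLAN per profile name and the sample configuration (which deliberately contains three defects) are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not the guide's configuration): DataVlan133
# lacks "state enabled", DataVlan135 carries the wrong access VLAN, and
# DataVlan132 is absent altogether.
SAMPLE_CONFIG = """
port-profile type vethernet Management_111
  vmware port-group
  switchport mode access
  switchport access vlan 111
  no shutdown
  state enabled
port-profile type vethernet DataVlan133
  vmware port-group
  switchport access vlan 133
  switchport mode access
  no shutdown
port-profile type vethernet DataVlan135
  vmware port-group
  switchport mode access
  switchport access vlan 153
  no shutdown
  state enabled
"""

# Expected access VLAN per profile: an assumption taken from the names
# the guide gives its profiles.
EXPECTED_VLANS = {"Management_111": 111, "DataVlan132": 132,
                  "DataVlan133": 133, "DataVlan135": 135}

# Commands every profile in the guide carries, regardless of VLAN.
REQUIRED = ("vmware port-group", "switchport mode access",
            "no shutdown", "state enabled")

PROFILE_RE = re.compile(r"^port-profile\s+type\s+(\S+)\s+(\S+)$")
ACCESS_VLAN_RE = re.compile(r"^switchport\s+access\s+vlan\s+(\d+)$")


@dataclass
class PortProfile:
    name: str
    kind: str                       # "vethernet" or "ethernet"
    commands: list = field(default_factory=list)

    def access_vlan(self):
        """Access VLAN from the first matching command, or None."""
        for cmd in self.commands:
            m = ACCESS_VLAN_RE.match(cmd)
            if m:
                return int(m.group(1))
        return None


def parse_port_profiles(text):
    """Split running-config style text into PortProfile objects, in order."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # blank lines and separators
            continue
        m = PROFILE_RE.match(line)
        if m:                                # header of a new profile
            current = PortProfile(name=m.group(2), kind=m.group(1))
            profiles.append(current)
        elif current is not None:            # command within the profile
            current.commands.append(line)
    return profiles


def check_profile(profile, expected_vlan):
    """Return findings for one profile; an empty list means it matches."""
    findings = []
    if profile.kind != "vethernet":
        findings.append(f"type is {profile.kind}, expected vethernet")
    for cmd in REQUIRED:
        if cmd not in profile.commands:
            findings.append(f"missing '{cmd}'")
    vlan = profile.access_vlan()
    if vlan is None:
        findings.append("no access VLAN configured")
    elif expected_vlan is not None and vlan != expected_vlan:
        findings.append(f"access vlan {vlan} but expected {expected_vlan}")
    return findings


def audit(text, expected=EXPECTED_VLANS):
    """Map each profile name to its findings; an expected profile that is
    missing from the text gets a finding of its own."""
    results = {p.name: check_profile(p, expected.get(p.name))
               for p in parse_port_profiles(text)}
    for name in expected:
        results.setdefault(name, ["profile not present in configuration"])
    return results


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name + ": " + ("OK" if not findings else "; ".join(findings)))
```

Feed it the output of show running-config port-profile from the VSM (pasted into SAMPLE_CONFIG or read from a file) to re-check the profiles after any change to the management or data VLANs.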

To provide synchronized time between the various components (including the vCloud Networking and Security SVMs, vCenter server, ESXi hosts, and network devices), we configured an NTP server on a virtual machine residing on the AMP cluster. This ensures accurate analysis of event logs.

Storage design

To ensure vCloud Networking and Security Manager high availability functionality, we configured the shared storage (VM-Shared) on the AMP cluster, as shown in the screenshot below. This allows for VMware vMotion to move the vCloud Networking and Security Manager SVM from one failed host to another in the cluster without loss of service.


Architecture validation

We performed the following tests to validate vCloud Networking and Security firewalls on a Vblock System.

Test name                                           Objective
Firewall functionality                              Validate core firewall functions of the App and Edge firewalls using test virtual machines and a set of allow/block rules to monitor traffic flow and access
vCloud Networking and Security Edge NAT policy      Confirm NAT translations are applied to incoming and outgoing test virtual machine traffic on the Edge firewall
vCloud Networking and Security Manager HA           Validate high availability for vCloud Networking and Security Manager by performing basic testing (such as failover and failback)
App policy set and high availability workload       Validate highly available workloads and network access by confirming that App firewall policies accommodate workload movement
Sensitive data discovery                            Demonstrate the sensitive data discovery functions in vCloud Networking and Security App with Data Security by showing policy creation, execution, and reporting
Logging                                             Validate logging behavior of the App and Edge firewalls

Test environment design

The test environment was used as set up and described in the Architecture overview and Design considerations sections.

The following table contains VLAN and IP address information for the test virtual machines and solution components referenced in the test cases.

Component       VLAN   IP Address     Description
Test VMA-1      132    10.5.132.90    Workload virtual machine
Test VMA-2      132    10.5.132.91    Workload virtual machine
Test VMB-1      133    10.5.133.90    Workload virtual machine
Test VMB-2      133    10.5.133.91    Workload virtual machine
Host-10         130    10.5.130.10    ESXi server
Host-11         130    10.5.130.11    ESXi server
vCNS Mgr        111    10.5.111.90    vCloud Networking and Security Manager
App-10          111    10.5.111.92    vCloud Networking and Security App Service virtual machine on host 10
DataSec-10      111    10.5.111.93    Data Security Service virtual machine on host 10
App-11          111    10.5.111.94    vCloud Networking and Security App Service virtual machine on host 11
DataSec-11      111    10.5.111.95    Data Security Service virtual machine on host 11
EdgeGW-IN-01    132    10.5.132.98    Edge internal interface 1
EdgeGW-IN-02    133    10.5.133.98    Edge internal interface 2
EdgeGW Uplink   135    10.5.135.98    Edge uplink (outside) interface

Tools used for testing include:

 PuTTY for SSH sessions
 Common web browsers for GUI access
 VMware vSphere Client for vCenter inventory and virtual firewall configuration activities

While this solution works on any Vblock System 300 or 700 using the HA AMP or mini-AMP, it was validated on a Vblock System 300.

Test case 1: Core firewall functionality

This test case validates the core firewall functions of the App and Edge firewalls. Test objectives were to demonstrate proper access control for all traffic inspected by the App and Edge firewalls based on the policy set and rule definition.

Test procedure

1. Created two security groups by combining Test VMA-1 and Test VMA-2 into VMA objects, and Test VMB-1 and Test VMB-2 into VMB objects. These objects were used as source and destinations for policy setup.

2. Created a firewall rule for App that allows remote desktop protocol (RDP) sessions from the VMA security group to the VMB security group and denies all other traffic. The following screenshot shows the rule definition:


4. Verified the applied firewall rules by generating RDP and ICMP traffic from source to destination virtual machines.

5. Initiated a continuous ping from VMA-1 to VMB-1 and VMB-2 virtual machines.

Test results

 The App firewall allowed the RDP sessions from VMA to VMB and blocked the ICMP traffic, which matched no allow rule, as shown below:


Test case 2: vCloud Networking and Security Edge NAT policy

This test case confirms that NAT translations are applied to incoming and outgoing virtual machine traffic on the Edge firewall. Test objectives were to demonstrate source and destination NAT policy creation and verify execution for traffic passing through Edge.

Test procedure

1. Opened the Network Virtualization tab and selected the deployed Edge virtual firewall to define its NAT policy.

2. Created source NAT and destination NAT policies for Edge to illustrate proper translation functionality. The screenshot below shows the policy definitions.
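As an added example, not part of this guide or of the Edge product, the following Python model shows the two translations this test case exercises: source NAT hides the internal VLANs behind the Edge uplink address on the way out, and destination NAT publishes a single internal service through the uplink address on the way in. It also carries the design checks a reviewer would apply to a NAT table. The model is stateless (no reply-path connection tracking), the DNAT rule publishing RDP on VMA-1 is hypothetical, and the addresses come from the test environment table above.

```python
"""Stateless model of Edge source NAT and destination NAT, with design checks."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EDGE_UPLINK = "10.5.135.98"                          # Edge uplink (outside) interface, from the table
INTERNAL_NETS = ["10.5.132.0/24", "10.5.133.0/24"]   # the two secured internal port groups

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class NatRule:
    kind: str                    # "snat" or "dnat"
    original: str                # address or CIDR matched: source for SNAT, destination for DNAT
    translated: str
    proto: str = "any"
    dport: Optional[int] = None  # DNAT only: restrict the published service to one port

def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def apply_nat(rules: List[NatRule], pkt: Packet, direction: str) -> Tuple[Packet, Optional[NatRule]]:
    """'out' = internal -> uplink: SNAT rewrites the source.
    'in'  = uplink -> internal: DNAT rewrites the destination.
    First matching rule wins; an unmatched packet passes through untranslated."""
    for r in rules:
        if direction == "out" and r.kind == "snat" and _in(pkt.src, r.original):
            return replace(pkt, src=r.translated), r
        if (direction == "in" and r.kind == "dnat" and _in(pkt.dst, r.original)
                and r.proto in ("any", pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return replace(pkt, dst=r.translated), r
    return pkt, None

def validate_nat(rules: List[NatRule]) -> List[str]:
    """Design checks: SNAT must hide internal VLANs behind the uplink address; a DNAT must
    land on a secured internal VLAN and be pinned to one protocol and port."""
    findings = []
    for r in rules:
        if r.kind == "snat" and r.translated != EDGE_UPLINK:
            findings.append(f"SNAT {r.original} translates to {r.translated}, not the uplink")
        if r.kind == "dnat":
            if not any(_in(r.translated, n) for n in INTERNAL_NETS):
                findings.append(f"DNAT to {r.translated} is outside the secured VLANs")
            if r.proto == "any" or r.dport is None:
                findings.append(f"DNAT to {r.translated} exposes every port, not one service")
    return findings

# Constructed policy: both internal VLANs leave via the uplink address, and one hypothetical
# DNAT publishes RDP on VMA-1 through the uplink address (not a rule taken from the guide).
EDGE_NAT = [
    NatRule("snat", "10.5.132.0/24", EDGE_UPLINK),
    NatRule("snat", "10.5.133.0/24", EDGE_UPLINK),
    NatRule("dnat", EDGE_UPLINK, "10.5.132.90", proto="tcp", dport=3389),
]

if __name__ == "__main__":
    print(apply_nat(EDGE_NAT, Packet("10.5.132.90", "10.5.135.1", "icmp"), "out"))
    print(apply_nat(EDGE_NAT, Packet("10.5.135.1", EDGE_UPLINK, "tcp", 50000, 3389), "in"))
    print(validate_nat(EDGE_NAT))
```

Note that the App firewall sits at the virtual machine's vNIC and therefore sees the translated internal address, so App rules for a published service are written against the internal group or address, not the uplink address.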

Test results


Test case 3: vCloud Networking and Security Manager high availability

This test case validates high availability for vCloud Networking and Security Manager. Test objectives were to show zero downtime for workload traffic and firewall functionality during migration of Manager from one host to another.

Test procedure

1. Installed the Manager virtual appliance on the AMP, which contains a cluster of two ESXi hosts using shared storage and a vSphere Distributed Switch.

2. Migrated the virtual machine from the original host to the secondary host on the AMP cluster.

3. Generated traffic between the test virtual machines to monitor downtime and firewall functionality.

Test results

 The Manager virtual appliance was successfully moved (using vMotion) to the secondary host.

 During the migration, there was no loss of traffic between the test virtual machines. The App and Edge firewalls continued to function normally.

 During the migration, access to the vCloud Networking and Security Manager GUI was lost and firewall rules could not be created during this time. Downtime was minimal and did not affect the virtual firewalls or workloads.

Test case 4: Policy set and high-availability workload

This test case validates highly available workloads and network access. Test objectives included simulating a high-availability workload environment and verifying that the App firewall policy moves with a virtual machine when it is migrated to another host.

Test procedure

1. Created a Deny rule to block traffic from test VMB-1 to VMA-1. See below for rule definition.


3. Generated a continuous ping from the source to the destination virtual machine during this entire time.

Test results

 Per the rule definition, all traffic, including ICMP, from VMB-1 to VMA-1, was blocked by the App firewall.

 Test VMB-1 was successfully moved (using vMotion) to the secondary ESXi host with minimal downtime.

 Traffic continued to be blocked even after the vMotion migration was completed, indicating that the App policy followed the virtual machine from one host to another and denied all traffic going to VMA-1 per the rule set.
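Test cases 1 and 4 both rest on one property of the App firewall: rules reference security groups (virtual machine identity), not hosts or IP addresses, so the same policy applies whichever host's App SVM enforces it after a vMotion. The following Python model is an added example, not code from this guide or from VMware, that evaluates a first-match rule set with a default deny over the test environment described above. The rule IDs, the single-member groups used to express the test case 4 deny rule, the initial VM-to-host placement, and the HOST_SVMS mapping are assumptions for illustration.

```python
"""Model of App firewall evaluation: rules bind to security groups, so verdicts survive vMotion."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory, from the test environment table in this guide
SECURITY_GROUPS: Dict[str, Set[str]] = {
    "VMA": {"VMA-1", "VMA-2"},
    "VMB": {"VMB-1", "VMB-2"},
    # hypothetical single-member groups used to express the test case 4 deny rule
    "only-VMB-1": {"VMB-1"},
    "only-VMA-1": {"VMA-1"},
}
HOST_SVMS = {"Host-10": "App-10", "Host-11": "App-11"}   # App SVM per ESXi host (table above)
PLACEMENT = {"VMA-1": "Host-10", "VMA-2": "Host-10",     # assumed initial VM-to-host placement
             "VMB-1": "Host-10", "VMB-2": "Host-11"}

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str              # security group name, or "any"
    dst: str
    proto: str            # "tcp", "udp", "icmp", or "any"
    dport: Optional[int]  # None = any port (always None for icmp)
    action: str           # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str
    dport: Optional[int] = None

def in_group(vm: str, group: str) -> bool:
    return group == "any" or vm in SECURITY_GROUPS.get(group, set())

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (in_group(flow.src_vm, rule.src) and in_group(flow.dst_vm, rule.dst)
            and rule.proto in ("any", flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First match wins. Anything unmatched is denied; the explicit catch-all rule at the
    end of each set is what gives the drop a Rule ID in the logs."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.rule_id
    return "deny", None

def enforce(rules: List[Rule], flow: Flow, placement: Dict[str, str]) -> dict:
    """The App SVM on the source VM's current host applies the policy Manager pushed to
    every host; the verdict does not depend on which host that is."""
    svm = HOST_SVMS[placement[flow.src_vm]]
    action, rule_id = evaluate(rules, flow)
    return {"enforced_by": svm, "action": action, "rule_id": rule_id}

def vmotion(placement: Dict[str, str], vm: str, new_host: str) -> Dict[str, str]:
    """Move a VM to another host; the rule set is untouched because rules name groups, not hosts."""
    moved = dict(placement)
    moved[vm] = new_host
    return moved

# Test case 1: RDP from VMA to VMB allowed, everything else denied (rule IDs assumed)
TC1_RULES = [
    Rule(1001, "VMA", "VMB", "tcp", 3389, "allow"),
    Rule(1002, "any", "any", "any", None, "deny"),
]
# Test case 4: deny all traffic from VMB-1 to VMA-1, allow the rest (rule IDs assumed)
TC4_RULES = [
    Rule(2001, "only-VMB-1", "only-VMA-1", "any", None, "deny"),
    Rule(2002, "any", "any", "any", None, "allow"),
]

if __name__ == "__main__":
    print(evaluate(TC1_RULES, Flow("VMA-1", "VMB-1", "tcp", 3389)))   # allow by 1001
    print(evaluate(TC1_RULES, Flow("VMA-1", "VMB-1", "icmp")))        # deny by 1002
    ping = Flow("VMB-1", "VMA-1", "icmp")
    print(enforce(TC4_RULES, ping, PLACEMENT))                                 # App-10 denies
    print(enforce(TC4_RULES, ping, vmotion(PLACEMENT, "VMB-1", "Host-11")))   # App-11 denies
```

The reverse RDP direction (VMB to VMA) is denied under the test case 1 set, which is the check to run when confirming that an allow rule is not accidentally bidirectional.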

Test case 5: Sensitive data discovery

This test case demonstrates the use of sensitive data discovery functions in vCloud Networking and Security App with Data Security. Test objectives included creating and reporting the scanning policy executed by the Data Security SVM against a target virtual machine.

Test procedure

1. Set a policy to detect compliance for the PCI regulation standards (PCI-DSS, as shown in the screenshot below).

2. Selected a security group (VMA objects) as a target area for scans.


4. Placed a trigger file on VMA-1 to demonstrate and verify proper data security scanning.

Test results

 Successfully viewed scanning results under the Reports section of Data security.

 The report showed the completion date and time as well as a violation count for PCI. This indicated that the scan successfully picked up on the trigger file and reported expected results.

Test case 6: Logging

This test case validates the logging behavior of the App and Edge firewalls. App firewall logging was verified using the Flow Monitor feature of the App firewall and an external syslog server. Test objectives included the following:

 Reviewing traffic using the Flow Monitor feature in the App firewall. This feature provides flow information (port, protocol, number of sessions) for traffic through each of the test virtual machines. Built-in reports, such as top sources and top destinations, are readily available for review.

 Sending syslog messages from both the App and Edge firewalls to an external syslog server, running on a virtual machine in the AMP, for review.

Test procedure

1. For event log test on the App firewall, selected the primary or secondary ESXi host and accessed the vShield tab.

2. Set up syslog configuration in the Service Virtual Machines section.


The following screenshots show syslog setup on the App firewall.

4. Configured syslog server and logging levels on the Edge firewall, as shown in the following screenshot:

5. Used a syslog server as the external syslog collector to verify proper logging from the vCloud Networking and Security firewalls.

6. Used the Flow Monitor feature on the App firewall to review allowed and blocked flows.

Test results

 The firewalls logged the pass-through traffic and forwarded the syslog messages to the collector. Each message also carried the Rule ID of the firewall rule that triggered the event, so an event can be traced back to the exact rule.
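Because every event carries a Rule ID, a collector can correlate the events with the policy set. The following Python script is an added example, not part of this guide or of the product: it parses syslog events, counts hits per rule, summarises dropped flows per source, and flags events that reference a Rule ID not in the current policy (a sign that a host is enforcing a stale policy or that the logs come from a different policy set). The log lines are constructed in a simplified key=value layout and do not reproduce the product's exact syslog format; the field names and rule IDs are assumptions.

```python
"""Correlate firewall syslog events with the policy set by Rule ID."""
import re
from collections import Counter

# Constructed sample lines in a simplified key=value layout (not the product's exact format).
# Each event carries the Rule ID that triggered it, as the test results describe.
SAMPLE_SYSLOG = """\
<134>Dec 10 10:15:02 App-10 vsfw: ruleId=1001 action=PASS proto=tcp src=10.5.132.90:49211 dst=10.5.133.90:3389
<134>Dec 10 10:15:03 App-10 vsfw: ruleId=1002 action=DROP proto=icmp src=10.5.132.90 dst=10.5.133.90
<134>Dec 10 10:15:04 App-10 vsfw: ruleId=1002 action=DROP proto=icmp src=10.5.132.90 dst=10.5.133.91
<134>Dec 10 10:15:05 App-11 vsfw: ruleId=1002 action=DROP proto=icmp src=10.5.132.90 dst=10.5.133.90
<134>Dec 10 10:15:06 App-11 vsfw: ruleId=1007 action=PASS proto=tcp src=10.5.133.90:52001 dst=10.5.132.90:22
"""

# The policy set Manager currently holds (rule IDs assumed, matching test case 1)
POLICY = {1001: "allow RDP VMA -> VMB", 1002: "default deny"}

EVENT_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) vsfw: ruleId=(?P<rule>\d+) "
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_events(text):
    """Parse one event per line; unparsable lines are skipped (a real collector should alert on them)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["rule"] = int(event["rule"])
        events.append(event)
    return events

def correlate(events, policy):
    """Hit count per Rule ID, dropped flows per source, and events whose Rule ID is unknown
    to the current policy (stale policy on a host, or logs from another policy set)."""
    hits = Counter(e["rule"] for e in events)
    unknown = [e for e in events if e["rule"] not in policy]
    drops_by_src = Counter(e["src"] for e in events if e["action"] == "DROP")
    return {"hits": dict(hits),
            "unknown_rule_events": unknown,
            "drops_by_src": dict(drops_by_src)}

if __name__ == "__main__":
    report = correlate(parse_events(SAMPLE_SYSLOG), POLICY)
    for rule_id, count in sorted(report["hits"].items()):
        print(rule_id, POLICY.get(rule_id, "UNKNOWN RULE"), count)
    for e in report["unknown_rule_events"]:
        print("unknown rule", e["rule"], "on", e["host"], e["src"], "->", e["dst"])
```

In the sample, App-11 reports a PASS for rule 1007, which is not in the policy set; that is the condition to alert on, since it means traffic was allowed by a rule the administrator cannot see in Manager.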


Conclusion

Converged infrastructure requires a different approach to firewalls. The traditional network control points where discrete firewalls could be inserted do not exist, so network access control must be delivered differently. The VMware vCloud Networking and Security product line includes two virtual firewalls, App and Edge, which offer protection and benefits beyond the limitations of physical firewalls.

The Vblock Solution for VMware Virtual Firewalls demonstrates a tight integration of the vCloud Networking and Security components with the Vblock System, enabling simplified administration and preserving secure administrative practices. These virtual firewalls help monitor and control traffic within or to and from a Vblock System environment.

In this guide, we provided a high-level description of the solution components and architecture, examined key design considerations and best practices for implementation, and demonstrated validation for each of the key features required for successful deployment of vCloud Networking and Security firewalls on Vblock Systems.

Next steps

To learn more about this and other solutions, contact a VCE representative or visit www.vce.com.

References

For supporting and additional information, refer to the following:

 VMware vCloud Networking and Security overview
  http://www.vmware.com/products/datacenter-virtualization/vcloud-network-security/overview.html

 VMware vCloud Networking and Security documentation
  http://www.vmware.com/support/pubs/vshield_pubs.html

 VMware vShield Administration Guide
  www.vmware.com/pdf/vshield_51_admin.pdf

 VMware vShield Installation and Upgrade Guide


ABOUT VCE

VCE, formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock Systems, delivers the industry's only fully integrated and fully virtualized cloud infrastructure system. VCE solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure.

For more information, go to http://www.vce.com.
