At the end of last year VMware acquired Blue Lane Technologies, a security-focused company. Blue Lane had a product called Virtual Shield. The product has been rebranded in a very short time and will be released very soon as VMware vShield Zones.
This session was presented by Allwyn Sequeira, Senior Director, Security at VMware (formerly VP Engineering at Blue Lane).
Until now you could choose between host security and network security to protect your VMs. With the introduction of vShield Zones you add an extra layer (mezzanine) between the hypervisor and the guest virtual machines. Essentially vShield Zones is a tool that provides security isolation (firewall functionality) between network zones within the virtual infrastructure, together with a visibility function for flow analysis. This gives visibility into all communication between systems within the virtual infrastructure and into all communication coming in from the outside into the virtual environment. vShield Zones is an agentless solution (as far as guest VMs are concerned), so no agent is required inside the virtual machines. There is no footprint on the guest VM; the zones are distributed across the ESX hosts.
In the picture below you will find an overview of vShield Zones.
The deployment of vShield Zones consists of four easy steps. The first step is the integration of the vShield Manager virtual appliance (downloaded in OVF format) with vCenter. Step two is to provision the vShield Manager to use vCenter to communicate with the virtual environment. This is another reason to make vCenter highly available using vCenter Heartbeat. Step three uses the manager to deploy the zone agents across the different hosts and discover the virtual environment. The fourth and last step is the configuration of the firewall (setting rules, etc.) and monitoring your environment.
If you look at vCenter after deployment of vShield Zones you will see a situation like the one displayed in the picture below.
On the left you see the situation before deployment of vShield Zones and on the right the situation after deployment, which shows the protected zones. The zones are fairly secure: only the manager has an IP address (the manager is marked red, the zone agents green; the agents do not have an IP address).
This is what virtual security looks like in a schematic overview once deployment is complete:
From within the vShield Zones Management Console you can easily tell which VMs are unprotected. Per VM it shows the host it resides on and points out which hosts the VM could potentially move to, along with their security state. This way you can instantly see whether the hosts the VM can move to live up to the security policies you have set up.
The vShield Zones agent must be seen as a layer 2 device (such as a repeater); no intelligence is built into the zone agent itself.
Implementing firewall rules is relatively simple: you can click on the datacenter or cluster to set rules at that level (high-priority security rules), and you can also set rules at lower levels, for example at cluster or VM level. The rules you can set are application aware (DHCP, FTP, HTTP, etc.) and can be set live.
Besides the host and server perspective (objects) in the user interface explained above, there is also a network perspective in vShield Zones Manager where you can set rules at VLAN level, port group, network segment, etc.
With vShield Zones you can now see, for any given VM, the allowed traffic per TCP and UDP port, both inbound and outbound. This is especially useful for VDI scenarios, since it also covers inter-VM traffic. vShield Zones also has historical and real-time flow charts available for analysis.
At a functional level, here are some examples of what it offers:
- Partition VMs into secure zones, and isolate them
- Enable admins to access VMs in these zones via SSH
- Disable FTP access, enable Windows access
- Create rules at datacenter, cluster, VLAN and VM levels
- Monitor traffic at different levels, between security zones
- Monitor sessions/traffic by app, VI groups, VMs
- Easily deny traffic that should not be allowed
- DMZ-in-a-box, to go
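To make the rule hierarchy and the per-VM flow view described above concrete, here is a small added model in Python. It is an illustration written for this post, not vShield Zones code or anything from VMware: the rule semantics it implements (rules at a broader scope such as the datacenter are evaluated before cluster and VM rules, first match within a scope wins, and unmatched traffic is denied) are assumptions made for the example, and the rules, VM names and flow records are constructed. It shows why a datacenter-level FTP deny shadows a VM-level FTP allow, and how a flow log can be summarised into the per-VM, per-direction, per-application view the post talks about.

```python
"""Toy model of hierarchical, application-aware zone firewall rules.

Added illustration only, not vShield Zones code. Scope precedence
(datacenter > cluster > vm), first-match within a scope and default deny
are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Broader scopes are evaluated first (assumption for this example).
SCOPE_ORDER = ("datacenter", "cluster", "vm")

# Constructed (protocol, port) -> application labels; 6 = TCP, 17 = UDP.
APP_PORTS = {
    (6, 21): "ftp", (6, 22): "ssh", (6, 80): "http", (6, 443): "https",
    (6, 445): "smb", (6, 3389): "rdp", (17, 67): "dhcp",
}


@dataclass(frozen=True)
class Rule:
    scope: str          # "datacenter", "cluster" or "vm"
    target: str         # name of the datacenter, cluster or VM the rule is set on
    app: Optional[str]  # application label, or None for any application
    direction: str      # "in", "out" or "any" (relative to the VM)
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    vm: str
    cluster: str
    datacenter: str
    proto: int          # 6 = TCP, 17 = UDP
    port: int
    direction: str      # "in" or "out" relative to the VM


def app_of(flow: Flow) -> str:
    """Label a flow with its application, falling back to proto/port."""
    proto_name = "tcp" if flow.proto == 6 else "udp"
    return APP_PORTS.get((flow.proto, flow.port), f"{proto_name}/{flow.port}")


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when its scope object, application and direction all fit the flow."""
    scope_object = {"datacenter": flow.datacenter,
                    "cluster": flow.cluster,
                    "vm": flow.vm}[rule.scope]
    if rule.target != scope_object:
        return False
    if rule.app is not None and rule.app != app_of(flow):
        return False
    return rule.direction in ("any", flow.direction)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Verdict for one flow: broader scope wins, first match inside a scope wins."""
    for scope in SCOPE_ORDER:
        for rule in rules:
            if rule.scope == scope and matches(rule, flow):
                return rule.action
    return default  # nothing matched: deny traffic that was never allowed


def summarize(rules: List[Rule], flows: List[Flow]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Per-VM view: direction -> application -> verdict, like a flow-analysis screen."""
    summary: Dict[str, Dict[str, Dict[str, str]]] = {}
    for flow in flows:
        per_dir = summary.setdefault(flow.vm, {}).setdefault(flow.direction, {})
        per_dir[app_of(flow)] = evaluate(rules, flow)
    return summary


# Constructed rule set: a datacenter-wide FTP ban, admin SSH into the prod
# cluster, and VM-specific allows for the web server.
RULES = [
    Rule("datacenter", "dc1", "ftp", "any", "deny"),
    Rule("cluster", "prod", "ssh", "in", "allow"),
    Rule("vm", "web01", "http", "in", "allow"),
    Rule("vm", "web01", "ftp", "in", "allow"),    # shadowed by the datacenter deny
    Rule("vm", "web01", "https", "out", "allow"),
]

# Constructed flow records as a flow monitor might have captured them.
FLOWS = [
    Flow("web01", "prod", "dc1", 6, 80, "in"),
    Flow("web01", "prod", "dc1", 6, 21, "in"),
    Flow("web01", "prod", "dc1", 6, 22, "in"),
    Flow("web01", "prod", "dc1", 6, 443, "out"),
    Flow("db01", "prod", "dc1", 6, 22, "in"),
    Flow("db01", "prod", "dc1", 6, 80, "in"),
    Flow("db01", "prod", "dc1", 17, 53, "out"),
]

if __name__ == "__main__":
    for vm, directions in summarize(RULES, FLOWS).items():
        for direction, apps in directions.items():
            print(vm, direction, apps)
```

Running the script prints, per VM and direction, which applications were allowed or denied; the FTP flow to web01 shows as denied even though a VM-level allow exists, because the datacenter-level rule is evaluated first.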
The first release will not be VMsafe-enabled yet; the first VMsafe-enabled version will not be available before the end of 2009 or the beginning of 2010. Also, not all functionality Blue Lane offered (for example patching from the Blue Lane PatchPoint product) will be available in the VMware product, as VMware explicitly stated it will not offer security content. With Update Manager, for example, they rely on a third-party database (Shavlik) for their security content. The first version of vShield Zones will be released as a virtual appliance with a separate management interface; in later releases vShield Zones will be integrated and part of the product. The release will be close to the release of vSphere. The closer we get to the release date, the more details will be made available.
The vShield Zones tool can help get your systems compliant; the zoning between the different segments in particular is a plus. For example, you can separate different applications and data sets in order to comply with rules (e.g. PCI or healthcare privacy rules) by enforcing that information does not enter or leave a certain zone. That said, vShield Zones must be seen as a regular firewall; the big advantage, however, is that it will be part of the product (vSphere).