VMware vShield App best practices list

After a couple of recent projects that implemented vShield app in various ways I thought it would be good to start building a list of best practices. These are some of the suggestions that I have collected in working with different customers and VMware people. I will continue to update as new things come to light.

Consider reading my list of vCloud best practices when you are done with this list, since they are used together often.

vShield Manager

  • Do not deploy the vShield Manager appliance to a cluster that it will be protecting; this can cause it to lose its connection to itself and to vCenter. (With vShield 5.0.1 you can exclude the appliance from protection, but I would still avoid it.)
  • Access to default services such as DNS, syslog, NTP and other similar services that all your VMs need should be created as Layer 3, low-precedence rules at the datacenter level.
  • To provide additional resiliency beyond HA, consider using Fault Tolerance (FT) to protect vShield Manager.


vShield App instances (Appliances)

  • When deploying, use a local datastore on the host if available to prevent accidental vMotion.
  • Consider setting a DRS host affinity rule to make sure the vShield App appliance does not get vMotioned off of its host. DRS is disabled by default for the appliance VM.
  • Follow the vSphere hardening recommendations for virtual switches.
  • Use Security Groups to group together servers with the same function (domain controllers, web servers, DB servers, etc.).
  • Ensure that the HA restart priority for the vShield App appliance is set to High so it is the first to restart, making sure it is running before the VMs it protects are started.
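The checklist above can be audited with VMware PowerCLI. The script below is an added example, not from the original post or from VMware; it assumes an existing Connect-VIServer session, that the manager VM is named 'vShield Manager' and that App appliances are named 'vShield-FW-*' (both are assumptions, adjust the parameters to your environment).

```powershell
# Added example (not from the post): audit vShield Manager and vShield App
# appliances against the best practices listed above with VMware PowerCLI.
# Assumptions: Connect-VIServer has already been run; $ManagerName and
# $AppliancePattern are guesses at naming and must be adjusted to match.
param(
    [string]$ManagerName      = 'vShield Manager',
    [string]$AppliancePattern = 'vShield-FW-*'
)

$findings = @()

# vShield Manager: should be FT-protected and should not live in a cluster
# that contains vShield App appliances (i.e. a cluster it protects).
$mgr = Get-VM -Name $ManagerName -ErrorAction Stop
if ($mgr.ExtensionData.Runtime.FaultToleranceState -ne 'running') {
    $findings += "$($mgr.Name): Fault Tolerance is not running"
}
$mgrCluster = $mgr | Get-Cluster
if ($mgrCluster -and (Get-VM -Location $mgrCluster -Name $AppliancePattern -ErrorAction SilentlyContinue)) {
    $findings += "$($mgr.Name): deployed in protected cluster '$($mgrCluster.Name)'"
}

# vShield App appliances: local datastore, DRS disabled, HA restart priority High.
foreach ($vm in Get-VM -Name $AppliancePattern) {
    foreach ($ds in ($vm | Get-Datastore)) {
        # A datastore visible to more than one host is shared, so vMotion is possible.
        if ($ds.ExtensionData.Summary.MultipleHostAccess) {
            $findings += "$($vm.Name): on shared datastore '$($ds.Name)' (vMotion possible)"
        }
    }
    if ($vm.DrsAutomationLevel -ne 'Disabled') {
        $findings += "$($vm.Name): DRS automation level is '$($vm.DrsAutomationLevel)', expected Disabled"
    }
    if ($vm.HARestartPriority -ne 'High') {
        $findings += "$($vm.Name): HA restart priority is '$($vm.HARestartPriority)', expected High"
    }
}

if ($findings.Count -eq 0) { 'All vShield appliances match the checklist.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it read-only first; the checks only report, they change nothing, so remediation (Set-VM -HARestartPriority High, DRS rules) stays a deliberate separate step.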


About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design


How vShield App updates rules on appliances

While working on a recent project this question came up: if you create new vShield App rules in vShield Manager, how does it push those rules out to the vShield App appliances?

As an example, say you have a large environment with several clusters and you create and publish some new rules that affect only a couple of VMs. Will vShield Manager push the rules out to every App appliance in the vCenter datacenter, to every cluster, or just to the cluster or host that has the affected VMs?

The answer is that vShield Manager only pushes rule updates to the vShield App appliances that are affected, that is, only those protecting the VMs the new rules apply to. For example, you can create vShield App rules at the datacenter level, cluster level, port group level or per vNIC. The level at which a rule was created, together with which App appliances are protecting that level, determines where the rules are pushed.


How to upgrade vShield manager

As part of my lab upgrade process of updating all the vCloud parts, I wanted to document the vShield Manager update steps. Since vShield Manager is a VMware appliance, it has a database that holds your rules and settings, which are distributed out to the various vShield App and Edge devices you are using. So if you just did a rip and replace of the appliance to get to the new version, you would break a lot of things and have to recreate your rules and re-deploy the agents to hosts. This would be a very bad thing in a production install, which is why you should use the update feature built into the vShield Manager console. You can review my post on upgrading the vCloud appliance also.

To update vShield Manager you need to download the gZip package from VMware. When you look at the download options for vShield there is an OVF package that deploys a fresh version of the appliance, and there is a zipped package that you use for updates. Grab the update package and use it in the next step.

In Figure 1 below you can see that, after logging into the management page of the vShield Manager appliance, you need to navigate to the “Settings & Reports” option in the left tree. Then choose the Updates tab and then Upload Settings. This will present you with the option to upload the zipped update file that you downloaded earlier.

Figure 1 - vShield manager update


What is all included in the VMware vShield Family of products

Today at VMworld 2010 VMware announced the new family of vShield products. The new products in this family are vShield Endpoint, vShield App and vShield Edge. Each product has been designed for a few core functions that help facilitate and secure the IT as a Service model that VMware is promoting with its new vCloud Director solution. These security-related products are intended to secure the environment, make management easier and help move down the path to a cloud infrastructure.

I will try to provide some more details about each product below, gathering any details that are available as of today. In the image below are some of the concerns that VMware is addressing based on what enterprises have been telling them.

vShield Endpoint – vShield Endpoint provides on-host antivirus and malware protection that reduces performance latency and eliminates the need to maintain individual security agents in each and every virtual machine, helping to simplify security administration while minimizing the risk of malware infections. Datasheet

vShield App – VMware vShield App protects applications in the virtual datacenter from network-based threats. vShield App gives organizations the ability to create and manage business-relevant policies that adapt to dynamic cloud environments. It also provides deep visibility into network communications between virtual machines and granular enforcement through security groups. Datasheet

vShield Edge – vShield Edge is a network gateway solution that protects the edges of the virtual datacenter with DHCP, network address translation (NAT), firewalling, load balancing, site-to-site VPN, port group isolation and other capabilities that help organizations maintain proper segmentation between different organizational units. Datasheet

vShield Manager – Included with all vShield products, vShield Manager provides a central point of control for managing, deploying, reporting, logging and integrating third-party security services. Working in conjunction with vCenter Server, vShield Manager also enables role-based access control and administrative delegation as part of a unified framework for managing virtualization security.

vShield Zones – VMware vShield Zones, included with vSphere, provides basic protection from network-based threats in virtual datacenters, with application firewalling and policy management based on administrator-defined zones, using basic traffic information such as the source IP address, the destination port, and so on.

Here is a quote from a VMware product release.

Enterprise Partner Extranets – vShield lets enterprises extend their networks and application resources to branch offices, home offices and business partner sites through site-to-site VPN services that offer simplified provisioning, streamline administrative tasks and improve scalability. All traffic between sites is encrypted using IPsec to maintain the confidentiality and integrity of all site-to-site communications.

vShield Product Family Brochure
