VMware’s new vCloud Networking and Security 5.1 (formerly known as vShield) has multiple components — vShield App, vShield App with Data Security, vShield Edge, and vShield Endpoint — all of which are managed by vShield Manager. For this post, I focus on the vShield App and Data Security components. Data Security is not really a part of vShield App, but it is referred to as vShield App with Data Security in the documentation. All of my configurations for this tutorial were done in a vSphere 5.1 environment.
Installing vShield Networking and Security
1. Download the VMware-vshield.ova from VMware’s site.
2. Create a new port group on your Virtual Distributed Switch. You can call it whatever you like, but this network will be used for vShield.
3. Deploy the downloaded .ova from your vSphere client (Figure A).
Figure A
4. Follow the wizard and, when it asks you to configure networking, make sure you choose the new portgroup you’ve configured.
5. Power on the appliance, and open the console to finish the rest of the initial configuration.
6. Log in to the CLI with the default credentials admin/default.
7. Enter the command ‘enable’ and, when prompted, enter the password ‘default’ again.
8. Enter the command ‘setup’.
9. Follow the prompts to finish the setup wizard.
10. Log out and open a browser. Browse to the IP that you assigned to the Manager appliance and log in with the admin/default credentials again.
11. Click the Edit buttons to configure the Lookup Service, vCenter Server, NTP Server, and Syslog server if you like. (The DNS servers should already be configured.) After these settings are configured, you will see the left panel get populated with data from your vCenter server.
Installing vShield App
vShield App is essentially a firewall for your virtual machines and virtual apps. You may use vShield App for flow control monitoring and for configuring firewall rules to protect your applications from attacks. The idea is to install vShield App on each host, and let it run for a while during your peak production hours; then you can look at the traffic to decide how you want to create firewall rules to protect your virtual machines from the outside or even from each other. Follow these instructions to install vShield App.
1. Log in to vShield Manager, expand the Datacenters folder, and install vShield App on each host. The installation takes a few minutes per host. If you’re using the old vSphere Client, there is a vShield tab you can click to get to the manager (Figure B).
Figure B
2. You can manage things like Flow Monitoring and the App Firewall by clicking the Datacenter or a VM in the vShield Manager window.
3. To see the Flow Monitoring, click the Flow Monitoring tab and this will show you the traffic in your virtual environment. You can see Top Flows, Top Destinations, and Top Sources.
4. By clicking the Details link, you can choose to look at either Allowed Flows or Blocked Flows.
5. Click the App Firewall tab to configure firewall rules for your Datacenter or VM.
- a. Click the + sign.
- b. When a rule appears, click the + within the Name field to name the rule.
- c. Click the + sign within the Source field to specify a source.
- d. Click the + sign within the Destination field to specify a destination (Figure C).
- e. Click the + sign within the Service field to specify what service you’d like to allow or block.
- f. In the Action field select whether you’d like to allow or block.
- g. Click Publish Changes to apply the rule.
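Before you click Publish Changes, it helps to check a rule set against the flows you collected during peak hours so you can see what would land in Blocked Flows. The following is an added example, not code from the original post or from VMware: it models the rule fields above (Source, Destination, Service, Action, first match wins) and the Allowed/Blocked split from Flow Monitoring, using constructed rules and flow records.

```python
"""Dry-run vShield App style firewall rules against observed flows (added example)."""
from ipaddress import ip_address, ip_network

# Constructed rule set: evaluated top to bottom, first match wins; "any" matches everything.
RULES = [
    {"name": "web-in", "src": "any", "dst": "10.0.1.0/24", "service": "tcp/443", "action": "allow"},
    {"name": "db-from-web", "src": "10.0.1.0/24", "dst": "10.0.2.10/32", "service": "tcp/3306", "action": "allow"},
    {"name": "deny-all", "src": "any", "dst": "any", "service": "any", "action": "block"},
]

# Constructed flow records shaped like the Top Flows view: (source, destination, service, bytes)
FLOWS = [
    ("203.0.113.5", "10.0.1.20", "tcp/443", 48_000),
    ("10.0.1.20", "10.0.2.10", "tcp/3306", 12_500),
    ("10.0.1.20", "10.0.2.10", "tcp/22", 900),   # SSH from web tier to DB: no rule allows it
    ("10.0.3.7", "10.0.1.20", "tcp/443", 300),
]


def _addr_match(field, value):
    """True when the rule's address field is 'any' or contains the flow's address."""
    if field == "any":
        return True
    return ip_address(value) in ip_network(field, strict=False)


def evaluate(rules, src, dst, service):
    """Return (rule name, action) of the first matching rule; block if nothing matches."""
    for rule in rules:
        if (_addr_match(rule["src"], src) and _addr_match(rule["dst"], dst)
                and rule["service"] in ("any", service)):
            return rule["name"], rule["action"]
    return "default", "block"


def split_flows(rules, flows):
    """Partition flows into allowed and blocked, like the Details view in Flow Monitoring."""
    allowed, blocked = [], []
    for src, dst, service, nbytes in flows:
        name, action = evaluate(rules, src, dst, service)
        (allowed if action == "allow" else blocked).append((src, dst, service, nbytes, name))
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = split_flows(RULES, FLOWS)
    print(f"allowed: {len(allowed)}  blocked: {len(blocked)}")
    for flow in blocked:
        print("  BLOCKED", flow)   # review each before publishing the rule set
```

Any flow that shows up as blocked here is one that will be cut off the moment you publish, so verify it is not traffic an application depends on.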
Figure C
Installing vShield Data Security
vShield Data Security gives you even more detailed reports about security events and compliance. It allows you to compare compliance with all sorts of standard regulations. Follow these instructions to install vShield Data Security.
1. In vShield Manager, click a host, and then click the Install link next to vShield Data Security. I ran into an issue where after I clicked install, it said “Invalid Operation, Page Cannot Be Displayed.” I had to follow this VMware KB article to get it to work.
2. This brings you to a page that allows you to pick the Datastore where the logs will be stored and the management port group, and you can optionally put in a management IP address, which I did. Click Install on this page, and give it several minutes to install.
3. In vShield Manager, click the Data Security option in the left and then click the Policy button. Here you can create scanning policies and start a scan.
4. Click the Datacenter or a VM and then click the Data Security tab to see detailed security events (Figure D).
Figure D
In future posts I will cover the other components of vCloud Networking and Security 5.1: vShield Edge and vShield Endpoint.