Blocking or allowing traffic when vShield App is down?

Duncan Epping · Mar 19, 2012 ·

I wrote a couple of articles about vShield App a couple of months back. One of them explained how to get around a situation where vShield App is down, since in that case all traffic would be blocked. Since then I have spoken to multiple customers who asked whether it was possible to configure vShield App in such a way that traffic is allowed when vShield App itself has a problem. Although this goes against best practices and I would not recommend it, I can understand why some customers would want to do this. Luckily for them, vShield App 5.0.1 now offers a setting that allows you to do exactly this:

  1. Go to vShield within vCenter
  2. Click “Settings & Reports”
  3. Click the “vShield App” tab
  4. Click “Change” under “Failsafe”
  5. Click “Yes” when asked if you would like to change the setting

Together with the option to exclude VMs from being protected by vShield App and the automatic restart of vShield App appliances in the case of a failure, it seems that my feature requests have been fulfilled.

Comments

  1. Xander says

    19 March, 2012 at 10:07

    I think you want to allow all traffic to go through when vShield is down. I think many customers don’t want to have their production environment down because of a vShield bug or failure. On the other hand, it’s a security risk.

  2. Duncan Epping says

    19 March, 2012 at 10:23

    I don’t agree and I think neither would many security officers. But the feature is there now, I just wanted to call it out and hope people will use it wisely and think before changing it.

  3. Greg says

    19 March, 2012 at 10:30

    I agree with Duncan; I think the last thing you’d want is to allow all traffic when the firewall, or vShield in this case, is down. However, our customers may have some use cases that require this behavior, and now they at least have the option.

  4. Xander says

    19 March, 2012 at 10:34

    Many customers use vShield in addition to other security solutions. I think when vShield goes down once or twice due to bugs or something like that, people (e.g. customers) would like to let the traffic go through when it’s down. It’s all specific to a customer’s solution. (I think :-))

  5. nvizor says

    19 March, 2012 at 12:01

    Hi,

    Is there a way to allow traffic for one group of VMs and block traffic for another group of VMs when vShield App is down?

    Thanks,
    nvizor

  6. James Hess says

    19 March, 2012 at 15:22

    “this goes against best practices and I would not recommend this”

    I would disagree with that; it’s _someone’s_ preferred practice for sure, especially for organizations with certain security requirements, but not generally accepted best practice. Your application owners don’t necessarily agree that an outage or stop of business is acceptable in case of a vShield failure.

    Insofar as a network outage is a security violation (loss of availability), just as an intrusion is a security violation, both can cost a serious amount of money. A 10 minute outage for an e-commerce site is a real, large, tangible cost; a 10 minute period during which there is a greater risk of intrusion is more of a theoretical cost.

    Yes, by allowing traffic in case of failure there would be some loss of vShield protection during the outage. You can have an alert triggered for that to minimize the outage; vShield should not be your environment’s only defense, and you can weigh the probability of an attack while vShield is down against the certainty of the business impact that loss of availability will have.

    • Duncan Epping says

      20 March, 2012 at 09:07

      I bet many security officers would not agree with that… anyway, I am just mentioning the best practice from a security stance. This should always be adapted to meet your own requirements and constraints.
