Yellow Bricks

by Duncan Epping

security

Excluding your vCenter Server from vShield App protection!

· ·

A while back I posted a hack to exclude your vCenter Server from vShield App protection. I discussed this hack with the vShield team and asked them if it would be possible to add similar functionality to vShield. I was pleasantly surprised when I noticed that they managed to slip it in to vShield App 5.0.1 release. What a quick turnaround! It is described how to do this on page 51 of the admin guide. I tested it myself ad here are the steps I took:

  1. Log in to the vShield Manager.
  2. Click Settings & Reports from the vShield Manager inventory panel.
  3. Click the vShield App tab.
  4. On the Exclusion List, click Add.
    Add Virtual Machines to Exclude dialog box opens.
  5. Click in the field next to Select and click the virtual machine you want to exclude.
  6. Click Select.
    The selected virtual machine is added to the list.
  7. Click OK

In my case I excluded both my WSX server and my vCenter Server instance:

Cloud Infrastructure Architecture Case Study – vSphere + vShield App

· ·

A white paper which I have worked on extensively has just been published. The case study takes a design / architecture approach and lists design considerations, requirements and assumptions throughout the document. I want to thank the people who worked with me on this document: Aidan Dalgleish, Frank Denneman, Matthew Northam, Venky Deshpande and Cormac Hogan. Below you can find more details… don’t forget to download it! I made sure it was available in various formats so each and everyone of you can read it on its favorite device.

Source – Cloud Infrastructure Architecture Case Study

Description: The VMware Cloud Infrastructure Architecture Case Study Series was developed to provide an understanding of the various components of the VMware Cloud Infrastructure Suite. The goal is to explain how these components can be used in specific scenarios, which are based on real-world customer examples and therefore contain real-world requirements and constraints. The VMware Cloud Infrastructure Suite consists of five technologies that together expand the capabilities and value that customers can realize from a virtualized infrastructure. This case study focuses on vSphere 5.0 and vShield App 5.0.

EPUB: http://www.vmware.com/files/pdf/techpaper/cloud-infrastructure-architecture.epub
MOBI: http://www.vmware.com/files/pdf/techpaper/cloud-infrastructure-architecture.mobi
PDF: http://www.vmware.com/files/pdf/techpaper/cloud-infrastructure-achitecture-case-study.pdf

Secured down your environment with vShield App and locked out of vCenter?

· ·

** Disclaimer: This is for educational purposes, please don’t make these .vmx changes in your environment as it is not supported! **

Yesterday I showed how to recover from a vShield App crash. Now bare in mind that this scenario is very rare. Today I decided to lock down my environment to the level where it was impossible to login to vCenter Server or vShield Manager. I added L2 and L3 “Any – Any” block rules to the Datacenter which hosts vCenter and vShield Manager. I needed to get access back to my vCenter host so I started digging and this is how I managed to get it back… it was a lot easier than expected:

  1. http://<ip-address-of-vShield-manager>
  2. remove/change rule

Was it really that simple? Yes it was, even after applying block rules I could still access vShield Manager. I wondered why so I started digging in to it.

If you look at the vShield Manager UI you will see that all VMs are listed except for vShield Manager and the vShield App FW VMs. The reason for this is that the vShield VMs are considered to be Service VMs. You can actually see this when you go to your Cluster in the vShield Manager UI and check the “Summary” as it will list the amount of Service VMs as shown in the screenshot below.

I wondered what caused these VMs to be listed as Service VMs so I looked at the .vmx file of the vShield VMs and spotted the following entries:

  • vShield Manager.vmx:
    vshield.vmtype = "Manager"
    vshield.vmversion = "5.0"
    vshield.vmbuild = "473791"
  • vShield App FW.vmx:
    vshield.vmtype = "Zones"
    vshield.vmversion = "3.0"
    vshield.vmbuild = "473791"

Another thing that I noticed in the .vmx file for vShield Manager is that it did not have a filter applied, in other words traffic goes straight to the VM. This was the reason traffic was not blocked by the rules we created. The next thing I wanted to test is what would happen if I would remove the filters from the vCenter VM and simply add the three .vmx entries that the vShield Manager had? The reason I wanted to test this is because I wanted to know if a filter would be applied or not.

Instead of (ab)using my vCenter VM for this (I might need it later on) I created a test VM. I booted up the VM to see if it would get the filter and made sure the rules I created were applied. I couldn’t access the VM as expected as the filter and the rules were applied. I powered it off, removed the filter, added the three entries (vShield Manager) and booted up the VM… No changes were made to the VM and I could still access it. Is this useful for your production environment? No it is not, as it is definitely not recommended to make changes like these as it is totally unsupported and could lead to unexpected results. It is nice to know though…

vShield App broke down on the host that is running vCenter now what?

· ·

I was playing around with vShield App and I locked out my vCenter VM which happened to be hosted on the cluster which was protected by vShield App. Yes I know that it is not recommended, but I have a limited amount of compute resources in my lab and I can’t spare a full server just for vCenter so I figured I would try it anyway and by breaking stuff I learn a lot more.

I wanted to know what happened when my vShield App virtual machine would fail. So I killed it and of course I couldn’t reach vCenter anymore. The reason for this being is the fact that a so-called dvfilter is used. The dvfilter basically captures the traffic, sends it to the vShield App VM which inspects it and then sends it to the VM (or not depending on the rules). As I killed my vShield App VM there was no way it would work. If I would have had my vCenter available I would just vMotion the VMs to another host and the problem would be solved, but it was my vCenter which was impacted by this issue. Before I started digging myself I did a quick google and I noticed this post by vTexan. He had locked himself out by creating strict rules, but my scenario was different. What were my options?

Well there are multiple options of course:

  1. Move the VM to an unprotected host
  2. Disarm the VM
  3. Uninstall vShield

As I did not have an unprotected host in my cluster and did not want to uninstall vShield I had only 1 option left. I figured it couldn’t be too difficult and it actually wasn’t:

  1. Connect your vSphere Client to the ESXi host which is running vCenter
  2. Power Off the vCenter VM
  3. Right click the vCenter VM and go to “Edit Settings”
  4. Go to the Options tab and click General under Advanced
  5. Click Configuration Parameters
  6. Look for the “ethernet0.filter0” entries and remove both values
  7. Click Ok, Ok and power on your vCenter VM

As soon as your vCenter VM is booted you should have access to vCenter again. Isn’t that cool? What would happen if your vShield App would return? Would this vCenter VM be left unprotected? No it wouldn’t, vShield App would actually notice it is not protected and add the correct filter details again so that the vCenter VM will be protected. If you want to speed this process up you could of course also vMotion the VM to a host which is protected. Now keep in mind that while you do the vMotion it will insert the filter again which could cause the vCenter VM to disconnect. In all my tests so far it would reconnect at some point, but that is no guarantee of course.

Tomorrow I am going to apply a security policy which will lock out my vCenter Server and try to recover from that… I’ll keep you posted.

** Disclaimer: This is for educational purposes, please don’t try this at home… **

vShield App and layering your design

· ·

I started diving in to vShield App and one thing that I like about vShield App is that it allows you to use different types of objects to apply your policies to. Never really put too much thought in to it, but considering the world is more and more changing to policy based management this fits right in. I just wanted to share something that I was working on, any feedback / thoughts are welcome…

The VMware Cloud Infrastructure aims to reduce operational overhead and lower Total Cost of Ownership (TCO) by simplifying management tasks and abstracting complex processes. The focus of this architecture, as indicated by our customer requirements, is resource aggregation and isolation through the use of pools for each of the crucial pillars: network, storage and compute. Each of the three pillars will be carved in to multiple units of consumption with priority allocated based on their service level agreement. This will be achieved by leveraging core functionality offered by vSphere 5.0. Subsequently vShield App will be used to isolate each of the different type of workloads. As a hypervisor-based application-aware firewall solution, vShield App allows defining policies to logical, dynamic application boundaries (security groups) instead of physical boundaries.

This resource and security layering method will allow for a fast and safe deployment of new workloads.

Each of the different types of resources are carved up in to different groups for each of the respective workload types. A virtual machine, or vApp, will be deployed in one of the three different compute and security groups after which a specific networking group will be selected and a storage tier. Compute, Security and Network  group types are currently defined based on the different type of workloads this virtual infrastructure will host. In the future additional blocks may be added based on the requirements of the internal customers and the different types of workloads being deployed…