Using a VMware firewall as part of a defense-in-depth strategy

While they are not the Holy Grail of network security, VMware firewall technologies are critical components of protecting a virtual data center. Expert Paul Henry explains why.

Applying ingress and egress filtering at the border router is a critical first layer of defense in a VMware-based virtual data center. This approach has clearly raised the bar in terms of security, and it provides a valuable secondary benefit: by discarding unnecessary traffic before it reaches the data center, it reduces the traffic load on everything behind the router.

However, in terms of network security, there is no magic bullet; simply put, no single security product or technology is the Holy Grail. The industry has long recognized that a layered but manageable security implementation is the best approach to keeping an enterprise and its systems safe.

In this article, I will examine how enterprises can apply VMware firewall technologies to augment a layered defense-in-depth strategy.

vCloud Networking and Security

The formidable set of VMware legacy security technologies -- vShield Edge, vShield App and vShield Data Security -- has been combined into the current vCloud Networking and Security product offering, which consists of the following security components:

  • vCloud Networking and Security Edge (formerly known as vShield Edge)
  • vCloud Networking and Security App (formerly known as vShield App)
  • vCloud Networking and Security Data Security (formerly known as vShield Data Security)

Perimeter protection

We begin at the perimeter of the data center with vCloud Networking and Security Edge, which provides segmentation into "zones of trust." This can be as broad as isolation between tenants within a multitenant environment, or as granular as DMZ and/or VPN extranet isolation within a single-tenant environment.

Firewall filtering within vCloud Networking and Security Edge goes beyond common IP address filtering.

Beyond its filtering capability, vCloud Networking and Security Edge also provides the common services needed at the perimeter:

  • DHCP (addresses dynamically assigned from a defined pool, or a specific address bound to a server)
  • VPN (IPsec and SSL)
  • NAT (static and dynamic)
  • Load balancing (basic load balancing of HTTP on port 80 and HTTPS on port 443)

Application protection

The next layer of defense places security components directly in front of the application you are intending to protect.

First, it is important to point out that the vShield App firewall is not a layer 7 firewall and is limited to filtering at layer 2 and layer 3 only. That said, vShield App has a couple of unique features worth noting:

  • Flow monitoring provides great insight into network and application traffic flows.
  • SpoofGuard prevents unknown VMs from sending or receiving traffic unless they are explicitly permitted in the vShield policy.

While not your traditional layer 7 application firewall, the vShield App firewall does go beyond traditional IP address filtering by allowing policies to be created based on logical constructs, such as vCenter server containers and vShield security groups.

Data protection

vCloud Networking and Security Data Security is easy-to-use, GUI-driven data loss prevention (DLP) software that provides scanning for sensitive data and alerting. The product is based in part on RSA DLP technology and includes 80 regulation templates -- such as personally identifiable information, PCI DSS cardholder data and protected health information -- from around the world (North America, EMEA, Asia-Pacific). The product makes easy work of classifying data within guest VMs and affords complete visibility into your data.

Closing thoughts

While VMware vCloud Networking and Security goes a long way in raising the bar in terms of data center security, remember that it affords little protection at layer 7. Hence, it -- like most other security offerings -- is not the Holy Grail; it will still be necessary to layer in additional protections to complement your vCloud Networking and Security deployment and have a full defense-in-depth strategy.

Examples of risks you will still face after deploying VMware firewall technologies -- and that you should plan to mitigate in the current threat environment -- are SQL injection and cross-site request forgery (CSRF) attacks. SQL injection risk is perhaps best mitigated by taking advantage of built-in features (e.g., Apache includes the ModSecurity application firewall, which affords protection from common attacks, including SQL injection). CSRF attacks can be mitigated by enabling the Apache Tomcat CSRF prevention filter.
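As an added example (not part of the original article), this is how the Apache Tomcat CSRF prevention filter mentioned above is enabled in an application's WEB-INF/web.xml. The filter name and the entry-point paths /index.jsp and /login are assumptions chosen for illustration:

```xml
<!-- WEB-INF/web.xml of the web application to protect (constructed example) -->
<filter>
  <filter-name>CSRFPreventionFilter</filter-name>
  <!-- Tomcat's built-in synchronizer-token (nonce) filter -->
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- Pages that may be requested without a nonce, e.g. the landing and login pages.
         Keep this list as short as possible; every other URL must carry a valid nonce. -->
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login</param-value>
  </init-param>
  <init-param>
    <!-- Number of recent nonces kept per session (supports back button / multiple tabs) -->
    <param-name>nonceCacheSize</param-name>
    <param-value>5</param-value>
  </init-param>
  <init-param>
    <!-- HTTP status returned when a request arrives without a valid nonce -->
    <param-name>denyStatus</param-name>
    <param-value>403</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRFPreventionFilter</filter-name>
  <!-- Apply to the whole application, not just the forms -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter only protects links and form actions that the application passes through HttpServletResponse.encodeURL() or encodeRedirectURL(), which is where the per-session nonce is appended; a request for any non-entry-point URL that lacks a current nonce is rejected with the configured denyStatus.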

About the author:
Paul Henry is a senior instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure/process control supporting power generation, and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide. He is also a principal at vNet Security LLC, and serves as a retained security expert for multiple financial and healthcare firms.