While trying to cook up a way to secure client hosted VMs I thought of this layout. A Virtual Firewall Appliance that creates an IPsec tunnel back to the client network. Then placing the client virtuals on a dedicated vSwitch.
Has anyone tried something like this? I hope that VI4 / vSphere will include a way to make this a reality. I figure a downside of just creating an infrastructure with some kind of m0n0wall appliance is the appliance would need to move from host to host in a DRS/HA cluster. I bet with some scripting and/or affinity rules I might be able to keep them together. It would be good if the new infrastructure would have layer 3 or firewall capability that would exist across the cluster. Then you would not have to worry about vMotioning a virtual firewall around.
Maybe someone has a better way to do this? Am I overthinking it? I would want the best way of assuring clients their data doesn’t mix at any point, physical or virtual, unless it is in the VPN tunnel.
Hiya,
Good thought. I have seen a similar layout, however not with a firewall appliance, but with the Bluelane VirtualShield Inline Patching appliance (they have now been purchased by VMware). A couple of thoughts from when I looked into this:
1. Their model was to have an appliance (in your case the VPN Firewall) on each host, set to not participate in VMotion. I think this may be the better scenario as I don’t know of any way to make sure that machines with an affinity move at identical times (so that the firewall is always present and there are limited dropouts).
2. There was an extra setting that needed to be applied so that a VM attached to a vSwitch that doesn’t have a pNIC attached to it could migrate. See http://communities.vmware.com/thread/89240;jsessionid=606864BA1A3CBACB94BB40B1E6341B52?tstart=26550 for information that needs to be applied to the vpxd.cfg file on the Virtual Center to allow the VM to migrate.
Hope this helps and starts things moving in the right direction
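The layout from the original post (one internal-only vSwitch per client, a firewall VM bridging it to the uplink) and the host-placement concern from the reply above can be turned into an inventory audit. This is an added example, not code from the thread or from VMware; the inventory, VM names, port groups and the `audit` function are all constructed here and would be fed from a real inventory export in practice.

```python
# Added example: audit a constructed VMware-style inventory for the per-client
# isolation layout discussed in the thread. All names here are hypothetical.

# Constructed inventory: vSwitches with physical uplinks (empty list = internal-only
# switch), and VMs with owner, role, current host and the port groups their vNICs use.
VSWITCHES = {
    "vSwitch0":       {"pnics": ["vmnic0"], "portgroups": ["Uplink"]},
    "vSwitch-acme":   {"pnics": [],         "portgroups": ["acme-iso"]},
    "vSwitch-globex": {"pnics": ["vmnic1"], "portgroups": ["globex-iso"]},  # wrong: has an uplink
}
VMS = [
    {"name": "fw-acme",    "owner": "acme",   "role": "firewall", "host": "esx1", "nics": ["acme-iso", "Uplink"]},
    {"name": "acme-db",    "owner": "acme",   "role": "client",   "host": "esx1", "nics": ["acme-iso"]},
    {"name": "acme-web",   "owner": "acme",   "role": "client",   "host": "esx2", "nics": ["acme-iso"]},  # drifted off host
    {"name": "fw-globex",  "owner": "globex", "role": "firewall", "host": "esx2", "nics": ["globex-iso", "Uplink"]},
    {"name": "globex-app", "owner": "globex", "role": "client",   "host": "esx2", "nics": ["globex-iso", "acme-iso"]},  # crosses tenants
]
# Which isolated port group belongs to which client.
ISOLATED = {"acme": "acme-iso", "globex": "globex-iso"}

def audit(vswitches, vms, isolated):
    """Return a list of findings; an empty list means the layout holds."""
    findings = []
    pg2sw = {pg: name for name, sw in vswitches.items() for pg in sw["portgroups"]}
    fw_hosts = {v["owner"]: v["host"] for v in vms if v["role"] == "firewall"}
    for owner, pg in isolated.items():
        # 1. The client's port group must sit on a switch with no pNIC, so the
        #    only path off the host is through the firewall's IPsec tunnel.
        if vswitches[pg2sw[pg]]["pnics"]:
            findings.append(f"{pg}: vSwitch {pg2sw[pg]} has physical uplinks")
        if owner not in fw_hosts:
            findings.append(f"{owner}: no firewall appliance")
    for v in vms:
        for pg in v["nics"]:
            pg_owner = next((o for o, p in isolated.items() if p == pg), None)
            # 2. Only the tenant's own VMs (and its firewall) may touch its port group.
            if pg_owner and pg_owner != v["owner"]:
                findings.append(f"{v['name']}: vNIC on {pg} belongs to {pg_owner}")
        # 3. Client VMs must share a host with their firewall; an internal-only
        #    switch on another host has no exit (the DRS/affinity concern above).
        if v["role"] == "client" and fw_hosts.get(v["owner"]) not in (None, v["host"]):
            findings.append(f"{v['name']}: on {v['host']} but firewall on {fw_hosts[v['owner']]}")
    return findings

if __name__ == "__main__":
    for line in audit(VSWITCHES, VMS, ISOLATED):
        print(line)
```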
Hi,
This issue has been addressed with this new technology called VMSafe (http://www.vmware.com/technology/security/vmsafe.html)
Look at VM Protection from Thirdbrigade.com to see how they deal with security within vSwitch for instance.
Rgds,
VMSafe are the APIs that will hopefully allow partners to create this kind of appliance or software, however this is still a very new API and we’re waiting on partners to use this API.
I’ve had a look at thirdbrigade and their product sounds good, however the main item that the post was about was trying to maintain data isolation between the client and the virtual switch. Rather than trying to deploy a Firewall or IDS on each VM, the poster wants to create an IPSEC tunnel from within the Virtual Environment to the Firewall. This would avoid a single pNIC to Port Group configuration requirement as each Port Group could have its own IPSEC tunnel established on its own VLAN down the Trunked ports.
An interesting idea, and may need to be tested further.
Thanks for the suggestions. I am going to try to make this work. The VMsafe API would be the framework to make this work natively. From what I can see no one is doing it yet to provide IPsec all the way to the vSwitch.
I have a feeling this is the direction things will be going with all the Cisco/VMware integration.