Understanding and Using the vGW Series Firewall Module

This topic covers the vGW Series Firewall module that allows you to create reusable and individual policy rules to use in building policies for groups of VMs and individual VMs. You also use the Firewall module to apply those policies to VMs.

Before it covers the Firewall module interface, this chapter explains the policy module concepts that are fundamental to constructing firewall policies.

This topic contains the following sections:

The Firewall Module and the VM Tree

The Firewall module of the vGW Security Design VM allows you to define, apply, and monitor security policies. To change the data displayed on a Firewall module page, select all, one, or more than one VM in the VM tree. If you select one or more VMs, but not all, information pertaining to only the selected VMs is displayed. Figure 35 shows information for only one VM.

Figure 35: Firewall Module Policy for One VM

Overview of the Firewall Policy Model

Security administrators of virtualized data centers invest a great deal of time and effort in planning their virtual infrastructures and building them out into group structures and categories to segment their VMs appropriately. The firewall policy model that they use to secure their virtualized infrastructure must be designed to accommodate the complexities that are intrinsic to the data center. Defining policy rules and building a firewall inside the middle of the data center differs in fundamental ways from building a perimeter firewall. Additionally, security for the virtualized data center infrastructure includes many challenges not the least of which is management of firewall policies for a large number of VMs.

The vGW Series Firewall policy used to secure the virtualized data center is modeled on the data center infrastructure overall, and it is purpose-built to meet its requirements.

Ultimately, every VM has its own complete firewall policy which is composed of some or all of these parts:

The combination of these parts gives a VM a unique firewall rule base. Figure 36 conceptualizes the nested Firewall policy model as it applies to either Inbound traffic or Outbound traffic.

Figure 36: Policy Model

Global Policy, Group Policy, and Individual VM Policy Tiers

As with many firewalls, the vGW Series firewall policy rules are applied in a top-down fashion. But to ease management of a large number of VMs and to give you control over when rules are applied, the vGW Series firewall policy allows you to define policy at three tiers: the Global Policy tier, the Group Policy tier, and the VM Policy tier. You create a Global Policy and one or more Group Policy rule sets separately. vGW Series nests them appropriately for the individual VM when you create its policy. You can move policy rules within a tier to change precedence, controlling the order in which rules are executed.

At first glance the vGW Series firewall policy nesting model might seem complex, but its simplicity and usefulness become evident as you become familiar with the symmetry at the Global Policy and Group Policy tiers and the precedence relationship within a tier and among the tiers. The Global Policy tier has high-level and low-level sections that bound the policy; the Group Policy tier is nested within the Global Policy tier and it too has high-level and low-level sections. Individual VM Policy rules are nested at the center of a VM’s policy between the Group Policy high-level and low-level sections.

Although a VM policy could contain policy rules at all three tiers, it is not necessarily the case. The following sections cover each of the policy tiers in particular, but to gain an overall sense of how they can be combined to create a policy consider the following:

Global Policy and Group Policy rule sets contain Inbound and Outbound parts. See Figure 37.

Figure 37: Overview of a VM Firewall Policy

Global Policy

You define a reusable Global Policy once, and its rules apply to every VM in your environment: it is global. Because it is included in every VM’s policy, the Global Policy is very powerful.

Note: Although it is possible to delete all rules from the Global Policy, the concept of the Global Policy as applied before any other rules in the policy remains enforced. If you deleted all global rules, an empty Global Policy would be applied to the VM.

Not to diminish their usefulness, you should take care in creating rules at the Global Policy level for the very fact that they are inherited by everyone.

Both the Inbound and Outbound parts of a firewall policy contain Global Policy sections. As is the case with many firewall configurations, by default the Global Policy is restrictive. It is configured to allow inbound DHCP traffic and then to reject all other inbound traffic.

You can think of the Global Policy as a template or a container for the other nested parts that will compose the entire firewall policy for any VM, keeping in mind that the Global Policy itself consists of rules.

For both the Inbound and Outbound parts of a firewall policy, the Global Policy is segmented into the following two sections:

Between the high-level and low-level sets of Global Policy rules is a placeholder that allows for nesting of Group Policy rule sets and individual VM Policy rules.

To create a Global Policy, select GLOBAL POLICY under Policy Groups in the VM tree. The window shown in Figure 38 is displayed.

Figure 38: Global Policy

Group Policy

Most of the daily policy management that security administrators of virtualized environments carry out is at the group level. Most likely you have structured your environment along lines of groups of VMs with similar characteristics, and you want to apply a similar policy to VMs that are members of a group.

Note: In the nested model, a VM might belong to a Policy Group and inherit the Group Policy rules defined for that group, but it also might have its own individual VM Policy rules that contribute to its overall firewall policy rule base.

For example, you might organize VMs into functional groups such as Web servers and database servers, and you might want to apply a different set of policy rules to each group. In your environment, you might create different groups for MS Windows systems versus Linux systems. To apply the appropriate security, you could define a different Group Policy for each of them.

The Group Policy concept allows you to define policy rules that are relevant to the VMs that comprise the group. As new VMs are created and added to a Policy Group, the Group Policy associated with the group is applied to them.

A VM might belong to multiple Policy Groups. For example, a VM might be a Windows VM and belong to the Windows group, but it also might be used as a Web server and belong to the Web servers group. In this case, the VM gets the Group Policy rules for both groups.

The Group Policy tier, too, has high-level and low-level sections, and the section in which you position a rule has bearing on the precedence it takes in regard to the rest of the rules in the policy.

Individual VM Policy Rules

At the center of the entire firewall policy for an individual VM are any particular VM Policy rules that you define for that VM. Up to this point, the firewall policy for an individual VM is composed of reusable parts: the Global Policy and, if the VM belongs to any Policy Groups, Group Policy rules.

When the policy for a VM includes one or more VM Policy rules but does not include Group Policy rules, the VM inherits the Default Policy rules in addition to the individual ones. If it later becomes a member of a group, it inherits that group’s Group Policy rules, and the Default Policy rules no longer apply.

You can also apply individual VM Policy rules to a VM policy for particular purposes, in which case the VM’s policy is distinguished from that of others in its group. For example, you might want RADIUS access to a VM that is not applied at the Global Policy or Group Policy levels. To accomplish that, in the VM’s firewall policy, you would define an Inbound VM Policy rule that allowed RADIUS access to the VM.

Policy-per-vNIC

The vGW Series policy module also allows you to configure separate policies for individual vNICs, for VMs that include multiple vNICs. For details, see the following topics:

Firewall Policy Structure and Policy Rules Precedence

The vGW Series Firewall policy model is premised on a pre-post concept that allows you to manage rules execution precedence. Consider again the nested structure of a firewall policy:

It is this structure that allows you to manipulate the order in which rules are executed for the individual VM firewall policy.

Rules are executed in a top-down fashion:

The vGW Series Policy model affords you extensive, flexible control over the order in which rules are executed. You can move rules up and down within their sets; you can move rules from a low-level section of one tier to that tier’s high-level section or the opposite, and you can reorganize individual VM Policy rules.

For example:

When you nest rules for a VM’s firewall policy, take into account precedence among the various levels of the policy. Suppose that as the data center administrator you will always want management access into the VM. The Inbound low-level Group Policy section for a Windows VM group includes a rule that allows management access to the VM. However, you understand that another administrator could create a firewall policy for an individual VM that is a member of the Windows VMs group. That administrator could define a VM Policy rule for the individual VM that would reject management access to the VM, effectively denying access. Because the Group Policy rule allowing access is in the low-level section of the Group Policy rule set, the individual VM Policy rule would override it.

To ensure that you always have management access, you could change the precedence in the policy for any VM that belongs to that group by moving the rule that allows management access up from the low-level Group Policy section to the high-level Group Policy section. To do so, click the rule number in the low-level Group Policy and select Move Rule Up from the drop-down list.
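The nesting order and the management-access precedence example above, worked through as an added illustration (this is not vGW code; the rule format, the use of RDP to stand for management access, the Default Policy layout, and the relative order of several groups' sections are assumptions):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str    # protocol the rule matches, or "any"
    action: str   # "allow", "drop" or "reject"
    desc: str = ""

def expand(global_policy, groups, vm_rules, default_policy=((), ())):
    """Flatten one direction (Inbound or Outbound) of a VM's policy into the
    top-down order vGW nests it: Global high, Group high, VM rules, Group low,
    Global low. Each policy is a (high, low) pair of rule lists. A VM in no
    Policy Group gets the Default Policy instead (its (high, low) layout and
    the relative order of several groups' sections are assumptions here)."""
    tiers = list(groups) if groups else [default_policy]
    base = list(global_policy[0])
    for high, _ in tiers:
        base.extend(high)
    base.extend(vm_rules)
    for _, low in tiers:
        base.extend(low)
    base.extend(global_policy[1])
    return base

def first_match(rule_base, proto):
    """Top-down, first-match evaluation; None if no rule matches."""
    for rule in rule_base:
        if rule.proto in (proto, "any"):
            return rule
    return None

# Constructed sample policies for the management-access scenario above.
GLOBAL = ([Rule("dhcp", "allow", "global: allow DHCP")],
          [Rule("any", "reject", "global: reject everything else")])
VM_RULES = [Rule("rdp", "reject", "VM rule: reject management access")]
WINDOWS_LOW = ([], [Rule("rdp", "allow", "group low: allow management")])
WINDOWS_HIGH = ([Rule("rdp", "allow", "group high: allow management")], [])

def management_decision(windows_group):
    """Which rule decides inbound management access (RDP, an assumption) for a
    Windows VM whose own VM Policy tries to reject it."""
    return first_match(expand(GLOBAL, [windows_group], VM_RULES), "rdp")

if __name__ == "__main__":
    for name, group in (("low-level", WINDOWS_LOW), ("high-level", WINDOWS_HIGH)):
        hit = management_decision(group)
        print(f"group rule in {name} section -> {hit.action} ({hit.desc})")
```

With the group rule in the low-level section the VM rule wins and access is rejected; after the move to the high-level section the group rule matches first and access is allowed.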

Viewing the Complete Policy Rule Base for a VM

Each VM protected by a vGW firewall policy can be thought of as having its own firewall policy. The resulting full policy for a VM always includes a Global Policy, it includes Group Policies if it belongs to Policy Groups, and it includes VM Policy rules that are individual to it.

After you have created a firewall policy for a VM, or when you want to understand its policy, you can expand it to see the entire rule base. To do so, select the Firewall module and select the VM in the VM tree to display its firewall policy. Then click show-all on the upper-right side of the VM Policy window. See Figure 39.

Figure 39: VM Policy Expanded Rule Base

The Firewall Module Tabs

This section covers the Firewall module tabs that you use to create and apply policies and

The Manage Policy Tab

The Manage Policy tab allows you to define and edit security policies. See Figure 40.

To create a new policy rule using the Manage Policy Tab:

  1. Click a rule number in the # column. Figure 40 shows an Outbound rule added to the policy for the Corp-AD-Primary VM.

    Figure 40: Manage Policy Tab
  2. Select Add Rule Above or Add Rule Below.

    Rules are applied in order of execution from top to bottom.

  3. To configure policy settings, click table cells and edit the information using the pop-up dialog box.
  4. To quickly make selections in the dialog box, type the first letter of the item you want to select. See Figure 41.

    Figure 41: Using the Dialog Box Filter to Add Firewall Rules

    To immediately select an item, type directly into the filter box.

To define a policy that contains all protocols except for a few:

  1. Click Advanced.
  2. Enter All protocols except: in the Selected Protocols list.
  3. Select one or more exception protocols, and move them to the list.

Table 5 describes the policy configuration settings.

Table 5: Firewall Policy Configuration Settings

Sources: Define the object from which the connection originates.

Protocols: Define which protocols are used in the rule. You can also dynamically create a new protocol or protocol group by selecting the appropriate option.

Action: Allow the connection, drop the connection (silent drop), or reject the connection (drop the traffic and send the source a notification). In addition, you can redirect or duplicate packets to third-party devices. See Settings > Security Settings > Global > External Inspection Devices.

Logging: Log the connection matching the rule, skip logging for this connection, or send an alert when this connection matches the rule. The Alert option directs the vGW Series to send e-mail messages or SNMP traps. See “Alerts” on page 80.

Description: Enter a description for the policy.

When you have finished entering or editing policy settings, click Save to save your changes in the vGW Security Design VM database.

Caution: For new rules to take effect, you must apply policy changes using the Apply Policy tab. You can apply rules immediately or during maintenance.

To delete or disable/deactivate an existing rule, click the rule number and choose the appropriate option. Disabled rules appear dimmed and are shown with a strike-through mark.

The Apply Policy Tab

The Apply Policy tab allows you to push security policies out to the firewall to protect the VMs in your infrastructure.

You can use the VM tree on the left side of the screen to control the VMs that the policy is applied to. See Figure 42.

Figure 42: Apply Policy Tab

See Table 6 for a list of icons displayed for VMs on the Apply Policy page.

Table 6: Firewall Policy Icons

Each icon indicates one of the following conditions:

The policy is current and no further actions are required.

The VM is in a policy group, but it cannot retrieve policies because it is not protected by a vGW Security VM firewall. This usually indicates an error condition that you should investigate.

The policy type does not exist for the VM. For example, an individual VM policy for that VM is not configured. You are not required to build individual VM policies for each VM.

The policy has been modified, and it needs to be deployed for the VM.

An error condition exists that prevents installation of the policy. When a policy distribution problem exists but the old policy works properly, a check mark icon might be displayed.

Tip: Place the pointer over a policy status icon to display a tool tip that describes the icon.

When you are ready to implement a policy, click either install or install all to push the policy out to the firewall. This action causes the policy to be deployed on the selected VMs or the vNICs of the VMs, if the Policy per vNIC feature is used.

The Logs Tab

You can define Firewall rules to specify Log, Don’t Log, and Alert notification options. When you select Log or Alert for a rule, traffic that matches that rule is logged. Figure 43 shows the Logs tab.

For the Logs tab, you can use an advanced option that includes a mark verified VMs setting. The vGW Series uses the unique VMware ID/UUID in addition to an IP address to validate that connections are coming from the identified server. This feature protects the network from issues such as IP spoofing and DHCP changes. VMs for which this extra validation is allowed are flagged with an asterisk (*). Use the mark verified VMs setting to display or hide the icon. Click Auto-refresh to automatically refresh the displayed log every 60 seconds.

Figure 43: Firewall Module Logs Tab

You can use filters to refine the log entries that are displayed. To display only those logs related to a specific VM, select the VM in the VM tree pane.
