Understanding the vGW Series Firewall Module

This topic covers the vGW Series Firewall module that allows you to create reusable and individual policy rules to use in building policies for groups of VMs and individual VMs. You also use the Firewall module to apply those policies to VMs.

Before it covers the Firewall module interface, this topic explains the policy model concepts that are fundamental to constructing firewall policies.


The Firewall Module and the VM Tree

The Firewall module of the vGW Security Design VM allows you to define, apply, and monitor security policies. To change the data displayed on a Firewall module page, select all, one, or more than one VM in the VM tree. If you select one or more VMs, but not all, information pertaining to only the selected VMs is displayed. Figure 54 shows information for a single VM.

Figure 54: Firewall Module Policy for a Single VM


Overview of the Firewall Policy Model

Security administrators of virtualized data centers invest a great deal of time and effort in planning their virtual infrastructures and building them out into group structures and categories to segment their VMs appropriately. The firewall policy model that they use to secure their virtualized infrastructure must be designed to accommodate the complexities that are intrinsic to the data center. Defining policy rules and building a firewall inside the middle of the data center differs in fundamental ways from building a perimeter firewall. Additionally, security for the virtualized data center infrastructure includes many challenges not the least of which is management of firewall policies for a large number of VMs.

The vGW Series Firewall policy used to secure the virtualized data center is modeled on the data center infrastructure overall, and it is purpose-built to meet its requirements.

Ultimately every VM has its own complete firewall policy, which is composed of some or all of these parts: the Global Policy, the Group Policy rule sets of any Policy Groups the VM belongs to, and the individual VM Policy rules defined for that VM.

The combination of these parts gives a VM a unique firewall rule base.

Global Policy, Group Policy, and Individual VM Policy Tiers

As with many firewall designs, the vGW Series firewall policy rules are applied in a top-down fashion. To ease management of a large number of VMs and to give you control over when rules are applied, the vGW Series firewall policy allows you to define policy at three tiers: the Global Policy tier, the Group Policy tier, and the VM Policy tier. You create a Global Policy and one or more Group Policy rule sets separately. vGW Series nests them appropriately for the individual VM when you create its policy. You can move policy rules within a tier to change precedence, controlling the order in which rules are executed.

At first glance the vGW Series firewall policy nesting model might seem complex, but its simplicity and usefulness become evident as you become familiar with the symmetry at the Global Policy and Group Policy tiers and the precedence relationship within a tier and among the tiers. The Global Policy tier has high-level and low-level sections that bound the policy; the Group Policy tier is nested within the Global Policy tier and it too has high-level and low-level sections. Individual VM Policy rules are nested at the center of a VM’s policy between the Group Policy high-level and low-level sections.

Although a VM policy could contain policy rules at all three tiers, it is not necessarily the case. The following sections cover each of the policy tiers in particular, but to gain an overall sense of how they can be combined to create a policy, keep two points in mind: every VM ends up with its own complete firewall policy composed of some or all of these parts, and Global Policy and Group Policy rule sets each contain Inbound and Outbound parts.

Global Policy

You define a reusable Global Policy once, and its rules apply to every VM in your environment; that is what makes it global. Because it is included in every VM’s policy, the Global Policy is very powerful.

Note: Although it is possible to delete all rules from the Global Policy, the concept of the Global Policy as applied before any other rules in the policy remains enforced. If you deleted all global rules, an empty Global Policy would be applied to the VM.

Not to diminish their usefulness, take care when creating rules at the Global Policy level, precisely because every VM inherits them.

Both the Inbound and Outbound parts of a firewall policy contain Global Policy sections. As is the case with many firewall configurations, the Global Policy is restrictive by default. Its Inbound part is configured to allow DHCP traffic and certain ICMPv6 traffic and then to reject all other inbound traffic; its Outbound part contains a single rule that allows VMs to initiate outbound connections.

You can think of the Global Policy as a template or a container for the other nested parts that will compose the entire firewall policy for any VM, keeping in mind that the Global Policy itself consists of rules.

For both the Inbound and Outbound parts of a firewall policy, the Global Policy is segmented into two sections: a high-level section and a low-level section. Between the high-level and low-level sets of Global Policy rules is a placeholder that allows for nesting of Group Policy rule sets and individual VM Policy rules.

To create a Global Policy, you select GLOBAL POLICY under Policy Groups in the VM tree. The page shown in Figure 55 is displayed.

Figure 55: Global Policy


Group Policy

Most of the daily policy management that security administrators of virtualized environments carry out is at the group level. Most likely you have structured your environment along lines of groups of VMs with similar characteristics, and you want to apply a similar policy to VMs that are members of a group.

Note: In the nested model, a VM might belong to a Policy Group and inherit the Group Policy rules defined for that group, but it also might have its own individual VM Policy rules that contribute to its overall firewall policy rule base.

For example, you might organize VMs into functional groups such as Web servers and database servers, and you might want to apply a different set of policy rules to each group. In your environment, you might create different groups for MS Windows systems versus Linux systems. To apply the appropriate security, you could define a different Group Policy for each of them.

The Group Policy concept allows you to define policy rules that are relevant to the VMs that comprise the group. As new VMs are created and added to a Policy Group, the Group Policy associated with the group is applied to them.

A VM might belong to multiple Policy Groups. For example, a VM might be a Windows VM and belong to the Windows group, but it also might be used as a Web server and belong to the Web servers group. In this case, the VM gets the Group Policy rules for both groups.

Individual VM Policy Rules

At the center of the entire firewall policy for an individual VM are any particular VM Policy rules that you define for that VM. Until this point, the firewall policy for an individual VM is composed of reusable parts: the Global Policy and, if the VM belongs to any Policy Groups, Group Policy rules.

You can apply individual VM Policy rules to a VM policy for particular purposes that distinguish that VM’s policy from others. For example, you might want RADIUS access to a VM that is not applied at the Global Policy or Group Policy levels. To accomplish that, in the VM’s firewall policy, you would define an Inbound VM Policy rule that allowed RADIUS access to the VM.

Default Policy

A newly created VM that does not have individual policy rules or group policy rules associated with it is automatically assigned the Default Policy. Also, when the policy for a VM includes one or more VM Policy rules but it does not include Group Policy rules, the VM inherits the Default Policy rules, in addition to the individual ones. Later if it becomes a member of a group, then it inherits that group’s Group Policy rules, and the Default Policy rules no longer apply.

By default, the Default Policy does not contain any policy rules. It is assumed that you will define the policy that you want to use as the default.

Quarantine Policy

When a VM is infected by a virus and the scanning configuration specifies “Quarantine the VM”, the VM is put in the Quarantine policy group. The Quarantine Policy that you define is applied to all VMs in the Quarantine policy group. When you remove the VM from the group, the Quarantine policy is removed.

To remove the VM from the Quarantine policy group, use the Main module Quarantine tab. Select the VM, and click Un-quarantine.

For details on how the parts of the quarantine process work together for a quarantined VM, see “Understanding Quarantined VMs and How to Manage Them” on page 152.

Firewall Policy Structure and Policy Rules Precedence

The vGW Series Firewall policy model is premised on a pre-post concept that allows you to manage rules execution precedence.

Consider the nested structure of a firewall policy. To summarize the order, a firewall policy has Inbound and Outbound sections. The Inbound section contains the high-level Global Policy rules, followed by the high-level Group Policy rules, then the individual VM Policy rules, then the low-level Group Policy rules, and finally the default (low-level) Global Policy rules. The default Global Policy rules consist of a rule to allow DHCP traffic, a rule to allow certain types of ICMPv6 traffic, and, at the bottom, a rule to reject all other inbound traffic. The Outbound section contains the same parts in the same order, only its Global Policy section contains a single rule that allows VMs to initiate outbound connections.

  1. High-level Global Policy: At the top of the Inbound section is the high-level Global Policy tier, containing any global rules that you add.
  2. High-level Group Policy: Beneath it is the high-level Group Policy section, containing the rule sets of any Policy Groups that apply to the individual VM and that you want executed before the individual VM Policy rules.
  3. VM Policy: Beneath it is the VM Policy section, containing any individual rules that you define for the VM whose policy you are creating.
  4. Low-level Group Policy: Beneath it is the low-level Group Policy section, containing any group rule sets for the VM that you want executed after its individual rules.
  5. Default Global Policy: At the bottom are the default (low-level) Global Policy rules: a rule to allow DHCP traffic, a rule to allow certain types of ICMPv6 traffic, and, last, a rule to reject all other inbound traffic.

It is this structure that allows you to manipulate the order in which rules are executed for the individual VM firewall policy. The vGW Series policy model affords you extensive, flexible control over the order in which rules are executed. You can move rules up and down within their sets; you can move rules from a low-level section of one tier to that tier’s high-level section, or vice versa; and you can reorganize individual VM Policy rules.

Rules are executed in a top-down fashion: the first rule that matches a connection determines the action taken, so a rule that sits higher in the expanded rule base overrides any later rule that would also match.

When you nest rules for a VM’s firewall policy, take into account precedence among the various levels of the policy. For example, consider a policy for a VM in the Windows VMs group whose inbound low-level Group Policy section includes a rule that allows management access to the VM. Suppose that as the data center administrator you always want management access to the VM. However, another administrator could define an individual VM Policy rule for one VM in that group that rejects management access to the VM, effectively denying you access. Because the Group Policy rule allowing access is in the low-level section of the Group Policy rule set, it is evaluated after the individual VM Policy rule, so the VM Policy rule overrides it.

To ensure that you always have management access, you could affect the precedence in the policy for any VM that belongs to that group by moving the rule that allows management access up from the low-level Group Policy section to the high-level Group Policy section. To do so, click the rule number in the low-level Group Policy and select Move Rule Up from the list.

Viewing the Complete Policy Rule Base for a VM

Each VM protected by a vGW firewall can be thought of as having its own firewall policy. The resulting full policy for a VM always includes the Global Policy, the Group Policies of any Policy Groups the VM belongs to, and any individual VM Policy rules that are specific to it.

After you have created a firewall policy for a VM, or when you want to understand its policy, you can expand it to see its entire rule base. To do this, select the Firewall module. In the VM tree, select the VM. On the upper-right side of the VM Policy page, click show-all. See Figure 56.

Figure 56: VM Policy Expanded Rule Base


The Manage Policy Tab

The Manage Policy tab allows you to define and edit security policies. The Manage Policy page shows the policy configured for the group of VMs or the VM that is selected in the VM tree. To change the data displayed on the Manage Policy page, select a different object in the VM tree. You can select all machines, a group, or an individual VM. Figure 57 shows the policy for the Corp-AD-Primary VM.

Figure 57: Firewall Module Manage Policy Page



Policy Per vNIC and Dual Stack

A single VM may have multiple vNICs attached to it. In the case of a dual stack, a VM would have a vNIC with an IPv4 address and an IPv6 address bound to it.

vGW Series provides a feature called Policy per vNIC that allows you to define separate policies for individual vNICs attached to the same VM. You can configure separate policies for individual vNICs, separate policies for some of them while leaving others unsecured, or you can use the same policy for all of them.

Using the Policy per vNIC feature, you can handily apply different policy rules to vNICs passing IPv4 traffic from those used for IPv6 traffic even when the vNICs are attached to the same VM. To apply the rule to all traffic of a type, you could use the predefined terms Any-IPv4 and Any-IPv6.

Creating a Policy Rule

To create a policy rule:

  1. Click a rule number in the rule numbers (#) column.
  2. Select Add Rule Above or Add Rule Below. See Figure 58.

    Figure 58: Adding a Rule


    Note: Rules are applied in order of execution from top to bottom.

  3. Configure policy settings by clicking the table cells and editing the information using the dialog box.

    For example, to specify a protocol for the rule, click the default value Any, which displays a dialog box. To quickly make selections, type the first letter of the item that you want to select in the filter field. See Figure 59.

    Typing the letter t in the All Protocols dialog box scrolls to the telnet selection in the list.

    Figure 59: Using the Dialog Box Filter to Add Terms for policy rules


    To immediately select an item, type directly into the Filter box.

To define a policy that contains all protocols except for a few:

  1. Click Advanced at the bottom of the dialog box.
  2. Click Negate this selection.

    As a result, “All protocols except” is displayed at the top of the Selected Protocols list.

  3. For each protocol or protocol group that you want to exclude from the policy rule, select the object and click the right arrow to move it to the list.
  4. Click Apply, when you are finished.
  5. When you have finished entering or editing all policy settings, click Save to save your changes in the vGW Security Design VM database.

    Warning: For new policy rules to take effect, you must apply the policy changes using the Apply Policy tab. You can apply rules immediately or during maintenance.

To delete or disable/deactivate an existing rule, click the rule number and choose the appropriate option. Disabled rules appear dimmed and are shown with a strike-through mark.

Table 7 describes the policy configuration settings.

Table 7: Firewall Policy Configuration Settings

Sources: Define the object from which the connection originates.

Protocols: Define which protocols are used in the rule. You can also dynamically create a new protocol or protocol group by selecting the appropriate option.

Action: Allow the connection, drop the connection (silent drop), or reject the connection (drop the traffic and send the source a notification). In addition, you can redirect or duplicate packets to third-party devices using Settings > Security Settings > Global > External Inspection Devices. See Configuring Global Settings Using the vGW Series Settings Module (VMware).

Logging: Log the connection matching the rule, skip logging for this connection, or send an alert when this connection matches the rule. The Alert option directs the vGW Series to send e-mail messages or SNMP traps. See “Alerts” on page 80.

Description: Enter a description for the policy rule.
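The following Python model is an added example, not code from vGW Series or from its documentation. It ties together the nested tier order and first-match precedence described under Firewall Policy Structure and Policy Rules Precedence, the Any-IPv4 and Any-IPv6 source terms from Policy Per vNIC and Dual Stack, the “All protocols except” negation from Creating a Policy Rule, and the rule fields of Table 7, by expanding a VM’s complete inbound rule base and evaluating a connection against it. The VM, group and network names, the protocol labels, the placement of Default Policy rules in the Group Policy slot, and the precedence between two groups a VM belongs to are all assumptions made for illustration; vGW Series expands and enforces policy in the vGW Security VM firewall, not in Python.

```python
"""Added example: how a VM's inbound rule base is composed from the Global,
Group and VM tiers and evaluated top-down, first match wins. Illustrative
model only; not vGW Series code. Names and protocol labels are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """Sources, Protocols, Action and Description of one rule (Table 7)."""
    source: str           # "Any", "Any-IPv4", "Any-IPv6" or a CIDR (assumed source forms)
    protocols: frozenset  # protocol names; {"Any"} matches every protocol
    action: str           # "allow", "drop" or "reject"
    negate: bool = False  # True models "All protocols except ..." (Advanced > Negate this selection)
    description: str = ""

    def matches(self, src_ip: str, proto: str) -> bool:
        addr = ip_address(src_ip)
        if self.source == "Any":
            src_ok = True
        elif self.source == "Any-IPv4":
            src_ok = addr.version == 4
        elif self.source == "Any-IPv6":
            src_ok = addr.version == 6
        else:
            net = ip_network(self.source, strict=False)
            src_ok = addr.version == net.version and addr in net
        hit = "Any" in self.protocols or proto in self.protocols
        return src_ok and (not hit if self.negate else hit)


@dataclass
class Tier:
    """A Global or Group Policy rule set: a high-level and a low-level section."""
    high: list = field(default_factory=list)
    low: list = field(default_factory=list)


# Inbound default Global Policy as the page describes it: allow DHCP, allow
# ICMPv6, then reject all other inbound traffic.
GLOBAL = Tier(low=[
    Rule("Any", frozenset({"dhcp"}), "allow", description="Global default: allow DHCP"),
    Rule("Any-IPv6", frozenset({"icmpv6"}), "allow", description="Global default: allow ICMPv6"),
    Rule("Any", frozenset({"Any"}), "reject", description="Global default: reject all other inbound"),
])
GROUPS = {  # constructed sample groups
    "web-servers": Tier(high=[Rule("Any", frozenset({"http", "https"}), "allow",
                                   description="Web group (high): allow HTTP/HTTPS")]),
    "windows": Tier(low=[Rule("10.10.0.0/16", frozenset({"rdp"}), "allow",
                              description="Windows group (low): allow RDP from management")]),
}
# Default Policy: takes the place of Group Policy rules for a VM in no group.
# Treating it as a Tier in the group slots is an assumption of this model.
DEFAULT = Tier(high=[Rule("10.10.0.0/16", frozenset({"ssh"}), "allow",
                          description="Default Policy: allow SSH from management")])
MEMBERSHIP = {"win-web-01": ["windows", "web-servers"], "lab-01": []}
VM_RULES = {
    # The other administrator's rule from the page's management-access scenario.
    "win-web-01": [Rule("Any", frozenset({"rdp"}), "reject", description="VM: reject RDP")],
    # "All protocols except" on a dual-stack host: over IPv4 only RDP and SSH get past it.
    "lab-01": [Rule("Any-IPv4", frozenset({"rdp", "ssh"}), "drop", negate=True,
                    description="VM: drop all IPv4 except RDP/SSH")],
}


def effective_inbound(vm: str) -> list:
    """Expand the complete inbound rule base in the page's order: high-level Global,
    high-level Group, VM, low-level Group, default (low-level) Global. Groups are
    taken in membership order; the page does not define precedence between groups."""
    tiers = [GROUPS[g] for g in MEMBERSHIP.get(vm, [])] or [DEFAULT]
    rules = list(GLOBAL.high)
    for tier in tiers:
        rules += tier.high
    rules += VM_RULES.get(vm, [])
    for tier in tiers:
        rules += tier.low
    rules += GLOBAL.low
    return rules


def decide(vm: str, src_ip: str, proto: str) -> tuple:
    """Top-down, first match wins: returns (action, 1-based rule position, description)."""
    for pos, rule in enumerate(effective_inbound(vm), start=1):
        if rule.matches(src_ip, proto):
            return rule.action, pos, rule.description
    return "reject", 0, "no rule matched"  # unreachable while Global low ends in reject-all


def move_rule_up(group: str, index: int) -> None:
    """The page's fix: move a low-level Group Policy rule into that group's high-level section."""
    tier = GROUPS[group]
    tier.high.append(tier.low.pop(index))


if __name__ == "__main__":
    print(decide("win-web-01", "10.10.5.7", "rdp"))   # VM rule is reached first: reject
    move_rule_up("windows", 0)
    print(decide("win-web-01", "10.10.5.7", "rdp"))   # group rule now precedes it: allow
    print(decide("lab-01", "203.0.113.5", "http"))    # negated VM rule: drop
    print(decide("lab-01", "203.0.113.5", "rdp"))     # falls through to Global reject-all
    print(decide("lab-01", "2001:db8::1", "icmpv6"))  # Global default: allow
```

Running the block replays the management-access scenario from the precedence discussion: the individual VM Policy rule rejects RDP because it is reached before the low-level Windows group rule, and after move_rule_up promotes that group rule to the high-level section it is evaluated first and RDP from the management network is allowed again. The lab-01 host shows a caveat worth remembering when you use Negate this selection: a rule that drops “all protocols except RDP and SSH” does not allow RDP or SSH, it merely lets them fall through to whatever follows, which in the default Global Policy is reject-all, so an explicit allow rule above it is still required.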

The Apply Policy Tab

The Apply Policy tab allows you to push security policies out to the vGW Security VM firewall to protect the VMs in your infrastructure. When you create or modify a policy, it is not applied to the VM automatically. For new policy rules to take effect, you must apply the policy changes using the Apply Policy tab. You can apply rules immediately or during maintenance.

You use the VM tree on the left side of the Apply Policy page to select the VMs to apply policies to.

Reflecting the hierarchy in which you create a VM policy, the Apply Policy table shows:

To install a policy on one or more selected VMs:

  1. Select the Install check box at the right of the title bar.
  2. Select the check box in the Install column at the right of the VM’s row.
  3. Click Install at the bottom of the page.

    To install policies for all VMs, click the Install check box at the top of the column, then click Install All. To install policies for all Groups, click Install All Groups.

Figure 60 shows the Apply Policy page.

Figure 60: Firewall Apply Policy Page


See Table 8 for a list of icons displayed for VMs on the Apply Policy page.

Table 8: Firewall Policy Icons (the icon graphics are not reproduced here; each entry gives what an icon indicates)

  - The policy is current and no further actions are required.
  - The VM is in a policy group, but it cannot retrieve policies because it is not protected by a vGW Security VM firewall. This usually indicates an error condition that you should investigate.
  - The policy type does not exist for the VM; for example, an individual VM policy for that VM is not configured. You are not required to build individual VM policies for each VM.
  - The policy has been modified, and it needs to be deployed for the VM.
  - An error condition exists that prevents installation of the policy. When a policy distribution problem exists but the old policy works properly, a check mark icon might be displayed.

Tip: Place the pointer over a policy status icon to display a tool tip that describes the icon.

When you are ready to implement a policy, click either Install or Install All to push the policy out to the firewall. This action causes the policy to be deployed on the selected VMs or, if the Policy per vNIC feature is used, on the vNICs of the VMs.

Note: When you attempt to apply a policy to a vNIC that is not secured and that belongs to a protected VM, the policy is not applied. The following message is displayed:

“Policy was compiled and saved. This VM is currently not associated with a firewall, so the policy is not being immediately loaded on a firewall. This could be because the VMs migrated to an unprotected host or are powered off. Once the VM will be associated to a firewall, the corresponding saved policy will be enforced.”

The Logs Tab

You can define policy rules to specify Log, Don’t Log, and Alert notification options. When you select Log or Alert for a rule, traffic that matches that rule is logged. Figure 61 shows the Logs tab.

For the Logs tab, you can use an advanced option that includes a mark verified VMs setting. vGW Series uses the unique VMware ID/UUID in addition to the IP address to validate that connections are coming from the identified VM. This validation protects against issues such as IP spoofing and DHCP address changes being attributed to the wrong VM. VMs that pass this extra validation are flagged with an asterisk (*). You can use the mark verified VMs setting to show or hide the asterisk. Click Auto-refresh to refresh the displayed log automatically every 60 seconds.

The log entries show both IPv4 and IPv6 addresses.

Figure 61: Firewall Module Logs Tab


You can use filters to refine the display of log entries. To display only those logs related to a specific VM, select the VM in the VM tree pane.
