Installing vGW Security VMs on ESX/ESXi Hosts
A vGW Security VM protects and secures virtual machines (VMs) on the ESX/ESXi host where it is installed. The vGW Security VM acts as a conduit to the vGW kernel module, which it inserts into the hypervisor of the host it protects at installation time. The vGW Security Design VM pushes the appropriate security policy to the vGW Security VM, which in turn inserts it into the vGW kernel module. All connections are processed and firewall security is enforced in the vGW Series kernel module. In other words, virtualized network traffic is secured and analyzed against the security policy in the vGW kernel module.
You deploy a vGW Security VM to each ESX/ESXi host in your environment that you want vGW Series to secure and monitor. The vGW Security VM protects VMs on that host and it gathers information about network traffic. It also maintains policy and logging information.
Securing an ESX/ESXi host with a vGW Security VM entails the following two parts:
- First you must install a vGW Security VM on the ESX/ESXi host to be secured. It is during this process that the vGW Security VM inserts the kernel module into the hypervisor of the ESX/ESXi host. This topic covers that process.
- Next you must select the VMs on the secured host that you want vGW Series to protect with a firewall policy and other features. The vGW Security VM obtains the policy for the VM from the vGW Security Design VM and provides the vGW Series kernel (hypervisor) module with it.
See Securing and Unsecuring Virtual Machines Using the vGW Security Design VM for details on the second part of the process.
To install the vGW Security VM on an ESX/ESXi host:
- Select the Settings module vGW Application Settings > Installation page.
- In the Unsecured Network pane, select the host in the data center that you want to secure with vGW Series. See Figure 112. You can secure only one host at a time.
Figure 112: Securing an ESX/ESXi Host With a vGW Security VM
An empty check box appears before each host that is able to run the vGW Series kernel module. These hosts are not yet protected, but the check box indicates that you can secure them.
- Click Secure.
After you initiate the installation process, a message is displayed indicating that VMware might require putting the ESX/ESXi host into maintenance mode and rebooting it. See Figure 113. Note that the message shown in this figure might differ somewhat depending on the vGW Series version that you are installing.
Figure 113: Installing a vGW Security VM on an ESX/ESXi Host
- Click OK.
A dialog box is displayed allowing you to enter a name and specify other parameters for the vGW Security VM. See Figure 114.
Figure 114: Specifying vGW Security Parameters During Installation
Specify or select values for the following parameters:
- Enter a name for the vGW Security VM.
- Select the vGW Security VM security management interface addressing mode. The vGW Security Design VM communicates with the vGW Security VM management interface based on this addressing mode. This interface must be reachable by the management interface of the vGW Security Design VM.
vGW Series supports both IPv4 and IPv6 address types. As such, the Installation Wizard for vGW Security VMs allows you to enter information for both types.
Select values for:
- IPv4
- DHCP (Default): To obtain an IPv4 address, by default the vGW Security VM is configured to use DHCP. You do not need to specify additional information.
- Static IP. If you select Static IP, you must specify a static IPv4 address, its network mask (routing prefix), and the default gateway to assign to the vGW Security VM.
- IPv6
- DHCPv6 (Default): To obtain an IPv6 address, by default the vGW Security VM is configured to use DHCPv6. You do not need to specify additional information.
- Autoconfiguration. If you select Autoconfiguration, stateless address autoconfiguration is used to obtain the IPv6 address. It allows network devices attached to an IPv6 network to automatically acquire IP addresses and connect to the Internet without intermediate interaction with a DHCPv6 server.
- Static IP. If you select Static IP, you must specify a static IPv6 address, including the IPv6 address prefix (the initial bits of the address that denote the network address, akin to a netmask), and the default gateway to use for it.
By default, a dual stack vGW Security Design VM communicates with a vGW Security VM using the IPv4 protocol. However, you can use the vGW CLI to change the default IP protocol used by setting the center.dual.stack.default.communication.ipv4 parameter to false.
center.dual.stack.default.communication.ipv4=false
By default, this parameter is set to true. This parameter is relevant only if the vGW Security Design VM is configured for dual stack and one or more vGW Security VMs is also configured for dual stack. In all other cases, the protocol used is the one that is common to both the vGW Security Design VM and the vGW Security VM, and this parameter is irrelevant.
You can configure the vGW Security VM not to use dual stack in the following way:
- To use only IPv4 for vGW Security Design VM management communication with this vGW Security VM, disable IPv6. On the displayed list for the IPv6: box, select Disabled.
- To use only IPv6 for vGW Security Design VM management communication with this vGW Security VM, disable IPv4. On the displayed list for the IPv4: box, select Disabled.
How you configure addressing for the vGW Security VM affects its communication with the vGW Security Design VM management center. In an environment in which neither the vGW Security Design VM nor the vGW Security VM is configured for dual stack and the IP address types of their management interfaces are not the same, communication problems will occur. (For example, one interface might have an IPv6 address and the other might have an IPv4 address.) The vGW Security Design VM will not be able to connect to the vGW Security VM to carry out any procedures.
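The addressing rules above (dual-stack protocol selection via center.dual.stack.default.communication.ipv4, the one-common-family case, and the mismatch that leaves the vGW Security Design VM unable to connect) and the static-address fields from the IPv4/IPv6 lists can be pre-checked before you click Secure. The following Python is an added example written for this page; it is not vGW code or a vGW API. The class and function names, the representation of an interface as a dict of enabled address families, and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are all assumptions constructed for the example.

```python
"""Added example (not Juniper vGW code): model vGW management-protocol
selection between a Security Design VM and a Security VM, and sanity-check
static addressing entries before deployment.  Names and data layout here
are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MgmtInterface:
    """Address families enabled on a management interface.

    families maps "ipv4"/"ipv6" to "dhcp", "autoconf" (IPv6 only) or a
    static "address/prefix" string; a family absent from the dict is the
    Disabled choice from the installation dialog.
    """
    families: Dict[str, str] = field(default_factory=dict)
    gateway: Dict[str, str] = field(default_factory=dict)  # per-family default gateway

    def is_dual_stack(self) -> bool:
        return "ipv4" in self.families and "ipv6" in self.families


def select_mgmt_protocol(center: MgmtInterface, svm: MgmtInterface,
                         center_dual_stack_default_ipv4: bool = True) -> Optional[str]:
    """Return the IP version the Security Design VM uses to reach the
    Security VM, or None when the two share no address family.

    Rules as stated on the page: when both sides are dual stack, IPv4 is
    used unless center.dual.stack.default.communication.ipv4 is false;
    otherwise the single family common to both sides is used.
    """
    common = set(center.families) & set(svm.families)
    if not common:
        return None  # mismatched address types: the center cannot connect
    if center.is_dual_stack() and svm.is_dual_stack():
        return "ipv4" if center_dual_stack_default_ipv4 else "ipv6"
    return common.pop()


def validate_static(iface: MgmtInterface) -> List[str]:
    """Check each static entry: address/prefix parses, matches its family,
    has a default gateway, and that gateway lies inside the prefix.
    Returns a list of problems; an empty list means the entry is consistent."""
    problems: List[str] = []
    for fam, value in iface.families.items():
        if value in ("dhcp", "autoconf"):
            continue  # nothing to validate for dynamic addressing
        try:
            net = ipaddress.ip_interface(value)
        except ValueError:
            problems.append(f"{fam}: '{value}' is not a valid address/prefix")
            continue
        expected = 4 if fam == "ipv4" else 6
        if net.version != expected:
            problems.append(f"{fam}: '{value}' is not an IPv{expected} address")
            continue
        gw = iface.gateway.get(fam)
        if gw is None:
            problems.append(f"{fam}: static address set but no default gateway")
            continue
        try:
            gw_addr = ipaddress.ip_address(gw)
        except ValueError:
            problems.append(f"{fam}: gateway '{gw}' is not a valid address")
            continue
        if gw_addr not in net.network:
            problems.append(f"{fam}: gateway {gw} is outside {net.network}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    center = MgmtInterface({"ipv4": "dhcp", "ipv6": "dhcp"})
    svm_dual = MgmtInterface({"ipv4": "192.0.2.10/24", "ipv6": "2001:db8::10/64"},
                             {"ipv4": "198.51.100.1", "ipv6": "2001:db8::1"})
    svm_v6_only = MgmtInterface({"ipv6": "autoconf"})
    print("dual/dual, default:", select_mgmt_protocol(center, svm_dual))
    print("dual/dual, ipv4=false:", select_mgmt_protocol(center, svm_dual, False))
    print("dual/v6-only:", select_mgmt_protocol(center, svm_v6_only))
    print("static problems:", validate_static(svm_dual))
```

Run the module directly to see the protocol chosen for each pairing and the gateway problem in the constructed IPv4 entry; a None result from select_mgmt_protocol is the mismatch case the page warns about, and is worth catching before the host is put through installation.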
- Specify the port group to use to connect the vGW Security VM to the vGW Security Design VM.
- Specify the data store for the vGW Security VM.
- Specify if the hypervisor communication console should be monitored and if IDS should be used.
The dialog box allows you to enable console (hypervisor) monitoring or console monitoring and IDS.
- If you enable console monitoring, vGW Series monitors network traffic to the hypervisor console vNIC to ensure that inappropriate activity is not occurring.
- If you enable both console monitoring and IDS traffic monitoring, network traffic to the hypervisor console is monitored and IDS traffic is mirrored to the IDS engine.
Warning: To use this option, you must first install an IDS license.
If at this point you do not enable console monitoring and IDS, you can do so later after you install a vGW Security VM. In that case, you use the Settings module Security Settings > Security VM Settings Network Monitoring tab and the IDS tab for a particular VM.
- Click Secure.
After you click Secure, the vGW Series associates all virtual NICs (vNICs) for the relevant VMs with the vGW Series kernel module.
VMware requires that the vNICs be disconnected and reconnected through a suspend and resume process. (VMs do not have access to the network during the few seconds that this process takes.) However, you can avoid the suspend and resume process by following the instructions covered in Disabling the vGW Series Suspend-Resume Process Enacted After a VM Is Unsecured.
After you complete the installation, you might want to refine the configuration pertaining to policy in the following ways:
- By default, each vNIC has a restrictive default security policy. You can use the Firewall module’s Manage Policy tab to make the policy less restrictive.
- You can use the Policy per vNIC feature to configure separate firewall policies for individual vNICs on the same VM. For details on the feature, see Understanding the vGW Series Policy per vNIC Feature and Configuring the vGW Series Policy per vNIC Feature.
After you define the vGW Security VM, vGW Series begins the vGW Security VM firewall installation on the selected host. It displays a progress report as it completes each task. If problems occur during the installation process, vGW Series displays messages describing them.
When the installation process is finished, vGW Series displays the list of completed tasks and the successful completion notice, as shown in Figure 115. Notice that in this case, as reported, it was not necessary to reboot the host.
Figure 115: vGW Security VM Installation Process Completion Notice
