Installing vGW Security VMs on ESX/ESXi Hosts

A vGW Security VM protects and secures virtual machines (VMs) on the ESX/ESXi host where it is installed. The vGW Security VM acts as a conduit to the vGW kernel module, which it inserts into the hypervisor of the host it protects when it is installed. The vGW Security Design VM pushes the appropriate security policy to the vGW Security VM, which in turn inserts it into the vGW kernel module. All connections are processed and firewall security is enforced in the vGW Series kernel module. In other words, virtualized network traffic is secured and analyzed against the security policy in the vGW kernel module.

You deploy a vGW Security VM to each ESX/ESXi host in your environment that you want vGW Series to secure and monitor. The vGW Security VM protects VMs on that host and it gathers information about network traffic. It also maintains policy and logging information.

Securing an ESX/ESXi host with a vGW Security VM entails the following two parts:

To install the vGW Security VM on an ESX/ESXi host:

  1. Select the Settings module vGW Application Settings > Installation page.
  2. In the Unsecured Network pane, select the host in the data center that you want to secure with vGW Series. See Figure 112.

    You can secure only one host at a time.

    Figure 112: Securing an ESX/ESXi Host With a vGW Security VM


    An empty check box appears before each host that is able to run the vGW Series kernel module. These hosts are not yet protected, but the check box indicates that you can secure them.

  3. Click Secure.

    After you initiate the installation process, a message is displayed indicating that VMware might require putting the ESX/ESXi host into maintenance mode and rebooting it. See Figure 113. Note that the message shown in this figure might differ somewhat depending on the vGW Series version that you are installing.

    Figure 113: Installing a vGW Security VM on an ESX/ESXi Host

  4. Click OK.

    A dialog box is displayed allowing you to enter a name and specify other parameters for the vGW Security VM. See Figure 114.

    Figure 114: Specifying vGW Security Parameters During Installation


    Specify or select values for the following parameters:

    1. Enter a name for the vGW Security VM.
    2. Select the vGW Security VM security management interface addressing mode. The vGW Security Design VM communicates with the vGW Security VM management interface based on this addressing mode. This interface must be reachable by the management interface of the vGW Security Design VM.

      vGW Series supports both IPv4 and IPv6 address types. As such, the Installation Wizard for vGW Security VMs allows you to enter information for both types.

      Select values for:

      • IPv4
        • DHCP (Default): To obtain an IPv4 address, by default the vGW Security VM is configured to use DHCP. You do not need to specify additional information.
        • Static IP. If you select Static IP, you must specify a static IPv4 address, its network mask (routing prefix), and the default gateway to assign to the vGW Security VM.
      • IPv6
        • DHCPv6 (Default): To obtain an IPv6 address, by default the vGW Security VM is configured to use DHCPv6. You do not need to specify additional information.
        • Autoconfiguration. If you select Autoconfiguration, stateless address autoconfiguration is used to obtain the IPv6 address. It allows network devices attached to an IPv6 network to automatically acquire IP addresses and connect to the Internet without intermediate interaction with a DHCPv6 server.
        • Static IP. If you select Static IP, you must specify a static IPv6 address, including the IPv6 address prefix (the initial bits of the address that denote the network address, akin to a netmask), and the default gateway to use for it.

      By default, a dual stack vGW Security Design VM communicates with a vGW Security VM using the IPv4 protocol. However, you can use the vGW CLI to change the default IP protocol used by setting the center.dual.stack.default.communication.ipv4 parameter to false.

      center.dual.stack.default.communication.ipv4=false

      By default, this parameter is set to true. This parameter is relevant only if the vGW Security Design VM is configured for dual stack and one or more vGW Security VMs is also configured for dual stack. In all other cases, the protocol used is the one that is common to both the vGW Security Design VM and the vGW Security VM, and this parameter is irrelevant.

      You can configure the vGW Security VM not to use dual stack in the following way:

      • To use only IPv4 for vGW Security Design VM management communication with this vGW Security VM, disable IPv6. On the displayed list for the IPv6: box, select Disabled.
      • To use only IPv6 for vGW Security Design VM management communication with this vGW Security VM, disable IPv4. On the displayed list for the IPv4: box, select Disabled.

      How you configure addressing for the vGW Security VM affects its communication with the vGW Security Design VM management center. In an environment in which neither the vGW Security Design VM nor the vGW Security VM is configured for dual stack and the IP address types of their management interfaces are not the same, communication problems will occur. (For example, one interface might have an IPv6 address and the other might have an IPv4 address.) The vGW Security Design VM will not be able to connect to the vGW Security VM to carry out any procedures.

    3. Specify the port group to use to connect the vGW Security VM to the vGW Security Design VM.
    4. Specify the data store for the vGW Security VM.
    5. Specify whether the hypervisor communication console should be monitored and whether IDS should be used.

      The dialog box allows you to enable console (hypervisor) monitoring or console monitoring and IDS.

      • If you enable console monitoring, vGW Series monitors network traffic to the hypervisor console vNIC to ensure that inappropriate activity is not occurring.
      • If you enable both console monitoring and IDS traffic monitoring, network traffic to the hypervisor console is monitored and IDS traffic is mirrored to the IDS engine.

        Warning: To use this option, you must first install an IDS license.

        If at this point you do not enable console monitoring and IDS, you can do so later after you install a vGW Security VM. In that case, you use the Settings module Security Settings > Security VM Settings Network Monitoring tab and the IDS tab for a particular VM.

    6. Click Secure.

    After you click Secure, the vGW Series associates all virtual NICs (vNICs) for the relevant VMs with the vGW Series kernel module.

    VMware requires that the vNICs be disconnected and reconnected through a suspend and resume process. (VMs do not have access to the network during the few seconds that this process takes.) However, you can avoid the suspend and resume process by following the instructions covered in Disabling the vGW Series Suspend-Resume Process Enacted After a VM Is Unsecured.

    After you complete the installation, you might want to refine the configuration pertaining to policy in the following ways:

After you define the vGW Security VM, vGW Series begins the vGW Security VM firewall installation on the selected host. It displays a progress report as it completes each task. If problems occur during the installation process, vGW Series displays messages describing them.
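The addressing rules in step 2 above (the common protocol is used; the center.dual.stack.default.communication.ipv4 parameter decides only when both the vGW Security Design VM and the vGW Security VM are dual stack; no common protocol means the Design VM cannot connect) are easy to get wrong when filling in the installer dialog. The following Python is an added example, not vGW product code, that models those rules so the choices can be checked before you click Secure. The mode names are the ones shown in the installer; the MgmtAddressing class, the function names, and the check that a static gateway lies inside the management subnet are assumptions of this example.

```python
"""Added example (not vGW product code): model the vGW Security VM installer's
management-interface addressing choices and check them before clicking Secure."""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_address
from typing import List, Optional

# Mode names as shown in the installer's IPv4: and IPv6: boxes.
IPV4_MODES = {"DHCP", "Static IP", "Disabled"}
IPV6_MODES = {"DHCPv6", "Autoconfiguration", "Static IP", "Disabled"}


@dataclass
class MgmtAddressing:
    """Management-interface addressing of one vGW VM (hypothetical model class)."""
    ipv4: str                           # one of IPV4_MODES
    ipv6: str                           # one of IPV6_MODES
    ipv4_static: Optional[str] = None   # "addr/prefixlen", when ipv4 == "Static IP"
    ipv4_gateway: Optional[str] = None
    ipv6_static: Optional[str] = None   # "addr/prefixlen", when ipv6 == "Static IP"
    ipv6_gateway: Optional[str] = None

    def has_ipv4(self) -> bool:
        return self.ipv4 != "Disabled"

    def has_ipv6(self) -> bool:
        return self.ipv6 != "Disabled"

    def dual_stack(self) -> bool:
        return self.has_ipv4() and self.has_ipv6()


def _check_static(label: str, iface_str, gw_str, version: int) -> List[str]:
    """Static address, prefix and gateway must parse, match the IP version,
    and (assumption of this example) the gateway must be on the management subnet."""
    if not iface_str or not gw_str:
        return [f"{label}: static address/prefix and default gateway are both required"]
    try:
        iface = ip_interface(iface_str)
        gw = ip_address(gw_str)
    except ValueError as exc:
        return [f"{label}: {exc}"]
    if iface.version != version or gw.version != version:
        return [f"{label}: address and gateway must both be IPv{version}"]
    if gw not in iface.network:
        return [f"{label}: gateway {gw} is not inside {iface.network}"]
    return []


def validate(vm: MgmtAddressing) -> List[str]:
    """Problems with one VM's installer settings; an empty list means OK."""
    problems: List[str] = []
    if vm.ipv4 not in IPV4_MODES:
        problems.append(f"unknown IPv4 mode {vm.ipv4!r}")
    if vm.ipv6 not in IPV6_MODES:
        problems.append(f"unknown IPv6 mode {vm.ipv6!r}")
    if not vm.has_ipv4() and not vm.has_ipv6():
        problems.append("IPv4 and IPv6 both disabled: management interface unreachable")
    if vm.ipv4 == "Static IP":
        problems += _check_static("IPv4", vm.ipv4_static, vm.ipv4_gateway, 4)
    if vm.ipv6 == "Static IP":
        problems += _check_static("IPv6", vm.ipv6_static, vm.ipv6_gateway, 6)
    return problems


def select_mgmt_protocol(design_vm: MgmtAddressing, security_vm: MgmtAddressing,
                         dual_stack_default_ipv4: bool = True) -> Optional[str]:
    """Protocol the Design VM uses to reach this Security VM, or None when the two
    management interfaces share no address family (the failure case the text warns of).
    dual_stack_default_ipv4 mirrors center.dual.stack.default.communication.ipv4."""
    common = []
    if design_vm.has_ipv4() and security_vm.has_ipv4():
        common.append("IPv4")
    if design_vm.has_ipv6() and security_vm.has_ipv6():
        common.append("IPv6")
    if not common:
        return None
    if len(common) == 2:            # both dual stack: the CLI parameter decides
        return "IPv4" if dual_stack_default_ipv4 else "IPv6"
    return common[0]                # otherwise the single common protocol


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    design = MgmtAddressing(ipv4="Static IP", ipv6="DHCPv6",
                            ipv4_static="10.10.1.5/24", ipv4_gateway="10.10.1.1")
    sec = MgmtAddressing(ipv4="Disabled", ipv6="Autoconfiguration")
    print("design:", validate(design) or "OK")
    print("security VM:", validate(sec) or "OK")
    print("management protocol:", select_mgmt_protocol(design, sec))
```

Run it before securing a host: a None result from select_mgmt_protocol means the Design VM would never be able to reach the new Security VM, and any non-empty list from validate points at a dialog field to correct.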

When the installation process is finished, vGW Series displays the list of completed tasks and the successful completion notice, as shown in Figure 115. Notice that in this case, as reported, it was not necessary to reboot the host.

Figure 115: vGW Security VM Installation Process Completion Notice

