vGW Virtual Gateway - Juniper


Copyright © 2011, Juniper Networks, Inc

vGW Virtual Gateway

Administration Guide Release 4.5 Service Pack 3

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Contents

Administration Guide ... 1
SOFTWARE LICENSE ... 2
END USER LICENSE AGREEMENT ... 2
Contents ... i
About This Guide ... 1
Understanding the vGW Virtual Gateway ... 1
  Understanding Cloud Computing and the vGW Virtual Gateway ... 1
  Understanding Hypervisors and the vGW Virtual Gateway ... 1
  Understanding the VMware Infrastructure and the vGW Virtual Gateway ... 2
    Understanding vSphere and the vGW Virtual Gateway ... 2
    Understanding VMware ESX and ESXi Hosts and the vGW Virtual Gateway ... 2
    Understanding vMotion and the vGW Virtual Gateway ... 2
vGW Security Design VM Navigation ... 2
  Button Bar ... 4
  VM Tree Pane ... 5
Main Module ... 7
  Dashboard ... 7
  Status ... 8
Network Module ... 10
  Time Interval ... 11
  Advanced Options ... 12
  Table Sorting ... 13
Firewall Module ... 14
  Manage Policy Tab ... 14
  Apply Policy Tab ... 16
  Logs Tab ... 18
  Status and Configuration Tab ... 18
  Install Tab ... 21
    VMsafe Firewall + Monitoring Mode Security Installation ... 22
    VMsafe Monitoring Mode Security Installation ... 25
    Bridge Mode Security Installation ... 25
  Auto Secure VMs Tab ... 26
IDS Module ... 28
  IDS Setup Steps ... 28
  Top Alerts Tab ... 30
  Alert Sources Tab ... 30
  Alert Targets Tab ... 30
  All Alerts Tab ... 30
Introspection Module ... 31
  Applications Tab ... 31

  VMs Tab ... 33
  Scan Status Tab ... 35
  Scheduling Tab ... 36
Compliance Module ... 39
  Compliance Tab ... 39
  Rules Tab ... 41
    Example 1 – Defining a Basic Compliance Rule ... 43
    Example 2 – Defining an Advanced Compliance Rule with Custom Security Policies ... 45
Reports Module ... 48
  Generating Reports ... 48
    Add/Edit Reports Tab ... 48
    Recent Reports Tab ... 49
    Custom Report Types ... 49
    Filters ... 51
    Scheduling Reports ... 51
Settings Module ... 52
  About Obtaining, Installing, and Managing vGW Virtual Gateway Licenses ... 52
    About vGW Virtual Gateway Licenses ... 52
    Installing Licenses in the vGW Security Design VM ... 53
  vGW Application Settings ... 53
    Status & License ... 54
    vCenter Integration ... 54
    Installation ... 55
    Administrators ... 56
    Active Directory ... 56
    Machines ... 57
    High Availability ... 57
    E-Mail and Reporting ... 58
    E-mail Settings and Configuration Parameters ... 58
    Reporting Module Settings Configuration Parameters ... 59
  Security Settings ... 59
    IDS Configuration ... 61
    IDS Signatures ... 61
    Alerting ... 61
    Protocols ... 61
    Protocol Groups ... 62
    Groups ... 62
    Networks ... 62
    SRX Zones ... 62
  Appliance Settings ... 62
    Updates ... 62
    Network Settings ... 63
    Proxy Settings ... 63
    Time Settings ... 63
    Log Collection ... 63
    Log Viewer ... 64

Page 7: vGW Virtual Gateway - Juniper

Administration Guide

Copyright © 2011, Juniper Networks, Inc iii

Support ........................................................................................................................................................................... 64 

Firewall Policy ............................................................................................................................. 65 

Policy Creation and Rule Precedence ......................................................................................................................... 66 

Smart Groups ............................................................................................................................. 69 

VMotion Support ..................................................................................................................................................................74 

Enabling VMotion Support in Bridge Mode Installations (Non-VMsafe) ..............................................74 

Configuring VMware HA and DRS .................................................................................................................................. 75 

System Updates ......................................................................................................................... 76 

Manually Applying System Updates ........................................................................................................................... 76 

Using Batch Update to Update Multiple vGW Security VMs ............................................................................. 78 

Status and Alerts ...................................................................................................................... 80 

Status ....................................................................................................................................................................................... 80 

Alerts ........................................................................................................................................................................................ 80 

E-mail Alert Settings ........................................................................................................................................................... 81 

SNMP Trap Settings ........................................................................................................................................................... 82 

AutoConfig and Multicast Alerts ................................................................................................................................... 82 

High Availability ......................................................................................................................... 83 

The vGW Security Design VM High Availability ....................................................................................................... 83 

vGW Security VM HA .......................................................................................................................................................... 84 

Juniper Networks Product Interoperability ............................................................................ 85 

About SRX Series Services Gateway Security Zones............................................................................................ 85 

SRX Series Services Gateway Zones ........................................................................................................................... 86 

Enabling the Junoscript Interface for vGW Virtual Gateway Access ...................................................... 86 

Configuring an SRX object ...................................................................................................................................... 87 

Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process .......................... 88 

About VM Zone Groupings ...................................................................................................................................... 89 

About Populating VM Objects in the SRX Series Zone Address Books................................................. 89 

Zone Validation Procedure ..................................................................................................................................... 89 

STRM ........................................................................................................................................................................................ 90 

About STRM ................................................................................................................................................................. 90 

Configuring the vGW Security Design VM to Send Syslog and Netflow Data to Juniper Networks STRM ................................................................................................................................................................................ 91 

Configuring STRM to Receive vGW Virtual Gateway Syslog and NetFlow Data ............................... 91 

IDP ............................................................................................................................................................................................. 97 

About Juniper Networks IDP Series Intrusion Detection and Prevention Appliances ...................... 97 

Configuring the vGW Virtual Gateway and IDP Interoperation ................................................................ 98 


About This Guide

The purpose of this guide is to help you understand the features and operational tasks involved in using and managing the vGW Virtual Gateway. For information about initial installation of the vGW Virtual Gateway software, see the Juniper Networks vGW Virtual Gateway Installation Guide.

Understanding the vGW Virtual Gateway

This section gives background on concepts underlying the vGW Virtual Gateway, and it provides a brief description of the VMware® components that the vGW Virtual Gateway uses and runs on.

The vGW Virtual Gateway delivers a security solution for virtualized environments for both multi-tenant public and private clouds.

The vGW Virtual Gateway relies on a central management server known as the vGW Security Design VM, which manages one-to-many vGW Security VMs. Administrators log in to the management server, configure security policies, and then deploy them to the vGW Security VMs. Several modules (network visibility, firewall, VM introspection, compliance, and reporting) are combined in the vGW Virtual Gateway solution to provide complete virtualization security.

Understanding Cloud Computing and the vGW Virtual Gateway

A cloud is an Internet-based environment of computing resources including servers, software, and applications that can be accessed by individuals or businesses with Internet connectivity. Customers, referred to as tenants, can access resources that they need to run their business.

Clouds:

Allow customers to share the same infrastructure in order to gain price and performance advantages.

Provide customers with a pay-as-you-go lease-style investment versus buying all of the required hardware and software upfront themselves.

Allow businesses to scale easily and tier more services and functionality on an as-needed basis.

Whether for public clouds or private clouds, virtualized data centers must offer secure, discrete, virtual machine (VM) environments to their customers and organizations.

The vGW Virtual Gateway secures the virtual network in a way that physical security devices cannot: a firewall or sensor on the physical network never sees traffic between virtual machines on the same host, because that traffic is switched inside the hypervisor and does not leave the server.

Understanding Hypervisors and the vGW Virtual Gateway

In cloud computing, a hypervisor, also called a Virtual Machine Manager (VMM), is platform virtualization software that runs on a host computer. It allows multiple instances of a variety of operating systems, called guests, to run concurrently on the host within their own VMs and share virtualized hardware resources. It presents a virtual operating platform to the guest operating systems, and it manages their execution.


The vGW Virtual Gateway is a hypervisor-based virtualization security solution that uses technologies such as VM introspection to maintain deep knowledge of each VM. The vGW Virtual Gateway inserts a vGW kernel module into the hypervisor of each VMware ESX/ESXi host to be secured. From this vantage point, the vGW Virtual Gateway can monitor the security of each VM and apply protections adaptively as changes in a VM's security posture call for enforcement and alerting. It can also identify VMs on the network that it does not secure.

By processing inspections in the VMware hypervisor kernel, the vGW Virtual Gateway provides fast throughput and continuous firewall protection as VMs are moved from one server to another.

Understanding the VMware Infrastructure and the vGW Virtual Gateway

The Juniper Networks vGW Virtual Gateway runs as integrated software on VMware vSphere servers.

Understanding vSphere and the vGW Virtual Gateway

VMware vSphere is a cloud operating system able to manage large pools of virtualized computing infrastructure, including software and hardware.

The vGW Virtual Gateway components integrate with the VMware vSphere infrastructure. Because the vGW Virtual Gateway is purpose-built to support virtualization, it synchronizes automatically with the VMware vCenter and it uses VMsafe to provide breakthrough levels of security and performance.

Understanding VMware ESX and ESXi Hosts and the vGW Virtual Gateway

The VMware ESX and ESXi hosts provide the foundation for building and managing a virtualized IT environment. These hypervisor hosts abstract the processor, memory, storage and networking resources of the physical server and share them among multiple virtual machines that run unmodified operating systems and applications.

The vGW Virtual Gateway manages and secures ESX and ESXi hosts and the VMs that run on them.

Understanding vMotion and the vGW Virtual Gateway 

VMware provides a feature called vMotion that migrates active, or live, VMs from one physical server to another. VMs can be moved from one server to another so that maintenance can be performed on the host. They can also be moved automatically when vMotion is triggered by the Distributed Resource Scheduler (DRS), which balances resource usage across physical servers.

Because VMs can be migrated between servers, a VM's protection can silently fall to whatever the destination host provides: a VM could be migrated into an unsecured zone or one with a lower trust level.

Unlike traditional firewalls, the vGW Virtual Gateway supports live migration by maintaining open connections and security throughout the event. The vGW Virtual Gateway ensures that appropriate security for a VM remains intact throughout migration.

vGW Security Design VM Navigation

The vGW Security Design VM is where you edit security policy, analyze network traffic, and review the information you want to see regularly. You reach it through a Web interface; its IP address is shown on the Summary tab of the vGW Security Design VM in VMware.


Figure 1 vGW Login Fields

Enter admin as the username and the password that was set during installation. For more information, see the Juniper Networks vGW Virtual Gateway Installation Guide. The vGW Security Design VM opens showing the Main module screen and the vGW Virtual Gateway Dashboard, as shown in the following figure.

Figure 2 Main Dashboard

You use the button bar and VM Tree pane to navigate throughout the vGW Virtual Gateway solution as described in the following sections.


To log out of the vGW Security Design VM, click logout in the upper right corner of the vGW Security Design VM screen.

If you use the default self-signed certificate, your browser displays a warning because the certificate was not issued by an authority the browser trusts. Before accepting it, compare the certificate fingerprint the browser shows with a fingerprint obtained out of band; a warning that is clicked through by habit would look the same during a man-in-the-middle attack on the management session. If you replace the certificate with one issued by a certificate authority your browsers trust (for example, your internal CA), the warning no longer appears. For details on replacing the certificate, contact Juniper Networks Support.

Button Bar

The vGW Virtual Gateway button bar is shown in Figure 3.

Figure 3 Navigation Button Bar

The vGW Virtual Gateway navigation buttons are described in Table 1.

Table 1 Navigation Buttons

Icon Indicates

Main Combines status, alerts, and network activity into a single view.

See “Main Module” on page 7.

Network Displays a network activity summary, top protocols, sources, destinations, talkers, and connections.

See “Network Module” on page 10.

Firewall Manages and installs policies, and displays logs. See “Firewall Module” on page 14.

Introspection Scans systems and reports on the software running in each VM (operating systems, patch-levels, and applications).

See “Introspection Module” on page 39.

Compliance Monitors the virtual infrastructure against a predefined set of rules to verify that all components are configured securely.

See “Compliance Module” on page 39.

Reports Produces detailed system and security reports. See “Reports Module” on page 48.

Settings Controls configuration settings, including passwords.

See “Settings Module” on page 52.

Note: When IDS is enabled, an IDS icon also appears in the navigation button bar.


VM Tree Pane

The VM Tree pane controls what is displayed in the screen to its right. For example, to view the network activity for a single VM or a group of VMs, select the appropriate item in the tree. To view network traffic for all machines, select All Machines in the tree, and then click the Network icon in the button bar. See Figure 4.

Figure 4 VM Tree Pane

At a high level there are four main groupings in the tree:

Policy Groups contains all security policy groups, including Global and Default policies as well as any groups defined by your administrator.

Monitoring Groups contains groups of machines that do not have a security policy associated with them.

Monitored/Secured VMs lists all VMs monitored by the vGW Virtual Gateway, those that have a firewall protecting their network traffic, or both.

Unsecured Machines lists all VMs not currently being analyzed or protected by the vGW Virtual Gateway solution.

Table 2 describes the icons showing state of monitored VMs.

Table 2 VM Icon States

Icon Indicates

The VM is a component of the vGW Virtual Gateway solution—either the vGW Security Design VM or the vGW Security VM.

The vGW Virtual Firewall is loaded on this VM and is protecting traffic to the VM based on the defined security policy.


The VM is being fully monitored, but it is not secure (for example, no firewall policy is loaded).

The system (VM or externally defined machine) is not being monitored and has not been moved to a secured network. Note that network reports can still display sessions between an unmonitored system and a monitored VM.

The vGW Virtual Gateway is unable to determine the IP address of the system. This could be because the system is powered down, suspended, or does not have VMware Tools installed.

Tip: You can manually define an IP address by clicking Settings -> vGW Application Settings -> Machines.

These VMs are compliant.

These VMs are not compliant.

This is a VMware component (for example, an ESX host).


Main Module

The Main module displays information from several areas of the application in a single screen. When the vGW Virtual Gateway detects new events and alerts, data and graphs in the Main screen automatically refresh. The Main screen contains two tabs in the upper right area of the screen.

Dashboard

Status

Dashboard

The Dashboard tab provides an at-a-glance view of how your system is behaving in both a graphical and table format.

vGW Status provides an overview of the current security status of your infrastructure. The vGW Virtual Gateway solution provides a status check for vCenter connectivity as well as overall vGW Virtual Gateway deployment status.

Compliance Status for All Machines shows the overall posture of all the VMs in your organization that might be violating compliance rules. The more VMs violating rules (high weighting), the farther the needle moves to the red. You can also select a different group in the tree to display compliance status for that particular group.

Top Talkers for All Machines displays network activity for the past hour. To graph data for a specific VM or group of VMs, select the appropriate VM or group in the VM Tree pane.

IDS Alerts graph displays high, medium, and low priority alerts for the past 24 hours, if IDS is configured. To view activity for a single VM or a group of VMs, select the appropriate item in VM Tree pane.


Status

The Status tab displays a summary of the vGW Virtual Gateway settings for each module. Here you can scan settings, alerts, and events. See Figure 5.

Figure 5 vGW Virtual Gateway Status in the Main Screen

vGW Status summarizes the settings for each module in your vGW Virtual Gateway solution. Status icons indicate the current state of each module. See Table 3 and Figure 6.

Table 3 vGW Status Icons

Icon Indicates

This vGW Virtual Gateway component is working properly.

One or more issues exist with this component. For example, maintenance settings may be incompatible or disabled, or firewalls might need updating. For more details, click more.

There are significant issues related to this component. For example, a module hasn’t loaded correctly. For more details, click more.

Security Alerts lists all alerts that have occurred in the vGW Virtual Gateway solution, apart from IDS alerts. Alerts are classified as high (H), medium (M), or low (L) depending on their severity. Click the Priority or Date column to sort the list. These alerts are primarily vGW Virtual Gateway system related events, such as the vGW Virtual Gateway version update alerts or alerts when failures in components are occurring.


System Status and Events displays recent events that have occurred in the vGW Virtual Gateway solution, including how many times each event has occurred. Events are listed in reverse chronological order, with the most recent event at the top of the table. For example, an event is posted when the vGW Security Design VM synchronizes with vCenter. Additional events can be viewed by accessing the vGW Security Design VM database.

In addition to the icons documented above, there is an overall health state icon that will appear when individual components are in need of attention. The icon shown in Figure 6 can be red or yellow depending on the underlying state of the various components it is monitoring. Roll the mouse pointer over the icon to see exactly which components are currently in need of attention.

Figure 6 Overall Status Icon


Network Module

The Network module displays network traffic for objects selected in the VM tree. The Network screen shown in Figure 7 has six tabs:

Summary

Top Protocols

Top Sources

Top Destinations

Top Talkers

Connections

Objects must have a known IP address, which is determined automatically if VMware Tools is installed on the VM. Otherwise, you can set the IP address manually by choosing Settings -> vGW Application Settings -> Machines.

At the top of this screen, you see a line graph that plots bandwidth usage for the top VMs in the report. A table below the graph provides detailed network data for the VMs selected in the VM Tree.

Figure 7 Network Summary Tab for All Machines


TIPS:

To display a VM’s connection view, click an individual line in a graph.

To display a filter for a protocol, click the protocol field.

For more detailed VMware resource and event information, select a single VM in the tree rather than a group of VMs, as shown in Figure 8.

Figure 8 Network Summary Tab for an Individual VM

Time Interval

To change the period for which network data is plotted in the line graph, choose a different interval from the Time Interval menu, and then click Update. See Figure 9.

Figure 9 Configuring Report Time Intervals


Real-time data from the last traffic interval populates the Total, In, Out, and Internal table columns. If you are charting protocols, sources, destinations, or talkers, the interval selected is used to calculate the minimum, maximum, and average figures in the table below the graph.

You can view historical data by specifying a custom time period. In the Time Interval menu, select Custom Time Period, and then enter dates in the From and To fields or use the calendar pop-up window to enter dates. If you do not specify a time, the field defaults to 00:00. See Figure 10.

Figure 10 Configuring a Custom Date Range

CAUTION: Depending on the size of the database and the resources available to the vGW Security Design VM, specifying a Custom Time Period can take several minutes to chart (30 minutes or more). When examining a large data set (for example, data from a month or more) it is best to use the vGW Virtual Gateway Reporting module instead.

Advanced Options

To show filtering options, click show advanced in the time interval bar. See Figure 11.

Figure 11 Advanced Filtering Options

Click the Filter 1 and Filter 2 menus to select filtering options, enter settings in their respective fields, and then click Update to refresh the graph and data based on your settings. Click Clear to reset filter fields.

NOTE: Configured filters affect all data in the graph and tables.

Other advanced options differ slightly depending on the tab you are viewing. Advanced options are described in Table 4.


Table 4 Advanced Options

Select To do this

Auto-refresh Refreshes data automatically every 60 seconds.

mark verified VMs Causes the vGW Virtual Gateway to use the unique VMware ID (UUID) in addition to the IP address to validate that a connection actually comes from the server it claims to come from, which protects against IP spoofing. VMs that passed this extra validation are flagged with an icon in the interface; the mark verified VMs setting turns display of that icon on or off.

multicast in table Includes multicast packets when monitoring. Because multicast packets are not destined for a specific host and are seen by all machines on the network, they are included in the connection session list for all the VMs. However, the amount of multicast traffic can be quite large and obscure sessions specific to a selected VM. To remove multicast from this view, clear the multicast in table check box.

To exit the advanced view, click show basic.

Table Sorting

You can sort table data in the Network screen by column. Drag the pointer over the column headings. When the pointer changes to the pointing hand, click the column heading to sort.


Firewall Module

The Firewall module is where you define, install, apply, and monitor security policies. The Firewall screen has six tabs:

Manage Policy

Apply Policy

Logs

Status and Configuration

Install

Auto Secure VMs

As in other vGW Virtual Gateway modules, you select items in the VM Tree to change data displayed in the Firewall screen. See Figure 12.

Figure 12 Firewall Screen

Manage Policy Tab

The Manage Policy tab is where you define and edit security policies. See Figure 13. To create a new rule, click a rule number in the # column, and then choose Add Rule Above or Add Rule Below. Rules are applied in order of execution from top to bottom. For more information on the vGW Virtual Gateway policy model, see “Firewall Policy” on page 65.


Figure 13 Adding Policy Rules

To configure policy settings, click table cells and edit the information in the pop-up dialog box. To quickly make selections in dialog box menus, type the first letter of the item you want to select. For example, typing “t” in the All Protocols menu takes you to telnet in the list. You can also type directly into the filter box to find an item immediately. To define a rule that covers all but a few protocols, click Advanced, then negate this selection to place All protocols except: in the Selected Protocols list, and then select one or more exception protocols and move them to the list. See Figure 14.

Figure 14 Creating Protocol Groups and Protocols from Dynamic Lists

Table 5 describes the policy configuration settings:


Table 5 Manage Policy Tab Options

This field Allows you to

Sources Define the object from which the connection originates.

Protocols Define which protocols are used in the rule. You can also dynamically create a new protocol or protocol group by selecting the appropriate option.

Action Allow the connection, drop the connection (silent drop), or reject the connection (drop traffic and send source a notification). In addition, you will see options here for redirecting or duplicating packets to third-party devices. See Settings -> Security Settings -> Global -> External Inspection Devices.

Logging Log the connection matching the rule, skip logging for this connection, or send an alert when this connection matches the rule. With the Alert option, the vGW Virtual Gateway sends e-mail messages or SNMP traps. For more information about configuring alerts, see “Alerts” on page 80.

Description Enter a description for this policy.

When you are finished entering or editing policy settings, click Save to save your changes in the vGW Security Design VM database.

CAUTION: You must apply policy changes in the Apply Policy tab for new rules to go into effect. You can apply rules immediately or during a maintenance window.

To delete an existing rule, disable (or reactivate) an existing rule, or move rules up or down in the list, click the rule number and choose the appropriate menu item. Disabled rules appear dimmed and are formatted with a strikethrough.
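The rule model described in this tab (rules evaluated from top to bottom, allow versus silent drop versus reject, Log versus Alert, the “All protocols except:” negation, and disabled rules) can be made concrete with a small evaluator. This is an added example written for this guide, not vGW code: the Rule and Verdict structures, the use of “*” for any source, and dropping traffic that matches no rule are assumptions made for the example, and the sample policy is constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set

ALLOW, DROP, REJECT = "allow", "drop", "reject"          # Action column
LOG, DONT_LOG, ALERT = "log", "dont_log", "alert"        # Logging column


@dataclass
class Rule:
    """One row of the Manage Policy table (field layout assumed for the example)."""
    number: int
    sources: Set[str]                # source object names; "*" stands for any source
    protocols: Set[str]
    action: str
    logging: str = LOG
    negate_protocols: bool = False   # the "All protocols except:" option
    enabled: bool = True             # disabled rules are skipped (shown struck through)
    description: str = ""


@dataclass
class Verdict:
    action: str
    rule: Optional[int]          # number of the rule that matched, None if none did
    logged: bool                 # Log and Alert both write a log entry
    alert: bool                  # Alert additionally sends e-mail or an SNMP trap
    notify_source: bool          # reject tells the source; drop is silent


def protocol_matches(rule: Rule, proto: str) -> bool:
    in_list = proto in rule.protocols
    return (not in_list) if rule.negate_protocols else in_list


def source_matches(rule: Rule, source: str) -> bool:
    return "*" in rule.sources or source in rule.sources


def evaluate(policy: List[Rule], source: str, proto: str,
             default_action: str = DROP) -> Verdict:
    """Walk the policy top to bottom; the first enabled matching rule decides.
    Dropping traffic that matches no rule is an assumption of this example."""
    for rule in policy:
        if not rule.enabled:
            continue
        if source_matches(rule, source) and protocol_matches(rule, proto):
            return Verdict(action=rule.action, rule=rule.number,
                           logged=rule.logging in (LOG, ALERT),
                           alert=rule.logging == ALERT,
                           notify_source=rule.action == REJECT)
    return Verdict(default_action, None, logged=True, alert=False, notify_source=False)


def with_rule_enabled(policy: List[Rule], number: int, enabled: bool = True) -> List[Rule]:
    """Copy of the policy with one rule disabled or reactivated, as the # menu does."""
    return [replace(r, enabled=enabled) if r.number == number else r for r in policy]


# Constructed sample policy; object and protocol names are illustrative
SAMPLE_POLICY = [
    Rule(1, {"mgmt-net"}, {"ssh", "https"}, ALLOW, DONT_LOG, description="admin access"),
    Rule(2, {"*"}, {"telnet"}, REJECT, ALERT, description="telnet from anywhere: alert"),
    Rule(3, {"web-tier"}, {"http", "https"}, DROP, LOG, negate_protocols=True,
         description="web tier may originate nothing but http/https"),
    Rule(4, {"*"}, {"ssh"}, ALLOW, LOG, enabled=False, description="legacy, disabled"),
    Rule(5, {"web-tier"}, {"http", "https"}, ALLOW, LOG, description="web tier traffic"),
]

if __name__ == "__main__":
    for src, proto in [("mgmt-net", "ssh"), ("web-tier", "telnet"),
                       ("web-tier", "smtp"), ("web-tier", "http"), ("db-tier", "ssh")]:
        print(src, proto, evaluate(SAMPLE_POLICY, src, proto))
```

Order is the point: telnet from the web tier hits rule 2 (reject, alert) only because rule 2 sits above rule 3; moving rule 3 above it would turn the same connection into a silent, alert-free drop. Likewise, reactivating rule 4 changes the verdict for ssh from a source no other rule names.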

Apply Policy Tab

This policy installation screen allows you to push security policies out to the firewalls protecting the virtual machines in your infrastructure. The vGW Virtual Gateway compares the existing policies with the new ones and presents a graphic indicating what needs to happen (for example, which VMs need updated policies).

The policy installation process is driven by the VM Tree on the left-hand side. For example, if you want to install a policy on only a single VM, you can select the VM and click the Apply Policy tab.


Table 6 Policy Installation Icons

Icon Indicates

The policy is current and no further actions are necessary.

The VM is in a policy group, but cannot retrieve policies because it is not actually being protected by a vGW Virtual Gateway firewall. This usually indicates an error condition, which should be investigated.

The policy type does not exist for the VM. For example, there is no individual VM policy for that VM. You are not required to build individual VM policies for each VM.

The policy has been modified and needs to be deployed for that VM.

There is an error preventing policy installation. You may also see a grey check mark icon when there is a problem distributing a new policy but the old one is still working properly.

When you are ready to implement a policy, click either install or install all to push the policy out to the firewall. The policy is then deployed on one or more selected VMs. Figure 15 shows the Apply Policy tab.

Figure 15 Apply Policy Tab

TIP: Place the pointer over a policy status icon to display a tool tip that describes the icon.


Logs Tab

Firewall rules can be defined with notification options of Log, Don’t Log, and Alert. When you select Log or Alert for a rule, traffic that matches that rule is logged.

The Logs tab has an advanced option with a mark verified VMs setting. The vGW Virtual Gateway uses the unique VMware ID (UUID) as well as the IP address to validate that connections actually come from the identified server, which protects the network against IP spoofing and unnoticed DHCP address changes. VMs that passed this extra validation are flagged with an icon; use the mark verified VMs setting to display or hide it. Click Auto-refresh to refresh the log display automatically every 60 seconds. Figure 16 shows the Logs tab.
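The check behind mark verified VMs, here and in the Network module's advanced options, as an added example (not vGW code): the hypervisor-side view of which VM, by VMware UUID, emitted a packet is compared with the address that vCenter inventory reports for that UUID. A UUID whose inventory address does not match the packet's source address is exactly the case this guide calls out: either IP spoofing or a DHCP lease that changed after the last vCenter sync, so re-sync inventory before treating it as an attack. The record layouts and the sample inventory and sessions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VMRecord:
    """What the vCenter inventory knows about a VM (layout assumed for the example)."""
    uuid: str
    name: str
    ips: frozenset            # addresses reported by VMware Tools


@dataclass(frozen=True)
class Session:
    """One connection record. src_uuid is the sending VM as identified by the
    hypervisor-side module, or None when the source is not attributable to a VM."""
    src_ip: str
    dst_ip: str
    proto: str
    src_uuid: Optional[str]


@dataclass(frozen=True)
class Classification:
    status: str               # "verified", "mismatch" or "unverified"
    vm_name: Optional[str]
    reason: str


def classify(session: Session, inventory: Dict[str, VMRecord]) -> Classification:
    """Verified only when the UUID's inventory address agrees with the packet source."""
    if session.src_uuid is None:
        return Classification("unverified", None,
                              "source not attributable to a VM (external or unmonitored host)")
    vm = inventory.get(session.src_uuid)
    if vm is None:
        return Classification("unverified", None, "UUID not present in vCenter inventory")
    if session.src_ip in vm.ips:
        return Classification("verified", vm.name, "UUID and IP address agree")
    return Classification(
        "mismatch", vm.name,
        f"{vm.name} sent from {session.src_ip} but inventory lists {sorted(vm.ips)}: "
        "possible IP spoofing, or a DHCP lease that changed since the last vCenter sync")


def mark_verified(sessions: List[Session],
                  inventory: Dict[str, VMRecord]) -> List[Tuple[Session, Classification]]:
    return [(s, classify(s, inventory)) for s in sessions]


def suspicious(sessions: List[Session], inventory: Dict[str, VMRecord]) -> List[Session]:
    """Sessions worth an alert: a known VM talking from an address that is not its own."""
    return [s for s, c in mark_verified(sessions, inventory) if c.status == "mismatch"]


# Constructed sample data (not taken from any real deployment)
WEB01 = "4221a1b2-0000-0000-0000-000000000001"
DB01 = "4221a1b2-0000-0000-0000-000000000002"
INVENTORY = {
    WEB01: VMRecord(WEB01, "web01", frozenset({"10.0.1.10"})),
    DB01: VMRecord(DB01, "db01", frozenset({"10.0.2.20"})),
}
SESSIONS = [
    Session("10.0.1.10", "10.0.2.20", "mysql", WEB01),    # web01 from its own address
    Session("10.0.2.20", "10.0.1.10", "ssh", WEB01),      # web01's UUID, db01's address
    Session("192.0.2.55", "10.0.1.10", "https", None),    # external client, not a VM
    Session("10.0.3.30", "10.0.1.10", "ssh",
            "4221a1b2-0000-0000-0000-0000000000ff"),      # UUID unknown to vCenter
]

if __name__ == "__main__":
    for s, c in mark_verified(SESSIONS, INVENTORY):
        print(f"{s.src_ip:>12} -> {s.dst_ip:<10} {s.proto:<6} {c.status:<10} {c.reason}")
```

Note that "unverified" is not the same as "suspicious": an external client or an unmonitored host simply cannot be checked this way, whereas a known UUID on the wrong address is a concrete signal that deserves a look.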

Figure 16 Firewall Logs

You can use filters to narrow the list of logs displayed or display only those logs related to a specific VM by selecting a VM in the VM Tree.

Status and Configuration Tab

The Status and Configuration tab displays a table listing all of the vGW Security VMs that are deployed. This screen is refreshed every 60 seconds showing how many logs have been processed, which VMs are being protected by the individual firewalls, and so on.

Status icons indicate the general state of the vGW Firewall module, the Network visibility module, and service console monitoring. Three different icons can appear in the status column simultaneously. Table 7 shows the principal states of each icon. Place the pointer over an icon to display a tool tip that describes states not covered here.


Table 7 Status and Configuration Icons

Icon Indicates

The firewall is online and communicating properly with the vGW Security Design VM.

The firewall is rebooting or having an issue connecting to the vGW Security Design VM. Use the tool tip to determine the exact error.

Check that the VM is powered on and IP connectivity (NTP, HTTPS and TCP 8443) exists between the vGW Security Design VM and the firewall.

You can also check that the module is loaded properly by clicking the vGW Security VM and checking for any fastpath installation error messages.

The system is configured to monitor the network and a firewall policy is implemented. The magnifying glass over the server is monitoring the hypervisor.

A time synchronization is taking place. Click Main -> Status -> System Events for more details.

You can select an individual vGW Security VM in the table to display more management-related options. However, while you are editing these new options, the Activity column will not update. The Activity column displays the number of firewall logs processed (received) as well as the IDS process rating (displayed in mbps), if IDS is configured. You must click Hide & Resume Refresh to continue incrementing the log count. See the following figure.

Figure 17 Status and Configuration Tab

After you click an entry in the table, additional options appear in the Status and Configuration tab. Each of those options is described in Table 8.

Table 8 Status and Configuration Options

Option Description

Firewall IP Configuration

The firewall VM in Bridge mode has three virtual network interfaces. Two of the interfaces are L2 bridging and do not have IP addresses. The third interface is used to communicate with the vGW Security Design VM and requires an IP address. You initially configure the IP address through the Firewall Install wizard when the firewall is first deployed. If later you choose to change the IP address, you can reconfigure it here. In VMsafe Mode, the vGW Security VM requires an IP address for communication with the vGW Security Design VM, which you configure here.

Network Traffic Monitoring

In most cases, you will want to collect network traffic information for the vGW Virtual Gateway solution’s Network module. If you are interested in implementing only firewall protection for VMs, you can increase overall system performance by disabling network monitoring in this screen. This selection is relative to the particular firewall VM you are working with. If some firewall VMs still have this option enabled, they will continue collecting and displaying traffic statistics in the Network module screens.

Get Logs

This option allows you to gather debug information in a tgz file for use with Juniper Networks technical support. This particular section generates logs for the vGW Security VM you selected. To collect logs from the vGW Security Design VM, you must use the tool located in Settings -> Appliance Settings -> Log Collection.

After you click Start Collection, all relevant log files are collected from the vGW Security VM and compressed into a single file. If you select Download Log Collection, you deliver the file to Juniper Networks yourself, through e-mail or by posting it to a server. We recommend selecting Upload Collection to Juniper Networks. Choosing this option automatically encrypts the file using AES-256 and transfers it to a protected Juniper Networks server. You can include a comment on the uploaded file, and a unique ID is assigned to the log collection. Reference this ID in any support ticket or communication with Juniper Networks.

NetFlow Configuration

This option instructs the vGW Module to send NetFlow information directly to the NetFlow collector defined in Settings -> Security Settings -> Global. If this option is not selected, vGW modules send NetFlow information to the vGW Security Design VM, which then forwards it to the defined NetFlow collector. We recommend that you keep this option enabled for optimal performance.

Console Monitoring

This option allows an administrator to activate the network traffic monitoring module (Monitor) or network traffic monitoring module with the IDS module (Monitor and IDS), if IDS is configured, for VMware service console connections. The vGW Virtual Gateway connects to the service console network and monitors traffic in and out of the system to make sure no inappropriate activity is occurring.

IDS Configuration (Bridge Mode Only)

By default, the vGW Virtual Gateway monitors traffic only for VMs that have been selected for security through the Firewall Install screen. In some cases, you may want to monitor systems that are not placed behind the firewall. To do so, you can enable this option when a Bridge Mode firewall on a VM network is deployed.

Software Update

This is where each of the vGW Security VMs in your deployment can be updated. You can update individual vGW Security VMs or multiple VMs using a batch method. See “Updates” on page 62 for important information about using this feature and the order of operations to guarantee an upgrade without downtime.

Update Preferences

Allows or disallows the vGW Virtual Gateway solution to periodically check with Juniper Networks update servers for the latest version of software. If a newer version is found, the Software Updates section will indicate a new version is available. Though the update can be downloaded automatically, the installation of the new version must be done manually.

Syslog Configuration

As is the case with NetFlow, the vGW Virtual Gateway can send syslog directly from the vGW Security VMs instead of having syslog sent to the vGW Security Design VM and then sent to the syslog collector. You can override the Global syslog configuration and select the destination syslog server IP address, as well as protocol and port.

Reboot

This option allows an administrator to gracefully reboot the vGW Security VM without logging into the console.

High Availability (VMsafe Mode Only)

In VMsafe Mode installations, there is a vGW Security VM responsible for interacting with the kernel module in the VMware host. The vGW Security VM can be deployed in pairs in case the primary module (VM) fails. See “High Availability” on page 83 for details.

Install Tab

To gather and protect network traffic, vGW Security VMs are deployed on each ESX host to be monitored and secured. There are three vGW Control deployment options:

VMsafe Firewall + Monitoring: This mode (also displayed as VMsafe Firewall) is available to customers running vSphere 4.x. In this mode, the vGW Virtual Gateway solution loads a kernel module into the VMware hypervisor. This is the preferred mode.

VMsafe Monitoring: This mode is similar to VMsafe Firewall + Monitoring except that no firewall policy is loaded on the VMs. This allows you to deploy the solution and not be concerned that security policies will block traffic.

Bridge Firewall + Monitoring: In this mode the vGW Virtual Gateway solution runs as a virtual machine and bridges two virtual switches for secure connections. This is the only option for versions of ESX prior to 4.0 (vSphere).

Either VMsafe mode is preferred when available, because both process connections in the kernel, which is significantly faster. They also allow full protocol inspection and protection for all VMs. When two VMs are connected to the same protected virtual switch in Bridge Firewall + Monitoring mode, traffic flowing between them can be protected only with TCP RSTs.

In any mode, the vGW Virtual Gateway integrates without requiring IP address changes on protected VMs or installation of software on the Guest VM operating systems.

The Install tab has options for each installation mode (VMsafe Firewall + Monitoring, VMsafe Monitoring or Bridge Firewall + Monitoring) and can be used to add security to a port group, VM, or the entire vSwitch.

If you do not see all three options (and need an option that is not displayed), go to Settings -> Installation and make an appropriate selection.

The vGW Virtual Gateway solution queries the VMware vCenter system to pull all available datacenter network objects (ESX servers with vSwitches, Port Groups, and associated VMs) to populate this tab. See Figure 18.

Figure 18 Installing or Removing Objects from a Secured Network

You can deploy just one form of monitoring or a combination of all three across various ESX hosts. However, we recommend that you use VMsafe Firewall + Monitoring (also displayed as VMsafe Firewall) unless you never want any security policies to be loaded. In this case, you should opt for VMsafe Monitoring. If you cannot install with VMsafe because you do not have VMware 4.x, then choose Bridge Firewall + Monitoring.

All three installation methods are described in detail in the following sections. Follow the section relevant to your environment.

VMsafe Firewall + Monitoring Mode Security Installation

To implement a VMsafe Mode installation, select the VMsafe Firewall + Monitoring option, and then deploy using the following steps:

1. Install the vGW VMsafe kernel module into the VMware hypervisor.

a. Click the datacenter.

b. Next to the vSphere hosts capable of running VMsafe is a check box. Select the check box, and click Secure.

Figure 19 shows that vGW Virtual Gateway was never installed on the second ESX host, which is eligible for VMsafe-based installation because the appropriate check box is displayed. This process does not automatically secure VMs on that host as that selection process is completed later.

CAUTION: For versions of vGW Virtual Gateway prior to vGW 4.5, VMware requires that the vSphere host be put into maintenance mode and rebooted for the kernel module to be properly installed. In this case, the system prompts you before rebooting to allow you to move VMs to another vSphere host. If VMotion is active, VMs will move automatically and the process will continue without need for intervention. If you are installing vGW Virtual Gateway 4.5 or later, you do not need to reboot. You can safely ignore any warning messages and continue with the process. The warning messages exist for older versions of the product.

Figure 19 VMsafe Kernel Installation

2. Enter the name for the vGW Security VM when prompted. This VM is installed on the ESX/vSphere host and will load the kernel module as well as maintain policy and logging. All connection enforcement occurs in the vGW VMsafe kernel module, which the vGW Security VM loads automatically. See Figure 20.

Figure 20 VMsafe Kernel Installation Firewall Parameters

Watch for vGW Virtual Gateway prompts during the installation process. The vGW Virtual Gateway prompts you if any issues occur or if any VMs need to be moved from the vSphere host prior to it being put in maintenance mode and rebooted. See Figure 21.

Figure 21 VMsafe Kernel Install Complete

3. Install the vGW Virtual Gateway on virtual switches, port groups, or individual VMs after the vGW Security VM and vGW VMsafe kernel module are properly installed. See Figure 22.

Figure 22 VMsafe Install Options for Individual VMs

4. Select the object or group you want to protect, and then click Secure.

VMsafe Monitoring Mode Security Installation

The installation process for VMsafe Monitoring is the same as the VMsafe Firewall + Monitoring Mode process. However, the end result is that VMs selected for protection do not load any security policies. This mode is primarily intended for evaluation of the product and is available so administrators can deploy the vGW Virtual Gateway solution and be assured that no incorrect security policies are loaded on VMs. This installation mode prevents an administrator from accidentally knocking a VM off the network because an errant policy blocks certain network traffic.

Bridge Mode Security Installation

To implement a Bridge Mode installation, select the Bridge Firewall + Monitoring option, and then deploy using the following steps:

CAUTION: Before completing the following steps, you should configure the security policy for your VMs. The default Global Policy rejects all inbound traffic. If this is too restrictive, you can create the appropriate policy first, and then move the systems to the secured network. For more information, see “Firewall Policy” on page 65.

1. Select the relevant object for security.

Essentially any port group or vSwitch can be selected for security, if you keep the following constraints in mind:

Do not move the vGW Security Design VM or Firewall VM into the protected network (vGW Virtual Gateway controls the traffic to these components automatically).

Do not select an entire vSwitch if it includes the vGW Security Design VM.

Do not select the VMware vCenter for inclusion in the secured network. To allow proper traffic, move the vCenter VM into a vGW Virtual Gateway-protected location using the VMware Infrastructure Client after a policy is in place. By default, the vGW Virtual Gateway rule base is configured to reject all inbound traffic.

The VMware Service Console and VMkernel Port Groups appear dimmed and unavailable for moving into the secured network. However, traffic to these networks can still be monitored and protected through security policies implemented on the VMs.

2. Click Secure. The Firewall VM Parameters dialog box appears.

Complete the options in the dialog box as follows:

a. Enter a Name for the Firewall VM. The vGW Virtual Gateway installer creates a VM from the vGW-BridgeSVM-Template.ovf with this name.

b. Select either DHCP/Dynamic or Static for the address of the Firewall VM interface. The Firewall VM uses three interfaces: two in bridging mode and one that communicates with the vGW Security Design VM over this dynamically or statically assigned IP address. Do not enter the IP address of the vGW Security Design VM. Enter a unique IP address for the Firewall VM interface. This IP address must be routable to the vGW Security Design VM’s IP address.

c. Select a Port Group for communication between the vGW Security VM and the vGW Security Design VM.

CAUTION: This port group must allow TCP 443 and TCP 8443 as well as NTP between the systems without filtering. It should also allow access to the VirtualCenter/vCenter system.

d. Select a datastore (FC SAN, iSCSI, NAS, or localstore).

NOTE: A local datastore location does not allow you to VMotion the vGW Security VM, but this is not required for the solution to work.

e. Select a hypervisor console communication option, if you want to monitor traffic to the console with the vGW Virtual Gateway Network module or if you want to use both the Network module and the IDS module to monitor traffic.

f. Click Secure.

The vGW Virtual Gateway automatically configures the necessary settings to monitor and protect network traffic. If there are any issues during the installation process, the vGW Virtual Gateway displays an alert indicating what happened and providing information for correcting the problem. In most cases you can select Retry and continue the firewall installation. If no issues arise during the installation, the vGW Virtual Gateway displays a successful status message.

Auto Secure VMs tab

You can attach security policies to VMs automatically. You can specify that no VMs are secured, VMs in a specific group are secured, VMs with a policy or ones that are in a policy group are secured, or all VMs are secured. When you choose to secure VMs, you have the option of excluding a group within the selected group from being automatically secured.

Auto securing VMs streamlines policy application, making it very efficient to ensure security throughout your virtual infrastructure. For example, suppose you define a Smart Group that watches for any VMs connected to a particular VMware resource pool (obtained through vi.resourcepool). When any VM is added to this resource pool by a VM administrator, a security policy is instantly installed without any intervention by the vGW Virtual Gateway administrator.

Figure 23 and Figure 24 show the definition of a sample Smart Group for this scenario. They also show the Auto Secure setting, which immediately implements policies on the VMs in that Smart Group, as well as any new VMs added to the resource pool and thus becoming members of the Smart Group.

Figure 23 Smart Group Definition Example

Figure 24 Auto Secure Group Selection

IDS Module

The vGW Virtual Gateway solution includes a fully integrated IDS engine that can be used to monitor all virtual network traffic or selectively monitor a subset of important VMs or protocols. The vGW Virtual Gateway matches the selected traffic to the signature database and flags any suspicious activity with high, medium, or low priority alerts.

The IDS screen has four tabs:

Top Alerts

Alert Sources

Alert Targets

All Alerts

Figure 25 IDS Screen

IDS Setup Steps

To activate the IDS engine:

1. Enable IDS via Settings -> Security Settings -> IDS Configuration.

2. Enable the signatures relevant to your environment in Settings -> Security Settings -> IDS Signatures.

3. Create and apply a firewall/security rule that offloads traffic to the IDS engine. The vGW Virtual Gateway allows you to be very granular about which traffic is scanned (for example, traffic to/from a certain VM or traffic using different protocols). In the following example, all traffic is being inspected.

Figure 1 IDS Rule Activation

After you’ve completed the steps above (and made sure to apply the security policy rule change in the Apply Policy tab), the IDS engine begins flagging alerts when suspicious traffic occurs on the virtual network.

To verify that the IDS engine is working properly:

1. Open an HTTP connection to a protected VM and make a request.

For example, enter http://10.10.10.10/php.exe. Assuming the VM is listening on port 80, this request for php.exe violates Signature ID 1773 (WEB-PHP php.exe access).

2. Click any rule violation posted on your screen to get more information about the alert.

Top Alerts Tab

The Top Alerts tab shows each of the alerts that have occurred in the given time period (for example, 24 hours). The alerts are organized as high, medium, and low, and the Total column sorts them from most frequent to least frequent. You can click the Alert Type column heading to show the details of each alert. Alert details include a description and signature ID. If you see an alert and want to know who generated the traffic or where it was destined, you can click the Alert Sources or Alert Targets text at the top of the details screen. Furthermore, if you want to change the priority level of an alert or stop seeing an alert altogether, you can change the settings for the alert by editing it in Settings -> Security Settings -> IDS Signatures.

Alert Sources Tab

The Alert Sources tab shows which systems have generated traffic matching the IDS signatures in the vGW Virtual Gateway. These systems can be VMs or physical systems communicating on the virtual network. The columns show high, medium, and low alert counts as well as a total count. The system with the highest total count is displayed at the top of the list, but you can also re-sort the display by clicking the High, Medium, or Low columns. You can also click an alert name in the Alert Type column to get information about the specific attack.

Alert Targets Tab

The Alert Targets tab is similar to the Alert Sources tab, except that it lists the systems that are receiving the most attacks.

All Alerts Tab

The All Alerts tab shows a complete listing of each alert seen by the system for the configured Time Interval (by default 24 hours). You can click the alert type to show details for each alert. By default, the most recent events are displayed at the top of the screen and older events are shown at the bottom. Alerts are sorted by the Time column.

TIP: You can search the signatures list by Sig Id in the IDS Signatures settings screen.
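The rule in step 3 of the IDS setup and the four IDS tabs can be illustrated with a small Python program. This is an added example, not code from this guide or from the vGW product: it matches constructed HTTP request lines against a tiny signature table and then builds the Top Alerts, Alert Sources, Alert Targets, and All Alerts views from the resulting alerts. Only Signature ID 1773 (WEB-PHP php.exe access) and the protected VM address 10.10.10.10 come from the guide; the other two signatures, their 9000xx IDs, the source addresses, and the log format are constructed, and the disabled and priority_overrides parameters stand in for the per-signature edits made in Settings -> Security Settings -> IDS Signatures.

```python
"""Added example, not vGW code: a request-line signature matcher plus the
alert roll-ups shown by the Top Alerts, Alert Sources, Alert Targets and
All Alerts tabs. Signature ID 1773 comes from the guide; everything else
(the other signatures, their IDs, the addresses, the log format) is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    priority: str          # "high", "medium" or "low"
    pattern: re.Pattern    # applied to the HTTP request line


# Constructed signature table; the 9000xx IDs are placeholders, not real IDs.
SIGNATURES = [
    Signature(1773, "WEB-PHP php.exe access", "medium", re.compile(r"/php\.exe\b", re.I)),
    Signature(900001, "EXAMPLE directory traversal attempt", "high", re.compile(r"\.\./")),
    Signature(900002, "EXAMPLE server banner probe", "low", re.compile(r"^HEAD / ")),
]


@dataclass(frozen=True)
class Alert:
    time: int
    src: str
    dst: str
    sig: Signature


# Constructed log of traffic offloaded to the IDS: <time> <src> <dst> "<request line>".
# 10.10.10.10 is the protected VM used in the guide's verification step.
LOG = [
    '1 192.0.2.10 10.10.10.10 "GET /php.exe HTTP/1.0"',
    '2 192.0.2.10 10.10.10.10 "GET /index.html HTTP/1.0"',
    '3 192.0.2.11 10.10.10.10 "GET /../config HTTP/1.0"',
    '4 192.0.2.12 10.10.10.20 "HEAD / HTTP/1.0"',
    '5 192.0.2.10 10.10.10.20 "GET /php.exe?x=1 HTTP/1.0"',
]


def inspect(log_lines, disabled=frozenset(), priority_overrides=None):
    """Match each request line against the signatures that are still enabled.

    `disabled` (signature IDs) and `priority_overrides` ({sig_id: priority})
    model the IDS Signatures settings: stop seeing an alert, or change its level."""
    overrides = priority_overrides or {}
    alerts = []
    for line in log_lines:
        ts, src, dst, request = line.split(" ", 3)
        request = request.strip('"')
        for sig in SIGNATURES:
            if sig.sig_id in disabled or not sig.pattern.search(request):
                continue
            if sig.sig_id in overrides:
                sig = Signature(sig.sig_id, sig.name, overrides[sig.sig_id], sig.pattern)
            alerts.append(Alert(int(ts), src, dst, sig))
    return alerts


def _empty_row():
    return {"high": 0, "medium": 0, "low": 0, "total": 0}


def rollup(alerts, key):
    """Count high/medium/low per key and sort by Total, most frequent first."""
    table = defaultdict(_empty_row)
    for a in alerts:
        row = table[key(a)]
        row[a.sig.priority] += 1
        row["total"] += 1
    return sorted(table.items(), key=lambda kv: (-kv[1]["total"], kv[0]))


def top_alerts(alerts):       # Top Alerts tab: one row per alert type
    return rollup(alerts, lambda a: a.sig.name)


def alert_sources(alerts):    # Alert Sources tab: who generated the traffic
    return rollup(alerts, lambda a: a.src)


def alert_targets(alerts):    # Alert Targets tab: which systems were hit
    return rollup(alerts, lambda a: a.dst)


def all_alerts(alerts):       # All Alerts tab: most recent event first
    return sorted(alerts, key=lambda a: a.time, reverse=True)


if __name__ == "__main__":
    found = inspect(LOG)
    for name, row in top_alerts(found):
        print(f"{row['total']:>3}  {name}  (H/M/L {row['high']}/{row['medium']}/{row['low']})")
```

With the constructed log, the php.exe signature fires twice (for the bare and the query-string request), so it heads the Top Alerts view, and both protected VMs end up with two alerts each in Alert Targets; sorting by Total and then by key keeps ties deterministic.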

Introspection Module

The Introspection screen helps you continuously monitor the software installed in all the Windows Guest VMs within the virtual infrastructure. Without installing any agent software into the Guest VMs, the vGW Virtual Gateway solution can determine which applications are installed, the operating system type (XP, 2003, and so on), and applied updates (hotfixes).

The Introspection module currently works only with Windows VMs and relies on taking a snapshot of the VM and analyzing the snapshot. This methodology guarantees there is no adverse impact on the running VM during the scan. Once the scan is complete, the snapshot is immediately deleted. The scan does not use network packets to probe applications in the VM in the way that agentless network-based security scanners do. Instead, native VMware interfaces are used to examine the disk contents. This allows the scan to be highly accurate and very fast. It takes only a few seconds for the vGW Virtual Gateway to analyze the installed applications.

The ability to determine exactly which applications are installed allows the security policy for those VMs to be precise and dynamically applied. For example, you can analyze the VMs to determine which ones are running the Apache webserver. Then, those and only those VMs can be placed into a Smart Group with a name such as “webservers.” This policy group can then be configured to allow communication through HTTP/HTTPS.

In addition, it is possible to understand which applications are installed or not installed in the environment. For example, you can quickly see which VMs do not have your AV client software and should thus be quarantined with a restrictive firewall policy.

Although the Introspection feature is not intended to replace a patch management solution, you can use the vGW Virtual Gateway capabilities in this area to determine if certain hotfixes are missing and then quarantine those hosts until the patch management solution deploys the proper updates.

The vGW Virtual Gateway groups the introspection results by type (application, operating system, and hotfix) and provides both graphical summary comparisons and detailed statistics about the installed software in table format.

NOTE: You do not have to use the Firewall -> Install screen to deploy the vGW Virtual Gateway solution and use Introspection module capabilities. Introspection occurs through the vGW Security Design VM and vCenter integration and therefore does not require the deployment of a vGW Security VM.

TCP port 902 must be open between the vGW Security Design VM and the ESX/ESXi hosts for Introspection to work properly.
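The connectivity requirements stated in this guide (TCP 8443, HTTPS, and NTP between the vGW Security Design VM and each firewall in Table 7; TCP 443, TCP 8443, and NTP across the Bridge Mode port group; and TCP 902 to the ESX/ESXi hosts for Introspection) can be verified with a short script run from the vGW Security Design VM's network position. This is an added example, not a tool shipped with vGW: only the port numbers come from the guide, while the path descriptions, function names, and placeholder addresses are assumptions.

```python
"""Added example, not vGW code: checks the management paths this guide requires.
Only the port numbers come from the guide; descriptions, function names and
addresses are assumptions. Run it from the vGW Security Design VM's network."""
import socket

# Paths from the vGW Security Design VM to each vGW Security VM (Table 7 and
# the Bridge Mode port group caution): HTTPS and the TCP 8443 channel.
PEER_PATHS = [("HTTPS to vGW Security VM", 443),
              ("TCP 8443 to vGW Security VM", 8443)]
# Path from the vGW Security Design VM to each ESX/ESXi host (Introspection).
HOST_PATHS = [("TCP 902 to ESX/ESXi host", 902)]
NTP_PORT = 123


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def check_ntp(host, timeout=2.0):
    """True if host answers a client NTP request on UDP 123 with a 48-byte reply.
    The request is the standard minimal packet: first byte LI=0, VN=3, Mode=3."""
    request = b"\x1b" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(request, (host, NTP_PORT))
            data, _ = s.recvfrom(256)
        except OSError:
            return False
    return len(data) >= 48


def run_checks(security_vms, esx_hosts, ntp_server):
    """Return (description, target, port, ok) for every required path."""
    results = []
    for vm in security_vms:
        results += [(d, vm, p, check_tcp(vm, p)) for d, p in PEER_PATHS]
    for host in esx_hosts:
        results += [(d, host, p, check_tcp(host, p)) for d, p in HOST_PATHS]
    results.append(("NTP to time source", ntp_server, NTP_PORT, check_ntp(ntp_server)))
    return results


def failures(results):
    """The subset of run_checks() results that did not succeed."""
    return [r for r in results if not r[3]]


if __name__ == "__main__":
    # Placeholder addresses from the documentation range; substitute your own.
    for desc, target, port, ok in run_checks(["192.0.2.50"], ["192.0.2.20"], "192.0.2.1"):
        print(f"{'OK  ' if ok else 'FAIL'} {desc}: {target}:{port}")
```

A TCP connect only proves that the port is reachable and something is listening; it says nothing about certificates or the application protocol, so a FAIL line is a reason to look at routing, filtering on the port group, or the service itself, and an OK line rules those out. The NTP check is UDP, so it needs a reply rather than a handshake.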

The Introspection screen has four tabs:

Applications

VMs

Scan Status

Scheduling

Applications Tab

The Applications tab displays the following information about software currently installed on VMs selected in the VM Tree.

Pie chart comparing the percentage of each type of operating system

Bar graph comparing the percentage of each type of application

Detailed list of each application

The Applications tab is designed to allow administrators to quickly determine which types of software are installed in the environment without regard to the exact VMs containing the software. This tab is where you go when you want to see what percentage of your VMs are running a particular application, service pack, or operating system. You can use this tab to discover which applications are installed on VMs or groups of VMs. In addition, this is where you can classify the software installed throughout the virtual environment. See Figure 26.

NOTE: If you select a group of VMs in the VM tree, the vGW Virtual Gateway summarizes the data in pie and bar charts. If you select a single VM, you see only detailed information in table format.

Figure 26 Applications Tab Showing Summary Data for All Machines

You can select one or more applications in the table and click Known, Unknown, Bad, or Unclassified to categorize applications running in the system.

This classification system allows you to monitor VM software state to determine if any VMs are running unauthorized or inappropriate software based on your designations.

Unknown and Unclassified categories are similar, but you use Unknown when you see an application but are unsure if it is appropriate. Unclassified should be used when the application simply hasn’t been examined yet. Newly installed applications initially show up as Unclassified.

Click Select All to select all applications running in the selected VMs. Select None to clear all selected applications. Click a column heading in the table to sort applications by name or vendor. The applications bar graph updates automatically as you change your selections.

VMs Tab

The VMs tab helps you monitor software installed on a selected VM or group of VMs. You can choose to display or hide information about the operating system and applications running in the VM, including details about installed service packs and hotfixes.

This tab is useful in determining which VMs have certain types of software installed. For example, you would use this portion of the product if you want to see all the VMs that are running the Windows Server 2003 operating system or all the VMs that have a specific hotfix installed. You can also discover all VMs running an application such as Kazaa or Skype. Figure 27 shows all VMs that are not running VMware Tools. In this case, the search found just one VM named HR-Records.

Figure 27 VM Tab Showing Detail for a Group of VMs

To search for a specific item in the list by name or vendor, click the Name or Vendor column heading in the detail table, and then type the name of the software or vendor in the Text filter box. The list refreshes to show entries that match your text. See Figure 28.

Figure 28 Search for VMs by Operating System Name

You can also search the system to find out which VMs contain specific software and filter by a group setting in the VM Tree. Select the group in the VM Tree, and then select one or more types of software in the table. Under For VMs with presence/absence of select Applications, choose All Present, Any Present, All Absent, or Any Absent from the menu. A list of VMs meeting your criteria appears in the lower table. Figure 29 shows that Windows XP is on three workstations that are part of the Monitored/Secured VMs group. Again, Introspection scanning does not require that the vGW Virtual Gateway firewall security is loaded on a VM, because the vGW Virtual Gateway can discover installed software regardless of firewall settings.
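The classification buttons on the Applications tab, the missing-AV quarantine case described under the Introspection Module, and the All Present / Any Present / All Absent / Any Absent filter described above can be modelled with a small in-memory inventory. This is an added example, not vGW code or its data model: apart from HR-Records and the VMware Tools search from Figure 27, the VM names, the application names (including the placeholder ExampleAV Client), and the method names are constructed.

```python
"""Added example, not vGW code: an in-memory model of what the Introspection
Applications and VMs tabs show. The inventory is constructed; HR-Records
without VMware Tools mirrors the guide's Figure 27."""

CLASSES = ("Known", "Unknown", "Bad", "Unclassified")

# Constructed sample inventory: VM name -> installed applications.
SAMPLE_INVENTORY = {
    "web-01": {"Apache HTTP Server", "VMware Tools", "ExampleAV Client"},
    "web-02": {"Apache HTTP Server", "VMware Tools"},
    "db-01": {"SQL Server", "VMware Tools", "ExampleAV Client"},
    "HR-Records": {"Microsoft Office", "Kazaa"},   # no VMware Tools, no AV client
}


class Inventory:
    def __init__(self, apps_by_vm):
        self.apps_by_vm = {vm: frozenset(apps) for vm, apps in apps_by_vm.items()}
        self.classes = {}   # app -> class; anything not yet examined is Unclassified

    # --- Applications tab ---------------------------------------------------
    def class_of(self, app):
        return self.classes.get(app, "Unclassified")

    def classify(self, apps, label):
        """Select one or more applications and click Known/Unknown/Bad/Unclassified."""
        if label not in CLASSES:
            raise ValueError(f"unknown class {label!r}")
        for app in apps:
            self.classes[app] = label

    def app_share(self):
        """Percentage of the selected VMs on which each application is installed."""
        total = len(self.apps_by_vm)
        counts = {}
        for apps in self.apps_by_vm.values():
            for app in apps:
                counts[app] = counts.get(app, 0) + 1
        return {app: round(100.0 * n / total, 1) for app, n in sorted(counts.items())}

    # --- VMs tab ------------------------------------------------------------
    def select_vms(self, apps, mode):
        """VMs with presence/absence of the selected applications."""
        wanted = frozenset(apps)
        tests = {
            "All Present": lambda have: wanted <= have,
            "Any Present": lambda have: bool(wanted & have),
            "All Absent": lambda have: not (wanted & have),
            "Any Absent": lambda have: not (wanted <= have),
        }
        test = tests[mode]
        return sorted(vm for vm, have in self.apps_by_vm.items() if test(have))

    def vms_with_class(self, label):
        """VMs running at least one application in the given class, e.g. Bad."""
        return sorted(vm for vm, have in self.apps_by_vm.items()
                      if any(self.class_of(a) == label for a in have))

    def quarantine_candidates(self, required_apps):
        """VMs missing any required application (the guide's missing-AV case) or
        running Bad software: candidates for a restrictive firewall policy."""
        missing = set(self.select_vms(required_apps, "Any Absent"))
        return sorted(missing | set(self.vms_with_class("Bad")))


if __name__ == "__main__":
    inv = Inventory(SAMPLE_INVENTORY)
    inv.classify(["Kazaa"], "Bad")
    inv.classify(["VMware Tools", "ExampleAV Client"], "Known")
    print("no VMware Tools:", inv.select_vms(["VMware Tools"], "All Absent"))
    print("quarantine candidates:", inv.quarantine_candidates(["ExampleAV Client"]))
```

The four filter modes are just the set relations between the selected applications and what a VM has installed, which is why All Absent and Any Present are exact negations of each other, as are All Present and Any Absent.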

Figure 29 Display Machines Running Microsoft Windows

Scan Status Tab

The Scan Status tab lets you monitor disk scans of one or more VMs. The vGW Virtual Gateway performs a full analysis of a VM’s disk. If multiple disks exist in the Guest VM system, each is analyzed. This analysis uncovers installed applications, the operating system, and the service pack/patch level running on the VM. As stated previously, the scan technology employed by the vGW Virtual Gateway is highly accurate—rather than a network probe, the vGW Virtual Gateway performs an actual read of the disk file from the hypervisor. In addition, the scan is very fast. A typical VM scan takes less than 5 minutes and has no impact on the operational state of the VM, because scanning activity takes place on a snapshot of the system. The snapshot is then removed when the scan is complete.

You can display current information about all scans (those complete and those still pending) or only complete or pending scans. You can also run scans manually or cancel scans in progress. See Figure 30.

Figure 30 Scan Status Tab Showing Successful Scans

Select the radio buttons above the table to list all scans, completed scans, or pending scans. To run a scan on a selected VM or group of VMs, click Scan Now. To cancel a scan in progress, click Cancel Pending Scans.

Scheduling Tab

The Scheduling tab lets you define schedules to scan VMs at specified times. See Figure 31.

Figure 31 Scheduled Scans

To improve performance during peak periods, you can limit the number of concurrent scans by making a selection in the Max number of concurrent scans menu. We recommend running no more than two concurrent scans. To define a scan schedule, click Add, select options for this scan, and then click Save. See Table 9 and Figure 32.

Table 9 Scan Scheduling Options

Option Choose or Enter

Introspection Scope

All Machines, or Selected Group and then choose a group from the list.

Introspection Event Schedule

Daily, and then enter the hour and minute you want the scan to begin.

Weekly, and then choose the day of the week and enter the hour and minute you want the scan to begin.

Monthly, and then choose the day of the month and enter the hour and minute you want the scan to begin.

Max scan duration

A length of time the scan must not exceed. The max scan duration option can be used to ensure that no scans run outside a maintenance window. The vGW Virtual Gateway completes a scan in progress, but will not begin subsequent scans in the list. Any pending scans are listed in the Scan Status tab and resume when the next scheduled time arrives.

If unable to scan…

Next scheduled period, to continue the scan at the next scheduled interval.

Next Day, to continue the scan at the same time tomorrow.

Figure 32 Defining a Schedule

To delete a schedule, select the schedule in the list and click Delete.

Compliance Module

The Compliance module lets you monitor the compliance of your overall system with regard to industry best practices. In addition, this module lets you define your own rules that equate to organizational best practices (self-defined compliance rather than industry-defined standards such as PCI, HIPAA, and so on).

The Compliance module relies on a rule editor that enables an administrator to use multiple attributes discovered about the VMware infrastructure and associated VMs to build out criteria for each designed rule.

By using compliance rules to monitor key configuration parameters, vGW Virtual Gateway administrators can quickly ascertain the overall state of their virtual security system. For example, a compliance rule can be created that states that no non-administrative VMs can be connected to a specific port group. Any violation of the designated rules then impacts the overall compliance state and is visible in reports and status screens.

The Compliance screen has two tabs:

Compliance

Rules

Compliance Tab

The Compliance tab displays a compliance meter that indicates the current level of compliance for the VM or group of VMs selected in the VM tree as well as statistical data that was used to calculate the overall compliance level. The compliance meter refreshes automatically every 60 seconds to report the current compliance level.

If you selected a group in the VM tree, the compliance meter shows the overall compliance percentage for all VMs in the group. The table below the meter lists each VM by name and shows its individual compliance level. See Figure 33.

Figure 33 Compliance Statistics for a Group


To display the compliance rules associated with this group, click Show Rules. A table appears listing each rule by name, its weight, the number of VMs it is applied to, and the compliance status of the rule. See Figure 34.

Figure 34 Compliance Rules

To disable a rule, clear its check box. The compliance meter refreshes, indicating the current level of compliance with the adjusted rule set.

You can double-click a rule in the table to display details about the rule.

If you selected a single VM in the VM tree, the compliance meter displays the current compliance of the individual machine plus the rules protecting it.


Rules Tab

The Rules tab is where you create and manage compliance rules. This tab includes a list of defined rules that shows the name of each rule, its weight, and any labels associated with it. Labels group rules into categories. See Figure 35.

Figure 35 List of Current Compliance Rules

You can narrow the list of rules displayed by making a selection in the Filter by menu.

NOTE: There are several pre-built compliance rules and templates included in the vGW Virtual Gateway solution that are useful in understanding how the Compliance module works. The predefined rule named VMware Tools is a good starting point.


To create a rule:

1. Click Add. The Add Rule dialog box opens as shown in Figure 36.

Figure 36 Add Rule Dialog Box

2. Define the rule. The available options are described in Table 10.

Table 10 Compliance Rule Creation Parameters

Option Do This

Compliance Scope

Select All Machines or Selected Group, and then choose a group from the list

Name Enter a name for the rule. Rule names can contain letters and numbers and should be descriptive, yet simple. You can describe the rule in more detail in the Comment field, if needed.

Comment Enter a description of the rule or any notes about it that might be helpful to someone who might use the rule.

Weight Enter a weight to be used when calculating the compliance level.

Generate Alert when compliance state changes

Select to have the vGW Virtual Gateway post a warning when the compliance level changes.

Compliance Groupings

Click Edit, move one or more labels to the Selected Labels list, and then click Apply.

Tip: To define additional labels, enter a name in the Add Labels box and click Add.


Create Groups For

Create groups comprised of members that meet or violate the designated match criteria (defined in the Matches field). You are not required to create groups, but if you do select one of the two options, by default you create a nonpolicy Smart Group. This group can be changed to a Policy group through Settings -> Security Settings -> Groups. The benefit of automatically creating a compliance-based group is that you can easily find VMs in the VM Tree using this criterion and use the group throughout the vGW Virtual Gateway solution.

Select Compliant VMs if you want to create a group for the VMs meeting the designated criteria.

Select Non-Compliant VMs to create a group for the VMs violating the designated match criteria.

Matches Select All if the VM must meet all criteria defined in the field below, or Any if the VM can meet any of the criteria defined in the field below, and then choose an attribute, choose an operator, and enter a value (for example, vi.datacenter Equals HQ).

Click + to add another criterion to the rule.

Click - to remove a criterion from the rule.

Advanced Enter a selection query rather than define rules using the vGW Virtual Gateway user interface. For information about query syntax, see “Smart Groups” on page 69.

3. Click Test.

The vGW checks your criteria and posts a message in the Edit Rule dialog box indicating which VMs are included in the group (if any), given the criteria you specified.

4. Click Save.

NOTE: In addition to the items described in Table 10, you also have the option to disconnect VMs from the network on a compliance check. By default this option is hidden because, if it is used incorrectly, it can cause serious unintended network downtime. For example, if you incorrectly created a compliance rule with this action, you could knock all VMs offline, including vCenter. To enable this compliance action, open the following URL in the web interface of the vGW Security Design VM. After you do so, a selection box called “Disconnect from the network when non compliant” appears.

http://<center_url>/compDisconnect?disconnect=true (or false)

Example 1 – Defining a Basic Compliance Rule

Suppose you want to create a compliance rule that states that all webserver VMs should have Apache version 2.x installed because of known security issues in versions 1.x. You can set the vGW Virtual Gateway to trigger an alert when any webserver currently in production, or brought online in the future, has a version of Apache prior to 2.x.

1. Create a Smart Group that contains all webservers and is capable of having policy installed on it. (Select Settings -> Groups -> Add Smart Group.) In this example, the group has two members: corp-www-1 and corp-www-2. See Figure 37.


Figure 37 Smart Group for Webservers

2. Create a compliance rule that has a scope limited to the webserver group you created and that searches the installed applications using VM Introspection for a vf.application containing Apache HTTP Server 2. Any VMs that do not have 2.x installed are displayed as Non-Compliant VMs. In this example, corp-www-1 is running Apache HTTP Server 1.3.41 and corp-www-2 is running Apache HTTP Server 2.2.15. See Figure 38.

Figure 38 Smart Group Rule for Apache 2.x


3. Verify that the Compliance module is properly monitoring the rule. Violations of this rule can be reported on using the vGW Virtual Gateway Reporting module and also generate alerts in the Main -> Status screen. Alerts are created any time a change occurs in the state. Alerts can also be sent to administrators through e-mail if Settings -> Alerting is configured properly. Alert messages are sent to the main source address, not the optional aliases. Figure 39 shows the Compliance module screen for the custom rule named Apache-Verification.

Figure 39 Smart Group Compliance State for Apache Rule Example
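As an added example (not code from this guide or from Juniper), the following Python sketch evaluates Matches All/Any criteria of the form shown in Table 10 (vi.datacenter Equals HQ, vf.application Contains Apache HTTP Server 2) against the two web servers of Example 1, splits them into the compliant and non-compliant groups, and reports the state changes that drive the alert option. The VM inventory is constructed, and the weighted-percentage formula for the compliance meter is an assumption, since the guide does not document how the meter is calculated.

```python
"""Toy evaluator for vGW-style compliance rules (constructed example, not Juniper code).

Assumptions: a rule is a list of (attribute, operator, value) criteria combined
with Matches = "All" or "Any"; a VM's compliance percentage is the weighted share
of rules it passes, and a group's percentage is the mean over its members.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class VM:
    name: str
    attrs: Dict[str, object]   # discovered attributes, e.g. vi.datacenter, vf.application


@dataclass
class Criterion:
    attribute: str
    operator: str              # "Equals" or "Contains"
    value: str


@dataclass
class Rule:
    name: str
    weight: int
    matches: str               # "All" or "Any"
    criteria: List[Criterion]


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, expected: actual == expected,
    "Contains": lambda actual, expected: expected in actual,
}


def criterion_holds(vm: VM, c: Criterion) -> bool:
    """True if any value of the attribute satisfies the operator. Multi-valued
    attributes such as vf.application hold one entry per installed application."""
    actual = vm.attrs.get(c.attribute)
    if actual is None:
        return False
    values = actual if isinstance(actual, (list, tuple, set)) else [actual]
    return any(OPERATORS[c.operator](str(v), c.value) for v in values)


def vm_compliant(vm: VM, rule: Rule) -> bool:
    results = [criterion_holds(vm, c) for c in rule.criteria]
    return all(results) if rule.matches == "All" else any(results)


def split_groups(vms: List[VM], rule: Rule) -> Tuple[List[str], List[str]]:
    """Mirror the 'Create Groups For' option: compliant and non-compliant VM names."""
    compliant = [vm.name for vm in vms if vm_compliant(vm, rule)]
    non_compliant = [vm.name for vm in vms if vm.name not in compliant]
    return compliant, non_compliant


def vm_compliance_percent(vm: VM, rules: List[Rule]) -> float:
    total = sum(r.weight for r in rules)
    if total == 0:
        return 100.0
    passed = sum(r.weight for r in rules if vm_compliant(vm, r))
    return 100.0 * passed / total


def group_compliance_percent(vms: List[VM], rules: List[Rule]) -> float:
    if not vms:
        return 100.0
    return sum(vm_compliance_percent(vm, rules) for vm in vms) / len(vms)


def state_changes(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """VMs whose compliant/non-compliant state changed since the last check; this is
    the event behind 'Generate Alert when compliance state changes'."""
    return sorted(n for n, state in current.items() if previous.get(n) != state)


# Constructed inventory matching Example 1: corp-www-1 runs Apache 1.3.41 and
# corp-www-2 runs Apache 2.2.15 (the OpenSSH entry is made up to show a
# multi-valued attribute).
WEBSERVERS = [
    VM("corp-www-1", {"vi.datacenter": "HQ",
                      "vf.application": ["Apache HTTP Server 1.3.41", "OpenSSH 5.3"]}),
    VM("corp-www-2", {"vi.datacenter": "HQ",
                      "vf.application": ["Apache HTTP Server 2.2.15"]}),
]

APACHE_RULE = Rule("Apache-Verification", weight=10, matches="All",
                   criteria=[Criterion("vf.application", "Contains", "Apache HTTP Server 2")])
DATACENTER_RULE = Rule("HQ-Datacenter", weight=5, matches="Any",
                       criteria=[Criterion("vi.datacenter", "Equals", "HQ")])

if __name__ == "__main__":
    ok, bad = split_groups(WEBSERVERS, APACHE_RULE)
    print("Apache-Verification_compliant:", ok)        # ['corp-www-2']
    print("Apache-Verification_non_compliant:", bad)   # ['corp-www-1']
    rules = [APACHE_RULE, DATACENTER_RULE]
    for vm in WEBSERVERS:
        print(vm.name, f"{vm_compliance_percent(vm, rules):.1f}%")
    print("group", f"{group_compliance_percent(WEBSERVERS, rules):.1f}%")
```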

Example 2 – Defining an Advanced Compliance Rule with Custom Security Policies

This example takes the first scenario and modifies it slightly. Instead of just generating a compliance alert when a VM with the wrong version of Apache is brought onto the network, this example applies two different firewall policies: one for the up-to-date Apache server and one for the out-of-date Apache server.

First you create a security policy stating only webserver VMs with version 2.x of Apache installed can be connected to the network with HTTP and HTTPS. Then you additionally stipulate that webservers with any other Apache version are allowed to connect, but they must do so using HTTPS. The definition of WebServers here should include not just a naming parameter, but also verify Apache is actually installed.


1. Create a Smart Group that checks a naming convention for webservers but also validates that Apache is installed. Note that this is just a monitoring group, because the Policy Group option is not selected. See Figure 40.

Figure 40 Smart Group with Multiple Parameters and No Policy Assigned

2. Use the exact same Apache-Verification Rule created in example 1 (see “Smart Group Rule for Apache 2.x” on page 44).

3. Modify the Compliant and Non-Compliant groups so that they can receive policy by choosing Settings -> Groups and then selecting the Policy Group check box. See Figure 41.

Figure 41 Enable Policy Groups on Auto-Generated Compliance Groups


4. Modify the firewall policy on each of the resulting groups (Apache-Verification_compliant) and (Apache-Verification_non_compliant) so the first one allows both HTTP and HTTPS and the second just allows HTTPS. The example in Figure 42 shows the firewall policy for the compliant VMs (HTTP/HTTPS) and also shows the members of each group and the overall group called “WebServers.”

Figure 42 Firewall Rules for Apache Compliant VMs

The compliance rule examples documented here are intended to highlight some of the capabilities of the vGW Virtual Gateway solution. Because compliance requirements vary in each virtual environment, there are many ways to define the associated rules. The vGW Virtual Gateway Compliance module has tremendous flexibility, which means it can be used to meet this range of requirements.


Reports Module

The Reports screen is where you create and modify automated reports and view recent reports.

NOTE: Before you create reports, you should configure e-mail and report settings. For more information, see “E-Mail and Reporting” on page 58.

Generating Reports

You can generate reports instantly or you can create reports that run at a specified time.

The Reports screen has two tabs:

Add/Edit Reports

Recent Reports

Add/Edit Reports Tab

The Add/Edit Reports tab is where you create reports. The tab is empty by default, but after you create one or more reports, they appear in the list.

To create a report:

1. Click Add.

2. Select the machines you want to report on or select All Machines to report on the entire virtual infrastructure.

3. Enter a name for the report and a description; for example, “Report1.”

NOTE: You cannot enter spaces or special characters (such as !$@# ) in the report name.

4. Specify the maximum number of entries the report should include.

5. Choose a time period to report on.

6. Choose an output format for the report, either PDF or CSV.

7. Specify whether the report should be saved on the current hard disk or e-mailed to a recipient.

NOTE: If you are e-mailing the report, you can specify to whom the report is sent (an individual e-mail account, an e-mail alias, or multiple accounts separated by ‘,’). You can also specify the e-mail address that appears in the ‘From’ field of the e-mail.

8. Choose when the report is created: an instant report is generated immediately or you can schedule the report to run at a particular time or day. Where possible, we recommend scheduling reports to run during low utilization periods (off hours) as generating reports can consume significant system resources. For more information, see “Scheduling Reports” on page 51.

9. Choose a report type. There are several predefined reports included in the vGW Virtual Gateway solution, such as Executive Summary and Firewall. You can also create custom reports.

TIP: Select a report type to display a description of the report.


10. If you want to modify a predefined report type, select a report and click Customize to specify module-specific details to be included in the report. For more information, see “Custom Report Types” on page 49.

11. Click Generate Now or Save to create the report.

Each report begins with a high-level header that includes the report name and the date the report was created. In addition, each report type selected during the report creation process has its own title, graph, and relevant table data. If you select more than one report type, each one is included in the same PDF output file, one after the other. See Figure 43.

Figure 43 PDF Report Output

Recent Reports Tab

The Recent Reports tab displays a list of previously created reports. To open a report, double-click the report in the list, and then choose to open it as a PDF file or save it to the hard disk.

Custom Report Types

When you create a custom report, you have the option of choosing specific settings for Network, Firewall, IDS, Introspection, and Compliance reports. The core attributes of these report types are also available as predefined reports. In other words, running a custom report is not the only way to get the information described in the following sections.

Network Reports

The vGW Virtual Gateway generates network reports by pulling information collected by its Network module. You can create the following network reports:

Top Talkers: Shows the machines generating the most traffic (combined source and destination traffic flows).

Top Destinations: Shows where the systems are most frequently communicating.


Top Protocols: Shows the most popular protocols in use on the virtual network.

Top Sources: Shows which systems are generating the most traffic.

Total Bytes: Similar to the Top Talkers report, but additionally shows which protocols are being used.

Firewall Reports

The vGW Virtual Gateway generates Firewall reports by pulling information collected by the Firewall module. Specifically, an administrator defines various firewall security rules for the VMs. When connections are made to or from these resources, the firewall logs the activity and makes it available to the Reporting module. You can create the following firewall security reports:

Top Accepted Destinations: Shows which machines in the destination field are accepting the highest number of connections, including source and destination fields for each firewall logging event.

Top Accepted Sources: Shows the machines in the source field that are accepting the highest number of connections.

Top Dropped or Rejected Destinations: Shows the machines in the destination field that are dropping or rejecting the highest number of connections. The action in a firewall rule can be Accept, Drop, or Reject.

Top Dropped or Rejected Sources: Shows the machines in the source field that are dropping or rejecting the highest number of connections.

IDS Reports

The vGW Virtual Gateway generates IDS reports by pulling information collected by its IDS module. These reports display a complete listing of all malicious or suspicious traffic on the virtual network.

Top Alerts: Shows alerts seen on the virtual network.

Alert Sources: Shows sources of attacks.

The number that you configured as the value for Maximum number of systems to include in report determines how many attacks are reported. For example, if you specified a value of 20 and 40 attacks occurred in the specified report time period, only 20 attacks would be reported.

Introspection Reports

The vGW Virtual Gateway generates Introspection reports by pulling information collected by the Introspection module. These reports display:

Known Applications: Shows applications that the administrator has classified as Known in the VM Introspection module. Known typically equates to something that is good or allowed in the environment.

Unknown Applications: Shows applications that the administrator has set as something that needs investigating.

Bad Applications: Shows applications that the administrator has defined as bad and not allowed in the environment.

Unclassified Applications: Shows applications that have not been classified by the administrator. Unclassified is the default state when the vGW Virtual Gateway discovers an application it does not recognize on a VM.

Operating Systems: Shows operating systems installed on VMs in the environment. The vGW Virtual Gateway solution collects operating system information automatically, enabling you to run a report on all operating systems in the environment.


Compliance Reports

The vGW Virtual Gateway generates Compliance reports by pulling information collected by the Compliance module. These reports display information from the following compliance groupings:

DISA: Shows information related to Defense Information Systems Agency best practices.

NSA: Shows information related to National Security Agency best practices.

PCI: Shows information related to Payment Card Industry best practices.

VMware: Shows information related to VMware security best practices.

The resulting report shows three different summary tables containing information related to one or all of the compliance groupings selected above. For example, if you select just PCI and VMware you get three tables showing the values for those two compliance groupings. The first table shows all of the rules occurring in the selected groupings. The second table shows the groupings with summary information on rules, number of VMs, and status. The third table shows all of the VMs associated with the groupings.

Filters

The reports identified in the previous section may result in data that needs to be filtered to be more useful. The settings in the Report Selection definition (applies to most types of reports) allow you to filter the resulting data by Source IP, Destination IP, or Protocol. You can also filter out high, medium, and low priority alerts. This allows you to drill down and report on exactly the information you need.

NOTE: When you filter data, you cannot identify a VM by its name. You must specify the VM's IP address. The vGW Virtual Gateway matches entries in the database by IP address and includes IP addresses in the report. However, if the IP address also belongs to a known VM, the name of the VM is displayed in the resulting report as well.

If there is any matching data, the vGW Virtual Gateway always includes the filtered system—even if the system is not in the Top X listing parameters defined through ‘Maximum number of systems to include in the report’.

Scheduling Reports

If you want to query data from more than one day, you need to create a scheduled report. When you select the Daily at option, you create a report for 24 hours of data, sent every day at the specified time. When you select Weekly on, you create a report containing seven days' worth of data, sent once a week. When you select Monthly on, you create a report with a month's worth of data, sent on the day you specify.

NOTE: If a scheduled report fails to execute, an event is generated and posted in Main -> Status -> System Status and Events.

After you create a scheduled report, it appears in the Initial Report Display Page on the Add/Edit Reports tab. There you can edit or delete it as necessary.


Settings Module

The Settings module controls core vGW Virtual Gateway operations and allows for system configuration of the vGW Security Design VM virtual appliance. The Settings screen (see Figure 44) has three main sections, which appear in the VM Tree pane:

vGW Application Settings

Security Settings

Appliance Settings

Figure 44 Settings Screen

About Obtaining, Installing, and Managing vGW Virtual Gateway Licenses

To enable the vGW Virtual Gateway, you must:

Purchase a license for the vGW Security Design VM and separate licenses for its features.

Obtain entitlement license keys for the licenses.

Install the vGW Virtual Gateway features license keys and manage them.

The presence of an entitlement license key determines whether you can use a feature. For information about how to purchase software licenses for vGW Virtual Gateway features, contact your Juniper Networks sales representative.

About vGW Virtual Gateway Licenses

You can purchase licenses for the following vGW Virtual Gateway components:


vGW Security Design VM—You must purchase a license for the vGW Security Design VM. This component serves as the management center for the vGW Virtual Gateway.

Each ESX/ESXi host has a physical CPU socket count. For each host that you want to protect, you must purchase separate licenses equivalent in number to its CPU sockets. This requirement applies to the following features:

vGW Security VM—A vGW Security VM helps secure and monitor the ESX/ESXi host that it runs on, and it reports information back to the vGW Security Design VM.

High-availability (HA)—Allows for the deployment of primary and secondary vGW Security VMs and vGW Security Design VMs to maintain solution resiliency in the event of any single component failure.

Intrusion Detection System (IDS)—Allows you to examine virtual network traffic for malicious content or activity, for example, web attacks and distributed denial of service (DDoS) attacks.

Starting with two licenses, the number of licenses that you can purchase increases incrementally, depending on the license package. For Security VMs, HA, and IDS, licenses come in packages of 2, 10, 20, and upwards. You can also purchase a license for unlimited CPU sockets for each feature.

For all features except IDS, licenses are perpetual. For IDS, licenses are subscription-based. You can purchase a license for one year or for three years.

After you have the vGW Virtual Gateway privilege on your license management system (LMS), you can generate licenses. The vGW Virtual Gateway license keys are long, random text strings that end with the equal sign (=).

Installing Licenses in the vGW Security Design VM

After you power on the vGW Security Design VM, you run the vGW Virtual Gateway installation wizard. During this process, you are prompted for product license information.

If you purchased the vGW Virtual Gateway, you enter the license key for the vGW Security Design VM. After you install the license key, a serial number is presented. You can use the serial number for product support.

For each feature that you want to use, you must install an entitlement license key using the vGW Security Design VM. If the proper license keys do not exist, you cannot activate the feature or install an update.

You enter license keys in the Settings > vGW Application Settings > Status & License section of the vGW Security Design VM. You install and manage licenses in the Product Licensing section. You can also use this section to view existing licenses.

In addition to the 30-day evaluation license that is provided by default, an extended evaluation license for the vGW Virtual Gateway is available. Contact your sales representative for details. If you use an evaluation license and then purchase a subscription license or permanent license, you can delete your evaluation license and install the subscription license without disruption.

The evaluation license enables you to use all features except IDS. If you want to evaluate the IDS feature, you must obtain a license with activation from your Juniper Networks sales representative.

vGW Application Settings

vGW Application Settings are used to license the product, check status on the vGW Security Design VM, control access to VMware, and modify administrators. You can also configure various items such as machines and high availability, e-mail, and reporting settings.


Status & License

This subsection allows an administrator to view basic system status and configure licensing.

Database Status: This area displays the status of the internal database that stores all network session data. When the disk becomes nearly full, the oldest sessions are truncated from the database and this screen displays how far back session data stored in the database extends.

NOTE: By default, the disk that contains the vGW Virtual Gateway database is set to 8 GB. If the database is not holding enough information for your environment, you can increase its size. To do so, power down the vGW Security Design VM. In VMware, edit settings for the vGW Security Design VM and increase the size of the second disk. Start the vGW Security Design VM. When the vGW Security Design VM boots up, the new disk size is recognized and the database expands into the newly defined space.

Product Licensing: This area displays a table summarizing valid licenses for the Juniper Networks vGW Virtual Gateway. The licensing system is 'multi-key', meaning that you can attach various licenses for features and feature counts to the system.

At minimum, you need to have a valid Management Center license (vGW Security Design VM).

Appliance Status: This area displays the version and last update information for the vGW Security Design VM. See “System Updates” on page 76 for more information on initiating an update.

Product Support: This area displays a link to the Juniper Networks product support website.

vCenter Integration

These settings control the interaction between the vGW Virtual Gateway and VMware:

vCenter Settings: This is the login information needed for the vGW Security Design VM to communicate with the VMware Virtual Center server (vCenter). The vGW Security Design VM uses the VMware Virtual Infrastructure APIs to:

o Obtain VM Inventory information

o Determine resource utilization status

o Determine events affecting the VMs

o Reconfigure the network settings (for example, create a new vSwitch or move port groups)

The account used to connect to vCenter must have read/write (RW) access to the VMware infrastructure. You may use a custom account created in VMware for this purpose; using such an account makes it easier to identify and monitor change activities. In either case, the account should have administrator privileges.

Update VMs: This triggers an immediate query from the vGW Security Design VM to vCenter to update the VMware inventory currently being used by the vGW Virtual Gateway solution. Normally, the vGW Security Design VM updates the VMs automatically. However, if important changes are made, the Update VMs option forces an immediate retrieval of VM changes.

o The vGW Security Design VM monitors and records newly created VMs, thus ensuring no loss of data. The VM update process allows the vGW Security Design VM to associate the new VM with its network traffic and add the new VM to the VM Tree.


o The Update IP addresses as they change in vCenter option is selected by default. If it is not selected, IP addresses are not changed after they are initially retrieved or set manually. If you clear this check box, you must manually update the IP addresses.

Deleted VMs: The vGW Virtual Gateway solution can show any virtual machines it has seen over time even if they were deleted in VMware’s vCenter system repository. This capability exists so historic traffic records can be kept and a vGW Virtual Gateway administrator can see all the activity occurring in VMware. The persistency of VMs in the vGW Virtual Gateway interface can reveal any attempt by a malicious administrator or hacker to bring up a VM, perform an unauthorized activity, and then delete the VM to hide their tracks. If, however, you do not want the deleted VMs appearing in the vGW Virtual Gateway interface, you can clear the menu item here and they are hidden from view (though still available if reselected).

vGW Management Center Plugin: Use this button to install the vGW Virtual Gateway plugin into the vCenter interface. To install the plugin, click Register. To view and use the plugin, in the vSphere client interface choose Home -> Solutions and Applications. To uninstall the vGW Virtual Gateway Management Plugin, click Unregister.

NOTE: The vGW Virtual Gateway Management Center Plugin is for vSphere installations only and is not supported under ESX 3.5 or earlier.

Automatic Startup of the vGW Security Design VM and Firewall: Use this setting to enable or disable the startup of vGW Virtual Gateway components when an ESX system reboots. By default, the vGW Virtual Gateway components are set to start up automatically.

Synchronize machine name: Changing the name of a VM in vCenter by default causes the name of the equivalent VM object in vGW Security Design VM to be changed to the same value. If you want to override this setting, you can clear the value in this area. For example, security administrators might want to use this override if they are not using the same naming convention as the VM team. The ability to override the default behavior is also useful if security administrators have created dynamic security policies using the name of the VM and they do not want those to be impacted by simple name changes in the vCenter.

Installation

You can install the vGW Virtual Gateway in Bridge Mode or VMsafe Mode. The following settings control the behavior of the vGW Virtual Gateway in each mode.

VMsafe Installation: Use this selection box to choose the template that is used to create the vGW Security VM for each ESX/vSphere host. In addition, choose what happens to a VM when it is migrated (by vMotion) to a host that does not support VMsafe, or when there is an issue with the VMsafe installation on the host. The setting lets you either pass all traffic for the VM without a security policy or drop all traffic. All traffic is allowed by default. In addition, there is an option to hide (deactivate) the Monitoring Only option on the Firewall -> Install screen.

Bridge Installation: Use this selection so that, in Bridge mode, the vGW Virtual Gateway labels new components it creates in VMware with a short string for easy identification. You can choose the string to use as well as whether it is added as a prefix or suffix. In addition, you can define the template used during the Bridge mode Firewall installation process. (The vGW Virtual Gateway dynamically creates the necessary firewall security VM from the selected template.)

There is a button in each section that controls the modes displayed in the Firewall -> Install tab of the product (Disable VMsafe or Disable Bridge).


Administrators

Different types of IT staff members may need to access the vGW Security Design VM interface for various purposes. For example, network engineers can make use of network statistics; security engineers can deploy policies; and so on. The vGW Virtual Gateway has a number of different user types built in to cover these scenarios.

Based on the type of user logged into the system, different menus are displayed in this screen. When Global Admin users are logged in, they can add new users. Other users are simply presented with a Change My Password dialog box, in which they can enter a new password for themselves. The various privilege levels are described in Table 11.

Table 11 Account Types

Global Admin: Administrator with the highest level of system privileges, including the ability to create additional administrators. The global administrator can perform all operations in the product, including firewall installations. For example, they can select port groups and VMs for insertion and removal from a secured network.

VM Admin: Administrators that can be given Modify policy and settings permissions. This setting allows changing security policies (IDS or Firewall security policies) or VM Introspection Compliance.

Additional options include Allow mirroring of inter-vm traffic (the ability to configure rules with external inspection devices) and Allow Introspection Scan (the ability to initiate a scan of a VM for application discovery).

In addition, it is possible to grant VM administrators the Install Firewall Policy privilege (the ability to actually distribute a policy after it has been changed and saved by an administrator who has privileges to modify security policies).

Network Monitoring: Administrators that can see all Network related screens (for example, statistics and graphs) and the Logs and Status and Configuration tabs of the Firewall screen, but no other screens in this section. These administrators cannot modify any Settings screens, but they can view IDS Alerts, if IDS is configured, and they can view but not modify VM Introspection and Compliance results.

Active Directory

The vGW Virtual Gateway allows accounts to be read out of Active Directory instead of being stored locally in the vGW Security Design VM Database, allowing administrators to log in to the vGW Virtual Gateway solution using their Active Directory credentials. The vGW Virtual Gateway checks Active Directory and then allows or disallows login based on those settings.

The first step in setting up the vGW Virtual Gateway to work with Active Directory is to define the Name (or IP) of the Active Directory server.

Next, you need to set the appropriate port. By default, port TCP 389 is used and you need to make sure access to this port from the vGW Security Design VM to the Active Directory server is enabled on your network. In addition, the vGW Virtual Gateway is designed to only allow TLS encrypted and secured connections through port 389.

The Default Search Base is unique to each customer’s Active Directory installation and is in the form dc=domain-section-1, dc=domain-section-2 (for example, dc=corp, dc=com).


After selecting the Name/IP, port, and default search base, you can select Test or Save and you are shown the fingerprint to validate the destination of the communication and initiate all future communications through encryption.

Finally, you need to create users or groups, which are authenticated through the lookup to the configured Active Directory server. To complete this step, go to Settings -> vGW Application Settings -> Administrators, and then add administrators and set the authentication type to Internal, AD Individual User, or AD Group. AD Individual User means this account is authenticated with AD credentials and all of the privileges are applied according to defined vGW Virtual Gateway settings. The other option (AD Group) simply uses the name of an existing group in AD and assigns it privileges. The lookup authenticates users and determines if they are a member of the AD Group. If so, they are granted the appropriate privileges in the vGW Virtual Gateway.

Machines

This section allows you to define new machines for use in the vGW Virtual Gateway system or to edit settings for VMs that are discovered automatically.

vGW needs to know the IP address for hosts to correlate traffic information and can usually obtain this through VMware Tools. For systems without VMware Tools, an IP address can easily be defined manually by clicking the machine and editing the IP address field.

Unmonitored Machines are either external physical machines that have been manually added or virtual machines, which are visible in the vCenter inventory but are not on a vSwitch that is Monitored/Secured directly by the vGW solution.

It can be useful to add important physical hosts in this area, so you can see them in networking reports. If a host is defined here, it is shown in the network tables by its name, rather than its IP address. In addition, hosts defined here can be used in the firewall policy editor.

Unmonitored Machines can also be included in user-defined groups. If an external machine is selected in the VM Tree for a network report, only its traffic to monitored VMs is reported on, because this is the only traffic vGW can access.

NOTE: When you click a machine, the Edit Machine dialog box displays details about the host including its VMsafe protection status. You also have the option of changing the behavior of the product if it fails to connect to the kernel (failopen or failclosed).

High Availability

High availability allows for the configuration of a secondary vGW Security Design VM. To activate this option you need to import a secondary vGW Security Design VM in your vCenter from the OVF/OVA as described in the Juniper Networks vGW Virtual Gateway Installation Guide.

NOTE: You should do a secondary OVF/OVA import rather than clone the original vGW Security Design VM. The OVF/OVA import process will prompt you for a database disk. You can simply accept the 8GB size (even if your primary is configured for a larger size). The secondary does not store the same type of information as the primary and thus does not need more than 8 GB. Once the import is finished, you should not power on the newly created secondary VM.

After the VM is created (for example, vGW Security Design VM Secondary), you can select it in this dialog box and specify whether that system will use DHCP or static addressing.

For more information about the setup process, see “High Availability” on page 83.


E-Mail and Reporting

Here you configure the e-mail server and account information that is used throughout the vGW solution for distributing status and log messages and reports.

During the installation of the vGW Security Design VM, you are given the opportunity to configure the necessary parameters to generate automated reports. However, if you have not configured those parameters (or want to change settings), choose Settings -> vGW Application Settings -> E-Mail and Reporting, and then enter new settings. See Figure 45.

Figure 45 Reporting Module Configuration

E-mail Settings and Configuration Parameters

Only SMTP Server, SMTP Port, Mail Subject and Mail Content are required fields.

SMTP Server: Hostname or IP address where e-mail is sent.

SMTP Port: Port used by mailserver (common values are 25 or 465 for encrypted).

Authenticate: If authentication to the mail server is required, check this option.

TLS Authenticate: If the mail server uses TLS encryption, select this option.

SMTP User: If authentication is required, use this user account.

SMTP Password: The password for authenticated connections.

E-mail From: Text that appears in the From field in e-mail messages.

E-mail To: Text that appears in the To field in e-mail messages.


You can troubleshoot possible mail server configuration errors by clicking Test Mail Server before saving parameter changes.

Reporting Module Settings Configuration Parameters

Default e-mail From: Text that will appear in the From field of e-mail messages by default.

Mail Subject: Text you want inserted in the Subject line for messages sent by the Reporting module.

Mail Content: Text you want inserted in the content section of messages. (The report itself is attached as a PDF file.)

Security Settings

Security settings control the core functions of the vGW deployment. You can define many objects for use in security policies (for example, groups and networks) as well as the behavior of the system when processing information such as IPv6 or non-IP traffic. You can also control IDS settings in the Security Settings section.

Figure 46 Security Settings Module Configuration

Global

External Inspection Devices: This screen allows you to enter the name and IP address for devices to which traffic can be sent for further analysis (for example, external Intrusion Detection Systems and Network Analyzers). See Figure 47.


Figure 47 Configuring External Inspection Devices

The External Inspection Devices must be capable of terminating a GRE tunnel. To send traffic to the device, you must define a rule in the policy. See Figure 48.

Figure 48 Defining a Rule in the Policy to Send Traffic to an External Inspection Device

This configuration mirrors the traffic to the external device—it does not imply that traffic is accepted or rejected. You must decide whether to accept or reject the traffic in subsequent rules in the policy. The mirrored traffic shows up in logs if that is also configured with duplicate in the action field.

You can use third-party products by creating different rules for the type of traffic you want inspected and redirected.

Global Settings Rules: The firewall can be configured to deal with four types of traffic in different ways. The default firewall configuration drops IPv6 and non-IP traffic (for example, IPX). Multicast and Broadcast can be globally allowed (default) or dropped through this menu (with the option to log the traffic). The logging option here does not hide multicast or broadcast traffic from the graphs; it controls only whether this traffic creates connection logs in the Logs view.

External Logging: vGW Virtual Gateway security software supports sending logs to third-party syslog servers. You can enable this setting here, and all traffic that matches a log firewall rule is written to the vGW Virtual Gateway logs and also written to the destination syslog server. It is possible to customize the syslog format as well. The configuration can be overridden through the individual vGW Security VM for the host (Firewall -> Status & Configuration).


NetFlow Configuration: All connection flow information can be sent through NetFlow Version 9 by enabling the setting and selecting an IP address and a port. Ports 2055 and 9990-9999 are commonly used. Configuration here can be overridden through the individual vGW Security VM module for the host (Firewall -> Status & Configuration). Both NetFlow and Syslog are compatible with Juniper Networks STRM.

Infrastructure Configuration Enforcement: VMware requires a special network for communication between the vGW Security VM and VMsafe. This network should not have VMs connected to it that are not part of the VMsafe communication process. If someone does connect a VM to this network, this option allows you to disconnect the VM for heightened security.

IDS Configuration

IDS Settings: You can turn on IDS by selecting the enable check box here. In addition, various ports can be used to pass HTTP and SSL traffic, so Altor allows you to specify which ports should be analyzed as HTTP or SSL based on your environment.

IDS Updates: There are two ways in which you can get IDS signature updates. You can have Auto Update turned on and apply the updates from the Altor servers automatically to your local environment or you can download them and apply them manually. The other option is to write or define custom signatures and import them into the Altor solution manually. In order to get IDS updates from Altor Networks, you must purchase and install an appropriate license.

IDS Signatures

Custom Signatures: Normally there won’t be any entries in this field as it is populated after you manually upload custom signatures (see Settings -> Security Settings -> IDS Configuration).

vGW Virtual Gateway Networks: This section shows all the signature categories that are part of the standard vGW Virtual Gateway IDS configuration. You can activate or deactivate entire categories by clicking the icon next to the category name and selecting the green check or red x. Furthermore, if you want to enable or disable individual signatures within a category, you can click the category and then enable or disable the relevant signatures. You can also change the priority level on the signatures (high, medium, low) by clicking a rule category, and then clicking a rule. This is also where you can view the specific signature that is used (select Show Raw Signature).

Alerting

E-Mail Alert Settings: Configuration for sending E-Mail alerts. For more information, see “Status and Alerts” on page 80.

SNMP Trap Settings: Configuration for sending SNMP traps to external monitoring systems. For more information, see “Status and Alerts” on page 80.

Alerts: You can clear autoconfig address and/or multicast alerts and click Save to hide these alert types in the Main -> Status -> System Status and Events screen.

Protocols

By default, all of the IANA registered protocols are listed in the protocols table. Custom protocols or other application protocols that are not IANA registered can be added to this table, so they are shown by name in network reports rather than being displayed by port or protocol.


You can define your own non-TCP and non-UDP protocol as well (for example, gre, ipsec) and define protocol ranges (for example, Custom App / TCP / 8000-8005).

Protocol Groups

You can combine a number of protocols into a Protocol Group so it can be used in Firewall Policy creation (for example, for Global, Group, or Individual VMs). To do so, click Add, enter a name for the group, and select the appropriate protocols, and then click Save.

Groups

The groups setting allows you to create groups of resources used by various modules in the vGW Virtual Gateway solution. There are two main types of groups:

Static Groups are manually created by administrators. You can create a Static Group as a collection of any type of defined vGW Virtual Gateway objects (for example, networks, VMs, or external physical systems).

Smart Groups are created automatically and maintained dynamically by the vGW Virtual Gateway solution based on a set of parameters you define. The vGW Virtual Gateway continuously analyzes both the vGW Virtual Gateway and VMware database of objects based on your parameters. Objects meeting the parameters you define are inserted into (or removed from) these groups automatically.

Either type of group can optionally be associated with a security policy. Policy association is controlled by the Policy Group option available when you define the group. Groups that do not have a policy associated with them appear in the Monitoring Groups section of the VM Tree. You can use this setting if you simply want to see how a group of VMs are interacting on the network and do not want to protect their traffic.

Another option is to have the policy applied to a Policy Group automatically. There is a setting to determine if the group is assigned a policy in either Automatic or Manual mode. Selecting Automatic results in any policy changes for those group members getting pushed without administrative intervention (for example, without an administrator using the Firewall -> Apply Policy Tab).

Many security tasks can be automated when the proper group structure is in place. For more information, see “Smart Groups” on page 69.

Networks

The Networks setting allows you to define network objects for use in the security policy. You can define by IP Range or Subnet Mask.

SRX Zones

This section lets you create interoperability with physical SRX Systems.

Appliance Settings

The appliance settings control the operating system and system configuration items for the vGW Security Design VM.

Updates

This section updates the virtual appliance operating system and vGW Virtual Gateway system files that form the vGW Security Design VM. You can update individual vGW Security VMs through the Firewall -> Status and Configuration tab or through an unattended batch process.


Software Update: Shows the last time vGW Virtual Gateway checked for and installed an update. You can click Check for Updates to manually check for updates. After the update check finishes, you can then apply the new files. For more information, see “System Updates” on page 76.

Update Preferences: Enables the vGW Security Design VM to automatically check Juniper Networks vGW Virtual Gateway internet update servers for the latest software.

Batch Updates: Lets you update multiple vGW Security VMs immediately or at a scheduled time. For more information see “Using Batch Update to Update Multiple vGW Security VMs” on page 78.

Network Settings

Here you can change the Host Name for the vGW Security Design VM and also decide if you want to use DHCP or static addressing.

By default the vGW Security Design VM has only one virtual NIC. The IP address can be configured here.

In some cases, it may be necessary to add additional interfaces to the vGW Security Design VM (for example, if the VMware vCenter system exists on a completely isolated network). To do this, add a virtual NIC through VMware and configure both interfaces using this menu.

NOTE: The first interface (Interface 1) must be used to communicate with the vGW Security VMs. In addition, you must define the interface that leads to the proper default gateway.

Proxy Settings

If a proxy is required to make outbound http/https connections, you can enter the IP address, port, and user credentials. The vGW Virtual Gateway sends HTTPS (TCP 443) requests to Juniper Networks vGW internet update servers to pull the latest available software.

Time Settings

Correct system time settings are crucial to the proper operation of the vGW Virtual Gateway solution. The vGW Security Design VM must have the correct time zone and access to an NTP server. All system logs, security logs, security policy deployments, and so on are time-stamped, so it is important to make sure the time setting is accurate. Deployed vGW Security VMs synchronize their time settings from the vGW Security Design VM.

If you do not have an internal NTP server you can use the preconfigured NTP servers or another NTP server on the Internet. Any entry you do not want can simply be deleted from the interface.

Log Collection

In some cases, it may be necessary to troubleshoot the vGW Security Design VM system. Juniper Networks Support can use the information generated by running the Collection Tool available in this section of the user interface. This tool generates numerous log and system files from the vGW Security Design VM in a TGZ file that can then be referenced in a trouble ticket or e-mailed to Support.

There is an additional Collection Tool option for each vGW Security VM, which can be run from the Firewall -> Status & Configuration tab. The following information applies to both the vGW Security VM and the vGW Security Design VM log collection.


After you select Start Collection, all relevant log files are collected from the vGW Security Design VM and are compressed into a single file. You are then given an option to download the log collection, in which case you can send the file to Juniper Networks through e-mail or post the log collection on a server. The other, preferred option is to upload the collection to Juniper Networks. Choosing this option automatically encrypts the file (through AES-256) and transfers it to a protected vGW Virtual Gateway server. Under this method, a unique ID is assigned to the log collection and you can include a comment on the uploaded file. Reference the ID in any tickets or communication with Juniper Networks Support.

Log Viewer

You can use the Log Viewer to select various system and application logs for basic system activity monitoring and troubleshooting. You can also select the number of lines that are displayed in the viewer.

Support

Here you can reboot the vGW Security Design VM, restart the vGW Virtual Gateway services, enable or disable debugging flags used for troubleshooting, and enable or disable SSH remote access to the vGW Security Design VM.

If Debug Flags is ever enabled, it is important to return to this screen after the log files are collected and select Debugging OFF, because the debug setting generates many log files and could cause disk space usage issues.

When you enable SSH, you can administer the vGW Virtual Gateway solution through an SSH client (for example, PuTTY). This allows security teams to access the command line of the vGW Virtual Gateway components (vGW Security Design VM and vGW Security VMs) without having to use the vSphere Client.

When you access the vGW Security Design VM or vGW Security VM(s) through SSH, you are presented with a command-line interface. The command-line interface supports a variety of system options. Enter ? or help at the command-line prompt for a list of supported vGW Virtual Gateway commands.


Firewall Policy

The vGW Virtual Gateway Firewall policy uses a three-tiered model, to allow for broad policy definition and reusability, while still allowing for flexibility of per-VM policy creation. See Figure 49.

Figure 49 Three-Tiered Firewall Policy Model

The three policy tiers are:

Global policy: Rules that are common to ALL VMs within your infrastructure. These may include corporate security policy items, such as restricting telnet access to any machine. The global policy can also be used for emergency response rules, such as when a new vulnerability is identified. All access to a given service can be easily blocked while servers are being patched to protect against the exploit.

Group policy: Policy applied to groups of similar VMs, for example all World Wide Web (WWW) server VMs might use the same group policy. This way, a new WWW server added to the WWW server group inherits the group policy.

VM policy: A VM Policy is unique to a particular VM (for example, to allow a certain service running only on this VM, or to protect a specific VM, such as one running an older operating system version that has known vulnerable services).

A VM’s full policy is the combination of these three layers of policy. By using all three policy tiers, you can manage VM policies very efficiently and minimize the amount of administration needed for new VMs.

Default Policy: Newly created VMs that do not have individual policies or a group association are automatically assigned the Default Policy. This allows flexibility in setting a new VM’s network access. Note that application of default policy is dependent on where the VM is deployed. If less than the complete vSwitch was secured, the rule set includes the policies of all three tiers. You can click the show all link at the top of the policy to expand and display the full rule set. See Figure 50.


Figure 50 Default Policy Model

Figure 51 shows a full policy for a VM.

Figure 51 Full Policy for a VM

Policy Creation and Rule Precedence

The vGW Virtual Gateway network policy editor explicitly displays the order of the rules applied when combining policies from different sources. A placeholder in the VM and Group policies indicates rule precedence.

By placing a rule below the VM/Group Policy placeholder, you are allowing exceptions to be created for a VM or Group of VMs. This could be something such as “SNMP connections should be allowed to all VMs, for monitoring and management purposes, but if a machine has a vulnerable or buggy SNMP daemon, it can be blocked in its individual VM policy.” See Figure 52.


Figure 52 Policy Creation and Rule Precedence

The example in Figure 52 shows that the file-sharing protocol Kazaa is rejected. Because the rule rejecting this protocol is located above the VM/Group Policy placeholder in the list, vGW Virtual Gateway rejects the protocol before considering any VM/Group Policy.

The rule that rejects the telnet protocol is placed below the VM/Group Policy placeholder. A VM may require telnet access, but unless an explicit VM or Group policy accepts telnet, vGW Virtual Gateway rejects it.

It is also possible to have multiple groups (such as Fileservers and MIS-Systems), and a VM can be a member of each group. You set the precedence of the different groups when you create them through Settings -> Security Settings -> Groups. In Figure 53, the Fileservers group is listed at the top because its order of precedence is set to one. The VM, however, is a member of two groups and will also get the MIS-Systems policies.
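The following is an added example (not Juniper code or a vGW API) that models the rule ordering described above as a first-match evaluator: Global rules above the VM/Group Policy placeholder, then group rules in precedence order, then the VM's own rules, then Global rules below the placeholder. The Rule and Group classes, the function names and the sample group rules are constructed here; the Kazaa, telnet and SNMP rules follow Figure 52 and the text, and placing group rules before VM rules is an assumption based on the Global -> Group -> VM order of Figure 49.

```python
"""First-match evaluator for the three-tier policy ordering described above.

Added example, not vGW code: the Rule and Group classes, the function names
and the sample rules are constructed here. It models the Figure 52 rules
(Kazaa rejected above the VM/Group Policy placeholder, telnet rejected below
it) and the SNMP exception from the text. Assumption: group rules are placed
before the VM's own rules, following the Global -> Group -> VM order of
Figure 49, and groups with a lower precedence number are listed first.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union

PLACEHOLDER = "VM/Group Policy"  # marker shown in the Global policy editor


@dataclass(frozen=True)
class Rule:
    protocol: str  # protocol object name, for example "telnet"
    action: str    # "accept" or "reject"
    tier: str      # which policy contributed the rule (shown in the editor)


@dataclass
class Group:
    name: str
    precedence: int  # 1 = evaluated first (Settings -> Security Settings -> Groups)
    rules: List[Rule] = field(default_factory=list)


def effective_policy(global_rules: List[Union[Rule, str]],
                     groups: List[Group],
                     vm_rules: List[Rule]) -> List[Rule]:
    """Expand the placeholder into the ordered rule set the policy editor displays."""
    slots = [i for i, r in enumerate(global_rules) if r == PLACEHOLDER]
    if len(slots) != 1:
        raise ValueError("global policy needs exactly one VM/Group Policy placeholder")
    idx = slots[0]
    above = [r for r in global_rules[:idx] if isinstance(r, Rule)]
    below = [r for r in global_rules[idx + 1:] if isinstance(r, Rule)]
    # Groups with a lower precedence number are listed first, then the VM policy.
    group_rules = [r for g in sorted(groups, key=lambda g: g.precedence) for r in g.rules]
    return above + group_rules + vm_rules + below


def decide(policy: List[Rule], protocol: str) -> Optional[Rule]:
    """Return the first rule mentioning the protocol; None if no tier has one."""
    for rule in policy:
        if rule.protocol == protocol:
            return rule
    return None


# Constructed sample policies.
GLOBAL: List[Union[Rule, str]] = [
    Rule("kazaa", "reject", "global"),   # above placeholder: no lower tier can override
    PLACEHOLDER,
    Rule("telnet", "reject", "global"),  # below placeholder: default unless a lower tier accepts
    Rule("snmp", "accept", "global"),    # monitoring allowed to all VMs by default
]
FILESERVERS = Group("Fileservers", precedence=1, rules=[Rule("smb", "accept", "Fileservers")])
MIS_SYSTEMS = Group("MIS-Systems", precedence=2, rules=[Rule("smb", "reject", "MIS-Systems")])

# A VM in both groups that needs telnet but runs a buggy SNMP daemon; its kazaa
# exception is ineffective because the Global reject sits above the placeholder.
VM_RULES = [
    Rule("telnet", "accept", "vm"),
    Rule("snmp", "reject", "vm"),
    Rule("kazaa", "accept", "vm"),
]

POLICY = effective_policy(GLOBAL, [MIS_SYSTEMS, FILESERVERS], VM_RULES)

if __name__ == "__main__":
    for proto in ("kazaa", "telnet", "snmp", "smb", "ssh"):
        hit = decide(POLICY, proto)
        print(proto, "->", f"{hit.action} ({hit.tier})" if hit else "no rule")
```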


Figure 53 Group Precedence


Smart Groups

In most organizations, the virtual environment is very dynamic. New virtual machines can be easily created from templates, virtual switches can be reconfigured, and systems often move from one physical host to another. The dynamic nature of this environment, coupled with the fact that IT teams are often already understaffed, necessitates a security solution that can adapt automatically. Clearly, not all organizations will want all of their security policies to be changed in an automated manner, as explicit authorization for some changes is a crucial requirement. The vGW Virtual Gateway solution gives administrators complete control because security changes can be applied automatically and instantly, or simple alerts can be generated signaling the need for manual intervention.

To give administrators the ability to automate the application of security and the ability to recognize that their environment is changing, the vGW Virtual Gateway uses a feature called Smart Groups. This feature allows for the creation of a group of VMs that changes based on administratively defined criteria. VMs that suddenly have a configuration change that meets predefined criteria can be added to or removed from groups within seconds. For example, if a VM administrator associates the virtual network interface of a VM to the corporate production network, you can immediately apply a set of firewall rules to protect that system.

Smart Group creation options (the parameters used to define the group) are obtained from two locations: namely, the vGW Security Design VM attributes and vCenter attributes. The vGW Virtual Gateway Security Design VM can discover items such as which applications are installed on a VM (through VM Introspection) while VMware’s vCenter identifies attributes such as the port group to which the virtual network interface is connected. There are numerous attributes each classified into “vf” (vGW-based) and “vi” (vCenter-based) categories as described in Table 12.

NOTE: The following values are returned for the Type field specified in Table 12:

Boolean: True or False

Integer: Numeric value

String: Free-form text string

Multi String: Multiple string values concatenated together with separators such as commas, semicolons or slashes

Multi Value: Pull-down selection of available choices

Table 12 Smart Group Attributes

vf.app_count_bad (Integer): Number of applications on a VM that are classified as bad.

vf.app_count_known (Integer): Number of applications on a VM that are classified as known.

vf.app_count_unclassified (Integer): Number of applications on a VM that are unclassified.

vf.app_count_unknown (Integer): Number of applications on a VM that are classified as unknown.


vf.application (String): Application installed on a VM. The text string for the application includes name, version, and vendor; for example, "MSXML 6.0 Parser, 6.10.1129.0, Microsoft Corporation."

vf.description (String): Text string description of a VM, as defined in vGW Settings in the Machines screen.

vf.firewall (String): Is this VM a vGW Security VM? None, Bridge or VMsafe; None matches all VMs except vGW Security VMs.

vf.group (Multi String): Comma separated string of all the vGW groups to which a VM belongs. For example, finance, Windows, PCI.

vf.has_installed_group_policy (Boolean): Does the VM have a nondefault group policy installed?

vf.has_installed_policy (Boolean): Does the VM have an installed security policy? The policy is either a nondefault group policy or a VM policy.

vf.hotfix (Multi String): Hotfix installed on a VM.

vf.monitored (Boolean): Is a VM currently being monitored by vGW? This is true if the VM is secured (a secured VM is also monitored by default).

vf.name (String): Name as defined in the vGW Virtual Gateway GUI.

vf.os (String): OS installed on a VM.

vf.secured (Boolean): Is a VM currently secured by vGW?

vf.secured_active (Boolean): Is the VM actively being protected by vGW? Unlike vf.secured, which tells you whether the vGW Virtual Gateway has been configured to protect this VM, this value tells you whether the VM is currently being protected (that is, it is on the network and a Security VM is actively protecting traffic to the VM). Same as the Status and Configuration view.

vf.tag (String): Tags associated with this VM, semicolon separated. For example: finance;pci=true;audited=true. Tags are defined in the vGW Virtual Gateway Settings within the Machine configuration.

vf.type (Multi Value): What type of machine object is this? VM, ESX Server, vGW VM, External Machine.

vf.vmsafeconfig (Multi Value): VMsafe failure mode for this VM. failOpen, failClose.

vi.attribute (Multi String): The attribute values that are defined in the annotation box in VI. Encoded as multiple strings attribute=value.

vi.cluster (String): Cluster containing a VM. If the ESX host is not in a cluster, it is null.

vi.datacenter (String): Data Center in vCenter where a VM is housed.

vi.folder (Multi String): The folder containing a VM in vCenter. Folders may be nested, in which case the string is a slash separated path, for example /Finance/Production/.

vi.host (String): ESX host hosting a VM.

vi.ipv4 (IPv4, multi value): The IPs as known on a VM. Can be coded as a single address or a range. Examples include 192.168.10.1 or 192.168.10-11.23-55.


Attribute name Type Description Comments

vi.memory_inspection Boolean Is VMsafe memory and CPU API enabled for this VM?

vi.name String Name of this VM as defined in vCenter.

vi.notes String Annotation free text notes attached to the VM in vCenter.

vi.numvnic Integer Number of connected vNICs.

vi.os String Operating system defined for the VM in vCenter. Single string, operating system plus full version. Note: Unlike vf.os, this value is manually set by the administrator and, therefore, can be incorrect. vf.os retrieves the actual OS running on the VM.

vi.pg_security.forgedtransmits Boolean Is a VM connected to a port group that allows forged MAC addresses (MACs other than those defined in the VMX)?

vi.pg_security.macchanges Boolean Is a VM connected to a port group that allows reception of unknown MAC addresses (MACs other than those defined in the VMX)?

vi.pg_security.promiscuous Boolean Is a VM connected to a promiscuous port group?

vi.portgroup Multi String The connected port group. For running/suspended VMs, these are the port groups that are actually connected. For a stopped VM, this is the port group that is connected upon power-on.

vi.portgroup.all Multi String All port groups a VM is configured to use. Includes connected and non-connected port groups.

vi.powerstate Multi Value What is the current power state of this VM? poweredOn, poweredOff, suspended, NA.

vi.resourcepool String Resource pool the VM is a member of in vCenter.

vi.vapp Multi String vApp group the VM is a member of in vCenter.

vi.vlan Integer (multi value) VLANs of connected port groups. VMs with multiple vNICs may be connected to multiple VLANs, in which case vi.vlan==1 means "if ANY vNIC is connected to VLAN 1".

vi.vlan.all Integer (multi value) VLANs of all interfaces. Lists all VLANs in use.

vi.vmci_enabled Boolean Is VMCI (shared memory communications) enabled for this VM?

vi.vmsafe_configured Boolean Is VMsafe firewall security enabled for this VM?

vi.vmsafe_dvfilter Multi String The dvfilters protecting this VM. vGW Virtual Gateway as well as other non-vGW products using VMsafe are reported.

vi.vmwaretools.running Boolean Is VMware Tools running on this VM?

vi.vmwaretools.uptodate Boolean Is the version of VMware Tools installed on this VM up to date?

vi.vswitch Multi String vSwitch the VM is connected to.

To build a Smart Group using the attributes in the table, use the editor located in Settings -> Groups -> Add Smart Group. This editor has two modes. The default is Basic mode. Basic mode lets you select one or more attributes and assign an All or Any constraint. You add rules by clicking the + sign.

Figure 54 shows a group of webservers created when both the VMware vCenter name (vi.name) contains www and the VM has an application named Apache installed on it. This information is obtained through VI Introspection and is stored in vf.application.

Figure 54 Smart Group Editor in Basic Mode

Figure 54 also shows that the Smart Group can obtain a firewall policy because Policy Group is selected. Policy changes for this group need to be applied manually by selecting Manual here and through Settings -> Firewall -> Apply Policy.

The editor’s Advanced mode allows you to write regular expressions to construct more complicated scenarios. Figure 55 shows the simple WebServers example entered in the advanced mode.

Figure 55 Smart Group editor in Advanced Mode

The selection query field allows you to define expressions based on a simple set of operators. In general, VMs have attributes. You can write an expression in the context of each VM (getting its attributes) and if the expression evaluates True, the VM becomes part of the group.

Table 13 describes the various Smart Group attribute types and operators.

Table 13 Advanced Smart Group Attributes

Attribute Type Supported Operators

String The most common attribute type.

Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).

Full wildcard support, such as name = "finance-*", is recognized.

Numerical Equals (=), Greater than (>), Not-Equals (!=), Less-Than (<), In (in), Not in (not_in).

IP Equals (=), In (in), Not in (not_in).

Boolean Equals (=), Not-Equals (!=) Return value is either true or false. For example, vf.secured = false or vf.secured != true.

Multi Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).

Group Contains (~), Not-Contains (!~), Equals (=), Not-Equals (!=), Matches RegExp (=~).

NOTE: You can combine parameters with the and operator. Examples:

vf.os="Windows XP" and vi.datacenter != "string"

vi.name =~ "finance-*" and vf.group != "string"

Also you can do wildcard matches (provided you match on a full string). Examples:

.*WWW.* - Match VMs with WWW anywhere in the name

^Corp.* - Match VMs starting with Corp

.*1$ - Match VMs ending with "1"

.*Tier-[1-3].* - Match VMs with Tier-1/2/3

^[ABC].* - Match VMs starting with A, B, or C
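The selection language described above (the attribute types and operators of Table 13, "and" chaining, the full-string rule for =~, wildcards in = and the ANY semantics for multi-valued attributes such as vi.vlan) as a small evaluator. This is an added example, not vGW's own implementation; it runs against a constructed inventory of three VMs. Treating "in" as CIDR membership for IP attributes and as a comma-separated list for numeric attributes is an assumption, as is reading a negated operator as the complement of its positive form.

```python
import fnmatch
import ipaddress
import re

# Constructed inventory (not from the guide): attribute name -> value for each VM.
# Multi-valued attributes (Multi String, multi-value Integer and IPv4) are lists.
SAMPLE_VMS = {
    "www-finance-01": {"vi.name": "www-finance-01", "vf.application": ["Apache", "OpenSSH"],
                       "vf.secured": True, "vi.vlan": [10, 20], "vi.ipv4": ["192.168.10.25"],
                       "vf.os": "Linux", "vi.numvnic": 2, "vi.datacenter": "DC-East"},
    "WWW-Corp-1": {"vi.name": "WWW-Corp-1", "vf.application": ["IIS"],
                   "vf.secured": False, "vi.vlan": [30], "vi.ipv4": ["192.168.11.40"],
                   "vf.os": "Windows XP", "vi.numvnic": 1, "vi.datacenter": "DC-West"},
    "db-Tier-2": {"vi.name": "db-Tier-2", "vf.application": ["MySQL"],
                  "vf.secured": True, "vi.vlan": [20], "vi.ipv4": ["10.1.2.3"],
                  "vf.os": "Linux", "vi.numvnic": 1, "vi.datacenter": "DC-East"},
}

IP_ATTRS = {"vi.ipv4"}  # attributes of the IP type
_NEGATED = {"!=": "=", "!~": "~", "not_in": "in"}  # negated operator -> positive form
_CLAUSE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*(=~|!=|!~|not_in|in|~|=|<|>)\s*("[^"]*"|\S+)\s*$')
_AND = re.compile(r"\s+and\s+", re.IGNORECASE)


def parse(expr):
    """Split an expression on 'and' into (attribute, operator, value) clauses.
    Typographic quotes, as printed in the guide, are accepted; a quoted value
    must not itself contain ' and '."""
    expr = expr.replace("\u201c", '"').replace("\u201d", '"')
    clauses = []
    for part in _AND.split(expr):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError("cannot parse clause: %r" % part)
        attr, op, raw = m.groups()
        clauses.append((attr, op, raw.strip('"')))
    return clauses


def _ip_matches(ip, pattern):
    """Single address or the guide's per-octet range form, e.g. 192.168.10-11.23-55."""
    octets, parts = ip.split("."), pattern.split(".")
    if len(octets) != 4 or len(parts) != 4:
        return False
    for octet, part in zip(octets, parts):
        lo, _, hi = part.partition("-")
        if not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True


def _match_scalar(attr, actual, op, raw):
    """Positive operators on one scalar value; negatives are handled by evaluate_clause."""
    if attr in IP_ATTRS:
        if op == "=":
            return _ip_matches(actual, raw)
        if op == "in":  # assumption: 'in' takes a CIDR network for IP attributes
            return ipaddress.ip_address(actual) in ipaddress.ip_network(raw, strict=False)
    elif isinstance(actual, bool):  # checked before int, since bool is an int subclass
        if op == "=":
            return actual is (raw.lower() == "true")
    elif isinstance(actual, (int, float)):
        if op == "in":  # assumption: comma-separated list of numbers
            return actual in [float(x) for x in raw.split(",")]
        if op in ("=", "<", ">"):
            n = float(raw)
            return actual == n if op == "=" else actual < n if op == "<" else actual > n
    else:  # String, Multi and Group attributes
        if op == "=":  # full wildcard support: name = "finance-*"
            return fnmatch.fnmatchcase(actual, raw) if "*" in raw else actual == raw
        if op == "~":  # Contains
            return raw in actual
        if op == "=~":  # Matches RegExp: the pattern has to match the full string
            return re.fullmatch(raw, actual) is not None
    raise ValueError("operator %r is not supported for %s" % (op, attr))


def evaluate_clause(vm, attr, op, raw):
    """A multi-valued attribute matches if ANY element matches (the guide's
    vi.vlan=1 semantic). A negated operator is the complement of its positive
    form, so vf.application !~ "SQL" holds only if no element contains SQL."""
    value = vm.get(attr)
    values = value if isinstance(value, list) else [value]
    positive = _NEGATED.get(op, op)
    hit = any(v is not None and _match_scalar(attr, v, positive, raw) for v in values)
    return not hit if op in _NEGATED else hit


def select(vms, expr):
    """Names of the VMs for which every 'and'-joined clause evaluates True."""
    clauses = parse(expr)
    return sorted(name for name, vm in vms.items()
                  if all(evaluate_clause(vm, *clause) for clause in clauses))


if __name__ == "__main__":
    for query in ('vi.name ~ "www" and vf.application = "Apache"',  # the Figure 54 group
                  'vf.os="Windows XP" and vi.datacenter != "DC-East"'):
        print("%-50s -> %s" % (query, select(SAMPLE_VMS, query)))
```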

VMotion Support

The vGW Virtual Gateway fully supports VMotion, and can immediately sense when a VMotion event has occurred (either through a manual move or through VMware’s DRS). When the vGW Virtual Gateway recognizes a new virtual machine on an ESX server (either through VMotion or simple creation of a new VM), it assigns and enforces the correct policies to the newly positioned system (including global, group, and individual VM policies). The vGW Virtual Gateway maintains the state table for the connections and places the appropriate restrictions on the inbound and outbound traffic to the VM.

Very little needs to be configured by an administrator to enable VMotion support with the vGW Virtual Gateway. The general recommendations and warnings are as follows:

The VM being VMotioned must be on shared storage (for example, NAS). However, vGW Security VMs (also known as Firewalls) do not need to be on a NAS because they do not move. The vGW Virtual Gateway uses unique Port Groups to make sure the Modules do not migrate. The vGW Virtual Gateway also sets the vGW Security VMs in vCenter to a DRS automation level of Disabled. You can verify settings in VMware through Edit Settings on Cluster -> Virtual Machine Options.

The vGW Security Design VM (Primary and/or Secondary) should be placed on the NAS and set up to motion as appropriate for your environment.

The vGW Virtual Gateway and the VMware Dynamic Power Management feature (DPM) are not currently compatible unless you manually shut down the vGW Security VM.

For vGW Virtual Gateway installations using a VMsafe deployment, no explicit VMotion configuration is necessary.

For Bridge Mode installations, use the procedure described in "Enabling VMotion Support in Bridge Mode Installations (Non-VMsafe)" on page 74.

Enabling VMotion Support in Bridge Mode Installations (Non-VMsafe)

The following edit needs to be performed on the Virtual Center system (as per http://kb.vmware.com/kb/1006701). Virtual Center validates VM and ESX configurations when performing VMotion migrations. The default checks do not allow VMotion for VMs on internal networks (vSwitches not connected to physical NICs), because it is assumed these VMs cannot move and still maintain their network state. The vGW Virtual Gateway does manage the VM policy and network session state through VMotion migrations, so this setting tells the Virtual Center to allow migrations for internal networks.

1. Connect to the console of the server running Virtual Center.

2. Add the following text to the configuration file vpxd.cfg in Virtual Center. It should be located at the end of the file, but still within the <config> section. The vpxd.cfg file is typically located in: c:\documents and settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg

3. Restart the Virtual Center for the change to take effect.

There are no other special edits that need to be made on any objects or menus in the vGW Security Design VM. After the two items are configured, the vGW Virtual Gateway is capable of securely supporting VMotion events.

Configuring VMware HA and DRS

VMware HA can be set to start vGW Virtual Gateway components on different ESX hosts in the event of a failure. For the vGW Security Design VM, this automatic moving and restarting is fine. However, for each vGW Virtual Gateway component on the ESX hosts (vGW Security VMs), it is important that they do not move to a new host. Not only is it unnecessary to move the components (they are each only responsible for protecting VMs on a given host, so if the host is down then there is nothing to protect), it can be detrimental if, after a failure, the vGW Virtual Gateway components are not moved back into their original positions.

NOTE: The following settings should be configured automatically by vGW. They are included here for reference purposes.

1. Turn VMware HA off for each vGW Virtual Gateway component (other than the vGW Security Design VM) by using vSphere/vCenter client. Select the Cluster object -> Edit Settings -> VMware HA -> Virtual Machine Options -> (select each Juniper Networks vGW Security VM) -> VM Restart Priority (set to disabled) and Host Isolation Response (set to Leave VM Powered on).

2. Turn VMware DRS off for each vGW Virtual Gateway component (other than the vGW Security Design VM) by using vSphere/vCenter Client. Select the Cluster object -> Edit Settings -> VMware DRS -> Virtual Machine Options -> Automation Level (set to disabled).

System Updates

The vGW Virtual Gateway solution has a built-in mechanism to update any component of the architecture with new security protections, bug fixes, and other enhancements. You can update vGW Security VMs individually or you can use Batch Update to update multiple Security VMs, either immediately or at a scheduled time.

CAUTION: In Bridge Mode, it is important that you VMotion any protected VMs to another ESX host or protected vSwitch prior to updating the vGW Security VM, so no downtime occurs for the VMs being protected by the firewall. In some cases, vGW Virtual Gateway firewall updates require services to be stopped and/or force a reboot of the VM firewall. You can leverage VMotion to make sure no connectivity to your systems is lost and all VMs remain protected throughout the update process.

Manually Applying System Updates

Follow Steps 1 and 2 for the vGW Security Design VM and Step 3 for each of the vGW Security VMs in your infrastructure:

1. Make sure a proper entitlement key exists on the vGW Security Design VM. Without an entitlement key, you cannot activate and install an update. You obtain the entitlement key when you purchase the product and software subscription contract. Insert the entitlement key in the Settings -> vGW Application Settings -> Status & License section. This area also shows the update status of the vGW Security Design VM.

2. If an update for the vGW Security Design VM is required, navigate to Settings -> Appliance Settings -> Updates in the vGW Virtual Gateway interface. You can then click Check for Updates to query the Juniper Networks update servers. If an update exists, click Update Now to apply the changes. The vGW Virtual Gateway downloads updates from Juniper Networks as needed. In some cases, an update requires a reboot of the vGW Security Design VM. To do an online update as described here, the vGW Security Design VM must have connectivity to the Juniper Networks update servers (HTTPS, TCP 443). However, it is possible to do an offline update by clicking Advanced. After you have obtained the update ISO from Juniper Networks Support and have mounted it on the virtual machine, select Offline Update. See Figure 56.

Figure 56 Offline Updates

3. Update each of the vGW Security VMs by navigating to the Firewall -> Status and Configuration tab and selecting the firewall in the table. You are presented with additional menu options. As with the vGW Security Design VM update, you can update the individual firewalls by clicking Check for Updates. You may need to scroll to see information about software updates. See Figure 57.

Figure 57 Firewall Status in the Status and Configuration tab

Using Batch Update to Update Multiple vGW Security VMs

You can use the batch update feature to update multiple vGW Security VMs in one process. The vGW Security VMs can be VMsafe or Bridge mode based. With the batch update feature, you can specify:

Selected updates run immediately, one after the other

Selected updates run at a scheduled time

To set up batch updates:

1. If you do not see the Updates screen, select Settings -> Appliance Settings -> Updates. See Figure 58.

Figure 58 Batch Update Configuration Settings

2. Under Batch updates, enter the Custom Product version, and then select the vGW Security VMs you want to update.

3. If you want the update to run when the ESX host is in Maintenance mode, choose an appropriate setting.

4. Do one of the following:

If you want the batch update to begin now, for Start Time, select Now, and then click Schedule Update.

If you want the batch update to begin at a scheduled time, select Later, enter a start date, start time, and optionally an end time and an e-mail account to which an update status message is sent when the update is either complete or interrupted. Then click Schedule Update.

If you specify an end time, the vGW Virtual Gateway will complete any update that is in progress when the end time is reached, but will not begin any new vGW Security VM updates. If you specified an e-mail address for Status email, a message is sent indicating which vGW Security VMs were updated and which are pending.

Status and Alerts

The vGW Virtual Gateway can display several status icons within the user interface and several mechanisms for sending alerts, so administrators know exactly what is happening on the virtual network.

Status

The vGW Virtual Gateway Web interface displays a yellow or red status icon to indicate an event or configuration issue that merits attention. See Figure 59.

Figure 59 Status Icon

Click the status icon to display the Status tab in the Main screen.

The sections of the product that have triggered a status change are displayed with most important status changes at the top shown in red. For details on the status issues, click the more link next to the status summary line. See Figure 60.

Figure 60 Details on the vGW Virtual Gateway Status

Alerts

The vGW Virtual Gateway can send alerts when the log field in a rule in a security policy is set to Alert or Custom E-Mail Alert Tag and a connection matching this rule is seen on the network.

In Figure 61, rule three is a Custom E-mail Alert Tag (sending e-mail to the MIS department). Rule two is set to send an SNMP trap as well as an e-mail alert.

Figure 61 Alerts Used in Rules

In addition to alerts generated by security rules, vGW will monitor High, Medium and Low Security events (displayed through Main -> Status) and report those Alerts out through the settings here (that is, through E-Mail, SNMP trap, or both).

In both cases, alerts use the settings found in Settings -> Security Settings -> Alerting. See Figure 62.

Figure 62 Alert Settings

You can choose to send an e-mail alert and an SNMP trap, only e-mail alerts, or only SNMP traps.

E-mail Alert Settings

Enable e-mail alerts by providing the mail relay server IP address as well as the source and destination e-mail addresses. The aggregation time is the gap between successive notifications. See Figure 63.

You are not required to configure multiple e-mail recipients. However, four custom e-mail alert tags can be created that point to different e-mail aliases or individual e-mail accounts (or a combination of the two). These custom tags can then be specified in the security policy editor. In Figure 62, one tag was created that was called MIS.

Figure 63 Custom E-Mail Alert Tags

If you want to send both an e-mail alert and an SNMP trap on a single rule, you can do so by using the standard alert icon. However, only the e-mail addresses listed in the Recipients Addresses are used. In other words, custom tags cannot be used when sending e-mail and SNMP alerts.

SNMP Trap Settings

SNMP traps can be set through Version 1 or Version 2. You must enter the SNMP server address and community string. You can again set the aggregation time (the delay between successive events), if wanted.

AutoConfig and Multicast Alerts

By default the vGW Virtual Gateway solution is configured to alert when autoconfig addresses are discovered (Settings screen -> Security Settings -> Alerting). No alert is automatically sent when Multicast is seen (though this can be enabled).

o Autoconfig addresses: When a machine does not have an IP address configured or cannot acquire a DHCP lease, it defaults to an autoconfig address in the 169.254.*.* range. This setting often represents a configuration problem or an issue with the DHCP service.

o Multicast: Many hosts use multicast packets to advertise their presence on the network as well as broadcast information regarding which services they offer and configuration data. This information is often not needed, so it can be undesirable for servers to provide it. In addition, there are security issues related to advertising the services a machine has available.

High Availability

There are two types of High Availability (HA) options in the vGW Virtual Gateway solution. The first is high availability for the vGW Security Design VM. The second is high availability of the vGW Security VM.

In general, the vGW Virtual Gateway HA is compatible with VMware HA. For example, any regular VM in the virtual environment can be configured with VMware HA and still be protected by the vGW Virtual Gateway solution. In addition, the vGW Security Design VM can be configured by VMware for HA or FT. It is not possible (or necessary) to configure VMware HA or FT on the vGW Security VMs. VMware vCenter Heartbeat can be used without impact to vGW.

The main difference between the vGW Virtual Gateway HA and VMware HA is that VMware HA will bring up a mirrored copy of the original (potentially OS crashed) VM on another host, whereas the vGW Virtual Gateway maintains two different operating systems and checks the health between these systems. Therefore if for some reason an OS or service crash occurred in the vGW VM, the secondary component could take over functionality (instead of bringing up a mirrored crashed VM on another host).

The two types of vGW Virtual Gateway HA (the vGW Security Design VM and the vGW Security VM) are covered in detail in the sections that follow.

The vGW Security Design VM High Availability

The vGW Security Design VM is the main point of control for the entire vGW Virtual Gateway infrastructure. The vGW Security Design VM is responsible for presenting the user interface, distributing policy to the vGW Virtual Gateway modules, consolidating logging, hosting the network monitoring database, and other important functions.

If the vGW Security Design VM is unavailable (for example, it has been turned off or it crashed), an administrator cannot make configuration changes to the infrastructure and newly created VMs or VMs moving through VMotion/DRS cannot retrieve the correct security policy (in Bridge mode).

The vGW Virtual Gateway system's primary/secondary option for management allows the secondary vGW Security Design VM to continue serving up policy until the primary can be brought back online. This allows all normal network activity to continue without interruption. Specifically, new VMs powered on the ESX/ESXi host retrieve policy rather than defaulting to the VMsafe failure mode, and in Bridge Mode VMotioned VMs can retrieve policy (with VMsafe this happens automatically without Center interaction).

To install a secondary vGW Security Design VM, you must build another VM from the vGW Security Design VM OVF/OVA (or TGZ file).

1. Import the vGW Security Design VM. Load the OVF/OVA file for the vGW Security Design VM through the VMware VirtualCenter/vSphere Client (File -> Virtual Appliance -> Import).

2. Take the defaults for the virtual appliance import.

CAUTION: The OVF import process prompts you for a database disk. You can simply accept the 8 GB size (even if your primary is configured for a larger size). The secondary will not store the same type of information as the primary and thus does not need more than 8 GB. Once the import is finished, you should not power on the newly created secondary VM.

3. Open the primary management center and select the secondary VM in the High Availability section. Select Settings -> vGW Application Settings -> High Availability.

NOTE: If you have not done a VM update from the vGW interface (Settings -> vGW Application Settings -> vCenter Integration -> Update VMs) you may need to do so before the Secondary VM is recognized by the vGW solution.

4. Enter either DHCP or Static as the IP address.

5. Click Save.

The secondary management VM is automatically powered on and configured. This process takes approximately ten minutes. After these operations complete, you can log in to the Secondary Management center through the IP address specified in step 4.

The vGW Virtual Gateway solution monitors connectivity between the two management stations and initiates a promotion of the secondary system if there is no response for three minutes. When the primary is brought back online (that is, after it is recovered or the host it was on is repaired), it automatically retakes the primary role. The solution is not designed to replace normal backup operations: it is expected that the primary will be brought back online quickly, and it is not possible to rebuild a primary from a secondary, so proper backups of the VM are still necessary.

vGW Security VM HA

In addition to having a secondary management center, it is important to have some redundancy at the Security VM level. When using a VMsafe installation, it is possible to have a primary and secondary vGW Security VM. The vGW Security VM is installed on each ESX host and designed to interface with the hypervisor directly.

CAUTION: Secondary Security VMs are only supported in VMsafe mode installations, not in Bridge mode.

Having a secondary vGW Security VM means that if the primary goes down, no logging, network reporting, security alerting, or VM protection is lost.

To install a secondary vGW Security VM, you must build another virtual machine from the original vGW Security VM. Unlike the case of creating a secondary management center, when you create the new Security VM, the vGW Virtual Gateway solution simply clones the existing Security VM.

To clone the existing Security VM:

1. Click Firewall -> Status and Configuration.

2. Select the firewall you want to duplicate and scroll down until you see High Availability. See Figure 64.

3. Click Configure.

4. Input the details for the secondary control module, which is built by cloning the primary. Include the appropriate IP addressing information, management network, and datastore location.

Figure 64 High Availability Settings

It is not as important to have backups of the vGW Security VMs as it is for the vGW Security Design VM (new vGW Security VMs can be deployed from the templates if necessary; this cannot be done, however, for the vGW Security Design VM).

Juniper Networks Product Interoperability

The Juniper Networks vGW Virtual Gateway was designed and implemented for virtualized environments, in particular hypervisor-based deployments. However, it allows you to integrate your virtualized deployment with the security mechanisms and other resources that you deploy to protect your physical assets.

Integration between the physical and virtual domains allows for end-to-end security insight, protection, and management.

This section covers the vGW Virtual Gateway integration with other Juniper Networks products, including:

SRX Series Gateway security zones

Security Threat Response Manager (STRM)

Intrusion Detection and Prevention (IDP)

About SRX Series Services Gateway Security Zones

A security zone is a collection of one or more network segments on SRX Series devices requiring the regulation of inbound and outbound traffic through policies.

Security zones are logical entities to which one or more interfaces on the SRX Series device are bound.

On a single SRX Series device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. You can define many security zones, bringing finer granularity to your physical network security design—and without deploying multiple security appliances to do so.

From the perspective of security policies, traffic enters into one security zone and goes out on another security zone. This combination of a from-zone and a to-zone is defined as a context. Each context contains an ordered list of policies.

SRX Series devices support many types of security zones.

SRX Series Services Gateway Zones

The vGW Virtual Gateway SRX Series zones synchronization feature provides an automated way to link the vGW Virtual Gateway virtual security layer with the SRX Series Services Gateway physical device and network security.

The SRX Series zone feature simplifies VM-to-zone mapping by importing zones configured on SRX Series devices into the virtual environment.

You can use these zone assignments to:

Apply zone policies to use between VMs.

Integrate zones with compliance checking to ensure that VMs are attached only to authorized zones.

The process that the vGW Virtual Gateway undertakes to synchronize SRX Series zones with the VMs entails many steps. It defines:

An SRX object. This entails obtaining zone configuration information from the SRX Series device, mapping zones to the SRX Series interface, and associating VLANs or network ranges with each zone.

Zones as Smart Groups within the vGW Virtual Gateway based on the VLANs and the networks associated with each zone.

It also validates that Smart Groups dynamically associate each VM with the appropriate zone. This process allows for policy enforcement between VMs and zones compliance validations.

Enabling the Junoscript Interface for vGW Virtual Gateway Access

To allow the vGW Virtual Gateway to gain access to the SRX Series device for zone synchronization, you must enable the Junoscript XML scripting API. To do so:

1. Generate a digital Secure Sockets Layer (SSL) Certificate and install it on the SRX Series device.

a. Enter the following openssl command in your SSH command-line interface on a BSD or Linux system on which openssl is installed. The openssl command generates a self-signed SSL certificate in the privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted 1024-bit RSA private key to the specified file.

% openssl req -x509 -nodes -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

b. When prompted, type the appropriate information in the identification form. For example, type US for the country name.

c. Display the contents of the file that you created:

cat mycert.pem

d. Install the SSL certificate on the SRX Series device. Copy the file containing the certificate from the BSD or Linux system to the SRX Series device. To install the certificate using the CLI, enter the following statement in configuration mode:

[edit]

user@host# set security certificates local mycert load-key-file mycert.pem

2. Configure HTTPS web-management using the mycert certificate:

[edit]

user@host# set system services web-management https local-certificate mycert

user@srx# set system services web-management https interface ge-0/0/0.0

user@srx# set system services web-management https port 443

3. Configure the IP address for the interface, if it is not already configured.

4. Enable Junoscript communications using the newly created certificate:

[edit]

user@srx# set system services xnm-ssl local-certificate mycert

Configuring an SRX object

To create a new SRX Series zone object using the vGW Security Design VM interface:

1. Select the Settings module.

a. In the Security Settings box on the left pane, select SRX Zones.

b. Click the Add button on the lower right side of the screen.

c. In the Filter box, enter a name for your SRX object, and click Add.

d. Specify the following information for the SRX object in the Add SRX Zone box:

o Name: A short descriptive name for the SRX object. This name is used in VM zone labels.

o Host: Device management IP address on the SRX Series device used to connect to the vGW Security Design VM.

o Port: TCP port used to connect to the SRX Series device through the Junoscript interface.

o Login ID and Password: Credentials used to authenticate to the SRX Series device. The account for the SRX object requires read access to the SRX Series device’s zones, interface, network, and routing configuration. Optionally, it requires write access to the Address Book for each zone to populate it with VM entries.

o If you do not want the system to enter VM objects into the SRX Series device's address book, it is not necessary to provide write access.

o VMs associated with this SRX Series device: This parameter specifies the scope against which VMs are assessed for the SRX Series device. It defines VMs that are relevant to the device.

You must provide this information for each SRX Series device that is protected by the vGW Virtual Gateway, or if only a subset of VMs are behind an SRX Series device.

To define synchronization intervals and relevant interfaces, click Load Zones at the bottom of the Add SRX Zone box after you save the SRX object.

Figure 65 Edit SRX Zone Dialog Box

Configuring the vGW Virtual Gateway Automatic Zone Synchronization Process

After the zone synchronization process has completed, a list of zones that the vGW Virtual Gateway retrieved is displayed. You can select the zones to import into the vGW Virtual Gateway as VM zone groupings.

You can configure zone synchronization to automatically poll the SRX Series device for zone updates.

To control synchronization update, specify values for the following parameters:

Update Frequency: How often to query the SRX Series device for updates (interval).

Relevant Interfaces: Select the SRX Series device's interfaces to be monitored by the virtual network. The vGW Virtual Gateway automatically discovers any new zones assigned to the relevant interfaces and adds them to the vGW Virtual Gateway for monitoring.


Figure 66 Configuring the Synchronization Update Process

About VM Zone Groupings

SRX Series device zones that participate in the synchronization process are automatically created in the vGW Virtual Gateway as VM Smart Groups. A Smart Group is created based on the following parameters:

VLANs associated with the SRX Series device interface.

The subnet defined on the SRX Series device interface and routes defined within a zone.

If the zone synchronization configuration includes a selection for VMs associated with this SRX Series device, the group you selected there is included in the Smart Group definition as well.

About Populating VM Objects in the SRX Series Zone Address Books

The vGW Virtual Gateway SRX Series zones synchronization feature allows VM records to be populated in the SRX Series address book for the zone that the VM belongs to. This allows the VM-to-zone mapping validation to occur within the context of the SRX Series device management.

When a VM record is added to an SRX Series device’s zone address book, it is created with the name of the VM as defined in vCenter. A string is prepended to the VM name in its address book entry to indicate that it is an auto-generated VM record. By default, the string “VM-” is used, but you can change the prefix in the synchronization dialog box.
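The following Python is an added example, not code from the vGW guide or from Juniper, that works through the two mechanisms just described: grouping VMs into per-zone Smart Groups by interface VLAN, interface subnet and zone route, and then emitting the prefixed address-book entries for a zone. The SRX interface table, zone routes and vCenter inventory are constructed for illustration. The `set security zones security-zone <zone> address-book address <name> <prefix>` form is the zone-based address-book syntax of Junos releases of that era, and the character-sanitizing rule for entry names is an assumption rather than Junos’s documented naming limits.

```python
"""Added example: vGW-style zone Smart Groups and SRX address-book population.
Not code from the vGW guide or from Juniper; all data below is constructed."""
import ipaddress
import re

# Constructed SRX interface data as vGW would read it over Junoscript: zone, VLAN, subnet.
SRX_INTERFACES = {
    "ge-0/0/1.10": {"zone": "DB", "vlan": 10, "subnet": "10.10.10.0/24"},
    "ge-0/0/1.20": {"zone": "WEB", "vlan": 20, "subnet": "10.10.20.0/24"},
}

# Constructed routes defined within a zone (prefixes reached through that zone).
SRX_ZONE_ROUTES = {
    "DB": ["10.10.11.0/24"],
}

# Constructed vCenter inventory: VM name, VLAN of its port group, IP address.
VMS = [
    {"name": "db-prod-01", "vlan": 10, "ip": "10.10.10.5"},
    {"name": "db-prod-02", "vlan": 11, "ip": "10.10.11.7"},  # placed in DB by a zone route
    {"name": "web-01", "vlan": 20, "ip": "10.10.20.9"},
    {"name": "stray vm", "vlan": 30, "ip": "192.168.1.4"},   # matches no zone: not synchronized
]


def zone_for_vm(vm, interfaces=SRX_INTERFACES, routes=SRX_ZONE_ROUTES):
    """Apply the Smart Group criteria: the interface's VLAN, the interface's subnet,
    or a route defined within the zone. Returns the zone name or None."""
    addr = ipaddress.ip_address(vm["ip"])
    for props in interfaces.values():
        if vm["vlan"] == props["vlan"] or addr in ipaddress.ip_network(props["subnet"]):
            return props["zone"]
    for zone, prefixes in routes.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return zone
    return None


def smart_groups(vms):
    """Zone name -> sorted list of member VM names, i.e. the per-zone Smart Groups."""
    groups = {}
    for vm in vms:
        zone = zone_for_vm(vm)
        if zone is not None:
            groups.setdefault(zone, []).append(vm["name"])
    return {zone: sorted(names) for zone, names in groups.items()}


def address_name(vm_name, prefix="VM-"):
    """Address-book entry name: the vCenter VM name with the auto-generated marker
    prepended. Replacing characters outside [A-Za-z0-9_-] is an assumption about
    what Junos accepts, not a documented rule."""
    return prefix + re.sub(r"[^A-Za-z0-9_-]", "_", vm_name)


def address_book_commands(zone, vms, prefix="VM-"):
    """Junos set commands that populate the zone's address book with /32 host
    entries for every VM in that zone (this is the step that needs write access
    on the SRX account). Zone-based address-book syntax is assumed."""
    cmds = []
    for vm in vms:
        if zone_for_vm(vm) == zone:
            cmds.append("set security zones security-zone %s address-book address %s %s/32"
                        % (zone, address_name(vm["name"], prefix), vm["ip"]))
    return cmds


if __name__ == "__main__":
    print(smart_groups(VMS))
    for zone in smart_groups(VMS):
        print("\n".join(address_book_commands(zone, VMS)))
```

A VM that matches no interface VLAN, subnet or zone route (the "stray vm" entry) lands in no Smart Group and produces no address-book entry; that is the case worth looking for after a synchronization run, since such a VM is invisible to SRX zone policy.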

Zone Validation Procedure

When the VM zone attachment information is accessible within the vGW Virtual Gateway management, you can incorporate it into the policy automation and compliance checking procedures.

For VMs that do not meet compliance requirements, immediate action can be taken. You can create a non-compliant group and group policy to lock out non-compliant VMs from the network. Any non-compliant VMs will be added to this group.


The following figure shows an example configuration that uses the DB zone of an SRX Series device in the DMZ as the scope of VMs to be assessed. It defines the required criteria for that zone: the VM must be tagged as DMZ-authorized, the VM name must follow the database naming requirement, and so forth.

The figure shows the scope set to the DB zone. The action specifies that non-compliant VMs are to be added to the “Non-Compliant VMs” group to be quarantined and that an alert is to be issued.
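As an added example that is not part of the guide, here is the Figure 67 validation expressed in Python so that the scope, the criteria and the two actions are explicit. The VM records, the “DMZ-authorized” tag and the database naming rule (names beginning with “db-”) are constructed stand-ins for the criteria the figure defines; the alert is returned as a string rather than sent, and quarantine-group membership is recorded on the record rather than pushed to the vGW Security Design VM.

```python
"""Added example: zone validation as configured in Figure 67, not vGW code.
VM records, tag name and naming rule are constructed for illustration."""
import re

DB_NAME_RULE = re.compile(r"^db-[a-z0-9-]+$")   # assumed database naming requirement

# Constructed VM records as vGW sees them once zone attachment is known.
VMS = [
    {"name": "db-prod-01", "zone": "DB", "tags": {"DMZ-authorized"}, "groups": set()},
    {"name": "db-prod-02", "zone": "DB", "tags": set(), "groups": set()},                  # missing tag
    {"name": "reporting-box", "zone": "DB", "tags": {"DMZ-authorized"}, "groups": set()},  # bad name
    {"name": "web-01", "zone": "WEB", "tags": set(), "groups": set()},                     # out of scope
]

# The policy: a scope (zone), the criteria every VM in that zone must meet,
# and the group that non-compliant VMs are added to for quarantine.
DB_ZONE_POLICY = {
    "scope": "DB",
    "criteria": [
        ("VM must be tagged DMZ-authorized",
         lambda vm: "DMZ-authorized" in vm["tags"]),
        ("VM name must follow the database naming requirement",
         lambda vm: bool(DB_NAME_RULE.match(vm["name"]))),
    ],
    "noncompliant_group": "Non-Compliant VMs",
}


def evaluate(vm, policy):
    """Failed criteria for a VM inside the policy scope; [] if compliant or out of scope."""
    if vm["zone"] != policy["scope"]:
        return []
    return [desc for desc, pred in policy["criteria"] if not pred(vm)]


def enforce(vms, policy):
    """Run the validation over the inventory. Each non-compliant VM is added to
    the quarantine group (whose group policy locks it out of the network) and
    one alert line is produced for it. Returns the alert lines."""
    alerts = []
    for vm in vms:
        failures = evaluate(vm, policy)
        if failures:
            vm["groups"].add(policy["noncompliant_group"])
            alerts.append("ALERT zone=%s vm=%s failed: %s"
                          % (policy["scope"], vm["name"], "; ".join(failures)))
    return alerts


if __name__ == "__main__":
    for line in enforce(VMS, DB_ZONE_POLICY):
        print(line)
```

Keeping the scope check separate from the criteria is what makes the rule safe to run across the whole inventory: a VM in another zone is simply out of scope, not a failure, so a mis-zoned web server does not get quarantined by the database rule.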

Figure 67 Zone Validation Example

STRM

Integration of Juniper Networks’ vGW Virtual Gateway with its Security Threat Response Manager (STRM) provides defense-in-depth control in the virtualized server environment.

About STRM

The vGW Virtual Gateway and Security Threat Response Manager (STRM) integration:

Brings STRM benefits such as centralized log and event management, network wide threat detection, and compliance reporting to the virtualized data center.

Allows the vGW Virtual Gateway to provide STRM with logs, events, and statistics on traffic between virtual machines.

This integration gives you a single-pane, comprehensive, and consistent view of your physical and virtual infrastructure.

Juniper Networks vGW Virtual Gateway and STRM implementations have two points of integration.

The vGW Virtual Gateway exports:

Firewall logs and events to STRM through Syslog,

Statistics on traffic between virtual machines through Netflow.


Configuring the vGW Security Design VM to Send Syslog and Netflow Data to Juniper Networks STRM

To configure the vGW Security Design VM to send Syslog and Netflow information to STRM:

1. Configure external logging in the vGW Security Design VM Settings module.

a. Select Settings -> Firewall Settings -> Global -> External Logging.

b. Specify the IP address of STRM.

2. On the same screen, configure Netflow.

Enter the IP address of STRM in the “NetFlow Configuration” section, as shown in the following figure.

Figure 68 Configure Juniper Networks vGW Virtual Gateway to send Syslog and NetFlow to STRM

Configuring STRM to Receive vGW Virtual Gateway Syslog and NetFlow Data

1. Download the STRM device extension for vGW:

a. Navigate to the Juniper Networks Support page. From the Juniper Networks main page, select the Support tab.

b. In the left column, select Download Software.

c. In the Security box, select vGW (Altor).

d. Select the Software tab.

e. Right-click the file called XML Specification for STRM and save it. Do not open the XML file in a browser to view it; a copy saved from the browser’s rendering might be corrupted.

2. Log into the STRM user interface.


3. Navigate to Config -> Sensor Device Extensions -> Add a Device Extension.

Figure 69 Adding Juniper Networks vGW Virtual Gateway Device Extension to STRM

4. Add a device extension for Juniper Networks vGW Virtual Gateway with the specifications shown in the following figure.

5. Click Browse and select the file you downloaded (XML Specification for STRM).

6. Click Upload to upload the device extension. The device extension is shown in the Extension Document list.

7. Click Save and continue.


Figure 70 Add Juniper Networks vGW Virtual Gateway Device Extension into STRM

8. In the Administration Console, choose Sensor Devices to add Juniper Networks vGW as a sensor device.

This action defines the Syslog records source.

9. Select Add a sensor device, and add the sensor device as a Universal DSM.

a. Specify the vGW Security Design VM IP address in the Device Hostname/IP field.

b. Select the Device Extension for Juniper Networks vGW Virtual Gateway that you specified previously.


c. Configure the rest of the options. You can specify any name and description.

Figure 71 Add Juniper Networks vGW Virtual Gateway Sensor Device

10. In the STRM Event Viewer screen, choose Raw Events Display option.

a. Locate a log record generated by Juniper Networks vGW with “action=allow”, and double-click to get to the “Event Details” screen.

b. Select the “Map Event” icon to map the vGW event to the STRM QID.


Figure 72 Map Juniper Networks vGW Virtual Gateway to STRM QID

11. Repeat the preceding steps for Juniper Networks vGW Virtual Gateway records with “action=reject” and “action=drop”, mapping them to STRM QID 11750269 as shown in Figure 73.

After you complete this step, Juniper Networks vGW Virtual Gateway logs should be available in STRM.
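Before doing the Map Event step it helps to know which tokens in the raw vGW records the mapping keys on. The following Python is an added example, not part of the guide or of the STRM device extension: it parses constructed key=value syslog records (the real vGW record layout is not reproduced here; only the action=allow, action=reject and action=drop tokens the procedure refers to are assumed), classifies them the way steps 10 and 11 do (allow on one side, reject and drop together on the other), skips lines that carry no action field, and picks one record per distinct action so you have exactly the records to open in Raw Events Display.

```python
"""Added example: parse constructed vGW-style syslog records and classify them
by action, as a check before mapping events to STRM QIDs. Not Juniper code."""
import re

# Constructed sample records. The "<PRI>timestamp host tag: key=value ..." layout
# and the field names are assumptions; only the action= tokens come from the guide.
SAMPLE_SYSLOG = """\
<134>Oct 12 10:01:02 vgw-secdesign vgw: action=allow src=10.10.20.9 dst=10.10.10.5 proto=tcp dport=3306 policy=web-to-db
<134>Oct 12 10:01:03 vgw-secdesign vgw: action=reject src=10.10.20.9 dst=10.10.10.5 proto=tcp dport=22 policy=default-deny
<134>Oct 12 10:01:04 vgw-secdesign vgw: action=drop src=192.168.1.4 dst=10.10.10.5 proto=udp dport=53 policy=default-deny
<134>Oct 12 10:01:05 vgw-secdesign vgw: heartbeat ok
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Steps 10 and 11 of the procedure: allow is one event, reject and drop share one.
ACTION_CATEGORY = {"allow": "permit", "reject": "deny", "drop": "deny"}


def parse_record(line):
    """Parse one syslog line into a dict, or return None when it is not a
    firewall event (no action= field) or not syslog-shaped at all."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    if "action" not in fields:
        return None
    pri = int(m.group("pri"))
    rec = {"host": m.group("host"), "facility": pri >> 3, "severity": pri & 7}
    rec.update(fields)
    rec["category"] = ACTION_CATEGORY.get(fields["action"], "unknown")
    return rec


def parse_stream(text):
    """All firewall records in a block of syslog text, in order."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def actions_needing_mapping(records):
    """First record seen for each distinct action value: the events to open in
    Raw Events Display and map with Map Event."""
    first = {}
    for r in records:
        first.setdefault(r["action"], r)
    return first


if __name__ == "__main__":
    for action, rec in actions_needing_mapping(parse_stream(SAMPLE_SYSLOG)).items():
        print(action, "->", rec["category"], rec)
```

An action value outside the three the guide names comes back as "unknown"; seeing that category in a live feed means a record type the device extension was not written for, which will show up unmapped in STRM.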


Figure 73 Map Juniper Networks vGW Virtual Gateway Event to STRM QID


Figure 74 shows NetFlow statistics and syslog records exported from Juniper Networks vGW Virtual Gateway to STRM.

Figure 74 Flow Viewer in STRM

IDP

You can configure the Juniper Networks vGW Virtual Gateway to interoperate with Juniper Networks IDP. The vGW Virtual Gateway works with standalone IDP devices. It can also work with the GRE termination capabilities available in SRX Series IDP 11.1 and later releases.

NOTE: Currently the vGW Virtual Gateway interoperates with IDP in passive mode only, that is, pure IDP.

About Juniper Networks IDP Series Intrusion Detection and Prevention Appliances

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances provide features that protect the network from a wide range of attacks. Using stateful intrusion detection and prevention techniques, the IDP Series provides protection against worms, trojans, spyware, keyloggers, and other malware. Its feature set includes stateful signature detection, protocol and anomaly detection, QoS/DiffServ marking, VLAN-aware rules, role-based administration, separation of domains and management activities, IDP Reporter, and traffic pattern profiling.


Configuring the vGW Virtual Gateway and IDP Interoperation

Before you configure interoperability between the vGW Virtual Gateway and IDP, you must define the IDP device as an external inspection device and create an appropriate redirection rule for it in the Global section of the Security Settings module.

The External Inspection Devices screen allows you to enter the name and IP address of the device to which traffic is sent for further analysis.

1. Log into the NSM for your environment.

2. Create a Security Policy for the Inter-VM communication.

a. In the notification section of the policy, select Logging.

b. Enable the policy for traffic between any source and destination.

c. Set the action to None.

You can inspect traffic anomalies between VMs using this security policy. See Figure 75.

Figure 75 Juniper Networks Security Policy

3. Enable GRE decapsulation support on the IDP device for which you created the security policy:

a. Select Device Manager -> Security Devices.

b. Select Sensor Settings -> Run-Time Parameters.

c. Select Enable GRE decapsulation support. See Figure 76.


Figure 76 GRE Decapsulation on Sensor Settings

To verify that you set the parameter correctly, enter the following command on the command line of the IDP device:

user@host# scio const -s s0 get sc_gre_decapsulation

After you have completed these steps (including the creation of the external inspection device and the relevant security policy in the vGW Security Design VM), you can test the configuration by triggering any attack in the Juniper Networks signature database. In Figure 77 a simple port scan (through nmap) was issued, and it can be seen in the Juniper Networks event log viewer.
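To make concrete what “GRE decapsulation support” on the sensor has to do with the traffic vGW redirects, the following Python is an added example and not Juniper code: it builds a TCP SYN probe of the kind an nmap port scan sends, wraps it in GRE (RFC 2784, with the optional RFC 2890 key) inside an outer IPv4 header, and then decapsulates it the way a sensor must before it can inspect the inner packet, rejecting anything that is not IPv4-over-GRE version 0. All addresses and the GRE key value are constructed; whether vGW sets a GRE key, sequence number or checksum is not stated in the guide and is not assumed by the decoder, which handles all three optional fields.

```python
"""Added example: GRE encapsulation/decapsulation of a redirected inter-VM probe.
Not Juniper code; addresses and the key value are constructed."""
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(data):
    """One's-complement checksum over a header (RFC 791); 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp_syn(sport, dport, seq=0):
    """Bare TCP SYN header, the shape of an nmap SYN-scan probe. The TCP checksum
    is left at zero; computing it would need the pseudo-header."""
    offset_flags = (5 << 12) | 0x002          # 20-byte header, SYN set
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)


def gre_encapsulate(inner, outer_src, outer_dst, key=None):
    """Wrap an inner IPv4 packet in GRE and an outer IPv4 header, as a redirect
    to an external inspection device would. The K bit and key are optional."""
    flags = 0x2000 if key is not None else 0   # K bit (RFC 2890)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + inner)


def gre_decapsulate(packet):
    """What the sensor's GRE decapsulation has to do: validate the outer IPv4
    header, walk the GRE header including any optional checksum/key/sequence
    fields, and return (key, inner_packet). Raises ValueError on anything else."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20:
        raise ValueError("not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                           # version bits must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % proto)
    off, key = ihl + 4, None
    if flags & 0x8000:                           # C: checksum + reserved1
        off += 4
    if flags & 0x2000:                           # K: key
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                           # S: sequence number
        off += 4
    return key, packet[off:]


def summarize_inner(inner):
    """Decode the inner IPv4/TCP headers into the fields an IDP log would show."""
    ihl = (inner[0] & 0x0F) * 4
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", inner[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport,
            "syn": bool(off_flags & 0x002), "ack": bool(off_flags & 0x010)}


def demo():
    """Round-trip one probe: build, encapsulate with a key, decapsulate, summarize."""
    probe = build_ipv4("10.10.20.9", "10.10.10.5", 6, build_tcp_syn(40000, 3306))
    wire = gre_encapsulate(probe, "10.0.0.10", "10.0.0.20", key=100)
    key, inner = gre_decapsulate(wire)
    return key, summarize_inner(inner)


if __name__ == "__main__":
    print(demo())
```

If decapsulation is not enabled on the sensor, the policy created in step 2 sees only outer IP packets with protocol 47 between the vGW and the sensor; the SYN probe inside them is never matched against the signature database, which is why the scio check above is worth running before the nmap test.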


Figure 77 Juniper Networks System Correctly Writing a Log for the Attack (test through nmap port scan)