vShield App Unexpected Firewall Rule Application


We recently experienced some confusion when creating vShield App firewall rules, so I figured that it would make for a good post.  For those who are unaware, vShield App (which is now a component of the vCloud Networking and Security solution) is a virtual firewall.  Rather than being a traditional firewall though, which allows for rules based on either layer 2 or layer 3 constructs, this firewall integrates with vCenter and so can have rules based on vCenter constructs.  At first glance, this is a little confusing, but once you become familiar with the concept it becomes very empowering.

We have a motley collection of Port Groups in this VDI environment.  Each Port Group needs different firewall rules to be applied to it.  We have a “production” Port Group where the bulk of the customer’s employees sit, we have an “internet only” Port Group for external users and we have a whole bunch of Port Groups that are in between those two extremes for consultants, which allow that consultant access to the infrastructure that they need while blocking general access.  Oh, and I forgot to mention, this is all being done on the same Layer 2 VLAN, within the same DHCP scope.  When we want a new security context, vShield allows us to simply create another Port Group with our needed rules, rather than requiring that we go through the much more laborious process of carving out a new Layer 2 space.

So, we’ve got this awesome design and are implementing it in a POC.  We have our 2 most basic Port Groups created, each with appropriate rules.  The “Production” port group is simple: Any Source to Any Destination on Any Port = Allowed. 

The Internet Only Port Group is more difficult.  You see, we say “internet only” but the fact of the matter is that these are still Windows desktops in the domain, to which we will connect users via PCoIP.  After much time spent looking at WindowsServices Network Port Requirements, we had created a set of rules to allow the basic windows functions to work (that included domain user authentication, DNS, KMS, NTP and PCoIP).  At the end of the list, we put a rule that said “Inside this Port Group Source to Inside Our Server Subnets Destination = Blocked”  With all of those rules in place, we were expecting that the desktop would be able to contact the internal infrastructure for authentication/licensing/PCoIP purposes, but could not access it for anything else.  External networks, such as the internet, should still be available.

That behavior, however, was not manifesting on a test desktop.  We placed a desktop on the “Production” Port Group and, as expected, it could talk to anything.  When moved onto the “Internet Only” Port Group however… it still talked to anything.  We poked around at all sorts of things, trying to figure out what was happening, but eventually we called VMware support and got our answer.

Even though the GUI shows a hierarchy, the system doesn’t actually process the rules in that fashion.  Unless you start creating additional Namespaces on the various Port Groups, you have a single firewall with a single set of rules.  What was happening in our environment was that “Any/Any:Allowed” rule on the “Production” Port Group was allowing Any Source to talk to Any Destination, even when the VMs were on our “Internet Only” Port Group.  This was happening because the two Port Groups were in the same Namespace and so the firewall was simply receiving a rule that said that Any Source could talk to Any Destination.  The fix, from a procedural perspective, is very easy – don’t create an “Any/Any” rule.  In our case, what we were really trying to do was “Inside Production Source to Any Destination = Allowed”.  Once we set the rule up that way, the “Internet Only” Port Group actually started applying its firewall rules correctly and so everything started working as intended.

If anyone is interested, we understood this behavior with the help of the following process.  We logged into the console of a vShield appliance and used the “show vmwall rules 1002” command, which displays the list of all rules in that Namespace (1002 is the default Namespace).  It quickly became apparent that our Source/Destination specifications did not respect the object on which they were defined, and so we simply redefined them to specify that object and were good to go.

Comments

Post a Comment

Sorry guys, I've been getting a lot of spam recently, so I've had to turn on comment moderation. I'll do my best to moderate them swiftly after they're submitted,

Popular posts from this blog

PowerShell Sorting by Multiple Columns

PowerShell's Sort-Object cmdlet is super useful, especially when preparing output for human consumption.  A few people have found my blog while looking for more information about its use, specifically while looking for how to sort by multiple columns (well, properties, technically).  I've never done so (much less written about it), so I hope those folks found answers elsewhere.  But, it got me curious... and it turns out that it's really easy. The Technet article on Sort-Object has the answer directly spelled out: just use commas to create a list of properties to sort by (in order to precedence).  Let's look at some examples!  First, prepare a variable with some good sortable data: $myData = get-eventlog System -newest 25 And then we can get to sorting!  Say you want to sort primarily by EntryType (Warning, Information, Error) and then by Source.  Easy-peasy: $myData | sort EntryType,Source How about if you want it to be in descending order?  Yeah, there&
Read more

Clone a Standard vSwitch from one ESXi Host to Another

One of my customers is standardizing the configurations on their HP C7000 enclosures (they've been set up at various sites by various administrators with varying involvement from the architecture team).  As such, we need to stand up some temporary resources so that we can take down the main enclosure for reconfiguration.  That's fine, we can easily ship a smaller enclosure to each site for temporary compute resources.  Some of the sites are using Standard vSwitches, so we need to be able to quickly copy the networking configuration over from their existing blades to these new, slightly different blades.  As I see it, we had 2 good options: 1) Capture a Host Profile with the desired vSwitch configuration.  Delete every other component of the Host Profile so that only the networking section is applied; design the new ESXi hosts so that the vSwitches'll work with the old vmnic-to-vswitch configurations. 2) Write a script to clone the vSwitch from ones ESXi host to another.
Read more

Deleting Orphaned (AKA Zombie) VMDK Files

A problem that most Virtualization Administrators need to deal with is Orphaned VMDK files (or Zombie VMDK files, as some people call them).  These are Virtual Machine hard drive files that are just hanging out, taking up storage, but are attached to no VMs.  How can this happen?  Well, the most common way is when an administrator needs to delete a VMDK but isn't quite ready to commit... so, after pressing "remove", they select "remove from virtual machine" rather than "remove and delete files".  The intent is always good: "I want to be able to restore this if it turns out to be necessary... so I'll just come back and delete it next week if nothing breaks!"  But, of course, next week something else happens and the file doesn't get deleted.  After a little while, it turns into "which files did I rename, again?" and nothing seems to happen. So, how do you deal with these orphaned files?  Well, a few years ago I found a scrip
Read more