VMware Business Infrastructure Virtualization: Beyond Virtual Machines & Servers

VMware vShield App
Protect Applications from Network-Based Attacks


Overview:

VMware vShield™ App, part of the VMware vShield family of virtualization security products, protects applications in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. Policy enforcement is agile, because it is based on logical constructs such as VMware vCenter™ containers and vShield security groups—not just physical constructs such as IP addresses. vShield App eliminates dependence on hardware and legacy controls such as VLANs, resulting in reduced hardware and policy sprawl that is cost-effective and goes beyond the limitations of physical security. Also included is VMware vShield Endpoint, which offloads antivirus file scanning, minimizing antivirus "storms."

Key Benefits

  • Increase visibility and control over network communications between virtual machines.
  • Eliminate the need for dedicated hardware and VLANs to separate security groups from one another.
  • Optimize hardware resource utilization while maintaining strong security.
  • Simplify compliance through comprehensive logging of all virtual machine network activity.

VMware vShield App with Data Security
vShield App enables granular policy enforcement using security groups.

vShield App is a hypervisor-based application-aware firewall solution for virtual datacenters. Administrators can meet regulatory compliance audits by using this product to scan datacenters, clusters or resource pools for sensitive data.

The product plugs directly into VMware vSphere® to protect against internal network-based threats and reduce the risk of policy violations within the corporate security perimeter. To accomplish this, vShield App uses application-aware firewalling with deep packet inspection and connection control based on source and destination IP addresses.

It also simplifies policy control by enabling IT to rapidly create business-relevant security groups, and its flow-monitoring controls help IT analyze virtual machine network traffic and dynamically enforce security group policies. Administrators can centrally manage vShield App through the included vShield Manager console, which integrates seamlessly with VMware vCenter Server to facilitate unified security management for virtual datacenters.

The product also eliminates dependence on hardware and legacy controls such as VLANs, resulting in reduced hardware and policy sprawl that is cost-effective and goes beyond the limitations of physical security.

How Does vShield App Work?

vShield App installs on each vSphere host, controlling and monitoring all network traffic on the host, even for packets that never cross a physical network interface card (NIC). vShield App can create and enforce policies based on administrator-defined, business-relevant security groups instead of physical boundaries or static assumptions about application deployments. It also provides a centralized interface that leverages vCenter Server to consistently apply these policies across multiple vSphere hosts in the virtual datacenter.

How is vShield App Used?

  • Provide application-aware protection – Administrators can define and enforce granular policies for all traffic that crosses a virtual NIC, increasing visibility over internal virtual datacenter traffic while helping to eliminate detours to physical firewalls.
  • Maintain change-aware protection – Firewall protection is continuous as virtual machines migrate from host to host, helping to ensure that network topology changes do not impact
  • Efficiently manage dynamic policies – Administrators have a rich context for defining and refining internal firewall policies as business needs evolve over time.
  • Reduce botnet risks – Security administrators can protect against botnets and other attacks by dynamically allocating ports to trusted applications.
  • Control access to shared resources – Security administrators can restrict access to shared services such as storage and backup on vSphere hosts according to IP address.
  • Accelerate IT compliance – Visibility and control over virtual machine network security increases, and logging and auditing controls enable enterprises to demonstrate compliance with internal policies and external regulatory requirements.

Key Features:

Firewalls

  • Hypervisor-level firewall provides inbound and outbound connection control enforced at the virtual NIC level through hypervisor inspection, supporting multihomed virtual machines.
  • Layer 2 firewall (also known as a transparent firewall) protects against multiple types of attacks, such as password sniffing, DHCP snooping, Address Resolution Protocol (ARP) spoofing or poisoning attacks. It also provides complete isolation of SNMP traffic.
  • Protection can be enforced according to network, application port, protocol type (TCP, UDP) or application type.
  • Protection is dynamic as virtual machines migrate.
  • IP-based stateful firewall and application layer gateway supports a broad range of protocols, including Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP. The gateway improves security by opening sessions (ports) only as needed. For a complete list of supported protocols, see the VMware vShield Administration Guide.

Flow Monitoring

  • Administrators can observe network activity between virtual machines to help define and refine firewall policies, identify botnets, and secure business processes through detailed reporting of application traffic (application, sessions, bytes).

Security Groups

  • Administrators can define business-relevant groupings of any virtual machines by their virtual NICs.

Policy Management

  • vShield Manager provides control of product features, many of which are also accessible through the vCenter Server interface.
  • Administrators can enforce policies on security groups, vCenter Server groupings and the TCP 5-tuple (source IP, destination IP, source port, destination port, protocol).
  • Representational State Transfer (REST) APIs provide a programmable interface for management and policy enforcement.
  • vShield App supports integration with enterprise security management tools.

IP Addressing

  • Flexible IP addressing includes the ability to use the same IP address in multiple tenant zones to simplify provisioning.

Logging and Auditing

  • Logging is based on industry-standard syslog format.
  • REST APIs and vShield Manager provide access to logging and auditing tools.
  • Administrators can turn logging on and off for firewalls at the rule level.

VMware vShield App FAQs:

1. Which existing VMware products are compatible with VMware vShield App?

vShield App is compatible with:

  • (Required) vSphere 4.1 (including ESX, ESXi 4.1, 4.0), 5.0
  • vCenter Server 4.0, 4.1, 5.0
  • vShield Edge 1.0, 5.0
  • vShield Endpoint 1.0, 5.0

2. Is vShield App compatible with earlier versions of VMware ESX (3.0, 3.5) and VMware vCenter (2.5)?

vShield App is not compatible with these earlier versions of VMware ESX and VMware vCenter. Customers are encouraged to upgrade to current versions of VMware vCenter and VMware vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual datacenter management capabilities.

3. What are the main use cases for vShield App?

There are two key use cases for the vShield App product:

  • Protect every VM from hackers and malware
  • Create trust zones to segment applications

Enterprises must comply with industry regulations and corporate policies by deploying production and development applications in a shared infrastructure with:

  • Traffic segmentation between applications
  • Strict monitoring and enforcement of rules on inter-VM communications
  • Ability to maintain security policies with VM movement
  • Compliance to various audit requirements

4. What is the relationship between vShield Edge and vShield App?

While both products provide virtual network firewall capabilities, their implementations are different and address different use cases. vShield Edge creates a barrier between resources in a virtual datacenter and un-trusted networks, such as other virtual datacenters in the same private cloud. In contrast, vShield App controls traffic between virtual machines AND between the virtual and physical datacenters. The following table summarizes key differences between the two products.

| Attribute | vShield Edge | vShield App |
|---|---|---|
| Purpose | Secure traffic between the virtual data center and un-trusted networks | Secure traffic between virtual machines within a single vSphere host |
| Deployment | Virtual Appliance | Loadable Kernel Module (hypervisor level) |
| Features | | |
| Security | Firewall, VPN | Firewall |
| Firewall | Stateful, IP-based, 5-tuple* | Application-based, 5-tuple plus use of Security Groups |
| NAT, DHCP Services | Yes | No |
| Availability | Load Balancing across VMs | No |
| Use Cases | | |
| Site-to-site VPN to Connect Partners | Yes | No |
| Multi-Tenant Hosting Service | Yes | No |
| Securing Business-Critical Applications | No | Yes |

* A 5-tuple is defined as the combination of Source IP address, Destination IP address, Source Port, Destination port, protocol.

5. How are vShield App and VMware vShield Endpoint related?

Both vShield App and VMware vShield Endpoint protect vSphere-based virtual machines. vShield App is a self-contained solution that provides visibility and control over network communications between virtual machines. vShield App also includes vShield Endpoint. vShield Endpoint is an enabling technology used in conjunction with third-party endpoint security solutions. This technology enables the offload of anti-virus processing from workload virtual machines to a dedicated security virtual machine. Please read the respective datasheets for these products for more information.

6. What are the similarities and differences between the various VMware security solutions?

There are four solutions for virtualized network security on vSphere-based environments:

  • vShield App
  • vShield App with Data Security
  • vShield Edge
  • vShield Endpoint

The following table summarizes a comparison of key features for these products:

| Feature | vShield Edge | vShield App | vShield App with Data Security | vShield Endpoint |
|---|---|---|---|---|
| Deployment Method | Per port group | Per host | Per host | Per host |
| Enforcement | Between virtual datacenter and un-trusted networks | Between virtual machines | Between virtual machines | Within the guest virtual machine |
| Anti-virus, Anti-malware | No | Yes | Yes | Yes |
| Site-to-Site VPN | Yes | No | No | No |
| NAT, DHCP services | Yes | No | No | No |
| Load balancing | Yes | No | No | No |
| Sensitive Data Discovery | No | No | Yes | No |
| Stateful firewall | Yes | Yes | Yes | No |
| Change-Aware | Yes* | Yes | Yes | No |
| Hypervisor-based firewall | No | Yes | Yes | No |
| Application firewall | No | Yes | Yes | No |
| Flow Monitoring | No | Yes | Yes | No |
| Groupings for policy enforcement | Only 5-tuple** based policies | 1) 5-tuple 2) Security Groups: resource pools, folders, containers and other vSphere groupings | 1) 5-tuple 2) Security Groups: resource pools, folders, containers and other vSphere groupings | Any available vCenter groupings for virtual machines |

* Edge security and services are maintained within the host where the edge appliance is deployed. If the virtual appliance were moved to another host, the edge security policies would need to be updated.

** A 5-tuple is defined as the combination of Source IP address, Destination IP address, Source Port, Destination port, protocol.

Support:


VMware Production Support & Subscription

Technical Support, 24 Hour Sev 1 Support -- 7 days a week.

Focused, 24-Hour Support For Production Environments

  • Global, 24x7 support for Severity 1 issues
  • Fast response times for critical issues
  • Unlimited number of support requests
  • Remote Support
  • Online access to documentation and technical resources, knowledge base, discussion forums
  • Product updates and upgrades

Overview

VMware Production Support is designed with your production environments in mind. Our global support centers are staffed around the clock to provide you access to our industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

VMware Basic Support & Subscription Service

Technical Support, 12 Hours/Day, per published Business Hours, Mon. thru Fri.

Weekday Support for Test, Dev and Non-Critical Deployments

  • Global, 12x5 access to support
  • Unlimited number of support requests
  • Remote Support
  • Online access to documentation and technical resources, knowledge base, discussion forums
  • Product updates and upgrades

Overview

VMware Basic Support is designed for non-critical applications and platforms that require support during normal business hours. Our global support centers have been strategically placed to provide you with fast and efficient access to the support center in your region. Each center is staffed with engineers that can provide industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

| Feature | Production Support | Basic Support |
|---|---|---|
| Hours of Operation | 24 Hrs/Day, 7 Days/Wk, 365 Days/Yr (1) | 12 Hrs/Day, Mon–Fri (1) |
| Length of Service | 1 or 3 Years | 1 or 3 Years |
| Product Updates | Yes | Yes |
| Product Upgrades | Yes | Yes |
| Products Supported | All Products (excluding VMware Fusion and Player) | All Products (excluding VMware Fusion and Player) |
| Method of Access | Telephone/Web | Telephone/Web |
| Response Method | Telephone/Email | Telephone/Email |
| Remote Support | Yes | Yes |
| Access to VMware Web site | Yes | Yes |
| Access to VMware Discussion Forums and Knowledge Base | Yes | Yes |
| Max Number of Support Admins per Contract | 6 | 4 |
| Number of Support Requests | Unlimited | Unlimited |

Target Response Times

| Severity | Production Support | Basic Support |
|---|---|---|
| Critical (Severity 1) | 30 minutes or less: 24x7 | 4 business hours |
| Major (Severity 2) | 4 business hours | 8 business hours |
| Minor (Severity 3) | 8 business hours | 12 business hours |
| Cosmetic (Severity 4) | 12 business hours | 12 business hours |

Business Hours (Monday - Friday)

| Region | Production Support | Basic Support |
|---|---|---|
| North America and Latin America | 6 a.m. to 6 p.m. (local time zone) | 6 a.m. to 6 p.m. (local time zone) |
| Alaska, Hawaii | 6 a.m. to 6 p.m. (PST/PDT) | 6 a.m. to 6 p.m. (PST/PDT) |
| South America (NASA) | 6 a.m. to 6 p.m. (EST/EDT) | 6 a.m. to 6 p.m. (EST/EDT) |
| Europe, Middle East, Africa (EMEA) | 7 a.m. to 7 p.m. (GMT/GMT+1) | 7 a.m. to 7 p.m. (GMT/GMT+1) |
| Asia, Pacific Rim, Japan (APJ) | 8:30 a.m. to 8:30 p.m. (Singapore Time) | 8:30 a.m. to 8:30 p.m. (Singapore Time) |
| Australia/New Zealand | 7 a.m. to 7 p.m. (Sydney AET) | 7 a.m. to 7 p.m. (Sydney AET) |

(1) Hours of operation for Gemstone are Monday - Friday, 8 a.m. to 5 p.m. (PST/PDT) globally.
(1) Hours of operation for VMware Go Pro and vCenter Protect products are 7 a.m. to 7 p.m. (CST/CDT), except holidays.
(1) Hours of operation for VMware IT Business Management and IT Financial Management are 8 a.m. to 5 p.m. (EST/EDT/GMT) except holidays.
(1) Hours of operation for Socialcast are 6 a.m. to 6 p.m. (PST/PDT).

Documentation:

Download the VMware vShield App Datasheet (PDF).

Download the VMware vShield Brochure (PDF).

VMware Licensing
VMware vShield
VMware vShield App 5 (25 VM Pack)
- Note: Purchase of SnS is required!
#VS-AP5-25VM-C
List Price: $3,750.00
Our Price: $3,375.00
VMware vShield Upgrade
VMware vShield App 5 to vShield App 5 with Data Security (25 VM Pack) Upgrade
- Note: Purchase of vShield App with Data Security SnS is required!
#VS-APP-APDS-UG-C
Our Price: $1,375.00
VMware Support
VMware vShield App 5 (25 VM Pack) Support and Subscription
VMware vShield App 5 (25 VM Pack) Basic Support/Subscription, 1 Year #VS-AP5-25VM-G-SSS-C
Our Price: $788.00
VMware vShield App 5 (25 VM Pack) Basic Support/Subscription, 3 Years #VS-AP5-25VM-3G-SSS-C
Our Price: $2,080.32
VMware vShield App 5 (25 VM Pack) Production Support/Subscription, 1 Year #VS-AP5-25VM-P-SSS-C
Our Price: $938.00
VMware vShield App 5 (25 VM Pack) Production Support/Subscription, 3 Years #VS-AP5-25VM-3P-SSS-C
Our Price: $2,476.32