VMware vShield Edge
Secure the Edge of the Datacenter

Overview:

VMware vShield™ Edge, part of the VMware vShield family of virtualization security products, provides comprehensive perimeter network security for virtual datacenters. vShield Edge integrates seamlessly with VMware vSphere® and includes essential network gateway services that organizations can use to quickly and securely scale their cloud infrastructures.

Key Benefits

• Reduce cost and complexity by eliminating multiple special-purpose appliances and by rapidly provisioning network gateway services.
• Ensure policy enforcement with built-in edge network security and services.
• Increase scalability and performance with one edge per organization or tenant.
• Simplify IT compliance with detailed logging.
• Streamline management using a full-featured interface that integrates with VMware vCenter™ Server and leading enterprise security solutions.

vShield Edge secures traffic between virtual datacenters with built-in perimeter security.

What is vShield Edge?

vShield Edge is an edge network security solution for virtual datacenters. It provides essential security capabilities such as network security gateway services and Web load balancing for performance and availability. The solution plugs directly into vSphere and leverages built-in features such as fault tolerance and high availability for unparalleled resiliency.

Administrators can centrally manage vShield Edge through the included vShield Manager console, which integrates seamlessly with vCenter Server to facilitate unified security management for virtual datacenters. vShield Edge also works in concert with VMware vCloud™ Director to automate and accelerate the secure provisioning of virtual datacenters in multitenant cloud infrastructures. Separation of duties for security and virtual infrastructure administrators limits access only to authorized resources.

How Does vShield Edge Work?

Deployed as a virtual appliance, vShield Edge provides firewall, VPN, Web load balancer, network address translation (NAT) and DHCP services to monitor packet headers for source and destination IP addresses. Depending on policy, it can deny or allow connections, initiate and terminate VPN sessions, perform network address translation, or inspect data by source or destination port and protocol type (TCP or UDP).

How is vShield Edge Used?

• Consolidate edge security hardware – vShield Edge allows customers to provision edge security services using existing vSphere resources, eliminating the need for edge security hardware to "air-gap" vSphere hosts.
• Rapidly and securely provision virtual datacenter perimeters – vShield Edge allows organizations to easily create secure, logical, hardware-independent perimeters ("edges") around virtual datacenter environments, making it easier to leverage shared network resources in multitenant IT infrastructures.
• Protect data confidentiality over shared networks – vShield Edge provides site-to-site VPN with 256-bit encryption to protect the confidentiality of all data transmitted across virtual datacenter perimeters.
• Ensure performance and availability of Web services – vShield Edge efficiently manages inbound Web traffic across virtual machine clusters and includes Web load balancing capabilities that customers can deploy with edge security, or separately.
• Facilitate compliance management – vShield Edge provides the necessary controls, such as detailed event logging and flow statistics, which enterprises need to demonstrate compliance with corporate policies, along with industry and government regulations.

Key Features:

Firewall

• Perimeter (Layer 3) firewall, which does not require network address translation
• Stateful inspection firewall, with inbound and outbound connection control rules based on the following parameters:
  • IP address – source/destination IP address
  • Ports – source/destination port
  • Protocol – type (TCP or UDP)

Network Address Translation

• IP address translation to and from the virtualized environment
• Masquerading of virtual datacenter IP addresses to untrusted locations

Dynamic Host Configuration Protocol

• Automatic IP address provisioning to virtual machines in vSphere environments
• Administrator-defined parameters (such as address pools, lease times, dedicated IP addresses)

Site-to-Site VPN

• Secure communication between virtual datacenters (or edge security virtual machines)
• IPsec VPN with support for certificate authentication, as well as shared key, based on the Internet Key Exchange (IKE) protocol

Web Load Balancing

• Inbound load balancing for all traffic including Web traffic (HTTP)
• Round-robin algorithm
• Support for "sticky" sessions

Edge Flow Statistics

• Metering of virtual datacenter resource utilization, with attribution back to the tenant
• Statistics accessible through Representational State Transfer (REST) APIs and leveraged in service provider chargeback applications

Policy Management

• Full-featured management through vShield Manager; many features also accessible through vCenter Server interface
• Customizable interface for management using REST APIs
• Support for integration with enterprise IT security management tools

Logging and Auditing

• Based on industry-standard syslog format
• Accessible through REST APIs and vShield Manager user interface
• Administrator-defined logging on and off for key edge security events (errors, warnings, etc.):
  • Firewall: at rule level
  • NAT: at rule level
  • VPN: site-to-site connection name
  • Web load balancer: at pool level, specific Web requests including URL or folder
  • DHCP: at service level, bindings (release and renewals)

VMware VMware vShield Edge FAQs:

1. Which existing VMware products are compatible with vShield Edge?

vShield Edge is compatible with:

• (Required) vSphere: 4.1 (including ESX, ESXi 4.1, 4.0), 5.0
• vCenter Server: 4.0, 4.1, 5.0
• vShield App 1.0, 5.0
• vShield Endpoint 1.0, 5.0
• vCloud Director

2. Is vShield Edge compatible with earlier versions of VMware ESX (3.0, 3.5) and VMware vCenter (2.5)?

vShield Edge is not compatible with these earlier versions of VMware ESX and VMware vCenter. Customers are encouraged to upgrade to current versions of vCenter and vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual data center management capabilities.

3. What are the main use cases for vShield Edge?

There are two key use cases for the vShield Edge product:

• Offering multi-tenant hosting services
• Site-to-site VPN to connect partners

For the multi-tenant case, enterprises host potentially hundreds or thousands of tenants in shared infrastructure with:

• Traffic isolation between the tenants
• Complete protection and confidentiality of tenant apps and data
• Integration with enterprise directory services, such as Active Directory
• Complying with various audit requirements

vShield Edge lets you:

• Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
• Use enterprise-directory services for security policies
• Accelerate compliance by logging all traffic information on per-tenant basis
• Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and virtual machine density

For partner extranets (site-to-site VPN) use case, enterprises can:

Deploy a shared infrastructure to allow partners to access applications and data by:

• Enjoying complete confidentiality
• Leveraging existing VPN solutions from Cisco, Checkpoint or Juniper
• Getting optimal application server utilization
• Ensuring compliance to various audit requirements

vShield Edge lets you:

• Reduce management cost to provision new partners by supporting multiple third party VPN devices
• Improve security with strong encryption of all communication between partners
• Simplify management with vCenter integration and remote management with REST API
• Lower cost of security by 100+% by eliminating purpose built appliances, increasing server utilization and virtual machine density

4. What is the relationship between vShield Edge and vShield App?

While both products provide virtual network firewall capabilities, their implementations are different and address different scenarios. vShield Edge creates a barrier between resources in a virtual datacenter and un-trusted networks, such as other virtual datacenters in the same private cloud. In contrast, vShield App controls traffic between virtual machines within the same vDC and more specifically, on the same vSphere host. The following table summarizes key differences between the two products.

Attribute	vShield Edge	vSphere App
Purpose	Secure traffic between the virtual data center and un-trusted networks	Secure traffic between virtual machines within a single vSphere host
Deployment	Per Port Group	Per host
Features
Security	Firewall, VPN	Firewall
Firewall	Stateful, IP-based, 5-tuple*	Application-based, 5-tuple plus use of Security Groups
NAT, DHCP Services	Yes	No
Availability	Load Balancing across VMs	No

5. What are the similarities and differences between the various VMware security solutions?

There are three solutions for virtualized network security on vSphere-based environments:

• vShield App
• vShield App with Data Security
• vShield Edge

The following table summarizes a comparison of key features for these three products:

Feature	vShield Edge	vShield App	vShield App with Security	vShield Endpoint
Deployment Method	Per port group	Per host	Per host	Per host
Enforcement	Between virtual datacenter and un-trusted networks	Between virtual machines	Between virtual machines	Within the guest virtual machine
Anti-virus, Anti-malware	No	Yes	Yes	Yes
Site-to-Site VPN	Yes	No	No	No
NAT, DHCP services	Yes	No	No	No
Load balancing	Yes	No	No	No
Sensitive Data Discovery	No	No	Yes	No
Stateful firewall	Yes	Yes	Yes	No
Change-Aware	Yes (1)	Yes	Yes	No
Hypervisor-based firewall	No	Yes	Yes	No
Application firewall	Yes	Yes	Yes	No
Flow Monitoring	No	Yes	Yes	No
Groupings for policy enforcement	Only 5-tuple (2) based policies	1) 5-tuple 2) Security Groups: resource pools, folders, containers and other vSphere groupings	1) 5-tuple 2) Security Groups: resource pools, folders, containers and other vSphere groupings	Any available vCenter groupings for virtual machines

(1) The Port Group Isolation feature is actually deployed as an LKM (Loadable Kernel Module). All other features are provided in the virtual appliance.

(2) Edge security and services are maintained within the host where the edge appliance is deployed. If the virtual appliance were moved to another host, the edge security policies would need to be updated.

Support:

VMware Production Support & Subscription

Technical Support, 24 Hour Sev 1 Support -- 7 days a week.

Focused, 24-Hour Support For Production Environments

• Global, 24x7 support for Severity 1 issues
• Fast response times for critical issues
• Unlimited number of support requests
• Remote Support
• Online access to documentation and technical resources, knowledge base, discussion forums
• Product updates and upgrades

Overview

VMware Production Support is designed with your production environments in mind. Our global support centers are staffed around the clock to provide you access to our industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

VMware Basic Support & Subscription Service

Technical Support, 12 Hours/Day, per published Business Hours, Mon. thru Fri.

Weekday Support for Test, Dev and Non-Critical Deployments

• Global, 12x5 access to support
• Unlimited number of support requests
• Remote Support
• Online access to documentation and technical resources, knowledge base, discussion forums
• Product updates and upgrades

Overview

VMware Basic Support is designed for non-critical applications and platforms that require support during normal business hours. Our global support centers have been strategically placed to provide you with fast and efficient access to the support center in your region. Each center is staffed with engineers that can provide industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

Feature	Production Support	Basic Support
Hours of Operation	24 Hrs/Day 7 Days/Wk 365 Days/Yr 1	12 Hrs/Day Mon–Fri 1
Length of Service	1 or 3 Years	1 or 3 Years
Product Updates	Yes	Yes
Product Upgrades	Yes	Yes
Products Supported	All Products (excluding VMware Fusion and Player)	All Products (excluding VMware Fusion and Player)
Method of Access	Telephone/ Web	Telephone/ Web
Response Method	Telephone/ Email	Telephone/ Email
Remote Support	Yes	Yes
Access to VMware Web site	Yes	Yes
Access to VMware Discussion Forums and Knowledge Base	Yes	Yes
Max Number of Support Admins per Contract	6	4
Number of Support Requests	Unlimited	Unlimited
Target Response Times Critical (Severity 1 Major (Severity 2) Minor (Severity 3) Cosmetic (Severity 4)	30 minutes or less: 24x7 4 business hours 8 business hours 12 business hours	4 business hours 8 business hours 12 business hours 12 business hours
Business Hours North America and Latin America Alaska, Hawaii South America (NASA) Europe, Middle East, Africa (EMEA Asia, Pacific Rim, Japan (APJ) Australia/New Zealand	Monday - Friday 6 a.m. to 6 p.m. (local time zone) 6 a.m. to 6 p.m. (PST/PDT) 6 a.m. to 6 p.m. (EST/EDT) 7 a.m. to 7 p.m. (GMT/GMT+1) 8:30 a.m. to 8:30 p.m. (Singapore Time) 7 a.m. to 7 p.m. (Sydney AET)	Monday - Friday 6 a.m. to 6 p.m. (local time zone) 6 a.m. to 6 p.m. (PST/PDT) 6 a.m. to 6 p.m. (EST/EDT) 7 a.m. to 7 p.m. (GMT/GMT+1) 8:30 a.m. to 8:30 p.m. (Singapore Time) 7 a.m. to 7 p.m. (Sydney AET)

1Hours of operation for Gemstone are Monday - Friday, 8 a.m. to 5 p.m. (PST/PDT) globally.
1Hours of operation for VMware Go Pro and vCenter Protect products are 7 a.m. to 7 p.m. (CST/CDT), except holidays.
1Hours of operation for VMware IT Business Management and IT Financial Management are 8 a.m. to 5 p.m. (EST/EDT/GMT) except holidays.
1Hours of operation for Socialcast are 6 a.m. to 6 p.m. (PST/PDT).

Documentation:

Download the VMware vShield Edge Datasheet (PDF).

Download the VMware vShield Brochure (PDF).