SEC1980: Department of Defense vShield Architecture

Here I am again at VMware VMworld, and I’ll try to blog about as many sessions as I can. Unfortunately the way VMware has structured the schedule is not very conducive to a lot of blogging, but I’ll do the best I can. This session was a very high level (and quick) overview of the VMware vShield products and how they can be used to help secure your networks, based on DISA guidance. DISA has not blessed or endorsed these products, but the information was good nonetheless.

  • In August 2010 DISA published the Network Infrastructure Technology overview, which describes how to implement defense in depth for a physical environment. It uses common products like firewalls, VLANs, IDPS, etc. Good perimeter protection, but not a lot internally, although there is some. However, managing all of these physical devices can be complicated and error prone, and the devices are not typically designed with VMs in mind.
  • vShield Edge is a product that provides perimeter protection, designed for multi-tenant internal clouds.
    • Supports NAT, L2 firewall, DHCP, IPsec, web load balancing, and static routes
    • It also supports syslog logging
  • vShield App is designed to protect applications at the hypervisor level. Basically at the vNIC level it can do packet inspection, both inbound and outbound.
    • VMs are protected as they migrate between hosts – Policy follows VMs
    • Protects against ARP spoofing, and includes a layer 4 firewall
  • vShield EndPoint is a framework that third party partners can use to provide additional inspection such as AV scanning, DLP, IDS and other functionality. Trend Micro is one such partner. McAfee/HBSS and Symantec do not yet have supporting products.
  • These products can allow you to create an ‘enclave in a box’ where on a single host or multiple hosts you can granularly control network access. For example, you can define a resource pool for VDI where the users can NOT access the internet, or have privileged VMs that administrators use that COULD access internal management VLANs.
  • These products have not undergone any Common Criteria testing. VMware is targeting EAL4+ for a future point release, but some product enhancements are needed before it will meet all of the criteria.
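The “enclave in a box” and “policy follows VMs” points above are easier to see in a small model. The following is an added illustration written for this post, not vShield code or any VMware API: it models a vNIC-level firewall whose rules key on the VM’s security group (its resource pool) rather than on the host or an IP address, so a vMotion to another host changes nothing about the decision. The address plan, group names and rule set are constructed assumptions; the VDI group is allowed only HTTPS to internal application servers and explicitly denied the internet, while the admin group may reach the management VLAN.

```python
"""Conceptual model of hypervisor (vNIC-level) policy that follows a VM.

Added illustration, not vShield code: rules match on the VM's security
group, never on the host it runs on, so the decision is identical before
and after a migration between hosts.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address
from typing import Optional, Tuple

# Constructed sample address plan (assumption, not from the session).
ZONES = {
    "mgmt": IPv4Network("10.10.0.0/24"),   # management VLAN
    "apps": IPv4Network("10.20.0.0/16"),   # internal application servers
}
PRIVATE = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def zone_of(ip: str) -> str:
    """Classify a destination address: a named zone, other internal, or internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal" if any(addr in n for n in PRIVATE) else "internet"


@dataclass(frozen=True)
class VM:
    name: str
    group: str   # security group / resource pool, e.g. "vdi" or "admin"
    host: str    # ESX host currently running the VM (irrelevant to policy)


@dataclass(frozen=True)
class Rule:
    src_group: str          # "*" matches any group
    dst_zone: str           # "*" matches any zone
    dst_port: Optional[int]  # None matches any port
    action: str             # "allow" or "deny"


# First match wins; traffic that matches no rule is denied.
POLICY = [
    Rule("vdi",   "apps",     443,  "allow"),   # VDI users reach internal apps
    Rule("vdi",   "internet", None, "deny"),    # VDI users never reach the internet
    Rule("admin", "mgmt",     None, "allow"),   # privileged VMs reach management VLAN
    Rule("admin", "apps",     None, "allow"),
]


def evaluate(vm: VM, dst_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule) for an outbound flow; None = default deny."""
    zone = zone_of(dst_ip)
    for idx, r in enumerate(POLICY):
        if r.src_group not in ("*", vm.group):
            continue
        if r.dst_zone not in ("*", zone):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, idx
    return "deny", None


def migrate(vm: VM, new_host: str) -> VM:
    """vMotion: only the host changes; group membership, and thus policy, does not."""
    return replace(vm, host=new_host)


def log_line(vm: VM, dst_ip: str, dst_port: int) -> str:
    """Syslog-style record of a decision (format is this example's own)."""
    action, idx = evaluate(vm, dst_ip, dst_port)
    by = "default" if idx is None else f"rule{idx}"
    return (f"vnic-fw host={vm.host} vm={vm.name} group={vm.group} "
            f"dst={dst_ip}:{dst_port} zone={zone_of(dst_ip)} action={action} by={by}")


if __name__ == "__main__":
    vdi = VM("vdi-01", "vdi", "esx1")
    jump = VM("jump-01", "admin", "esx1")
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for the internet.
    for vm, ip, port in [(vdi, "203.0.113.10", 443), (vdi, "10.20.5.7", 443),
                         (vdi, "10.10.0.5", 22), (jump, "10.10.0.5", 22),
                         (migrate(vdi, "esx2"), "203.0.113.10", 443)]:
        print(log_line(vm, ip, port))
```

The last loop entry is the point of the model: after `migrate` moves the VDI desktop to another host, the same rule still denies its internet access, because nothing in the rule refers to the host.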

As I mentioned, this session was very high level and didn’t really provide any examples beyond bird’s-eye views of what a system might look like. The speaker only used 30 of his 60 minutes, so I think he could have covered more content, such as real examples, to help solidify the concepts and how to implement them. These are not DISA “approved” or recommended products, so it’s up to your organization to work with your security team to implement a solution that can be accredited.
