Design Considerations for VM Security

Port-Profile capability in Nexus 1000V is the primary mechanism by which network policy is defined and applied to virtual machines. A port-profile can be used to define configuration options as well as security and service level characteristics. Virtual-Service-Domain (VSD), on the other hand, is a feature within the Nexus 1000V that allows for grouping of one or more port-profiles into one logical domain. The VSD capability allows for services that work in conjunction with Nexus 1000V, such as a virtual firewall entity like vShield, to be integrated into the virtual environment and accessed by the individual domains. This seamless service integration in conjunction with the Nexus 1000V can be used to provide more granular security policies within a virtual environment.
As mentioned above, any set of port-profiles can be functionally separated using a Virtual-Service-Domain. This VSD can then be used to direct traffic to any service or entity within the environment. In the following design, the VSD is used to move a group of virtual machines behind the vShield, which is the virtual firewall entity within vSphere. The VSD feature set allows insertion of the vShield virtual appliance in the forwarding path between protected guest virtual machines and the physical network outside of the ESX host. To accomplish this, two areas of configuration are required:
• The port-profiles that identify the outside and inside virtual ports of the vShield appliances
• The port-profiles which home the guest virtual machines that require firewall protection
The virtual switch ports on the Nexus 1000V that connect to the unprotected (outside) and protected (inside) interfaces of the vShield are marked with a given VSD name, and the administrator can selectively mark the port-profiles homing guests to participate in the newly configured VSD. If no VSD configuration is tagged onto a port-profile, its traffic continues to forward normally, bypassing the firewall. Figure 7 depicts the logical location of vShield within the host.
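An added configuration example (not from the original design guide) covering both areas described above on a Nexus 1000V: the two service-port profiles for the vShield interfaces and a guest port-profile tagged into the same VSD. The VSD name vsd1, the profile names, VLAN 100/200 and the choice of default-action are assumed placeholders.

```nxos
! Added example, not the guide's own configuration. Names and VLANs are assumed.

! (1) Port-profiles for the vShield appliance's own two interfaces.
! "outside" faces the physical network, "inside" faces the protected guests.
port-profile vsd1-outside
  switchport mode access
  switchport access vlan 100
  virtual-service-domain vsd1
  ! default-action drop = fail closed: if the vShield VM is down or not yet
  ! attached, member traffic is dropped instead of silently bypassing it
  service-port outside default-action drop
  vmware port-group
  no shutdown
  state enabled

port-profile vsd1-inside
  switchport mode access
  switchport access vlan 100
  virtual-service-domain vsd1
  service-port inside default-action drop
  vmware port-group
  no shutdown
  state enabled

! (2) Port-profile homing the guest VMs that need firewall protection.
! The virtual-service-domain line is what steers their traffic through vShield.
port-profile web-protected
  switchport mode access
  switchport access vlan 100
  virtual-service-domain vsd1
  vmware port-group
  no shutdown
  state enabled

! A profile with no virtual-service-domain line keeps forwarding normally
! and is therefore outside the firewall; review such profiles deliberately.
port-profile mgmt-unprotected
  switchport mode access
  switchport access vlan 200
  vmware port-group
  no shutdown
  state enabled

! Verification: confirm the service ports and member profiles of the VSD
show virtual-service-domain name vsd1
show port-profile name web-protected
```

Choosing `default-action forward` instead makes the domain fail open (traffic bypasses vShield while the appliance is unavailable), which is the trade-off to decide explicitly rather than by default.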