VMware vCloud Security

Overview of this book

Security is a major concern, in particular now that everything is moving to the cloud. A private cloud is a cloud computing platform built on your own hardware and software. The alternative is to deploy the services you need on a public cloud infrastructure provided by an external supplier such as Amazon Web Services, Rackspace Cloud, or HP Public Cloud. While a public cloud can afford greater flexibility, a private cloud gives you the advantage of greater control over the entire stack. "VMware vCloud Security" focuses on some critical security risks in any VMware vCloud-based private cloud: application-level firewalls and firewall zones, virus and malware attacks on cloud virtual machines, and data security compliance. Security administrators sometimes deploy the vCloud security components incorrectly, or cannot see the broader picture and where the vCloud security products fit in. This book is focused on solving those problems using VMware vCloud and the vCloud Networking and Security product suite, which includes vCloud Networking and Security App, vShield Endpoint, and vCloud Networking and Security Data Security. Ensuring the security and compliance of your applications, especially those that are business critical, is a crucial step in your journey to the cloud. You will be introduced to security roles in VMware vCloud Director, integration of LDAP servers with vCloud, and security hardening of vCloud Director. We'll then walk through a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. We'll create access control policies based on logical constructs, such as VMware vCenter Server containers and VMware vCloud Networking and Security security groups, rather than only on physical constructs such as IP addresses. You'll learn about the architecture of EPSEC and how to implement it. Finally, we will see how to define data security policies, run scans, and analyze the results.

VMware vCloud Director architecture

Looking at a simple high-level cloud architecture, it might contain a single VMware vCloud Director server or a group of multiple vCloud Director servers. Each server runs a collection of services called a vCloud Director cell.

The following figure shows the vCloud architecture and depicts the core architecture and the optional components of vCloud. Though you can have multiple vCloud Director servers in a group, all the vCloud Director servers in the group share a single vCloud Director database. To provide resources for cloud tenants, vCloud Director (vCD) connects to one or more VMware vCenter Server systems and the VMware ESXi hosts.

VMware uses one vCloud Networking and Security Manager for each vCenter Server instance; that is, the vCloud Networking and Security Manager always has a one-to-one relationship with vCenter Server. The vCloud Networking and Security Manager provides network security services and, on demand from vCloud Director, deploys vCloud Networking and Security Edge devices (virtual appliances) that provide static routing, VPN, NAT, DHCP, gateway, and firewall services for the routed organization networks that vCloud Director creates. This not only enables vCloud Director to provide multitenancy but also provides a foundation for Software Defined Networking (SDN), which makes network connectivity programmable and decoupled from the physical infrastructure. Workloads can therefore be placed and moved anywhere without changes to the physical network.

vCloud Director uses vSphere to provide the CPU and memory that run virtual machines. For virtual machine networking it can use both vSphere Distributed Switches and standard vSwitches; however, a vSphere Distributed Switch is required for cross-host fencing and for network pool allocation. vSphere VMFS (Virtual Machine File System) datastores provide storage for virtual machine files and the other files that virtual machine operation requires. vCloud Director carves these underlying vSphere resources into cloud resources, as depicted in the following figure:

vSphere clusters should have VMware vSphere Distributed Resource Scheduler (DRS) enabled and set to balance the workloads vCloud Director deploys across the physical compute resources of the DRS cluster. You can present a whole cluster as the provider resource, or use multiple vSphere resource pools within a cluster. Though resource pools are supported, from a scaling perspective it is best to present resources cluster by cluster rather than as child resource pools.

Let us take a closer look at the vCloud side. A vCloud Director server group consists of one or more vCloud Director servers, also called vCloud cells. These servers share a common database and are linked to the vCenter Server systems and ESXi hosts. The vCloud Networking and Security Manager provides network services for vCloud Director. vCloud administrators segregate and allocate vCloud resources to organizations through a web-based portal. Each organization gets its own portal as well, which gives consumers the means to create and manage their own virtual machines; access within the organization is controlled through a role-based model that the organization administrator sets up, so a user can only perform the operations their role permits. A vCloud administrator can also set the lease times that control how long vApps may run and how long they are stored.

Let us look at the hybrid cloud scenario:

  • vCloud Connector (vCC) is a key differentiator in the vCloud Suite for building a hybrid cloud.

  • vCC helps customers realize the hybrid cloud vision by giving them a single pane of glass to view, operate, and copy VMs, vApps, and templates across vSphere, vCloud Director, and vCloud service providers.

The following diagram gives an overview of this scenario:

vCloud administrators can also set quotas that limit the number of virtual machines an organization can have, define isolated or shared networks, control the network flow between them, establish pools of resources in advance, and implement security policies. The following figure shows the vCloud components and how they integrate:
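As an added example to go with the two preceding passages on organization leases and quotas (this is not code from the book or from VMware), the following Python script audits an organization's lease and quota settings offline from the AdminOrg XML that the vCloud API returns for GET /api/admin/org/{id}. The element names and the convention that 0 means unlimited or never expires follow the vCloud API 1.5 schema as I recall it, the lease ceilings are illustrative policy values, and the XML response is constructed rather than captured; check the element names against the API reference for your vCloud Director version before relying on the script.

```python
"""Audit a vCloud Director organization's vApp leases and VM quotas.

Added example; not code from the book or from VMware. Input is the AdminOrg
XML the vCloud API returns for GET /api/admin/org/{id}. Element names and the
"0 means unlimited / never expires" convention follow the vCloud API 1.5
schema as recalled by the example's author; confirm them for your version.
"""
import xml.etree.ElementTree as ET

NS = {"vc": "http://www.vmware.com/vcloud/v1.5"}
DAY = 24 * 3600

# Constructed sample (not a real capture): unlimited quotas, leases that
# never expire, expired vApps retained, catalogs publishable to other orgs.
WEAK_ORG_XML = """<AdminOrg xmlns="http://www.vmware.com/vcloud/v1.5" name="finance">
  <FullName>Finance Department</FullName>
  <IsEnabled>true</IsEnabled>
  <Settings>
    <OrgGeneralSettings>
      <CanPublishCatalogs>true</CanPublishCatalogs>
      <DeployedVMQuota>0</DeployedVMQuota>
      <StoredVmQuota>0</StoredVmQuota>
    </OrgGeneralSettings>
    <VAppLeaseSettings>
      <DeleteOnStorageLeaseExpiration>false</DeleteOnStorageLeaseExpiration>
      <DeploymentLeaseSeconds>0</DeploymentLeaseSeconds>
      <StorageLeaseSeconds>0</StorageLeaseSeconds>
    </VAppLeaseSettings>
  </Settings>
</AdminOrg>
"""

# The same constructed organization after hardening: hard quotas, a 7-day
# runtime lease, a 30-day storage lease, expired vApps deleted, no publishing.
HARDENED_ORG_XML = (
    WEAK_ORG_XML
    .replace("<CanPublishCatalogs>true", "<CanPublishCatalogs>false")
    .replace("<DeployedVMQuota>0", "<DeployedVMQuota>50")
    .replace("<StoredVmQuota>0", "<StoredVmQuota>100")
    .replace("<DeleteOnStorageLeaseExpiration>false", "<DeleteOnStorageLeaseExpiration>true")
    .replace("<DeploymentLeaseSeconds>0", "<DeploymentLeaseSeconds>%d" % (7 * DAY))
    .replace("<StorageLeaseSeconds>0", "<StorageLeaseSeconds>%d" % (30 * DAY))
)


def _text(root, path, default=""):
    """Text of the first element matching a namespaced path, or default."""
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def parse_org_settings(xml_text):
    """Extract the lease and quota values from an AdminOrg document."""
    root = ET.fromstring(xml_text)
    gen = "vc:Settings/vc:OrgGeneralSettings/vc:"
    lease = "vc:Settings/vc:VAppLeaseSettings/vc:"
    return {
        "name": root.get("name"),
        "can_publish_catalogs": _text(root, gen + "CanPublishCatalogs") == "true",
        "deployed_vm_quota": int(_text(root, gen + "DeployedVMQuota", "0")),
        "stored_vm_quota": int(_text(root, gen + "StoredVmQuota", "0")),
        "deployment_lease_s": int(_text(root, lease + "DeploymentLeaseSeconds", "0")),
        "storage_lease_s": int(_text(root, lease + "StorageLeaseSeconds", "0")),
        "delete_on_storage_expiry":
            _text(root, lease + "DeleteOnStorageLeaseExpiration") == "true",
    }


def audit_org(s, max_deployment_lease_s=7 * DAY, max_storage_lease_s=30 * DAY):
    """Return a list of findings; an empty list means the organization passes.

    The lease ceilings are illustrative policy values, not VMware defaults.
    """
    findings = []
    if s["deployed_vm_quota"] == 0:
        findings.append("running VM quota is unlimited")
    if s["stored_vm_quota"] == 0:
        findings.append("stored VM quota is unlimited")
    if s["deployment_lease_s"] == 0:
        findings.append("runtime lease never expires")
    elif s["deployment_lease_s"] > max_deployment_lease_s:
        findings.append("runtime lease exceeds %d day(s)" % (max_deployment_lease_s // DAY))
    if s["storage_lease_s"] == 0:
        findings.append("storage lease never expires")
    elif s["storage_lease_s"] > max_storage_lease_s:
        findings.append("storage lease exceeds %d day(s)" % (max_storage_lease_s // DAY))
    if not s["delete_on_storage_expiry"]:
        findings.append("expired vApps are retained instead of deleted")
    if s["can_publish_catalogs"]:
        findings.append("organization may publish catalogs to other tenants")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ORG_XML), ("hardened", HARDENED_ORG_XML)):
        settings = parse_org_settings(doc)
        findings = audit_org(settings)
        print("%s org %r: %s" % (label, settings["name"], "OK" if not findings else "FINDINGS"))
        for line in findings:
            print("  -", line)
```

Run as is, the script reports six findings for the weak organization and none for the hardened one. Against a live system you would fetch the AdminOrg document with an authenticated vCloud API session (the x-vcloud-authorization header) and pass the body to parse_org_settings. The point of the checks is that an unlimited lease or quota lets one tenant consume provider resources indefinitely, and a retained expired vApp keeps its disks, and whatever data sits on them, in provider storage long after the tenant has forgotten it.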

Other than the core vCloud components, you can add other VMware components to increase capability or control. One example is VMware vCenter Chargeback, which provides resource metering and reporting to facilitate chargeback of resource usage. vCenter Chargeback comprises the vCenter Chargeback server and the vCenter Chargeback data collector. Though Chargeback is an optional component, metering of this kind is what satisfies the "measured service" characteristic in the NIST (National Institute of Standards and Technology) definition of cloud computing. Another optional component is VMware vCloud Connector, which facilitates the transfer of a powered-off vApp in Open Virtualization Format (OVF) from a local cloud (this could also be a vSphere instance) to a remote cloud or vSphere instance. vCloud Connector is a virtual appliance installed in vSphere that handles all the logic of dealing with other clouds. Its GUI is displayed in the VMware vSphere Web Client or the C# client through the vCloud Connector browser plugin.