Deployment Scenarios; Protecting The Dmz; Isolating And Protecting Internal Networks - VMware VSHIELD APP 1.0 Quick Start Manual

vShield Quick Start Guide

Deployment Scenarios

Using vShield, you can build secure zones for a variety of virtual machine deployments. You can isolate virtual
machines based on specific applications, network segmentation, or custom compliance factors. Once you
determine your zoning policies, you can deploy vShield to enforce access rules to each of these zones.

Protecting the DMZ

The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services
within the DMZ might require access to services inside the internal network. You can place DMZ virtual
machines in a port group and secure that port group with a vShield Edge. vShield Edge provides access
services such as firewall, NAT, and VPN, as well as load balancing to secure DMZ services.
A common example of a DMZ service requiring an internal service is Microsoft Exchange. Microsoft Outlook
Web Access (OWA) commonly resides in the DMZ cluster, while the Microsoft Exchange back end is in the
internal cluster. On the internal cluster, you can create firewall rules to allow only Exchanged‐related requests
from the DMZ, identifying specific source‐to‐destination parameters. From the DMZ cluster, you can create
rules to allow outside access to the DMZ only to specific destinations using HTTP, FTP, or SMTP.

Isolating and Protecting Internal Networks

You can use a vShield Edge with the Port Group Isolation feature to isolate an internal network from the
external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual
machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN.
Within the secured port group, you can install a vShield App instance on each ESX host that the vDS spans to
secure communication between virtual machines in the internal network.
If you utilize VLAN tags to segment traffic, you can use App Firewall to create smarter access policies. Using
App Firewall instead of a physical firewall allows you to collapse or mix trust zones in shared ESX clusters. By
doing so, you gain optimal utilization and consolidation from features such as DRS and HA, instead of having
separate, fragmented clusters. Management of the overall ESX deployment as a single pool is less complex
than having separately managed pools.
For example, you use VLANs to segment virtual machine zones based on logical, organizational, or network
boundaries. Leveraging the Virtual Infrastructure SDK, the vShield Manager inventory panel displays a view
of your VLAN networks under the Networks view. You can build access rules for each VLAN network to
isolate virtual machines and drop untagged traffic to these machines.
10 VMware, Inc.