VMware introduced vShield Zones as part of the vSphere release along with VMware Data Recovery as a value-added product that is available in certain editions. I’m always interested in virtualization security products so I spent a lot of time checking out the product which resulted in me writing a series of tips about it. That was a while ago, so I thought I would summarize the information in this blog post and provide some use cases for vShield Zones.
Let’s start with what a vShield Zone is.
A vShield Zone is essentially a virtual security guard for your vSwitches that protects virtual machines (VMs) based on rules you define. If you took a physical firewall and did a physical-to-virtual (P2V) conversion, you would end up with a vShield Zone appliance that is a virtual firewall that works inside an ESX(i) host to protect the VMs on it.
Why would you want a virtual firewall instead of a physical one?
In some cases, a physical firewall can’t protect a VM. For example, if you have multiple VMs on the same vSwitch and port group on a host server, the network traffic between them never leaves the host to travel over the physical network, so a physical firewall cannot provide protection. Virtual firewalls are also complementary to physical firewalls and provide an additional layer of protection for your virtual machines.
What are some uses cases for vShield Zones?
Since a vShield Zone provides a protected area inside a vSwitch you might create one for new VMs until you can properly patch and harden them. Since you can control the port access into and out of the zone you can block all inbound connections and only allow outbound ones on the ports needed to update the server. Once the VM is ready to go out into the often-hostile network world you can move it from the Zone to another vSwitch or port group.
Another use case would be in a demilitarized zone (DMZ) environment; you can configure vShield Zones to sit in front of your VMs so any traffic from the Internet must go through the vShield Zone appliance before it can reach the VMs. With this configuration you can allow only Internet traffic on HTTP ports to reach your VMs to help prevent attacks and exploits that can occur on other TCP/IP ports.
A final use case would be to satisfy some of the many compliance regulations that require segmentation and isolation of certain servers based on their roles to protect them from other VMs and clients. For example the PCI (Payment Card Industry) specification states the following:
Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.
There is an obvious benefit to implementing segmentation using firewalls to help reduce the scope of your compliance efforts. It can get costly when you try to do this physically; setting up vShield Zone appliances is simple and easy and since it is already included in many editions of vSphere it would not cost you anything.
When I last looked at vShield Zones I felt that it was a decent product that provides an extra needed layer of network security built right into vSphere but lacked some of the robustness that some of the similar third-party vendor products offer. But it does provide all the basic functionality needed to protect your VMs, and since it is already part of vSphere I would recommend checking it out and see if it works for you.
VMware vShield Zones is still a 1.0 product and when I spoke to the team that developed it a while back they seemed very excited and proud of the product so I fully expect future releases of it to get better and better.
For more information on vShield Zones, including what is, how to install and configure it, and tips for using it, see the series of tips I wrote: