Author Archives: Rob Randell

A New Year and New VMware vShield Protection: Symantec Endpoint Protection

Written by Jeremiah Cornelius – Security Architect – VMware Global Strategic Alliances

VMware vShield Endpoint enables Symantec Endpoint Protection 12 – offloading anti-virus and anti-malware agent processing to a dedicated secure virtual appliance – streamlining deployment and monitoring for your VMware environment.

One year ago, there was really only a single option available if a VMware customer wished to use the vShield Endpoint introspection possible on vSphere to protect servers or virtual desktops.  As 2013 begins, the number of partner solutions has grown to a half-dozen and continues to grow. It’s probably an understatement to call the latest of these, “much anticipated”.  The introduction I’m referring to is Symantec’s Endpoint Protection 12.1.2. With the mid-December availability of Symantec’s entry to the field of virtual guest protection, we welcome a new year.

Symantec has been working with the VMware vCloud Security team for several years. Now, I’m glad to see that our shared customers can begin to enjoy the rewards of our strategic alliance.

“We collaborated closely with Symantec so that VMware vShield Endpoint and Symantec Endpoint Protection 12 will work together… our customers need the right security solutions to embrace virtualizing business critical applications and to accelerate cloud adoption.”

Parag Patel, vice president, VMware

Symantec support for VMware vSphere and View deployments delivers the opportunity for a unified solution across your entire infrastructure. By managing both physical and virtual endpoints through single, uniform policies and management, Symantec Endpoint Protection coupled with vShield Endpoint can now improve virtualization consolidation ratios and prevent anti-virus storms in the software-defined data center, alongside the traditional protection already relied upon. I’m also glad that the new Symantec Endpoint Protection release continues offering improvement in the detection engine and behavior-based blocking of “zero day” attacks. Technologies like Insight and SONAR allow a reduction of anti-virus scans and maximum performance. Effort has also been made to simplify your deployment and updating while improving the quality of reporting.

The additional benefit I’d like to share with customers for coupling Symantec’s protections with vShield Endpoint is the additional layer for defense in depth – agent-less and directly from the VMware Cloud infrastructure, without further guest configuration. This improves your overall security posture and compliance for the growing number of virtual machines deployed in testing, development, and private cloud deployments.

We also made it easier to acquire the vShield Endpoint part of this. Recognizing the value of ensuring security and compliance audit requirements for the expanding roles of virtualization and private clouds, VMware customers with valid Support and Subscription (SnS) contracts for vSphere Essentials Plus or higher editions are now entitled to vShield Endpoint functionality at no extra cost. This means that vShield Endpoint is now licensed with vSphere, and better positioned to deliver you these benefits with Symantec Endpoint Protection today.

Symantec has additional security solutions that work with VMware vShield and vCloud Networking and Security to create a broad set of solutions for VMware customers, to provide:

  • Optimized Endpoint Protection for High-density Virtual Environments
  • Orchestrated Data Loss Prevention
  • Compliance Across Converged Infrastructure
  • Protection for Virtual Data Centers Against Advanced Threats
  • Integrated Threat Intelligence

There are more details and information on these protections, including whitepapers and solution briefs, at VMware Solutions Exchange and Symantec Partner: VMware.

vShield Automation

Automation is a powerful tool, with automation we can not only make our lives as administrators easier and less cumbersome but also enable products to do things automagically that they never could do before.

This quote, which I really liked, can be attributed to VMware's very own Alan Renouf.  Alan is somewhat of an automation genius here at VMware, putting together all kinds of cool scripts and workflows to do all kinds of neat stuff.  Well, he has taken his skills and applied them to the vShield REST APIs, and has graciously made the work that he has done available for all to leverage.

If you are interested in automating your vShield deployments through PowerShell, Alan has developed a PowerShell module that leverages the vShield REST APIs.  It lets you do many things, from automating the deployment of vShield App and Edge appliances to updating policies and more.

He posted it here on his personal blog.  He is planning a series of blog posts with more on what powerful operations you can perform with this module and how you can do it. So if you are interested, I would highly suggest you start to follow his blog more closely.

Rob Randell, CISSP – Principal CIM Architect – Security and Compliance Specialist

Security in the New Virtualized World…..The “Cloud”

Hi fellow security gurus….Ana Seijas from Security & Compliance Specialist team here at VMware. I wanted to bring you up to speed on some exciting things happening with virtual security and getting you on the Virtual Security Journey……

It’s been a few months since VMworld 2011, but security made a big splash!  So much so that I've been talking to a lot of customers about what they heard there.  With all the talk about cloud, virtual desktops and agility come new concerns for everyone about how we are going to secure these things we can no longer see or touch.

I see the security industry as a whole still very immature when it comes to understanding virtualization and how it can be used to provide agility, better processes, more control and overall better security.  

I've been in security for well over 20 years and although security, compliance and governance have become critical to organizations, little has been done with it to take advantage of the new agile infrastructures customers are building.

Every company out there has some virtualization…and IT as a whole is changing to support the Facebook generation.  So IT has to move fast to provide the apps that customers want to consume instantly while still making sure to meet the security policies and requirements of so many regulations, while also keeping the hackers out and their brand intact.

VMware has led the change in how we consume IT….servers, memory, storage and now desktops can all be virtualized.  So what about security?

Well I believe VMware is leading the way there as well.   Last year at VMworld 2010, VMware announced the vShield suite of products and APIs and the beginning of a new way to consume security.   In the last year, not only have the vShield products been enhanced but 3rd party security vendors are now taking their products and not only making them virtualization aware but also taking advantage of the automation that this new infrastructure provides.   VMware has shaken the security industry and security vendors are hurrying to have the best products for the cloud era.

So what does that mean to customers, and specifically to the security teams in their organizations?

For most customers, sometimes security is an afterthought, a burden to maintain…inflexible and the list goes on…. Why not build security right into the platform and make it transparent by automating it.  Security as a Service!

As customers begin to virtualize more of their tier 1 apps, security is beginning to get more involved.  As a security person I urge other security practitioners to get on the virtualization journey and learn how to do better security through virtualization.

Let me give you the top advantages of virtualization and how they can help with security:

1. Built in HA (High Availability) and FT (Fault Tolerance) for VMs and VMs running 3rd party security solutions
2. Isolation in ESX and ESXi is built in by design along with memory protection
3. Ability to automate disaster recovery with tools like SRM (Site Recovery Manager)
4. Ability to automate moving VMs causing malicious activity to a quarantined area using the REST APIs available in vShield products
5. Ability to automate security processes with vCO (vCenter Orchestrator) plugins available for Active Directory, UCS, NetApp, SOAP and REST.
6. Automated compliance using vCM (vCenter Configuration Manager) to continuously monitor and remediate both physical and virtual environments.

At this year's VMworld, a slew of 3rd party security vendors were on hand showcasing their new virtually aware technologies….never mind the enormous amount of backup and availability products.

McAfee, Symantec, Trend, BitDefender, Kaspersky, and Sophos all made announcements or showcased their support for vShield Endpoint and agentless AV.

Lumension is also using vShield Endpoint for their whitelisting and blacklisting product.

Hytrust, CA, and Catbird all showcased virtualization-aware security and compliance tools.

Sourcefire, NetOptics, McAfee, and HP TippingPoint are inspecting inter-VM traffic and showcasing network security solutions.

LogLogic, Splunk, and Envision showcased event management and correlation of vSphere events.

And the list continues to grow!  I suggest taking a look at these products that are bringing the same level of security to the virtual world.  Challenge the security vendors you have today to take the virtualization journey that the rest of your organization is on.

Discounted Beta Course for vCenter Configuration Manager

One of the best ways to get value faster from VMware products is to train your team.  The benefit is especially powerful with hands-on training: when people have had a chance to get their hands dirty with a new tool in an environment where it’s OK to make mistakes, they will be more confident and effective when they get back to the shop.  VMware is launching hands-on instructor led training on VMware vCenter Configuration Manager, and I wanted to tell you about a special opportunity.

VMware Customer Education wants to recruit your participation in the beta delivery of our VCM training course.  VMware Education's beta classes let you get training early and at a big discount.  If you anticipate having to work with VMware vCenter Configuration Manager hands-on in the not-too-distant future, you’re in the intended audience for the beta.  If you've already worked hands-on with VCM yourself, please share this announcement with a co-worker who hasn't.

The VCM course is 5 days of instructor-led hands-on training, with live labs and case studies.  The beta delivery is being held in Houston, Texas, USA, from August 8 through 12. Participants will learn about VCM 5.4 installation and use as a compliance and provisioning tool.  Here's the datasheet:

The course is open to VMware customers and partners.  All categories of participants get an approx. 50% discount off the list price of the course when it ships.  The price per seat including this discount is US$1875 or 19 PSO Credits.  (No further discounts are applied on top of the beta discount.)

Here's the link to enroll:

If you take part in the beta class, feel free to post in the Security & Compliance forum about your experiences once it’s done.


Analogies and The Principle of Least Privilege

Ana Seijas here, one of the newest members of the VMware Security & Compliance team.  So I've been doing security for a long time…started as an external systems auditor and then moved on to internal audit, consulting, training, CISO, but the one thing I've enjoyed the most was being a Systems Engineer.  So I've been an SE, as they are most commonly known, for a number of years and for several very large companies.   As SEs we play consultant, sales person, techie or plain listener for our customers…and with all of these hats the one thing in common is that we do a lot of presenting!  As soon as there's even just one person in the room, we're ready to present….be it a PowerPoint, whiteboard, or napkin!  So over the years I've taken many presentation classes….and although I've learned many cool techniques, the one thing that stands out and I try to do most of all is create analogies of technical stuff to real-world stuff.  It's how I can make people remember what this stuff really does!

So when I joined VMware a few months ago and was introduced to our vShield products, I knew that I would be presenting them soon enough. So as I learned the features, functions, and use cases…I started to think of the analogies…so here goes…

Customers secure their data and assets from all those bad guys out on the internet with firewalls, IPS, switches, routers, load balancers and whatever new technology they can find.  For the most part they've learned to build a very "hard shell" around the outside of their company.  In most cases it's very hard to get inside a customer's network from the internet (although these days it seems like everybody is being hacked!)…for the most part that "hard shell" exists…but once I'm on the inside as an employee with access, it's a "soft and chewy inside" and that's where the problems exist.  It's way too expensive ($$$, people, process and complexity) for a customer to completely isolate every application, group, line of business, or piece of data they have, and so for the most part…access on the internal network allows me to see or poke around more than I need to.   Curiosity kills the cat, or more likely leads to data leakage or stolen information.

VMware's vShield products can help customers maintain that "hard shell" around their virtual datacenters, but also provide "crunch for the soft and chewy inside"…its like sticking a pretzel in it!

Let me explain further!  vShield Edge is a stateful inspection firewall that can provide perimeter security for the virtual datacenter.  It follows the same guiding principles as other firewalls but also includes site-to-site VPN and load balancing capabilities for securing the different tenants, companies, countries, lines of business, stores, offices, etc. that exist in your virtual infrastructure.   Adding vShield App allows the customer to define security groups inside of the virtual datacenter for different trust zones (e.g. PCI, DMZ, HIPAA), applications (web servers, SAP, Oracle, etc.) or groups (finance, HR, development, etc.) and define security rules based on their actual business needs as opposed to how the infrastructure or network was created, thus providing that crunch on the inside.

With vShield App, organizations can become more secure by limiting the ability for the curious employee with "the roaming eyes" to access or see information that they don't need.  It’s the ability to apply the principle of least privilege in a logical manner at the network layer. 

So what is the principle of least privilege: As per PCMag's Encyclopedia – A basic principle in information security that holds that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions. For example, the restrictive "need-to-know" approach defines zero access by default and then opens security as required. All data in a corporate network would be off-limits except to specific people or groups based on Role Based Access Controls.

Now the principle of least privilege implies getting down to access that is as granular as possible, so the vShield products only provide another layer of granular access control for network and inter-VM traffic.  You still need to provide granularity using Role Based Access Controls in vCenter, your network devices, the guest OS and applications, to name a few.

So if your security team is coming down on you to protect more and more of your data for PCI, HIPAA, or whatever the reason, show them how smart you are on security and tell them you're going to virtualize more so you can provide more access controls and enhance the principle of least privilege by using vShield!

Updated DISA Guidelines for VCM

The VMware Center for Policy and Compliance is pleased to announce our latest content update for DISA in vCenter Configuration Manager™ (VCM).

What’s new in this package?

  • Windows XP – v6.1.21
  • Windows 2000 – v6.1.12
  • Windows 2003 – v6.1.21
  • Windows 2008 – v6.1.14
  • Windows 7 – v1.4
  • Windows Vista – v6.1.21
  • UNIX & Linux – v5.1.29

How does this help you address your compliance needs?

As a combat support agency, the Defense Information Systems Agency (DISA) plays a vital role in the delivery of information technology services and capabilities to the warfighter. From the fundamental to the tactical, DISA's mission touches all facets of the DoD IT environment. The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD IA and IA-enabled devices/systems. This content and guidance is adopted by SOX, GLBA, HIPAA & FISMA. In fact, most healthcare providers are now adopting DISA guidelines as best practices within their enterprise. Using VCM you can now continuously apply this content to your virtual and physical environment and quickly remediate deltas.

How do you get it?
Customers wishing to harden their vSphere environment can download the new content via the VCM Content Wizard.

George Gerchow VMware Director, Center for Policy & Compliance

vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM) Released

The VMware Center for Policy and Compliance is excited to announce our content release of the vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM).
CP&C is a group of folks with alphabet soup behind their names who build content and thought leadership and evangelize our Security & Compliance strategy all over the planet.
Why should you care about this latest release? That’s easy: the content supports ESX 4.1, ESXi 4.1 and vCenter 4.1. That means we can automate the continuous collection of data, compare it to our standards and within minutes provide prescriptive guidance on best practices and reduce the LONG, painful audit cycle.
Together, VCM and Host Profiles become an important part of creating a trusted virtual environment.  With VCM and the new CP&C content you can harden your ESX/i hosts based on vSphere standards and use Host Profiles to push these secure settings across your virtual infrastructure.  There is no longer a need to painstakingly pore over the best practices or reference technical documentation in order to configure the Host Profile reference host(s) to meet these standards.
By the way, these standards have been recommended to the PCI Security Council as a benchmark for 2.0 content around virtualization. (Stay tuned!)
Yours truly, George Gerchow – VMware Director of CP&C.
vSphere 4.1 Security Hardening Guidelines Compliance Dashboard snapshots:





Quick Note on a Nice Blog Post from our Friends at Sourcefire

Rob Randell here with a quick note to point folks at a nice blog post from Sourcefire PM Richard Park.  He does an excellent job there outlining what it takes to integrate with vShield through the vShield REST API.  In this post he focuses on "…how to use the API to programmatically make firewall rule changes."  He also points out a few other things you can do with the API, like:

  • List the current firewall ruleset
  • Add new rules
  • Get a list of past firewall revisions
  • Revert back to a previous ruleset revision

These capabilities are just the tip of the iceberg.  This REST API is key to the vShield product line because it allows our partners to integrate their products very easily and customers to automate security policy enforcement within their vSphere implementations.

For more information on the API here is a quick link to the vShield API Programming Guide.  We'll revisit the APIs in much greater detail in a future post.

vShield App and View Desktops: Desktop Security Zones and the Desktop DMZ

Hi…Rob Randell here again.  In an earlier posting on the partner announcements at the RSA and HIMSS Conferences, I promised that I would go into detail on how we can leverage VMware View to provide what I like to call Desktop Security Zones and the Desktop DMZ.  In this blog I am going to illustrate this in a use case on a hospital network. 

Specifically, in this use case we have two primary sets of users: Doctors and Hospital Administrators.  The doctors need to have access to the medical records of their patients.  These records reside in a medical records app on the hospital’s internal network that they access via a browser. 

The hospital administrators on the other hand need access to the billing and insurance information of these patients.  This data resides on another set of servers also served up via a web application on the local hospital network.

The doctors have no reason to access the billing or insurance info for their patients and the hospital admins don’t need access to the medical information.  Both the doctors and the hospital admins need access to the web though so they can do research and check on personal matters. 

So based on this case study we are going to have three sets of virtual desktops:

  1. Doctor Desktops
  2. Hospital Administrator Desktops
  3. Web Browsing Desktops

We have two different users that we are going to demonstrate this use case for.  The first is Doc Jones and the second is Hoss Admin.  You can probably guess who is the doctor and who is the hospital admin. 

The first step we need to take in our configuration is to put Doc Jones and Hoss Admin into Active Directory groups that match them to their roles.  In our case, the AD groups are simply “Doctors” and “Hospital Administrators”.  These can be seen in the screenshot below.


The next step happens in vCenter where we need to create some resource pools for the housing of our different desktop pools.  These will be necessary for our vShield App rule creation later.  We need to create three resource pools for our different virtual desktops: “Browsing Desktops”, “DoctorDesktops”, and “HospitalAdminDesktops”.  The screenshot below shows the three resource pools we created for our virtual desktops. 

Now that we have created our groups in AD and resource pools in vCenter, we need to create the Desktop Pools within the View Manager.  We will create three desktop pools to match up with the roles we talked about earlier: BrowserDesktops, DocDesktops, and HospitalAdminDesktops.  You can imagine having additional pools here for other roles within a hospital like nurses, pharmacists, etc… For our use case we will focus on the Doctors, the Hospital Admins and the browsing desktops.  These can be seen in the screenshot below.


Next we configured the entitlements to give the user access to their desktop specific to their roles and the browsing desktop.   




OK, now that we have our desktop pools provisioned, we need to create the rules necessary for the desktops to work properly.  This includes ensuring that Windows works properly and can communicate with everything it needs like DNS, AD, NTP, etc…  Lots of Windows rules to create, as can be seen in the screenshot below.   Click on the screenshot to see the full image.


Communication with the View Server needs to be opened up to allow for PCoIP, USB redirection (if needed), etc…  We have up to 4 rules per desktop pool: TCP and UDP for PCoIP, to allow the View Client to connect to the View Desktop so the PCoIP display protocol works; JMS, to allow the View Agent to communicate with the View Manager; and USB Redirection, which is tunneled through the View Manager.  Of course, in most cases I would argue that it is a good idea to block this last kind of traffic unless it is absolutely necessary.  In this case, it would be reasonable, and likely, that we would disable and block USB Redirection, as we probably wouldn’t want the Doctors and Hospital Admins to be able to copy data off of their virtual desktops to a USB drive.   So in our case we will only have three rules per desktop pool (PCoIP over both TCP and UDP, and JMS).  Click on the screenshot to see the full image.


Note that the creation of these rules can be scripted so as new desktop pools are created, we can then run a quick script to add the necessary rules. 

Next we need to create the rules to allow the doctors access to the medical app and the hospital admins access to the billing and insurance app.  In this case, albeit very simple, it shows that the Doctors are entitled to the “Doctor Desktops”, which are restricted by vShield App to only have access to the Medical Servers.  The Hospital Admins are entitled to the “Hospital Admin Desktops”, which are restricted by vShield App to only have access to the Billing Servers. 

We used vApps to group the Medical Servers and Billing Servers.  Doing this made creating our rules very easy as we just choose the “Medical Servers” and “Billing Servers” vApps for our destinations and the “HospitalAdminDesktops” and “DoctorDesktops” Resource Pools as opposed to doing some sort of IP subnet based rules.   Both the medical app servers and the hospital app servers provide access via SSL.  


Both sets of users get their Internet access only from the browsing desktops, as the other desktops are not allowed Internet access.  Notice that we deny the “Browsing Desktops” access to all internal IP addresses.  If traffic does not match these deny rules, the destination is an external IP address, and there we allow these desktops HTTP and HTTPS access.  If we wanted to we could allow additional protocols, but for the purposes of our hospital, they should only need these basic protocols.  Also, if we wanted to send a syslog message any time one of the browsing desktops attempted to access an internal resource and was denied, we could check the “Log” checkbox in those rules.  In this case we didn’t choose to do that.


The doctors and hospital administrators now have access to their desktop and any of the resources that their particular desktop is capable of connecting to. This network access is controlled through vShield App where the View Connection Server controls the access to the desktop.  In this case, you can see the vShield App firewall rule that shows the DoctorDesktops have access to the Medical Servers.  Notice that we created these rules based on the resource pool where View Composer deploys the doctor’s desktops (DoctorDesktops) as the source and the vApp that contains the medical application (Medical Servers) as the destination.  Pretty simple, huh?  

Interestingly, it was pointed out to me by Rob Babb that we could make this even simpler for the browsing desktops by setting up a proxy server.  This could be the single point of access to the Internet and would make setting up the rules even simpler as we wouldn’t need the “Deny” rules to the internal networks for the BrowsingDesktops.  All we would need is an allow rule for these desktops to the proxy server, as the deny to the rest of the network would be handled by the default deny rules we have setup at the bottom of our rule set.
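To make the rule design above concrete, here is a small model of the rule set, as an added example that is not VMware's code or the post's actual configuration. Sources and destinations are the vCenter containers the post uses (resource pools for desktop pools, vApps for the server groups); the VM names, addresses, the internal range and the proxy port are constructed for the example, and the proxy variant suggested by Rob Babb is included as a second rule set.

```python
"""Worked model of the vShield App rule set described in the post (added example).

Not VMware's code or the post's own configuration. Rules are keyed on vCenter
containers exactly as in the post; VM names, IP addresses, the internal range
and the proxy port are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed inventory: vCenter container -> member VMs.
CONTAINERS = {
    "DoctorDesktops": {"docvm1", "docvm2"},      # resource pool
    "HospitalAdminDesktops": {"hossvm1"},        # resource pool
    "BrowsingDesktops": {"webvm1", "webvm2"},    # resource pool
    "Medical Servers": {"medweb1"},              # vApp
    "Billing Servers": {"billweb1"},             # vApp
    "Proxy": {"proxy1"},                         # vApp, used by the proxy variant
}
# Constructed addressing; 10.0.0.0/8 plays the hospital's internal space.
VM_IP = {
    "docvm1": "10.10.1.11", "docvm2": "10.10.1.12", "hossvm1": "10.10.2.11",
    "webvm1": "10.10.3.11", "webvm2": "10.10.3.12",
    "medweb1": "10.20.1.5", "billweb1": "10.20.2.5", "proxy1": "10.20.3.8",
}
INTERNAL = (ipaddress.ip_network("10.0.0.0/8"),)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # container name or "any"
    dest: str            # container name, "Internal" (all internal IPs) or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"
    log: bool = False    # the "Log" checkbox: emit syslog when the rule hits


# Rule set as described: container-based allows, browsing desktops kept off
# the internal network, and the default deny at the bottom.
RULES = (
    Rule("DoctorsToMedical", "DoctorDesktops", "Medical Servers", "tcp", 443, "allow"),
    Rule("AdminsToBilling", "HospitalAdminDesktops", "Billing Servers", "tcp", 443, "allow"),
    # The post left Log unchecked; it is enabled here to show the effect.
    Rule("BrowsingDenyInternal", "BrowsingDesktops", "Internal", "any", None, "deny", log=True),
    Rule("BrowsingHTTP", "BrowsingDesktops", "any", "tcp", 80, "allow"),
    Rule("BrowsingHTTPS", "BrowsingDesktops", "any", "tcp", 443, "allow"),
    Rule("DefaultDeny", "any", "any", "any", None, "deny"),
)

# Proxy variant: one allow to the proxy vApp replaces the three browsing rules;
# everything else falls through to the default deny. Port 3128 is assumed.
RULES_WITH_PROXY = (
    RULES[0], RULES[1],
    Rule("BrowsingToProxy", "BrowsingDesktops", "Proxy", "tcp", 3128, "allow"),
    RULES[-1],
)


def _dest_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.dest == "any":
        return True
    if rule.dest == "Internal":
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in INTERNAL)
    # Container membership is resolved at evaluation time, so a desktop added
    # to a pool tomorrow is covered without touching the rules.
    return any(VM_IP[vm] == dst_ip for vm in CONTAINERS.get(rule.dest, ()))


def evaluate(rules: Sequence[Rule], src_vm: str, dst_ip: str,
             proto: str, port: int) -> Tuple[str, str, bool]:
    """First-match evaluation; returns (action, matching rule name, log flag)."""
    for r in rules:
        src_ok = r.source == "any" or src_vm in CONTAINERS.get(r.source, ())
        proto_ok = r.proto in ("any", proto)
        port_ok = r.port is None or r.port == port
        if src_ok and proto_ok and port_ok and _dest_matches(r, dst_ip):
            return r.action, r.name, r.log
    return "deny", "ImplicitDeny", False  # unreachable while DefaultDeny is last


if __name__ == "__main__":
    # Doc Jones on docvm2: medical app allowed; billing app and the web denied.
    print(evaluate(RULES, "docvm2", VM_IP["medweb1"], "tcp", 443))
    print(evaluate(RULES, "docvm2", VM_IP["billweb1"], "tcp", 443))
    print(evaluate(RULES, "webvm1", VM_IP["medweb1"], "tcp", 443))
    print(evaluate(RULES, "webvm1", "203.0.113.10", "tcp", 443))
```

Running the checks against both rule sets shows why the proxy variant is simpler: with no path to the proxy, a browsing desktop's attempt to reach an internal server is caught by the default deny rather than needing its own deny rule.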

Now it is time for the users to login.  We will show the instance of a doctor logging in.  The doctor will run the View Client on their iPad, Thin/Zero Client, laptop, or any other device.  In this case we will show the login with the standard View Client from a Windows machine.


Doc Jones will then authenticate to the connection server.  In this case he is using standard AD credentials, but we could use a smartcard or SecurID as well.


Once authenticated, the doctor will have a choice of whether they want to log in to the “Doctor Desktops” or the “Web Browsing Desktop”.  Once they choose a desktop, the login credentials they provided to the View Client are automatically passed through using the single sign-on capabilities of VMware View.


In this case we are logging them into their main desktop so they can gain access to the medical server, but are not allowed access to anything else.   This can be seen in the screenshots below.



Here we can see both the allowed and blocked connections for the docvm2, which is the desktop that Doc Jones was using.


So to summarize, with a minimal amount of work, we were able to set up two desktop pools that are entitled to specific sets of users and which, protected with vShield App, are restricted to accessing only a specific set of resources.  Make note that these rules are good for one desktop or 1000 desktops, as they apply to the resource pools rather than to individual desktops.  So we don’t have to constantly add rules as new desktops are added or old desktops are removed.

The cool thing about this is that we can automate this even more to make it even easier which I didn't address in this posting.  I also didn’t talk about how we could use vShield Endpoint and vShield Edge in this use case.  Not to mention adding in partner solutions for IDS/IPS protections as well.  Stay tuned for more on all of this.

Security FAQ: My vShield Endpoint SVM is not responding, what do I do?

Hey…Rob Randell here again.  A new feature that we will be sprinkling into the security blog is entries that talk about interesting or frequently asked questions that we feel deserve more explanation than just an answer to the person who asked.

Recently we had a question come up a few times as to the resiliency of the vShield Endpoint SVM and what happens if it fails or if the app itself stops responding.  Specifically, the question is: “What kind of availability capabilities do we have for the vShield Endpoint SVM?”

The issue obviously is that if it does fail, the VMs being protected by the SVM for AV scanning will be vulnerable to viruses during the time it is down.  So because of this issue, we’ve built in “health monitoring” of all of its components through standard vCenter Events and Alerts.  These events can trigger an alert in vCenter, which in turn can trigger an action.   This is well documented in the vShield Admin Guide starting on page 81.  That said, we thought it would be worthwhile to discuss this in deeper detail to bring it to folks' attention.

The vShield Endpoint SVM that is provided by our partners is constantly monitored by the vShield Manager.  If for some reason the SVM stops responding, the vShield Manager will send an event to vCenter that will trigger an alarm.   The screenshot below shows the prebuilt alarm for alerting on the status of the SVM appliance itself.

Alarm Setting - General

These alarms can be used to perform a number of actions like sending a notification email or SNMP trap, resetting the SVM, or rebooting the VM.  In addition, the host can be put into maintenance mode, which will force all VMs to migrate to other hosts in the same resource container that have working SVMs providing protection.  It can even be configured to run a command.  For example, because the SVM is stateless, a standby SVM can be configured (by cloning the original SVM after registration) to take over in case of a failure.  This can be accomplished through a script which is run should the alarm be triggered.  This allows us to minimize the downtime of an SVM as well as get notified should an issue such as this arise, so it can be responded to very quickly.  The screenshot below shows a subset of the list of actions that can be taken.

Alarm Settings - Actions

So in short, there are a number of options to provide resiliency and redundancy into the deployment of the vShield Endpoint SVMs.  Expect more of these FAQ type blogs in the future on the VMware Security Blog.