Network Preparations 2
  Leverage the Checklists and Worksheets 2
  Configure the Physical Switch 2
  Configure VLAN Translation in the IPS 3
  Designate IP addresses for vController components 4
  Configure the Firewall for Internet Access 4
VMware Environment Preparations 5
  Designate VMware Host for VMC Server 5
  Designate Host for VMC Client 5
  Verify each VMware Host Has Sufficient Resources for the vController 5
Deploy the VMC Management Application 6
  Deploy the VMC Server 6
  Configure the VMC Server 7
  Install the VMC Client and Connect to the VMC Server 8
Configure the VMC for Discovery of VMware ESX/ESXi Hosts 10
Copyright © 2010 TippingPoint Technologies, Inc. TippingPoint®, the TippingPoint logo, and Digital Vaccine® are
registered trademarks of TippingPoint Technologies, Inc. All other company and product names may be trademarks of
their respective holders. All rights reserved. This document contains confidential information, trade secrets or both,
which are the property of TippingPoint Technologies, Inc. No part of this documentation may be reproduced in any form
or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written
permission from TippingPoint Technologies, Inc. or one of its subsidiaries.
TippingPoint Technologies, Inc. reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of TippingPoint Technologies, Inc. to provide notification of such revision or
change.
TippingPoint Technologies, Inc. provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability,
satisfactory quality, and fitness for a particular purpose. TippingPoint Technologies, Inc. may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on
removable media described in this documentation, it is furnished under a license agreement included with the product as
a separate document.
United States Government Legend: All technical data and computer software is commercial in nature and developed
solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014
(June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in TippingPoint’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not
to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or
delivered to you in conjunction with this guide.
Unless otherwise indicated, TippingPoint registered trademarks are registered in the United States and may or may not be
registered in other countries.
Microsoft and Windows are registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
Other brand and product names may be registered trademarks or trademarks of their respective holders.
Installation and Configuration Guide
Overview of vController Solution
This document provides a brief summary of the installation procedures for the TippingPoint Virtual
Controller (vController). The vController is a software solution that enables network traffic within a
VMware-based virtual environment to be inspected and filtered by a TippingPoint Intrusion Prevention
System (IPS) on the external physical LAN. Because the solution uses standard Ethernet technologies, it
allows an existing IPS to be leveraged by multiple VMware hosts with little or no modification.
The vController solution requires that the following components be deployed into an existing VMware
vSphere environment:
• The vController management application, referred to as the Virtual Management Center (VMC),
which is comprised of a management server and a client console
• The vController itself, which is deployed to each VMware ESX/ESXi host whose virtual machine
network traffic is to be inspected by the TippingPoint IPS
• The vController VMsafe module, which is deployed to the VMware hypervisor of each virtual
machine whose network traffic is to be inspected by the TippingPoint IPS
The vController solution requires the following from the physical network upon which the IPS resides:
• A TippingPoint IPS, operating TippingPoint Operating System (TOS) v3.1 or later, which initially is
available on the IPS N-Platform series.
• A network device that supports VLANs.
Because the vController inspects traffic that is passing between VMware virtual machines, the VMware
environment must meet the following vController versioning requirements:
• The VMware environment in which the vController solution is deployed must be built on VMware
vSphere 4.0 Update 1.
• The VMware environment must include at least one instance of vCenter 4.0, the vSphere
management console. Only the Windows version of vCenter 4.0 is supported by the vController.
• The VMware hosts upon which the vController is installed must be running VMware ESX/ESXi 4.0.
Network Preparations
Leverage the Checklists and Worksheets
The tasks to prepare the network are precise in both their order and their actions. Failure to perform
these tasks appropriately may result in a network loop condition or a failed vController installation.
To ensure all the tasks are performed, and performed in the correct order, make use of the vController
Pre-Installation Checklist document. While similar information is contained in this document, the
checklists offer a direct, step-by-step approach to preparing the network.
CAUTION: Do not connect cables between the physical switch and the IPS until all
switch interfaces are configured. Failure to do so may result in a network loop condition.
Configure the Physical Switch
The vController solution assumes a VLAN-capable physical switch resides in the network path between
the ESX/ESXi host and the IPS. The physical switch ensures a distinct tunnel exists for each
vController-to-IPS network path. Within each of these paths, the switch ensures the separation of
inspected and uninspected traffic, made possible through the use of virtual local area networks,
known as VLANs.
The solution requires specific configuration tasks be performed on the switch before the vController
software is deployed and before the IPS is physically connected to the switch.
Configure Interfaces
For each vController-to-IPS network path, at least three interfaces on the physical switch must be
configured. The first two interfaces are the pair designated to connect to the IPS. The third interface is the
one between the switch and the ESX/ESXi host upon which the vController is deployed.
Define VLANs
The vController solution uses VLAN translation functionality within the IPS device and therefore
requires that the networking environment in which the IPS resides supports VLANs. VLANs are used
to tunnel uninspected and inspected traffic between the virtual machines and the TippingPoint IPS,
which uses VLAN translation to translate traffic between two VLANs.
Each vController installed on a VMware ESX/ESXi host requires the use of two VLANs. The virtual
machines running on an ESX/ESXi host use the VLAN IDs to tag each network packet, according to the
802.1Q specification, to ensure the packet follows the correct route to the IPS and then follows the
correct route to the packet’s intended destination. The VLAN through which traffic moves from the
vController to the IPS is termed the outbound VLAN. The VLAN through which traffic moves from the
IPS back to the vController is termed the inbound VLAN.
To prepare the physical network, define a pair of VLANs for each vController that will be deployed, and
document which VLAN IDs to assign to each vController. The information will be requested during the
deployment and configuration of each vController.
To learn more about defining and configuring VLANs, refer to the configuration guide for your physical
switch.
Assign VLANs to Switch-to-Host Interface
Because both inbound and outbound network traffic passes through the switch interface that connects,
physically, to the ESX/ESXi host, the interface must reside within both the inbound and outbound
VLANs.
To accomplish this, configure the interface to be a trunk link, then assign both VLANs to the interface.
If multiple connections are implemented, for redundancy or pooling purposes, repeat this task for each
switch-to-host interface through which the vController-to-IPS traffic flows.
Configure VLAN Translation in the IPS
An IPS VLAN translation rule similar to Side A:<VLAN ID x> to Side B:<VLAN ID y>, with auto-reverse enabled,
must be created. A separate VLAN translation rule must be created for each deployed vController.
Note: Initial support for VLAN translation was released in the TippingPoint N-
Platform IPS series, running TippingPoint OS (TOS) v3.1.1.
Designate IP addresses for vController components
For each VMware ESX/ESXi host whose virtual machine network traffic is targeted for inspection, the
vController solution installs the vController. The vController requires its own network identity and
therefore requires its own IP address. It must reside on the same network as the VMC and at least one
vCenter Server. Document the IP address, network mask, gateway, and so on for each vController for
use in a future installation procedure.
Configure the Firewall for Internet Access
The following TCP ports need to be open for communications between the components:
Source       Destination                  Purpose                                     Protocol/Ports
VMC Server   Each ESX host being managed  Deployment of vController. Software asset   SSL, TCP 443, 902
                                          inventory collection.
VMware Environment Preparations
Designate VMware Host for VMC Server
Only one VMC Server is needed to manage multiple deployed vControllers. Designate an appropriate
VMware ESX/ESXi host upon which the VMC Server will be deployed.
Designate Host for VMC Client
Designate an appropriate virtual machine or physical system upon which the VMC Client will be
installed.
Verify each VMware Host Has Sufficient Resources for the vController
The vController is itself a virtual machine. It must reside on each VMware ESX/ESXi host whose virtual
machine network traffic will be inspected. The vController minimum system requirements are one
CPU, 640 MB of RAM, and one GB of disk space.
Verify that each VMware ESX/ESXi host has sufficient available resources to allocate to the vController.
Deploy the VMC Management Application
Deploy the VMC Server
The VMC Server is pre-packaged as a virtual machine, compressed using the VMware Open
Virtualization Format (OVF). The virtual machine contains an installed and ready-to-be-configured
instance of the VMC Server. It also contains the distribution package for the VMC Client as well as the
vController.
1. Log on to the vCenter Server that manages the ESX/ESXi host upon which you want to deploy
the VMC Server.
2. Select the host to which you want to deploy the VMC Server.
Configure the VMC Server
Note: While it is not possible to go back a step in the Setup Helper, note that the
process can be aborted at the end of the wizard before any configuration
changes have been made. The wizard can be rerun at any time to modify
configuration settings.
CAUTION: Each time Setup Helper is run and a configuration change is made, the
software will reset any active VMC client connections.
Install the VMC Client and Connect to the VMC Server
1. Log on to the virtual machine or physical system on which you want to install the VMC Client. It
must have connectivity to the VMC Server.
2. Open a web browser and enter the IP address of the VMC Server.
3. When the browser connects to the VMC Server, the TippingPoint vController web page
displays. Click the “Download TippingPoint vController Client” link and save the file.
4. Locate the file, which is a standard Microsoft Windows installer. Launch the file by double-
clicking it.
5. Step through the installation wizard, closing it when complete.
The VMC Client installs.
6. Launch the VMC Client using the desktop icon or through the Start->Programs->TippingPoint
menu.
7. The startup screen prompts for logon credentials to the VMC Server. Enter the IP address/
hostname and administrative credentials that were entered in the VMC Server Setup Helper
wizard.
Note: Until at least one VMware host has been identified to, and discovered by,
the VMC, the VMC continues to request this information each time a VMC client
logs on to the VMC server.
Configure the VMC for Discovery of VMware ESX/ESXi Hosts
The VMC presents the following dialog box to perform discovery of VMware hosts.
In the first field, enter the IP address or hostname of a vCenter Server that manages ESX/ESXi hosts
whose virtual machine network traffic is targeted for inspection by the IPS. In the second field, enter a
name that uniquely identifies the host to the VMC, or choose to keep the same name as entered in the
first field. In the next two fields, enter the credentials needed to log on to the vCenter Server. The
credentials must be sufficient to create virtual machines and manipulate network configurations.
To discover hosts immediately, leave the Enable Harvesting box checked. Discovery of the hosts may
take a few seconds or a few minutes, depending on the number of hosts being discovered and the
performance of the vCenter Server.
Note: The VMC uses the term Virtual Management Server (VMS) as a generic
identifier for all virtual environment management applications. The VMware
management application is the vCenter.
The following steps summarize the procedure to deploy a vController to a single ESX/ESXi host.
6. Select a vSwitch.
Select the appropriate vSwitch from the dropdown list. The vSwitch must be connected to all
the virtual machines whose network traffic is to be inspected and must also be connected to
the host’s physical NIC that connects to the physical switch, which in turn connects to the
TippingPoint IPS.
7. Enter the inbound and outbound VLAN IDs.
Recall that the outbound VLAN carries uninspected traffic and the inbound VLAN carries
inspected traffic from the IPS back to the virtual machines. Be sure you assign the VLANs to
match those defined in the physical switch, and to match the flow of traffic into the Side A and
Side B of the TippingPoint IPS.
The inbound and outbound VLAN IDs must be different from each other.
CAUTION: Each vController redirector must have a unique pair of VLAN IDs.
That is, no two vControllers can redirect traffic onto the same VLAN. To avoid the
possibility of a routing loop or a packet storm, be sure to use a different set of
VLANs for each vController/VMware host.
8. Choose to deny or allow network traffic by checking or unchecking the Fail Open check box.
The purpose of the Fail Open check box is to allow or deny network traffic if the tunnel
between the virtual machine and the IPS is not functioning. The setting depends on the risk
profile of those who are responsible to secure network traffic. When checked, the vController
will allow network traffic to flow if the tunnel is in a failed state. When unchecked, the
vController will deny network traffic if the tunnel is in a failed state.
9. Click OK.
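The VLAN rules in the steps above (two different IDs per vController, no VLAN shared between vControllers, one IPS translation rule per vController) plus the Fail Open choice can be checked against a deployment plan before any cables are connected. The Python script below is an added example, not part of the TippingPoint guide or product, that validates a constructed plan and emits the translation rule text in the Side A/Side B form described in the VLAN translation section. It assumes the outbound VLAN maps to IPS Side A and the inbound VLAN to Side B, and the host names and VLAN IDs are made up.

```python
"""Pre-deployment check of a vController VLAN plan (added example, not TippingPoint code).

Encodes the constraints the guide states for each vController:
  - an outbound VLAN (vController -> IPS, uninspected traffic) and an
    inbound VLAN (IPS -> vController, inspected traffic) that differ;
  - no VLAN ID shared with another vController (loop / packet-storm risk);
  - one IPS VLAN translation rule per vController, auto-reverse enabled.
Assumption: outbound VLAN maps to IPS Side A, inbound to Side B.
"""
from dataclasses import dataclass

VLAN_MIN, VLAN_MAX = 1, 4094  # usable 802.1Q VLAN ID range


@dataclass(frozen=True)
class VControllerPlan:
    host: str           # ESX/ESXi host the vController is deployed to
    outbound_vlan: int  # vController -> IPS (uninspected)
    inbound_vlan: int   # IPS -> vController (inspected)
    fail_open: bool     # True: traffic flows uninspected if the tunnel fails


def validate_plan(plans):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    owners = {}  # VLAN ID -> host that already claimed it
    for p in plans:
        for label, vid in (("outbound", p.outbound_vlan), ("inbound", p.inbound_vlan)):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                problems.append(f"{p.host}: {label} VLAN {vid} is outside the 802.1Q range")
        if p.outbound_vlan == p.inbound_vlan:
            problems.append(f"{p.host}: inbound and outbound VLAN IDs must differ "
                            f"(both are {p.outbound_vlan})")
        for vid in {p.outbound_vlan, p.inbound_vlan}:  # set: no double report on equal IDs
            if vid in owners:
                problems.append(f"{p.host}: VLAN {vid} is already used by {owners[vid]} "
                                f"(routing loop / packet storm risk)")
            else:
                owners[vid] = p.host
    return problems


def ips_translation_rules(plans):
    """One VLAN translation rule per vController, in the form the guide describes."""
    return [f"Side A:{p.outbound_vlan} to Side B:{p.inbound_vlan}, auto-reverse enabled"
            for p in plans]


def fail_open_hosts(plans):
    """Hosts whose VM traffic will bypass inspection while the tunnel to the IPS is down."""
    return [p.host for p in plans if p.fail_open]


# Constructed sample: esx-02 reuses esx-01's inbound VLAN, esx-03 uses one ID for both.
SAMPLE_PLAN = [
    VControllerPlan("esx-01", outbound_vlan=101, inbound_vlan=102, fail_open=False),
    VControllerPlan("esx-02", outbound_vlan=103, inbound_vlan=102, fail_open=True),
    VControllerPlan("esx-03", outbound_vlan=105, inbound_vlan=105, fail_open=False),
]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(line)
    print("\n".join(ips_translation_rules(SAMPLE_PLAN)))
    print("fail-open hosts:", fail_open_hosts(SAMPLE_PLAN))
```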
VMware requires that all virtual machines running on a host system be powered off before the host can
enter Maintenance Mode. Follow your company policies for handling virtual machine maintenance.
Depending on your policy you may be required to migrate the virtual machines onto another ESX/ESXi
host or you may be required to shutdown the virtual machine guest operating system and then power
off the virtual machine.
Field: Description
Tags to add to vControllers: Tags are user-defined identifiers of virtual machines and their properties.
The tags are used in rules and policies, typically to group like devices and to trigger inspection
actions. In this field, define tags that you plan to refer to in your vController rules and policies.
Management vSwitch: Select the VMware virtual switch through which communications between the
VMC and the vController will take place.
Management VLAN: If communications between the VMC and the vController pass through a VLAN,
designate the VLAN ID here. If the communications do not pass through a VLAN, accept the default
value of 0 (zero).
vController VM Name: The vController solution deploys a virtual machine onto each host whose virtual
machines will be protected. Enter the desired name of the virtual machine here.
Management IP: Enter the IP address you want allocated to the virtual machine. The IP address must
enable communications from the virtual machine to the VMC. Before assigning the IP address, verify
that it is not already assigned to another host or virtual machine.
Caution: Mistakenly entering the VMware host IP address here will cause an IP address conflict and
disrupt communications between the VMC and the host to which the vController is being deployed.
Management Gateway: Enter the gateway through which the VMC and vController will communicate.
Datastore (free): Choose the virtual machine datastore on which the vController software components
will be placed. Note that because the vController operates at the VMware host kernel level, migration
of a vController to another host is unsupported. For this reason it is best practice to place the
vController on local storage, as a precautionary measure against unintentional migration during a
host outage/failover.
8. Select Next to view the summary of choices you made in the vController deployment wizard.
9. Select Finish to deploy the vController.
Deployment of the vController can take up to several minutes, depending on how many hosts
the vController is being deployed to and the amount of time it takes to reboot each
host.
Status indicators are available at the bottom of the VMC Client console, in the VMware
vCenter Recent Task list, in the VMware vCenter host hierarchy, and in the VMC Client
console Logical Topology view.
The following shows the status indicator located at the bottom of the VMC Client console.
The following shows the vCenter host hierarchy after the vController has been deployed.
Notice the new virtual machine, named vController-10.100.0.209.
The following shows the Topology->Logical view in the VMC Client console. Notice the
additional services connected to the newly deployed vController virtual machine.
10. The vController deployment wizard powers on the new vController virtual machine and
moves the VMware host out of Maintenance Mode. Any virtual machines that were powered
off or migrated to other hosts prior to deployment of the vController can now be migrated
back to the host and powered on.
• For each host upon which the vController has been deployed, view the status indicator located next to
the hostname/IP address shown in the Physical Redirectors console. The console is located by
clicking the Administration tab in the VMC, then choosing Redirectors from the left-side menu list.
The following table shows the status indicators and their meaning for the tunnel’s operational state.
Status: Meaning
Unknown Status: Communication between the VMC and the vController is not occurring as expected.
Verify the network between the two entities is functioning and that the VMC and vController virtual
machines are powered on and running.
Fail Close: While communication between the VMC, vController, and vController redirectors is
operating as expected, communication between the vController and the physical-switch VLAN (and on
to the IPS) is not occurring as expected.
Fail Open: While communication between the VMC, vController, and vController redirectors is
occurring as expected, communication between the vController and the physical-switch VLAN (and on
to the IPS) is not occurring as expected.
Exception: The vController may be in a state of reconfiguration, the vController redirector is
configured incorrectly (e.g. the configuration refers to a non-existent virtual switch), or the VMC
Server is experiencing problems.
CAUTION: In order to connect a virtual machine to the vController, the virtual machine
must be suspended. When suspended, all processing and all communications to and
from the virtual machine are disrupted.
The VMC displays a logical network topology of the discovered virtual machines, virtual
NICs, and networks.
3. Choose the virtual machine to which you want to connect the vController by right-clicking on
the virtual machine’s image, then choosing from the drop-down menu, vController->Install
on VM(s)....
To simultaneously connect multiple virtual machines to the vController, click each virtual
machine while holding down the CTRL key, then right-click on one image to bring up the
drop-down menu.
4. The VMC launches the vController Protection Wizard. Click Next to begin.
Field: Description
Tags to add to vControllers: Tags are user-defined identifiers of virtual machines and their properties.
The tags are used in rules and policies, typically to group like devices and to trigger inspection
actions. In this field, define tags that you plan to refer to in your vController rules and policies.
6. Select Next to view the summary of choices you made in the vController deployment wizard.
7. Select Finish to deploy the vController.
Connection of virtual machines to the vController can take up to several minutes, depending
on how many virtual machines are being connected and the amount of time it takes to
suspend and power on the virtual machines.
The following shows the list of tasks that appear in the VMware vCenter console.
A policy consists of one or more rules, each of which is similar to a conventional firewall rule. A rule
defines a set of criteria, one or more actions to take when the criteria are met, and one or more devices
to which the rule is applied. The following table shows examples of each of these rule components:
Criteria                                  Action                               Devices
All traffic going out of port 80          Redirect to IPS                      All virtual NICs in host 192.168.29.11
All FTP traffic (inbound and outbound)    Redirect to IPS and log              All virtual NICs in hosts that are located in the DMZ
All Windows Remote Desktop Protocol       Redirect to IPS                      All virtual NICs in hosts that are running the
traffic (inbound and outbound)                                                 Windows Terminal Server service.
SSH traffic                               Allow (i.e. do not redirect to IPS)  All virtual NICs in hosts that are located behind the DMZ
3. Choose Yes to install the default policies.
4. The vController Workspace dialog box opens. The default zone and policies information
appears on the left side of the dialog box. Click on the All zone and the list of policies
assigned to that zone appears. Notice that the list of all policies, regardless of whether or not
Create a New Redirection Policy
Perform the following steps to create a new, single-rule policy.
1. On the lower left of the dialog box, select the Policies tab.
4. Select Add from the right-hand side of the policy tab area to create a new rule.
5. Enter the required rule information. A rule is comprised of four categories of information:
Action, Direction, Source/Destination, and Protocol. Define each of these categories, referring
to the category descriptions in the following table:
Category: Description
Action: The action to be performed if the rule criteria are met. The valid options are to redirect
traffic to the IPS so it is inspected, allow traffic to pass without redirection, and log the event.
Direction: Monitor for network traffic that is outbound, inbound, or both.
Source/Destination: Enter for the source and for the destination an IP address, resolvable hostname,
or VQL criteria that will dynamically locate hosts based on the criteria.
Protocol: Enter the Ethernet protocol, the IP protocol (TCP, UDP, or ICMP), and the source/destination
services (examples: HTTP, RDP, NFS, SNMP).
3. Name the zone.
4. Create the zone specification using an IP address, hostname, or VQL criteria used to
dynamically locate hosts based on the criteria.
5. Click OK to save the zone.
4. Select one or more zones from the list.
5. Click OK to save the assignment.
CAUTION: To save all the changes made in the vController Workspace, including the
policy, the rule, the zone, and the zone-to-policy assignment, you must click Save at the
bottom-right of the vController Workspace dialog box.
VQL queries run against user-defined tags created within the VMC and also against hundreds of properties
maintained by VMware itself.
For example, user-defined tags can be used to categorize virtual machines by physical location, logical
location, or purpose. A tag might be assigned to all virtual machines operating in the Chicago data
center, or operating within a network’s DMZ, or operating for the purpose of servicing internet-based
order inquiries.
The configuration of a policy rule and of a zone allows use of VQL statements to filter the entire
population of vController-secured devices. The VMC also supports running VQL queries as stand-
alone commands. Perform the following steps to run a VQL query:
The VQL Editor opens on the lower half of the VMC Client console.
4. Enter a VQL query in the upper portion of the editor, then click the green arrow to execute the
query command.
The query results are displayed in the lower half of the editor.