
Virtual Network Security and vShield Edge


Vishal Patel, Dhanvanthari Ilangovan, Dakshinamurthy Karra
Department of Computer Networks, Ryerson University
{vishal.patel, dilangov, dkarra}@ryerson.ca

Abstract: Virtualization has become a buzzword in the IT infrastructure industry since the inception of players like Xen and VMware. There is also a great push towards cloud computing in order to reduce capex and opex in the IT industry. Though the idea of cloud computing is gaining momentum, there is still a huge gap in addressing the security issues of virtualized environments. This paper explores the relevance of the vShield Edge firewall from VMware in a virtualized data center environment.

Index Terms: VMware, vShield Edge, Security, Penetration testing

I. INTRODUCTION

As organizations across the world leverage the power of cloud computing to gain flexibility and agility and to reduce the cost of operations, the traditional approach of using physical infrastructure to protect the virtual infrastructure and cloud environment may not work efficiently, for several reasons. Heavy reliance on hardware-based point solutions for firewalls, VPNs and load balancers is one of them. A distributed approach to rules and policies results not only in limited visibility but also weakens control over organizational policies. Using security tools that are not virtualized and change-aware can impact performance and limit the ability to control security policy. VMware has been a leading player in server virtualization on x86 platforms. In a bid to virtualize security devices like firewalls, they have developed a new product range called vShield. It is a suite of products including vShield App, vShield Endpoint and vShield Edge; this paper mainly focuses on vShield Edge, which is a virtualized perimeter firewall. vShield Edge helps in provisioning edge security services like firewall and VPN using existing resources, which essentially eliminates the need for additional physical resources. It can provide advantages like consolidation of edge security, performance and availability, and help in maintaining IT compliance for organizations. vShield Edge can be used to enforce security policies between virtual machines spanning different physical machines. It also provides stateful inspection of the packets passing through the physical NICs. The paper explores the functionality and performance feasibility of vShield Edge in a vSphere environment.

II. TEST SETUP

Our test environment consists of two different test setups, one for functionality testing and the other for performance testing.

Functionality test setup: The functionality test setup consisted of the BackTrack Linux distribution, a Linux distribution modified for penetration testing of enterprise environments; it comes with tools such as scanners, keyloggers and enumeration tools built in. The machine under test is a Windows 2003 server with IIS configured; this machine is a web server providing web access to external clients, and it is placed in the DMZ. The penetration test box has two NICs, one in the DMZ port group and the other in the outside port group. At any point in time only one of the NICs is active.

Performance setup: For performance testing we use two instances of Ixia Chariot. One instance lies inside the DMZ with the same configuration as the Windows 2003 server; this Ixia instance is treated as the destination. The second Ixia instance lies in the outside zone and is treated as the source machine for the traffic. Ixia Chariot is capable of generating different types of data traffic. The source machine is moved into or out of the firewall by changing its port group: it has two NICs, one on each port group, with only one enabled at a time.

III. FUNCTIONALITY TESTING

vShield Edge was tested for the ability of the product to defend the virtual data center against attacks. During functionality testing the firewall rules were configured to allow only HTTP and HTTPS traffic from the outside interface to the protected web server in the DMZ. The BackTrack Linux distribution was used as the penetration testing machine. The main phases of functionality testing are described below; each phase was carried out with and without the firewall.

Fig. 1: IP scan outside the firewall

Foot-printing: Foot-printing is the process of collecting relevant information before an attacker initiates an attack on a system. During this phase the attacker usually collects all possible information about the system to be taken down. Most of the information collected in this stage is non-technical; it is then put together to ascertain the general organization of the company.

Scanning: Scanning was carried out in two phases.

IP scanning: During IP scanning it is necessary to check for live machines in the network, so a simple ping sweep was done using Nmap. When the attacker outside the network scanned it, only the translated addresses were visible, not the LAN IP addresses. When the internal addresses are masked by the firewall it is not easy for the attacker to exploit a machine using these WAN IP addresses, whereas when the scan was done without the firewall the attacker could view the entire IP addressing scheme of the network.

Port scanning: During the port scan the attacker outside the firewall can see only the HTTP and HTTPS ports and no others. There are not many attacks that could possibly be carried out through these ports; unless the attacker knows the kind of applications running on the host machine, the target cannot be exploited successfully. When the port scan was carried out without the firewall, a few additional ports specific to Windows machines were open.

Enumeration and exploit: Now that the attacker is prevented from learning the actual IP address and the ports that could be exploited, the chances of the web server being compromised were mitigated, but the exploits carried out in the absence of the Edge firewall proved to be disastrous. The attacker was able to successfully obtain shell access to the target machine as an administrator. The following figure shows the shell access obtained by the attacker.

Fig. 2: Shell access without firewall
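A toy model of the DMZ policy used in the functionality test, added here as an illustration and not part of the original paper or of vShield Edge itself: it evaluates the allow-only-HTTP/HTTPS rule set with an implicit deny, shows which listening ports an outside probe would see with and without the edge in the path, and flags sources whose denied probes span many distinct ports, which is what a defender would look for in the edge's logs. The addresses, the listening-port set and the deny-log record format are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed addresses for this example, not the paper's lab addressing.
WAN_IP = "203.0.113.10"    # translated (public) address the outside zone can reach
DMZ_WEB = "172.16.10.20"   # real LAN address of the IIS host behind the edge
DNAT = {WAN_IP: DMZ_WEB}   # published address -> protected host

# Ports listening on the web server (constructed; the paper only says a few
# Windows-specific ports were exposed when the firewall was absent).
LISTENING = {80: "tcp", 443: "tcp", 135: "tcp", 139: "tcp", 445: "tcp", 3389: "tcp"}

# First-match policy from the functionality test: outside -> DMZ web, HTTP/HTTPS only.
RULES = [("allow", "outside", "tcp", 80), ("allow", "outside", "tcp", 443)]

Packet = namedtuple("Packet", "src_zone src_ip dst_ip proto dst_port")

def evaluate(pkt):
    """Edge decision for a packet: 'allow' or 'deny' (implicit deny at the end)."""
    if pkt.src_zone == "outside" and pkt.dst_ip not in DNAT:
        return "deny"          # LAN addresses are never reachable from outside
    for action, zone, proto, port in RULES:
        if (pkt.src_zone, pkt.proto, pkt.dst_port) == (zone, proto, port):
            return action
    return "deny"

def port_scan(firewall_enabled, src_ip, probe_ports):
    """Model the outside port scan from the test. Returns (ports seen open, deny log),
    where the deny log is a list of (src_ip, dst_port) records the edge would keep."""
    seen, deny_log = [], []
    for port in probe_ports:
        proto = LISTENING.get(port)
        if not firewall_enabled:          # probe reaches the host directly
            if proto:
                seen.append(port)
            continue
        pkt = Packet("outside", src_ip, WAN_IP, proto or "tcp", port)
        if evaluate(pkt) == "allow":
            if proto:
                seen.append(port)         # allowed and listening: visible
        else:
            deny_log.append((src_ip, port))
    return seen, deny_log

def sweep_sources(deny_log, threshold=10):
    """Detection: sources whose denied probes touched at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for src, port in deny_log:
        ports[src].add(port)
    return sorted(s for s, p in ports.items() if len(p) >= threshold)
```

With the policy in place only ports 80 and 443 remain visible from outside, and the same probe leaves a deny trail that `sweep_sources` turns into a detection.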

IV. PERFORMANCE TESTING

Performance testing stresses the performance parameters of vShield Edge, such as throughput and response time, under varied traffic conditions. In this phase the Edge firewall was subjected to intense traffic analysis. The throughput of different types of traffic with and without vShield Edge was studied. The performance of the firewall when subjected to a DoS attack was also studied, with and without firewall rules. The performance testing gives us a measure of the overhead involved in virtualizing the firewall. The throughput analysis of the setup was done with two aspects in consideration.

Network layer throughput analysis: In the network layer analysis two generic data streams, TCP and UDP datagrams, are transmitted over the network and their effect on the network is studied. The following table summarizes the observations made from the performance tests. The source constantly generates 10 megabytes of uncompressed traffic. It is evident from the table that the throughput is greatly reduced when there is a firewall between the outside and inside interfaces. The average throughput of TCP and UDP traffic is reduced by 69% when the firewall is deployed. The peak TCP throughput is decreased by 87% and the peak UDP throughput is decreased by 65%. This throughput overhead is due to filtering by the firewall rules; considering the level of security needed in a data center environment this overhead is inevitable and has to be incurred in any data center.

TABLE I: Network layer analysis

                   TCP Avg (Mbps)   TCP Max (Mbps)   UDP Avg (Mbps)   UDP Max (Mbps)
With Firewall                 110              200               60               62
Without Firewall              158              230               87               95

DoS attack analysis: A denial of service attack is the simplest but still damaging attack possible on any network. The firewall's response when under denial of service was tested and the findings are discussed below. The test is carried out with 80 pairs of endpoints, each carrying 10 MB of data on each record. The test was conducted on three types of setup and was allowed to run for 1 min. It is clear from the figures below that the minimum throughput when there is no firewall is close to 30.6 Mbps, whereas the minimum throughput is just below 41 Mbps with the firewall. This shows that though vShield Edge does not completely eliminate DoS, it does mitigate the effect of DoS to a small extent.

Fig. 3: Throughput w/o firewall when under DoS attack

Fig. 4: Throughput with firewall when under DoS attack

Application layer analysis: When it comes to application level performance testing the results are better than in the network level testing. There is very little throughput overhead with the firewall compared to without; in fact the overhead is nearly absent if we look at the average performance of both HTTP and HTTPS traffic, though there is a small difference of 0.8 Mbps in the maximum throughput of the HTTP traffic. Considering the average throughput it can be observed that the overhead is nearly zero. The table below shows the average and maximum throughput for HTTP and HTTPS traffic.

TABLE II: Application layer analysis

                   HTTP Avg (Mbps)   HTTP Max (Mbps)   HTTPS Avg (Mbps)   HTTPS Max (Mbps)
With Firewall                  4.5               5.8                0.3                0.5
Without Firewall               4.9               6.6                0.3                0.5

V. OTHER RELATED PRODUCTS

There are many products that offer one kind or another of virtual firewall solution, although none of them is as flexible or scalable as the VMware vShield product family. The following table lists some such products.

TABLE III

Who           What                          How
Cisco         Nexus 1000v                   Virtual switch - not a FW
IBM           Security Virtual Protection   Virtual security
Vyatta        Vyatta Network OS             Virtual FW, VPN, IPS+
Trend Micro   Server Security               Virtual security

VI. CONCLUSION

vShield Manager provides an easy-to-use interface to configure vShield Edge features like NAT rules, DHCP pools, firewall rules, VPN configuration, etc. All these features play an important role in a physical network setup; vShield Edge provides access to them in the virtual network as well, as we saw in the functionality testing, and with efficiency comparable to the physical setup, as we saw in the performance testing. vShield product. But as shown by our studies, it is not enough just to set up a firewall; we also need other security implementations like IDS, IPS, access restriction and proactive security policies in place in order to provide maximum security to the network under study.
