I just spent a couple of hours happily deploying VMware vShield Zones, less happily pouring over the manuals, and then unhappily thinking I’d wasted my time.
I think our ESX platform is fairly typical. We have multiple ESX servers, running guest VM’s for multiple customers (or departments), many of which are tagged to isolated vLans, and most of which ultimately communicate to the outside world via our firewall clusters. To achieve security in this scenario means understanding your vlans, dropping the right vNic on the right VM, and managing a typical firewall appliance (Cisco in my environment).
VMware vShield Zones have been introduced (actually bought from Blue Lane Technologies) supposedly to simplify the network security by implementing a firewall within your ESX farm. Sounds cool, right? It would be too, if it was done right.
I won’t go into the detail of how it works, and how to configure it, as you can read up on that by following the links on Rodos‘ blog.
There are loads of gotchas, and strange concepts at first, but they’re all well documented in the manual. The install process was flawless too, so what’s not to like?
- It requires a vShield agent VM per vSwitch with a physical NIC attached. That means lots of additional VM’s for us.
- It does not offer anywhere near enough reporting detail. No real time bandwidth monitors, just per hour statistics.
- It does not offer any bandwidth controls like rate limiting or QoS.
- But mostly IT DOES NOT SIMPLIFY ANYTHING.
On the contrary, as I doubt anybody will be throwing out their perimeter firewalls just yet, vShield adds a further layer to manage. Perhaps I’m missing something.