Setup guide

Figure 12. vShield Endpoint Installed on an ESX Host
[Figure not reproduced. Callouts: a third-party service virtual appliance deployed on each host to provide endpoint services; the vShield Endpoint hypervisor module deployed on each host.]
vShield Data Security
vShield Data Security provides visibility into sensitive data stored within your organization's virtualized
and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that
sensitive data is adequately protected and assess compliance with regulations around the world.
Deployment Scenarios
Using vShield, you can build secure zones for a variety of virtual machine deployments. You can isolate
virtual machines based on specific applications, network segmentation, or custom compliance factors. Once
you determine your zoning policies, you can deploy vShield to enforce access rules to each of these zones.
Protecting the DMZ
The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services
within the DMZ might require access to services inside the internal network.
You can place DMZ virtual machines in a port group and secure that port group with a vShield Edge.
vShield Edge provides access services such as firewall, NAT, and VPN, as well as load balancing to secure
DMZ services.
A common example of a DMZ service requiring an internal service is Microsoft Exchange. Microsoft
Outlook Web Access (OWA) commonly resides in the DMZ cluster, while the Microsoft Exchange back end
is in the internal cluster. On the internal cluster, you can create firewall rules to allow only Exchange-
related requests from the DMZ, identifying specific source-to-destination parameters. From the DMZ
cluster, you can create rules to allow outside access to the DMZ only to specific destinations using HTTP,
FTP, or SMTP.
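The two rule sets just described (internal cluster: admit only Exchange-related traffic from a specific DMZ source to a specific internal destination; DMZ cluster: admit outside traffic only to specific destinations over HTTP, FTP or SMTP) can be modelled as a small first-match rule evaluator. The block below is an added illustration for this page, not vShield Edge's API or rule format: the zone addresses, host roles and the Exchange back-end port list are constructed assumptions, and the well-known ports 80, 21 and 25 stand in for the HTTP, FTP and SMTP services the text names.

```python
# Added illustration of the DMZ / internal-cluster zoning policy described
# above. A first-match rule evaluator written for this page; it is NOT vShield's
# API or configuration format, and all addresses, host roles and the Exchange
# back-end port list are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed zone layout (assumption; not taken from the guide).
INTERNET = "0.0.0.0/0"
DMZ_NET = "10.10.0.0/24"
INTERNAL_NET = "10.20.0.0/24"
OWA_HOST = "10.10.0.5/32"           # Outlook Web Access, DMZ cluster
SMTP_RELAY = "10.10.0.6/32"         # mail relay, DMZ cluster
FTP_HOST = "10.10.0.7/32"           # FTP service, DMZ cluster
EXCHANGE_BACKEND = "10.20.0.10/32"  # Exchange back end, internal cluster
# Ports OWA needs on the back end: placeholder list, NOT a real Exchange port map.
EXCHANGE_BACKEND_PORTS = [443]

# Internal cluster: admit only the Exchange-related traffic from the DMZ, keyed on
# a specific source-to-destination pair, then block everything else from the DMZ.
INTERNAL_RULES: List[Rule] = [
    Rule("owa-to-exchange", OWA_HOST, EXCHANGE_BACKEND, "tcp", p, "allow")
    for p in EXCHANGE_BACKEND_PORTS
] + [
    Rule("block-dmz-to-internal", DMZ_NET, INTERNAL_NET, "any", None, "deny"),
]

# DMZ cluster: outside access only to specific destinations over HTTP, FTP, SMTP.
DMZ_RULES: List[Rule] = [
    Rule("inet-http-to-owa", INTERNET, OWA_HOST, "tcp", 80, "allow"),
    Rule("inet-ftp-to-ftp", INTERNET, FTP_HOST, "tcp", 21, "allow"),
    Rule("inet-smtp-to-relay", INTERNET, SMTP_RELAY, "tcp", 25, "allow"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow falls inside the rule's source, destination, protocol and port."""
    if ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample flows: one permitted and one refused per zone.
    checks = [
        ("internal", INTERNAL_RULES, Flow("10.10.0.5", "10.20.0.10", "tcp", 443)),
        ("internal", INTERNAL_RULES, Flow("10.10.0.7", "10.20.0.10", "tcp", 443)),
        ("dmz", DMZ_RULES, Flow("203.0.113.9", "10.10.0.5", "tcp", 80)),
        ("dmz", DMZ_RULES, Flow("203.0.113.9", "10.10.0.5", "tcp", 22)),
    ]
    for zone, rules, flow in checks:
        action, why = evaluate(rules, flow)
        print(f"{zone:8} {flow.src_ip}->{flow.dst_ip}:{flow.dport}/{flow.proto} -> {action} ({why})")
```

The point worth checking in any real rule set is the fall-through: "allow only Exchange-related requests from the DMZ" holds only because the unmatched case ends in a deny, either the explicit DMZ-to-internal block or the default. Evaluating a handful of representative flows against the rule set, as above, is a cheap way to confirm that before the policy is pushed to the cluster.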
vShield Installation and Upgrade Guide
10 VMware, Inc.