5.8
vCloud Suite Architecture Overview and Use Cases
- For efficiency, private virtual machine Ethernet networks, or virtual networks, can be configured. With virtual networks, a host-based firewall is installed on a virtual machine at the head of the virtual network. This serves as a protective buffer between the physical network adapter and the remaining virtual machines in the virtual network.
- Installing a host-based firewall on virtual machines at the head of virtual networks is a good security practice. However, because host-based firewalls can slow performance, balance security needs against performance before deciding to install host-based firewalls on virtual machines elsewhere in the virtual network.
- Keep different virtual machine zones within a host on different network segments. If virtual machine zones are isolated on their own network segments, the risk of data leakage from one virtual machine zone to the next is minimized. Segmentation prevents various threats, including Address Resolution Protocol (ARP) spoofing, in which an attacker manipulates the ARP table to remap MAC and IP addresses, thereby gaining access to network traffic to and from a host. Attackers use ARP spoofing to mount man-in-the-middle attacks and DoS attacks, hijack the target system, and otherwise disrupt the virtual network.
- Planning segmentation carefully lowers the chances of packet transmissions between virtual machine zones, which prevents sniffing attacks that require sending network traffic to the victim. Also, an attacker cannot use an insecure service in one virtual machine zone to access other virtual machine zones in the host. Segmentation can be implemented by using either of two approaches, each of which has different benefits.
  - Use separate physical network adapters for virtual machine zones so that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method and is less prone to misconfiguration after the initial segment creation.
  - Set up virtual local area networks (VLANs) to help safeguard the network. Because VLANs provide almost all of the security benefits inherent in implementing physically separate networks without the hardware overhead, they offer a viable solution that can save the cost of deploying and maintaining additional devices, cabling, and so forth.
This level of security can be implemented in different ways. VLANs are an IEEE standard networking scheme with specific tagging methods that allow routing of packets to only those ports that are part of the VLAN. When properly configured, VLANs provide a dependable means to protect a set of virtual machines from accidental or malicious intrusions.

VLANs let you segment a physical network so that two machines in the network are unable to transmit packets back and forth unless they are part of the same VLAN. For example, accounting records and transactions are among a company's most sensitive internal information. In a company whose sales, shipping, and accounting employees all use virtual machines in the same physical network, you might protect the virtual machines for the accounting department by setting up VLANs.
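As an added example (not VMware's code and not part of this guide), the following Python check models both segmentation approaches described above over a hand-constructed host inventory: a zone that relies on a dedicated physical adapter must not share that uplink with any other zone, and a zone that relies on VLANs must sit on a tagged VLAN that no other zone uses. The port group names, VLAN IDs, vmnic names and zone assignments are hypothetical and are not read from vCenter.

```python
"""Check that virtual machine zones on a host are isolated either by a dedicated
physical adapter or by a VLAN that no other zone uses. All inventory data below is
constructed for the example (hypothetical names and IDs), not read from vCenter."""
from collections import defaultdict

# Constructed inventory: port group -> (VLAN ID, physical uplinks). VLAN 0 = untagged.
PORT_GROUPS = {
    "pg-accounting": (0, {"vmnic2"}),      # accounting zone gets its own adapter
    "pg-sales": (120, {"vmnic0"}),
    "pg-shipping": (120, {"vmnic0"}),      # misconfigured: same VLAN as sales
    "pg-lab": (0, {"vmnic2"}),             # untagged, and on accounting's adapter
    "pg-dmz": (200, {"vmnic0", "vmnic1"}),
}
# Constructed zone assignment: VM -> (zone, port group)
VMS = {
    "acct-01": ("accounting", "pg-accounting"),
    "sales-01": ("sales", "pg-sales"),
    "ship-01": ("shipping", "pg-shipping"),
    "lab-01": ("lab", "pg-lab"),
    "dmz-01": ("dmz", "pg-dmz"),
}
# Zones using the separate-physical-adapter approach; every other zone relies on VLANs.
PHYSICAL_ZONES = {"accounting"}

def zone_isolation_findings(vms, port_groups, physical_zones):
    """Return human-readable findings; an empty list means every zone is isolated."""
    vlan_zones = defaultdict(set)    # VLAN ID -> zones carried on it (VLAN approach only)
    uplink_zones = defaultdict(set)  # vmnic -> zones whose port groups use it
    zone_uplinks = defaultdict(set)  # zone -> vmnics it uses
    findings = []
    for zone, pg in vms.values():
        vlan, uplinks = port_groups[pg]
        for nic in uplinks:
            uplink_zones[nic].add(zone)
            zone_uplinks[zone].add(nic)
        if zone in physical_zones:
            continue                 # isolation comes from the adapter, not the tag
        if vlan == 0:
            findings.append(f"{pg} ({zone}): untagged, traffic rides the native VLAN")
        else:
            vlan_zones[vlan].add(zone)
    for vlan, zones in sorted(vlan_zones.items()):
        if len(zones) > 1:           # two zones on one VLAN can reach each other
            findings.append(f"VLAN {vlan} shared by zones: {', '.join(sorted(zones))}")
    for zone in sorted(physical_zones):
        for nic in sorted(zone_uplinks[zone]):
            others = uplink_zones[nic] - {zone}
            if others:               # the "dedicated" adapter is not dedicated
                findings.append(f"{zone}: dedicated uplink {nic} also used by {', '.join(sorted(others))}")
    return findings

if __name__ == "__main__":
    for line in zone_isolation_findings(VMS, PORT_GROUPS, PHYSICAL_ZONES):
        print(line)
```

Run against the sample inventory it reports the shared VLAN, the untagged lab port group and the lab VMs riding on accounting's dedicated adapter; once those are corrected it returns an empty list.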
Chapter 3 Deploying vCloud Suite
VMware, Inc. 35