Introduction to XTMv WatchGuard Training.

Presentation transcript:

Introduction to XTMv WatchGuard Training

Table of Contents
- Virtualization and Network Security
- XTMv Overview
- Use Cases
- VMware Deployment
- XTMv Deployment
- Resources

Virtualization and Network Security

Computing Evolution: from Physical to Virtual … To Logical To Virtual
1. Virtualization has become a major technology in the last decade, but it is not a new idea at all. Every stage in the evolution of computing has been defined by some level of virtualization, of abstracting logical resources from their physical containers in order to deliver power and flexibility. The first step was when programmers moved past writing monolithic programs that included not only their application logic but also all of the functions that control the hardware…
2. …and took all of those functions out into a common package called an operating system, where they could write their I/O and control functions once, then reuse them no matter what application they were using – accounting, human resources, database…
3. …and then, extending the operating system so it could run more than one application at a time. This evolution happened in the 1960s with mainframes, in the 70s and 80s with minicomputers and workstations, and in the 90s with personal computers. But the most radical advance came from abstracting the computer hardware itself…

…to Virtualized
…from virtualization. A new kind of operating system, the hypervisor, was developed – essentially an operating system for running other operating systems. By creating abstract, or virtual hardware, the hypervisor can convince multiple operating systems that they each have their own dedicated server, securely isolated from the others.

Everything You Know About Network Security…
1) Everything on one system is in the same security domain
The big driver for security concerns is that things just work differently on virtualized platforms, and you cannot rely on some of the assumptions about how the laws of physics provide security. In a pure physical server installation, you can rely on the fact that one server equals one OS equals one pool of users and one security domain, even if multiple applications run on the system.

Everything You Know About Network Security…
2) Traffic crosses over wires and can be examined in motion
And protecting the network can be done by putting a hardware device in the middle of the wires. When all traffic passes through a physical network, devices can be added to inspect traffic and enforce security policies.

…Is Wrong.
But in a virtualized environment, you cannot rely on either of these assumptions. Virtual machines that run on the same device can serve different applications, different users… at a service provider, they can even belong to different companies. And each company wants to make sure its data is protected from the others. In a virtualized environment, network traffic doesn’t necessarily pass over a physical network. Packets can flow from virtual machine to virtual machine over host-only virtual networks, completely in memory… and no wires means there is no way to put a red box in between.

Virtual Infrastructure
- Virtual infrastructure separates the physical hardware from the software
- CPU, memory, storage, and network resources are allocated to each VM
- Each virtual machine behaves as if it has dedicated hardware
(Diagram label: Network Security)

XTMv Overview

What is XTMv?
- XTMv is a WatchGuard XTM device that runs as a VM within a virtual infrastructure.
- The initial deployment process is different from other XTM devices.
- Almost everything else is the same:
  - Fireware XTM OS
  - WatchGuard management tools (WSM, Web UI, and CLI)
  - Configuration file format

XTMv Differences
Fireware XTM features not supported on XTMv:
- FireCluster
- Hardware diagnostics (the CLI diagnose hardware command)
- Ability to automatically save a support snapshot to a connected USB drive
No front panel buttons to start the device in safe mode or recovery mode (Use the CLI command restore factory-default to start the device with factory default settings)
With XTMv, we cannot assume the hardware is known
The network administrator must allocate resources to the XTMv virtual machine.
- Storage (XTMv requires ~ 3 GB disk space)
- Virtual processors (CPUs)
- Memory
- Network adapters for each interface

XTMv Editions and Licensing
- WatchGuard sells four XTMv editions
- Each edition has different recommended resource requirements
- Each edition has different feature key limits

Product | CPU (Min rec) | Memory (Min rec) | Feature Key Limits
Small Office Edition | 1 Core | 1 GB | 200 Mbps throughput, 50 VPN Tunnels, 30K Connections, 10 Interfaces
Medium Office Edition | 2 Cores | 2 GB | 2.5 Gbps throughput, 600 VPN Tunnels, 350K Connections
Large Office Edition | 4 Cores | 4 GB | 5 Gbps throughput, 6K VPN Tunnels, 1M Connections
Datacenter Edition | 8 or more Cores | 4 GB or more | Unlimited throughput, 10K VPN Tunnels, 2.5M Connections

Use Cases

Use Cases
Business Use Cases
- IT pre-production testing
- Multi-tenancy
- Colocation
- Office in a Box
Networking Use Cases
- Isolated network
- VM gateway
- Exposed

Business Use Case: IT Pre-Production Testing
- Create a virtual duplicate of a production environment on an ESXi host:
  - Networks
  - Servers
  - Applications
- Test any upgrades or changes in the virtual environment first, before you make a change in the production environment

Business Use Case: Multi-Tenancy
Use XTMv to protect networks that belong to different organizations

Business Use Case: Colocation
Use XTMv to protect the “internal edge” between users or applications
(Diagram labels: Finance, Engineering)

Business Use Case: Office in a Box
- A server can host VMs and virtual networks for all the servers needed to run a business office.
  - Email servers
  - Web servers
  - Network application servers
- Use XTMv to protect workloads/servers located on a single server

Networking Use Case: Isolated Virtual Network
Deploy XTMv within virtual networks that do not connect to any physical interface on the ESXi host.
(Diagram label: ESXi Host)

Networking Use Case: Isolated Network
Deploy XTMv within a virtual network with the firewall between one or more virtual networks and a physical interface on the ESXi host.
(Diagram labels: Physical Network Interface, ESXi Host)

Networking Use Case: Exposed Network
Deploy XTMv between virtual networks that connect to different physical network interfaces on the ESXi host.
(Diagram labels: Physical Network Interface, ESXi Host, Physical Network Interface)

VMware

VMware Hypervisor
- A hypervisor is a virtual machine manager (VMM).
- The hypervisor allows multiple virtual machines to run concurrently on a host computer.
- Each VM runs its own guest OS and applications.
- Examples of hypervisors:
  - VMware ESX
  - VMware ESXi
  - Microsoft Hyper-V Server
  - Citrix XenServer
- XTMv initially supports one hypervisor — VMware ESXi 4.1 or 5.0
- XTMv does not support vMotion for virtual machine migration between ESXi hosts.

VMware Software
vSphere is a VMware suite of software for virtualization. Some of the main components of vSphere are:
- ESXi host — the virtualization platform, or hypervisor that hosts virtual machines
  - ESXi is installed on bare server hardware
  - ESXi 4.1 or 5.0 is required for XTMv
- vCenter Server — An optional management server that provides centralized administration of multiple ESXi hosts and their virtual machines.
  - vCenter Server is not required for XTMv
- vSphere Client – a Windows client that is the primary management interface used to deploy, manage, and monitor virtual machines on ESXi hosts.
  - vSphere Client is required for XTMv deployment

vSphere Client
- The vSphere Client can connect to an ESXi host or to a vCenter Server.
- This is similar to the way WSM can connect to an individual XTM device or to a WatchGuard Management Server.
- XTMv setup steps assume the vSphere Client connects to an ESXi host.
(Diagram label: VMware vCenter Server)

XTMv Deployment

vSphere Client Installation
The XTMv customer should already have an ESXi host and the vSphere Client installed.
To install the vSphere client:
1. In a web browser, connect to the VMware ESXi server.
2. Download and install the vSphere Client.

vSphere Client
To connect to the VMware ESXi host:
1. Launch the VMware vSphere Client.
2. Type the IP address, User name, and Password for the ESXi host.

XTMv Installation Prerequisites
To prepare for the XTMv installation, make sure you have these things:
- VMware ESXi 4.1 or 5.0 host
- 3 GB of available disk space — required for each XTMv virtual machine
- Two virtual networks — to map to the XTMv external and trusted interfaces
- VMware vSphere 4.1 or 5.0 client installed on a Windows computer
- XTMv device serial number
- WatchGuard XTMv virtual appliance file
  - File name: xtmv_<version>.ova, where <version> is the Fireware XTM OS version. (For example, xtmv_11_5_4.ova)

Installation Overview
Installation consists of three main procedures:
1. In the VMware vSphere client, deploy the XTMv virtual appliance to the ESXi host; then power on the XTMv virtual machine.
2. Connect to the Web UI and use the Fireware XTM Web Setup Wizard to set up a basic configuration.
3. Allocate additional resources to the XTMv virtual machine.
This training and the XTMv Setup Guide describe how to use the Web Setup Wizard to create the initial configuration. You can also use the Quick Setup Wizard in WatchGuard System Manager, if you can connect to the trusted network of the XTMv device.

Deploy the XTMv Virtual Appliance
1. Launch the vSphere Client, and log in to the ESXi host with administrator credentials.
2. Select File > Deploy OVF Template.
3. Browse to the location of the WatchGuard XTMv OVF template file, xtmv_<version>.ova.

Deploy XTMv – OVF Details
- Verify the product and version on the OVF Template Details page.
- The left side of the dialog box shows the deployment steps, and which step you are on.

Deploy XTMv – Name the VM
- Review and accept the EULA.
- Type a name for the virtual machine — the name identifies this virtual machine in the inventory on the ESXi host. It is not the same as the device name in the Fireware XTM configuration.

Deploy XTMv – Resource Pool
- Select a resource pool (if the ESXi host has multiple resource pools).
- This determines where the virtual machine appears in the hierarchy of virtual machines on the ESXi host.

Deploy XTMv – Disk Format
Select Thick provisioned format. (This is the default.)

Deploy XTMv – Network Mapping
- Select the destination network for Network 0 (Eth 0: External).
- Select the destination network for Network 1 (Eth1: Trusted).
- Available networks appear in a drop-down list.
- Just like other XTM devices, the XTMv Trusted interface has a default IP address of 10.0.1.1. Make sure that Network 1 is a network on the 10.0.1.0 subnet.

Deploy XTMv – Verify and Finish
- Review the deployment settings, and click Finish.
- The deployment begins.
- Deployment can take a few minutes.
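
A pre-deployment check of the prerequisites, edition minimums and network mapping described in these slides, as an added Python example that is not part of the WatchGuard training material. The plan dictionary layout, the network names, the /24 mask on the trusted network and the version pattern in the file name are assumptions made for illustration.

```python
import ipaddress
import re

# Limits taken from the slides; the plan dict layout is a hypothetical schema.
SUPPORTED_ESXI = {"4.1", "5.0"}
MIN_DISK_GB = 3
TRUSTED_DEFAULT_IP = ipaddress.ip_address("10.0.1.1")
# Assumes <version> is underscore-separated digits, as in xtmv_11_5_4.ova.
OVA_NAME = re.compile(r"^xtmv_\d+(?:_\d+)*\.ova$")
# Edition -> (minimum recommended cores, minimum recommended memory in GB)
EDITION_MIN = {"Small Office": (1, 1), "Medium Office": (2, 2),
               "Large Office": (4, 4), "Datacenter": (8, 4)}


def check_plan(plan):
    """Return a list of problems found in one XTMv deployment plan."""
    problems = []
    if plan["esxi_version"] not in SUPPORTED_ESXI:
        problems.append("esxi_version: XTMv requires ESXi 4.1 or 5.0")
    if plan["free_disk_gb"] < MIN_DISK_GB:
        problems.append("free_disk_gb: 3 GB is required per XTMv VM")
    if not OVA_NAME.match(plan["ova_file"]):
        problems.append("ova_file: expected xtmv_<version>.ova")
    if not plan.get("serial_number"):
        problems.append("serial_number: needed for online activation")
    minimum = EDITION_MIN.get(plan["edition"])
    if minimum is None:
        problems.append("edition: unknown XTMv edition")
    else:
        if plan["cpu_cores"] < minimum[0]:
            problems.append("cpu_cores: below the edition minimum")
        if plan["memory_gb"] < minimum[1]:
            problems.append("memory_gb: below the edition minimum")
    nets = plan["network_map"]
    ext, trusted = nets.get("Network 0"), nets.get("Network 1")
    if ext is None or trusted is None:
        problems.append("network_map: Network 0 and Network 1 must both be mapped")
        return problems
    # One shared virtual network would leave nothing for the firewall to separate.
    if ext["name"] == trusted["name"]:
        problems.append("network_map: External and Trusted share one virtual network")
    try:
        subnet = ipaddress.ip_network(trusted["cidr"])
    except ValueError:
        problems.append("network_map: Network 1 CIDR is not a valid network")
    else:
        if TRUSTED_DEFAULT_IP not in subnet:
            problems.append("network_map: Network 1 does not contain 10.0.1.1")
    return problems


# Constructed sample plans (not from the slides).
GOOD_PLAN = {
    "esxi_version": "5.0", "free_disk_gb": 40, "ova_file": "xtmv_11_5_4.ova",
    "serial_number": "SERIAL-PLACEHOLDER", "edition": "Medium Office",
    "cpu_cores": 2, "memory_gb": 2,
    "network_map": {"Network 0": {"name": "vnet-external", "cidr": "203.0.113.0/24"},
                    "Network 1": {"name": "vnet-trusted", "cidr": "10.0.1.0/24"}},
}
BAD_PLAN = dict(GOOD_PLAN, esxi_version="5.5", cpu_cores=1, network_map={
    "Network 0": {"name": "vnet-shared", "cidr": "192.168.10.0/24"},
    "Network 1": {"name": "vnet-shared", "cidr": "192.168.10.0/24"}})

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "ok")
```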

XTMv After Deployment
- The XTMv virtual machine appears in the Inventory tree.
- The virtual machine is initially powered off.
- Click Power On to start it.
(Callout: Click to power on XTMv)

XTMv After Power On
- After you power on the device, you can see the IP addresses.
- The External IP address is assigned by a DHCP server (if there is one).
- Use the Eth0 interface IP address to connect to the XTMv device with the Web UI to run the Web Setup Wizard.
(Callouts: Click to see all IP addresses. Eth 0: External. Eth 1: Trusted.)

XTMv Factory Default Settings
When you power on the XTMv virtual machine for the first time, it starts with factory default settings.
- The XTMv device has two active interfaces, external, and trusted.
- The external interface is configured to receive an IP address via DHCP.
- The trusted interface has the IP address 10.0.1.1.
- The account passphrases are admin/readwrite, and status/readonly.
Differences in factory default settings for XTMv:
- The trusted interface does not assign IP addresses via DHCP.
- Both the trusted and external interfaces accept management connections.
- The serial number for an unactivated XTMv device ends with “000000000”.
To reset an XTMv to factory default settings:
- Use the CLI command restore factory-default.

Run the Web Setup Wizard
- Connect to the Web UI: https://<external IP address>:8080
- Log in with the default admin password: readwrite.
- The Web Setup Wizard is the same as for any other XTM device.
- For XTMv, you can connect to the external interface to run the Web Setup Wizard.

Web Setup Wizard
- Accept the EULA.
- Configure the external interface (DHCP, PPPoE, or Static).
- Configure DNS and WINS servers.
- Configure the trusted interface.
  - Before you run the wizard, the DHCP server is disabled on the trusted interface.
  - In the wizard, the DHCP check box is selected by default. You might not want to enable this, if the trusted network already has a DHCP server.

Web Setup Wizard
- Create passphrases.
- Add contact information.
  - Default device name is “XTMv”. It is a good practice to change this to the name you gave the XTMv virtual machine when you deployed it.
- Set the time zone.
- There is no step to enable remote management – it is enabled by default.

Web Setup Wizard – Activation
- For XTMv you must type the Serial Number to use Online Activation. This is different than for other XTM devices.
- Activation options in the Web Setup Wizard are the same as for any XTM device.
  - Online activation
  - Paste feature key
  - Skip activation
- If you do not complete online activation or paste a feature key, the XTMv device uses the default serial number, that ends with “000000000”.
- A serial number that ends in nine zeros indicates that the XTMv is not activated.

Manage XTMv
- WSM
- Web UI
- CLI
To open a CLI console window, click Open Console on the Summary tab for this VM in the vSphere client.

Some VMware Terminology
In the VMware world, these terms all have different meanings:
- Virtual appliance – the “virtual device image” you deploy (the .ova file).
- Virtual machine – the XTMv machine after you deploy it.
- Virtual device – virtual hardware device, such as a network

VMware Resources - Public
- VMware product support: http://www.vmware.com/support/product-support/vsphere/index.html
- VMware vSphere 5 Documentation: http://pubs.vmware.com/vsphere-50/index.jsp
- ESXi and vSphere 4 documentation: http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp
- ESXi Networking: http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/topic/com.vmware.vsphere.esxi_server_config.doc_41/esx_server_config/c_networking.html
- VMware vSphere Glossary: http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.intro.doc_40/master_glossary.html
- Glossary of Virtualization Terms: http://communities.vmware.com/docs/DOC-6277

WatchGuard XTMv Resources
- XTMv Setup Guide
  - Available at www.watchguard.com/help/documentation
- Fireware XTM Student Guide and other Fireware XTM training courseware
  - Available on the WatchGuard Portal > My Training tab