By: Michael Haines (Senior Cloud Security Architect)
Originally posted in the VMware vCloud Blog on 11/21/2011
In the first blog of this series, I introduced a "Network and Security System Administrator" at the company "Example Systems", a hypothetical scenario to help best describe how to use the vShield API.
Example Systems intends to use the vShield REST API to rapidly provision security and to turn its Tier-1 applications into a business offering to multiple organizations. In the second blog in this series, we discussed how the Network and Security System Administrator used automation tools with vShield App for scalability through the REST APIs, and in this installment the Network and Security System Administrator is ready to use the RESTClient Firefox extension to test the RESTful Web services using the vShield API.
Introducing the RESTClient Firefox Extension
In this example, the Network and Security System Administrator is now going to use the RESTClient Firefox extension to test the RESTful Web services using the vShield API. This extension is available from https://addons.mozilla.org/en-US/firefox/addon/restclient/.
The RESTClient supports all HTTP methods defined in RFC 2616 (HTTP/1.1). As the Network and Security System Administrator you will also construct custom HTTP requests (a custom method with a resource URI and HTTP request body) to test requests directly against the vShield Manager.
When you first start the RESTClient you will be presented with the following UI. This lab will show you the basics of how to use the RESTClient.
Adding a HIGH Precedence Firewall Rule - STEP 1 (Basic)
Get the current vShield App firewall configuration.
- VERB GET (1)
- REST API request (2)
- Add Request Header (3)
- Add Request Header (4)
- Press Send (5)
- Check Request Response (6)
The following code represents the script vShield-App-Firewall-Add.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Adding a HIGH Precedence Firewall Rule - STEP 2 (Basic)
Add the request body containing the vShield App firewall configuration.
- VERB POST (1)
- REST API request (2)
- Add Request Header (3)
- Requested Headers Added (4)
- Press Send (5)
- Check Request Response (6)
Adding a HIGH Precedence Firewall Rule (Advanced)
Based on an example of your corporate security policy, you are now going to add a high precedence firewall rule. As the Network and Security System Administrator, remember that vShield App is a hierarchical firewall and you can configure the firewall rules at the Datacenter (DC), Cluster and Portgroup level. When you apply the firewall rules they are applied to all three levels, and the rule set on the vShield App appliance looks like the following:
Datacenter High
Cluster
Portgroup/Network/DvPG
Datacenter Low
Datacenter Default
As the Network and Security System Administrator you have decided, based on the organization's security policy, that you want to allow HTTP in the organization's Datacenter (DC), but still to be able to override this for a specific Cluster or Portgroup without actually modifying the DC rules. Here you can:
- Add a Datacenter (DC) Low precedence HTTP ALLOW rule
- Now if a Portgroup or Cluster wants to override this, then as the Network and Security System Administrator you can add an HTTP deny rule, which will deny HTTP in that particular Cluster or Portgroup, but not for others in the organization.
- Similarly, if you as the Network and Security System Administrator want to deny something and do not want this to be overruled, you can add a High precedence rule, which no one can override. Note: The Precedence feature is ONLY available at the Datacenter (DC) level.
The Network and Security System Administrator is now going to add a High precedence rule for ANY->Cluster TCP 80 Allow. In this example you will use the REST Client for Firefox as in the above example.
Note: There are three important things that you as the Network and Security System Administrator must be aware of before you can add a firewall rule:
- The VERB is a POST (1)
- The action is a save (2)
- The If-Match (3) header should contain the value of the ETag header from the response of the GET request.
- The vShield App rule that will be added should have a ruleId of '0' (4).
- The vShield App precedence IDs should match those in the response of the GET request (5).
Getting only the HIGH Precedence Rules from the vShield App Firewall Configuration (Basic)
To get the HIGH Layer 3 precedence vShield App firewall rules, run the following command: vShield-App-Firewall-Rules-Layer3-HIGH.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Getting only the HIGH Precedence Rules from the vShield App Firewall Configuration (Advanced)
In this example, the Network and Security System Administrator wants to get only the HIGH precedence rules from the vShield App Firewall Configuration for the context datacenter-2. To do this you issue the following request as in the above example (1).
Please note the REST Request Method (2) and precedence level (3).
Getting only the LOW Precedence Rules from the vShield App Firewall Configuration (Basic)
To get the LOW Layer 3 precedence vShield App firewall rules, run the following command: vShield-App-Firewall-Rules-Layer3-LOW.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Getting only the LOW Precedence Rules from the vShield App Firewall Configuration (Advanced)
In this example, the Network and Security System Administrator wants to get only the LOW precedence rules from the vShield App Firewall Configuration for the context datacenter-2. To do this you issue the following request as in the above example (1). As you can see, the Network and Security System Administrator has not added any LOW precedence rules, so the request response is NULL.
Please note the REST Request Method (2).
Deleting All the Rules from the vShield App Firewall Configuration (Basic)
To delete all the vShield App firewall rules, run the following command: vShield-App-Firewall-Delete.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Deleting All the Rules from the vShield App Firewall Configuration (Advanced)
In this final step, as the Network and Security System Administrator you have decided to delete all the firewall rules from the Datacenter (DC) other than the default rules. In this example, you want to delete all the rules from the vShield App Firewall Configuration for the context datacenter-2. To do this you will issue the following request as in the above example (1).
Please note the REST Request Method (2).
Also, note the Response Code in (3). This is NOT an error state. It is correct: the server has fulfilled the request but does not need to return an entity body. In fact, a 204 response MUST NOT include a message body, and is therefore always terminated by the first empty line after the header fields.
Note: If the default rules have been modified, they will be reset to their default values.
This workflow is at the Datacenter level, but you can follow a similar workflow for Cluster and Portgroup. Recall that a Cluster or Portgroup does not contain any default rules.
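The GET/ETag, POST/If-Match and ruleId 0 workflow from the note on adding a rule, and the 204 response from the delete step, as an added example that is not part of the original post or of VMware's tooling: a small Python client run against an in-memory stand-in for vShield Manager so it works offline. The URI path, the ?action=save query and the XML element names are assumptions; only the ETag, If-Match, ruleId 0 and 204 behaviour follow the post.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumed URI layout and save action (placeholders, not taken from the post).
CONFIG_PATH = "/api/2.0/app/firewall/{ctx}/config"


class FakeVsm:
    """Offline stand-in for vShield Manager that enforces ETag / If-Match."""
    def __init__(self):
        # Constructed starting config: one default rule, no HIGH rules.
        self.config = ('<firewallConfiguration><rule ruleId="1001">'
                       '<precedence>default</precedence></rule></firewallConfiguration>')
        self.next_id = 1002

    def etag(self):
        return '"%s"' % hashlib.sha1(self.config.encode()).hexdigest()[:12]

    def request(self, method, path, headers=None, body=""):
        if method == "GET":
            return 200, {"ETag": self.etag()}, self.config
        if method == "POST" and path.endswith("?action=save"):
            if (headers or {}).get("If-Match") != self.etag():
                return 412, {}, "Precondition Failed"   # stale/missing ETag: config changed
            # ruleId 0 means "new rule": the server assigns the real id on save.
            self.config = body.replace('ruleId="0"', 'ruleId="%d"' % self.next_id)
            self.next_id += 1
            return 200, {"ETag": self.etag()}, self.config
        if method == "DELETE":
            self.__init__()                              # drop non-default rules, reset defaults
            return 204, {}, ""                           # 204 carries no entity body
        return 405, {}, "Method Not Allowed"


def get_config(vsm, ctx):
    """Step 1: GET the current config and keep its ETag for the later If-Match."""
    status, hdrs, body = vsm.request("GET", CONFIG_PATH.format(ctx=ctx))
    return status, hdrs.get("ETag"), body


def add_high_rule(vsm, ctx, etag, body, port=80):
    """Step 2: append a HIGH precedence rule with ruleId 0 and POST it with If-Match."""
    root = ET.fromstring(body)
    rule = ET.SubElement(root, "rule", ruleId="0")
    ET.SubElement(rule, "precedence").text = "high"
    ET.SubElement(rule, "destinationPort").text = str(port)   # assumed element name
    hdrs = {"If-Match": etag, "Content-Type": "application/xml"}
    return vsm.request("POST", CONFIG_PATH.format(ctx=ctx) + "?action=save",
                       hdrs, ET.tostring(root, encoding="unicode"))


def delete_all_rules(vsm, ctx):  # Final step: DELETE non-default rules, expect 204 and no body
    return vsm.request("DELETE", CONFIG_PATH.format(ctx=ctx))
```

Re-sending a save with the ETag captured before an earlier change is refused with 412, which is the point of the If-Match header: a second administrator's edit cannot silently overwrite yours.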
Special thanks to Kaushal Bansal, Sr MTS at VMware for all his help and support. In my next blog, I'll show how the Network and Security System Administrator can begin to work with the vShield Edge REST API. For future updates about this series, be sure to follow @vCloud and @VMwareSP on Twitter.