7.11. VM Firewall

VM Firewall is a service that controls communication among Virtual Machines.

7.11.1. Available Features

You can use the following features with VM Firewall.

Feature      Overview
VM Firewall  A feature that controls communication among targeted Virtual Machines.

7.11.2. VM Firewall

This feature specifies rules (firewall rules) for controlling IP packets. It can allow or deny the passage of IP packets that match the filter conditions.
You can specify the following conditions for one control rule (firewall rule).

Item                     Overview
Action Type              Specifies whether to “Allow” or “Deny” the passage of IP packets that match the conditions set by the following items.
Direction                Specifies whether the rule applies to IP packets sent from the targeted Virtual Machine (“Outgoing”) or to IP packets arriving at it (“Incoming”).
Frame Type               Specifies “IP,” “ARP,” or “Other.”
Protocol                 For IP packets, specifies the protocol: “ICMP,” “TCP,” or “UDP.”
Source IP Address        Specifies the source IP address of IP packets by IP address and subnet mask. You can specify multiple IP addresses or IP address ranges.
Source Port Number       Specifies the source port number of IP packets.
Destination IP Address   Specifies the destination IP address of IP packets by IP address and subnet mask. You can specify multiple IP addresses or IP address ranges.
Destination Port Number  Specifies the destination port number of IP packets.

Important

  • Some rules must be set to “Allow” in VM Firewall. Refer to the VM Firewall parameter sheet.
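As an added illustration (not code from the Enterprise Cloud documentation or from the product itself), the following Python models the rule fields in the table above and evaluates constructed packets against a small rule list; ordered first-match evaluation, default-deny and the sample rules are assumptions of this example, since the documentation does not state how rules are ordered.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    direction: str                  # "Incoming" or "Outgoing", relative to the Virtual Machine
    frame: str                      # "IP", "ARP" or "Other"
    protocol: Optional[str] = None  # "ICMP", "TCP" or "UDP" for IP frames
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "Allow" or "Deny"
    direction: str
    frame: str
    protocol: Optional[str] = None  # None matches any protocol
    src_nets: List[str] = field(default_factory=list)  # CIDR strings (address and mask); empty = any
    dst_nets: List[str] = field(default_factory=list)
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.frame) != (p.direction, p.frame):
            return False
        for want, have in ((self.protocol, p.protocol), (self.src_port, p.src_port),
                           (self.dst_port, p.dst_port)):
            if want is not None and want != have:
                return False
        # Empty network list = any address; otherwise the address must be inside one of the networks.
        for addr, nets in ((p.src_ip, self.src_nets), (p.dst_ip, self.dst_nets)):
            if nets and not (addr and any(ip_address(addr) in ip_network(n) for n in nets)):
                return False
        return True

def evaluate(rules: List[Rule], p: Packet, default: str = "Deny") -> str:
    """First matching rule wins; no match gives the default (both are assumptions of this example)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed sample policy: ARP allowed, inbound SSH denied, inbound HTTPS only from two ranges.
SAMPLE_RULES = [Rule("Allow", "Incoming", "ARP"), Rule("Allow", "Outgoing", "ARP"),
                Rule("Deny", "Incoming", "IP", "TCP", dst_port=22),
                Rule("Allow", "Incoming", "IP", "TCP", ["10.0.0.0/8", "192.168.1.0/24"], dst_port=443),
                Rule("Allow", "Outgoing", "IP")]
```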

7.11.3. Important Points

Virtual Machine System Requirements
The system requirements (number of vCPUs, memory capacity, disk capacity and OS) for operating the VM Firewall agent software are shown below.

Item             Overview
Memory Capacity  512 MB or greater
Disk Capacity    1 GB or greater
OS               The OSs listed in “Supported OS List of VM Anti-Virus, VM Virtual Patch, and VM Firewall” among the OSs available in Enterprise Cloud

Important

  • When using Linux, confirm the kernel version.
  • Set IPv6 to ON or OFF correctly on the Guest OS when using VM Firewall.
Agent Software Installation
To use VM Firewall, upload and install the agent software on the Virtual Machine. For details, refer to the agent software installation guide.

Important

  • You cannot use VM Firewall together with any anti-virus software other than VM Anti-Virus. Before installing the VM Firewall agent software, always uninstall other virus protection software.
  • Do not upload the agent to the VMs by mounting ISO image files or CD/DVD drives.
  • The virtual server on which the agent software is installed must synchronize its time using NTP or a similar method. If the time is not synchronized, activation of the agent software may fail.
  • Port 4118 is used as the listening port for the agent software. This port number cannot be changed, so make sure that no other application on the virtual server where the agent software is installed uses the same port.
  • The network interface stops while the agent software is installed and takes a few seconds to recover. When DHCP is in use, a new request is generated, so a different IP address may be assigned to the recovered connection. See the following Web site for details.

Note

  • We ask that you install the agent software on the Virtual Machine.
  • You must log in to the target host as the administrator to install the agent software.
Agent Software Default Install Location
The agent software default install location differs depending on the Virtual Machine OS.

OS                        Default Install Location
Windows                   C:\Program Files\Trend Micro\Deep Security Agent
Red Hat Enterprise Linux  System files: /opt/ds_agent, /var/opt/ds_agent
                          Startup scripts: /etc/init.d/ds_agent, /etc/init.d/ds_filter
                          Communication channel between user-mode and kernel-mode components: /dev/dsa, /dev/dsa_ssl, /proc/driver/dsa

Note

  • You can change the install location. The install location might also change with agent software version updates, etc.
Communication with the Manager Administered by NTT Communications
The Virtual Machine that uses VM Firewall must be able to communicate with the Manager administered by NTT Communications.
Configure the routing and DNS name resolution settings as described below.
Routing Settings
  • Set the routing from the Virtual Machine to the vFirewall/Integrated Network Appliance using either of the following methods.
    • Set the Virtual Machine default gateway to the vFirewall/Integrated Network Appliance
    • Set the vFirewall/Integrated Network Appliance as the static route gateway for communication addressed to the Manager administered by NTT Communications
  • If the Virtual Machine that uses VM Firewall is connected to a Server Segment that is not directly connected to the vFirewall/Integrated Network Appliance, an additional Server Segment is required to directly connect the vFirewall/Integrated Network Appliance and the Virtual Machine.
DNS Name Resolution
To communicate with the Manager administered by NTT Communications, name resolution for the Manager is required. Use the DNS server inside your environment or the Virtual Machine hosts file to set up name resolution for the Manager administered by NTT Communications.
Restrictions
  • The rule names for VM Firewall are set automatically. You cannot change them.

  • The following traffic is blocked regardless of the mode setting.
    • TCP connections exceeding 100,000
    • UDP connections exceeding 100,000
    • Unusual traffic that does not conform to an RFC or is suspected to be malformed:
      • No IP header
      • Source IP and destination IP are the same
      • Characters that are not permitted in a URI
      • More than 100 “/” characters
      • Use of “../../” to go above the root
    Blocking may also result from a shortage of compute resources.
  • We ask you to take responsibility for monitoring the agent software (checking that it is activated at all times).

  • If you use a Private Catalog to create and store a template of the Virtual Machine image, do so before installing the VM Firewall agent software.
    If a template is created and saved from the image of a Virtual Machine on which the VM Firewall agent software has been installed, or on which installation and activation (registration to the Manager administered by NTT Communications) is complete, then once a Virtual Machine is created from that template, VM Firewall can no longer be used on either the Virtual Machine used to create the template or the newly built Virtual Machine. The same applies to image backups.
  • VM Firewall does not guarantee that the provided VM Firewall feature has integrity or accuracy, or is suitable for your use.

  • The following information might be provided to the developers or distributors of the devices making up the VM Firewall feature.

    • Configuration information obtained from providing VM Firewall
    • Configuration information obtained from controlling VM Firewall
  • We cannot guarantee recovery from failures that might occur due to incompatibility between the VM Firewall feature and your environment, or failures that occur due to your operations other than those specified by NTT Communications.

  • The customer’s environment may at times be affected by maintenance work. Advance notice will be sent when the customer’s environment may be affected. This does not apply when we judge the maintenance work to be urgent in order to continue the service.

  • Note for Enterprise Cloud 2.0 Host-based Security users: if you have an inquiry about that menu, please use the ticket system in Enterprise Cloud 2.0.
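The conditions under “the following traffic is blocked regardless of the mode setting” in the restrictions above, as an added example (not code from the documentation or from the product): Python checks that flag a request URI or packet header under those conditions, run over constructed sample inputs. The RFC 3986 character set and the segment-walking traversal check are this example's interpretation of “characters not permitted in a URI” and “../../ above the root”.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Characters RFC 3986 permits in a URI (unreserved, reserved and the percent sign for escapes).
URI_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

def escapes_root(uri: str) -> bool:
    """True if the path's '..' segments would climb above the root directory."""
    depth = 0
    for seg in unquote(urlsplit(uri).path).split("/"):
        if seg == "..":
            if depth == 0:      # nothing left to pop: this '..' goes above the root
                return True
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return False

def uri_anomalies(uri: str, max_slashes: int = 100) -> List[str]:
    """Reasons a request URI would fall under the always-blocked traffic conditions."""
    reasons = []
    if not URI_ALLOWED.match(uri):
        reasons.append("character not permitted in a URI")
    if uri.count("/") > max_slashes:
        reasons.append("more than %d '/' characters" % max_slashes)
    if escapes_root(uri):
        reasons.append("'../' traversal above the root")
    return reasons

def packet_anomalies(src_ip: Optional[str], dst_ip: Optional[str], has_ip_header: bool = True) -> List[str]:
    """Header-level conditions from the same list; without an IP header the addresses are meaningless."""
    if not has_ip_header:
        return ["no IP header"]
    return ["source and destination IP are the same"] if src_ip == dst_ip else []

# Constructed sample request URIs, as a web server access log might show them.
SAMPLE_URIS = ["/index.html", "/cgi-bin/../../etc/passwd", "/search?q=a b", "/" * 101]

def flagged(uris: List[str]) -> List[str]:
    """Return only the URIs that trigger at least one blocking condition."""
    return [u for u in uris if uri_anomalies(u)]
```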