Appendix B: Security
Network Access Security
vCloud Networking and Security Edge VPN functionality allows the creation of site-to-site tunnels using IPsec. It supports NAT traversal (NAT-T) so that IPsec can be used through network address translation (NAT) devices.
Table 20. Network Access Security Use Cases
Category | Description
Multi-site vCloud deployment | The vCloud Networking and Security VPN can connect multiple vCloud deployments. For example, an organization’s virtual datacenter at a public vCloud provider can be securely connected to the organization’s internal private vCloud, or virtual datacenters hosted at a vCloud service provider in Europe can be connected to a vCloud service in Asia. Note: Because vCloud Networking and Security also provides address translation, multiple organization virtual datacenters can be deployed at different providers using the same RFC 1918 address space, as long as unique subnets are used.
Single-site vCloud deployment | vCloud Networking and Security VPNs can be created between different organizations in the same vCloud Director instance, or between different networks within the same organization. In this use case, the site-to-site VPN secures sensitive traffic between networks over shared infrastructure.
Remote site to vCloud VPN | A permanent secure connection from a router- or firewall-based VPN device at a remote site (for example, Cisco or Juniper devices) to a vCloud environment using the vCloud Networking and Security Edge. Because the vCloud Networking and Security VPN is a standard IPsec implementation, a wide range of commercial or open source devices can be used at the remote site.
Client to cloud VPN | Client software is generally not used with IPsec VPNs (as the VPN is typically a permanent network-to-network tunnel), although clients with static IP addresses that implement pre-shared key authentication are supported.
Site-to-site IPsec VPN configuration is available to organization administrators directly from the vCloud Director web console. VPN functionality is implemented through integration with vCloud Networking and Security Edge, which provides per-tenant Layer 3 network security and routing. It currently supports pre-shared key mode, IP unicast traffic, and NAT traversal (NAT-T), with no dynamic routing protocols between the vCloud Networking and Security Edge and its peers. Multiple subnets behind each remote VPN endpoint can be configured to connect to the network behind a vCloud Networking and Security Edge device over IPsec tunnels. These networks must have non-overlapping address ranges.

When configuring a site-to-site VPN between different organization virtual datacenter networks in a vCloud environment (either across different vCloud environments or within an organization), much of the configuration complexity is abstracted from the vCloud consumer. After the appropriate networks are selected, both ends of the VPN tunnel are configured automatically, providing compatibility between the Edge peers. In comparison, configuring remote devices to connect to a vCloud Networking and Security Edge-based VPN requires an understanding of IPsec and of the supported policies to successfully establish an encrypted tunnel.
The IKE Phase 1 parameters used by the vCloud Networking and Security Edge VPN are:
*Main Mode.
*Pre-Shared Key Authentication Mode.
*3DES or AES128 encryption.
*SHA1 authentication.
*MODP group 2 (1024 bits).
*SA lifetime of 28800 seconds (eight hours).
*Disable ISAKMP aggressive mode.
Additional parameters for IKE Phase 2:
*Quick Mode.
*Diffie-Hellman Group 2/5 (1024 bit/1536 bit, respectively).
*PFS (Perfect Forward Secrecy).
*ESP Tunnel Mode.
*SA lifetime of 3600 seconds (one hour).
vCloud Networking and Security Edge VPN proposes a policy that requires 3DES or AES128 (configurable, although AES is recommended), SHA1, PSK, and DH Group 2/5.
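As an added example (not from this document or from VMware), the following strongSwan ipsec.conf entry configures an open-source remote endpoint to match the Edge Phase 1 and Phase 2 policy listed above; the connection name, addresses, subnets and pre-shared key are placeholders.

```ini
# Added example, not from this document: strongSwan ipsec.conf for a remote
# open-source endpoint matching the Edge IKE Phase 1 / Phase 2 policy above.
# All addresses, subnets and the secret are placeholders.
config setup
    uniqueids=yes

conn vcloud-edge
    # Phase 1: Main Mode, pre-shared key, AES128/SHA1/MODP group 2,
    # 28800 s lifetime, aggressive mode disabled. Trailing '!' makes the
    # proposal strict so nothing weaker is accepted from the peer.
    keyexchange=ikev1
    aggressive=no
    authby=secret
    ike=aes128-sha1-modp1024!
    ikelifetime=8h
    # Phase 2: Quick Mode, ESP tunnel mode, AES128/SHA1, PFS with DH group 2
    # (use modp1536 instead for group 5), 3600 s lifetime.
    esp=aes128-sha1-modp1024!
    lifetime=1h
    type=tunnel
    # Remote site: its own address, the identity the Edge expects (the public
    # address when a static one-to-one NAT sits in front of this device), and
    # the subnets behind it. Multiple subnets are allowed, comma separated.
    left=%defaultroute
    leftid=198.51.100.5
    leftsubnet=10.10.0.0/24,10.10.1.0/24
    # Edge side: the externally reachable (possibly NATed) Edge address and the
    # organization virtual datacenter network behind it; the address ranges on
    # the two sides must not overlap.
    right=203.0.113.10
    rightsubnet=192.168.10.0/24
    # Permanent network-to-network tunnel: bring it up without waiting for traffic.
    auto=start

# /etc/ipsec.secrets (placeholder; must match the pre-shared key set on the Edge)
# 198.51.100.5 203.0.113.10 : PSK "replace-with-a-long-random-pre-shared-key"
```

strongSwan detects NAT between the peers automatically and switches to UDP port 4500 (NAT-T) when needed, which is why both UDP 500 and 4500 must be reachable.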
To allow IPsec VPN traffic, the following protocols and ports must be opened on any firewalls between the two endpoints:
*IP protocol 50 (ESP).
*IP protocol 51 (AH).
*UDP port 500 (IKE).
*UDP port 4500 (IKE NAT-T).
The external IP address for the vCloud Networking and Security Edge device must be accessible to the remote endpoint, either directly or using NAT. In a NAT deployment, the external address of the vCloud Networking and Security Edge must be translated into a publicly accessible address. Remote VPN endpoints then use this public address to access the vCloud Networking and Security Edge.
The remote VPN endpoints can also be located behind a NAT device, although on both ends a static one-to-one NAT is required for the external IP address.
As VPNs are used to provide secure access to an organization’s remote networks, consumers should be aware of any security implications. A best practice for VPN configuration is to filter and restrict VPN traffic to only destinations that are absolutely necessary. vCloud Director 1.5 (and later) can also apply firewall rules to VPN traffic, whereas filtering was previously restricted to the remote end of a VPN tunnel only.
The vCloud Director IPsec VPN supports a maximum of 10 sites per vCloud Networking and Security Edge device.
Figure 49. Site-to-Site VPN connectivity
The following features are not currently supported in the vCloud Networking and Security Edge VPN implementation:
*Remote endpoints with dynamic IP addresses.
*Site-to-site VPNs at the vApp network level (available to organization virtual datacenter networks only).
*SSL VPNs. These typically support per-user tunnels, as opposed to the network-to-network tunnels of IPsec VPNs, work over HTTPS, and are often based on vendor-specific implementations.
*IPv6 support.
*Authentication types other than pre-shared keys, for example certificates.
*Fenced vApps (VPN can only be enabled on routed networks).