vmware

Allwyn
0

Zscaler — IPv6 Issues On Virtual Machines Failed to Block CNN

Recently deployed the zscaler client onto my LAB windows 10 VM running on the VMWare ESXi platform. 

I wanted to play around and test features like URL blocking, SSL decryption, and so on. 

As a test, I decided to block the news and media category, would generally block CNN, BBC, and the NYT, and so on. 

I made the policies, the app profile config, and ran the tests, while most sites in the category were blocked and decrypted by ZS, CNN would never get blocked nor would it be decrypted.

This made no sense as BBC and NYT were perfectly responding to the policies.

My first thoughts were that CNN is probably only using ipv6 and so then I enabled prioritizing ipv4 in the app profile, however, it still would not have any effect. And by now I saw that ndtv, an Indian news website was also not responding to the policies.

Finally, I opened a TAC case, once the engineer evaluated the config and everything looked correct, we decided to disable the ipv6 on the VM network adapter from RUN > ncpa.cpl on the windows 10 VM machine, and then immediately CNN and ndtv too behaved as required with SSL decryption working and the URLs blocked.

Allwyn
, , ,
0

Understanding VMNETs in VMWARE Workstation

If you are going to learn cybersecurity then the first thing you realize is how you don’t really understand anything till you do it. Good job to whoever came up with;

I hear, and I forget

I see, and I remember

I do, and I understand.

— not Confucius

And since most of us don’t have data centers lying around at home, the amazing power of virtualization is all we have.

Initially setting these up gets messy because a lot of “network” guys go almost their entire lives never done anything related to servers as they are not the “server” guy. Well, after a few CBT Nugget videos this thing becomes very straightforward.

Now I will stop rambling and get to the point.

Every VMnet Is Like A Network/Subnet

If you look at my setup below.

VMnet settings on my vmware setup
my setup

This means VMnet1 is a network in the range 10.128.1.0/24. Think of it like a switch and the gateway is your own machine which has a VMnet1 adapter with the IP 10.128.1.1/24.

Quick explanation of the highlighted parts:

  • I use VMnet1 as management network or OOB network.
  • Host only – means it doesn’t deal with your host’s IP addresses in anyway and is totally a separate network.
  • Connect a host virtual adapted to this network option creates a vmnet1 adapter on the host machine, which is your PC and the address can be anything in the subnet range but by default is .1, like mine is 10.128.1.1/24. This is like a cable from your machine to the vmnet1 switch and now your machine can access everything connected to this vmnet1.
goto run -> type: ncpa.cpl

  • DHCP – I disable it as most devices just pick up a random IP then it’s difficult to find, just better assign them manually.
  • Subnet – For the love of your God, plan your subnets and IP ranges well, or else you will just stop doing labs when you keep forgetting what IP is where, like happened to me for the first 2 years. 

A NAT VMnet For Internet Access

This is maybe just my setup. I did it this way for the CBT Nuggets F5 labs.

  • The only difference is this is a NAT adapter and not host only, so it will NAT the 10.128.10.0/24 range with your host’s IP address and so anything assigned this adapter can go to the internet through 10.128.10.2
  • Notice the gateway next-hop you have to point to is 10.128.10.2 as .1 is assigned to the vmnet2 adapter on your own host PC.
  • I use this this as my external vlan, where the virtual servers live in f5 labs and also to give a default route to the f5 to the internet through 10.128.10.2.
  • You can use it to give internet access to a firewall too, but remember to NAT your internet inside zone LAN to 10.128.10.2 first as that will be a separate private IP address space.
  • This also puts a vmnet2 adapter on your host machine as explained, which is what lets you connect to the virtual servers if you use this as an external vlan.

One Completely Isolated VMnet

this one’s all by himself

This VMnet cannot be accessed directly from your host machine as it does not “connect a host virtual adapter”. You can only reach him or it to you via a routing device like a firewall or f5.

This is perfect to simulate an inside network in firewall labs and for the internal vlan in f5 labs where you put the back end nodes/servers.