virtualsouthwest, profile picture
Uploaded byvirtualsouthwest
PDF, PPTX814 views

RHT Design for Security

The document provides tips for improving performance and security in a vSphere 4.1 environment. It discusses new features in vSphere 4.1 related to networking, storage, memory compression, and management. It then outlines best practices for securing the virtual infrastructure, including using virtual networking segmentation, hardening ESXi hosts, protecting the vCenter management environment, and securing individual virtual machines. The document recommends configuration changes, tools, and resources to improve the security of the virtualization platform.

Embed presentation

Download as PDF, PPTX
VSPHERE 4.1 PERFORMANCE & SECURITY TIPS Mike Armstrong, VCP vSphere 4
Agenda • New features in vSphere 4.1 • Security in a virtual environment • Secure virtual networking • Protecting the management environment • Protecting ESX/ESXi hosts • Protecting virtual machines
vSphere 4.1 New Features – Network – Network I/O Control, Load Based Teaming, IPv6, Performance – Storage – Storage I/O Control, vStorage APIs for Array Integration (VAAI), Performance Reporting, iSCSI Offload enhancements – Memory Compression – A New Level of Hierarchy for Overcommit – ESXi – New Deployment Methods, Tech Support Mode Enhancements – Performance improvements in Availability and Resource Management - High Availability (HA), Fault Tolerance (FT), vMotion, Distributed Resource Scheduler (DRS), and Distributed Power Management Enhancements – Management – vCenter Server & Platform Enhancements
HA and DRS Cluster Improvements Increased cluster limitations • Cluster limits are now unified for HA and DRS clusters • Increased limits for VMs/host and VMs/cluster • Cluster limits for HA and DRS: • 32 hosts/cluster • 320 VMs/host (regardless of # of hosts/cluster) • 3000 VMs/cluster • Note that these limits also apply to post-failover scenarios. Please be sure that these limits will not be violated even after the maximum configured number of host failovers.
Enhanced vCenter Scalability vSphere 4 vSphere 4.1 Ratio VMs per host 320 320 1x Hosts per cluster 32 32 1x VMs per cluster 1280 3000 3x Hosts per VC 300 1000 3x Registered VMs per VC 4500 15000 3x+ Powered-On VMs per VC 3000 10000 3x Concurrent VI Clients 30 120 4x Hosts per DC 100 500 5x VMs per DC 2500 5000 2x 5
New Active Directory Service • Provides authentication for all local services – vSphere Client – Other access based on vSphere API – Tech Support Mode (local and remote) • Has Active Directory groups functionality – Members of “ESX Admins” AD group have Administrative privilege – Administrative privilege includes: • Full Administrative role in vSphere Client and vSphere API clients • DCUI access • Tech Support Mode access (local and remote)
Security in a virtual environment What makes it different from a physical environment? – Ease and speed of server deployments – Collapse of switches and servers into one device – Virtual machine encapsulation into files – Consolidation of server hardware
Security in a virtual environment What makes it easier from a physical environment? – Virtual switches do not learn from the network, makes them invulnerable to attacks like MAC spoofing, random frame, and other types of attacks. – Virtual switches are also not vulnerable to spanning tree attacks because they do not need to support spanning tree protocol since they can’t be connected together and can’t create loops – Virtual machines do not have direct access to hardware, not susceptible to buffer overflow type attacks – Virtual machines are by design isolated from one another – Restoring a compromised virtual machine is faster since you can quickly revert to a previous state of the virtual machine, use templates or restore from a full VM backup – Availability of virtual security appliances – API’s and products specifically designed to secure a virtual environment, vShield
Secure virtual networking Physical network configurations – Create separate VLANs for all management traffic, vMotion, IP Storage, and host management – Limit VLAN’s allowed on the trunk ports to host servers – Configure physical ports connected to host servers using VMware best practices, no STP, Auto Negotiate, PortFast enabled ,multiple ports for teaming and failover Virtual network configurations – Change virtual switch and port group default settings for MAC address changes and Forged Transmits to Reject – Change the default number of ports on a virtual switch – Implement Private VLAN’s to further isolate virtual machines, (need to be supported and configured on the physical switches as well)
Secure virtual networking contd. Changing default settings for MAC address changes and Forged Transmits
Secure virtual networking contd. Changing the default number of ports on a virtual switch
Secure virtual networking contd. Private VLAN on Virtual Distributed Switch settings
Secure virtual networking contd. Private VLAN configuration on Virtual Distributed Switch settings
Secure virtual networking contd. Create Private VLAN on Virtual Distributed Switch
Secure virtual networking contd. Create Private VLAN selection on Virtual Distributed Switch
Protecting the management environment User Access Controls – Use vCenter server to centralize access rather than creating users or groups on individual hosts – Add vCenter, ESX/EXSi hosts to Active Directory, create security groups for specific management and user purposes – Use vCenter roles to assign granular permissions to groups, clone roles to create custom roles and permissions – Apply the principle of least privilege when assigning and creating roles – Create folders to assign roles to objects that require similar access Gather vCenter roles and assignments using PowerCLI – Get-vipermission –entity (get-inventory) | export-csv “c:permissions.csv”
Protecting the management environment contd. Install vSphere Management Assistant (vMA) – Virtual machine that is prepackaged with vSphere cli to provide an authenticated platform to run commands and scripts – vMA can be configured as a centralized logging system Use the VMware PowerCLI for bulk administration and reporting – A Windows PowerShell snapin with over 300 cmdlets Create a Dedicated Management Cluster – Set permissions at the Cluster level for only VM Admins
Protecting the management environment contd. vCenter Server Hardening – Replace self–signed SSL certificates on vCenter and ESX/ESXi hosts with a commercial SSL cert or local CA certificate – Keep server properly patched, Windows Updates – Use the Windows firewall or a 3rd party firewall – Restrict login to the system to vSphere Admins – Install vCenter using a service account, or remove the local Administrator account after installation – Add vCenter server to a dedicated management network – Disable vCenter Web Access – Deploy the vSphere client using VMware ThinApp
Protecting ESXi/ESX hosts ESXi hosts – Enable Tech Support Mode(Local and Remote) only when necessary – Enable lockdown mode with the DCUI service turned on – Enable lockdown mode and turn off the DCUI service (total lockdown) – Disable the managed object browser – Create a separate service account for Common Information Model (CIM) applications – Remove the web welcome screen, see http://communities.vmware.com/docs/DOC-11864 – Use host profiles to reduce misconfigurations and check compliance (also for ESX hosts)
ESXi Tech Support Mode Can enable in vCenter or DCUI
ESXi Tech Support Mode Timeout • Timeout automatically disables Tech Support Mode (local and remote) • Running sessions are not terminated • All commands issued in Tech Support Mode are sent to syslog
ESXi Lockdown Mode Forces all operations to be performed through vCenter Server – Lockdown Mode (disallows all access except root on DCUI) – Tech Support Mode (local and remote) – If all configured, then no local activity is possible (except reinstall)
Protecting ESXi/ESX hosts contd. ESX hosts – Upgrade to ESXi, ESX 4.1 will be the last supported version of ESX! – Configure firewall rules based on security needs and requirements, allow only default ports (902,4 43, 80, 22) – Modify password policies on the host for history, aging and complexity. Can modify the pam_cracklib.so plugin to modify password policies, see KB 1012033 for info – Limit access to su commands to users in the wheel group, edit /etc/pam.d/su and remove # from line auth required /lib/security/$ISA/pam_wheel.so use_uid – Restrict access to commands with SUDO utility – Disallow root account login at the console, create a nonprivileged user then run cat /dev/null > /etc/securetty to modify – Disable vSphere web access service, see KB1007617
Protecting Virtual Machines Secure the virtual machine operating system – Enable antivirus, antispyware, firewall and IDS appliances, consider using vShield for antivirus, firewall and IDS appliances – Keep current on updates and patches, including templates and powered off VM’s – Disable unused services and applications in the operating systems – Disconnect unused devices, CD, floppy, serial and parallel ports and USB controller – Use shares and reservations to ensure critical virtual machines have the resources they need
Protecting Virtual Machines contd. Set additional security parameters in the virtual machine configuration file (VMX), or in the vSphere client
Protecting Virtual Machines contd. List of common security configuration parameters – Prevent virtual disk shrink: “isolation.tools.diskWiper.disable = True” – Prevent connection of devices: “isolation.deviceconnectable.disable = True” and “isolation.device.edit.disable = True” – Limit the number of console connections: “RemoteDisplay.maxConnections = Value 1” – Limit virtual machine log file size and number: “log.rotatesize = Value 1000” and “log.keepOld = Value 10” – Limit messages from the VM to the VMX file: “tools.setInfo.sizeLimit = 104856” – Disable remote operations within the guest(VIX API): “guest.command.enable = False” – Disable sending host performance information to the guest: “tools.guestlib.enable HostInfo = False”
Resources • vSphere 4.1 Hardening Guide http://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR- SECRTY-HRDNG-USLET-101-WEB-1.pdf • VMware Manage & Design for Security Class http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu& a=one&id_subject=19217 • List of VMsafe third-party solutions http://www.vmware.com/technical- resources/security/vmsafe/security_technology.html • ThinApp and security http://vmjunkie.wordpress.com/2009/01/05/why-thinapp-is- revolutionary-from-a-security-perspective/
QUESTIONS?

More Related Content

PDF
VMware - Virtual SAN - IT Changes Everything
byVMUG IT
 
PPTX
Upgrading to VMware vSphere 6.0
byTim Carman
 
PDF
Configuring v sphere 5 profile driven storage
byvirtualsouthwest
 
PPTX
Whats new v sphere 6
byshixi wang
 
PDF
RHT Upgrading to vSphere 5
byvirtualsouthwest
 
PPTX
Nashville VMUG Keynote April 8 2015 - vSphere 6
byAdam Eckerle
 
PDF
VMworld 2013: Lowering TCO for Virtual Desktops with VMware View and VMware V...
byVMworld
 
PPT
VMware Virtual SAN slideshow
byAshley Williams
 
VMware - Virtual SAN - IT Changes Everything
byVMUG IT
 
Upgrading to VMware vSphere 6.0
byTim Carman
 
Configuring v sphere 5 profile driven storage
byvirtualsouthwest
 
Whats new v sphere 6
byshixi wang
 
RHT Upgrading to vSphere 5
byvirtualsouthwest
 
Nashville VMUG Keynote April 8 2015 - vSphere 6
byAdam Eckerle
 
VMworld 2013: Lowering TCO for Virtual Desktops with VMware View and VMware V...
byVMworld
 
VMware Virtual SAN slideshow
byAshley Williams
 

What's hot

PPTX
VMware vSphere 6.0 - Troubleshooting Training - Day 1
bySanjeev Kumar
 
PPT
VMware Presentation
byEmirates Computers
 
PDF
VMware vSphere Networking deep dive
bySanjeev Kumar
 
PPTX
VMware Advance Troubleshooting Workshop - Day 5
byVepsun Technologies
 
PPTX
VMware Advance Troubleshooting Workshop - Day 4
byVepsun Technologies
 
PPTX
VMware Advance Troubleshooting Workshop - Day 2
byVepsun Technologies
 
PPTX
VMware virtual SAN 6 overview
bysolarisyougood
 
PDF
VMware Virtual SAN Presentation
byvirtualsouthwest
 
PPTX
VMware Advance Troubleshooting Workshop - Day 6
byVepsun Technologies
 
PPTX
Rht v sphere-security
bymikeponderosa
 
PDF
VMware Site Recovery Manager (SRM) 6.0 Lab Manual
bySanjeev Kumar
 
PDF
VSAN – Architettura e Design
byVMUG IT
 
PPTX
Five common customer use cases for Virtual SAN - VMworld US / 2015
byDuncan Epping
 
PPTX
VMware vSAN - Novosco, June 2017
byNovosco
 
PDF
VMware HA deep Dive
byEric Sloof
 
PPTX
VMware ESXi 6.0 Installation Process
byNetProtocol Xpert
 
PPT
xen server 5.6, provisioning server 5.6 — технические детали и планы на будущее
byDenis Gundarev
 
PDF
VMworld 2014: Virtual SAN Architecture Deep Dive
byVMworld
 
PPTX
Oracle VM 3 hard partitioning
byGary Waldrom
 
VMware vSphere 6.0 - Troubleshooting Training - Day 1
bySanjeev Kumar
 
VMware Presentation
byEmirates Computers
 
VMware vSphere Networking deep dive
bySanjeev Kumar
 
VMware Advance Troubleshooting Workshop - Day 5
byVepsun Technologies
 
VMware Advance Troubleshooting Workshop - Day 4
byVepsun Technologies
 
VMware Advance Troubleshooting Workshop - Day 2
byVepsun Technologies
 
VMware virtual SAN 6 overview
bysolarisyougood
 
VMware Virtual SAN Presentation
byvirtualsouthwest
 
VMware Advance Troubleshooting Workshop - Day 6
byVepsun Technologies
 
Rht v sphere-security
bymikeponderosa
 
VMware Site Recovery Manager (SRM) 6.0 Lab Manual
bySanjeev Kumar
 
VSAN – Architettura e Design
byVMUG IT
 
Five common customer use cases for Virtual SAN - VMworld US / 2015
byDuncan Epping
 
VMware vSAN - Novosco, June 2017
byNovosco
 
VMware HA deep Dive
byEric Sloof
 
VMware ESXi 6.0 Installation Process
byNetProtocol Xpert
 
xen server 5.6, provisioning server 5.6 — технические детали и планы на будущее
byDenis Gundarev
 
VMworld 2014: Virtual SAN Architecture Deep Dive
byVMworld
 
Oracle VM 3 hard partitioning
byGary Waldrom
 

Viewers also liked

PPTX
Presentation oracle on power power advantages and license optimization
bysolarisyougood
 
PPT
Customer overview oracle solaris cluster, enterprise edition
bysolarisyougood
 
PDF
Ibm tivoli storage manager in a clustered environment sg246679
byBanking at Ho Chi Minh city
 
PPT
2.ibm flex system manager overview
bysolarisyougood
 
PDF
AIX 5L Differences Guide Version 5.3 Edition
byIBM India Smarter Computing
 
PDF
Ibm tivoli storage manager bare machine recovery for aix with sysback - red...
byBanking at Ho Chi Minh city
 
PPT
Sparc t4 systems customer presentation
bysolarisyougood
 
PPT
HP-UX Dynamic Root Disk vs Solaris Live Upgrade vs AIX Multibos by Dusan Balj...
byCircling Cycle
 
PPTX
Visual studio 2008 overview
bysagaroceanic11
 
PPTX
V mware v center orchestrator 5.5 knowledge transfer kit
bysolarisyougood
 
PPTX
Overview of v cloud case studies
bysolarisyougood
 
PPT
Leveraging Open Source to Manage SAN Performance
bybrettallison
 
PPTX
Aix admin course provider Navi Mumbai | AIX Admin Course Training Navi Mumbai...
byVibrantGroup
 
PPT
Avoiding Chaos: Methodology for Managing Performance in a Shared Storage A...
bybrettallison
 
PDF
Proof of concept guide for ibm tivoli storage manager version 5.3 sg246762
byBanking at Ho Chi Minh city
 
PDF
CTI Group- Blue power technology storwize technical training for customer - p...
byTri Susilo
 
PDF
IBMRedbook
byNeelamegan Minor
 
PDF
Accelerate Return on Data
byJeffrey T. Pollock
 
Presentation oracle on power power advantages and license optimization
bysolarisyougood
 
Customer overview oracle solaris cluster, enterprise edition
bysolarisyougood
 
Ibm tivoli storage manager in a clustered environment sg246679
byBanking at Ho Chi Minh city
 
2.ibm flex system manager overview
bysolarisyougood
 
AIX 5L Differences Guide Version 5.3 Edition
byIBM India Smarter Computing
 
Ibm tivoli storage manager bare machine recovery for aix with sysback - red...
byBanking at Ho Chi Minh city
 
Sparc t4 systems customer presentation
bysolarisyougood
 
HP-UX Dynamic Root Disk vs Solaris Live Upgrade vs AIX Multibos by Dusan Balj...
byCircling Cycle
 
Visual studio 2008 overview
bysagaroceanic11
 
V mware v center orchestrator 5.5 knowledge transfer kit
bysolarisyougood
 
Overview of v cloud case studies
bysolarisyougood
 
Leveraging Open Source to Manage SAN Performance
bybrettallison
 
Aix admin course provider Navi Mumbai | AIX Admin Course Training Navi Mumbai...
byVibrantGroup
 
Avoiding Chaos: Methodology for Managing Performance in a Shared Storage A...
bybrettallison
 
Proof of concept guide for ibm tivoli storage manager version 5.3 sg246762
byBanking at Ho Chi Minh city
 
CTI Group- Blue power technology storwize technical training for customer - p...
byTri Susilo
 
IBMRedbook
byNeelamegan Minor
 
Accelerate Return on Data
byJeffrey T. Pollock
 

Similar to RHT Design for Security

PDF
VMware
byInstituteIBA
 
PPT
Why Security Teams should care about VMware
byJJDiGeronimo
 
PDF
Vmware Vsphere For Dummies Dan Mitchell Thomas Keegan
byaramuayonta
 
PDF
Vsicm51 m02 virtualization_intro_
byVCAP5_wordpress
 
PPS
Safe checkup - vmWare vSphere 5.0 22feb2012
byM.Ela International Srl
 
PPTX
V mware v sphere 5 fundamentals services kit
bysolarisyougood
 
PPTX
Virtualization Security
bysyrinxtech
 
PDF
Exploring VMware APIs by Preetham Gopalaswamy
byAlan Renouf
 
PDF
Maximum Vsphere Tips Howtos And Best Practices For Working With Vmware Vspher...
byatakanyonay
 
PPTX
V sphere 5.1 what's new presentation, customer
bysolarisyourep
 
PDF
Presentation cloud infrastructure launch – what’s new
bysolarisyourep
 
PDF
Presentation cloud infrastructure launch – what’s new
byxKinAnx
 
PPT
How to configure esx to pass an audit
byConcentrated Technology
 
PDF
Presentation step into virtualization and transform your it
bysolarisyourep
 
PDF
Vtguru v mware-v-sphere-administration-training
byfosilalive2
 
PPTX
Denver VMUG nov 2011
byDan Brinkmann
 
PDF
Web server hardware and software
bySaquib Suhail
 
PDF
VCP5 vs VCP4 Blue Print
bySathishkumar A
 
PPTX
Transitioning to vmWare ESXi
byJose Antonio Chavez Verdin
 
PPTX
VMware Technical Overview (2012)
bySteven Aiello
 
VMware
byInstituteIBA
 
Why Security Teams should care about VMware
byJJDiGeronimo
 
Vmware Vsphere For Dummies Dan Mitchell Thomas Keegan
byaramuayonta
 
Vsicm51 m02 virtualization_intro_
byVCAP5_wordpress
 
Safe checkup - vmWare vSphere 5.0 22feb2012
byM.Ela International Srl
 
V mware v sphere 5 fundamentals services kit
bysolarisyougood
 
Virtualization Security
bysyrinxtech
 
Exploring VMware APIs by Preetham Gopalaswamy
byAlan Renouf
 
Maximum Vsphere Tips Howtos And Best Practices For Working With Vmware Vspher...
byatakanyonay
 
V sphere 5.1 what's new presentation, customer
bysolarisyourep
 
Presentation cloud infrastructure launch – what’s new
bysolarisyourep
 
Presentation cloud infrastructure launch – what’s new
byxKinAnx
 
How to configure esx to pass an audit
byConcentrated Technology
 
Presentation step into virtualization and transform your it
bysolarisyourep
 
Vtguru v mware-v-sphere-administration-training
byfosilalive2
 
Denver VMUG nov 2011
byDan Brinkmann
 
Web server hardware and software
bySaquib Suhail
 
VCP5 vs VCP4 Blue Print
bySathishkumar A
 
Transitioning to vmWare ESXi
byJose Antonio Chavez Verdin
 
VMware Technical Overview (2012)
bySteven Aiello
 

Recently uploaded

PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
The year in review - MarvelClient in 2025
bypanagenda
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The Landscape of Computer Software Development Companies
byYash Singh
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 

RHT Design for Security

  • 1.
    VSPHERE 4.1 PERFORMANCE & SECURITY TIPS Mike Armstrong, VCP vSphere 4
  • 2.
    Agenda • New features in vSphere 4.1 • Security in a virtual environment • Secure virtual networking • Protecting the management environment • Protecting ESX/ESXi hosts • Protecting virtual machines
  • 3.
    vSphere 4.1 NewFeatures – Network – Network I/O Control, Load Based Teaming, IPv6, Performance – Storage – Storage I/O Control, vStorage APIs for Array Integration (VAAI), Performance Reporting, iSCSI Offload enhancements – Memory Compression – A New Level of Hierarchy for Overcommit – ESXi – New Deployment Methods, Tech Support Mode Enhancements – Performance improvements in Availability and Resource Management - High Availability (HA), Fault Tolerance (FT), vMotion, Distributed Resource Scheduler (DRS), and Distributed Power Management Enhancements – Management – vCenter Server & Platform Enhancements
  • 4.
    HA and DRSCluster Improvements Increased cluster limitations • Cluster limits are now unified for HA and DRS clusters • Increased limits for VMs/host and VMs/cluster • Cluster limits for HA and DRS: • 32 hosts/cluster • 320 VMs/host (regardless of # of hosts/cluster) • 3000 VMs/cluster • Note that these limits also apply to post-failover scenarios. Please be sure that these limits will not be violated even after the maximum configured number of host failovers.
  • 5.
    Enhanced vCenter Scalability vSphere 4 vSphere 4.1 Ratio VMs per host 320 320 1x Hosts per cluster 32 32 1x VMs per cluster 1280 3000 3x Hosts per VC 300 1000 3x Registered VMs per VC 4500 15000 3x+ Powered-On VMs per VC 3000 10000 3x Concurrent VI Clients 30 120 4x Hosts per DC 100 500 5x VMs per DC 2500 5000 2x 5
  • 6.
    New Active DirectoryService • Provides authentication for all local services – vSphere Client – Other access based on vSphere API – Tech Support Mode (local and remote) • Has Active Directory groups functionality – Members of “ESX Admins” AD group have Administrative privilege – Administrative privilege includes: • Full Administrative role in vSphere Client and vSphere API clients • DCUI access • Tech Support Mode access (local and remote)
  • 7.
    Security in avirtual environment What makes it different from a physical environment? – Ease and speed of server deployments – Collapse of switches and servers into one device – Virtual machine encapsulation into files – Consolidation of server hardware
  • 8.
    Security in avirtual environment What makes it easier from a physical environment? – Virtual switches do not learn from the network, makes them invulnerable to attacks like MAC spoofing, random frame, and other types of attacks. – Virtual switches are also not vulnerable to spanning tree attacks because they do not need to support spanning tree protocol since they can’t be connected together and can’t create loops – Virtual machines do not have direct access to hardware, not susceptible to buffer overflow type attacks – Virtual machines are by design isolated from one another – Restoring a compromised virtual machine is faster since you can quickly revert to a previous state of the virtual machine, use templates or restore from a full VM backup – Availability of virtual security appliances – API’s and products specifically designed to secure a virtual environment, vShield
  • 9.
    Secure virtual networking Physicalnetwork configurations – Create separate VLANs for all management traffic, vMotion, IP Storage, and host management – Limit VLAN’s allowed on the trunk ports to host servers – Configure physical ports connected to host servers using VMware best practices, no STP, Auto Negotiate, PortFast enabled ,multiple ports for teaming and failover Virtual network configurations – Change virtual switch and port group default settings for MAC address changes and Forged Transmits to Reject – Change the default number of ports on a virtual switch – Implement Private VLAN’s to further isolate virtual machines, (need to be supported and configured on the physical switches as well)
  • 10.
    Secure virtual networkingcontd. Changing default settings for MAC address changes and Forged Transmits
  • 11.
    Secure virtual networkingcontd. Changing the default number of ports on a virtual switch
  • 12.
    Secure virtual networkingcontd. Private VLAN on Virtual Distributed Switch settings
  • 13.
    Secure virtual networkingcontd. Private VLAN configuration on Virtual Distributed Switch settings
  • 14.
    Secure virtual networkingcontd. Create Private VLAN on Virtual Distributed Switch
  • 15.
    Secure virtual networkingcontd. Create Private VLAN selection on Virtual Distributed Switch
  • 16.
    Protecting the management environment UserAccess Controls – Use vCenter server to centralize access rather than creating users or groups on individual hosts – Add vCenter, ESX/EXSi hosts to Active Directory, create security groups for specific management and user purposes – Use vCenter roles to assign granular permissions to groups, clone roles to create custom roles and permissions – Apply the principle of least privilege when assigning and creating roles – Create folders to assign roles to objects that require similar access Gather vCenter roles and assignments using PowerCLI – Get-vipermission –entity (get-inventory) | export-csv “c:permissions.csv”
  • 17.
    Protecting the management environmentcontd. Install vSphere Management Assistant (vMA) – Virtual machine that is prepackaged with vSphere cli to provide an authenticated platform to run commands and scripts – vMA can be configured as a centralized logging system Use the VMware PowerCLI for bulk administration and reporting – A Windows PowerShell snapin with over 300 cmdlets Create a Dedicated Management Cluster – Set permissions at the Cluster level for only VM Admins
  • 18.
    Protecting the management environmentcontd. vCenter Server Hardening – Replace self–signed SSL certificates on vCenter and ESX/ESXi hosts with a commercial SSL cert or local CA certificate – Keep server properly patched, Windows Updates – Use the Windows firewall or a 3rd party firewall – Restrict login to the system to vSphere Admins – Install vCenter using a service account, or remove the local Administrator account after installation – Add vCenter server to a dedicated management network – Disable vCenter Web Access – Deploy the vSphere client using VMware ThinApp
  • 19.
    Protecting ESXi/ESX hosts ESXihosts – Enable Tech Support Mode(Local and Remote) only when necessary – Enable lockdown mode with the DCUI service turned on – Enable lockdown mode and turn off the DCUI service (total lockdown) – Disable the managed object browser – Create a separate service account for Common Information Model (CIM) applications – Remove the web welcome screen, see http://communities.vmware.com/docs/DOC-11864 – Use host profiles to reduce misconfigurations and check compliance (also for ESX hosts)
  • 20.
    ESXi Tech SupportMode Can enable in vCenter or DCUI
  • 21.
    ESXi Tech SupportMode Timeout • Timeout automatically disables Tech Support Mode (local and remote) • Running sessions are not terminated • All commands issued in Tech Support Mode are sent to syslog
  • 22.
    ESXi Lockdown Mode Forcesall operations to be performed through vCenter Server – Lockdown Mode (disallows all access except root on DCUI) – Tech Support Mode (local and remote) – If all configured, then no local activity is possible (except reinstall)
  • 23.
    Protecting ESXi/ESX hostscontd. ESX hosts – Upgrade to ESXi, ESX 4.1 will be the last supported version of ESX! – Configure firewall rules based on security needs and requirements, allow only default ports (902,4 43, 80, 22) – Modify password policies on the host for history, aging and complexity. Can modify the pam_cracklib.so plugin to modify password policies, see KB 1012033 for info – Limit access to su commands to users in the wheel group, edit /etc/pam.d/su and remove # from line auth required /lib/security/$ISA/pam_wheel.so use_uid – Restrict access to commands with SUDO utility – Disallow root account login at the console, create a nonprivileged user then run cat /dev/null > /etc/securetty to modify – Disable vSphere web access service, see KB1007617
  • 24.
    Protecting Virtual Machines Securethe virtual machine operating system – Enable antivirus, antispyware, firewall and IDS appliances, consider using vShield for antivirus, firewall and IDS appliances – Keep current on updates and patches, including templates and powered off VM’s – Disable unused services and applications in the operating systems – Disconnect unused devices, CD, floppy, serial and parallel ports and USB controller – Use shares and reservations to ensure critical virtual machines have the resources they need
  • 25.
    Protecting Virtual Machinescontd. Set additional security parameters in the virtual machine configuration file (VMX), or in the vSphere client
  • 26.
    Protecting Virtual Machinescontd. List of common security configuration parameters – Prevent virtual disk shrink: “isolation.tools.diskWiper.disable = True” – Prevent connection of devices: “isolation.deviceconnectable.disable = True” and “isolation.device.edit.disable = True” – Limit the number of console connections: “RemoteDisplay.maxConnections = Value 1” – Limit virtual machine log file size and number: “log.rotatesize = Value 1000” and “log.keepOld = Value 10” – Limit messages from the VM to the VMX file: “tools.setInfo.sizeLimit = 104856” – Disable remote operations within the guest(VIX API): “guest.command.enable = False” – Disable sending host performance information to the guest: “tools.guestlib.enable HostInfo = False”
  • 27.
    Resources • vSphere 4.1Hardening Guide http://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR- SECRTY-HRDNG-USLET-101-WEB-1.pdf • VMware Manage & Design for Security Class http://mylearn.vmware.com/mgrreg/courses.cfm?ui=www_edu& a=one&id_subject=19217 • List of VMsafe third-party solutions http://www.vmware.com/technical- resources/security/vmsafe/security_technology.html • ThinApp and security http://vmjunkie.wordpress.com/2009/01/05/why-thinapp-is- revolutionary-from-a-security-perspective/
  • 28.