7/25/2019 Guide Virtualization Hardening Guides 34900
1/14
SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
A Guide to Virtualization Hardening Guides
Copyright SANS Institute
Author Retains Full Rights
A Guide to Virtualization Hardening Guides
A SANS Whitepaper, May 2010
Written by Dave Shackleford
Sponsored by VMware

Contents:
Network Security and Access Controls
User and Group Security
Logging and Auditing
Guest/Host Interaction Controls
Management Server Controls
Additional ESX and ESXi Controls
SANS Analyst Program 3 A Guide to Virtualization Hardening Guides
Control comparison (table columns: Control; VMware vSphere 4.0 Hardening Guide; DISA ESX Server STIG V1r1; CIS ESX Benchmark v1.2.0; Recommendations)

Control: Isolate VMotion traffic (to protect confidentiality of virtual network traffic)
VMware vSphere 4.0 Hardening Guide: NAR02: Ensure VMotion traffic is isolated. VMware has guidance for both physical NIC separation and vSwitch and port group-based separation, in typical enterprise and more security-conscious environments, respectively.
DISA ESX Server STIG V1r1: ESX0030: Dedicated physical NIC for VMotion traffic. ESX0040: Dedicated virtual switch and VLAN for VMotion. The DISA STIG mandates a separate physical NIC for VMotion traffic.
CIS ESX Benchmark v1.2.0: 1.1.1 Do Not Use the Management Network for the Virtual Machine Network. CIS only suggests a separate VLAN and port group for VMotion traffic.
Recommendations: VMotion traffic is in cleartext and should be protected from other traffic and access, usually by segmentation via a separate vSwitch or port group. Virtual or physical separation of this traffic should be implemented in all environments, regardless of security level or compliance requirements. In highest-security or compliance environments, a separate physical NIC is recommended.

Control: Prevent MAC address spoofing in a virtual environment (to prevent spoofing and man-in-the-middle attacks)
VMware vSphere 4.0 Hardening Guide: NCN03: Ensure the MAC Address Change policy is set to Reject. NCN04: Ensure the Forged Transmits policy is set to Reject. VMware recommends implementing these controls for all environments unless clustering, vShield Zones, or other partner products are needed.
DISA ESX Server STIG V1r1: ESX0250: Configure the MAC Address Change to Reject on all virtual switches. ESX0260: Set Forged Transmit to Reject on all virtual switches. DISA makes exceptions for clustering, legacy applications, and licensing issues, if documented.
CIS ESX Benchmark v1.2.0: 1.5.1 Protect Against MAC Address Spoofing, Forged Transmits, and Promiscuous Mode. CIS treats this as a Level 1 control, indicating it is a best practice control with minimal impact that should be implemented if possible.
Recommendations: Setting MAC Address Change and Forged Transmits to Reject can adversely affect production systems such as Microsoft Clustering and vShield Zones. These are important controls, but may break functionality. If availability is a primary concern, consider avoiding these controls. If integrity of the environment and data confidentiality are more important, then implement this control.

Control: Configure the ESX Firewall for High Security (to prevent abuse of unnecessary ports and services)
VMware vSphere 4.0 Hardening Guide: CON01: Ensure ESX Firewall is configured to High Security.
DISA ESX Server STIG V1r1: ESX0320: Configure the ESX firewall at the High Security level.
CIS ESX Benchmark v1.2.0: 1.5.2 Configure the Firewall to Allow Only Authorized Traffic.
Recommendations: Both VMware and DISA recommend High Security, while CIS is more general. Unless additional ports and services are needed, this should be set for all environments. ESXi does not currently have a built-in firewall, but it does have a local reverse proxy that drops traffic on unrecognized ports by default. By default, the High Security setting only allows ports needed for virtualization operations inbound and outbound to the ESX server. Many organizations need additional ports opened for other forms of traffic. It is strongly recommended they open those ports inbound and outbound explicitly instead of changing the firewall security level to Medium (all outbound permitted) or Low (all traffic allowed).

Control: Manage network access control/segmentation (to protect powerful control data)
VMware vSphere 4.0 Hardening Guide: NAR04: Strictly control access to Management network.
DISA ESX Server STIG V1r1: ESX0130: The Service Console and VMs should be on separate VLANs or network segments.
CIS ESX Benchmark v1.2.0: 1.1.1 Do Not Use the Management Network for the Virtual Machine Network.
Recommendations: All three guides are straightforward in this guidance: because the management network contains sensitive data and management interfaces could potentially expose powerful control and administration capabilities, they should be separated from other network areas.
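As an added audit example (not code from the SANS paper, VMware, DISA or CIS), the following PowerCLI script checks one ESX host against the MAC Address Change / Forged Transmits rows and the firewall High Security row above, reporting deviations rather than changing anything. It assumes VMware PowerCLI is installed, Connect-VIServer has already been run, and the host name is a placeholder to replace.

```powershell
# Added audit script (not from the SANS paper or VMware). Assumes PowerCLI is
# installed and Connect-VIServer has already been run against a vCenter or ESX
# host; $hostName is an assumed placeholder.
$hostName = "esx01.example.internal"   # placeholder, replace with a real host
$vmhost   = Get-VMHost -Name $hostName
$findings = @()

# Row "Prevent MAC address spoofing" (VMware NCN03/NCN04, DISA ESX0250/ESX0260,
# CIS 1.5.1): every vSwitch should reject MAC Address Changes and Forged
# Transmits. Port groups can override the vSwitch policy, so check them too.
foreach ($vs in Get-VirtualSwitch -VMHost $vmhost) {
    $pol = Get-SecurityPolicy -VirtualSwitch $vs
    if ($pol.MacChanges)       { $findings += "$($vs.Name): MAC Address Changes = Accept" }
    if ($pol.ForgedTransmits)  { $findings += "$($vs.Name): Forged Transmits = Accept" }
    if ($pol.AllowPromiscuous) { $findings += "$($vs.Name): Promiscuous Mode = Accept" }
    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
        $pgPol = Get-SecurityPolicy -VirtualPortGroup $pg
        if (-not $pgPol.MacChangesInherited -and $pgPol.MacChanges) {
            $findings += "$($vs.Name)/$($pg.Name): port group overrides MAC Address Changes to Accept"
        }
        if (-not $pgPol.ForgedTransmitsInherited -and $pgPol.ForgedTransmits) {
            $findings += "$($vs.Name)/$($pg.Name): port group overrides Forged Transmits to Accept"
        }
    }
}

# Row "Configure the ESX Firewall for High Security" (VMware CON01, DISA ESX0320):
# High Security blocks incoming and outgoing by default, with needed ports opened
# as named exceptions instead of dropping to Medium (outbound open) or Low (all open).
$fw = Get-VMHostFirewallDefaultPolicy -VMHost $vmhost
if ($fw.IncomingEnabled -and $fw.OutgoingEnabled) {
    $findings += "Firewall default policy is Low: all traffic allowed"
} elseif ($fw.OutgoingEnabled) {
    $findings += "Firewall default policy is Medium: all outbound allowed"
}
# List the explicitly enabled exceptions so a reviewer can confirm each is needed.
Get-VMHostFirewallException -VMHost $vmhost | Where-Object { $_.Enabled } |
    Select-Object Name, IncomingPorts, OutgoingPorts, Protocols | Format-Table -AutoSize

# Remediation, only after confirming no clustering or vShield Zones dependency
# (the availability caveat in the Recommendations column):
#   Get-VirtualSwitch -VMHost $vmhost | Get-SecurityPolicy |
#       Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false
if ($findings.Count -eq 0) { "No deviations from the Reject / High Security baseline found." }
else { $findings }
```

Run it per host from a scheduled job and diff the output over time; a vSwitch that silently flips back to Accept is the kind of drift these benchmarks are meant to catch.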
VMware Configuration Guidance
SANS would like to thank this paper's sponsor: