Virtual Infrastructure 3 Best Practices for a secure installation. Jeff Mayrand

Post on 29-Dec-2015

Page 1: Virtual Infrastructure 3 Best Practices for a secure installation. Jeff Mayrand

Virtual Infrastructure 3

Best Practices for a secure installation.

Jeff Mayrand

Page 2:

Contents
Architecture changes (General Overview)
General Account Security
VSWIF Security
Web Security
Monitoring / Security Toolkits
VMware Virtual Appliances

Page 3:

Architecture Changes
MUI removed from ESX Server.
Console and guest soft switches are visible - complete rewrite of network code.
VM Backup Proxy.
VMFS 3.

Page 4:

Page 5:

General Account Security
Do use SUDO and wheel groups to segment administrative functions.
Create separate service accounts for operation of Virtual Center.
Recommended administrative groups: VMAdmins, ESXAdmins.

Page 6:

Virtual Switch Overview
A vswitch at its core is a layer 2 forwarding engine.
VLAN tagging / stripping / filtering units.
Very modular (3rd party add-ons).
Part of Community Source.

Page 7:

Virtual Switch vs Physical Switch - How is it similar?
Maintains a MAC port forwarding table.
Supports VLAN segmentation per port.
Supports copying packets to a mirror port (span port).
Can be managed remotely by an administrator.

Page 8:

Virtual Switch vs Physical Switch - How is it different?
Direct channel from VNICs for control data (checksum / segmentation): a very wide control channel.
Authoritative MAC filter updates.
No IGMP snooping to learn multicast group membership.
No learning of unicast addresses.
Ports can automatically enter mirror mode.

Page 9:

Vswitch Isolation - How to ensure no traffic leaks between vswitches?
Switches are not cascaded, so there is no code sharing between them.
Vswitches cannot share uplink ports.
Each vswitch has its own forwarding table.

Page 10:

Vswitch Isolation - How to ensure guests cannot impact switch behavior?
Vswitches cannot learn from the network to populate the forwarding table.
Vswitches make a copy of each frame to prevent in-flight modification (wide control channel).

Page 11:

Vswitch Isolation - How to ensure frames are in the appropriate VLAN?
VLAN data is carried outside the frame (wide control channel).
Vswitch has no dynamic trunking.
Vswitch has NO native VLAN support.

Page 12:

(Network diagram; only its labels survive extraction.)
Tiers: App Public Tier, App Private Tier, Middle Tier, Data Tier, Management / Backup, Vmotion.
Components: ISA, RDP Client, Virtual Management Console, Backup Server, Monitoring.
Service console interfaces: VSWIF0 - CON, VSWIF1, VSWIF2, VSWIF3, VSWIF4.

Page 13:

Web Security
Update and use SSL certificates on ESX hosts and on Virtual Center.
The core is Apache, so check into all known Apache exploits.
The MUI is removed from ESX hosts, which makes securing them easier because the web footprint is less widespread.

Page 14:

Monitoring and Security Toolkits
SNMP is the default monitoring access (OID masking, community strings).
Security toolkits are available to help check for changes to available ports and for known exploit validation.
Network Security Toolkit Virtual Machine (Nagios, Nessus, Nmap).
Common Vulnerabilities and Exposures (many false positives).
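One way to put the "check for changes to available ports" point into practice, as an added example that is not part of the original slides: a small Python script that parses nmap grepable (-oG) output and diffs the set of open ports on each host against a known-good baseline. The host address, hostname and port lists below are constructed for the example, not real scan results.

```python
"""Report open-port drift on ESX hosts by diffing nmap -oG output against a baseline.
Added example; not code from the original deck. All scan lines are constructed."""
import re

# Constructed baseline scan of a hypothetical ESX host (address and hostname made up).
BASELINE_SCAN = (
    "Host: 10.0.0.5 (esx01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "902/open/tcp//vmware-authd///\tIgnored State: closed (997)\n"
)
# Constructed later scan: a new listener on 8080, 902 no longer open, and an
# "open|filtered" UDP port that must NOT count as an open-port change.
CURRENT_SCAN = (
    "Host: 10.0.0.5 (esx01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done at (constructed): 1 IP address (1 host up) scanned\n"
)

# Each port entry in -oG output looks like "port/state/proto/owner/service/rpc/version/".
PORT_RE = re.compile(r"(?:^|,)\s*(\d+)/([\w|]+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} containing only ports in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and hosts with no port field
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = {
            (int(port), proto)
            for port, state, proto in PORT_RE.findall(ports_field)
            if state == "open"
        }
    return hosts


def port_drift(baseline_text, current_text):
    """Return {host: (newly_open, no_longer_open)} for every host whose open set changed."""
    base, cur = parse_grepable(baseline_text), parse_grepable(current_text)
    drift = {}
    for host in sorted(set(base) | set(cur)):
        before, after = base.get(host, set()), cur.get(host, set())
        if before != after:
            drift[host] = (after - before, before - after)
    return drift


if __name__ == "__main__":
    for host, (opened, closed) in port_drift(BASELINE_SCAN, CURRENT_SCAN).items():
        print(f"{host}: newly open {sorted(opened)}, no longer open {sorted(closed)}")
```

Run it against two saved scans of the same host (baseline taken right after build, current taken on a schedule) and alert on any non-empty result.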

Page 15:

Virtual Appliances
Know who's providing it to you!
Isolate it before you put it into production.
Place extra effort on validating and monitoring it after you put it in (rogue traffic, configuration changes, etc.).

Page 16:

WWW Resources
http://www.vmguru.com/
http://www.vmware.com/vmtn/technology/security/
http://vmprofessional.com/