Advanced VMware Security Course 01 - Primer and Reaffirming Our Knowledge

Post on 31-May-2020


TRANSCRIPT

Page 1

Advanced VMware Security

Course 01 - Primer and Reaffirming Our Knowledge


Slide 1

1-1

ESX Networking Components

• Key Virtual Networking Components
  • Virtual Ethernet adapters (vNIC)
  • Virtual Switches (vSwitch)
  • Distributed Virtual Switch (dvSwitch, vSphere 4)
  • Virtual Port Groups
• These components connect the virtual machines, the VMkernel and the ESX Server service console to external networks.

[Diagram: a VMware ESX host with the service console, the VMkernel and VM 1 to VM 4 (OS + APP) attached to virtual switches; the management LAN and the production LAN are reached through separate uplinks, the production LAN through a NIC team. Dashed outline denotes a virtual device.]


Slide 2

1-2

How Virtual Ethernet Adapters Work

• 6 Different Types of Adapters
  – Exclusively used for virtual machines
    • vmxnet – a paravirtualized device that works only if VMware Tools is installed in the guest operating system
    • vmxnet3 – built on the same architecture as vmxnet but provides up to 10 Gbps speeds (ESX 4.0 only; requires virtual hardware version 7)
    • vlance – emulates the AMD Lance PCnet32 Ethernet adapter
    • e1000 – emulates the Intel E1000
  – Other adapters
    • vswif – used only by the ESX Server service console
    • vmknic – typically used to service vMotion, NFS and iSCSI clients
  – All of these
    • Have their own MAC address
    • Are strictly Layer 2 Ethernet adapter devices

• Note: The speed and duplex settings found in physical networking are not relevant in the virtual network, because all the data transfer takes place in the host system's RAM, nearly instantaneously and without the possibility of collisions or other signaling-related errors.


Slide 3

1-3

How Virtual Switches Work

• Virtual switches are the key networking components
  • Can create up to 128 vSwitches on each ESX 3.5 host
  • Can create up to 248 vSwitches on each ESX 4 host
• A virtual switch is built to order
  • Uses a core Layer 2 forwarding engine
    • Key part of the system. Processes only Layer 2 Ethernet headers, so it is protocol independent and faster
  • VLAN tagging, stripping, and filtering units
  • Layer 2 security, checksum, and segmentation offload units
  • Modular in nature, to be extended in future developments
  • Dynamically built at runtime, utilizing only the needed components
  • Support built in for 3rd-party modules
    • The VMsafe APIs are built into ESX 4; vShield Zones, which uses them, ships with vSphere 4

Note: In many ways, the ESX Server virtual switches are similar to physical switches. In some notable ways, they are different. Understanding these similarities and differences will help you plan the secure configuration of your virtual network and its connections to your physical network.


Slide 4

1-4

VMsafe Overview

• Set of APIs built into ESX 4 / ESXi 4
• Allows 3rd parties to build security appliances
• Memory and CPU
  – Provides detailed monitoring of guest VM memory pages and vCPU states
• Network packet filtering
  – Monitors packets into and out of the vSwitch
  – Monitoring runs within a dedicated security VM, not inside the guest being protected
• Process execution (guest handling)
  – APIs that enable complete monitoring and control of process execution inside the guest OS
• Storage
  – VMDKs can be mounted, manipulated and modified as they persist on storage devices


Slide 5

1-5

Current VMsafe Partners

• Altor Networks

• Apani

• BigFix

• BlueLane

• Catbird

• Cenzic

• Check Point

• Configuresoft

• F5

• Fortinet

• Fortisphere

• HyTrust

• IBM

• Imperva

• Kaspersky

• ManageIQ

• McAfee

• Montego Networks

• Reflex

• RSA

• Secure Computing

• Symantec

• Third Brigade

• Trend Micro

• Tripwire

• Webroot

Topic 6: VMsafe and vShield Zones


Slide 6

1-6

Virtual Switch vs. Physical Switch

• ESX Server vSwitches have these characteristics in common with physical switches
  – Maintain a MAC:port forwarding table
  – Look up each frame's destination MAC when it arrives
  – Forward a frame to one or more ports for transmission
  – Avoid unnecessary deliveries (it is not a hub)
  – Support VLAN segmentation at the port level
    • Each port can be configured to access a single VLAN


Slide 7

1-7

Spanning Tree Protocol Not Needed

• VI3 and vSphere 4 enforce a single-tier network topology
  – Virtual switches cannot be interconnected
  – So bridge loops can't exist, thus:
    • No need for the Spanning Tree Protocol
• Because there is no need to cascade virtual switches, no capability is provided to connect virtual switches.
• Because there is no way to connect virtual switches, there is no need to prevent bad virtual switch connections.
• Because virtual switches cannot share physical Ethernet adapters, there is no way to fool the Ethernet adapter into doing loopback or some similar configuration that would cause a leak between virtual switches.
• Caveat: this holds at the vSwitch layer only. A guest with vNICs on two different virtual switches can still bridge them inside its own OS, which is a loop and an isolation leak the hypervisor does not prevent; multi-homed VMs therefore need review.


Slide 8

1-8

Virtual Ports

• Provide logical connection points among virtual devices and between virtual and physical devices
  – Think of them as RJ45 connectors
• Each switch can have up to 1,016 virtual ports on ESX 3.5 and 4,088 on ESX 4
• Limited to 4,096 ports across all virtual switches on a host
• ESX virtual ports:
  – No MAC learning is required to populate forwarding tables
  – Unlike physical switches, they know authoritatively the "hard" configuration of the virtual Ethernet adapters attached to them
    • This capability makes it possible to set such policies as "guest can't change MAC address"


Slide 9

1-9

Uplink Ports

• Provide a connection between a virtual network and a physical network
• Virtual switches can be configured with uplink ports or with no uplink ports

[Diagram: vSwitches with VM 1 and VM 2 (OS + APP) attached. Dashed outline denotes a virtual device.]


Slide 10

1-10

Port Groups

• You can think of port groups as templates for creating virtual ports with particular sets of specifications
• Port groups are particularly important for vMotion
  • They allow you to specify that a given VM should have a particular type of connectivity across hosts
• Port groups are user-named objects containing
  – Virtual switch name
  – VLAN IDs and policies for tagging and filtering
  – Teaming policy
  – Layer 2 security options
  – Traffic shaping parameters


Slide 11

1-11

Uplinks

• Physical Ethernet adapters serve as bridges between virtual and physical networks
• VI3 calls these uplinks
• The virtual ports connected to them are called uplink ports
• A single host may have a maximum of 32 uplinks
  – May all be on one switch
  – Or distributed among multiple switches (each physical adapter belongs to at most one vSwitch)


Slide 12

1-12

Virtual Switch Correctness

• Virtual switches do not learn from the network in order to populate their forwarding tables.
• Virtual switches make private copies of any frame data used to make forwarding or filtering decisions, so a guest cannot alter a frame in its own memory after the switch has inspected it.
• ESX ensures VLAN isolation by:
  – Carrying VLAN data outside the frame as it passes through the virtual switch.
  – Providing no dynamic trunking support in virtual switches.
• Dynamic trunking and native VLAN are features in which an attacker may find vulnerabilities that could open isolation leaks.


Slide 13

1-13

VLANs in VMware Infrastructure

• The header of a packet is tagged by an 802.1Q VLAN trunking driver
• VLANs provide for logical groupings of stations or switch ports
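Slides 1, 12 and 13 together describe a layout to aim for (management and production on separate switches, VLAN isolation enforced by the vSwitch, no reliance on native-VLAN or trunk negotiation). The check below, an added example written for this page rather than anything from the course or from VMware, parses the listing that `esxcfg-vswitch -l` prints on an ESX 3.5/4 service console and flags the layouts those slides warn about. The sample listing is constructed in that command's shape, the management-port-group detection is a name heuristic (the listing does not print port-group type), and the rules are mine.

```python
"""Audit of ESX standard vSwitch and port-group layout from `esxcfg-vswitch -l` output.
Added example for this page: parser and rules are mine, and SAMPLE below is constructed in the
shape that command prints on ESX 3.5/4 (not captured from a real host)."""

SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0,vmnic1
  VMkernel            0        1           vmnic0,vmnic1
  VM Network          0        2           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          4           64                1500    vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Production          100      1           vmnic2
  Legacy              0        1           vmnic2
  Sniffer             4095     1           vmnic2

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch2       64          2           64                1500

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Lab Isolated        0        2
"""

MGMT_PREFIXES = ("Service Console", "VMkernel")  # heuristic: the listing does not print port-group type


def parse(listing):
    """Return {switch: {"uplinks": [...], "portgroups": [{"name", "vlan", "used", "uplinks"}]}}."""
    switches, current, section = {}, None, None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Switch Name"):
            section = "switch"
            continue
        if line.startswith("PortGroup Name"):
            section = "pg"
            continue
        tokens = line.split()
        if section == "switch":
            current = tokens[0]
            switches[current] = {"uplinks": tokens[5].split(",") if len(tokens) > 5 else [],
                                 "portgroups": []}
        elif section == "pg":
            # Names may contain spaces, so peel the fixed columns off the right-hand side.
            uplinks = [] if tokens[-1].isdigit() else tokens.pop().split(",")
            used, vlan = int(tokens.pop()), int(tokens.pop())
            switches[current]["portgroups"].append(
                {"name": " ".join(tokens), "vlan": vlan, "used": used, "uplinks": uplinks})
    return switches


def audit(switches):
    """Flag layouts the slides warn about; returns (switch, message) tuples."""
    findings = []
    for sw, info in switches.items():
        pgs = info["portgroups"]
        names = [p["name"] for p in pgs]
        mgmt = [n for n in names if n.startswith(MGMT_PREFIXES)]
        if mgmt and len(mgmt) < len(names):
            findings.append((sw, "management and VM port groups share one switch and its uplinks: "
                                 + ", ".join(names)))
        vlans = {p["vlan"] for p in pgs}
        if info["uplinks"] and 0 in vlans and any(v not in (0, 4095) for v in vlans):
            findings.append((sw, "untagged (VLAN 0, i.e. native VLAN) port group beside tagged ones; "
                                 "native-VLAN handling on the upstream trunk is now security-relevant"))
        for p in pgs:
            if p["vlan"] == 4095:
                findings.append((sw, f"port group '{p['name']}' uses VLAN 4095 (guest tagging): "
                                     "the guest receives frames from every VLAN on the uplink"))
        if not info["uplinks"]:
            findings.append((sw, "no uplinks: VMs here are cut off from the physical network; "
                                 "confirm that isolation is intended"))
    return findings


if __name__ == "__main__":
    for switch, message in audit(parse(SAMPLE)):
        print(f"{switch}: {message}")
```

On a real host, feed `esxcfg-vswitch -l` output to `parse()` instead of `SAMPLE`. The isolated-switch finding is informational (a vSwitch with no uplink is a legitimate way to build a private lab segment); the VLAN 4095 and native-VLAN findings are the ones that deserve a ticket.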


Slide 14

1-14

NIC Teaming

• NIC teaming is used to connect a single vSwitch to multiple physical adapters
• A team can share the load of traffic between physical and virtual networks among its members
  – Teaming is not the same as a physical network
• You can provide passive failover in the event of a hardware failure or a network outage
• You can set NIC teaming policies at the port group level.
• Important: All physical switch ports in the same team must be in the same Layer 2 broadcast domain


Slide 15

1-15

Load Balancing

• Route based on the originating virtual switch port ID
  – When you use this setting, traffic from a given vNIC is consistently sent to the same physical adapter unless there is a failover in the NIC team
• Route based on source MAC hash
  – This produces a hash of the source MAC address
  – When you use this setting, traffic from a given vNIC is consistently sent to the same physical adapter unless there is a failover in the NIC team
• Route based on IP hash
  – Evenness of traffic distribution depends on the number of TCP/IP sessions to unique destinations; there is no benefit for bulk transfer between a single pair of hosts
  – Requires link aggregation (a static EtherChannel) on the physical switch ports, because frames for one source MAC may leave and return on any uplink in the team


Slide 16

1-16

Failover Configurations

• Link status only
  – Relies solely on the link status provided by the network adapter; this detects cable pulls and switch power failures, but not a port blocked by spanning tree, a VLAN misconfiguration, or a failure beyond the first physical switch
• Beacon probing
  – Sends out and listens for beacon probes
  – Ethernet broadcast frames sent by the physical adapters to detect upstream network connection failures
• To minimize delays, on the physical switch ports facing the ESX host:
  – Disable Spanning Tree Protocol on those ports (or set them to PortFast)
  – Disable EtherChannel negotiation such as PAgP or LACP
  – Disable trunking negotiation


Slide 17

1-17

Normal Operation

[Diagram: one VM on an ESX Server whose uplinks nic1, nic2 and nic3 connect through physical switches 1 to 4 to the network. Virtual machine traffic is handled by nic1.]


Slide 18

1-18

Connection Fails

[Diagram: same topology. The connection between switch 1 and switch 4 fails. Each Ethernet adapter sends a beacon packet.]


Slide 19

1-19

Signaling Process – Beaconing

[Diagram: same topology. Beacons are returned on nic2 and nic3 but not on nic1.]


Slide 20

1-20

Data Rerouted

[Diagram: same topology. Data to the network is rerouted through nic3.]
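Slide 15 (load balancing) and slides 16 to 20 (beacon probing and the nic1 failure walk-through) are easier to reason about with the policies written out. The block below is an added example written for this page, not VMware's implementation: the port-ID, source-MAC and IP-hash selectors are simplified stand-ins (the IP-hash one keeps the "XOR of the two addresses, modulo the number of uplinks" structure VMware documents, but the exact arithmetic is an assumption), the topology fed to `beacon_probe()` is constructed, and the failover order `nic1, nic3, nic2` is assumed so that nic3 takes over as on slide 20.

```python
"""NIC-team uplink selection for the three standard vSwitch load-balancing policies, plus the
beacon-probing failure detector behind slides 17-20. Added example: the hash functions are
simplified stand-ins written for this page, not VMware's implementation."""
import ipaddress
import zlib


def uplink_by_port_id(port_id, uplinks):
    """Originating virtual port ID: a vNIC stays pinned to one uplink until failover."""
    return uplinks[port_id % len(uplinks)]


def uplink_by_src_mac(src_mac, uplinks):
    """Source MAC hash: same vNIC, same uplink, whatever the destination."""
    digest = zlib.crc32(bytes.fromhex(src_mac.replace(":", "")))  # stand-in hash (assumption)
    return uplinks[digest % len(uplinks)]


def uplink_by_ip_hash(src_ip, dst_ip, uplinks):
    """IP hash: XOR of the two addresses modulo the uplink count (exact arithmetic is an
    assumption). One src/dst pair always maps to one uplink, so only many distinct destinations
    spread the load. Needs a static EtherChannel on the physical switch."""
    mix = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return uplinks[mix % len(uplinks)]


def distribution(policy, flows, uplinks):
    """Count how many flows each uplink carries. flows: (port_id, src_mac, src_ip, dst_ip) tuples."""
    chooser = {
        "portid": lambda f: uplink_by_port_id(f[0], uplinks),
        "srcmac": lambda f: uplink_by_src_mac(f[1], uplinks),
        "iphash": lambda f: uplink_by_ip_hash(f[2], f[3], uplinks),
    }[policy]
    counts = dict.fromkeys(uplinks, 0)
    for flow in flows:
        counts[chooser(flow)] += 1
    return counts


def beacon_probe(uplinks, reachable_pairs):
    """Beacon probing: every uplink broadcasts a beacon and listens for the others' beacons.
    An uplink that hears no other uplink is marked failed. `reachable_pairs` lists the (a, b)
    uplink pairs whose beacons still reach each other on the constructed topology. With fewer
    than three uplinks the failed side cannot be told apart, which is why VMware recommends at
    least three uplinks for beacon probing; None signals that ambiguity."""
    if len(uplinks) < 3:
        return None
    heard = {u: set() for u in uplinks}
    for a, b in reachable_pairs:
        heard[a].add(b)
        heard[b].add(a)
    return sorted(u for u in uplinks if not heard[u])


def active_uplink(failover_order, failed):
    """Failover: the first uplink in the configured active order that has not failed."""
    return next((u for u in failover_order if u not in failed), None)


if __name__ == "__main__":
    team = ["vmnic0", "vmnic1", "vmnic2"]
    one_pair = [(0, "00:50:56:aa:00:01", "10.0.0.5", "10.0.0.9")] * 20  # constructed bulk transfer
    many_dst = [(0, "00:50:56:aa:00:01", "10.0.0.5", f"10.0.0.{d}") for d in range(1, 31)]
    print("IP hash, one pair:   ", distribution("iphash", one_pair, team))
    print("IP hash, 30 targets: ", distribution("iphash", many_dst, team))
    # slides 17-20: nic1's path breaks, nic2 and nic3 still hear each other, nic3 takes over
    failed = beacon_probe(["nic1", "nic2", "nic3"], [("nic2", "nic3")])
    print("failed:", failed, "-> active:", active_uplink(["nic1", "nic3", "nic2"], failed))
```

The two `distribution()` calls make the slide 15 point concrete: twenty frames between one host pair all land on the same uplink under IP hash, while thirty distinct destinations spread across all three. The `beacon_probe()` call reproduces slides 18 to 20, and its `None` for a two-uplink team is the practical reason to pair beacon probing with three or more uplinks.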


Slide 21

1-21

Layer 2 Security Features

• Promiscuous mode is disabled by default for all virtual machines. This prevents them from seeing unicast traffic to other nodes on the network.
• MAC address change lockdown prevents virtual machines from changing their own unicast addresses. This also prevents them from seeing unicast traffic to other nodes on the network, blocking a potential security vulnerability that is similar to but narrower than promiscuous mode.
• Forged transmit blocking, when you enable it, prevents virtual machines from sending traffic that appears to come from nodes on the network other than themselves.
• Note: on an ESX 3.5/4 standard vSwitch only promiscuous mode defaults to Reject; MAC address changes and forged transmits default to Accept and must be set to Reject explicitly, and a port group policy overrides the vSwitch policy for the ports in that group.
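The three policies on this slide, the authoritative forwarding table of slide 8 and the "no learning, VLAN outside the frame" properties of slide 12 fit in one small model. The block below is an added example written for this page, not VMware's code: a toy vSwitch whose forwarding table is filled from the attached adapters' configured MACs rather than learned from traffic, whose VLAN decision reads port metadata rather than any tag in the frame, and whose ports apply promiscuous-mode, MAC-change-lockdown and forged-transmit policies. All VM names, MACs and port groups in `demo()` are constructed.

```python
"""Toy model of the ESX standard vSwitch forwarding path with its Layer 2 security policies.
Added example written for this page: it models the behaviour the slides describe; it is not VMware code."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes = b""


@dataclass
class PortGroup:
    name: str
    vlan_id: int                          # port-group metadata, never parsed out of the frame
    allow_promiscuous: bool = False       # ESX default: Reject
    allow_mac_changes: bool = False       # hardened value; ESX 3.5/4 standard vSwitch default is Accept
    allow_forged_transmits: bool = False  # hardened value; ESX 3.5/4 standard vSwitch default is Accept


@dataclass
class VNic:
    name: str
    hard_mac: str            # the configured ("hard") MAC the vSwitch knows authoritatively
    portgroup: PortGroup
    effective_mac: str = ""  # what the guest OS has set; starts equal to hard_mac

    def __post_init__(self):
        self.hard_mac = self.hard_mac.lower()
        self.effective_mac = (self.effective_mac or self.hard_mac).lower()


class VSwitch:
    def __init__(self):
        self.ports = {}       # vNIC name -> VNic
        self.forwarding = {}  # MAC -> vNIC name; filled at connect time, never learned from traffic

    def connect(self, vnic):
        self.ports[vnic.name] = vnic
        self.forwarding[vnic.hard_mac] = vnic.name

    def guest_sets_mac(self, vnic_name, new_mac):
        """The guest reconfigures its adapter MAC. Returns True if the vSwitch honours it."""
        vnic = self.ports[vnic_name]
        new_mac = new_mac.lower()
        if vnic.portgroup.allow_mac_changes:
            self.forwarding.pop(vnic.effective_mac, None)
            self.forwarding[new_mac] = vnic_name
            vnic.effective_mac = new_mac
            return True
        # MAC address change lockdown: the guest's view changes, the switch's does not, and the
        # port stops passing frames until the original address is restored.
        vnic.effective_mac = new_mac
        return False

    def _locked_down(self, vnic):
        return vnic.effective_mac != vnic.hard_mac and not vnic.portgroup.allow_mac_changes

    def transmit(self, from_vnic, frame):
        """Forward one frame from a vNIC. Returns the set of receiving vNIC names (empty if dropped)."""
        src = self.ports[from_vnic]
        src_mac, dst_mac = frame.src_mac.lower(), frame.dst_mac.lower()
        # Forged-transmit blocking: the source MAC must be the adapter's own effective address.
        if src_mac != src.effective_mac and not src.portgroup.allow_forged_transmits:
            return set()
        if self._locked_down(src):
            return set()
        flood = dst_mac == BROADCAST or int(dst_mac[:2], 16) & 1  # broadcast or multicast
        receivers = set()
        for name, port in self.ports.items():
            if name == from_vnic or port.portgroup.vlan_id != src.portgroup.vlan_id:
                continue  # VLAN isolation decided on port metadata, not on any tag in the frame
            if self._locked_down(port):
                continue
            if flood or self.forwarding.get(dst_mac) == name or port.portgroup.allow_promiscuous:
                receivers.add(name)
        return receivers


def demo():
    """Scenarios from slides 8, 12 and 21 on a constructed switch; returns a dict of outcomes."""
    prod = PortGroup("Production", vlan_id=100)
    mgmt = PortGroup("Management", vlan_id=200)
    sensor = PortGroup("IDS-Sensor", vlan_id=100, allow_promiscuous=True)
    sw = VSwitch()
    for v in (VNic("vm1", "00:50:56:aa:00:01", prod), VNic("vm2", "00:50:56:aa:00:02", prod),
              VNic("vm3", "00:50:56:aa:00:03", mgmt), VNic("ids", "00:50:56:aa:00:04", sensor)):
        sw.connect(v)
    out = {}
    # Unicast vm1 -> vm2: the addressed port and the promiscuous sensor in VLAN 100 see it; vm3 does not.
    out["unicast"] = sw.transmit("vm1", Frame("00:50:56:aa:00:01", "00:50:56:aa:00:02"))
    # vm1 spoofing vm2's address is dropped at its own port (forged-transmit blocking).
    out["forged"] = sw.transmit("vm1", Frame("00:50:56:aa:00:02", "00:50:56:aa:00:03"))
    # A lab VM allowed to forge floods 1000 random source MACs: no CAM-table overflow, nothing is learned.
    snapshot = dict(sw.forwarding)
    sw.connect(VNic("lab", "00:50:56:aa:00:05", PortGroup("Lab", 100, allow_forged_transmits=True)))
    for i in range(1000):
        sw.transmit("lab", Frame(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "00:50:56:aa:00:01"))
    out["table_unchanged"] = sw.forwarding == {**snapshot, "00:50:56:aa:00:05": "lab"}
    # vm2's guest changes its MAC under lockdown: refused, and vm2 silently stops receiving.
    out["mac_change_honoured"] = sw.guest_sets_mac("vm2", "00:50:56:aa:00:99")
    out["unicast_after_change"] = sw.transmit("vm1", Frame("00:50:56:aa:00:01", "00:50:56:aa:00:02"))
    return out
```

Two things in `demo()` are worth noticing when hardening real port groups: the flood of forged source addresses never touches the forwarding table (the MAC-flooding trick that turns a physical switch into a hub has nothing to attack here), and a guest that changes its MAC under lockdown is not warned, it simply loses its port, which is how this "narrower than promiscuous mode" protection shows up as a helpdesk ticket.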

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________

______________________________________________________________________________________
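The three settings on this slide are easy to confuse because two of them act on outbound frames and one on inbound delivery. The following model, added here as an illustration and not VMware's implementation or any code from the course, applies each policy to a constructed vNIC and shows what each one accepts or rejects; the MAC addresses, port-group names and the `audit` helper are all made up for the example.

```python
"""Model of the three vSwitch Layer 2 security policies described on the slide.

Constructed illustration only: not VMware's implementation. MAC addresses,
port-group names and frames are made up.
"""
from dataclasses import dataclass


@dataclass
class SecurityPolicy:
    """One port-group security policy. The defaults are the hardened values
    (Promiscuous Mode = Reject, MAC Address Changes = Reject, Forged Transmits = Reject)."""
    promiscuous: bool = False       # vNIC may see frames addressed to other nodes
    mac_changes: bool = False       # guest-initiated changes of its own MAC are accepted
    forged_transmits: bool = False  # frames whose source MAC differs from the vNIC's are accepted


@dataclass
class VNic:
    initial_mac: str     # MAC assigned by the ESX host in the VM configuration
    effective_mac: str   # MAC the guest OS is currently using

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = self.effective_mac.lower()


BROADCAST = "ff:ff:ff:ff:ff:ff"


def request_mac_change(policy: SecurityPolicy, vnic: VNic, new_mac: str) -> bool:
    """MAC address change lockdown: a guest asking to use a MAC other than the
    initial one is refused unless the policy accepts MAC changes."""
    new_mac = new_mac.lower()
    if new_mac != vnic.initial_mac and not policy.mac_changes:
        return False     # refused: the vNIC does not get traffic for the new address
    vnic.effective_mac = new_mac
    return True


def egress_allowed(policy: SecurityPolicy, vnic: VNic, src_mac: str) -> bool:
    """Forged transmit blocking: an outbound frame whose source MAC is not the
    vNIC's effective MAC is dropped unless forged transmits are accepted."""
    return policy.forged_transmits or src_mac.lower() == vnic.effective_mac


def ingress_delivered(policy: SecurityPolicy, vnic: VNic, dst_mac: str) -> bool:
    """Promiscuous mode: when rejected, the vNIC only receives frames addressed
    to its own effective MAC or to broadcast."""
    dst = dst_mac.lower()
    return policy.promiscuous or dst in (vnic.effective_mac, BROADCAST)


def audit(port_groups: dict) -> list:
    """Report every port group whose policy is weaker than reject/reject/reject."""
    findings = []
    for name, pol in port_groups.items():
        for setting, enabled in (("Promiscuous Mode", pol.promiscuous),
                                 ("MAC Address Changes", pol.mac_changes),
                                 ("Forged Transmits", pol.forged_transmits)):
            if enabled:
                findings.append(f"{name}: {setting} = Accept")
    return findings


if __name__ == "__main__":
    hardened = SecurityPolicy()
    nic = VNic("00:50:56:aa:bb:cc", "00:50:56:aa:bb:cc")   # constructed MAC
    print("guest changes MAC:", request_mac_change(hardened, nic, "00:50:56:11:22:33"))
    print("spoofed source sent:", egress_allowed(hardened, nic, "00:50:56:11:22:33"))
    print("other node's unicast seen:", ingress_delivered(hardened, nic, "00:50:56:dd:ee:ff"))
    print(audit({"Production": SecurityPolicy(promiscuous=True), "Management": hardened}))
```

The point the model makes explicit: MAC-change lockdown and forged-transmit blocking both compare against the vNIC's MAC, but the first decides whether the guest may *become* a new address while the second decides whether a frame may *claim* one; promiscuous mode is the only setting that governs what the vNIC receives.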

Slide 22 (1-22)

Forged Transmits – Cont'd

Slide 23 (1-23)

Managing the Virtual Network

• Using VMware VirtualCenter to manage a virtual network.

Slide 24 (1-24)

Symmetric vs. Asymmetric Encryption

Speed:
• Symmetric-key algorithms are generally much less computationally intensive than asymmetric-key algorithms.

http://en.wikipedia.org/wiki/Symmetric_key

Type        Advantages                        Disadvantages
Symmetric   Speed – very fast                 Insecure key exchange
Asymmetric  Secure key exchange               Speed – very slow
Hybrid      Very fast; secure key exchange    PKI required

Slide 25 (1-25)

Hashes

• Types:
  – MD5 (considered insecure)
  – SHA1
  – SHA2

Slide 26 (1-26)

Digital Signatures

• Digital signatures ensure non-repudiation.

[Diagram labels: sender's private key; sender's public key.]
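To tie the Hashes slide and the Digital Signatures slide together, here is hash-then-sign carried out end to end: the sender hashes the message with SHA-2 and signs the digest with the private key, the receiver verifies with the sender's public key. This is an added illustration, not code from the course; the RSA key is a textbook one built from two small, well-known Mersenne primes so that it runs offline, and it has no padding, so it demonstrates the mechanism only and must not be used for real signing.

```python
"""Hash-then-sign with a deliberately small textbook RSA key.

Added illustration, not the course's code. The key is constructed from two
Mersenne primes so the example is self-contained; it is far too small and
lacks padding, so it is for understanding the mechanism only.
"""
import hashlib

# Constructed toy key: p = 2^61 - 1 and q = 2^89 - 1 are known Mersenne primes.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                      # public exponent; gcd(E, (P-1)(Q-1)) == 1 for these primes
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)            # what the sender publishes
PRIVATE_KEY = (N, D)           # what only the sender holds


def hash_bits(algorithm: str) -> int:
    """Digest length in bits for the algorithms named on the Hashes slide."""
    return hashlib.new(algorithm).digest_size * 8


def digest(message: bytes, algorithm: str = "sha256") -> int:
    """Hash the message and treat the digest as an integer. SHA-2 by default;
    MD5/SHA-1 are selectable only to show the construction is hash-agnostic."""
    return int.from_bytes(hashlib.new(algorithm, message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender: signature = H(m)^d mod n. Only the private-key holder can produce
    this, which is the basis of the non-repudiation claim on the slide."""
    n, d = private_key
    return pow(digest(message) % n, d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiver: recover H(m) from the signature with the public key and compare
    it with a fresh hash of the message that actually arrived."""
    n, e = public_key
    return pow(signature, e, n) == digest(message) % n


def demo() -> dict:
    """Sign a constructed message, then check an intact and a tampered copy."""
    message = b"migrate vm web01 to host esx02"     # constructed sample message
    signature = sign(message)
    return {
        "intact_verifies": verify(message, signature),
        "tampered_verifies": verify(message + b" and delete backups", signature),
    }


if __name__ == "__main__":
    print(demo())
    print({alg: hash_bits(alg) for alg in ("md5", "sha1", "sha256")})
```

Two things worth noticing when you run it: the signature is over the hash, not the message, which is why hash strength (the MD5 caveat on the Hashes slide) limits signature strength; and verification needs nothing secret, so anyone holding the public key can check the signature but only the private-key holder could have made it.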

Slide 27 (1-27)

Breaking SSL Traffic

• ARP cache poisoning will allow us to perform a successful SSL crack!

• The hacking tools will create fake certificates.

• Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server.

• The communication process starts on port 443, and once the SSL authentication has been established VMware moves the communication to port 902.

[Diagram: SSL request / SSL reply (fake certificate) between the victim and the hacker; SSL request / SSL reply (real self-signed cert) between the hacker and the ESX Server. Ciphertext on the wire ("F&JLMDHGST*KU P)JDGH$FDSD@") is cleartext at the hacker, who can copy & alter, or stop, the traffic.]

Slide 28 (1-28)

File System Structure

• Almost everything is treated as a file: many devices, certain elements of processes and, of course, files.

• We are going to look at a high-level map of the file system; there are variations between flavors.

• The top level is known as "root" and it is named / (pronounced slash).

• Everything starts here; we are going to look at the common structure and what is located in each common folder.

Slide 29 (1-29)

File System Structure

/
  bin
  dev
  etc      passwd, group, shadow
  home
  lib
  mnt
  proc
  tmp
  usr      bin, man, sbin
  var      log

Directory – Purpose

/ – The root directory, which is the tip of the file system.

/bin (along with /sbin on some systems) – Critical system executables needed to boot the system or run it.

/dev – Devices connected to the system, such as terminals, disks, USB devices and so on.

/etc – System configuration files, including accounts and passwords, network addresses and names, system startup settings and so on.

Slide 30 (1-30)

File System Structure

Directory – Purpose

/home – Location of user directories.

/lib – The home of various shared libraries for programs.

/mnt – The point where file systems exported from another system are temporarily mounted, as well as removable devices such as the CD-ROM and USB devices.

/proc – Images and data about currently executing processes on the system. The /proc directory isn't even on your hard drive. Instead, it's a virtual component of your file system, a portal created by the kernel. This directory was designed so you could peek in on what your kernel and processes are doing.

/tmp – Temporary files created by applications, which can be removed without fear of harming your system.

/usr – A variety of critical system files, including some standard system utilities (/usr/bin), manual pages (/usr/man), headers for C programs (/usr/include), and administration executables (/usr/sbin).

/var – A place to store various types of files, often used for administration. The /var directory commonly stores log files (/var/log) and temporary storage space for some services (such as spooling for mail, printers, etc.).

Slide 31 (1-31)

Kernel

Linux and UNIX have a modular architecture. The special program at the core is called the kernel, which is the brain of the entire system. When a program runs, the kernel starts a process to execute the program's code.

[Diagram: Process 1 – Process 2 … Process n, above The Kernel, above Hardware (disks, network interfaces, etc.).]

Slide 32 (1-32)

Processes

• A process contains the running program's executable code, the memory associated with the program and the various threads of execution that are moving their way through the code executing its instructions.

• Think of a process like a bubble that contains all of the guts of a running program.

• The kernel inflates the bubbles, controls the flow of the bubbles and tries to keep them from popping.

• There are hundreds and sometimes thousands of processes running on any given system.

• The CPU only handles one at a time, but the kernel juggles them through the CPU.

• Many processes run in the background; they are known as daemons. (Critical system functions and spooling for printing are examples.)

Slide 33 (1-33)

Processes

1. When booting, the kernel is loaded into memory.

2. Then it starts a daemon called init.
   1. init – It is the parent of all other user-level processes.
   2. Location: /etc/init.d

3. Some network services are not used all the time and thus should not be running. (FTP and telnet are examples.)

4. init starts another process called the Internet Daemon, which does the waiting for these services.
   1. xinetd is the process. xinetd is an extended version of inetd that offers better access control and logging.
   2. The per-service files are found in the /etc/xinetd.d directory.
   3. The configuration file is /etc/xinetd.conf.
   4. The port numbers are defined in the /etc/services file.
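The slide names the three files that decide what the Internet Daemon will start on demand. The parser below, added here as an example and not code from the course, reads xinetd service stanzas and /etc/services lines, lists the services xinetd will actually listen for, and flags the two cleartext services the slide says should not be running. The stanzas and the services excerpt are constructed for the illustration; only the file syntax is taken from real systems.

```python
"""List the services xinetd will start, from constructed xinetd.d stanzas and
an /etc/services excerpt. Added example, not from the course."""
import re

# Constructed stand-in for files under /etc/xinetd.d (normally one stanza per file).
XINETD_D = """
service telnet
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}

service ftp
{
    disable     = yes
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
}

service sgi_fam
{
    disable     = no
    type        = RPC UNLISTED
    socket_type = stream
    protocol    = tcp
    wait        = yes
    user        = root
    server      = /usr/bin/fam
}
"""

# Constructed excerpt of /etc/services: name port/proto [aliases] [# comment]
SERVICES = """
# Network services, Internet style
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
http       80/tcp   www www-http   # WorldWideWeb HTTP
"""

CLEARTEXT_LOGIN_SERVICES = {"telnet", "ftp"}   # the two the slide says should not run
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"(\w+)\s*(\+=|-=|=)\s*(.*)")


def parse_xinetd(text: str) -> dict:
    """Return {service_name: {attribute: value}} honouring =, += and -=."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            m = ATTR.match(line) if line else None
            if not m:
                continue
            key, op, value = m.groups()
            if op == "+=":
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            elif op == "-=":
                drop = set(value.split())
                attrs[key] = " ".join(v for v in attrs.get(key, "").split() if v not in drop)
            else:
                attrs[key] = value
        services[name] = attrs
    return services


def parse_services(text: str) -> dict:
    """Map (name, proto) -> port, including aliases, from /etc/services syntax."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:
            ports[(name, proto)] = int(port)
    return ports


def enabled_services(xinetd_text: str, services_text: str) -> list:
    """(name, port or None, server) for each stanza xinetd will listen for.
    xinetd treats a missing 'disable' attribute as 'no', i.e. enabled."""
    ports = parse_services(services_text)
    result = []
    for name, attrs in parse_xinetd(xinetd_text).items():
        if attrs.get("disable", "no").lower() == "yes":
            continue
        proto = attrs.get("protocol", "tcp")
        result.append((name, ports.get((name, proto)), attrs.get("server")))
    return result


def cleartext_services_enabled(xinetd_text: str, services_text: str) -> list:
    """Enabled services that send credentials in the clear."""
    return [name for name, _, _ in enabled_services(xinetd_text, services_text)
            if name in CLEARTEXT_LOGIN_SERVICES]


if __name__ == "__main__":
    for entry in enabled_services(XINETD_D, SERVICES):
        print(entry)
    print("cleartext services still enabled:", cleartext_services_enabled(XINETD_D, SERVICES))
```

Note the `sgi_fam` case: an `UNLISTED` RPC service has no line in /etc/services, so its port comes back as `None`; on a real host you would resolve it through the portmapper rather than assume it is idle.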

Slide 34 (1-34)

Starting and Stopping Processes

Automatically

• init.d, xinetd.d and cron automatically start processes.

• So you can edit the xinetd.conf file.

• Edit the crontab files, which are found in the /etc/crontab directory.

Manually

• By typing the name of a program on the command line, you are starting a process.

• echo $PATH – gives you the path the OS uses to search for your program. If it cannot be found, you get the error; otherwise it just starts.

• You do not want a "." in your path, as this may allow a hacker to run malicious programs with the same name as legitimate ones.
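The "." warning on the slide has two less obvious forms that an audit should also catch: an empty PATH entry (a leading or trailing colon, or `::`), which the shell likewise treats as the current directory, and any relative entry, which resolves against wherever you last changed directory. The checker below is an added example, not from the course; the PATH strings it is run against are constructed, and the world-writable check is a hypothetical extra that only reports directories that exist on the machine running it.

```python
"""Audit a PATH value for entries that let the current directory (or another
relative location) be searched for commands. Added example, not course code."""
import os
import stat


def path_risks(path_value: str) -> list:
    """Return (position, entry, reason) for every risky PATH entry."""
    risks = []
    for idx, entry in enumerate(path_value.split(os.pathsep)):
        if entry == ".":
            risks.append((idx, entry, "explicit current directory"))
        elif entry == "":
            risks.append((idx, entry, "empty entry is searched as the current directory"))
        elif not os.path.isabs(entry):
            risks.append((idx, entry, "relative entry, resolved from wherever you cd to"))
    return risks


def world_writable_dirs(path_value: str) -> list:
    """Directories on PATH that anyone can write to: dropping a file named like
    a common command there has the same effect as '.' in PATH. Entries that do
    not exist are skipped, so the result depends on the host this runs on."""
    hits = []
    for entry in path_value.split(os.pathsep):
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            hits.append(entry)
    return hits


def sanitized_path(path_value: str) -> str:
    """Rebuild PATH without the risky entries, keeping the original order."""
    bad = {idx for idx, _, _ in path_risks(path_value)}
    entries = path_value.split(os.pathsep)
    return os.pathsep.join(e for i, e in enumerate(entries) if i not in bad)


if __name__ == "__main__":
    # Constructed PATH with all three problems: an empty entry, '.', and 'bin'.
    sample = "/usr/local/bin:/usr/bin::/bin:.:bin"
    for idx, entry, reason in path_risks(sample):
        print(f"entry {idx} {entry!r}: {reason}")
    print("cleaned:", sanitized_path(sample))
    print("world-writable on the live PATH:", world_writable_dirs(os.environ.get("PATH", "")))
```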

Slide 35 (1-35)

Interacting with Processes

• The kernel assigns each running process on a machine a unique process ID (called a PID, pronounced P-I-D).

  – You can list the processes: ps

Slide 36 (1-36)

Interacting with Processes

• You can kill a process by simply typing any of the following examples:

  – kill -TERM [PID]
  – killall -TERM xinetd

• You can reset or restart the process, or the entire inetd configuration, by typing one of the following commands:

  – kill -HUP [PID]
  – killall -HUP xinetd

• Another command, for listing open files, is lsof:

  – lsof
  – lsof -p [PID]
  – lsof -i
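Seen from the process's side, the difference between the two commands on the slide is that HUP is a request the program handles itself (daemons such as xinetd re-read their configuration) while TERM, unhandled, ends the process and reports the signal back to the parent. The following is an added example, not code from the course: it installs a HUP handler that reloads a constructed in-memory configuration, sends the signal to itself, terminates a throwaway child with TERM, and lists its own open file descriptors from /proc as a rough stand-in for `lsof -p`. It runs on Linux; the /proc listing returns an empty list elsewhere.

```python
"""kill -HUP and kill -TERM from the receiving process's point of view.
Added example, not course code; the configuration is a constructed dict."""
import os
import signal
import subprocess
import sys
import time

CONFIG_SOURCE = {"disable_telnet": "no"}      # stands in for a config file on disk
STATE = {"config": dict(CONFIG_SOURCE), "reloads": 0}


def on_hup(signum, frame):
    """HUP means 'reload': re-read the configuration without stopping."""
    STATE["config"] = dict(CONFIG_SOURCE)
    STATE["reloads"] += 1


signal.signal(signal.SIGHUP, on_hup)


def reload_via_hup(disable_telnet: str = "yes") -> dict:
    """Edit the 'file', then do what 'kill -HUP <our PID>' does and return the
    state the daemon is running with afterwards."""
    CONFIG_SOURCE["disable_telnet"] = disable_telnet
    os.kill(os.getpid(), signal.SIGHUP)
    time.sleep(0.05)                           # let the interpreter run the handler
    return {"reloads": STATE["reloads"], "config": dict(STATE["config"])}


def terminate_child() -> int:
    """Start a child that would otherwise sleep for a minute, 'kill -TERM' it
    and return the status the parent sees (Python reports -<signal number>)."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    os.kill(child.pid, signal.SIGTERM)
    return child.wait()


def open_fds(pid: int = None) -> list:
    """Rough 'lsof -p PID' using /proc: (fd, target) pairs, sorted by fd."""
    fd_dir = f"/proc/{pid or os.getpid()}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return []
    out = []
    for name in names:
        try:
            out.append((int(name), os.readlink(os.path.join(fd_dir, name))))
        except OSError:
            continue                           # fd closed between listdir and readlink
    return sorted(out)


if __name__ == "__main__":
    print("after HUP:", reload_via_hup("yes"))
    print("child exit status after TERM:", terminate_child())
    print("our open fds:", open_fds())
```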

Slide 37 (1-37)

ACCOUNTS AND GROUPS

Accounts are created and managed using the passwd file located in /etc/passwd. Each line contains the information for one account.

You can add a user by simply typing adduser and following the prompts.

You can change a password by typing passwd [username].

The passwd file is world readable, so to protect our password hashes we use the shadow format. This places an x where the password would be in the passwd file and places the password in the shadow file.

Slide 38 (1-38)

Password & Shadow File Formats

• While some other Linux distributions force you to install the Shadow Password Suite in order to use the shadow format, Red Hat makes it simple. To switch between the two formats, type (as root):

  • /usr/sbin/pwconv – to convert to the shadow format
  • /usr/sbin/pwunconv – to convert back to the traditional format

• With shadow passwords, the "/etc/passwd" file contains account information, and looks like this:

  kstuart:x:561:561:Kevin Stuart:/home/kstuart:/bin/bash

• The "/etc/shadow" file contains password and account expiration information for users, and looks like this:

  kstuart:A46mckrOLChF.:10063:0:99999:7:::

Slide 39 (1-39)

Accounts and Groups

The format of the passwd file includes the following items:

• Login name, encrypted/hashed password, UID number, default GID number, GECOS information, home directory and login shell.

Yes, to help save time, you can also utilize groups in UNIX and Linux.

The group information is found in the /etc/group file.

The group file contains the following information:

• Group name, encrypted or hashed group password, GID number, group members.

• The password area is never used.

The most important and powerful account is, of course, root!!!

Slide 40 (1-40)

Linux and UNIX Permissions

• Every file has permissions. They were actually ahead of the game on this.

  – Every file has an owner and an owner group. The root user and the owner can access the file.

• There are 3 different areas:

  – Owner, group owner and everyone

• With 3 different levels:

  – Read, write and execute

• Leaving 9 standard forms of permissions.

• You can look at the permissions of all the files in a given directory with the following command:

  – ls -l

Slide 41 (1-41)

Linux and UNIX Permissions

There are 10 characters we need to look at when discussing permissions.

If the first character is a d then it is a directory, otherwise it is a file. The next nine are permissions.

• The first group of 3 covers the owner – in most cases the owner can perform all levels of access.

• The second group covers the owner group.

• The third group covers the everyone account.

• If there is a - the access is not allowed.

Page 43: Advanced VMware Security Course 01 - Primer and ...Advanced VMware Security Course 01 - Primer and Reaffirming Our Knowledge . Slide 1 1-1 ts ts s vNIC s ch ch ch ) ort s er s. ce

Slide 42

1-421-42

Linux and UNIX Permissions

• You can utilize the chmod command to change the permissions for given users.

• You must understand the Octal Equivalents in order to make these changes.

• The next slide covers these.

• If you wanted to set the following for the file document1, your command would be: chmod 745 document1

– Owner account (read, write and execute)

– Owner group (read)

– Everyone (read and execute)

Slide 43

1-43

Linux and UNIX Permissions

r w x   Octal Equivalent
0 0 0   0
0 0 1   1
0 1 0   2
0 1 1   3
1 0 0   4
1 0 1   5
1 1 0   6
1 1 1   7
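The conversion the slides walk through (the r=4, w=2, x=1 table and the chmod 745 example), as an added shell example that is not part of the course material; it also goes one step beyond the table and handles the s/S and t/T letters ls -l shows for the setuid, setgid and sticky bits.

```shell
# Added example (not from the course slides): convert the nine permission
# characters that ls -l shows into chmod's octal digits and back, using the
# r=4, w=2, x=1 table. A leading digit for the special bits (setuid=4,
# setgid=2, sticky=1) is printed only when one of them is set.

# triad_to_digit: "rwx" -> 7, "r-x" -> 5; a lowercase s/t also means x is set.
triad_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    printf '%s' "$d"
}

# mode_to_octal: accepts "rwxr--r-x" or the full "-rwxr--r-x" (type char dropped).
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=$(printf '%s' "$m" | cut -c2-)
    [ "${#m}" -eq 9 ] || return 1
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    sp=0
    case "$u" in ??[sS]) sp=$((sp + 4)) ;; esac   # setuid shows in the owner slot
    case "$g" in ??[sS]) sp=$((sp + 2)) ;; esac   # setgid in the group slot
    case "$o" in ??[tT]) sp=$((sp + 1)) ;; esac   # sticky bit in the others slot
    [ "$sp" -ne 0 ] && printf '%s' "$sp"
    printf '%s%s%s\n' "$(triad_to_digit "$u")" "$(triad_to_digit "$g")" "$(triad_to_digit "$o")"
}

# digit_to_triad DIGIT [s|t]: 7 -> "rwx"; with a special letter the execute slot
# shows s/t when x is set and S/T when it is not (as ls -l does).
digit_to_triad() {
    x=${2:-x}; nox=$(printf '%s' "${2:--}" | tr st ST)
    case "$1" in 4|5|6|7) t=r ;; *) t=- ;; esac
    case "$1" in 2|3|6|7) t="${t}w" ;; *) t="${t}-" ;; esac
    case "$1" in 1|3|5|7) t="${t}$x" ;; *) t="${t}$nox" ;; esac
    printf '%s' "$t"
}

# octal_to_mode: "745" -> "rwxr--r-x", "4755" -> "rwsr-xr-x", "4644" -> "rwSr--r--".
octal_to_mode() {
    n=$1
    [ "${#n}" -eq 3 ] && n="0$n"
    [ "${#n}" -eq 4 ] || return 1
    sp=$(printf '%s' "$n" | cut -c1); us=""; gs=""; os=""
    [ $((sp & 4)) -ne 0 ] && us=s; [ $((sp & 2)) -ne 0 ] && gs=s; [ $((sp & 1)) -ne 0 ] && os=t
    printf '%s%s%s\n' "$(digit_to_triad "$(printf '%s' "$n" | cut -c2)" "$us")" \
        "$(digit_to_triad "$(printf '%s' "$n" | cut -c3)" "$gs")" \
        "$(digit_to_triad "$(printf '%s' "$n" | cut -c4)" "$os")"
}
```

A capital S or T in ls output is worth a second look: the special bit is set on a file that is not even executable in that slot, which is almost always a mistake.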

Slide 44

1-44

Set UID Programs

• How does a lowly user change his password without root level access? The answer lies in the SetUID capabilities.

• With SetUID, a program can be configured to always execute with the permissions of its owner!

• This is needed unless you want to pay the admin guy to spend every second on rudimentary issues.

• You can find all programs whose SetUID is set to run as root by typing the following:

– find / -uid 0 -perm -4000 -print
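A defender's use of the find expression above, as an added example that is not part of the course: list the setuid files under a directory tree and flag any that are missing from a known-good baseline. The ROOT, owner uid and baseline-file parameters are assumptions of this example so that it can be tried on a scratch directory instead of /.

```shell
# Added example (not from the course): audit setuid files and report any
# that a known-good baseline does not list. The find expression is the
# slide's (-perm -4000 = setuid bit set); ROOT and the owner uid are
# parameters so the check can be exercised on a scratch directory.

# list_setuid ROOT [UID]: sorted paths of regular files owned by UID
# (default 0, i.e. root) that carry the setuid bit. -xdev keeps find on the
# filesystem ROOT lives on, so run it once per mount that matters.
list_setuid() {
    root=$1
    owner=${2:-0}
    find "$root" -xdev -type f -uid "$owner" -perm -4000 -print 2>/dev/null | sort
}

# new_setuid BASELINE_FILE CURRENT_FILE: paths present in the current listing
# but absent from the baseline (both sorted, one path per line).
new_setuid() {
    comm -13 "$1" "$2"
}

# audit_setuid ROOT BASELINE_FILE [UID]: print the unexpected entries and
# return 1 if a setuid file appeared that the baseline does not list.
audit_setuid() {
    tmp=$(mktemp)
    list_setuid "$1" "${3:-0}" > "$tmp"
    new=$(new_setuid "$2" "$tmp")
    rm -f "$tmp"
    if [ -n "$new" ]; then
        printf 'NEW setuid file(s) not in baseline:\n%s\n' "$new"
        return 1
    fi
    return 0
}
```

Keep the baseline under change control (or at least off the audited host), and re-run the audit after every package install so a new setuid binary is noticed when it appears rather than months later.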

Slide 45

1-45

Logs and Auditing

• Event Logs are created by the syslog daemon, known as syslogd.

– Receives information from various system and user processes, including the kernel.

– Configuration is in the file /etc/syslog.conf

• Logs are stored in the /var/log folder.

• Common log files are:

– Secure – such as /var/log/secure

– Local16.warning – /var/log/vmkwarning

– Local15.* – /var/log/vmkproxy

Slide 46

1-46

Logs and Auditing

• User Access information is stored in accounting files. These files are used by administrators to detect anomalous activity.

• The following files are of interest:

– utmp – Information about who is currently logged in.

• Accessed by typing the “who” command.

• Found in /var/run

– wtmp – Records all logins and logouts from the system.

• The command “last” will display the information found in this file.

• Stored in /var/log

– lastlog – Contains information about the time and location of each user’s last login to the system.

• You can access this information by using the “lastlog” command.

• Located at /var/log/lastlog.


Review Questions:

1. A standard VMware vSwitch is susceptible to which of the following attacks against physical switches?

A. MAC flooding B. 802.1Q and ISL tagging C. Double-encapsulation D. None of the above

2. Which of the following is not a network connection type for a standard virtual switch?

A. Service console port B. Virtual machine port group C. VMkernel port D. Cisco discovery protocol port

3. Which of the following is used to define a service console port?

A. vmnic B. Vmnic-COS C. vswif D. vmknic

4. Which of the following are the default settings for the security mode policy exceptions?

A. Promiscuous mode reject B. Promiscuous mode accept C. MAC address changes reject D. MAC address changes accept E. All of the above F. A and C G. B and D H. A and D I. B and C J. None of the above

5. Which of the following are the supported network failover detection methods?

A. Uplink NIC failure B. Link state only C. Link state plus beaconing D. Link state plus uplink failure E. All of the above F. A and B G. B and C H. A and D I. C and D J. None of the above

6. What technology do you implement in order to have the best network performance possible for your VM?

A. NIC Teaming on the Virtual Switch B. NIC Teaming in the Virtual Machine C. VLANs D. Traffic Shaping

7. Which of the following are the correct definitions for symmetric encryption?

A. Encryption uses a key to encode data. In symmetric encryption, the same key is used to encode and decode data

B. This fast-performing algorithm is typically used for bulk (large volume of data) encryption C. An encryption system in which two different keys are used for encryption and decryption D. This slow-performing algorithm is typically used for small volume of data encryption E. A and B F. C and D G. None of the above

8. In cryptography, a cryptographic hash function is a transformation that takes an input and returns a string, which is called the hash value. When you change a password, for example, from Pass123 to Pass1234, what happens to the hash value?

A. The hash value adds another value to the end of the hash, changing the size of the hash B. The hash value changes but the size of the hash does not C. Nothing, the hash value does not change since there was only one number added D. The hash value is padded with 0000 on the end

9. Which of the following types of load balancing uses both the destination and source IP address?

A. Route based on the originating Virtual Switch Port ID B. Route based on source MAC hash C. Route based on source and destination hash D. Route based on IP hash

10. What is the default multipathing policy for a SAN storage device?

A. Preferred Path (Fixed) B. Most Recently Used (MRU) C. Round Robin (RR) D. Custom


Answer Key:

1. D The common attacks will not work since the functionality does not exist in the architecture due to the simplicity of a standard virtual switch.

2. D Each virtual switch can contain port groups of multiple types. The allowable types are service console ports used for management purposes, virtual machine port groups that are used for virtual machine communication, and VMkernel ports that are used to connect to IP-based storage, fault tolerance, and VMotion.

3. C

Service console ports are defined as vswif ports. The VMkernel ports are defined as vmknic ports. The uplink ports are defined as vmnic ports.

4. H

Security policies defined at the virtual switch level by default are promiscuous mode-reject, MAC address changes-accept and forged transmits-accept.

5. G

The only two supported network failover detection methods are link state only and link state plus beaconing. Link state plus beaconing allows for the ability to detect if the link to the physical switch has failed, and also if the link to an upper-level physical switch has failed by sending broadcast messages out to one physical NIC and listening on another for the message (i.e., it requires two physical NICs on the vSwitch).

6. D

NIC Teaming can only be implemented on the vSwitch or port group. It provides the only option available in an ESX server to perform load balancing which will provide you with better performance for the VM. Traffic Shaping prevents a VM from overloading the network, which will limit the VM performance.

7. E

Symmetric encryption uses the same key to both encode and decode data; it is also faster than asymmetric and therefore is generally used to encrypt large volumes of data.

8. B A hash is a fixed length set of characters derived from an algorithm. The length never changes, but the hash will change with every change in a password.

9. D

Route based on IP hash uses the source and destination IP address and produces a hash in order to provide load balancing. There is no such option called route based on source and destination hash.


10. A The default multipathing policy is Preferred Path (Fixed). In the case of failover, ESX will select a different path; however, once the original path has been restored ESX will failback to the original path. MRU is used as the policy in active/passive storage devices. In the case of MRU, once a failover occurs the path will not revert once restored. Round Robin will rotate the paths on a per number of I/Os or per number of blocks basis. Round Robin was experimental in 3.5 but is now supported as the recommended multipathing policy.