Virtual Infrastructure 3
Best Practices for a secure installation.
Jeff Mayrand
Contents
- Architecture Changes (General Overview)
- General Account Security
- VSWIF Security
- Web Security
- Monitoring / Security Toolkits
- VMware Virtual Appliances
Architecture Changes
- MUI removed from ESX Server
- Console and guests
- Soft switches are visible; complete rewrite of the network code
- VM backup proxy
- VMFS 3
General Account Security
- Use sudo and the wheel group to segment administrative functions.
- Create separate service accounts for operating Virtual Center.
- Recommended administrative groups: VMAdmins, ESXAdmins.
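The split this slide recommends, written out as an added example (it is not from the slides or from VMware): two Linux groups on the ESX 3 service console with separate sudo command sets, a merge routine that validates before it touches the sudoers file, and a check that rejects any group rule granting ALL. Group names follow the slide in lowercase (Linux group names are case-sensitive); the command lists, the log file path and the decision to give the Virtual Center service account no sudo at all are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example: sudo-based segmentation of ESX 3 service console administration.
# Assumptions (not from the slides): the command sets below and the log path.
set -u

# Sudoers fragment. esxadmins may change host networking and the firewall,
# vmadmins may only drive virtual machines through vmware-cmd. Neither gets ALL.
# Append it to /etc/sudoers with visudo (ESX 3's sudo has no /etc/sudoers.d).
render_sudoers() {
    cat <<'EOF'
Cmnd_Alias ESX_NET = /usr/sbin/esxcfg-vswitch, /usr/sbin/esxcfg-vswif, \
                     /usr/sbin/esxcfg-firewall, /usr/sbin/esxcfg-nics
Cmnd_Alias VM_OPS  = /usr/bin/vmware-cmd
Defaults   requiretty, logfile=/var/log/sudo.log
%esxadmins ALL = (root) ESX_NET
%vmadmins  ALL = (root) VM_OPS
EOF
}

# Reject any %group rule that grants ALL commands: that is the blanket
# "wheel can do anything" rule the segmentation is meant to replace.
check_no_blanket_root() {
    ! grep -Eq '^[[:space:]]*%[[:alnum:]_-]+[[:space:]]+ALL[[:space:]]*=.*[[:space:]]ALL[[:space:]]*$' "$1"
}

# Merge the fragment into the sudoers file given as $1 (default /etc/sudoers).
# The merged result must pass visudo -c (run only as root, because visudo also
# checks ownership) and check_no_blanket_root before it replaces the target.
install_sudoers() {
    local target=${1:-/etc/sudoers} tmp
    tmp=$(mktemp) || return 1
    { [ -f "$target" ] && cat "$target"; render_sudoers; } > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1 \
       && ! visudo -c -f "$tmp" >/dev/null; then
        echo "refusing: visudo rejected the merged file" >&2
        rm -f "$tmp"; return 1
    fi
    if ! check_no_blanket_root "$tmp"; then
        echo "refusing: a group rule still grants ALL" >&2
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$target" && chmod 0440 "$target"
    rm -f "$tmp"
}

# Groups to create first, as root:
#   groupadd esxadmins; groupadd vmadmins; usermod -a -G vmadmins <operator>
# The Virtual Center service account is a plain user in neither group; it talks
# to the host agent and never needs a root shell.
```

Run `install_sudoers` as root on the host; pass a scratch path as the first argument to rehearse the merge and the checks without touching /etc/sudoers.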
Virtual Switch Overview
- A vswitch is, at its core, a layer 2 forwarding engine.
- VLAN tagging / stripping / filtering units.
- Very modular (third-party add-ons).
- Part of Community Source.
Virtual Switch vs Physical Switch: how is it similar?
- Maintains a MAC-to-port forwarding table.
- Supports VLAN segmentation per port.
- Supports copying packets to a mirror (SPAN) port.
- Can be managed remotely by an administrator.
Virtual Switch vs Physical Switch: how is it different?
- Direct channel from the VNICs for control data (checksum / segmentation): a very wide control channel.
- Authoritative MAC filter updates: the vswitch is told each VNIC's MAC address instead of learning it.
- No IGMP snooping to learn multicast group membership.
- No learning of unicast addresses.
- Ports can automatically enter mirror (promiscuous) mode.
Vswitch Isolation: how to ensure no traffic leaks between vswitches?
- Vswitches are not cascaded, so there is no forwarding path from one to another.
- Vswitches cannot share uplink ports.
- Each vswitch has its own forwarding table.
Vswitch Isolation: how to ensure guests cannot impact switch behavior?
- Vswitches do not learn from the network to populate the forwarding table, so a guest cannot poison it with spoofed source MACs.
- Vswitches copy each frame before forwarding it, so a guest cannot modify a frame in flight (wide control channel).
Vswitch Isolation: how to ensure frames are in the appropriate VLAN?
- VLAN data is carried outside the frame (wide control channel): the VLAN is a property of the port, not of a tag the guest writes into the frame.
- The vswitch has no dynamic trunking.
- The vswitch has NO native VLAN: untagged traffic is not mapped onto a VLAN, which removes the native-VLAN hopping attack.
(Diagram: example segmented layout.) Guest port groups: App Public Tier, App Private Tier, Middle Tier, Data Tier. Separate networks for Management / Backup and Vmotion. Service console interfaces: VSWIF0 (CON) and VSWIF1 through VSWIF4, serving the Virtual Management Console, Backup Server and Monitoring. Other labelled nodes: ISA, RDP Client.
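To turn the VLAN rules on the previous slide and the segmented layout on this diagram into something checkable, here is an added example (not from the slides or from VMware) that audits `esxcfg-vswitch -l` output. The sample listing embedded in it is constructed in the shape of the ESX 3 output (column spacing differs between builds, so the parser reads fields from the right); the port group names follow the diagram, and the three rules it applies are this example's reading of the slides.

```shell
#!/usr/bin/env bash
# Added example: audit 'esxcfg-vswitch -l' output for the isolation rules on the
# VLAN slide and the tiered layout on the diagram. Not from the slides or VMware.
set -u

# Constructed sample in the shape of ESX 3 'esxcfg-vswitch -l' output.
SAMPLE='Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         64          5           64                1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Service Console       0        1           vmnic0
  VMotion               0        1           vmnic0
  App Public Tier       4095     2           vmnic0

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         64          4           64                1500    vmnic1,vmnic2

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  App Private Tier      110      1           vmnic1,vmnic2
  Data Tier             0        2           vmnic1,vmnic2
'

# Reads esxcfg-vswitch -l output on stdin, prints one finding per line and
# returns 1 when there is anything to fix. Three rules:
#  1. VLAN 4095 (virtual guest tagging) hands the guest every VLAN on the trunk.
#  2. Service Console / VMotion must not share a vswitch with guest port groups.
#  3. VLAN 0 (untagged) next to tagged port groups lets the physical switch's
#     native VLAN decide where those untagged frames go; the vswitch has none.
audit_vswitches() {
    local findings
    findings=$(awk '
        /^Switch Name/ { getline; sw = $1; next }   # switch row follows its header
        /^[[:space:]]+PortGroup Name/ { next }       # port group header
        /^[[:space:]]+[^[:space:]]/ {
            vlan = $(NF-2)                           # ..., VLAN ID, Used Ports, Uplinks
            name = $1; for (i = 2; i <= NF-3; i++) name = name " " $i
            if (vlan == 4095)
                print sw ": \"" name "\" is VLAN 4095 (VGT): guest chooses its own VLAN tags"
            if (name == "Service Console" || name == "VMotion") mgmt[sw] = 1
            else guest[sw] = 1
            if (vlan == 0) untagged[sw] = 1
            else if (vlan != 4095) tagged[sw] = 1
        }
        END {
            for (s in mgmt) if (s in guest)
                print s ": management/VMotion and guest port groups share one vswitch"
            for (s in untagged) if (s in tagged)
                print s ": untagged (VLAN 0) and tagged port groups mixed on one vswitch"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On a host: esxcfg-vswitch -l | audit_vswitches
if printf '%s' "$SAMPLE" | audit_vswitches; then
    echo "no findings"
else
    echo "fix the findings above before this host carries production tiers"
fi
```

Against the constructed sample the audit reports three findings: the VGT port group on vSwitch0, the service console and VMotion sharing vSwitch0 with a guest tier, and the untagged Data Tier next to a tagged tier on vSwitch1. The layout on the diagram, with management, Vmotion and each tier on their own vswitch or tagged port group, produces none.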
Web Security
- Update and use proper SSL certificates on ESX hosts and on Virtual Center; replace the default self-signed ones.
- The web core is Apache, so track all known Apache exploits and apply the corresponding patches.
- The MUI has been removed from ESX hosts, which leaves a smaller web surface to secure.
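The certificate step above, as an added example (not from the slides or from VMware): a routine that replaces the host certificate on an ESX 3 server only after checking that the private key belongs to the new certificate and, optionally, that the certificate chains to your CA, keeps the old pair for rollback, and then restarts the management agent so hostd and the web interface present the new certificate. The rui.crt / rui.key locations under /etc/vmware/ssl and the mgmt-vmware service are the ESX 3 ones; the optional directory argument, used to rehearse against a scratch directory, is this example's addition.

```shell
#!/usr/bin/env bash
# Added example: replace the default self-signed certificate on an ESX 3 host
# with one issued by your own CA, then restart the management agent. Not from
# the slides. SSL_DIR defaults to the ESX 3 location /etc/vmware/ssl.
set -u

# install_host_cert NEW_CERT NEW_KEY [SSL_DIR] [CA_BUNDLE]
# Refuses a key that does not belong to the certificate (compared by RSA
# modulus) and, when CA_BUNDLE is given, a certificate that does not chain to
# it. Keeps a dated copy of the old pair and installs the key root-readable only.
install_host_cert() {
    local cert=$1 key=$2 dir=${3:-/etc/vmware/ssl} ca=${4:-} m1 m2 stamp f
    [ -s "$cert" ] && [ -s "$key" ] || { echo "missing certificate or key" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        m1=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || m1=
        m2=$(openssl rsa  -noout -modulus -in "$key"  2>/dev/null) || m2=
        if [ -z "$m1" ] || [ "$m1" != "$m2" ]; then
            echo "private key does not belong to this certificate" >&2; return 1
        fi
        if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "certificate does not chain to $ca" >&2; return 1
        fi
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dir"
    for f in rui.crt rui.key; do                 # keep the old pair for rollback
        [ -f "$dir/$f" ] && cp -p "$dir/$f" "$dir/$f.$stamp.bak"
    done
    cp "$cert" "$dir/rui.crt" && cp "$key" "$dir/rui.key" || return 1
    chmod 0644 "$dir/rui.crt" && chmod 0400 "$dir/rui.key"
}

# hostd and the web interface present the new certificate only after the
# management agent restarts (Virtual Center loses the host for a moment).
restart_mgmt_agent() { /etc/init.d/mgmt-vmware restart; }

# Typical run on the host, as root:
#   install_host_cert /root/esx01.crt /root/esx01.key /etc/vmware/ssl /root/ca.crt \
#       && restart_mgmt_agent
```

Do the same on the Virtual Center server with its own certificate store, and re-check with `openssl s_client -connect host:443` that both now present the CA-issued chain rather than the factory self-signed one.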
Monitoring and Security Toolkits
- SNMP is the default monitoring access; lock it down with OID masking (views) and non-default community strings.
- Security toolkits are available to help check for changes to exposed ports and to validate known exploits.
- Network Security Toolkit virtual machine (Nagios, Nessus, Nmap).
- Common Vulnerabilities and Exposures scans (many false positives; confirm findings before acting on them).
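The two SNMP controls named above, as an added example (not from the slides or from VMware): a net-snmp `snmpd.conf` for the ESX 3 service console that binds a non-default, read-only community string to the monitoring subnet and masks everything outside three MIB subtrees through a VACM view, plus a checker that flags the weak patterns found in stock configurations. The community string, subnet, view and group names are this example's assumptions; the stock configuration used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example: net-snmp snmpd.conf for the ESX 3 service console implementing
# restricted community strings and OID masking, plus a weak-config check.
# Not from the slides; names, subnet and community string are assumptions.
set -u

render_snmpd_conf() {
    cat <<'EOF'
# /etc/snmp/snmpd.conf (example). Read-only, v2c, one subnet, one view.
com2sec monitorsec  10.10.50.0/24   Xq7-monitor-RO
group   monitorgrp  v2c             monitorsec
# OID masking: system, interfaces and host-resources are visible, nothing else.
view    hostview    included        .1.3.6.1.2.1.1
view    hostview    included        .1.3.6.1.2.1.2
view    hostview    included        .1.3.6.1.2.1.25
# read view = hostview, write view = none, notify view = none
access  monitorgrp  ""  any  noauth  exact  hostview  none  none
syslocation Datacenter A, rack 12
syscontact  esxadmins@example.com
EOF
}

# check_snmpd_conf FILE: prints one line per weakness, returns 1 if any found.
check_snmpd_conf() {
    local f=$1 rc=0
    # 1. the community strings every scanner tries first
    if grep -Eiq '^[[:space:]]*(rocommunity|rwcommunity|com2sec)[[:space:]].*[[:space:]](public|private)([[:space:]]|$)' "$f"; then
        echo "default community string (public/private)"; rc=1
    fi
    # 2. SNMP write access to a hypervisor host
    if grep -Eiq '^[[:space:]]*rwcommunity[[:space:]]' "$f"; then
        echo "write community configured"; rc=1
    fi
    # 3. community accepted from any source ("default" or no source at all)
    if grep -Eiq '^[[:space:]]*r[ow]community[[:space:]]+[^[:space:]]+([[:space:]]+default)?[[:space:]]*$' "$f" \
       || grep -Eiq '^[[:space:]]*com2sec[[:space:]]+[^[:space:]]+[[:space:]]+default[[:space:]]' "$f"; then
        echo "community accepted from any source address"; rc=1
    fi
    # 4. r[ow]community shorthand without an OID subtree or view: whole MIB exposed
    if grep -Eiq '^[[:space:]]*r[ow]community[[:space:]]+[^[:space:]]+([[:space:]]+[^[:space:]]+)?[[:space:]]*$' "$f"; then
        echo "no OID restriction on a community"; rc=1
    fi
    return $rc
}

# On the host, as root:
#   render_snmpd_conf > /etc/snmp/snmpd.conf \
#       && check_snmpd_conf /etc/snmp/snmpd.conf && service snmpd restart
```

Pair this with the firewall: the service console should accept UDP 161 only from the same monitoring subnet, so a guessed community string from elsewhere never reaches snmpd.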
Virtual Appliances
- Know who is providing it to you!
- Isolate it before you put it into production.
- Put extra effort into validating and monitoring it after you put it in (rogue traffic, configuration changes, etc.).
WWW Resources
- http://www.vmguru.com/
- http://www.vmware.com/vmtn/technology/security/
- http://vmprofessional.com/