DNM1: Data Center Virtualization
Augusta Crissy Proof-of-Concept Design Template
Dakota Remenyi
[Date]
Version 1.0

DNM1: Data Center Virtualization Design Document. Proof-of-Concept Design Template

CONTENTS
A. Systems Analysis of Current Environment 3
B. Virtualization Solution 3
C. Security 5
C.1. Virus Scan System 5
C.2. Firewall Rules 5
C.3. Access Control Lists 5
C.4. Security Groups 6
C.5. Information Security Management 6
D. Implementation Process 7
E. Performance Tuning 9
F. Load Balancing 11
G. Proof-of-Concept Implementation Build 11
G.1. Phase 1 11
G.2. Phase 2 11
G.3. Phase 3 11
G.4. Phase 4 11

A. SYSTEMS ANALYSIS OF CURRENT ENVIRONMENT
Augusta Crissy (AC) is in the market to expand its datacenter by integrating it with the cloud as a hybrid solution to support future demand. While the current datacenter has enough resources to meet current demand, it has several limitations that will prevent it from meeting future demand:
- Single, non-clustered servers. Maintenance and unplanned upgrades cannot fail over or drain connections when issues arise. A clustered setup would provide high availability for applications and databases by allowing them to be moved between servers without affecting end-user performance.
- The current datacenter consists of 100 4U rack-mounted servers, all running Windows Server 2016. Each server has 32 processors, 256 GB of RAM and 1 TB of storage.
The servers have enough resources to carry their current load but could be upgraded to match the spec sheet, allowing for more virtualization. A typical server rack holds 36U to 40U, so eight 4U Dell PowerEdge R940xa boxes fit per rack and 100 servers need 13 racks. Server placement relative to the HVAC should be reassessed, because the additional resources will generate more heat. The Windows Server OS does not currently have the Hyper-V role installed, which limits AC's ability to virtualize the datacenter and optimize its resources; installing a hypervisor lets the existing servers host virtual machines without buying more physical devices. AC is examining solutions for a local hybrid cloud datacenter. While this can work, the industry is moving away from owning resources toward leasing them, and AC should use a cloud service provider such as AWS to connect to "the cloud". Many providers offer services that help lift and shift applications, such as AWS Snowball for bulk data transfer. Alternatively, the existing domain could be extended into the cloud over a direct connection or a site-to-site VPN. However, this proof of concept will continue with a local hybrid datacenter.

B. VIRTUALIZATION SOLUTION
To demonstrate a virtualized environment proof of concept, a single VMware ESXi hypervisor will be used. The ESXi server has enough resources to run four Windows virtual machines and one virtual router. The network will use the ESXi default virtual switch (vSwitch0) with additional port groups, each tagged with its own VLAN ID, to support the infrastructure.
The virtual switch setup is as follows:
- vSwitch0
  - Two uplinks to the external network
  - Five port groups:
    - Management group (default)
    - Vlan-Pfsense-WAN: subnet 172.16.0.0/24, VLAN ID 0 (untagged)
    - Vlan-Pfsense-LAN: subnet 172.17.0.0/24, VLAN ID 10
    - Vlan-SysAdmin: subnet 172.18.0.0/24, VLAN ID 20
    - Vlan-Dev: subnet 172.19.0.0/24, VLAN ID 30

The following virtual machines will be deployed:

pfSense router
- Name: PfSense
- VM OS: FreeBSD 11
- Specs: 1 CPU | 1 GB RAM | 8 GB VMDK | 2 NICs
  - NIC 1: connected to Vlan-Pfsense-WAN, IP assigned by external DHCP
  - NIC 2: connected to Vlan-Pfsense-LAN, IP 172.17.0.1/24

1 Windows Server 2019 Standard
- Name: DC1
- Firmware: EFI (the ESXi equivalent of a Hyper-V Generation 2 VM)
- Specs: 1 CPU | 4 GB RAM | 40 GB VMDK | 2 NICs
  - NIC 1: connected to Vlan-Dev, IP 172.19.0.2/24
  - NIC 2: connected to Vlan-SysAdmin, IP 172.18.0.2/24
- ISO: <datastore>\iso\Windows_Server_2019_Eval.iso
- Roles installed:
  - Active Directory Domain Services, domain augustacrissy.lab
  - DHCP: Scope 1 for Vlan-Dev and Scope 2 for Vlan-SysAdmin
  - DNS

1 Windows 10 desktop
- Name: W10
- Specs: 1 CPU | 4 GB RAM | 32 GB VMDK | 3 NICs
  - NIC 1: connected to Vlan-Dev, IP 172.19.0.3/24
  - NIC 2: connected to Vlan-SysAdmin, IP 172.18.0.3/24
  - NIC 3: connected to Vlan-Pfsense-LAN, IP 172.17.0.3/24
- ISO: <datastore>\iso\Windows10_EnterpriseEval.iso

2 Windows Server 2019 Datacenter Edition
- Names: Data1, Data2
- Firmware: BIOS (the ESXi equivalent of a Hyper-V Generation 1 VM)
- Specs: 1 CPU | 4 GB RAM | 40 GB VMDK | 4 NICs
  - NIC 1 and NIC 2: both connected to the external interface and teamed; IP assigned by external DHCP
  - NIC 3: connected to Vlan-SysAdmin; Data1 172.18.0.4/24, Data2 172.18.0.5/24
  - NIC 4: connected to Vlan-Dev; Data1 172.19.0.4/24, Data2 172.19.0.5/24
- ISO: <datastore>\iso\Windows_Server_2019_Eval.iso
- Roles installed:
  - Internet Information Services (IIS)
  - Remote Access role (VPN), with DHCP relay to Vlan-SysAdmin
  - Network Load Balancing (NLB), bound to NIC 4 on both servers
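The port-group layout above can be created and checked with PowerCLI instead of the ESXi web client. The following script is an added example and is not part of the original design document; the host name esxi01.augustacrissy.lab is a placeholder, and it assumes PowerCLI is installed on the admin workstation. It also adds a check the layout itself needs: two port groups on one vSwitch that carry the same VLAN tag are a single broadcast domain, not two isolated networks.

```powershell
# Added example (not from the original design document): create the port groups
# from section B on vSwitch0 with PowerCLI and verify the VLAN tags.
# Assumes Install-Module VMware.PowerCLI has been run; host name is a placeholder.
Import-Module VMware.PowerCLI
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope Session -Confirm:$false | Out-Null

$esxiHost = 'esxi01.augustacrissy.lab'     # placeholder: the PoC host
$cred     = Get-Credential -Message 'ESXi root credentials'
Connect-VIServer -Server $esxiHost -Credential $cred | Out-Null

# Names and VLAN IDs from section B. VLAN 0 means untagged, so the pfSense WAN
# group shares the untagged segment with the default Management port group.
$portGroups = @(
    @{ Name = 'Vlan-Pfsense-WAN'; VLanId = 0  }
    @{ Name = 'Vlan-Pfsense-LAN'; VLanId = 10 }
    @{ Name = 'Vlan-SysAdmin';    VLanId = 20 }
    @{ Name = 'Vlan-Dev';         VLanId = 30 }
)

$vSwitch = Get-VirtualSwitch -VMHost $esxiHost -Name 'vSwitch0'

foreach ($pg in $portGroups) {
    $existing = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pg.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pg.Name -VLanId $pg.VLanId | Out-Null
    } elseif ($existing.VLanId -ne $pg.VLanId) {
        # Configuration drift: a group with the wrong tag silently bridges two VLANs.
        Set-VirtualPortGroup -VirtualPortGroup $existing -VLanId $pg.VLanId | Out-Null
    }
}

# Check: every tagged VLAN ID on the switch must belong to exactly one port group.
# Only VLAN 0 (untagged) is expected to be shared, by Management and the pfSense WAN.
$all = Get-VirtualPortGroup -VirtualSwitch $vSwitch | Select-Object Name, VLanId
$all | Format-Table -AutoSize
$shared = $all | Group-Object VLanId | Where-Object { $_.Count -gt 1 -and $_.Name -ne '0' }
if ($shared) {
    Write-Warning ('Port groups sharing a VLAN tag: ' + ($shared.Group.Name -join ', '))
}

Disconnect-VIServer -Server $esxiHost -Confirm:$false
```

The script is idempotent, so it can be re-run after any manual change to confirm the tags still match the design.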
C. SECURITY
Please see below for the plan.
C.1. VIRUS SCAN SYSTEM
The environment is not very diverse; it uses only Windows-based operating systems for servers and clients, so the built-in Microsoft Defender Antivirus agent will be used. Domain policies set at the Active Directory level will dictate how often scans trigger, what is scanned, and which file paths are excluded. Exclusions trade protection for performance and should be limited to paths that standard users cannot write to, since an excluded directory is exactly where malware will be placed. User Account Control (UAC) will be enabled and enforced to further protect against malicious actions; UAC prompts for credentials whenever a user attempts to install or run an application that requires elevated privileges.
C.2. FIREWALL RULES
Windows Firewall will be enforced through Active Directory group policies. The centralized policy restricts ports and protocols for each device role, and different roles require different firewall policies. As an example, a web server needs inbound TCP 80/443 open, and a VPN server needs the ports for its tunnel protocol: TCP 1723 plus GRE (IP protocol 47) for PPTP, TCP 443 for SSTP, or UDP 500/4500 for IKEv2. PPTP's MS-CHAPv2 authentication is broken, so the VPN role should be configured for SSTP or IKEv2 and TCP 1723 left closed. Telnet (TCP 23) will be denied on all endpoints; it is not required for any communication and its clear-text credentials are trivially sniffed.
C.3. ACCESS CONTROL LISTS
As mentioned previously, UAC will be enforced so that day-to-day activity runs without administrative rights, and privileged accounts will be kept separate from daily-use accounts. It is this separation, rather than UAC itself (which is not a security boundary), that reduces the risk of an attack such as pass-the-hash: the standard user account that browses the web, reads email and performs daily tasks is the most exposed, but if it never holds elevated privileges and elevated credentials are never used on workstations, an attacker who compromises it gains no credential that can install software or RDP to another server. Only business-critical systems will have elevated users in their local Administrators group. As an example, Jane Smith is a server administrator who needs regular access to domain controllers and servers, but she does not need admin access to her workstation.
Jane will be issued several accounts: a user account for email, the internet and other daily tasks on her workstation, a General Admin account for administering and maintaining servers, and a Domain Admin account for administering and maintaining domain controllers. Only authorized users, based on privilege, will be added to each box's Administrators group, and this is done by domain policy. The policy described above is known as the Principle of Least Privilege. ISO 27002 defines the Principle of Least Privilege as "the general approach favored for protection, rather than unlimited access and superuser rights without careful consideration. As such users should only get access to the network and network services they need to use or know about for their job." ISO 27002 also mentions the need for routine auditing of group memberships and policies to maintain a level of IT hygiene. More information about the principle of least privilege and auditing can be found via the link on the reference page. Logs should be sent to a centralized collector such as a SIEM where another team can monitor for alerts based on domain policy. All new network configuration will be monitored and documented using a change management process; the process ensures changes do not affect other resources in the infrastructure and allows rollback if necessary.

To segment the network and prevent bottlenecks, VLANs will be configured on the switches. (A switched, full-duplex network has no collisions to detect; what VLANs reduce is the size of each broadcast domain and the set of hosts that can reach each other directly.) This allows different networks to be segmented and to coexist on the same switch or switches. The recommended configuration is a minimum of four VLANs: Data, Development, Administration and Resource Management. This greatly reduces the amount of broadcast "talking" on any one segment and, more importantly, limits lateral movement between roles.
- The Data VLAN carries PROD data traffic for end-user consumption, such as email, web traffic and file access.
- The DEV VLAN isolates DevOps engineers on their own segment so they cannot affect the production network unless they use a separate authorized account with elevated credentials.
- The Administration VLAN allows administrators to perform their duties and prevents ordinary users from reaching servers at the management level.
- The Resource Management VLAN allows services and their accounts to perform routine processes across partner resources, such as the cluster quorum traffic monitored by the cluster service or the heartbeat between network-load-balanced servers. It also carries virtual machine migrations between hosts without consuming bandwidth on the other VLANs.
C.4. SECURITY GROUPS
As mentioned earlier, to ensure that accounts with "appropriate level access" cannot reach unassigned systems, Domain Policy will enforce Restricted Groups together with restrictive logon rights (the User Rights Assignment policies "Deny log on locally" and "Deny log on through Remote Desktop Services"), so that a Domain Admin account cannot log on to a workstation and a workstation user cannot log on to a server. The Restricted Groups policies will contain the elevated identities in designated AD security groups controlled and managed by the security team. Adding users to groups via policy reduces administrative overhead when employees are hired, change positions or leave: users are moved in or out of the security groups by modifying the Group Policy, which refreshes every domain member in the OU the policy is linked to.
C.5. INFORMATION SECURITY MANAGEMENT
An Information Security Management System (ISMS) will be used to govern policies, processes, procedures, infrastructure and service dependencies. The ISMS will incorporate best practices from SOC 2, the ISO 27001 and 27002 series and, if necessary, PCI DSS. The system is designed to maintain daily operations and keep the business healthy by providing guidelines on the confidentiality, integrity and availability of Augusta Crissy's data and systems.
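The scan settings from C.1 and the per-role firewall rules from C.2 can be written straight into Group Policy from a domain admin session on DC1. The script below is an added example and is not part of the original design document. It assumes the RSAT GroupPolicy and NetSecurity modules are present on DC1; the GPO names (AC-FW-WebServer, AC-FW-VpnServer, AC-FW-AllEndpoints, AC-Defender) and the OU paths are placeholders chosen for the PoC. The NetSecurity cmdlets write into a GPO when -PolicyStore is given as "domain\GPO name".

```powershell
# Added example (not from the original design document): push the C.1 scan
# settings and the C.2 per-role firewall rules into Group Policy.
# Assumes RSAT GroupPolicy + NetSecurity modules; GPO and OU names are placeholders.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain = 'augustacrissy.lab'

# C.1: scan schedule and a deliberately short exclusion list. Set-MpPreference
# configures the local host; the same values are set in the AC-Defender GPO
# (Computer Configuration > Administrative Templates > Microsoft Defender Antivirus).
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleQuickScanTime '02:00:00' `
                 -DisableRealtimeMonitoring $false `
                 -ExclusionPath 'D:\inetpub\logs'   # placeholder: a path standard users cannot write to

# C.2: one GPO per server role. A VPN server gets SSTP (TCP 443) and IKEv2
# (UDP 500/4500); PPTP (TCP 1723 + GRE) is deliberately absent.
$roles = @{
    'AC-FW-WebServer' = @(
        @{ Name = 'Allow HTTP';  Protocol = 'TCP'; LocalPort = 80;  Action = 'Allow' }
        @{ Name = 'Allow HTTPS'; Protocol = 'TCP'; LocalPort = 443; Action = 'Allow' }
    )
    'AC-FW-VpnServer' = @(
        @{ Name = 'Allow SSTP';  Protocol = 'TCP'; LocalPort = 443;        Action = 'Allow' }
        @{ Name = 'Allow IKEv2'; Protocol = 'UDP'; LocalPort = @(500, 4500); Action = 'Allow' }
    )
    'AC-FW-AllEndpoints' = @(
        @{ Name = 'Block Telnet in'; Protocol = 'TCP'; LocalPort = 23; Action = 'Block' }
    )
}

foreach ($gpoName in $roles.Keys) {
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    $store = "$domain\$gpoName"
    # Firewall on, default-deny inbound, for every profile in this GPO.
    Set-NetFirewallProfile -PolicyStore $store -All -Enabled True -DefaultInboundAction Block
    foreach ($r in $roles[$gpoName]) {
        if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -PolicyStore $store -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.LocalPort -Action $r.Action | Out-Null
        }
    }
}

# Outbound Telnet is blocked too, so a clear-text login cannot leave any endpoint.
$ep = "$domain\AC-FW-AllEndpoints"
if (-not (Get-NetFirewallRule -PolicyStore $ep -DisplayName 'Block Telnet out' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $ep -DisplayName 'Block Telnet out' -Direction Outbound `
        -Protocol TCP -RemotePort 23 -Action Block | Out-Null
}

# Link each GPO to the OU holding that role's computers. Data1/Data2 host both
# IIS and the VPN role, so both role GPOs link to the same OU (placeholder paths).
New-GPLink -Name 'AC-FW-WebServer'    -Target 'OU=DataServers,DC=augustacrissy,DC=lab' -ErrorAction SilentlyContinue
New-GPLink -Name 'AC-FW-VpnServer'    -Target 'OU=DataServers,DC=augustacrissy,DC=lab' -ErrorAction SilentlyContinue
New-GPLink -Name 'AC-FW-AllEndpoints' -Target 'DC=augustacrissy,DC=lab'                -ErrorAction SilentlyContinue
```

Rules are checked by display name before they are created, so re-running the script after an edit does not leave duplicates in the GPO. Because the default inbound action is Block, any service not listed for a role is unreachable until a rule is added through change management.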
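The account split described in C.3 for Jane Smith and the tiered security groups that C.4 manages through Restricted Groups can be created with the ActiveDirectory module, and the routine audit that C.3 attributes to ISO 27002 can be run from the same session and shipped to the SIEM. This is an added example, not part of the original design document. It assumes the RSAT ActiveDirectory module on DC1; the OU layout (OU=Admin with Tier0 and Tier1), the group names and the jsmith / adm-jsmith / da-jsmith naming convention are assumptions for the PoC.

```powershell
# Added example (not from the original design document): tiered accounts and
# groups for C.3/C.4 plus a privileged-membership audit. Assumes the RSAT
# ActiveDirectory module; OU names, group names and account names are assumptions.
Import-Module ActiveDirectory

$dn   = 'DC=augustacrissy,DC=lab'
$ouT0 = "OU=Tier0,OU=Admin,$dn"   # domain controller admins
$ouT1 = "OU=Tier1,OU=Admin,$dn"   # member server admins
$ouUs = "OU=Users,$dn"            # daily-use accounts

function Ensure-OU([string]$Name, [string]$Path) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Name -Path $Path | Out-Null
    }
}
Ensure-OU 'Admin' $dn
Ensure-OU 'Tier0' "OU=Admin,$dn"
Ensure-OU 'Tier1' "OU=Admin,$dn"
Ensure-OU 'Users' $dn

# Tier groups: the Restricted Groups policy makes these the only members of the
# local Administrators group on DCs (Tier0) and member servers (Tier1).
foreach ($g in 'AC-Tier0-Admins', 'AC-Tier1-ServerAdmins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Admin,$dn" | Out-Null
    }
}

# Jane's three accounts (C.3): one per tier, never shared between tiers.
$pw = Read-Host -AsSecureString 'Initial password (changed at first logon)'
$accounts = @(
    @{ Sam = 'jsmith';     Path = $ouUs; Groups = @() }
    @{ Sam = 'adm-jsmith'; Path = $ouT1; Groups = @('AC-Tier1-ServerAdmins') }
    @{ Sam = 'da-jsmith';  Path = $ouT0; Groups = @('AC-Tier0-Admins', 'Domain Admins') }
)
foreach ($a in $accounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'")) {
        New-ADUser -Name $a.Sam -SamAccountName $a.Sam -UserPrincipalName "$($a.Sam)@augustacrissy.lab" `
            -Path $a.Path -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    foreach ($g in $a.Groups) { Add-ADGroupMember -Identity $g -Members $a.Sam }
}
# Tier 0 credentials must not be delegatable by a compromised lower-tier service.
Set-ADAccountControl -Identity 'da-jsmith' -AccountNotDelegated $true

# Audit for the routine hygiene review: every member of a privileged group, with
# a finding for any account that lives outside the Admin OUs (a daily-use account
# holding admin rights, or the built-in Administrator still in CN=Users).
function Get-PrivilegedAccountReport {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'AC-Tier0-Admins', 'AC-Tier1-ServerAdmins'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Enabled
            [pscustomobject]@{
                Group     = $g
                Account   = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
                Finding   = if ($u.DistinguishedName -notmatch ",OU=Admin,$dn$") { 'OUTSIDE ADMIN OU' } else { '' }
            }
        }
    }
}
Get-PrivilegedAccountReport | Sort-Object Group, Account | Format-Table -AutoSize
```

The report can be scheduled and exported with Export-Csv or ConvertTo-Json for the SIEM; any row with a finding, a disabled account, or a LastLogon older than the review interval is a membership that should be removed by editing the Restricted Groups policy rather than the local group.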
Besides environmental disasters and outages, the ISMS should include processes for handling breaches and attacks by both internal and external actors.

D. IMPLEMENTATION PROCESS
Phase 1: Implement VLANs
During phase one the network is set up within the ESXi host so that the virtual machines can be added later. Under Port groups:
- Create four port groups: Vlan-Dev, Vlan-SysAdmin, Vlan-pfSense-WAN and Vlan-pfSense-LAN.
- Attach all of them to vSwitch0.
Port groups with different VLAN IDs are isolated at layer 2 on the vSwitch, so traffic from one VLAN cannot reach another unless something routes between them. Two caveats follow from the design in section B: VLAN ID 0 means untagged, so Vlan-pfSense-WAN shares the untagged segment with the default Management port group; and DC1, W10, Data1 and Data2 each have NICs in both Vlan-Dev and Vlan-SysAdmin, so a compromised host on either VLAN can reach the other through those machines.

Phase 2: Build pfSense Router
The pfSense router routes traffic from the WAN to the LAN when needed. The router is built as a virtual machine created by selecting Other as the Guest OS family and FreeBSD 11 (64-bit) as the Guest OS version. See Figure D-3. (Rubicon, 2020)

Figure D-3: Selecting pfSense OS family and version

During the VM creation:
- Add an additional network interface; select Vlan-pfSense-WAN for the first NIC and Vlan-pfSense-LAN for the second.
- Attach the ISO from the datastore and boot the VM.
- Follow the default options and prompts.
- After the initial setup, detach the ISO and reboot the system.
- Set up the WAN and LAN interfaces based on the guidance provided above.

Phase 3: Build Domain Controller
Create a new virtual machine using Windows as the Guest OS family and "Windows Server 2016 or higher (64-bit)" as the Guest OS version.
- Select Windows Server 2019 Standard (Desktop Experience).
- Set the password and change the computer name.
- Install VMware Tools.
- Configure the Vlan-Dev and Vlan-SysAdmin interfaces with the static addresses listed in section B (the domain controller has no WAN interface).
- Install the Active Directory Domain Services role and select the DNS and DHCP roles.
The Active Directory role is now installed but not configured. Before configuring it, confirm that the server's IP addresses are statically assigned; a domain controller must never be a DHCP client. Note that DC1 is multi-homed (one NIC on each VLAN); after promotion, check that only the intended addresses are registered in DNS.

To configure the AD roles, in Server Manager promote this server to a domain controller:
- Add a new forest with the root domain augustacrissy.lab.
- Reboot.
Next steps, logged in as Administrator:
- Open the DHCP console, authorize the server and activate it.
- Create two scopes, one for Vlan-Dev (172.19.0.0/24) and one for Vlan-SysAdmin (172.18.0.0/24).

Phase 4: Build Datacenter Servers 1 & 2 and the Windows 10 Desktop
Create two new virtual machines using Windows as the Guest OS family and "Windows Server 2016 or higher (64-bit)" as the Guest OS version.
- Select Windows Server 2019 Datacenter (Desktop Experience).
- Set the password and change the computer name.
- Configure the interfaces with the addresses listed in section B.
- Install VMware Tools.
- Join them to the augustacrissy.lab domain.
Install the following roles: Internet Information Services, Remote Access (Microsoft, 2020) and Network Load Balancing (Parvez, 2020). Both servers will have their first two NICs teamed using Address Hash mode (More, 2020). No additional configuration is needed for the IIS role.
Set up NLB to cluster both servers over the Vlan-Dev interface in unicast mode. In unicast mode every node answers with the same cluster MAC address, which a vSwitch rejects by default: the Vlan-Dev port group must accept forged transmits and have Notify Switches set to No (VMware KB 1556), or the cluster will not converge or will not be reachable. Multicast mode avoids this but usually needs a static ARP entry on the physical switch.
Use the Routing and Remote Access wizard to set up the VPN configuration. Configure how VPN clients obtain addresses in the Routing and Remote Access console (section B calls for DHCP relay to Vlan-SysAdmin). Use SSTP or IKEv2 rather than PPTP, as noted in C.2.

Windows 10 machine: create a new virtual machine using Windows as the Guest OS family and Windows 10 (64-bit) as the Guest OS version.
- Set the password and change the computer name.
- Configure the interfaces with the addresses listed in section B.
- Install VMware Tools and join it to the augustacrissy.lab domain.
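The Phase 3 build of DC1 described above can be scripted instead of clicked through Server Manager, which also makes the "static IP first" and "check the DNS registration" steps explicit. The following is an added example, not part of the original design document. It assumes the interface aliases Ethernet0 (Vlan-Dev) and Ethernet1 (Vlan-SysAdmin), which should be confirmed with Get-NetAdapter before running, and DHCP lease ranges of .100 to .200 in each scope, chosen so they cannot collide with the static addresses in section B. Run it elevated on the DC1 VM; the second half runs after the reboot that Install-ADDSForest triggers.

```powershell
# Added example (not from the original design document): Phase 3 build of DC1.
# Interface aliases, lease ranges and the DSRM password prompt are assumptions.

# --- part 1: static addressing, roles, forest promotion (reboots at the end) ---
New-NetIPAddress -InterfaceAlias 'Ethernet0' -IPAddress 172.19.0.2 -PrefixLength 24   # Vlan-Dev
New-NetIPAddress -InterfaceAlias 'Ethernet1' -IPAddress 172.18.0.2 -PrefixLength 24   # Vlan-SysAdmin
# The DC is its own DNS server once promoted.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet0', 'Ethernet1' -ServerAddresses 127.0.0.1

Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools

$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'augustacrissy.lab' -DomainNetbiosName 'AUGUSTACRISSY' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# --- part 2: after the reboot, as AUGUSTACRISSY\Administrator ---
# Authorize the DHCP server in AD (the "complete DHCP configuration" task) and
# create the two scopes from section B.
Add-DhcpServerSecurityGroup
Add-DhcpServerInDC -DnsName 'dc1.augustacrissy.lab' -IPAddress 172.18.0.2
Restart-Service DHCPServer

$scopes = @(
    @{ Name = 'Vlan-Dev';      Net = '172.19.0.0'; Start = '172.19.0.100'; End = '172.19.0.200'; Dns = '172.19.0.2' }
    @{ Name = 'Vlan-SysAdmin'; Net = '172.18.0.0'; Start = '172.18.0.100'; End = '172.18.0.200'; Dns = '172.18.0.2' }
)
foreach ($s in $scopes) {
    if (-not (Get-DhcpServerv4Scope -ScopeId $s.Net -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
            -SubnetMask 255.255.255.0 -State Active
    }
    # DNS points at DC1's address on the same VLAN. No router option is set,
    # because section B lists no gateway on Vlan-Dev or Vlan-SysAdmin.
    Set-DhcpServerv4OptionValue -ScopeId $s.Net -DnsServer $s.Dns -DnsDomain 'augustacrissy.lab' -Force
}

# Check for the multi-homed DC: both NIC addresses register as A records for dc1.
# Anything other than 172.19.0.2 and 172.18.0.2 here means a stale or DHCP address.
Get-DnsServerResourceRecord -ZoneName 'augustacrissy.lab' -Name 'dc1' -RRType A |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
```

Because DC1 answers DNS on both VLANs, a client on Vlan-Dev handed 172.18.0.2 by mistake would still resolve names, which hides a scope misconfiguration; the per-scope -DnsServer value above keeps each VLAN's clients on their own interface.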
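Phase 4 above can likewise be driven from PowerShell on Data1 and Data2. The script below is an added example and is not part of the original design document. It assumes the adapter aliases Ethernet0 to Ethernet3 map to NIC 1 to NIC 4 of section B, and it adds a cluster name, a virtual IP of 172.19.0.10 on Vlan-Dev and a team name, none of which the design specifies. The -Legacy switch of Install-RemoteAccess, which deploys a plain RRAS VPN server rather than DirectAccess, is also an assumption; if the module rejects it, run the Routing and Remote Access wizard as the page describes.

```powershell
# Added example (not from the original design document): Phase 4 on Data1/Data2.
# Adapter aliases, team name, cluster name and the VIP 172.19.0.10 are assumptions.
$me = $env:COMPUTERNAME   # 'Data1' or 'Data2'

# NIC 1 + NIC 2 (external) teamed in Address Hash mode; in LBFO terms that is
# the TransportPorts algorithm in a switch-independent team. The team keeps
# getting its address from the external DHCP server.
if (-not (Get-NetLbfoTeam -Name 'External-Team' -ErrorAction SilentlyContinue)) {
    New-NetLbfoTeam -Name 'External-Team' -TeamMembers 'Ethernet0', 'Ethernet1' `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false | Out-Null
}
# NIC 3 (Vlan-SysAdmin) and NIC 4 (Vlan-Dev) static addresses from section B.
$sysAdminIp = @{ Data1 = '172.18.0.4'; Data2 = '172.18.0.5' }[$me]
$devIp      = @{ Data1 = '172.19.0.4'; Data2 = '172.19.0.5' }[$me]
New-NetIPAddress -InterfaceAlias 'Ethernet2' -IPAddress $sysAdminIp -PrefixLength 24
New-NetIPAddress -InterfaceAlias 'Ethernet3' -IPAddress $devIp      -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet2' -ServerAddresses 172.18.0.2

Install-WindowsFeature Web-Server, NLB, RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
# Join the domain with the Tier 1 admin account, not a Domain Admin (see C.3).
Add-Computer -DomainName 'augustacrissy.lab' -Credential (Get-Credential 'AUGUSTACRISSY\adm-jsmith') -Restart

# --- after both servers have rebooted: run on Data1 only ---
Import-Module NetworkLoadBalancingClusters
New-NlbCluster -InterfaceName 'Ethernet3' -ClusterName 'web.augustacrissy.lab' `
    -ClusterPrimaryIP 172.19.0.10 -SubnetMask 255.255.255.0 -OperationMode Unicast | Out-Null
Add-NlbClusterNode -NewNodeName 'Data2' -NewNodeInterface 'Ethernet3' | Out-Null
# Balance only the web ports, with no client affinity (section F assumes none).
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -StartPort 80  -EndPort 80  -Protocol TCP -Affinity None | Out-Null
Add-NlbClusterPortRule -StartPort 443 -EndPort 443 -Protocol TCP -Affinity None | Out-Null
Get-NlbClusterNode | Select-Object Name, State        # both nodes should read Converged

# Unicast NLB on ESXi (VMware KB 1556): run from the PowerCLI workstation, not here.
#   Get-VirtualPortGroup -Name 'Vlan-Dev' | Get-SecurityPolicy   | Set-SecurityPolicy   -ForgedTransmits $true
#   Get-VirtualPortGroup -Name 'Vlan-Dev' | Get-NicTeamingPolicy | Set-NicTeamingPolicy -NotifySwitches $false

# --- VPN, on each server: a legacy RRAS VPN server, addresses from DHCP (relay
# to Vlan-SysAdmin is configured in the RRAS console as the page describes) ---
Install-RemoteAccess -VpnType Vpn -Legacy
```

With the cluster converged, http://172.19.0.10/ from the W10 client should return the IIS default page from either node; the per-role firewall GPO from C.2 must already be linked, or the VIP answers ARP but refuses the TCP connection.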
E. PERFORMANCE TUNING
AC needs to perform asset management and performance monitoring to run a successful virtualized datacenter. As the environment expands, it becomes difficult to track and monitor new and existing systems. I suggest tracking and monitoring assets in VMware using the PowerCLI module for PowerShell. The module can be installed from the PowerShell Gallery or downloaded and copied into the PowerShell modules folder. Below are several ways performance could be tracked.
1) Install-Module VMware.PowerCLI
   a. Reporting options include ways to generate HTML pages for easy reading (Fenech, 2016): https://www.altaro.com/vmware/how-to-generate-a-vsphere-report-using-powershell/
2) Alan Renouf maintains an open-source project, vCheck, that produces a verbose report covering the ESXi hosts and their configuration: https://github.com/alanrenouf/vCheck-vSphere
3) VMware publishes performance best-practice guidelines for vSphere. Following them ensures the ESXi hosts are configured properly, run at optimal capacity and are secure.
4) Running reports against the hosts is a good way to get inventory and overall performance, but it is also beneficial to set up performance monitoring inside the virtual machines themselves, which tracks application performance and the other resources the VM is using.
   a. To set up performance monitoring on Windows, open Performance Monitor and build a custom data collector set with counters (Chen, 2014). A few counter categories to include are:
      i. PhysicalDisk: monitors the virtual disk.
         Recommended counters are:
         - % Idle Time: no less than 60%
         - Avg. Disk sec/Read: measures I/O latency; no higher than 20 ms
         - Avg. Disk sec/Write: no higher than 20 ms
         - Current Disk Queue Length: no higher than 2
      ii. Memory: tracks total memory used and potential memory leaks. Recommended counters are:
         - Available MBytes: at least 10% of total memory should remain available
         - Pages/sec: less than 1000; a sustained higher value is a sign of excessive paging, which indicates memory pressure and is often a memory leak
         - Cache Bytes: the amount of memory used for the file system cache; a value above 300 MB can indicate a disk bottleneck
      iii. Network Interface: monitors network throughput and queueing. Recommended counters are:
         - Bytes Total/sec: measures the transfer rate; a high value can mean one application is consuming all the bandwidth. Keeping utilization below 40% of the link speed is typically healthy
         - Output Queue Length: the number of packets waiting to be sent; lower is better, and above 2 is critical
      iv. Paging File: if paging file usage is high, add RAM to the VM.
         - % Usage: no higher than 10%, otherwise the VM suffers disk I/O contention

F. LOAD BALANCING
As stated in the sections above, it is vital to load balance the datacenter servers so that network performance is optimal. If configured properly, NLB distributes traffic as evenly as possible, reducing the likelihood of latency. To test the Network Load Balancer, drain or stop a node in the cluster, then attempt to reach the website from the Windows 10 client. If the site is still reachable, NLB is working as expected. Note that NLB only detects a host that has stopped sending heartbeats; it does not check the application, so a node whose IIS site is stopped while the OS is up still receives its share of traffic. Client affinity (NLB's "sticky sessions") should be disabled for this test; otherwise NLB may keep forwarding an affinitized client's traffic to a host that is down until the cluster reconverges.
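The counter thresholds listed in section E can be checked with one function instead of read off a Performance Monitor graph. This is an added example, not part of the original design document. It runs inside a Windows VM (Data1, for instance), samples the counters named above, averages every instance over a few samples, and compares each with the section E limit. The 40% network threshold is expressed against a link speed the counters do not report, so the function assumes a 1 Gb/s virtual NIC unless told otherwise; the "20 ms" disk limits become 0.020 because the Avg. Disk sec counters are in seconds.

```powershell
# Added example (not from the original design document): sample the section E
# counters and compare them with the thresholds given there. Run inside the VM.
# Assumes a 1 Gb/s vNIC for the 40% utilization rule unless -LinkBitsPerSec is set.
function Get-VmHealthReport {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2, [double]$LinkBitsPerSec = 1e9)

    # Thresholds from section E. Max = must not exceed; Min = must not fall below;
    # MinPctOfTotal = minimum as a percentage of installed RAM.
    $checks = @(
        @{ Path = '\PhysicalDisk(_Total)\% Idle Time';              Min = 60 }
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';       Max = 0.020 }
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';      Max = 0.020 }
        @{ Path = '\PhysicalDisk(_Total)\Current Disk Queue Length'; Max = 2 }
        @{ Path = '\Memory\Available MBytes';                       MinPctOfTotal = 10 }
        @{ Path = '\Memory\Pages/sec';                              Max = 1000 }
        @{ Path = '\Memory\Cache Bytes';                            Max = 300MB }
        @{ Path = '\Network Interface(*)\Bytes Total/sec';          Max = ($LinkBitsPerSec / 8 * 0.40) }
        @{ Path = '\Network Interface(*)\Output Queue Length';      Max = 2 }
        @{ Path = '\Paging File(_Total)\% Usage';                   Max = 10 }
    )

    $totalMB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB
    $data = Get-Counter -Counter $checks.Path -SampleInterval $IntervalSeconds `
                        -MaxSamples $Samples -ErrorAction SilentlyContinue

    foreach ($c in $checks) {
        # Sample paths carry a "\\host" prefix and lower case; -like is case-insensitive
        # and the "(*)" in wildcard instance paths doubles as the match wildcard.
        $samples = $data.CounterSamples | Where-Object { $_.Path -like "*$($c.Path)" }
        if (-not $samples) { continue }
        $avg = ($samples | Measure-Object -Property CookedValue -Average).Average

        if ($c.MinPctOfTotal) { $limit = $totalMB * $c.MinPctOfTotal / 100; $ok = $avg -ge $limit }
        elseif ($c.Min)       { $limit = $c.Min;                            $ok = $avg -ge $limit }
        else                  { $limit = $c.Max;                            $ok = $avg -le $limit }

        [pscustomobject]@{
            Counter   = $c.Path
            Average   = [math]::Round($avg, 3)
            Threshold = [math]::Round($limit, 3)
            Status    = if ($ok) { 'OK' } else { 'WARN' }
        }
    }
}

Get-VmHealthReport | Format-Table -AutoSize
```

A WARN on Pages/sec together with a WARN on Available MBytes points at memory pressure in the guest (add RAM or find the leak); a WARN on the disk latency counters with idle memory points at the datastore, which is where the host-level PowerCLI reports in items 1 and 2 take over.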
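The failover check in section F, drained node by node, can be scripted so it produces a pass/fail table rather than a manual browser test. This is an added example, not part of the original design document. It assumes the cluster VIP 172.19.0.10 (the design itself does not name one), that the NLB module is available where it runs (the W10 client with RSAT, or Data1), and that the IIS site returns the serving host's name in an X-Served-By response header, which is a one-line customHeader in IIS and is assumed here so the test can tell which node answered.

```powershell
# Added example (not from the original design document): the section F drain
# test as a script. Assumes VIP 172.19.0.10, the NLB module, and an X-Served-By
# response header carrying the node name (assumed IIS customHeader).
Import-Module NetworkLoadBalancingClusters

function Test-NlbFailover {
    param([string]$Vip = '172.19.0.10', [string]$ClusterHost = 'Data1', [int]$Requests = 10)

    $nodes = Get-NlbClusterNode -HostName $ClusterHost
    foreach ($node in $nodes) {
        # Drain: finish existing connections, accept no new ones, then stop the node.
        Stop-NlbClusterNode -HostName $node.Name -Drain | Out-Null

        $served = @{}
        $failed = 0
        foreach ($i in 1..$Requests) {
            try {
                $r = Invoke-WebRequest -Uri "http://$Vip/" -UseBasicParsing -TimeoutSec 5
                $by = $r.Headers['X-Served-By']
                if (-not $by) { $by = 'unknown' }
                $served[$by] = 1 + $served[$by]
            } catch { $failed++ }
        }

        # Bring the node back and give the cluster time to reconverge before the next drain.
        Start-NlbClusterNode -HostName $node.Name | Out-Null
        Start-Sleep -Seconds 15

        [pscustomobject]@{
            DrainedNode = $node.Name
            Failed      = $failed
            ServedBy    = ($served.Keys -join ',')
            # Pass only if every request succeeded and none was answered by the drained node.
            Result      = if ($failed -eq 0 -and -not $served.ContainsKey($node.Name)) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-NlbFailover | Format-Table -AutoSize
```

Because NLB is not application-aware, a second variant of the test that stops the W3SVC service on a node without draining it is worth running too: it will show requests failing or hanging, which is the behaviour the design has to accept or cover with an external health check.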
G. PROOF-OF-CONCEPT IMPLEMENTATION BUILD
Provide a separate screenshot of each implementation phase completed in the lab environment, including a brief explanation of the process. Note: you can complete each phase as you build your proof-of-concept solution in the lab environment. Please add sections as necessary if you have more than four phases.
G.1. PHASE 1
Provide a screenshot and a brief summary/title of the first implementation phase.
G.2. PHASE 2
Provide a screenshot and a brief summary/title of the second implementation phase.
G.3. PHASE 3
Provide a screenshot and a brief summary/title of the third implementation phase.
G.4. PHASE 4
Provide a screenshot and a brief summary/title of the fourth implementation phase.
**Please add additional sections as necessary.**