Virtual Infrastructure 3

Best Practices for a secure
Jeff Mayrand
Architecture Changes (General Overview)
- General Account Security
- VSWIF Security
- Web Security
- Monitoring / Security Toolkits
- VMware Virtual Appliances
Architecture Changes
- MUI removed from ESX Server
- Console and guest soft switches are visible; complete rewrite of networking
- VM Backup Proxy
- VMFS 3
General Account Security
- Use sudo and wheel groups to segment administrative functions.
- Create separate service accounts for operation of Virtual Center.
- Recommended administrative groups: VMAdmins, ESXAdmins.
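The segmentation the slide asks for only holds if no group or service account is quietly granted everything. The script below is an added example (not part of the deck and not VMware code): it parses a sudoers-style fragment for the service console and flags any grant that hands out unrestricted ("ALL") command access. The group names VMAdmins, ESXAdmins and wheel come from the deck; the command paths and the `svc_vc` service account in the constructed sample are assumptions.

```python
"""Least-privilege audit of a sudoers fragment (added example, not from the deck).

Reports every user/group specification whose command list is "ALL", which is
the one grant that defeats role segmentation. Aliases, Defaults lines and
comments are skipped; the sample fragment at the bottom is constructed.
"""
import re
from dataclasses import dataclass

# user-or-%group  host = (runas) [TAG:] command[, command...]
GRANT_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


@dataclass
class Grant:
    who: str          # user name, or %group
    runas: str        # identity the commands run as (root unless stated)
    nopasswd: bool    # NOPASSWD: tag present
    commands: list    # command paths, or ["ALL"]


def parse_sudoers(text: str) -> list:
    """Parse the user specifications of a sudoers fragment."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue                                  # not a grant line
        m = GRANT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {raw!r}")
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        grants.append(Grant(m.group("who"), m.group("runas") or "root",
                            "NOPASSWD" in tags, cmds))
    return grants


def audit(grants: list) -> list:
    """Return (who, reason) for every grant that breaks segmentation."""
    findings = []
    for g in grants:
        if "ALL" in g.commands:
            reason = "unrestricted commands"
            if g.nopasswd:
                reason += ", no password"
            if g.runas == "ALL":
                reason += ", any target user"
            findings.append((g.who, reason))
    return findings


# Constructed sample: role groups per the deck; command paths and the
# svc_vc service account are assumptions made for this example.
SAMPLE_SUDOERS = """\
%ESXAdmins  ALL = (root) /usr/sbin/esxcfg-vswitch, /usr/sbin/esxcfg-firewall
%VMAdmins   ALL = (root) /usr/bin/vmware-cmd
%wheel      ALL = (ALL) ALL
svc_vc      ALL = (root) NOPASSWD: ALL
"""


def audit_text(text: str = SAMPLE_SUDOERS) -> list:
    """Parse and audit in one step."""
    return audit(parse_sudoers(text))


if __name__ == "__main__":
    for g in parse_sudoers(SAMPLE_SUDOERS):
        print(f"{g.who:12} runas={g.runas:5} nopasswd={g.nopasswd} cmds={g.commands}")
    for who, reason in audit_text():
        print(f"FINDING {who}: {reason}")
```

Run against the constructed sample it reports `%wheel` and `svc_vc` and leaves the two role groups alone, which is the shape you want: the wheel group is the deliberate full-admin role, while a service account with `NOPASSWD: ALL` is exactly the grant to cut back to the handful of commands Virtual Center actually needs.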
Virtual Switch Overview
- Vswitch at its core is a layer 2 forwarding
- VLAN tagging / stripping / filtering units
- Very modular (3rd party add-ons)
- Part of Community Source
Virtual Switch vs Physical Switch: how is it similar?
- Maintains a MAC/port forwarding table.
- Supports VLAN segmentation per port.
- Supports copying packets to a mirror port (span port).
- Can be managed remotely by
Virtual Switch vs Physical Switch: how is it different?
- Direct channel from VNICs for control data (checksum / segmentation): a very wide control channel.
- Authoritative MAC filter updates.
- No IGMP snooping to learn multicast groups.
- No learning of unicast addresses.
- Ports can automatically enter mirror mode.
Vswitch Isolation: how to ensure no traffic leaks between vswitches?
- Switches are not cascaded, so there is no code sharing between them.
- Vswitches cannot share uplink ports.
- Each vswitch has its own forwarding table.
Vswitch Isolation: how to ensure guests cannot impact switch behavior?
- Vswitches cannot learn from the network to populate the forwarding table.
- Vswitches make a copy of the frame to prevent in-flight modification (wide control channel).
Vswitch Isolation: how to ensure frames are in the appropriate VLAN?
- VLAN data is carried outside the frame (wide control channel).
- The vswitch has no dynamic trunking.
- The vswitch has NO native VLAN support.
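The two isolation properties just listed (a forwarding table that is never learned from frames, and VLAN membership decided by the port rather than by anything in the frame) are easier to see side by side with the classic learning-switch behaviour. The model below is an added example, not VMware code and not taken from the deck: a toy learning switch next to a toy vswitch built the way the slides describe. Port names, MAC addresses and VLAN IDs are constructed; the `Frame` fields stand in for the out-of-band control data the deck calls the wide control channel.

```python
"""Toy model of vswitch isolation (added example, not VMware code).

LearningSwitch updates its table from the source address of every frame,
as a physical switch does. VSwitch follows the deck: its table comes only
from the VNIC configuration, and the VLAN a frame belongs to is a property
of the ingress port, carried outside the frame. All names and addresses
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    mac: str    # MAC the hypervisor assigned to this VNIC (authoritative)
    vlan: int   # VLAN of the port group the admin attached the port to


@dataclass(frozen=True)
class Frame:
    in_port: str   # out-of-band: which port handed the frame to the switch
    src: str       # source MAC as written in the frame
    dst: str       # destination MAC


class LearningSwitch:
    """Physical-switch behaviour: every frame's source MAC updates the table."""

    def __init__(self):
        self.table = {}

    def forward(self, f: Frame):
        self.table[f.src] = f.in_port   # learned from the wire
        return self.table.get(f.dst)


class VSwitch:
    """Deck's model: authoritative table, per-port VLAN, no learning."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.table = {p.mac: p.name for p in ports}   # never updated by frames

    def forward(self, f: Frame):
        """Return the list of egress ports for the frame."""
        vlan = self.ports[f.in_port].vlan   # taken from the port, not the frame
        out = self.table.get(f.dst)
        if out is None:
            # unknown unicast: flood inside the VLAN, learn nothing
            return [n for n, p in self.ports.items()
                    if p.vlan == vlan and n != f.in_port]
        if self.ports[out].vlan != vlan:
            return []                       # destination is in another VLAN: drop
        return [out]


PORTS = [Port("vm1", "00:50:56:00:00:01", 10),
         Port("vm2", "00:50:56:00:00:02", 10),
         Port("db1", "00:50:56:00:00:03", 20)]


def demo() -> dict:
    phys, virt = LearningSwitch(), VSwitch(PORTS)
    vm1, vm2, db1 = (p.mac for p in PORTS)
    phys.forward(Frame("vm1", vm1, vm2))          # normal traffic: vm1 learned on port vm1
    bogus = Frame("vm2", vm1, vm2)                # frame from vm2 whose source field claims vm1's MAC
    phys.forward(bogus)                           # learning switch now maps vm1's MAC to port vm2
    virt.forward(bogus)                           # vswitch table is untouched
    return {
        "phys_vm1_port": phys.table[vm1],                       # 'vm2': table poisoned
        "virt_vm1_port": virt.table[vm1],                       # 'vm1': still authoritative
        "cross_vlan": virt.forward(Frame("vm1", vm1, db1)),     # []: VLAN 10 -> VLAN 20 dropped
        "same_vlan": virt.forward(Frame("vm1", vm1, vm2)),      # ['vm2']
        "flood": virt.forward(Frame("vm1", vm1, "00:50:56:ff:ff:ff")),  # ['vm2'] only
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is what does not happen: on the vswitch the frame with a borrowed source address changes nothing, and a known destination in another VLAN is dropped even though the table knows exactly which port it sits on, because the VLAN decision never consults the frame.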
[Diagram: tiered network layout with labels App Public Tier, App Private Tier, Middle Tier, Data Tier, and a Management / Backup segment holding the RDP Client, Monitoring, Backup Server and Virtual Management Console]
Web Security
- Update and use SSL certificates on ESX hosts and on Virtual Center.
- The core is Apache, so check into all known Apache exploits.
- The MUI is removed from ESX hosts, which makes securing easier (less widespread).
Monitoring and Security Toolkits
- SNMP is the default monitoring access (OID masking, community strings).
- Security toolkits are available to help check for changes to available ports and for known-exploit validation: Network Security Toolkit Virtual Machine (Nagios, Nessus, ...).
- Common Vulnerabilities and Exposures (many false positives).
Virtual Appliances
- Know who's providing it to you!
- Isolate before you put it into production.
- Place extra effort on validating and monitoring after you put it in (rogue traffic, configuration changes, etc.).
WWW Resources