Virtual Infrastructure 3

Best Practices for a Secure Installation
Jeff Mayrand
Contents
• Architecture changes (general overview)
• General account security
• VSWIF security
• Web security
• Monitoring / security toolkits
• VMware virtual appliances

Architecture Changes
• MUI removed from ESX Server
• Console and guest soft switches are visible; complete rewrite of the network code
• VM Backup Proxy
• VMFS 3

General Account Security
• Use sudo and the wheel group to segment administrative functions.
• Create separate service accounts for operation of Virtual Center.
• Recommended administrative groups: VMAdmins, ESXAdmins.
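Added example, not from the deck: a sudoers fragment that puts the slide's two groups to work, with ESXAdmins limited to host configuration commands and VMAdmins limited to guest operations, while unrestricted root stays with wheel. The command paths are assumed ESX 3 service console locations; check them with `which` on the host before installing.

```shell
#!/bin/sh
# Added example, not from the deck: split service console administration
# between ESXAdmins (host configuration) and VMAdmins (guest operations).
# Command paths below are assumed ESX 3 locations; verify before use.

vi3_sudoers_fragment() {
    cat <<'EOF'
# Host configuration: networking, firewall, storage (ESXAdmins only)
Cmnd_Alias ESX_HOST  = /usr/sbin/esxcfg-vswitch, /usr/sbin/esxcfg-vswif, \
                       /usr/sbin/esxcfg-nics, /usr/sbin/esxcfg-firewall, \
                       /usr/sbin/vmkfstools
# Guest operations: power state, register/unregister, status
Cmnd_Alias ESX_GUEST = /usr/bin/vmware-cmd
# Full root remains with wheel; the two admin groups get only their aliases
%wheel      ALL=(ALL) ALL
%ESXAdmins  ALL=(root) ESX_HOST, ESX_GUEST
%VMAdmins   ALL=(root) ESX_GUEST
EOF
}

# Write the fragment with sudoers permissions and syntax-check it with
# visudo when available (returns visudo's status; 0 means it parses).
install_vi3_sudoers() {   # usage: install_vi3_sudoers OUTFILE
    vi3_sudoers_fragment > "$1"
    chmod 0440 "$1"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; $1 written but not syntax-checked" >&2
    fi
}

# Policy check before rollout: does GROUP's line grant CMND_ALIAS?
# Returns 0 when granted, 1 otherwise.
fragment_grants() {   # usage: fragment_grants GROUP CMND_ALIAS FILE
    grep -E "^%$1[[:space:]]" "$3" | grep -qw "$2"
}

# Print the fragment when the script is run directly
vi3_sudoers_fragment
```

Merge the fragment into /etc/sudoers through visudo (or an include file where the host's sudo version supports one), then confirm with `sudo -l` as a member of each group that VMAdmins cannot reach the host configuration commands.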

Virtual Switch Overview
• The vswitch at its core is a layer 2 forwarding engine.
• VLAN tagging / stripping / filtering units
• Very modular (third-party add-ons)
• Part of Community Source

Virtual Switch vs Physical Switch: how is it similar?
• Maintains a MAC-to-port forwarding table.
• Supports VLAN segmentation per port.
• Supports copying packets to a mirror (SPAN) port.
• Can be managed remotely by an administrator.

Virtual Switch vs Physical Switch: how is it different?
• Direct channel from the VNICs for control data (checksum / segmentation): a very wide control channel.
• Authoritative MAC filter updates.
• No IGMP snooping to learn multicast group membership.
• No learning of unicast addresses.
• Ports can automatically enter mirror mode.

Vswitch Isolation: how to ensure no traffic leaks between vswitches?
• Switches are not cascaded, so there is no code sharing between them.
• Vswitches cannot share uplink ports.
• Each vswitch has its own forwarding table.

Vswitch Isolation: how to ensure guests cannot impact switch behavior?
• Vswitches cannot learn from the network to populate the forwarding table.
• Vswitches make a copy of each frame to prevent in-flight modification (wide control channel).

Vswitch Isolation: how to ensure frames are in the appropriate VLAN?
• VLAN data is carried outside the frame (wide control channel).
• The vswitch has no dynamic trunking.
• The vswitch has NO native VLAN support.

[Diagram: VSWIF layout. VSWIF0 - CON (service console); VSWIF1 App Public Tier; VSWIF2 App Private Tier; VSWIF3 Middle Tier; VSWIF4 Data Tier. Management / Backup segment: ISA, RDP client, monitoring, backup server, Virtual Management Console, VMotion.]
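Added example, not from the deck: a small audit that checks a port-group layout against the isolation properties the slides list (vswitches never share uplink ports; the console and VMotion keep a vswitch to themselves; guest tiers are separated by vswitch or VLAN), using the tier names from the diagram. The inventory format is constructed for the example (vswitch, port group, VLAN ID, uplink); it is not esxcfg-vswitch output, so populate it from your own host inventory.

```shell
#!/bin/sh
# Added example, not from the deck: audit a constructed port-group inventory
# against the isolation rules the slides state. Format (constructed):
#   <vswitch> <port group> <VLAN ID> <uplink>

# Constructed layout following the diagram: console and VMotion on their own
# vswitch, one vswitch per tier, one uplink per vswitch.
GOOD_INVENTORY='vSwitch0 ServiceConsole 0 vmnic0
vSwitch0 VMotion 50 vmnic0
vSwitch1 AppPublicTier 10 vmnic1
vSwitch2 AppPrivateTier 20 vmnic2
vSwitch3 MiddleTier 30 vmnic3
vSwitch4 DataTier 40 vmnic4'

# Constructed layout with two faults: a guest tier on the console vswitch,
# and vmnic1 claimed by two vswitches.
BAD_INVENTORY='vSwitch0 ServiceConsole 0 vmnic0
vSwitch0 AppPublicTier 10 vmnic0
vSwitch1 MiddleTier 30 vmnic1
vSwitch2 DataTier 40 vmnic1'

# 0 if no uplink is listed under more than one vswitch.
uplinks_unique() {
    printf '%s\n' "$1" | awk '
        ($4 in owner) && owner[$4] != $1 { bad++ }
        { owner[$4] = $1 }
        END { exit (bad ? 1 : 0) }'
}

# 0 if a vswitch carrying ServiceConsole or VMotion carries no guest port group.
console_isolated() {
    printf '%s\n' "$1" | awk '
        { sw[NR] = $1; pg[NR] = $2 }
        $2 == "ServiceConsole" || $2 == "VMotion" { mgmt[$1] = 1 }
        END {
            for (i = 1; i <= NR; i++)
                if ((sw[i] in mgmt) && pg[i] != "ServiceConsole" && pg[i] != "VMotion")
                    bad++
            exit (bad ? 1 : 0)
        }'
}

# 0 if no two guest port groups share both a vswitch and a VLAN ID.
tiers_separated() {
    printf '%s\n' "$1" | awk '
        $2 != "ServiceConsole" && $2 != "VMotion" {
            key = $1 ":" $3
            if (key in seen) bad++
            seen[key] = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Run all three checks, print a verdict per check, return 0 only if all pass.
audit_inventory() {   # usage: audit_inventory "$INVENTORY"
    rc=0
    for check in uplinks_unique console_isolated tiers_separated; do
        if "$check" "$1"; then
            echo "$check: ok"
        else
            echo "$check: FAIL"
            rc=1
        fi
    done
    return $rc
}

echo "== good layout =="; audit_inventory "$GOOD_INVENTORY"
echo "== bad layout ==";  audit_inventory "$BAD_INVENTORY"
```

The checks are deliberately coarse: a guest tier sharing a vswitch with the console is reported even if it sits on a different VLAN, because the diagram keeps management traffic on its own switch rather than relying on VLAN separation alone.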
Web Security
• Update and use SSL certificates on ESX hosts and on Virtual Center.
• The core is Apache, so check all known Apache exploits.
• The MUI has been removed from ESX hosts, which makes securing them easier and the exposure less widespread.
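Added example, not from the deck: an openssl-based check of the certificate an ESX host presents, flagging the two conditions behind the first bullet (the installer's self-signed certificate still in place, or a certificate close to expiry), plus a helper that produces the key and CSR for a CA-issued replacement. The certificate path /etc/vmware/ssl/rui.crt is assumed for ESX 3; override CERT if your host differs.

```shell
#!/bin/sh
# Added example, not from the deck: inspect an ESX host certificate with
# openssl and prepare a CA-issued replacement. CERT path is assumed for ESX 3.

CERT="${CERT:-/etc/vmware/ssl/rui.crt}"

# 0 if issuer equals subject (self-signed, as the installer default is).
cert_is_self_signed() {   # usage: cert_is_self_signed CERTFILE
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# 0 if the certificate is still valid DAYS days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERTFILE DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Generate a private key and CSR for the host's FQDN, ready to submit to
# the organisation's CA; the key is kept readable by root only.
make_replacement_csr() {   # usage: make_replacement_csr FQDN OUTDIR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/rui.key" -out "$2/rui.csr" 2>/dev/null
    chmod 0400 "$2/rui.key"
}

# Print findings for the installed certificate.
report() {
    if cert_is_self_signed "$CERT"; then
        echo "$CERT: self-signed; replace with a CA-issued certificate"
    fi
    if ! cert_valid_for_days "$CERT" 30; then
        echo "$CERT: expires within 30 days"
    fi
}

if [ -r "$CERT" ]; then report; fi
```

Run `report` from the service console on each host and on the Virtual Center server (with CERT pointed at its certificate); after installing the signed certificate, restart the management service and re-run the check to confirm the issuer is now the CA.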

Monitoring and Security Toolkits
• SNMP is the default monitoring access (OID masking, community strings).
• Security toolkits are available to help check for changes to available ports and to validate known exploits, e.g. the Network Security Toolkit virtual machine (Nagios, Nessus, Nmap).
• Common Vulnerabilities and Exposures (many false positives).
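Added example, not from the deck: a hardened snmpd.conf fragment that applies the two SNMP controls the slide names (a non-default community string bound to one monitoring host, and an OID view that masks everything outside the system and interface subtrees), with a checker that flags the weak settings. The syntax is net-snmp's snmpd.conf, assumed to be what the service console's snmpd reads; the addresses and community string are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: hardened snmpd.conf fragment (net-snmp
# syntax, assumed for the service console) and a checker for weak settings.
# Host address and community string are constructed values.

hardened_snmpd_conf() {
    cat <<'EOF'
# OID masking: the view exposes only the system and interfaces groups
view vi3mon included .1.3.6.1.2.1.1
view vi3mon included .1.3.6.1.2.1.2
# Read-only, non-default community, answered only for the monitoring host
rocommunity Z9fq2-constructed 10.0.0.5 -V vi3mon
EOF
}

# Constructed weak configuration: vendor-default communities, write access,
# any source host, no view restriction.
WEAK_SNMPD_CONF='rocommunity public
rwcommunity private'

# Print one finding per weak community line; return 0 only when clean.
check_snmpd_conf() {   # usage: check_snmpd_conf FILE
    awk '
        /^[ \t]*#/ { next }
        $1 == "rwcommunity" || $1 == "rwcommunity6" {
            print "write community enabled: " $0; bad++ }
        ($1 ~ /^r[ow]community6?$/) && ($2 == "public" || $2 == "private") {
            print "default community string: " $0; bad++ }
        ($1 ~ /^r[ow]community6?$/) && ($3 == "" || $3 == "default") {
            print "community open to any source host: " $0; bad++ }
        ($1 ~ /^r[ow]community6?$/) && $0 !~ /-V[ \t]/ {
            print "no OID view restriction: " $0; bad++ }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone run: show the hardened fragment, then check both variants.
hardened_snmpd_conf > /tmp/vi3-snmpd.good.conf
printf '%s\n' "$WEAK_SNMPD_CONF" > /tmp/vi3-snmpd.weak.conf
echo "== hardened =="; check_snmpd_conf /tmp/vi3-snmpd.good.conf && echo "clean"
echo "== weak ==";     check_snmpd_conf /tmp/vi3-snmpd.weak.conf || echo "findings above"
rm -f /tmp/vi3-snmpd.good.conf /tmp/vi3-snmpd.weak.conf
```

Pair the restricted view with the firewall on the service console so UDP 161 is reachable only from the monitoring host, and treat any finding from the checker on a production host as a configuration change worth investigating.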

Virtual Appliances
• Know who's providing it to you!
• Isolate it before you put it into production.
• Put extra effort into validating and monitoring after you put it in (rogue traffic, configuration changes, etc.).

WWW Resources
• http://www.vmguru.com/
• http://www.vmware.com/vmtn/technology/security/
• http://vmprofessional.com/
