Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Virtual Infrastructure 3

advertisement 
Virtual Infrastructure 3
Best Practices for a secure
installation.
Jeff Mayrand
Contents
Architecture changes (General Overview)
 General Account Security
 VSWIF Security
 Web Security
 Monitoring / Security Toolkits
 VMware Virtual Appliances

Architecture Changes
MUI Removed From ESX Server
 Console and Guests Soft Switches are
Visible - Complete ReWrite of Network
Code
 VM Backup Proxy
 VMFS 3

General Account Security
Do use SUDO and Wheel Groups to
segment administrative functions.
 Create separate service accounts for
operation of Virtual Center
 Recommended administrative groups
(VMAdmins, ESXAdmins)

Virtual Switch Overview
Vswitch at its core is a layer 2 forwarding
engine.
 VLAN Tagging / Stripping / Filtering Units
 Very Modular (3rd Party Addons)
 Part of Community Source

Virtual Switch vs Physical Switch
How is it the similar?
Maintains MAC Port forwarding table.
 Support VLAN segmentation per port.
 Supports copying packets to mirror port
(span port)
 Can be managed remotely by
administrator.

Virtual Switch vs Physical Switch
How is it different?
Direct channel from VNIC’s for control
data (Checksum / segmentation) Very
wide control channel.
 Authoritative MAC filler updates.




No IGMP Snooping to learn multicast group
membership.
No learning of unicast addresses.
Ports can automatically enter mirror mode.
Vswitch Isolation – How to ensure no
traffic leaks between vswitches?
Switches are not cascaded so no code
sharing between.
 Vswitches cannot share uplink ports.
 Each vswitch has its own forwarding table

Vswitch Isolation – How to ensure
guests cannot impact switch behavior?
Vswitches cannot learn from the network
to populate the forwarding table.
 Vswitches make copy of frame to prevent
inflight modification (wide control channel)

Vswitch Isolation – How to ensure
frames are in appropriate VLAN?
VLAN data carried outside frame. (wide
control channel)
 Vswitch has no dynamic trunking.
 Vswitch has NO native VLAN support.

VSWIF1
App Public Tier
ISA
RDP Client Monitoring Backup Server
Management / Backup
Virtual Management Console
Vmotion
VSWIF2
App Private Tier
VSWIF3
Middle Tier
VSWIF4
Data Tier
VSWIF0 - CON
Web Security
Update and use SSL certificates on ESX
hosts and on Virtual Center
 Core is Apache so check into all know
apache exploits.
 MUI removed from ESX hosts which
makes securing easier less widespread.

Monitoring and Security Toolkits
SNMP is default monitoring access. (OID
Masking, Community Strings)
 Security toolkits are available for helping
check for changes to available ports and
known exploit validation. Network Security
Toolkit Virtual Machine (Nagios, Nessus,
Nmap)
 Common Vulnerabilities and Exposures
(Many false positives)

Virtual Appliances
Know who’s providing it to you!
 Isolate before you put into production.


Place extra effort to validate and monitor after
you put in. (Rogue traffic, configuration
changes, etc)
WWW Resources
http://www.vmguru.com/
 http://www.vmware.com/vmtn/technology
/security/
 http://vmprofessional.com/

Related documents
PPTX - Open vSwitch
PPTX - Open vSwitch
VMWARE VSPHERE 5 - PART 1: CONFIGURING AND MANAGING
VMWARE VSPHERE 5 - PART 1: CONFIGURING AND MANAGING
View the slides
View the slides
07-WAS Firewalls and Port Forwarding
07-WAS Firewalls and Port Forwarding
NIC Teaming
NIC Teaming
Screen Tour - Hetnet Software
Screen Tour - Hetnet Software
Wireless Hacking Made Easy - Ernest Staats Network Security
Wireless Hacking Made Easy - Ernest Staats Network Security
UK Visas: a guide to successful applications
UK Visas: a guide to successful applications
- Brocade
- Brocade
Configuring Trunk Ports on 1900 and 2950 Switches
Configuring Trunk Ports on 1900 and 2950 Switches
Effective Vocabulary Instruction K
Effective Vocabulary Instruction K
Document
Document
Download
advertisement