Compliance Ready Lab Build Guide—HIPAA Version

Contents
Overview
Security Application Zone (Runs on): Requirements; Segmentation/firewall
ESXi Host Security: ESXi Host Firewall; Configure NTP Time Synchronization For ESXi Host; Lockdown Mode; Set DCUI (Direct Console UI) Access; Remote Syslog/Logging; Disable MOB (Managed Object Browser); Zero-Out VMDK (before deletion); Create A Non-Root Local Admin Account; Configure Host Profile
vSwitch Security: Reject “Promiscuous Mode”; Reject “MAC Address Changes”; Reject “Forged Transmits”
Network Security: Firewall internal; Allowed ports for management; Firewall external
SECURITY MANAGEMENT: vCloud Networking And Security (vCNS)
vShield Manager: vShield Manager Installation
vShield App: Flow Monitoring; App Firewall; vShield App Fail Safe Setting; vShield App Exclusion List; vShield App Installation; Example Of vShield App Firewall Blocking Rule
vShield Edge: vShield Edge Installation; vShield Edge Gateway And Isolated Network Configuration
vShield Endpoint: vShield Endpoint Installation; Testing Requirements
vShield Data Security: vShield Data Security Installation; vShield Data Security Policy; Testing Requirements
BMC Server Automation: BSA Architecture (Client Tier; Server Tier; Middle Tier); Installation (BSA Database Server; BSA File Server Agent; BSA Application Server; BSA GUI Console; BSA Compliance Module); Testing Requirement (Setting Discovery Job; Setting Policy-Based Compliance Audit)
BMC BladeLogic Decision Support For Server Automation: Installation; Testing Requirement
BMC BladeLogic Atrium Integration: BSA Atrium Integration Diagram; Installation; Testing Requirement; Customizing Data Mapping Between BSA And CMDB; Transferring Business Service Data from Atrium CMDB to BSA
Configuration And Testing
Denial Of Service
DATA PROTECTION–ENCRYPTION: Encryption In Flight; Encryption At Rest
VULNERABILITY ASSESSMENT: Intrusion Detection; Deep Packet Inspection
Data Leak Prevention: Data Loss Prevention/Data Loss Protection; vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION: Virus Scanning; vCNS vShield Endpoint And VMware Partner’s AntiVirus And AntiMalware Software
Configuration And Patch Management: Integrated Solution; SupernaNet.Connect; VCE Vision™ Intelligent Operations; VMware vCenter; BMC CMDB; Manual Tagging For Compliant CIs (vCenter Inventory Tagging; BMC CMDB Tagging); Automatic Tagging For Compliant CIs (SupernaNet.Connect Mapping File Monitoring)
IDENTITY AND ACCESS MANAGEMENT: LoginTC For OpenVPN; LoginTC Cloud Domain; LoginTC Radius Connector; OpenVPN; LDAP User
Data protection–backup/restore/replication
Configuration And Patch Management: Auto Deploy Installation
VMWare vSphere 5.1 Compliance–HIPAA
§ 164.306 Security Standards: General Rules
§ 164.308 Administrative Safeguards
Security Management Process (§ 164.308(a)(1)): Key Activities: Conduct Risk Assessment; Develop And Deploy The Information System Activity Review Process; Develop Appropriate Standard Operating Procedures (each with Technical Implementations)
Information Access Management (§ 164.308(a)(4)): Key Activities: Implement Policies And Procedures For Authorizing Access; Technical Implementation
Security Awareness and Training (§ 164.308(a)(5)): Implementation Specification: Protection From Malicious Software; Technical Implementation
§ 164.310 Physical Safeguards
Device And Media Controls (§ 164.310(d)(1)): Key Activities: Implement Methods For Final Disposal of EPHI; Develop And Implement Procedures For Reuse Of Electronic Media (each with Technical Implementations)
§ 164.312 Technical Safeguards
Access Control (§ 164.312(a)(1)): Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users; Identify Technical Access Control Capabilities; Ensure That All System Users Have Been Assigned A Unique Identifier; Implement Access Control Procedures Using Selected Hardware And Software (Description); Review And Update User Access; Terminate Access If It Is No Longer Required (each with Technical Implementations)
Audit Controls (§ 164.312(b)) - Future In Scope - Security Partner: Key Activities: Determine The Activities That Will Be Tracked Or Audited; Select The Tools That Will Be Deployed For Auditing And System Activity Reviews (each with Technical Implementations)
Integrity (§ 164.312(c)(1)): Key Activities: Mechanism To Authenticate Electronic Protected Health Information; Technical Implementations
Person Or Entity Authentication (§ 164.312(d)): Key Activities: Determine Authentication Applicability To Current Systems/Applications; Evaluate Authentication Options Available (each with Technical Implementation)
References

Overview
This document serves as the master design document for all areas of the design. It is designed to allow ISVs to design their product into a functional area. The scope of the phase I design is shown in Figure 1.

Security Application Zone (Runs on)
Application deployments will follow a deployment method that ensures that a secure network is in place between the virtual machines that need to communicate. Applications that adhere to best practices will follow the requirements below for deployment in the test bed.

Requirements
1. Must support one or the other deployment option for VM-to-VM communications.

Segmentation/firewall
vSphere uses Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide remote attestation of the hypervisor image based on a hardware root of trust.
The hypervisor image comprises the following elements:
■ ESXi software (hypervisor) in VIB (package) format
■ Third-party VIBs
■ Third-party drivers
To leverage this capability, your ESXi system must have TPM and TXT enabled.
1. Enable TPM and document
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-E9B71B85FBA3-447C-8A60-DEE2AE1A405A.html

Cisco Trusted Platform Module
The Cisco Trusted Platform Module (TPM) is a computer chip that securely stores artifacts such as measurements, passwords, certificates, or encryption keys that are used to authenticate the Vblock™ Systems. The Cisco TPM provides authentication and attestation services that enable safer computing in all environments. The Cisco TPM module is available by default in Vblock Systems as a component within the Cisco UCS M3 Blade Servers, and is shipped disabled. For more information, refer to the VCE Vblock™ Systems Blade Packs Reference. Refer to Accessing VCE documentation. VCE supports the Cisco TPM hardware but does not support the Cisco TPM functionality. Using Cisco TPM features involves using a software stack from a vendor with significant domain experience in trusted computing. Consult your software stack vendor for configuration and operational considerations relating to the Cisco TPMs.

ESXi Host Security

ESXi Host Firewall
ESXi includes a firewall between the management interface and the network. The firewall is enabled by default. This ESXi firewall provides a new access control capability for ESXi. We need to configure this ESXi host firewall to restrict access to services running on the host. Some important points about the ESXi 5.x firewall:
• ESXi 5.x has a new firewall engine that is not based on iptables.
• The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
• The firewall is service oriented.
• Access to specific services can be restricted based on IP address/subnet mask.
• There is Host Profile support for the ESXi 5.x firewall.
• A new ESXCLI interface (esxcfg-firewall) is available in ESXi 5.x.
We can configure firewall properties to allow or deny access for a service or management agent. We can also specify which networks are allowed to connect to each service that is running on the host. Specify the startup policy: set the service or client startup option (automatically, manually, or start and stop with host).
Fig.2 ESXi Host Security Profile
Fig.3 ESXi Host Firewall

Configure NTP Time Synchronization For ESXi Host
By ensuring that all systems synchronize to the time standard, we make it simpler to track and correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. We need to set the time configuration of the host to point to the NTP server (specify its IP address) and start the service. It is recommended to synchronize the ESXi clock with a time server located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall.

Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. Lockdown limits ESXi host access to the vCenter server. This ensures that the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Note: Lockdown mode does not apply to users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Note that users listed in the DCUI.Access directory for each host are allowed to override lockdown mode and log in to the DCUI. By default the "root" user is the only user listed in the DCUI.Access list.

Set DCUI (Direct Console UI) Access
DCUI.Access is set so that only trusted users can override lockdown mode. Lockdown disables direct host access, requiring admins to manage hosts from vCenter. However, if a host becomes isolated from vCenter, the admin would be locked out and unable to manage the host. To avoid potentially becoming locked out of an ESXi host that is running in lockdown mode, set DCUI.Access to a list of highly trusted users that are allowed to override lockdown mode and access the DCUI.

Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining information about breaches of host security. Remote logging to a central log host provides a secure, centralized store for ESXi logs. To facilitate this we can use the vSphere Syslog Collector tool. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. For security purposes we can aggregate analysis and search to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.

Disable MOB (Managed Object Browser)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it also enables configurations to be changed. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method to obtain information about a host being targeted for unauthorized access. MOB cannot be disabled while the host is in lockdown mode, so disable MOB before placing the host in lockdown mode.

Zero-Out VMDK (before deletion)
To help prevent sensitive data in VMDK files from being read off the physical disk after deletion, the virtual disk should be zeroed out prior to deletion. This makes it more difficult for someone to reconstruct the contents of the VMDK file. The CLI command 'vmkfstools --writezeroes' can be used to write zeros to the entire contents of a VMDK file prior to its deletion.

Create A Non-Root Local Admin Account
ESXi 5.1 allows the creation of individual local user accounts. Being able to create individual local user accounts on ESXi hosts eliminates the need to share or use the “root” account and password. This approach helps mitigate one of the most common security risks and facilitates better auditing and traceability on the ESXi hosts.

Configure Host Profile
Monitoring Changes To The Configuration
Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of ESXi hosts. Host profiles provide an automated method for monitoring host configurations against an established template and for providing notification when deviations are detected.

vSwitch Security

Reject “Promiscuous Mode”
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all the packets. By default, guest adapters are set to non-promiscuous mode. The promiscuous mode security policy can be defined at the virtual switch or port group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID92F3AB1F-B4C5-4F25-A010-8820D7250350.html

Reject “MAC Address Changes”
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. The Reject “MAC Address Changes” setting prevents VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of such an application is Microsoft Clustering, which requires systems to effectively share a MAC address. It will also affect how a layer-2 bridge operates, and applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html

Reject “Forged Transmits”
By default the “forged transmits” setting is set to “Accept.” This means that the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to “Reject.”
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID7DC6486F-5400-44DF-8A62-6273798A2F80.html
Fig.4 vSwitch Security

Network Security

Firewall internal
To safeguard the virtual machines’ resources, the system administrator lowers the risk of DoS and DDoS attacks by configuring a resource reservation and a limit for each virtual machine. The system administrator further protects the ESXi host and virtual machines by installing software firewalls at the front and back ends of the DMZ, ensuring that the host is behind a physical firewall, and configuring the networked storage resources so that each has its own virtual switch.
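The host firewall and vSwitch security settings above are set by hand in the vSphere Client, and Host Profiles are the guide's way to catch drift. As an added example (not part of this guide), the Python script below audits the command-line view of the same settings: it parses constructed text in the style of the ESXi 5.x esxcli firewall ruleset, allowed-IP and vSwitch security-policy listings, and reports rulesets enabled beyond a baseline, inbound management services left open to all networks, and any vSwitch policy still on Accept. The ruleset names, the 10.10.0.0/24 management subnet and the exact output layout are assumptions.

```python
"""Audit an ESXi 5.x host against the host-firewall and vSwitch security
baseline from this guide: only expected firewall rulesets enabled, inbound
management services restricted to the management subnet, and the three
vSwitch security policies set to Reject.

The input is constructed text in the style of
  esxcli network firewall ruleset list
  esxcli network firewall ruleset allowedip list
  esxcli network vswitch standard policy security get -v vSwitch0
Exact column layout and ruleset names are assumptions made for this example.
"""
import re

# Rulesets the lab baseline expects enabled on the management network.
BASELINE_ENABLED = {
    "dnsClient", "dhcpClient", "ntpClient", "syslog", "vpxHeartbeats",
    "CIMHttpsServer", "vSphereClient",
}
# Inbound management services that must be limited to the management subnet.
INBOUND_MGMT = {"sshServer", "vSphereClient", "CIMHttpsServer", "snmp"}
MGMT_SUBNET = "10.10.0.0/24"   # assumed management network for the sample

SAMPLE_RULESETS = """\
Name                  Enabled
--------------------  -------
sshServer                true
sshClient               false
dnsClient                true
dhcpClient               true
ntpClient                true
syslog                   true
vpxHeartbeats            true
CIMHttpsServer           true
vSphereClient            true
nfsClient                true
"""

SAMPLE_ALLOWED_IPS = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
CIMHttpsServer  All
vSphereClient   10.10.0.0/24
"""

SAMPLE_VSWITCH_POLICY = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""


def parse_two_columns(text):
    """Parse an esxcli-style two-column table (header, dashed line, rows)."""
    rows = {}
    for line in text.splitlines()[2:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows[parts[0]] = parts[1].strip()
    return rows


def parse_security_policy(text):
    """Return {'Allow Promiscuous': bool, ...} from the key: value block."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Allow [A-Za-z ]+?):\s*(true|false)\s*$", line)
        if m:
            policy[m.group(1)] = (m.group(2) == "true")
    return policy


def firewall_findings(ruleset_text, allowed_ip_text):
    """Findings for enabled-but-unexpected rulesets and for inbound
    management services that are not restricted to the management subnet."""
    enabled = {n for n, v in parse_two_columns(ruleset_text).items()
               if v.lower() == "true"}
    allowed = parse_two_columns(allowed_ip_text)
    findings = []
    for name in sorted(enabled - BASELINE_ENABLED):
        findings.append(f"{name}: enabled but not in baseline")
    for name in sorted(enabled & INBOUND_MGMT):
        # A ruleset absent from the allowedip listing is treated as "All".
        if allowed.get(name, "All") == "All":
            findings.append(f"{name}: open to all networks, "
                            f"restrict to {MGMT_SUBNET}")
    return findings


def vswitch_findings(policy_text):
    """Any 'Allow ...: true' contradicts the Reject baseline."""
    return [f"{k}: set to Accept, should be Reject"
            for k, v in parse_security_policy(policy_text).items() if v]


if __name__ == "__main__":
    for f in firewall_findings(SAMPLE_RULESETS, SAMPLE_ALLOWED_IPS):
        print("FIREWALL", f)
    for f in vswitch_findings(SAMPLE_VSWITCH_POLICY):
        print("VSWITCH", f)
```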
DMZ setup: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-A309590AFFFC-45FF-95AD-43242F58D6B4.html

Allowed ports for management
This is the list of predetermined TCP and UDP ports used by vCenter, ESXi hosts and other network components. Some ports are open by default at installation time, as indicated in this table by “(Default).” Depending on our requirements and security reasons we can configure the firewall to allow or reject access to those TCP and UDP ports.

Port | Purpose | Traffic Type
22 | SSH Server | Incoming TCP
53 (Default) | DNS Client | Incoming and outgoing UDP
68 (Default) | DHCP Client | Incoming and outgoing UDP
161 (Default) | SNMP Server | Incoming UDP
80 (Default) | HTTP access. The default non-secure TCP Web port typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443). vSphere Fault Tolerance (FT) (outgoing TCP, UDP). WS-Management | Incoming TCP; outgoing TCP, UDP
111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP
123 | NTP Client | Outgoing UDP
135 (Default) | Used to join vCenter Virtual Appliance to an Active Directory domain | Incoming and outgoing TCP
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers | Incoming and outgoing UDP
443 (Default) | HTTPS access. vCenter Server access to ESXi hosts. Default SSL Web port. vSphere Client access to vCenter Server. vSphere Client access to ESXi hosts. WS-Management. vSphere Client access to vSphere Update Manager. Third-party network management client connections to vCenter Server. Third-party network management clients access to hosts | Incoming TCP
513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP
902 (Default) | Host access to other hosts for migration and provisioning. Authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd). vSphere Client access to virtual machine consoles (UDP). Status update (heartbeat) connection from ESXi to vCenter Server | Incoming and outgoing TCP, outgoing UDP
903 | Remote console traffic generated by user access to virtual machines on a specific host. vSphere Client access to virtual machine consoles. MKS transactions (xinetd/vmware-authd-mks) | Incoming TCP
1234, 1235 (Default) | vSphere Replication | Outgoing TCP
2049 | Transactions from NFS storage devices. This port is used on the VMkernel interface | Incoming and outgoing TCP
3260 | Transactions to iSCSI storage devices | Outgoing TCP
5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP
5988 (Default) | CIM transactions over HTTP | Incoming TCP
5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP
8000 (Default) | Requests from vMotion | Incoming and outgoing TCP
8009 | AJP connector port for vCenter Virtual Appliance communication with Tomcat | Outgoing TCP
8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP
8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP, incoming and outgoing UDP
9009 | Used to allow a vCenter Virtual Appliance to communicate with the vSphere Web Client | Incoming and outgoing TCP

Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-ECEA77F5D38E-4339-9B06-FF9B78E94B68.html

Firewall external
More:
http://www.vmware.com/go/compliance
http://www.vmware.com/go/security/
http://www.vmware.com/go/vmsafe/ (information about VMsafe technology for protection of virtual machines, including a list of partner solutions)

SECURITY MANAGEMENT

vCloud Networking and Security (vCNS)
vCNS provides basic networking and security functionality for virtualized compute environments, built using the VMware vCloud® Suite. It provides a broad range of services delivered through virtual appliances, such as a virtual firewall, virtual private network (VPN), load balancing, NAT, DHCP, and VXLAN-extended networks.
Components of vCNS:
1. vShield Manager
2. vShield App
3. vShield Edge
4. vShield Endpoint
5. vShield Data Security

vShield Manager
vShield Manager is the central point of control for all vShield solutions and integrates seamlessly with VMware vCenter to offer role-based access control and administrative delegation in a unified framework for managing virtualization security.
Fig.5 vShield Manager Web Interface
Fig.6 vShield integrated with VMware vCenter

vShield Manager Installation
Procedure
1. Log in to the vSphere Client and deploy the vShield Manager from the OVA file.
2. Once the installation has completed, the vShield Manager is installed as a virtual machine in our vSphere inventory.
3. Power on the vShield Manager virtual machine.
4. Log in to the vShield Manager virtual console and set the IP address.
5. Log in to the Web GUI for further configuration (vCenter, SSO/Lookup Server, DNS, NTP settings).
6. Log in to the vSphere Client and select the ESX host where the vShield Manager resides. Verify that vShield appears as a tab. You can then install and configure vShield components from this vSphere Client.

vShield App
A hypervisor-based firewall that protects applications in the virtual data center from network-based attacks. vShield App provides a stateful inspection firewall that is applied at the virtual network interface card (vNIC) level directly in front of specific workloads. vShield App needs to be installed on each ESXi host where the VMs it is to protect reside. For example, install vShield App on each ESXi host in a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion. The System Status option lets us view the health of a vShield App. Details include system statistics, status of interfaces, software version, and environmental variables.
Fig.7 vShield App Status
There are two main components provided by vShield App: Flow Monitoring and App Firewall.

Flow Monitoring
Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on our virtual network that passed through a vShield App. The Flow Monitoring output defines which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports being used. Session details can be used to create firewall allow or block rules.
Fig.8 vShield App Flow Monitoring

App Firewall
The App Firewall service is a centralized firewall for ESX hosts. App Firewall enables us to create rules that allow or block access to and from our virtual machines. Each installed vShield App enforces the App Firewall rules. An example of the basic rule that allows everything is shown in the following figure:
Fig.9 vShield App Firewall

vShield App Fail-Safe Setting
By default, traffic is blocked when the vShield App appliance fails or is unavailable. We can change the fail-safe mode to allow traffic to pass. Refer to the figure below.

vShield App Exclusion List
We can exclude a set of virtual machines from vShield App protection. This exclusion list is applied across all vShield App installations within the specified vShield Manager. The vShield Manager and service virtual machines are automatically excluded from vShield App protection. We should exclude the vCenter server and partner service virtual machines as well to allow traffic to flow freely.
Fig.10 vShield app fail-safe and exclusion list

vShield App Installation
Notes: If the vCenter Server or vCenter Server database virtual machines are on the ESX host on which we are installing vShield App, we need to migrate them to another host before installing vShield App. During the installation process, this warning will be highlighted (“Do not install on a host or cluster where the VC or vShield Manager reside.”). Refer to the figure below.
Fig.11 vShield App Installation Process
Procedure:
1. Log in to the vSphere Client and select an ESX host from the inventory tree.
2. Click the vShield tab and then click Install for the vShield App service.
3. Under vShield App, provide the following information: Datastore, Management Port Group, IP Address, Netmask, and Default Gateway.
4. Click Install.

Example Of vShield App Firewall Blocking Rule
For example, if we want to block a VM from the SSH service, we set a firewall rule to block the SSH traffic from that VM.
Fig.12 Set the firewall blocking rule
Test this by trying to create an SSH session from the VM => Error
Fig.13 SSH service is blocked
vShield App Flow Monitoring detects that blocked SSH flow.
Fig.14 Flow monitoring detects blocked traffic
Fig.15 Flow monitoring provides the details about the blocked traffic

vShield Edge
Provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. vShield Edge provides a stateful inspection firewall that is applied at the perimeter of the virtual data center.

vShield Edge Installation
1. Log in to the vSphere Client and select the Network Virtualization tab on the data center resource from the inventory tree.
2. Click Edges and then click Add to add the vShield Edge.
3. Type a name for the vShield Edge VM.
4. Set the CLI user name and password. You can also enable SSH access if required.
5. Add the Edge Appliance.
6. Add Interfaces (Internal and Uplink Interfaces). Configure Subnets.
7. Configure the Default Gateway.
8. Configure the Default Firewall Policy.
9. Install the vShield Edge.

vShield Edge Gateway And Isolated Network Configuration
Once the vShield Edge has been installed, you can check its status.
Fig.16 vShield Edge status
To create the gateway service for an isolated network you need to configure the uplink and internal interfaces of the vShield Edge. vShield Edge will act as the gateway between private and public networks.
Fig.17 vShield Edge connectivity diagram
Fig.18 vShield Edge interfaces—uplink and internal
You also need to configure SNAT (Source Network Address Translation) to give the isolated VMs (VMs that reside on the isolated network) access to the external network (internet). This SNAT rule is configured to translate a private internal (isolated) IP address into a public IP address for outbound traffic. The translated (public) IP address must have been added to the vShield Edge interface on which you want to add the rule.
Fig.19 vShield Edge—source NAT configuration
To control the security of the outbound traffic you can configure the vShield Edge Firewall Service.
Fig.20 vShield Edge—firewall rule
vShield Edge has traffic monitoring tools that provide interface throughput statistics.
Fig.21 vShield Edge—interface throughput statistics

vShield Endpoint
Off-loads antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners. vShield Endpoint is installed as a hypervisor module together with a security virtual appliance from a third-party antivirus vendor (VMware partner) on an ESX host. With vShield Endpoint at the hypervisor level, guest virtual machines can be scanned without an agent in every virtual machine.

vShield Endpoint Installation
Select the vShield tab at the ESXi host level in the vCenter inventory tree, and click Install.
Fig.22 vShield Endpoint installation

Testing Requirements:
1. After you have installed vShield Endpoint on the ESXi host, you need to deploy and configure a security virtual machine (SVM) on each ESX host according to the instructions from the antivirus solution provider.
2. Install the latest version of VMware Tools released for the version of ESX on all virtual machines to be protected. VMware Tools include the vShield Thin Agent that must be installed on each guest virtual machine to be protected.
To include this vShield component with VMware Tools, you need to select Interactive Tools Installation or Interactive Tools Upgrade. In the Setup Type wizard, select the Custom option and, from the VMware Device Drivers list, select VMCI Driver, then select vShield Driver.
Fig.23 vShield Endpoint on ESXi host
3. Use the Security Virtual Appliance’s management user interface to manage the SVM/SVA, e.g., download the latest antivirus signatures, set the scanning schedule, set the policy for handling viruses, and initiate the scanning process.
Fig.24 vShield Endpoint and 3rd party security virtual appliance—flow control
Fig.25 vShield Endpoint status and events log

vShield Data Security
Provides visibility into sensitive data stored within your organization's virtualized and cloud environments.

vShield Data Security Installation
1. You need to install vShield Endpoint on the ESXi host before you can install vShield Data Security.
2. Log in to the vSphere Client and select the ESXi host from the inventory tree.
3. Select the vShield tab and click Install next to the vShield Data Security option.
4. Specify the Datastore and Management Port Group, and set the IP address, Netmask and Default Gateway for the vShield Data Security appliance.
5. Click Install.

vShield Data Security Policy
To begin using vShield Data Security, you need to create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and the files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. vShield supports PCI, PHI, and PII-related regulations only.
Fig.26 vShield data security with HIPAA regulation setting (based on PHI/PII category)
vShield Data Security provides the report (e.g., number of violations and details).
Fig.27 vShield data security report
Testing
vCNS vShield Data Security allows HIPAA regulation violations to be detected.
Fig.28 vCNS vShield data security scan completed report
Fig.29 vCNS vShield Data Security report detail
From the Scan History you can see that vShield Data Security is also able to detect new data.
Fig.30 vCNS vShield Data Security scan history

Testing Requirements
1. Set the Policy—regulations and standards to detect:
● HIPAA (Health Insurance Portability and Accountability Act)
● HIPAA (Health Insurance Portability and Accountability Act) Low Threshold
● PCI-DSS (Payment Card Industry Data Security Standard)
2. Define the Security Group that you want to include in the scan (or use the default if you want to scan the entire vCenter inventory).
Fig.31 Define the security group for the scan’s participating areas
3. Define Files to Scan, for example based on the modified date/time.
Fig.32 Define files to scan
4. Create and store test data with “Privacy” information on the test system.
Example of data for HIPAA test
============
Medical Record Number: PHI-123-900
Account Number: SUP-456-876
SSN: 098765
Date of Birth: 01/01/1980
E-mail Address: super@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Super Duper Yummy
Patient ID: A-345-678
Physician Name: Dr. Very GOOD
Health: Injured
Virus: Influenza
Blood: A+
U.S Address: 10240 Sorrento Valley Rd San Diego, California 92121

Medical Record Number: PHI-123-901
Account Number: SUP-456-877
SSN: 098766
Date of Birth: 01/01/1981
E-mail Address: peter@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Peter Pan
Patient ID: A-345-679
Physician Name: Dr. Very GOOD
Health: Accident
Virus: Chicken Pox
Blood: B+

Medical Record Number: PHI-123-902
Account Number: SUP-456-878
SSN: 098767
Date of Birth: 01/01/1982
E-mail Address: mickey@yummy.com
Date of Admission: 01/12/2004
Date of Discharge: 01/08/2005
Test Result: Negative
Patient Name: Mickye Mouse
Patient ID: A-345-680
Physician Name: Dr. Very GOOD
Health: Negative
Virus: Super Virus
Blood: O
=============
Example for PCI test
===============
Credit Card Number Patients
1. Name: SuperDuper
Account: 65758
Master Card Credit Card Number: 5111-1111-1111-1118
Expiration Date: Expire: 07/07/2015
2. Name: Looney Tunes
Account: 768690
American Express Credit Card Number: 3111-1111-1111-1117
Expiration Date: Expire: 07/08/2015
3. Name: Scooby Doo
Account: 998690
VISA Credit Card Number: 4111-1111-1111-1111
Expiration Date: Expire: 07/08/2015
================
5. Initiate scan
Click the Start button to run the scan. The vShield Data Security virtual appliance will communicate with the objects in the defined Security Group through vShield Endpoint and the VMware Tools vShield driver.
Fig.33 vShield Data Security—flow control
6. Once the scan is done, it stops by itself and you can see the report.

BMC Server Automation
BMC Server Automation is part of the BMC BladeLogic Automation Suite. In terms of compliance, BMC Server Automation helps IT organizations achieve and maintain compliance by defining and applying configuration policies. When a server or application configuration deviates from policy, the necessary remediation instructions can be configured to be deployed on the server either automatically or manually.

BSA Architecture
A BMC Server Automation system has a three-tier architecture that consists of client, server, and middle tiers.

Client Tier
The Client Tier is the interface through which the user accesses the BMC Server Automation application. This includes:
● The BMC Server Automation console, a graphical user interface (GUI)
● A command line interface (BLCLI) that provides application programming interface (API)-level access to the functionality available through the console
● Network Shell for ad hoc administration of one or more servers. Network Shell is a network scripting language that enables cross-platform access through a command line interface.
● A web interface to the BMC BladeLogic Decision Support for Server Automation server

Server Tier
This tier consists of the servers managed by BMC Server Automation. For these servers to be managed by BMC Server Automation, the RSCD agent needs to be deployed on the remote servers. The BMC Server Automation Application Server communicates with the RSCD agents and initiates all communication to perform ad hoc and scheduled tasks.

Middle Tier
In this tier, the primary component is the Application Server, which controls communication between the BMC Server Automation console (Client Tier) and remote servers (Server Tier). It also controls interaction with the database and file servers.
Fig.34 BMC server automation three-tier architecture

Installation

BSA Database Server
1. For the BSA Database Server, install MS SQL Server 2008 R2.
2. Create a database for BSA, create a user login for BSA, and configure user mapping to give the db_owner database role to the BSA user.
3. Run the BSA external script to load the database schema.

BSA File Server Agent
1. Run the RSCD (Remote System Call Daemon) agent installer.
2. You can edit the agent security export file with this option: * rw,user=Administrator. This maps all inbound connections to the Administrator user.

BSA Application Server
1. Run the BSA Application Server installer.
2. Set the password.
3. Configure the BSA Application Server: set the database connection (database type, database server, database name, user ID, password).
4. Define the BSA File Server and file server storage location.
5. Set passwords for the RBACAdmin and BLAdmin users.

BSA GUI Console
1. Run the BSA Console installer.
2. Install together with the Network Shell Client utility.
3. Run the BSA Console and create the default Profile, defining the Application Server and authentication method (e.g., Secure Remote Password).
4. Log in to the Console with that profile and user password (BLAdmin user).
5. Run blcontent from the Network Shell console to load some BSA initial samples and configurations.

BSA Compliance Module
1. Run the Compliance Content installer.
2. With the Custom Setup, you can select which Compliance Content Templates you want to install (e.g., HIPAA, PCI, SOX).
Fig.35 BMC server automation—compliance templates—HIPAA

Testing Requirement
For testing, all mid-tier components were installed and configured on a single host, and the BSA console was installed on the same host. The following components were installed on a Windows 2008 R2 VM:
- BSA Database Server
- BSA File Server Agent
- BSA Application Server
- BSA Console
- BSA Compliance Module
Also, configure another server to be managed by BSA: install the RSCD Agent on this server.

Setting Discovery Job
1. Create a template under the HIPAA folder to discover servers with Windows 2008 or 2008 R2 operating systems.
2. Define the rule for discovery.
Fig.36 Rule definition for discovery
3. Run the Discover Job based on that template. Once it is done, check the discovery result.
Fig.37 BSA discover result

Setting Policy-Based Compliance Audit
For this testing, the HIPAA template was used for the policy-based compliance audit.
1. Select the Compliance Template that you want to run (e.g., HIPAA) and create the Compliance Job.
Fig.38 BSA compliance job
2. Run it and check the result.
Fig.39 BSA compliance result
3. You can export the result as a report (e.g., in HTML format).
Fig.40 Compliance report exported into HTML format

BMC BladeLogic Decision Support For Server Automation
BMC BladeLogic Decision Support for Server Automation is a web-based application that uses IBM Cognos Business Intelligence and a central reports data warehouse (the database for storing data used in reports). BBDSSA provides the ETL (Extract, Transform, and Load) tool to transfer and transform data from the BSA databases and populate the reports data warehouse.
The reporting web application reads data from the reports data warehouse. An Apache web server delivers reporting information to web browsers.

Installation
1. Install a Remote System Call Daemon (RSCD) agent (installed and licensed).
2. Install BMC Server Automation Network Shell version 8.1 or later.
3. Install the database (e.g., Microsoft SQL Server) and the MS SQL client software.
4. Create the following databases:
   - BSARA_DW_DB
   - BSARA_ETL_MASTER_DB
   - BSARA_ETL_WORK_DB
   - BSARA_PORTAL_DB
5. Create SQL Server users and configure each as database owner of its corresponding database:
   - BSARA_DW
   - BSARA_ETL_MASTER
   - BSARA_ETL_WORK
   - BSARA_PORTAL_DB
6. Create the data warehouse schema on SQL Server.
7. Run the BBDSSA installer.
8. Configure BBDSSA after installation.

Testing Requirement

For testing, go through the following steps:
1. Create and run a discovery job (e.g., to discover Windows servers).
2. Create and run a Snapshot Job.
3. Run ETL.
4. Verify the report.

Fig.41 Example of BBDSSA report (server configuration report)

BMC BladeLogic Atrium Integration

The BMC BladeLogic Atrium Integration enables you to share data about the endpoint computers in your BMC Server Automation system with the BMC Atrium CMDB. To transfer discovered data from the BMC Server Automation database to BMC Atrium CMDB, the discovered data is first transferred from the BMC Server Automation database to the BMC BladeLogic Decision Support for Server Automation database by using the extract, transform, and load (ETL) tool.
The BladeLogic Atrium Integration uses the AIE (Atrium Integration Engine) to do the following:
● Define data exchange and data mapping parameters
● Pull data from the BMC BladeLogic Decision Support for Server Automation database
● Insert the data into the BMC Atrium CMDB with the BMC BladeLogic Import Dataset

BSA Atrium Integration Diagram

Fig.42 BSA Atrium Integration

Installation

Prior to the BladeLogic Atrium Integration installation, you need the following components:
— BMC Server Automation Application Server
— BMC Server Automation Console on the computer where BMC BladeLogic Atrium Integration is to be installed
— BMC BladeLogic Decision Support for Server Automation
— BMC Remedy AR System
— BMC Atrium CMDB
— BMC Atrium Integration Engine

1. Run ETL before installing the BladeLogic Atrium Integration.
2. Run the installer.
3. After installation, run the procedure to add domain names to the servers in BSA.
4. Create indexes on the BMC_BaseElement form.
5. Activate the data exchanges in the BMC Atrium Integration Engine Data Exchange Console.
6. Enable the BMC BladeLogic Atrium Integration.

Testing Requirement
1. Run the BSA Discovery and Snapshot Jobs.
2. Run ETL.
3. Verify that the data has been transferred to Atrium CMDB.

Fig.43 Data transferred from BSA

Customizing Data Mapping Between BSA And CMDB

If needed, you can customize the data mappings on BMC Server Automation to control what is transferred. To configure this data mapping, select the Atrium Integration menu from the BSA console and choose the BL to Atrium Customization option.

Transferring Business Service Data From Atrium CMDB To BSA

Transferring data from BMC Atrium CMDB to the BMC Server Automation database pulls business service information from BMC Atrium CMDB and associates it with the corresponding servers in BMC Server Automation as a custom property.

Configuration And Testing
1. Configure Atrium Integration connectivity to the CMDB / AR System.
2. Configure the Atrium Import Job (e.g., the production dataset that will be used for the import job and the business service class name).

Fig.44 Atrium Import Job configuration (CMDB data set name, business service class name)

Fig.45 Atrium Import Job configuration (CI relationship, BladeLogic custom property)

3. Test by creating the Business Service in the CMDB and setting the relationship between the server and the Business Service.

Fig.46 Business Service in CMDB

4. Run the Atrium Import Job.
5. Verify that the Business Service field of the server in BSA is populated with the information from the CMDB.

Fig.47 Business Service property for the server

6. You can then create a Server Smart Group based on this Business Service classification.

Fig.48 BSA Server Smart Group based on Business Service

Denial Of Service

By default, ESXi imposes a form of resource reservation by applying a distribution algorithm that divides the available host resources equally among the virtual machines, while keeping a certain percentage of resources for use by other system components. This default behavior provides a degree of natural protection from DoS and distributed denial-of-service (DDoS) attacks. You can set specific resource reservations and limits on individual virtual machines to customize this default behavior so that the distribution is no longer equal across the virtual machine configuration.

DATA PROTECTION–ENCRYPTION

Encryption In Flight

Encryption At Rest

VULNERABILITY ASSESSMENT

Intrusion Detection

Deep Packet Inspection

Data Leak Prevention

Data Loss Prevention/Data Loss Protection

vCNS vShield Data Security

Logging And Auditing

EXPLOIT AND MALWARE PROTECTION

Virus Scanning

vCNS vShield Endpoint And VMware Partner's AntiVirus And AntiMalware Software

Configuration And Patch Management

Integrated Solution

Converged infrastructure needs to be managed as a whole system and not only by its individual components. An example of an integrated solution for managing Vblock converged infrastructure:
1. SupernaNet.Connect
2. VCE Vision™ software
3. VMware vCenter
4. BMC CMDB

SupernaNet.Connect

The SupernaNet.Connect CMDB connector for BMC leverages VCE Vision software and VMware vCenter to provide a single integration point for automating CMDB CI discovery, along with logical-to-physical topology, with fully automated CI relationships created in the CMDB.

Fig.49 SupernaNet.Connect dashboard

The connector discovers Vblock Systems components, relationships, and physical topology, and creates the CI objects that represent the Vblock Systems in the CMDB. In addition to physical CI discovery and synchronization, the connector retrieves virtual machine, ESX host, and datastore objects from vCenter and maps the logical resources to the physical ones by creating CI objects and relationships dynamically.

VCE Vision Software

VCE Vision software enables and simplifies converged operations. The software acts as a mediation layer between the Vblock Systems and data center management tools, dynamically informing those tools about the Vblock Systems.

Fig.50 VCE Vision Software discovers Vblock Systems—converged infrastructure details

VMware vCenter

VMware® vCenter Server™ provides a centralized platform for managing your VMware vSphere® environments.

Fig.51 vSphere web client accessing vCenter

BMC CMDB

BMC Atrium CMDB is a configuration management database system for managing data from across IT and creating a more efficient IT infrastructure.

Fig.52 BMC Atrium Core Console—list of CIs in a CMDB data set

Fig.53 BMC Atrium Explorer shows relationships between CIs

Fig.54 BMC ITSM—asset management

Manual Tagging For Compliant CIs

vCenter Inventory Tagging

In vSphere 5.1 and 5.5 there is a new feature, called tags, that further enhances the search capabilities. Tags let you create custom labels and/or metadata and apply them to any object in the vCenter inventory.
These tags are fully searchable, so you can run granular searches on the attached labels and metadata and reduce the time needed to retrieve information. You can also use this tagging feature to tag objects that are part of a compliant configuration. For example, in the following figure we set the HIPAA tag on a VM that is part of the HIPAA-compliant setup.

Fig.55 vCenter Inventory Tagging

With vCenter Inventory Tagging, you can quickly search for any vCenter objects that carry a specific tag (e.g., the HIPAA tag).

Fig.56 vCenter Search Object based on tagging

BMC CMDB Tagging

In BMC CMDB you can set additional tags on configuration items so that these CIs can be searched by their tags. For example, you can use the CITag attribute of the CI to specify that it is HIPAA compliant.

Fig.57 BMC CMDB tagging

Automatic Tagging For Compliant CIs

SupernaNet.Connect Mapping File

You can set up the BMCMapping.xml file on SupernaNet.Connect to map the compliance information to a BMC CMDB attribute. For example, you set the BMCMapping.xml file to map HIPAA to the CITag CMDB attribute. In the BMCMapping.xml file, you add the following configuration:

    <TargetAttribute name="CITag" value="HIPAA" type="String"/>

After you have updated the BMCMapping.xml file, you also need to generate the new version info and update the BMCConfig.xml file with the newly generated version info. For example:

    <VersionInfo invalidversionssupported="false">
        <SupportedVersion name="NCrmZNFMNCHPtW2VDLD7Yg=="/>
        <SupportedVersion name="KMplTPQWNCHPtW2VDLD7Yg=="/>
    </VersionInfo>

Then run the SupernaNet.Connect synchronization to sync the update to the CMDB. Now your CMDB is populated with the CITag info.
Fig.58 CMDB with CITag info

Fig.59 CI Property with CITag info

Monitoring

In order to comply with monitoring of in-scope devices and to find alarms and events related to potential noncompliance, security, or authorization issues on Vblock Systems, the CA Nimsoft Monitor product combined with the SupernaNET.Converge Probe for Nimsoft (with compliance enhancements) lets you select in-scope objects for monitoring and highlights, in the probe's UMP Dashboard, any VM or Vblock Systems component that has raised an alarm. The screen shot below shows how the probe simplifies the monitoring function for compliance.

IDENTITY AND ACCESS MANAGEMENT

The authentication system divides the application OS and the infrastructure into two separate, unrelated user domains for AAA. This ensures that a compromise in the management domain does not translate into a compromise in the application management domain.

LoginTC two-factor authentication will be used to secure the following login access:
1. Infrastructure Domain
   a. vCenter SSO → OpenLDAP
      i. Add a vCenter Single Sign On Identity Source
      ii. Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
      iii.
2. Application Domain

LoginTC For OpenVPN

The LoginTC Radius Connector enables OpenVPN to use LoginTC for two-factor authentication.

Diagram for the basic infrastructure of the LoginTC Radius flow: (Ref: LoginTC web site)

Components for this solution:

LoginTC Cloud Domain

You need to create a Radius Domain for the Radius Connector configuration. To create this domain, log in to the LoginTC Cloud admin panel (https://cloud.logintc.com/panel/login) as the administrator user; this login requires the token from the LoginTC app. Once you have logged in to the LoginTC Cloud admin web console panel, you can create a domain for the Radius Connector. Each LoginTC Cloud has a unique API key and each domain has a unique Domain ID. You need this key and ID for the connector configuration.
The API key is found on the LoginTC Cloud Settings page. The Domain ID is found on the domain settings page.

Fig.60 API Key

Fig.61 Domain ID

LoginTC Radius Connector

The LoginTC Radius Connector is a virtual appliance that can be deployed on an ESXi host (or VirtualBox). It requires 1 GB RAM and 8 GB of disk space. First, log in via the virtual console to configure the network settings; then you can log in via SSH for further configuration.

Connector Configuration

Create the configuration file /opt/logintc/conf/client.cfg:

    # LoginTC Cloud credentials: the API key from the Cloud Settings page and the
    # Domain ID of the Radius Domain created above. Both are secrets, as is the
    # LDAP bind password below, so keep this file readable by the connector only.
    [logintc]
    api_key=ZPjeNQ6mzfqR6okzLb55zVu5dVn1stPDdLmyKQ1nKPrqQRlwoBcPtSyw23AumXFx
    #domain_id=a7641569669c5322db4d64e2fb4e79ef2fbfe2b0
    domain_id=06902ff4b82d99c75484ebae71e2236f54f0b494

    # First factor: the Active Directory user created for the connector binds and
    # looks up the VPN user by sAMAccountName.
    [ldap]
    host=sup-pcidc-01.pci.superna.net
    bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
    bind_password=GoSuperna!
    base_dn=dc=pci,dc=superna,dc=net
    attr_username=sAMAccountName
    attr_name=displayName
    attr_email=mail
    filter=(objectClass=person)

    # RADIUS client: the OpenVPN server. The secret must match the sharedsecret
    # configured in the OpenVPN radiusplugin.cnf on that host.
    [client]
    name=OpenVpn
    ip=172.16.84.20
    secret=bigsecret
    authentication=ldap,logintc

OpenVPN

Install the OpenVPN Radius Plugin on the OpenVPN server.
Configure OpenVPN (server.conf file):

    local 172.16.84.20
    port 1194
    proto udp
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    # 1024-bit DH parameters are weak by current standards; 2048-bit or larger is preferable
    dh /etc/openvpn/dh1024.pem
    # Hand authentication to the RADIUS plugin, which talks to the LoginTC Radius Connector
    plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
    # plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
    # No client certificate: users authenticate with their AD password plus the LoginTC second factor
    client-cert-not-required
    username-as-common-name
    push "redirect-gateway def1"
    server 10.0.10.0 255.255.255.0
    push "dhcp-option DNS 172.16.84.12"
    ifconfig-pool-persist ipp.txt
    client-to-client
    duplicate-cn
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    log-append openvpn.log
    verb 5
    management localhost 7505
    reneg-sec 0

Configure the Radius Plugin (radiusplugin.cnf):

    # The NAS identifier, which is sent to the RADIUS server
    NAS-Identifier=OpenVpn
    # The service type, which is sent to the RADIUS server
    Service-Type=5
    # The framed protocol, which is sent to the RADIUS server
    Framed-Protocol=1
    # The NAS port type, which is sent to the RADIUS server
    NAS-Port-Type=5
    # The NAS IP address, which is sent to the RADIUS server (the OpenVPN server;
    # it must match the ip= entry of the [client] section in the connector's client.cfg)
    NAS-IP-Address=172.16.84.20
    # Path to the OpenVPN configuration file. The plugin searches for:
    # client-config-dir PATH (searches for the path)
    # status FILE (searches for the file, version must be 1)
    # client-cert-not-required (if the option is used or not)
    # username-as-common-name (if the option is used or not)
    OpenVPNConfig=/etc/openvpn/server.conf
    # Support for topology option in OpenVPN 2.1
    # If you don't specify anything, option "net30" (default in OpenVPN) is used.
    # You can only use one of the options at the same time.
    # If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
    subnet=255.255.255.0
    # If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
    # p2p=10.8.0.1
    # Allows the plugin to overwrite the client configuration in client configuration file directory
    # default is true
    overwriteccfiles=true
    # Allows the plugin to use authorization control files if OpenVPN (>= 2.1 rc8) provides them
    # default is false
    # useauthcontrolfile=false
    # Only the accounting functionality is used. If no user name is forwarded to the plugin, the common name of the certificate is used
    # as user name for radius accounting
    # default is false
    # accountingonly=false
    # If the accounting is nonessential, nonfatal accounting can be set to true.
    # If set to true, all errors during the accounting procedure are ignored, which can be:
    # - radius accounting can fail
    # - FramedRouted (if configured) may not be configured correctly
    # - errors during vendor specific attributes script execution are ignored
    # But if set to true, the performance is increased because OpenVPN does not block during the accounting procedure.
    # default is false
    nonfatalaccounting=false
    # Path to a script for vendor specific attributes
    # Leave it out if you don't use an own script
    # vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
    # Path to the pipe for communication with the vsa script.
    # Leave it out if you don't use an own script
    # vsanamedpipe=/tmp/vsapipe
    # A radius server definition (there could be more than one).
    # The priority of the server depends on the order in this file. The first one has the highest priority.
    server
    {
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server (here, the LoginTC Radius Connector).
        name=172.16.84.17
        # How many times should the plugin send the request if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=60
        # The shared secret; must match the secret= value in the connector's client.cfg.
        sharedsecret=bigsecret
    }
    #server
    #{
    #    # The UDP port for radius accounting
    #    acctport=1813
    #    # The UDP port for radius authentication
    #    authport=1812
    #    # The name or ip address of the radius server
    #    name=127.0.0.1
    #    # How many times should the plugin send the request if there is no response?
    #    retry=1
    #    # How long should the plugin wait for a response?
    #    wait=1
    #    # the shared secret.
    #    sharedsecret=testpw
    #}

LDAP

Create an LDAP (Active Directory) user for the LoginTC Radius Connector, and provide this user's information in the LoginTC Radius Connector's client.cfg file. Set LDAP as the first-factor authentication and LoginTC as the second factor.

User

For this two-factor authentication with LDAP/Active Directory and LoginTC, create the user in both Active Directory and the LoginTC Radius domain.

Data Protection–Backup/Restore/Replication

Configuration And Patch Management

This section captures how to automate the tasks involved in building a repeatable infrastructure as simply as possible, removing manual steps.

Auto Deploy Installation

VMware vSphere 5.1
User name: administrator
Password: GoSuperna!

Install SolarWinds TFTP Server (172.16.70.156).
Go to vSphere Client -> Auto Deploy -> Download TFTP Boot Zip.
Save the TFTP Boot Zip and extract it to the TFTP server folder (\\DMANNING-02\TFTP-Root).
Turn off the Windows firewall (a lab shortcut; otherwise allow only the TFTP service, UDP port 69).
Start the TFTP Server.
Add scope options in the DHCP server (172.16.70.30):
    066: 172.16.70.156
    067: undionly.kpxe.vmw-hardwired
Run PowerShell as administrator to change the execution policy. vSphere PowerCLI should be installed.
Run PowerCLI on 172.16.70.156 and run the command to connect to vCenter Server:
    Connect-VIServer -Server 172.16.70.25
Download the ESXi 5.1 Offline Bundle .zip file: https://my.vmware.com/web/vmware/details?downloadGroup=VCL-VSP510-ESXI-510EN&productId=285
Temp storage container: (\\172.16.70.29)Z:\VCE\vmware\VMware-ESXi-5.1.0-799733-depot.zip

NEXT STEPS:
1. Add the path to the ESXi 5.1 depot in PowerCLI:
    Add-EsxSoftwareDepot "C:\vsphere5.1\ESXi\VMware-ESXi-5.1.0-799733-depot.zip"
2. Get-EsxImageProfile
3. Use the "Standard" image profile.
4. New-DeployRule -Name "FirstBoot" -Item "ESXiStatelessImage" -AllHosts
5. Add-DeployRule -DeployRule "FirstBoot"
Or
6. New-DeployRule -Name "FirstTimeBoot" -Item "ESXi-5.0.0-469512-standard" -Pattern "model=VMware Virtual Platform"
7. Add-DeployRule -DeployRule FirstTimeBoot
8. And so on…
(The -Item value of New-DeployRule must be an image profile name listed by Get-EsxImageProfile in step 2.)

Compliance—HIPAA

§ 164.306 Security standards: General rules

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) When deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities
(iii) The costs of security measures
(iv) The probability and criticality of potential risks to electronic protected health information

(c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard for its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the implementation specification
(2) Implement an equivalent alternative measure if reasonable and appropriate

(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at § 164.316.

§ 164.308 Administrative Safeguards

Security Management Process (§ 164.308(a)(1))

HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Key Activities: Conduct Risk Assessment

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.

Technical Implementations:
1. vCNS vShield Data Security
vShield Data Security provides visibility into sensitive data stored within the organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, we can ensure that sensitive data is adequately protected and compliant with regulations around the world.

Fig.62 vShield Data Security discovers that files contain ePHI

2. BMC Server Automation—Compliance Module
In BSA a component is a collection of configuration settings that encapsulates a business or infrastructure service, application, or security policy. Components simplify many data center management tasks because a component provides a higher level of abstraction than the servers and server objects that make up the component. A component template defines a component: it establishes rules and provides the necessary information for the component, and the template is then associated with a server. You can include compliance rules in the component template, e.g. the HIPAA security policy. With this compliance template you can run the compliance audit to assess the security risk of the component, for example whether it fails to comply with the HIPAA security policy. The following figure gives an example of how BSA detects noncompliance.

Fig.63 Noncompliance detected

Key Activities: Develop And Deploy The Information System Activity Review Process (Implementation Specification (Required))

Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Technical Implementations:
a. The BMC CMDB connector tracks in-scope devices and VMs, extracts VMware vCenter and VCE Vision software logs for the in-scope devices, and stores them in a database at a regular interval.
b. ESXi—Remote Syslog/Logging. Log files are an important component of troubleshooting attacks and obtaining information about breaches of host security. Remote logging to a central log host provides a secure, centralized store for ESXi logs; the vSphere Syslog Collector tool can be used for this. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool, and you can aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.

Technical Implementations:
1. Install monitoring software for the in-scope IT devices that process or handle compliance data and applications, using a monitoring tool that can show the alarms and events from in-scope or flagged devices.
2. CA Nimsoft plus the SupernaNET.Converge probe can selectively track VM, compute, storage, and network data within a portal, filtering alarms and events to only the devices selected as in scope for HIPAA compliance, within the UMP Dashboard portal.

Key Activities: Develop Appropriate Standard Operating Procedures

Description: Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.

Technical Implementations:
1. Security logs from VCE Vision software and VMware vCenter; a CMDB attribute tracks the last log sync.
2. Implement the syslog server to centralize the logs from vCNS vShield App. For example, it records when disallowed traffic is blocked by a vShield App firewall rule. Refer to the following figure: "1006-DROP" refers to vShield App Firewall Rule ID 1006 blocking the traffic.
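The activity review that § 164.308(a)(1) asks for needs more than a syslog archive; someone has to turn the centralized vShield App firewall records into a short list of things to look at. The following added example (not from the guide or from VMware) tallies DROP records per rule ID and per source address over constructed syslog lines and flags sources with repeated blocks; the "<ruleid>-DROP" token follows the "1006-DROP" marker described above, while the timestamp, host, tag and src=/dst= field layout are assumptions rather than the product's documented log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not captured from the lab). The "<ruleid>-DROP"
# token mirrors the "1006-DROP" marker the guide shows; the timestamp, host, tag
# and src=/dst= field layout are assumptions, not the product's documented format.
SAMPLE_SYSLOG = """\
Mar 14 10:01:02 vshield-app-01 vsfwd: 1006-DROP src=192.0.2.10 dst=10.0.10.5 proto=TCP dport=3389
Mar 14 10:01:05 vshield-app-01 vsfwd: 1006-DROP src=192.0.2.10 dst=10.0.10.5 proto=TCP dport=3389
Mar 14 10:01:09 vshield-app-01 vsfwd: 1006-DROP src=192.0.2.10 dst=10.0.10.6 proto=TCP dport=445
Mar 14 10:02:11 vshield-app-01 vsfwd: 1003-PASS src=10.0.10.7 dst=10.0.10.5 proto=TCP dport=443
Mar 14 10:03:40 vshield-app-02 vsfwd: 1012-DROP src=198.51.100.4 dst=10.0.10.5 proto=UDP dport=161
Mar 14 10:04:02 vshield-app-01 vsfwd: 1006-DROP src=192.0.2.10 dst=10.0.10.5 proto=TCP dport=22
this line is not a firewall record and must be ignored
"""

# Message part of a record: "<ruleid>-<ACTION> src=... dst=... proto=... dport=..."
FW_MSG = re.compile(
    r"^(?P<rule>\d+)-(?P<action>DROP|PASS)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_record(line):
    """Parse one BSD-style syslog line ("Mon DD HH:MM:SS host tag: msg").
    Returns a dict for a firewall record, or None for any other line."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    host, msg = parts[3], parts[5]
    match = FW_MSG.match(msg)
    if match is None:
        return None
    rec = match.groupdict()
    rec["host"] = host
    rec["rule"] = int(rec["rule"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_drops(text, repeat_threshold=3):
    """Tally DROP records per rule ID and per source address, and flag sources
    whose drop count reaches repeat_threshold: repeated blocked attempts from one
    source are the events an activity review should look at first."""
    per_rule = Counter()
    per_src = Counter()
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "DROP":
            continue  # skip non-firewall lines and permitted (PASS) flows
        per_rule[rec["rule"]] += 1
        per_src[rec["src"]] += 1
        ports_by_src[rec["src"]].add(rec["dport"])
    flagged = sorted(src for src, n in per_src.items() if n >= repeat_threshold)
    return {
        "per_rule": dict(per_rule),
        "per_src": dict(per_src),
        "ports_by_src": {src: sorted(ports) for src, ports in ports_by_src.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = summarize_drops(SAMPLE_SYSLOG)
    for rule, count in sorted(report["per_rule"].items()):
        print(f"rule {rule}-DROP: {count} blocked flow(s)")
    for src in report["flagged"]:
        print(f"review: {src} blocked {report['per_src'][src]} times on ports "
              f"{report['ports_by_src'][src]}")
```

Point the script at the syslog server's exported vShield App records instead of SAMPLE_SYSLOG and adjust FW_MSG to the actual field layout; the per-rule counts also make a quick check that rule 1006 is blocking what the firewall policy intends.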
Fig.64 Syslog captured firewall-blocked traffic

With vShield App Flow Monitoring, you can get details and statistics about the blocked traffic.

Fig.65 vShield App Flow Monitoring—Blocked Flows status

Information Access Management (§ 164.308(a)(4))

HIPAA Standard: Implement policies and procedures to authorize access to electronic protected health information that are consistent with the applicable requirements of subpart E of the Privacy Rule.

Key Activities: Implement Policies And Procedures To Authorize Access

Technical Implementation:
1. vCNS vShield Edge provides a stateful inspection firewall applied at the perimeter of the virtual data center. With vShield Edge you can configure an isolated/internal network for the application that needs to be protected and use the vShield Edge firewall service to control access.
2. vCNS vShield App Firewall provides access control to the data and services within the vSphere virtual data center. Firewall rules can be set to protect EPHI resources from unauthorized access. vShield App provides a firewall service applied at the virtual network interface card (vNIC) level, directly in front of specific workloads (VMs).
3. ESXi host internal firewall. This is a firewall between the ESXi host's management interface and the network; it lets ESXi enforce access control. Configure this host firewall to restrict access to the services running on the host.

Security Awareness And Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management).

Implementation Specification: Protection From Malicious Software

Technical Implementation:
1. vCNS vShield Endpoint together with a partner's secure virtual appliance (antivirus). vShield Endpoint offloads antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners.
vShield Endpoint plugs directly into vSphere and consists of three components: • Hardened secure virtual appliances, delivered by VMware partners • Thin agent for virtual machines to offload security events (included in VMware Tools) • VMware Endpoint ESX® hypervisor module to enable communication between the first two components at the hypervisor layer 110 Fig.66 vShield Endpoint status and events log Because the secure virtual appliance—unlike a guest virtual machine—doesn’t go offline, it can continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online. § 164.310 Physical Safeguards Device And Media Controls (§ 164.310(d)(1)) HIPAA Standard: Implement policies and procedures governing the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the 111 movement of these items within the facility. Key Activities: Implement Methods For Final Disposal of EPHI Implement policies and procedures to address the final disposition of EPHI and/or the hardware or electronic media on which it is stored. Technical Implementations: 1. vCNS vShield Data Security Maintain a current inventory of EPHI on the network by running discovery scan with vShield Data Security. IT change management can update their data disposal processes to include the review of discovery reports so that the systems known to store EPHI data can be properly handled. Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media Implement procedures for the removal of EPHI from electronic media before the media are made available for reuse. Technical Implementations: 1. 
vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running a discovery scan with vShield Data Security. IT change management can update their processes for handling the reuse of electronic media to include the review of discovery reports, so that the systems known to store EPHI data can be properly handled.
§ 164.312 Technical Safeguards
Access Control (§ 164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery scans for EPHI data in the data center with vShield Data Security to determine where access controls must be in place.
2. LoginTC Two-Factor Authentication enforces access control for all users. Access control can be enforced either locally or remotely. LoginTC provides an entry point of access control to systems and business applications that contain EPHI data.
• Users must be provisioned and authorized to obtain a LoginTC credential by their LoginTC administrator.
• Procedures must be in place in the organization's identity proofing process for a LoginTC administrator to provision a LoginTC credential.
• Applications/systems containing EPHI data can be enabled with a custom LoginTC connector to offer two-factor authentication.
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
1. LoginTC can protect any system that requires authentication, including VPNs, web portals, and cloud applications; with the LoginTC REST API, it can enable two-factor authentication on virtually any system or application that hosts EPHI data.
LoginTC leverages user repositories installed in the client's infrastructure (MS Active Directory, LDAP or SQL-based systems), synchronizing and updating users from their authoritative source(s).
Fig.67 LoginTC conceptual overview
Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier
Technical Implementations:
1. LoginTC assigns both a unique USERNAME and a unique numeric USER ID. The LoginTC administrator determines the user's USERNAME, and optionally the user's EMAIL—typically the same username and email stored in the LDAP or MS AD repositories. The unique numeric USER ID is randomly generated by the LoginTC system: it is 160 bits (40 hex characters) and uniquely identifies a LoginTC user. LoginTC transaction logs capture every access to LoginTC-protected systems and can trace specific users identified by their USERNAME and/or USER ID.
Key Activities: Implement Access Control Procedures Using Selected Hardware and Software
Description:
- Implement the policy and procedures using existing or additional hardware/software solution(s).
Technical Implementations:
1. Two-factor authentication, e.g. OpenVPN integrated with Active Directory and LoginTC Cloud. The user must provide a password (validated against Active Directory) and a PIN (based on the LoginTC token).
LoginTC Admin is a web-based control panel for LoginTC administrators that provides:
• Credential lifecycle management
• Domain (system/application) lifecycle management
• Provisioning, reports, auditing
• REST API services
• Delivery: on-premise VM or cloud service
Designated LoginTC administrators are provided with a 2-day LoginTC Admin training course that addresses LoginTC access control management, planning, configuration, integration, and troubleshooting. LoginTC provides extensive online documentation and know-how guidelines for planning, integration, configuration, and deployment of all required LoginTC components.
Fig.68 LoginTC admin panel: domain management
2.
ESXi—Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host and requires that the host be managed remotely from vCenter Server. Lockdown mode limits ESXi host access to the vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently gaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Note: Lockdown mode does not apply to users who log in using authorized keys. When an authorized key file is used for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.
Note that users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI. By default the "root" user is the only user listed in the DCUI.Access list.
3. ESXi—Set DCUI (Direct Console UI) Access
Set DCUI access to allow only trusted users to override lockdown mode. Lockdown mode disables direct host access and requires admins to manage hosts from vCenter. However, if a host becomes isolated from vCenter, the admin is locked out and unable to manage the host. To avoid being locked out of an ESXi host running in lockdown mode, set DCUI.Access to a list of highly trusted users who are allowed to override lockdown mode and access the DCUI.
4. ESXi—Disable MOB (Managed Object Browser)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it also allows configuration to be changed. This interface is meant primarily for debugging the vSphere SDK, but because it has no access controls it can also be used to obtain information about a host targeted for unauthorized access.
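The three host settings above (DCUI.Access, the MOB, and lockdown mode) can be applied together from PowerCLI. The following is an added example, not code from the guide or from VMware; it assumes an existing Connect-VIServer session to vCenter, a placeholder host name (esxi01.lab.example) and a placeholder trusted-user list, and a host that is not yet in lockdown mode.

```powershell
# Added example (not from the guide or VMware): harden one ESXi host in the order
# the guide calls for. Assumes PowerCLI with an existing Connect-VIServer session.
$HostName  = 'esxi01.lab.example'     # placeholder host name
$DcuiUsers = @('root', 'secadmin')    # placeholder list of highly trusted DCUI users

$vmhost = Get-VMHost -Name $HostName

# Step 1: DCUI.Access - only these users may override lockdown mode at the console,
# so an admin can still reach the host if it becomes isolated from vCenter.
Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access' |
    Set-AdvancedSetting -Value ($DcuiUsers -join ',') -Confirm:$false | Out-Null

# Step 2: disable the Managed Object Browser. This must come before lockdown mode,
# because the MOB setting cannot be changed once the host is locked down.
Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.solo.enableMob' |
    Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null

# Step 3: enter lockdown mode through the vSphere API (HostSystem.EnterLockdownMode),
# forcing all further management through vCenter Server.
if (-not $vmhost.ExtensionData.Config.AdminDisabled) {
    $vmhost.ExtensionData.EnterLockdownMode()
}

# Re-read the host and emit the settings as evidence for the compliance record.
$vmhost = Get-VMHost -Name $HostName
[pscustomobject]@{
    Host       = $vmhost.Name
    DcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value
    MobEnabled = (Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.solo.enableMob').Value
    Lockdown   = $vmhost.ExtensionData.Config.AdminDisabled
}
```

Run the same script without the three Set/Enter calls to audit a host before changing it; the final object is what you would attach to the audit record.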
You cannot disable MOB while the host is in lockdown mode, so disable MOB first, before putting the host in lockdown mode.
Key Activities: Review And Update User Access
Technical Implementations:
1. LoginTC
Users can access LoginTC-protected systems with their smartphones and tablets as the second factor for access control. Users' mobile platforms must be connected to the Internet. LoginTC works over 3G/4G and Wi-Fi networks, and LoginTC notifications are supported locally, nationally, and worldwide.
LoginTC provisioning and registration is the first step for authorized users to access EPHI systems and applications:
• Self-registration
• Bulk upload
• LoginTC REST API (used programmatically)
• Synchronization with user stores: LDAP, MS AD, SQL, etc.
The LoginTC mobile app can host multiple credentials for multiple systems, allowing users to seamlessly gain access to multiple applications when required.
Fig.69 Provisioning LoginTC credential for a new user
Fig.70 LoginTC end user experience
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
1. LoginTC: LoginTC credentials can be revoked in two ways:
• The LoginTC administrator accesses the LoginTC Admin panel and manually revokes the user's credential.
• If the user record is updated in the master user repository (e.g. MS AD/LDAP) and the LoginTC synchronization module is in place, the user's LoginTC credential is updated accordingly in LoginTC Admin.
Audit Controls (§ 164.312(b))—Future In Scope—Security Partner
HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
1. LoginTC
The LoginTC Admin control panel provides LoginTC administrators with a powerful reporting and auditing tool.
LoginTC administrators can select data captured by:
• All Domains
• Specific Domain
• Start Date to End Date
Log data can also be downloaded in TXT or CSV format for further analysis or correlation. All LoginTC access is monitored for successful, rejected/suspected-fraud, or failed attempts. One of the most powerful LoginTC features is visible in the LoginTC logs: they also record notifications that the end user ignored or rejected as suspect. This feature prevents phishing or man-in-the-middle attacks, and the records can be acted upon by the LoginTC administrator, auditors, and security personnel (see the earlier Figure X, LoginTC end user experience).
These LoginTC controls are extremely useful for recording and examining access activity, especially when determining whether a security violation has occurred.
Fig.71 LoginTC admin panel: log management
Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews
Technical Implementations:
1. vCNS vShield Data Security: You can use this as an audit tool, as it provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and compliant with regulations around the world. For example, you can assign policies per Security Group so that the application VMs in that Security Group are scanned for HIPAA data and, if any is found, reported.
2. BMC Server Automation Compliance Audit
Based on a compliance policy, you can run a compliance audit for components. The report shows which sections of the policy the component does not comply with. The following figure gives an example.
Fig.72 BSA compliance audit result—red color indicates noncompliant
The report also shows the number of Passed/Failed (compliant/noncompliant) results.
Fig.73 Compliance report shows number of Passed/Failed (compliant/noncompliant)
Integrity (§ 164.312(c)(1))
HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Key Activities: Mechanism To Authenticate Electronic Protected Health Information
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery of EPHI data in the data center with vShield Data Security to determine whether data has been modified since the previous discovery scan by checking the Scan History and Detail Reports.
Fig.74 vShield data security—scan history
Fig.75 vShield data security—report
Person Or Entity Authentication (§ 164.312(d))
HIPAA Standard: Implement procedures to verify the identity of a person or entity seeking access to electronic protected health information.
Key Activities: Determine Authentication Applicability To Current Systems/Applications
Technical Implementation:
1. Two-factor authentication for login
LoginTC implements two-factor authentication for granting access to systems that contain EPHI records:
• LoginTC users must know the USERNAME, and optionally a PASSWORD, to pass the first factor.
• LoginTC users must have a smartphone or tablet with a provisioned LoginTC credential, which is something the user possesses, as the second factor.
• When notified, the user must unlock the LoginTC credential on the mobile device with a PIN or passphrase known only to the user.
Using LoginTC two-factor authentication can satisfy the HIPAA Security Rule requirement to create and maintain security controls that verify user identity when users connect to applications and databases holding health data records, either remotely or via a web application.
Fig.76 LoginTC two-factor authentication session
2. vSwitch security to prevent impersonation from the network perspective:
a. vSwitch security: reject "promiscuous mode"
In non-promiscuous mode, a guest adapter listens only to traffic addressed to its own MAC address. In promiscuous mode, it can listen to all packets. By default, guest adapters are set to non-promiscuous mode. The promiscuous mode security policy can be defined at the virtual switch or port group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
b. Reject "MAC Address Changes"
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adapter authorized by the receiving network. The Reject "MAC Address Changes" setting prevents VMs from changing their effective MAC addresses. It affects applications that require this functionality. An example is Microsoft Clustering, which requires systems to effectively share a MAC address. It also affects how a layer-2 bridge operates, and applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html
c. Reject "forged transmits"
By default, the "forged transmits" setting is set to "Accept".
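The three vSwitch policies (a, b and c) can be enforced and audited from PowerCLI. The following is an added example, not code from the guide or from VMware; it assumes an existing Connect-VIServer session, a placeholder host name (esxi01.lab.example), and a placeholder port group name (MSCS-Heartbeat) standing in for the Microsoft Clustering exception the guide describes.

```powershell
# Added example (not from the guide or VMware): set Reject for promiscuous mode,
# MAC address changes and forged transmits on a host's standard vSwitches, keep
# port groups inheriting that policy, and carve out only the documented exception.
$HostName            = 'esxi01.lab.example'   # placeholder host name
$MacChangeExceptions = @('MSCS-Heartbeat')    # placeholder: port groups that may change MAC

$vmhost = Get-VMHost -Name $HostName

# 1. vSwitch level: reject all three. Port groups inherit this unless overridden.
Get-VirtualSwitch -VMHost $vmhost -Standard |
    Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
    Out-Null

# 2. Port-group level: clear any local override so the switch policy is effective.
Get-VirtualPortGroup -VMHost $vmhost -Standard |
    Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true |
    Out-Null

# 3. Exceptions: only the listed port groups may Accept MAC address changes
#    (e.g. Microsoft Clustering); promiscuous mode and forged transmits stay Reject.
foreach ($pgName in $MacChangeExceptions) {
    Get-VirtualPortGroup -VMHost $vmhost -Standard -Name $pgName -ErrorAction SilentlyContinue |
        Get-SecurityPolicy |
        Set-SecurityPolicy -MacChangesInherited $false -MacChanges $true |
        Out-Null
}

# 4. Report the effective policy per port group for the compliance record.
Get-VirtualPortGroup -VMHost $vmhost -Standard |
    Select-Object Name,
        @{n='AllowPromiscuous'; e={ ($_ | Get-SecurityPolicy).AllowPromiscuous }},
        @{n='MacChanges';       e={ ($_ | Get-SecurityPolicy).MacChanges }},
        @{n='ForgedTransmits';  e={ ($_ | Get-SecurityPolicy).ForgedTransmits }} |
    Format-Table -AutoSize
```

Any port group that reports True for AllowPromiscuous or ForgedTransmits, or True for MacChanges without being in the exception list, is a finding to record and remediate.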
This means that the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to "Reject".
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
Fig.77 vSwitch security
Key Activities: Evaluate Authentication Options Available
Technical Implementation:
1. LoginTC
LoginTC two-factor authentication can protect systems that contain EPHI records, and can protect the desktops and mobile platforms used to access those EPHI systems. LoginTC can be enabled in:
• VPNs
• Web access managers
• Web portals
• SAML federation systems
• O/S authentication: Windows/Unix
• Mobile browsers
• Mobile applications
• Virtually any platform or system that requires authentication
References
http://www.hipaasurvivalguide.com/hipaa-regulations/164-306.php