HIPAA Compliance - Compliance Ready Lab Setup

Compliance Ready Lab Build Guide—HIPAA Version
Contents
Overview
Security Application Zone (Runs on)
Requirements
Segmentation/firewall
ESXi Host Security
ESXi Host Firewall
Configure NTP Time Synchronization For ESXi Host
Lockdown Mode
Set DCUI (Direct Console UI) Access
Remote Syslog/Logging
Disable MOB (Managed Object Browser)
Zero-Out VMDK (before deletion)
Create A Non-Root Local Admin Account
Configure Host Profile
vSwitch Security
Reject “Promiscuous Mode”
Reject “MAC Address Changes”
Reject “Forged Transmits”
Network Security
Firewall internal
Allowed ports for management
Firewall external
SECURITY MANAGEMENT
vCloud Networking And Security (vCNS)
vShield Manager
vShield Manager Installation
vShield App
Flow Monitoring
App Firewall
vShield App Fail Safe Setting
vShield App Exclusion List
vShield App Installation
Example Of vShield App Firewall Blocking Rule
vShield Edge
vShield Edge Installation
vShield Edge Gateway And Isolated Network Configuration.
vShield Endpoint
vShield Endpoint Installation
Testing Requirements:
vShield Data Security
vShield Data Security Installation
vShield Data Security Policy
Testing Requirements
BMC Server Automation
BSA Architecture
Client Tier
Server Tier
Middle Tier
Installation
BSA Database Server
BSA File Server Agent
BSA Application Server
BSA GUI Console
BSA Compliance Module
Testing Requirement
Setting Discovery Job
Setting Policy-Based Compliance Audit
BMC BladeLogic Decision Support For Server Automation
Installation
Testing Requirement
BMC BladeLogic Atrium Integration
BSA Atrium Integration Diagram
Installation
Testing Requirement
Customizing Data Mapping Between BSA And CMDB
Transferring Business Service Data from Atrium CMDB to BSA
Configuration And Testing
Denial Of Service
DATA PROTECTION–ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION
Virus Scanning
vCNS vShield Endpoint And VMware Partner’s AntiVirus And AntiMalware Software
Configuration And Patch Management
Integrated Solution
SupernaNet.Connect
VCE Vision™ Intelligent Operations
VMware vCenter
BMC CMDB
Manual Tagging For Compliant CIs
vCenter Inventory Tagging
BMC CMDB Tagging
Automatic Tagging For Compliant CIs
SupernaNet.Connect Mapping File
Monitoring
IDENTITY AND ACCESS MANAGEMENT
LoginTC For OpenVPN
LoginTC Cloud Domain
LoginTC Radius Connector
OpenVPN
LDAP
User
Data protection–backup/restore/replication
Configuration And Patch Management
Auto Deploy Installation VMWare vSphere 5.1
Compliance–HIPAA
§ 164.306 Security Standards: General Rules.
§ 164.308 Administrative Safeguards
Security Management Process (§ 164.308(a)(1))
Key Activities: Conduct Risk Assessment
Technical Implementations:
Key Activities: Develop And Deploy The Information System Activity Review Process
Technical Implementations:
Technical Implementations:
Key Activities: Develop Appropriate Standard Operating Procedures
Technical Implementations:
Information Access Management (§ 164.308(a)(4))
Key Activities: Implement Policies And Procedures For Authorizing Access
Technical Implementation:
Security Awareness and Training (§ 164.308(a)(5))
Implementation Specification: Protection From Malicious Software
Technical Implementation:
§ 164.310 Physical Safeguards
Device And Media Controls (§ 164.310(d)(1))
Key Activities: Implement Methods For Final Disposal of EPHI
Technical Implementations:
Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media
Technical Implementations:
§ 164.312 Technical Safeguards
Access Control (§ 164.312(a)(1))
Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier
Technical Implementations:
Key Activities: Implement Access Control Procedures Using Selected Hardware And Software
Description:
Technical Implementations:
Key Activities: Review And Update User Access
Technical Implementations:
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
Audit Controls (§ 164.312(b)) - Future In Scope - Security Partner
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews
Technical Implementations:
Integrity (§ 164.312(c)(1))
Key Activities: Mechanism To authenticate Electronic Protected Health Information
Technical Implementations:
Person Or Entity Authentication (§ 164.312(d))
Key Activities: Determine Authentication Applicability To Current Systems/Applications
Technical Implementation:
Key Activities: Evaluate Authentication Options Available
Technical Implementation:
References
Overview
This document serves as the master design document for all areas of the design. It is organized so that
ISVs can fit their product into a functional area. The scope of the phase I design is shown in Figure 1.
Security Application Zone (Runs on)
Application deployments will follow a deployment method that ensures that a secure network is in place
between the virtual machines that need to communicate. Applications that adhere to best practices will
follow the requirements below for deployment in the test bed.
Requirements
1. Must support one or the other deployment option for VM-to-VM communications
Segmentation/firewall
vSphere uses Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide
remote attestation of the hypervisor image based on hardware root of trust. The hypervisor image
comprises the following elements:
■ ESXi software (hypervisor) in VIB (package) format
■ Third-party VIBs
■ Third-party drivers
To leverage this capability, your ESXi system must have TPM and TXT enabled.
1. Enable TPM and document
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html
Cisco Trusted Platform Module
The Cisco Trusted Platform Module (TPM) is a computer chip that securely stores artifacts such as
measurements, passwords, certificates, or encryption keys, that are used to authenticate the Vblock™
Systems. The Cisco TPM provides authentication and attestation services that enable safer computing
in all environments.
The Cisco TPM module is available by default in Vblock Systems as a component within the Cisco UCS
M3 Blade Servers, and is shipped disabled. For more information, refer to the VCE Vblock™ Systems
Blade Packs Reference. Refer to Accessing VCE documentation.
VCE supports Cisco TPM hardware but does not support the Cisco TPM functionality. Using Cisco TPM
features involves using a software stack from a vendor with significant domain experience in trusted
computing. Consult your software stack vendor for configuration and operational considerations
relating to the Cisco TPMs.
ESXi Host Security
ESXi Host Firewall
ESXi includes a firewall between the management interface and the network. The firewall is enabled by
default.
This ESXi Firewall provides a new access control capability for ESXi. We need to configure this ESXi host
firewall to restrict access to services running on the host.
Some important points about this ESXi 5.x firewall:
• ESXi 5.x has a new firewall engine that is not based on iptables.
• The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and
communication with DHCP and DNS (UDP only) clients.
• The firewall is service oriented.
• Access to specific services can be restricted based on IP address/subnet mask.
• There is Host Profile support for the ESXi 5.x firewall.
• A new ESXCLI interface (esxcfg-firewall) is available in ESXi 5.x.
We can configure firewall properties to allow or deny access for a service or management agent. We can
also specify which networks are allowed to connect to each service that is running on the host.
Specify the startup policy: set the service or client startup option (automatically, manually, or start and
stop with host).
Fig.2 ESXi Host Security Profile
Fig.3 ESXi Host Firewall
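The restriction the text describes (each enabled service limited to the networks that need it) is easy to verify from the command line. The following is an added example, not VMware code or part of the original guide: it parses the text that `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` print and reports enabled rulesets that are open to every source or to sources outside the trusted networks. The sample output, the trusted subnets and the list of rulesets expected to be disabled are all constructed for the example.

```python
"""Audit ESXi 5.x firewall rulesets against a lab network policy.

Added example (not VMware's code): parses constructed samples of the
text printed by `esxcli network firewall ruleset list` and
`esxcli network firewall ruleset allowedip list` and reports enabled
rulesets that are not restricted to the trusted networks.
"""
import ipaddress
import re

# Constructed sample of `esxcli network firewall ruleset list`.
RULESET_LIST = """\
Name                     Enabled
-----------------------  -------
sshServer                   true
sshClient                  false
nfsClient                   true
dhcp                        true
dns                         true
snmp                        true
ntpClient                   true
CIMHttpServer               true
vMotion                     true
"""

# Constructed sample of `esxcli network firewall ruleset allowedip list`.
ALLOWED_IP_LIST = """\
Ruleset        Allowed IP Addresses
-------------  --------------------------
sshServer      All
nfsClient      All
dhcp           All
dns            All
snmp           10.10.1.0/24
ntpClient      10.10.1.5
CIMHttpServer  All
vMotion        10.10.2.0/24, 192.0.2.0/24
"""

# Assumed lab policy (values invented for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.10.1.0/24"),   # management network
                ipaddress.ip_network("10.10.2.0/24")]   # vMotion network
OPEN_TO_ALL_OK = {"dhcp", "dns"}                 # clients that genuinely need "All"
SHOULD_BE_DISABLED = {"sshServer", "CIMHttpServer"}


def parse_ruleset_list(text):
    """Return {ruleset: enabled_bool} from `ruleset list` output."""
    enabled = {}
    for line in text.splitlines()[2:]:          # skip header and dashed line
        parts = line.split()
        if len(parts) == 2:
            enabled[parts[0]] = parts[1].lower() == "true"
    return enabled


def parse_allowed_ip_list(text):
    """Return {ruleset: ["All"] or [host/CIDR strings]} from `allowedip list` output."""
    allowed = {}
    for line in text.splitlines()[2:]:
        m = re.match(r"(\S+)\s+(.+)$", line.strip())
        if m:
            allowed[m.group(1)] = [a.strip() for a in m.group(2).split(",")]
    return allowed


def _trusted(entry):
    """True if a host address or CIDR lies inside one of the trusted networks."""
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.subnet_of(trusted) for trusted in TRUSTED_NETS)


def audit(ruleset_text, allowed_text):
    """Return a sorted list of (ruleset, finding) tuples for policy violations."""
    enabled = parse_ruleset_list(ruleset_text)
    allowed = parse_allowed_ip_list(allowed_text)
    findings = []
    for name, is_on in enabled.items():
        if not is_on:
            continue
        if name in SHOULD_BE_DISABLED:
            findings.append((name, "enabled but policy says disabled"))
        sources = allowed.get(name, ["All"])    # esxcli reports "All" when unrestricted
        if sources == ["All"]:
            if name not in OPEN_TO_ALL_OK:
                findings.append((name, "open to all source IPs"))
        elif not all(_trusted(s) for s in sources):
            findings.append((name, "allowed sources outside trusted networks"))
    return sorted(findings)


if __name__ == "__main__":
    for name, why in audit(RULESET_LIST, ALLOWED_IP_LIST):
        print(f"{name:15s} {why}")
```

On a real host the two inputs would be captured with the esxcli commands named in the docstring; the policy sets at the top are what an auditor adjusts per site.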
Configure NTP Time Synchronization For ESXi Host
By ensuring that all systems are synchronizing to the time standard, we can make it simpler to track and
correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it
difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
We need to set the time configuration of the host to point to the NTP server (specify IP address) and start
the service.
It is recommended to synchronize the ESXi clock with a time server that is located on the management
network rather than directly with a time server on a public network. This time server can then
synchronize with a public source through a strictly controlled network connection with a firewall.
Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed
remotely from vCenter Server. Lockdown limits ESXi host access to the vCenter server. This is done to
ensure that the roles and access controls implemented in vCenter are always enforced and users cannot
bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the
risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly
audited is greatly reduced. Note: Lockdown mode does not apply to users who log in using authorized
keys. When you use an authorized key file for root user authentication, root users are not prevented from
accessing a host with SSH even when the host is in lockdown mode. Note that users listed in the
DCUI.Access directory for each host are allowed to override lockdown mode and login to the DCUI. By
default the "root" user is the only user listed in the DCUI.Access list.
Set DCUI (Direct Console UI) Access
Setting DCUI.Access allows only trusted users to override lockdown mode.
Lockdown disables direct host access, requiring admins to manage hosts from vCenter. However, if a host
becomes isolated from vCenter, the admin would become locked out and would be unable to manage the
host. To avoid potentially becoming locked out of an ESXi host that is running in lockdown mode, set
DCUI.Access to a list of highly trusted users that are allowed to override lockdown mode and access the
DCUI.
Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining information about
breaches of host security.
Remote logging to a central log host provides a secure, centralized store for ESXi logs. To facilitate this we
can use vSphere Syslog Collector tool.
By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. For
security purposes we can aggregate analysis and search to look for such things as coordinated attacks on
multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also
provides a long-term audit record.
Disable MOB (Managed Object Browser)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to
manage the host; it enables configurations to be changed as well. This interface is meant to be used
primarily for debugging the vSphere SDK, but because there are no access controls it could also be used
as a method to obtain information about a host being targeted for unauthorized access.
We cannot disable MOB while the host is in lockdown mode. We can disable MOB before we set the host
in lockdown mode.
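The lockdown, DCUI.Access, remote syslog and MOB items above all reduce to host settings that should be checked before a host goes into lockdown mode. The block below is an added example, not part of the guide or VMware's tooling: it parses the block format that `esxcli system settings advanced list` prints and returns the findings for the three settings discussed (Syslog.global.logHost, DCUI.Access, Config.HostAgent.plugins.solo.enableMob). The setting names are real; the sample values, the approved DCUI user list and the assumption that enableMob is reported as an integer are constructed for the example.

```python
"""Audit the ESXi advanced settings this guide hardens before lockdown:
remote syslog target, DCUI.Access override list, and the MOB switch.

Added example (not VMware's code): parses a constructed sample of
`esxcli system settings advanced list` output. Setting paths are the
real ones; values and the approved user list are invented.
"""

# Constructed sample output: one block per option, blank-line separated.
SAMPLE = """\
   Path: /Syslog/global/logHost
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value:
   Default String Value:
   Valid Characters: *
   Description: The remote host(s) to send syslog messages to.

   Path: /DCUI/Access
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value: root,svc-backup,jdoe
   Default String Value: root
   Valid Characters: *
   Description: List of users with DCUI access.

   Path: /Config/HostAgent/plugins/solo/enableMob
   Type: integer
   Int Value: 1
   Default Int Value: 1
   Min Value: 0
   Max Value: 1
   String Value:
   Default String Value:
   Valid Characters:
   Description: Enable Managed Object Browser (MOB).
"""

# Assumed lab policy: the only users allowed to override lockdown mode.
APPROVED_DCUI_USERS = {"root", "jdoe"}

MOB_PATH = "/Config/HostAgent/plugins/solo/enableMob"


def parse_advanced_settings(text):
    """Return {path: {field: value}} from `esxcli system settings advanced list` output."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Path":
            current = settings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return settings


def effective_value(setting):
    """String options carry their value in 'String Value', numeric ones in 'Int Value'."""
    if setting.get("Type") == "string":
        return setting.get("String Value", "")
    return setting.get("Int Value", "")


def audit(text):
    """Return sorted (path, finding) tuples for settings that violate the policy."""
    s = parse_advanced_settings(text)
    findings = []

    if not effective_value(s.get("/Syslog/global/logHost", {})):
        findings.append(("/Syslog/global/logHost", "no remote syslog host configured"))

    dcui = effective_value(s.get("/DCUI/Access", {}))
    users = {u.strip() for u in dcui.split(",") if u.strip()}
    extra = users - APPROVED_DCUI_USERS
    if extra:
        findings.append(("/DCUI/Access",
                         "unapproved lockdown override users: " + ", ".join(sorted(extra))))
    if not users:
        # An empty list locks every admin out if the host loses vCenter.
        findings.append(("/DCUI/Access", "empty list; host unreachable if isolated from vCenter"))

    # Assumption for the example: MOB is reported as integer 0/1.
    if effective_value(s.get(MOB_PATH, {})) not in ("0", "false"):
        findings.append((MOB_PATH, "MOB enabled; disable before entering lockdown mode"))
    return sorted(findings)


if __name__ == "__main__":
    for path, why in audit(SAMPLE):
        print(f"{path}: {why}")
```

The MOB check is ordered as the guide requires: it has to pass before lockdown mode is turned on, because MOB cannot be disabled afterwards.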
Zero-Out VMDK (before deletion)
To help prevent sensitive data in VMDK files from being read off the physical disk after it is deleted, the
virtual disk should be zeroed out prior to deletion. This will make it more difficult for someone to
reconstruct the contents of the VMDK file. The CLI command 'vmkfstools --writezeroes' (short form
'vmkfstools -w') can be used to write zeros to the entire contents of a VMDK file prior to its deletion.
Create A Non-Root Local Admin Account
ESXi 5.1 allows the creation of individual local user accounts. Being able to create individual local user
accounts on ESXi hosts eliminates the need to share or use the “root” accounts and passwords. This
approach helps mitigate one of the most common security risks. This approach facilitates better auditing
and traceability capabilities of the ESXi hosts.
Configure Host Profile
Monitoring Changes To The Configuration
Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of ESXi
hosts. Host profiles provide an automated method for monitoring host configurations against an
established template and for providing notification in the event that deviations are detected.
vSwitch Security
Reject “Promiscuous Mode”
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous
mode, it can listen to all the packets. By default, guest adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
Reject “MAC Address Changes”
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in
a network by impersonating a network adaptor authorized by the receiving network.
The Reject “MAC Address Changes” setting prevents VMs from changing their effective MAC address. It
will affect applications that require this functionality. An example of such an application is Microsoft
Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer-2
bridge will operate. This will also affect applications that require a specific MAC address for licensing. An
exception should be made for the port groups that these applications are connected to.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html
Reject “Forged Transmits”
By default this “forged transmits” setting is set to “Accept.” This means that the virtual switch does not
compare the source and effective MAC addresses. To protect against MAC address impersonation, all
virtual switches should have forged transmits set to “Reject.”
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
Fig.4 vSwitch Security
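Because a port group only overrides the switch-level policy when its override flag is set, the three settings have to be evaluated per port group, and the exceptions above (clustering, bridges, MAC-based licensing) need to be tracked explicitly. The following added example, not from the guide or from VMware, does that: it parses constructed samples of what `esxcli network vswitch standard policy security get -v <vswitch>` and `esxcli network vswitch standard portgroup policy security get -p <portgroup>` print, computes each port group's effective policy and reports every setting still at Accept that is not on an exception list. The switch and port group names, their values and the exception list are invented.

```python
"""Check vSwitch security policy (Promiscuous Mode, MAC Address Changes,
Forged Transmits must be Reject) with per-port-group exceptions.

Added example (not VMware's code). Inputs are constructed samples of
`esxcli network vswitch standard policy security get` and
`esxcli network vswitch standard portgroup policy security get` output.
"""

SETTINGS = ("Allow Promiscuous", "Allow MAC Address Change", "Allow Forged Transmits")

# Constructed sample: switch-level policy of vSwitch0 (two settings still Accept).
VSWITCH0 = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""

# Constructed samples: port-group policies on vSwitch0.
PORTGROUPS = {
    "VM Network": """\
   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false
""",
    "MSCS-Cluster": """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: true
""",
    "IDS-Span": """\
   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: true
""",
}

# Assumed exception list: port groups documented as needing Accept
# (here a Microsoft Clustering port group that shares a MAC address).
EXCEPTIONS = {
    "MSCS-Cluster": {"Allow MAC Address Change", "Allow Forged Transmits"},
}


def parse_policy(text):
    """Return {setting: bool} from the 'Name: true/false' lines esxcli prints."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            policy[key.strip()] = value.strip().lower() == "true"
    return policy


def effective_policy(vswitch_text, portgroup_text):
    """A port-group value applies only where its 'Override Vswitch ...' flag is true;
    otherwise the port group inherits the switch-level value."""
    sw = parse_policy(vswitch_text)
    pg = parse_policy(portgroup_text)
    return {s: pg[s] if pg.get("Override Vswitch " + s) else sw[s] for s in SETTINGS}


def audit(vswitch_name, vswitch_text, portgroups):
    """Return sorted (object, setting) pairs whose effective value is Accept
    and which are not covered by EXCEPTIONS. The switch itself is checked too,
    since the guide wants Reject on every virtual switch."""
    findings = []
    for setting, accepted in parse_policy(vswitch_text).items():
        if accepted and setting in SETTINGS:
            findings.append((vswitch_name, setting))
    for name, text in portgroups.items():
        for setting, accepted in effective_policy(vswitch_text, text).items():
            if accepted and setting not in EXCEPTIONS.get(name, set()):
                findings.append((name, setting))
    return sorted(findings)


if __name__ == "__main__":
    for obj, setting in audit("vSwitch0", VSWITCH0, PORTGROUPS):
        print(f"{obj}: {setting} is Accept")
```

In the sample, "VM Network" inherits the switch's two Accept settings, "IDS-Span" deliberately accepts promiscuous mode without being on the exception list, and "MSCS-Cluster" is clean because its overrides are documented exceptions.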
Network Security
Firewall internal
To safeguard the virtual machines’ resources, the system administrator lowers the risk of DoS and DDoS
attacks by configuring a resource reservation and a limit for each virtual machine. The system
administrator further protects the ESXi host and virtual machines by installing software firewalls at the
front and back ends of the DMZ, ensuring that the host is behind a physical firewall, and configuring the
networked storage resources so that each has its own virtual switch.
DMZ setup: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-A309590A-FFFC-45FF-95AD-43242F58D6B4.html
Allowed ports for management
This is the list of predetermined TCP and UDP ports used by vCenter, ESXi hosts and other network
components. Some ports are open by default at installation time, as indicated in this table by “(Default).”
Depending on our requirements and security reasons, we can configure the firewall to allow or reject
access to those TCP and UDP ports.
Port | Purpose | Traffic Type
22 | SSH Server | Incoming TCP
53 (Default) | DNS Client | Incoming and outgoing UDP
68 (Default) | DHCP Client | Incoming and outgoing UDP
161 (Default) | SNMP Server | Incoming UDP
80 (Default) | HTTP access: the default non-secure TCP Web port, typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web; port 80 redirects traffic to an HTTPS landing page (port 443). WS-Management. vSphere Fault Tolerance (FT) (outgoing TCP, UDP) | Incoming TCP; outgoing TCP, UDP
111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP
123 | NTP Client | Outgoing UDP
135 (Default) | Used to join vCenter Virtual Appliance to an Active Directory domain | Incoming and outgoing TCP
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers | Incoming and outgoing UDP
443 (Default) | HTTPS access (default SSL Web port): vCenter Server access to ESXi hosts; vSphere Client access to vCenter Server; vSphere Client access to ESXi hosts; WS-Management; vSphere Client access to vSphere Update Manager; third-party network management client connections to vCenter Server; third-party network management clients' access to hosts | Incoming TCP
513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP
902 (Default) | Host access to other hosts for migration and provisioning; authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd); vSphere Client access to virtual machine consoles; (UDP) status update (heartbeat) connection from ESXi to vCenter Server | Incoming and outgoing TCP, outgoing UDP
903 | Remote console traffic generated by user access to virtual machines on a specific host; vSphere Client access to virtual machine consoles; MKS transactions (xinetd/vmware-authd-mks) | Incoming TCP
1234, 1235 (Default) | vSphere Replication | Outgoing TCP
2049 | Transactions from NFS storage devices (this port is used on the VMkernel interface) | Incoming and outgoing TCP
3260 | Transactions to iSCSI storage devices | Outgoing TCP
5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP
5988 (Default) | CIM transactions over HTTP | Incoming TCP
5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP
8000 (Default) | Requests from vMotion | Incoming and outgoing TCP
8009 | AJP connector port for vCenter Virtual Appliance communication with Tomcat | Outgoing TCP
8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP
8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP, incoming and outgoing UDP
9009 | Used to allow a vCenter Virtual Appliance to communicate with the vSphere Web Client | Incoming and outgoing TCP
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html
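The table is only useful as a baseline if it is compared with what a host actually has open. The block below is an added example, not part of the guide or of VMware's tools: ALLOWED_PORTS encodes the incoming TCP and UDP ports from the table, `listening_ports` parses a constructed sample of the text `esxcli network ip connection list` prints, and `unexpected_listeners` returns every listener the table does not account for. The sample sockets, world names and the exact column layout are constructed for the example.

```python
"""Compare the sockets an ESXi host has open with the management port table.

Added example (not VMware's code). ALLOWED_PORTS is the incoming side of
the port table; CONNECTIONS is a constructed sample of
`esxcli network ip connection list` output.
"""
import re

# Incoming ports from the table: port (or (low, high) range) -> purpose.
ALLOWED_PORTS = {
    "tcp": {22: "SSH Server", 80: "HTTP access", 111: "RPC / NIS register (vCSA)",
            135: "vCSA Active Directory join", 443: "HTTPS access",
            902: "Migration, provisioning, vmware-authd", 903: "Remote console (MKS)",
            2049: "NFS", (5900, 5964): "RFB / VNC", 5988: "CIM over HTTP",
            5989: "CIM XML over HTTPS", 8000: "vMotion", 8100: "Fault Tolerance",
            8200: "Fault Tolerance", 8182: "vSphere HA", 9009: "vCSA / Web Client"},
    "udp": {53: "DNS Client", 68: "DHCP Client", 161: "SNMP Server", 427: "CIM SLPv2",
            513: "vCSA logging", 8100: "Fault Tolerance", 8200: "Fault Tolerance",
            8182: "vSphere HA"},
}

# Constructed sample of `esxcli network ip connection list` output.
CONNECTIONS = """\
Proto  Recv Q  Send Q  Local Address    Foreign Address   State        World ID  World Name
-----  ------  ------  ---------------  ----------------  -----------  --------  ----------
tcp         0       0  0.0.0.0:443      0.0.0.0:0         LISTEN          35000  hostd
tcp         0       0  0.0.0.0:22       0.0.0.0:0         LISTEN          34000  busybox
tcp         0       0  0.0.0.0:902      0.0.0.0:0         LISTEN          34200  busybox
tcp         0       0  0.0.0.0:5900     0.0.0.0:0         LISTEN          36000  vmx
tcp         0       0  0.0.0.0:4444     0.0.0.0:0         LISTEN          37000  unknown-svc
tcp         0       0  10.10.1.20:443   10.10.1.10:51522  ESTABLISHED     35000  hostd
udp         0       0  0.0.0.0:161      0.0.0.0:0                         33000  snmpd
udp         0       0  0.0.0.0:514      0.0.0.0:0                         38000  unknown-svc
"""


def is_allowed(proto, port):
    """True if the port is listed for that protocol, honouring ranges like 5900-5964."""
    for key in ALLOWED_PORTS[proto]:
        if key == port or (isinstance(key, tuple) and key[0] <= port <= key[1]):
            return True
    return False


def listening_ports(text):
    """Return sorted (proto, port, world_name) for listening TCP sockets and all UDP sockets."""
    found = set()
    for line in text.splitlines()[2:]:          # skip header and dashed line
        parts = line.split()
        if len(parts) < 4:
            continue
        proto, local = parts[0], parts[3]
        m = re.search(r":(\d+)$", local)
        if not m:
            continue
        if proto == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue                            # established/closing sockets are not listeners
        found.add((proto, int(m.group(1)), parts[-1]))
    return sorted(found)


def unexpected_listeners(text):
    """Listeners that the port table does not account for, with the owning world."""
    return [entry for entry in listening_ports(text) if not is_allowed(entry[0], entry[1])]


if __name__ == "__main__":
    for proto, port, world in unexpected_listeners(CONNECTIONS):
        print(f"{proto}/{port} ({world}) is not in the allowed port table")
```

Anything this reports is either a documentation gap (add it to the table with its purpose) or a service that should not be running on a hardened host.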
Firewall external
More:
http://www.vmware.com/go/compliance
http://www.vmware.com/go/security/
http://www.vmware.com/go/vmsafe/ (information about VMsafe technology for protection of virtual machines, including a list of partner solutions)
SECURITY MANAGEMENT
vCloud Networking and Security (vCNS)
vCNS provides basic networking and security functionality for virtualized compute environments, built
using the VMware vCloud® Suite. It provides a broad range of services delivered through virtual
appliances, such as a virtual firewall, virtual private network (VPN), load balancing, NAT, DHCP, and
VXLAN-extended networks.
Components of vCNS:
1. vShield Manager
2. vShield App
3. vShield Edge
4. vShield Endpoint
5. vShield Data Security
vShield Manager
vShield Manager is the central point of control for all vShield solutions and integrates seamlessly with
VMware vCenter to offer role-based access control and administrative delegation in a unified framework
for managing virtualization security.
Fig.5 vShield Manager Web Interface
Fig.6 vShield integrated with VMware vCenter
vShield Manager Installation
Procedure
1. Log in to the vSphere Client and deploy the vShield Manager from the OVA file.
2. Once the installation has been completed, the vShield Manager is installed as a virtual machine in our
vSphere inventory.
3. Power on the vShield Manager virtual machine.
4. Login to the vShield Manager virtual console and set the IP address.
5. Login to the Web GUI for further configurations (vCenter, SSO/Lookup Sever, DNS, NTP settings).
6. Login to the vSphere Client and select the ESX host where the vShield Manager resides. Verify that
vShield appears as a tab. You can then install and configure vShield components from this vSphere
Client.
vShield App
A hypervisor-based firewall that protects applications in the virtual data center from network-based
attacks. The vShield App provides the stateful inspection firewall that is applied at the virtual network
interface card (vNIC) level directly in front of specific workloads.
vShield App needs to be installed on each ESXi host where the VMs to be protected by it reside. For
example, install vShield App on each ESXi host in a cluster so that VMware vMotion operations work and
virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual
appliance cannot be moved by using vMotion.
The System Status option lets us view the health of a vShield App. Details include system statistics,
status of interfaces, software version, and environmental variables.
Fig.7 vShield App Status
There are two main components provided by vShield App: Flow Monitoring and App Firewall.
Flow Monitoring
Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on our virtual
network that passes through a vShield App. The Flow Monitoring output defines which machines are
exchanging data and over which application. This data includes the number of sessions, packets, and
bytes transmitted per session. Session details include sources, destinations, direction of sessions,
applications, and ports being used. Session details can be used to create firewall allow or block rules.
Fig.8 vShield App Flow Monitoring
App Firewall
The App Firewall service is a centralized firewall for ESX hosts. App Firewall enables us to create rules
that allow or block access to and from our virtual machines. Each installed vShield App enforces the App
Firewall rules. Example of the basic rule that allows everything is shown in the following figure:
Fig.9 vShield App Firewall
vShield App Fail-Safe Setting
By default, traffic is blocked when the vShield App appliance fails or is unavailable. We can change the
fail-safe mode to allow traffic to pass. Refer to the figure below.
vShield App Exclusion List
We can exclude a set of virtual machines from vShield App protection. This exclusion list is applied
across all vShield App installations within the specified vShield Manager.
The vShield Manager and service virtual machines are automatically excluded from vShield App
protection. We should exclude the vCenter server and partner service virtual machines as well to allow
traffic to flow freely.
Fig.10 vShield app fail-safe and exclusion list
vShield App Installation
Notes:
If the vCenter Server or vCenter Server database virtual machines are on the ESX host on which we are
installing vShield App, we need to migrate them to another host before installing vShield App.
During the installation process, this warning will be highlighted (“Do not install on a host or cluster
where the VC or vShield Manager reside.”) Refer to the figure below.
Fig.11 vShield App Installation Process
Procedure:
1. Log in to the vSphere Client and select an ESX host from the inventory tree.
2. Click the vShield tab and then click Install for the vShield App service.
3. Under vShield App, provide the following information: Datastore, Management Port Group, IP
Address, Netmask, and Default Gateway.
4. Click Install.
Example Of vShield App Firewall Blocking Rule
For example, if we want to block a VM from SSH service, we set the Firewall Rule to block the SSH traffic
from that VM.
Fig.12 Set the firewall blocking rule
Test the rule by attempting to open an SSH session from the VM; the connection fails with an error.
Fig.13 SSH service is blocked
vShield App Flow Monitoring detects that blocked SSH flow.
Fig.14 Flow monitoring detects blocked traffic
Fig.15 Flow monitoring provides the details about the blocked traffic
vShield Edge
Provides network edge security and gateway services to isolate a virtualized network, or virtual
machines in a port group, vDS port group, or Cisco Nexus 1000V port group. The vShield Edge provides
the stateful inspection firewall that is applied at the perimeter of the virtual data center.
vShield Edge Installation
1. Log in to vSphere Client and select Network Virtualization tab on the data center resource from the
inventory tree.
2. Click Edges and then click Add to add the vShield Edge.
3. Type a name for the vShield Edge VM.
4. Set CLI user name and password. You can also enable SSH access if required.
5. Add Edge Appliance.
6. Add Interfaces (Internal and Uplink Interfaces). Configure Subnets.
7. Configure the Default Gateway.
8. Configure the Default Firewall Policy.
9. Install the vShield Edge.
vShield Edge Gateway And Isolated Network Configuration.
Once the vShield Edge has been installed, you can check the status of this vShield Edge.
Fig.16 vShield Edge status
To create the gateway service for isolated network you need to configure the uplink and internal
interfaces of the vShield Edge.
vShield Edge will act as the gateway between private and public networks.
Fig.17 vShield Edge connectivity diagram
Fig.18 vShield Edge interfaces—uplink and internal
You also need to configure SNAT (Source Network Address Translation) to give the isolated VMs (VMs
residing on the isolated network) access to the external network (Internet). This SNAT rule is configured
to translate a private internal (isolated) IP address into a public IP address for outbound traffic.
The translated (public) IP address must have been added to the vShield Edge interface on which you
want to add the rule.
Fig.19 vShield Edge—source NAT configuration
To control the security of the outbound traffic you can configure the vShield Edge Firewall Service.
Fig.20 vShield Edge—firewall rule
vShield Edge has the traffic monitoring tools to provide interface throughput statistics.
Fig.21 vShield Edge—interface throughput statistics
vShield Endpoint
Off-loads antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered
by VMware partners.
vShield Endpoint is installed as a hypervisor module and security virtual appliance from a third-party
antivirus vendor (VMware partners) on an ESX host. With this vShield Endpoint on the hypervisor level,
it can scan guest virtual machines without the need for agents in every virtual machine.
vShield Endpoint Installation
Select the vShield Tab on the ESXi Host level in the vCenter Inventory Tree, and click Install.
Fig.22 vShield Endpoint installation
Testing Requirements:
1. After you have installed vShield Endpoint on the ESXi host, you need to deploy and configure a
security virtual machine (SVM) to each ESX host according to the instructions from the anti-virus
solution provider.
2. Install the latest version of VMware Tools released for the version of ESX that is on all virtual
machines to be protected. VMware Tools include the vShield Thin Agent that must be installed on each
guest virtual machine to be protected. To include this vShield component with the VMware Tools, you
need to select Interactive Tools Installation or Interactive Tools Upgrade. In the Setup Type wizard, you
can select the Custom option and from the VMware Device Drivers list, select VMCI Driver, then select
vShield Driver.
Fig.23 vShield Endpoint on ESXi host
3. Use the Security Virtual Appliance’s Management User Interface to manage the SVM/SVA, e.g.,
download the latest AntiVirus Signature, set the scanning schedule, set policy to handle virus and to
initiate scanning process.
Fig.24 vShield Endpoint and 3rd party security virtual appliance—flow control
Fig.25 vShield Endpoint status and events log
vShield Data Security
Provides visibility into sensitive data stored within your organization's virtualized and cloud
environments.
vShield Data Security Installation
1. You need to install vShield Endpoint on the ESXi host before you can install vShield Data Security.
2. Log in to vSphere Client and select the ESXi host from the Inventory Tree.
3. Select vShield Tab and click Install next to the vShield Data Security Option.
4. Specify Data Store, Management Port Group, and set the IP address, Netmask and Default Gateway
for the vShield Data Security Appliance.
5. Click Install.
vShield Data Security Policy
To begin using vShield Data Security, you need to create a policy that defines the regulations that apply
to data security in your organization and specifies the areas of your environment and files to be
scanned. A regulation is composed of content blades, which identify the sensitive content to be
detected. vShield supports PCI, PHI, and PII-related regulations only.
Fig.26 vShield data security with HIPAA regulation setting (based on PHI/PII category)
vShield Data Security provides a report (e.g., the number of violations and their details).
Fig.27 vShield data security report
Testing shows that vCNS vShield Data Security detects HIPAA regulation violations.
Fig. 28 vCNS vShield data security scan completed report
Fig.29 vCNS vShield Data Security report detail
From the Scan History you can see that the vShield Data Security is also able to detect new data.
Fig.30 vCNS vShield Data Security scan history
Testing Requirements
1. Set the Policy—regulations and standards to detect:
● HIPAA (Health Insurance Portability and Accountability Act)
● HIPAA (Health Insurance Portability and Accountability Act) Low Threshold
● PCI-DSS (Payment Card Industry Data Security Standard)
2. Define the Security Group that you want to include in the scan (or use default if you want to scan the
entire vCenter Inventory).
Fig.31 Define the security group for the scan’s participating areas
3. Define Files to Scan.
For example, based on the modified date/time.
Fig.32 Define files to scan
4. Create and store test data with “Privacy” information on the test system.
Example of data for HIPAA test
============
Medical Record Number: PHI-123-900
Account Number: SUP-456-876
SSN: 098765
Date of Birth: 01/01/1980
E-mail Address: super@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Super Duper Yummy
Patient ID: A-345-678
Physician Name: Dr. Very GOOD
Health: Injured
Virus: Influenza
Blood: A+
U.S. Address:
10240 Sorrento Valley Rd
San Diego, California
92121
Medical Record Number: PHI-123-901
Account Number: SUP-456-877
SSN: 098766
Date of Birth: 01/01/1981
E-mail Address: peter@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Peter Pan
Patient ID: A-345-679
Physician Name: Dr. Very GOOD
Health: Accident
Virus: Chicken Pox
Blood: B+
Medical Record Number: PHI-123-902
Account Number: SUP-456-878
SSN: 098767
Date of Birth: 01/01/1982
E-mail Address: mickey@yummy.com
Date of Admission: 01/12/2004
Date of Discharge: 01/08/2005
Test Result: Negative
Patient Name: Mickye Mouse
Patient ID: A-345-680
Physician Name: Dr. Very GOOD
Health: Negative
Virus: Super Virus
Blood: O
=============
Example for PCI test
===============
Credit Card Number
Patients
1.
Name: SuperDuper
Account: 65758
Master Card
Credit Card Number: 5111-1111-1111-1118
Expiration Date:
Expire: 07/07/2015
2.
Name:Looney Tunes
Account: 768690
American Express
Credit Card Number: 3111-1111-1111-1117
Expiration Date:
Expire: 07/08/2015
3.
Name:Scooby Doo
Account: 998690
VISA
Credit Card Number: 4111-1111-1111-1111
Expiration Date:
Expire: 07/08/2015
================
5. Initiate scan
Click the Start button to run the scan.
vShield Data Security Virtual Appliance will communicate with the Objects in the defined Security Group
through the vShield Endpoint and VMware Tools’ vShield driver.
Fig.33 vShield Data Security—flow control
6. Once the scan is done, it will stop by itself and you can see the Report.
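To show what a content-classification scan has to do with seeded test data like the PCI sample above, here is an added example (it is not vShield Data Security's own logic): it finds candidate card numbers by pattern and then confirms them with the Luhn checksum, which is how DLP engines typically separate real card numbers from look-alike digit runs. The sample text is the PCI test data from this guide; the issuer prefix table is a simplified assumption, not a real BIN list.

```python
"""Pattern + Luhn classifier for payment-card numbers (added example; not
vShield Data Security's logic).  The sample text is the PCI test data from
this guide; ISSUERS is a simplified, assumed prefix table."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed, simplified issuer prefixes; real BIN tables are far larger.
ISSUERS = (
    ("4", "Visa"),
    ("34", "American Express"), ("37", "American Express"),
    ("51", "Mastercard"), ("52", "Mastercard"), ("53", "Mastercard"),
    ("54", "Mastercard"), ("55", "Mastercard"),
)

# PCI test data copied from the guide's "Example for PCI test" (not real cards).
SAMPLE_PCI_TEXT = """Credit Card Number
Patients
1.
Name: SuperDuper
Account: 65758
Master Card
Credit Card Number: 5111-1111-1111-1118
Expire: 07/07/2015
2.
Name:Looney Tunes
Account: 768690
American Express
Credit Card Number: 3111-1111-1111-1117
Expire: 07/08/2015
3.
Name:Scooby Doo
Account: 998690
VISA
Credit Card Number: 4111-1111-1111-1111
Expire: 07/08/2015
"""


@dataclass(frozen=True)
class Finding:
    raw: str            # candidate as it appeared in the text
    digits: str         # separators stripped
    luhn_valid: bool    # passed the checksum
    issuer: str         # issuer guessed from the leading digits


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def issuer_for(digits: str) -> str:
    for prefix, name in ISSUERS:
        if digits.startswith(prefix):
            return name
    return "unknown"


def scan_text(text: str) -> list[Finding]:
    """Every pattern hit, valid or not, so a reviewer can see what was rejected."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append(Finding(m.group(0), digits, luhn_valid(digits), issuer_for(digits)))
    return findings


def confirmed_cards(text: str) -> list[str]:
    """Only checksum-valid candidates are reported as violations."""
    return [f.digits for f in scan_text(text) if f.luhn_valid]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_PCI_TEXT):
        print(f"{f.raw}  luhn={'ok' if f.luhn_valid else 'FAIL'}  issuer={f.issuer}")
```

Note that the third seeded card (3111-1111-1111-1117) fails the checksum and is also not a 15-digit American Express number, so a checksum-aware classifier reports two confirmed numbers where a pattern-only match would report three. Keep that in mind when judging whether a scan "missed" a seeded record: seed data that is meant to be found should pass the same validation the scanner applies.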
BMC Server Automation
BMC Server Automation is part of the BMC BladeLogic Automation Suite. In terms of compliance, BMC
Server Automation helps IT organizations achieve and maintain compliance by defining and applying
configuration policies. When a server or application configuration deviates from policy, the necessary
remediation instructions can be configured to be either automatically or manually deployed on the
server.
BSA Architecture
A BMC Server Automation system has a three-tier architecture that consists of client, server, and middle
tiers.
Client Tier
Client Tier is the interface through which the user accesses the BMC Server Automation Application. This
includes:
● The BMC Server Automation console, a graphical user interface (GUI)
● A command line interface (BLCLI) that provides application programming interface (API)-level
access to the functionality available through the console
● Network Shell for ad hoc administration of one or more servers. Network Shell is a network
scripting language that enables cross-platform access through a command line interface.
● A web interface to the BMC BladeLogic Decision Support for Server Automation server
Server Tier
This is a tier for servers managed by BMC Server Automation. In order for these servers to be managed
by BMC Server Automation, the RSCD agent needs to be deployed on remote servers. The BMC Server
Automation Application Server communicates with RSCD agents and initiates all communication to
perform ad hoc and scheduled tasks.
Middle Tier
In this tier, the primary component is the Application Server, which controls communication between
the BMC Server Automation console (Client Tier) and remote servers (Server Tier). It also controls
interaction with the database and file servers.
Fig.34 BMC server automation three-tier architecture
Installation
BSA Database Server
1. For BSA-Database Server, install MS SQL Server 2008 R2.
2. Create a database for BSA, create a user login for BSA, and configure user mapping to give db_owner
database role to the BSA user.
3. Run the BSA external script to load the database schema.
BSA File Server Agent
1. Run the RSCD (Remote System Call Daemon) agent installer.
2. You can edit the agent security exports file with the entry * rw,user=Administrator. This maps all
inbound connections to the Administrator user.
BSA Application Server
1. Run the BSA Application Server installer
2. Set the password
3. Configure the BSA Application Server—Set the Database connection (database type, database server,
database name, user ID, password
4. Define the BSA File Server and file server storage location
5. Set password for RBACAdmin and BLAdmin users
BSA GUI Console
1. Run the BSA Console installer
2. Install together with the Network Shell Client utility
3. Run to the BSA Console and create the default Profile, define the Application Server and
Authentication method. (e.g. Secure Remote Password)
4. Log in to Console with that profile and user password (BLAdmin user)
5. Run blcontent from the network shell console to load some BSA initial samples and configurations
BSA Compliance Module
1. Run the Compliance Content installer
2. With the Custom Setup, you can select which Compliance Content Templates you want to install (e.g.,
HIPAA, PCI, SOX)
Fig.35 BMC server automation—compliance templates—HIPAA
Testing Requirement
For testing, you installed and configured all mid-tier components on a host. You also installed the BSA
console on the same host.
The following components were installed on a Windows 2008 R2 VM:
- BSA Database Server
- BSA File Server Agent
- BSA Application Server
- BSA Console
- BSA Compliance Module
Also, configure another server to be managed by the BSA—install RSCD Agent on this server.
Setting Discovery Job
1. Create a template under HIPAA folder to discover server with Windows 2008 or 2008 R2 Operating
Systems
2. Define the rule for discovery
Fig.36 Rule definition for discovery
3. Run the Discover Job based on that template. Once it is done, check the discovery result.
Fig.37 BSA discover result
Setting Policy-Based Compliance Audit
For this testing, you used the HIPAA template for the policy-based compliance audit.
1. Select the Compliance Template that you want to run. (e.g. HIPAA). Create the Compliance Job.
Fig.38 BSA compliance job
2. Run and check the result
Fig.39 BSA compliance result
3. You can export the result as a report (e.g. html format).
Fig.40 Compliance report exported into HTML format
BMC BladeLogic Decision Support For Server Automation
BMC BladeLogic Decision Support for Server Automation is a web-based application that uses the IBM
Cognos Business Intelligence and a central reports data warehouse (the database for storing data used
in reports).
This BBDSSA provides the ETL (Extract, Transform, and Load) tool to transfer and transform data from
the BSA databases and populates the reports data warehouse. The reporting web application reads data
from the reports data warehouse.
An Apache web server delivers reporting information to web browsers.
Installation
1. Install a Remote System Call Daemon (RSCD) agent (installed and licensed)
2. Install BMC Server Automation Network Shell version 8.1 or later
3. Install Database (e.g. Microsoft SQL Server) and MS SQL client software
4. Create the following databases:
- BSARA_DW_DB
- BSARA_ETL_MASTER_DB
- BSARA_ETL_WORK_DB
- BSARA_PORTAL_DB
5. Create SQL Server Users and configure these users as database owner of their own corresponding
databases:
- BSARA_DW
- BSARA_ETL_MASTER
- BSARA_ETL_WORK
- BSARA_PORTAL_DB
6. Create data warehouse schema on SQL Server
7. Run the BBDSSA installer
8. Configure BBDSSA after installation
Testing Requirement
For testing go through the following steps:
1. Create and Run discovery Job (e.g. to discover windows server)
2. Create and Run Snapshot Job
3. Run ETL
4. Verify Report
Fig.41 Example of BBDSSA report (server configuration report)
BMC BladeLogic Atrium Integration
The BMC BladeLogic Atrium Integration enables you to share data about the endpoint computers in
your BMC Server Automation system with the BMC Atrium CMDB.
To transfer discovered data from the BMC Server Automation database to BMC Atrium CMDB, the
discovered data is first transferred from the BMC Server Automation database to the BMC BladeLogic
Decision Support for Server Automation database by using the extract, transform, and load (ETL) tool.
The Bladelogic Atrium Integration uses the AIE (Atrium Integration Engine) to do the following:
● Define data exchange and data mapping parameters
● Pull data from the BMC BladeLogic Decision Support for Server Automation database
● Insert the data into the BMC Atrium CMDB with the BMC BladeLogic Import Dataset
BSA Atrium Integration Diagram
Fig.42 BSA Atrium Integration
Installation
Prior to the BladeLogic Atrium Integration installation, you need to have the following components:
— BMC Server Automation Application Server
— BMC Server Automation Console on the computer where BMC BladeLogic Atrium Integration is to be
installed
— BMC BladeLogic Decision Support for Server Automation
— BMC Remedy AR System
— BMC Atrium CMDB
— BMC Atrium Integration Engine
1. Run ETL first before installing the BladeLogic Atrium Integration
2. Run the installer
3. After installation, you need to run the procedure to add domain names to the servers in BSA.
4. Create indexes on BMC_BaseElement form
5. Activate the data exchanges in the BMC Atrium Engine Data Exchange Console
6. Enable the BMC BladeLogic Atrium Integration
Testing Requirement
1. Run BSA Discovery and Snapshot Job
2. Run ETL
3. Verify that the Data has been transferred to Atrium CMDB.
Fig.43 Data transferred from BSA
Customizing Data Mapping Between BSA And CMDB
If needed, you can customize the data mappings on BMC Server Automation to control what to transfer.
To configure this data mapping you select Atrium Integration menu from BSA console and choose BL to
Atrium Customization option.
Transferring Business Service Data From Atrium CMDB To BSA
Transferring data from BMC Atrium CMDB to the BMC Server Automation database pulls business
service information from BMC Atrium CMDB and associates it with the corresponding servers in BMC
Server Automation as a custom property.
Configuration And Testing
1. Configure Atrium Integration connectivity to the CMDB / AR system.
2. Configure Atrium Import Job (e.g., the production dataset that will be used for the import job and the
business service class name).
Fig.44 Atrium Import Job Configuration (CMDB data set name, business service class name)
Fig.45 Atrium Import Job Configuration (CI relationship, BladeLogic custom property)
3. Test by creating the Business Service in CMDB and set the relationship between server and Business
Service.
Fig.46 Business Service in CMDB
4. Run the Atrium Import Job.
5. Verify that the Business Service field of the server in BSA is populated with the info from CMDB.
Fig.47 Business Service property for the server
6. Then, you can create Server Smart Group based on this Business Service classification.
Fig.48 BSA Server Smart Group based on Business Service
Denial Of Service
By default, ESXi imposes a form of resource reservation by applying a distribution algorithm that divides
the available host resources equally among the virtual machines, while keeping a certain percentage of
resources for use by other system components. This default behavior provides a degree of natural
protection from DoS and distributed denial-of-service (DDoS) attacks. You can set specific resource
reservations and limits on an individual basis to customize the default behavior so that the distribution is
not equal across the virtual machines.
DATA PROTECTION–ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION
Virus Scanning
vCNS vShield Endpoint And VMware Partner’s AntiVirus And AntiMalware Software
Configuration And Patch Management
Integrated Solution
Converged Infrastructure needs to be managed as a whole system and not only by individual
components.
An example of an integrated solution for managing vBlock Converged Infrastructure:
1. SupernaNet.Connect
2. VCE Vision™ software
3. VMware vCenter
4. BMC CMDB
SupernaNet.Connect
SupernaNet.Connect CMDB connector for BMC leverages VCE Vision software and VMware vCenter to
provide a single integration point for automating CMDB CI discovery along with logical to physical
topology with fully automated CI relationships created in the CMDB.
Fig.49 SupernaNet.Connect dashboard
The connector discovers Vblock Systems components, relationships, physical topology, and creates the
CI objects to represent the Vblock Systems in the CMDB. In addition to physical CI discovery and
synchronization, the Connector retrieves virtual machine, ESX host and data store objects from vCenter
and maps the logical resources to the physical by creating CI objects and relationships dynamically.
VCE Vision Software
VCE Vision software enables and simplifies converged operations. The software acts as a mediation layer
between the Vblock Systems and data center management tools, dynamically informing those tools
about Vblock Systems.
Fig.50 VCE Vision Software discovers Vblock Systems—converged infrastructure details
VMware vCenter
VMware® vCenter Server™ provides a centralized platform for managing your VMware vSphere®
environments.
Fig.51 vSphere web client accessing vCenter
BMC CMDB
BMC Atrium CMDB is a configuration management database system to manage data from across IT and
create a more efficient IT infrastructure.
Fig.52 BMC Atrium Core Console—list of CI in CMDB data set
Fig.53 BMC Atrium Explorer shows relationships between CIs
Fig.54 BMC ITSM—asset management
Manual Tagging For Compliant CIs
vCenter Inventory Tagging
In vSphere 5.1 and 5.5 there is a new feature that further enhances the search capabilities called tags.
Tags let you create custom labels and/or metadata and apply them to any object within the vCenter
inventory. These tags are fully searchable, so you can run granular searches on the attached
labels and metadata to reduce the time needed to retrieve information. You can also use this tagging
feature to tag objects that are part of a compliant configuration. For example, in the following figure we set
the HIPAA tag on the VM that is part of the HIPAA compliant setup.
Fig.55 vCenter Inventory Tagging
With this vCenter Inventory Tagging, you can quickly search for any vCenter objects that have a specific
tag (e.g. the HIPAA tag).
Fig.56 vCenter Search Object based on tagging
BMC CMDB Tagging
In BMC CMDB you can set additional tagging for configuration items to enable these CIs to be searched
based on their tagging. For example, you can utilize the CITag attribute of the CI to specify that it is
compliant to HIPAA.
Fig.57 BMC CMDB tagging
Automatic Tagging For Compliant CIs
SupernaNet.Connect Mapping File
You can set the BMCMapping.xml file on SupernaNet.Connect to map the compliant info to the BMC
CMDB attribute. For example, you set BMCMapping.xml file to map HIPAA to CITag CMDB Attribute.
In BMCMapping.xml file, you add the following configuration:
<TargetAttribute name="CITag" value="HIPAA" type="String"/>
After you have updated the BMCMapping.xml file, you also need to generate the new version info and
update the BMCConfig.xml file with the new generated version info.
For example:
<VersionInfo invalidversionssupported="false">
<SupportedVersion name="NCrmZNFMNCHPtW2VDLD7Yg=="/>
<SupportedVersion name="KMplTPQWNCHPtW2VDLD7Yg=="/>
</VersionInfo>
Then, you run the SupernaNet.Connect synchronization to sync the update to the CMDB.
Now your CMDB is populated with the CITag info.
Fig.58 CMDB with CITag info
Fig.59 CI Property with CITag info
Monitoring
In order to monitor in-scope devices and to find alarms and events related to potential
noncompliance, security, or authorization issues on Vblock Systems, the CA Nimsoft Monitor product
combined with the SupernaNET.Converge Probe for Nimsoft with compliance enhancements lets you
select in-scope objects for monitoring and highlights, on the probe's UMP Dashboard, any VM or Vblock
Systems component that has raised an alarm.
The screen shot below shows how the probe simplifies the monitoring function for compliance.
IDENTITY AND ACCESS MANAGEMENT
The authentication system will divide application OS and infrastructure into two separate unrelated user
domains for AAA. This will ensure that a compromise in the management domain will not translate into
a compromise in the application management domain.
LoginTC two-factor authentication will be used to secure the following login access:
1. Infrastructure Domain
   a. vCenter SSO → OpenLDAP
      i. Add a vCenter Single Sign On Identity Source
      ii. Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
      iii.
2. Application Domain
LoginTC For OpenVPN
The LoginTC Radius Connector enables OpenVPN to use LoginTC for the two-factor authentication.
Diagram for the Basic Infrastructure of LoginTC Radius Flow: (Ref: LoginTC web site)
Components for this solution:
LoginTC Cloud Domain
You need to create a Radius Domain for the Radius Connector configuration. To create this domain, you
need to log in to the LoginTC Cloud admin (https://cloud.logintc.com/panel/login) as the administrator
user. For this login, you need the token from the LoginTC app.
Once you have logged in to the LoginTC Cloud admin web console panel, you can create a domain for
Radius Connector:
Each LoginTC Cloud has a unique API key and each domain has a unique Domain ID. You need this key
and ID for the connector configuration. The API key is found on the LoginTC Cloud Settings page. The
Domain ID is found on the domain settings page.
Fig.60 API Key
Fig.61 Domain ID
LoginTC Radius Connector
LoginTC Radius Connector is a Virtual Appliance that can be deployed on ESXi host (or VirtualBox). This
Virtual Appliance requires 1 GB RAM and 8 GB of disk space.
First, log in via the virtual console to configure the network settings. Then you can log in via
SSH for further configuration.
Connector Configuration
You need to create a configuration file (/opt/logintc/conf/client.cfg)
[logintc]
api_key=ZPjeNQ6mzfqR6okzLb55zVu5dVn1stPDdLmyKQ1nKPrqQRlwoBcPtSyw23AumXFx
#domain_id=a7641569669c5322db4d64e2fb4e79ef2fbfe2b0
domain_id=06902ff4b82d99c75484ebae71e2236f54f0b494
[ldap]
host=sup-pcidc-01.pci.superna.net
bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
bind_password=GoSuperna!
base_dn=dc=pci,dc=superna,dc=net
attr_username=sAMAccountName
attr_name=displayName
attr_email=mail
filter=(objectClass=person)
[client]
name=OpenVpn
ip=172.16.84.20
secret=bigsecret
authentication=ldap,logintc
OpenVPN
Install the OpenVPN Radius Plugin on the OpenVPN server.
Configure the OpenVPN (server.conf file)
local 172.16.84.20
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
push "redirect-gateway def1"
server 10.0.10.0 255.255.255.0
push "dhcp-option DNS 172.16.84.12"
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 5
management localhost 7505
reneg-sec 0
Configure the Radius Plugin:
# The NAS identifier, which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type, which is sent to the RADIUS server
Service-Type=5
# The framed protocol, which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type, which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address, which is sent to the RADIUS server
NAS-IP-Address=172.16.84.20
# Path to the OpenVPN configuration file. The plugin searches for:
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client configuration in client configuration file directory
# default is true
overwriteccfiles=true
# Allows the plugin to use authorization control files if OpenVPN (>= 2.1 rc8) provides them
# default is false
# useauthcontrolfile=false
# Only the accounting functionality is used. If no user name is forwarded to the plugin, the common name of the certificate is used
# as user name for radius accounting
# default is false
# accountingonly=false
# If the accounting is nonessential, nonfatal accounting can be set to true.
# If set to true, all errors during the accounting procedure are ignored, which can be:
# - radius accounting can fail
# - FramedRouted (if configured) may not be configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true, the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false
# Path to a script for vendor specific attributes
# Leave it out if you don't use an own script
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsa script.
# Leave it out if you don't use an own script
# vsanamedpipe=/tmp/vsapipe
# A radius server definition (there could be more than one).
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=172.16.84.17
# How many times should the plugin send the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=60
# The shared secret (one word; it must match secret= in the connector's [client] section).
sharedsecret=bigsecret
}
#server
#{
#   # The UDP port for radius accounting
#   acctport=1813
#   # The UDP port for radius authentication
#   authport=1812
#   # The name or ip address of the radius server
#   name=127.0.0.1
#   # How many times should the plugin send the request if there is no response?
#   retry=1
#   # How long should the plugin wait for a response?
#   wait=1
#   # the shared secret
#   sharedsecret=testpw
#}
LDAP
Create an LDAP (Active Directory) user for the LoginTC Radius Connector. Provide this user information
in LoginTC Radius Connector’s client.cfg file. Set the LDAP as the first factor authentication and LoginTC
as the second factor authentication.
User
For this two-factor authentication with LDAP/Active Directory and LoginTC, create a user in both Active
Directory and LoginTC Radius domain.
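The Connector Configuration, OpenVPN, LDAP and User sections above describe a chain in which OpenVPN, its RADIUS plugin, the LoginTC Radius Connector and Active Directory all have to agree on a handful of values: the shared secret, the NAS address and identifier, the RADIUS ports and the first-factor/second-factor order. The following added example (not LoginTC's or the plugin's own tooling) parses the three files and reports any mismatch before the first login fails with an unexplained RADIUS reject. The embedded file contents are constructed for the example: the addresses are the lab's, the API key, bind password and shared secret are placeholders.

```python
"""Consistency check across client.cfg (LoginTC Radius Connector),
radiusplugin.cnf (OpenVPN RADIUS plugin) and server.conf (OpenVPN).
Added example, not LoginTC's or the plugin's own tooling.  The embedded
contents are constructed: lab addresses from this guide, placeholder secrets."""
from __future__ import annotations

import configparser
import io

CONNECTOR_CFG = """\
[logintc]
api_key=PLACEHOLDER-API-KEY
domain_id=PLACEHOLDER-DOMAIN-ID
[ldap]
host=sup-pcidc-01.pci.superna.net
bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
bind_password=PLACEHOLDER-BIND-PASSWORD
[client]
name=OpenVpn
ip=172.16.84.20
secret=example-shared-secret
authentication=ldap,logintc
"""

PLUGIN_CNF = """\
NAS-Identifier=OpenVpn
NAS-IP-Address=172.16.84.20
OpenVPNConfig=/etc/openvpn/server.conf
server
{
    acctport=1813
    authport=1812
    name=172.16.84.17   # the LoginTC Radius Connector
    sharedsecret=example-shared-secret
}
"""

OPENVPN_CONF = """\
local 172.16.84.20
port 1194
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
username-as-common-name
server 10.0.10.0 255.255.255.0
"""


def parse_connector_cfg(text: str) -> configparser.ConfigParser:
    # client.cfg is plain INI; '#' lines are comments, values may contain '='.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_file(io.StringIO(text))
    return cfg


def parse_radiusplugin_cnf(text: str) -> dict:
    # key=value lines at top level plus one or more 'server { ... }' blocks.
    top: dict = {"servers": []}
    block: dict | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or line == "{":
            continue
        if line.rstrip("{").strip() == "server":
            block = {}
        elif line == "}":
            top["servers"].append(block)
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else top)[key.strip()] = value.strip()
    return top


def parse_openvpn_conf(text: str) -> dict[str, list[str]]:
    # One directive per line; the first token names it, the rest are arguments.
    opts: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(" ".join(args))
    return opts


def check_chain(connector_text: str, plugin_text: str, openvpn_text: str) -> list[str]:
    """Return human-readable mismatches; an empty list means the three files agree."""
    client = parse_connector_cfg(connector_text)["client"]
    plug = parse_radiusplugin_cnf(plugin_text)
    ovpn = parse_openvpn_conf(openvpn_text)
    if not plug["servers"]:
        return ["radiusplugin.cnf defines no server block"]
    primary = plug["servers"][0]                   # first block has highest priority
    problems: list[str] = []
    if primary.get("sharedsecret") != client.get("secret"):
        problems.append("shared secret: radiusplugin.cnf sharedsecret != client.cfg [client] secret")
    if (primary.get("authport"), primary.get("acctport")) != ("1812", "1813"):
        problems.append("RADIUS ports: expected authport=1812 and acctport=1813")
    if plug.get("NAS-IP-Address") != client.get("ip"):
        problems.append("NAS-IP-Address != client.cfg [client] ip")
    if ovpn.get("local", [""])[0] != plug.get("NAS-IP-Address"):
        problems.append("OpenVPN 'local' address != NAS-IP-Address")
    if plug.get("NAS-Identifier") != client.get("name"):
        problems.append("NAS-Identifier != client.cfg [client] name")
    if client.get("authentication") != "ldap,logintc":
        problems.append("authentication order must be ldap (first factor), logintc (second factor)")
    if not any("radiusplugin.so" in p for p in ovpn.get("plugin", [])):
        problems.append("server.conf does not load radiusplugin.so")
    return problems
```

Run check_chain on the real files before bringing the VPN into service; a non-empty list names the file pair that disagrees, which is far quicker than reading the connector and OpenVPN logs for a rejected Access-Request.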
Data Protection–Backup/Restore/Replication
Configuration And Patch Management
This section will capture how to automate tasks related to building a repeatable infrastructure as simply
as possible to remove manual steps.
Auto Deploy Installation VMWare vSphere 5.1
User name: administrator
Password: GoSuperna!
Install Solar Winds TFTP Server (172.16.70.156)
Go to vSphere Client -> Auto Deploy -> Download TFTP Boot Zip
Save TFTP Boot Zip and extract it to TFTP Server folder (\\DMANNING-02\TFTP-Root)
Turn off Windows firewall
Start TFTP Server
Add Scope Options in DHCP Server (172.16.70.30)
066: 172.16.70.156
067: undionly.kpxe.vmw-hardwired
Run PowerShell as administrator to change the execution policy
vSphere PowerCLI should be installed.
Run PowerCLI on 172.16.70.156
Run the command to connect to vCenter Server: Connect-VIServer -Server 172.16.70.25
Download ESXi 5.1 Offline Bundle .zip file
https://my.vmware.com/web/vmware/details?downloadGroup=VCL-VSP510-ESXI-510EN&productId=285
Temp Storage Container (\\172.16.70.29)Z:\VCE\vmware\VMware-ESXi-5.1.0-799733-depot.zip
NEXT STEPS:
1. Add path to ESXi 5.1 in PowerCLI:
Add-EsxSoftwareDepot "C:\vsphere5.1\ESXi\VMware-ESXi-5.1.0-799733-depot.zip"
2. Get-EsxImageProfile
3. use the “Standard” image profile
4. New-DeployRule -Name "FirstBoot" -Item "ESXiStatelessImage" -AllHosts
5. Add-DeployRule -DeployRule "FirstBoot"
Or
6. New-DeployRule -Name "FirstTimeBoot" -Item "ESXi-5.0.0-469512-standard" -Pattern "model=VMware Virtual Platform"
7. Add-DeployRule -DeployRule FirstTimeBoot
8. And so on…
Compliance—HIPAA
§ 164.306 Security standards: General rules
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information
that the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such
information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not
permitted or required under subpart E of this section.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to reasonably and
appropriately implement the standards and implementation specifications as specified in this subpart.
(2) When deciding which security measures to use, a covered entity must take into account the
following factors:
(i) The size, complexity, and capabilities of the covered entity
(ii) The covered entity’s technical infrastructure, hardware, and software security capabilities
(iii) The costs of security measures
(iv) The probability and criticality of potential risks to electronic protected health information
(c) Standards. A covered entity must comply with the standards as provided in this section and in §
164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health
information.
(d) Implementation specifications
In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is
required, the word ‘‘Required’’ appears in parentheses after the title of the implementation
specification. If an implementation specification is addressable, the word ‘‘Addressable’’ appears in
parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes
required implementation specifications, a covered entity must implement the implementation
specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes
addressable implementation specifications, a covered entity must:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard for its
environment when analyzed with reference to the likely contribution to protecting the entity’s
electronic protected health information
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the implementation
specification
(2) Implement an equivalent alternative measure if reasonable and appropriate
(e) Maintenance. Security measures implemented to comply with standards and implementation
specifications adopted under § 164.105 and this subpart must be reviewed and modified as needed to
continue provision of reasonable and appropriate protection of electronic protected health information
as described at § 164.316.
§ 164.308 Administrative Safeguards
Security Management Process (§ 164.308(a)(1))
HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security
violations.
Key Activities: Conduct Risk Assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of EPHI held by the covered entity.
Technical Implementations:
1. vCNS vShield Data Security
vShield Data Security provides visibility into sensitive data stored within our organization's virtualized
and cloud environments. Based on the violations reported by vShield Data Security, we can ensure that
sensitive data is adequately protected and compliant with regulations around the world.
Fig.62 vShield Data Security discovers that files contain ePHI
2. BMC Server Automation—Compliance Module
In BSA a component is a collection of configuration settings that encapsulates a business or
infrastructure service, application, or security policy.
Components can simplify many data center management tasks because a component provides a higher
level of abstraction than do the servers and server objects that make up the component.
A component template defines a component: it establishes the rules and provides the necessary
information for the component, and is then associated with a server. You can include
Compliance Rules in the component template, e.g. the HIPAA security policy. With this compliance template
you can run the compliance audit to assess the security risk of the component, for example to
assess whether it fails to comply with the HIPAA security policy.
The following figure gives an example of how BSA detects noncompliance.
Fig.63 Noncompliance detected
Key Activities: Develop And Deploy The Information System Activity Review Process
(Implementation Specification (Required))
Description: Implement procedures to regularly review records of information system activity, such as
audit logs, access reports, and security incident tracking reports.
Technical Implementations:
a. The BMC CMDB connector tracks in-scope devices and VMs, extracts VMware vCenter and VCE
Vision software logs for the in-scope devices, and stores them in a database at a regular interval.
b. ESXi— Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining information about
breaches of host security.
Remote logging to a central log host provides a secure, centralized store for ESXi logs. To facilitate this
you can use vSphere Syslog Collector tool.
By gathering host log files onto a central host you can more easily monitor all hosts with a single tool.
For security purposes, you can run aggregate analysis and searches across the collected logs to look for
such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps
prevent log tampering and provides a long-term audit record.
Technical Implementations:
1. Install monitoring software for in scope IT devices that process or handle compliance data
applications using a monitoring tool that can show the alarms, events from in scope or flagged
devices.
2. CA Nimsoft plus SupernaNET.Converge probe can selectively track VMs, compute, store and
network data within a portal to filter alarms and events only to the devices selected for HIPAA
compliance in scope, within the UMP Dashboard portal.
Key Activities: Develop Appropriate Standard Operating Procedures
Description: Determine the types of audit trail data and monitoring procedures that will be needed to
derive exception reports.
Technical Implementations:
1. Security logs from VCE Vision software and VMware vCenter; a CMDB attribute tracks the last log sync.
2. Implement a Syslog Server to centralize the logs from the vCNS vShield App. For example, it records
when disallowed traffic is blocked by a vShield App Firewall Rule. Refer to the following Figure:
“1006-DROP” refers to vShield App Firewall Rule ID 1006 blocking the traffic.
Fig.64 Syslog captured firewall-blocked traffic
With the vShield App Flow monitoring, you can get details and statistics about blocked traffic.
Fig.65 vShield App Flow monitoring—Blocked Flows status
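The activity review this standard asks for turns a syslog feed like the one in the figures above into questions an analyst can answer: which rule is dropping the most traffic, how many distinct sources hit it, and which sources keep hitting blocked rules. The following added example (it is not part of this guide and not vShield App or vSphere Syslog Collector tooling) does that summary over sample lines. Only the "<rule id>-DROP" token follows the convention shown in the figure; the remaining line layout (the src=, dst=, proto= and dport= fields) is constructed for the example and is not vShield App's documented format.

```python
"""Summarise firewall verdicts from a centralized syslog feed (added example;
not vShield App tooling).  Only the '<rule-id>-DROP' token follows the
convention shown in the guide; the rest of the line layout is constructed."""
import re
from collections import Counter, defaultdict

VERDICT_RE = re.compile(r"\b(?P<rule>\d+)-(?P<verdict>DROP|PASS)\b")
FIELD_RE = re.compile(r"\b(src|dst|proto|dport)=(\S+)")

# Constructed sample lines (layout assumed, not the product's exact format).
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 vshield-app-01 vshield-fw: 1006-DROP src=10.0.10.5 dst=172.16.84.12 proto=tcp dport=445
Mar  3 09:12:02 vshield-app-01 vshield-fw: 1006-DROP src=10.0.10.5 dst=172.16.84.12 proto=tcp dport=139
Mar  3 09:12:05 vshield-app-01 vshield-fw: 1003-PASS src=10.0.10.7 dst=172.16.84.12 proto=tcp dport=443
Mar  3 09:12:09 vshield-app-01 vshield-fw: 1006-DROP src=10.0.10.9 dst=172.16.84.12 proto=tcp dport=445
Mar  3 09:12:11 vshield-app-01 vshield-fw: 1011-DROP src=10.0.10.5 dst=172.16.84.17 proto=udp dport=1812
Mar  3 09:12:15 vshield-app-01 vshield-fw: heartbeat ok
"""


def parse_line(line: str):
    """Return {'rule', 'verdict', 'src', 'dst', ...} or None for non-firewall lines."""
    m = VERDICT_RE.search(line)
    if m is None:
        return None
    event = {"rule": int(m.group("rule")), "verdict": m.group("verdict")}
    event.update(FIELD_RE.findall(line))      # list of (key, value) pairs
    return event


def summarise(text: str) -> dict:
    """Count blocked flows per rule and per source, and distinct sources per rule."""
    drops_per_rule = Counter()
    sources_per_rule = defaultdict(set)
    drops_per_src = Counter()
    events = 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events += 1
        if ev["verdict"] != "DROP":
            continue
        drops_per_rule[ev["rule"]] += 1
        sources_per_rule[ev["rule"]].add(ev.get("src", "?"))
        drops_per_src[ev.get("src", "?")] += 1
    return {
        "events": events,
        "drops_per_rule": dict(drops_per_rule),
        "distinct_sources_per_rule": {r: len(s) for r, s in sources_per_rule.items()},
        "drops_per_src": dict(drops_per_src),
    }


def noisy_sources(text: str, threshold: int = 2) -> list:
    """Sources with at least `threshold` blocked flows, sorted, for analyst review."""
    return sorted(src for src, n in summarise(text)["drops_per_src"].items() if n >= threshold)


if __name__ == "__main__":
    print(summarise(SAMPLE_SYSLOG))
    print("review:", noisy_sources(SAMPLE_SYSLOG))
```

In the sample, rule 1006 accounts for three of the four drops from two distinct sources, and 10.0.10.5 is the only source blocked more than once, so it is the record an exception report would surface; feeding real lines in only requires adjusting FIELD_RE to the fields the collector actually writes.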
Information Access Management (§ 164.308(a)(4))
HIPAA Standard: Implement policies and procedures to authorize access to electronic protected health
information that are consistent with the applicable requirements of subpart E of the Privacy Rule.
Key Activities: Implement Policies And Procedures To Authorize Access
Technical Implementation:
1. vCNS vShield Edge provides the stateful inspection firewall that is applied at the perimeter of the
virtual data center. With vShield Edge you can configure an isolated internal network for the
application that needs to be protected and use the vShield Edge Firewall service to control access to it.
2. vCNS vShield App Firewall provides access control to the data and services within the vSphere virtual
data center. Firewall rules can be set to protect EPHI resources from unauthorized access. vShield App
provides a firewall service applied at the virtual network interface card (vNIC) level, directly in front of
specific workloads (VMs).
3. ESXi Host Internal Firewall. This is a firewall between the ESXi host’s management interface and the
network; it gives access control over the host’s own services. Configure this ESXi host firewall to
restrict access to services running on the host.
Security Awareness And Training (§ 164.308(a)(5))
HIPAA Standard: Implement a security awareness and training program for all members of its workforce
(including management).
Implementation Specification: Protection From Malicious Software
Technical Implementation:
1. vCNS vShield Endpoint together with Partner’s Secure Virtual Appliance (Anti Virus).
vShield Endpoint offloads antivirus and antimalware agent processing to a dedicated secure virtual
appliance delivered by VMware partners.
vShield Endpoint plugs directly into vSphere and consists of three components:
• Hardened secure virtual appliances, delivered by VMware partners
• Thin agent for virtual machines to offload security events (included in VMware Tools)
• VMware Endpoint ESX® hypervisor module to enable communication between the first two
components at the hypervisor layer
Fig.66 vShield Endpoint status and events log
Because the secure virtual appliance—unlike a guest virtual machine—doesn’t go offline, it can
continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the
host. Also, new virtual machines (or existing virtual machines that went offline) are immediately
protected with the most current antivirus signatures when they come online.
§ 164.310 Physical Safeguards
Device And Media Controls (§ 164.310(d)(1))
HIPAA Standard: Implement policies and procedures governing the receipt and removal of hardware and
electronic media that contain electronic protected health information into and out of a facility, and the
movement of these items within the facility.
Key Activities: Implement Methods For Final Disposal of EPHI
Implement policies and procedures to address the final disposition of EPHI and/or the hardware or
electronic media on which it is stored.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with vShield Data
Security. IT change management can update its data disposal processes to include a review of the
discovery reports, so that systems known to store EPHI are properly handled.
Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media
Implement procedures for the removal of EPHI from electronic media before the media are made
available for reuse.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with vShield Data
Security. IT change management can update its processes for handling the reuse of electronic media
to include a review of the discovery reports, so that systems known to store EPHI are properly
handled.
§ 164.312 Technical Safeguards
Access Control (§ 164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic information systems that
maintain electronic protected health information to allow access only to those persons or software
programs that have been granted access rights as specified in § 164.308(a)(4)
Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery scans of EPHI data in the data center with vShield Data Security to determine
where access controls must be in place.
2. LoginTC Two-Factor Authentication protects the access control for all users.
Access control can be enforced either locally or remotely. LoginTC provides an entry point of access
control to systems and business applications that contain EPHI data.
● Users must be provisioned and authorized to obtain a LoginTC credential by their LoginTC
administrator.
● Procedures must be in place in the organization’s identity proofing process in order for a
LoginTC administrator to provision a LoginTC credential.
● Applications/systems containing EPHI data can be enabled with a custom LoginTC connector to
offer two-factor authentication.
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
1. LoginTC can protect any system that requires authentication, including VPNs, web portals, and cloud
applications; with the LoginTC REST API, it can enable two-factor authentication on virtually any
system or application that hosts EPHI data.
LoginTC leverages user repositories installed in the client’s infrastructure (MS Active Directory, LDAP or
SQL-based systems), synchronizing and updating users from their authoritative source(s).
Fig.67 LoginTC conceptual overview
Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier
Technical Implementations:
1. LoginTC assigns both a unique USERNAME and a unique numeric USERID. The LoginTC administrator
determines the user’s USERNAME, and optionally the user’s EMAIL—typically the same username and
email stored in the LDAP or MS AD repositories.
The unique numeric USER ID is randomly generated by the LoginTC system: a 160-bit value (40 hex
characters) that uniquely identifies a LoginTC user.
LoginTC transaction logs capture every access to LoginTC-protected systems and can trace specific users
identified by their USERNAME and/or USER ID.
Key Activities: Implement Access Control Procedures Using Selected Hardware and Software
Description:
- Implement the policy and procedures using existing or additional hardware/software solution(s).
Technical Implementations:
1. Two-factor authentication, e.g. OpenVPN integrated with Active Directory and LoginTC Cloud. The user
needs to provide a password (from Active Directory) and a PIN (from the LoginTC token).
LoginTC Admin is a web-based control panel for LoginTC administrators that provides:
• Credential lifecycle management
• Domain (system/application) lifecycle management
• Provisioning, reports, auditing
• REST API services
• Delivery: On-premise VM or cloud service
Designated LoginTC administrators are provided with a 2-day LoginTC Admin training course that
addresses LoginTC access control management, planning, configuration, integration, and
troubleshooting.
LoginTC provides extensive online documentation and know-how guidelines for planning, integration,
configuration, and deployment of all LoginTC required components.
Fig.68 LoginTC admin panel: domain management
2. ESXi—Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring that the host be managed
remotely from vCenter Server. Lockdown limits ESXi host access to the vCenter server. This is done to
ensure that the roles and access controls implemented in vCenter are always enforced and users cannot
bypass them by logging into a host directly. By forcing all interaction to occur through vCenter Server, the
risk of someone inadvertently gaining elevated privileges or performing tasks that are not properly
audited is greatly reduced. Note: Lockdown mode does not apply to users who log in using authorized
keys. When using an authorized key file for root user authentication, root users are not prevented from
accessing a host with SSH even when the host is in lockdown mode. Note that users listed in the
DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI. By default
the "root" user is the only user listed in the DCUI.Access list.
3. ESXi—Set DCUI (Direct Console UI) Access
Set this DCUI access to allow only trusted users to override lockdown mode.
Lockdown mode disables direct host access, requiring admins to manage hosts from vCenter. However, if a
host becomes isolated from vCenter, the admin is locked out and unable to manage the host. To
avoid being locked out of an ESXi host that is running in lockdown mode, set DCUI.Access
to a list of highly trusted users allowed to override lockdown mode and access the DCUI.
4. ESXi—Disable MOB (Managed Object Browser)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to
manage the host; it enables configurations to be changed as well. This interface is meant to be used
primarily for debugging the vSphere SDK, but because there are no access controls it can also be used as a
method to obtain information about a host targeted for unauthorized access.
You cannot disable MOB while the host is in lockdown mode, so disable MOB before placing the
host in lockdown mode.
Key Activities: Review And Update User Access
Technical Implementations:
1. LoginTC
Users can access LoginTC protected systems with their smartphones and tablets as the second factor for
access control.
Users’ mobile platforms must be connected to the Internet. LoginTC works over 3G/4G and Wi-Fi
networks, and LoginTC notifications are supported locally, nationally, and worldwide.
LoginTC provisioning and registration is the first step for authorized users to access EPHI systems and
applications:
• Self-registration
• Bulk upload
• LoginTC REST API (used programmatically)
• Synchronization with user stores: LDAP, MS AD, SQL, etc.
The LoginTC mobile app can host multiple credentials to access multiple systems, hence allowing users
to seamlessly gain access to multiple applications when required.
Fig.69 Provisioning LoginTC credential for a new user
Fig.70 LoginTC end user experience
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
1. LoginTC:
LoginTC credentials can be revoked in two ways:
• The LoginTC administrator accesses the LoginTC Admin panel and manually revokes the user’s
credential.
• If the user record is updated in the master user repository (e.g. MS AD/LDAP) and the LoginTC
synchronization module is in place, the user’s LoginTC credential is updated accordingly in LoginTC
Admin.
Audit Controls (§ 164.312(b))—Future In Scope—Security Partner
HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and
examine activity in information systems that contain or use electronic protected health information.
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
1. LoginTC
The LoginTC Admin control panel provides LoginTC administrators with a powerful reporting and
auditing tool.
LoginTC administrators can select data captured by:
• All Domains
• Specific Domain
• Start Date to End Date
They can also download log data in TXT or CSV format for further analysis or correlation.
All LoginTC access is monitored for successful, rejected/suspected fraud, or failed attempts.
One of the most powerful LoginTC features is visible in the LoginTC logs: notifications that the end
user ignored or rejected as suspect. This feature prevents phishing or man-in-the-middle
attacks and can be acted upon by the LoginTC administrator, auditors, and security personnel (See
previous Figure X LoginTC end user experience).
These LoginTC controls are extremely useful for recording and examining access information activity,
especially when determining if a security violation has occurred.
Fig.71 LoginTC admin panel: log management
Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews
Technical Implementations:
1. vCNS vShield Data Security:
You can use this as an audit tool as it provides visibility into sensitive data stored within your
organization's virtualized and cloud environments. Based on the violations reported by vShield Data
Security, you can ensure that sensitive data is adequately protected and compliant with regulations
around the world.
For example: you can assign policies at the Security Group basis so that the application VMs in that
Security Group will be scanned for HIPAA data and, if found, will be reported.
2. BMC Server Automation Compliance Audit
Based on a compliance policy, you can run a compliance audit for components. The report shows
which sections of the policy the component does not comply with. The following figure gives an example.
Fig.72 BSA compliance audit result—red color to indicate noncompliant
The report also shows the number of Passed/Failed (compliant/noncompliant)
Fig.73 Compliance report shows number of Passed/Failed (compliant/noncompliant)
Integrity (§ 164.312(c)(1))
HIPAA Standard: Implement policies and procedures to protect electronic protected health information
from improper alteration or destruction.
Key Activities: Mechanism To Authenticate Electronically Protected Health information
Implement electronic mechanisms to corroborate that electronically protected health information has
not been altered or destroyed in an unauthorized manner.
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery scans of EPHI data in the data center with vShield Data Security to determine
whether data has been modified since the previous discovery scan by checking the Scan History and Detail Reports.
Fig.74 vShield data security—scan history
Fig.75 vShield data security—report
Person Or Entity Authentication (§ 164.312(d))
HIPAA Standard: Implement procedures to verify the identity of a person or entity seeking access to
electronically protected health information.
Key Activities: Determine Authentication Applicability To Current Systems/Applications
Technical Implementation:
1. Two-factor authentication for login
LoginTC implements two-factor authentication for granting access to systems that contain EPHI records:
• LoginTC users must know the USERNAME, and optionally a PASSWORD, to pass the first factor
test.
• LoginTC users must have a smartphone or tablet with a provisioned LoginTC credential, which is
something that the user possesses, as a second factor.
• When notified, the user must unlock the LoginTC credential on the mobile device with a PIN or
passphrase, which is known only to the user.
Using LoginTC two-factor authentication can satisfy the HIPAA Security Rule requirement to create and
maintain security controls that verify user identity when users are connecting to applications and
databases with health data records, either remotely or via a web application.
Fig.76 LoginTC two-factor authentication session
2. vSwitch security, to prevent impersonation at the network level:
a. vSwitch security: reject “promiscuous mode”
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous
mode, it can listen to all the packets. By default, guest adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port group level in
ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID92F3AB1F-B4C5-4F25-A010-8820D7250350.html
b. Reject “MAC Address Changes”
If the virtual machine operating system changes the MAC address, it can send frames with an
impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in
a network by impersonating a network adaptor authorized by the receiving network.
Reject “MAC Address Changes” setting will prevent VMs from changing their effective MAC addresses. It
will affect applications that require this functionality. An example is Microsoft Clustering, which requires
systems to effectively share a MAC address. This will also affect how a layer-2 bridge will operate. This
will also affect applications that require a specific MAC address for licensing. An exception should be
made for the port groups that these applications are connected to.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html
c. Reject “forged transmits”
By default this “forged transmits” setting is set to “Accept”. This means that the virtual switch does not
compare the source and effective MAC addresses. To protect against MAC address impersonation, all
virtual switches should have forged transmits set to “Reject”.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID7DC6486F-5400-44DF-8A62-6273798A2F80.html
Fig.77 vSwitch security
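As an added example (not code from the guide or from VMware), an audit of the three vSwitch settings covered in a, b and c: it parses output in the shape of `esxcli network vswitch standard policy security get`, flags any setting still at Accept unless a documented exception such as the Microsoft Clustering case covers it, and builds the matching `set` command for each noncompliant switch. The sample output is constructed, and the esxcli option names are assumed to match the vSphere 5.x command-line syntax; verify both on your host.

```python
import re

# Constructed sample output, shaped like
# `esxcli network vswitch standard policy security get -v <name>` (format assumed).
SAMPLE_POLICIES = {
    "vSwitch0": """\
   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false
""",
    "vSwitch1": """\
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
""",
    "vSwitch-MSCS": """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: false
""",
}

# esxcli option that sets each policy (assumed vSphere 5.x syntax; verify on your host).
SETTINGS = {
    "Allow Promiscuous": "--allow-promiscuous",
    "Allow MAC Address Change": "--allow-mac-change",
    "Allow Forged Transmits": "--allow-forged-transmits",
}

# Documented exception: the switch carrying Microsoft Clustering nodes needs
# shared MAC addresses, so MAC changes are accepted there and nowhere else.
EXCEPTIONS = {"vSwitch-MSCS": {"Allow MAC Address Change"}}

def parse_policy(text):
    """Map each 'Allow ...' line to True (Accept) or False (Reject)."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Allow [A-Za-z ]+?):\s*(true|false)\s*$", line)
        if m:
            policy[m.group(1)] = m.group(2) == "true"
    return policy

def audit(policies, exceptions=EXCEPTIONS):
    """Return (switch, setting, reason) for every setting not at Reject without an approved exception."""
    findings = []
    for name, text in policies.items():
        policy = parse_policy(text)
        for setting in SETTINGS:
            if setting not in policy:
                findings.append((name, setting, "missing"))
            elif policy[setting] and setting not in exceptions.get(name, set()):
                findings.append((name, setting, "accept"))
    return findings

def remediation(findings):
    """One esxcli 'set' command per noncompliant switch, forcing Reject."""
    by_switch = {}
    for name, setting, _ in findings:
        by_switch.setdefault(name, []).append(f"{SETTINGS[setting]}=false")
    return [f"esxcli network vswitch standard policy security set -v {n} " + " ".join(sorted(opts))
            for n, opts in sorted(by_switch.items())]
```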
Key Activities: Evaluate Authentication Options Available
Technical Implementation:
1. LoginTC
LoginTC two-factor authentication can protect systems that contain EPHI records, and can protect the
desktops and mobile platforms used to access those EPHI systems.
LoginTC can be enabled in:
• VPNs
• Web access managers
• Web portals
• SAML federation systems
• O/S authentication: Windows/Unix
• Mobile browsers
• Mobile applications
• Virtually any platform or system that requires authentication
References
http://www.hipaasurvivalguide.com/hipaa-regulations/164-306.php