360 Virtualization Security
Contents
Installation Guide (VMware NSX) ..... 2
1. Preparations of Installation ..... 2
2. Create and Add Distributed Network ..... 3
3. Install NSX Manager ..... 5
4. Register vCenter Server to NSX Manager ..... 20
5. Add and Distribute License ..... 23
6. Configure the Agent Virtual Machine ..... 27
7. Install Guest Introspection ..... 28
8. Install and Configure Management Center ..... 33
8.1 Management Center Installation ..... 33
8.2 Configure Management Center ..... 48
9. Deploy Security VM ..... 57
10. Configure Security Groups and Security Policy ..... 65
10.1 Configure Security Group ..... 65
10.2 Configure Security Policy ..... 68
10.3 Apply Security Policy ..... 71
11. Install VMware Tools in Protected Windows VM ..... 73
12. Install Guest Introspection in Protected Linux VM ..... 76
13. Uninstall the Security Modules of Host ..... 79
14. Troubleshooting ..... 83
Appendix ..... 88
1. Install ESXi Host and vCenter ..... 88
2. Add ESXi Host to vCenter ..... 101
3. Supported Windows Operating Systems ..... 103
4. Supported Linux Operating Systems ..... 103
Installation Guide (VMware NSX)
1. Preparations of Installation
1) Related software of VMware
ESXi host
vCenter
NSX Manager
2) NSX security modules
Guest Introspection
3) IP addresses of Guest Introspection and the NSVM security VM
4) Version introduction of NSX Manager and ESXi
2. Create and Add Distributed network
Prerequisite: the host has at least 2 network cards, which is required to configure a distributed network.
1) Log in to vCenter via the vSphere Client.
2) Click “Inventory - Inventory - Networking” to open the network configuration.
3) Select the data center and click “Add a vSphere Distributed Switch” on the right side.
4) In the “Create vSphere Distributed Switch” dialog box select the corresponding version. On the “General Properties” tab set “Number of Uplink ports” to 1, because only one network card needs to be added to the distributed switch, then click “Next”.
5) On the “Add Hosts and Physical Adapters” tab select “Add now”, select the host and the physical adapter, then click “Next” until the wizard finishes.
6) Back on the Hosts and Clusters page, click the host, then click “Configuration - Network Adapters” to verify that the second external network card has been added to the distributed switch.
3. Install NSX Manager
It is recommended to deploy NSX Manager from the OVF template, which is quicker and more convenient. The 6.3 NSX Manager template is used as an example:
VMware-NSX-Manager-6.3.1-5124716.ov
1) Select the host on which NSX Manager is to be installed, then click the menu “File - Deploy OVF Template” to open the “Deploy OVF Template” dialog box as follows:
2) Click the “Browse” button in the dialog box, select the NSX Manager template, then click “Next”.
3) Click “Next” on the “OVF Template Details” page.
6) On the “Resource Pool” page select the resource pool in which to deploy this template, then click “Next”.
7) On the “Storage” page select a destination storage for the virtual machine files, then click “Next”.
10) On the “Properties” page configure the password for the WebUI and CLI of NSX Manager, the network parameters and the NTP server address, choose whether to enable SSH, then click “Next”.
11) On the “Ready to Complete” page select “Turn on the power after deployment” and click “Finish”.
13) After deployment, run the command “show interface” in the NSX Manager CLI to verify that the IP address just deployed has been applied as expected.
Make sure that NSX Manager can ping its default gateway, the NTP server, vCenter Server and the ESXi host IP.
14) Open the NSX Manager WebUI and log in with the admin user and password.
15) Click “View Summary” on the page that opens.
16) On the Summary page make sure that vPostgres, RabbitMQ and NSX Management Service are running.
4. Register vCenter Server To NSX Manager
1) Open the NSX Manager WebUI and log in with the admin user and password.
2) On the home page click “Manage vCenter Registration”.
3) Click the “Edit” button on the right side of the vCenter Server page.
4) In the dialog box input the address, user name and password of vCenter Server. For the user name, the best choice is the [email protected] user rather than the root user.
5) Select “Yes” on the “Trust Certificate” page.
6) If the vCenter Server status is Connected, the registration was successful.
7) Log in to vCenter Server using the vSphere Web Client.
8) A “Network & Security” icon now appears on the home page of the vSphere Web Client.
5. Add and Distribute License
PS: if the network feature is not needed, skip this step.
1) From the home page go to the “Administration” page.
3) Click the “+” button on the page to add the network-related licenses.
4) In the “New Licenses” dialog box input the license key and configure the license name, then click “Finish”.
5) On the “Assets” - “Solutions” tab select NSX for vSphere and click the “Distribute License” button.
6) Select the license just added in the dialog box and click “OK”.
6. Configure the Agent Virtual Machine
1) Log in to vCenter Server using the vSphere Web Client.
2) Select the ESXi host on the page, go to “Manage” - “Agent VM Settings”, then click the “Edit” button on the right side.
3) On the “Agent VM Settings” page select the correct datastore and VM network, then click “OK”.
7. Install Guest Introspection
1) Go to the “Service Deployments” page in the Networking & Security module and click the “+” button.
2) The “Deploy Network & Security Services” wizard opens. On the “Select services & schedule” page select “Guest Introspection”, then click “Next”.
3) On the “Select clusters” page select the datacenter and the cluster of ESXi hosts, then click “Next”.
4) On the “Select storage and Management Network” page configure the correct datastore and network; IP assignment is DHCP by default.
Users can also assign IPs from an IP pool: click the “Change” button, select “Use IP pool” in the “Select IP Assignment mode” dialog box and click “+” to add a static IP pool.
5) Click “Finish” on the “Ready to Complete” page.
6) After clicking “Finish”, the newly added Guest Introspection service appears on the Service Deployments page.
7) The ESXi host automatically creates a virtual machine named after Guest Introspection.
PS: when configuring the network of Guest Introspection, make sure the selected network is in the same network segment as NSX Manager.
8. Install and configure Management Center
8.1 Management Center Installation
The Management Center can be installed on a physical machine or a virtual machine.
The following introduces installation on a VMware virtual machine:
First upload the installation media ics-ctrl-7.0.0-2279.x86_64.iso to the physical server.
Open the vSphere Client interface and select a physical server.
Right-click the datastore object, for example: datastore164
Tick “Edit settings of virtual machine before finishing”.
Click the “Continue” button.
Here you can change the CPU and memory of the virtual machine:
Number of managed physical servers    Configuration suggestion
1 to 20                               4 CPU, 16 GB memory
20 to 50                              8 CPU, 32 GB memory
More than 50                          16 CPU, 64 GB memory
Right-click to open the virtual machine console.
The virtual machine boots from the ISO and the user has 60 s to decide whether to confirm the installation (if there is no operation within 60 s, the installation is confirmed automatically). After pressing “Enter”, the installation starts.
After the installation is complete, a Reboot notice appears; select Reboot to finish the installation.
8.2 Configure Management Center
1. Configure IP address
Because the Management Center is responsible for the security of all hosts and virtual machines, it must communicate with every physical machine that hosts virtual machines. Its IP address is therefore important and cannot be changed after configuration, so we suggest using a static IP address. The configuration method is as follows:
1) After installation and reboot, the Management Center enters the xconsole page.
Select “Configure System” and press “Enter”.
Select “Configure Network” and press “Enter”.
Select “Configure Interface” and press “Enter”.
Select “Static” to configure a static IP.
Input the correct IP address, mask and gateway, then press “Enter”.
2. Change password (recommended)
The administrator can change the password used to log on to the xconsole of the Management Center.
Select “Authentication” in the xconsole and press “Enter”.
Select “Change Password” and press “Enter”.
Input the old password and the new password, then confirm the new password in the dialog box.
After pressing “Enter”, the system notifies you that the password has been changed successfully.
3. Log in to the Management Center:
The Management Center is accessed at https://X.X.X.X:8443 (X.X.X.X is the Management Center IP configured in the first step). The default user name and password are admin/sysadmin. After the administrator logs in, go to the “Management” - “User Management” page to add or delete users.
Product activation process
After logging in to the Management Center with user name and password, click the “System - Settings - License” link on the page.
The page switches to “System” - “Settings” - “License”.
Click “Update license”, then click “Select file” in the dialog box.
Select the correct license file, then click “OK”.
After the license is updated, the status of the system security modules changes to “activated”.
9. Deploy Security VM
1) Add a VMware vSphere host
a) Go to the “Assets” - “Hosts” page in the Management Center and click “New” to open the “Add Pool” dialog box. Select the virtual machine platform with type VMware vCenter, then input the name, vCenter address, user name ([email protected]) and password. Select NSX as the security solution (only enable anti-malware), then input the address, user name and password of NSX, and finally click “OK”.
After the host is added successfully, the NSVM Security Service is registered in NSX automatically.
b) After adding successfully, the ESXi host is shown on the Hosts page with the state “uninstalled security modules”.
2) Deploy NSVM Security Service
a) Log in to vCenter Server using the vSphere Web Client.
b) Go to the Installation - Service Deployments page in the Networking & Security module, then click the “+” button.
c) In the “Deploy Network & Security Services” wizard select “NSVM Security Service”, then click “Next”.
e) On the “Select storage and Management Network” page set both datastore and network to “Specified on-host”, select the “Distributed port group” and click “Next” until the end.
f) Click “Finish”.
g) As the following picture shows, after clicking “Finish” the Service Deployments page shows the installation status of NSVM Security Service as “Scheduled for install” and the service status as “Unknown”.
h) After about 1 minute the installation status of NSVM Security Service becomes “Succeeded” and the service status becomes “Up”.
i) Several virtual machines named after NSVM Security Service appear in vCenter, one VM per host.
j) Edit the settings of each VM and change the third network card of the NSVM to vmservice-vshield-pg.
l) On the Management Center page the connection status of this host is “connected”.
PS: when the number of hosts is large, synchronization may be slow; just wait several minutes.
10. Configure security groups and security policy
10.1 Configure security group
1) Return to the home page, go to the “Service Composer” - “Security Groups” page and click the “Create new security group” button. Input the name of the security group in the “New Security Group” wizard, then click “Next”.
2) On the “Select objects to include” tab select the object type “Virtual Machine”, then select the virtual machine that needs to be protected in the object list below, click the button to add it, then click “Next”.
10.2 Configure security policy
1) Go to the “Service Composer” - “Security Policies” page, then click the “Create Security Policy” button.
2) In the “New Security Policy” wizard configure the name of the security policy, then click “Next”.
3) Click the “+” button on the Guest Introspection Services tab.
4) In the “Add Guest Introspection Service” dialog box configure the name and action, select “Applied” and “Enabled”, accept enforcement, then click “Next”.
10.3 Apply Security Policy
1) Right-click the security policy, then click “Apply Policy” in the menu that opens.
2) In the “Security Policy” - “Apply Policy to Security Groups” dialog box select the security group created before and click “OK”.
3) The number of objects the security policy is applied to is updated to 1.
11. Install VMware Tools in Protected Windows VM
1) Log in to the vSphere Web Client (URL is https://x.x.x.x).
2) Select the virtual machine to be protected on the page, go to the “Summary” tab, then click “Install VMware Tools” on the right side of the page.
3) Select “Mount” in the “Install VMware Tools” dialog box.
4) Enter the virtual machine and open the DVD drive.
5) Double-click setup.exe to start installing VMware Tools.
6) Click “Next” in the “VMware Tools Setup” dialog box.
7) Select “Custom”, then click “Next”.
8) Find “VMCI Driver” in the feature tree shown in the figure, select “NSX File Introspection Driver” for installation, then click “Next”.
Versions after vSphere 5.5 U2 look as follows:
Versions before vSphere 5.5 U2 should find “VMCI Driver” and select “vShield Drivers” to install on the local disk.
9) Click “Install” in the dialog box.
10) After the installation finishes you are prompted to reboot the system; select “Yes”.
11) Go to the “Asset Management” - “Virtual machine/terminal” page in the Management Center. As the following picture shows, the real-time prevention status of the newly installed virtual machine is “on”.
12. Install Guest Introspection in Protected Linux VM
Prerequisites:
Make sure the agent and the virtual machine run on ESX 5.1 or higher and that the VM runs Linux.
NSX Guest Introspection supports the following Linux operating systems:
RHEL 7 GA (64-bit)
SLES 12 GA (64-bit)
Ubuntu 14.04 LTS (64-bit)
PS: the Linux thin agent requires Glib 2.0 to be installed on the target system.
Steps:
Execute the following steps with root privileges, according to your Linux operating system.
For Ubuntu systems:
a. Use the following commands to download and import the VMware packaging public key:
curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
apt-key add VMWARE-PACKAGING-GPG-RSA-KEY.pub
b. Create a new file named vm.list under /etc/apt/sources.list.d
c. Edit the file and add the following content:
vi /etc/apt/sources.list.d/vm.list
deb https://packages.vmware.com/packages/ubuntu/ trusty main
d. Now install the package:
apt-get update
apt-get install vmware-nsx-gi-file
For RHEL 7 systems:
a. Use the following commands to download and import the VMware packaging public key:
curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
rpm --import VMWARE-PACKAGING-GPG-RSA-KEY.pub
b. Create a new file named vm.repo under /etc/yum.repos.d
c. Edit the file and add the following content:
vi /etc/yum.repos.d/vm.repo
[vm]
name = VMware
baseurl = https://packages.vmware.com/packages/rhel7/x86_64
enabled = 1
gpgcheck = 1
metadata_expire = 86400
ui_repoid_vars = basearch
d. Now install the package:
yum install vmware-nsx-gi-file
For SLES systems:
a. Use the following commands to download and import the VMware packaging public key:
curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
rpm --import VMWARE-PACKAGING-GPG-RSA-KEY.pub
b. Add the following repository:
zypper ar -f "https://packages.vmware.com/packages/sle12/x86_64/" VMware
c. Now install the package:
zypper install vmware-nsx-gi-file
Check that the thin agent is running with the command “service vsepd status” (run with administrator privileges); it should report running.
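The following is an added example, written here and not part of the 360 guide or the VMware packages: a POSIX shell helper that scripts the three thin-agent repository setups above and makes the “service vsepd status” check (used here and again in the Linux troubleshooting steps of chapter 14) scriptable. It assumes the distro is read from /etc/os-release and that the operator supplies the packaging-key fingerprint to pin; the EXPECTED_KEY_FPR value below is a constructed placeholder, not a real fingerprint.

```shell
#!/bin/sh
# Added example, not part of the 360 guide: scripts the thin-agent repository setup from
# the steps above and the "service vsepd status" check. The distro comes from
# /etc/os-release; EXPECTED_KEY_FPR is a constructed placeholder that the operator must
# replace with the fingerprint VMware publishes for the packaging key.
set -u

VMW_KEY_URL="https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub"
VMW_KEY_FILE="VMWARE-PACKAGING-GPG-RSA-KEY.pub"
EXPECTED_KEY_FPR="PLACEHOLDER-REPLACE-WITH-PUBLISHED-FINGERPRINT"

# Map the ID field of /etc/os-release to the three repository families the guide covers;
# anything else is unsupported by Guest Introspection and returns 1.
gi_family() {
    case "$1" in
        ubuntu)      echo ubuntu ;;
        rhel|centos) echo rhel7 ;;
        sles|sled)   echo sle12 ;;
        *)           echo unsupported; return 1 ;;
    esac
}

# Print the repository definition from the guide for a family. The first line names
# where it goes (a file path, or "zypper" for SLES); the remaining lines are the content.
gi_repo_config() {
    case "$1" in
        ubuntu)
            printf '%s\n' "/etc/apt/sources.list.d/vm.list" \
                "deb https://packages.vmware.com/packages/ubuntu/ trusty main" ;;
        rhel7)
            printf '%s\n' "/etc/yum.repos.d/vm.repo" "[vm]" "name = VMware" \
                "baseurl = https://packages.vmware.com/packages/rhel7/x86_64" \
                "enabled = 1" "gpgcheck = 1" "metadata_expire = 86400" \
                "ui_repoid_vars = basearch" ;;
        sle12)
            printf '%s\n' "zypper" \
                "https://packages.vmware.com/packages/sle12/x86_64/ VMware" ;;
        *) return 1 ;;
    esac
}

# Fingerprint of the first key in a downloaded .pub file, from gpg's machine-readable
# output, so the key can be pinned before it is handed to apt-key or rpm --import.
gi_key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Decide from "service vsepd status" output whether the thin agent is running.
# Negative phrasings are matched first so "not running" is not read as "running".
gi_agent_running() {
    case "$1" in
        *"not running"*|*stopped*|*inactive*|*dead*|*failed*) return 1 ;;
        *running*) return 0 ;;
        *) return 1 ;;
    esac
}

# End-to-end: pin the key, write the repo, install vmware-nsx-gi-file, verify vsepd.
gi_install() {
    fam=$(gi_family "$(. /etc/os-release && echo "$ID")") || { echo "unsupported distro" >&2; return 1; }
    curl -fsSLO "$VMW_KEY_URL"
    fpr=$(gi_key_fingerprint "$VMW_KEY_FILE")
    [ "$fpr" = "$EXPECTED_KEY_FPR" ] || { echo "key fingerprint mismatch: $fpr" >&2; return 1; }
    case "$fam" in
        ubuntu) apt-key add "$VMW_KEY_FILE"
                gi_repo_config ubuntu | sed 1d > /etc/apt/sources.list.d/vm.list
                apt-get update && apt-get install -y vmware-nsx-gi-file ;;
        rhel7)  rpm --import "$VMW_KEY_FILE"
                gi_repo_config rhel7 | sed 1d > /etc/yum.repos.d/vm.repo
                yum install -y vmware-nsx-gi-file ;;
        sle12)  rpm --import "$VMW_KEY_FILE"
                zypper ar -f "https://packages.vmware.com/packages/sle12/x86_64/" VMware
                zypper --non-interactive install vmware-nsx-gi-file ;;
    esac
    gi_agent_running "$(service vsepd status 2>&1)" || { echo "vsepd is not running" >&2; return 1; }
}

# Run the installation only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "install" ]; then gi_install; fi
```

Run it as root with the single argument install; without the argument it only defines the functions, so the status check can be reused from other scripts.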
Install VMware Tools
a. Log in to vCenter via the vSphere Web Client.
b. Find “Hosts and Clusters” on the home page.
c. Find the Linux VM that needs to be protected and click “Install VMware Tools” on the right side of the “Summary” page.
d. Click “Mount” in the “Install VMware Tools” dialog box to mount VMware Tools in this Linux VM.
e. Open the console of the Linux VM and install the prerequisites of VMware Tools with the commands “yum install net-tools” and “yum install perl”.
f. Mount the VMware Tools installation package on the /mnt directory:
mount /dev/cdrom /mnt
g. Copy the tar.gz from /mnt to /:
cp /mnt/VMwareTools-9.10.5-2981885.tar.gz /
h. Extract and install:
tar zxvf VMwareTools-9.10.5-2981885.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl
Reboot the VM after the installation finishes.
13. Uninstall the Security Modules of Host
1) Select the VMware vSphere host on the “Asset Management” page, click “Delete”, then click “OK” in the dialog box.
2) Log in to vCenter via the vSphere Web Client, go to the “Networking & Security” - “Service Composer” page, select the security group and right-click to delete it.
3) Go to “Security Policies” under “Service Composer”, select the security policy and right-click “Delete”.
4) On the “Installation” - “Service Deployments” page select “NSVM Security Service” and click “Delete”.
5) Right-click “NSVM Security Service” under “Service Definitions”, then click “Edit settings”.
6) Select the “NSVM Security Service” instance and right-click “Delete”.
8) In the “Remove service definition” dialog box select “Delete service manager”, then click “Yes”.
14. Troubleshooting
1. Failed to add VMware NSX host
1) Check whether configurations or instances related to the NSVM service still exist in vCenter and make sure they are deleted first; see chapter 13 “Uninstall the Security Modules of Host” in this document.
2) Go to the NSX Manager page and make sure the service status of vPostgres, RabbitMQ and NSX Management Service is correct.
2. The VM cannot kill viruses.
1) First log in to the vCenter vSphere Web Client, select the “cluster” on the “Hosts and Clusters” page, go to the “Monitor - Guest Introspection” page, and check whether the description and status of the host, NSVM Security Service and Guest Introspection are correct.
2) Then troubleshoot according to the VM operating system.
Windows VM
a) Go to the “Networking & Security” - “Service Composer” - “Security Groups” page in the vCenter vSphere Web Client, click the VM count value of the security group, then check in the dialog box whether the Windows VM is included in the security group.
b) Check whether the configuration applied to this Windows VM has “Real-time protection” turned on. Log in to the Management Center, go to the “Asset Management - VM/Terminal” page and check the “Real-time protection” status. If the status is not “Real-time protection on”, change the matching security configuration and turn on “Real-time protection”.
c) Then check whether VMware Tools and the “NSX File Introspection Driver” have been installed on this VM via custom installation.
d) On the VM command line run “sc query vsepflt” and check whether the service exists. Picture 1 below shows the normal case; picture 2 shows the service is unavailable.
Service is normal:
Service is unavailable, reinstall VMware Tools:
e) If the service is unavailable, reinstall VMware Tools and select the NSX File Introspection Driver under “VMCI Driver” in the custom installation. After the installation, reboot the VM and make sure VMware Tools has been installed.
Versions before vSphere 5.5 U2 should find “VMCI Driver” and select “vShield Drivers” to install on the local disk.
PS: if neither “NSX File Introspection Driver” nor the “vShield Drivers” option shown in the picture above appears in the “VMware Tools” dialog box, the installed version of VMware Tools is old and a newer version must be downloaded from https://packages.vmware.com/tools/esx
f) Check the security VM of the host. Log in to this security VM via the console or SSH and run the command “ifconfig -a”; the IP of eth1 is as follows:
g) Test the communication between the security VM and the protected VM. From the security VM you can ping the IP 169.254.1.1 of vmsevice-nvmsec-pg. The security process listens on TCP port 48651 of this machine. If the protected VM is enabled, it connects to local port 8000.
Linux VM
a) Make sure the operating system of the Linux VM is supported; refer to the list of supported Linux operating systems in the Appendix.
b) Go to the “Networking & Security” - “Service Composer” - “Security Groups” page in the vCenter vSphere Web Client, click the “VM” count value on the security groups page, then check in the dialog box whether the Linux VM is included in the security group.
c) Check whether the configuration applied to this Linux VM has “Real-time protection” turned on. Log in to the Management Center, go to the “Asset Management - VM/Terminal” page and check the “Real-time protection” status. If the status is not “Real-time protection on”, change the matching security configuration and turn on “Real-time protection”.
d) On the command line of the Linux VM, check the status of vsepd with the command “service vsepd status”; the normal state is running.
Appendix:
1. Install ESXi Host and vCenter
1) Installation preparation and introduction
Before installing the ESXi host and vCenter, prepare the following files:
ESXi installation file:
Taking ESXi 6.0 as an example, ESXi-6.0-Custom-e1000e_3.2.2.1.iso
vCenter installation file:
Taking vCenter 6.0 as an example, VMware-VCSA-all-6.0.0-3040890.iso
2) Install ESXi host
The ESXi host installation is the standard VMware procedure; deploy it by referring to the official VMware documentation:
http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-7C9A1E23-7FCD-4295-9CB1-C932F2423C63.html
3) Install vCenter
Introduction: the deployment of VMware vCenter Server Appliance (VCSA) 6.0 differs from previous versions. Versions before 5.5 could be deployed quickly by importing an OVA file, but from version 6.0 users must run the installer on Windows and finish the VCSA deployment through the installation wizard.
a. Download VMware-VCSA-all-6.0.0-3040890.iso from the official website.
b. Mount the virtual optical drive on the Windows machine.
c. Enter the vcsa directory to install the plugin.
e. After the plugin installation finishes, click vcsa-setup.html to open the VCSA virtual machine installation wizard.
f. Click “Install”.
h. On the “Connect to target server” page input the IP of the ESXi host, the user name and the password, then click “Next”.
i. Select “Yes” in the “Certificate Warning” dialog box.
j. On the “Set up virtual machine” page input the name and root password of the VCSA virtual machine, then click “Next”.
k. On the “Select deployment type” page keep the default and click “Next”.
l. On the “Set up Single Sign-on” page input the SSO password; keep the default domain name and site name, then click “Next”.
m. On the “Select appliance size” page use the default option, then click “Next”.
n. On the “Select datastore” page select the storage space for the virtual machine, then click “Next”.
p. On the “Network settings” page select the correct network card; the IP address family is IPv4 and the network type is static. Configure the IP, subnet mask, gateway and DNS, select synchronizing the appliance time with ESXi, then click “Next”.
q. Check whether the parameters are configured properly, then click “Finish”.
4) Install vSphere Client
Download and install it from http://www.prolved.com/vsphere-client-downloads/
2. Add ESXi Host to vCenter
1) Log in to the VMware vSphere Web Client as [email protected]
2) Create a Datacenter
3) Right-click the Datacenter just created, then select “New Cluster” from the menu.
4) Input the cluster name in the “New Cluster” dialog box, enable DRS and click “OK”.
5) Select the cluster just created, then click “Add a host” and follow the “Add Host” wizard step by step.
3. Supported Windows operating systems:
Windows XP SP3 and higher versions (32-bit)
Windows Vista (32-bit)
Windows 7 (32/64-bit)
Windows 8 (32/64-bit) - only vSphere 5.5
Windows 8.1 (32/64-bit) - vSphere 5.5 Patch 2 and higher versions
Windows 10
Windows 2003 SP2 and higher versions (32/64-bit)
Windows 2003 R2 (32/64-bit)
Windows 2008 (32/64-bit)
Windows 2008 R2 (64-bit)
Windows 2012 (64-bit) - only vSphere 5.5
Windows 2012 R2 (64-bit) - vSphere 5.5 Patch 2 and higher versions
4. Supported Linux operating systems:
RHEL 7 GA (64-bit)