How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control...
Transcript of How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control...
![Page 1: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/1.jpg)
How to Secure VMware ESXAlex Bakman
Ecora Software
www.ecora.com
Founder, Chairman, CTO
![Page 2: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/2.jpg)
Agenda
Why do we care about security?ESX security architectureESX role-based access controlSecurity deployment modelsTop 10 Security recommendationsChange and Configuration Reporting using Ecora AuditorAdditional Resources
![Page 3: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/3.jpg)
Why Do We Care About Security?
Data center environmentPass regulatory audits: SOX, PCI DSS, etcProtect our customers’ valuable dataKeep your company’s reputation cleanKeep your company in business
![Page 4: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/4.jpg)
![Page 5: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/5.jpg)
ESX Architecture
Virtual Machines are highly secured - hardware isolationvmkernel has no public interfaces to connect to Virtual machines can only communicate through the networkIsolation by performance. e.g. set cpu for a particular machine to consume < 10% CPU
![Page 6: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/6.jpg)
![Page 7: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/7.jpg)
Access to COS
MUI
Command line
VirtualCenter
PAM
VMAUTHD
![Page 8: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/8.jpg)
PAM
Any operation on ESX server requires user authenticationPAM allows processes to authenticate to account databasesAll forms of access: MUI, command line, etc, go through PAMVery flexible and customizable
![Page 9: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/9.jpg)
Default Role-Based Access in ESX Servers
Read onlyNo access to log into MUIMay only view vmkusage stats
Guest OS ownerAbility to log into MUIView only its own VMsControl power function on its own machinesAccess owned machines remotelyGiven r-x access writes to the VM configuration file
![Page 10: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/10.jpg)
Default Role-Based Access in ESX Servers
VMWARE AdminControl power of all guestsRemote console feature on all guestsCreate and delete virtual machinesModify vm hardware configurationChange access permissions of guestsLimited access to COS by using SUDOers file
RootCreate and remove users and groupsModify resource allocations for guestsModify all ESX settingsFull control over COSAssigned by default to root user when ESX is installedUsers must be in a “wheel” group to escalate to root using SU
![Page 11: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/11.jpg)
Single Customer Deployment
![Page 12: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/12.jpg)
Single Customer Deployment
![Page 13: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/13.jpg)
Restrictive Multi-Customer Deployment
![Page 14: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/14.jpg)
Restrictive Multi-customer Deployment
![Page 15: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/15.jpg)
Recommendation #1
Use Firewall and Antivirus software for COSJust like any other OSProvides basic protection
![Page 16: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/16.jpg)
Recommendation #2
Use VLANs to segment physical network so that only machines that need to see each other can
Huge help with compliance auditsRun COS on a a separate network
![Page 17: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/17.jpg)
Recommendation #3
When installing ESX use security=high
This is the default settingsAll traffic is encryptedUsername and password never sent in clear textNo FTP access
![Page 18: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/18.jpg)
Recommendation #4
Do not allow root level access over SSH and use secure commandsdon’t worry MUI and console access will still workForces users to have an audit trailHave users use SU command. Use wheel group to control SU usageSUDO is a great way to accomplish this
![Page 19: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/19.jpg)
Recommendation #5
Disable all unnecessary services in COSNo NFSUse PuTTY for secured shell accessUse WinSCP and scp to copy files
![Page 20: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/20.jpg)
Recommendation #6
Use VirtualCenter to help you manage granular security accessMust have if you have more than a handful of hostsReplaces the native ESX model role-based access model and stores users and acls in the databasePermissions can be assigned at any level of granularity within organizationAudit trails for complianceRoot account is not usedIf external authentication with AD is important, VC makes it a lot easier
![Page 21: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/21.jpg)
Recommendation #7
PatchingStay current with patches, especially security patchesTest patches in development environmentSubscribe to vmware email alerts
![Page 22: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/22.jpg)
Recommendation #8
Secure Guest OSesIt is just like securing a physical machineShut down unnecessary daemons and servicesClose unused portsHarden configurationsPatch frequently
![Page 23: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/23.jpg)
Recommendation #9
Control User Level access using VirtualCenterVMware’s native “flagship” model is too weak for role-based accessUse unique IDs supports Sarbanes Oxley “segregation of duties”model and enables traceabilityAudit logs for individual access are key
![Page 24: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/24.jpg)
Recommendation #10
Document and Monitor configurations changes in your environment,especially changes in security settings.
Changes happen dailyAvoid problems proactivelyMust do for compliances: SOX, PCI DSS, HIPPA, etcProof for Auditors
![Page 25: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/25.jpg)
About Ecora
Founded in 1999, Portsmouth, NHThe industry’s only agentless solution for automatingdetailed configuration and change reporting of IT systems ComponentsCustomers: Fortune Global 1,000 customers in all key verticalsHundreds of companies used Ecora Auditor to verify and proof compliance to SOX, PCI, GLBA, FISMA and other regulatory requirementsThe Only CMDB Vendor with Nearly 8,000 users WorldwideRecognized in 2005 on the Deloitte & ToucheFast 500 and Software 500Partnerships with HP, BMC, Microsoft
![Page 26: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/26.jpg)
•Documentation Report•Baseline Report•Change Report•Fact Finding Reports: •Kernel and Memory Information•ESX Security Settings•Virtual Machine Permissions•VMFS Files•Virtual Machines Summary•Virtual Machine Hardware Summary•Physical NIC and Virtual Switches•Storage Configuration SCSI•Kernel and Memory Information•Memory and Swap File Information•Virtual Machine Hardware•Consolidated Change Log Reports: •Virtual Machines
Ready Made Reports
Documentation ReportBaseline ReportChange Report
Fact Finding Reports: Kernel and Memory InformationESX Security SettingsVirtual Machine PermissionsVMFS FilesVirtual Machines SummaryVirtual Machine Hardware SummaryPhysical NIC and Virtual SwitchesStorage Configuration SCSIKernel and Memory InformationMemory and Swap File InformationVirtual Machine Hardware
Consolidated Change Log Reports: Virtual Machines
![Page 27: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/27.jpg)
Virtual Machine PermissionsPrepared For: administrator <[email protected]>Prepared On: Wednesday, July 19, 2006 11:52:30 AMPrepared By: Ecora Auditor Professional 4.0 - VMware ModulePrepared Using: FFR Definition 'Virtual Machine Permissions'Prepared Time Criteria: Last 20 month(s)
Copyright © 2006 SampleOrg.comAll rights reserved.
•PermissionsThis report shows permissions for Virtual Machines
Table 1. PermissionsHost Name Account Name Account Type Read Execute Write
BUILTIN\Administrators Alias Yes Yes Yes
BUILTIN\Users Alias Yes Yes No
NT AUTHORITY\SYSTEM Group Yes Yes Yes
Other Yes No No
root Group Yes Yes No
root User Yes Yes Yes
vm-server
chmserver
![Page 28: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/28.jpg)
ESX Security SettingsPrepared For: administrator <[email protected]>Prepared On: Wednesday, July 19, 2006 11:52:05 AMPrepared By: Ecora Auditor Professional 4.0 - VMware ModulePrepared Using: FFR Definition 'ESX Security Settings'Prepared Time Criteria: Last 20 month(s)
Copyright © 2006 SampleOrg.comAll rights reserved.
•Security SettingsThis report shows ESX Server security settings
Table 1. Security Settings
Host Name Management Interface SSL Enabled Remote Console SSL Enabled SSH Enabled FTP Enabled Telnet Enabled NFS File Sharing Enabled
BigBoy Yes Yes Yes No No No
BigBoy Yes Yes Yes Yes No No
![Page 29: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/29.jpg)
Host Name Partition File Name Size Permissions Owner Group Type Last Modified Mapped Disk
Ecora.vmdk.gz 299 rw-r--r-- 0 0 May 3 02:50
SwapFile.vswp 16000 rw------- 0 0 swap May 1 08:37
SwapFile2.vswp 200 rw------- 0 0 swap Mar 22 04:33
SwapFile3.vswp 200 rw------- 0 0 swap Mar 22 04:36
SystemDisk.vmdk.filepart 1478 rw-r--r-- 0 0 Mar 22 04:10
Untitled.vmdk 4000 rw------- 0 0 disk Mar 22 09:54
vm1.vmdk 8000 rw------- 0 0 disk May 1 08:28
vm2.vmdk 8000 rw-rw---- 0 507 disk May 1 08:29
vmk3.vmdk 4000 rw------- 0 0 disk Apr 4 09:53
Windows 2003 std.vmdk 5000 rw------- 0 503 disk Feb 17 11:55
BigBoy vmhba1:12:0:5
![Page 30: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/30.jpg)
Additional Resources
http://www.vmware.com/pdf/esx_lun_security.pdf
http://www.vmware.com/pdf/esx_authentication_AD.pdf
http://www.vmware.com/pdf/esx2_security.pdf
www.cert.org
“VMware ESX Server: Advanced Technical Design Guide” by Ron Oglesby and Scott Herold
“Hacking Exposed: Network Security Secrets and Solutions” 4th Edition by Stuart McClure, Joel Scambray, George Kurtz
![Page 31: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/31.jpg)
Presentation Download
Please remember to complete yoursession evaluation form
and return it to the room monitorsas you exit the session
The presentation for this session can be downloaded at http://www.vmware.com/vmtn/vmworld/sessions/
Enter the following to download (case-sensitive):
Username: cbv_repPassword: cbvfor9v9r
![Page 32: How to Secure VMware ESXdownload3.vmware.com/vmworld/2006/tac0162.pdfESX role-based access control ... Change and Configuration Reporting using Ecora Auditor Additional Resources.](https://reader031.fdocuments.net/reader031/viewer/2022022507/5ac82fa07f8b9a51678c0325/html5/thumbnails/32.jpg)