VMware Communities : All Content - Security & vShield Zones

Advice needed: virtual firewall product

Iwan Rahabok — Sun, 22 Nov 2009 12:17:05 GMT

I know this is not answering the question directly, but hope it may help:

On the "Test Cluster", you may want to consider running ESX on top of ESX. So the ESX is a VM. It is good enough (as in performance is decent) if you are only running a few VM on top.

This allows you to test the functionality.

Cheers!

vShield VM availability

tom howarth — Sun, 22 Nov 2009 10:17:53 GMT

If the vShield VM goes down a HA event will occur and the Guests behind the Shield will start on another host.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / vExpert
VMware Communities User Moderator
Blog: www.planetvm.net
Contributing author on "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment”. Currently available on roughcuts

VirtualCenter permissions problem

ggpptt — Fri, 20 Nov 2009 16:35:40 GMT

I had the same problem after adding "Read Only" access to group "Users" for a Datacenter.

After that, that rule has precedence over inherited permissions for administrator. Also, administrator has no longer permission to edit the rule, nor anything else like deleting the datacenter tree to create it again.

Access rules in vCenter DB are removed when users or groups are deleted on Active Directory or the local user database at vCenter Server, but "Users" group is a built-in one, and thus can't be deleted by any means.

Finally I went to SQLserver and manually delete the evil access rule.

The schema purposes are not very clear, but I happened to delete only one record and it worked. So I guess that I erased the right entry. Please, note that ids can vary depending on how many permissions you already have. I only had 2 entries because I was working with a test installation.

Here you can find how to do it.

Regards.

Open CMD console:
C:\> cd C:\Program files\Microsoft SQL Server\90\Tools\Binn
C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "select id,principal from VPX_access;"
id principal

--------------------------------------------------------------------
1 Administrators
12 Users
(2 rows affected)

C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "delete from VPX_access where id=12;"

(1 rows affected)
---
And now restart Virtual Center service.

Scanning guest os, host ports respond

Texiwill — Fri, 20 Nov 2009 16:00:58 GMT

Hello,

So you scan the single IP from a VM already in that subnet and you get 3 ports opened. This does not look like it is returning anything related to ESXi which would include port 902, etc.

If you scan the single IP from a desktop OUTSIDE that subnet (10.) you get more ports open. This sounds like you are actually scanning the router/firewall/NAT device instead of the actual IP as you see H.323 support. I do not think you are scanning what you intend to scan.

Neither of these scans actually look like the ESXi vmkernel device as the wrong ports are actually opened.

You could scan your vmkernel device, then report your findings and compare that to what your VM is showing, etc.

In all this your vmkernel is NOT part of this network really. You are hitting the vSwitch then the vSwitch goes to the vNIC... vmkernel Management COnsole is not part of this picture at all.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

Isolating the host from the internet

UlyssesOfEpirus — Fri, 20 Nov 2009 01:12:39 GMT

Still haven't weaned completely from Microsoft. The Bat email client with Sandboxie are too good to say goodbye to, especially given that they live in a VM. Also I have too much mastery of Windows to dump all this knowledge and go back to adventures with linux, which last time I did linux was a pain in the neck.

Having said that, my browser appliance is linux-based. And I'm planning to study and experiment with chroot and OpenVZ as a substitute for Sandboxie.

And don't forget, VM's are disposable, it's not the end of the world if a browser appliance gets messed up. As long as bookmarks are kept somewhere safe (I'm keeping a copy online too).

vShield - No cluster option

tom howarth — Thu, 19 Nov 2009 22:31:57 GMT

A vShield will need to be on each node in the cluster

Can encryption beat a man in the middle attack?

Texiwill — Thu, 19 Nov 2009 15:33:05 GMT

Hello,

In the example you cite, where both keys can be used to encrypt or
decrypt, I do not believe that would meet the definition of Public Key
cryptography.

I agree. However, it does not mean people do not do this already.
Knowing how things work is half the battle.... It is all about the key exchange.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

Can malware in the guest access NON-shared folders?

Texiwill — Thu, 19 Nov 2009 15:22:56 GMT

Hello,

If the Malware is embedded in the actual picture and not a hook off some other part of the code, your BMP conversion tool would not know this, unless you have figured out how to undo stegnography, then the Malware is just transferred with the other bits of the image. When you reconvert, the malware still exists within the image. So the BMP becomes just a carrier... The question is then, can the new 'JPG' execute any of that malware.... I am not sure... I imagine it would not be able to do so unless something else came along and rehooked up the pointers, etc.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

Using 1 SAN for both LAN and DMZ

ITAV — Thu, 19 Nov 2009 14:28:53 GMT

Sorry for the delay in marking this answered. Thanks so much for your help.

Password expiry date

Texiwill — Mon, 16 Nov 2009 16:25:09 GMT

Hello,

Moved to the Security Forum.

You could also do this using the HyTrust appliance which interacts with AD. While not setting up expiry on ESXi it does act as an authentication proxy that can use AD expiration to do the same thing. The HyTrust appliance exists in a community form.

This also implies that there are no 'real' users on the ESXi platform. Just 'root' and the user used by vCenter. This allows you to get the same access control using regular users, etc

Even with Hytrust you will eventually have to change passwords on the ESXi host. But you can use delegation and just have a few users, perhaps just one that does everything.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

vCenter security - limiting devs to one Resource Pool

Texiwill — Mon, 16 Nov 2009 15:06:58 GMT

Hello,

Yes you can, but I would ensure the roles and perms are applied to the proper view. It will allow everything to work as expected with all the tools.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

Securing VMware Tools

msemon1 — Fri, 13 Nov 2009 20:39:29 GMT

I should have read a little further in VMware Vsphere and Virtual Infrastructure Security
This is not as simple as it sounds.

Thanks

Mike

PCI, antivirus, and service console

Texiwill — Thu, 12 Nov 2009 17:54:50 GMT

Hello,

Moved to the Security Forum.

have a security mandate to install AV in the SC, but we need to stop treating every OS as if were Windows

This is true, but if you do install AV in the SC, just take special care on how you scan things. You asked whether VMsafe solves this, and the answer is maybe.

TrendMicro has a product that uses the VDDK (vStorage APIs) to scan VM disk whether they are running or not. This is a great way to do things as you can keep track of AV even if the VM is powered down.

Other than that, VMsafe will not help with disk scans, it will help if you have a network IPS available to VMsafe-net.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

VMWare Tools and Security :?

Texiwill — Tue, 10 Nov 2009 21:45:14 GMT

Hello,

No problems. This is a very common question actually.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

Virtual Appliance - Password protect

Texiwill — Tue, 10 Nov 2009 21:39:50 GMT

Hello,

ZIP, RAR, 7zip or otherwise use an archiving tool to compress and password protect your virtual appliance.

You could include True Crypt within your virtual appliance and encrypt the disk thereby needing a password to decrypt the disk.....

Lots of options here.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast

vShield agent scan interface

mike lim — Tue, 10 Nov 2009 18:01:49 GMT

Hi,

Am testing out the vShield addon in our local environment and have hit a snag I hope someone knows the answer to. My vShield agent has a management IP address outside of the subnet of VMs that I wish to scan for services. According to the documentation I should enable the scan interface from the CLI and give it an ip address in the range of my VMs which makes sense......but life is never simple. Within the configuration option of the CLI I can only see 3 interfaces which are: mgmt, u0 and p0 so the command to enable the scan interface is clearly missing a step. I am assuming that adding another vNic is the way to go but am wondering what I will need to do after this.

Any help much appreciated.

Mike

How to Allow/Deny specific Applications using Vshield?

gonzo4477 — Sat, 07 Nov 2009 22:25:35 GMT

Hi

Could anyone please explain more precisely which application's traffic
could be secured via vShield by default and how it is configured?

I am also curious if I could apply my own rules ?

I will be very thankful for an answer.

2009-T-0024 Multiple Vulnerabilities in Linux Kernel

Texiwill — Thu, 05 Nov 2009 13:53:43 GMT

Hello,

I would also push back on the UNIX SRR creators to check for the specific driver and not just the version of the kernel. Otherwise it will always be a false positive.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Newbie question: Service Console isolation vs accessibility

Texiwill — Wed, 04 Nov 2009 17:41:21 GMT

Hello,

Tom pretty much summed it up. Service Console access is the keys to the kingdom. You can implement some defense in depth within the SC to alleviate some concerns by using pam_access, hosts.allow/hosts.deny, SSL certificate changes, and other PAM items to protect you, but these are secondary to your existing network configuration.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Recommended anti-virus protection for VDI on ESX 3.5

Texiwill — Wed, 04 Nov 2009 17:35:27 GMT

Hello,

It uses the DDK which is available for both ESX 3.5 and ESX 4. The ESX 4 version may use vStorage to do this (but really it is still the DDK).

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Role rights. To Vm admin vs Windows admin

Texiwill — Sat, 31 Oct 2009 17:22:09 GMT

Hello,

However, I have seen where RDP "hangs" or does not correctly work after a Windows server is rebooted. A windows server administrator must then power the vm off and back on using the VIC. Is there a way to provide the ability to "power off / on" the vm guest without using the VIC and hence the console subnet?

If RDP hangs or there is a server reboot issue you may actually have a different problem that a reboot may not actually fix. This is a case of the Server Admin must work with the Virtualization Admin to either fix the problem or determine the root cause of the problem.

If you were to expose this capability to non VI-Admins then I would do it through some other mechanism besides vCenter/VIC/vSphere Client/Power Shell/etc. Perhaps just through a process where the Server Admin contacts the VI Admin, etc. That would be the best suggestion as something is definitely wrong with the VM.

Otherwise you could create a custom tool that would contact a proxy which would then go through the firewall to the VI Admin network and then execute a VI SDK script to perform the reboot. Note you do not want to expose the VI SDK through the VI Admin network firewall but something else unrelated.... I have been thinking about the best way to do this recently as well. There exist at least one tool that does do this now. You use one set of credentials to access the proxy and it uses another to do the reboot, etc.... Hyper9 Virtualization Mobile Manager 1.0... Which is available from http://www.hyper9.com/downloads.aspx .... It is not quite what you want (nothing exists yet), but close to what you need and has the necessary security to do the work.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Security question

Texiwill — Tue, 27 Oct 2009 20:27:07 GMT

Hello,

Moved to the Security Forum.

Thanks Abe.

The best solution is to use a VPN between your two offices and then let the data transfer over the VPN....
Any Virtualizaiton management interface, as a previous poster stated, out on the internet is an attack surface of interest. It will be the one the attackers would love to find. Once they get in through one system, you can bet they will pivot to another.... So my setup for this would be:

ESX/ESXi SC/Management Appliance <-> FW w/VPN capability <===VPN through Internet ===> FW w/VPN capability <-> Management Network w/vCenter

This way everything is nice an encapsulated and nothing is broadcast over the network where the bad boys live.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

SUDO Configuration

Texiwill — Tue, 27 Oct 2009 19:12:58 GMT

Hello,

On a stock 3.5 system the command 'sudo -V | grep "dummy exec"' returns a blank line. THis implies that noexec is not supported within this version of sudo. Also, if you do a 'man sudoers' you will also find no reference to NOEXEC. Remember, 3.5 SC is really RHEL3 U8 and a 2.4 kernel. It is a bit old....

If you modify the stock 3.5 system to add your own sudo, you can get the noexec feature. Not something I really do.

Instead I would investigate the use of the hytrust appliance, or use the VIC as much as possible. That way the issue does not come up much.

NOEXEC for example can be used to prevent calls to shells from within VI, the way I do this is NOT allow VI or any editor to be used. Instead you copy the files, modify them, then copy them back in. There are quite a few ways to get what you need from sudo.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Vsphre security

Texiwill — Mon, 26 Oct 2009 18:59:28 GMT

Hello,

The major differences:

VMsafe now available
vShield Zones now available
ESX Service Console went from 2.4 Kernel to 2.6 Kernel (with different linux settings), etc.
PVLAN support with Distributed Switch

Outside of that, they have added some more per VM options.

There are some new items, but the rules you know for VMware VI3 still apply. Nothing has really changed that much within the virtual environment. Just need to account for the newer features.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review.

Texiwill — Mon, 26 Oct 2009 15:52:26 GMT

Hello,

Drag and Drop are per VM settings and you can either use the vSphere Client, PowerShell, or some other scripting mechanism to make these changes using the VI SDK. I am beginning to migrate almost all my tools from shell scripts to ones that use PowerShell and access the shell as necessary. This may be the best way to move forward the DISA SRR in the future. If anyone is interested let me know.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

VMware Hacking Course

DataJock78 — Fri, 23 Oct 2009 14:08:27 GMT

Yes that is WHERE I am teaching it, but I can help you with registration on this end if you like.

PCI certification requirements.

Texiwill — Thu, 22 Oct 2009 14:31:09 GMT

Hello,

Moved to Virtualization Security forum.

PCI is working on the correct guidance for VMs now. So you may wish to check directly with PCI with respect to PCI compliant virtualization hosts/VMs. I am sure there will be a combination of items required. AV being the least concern.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

can't import vshield manager when no standard vswitch

carlosVSZ — Tue, 20 Oct 2009 17:06:53 GMT

This KB article explains the workaround:

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1012440&sliceId=1&docTypeID=DT_KB_1_1&dialogID=42790417&stateId=0%200%2042792813

problems opening a port in the firewall in ESX Server 3.0.2

liqin75 — Mon, 19 Oct 2009 02:11:56 GMT

please use iptables -L -vn to check the results, and further more you can use wireshark to sniff package to check where the error is.

vSphere STIG and DoD Discussion

stanj — Wed, 14 Oct 2009 12:29:58 GMT

I contacted the DISA FSO.

Here is the status and direction so far for vSphere:

VMware is currently working on developing security guidance for ESX4 and 4i.
This is a consensus effort between DISA and VMware.

The projected completion date is January 2010.

The ESX4 STIG will just be a Checklist update addressing the differences ESX3 and ESX4.
In the meantime, Sections 3 and 4 of the ESX Server Checklist would still be applicable to the ESX4 environments.

In the absence of any guidance, CIS benchmarks or vendor security guides are to be used

I will post any additional information I receive.

what's the password of user enable

Saadat — Mon, 12 Oct 2009 06:26:43 GMT

check these links:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012479

http://communities.vmware.com/thread/220039

Does vShield firewall traffic between VMs in the same Zone?

djkast33 — Fri, 09 Oct 2009 18:41:54 GMT

Thanks Carlos.

I am having some trouble figuring out the placement of the vShield in the protected switch and how to tag the unprotected switch

I have 3 vlans

I created four port groups in the protected switch.

VLAN1 -portgroup

VLAN2 -portgroup

VLAN3-portgroup

PROT-portgroup

The VM's are spread across the VLAN port groups, and i put vShield in the 'PROT' portgroup.

Now, I am noticing it that VM can only access what ir's supposed to if the Unprotected vSwitch is tagged appropriately

eg. To get a VM working that's on VLAN2... I need to tag it with '2' and also tag the Unprotected switch with 2.

Is this clear, I'm assuming there is an easier setup for trunked configurations

Changing NIC connections in NIC Team

Texiwill — Tue, 06 Oct 2009 14:23:01 GMT

Hello,

Teximill - Thanks for the reply. So you're saying if we have a 8 host environment perhaps make 2 clusters, 1 for Production (internal vm's) and 1 for DMZ (web facing vm's), with perhaps 6 hosts for cluster 1 (production) and 2 for the DMZ?

This is what I am saying. This way you have 2 vSwitches per host with 2 pNICs each. 2 pNICs for vMOtion/Service Console (pNIC0 and pNIC1) and then 2 pNICs for DMZ or Production VMs but never both.

Or are you suggesting leaving them all in 1 cluster but creating rules to ensure that DMZ vms are kept on certain hosts? I understand how to do it with VLAN's Cisco side if we have to overlap the 2.

No.

+When using a DMZ, the DMZ network including physical switches should be isolated from your production network for best security. +- We wanted to do this but with only 4 nics per host we haven't found a way to do this effectively. We thought about 2 Vswitches, one with 2 nics, the other with 1 nic. The second vswitch would be vmotion and service console, other would be vm traffic. We'd using the remaining nic on an isolated switch (splitting between 2 switches for load balancing) for DMZ traffic. The only issue would be that if either of the DMZ switches goes does we'd have to physically move cabling to allow the DMZ vm's to get out to the internet.

I would not do this, you just do not have the necessary redundancy.

Also., your DMZ should be using separate physical switches than your production network. It sounds however like you are using VLANs, if you are using VLANs in the physical network, using them in the virtual network makes no difference to security. Its really the physical network that is at more risk as the VLAN attacks all work against the physical network and not necessarily the virtual network.

DMZs are the major attack point. Assume they will be attacked and you will be on the right track. Everything in a DMZ is at risk, including the physical switches. So these switches should be isolated as a matter of course.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Enforcing account lockouts

Texiwill — Tue, 06 Oct 2009 14:13:25 GMT

Hello,

You can implement pam_tally by hand, use 'man pam_tally' for assistance.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Distributed vSwitches with vShield Zones

gfzhao — Wed, 30 Sep 2009 06:13:04 GMT

Hello nik-o

Has your issue been resolved?if still not, please take a look at my setup and configuration:
My setup is:
The p0 and u0 of vShield VM connection is:
p0 --> dvportgroup1 on vNDS2
u0 --> dvportgroup2 on vNDS1
Protected VMs --> dvportgroup3 on vNDS2

vNDS uplink NICs connection:
vNDS1 has physical uplink NICs,
vNDS2 has no uplink NICs

VLAN setting:
dvportgroup3 --> vlan 21
dvportgroup1 --> vlan trunking 21
dvportgroup2 --> vlan trunking 21

At first, my protected VMs are not pingable from my unprotected VMs, it's because I did't configure vlan trunking on the dvportgroup "dvportgroup1" and "dvportgroup2"
After I set trunking vlan on these two dvportgroups, my protected VMs are pingable from the unprotected VMs

Hope this info resolve your issue

Active Directory Authentication (Encryption Level)

DC_Engineers — Tue, 29 Sep 2009 08:18:29 GMT

Hi Guys,

I guess the thing to do is to install wireshark either on your DC (presuming it's allowed etc etc) or on a test machine connected to a SPAN / mirrored port on the switch and have a look at the packets. It will show you whether the authentication traffic is encrypted or not and should also show you which algo is used...

I might run a test later!

Cheers,

Dan

vShield installation error

carlosVSZ — Mon, 21 Sep 2009 18:25:24 GMT

vShield supports both legacy and vDS switches and only in 4.0. However, there is a known issue when deploying in an evironment that has no legacy vSwitches. The workaround is detailed in this KB article1012440:
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1012440&sliceId=1&docTypeID=DT_KB_1_1&dialogID=40708575&stateId=0%200%2038376180

The error message in the KB article is slightly different but the end result and workaround is the same.

Is Guest network traffic routed to external (LAN) network

Texiwill — Tue, 15 Sep 2009 21:31:50 GMT

Hello,

Would this not also be based on the netmask in use? If you have a wide enough netmask within the VM then you should be able to communicate with each subnet without using a router? Or if you use the same vNIC for 2 subnets, etc. In this case I have never had to use a router just routes on the VMs.

If your VM has the proper routes in place as well they may never go outside. Now if the VMs have no routes, no interesting netmasks then yes it should go out of the vSwitch to the gateway, etc.

Portgroups with the same VLAN ID (or even none) may not route out of the vSwitch.

Only one way to guarantee that, use different VLAN IDs on the portgroups.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vShield login error

sebek — Mon, 14 Sep 2009 09:49:16 GMT

You have probably installed vShield Manager straight from the CD. You should install both appliances using VMware installer, instead.

sebek

vShield + Intel 10 Gig 82598EB = BAD

zik — Fri, 11 Sep 2009 13:02:06 GMT

Has this issue been resolved?

How do I have the VMkernel on it's own VLAN

bulletprooffool — Thu, 10 Sep 2009 08:26:04 GMT

You need to make sure that your physical swicth allows the 2 Vlans to be routed correctly too.

Have the Vlans been set up correctly on your physical switches?

Developping a firewall using vmsafe-net

rrandell — Wed, 09 Sep 2009 17:46:44 GMT

Quick answer from the blackberry: The vShield appliance takes care of that by bridging (layer 2) the private and externally connected vswitch.

Rob Randell, CISSP | VMware | Senior Systems Engineer - Security | Office/Mobile: 303.324.2331 | email: rrandell@vmware.com

Sent from Blackberry. Please excuse typos or terse responses.

VM Firewalls

boatrke1 — Wed, 09 Sep 2009 12:37:41 GMT

Thanks for the info.

Kevin

Auditing / Security of ESX

ealaqqad — Wed, 09 Sep 2009 11:01:04 GMT

Just a thought, if you are going to upgrade to vSphere soon, then you might want to look at Host profiles as it might do what you are just looking for.

If you still have a valid VMware support, then it might be worth it for you to upgrade as its free .

I hope this help someone, if it did please reward points.

Enjoy,

Eiad Al-Aqqad

System X & Storage Technical Specialist

http://www.virtualizationTeam.com

VPN Solutions on VMware VDI

Texiwill — Tue, 08 Sep 2009 18:29:58 GMT

Hello,

You would need to do something like:

client <--- Internet ---> VPN Server <-> View Security Server <-> View Broker <-> VM

So your VPN server sits on the edge and therefore none of the VDI components need to integrate with the VPN. So use whichever you desire.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Local storage on a DMZ server

Texiwill — Tue, 08 Sep 2009 18:26:52 GMT

Hello,

The drive layout is generally up to you and independent of most security concerns as a VM can not get to a datastore except through the hypervisor. However, even so due to forensic concerns I use raid 10 where ever possible. I would use Raid 10 on a pair of OS drives and then Raid 5 on the rest.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Portgroup, vmnic, vSwitch, and VLAN oh my!

bulletprooffool — Thu, 03 Sep 2009 08:15:22 GMT

I presume these VMs each have only 1 Nic assigned?

Also, you have verified the VLans . . .and neither of the VLabns is your default VLan . . so your physical switches tag the traffic from the other VLan onto this VLan?

Also, if you have different subnets, you should be hitting 2 Default Gateways to get from subnet to subnet - can you view logs on these?

Have you run a tracert on one of the VMs to see which way it is actually routing?

vShield problem

hnehlsen — Fri, 28 Aug 2009 10:46:35 GMT

Hi,
thanks for the quick answers.
I got it sorted out. Someone in our datacenter pulled out two network cables and didn't plug them in again so I had a link in enclosure backplane but not to the outside world.

Harro,

vShield license problem

hnehlsen — Fri, 28 Aug 2009 07:41:40 GMT

Hi there,

probably all figured out and problem solved by now, but I came accross that one has to move the vShield Management VM to the host the vShield VM is to be installed. In my environment it works, even though I have no idea why VMware doesn't fix this in there quality management.

Harro,

vSwitch and Spanning tree

wlouzado — Tue, 25 Aug 2009 06:28:04 GMT

Textiwill and K-Mac, thank you for your response. I did have this information before though, the issue was related to how an individual vSwitch participated in the network as a L2 loop can be made with a single switch not just two.

Rob, perfect answer, thank you so much. I'm not sure why they don't have this information on the course. It might be worth rewording the 3.5 notes to include this as this is the main reason why no L2 loops can be created. Once again thank you.

Port 903?

Texiwill — Mon, 24 Aug 2009 17:26:25 GMT

Hello,

Howard and I have disagreed in the past.... Its not often but... or was that agreed with reservations... chuckle

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vmware + truecrypt for fully encrypted windows OS?

psimon2112 — Fri, 21 Aug 2009 20:27:42 GMT

started from thread on truecrypt forums: http://forums.truecrypt.org/viewtopic.php?p=22979

my question from there repeated for convenience:

if I do the following, will any traces be left on my machine at all?

create a truecrypt volume. mount it, and create a vmware partition for a new operating system on the truecrypt volume. if I boot up the vmware operating system (which only has access to the truecrypt section of the hard drive), would any traces of my activity be left behind? what about with the swap/page file in the native OS?

there responses seem to indicate "there's no way that'd work." is that accurate? can I configure vmware to do what I want? if so, how do I go about it?

Encrypting the VM volume is not really the answer here.
What you need to do is seal up the OS (inbound and outbound) within itself.
This will give you the self protecting layer you require.

Encrypting the vm volume will only stop other volumes/ hosts accessing it, not control the effects you are talking about in your thread.

Good luck.

Hello!
Could you please be more specific on how this should/could be done?

P.S.: Merry Christmas!

VMware products can create files outside the VM's directory, but you can play with the tmpDirectory field to control that.

However, the larger problem of the swap/pagefile containing traces of your activity remains intact. This is an operating systems shortcoming, not a VMware one.

I haven't tried, but if you gave the VM 100% reservation of the memory would it not create the swap file? Thus securing the VM from the host perspective?

when you give th VM 100% reservation a zero byte sized swap file is created

There are other traces left besides the swapfile
There are traces in the different logs (vmkernel,hostd,...).
Question is how easily these traces can be used.

But those traces contain no data of what is in the VM. So even a zero byte swapfile is useless, because it has no data in it. I would think if you secure the guest os, turn of things like TPS and have no swap it would be considered secure. The only thing on top of that you could add would be maybe encryption of the VMDKs, but that would add a significant amount of overhead to the virtualization layer.

But those traces contain no data of what is in the VM.

only VMware knows, I guess

So even a zero byte swapfile is useless, because
it has no data in it.agree

Yes, it will leave traces see my post http://www.vmware.com/community/thread.jspa?threadID=70884&tstart=0

then any dissent forensic will get you.

Encryption of the VMDKs, suspend file, and configuration files has been available in VMware ACE, since Dec 2004. You might want to look into that if you're on the desktop, not the server.

I know what you want to do but who exactly do you want to protect your data from? If it's law enforcement having a VM inside of an encrypted drive might be sufficient. If you're trying to protect things from the government then all bets are off.

If you want to hide porn from your parents it's easy. (Unless one of your parents happens to work for the FBI forensics team or NSA data recovery.)

If you want to hide things from the law, it gets harder as they have access to the FBI's forensic services. The best you can do is get everything encrypted and then run ENCASE on your own drives to see if you can find anything.

If you want to hide things from criminals then consider worst case they have a black hat with the skills of the FBI's forensic lab.

If you want to hide things from the NSA what the h@#$ are you doing in the first place that would draw their attention and you should seal your computers into an EM shielded room (TEMPEST) with no outside connections (Sniffing and intrusion) and have a block of thermite setting on top of your drives with a panic button on you at all times (NSA Data recovery that can get data off your drive no matter how many times you overwrite it though it will drop the classification level of the drive by one step. Per their own directive for destruction of classified material get an NSA approved degausser, yank your drive and toss it in. Note that those degaussers that don't require you to take the platters out cost in the range of $30k+) Even with all of that I can't guarantee they won't get your data.

If you want ideas look at the Common Criteria approved products list for data encryption that's approved per NSTISSP No. 11 for use on classified data. I'd advise looking for EAL 4+ products.

This document was generated from the following thread: vmware + truecrypt for fully encrypted windows OS?

VM Flow shows "No Data Found"

SCampbell — Fri, 21 Aug 2009 18:56:19 GMT

We're just tinkering with vShield and Cisco N1000V independently and together in the lab as we prepare to deploy vSphere.

The current configuration in our lab is this:

The public side of a vShield VM is connected to an N1000V Port Group
The private side of the vShield VM is connected to a local vSwitch Portgroup with Promiscuous mode permitted. (It's not a dV Port group, but do recognize this would be needed as we evolve the lab)
We have servers on the public side and one server on the protected port group, and can transfer data to and from all these servers from another computer outside the ESX environment.
The protected server is shown as protected in the vShield Manager
I have a script running elsewhere that is generating traffic to and from the protected server. The vShield Manager Status for that vShield is showing all the expected traffic in both the p0 and u0 status.
But, the VMFlow stats for the protected server and its roll-ups shows "No Data Found"

Some questions

I was unable to get the protected Port Group working as an N1000V port group, and have since found information here confirming that. Is the failure to display VMFlow stats related to the fact the public side doesn't really support promiscuous mode? (since it's a N1000V port group)
Is there some other misconfiguration I've done that is preventing the VMFlow data from showing?
Again with the promiscuous issue, am I unlikely to get a second computer in the protected side to work?
I saw a reference to reversing my configuration: Put the public side on a vNetwork switch with uplinks, and put the protected side as an N1000V port group. Is this likely to work better?

I understand Cisco is working on a solution to this problem, but we did want to put in as much "end-state" infrastructure as possible as we prepare for deployment, and doing the uplink side using N1000V seems to make more sense to me.

Thanks for this.

Getting HA to work on DMZ cluster

Texiwill — Wed, 19 Aug 2009 19:15:23 GMT

Hello,

Moved to Security forum.

Let us instead break this down by Networks. You have 3 maybe 4 major networks....

Management
Storage
VMotion
VM

Management, Storage, VMotion are NOT and NEVER should be within any part of the DMZ not even a NAT in the DMZ. They should be connected to different physical switches unrelated to the DMZ.

The VM Network for DMZ should be within the DMZ, it should be the only thing within the DMZ.

I have been fighting with the network / security team to have my managment ports on a rouable network. This is what is in the DMZ best pratice guide.

What is their concern? That is where we should start this discussion because your management and vmkernel ports should be on the proper network else not much really works. As for DNS, local host files actually cover that quite well.

It sounds like your security team is still of the mindset, its a box with multiple pNICs, hence it is one security zone. Instead of treating each ESX host as its own datacenter.

They may need to read more materials to get a better feel for Virtualization Security.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vmware and firewall

Texiwill — Wed, 19 Aug 2009 15:44:21 GMT

Hello,

Moved to the Security forum.

The general rule is:

Your management network should never be directly connected to the internet..... You have to consider the management network separate from your VM network. So this should be behind another set of firewalls. If your VMs are internet facing they are in effect within a DMZ.

Check out http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf and http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf for some ideas on how this would work.

I do the following myself:

Internet<->FW<-> DMZ VMs <-> FW <-> Internal VMs <-> FW <-> Service Console/Management Network

This way management is as far from the outside as possible. To access from outside I use a VPN to get to a 'VM' which then can jump into a Management Network VM via VPN/SSH/RDP to the management network, etc. For heightened security there is no reason the management network ports should be seen by any other network.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Potential for using ESX to bridge networks ???

jc69 — Tue, 18 Aug 2009 18:45:55 GMT

Thank you both for your replies. The Best Practices document was a big help too. .

vShield Zones In Depth CLI Documentation

Wolfbrother_KC — Fri, 14 Aug 2009 19:11:53 GMT

Thanks Carlos! Exactly what I was looking for and we can go into more depth on the call. Thanks!

DMZ, network considerations

Texiwill — Thu, 13 Aug 2009 21:24:59 GMT

Hello,

ESXi vs ESX is really not a whole lot different from a network perspective. ESXi is actually far harder to lockdown with a true defense in depth. THere are other issues with ESXi but that should not dissuade you from using it within a DMZ as long as ONLY your VMs are within the DMZ, not the vmkernel ports related to your virtual infrastructure management, storage, etc.

vmkernel ports have no need to live within the DMZ. There are a huge number of references on this within the community. azn2kew has quite a few of them. Check out Top Virtualization Security Links as well for more.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

SSL Server support weak encryption

Texiwill — Tue, 11 Aug 2009 16:02:40 GMT

Hello,

You could change it in these files.... Not sure what would happen but do not think it is an issue.....

/usr/lib/vmware/webAccess/tomcat/*/conf/server.xml

However, not everything uses tomcat either so there are other concerns as well. This just fixes it for webAccess which includes anything using the VI-SDK, etc.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Documented best practice for no antivirus in Service Console???

Texiwill — Tue, 11 Aug 2009 15:36:26 GMT

Hello,

There really is none that is the problem. All we have is the recommendation from consultants, books, etc. But I know many a company that MUST run it, regardless of supporting evidence to the contrary.

My own book, VMware ESX Server in the Enterprise, dictates that it should not be done, but you must realize the only way to make it so it is not required is to change your Security Policy which may be an uphill battle. Now if you switch to ESXi it is physically impossible to run AV within the Posix Management Environment. However, with GNU/Linux it is possible.... So that is the battle you need to face.

Personally running it is not a great idea but as long as you control when it runs and what it scans it will not be a huge issue.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vSphere in the DMZ Question

Texiwill — Mon, 10 Aug 2009 14:42:41 GMT

Hello,

Protected by VLAN? Please. There is no such thing. You use VLANs only if you 'TRUST' VLANs, they are not in themselves a protection mechanism. THe protection mechanism would be ACLs and Port security to ensure that only the proper machines could connect, mac flooding is controlled, etc.

In general, DMZ's are implemented using segregated physical switches for JUST VM traffic. Your Vitualization Networks (iSCSI, NFS, Management, VMotion, etc.) should not be seen by anything within the DMZ.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

SR-IOV, virtualisation CNA's and security

meistermn — Sun, 09 Aug 2009 06:48:23 GMT

He is right you will see vmdirectpath in generation 2 of Intel vt-d to be vmotion able.

vWire ConfigCheck and vRanger?

Texiwill — Fri, 07 Aug 2009 19:21:11 GMT

Hello,

However after the fact you can get vRanger's account into the wheel group. I have never faced this problem as I always use an account I create in the proper group.

BTW, one Security standard says to remove the setuid options from SU, in effect disabling it complete. vRanger would break completely if this happened, unless vRanger can use sudo instead of su.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vCenter Permissions to Individual VMs

Texiwill — Thu, 06 Aug 2009 22:43:51 GMT

Hello,

Delegate or Assign? To assign the permission, you assign the permission ONLY on the object you desire. You do NOT assign lesser permissions above that object. It sounds like you have denied this user access to items above the VM and trying to assign greater perms to the VM itself. This does not work. The 'least' permissions win.

So you have the following:

DC
.... Cluster
......... Resource Pool
..............VM <= ASSIGN PERM HERE

In general do not assign perms anywhere else. Ideally you would ONLY assign the perms ona VM under the VIrtual Machine and Templates View NOT the Host and CLusters VIew

<br>Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

DMZ Configuration

Texiwill — Thu, 06 Aug 2009 22:39:09 GMT

Hello,

Take a look at the following Specific Blogs for detailed information on how traffic routes in the vSwitch and information specific to DMZ virtual networks.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Is there any risk with using VMWARE Server 1.x or 2.x

Texiwill — Thu, 06 Aug 2009 22:19:05 GMT

Hello,

VMware Server does not 'open' ports on the firewall but it will enable daemons that listen on ports 8333 and 8222 and maybe a few others. as long as the host firewall is setup to specifically deny access to these management ports then all is well.

However, VMware Server is only as secure as the host.and there is no way I would ever put such a host on the internet.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Would qemu or openvz perhaps be more secure than vmware?

Texiwill — Thu, 06 Aug 2009 22:15:45 GMT

Hello,

The driver within the VM talks to the USB Passthru device presented to the VM through the virtualization layer.That Pass Thru device does have a small bit of code within the host. Usually within the hypervisor but sometimes within the host as well. I know when I pass a usb device to a VM from the host it installs a driver of some sort within the host.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Server virtualization security and compliance (survey)

Texiwill — Thu, 06 Aug 2009 21:42:25 GMT

Hello,

Moved to Security Forum.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

p2v firewall port question?

vmwareluverz — Sat, 01 Aug 2009 01:55:51 GMT

thanks texiwill you seems to know a lot about security and i have completed p2v projects long time but forgot to close the threads.

disable root access from physical console using cat /dev/null >/etc/securetty

vmwareluverz — Sat, 01 Aug 2009 01:44:48 GMT

thanks for thorough explanation and its great everyone knows a lot about security.

Virtual center roles/rights/permissions. What does "Datastore" -> "File Level Management" right do?

Texiwill — Thu, 30 Jul 2009 23:04:04 GMT

Hello,

Roles and Permissions are just not granular enough. You can either use a script as hicksj has suggested or look into using the Hytrust Appliance. Hytrust imposes MUCH more granular permissions.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Nexus 1000v vs. vShield zones

carlosVSZ — Tue, 28 Jul 2009 21:26:57 GMT

The Nexus 1000v and vShield zones are two separate things, let me explain.

VMware offers two types of virtual switches, the traditional or legacy vSwitch and the new vDS (vNetwork Distributed Switch), a federated network switching platform that spans several VMware vSphere servers.

The Nexus 1000v is a third-party vDS switch developed by Cisco and is a software implementation of a Cisco Nexus switch that can replace VMware's vDS and legacy vSwitch in the vNetwork layer.

vShield Zones is not a virtual switch but a virtual firewall that fully integrates with the vSphere environment and provides stateful firewalling and traffic flows for your virtual environment.

vShield Port Groups management

CharbelZ — Fri, 24 Jul 2009 09:07:18 GMT

Hello ,

Designing an architecture based on ESX4 and implementing a model with multiple remote administrators (on independant VLANs) was the easy task. The next step was to offer each remote admin a virtual data center on the platform to create his own machines and connect them to his port group.

The security problem we are having is restraining each admin to his port group or vlan while creating his machine. In the documentation, dvPorts is a managable object but I can't seem to be able to correctly assign each admin in my active directory to a port group on the vswitch.

Can it be done? Can we create privileges on a vSwitch's port groups directly?

If that is not possible, can we create a mandatory template to connect the VM with the port group already specified?

Thanks for all the help!

Charbel

PS: Reference VSphere Basic System Administration p221-222

Best Practices and Security on ESX 3.5

Texiwill — Mon, 20 Jul 2009 14:40:58 GMT

Hello,

There is more to securing your virtualization environment than those specific guides. Which are really about hardening just ESX but there is quite a bit more involved in this. Check out Top Virtualization Security Links for a complete list of resources.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Restrict root Logins To System Console

dtracey — Thu, 16 Jul 2009 08:59:24 GMT

Thanks Edward - you've been really helpful. I'm ordering your book from Amazon.co.uk as we speak

VIM account password was changed on host...

heybuzzz — Mon, 13 Jul 2009 17:39:56 GMT

hmmmmm....Thanks

Vmware Capacity Planner questions

ibmer007 — Mon, 13 Jul 2009 12:48:21 GMT

Hi Winadi & every one looking to be able to upload VMware Capacity Planner at a later time or from another machine,

I have actually been doing this about twice a week for about a year now as many of our customers are Banks & ministries. I have documented the step by step of how I do so at: VMware Capacity Planner on System without internet

Actually I originally got the steps of a VMware engineer & now I had documented them for any one who trip over with the same problem.

I hope that help, if it help you please be kind to award points or leave a thank you at the post.

"Nothing can't be virtualized, even people"
VMware Certified Professiona (VCP)
http://www.virtualizationteam.com Active Memeber

understanding esxcfg-firewall cmd

Texiwill — Fri, 10 Jul 2009 14:00:54 GMT

Hello,

1) Still, I am able to connect to this server via SSH

You are connected, it is the related established issue. But you have not really given the complete esxcfg-firewall -q option. Plus I am not sure if you have done something that has allowed this. Run the command:

You have used odd names, the proper way to disable SSH is to use

esxcfg-firewall -d sshServer

2) From tthis server, i am able to use ssh to connect to the other server, how is this possible?

sshClient is allowed, that is why.

Here is what I would do:

esxcfg-firewall -r
esxcfg-firewall -l
esxcfg-firewall -d sshServer

Now sshServer will be disabled and sshClient will also be disabled as it is by default. I am not sure the state of your firewall and so please reset it (-r), reload the current settings (-l) to be safe, then disable sshServer.

Do not use the -o and -c options unless you really have to do so.

Not sure I would disable ssh instead I would implement TCP Wrappers to limit from which workstation you can use to ssh into ESX, you will need this for maintenance. Also, you can use pam_access.so to limit WHO can actually login using SSH.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Use custom names instead port numbers

Anton V Zhbankov — Thu, 09 Jul 2009 18:43:17 GMT

Could you please help me with this issue http://communities.vmware.com/thread/219974?tstart=0

---
VMware vExpert '2009
http://blog.vadmin.ru

vShield Passwords

EPL — Wed, 08 Jul 2009 23:39:29 GMT

Thanks! That did the trick.

I wonder why this wasn't included in the original documentation? You'd think that for a security product, best practices always dictate to change default user passwords.

Strange numbers in VM Flow report

Anton V Zhbankov — Wed, 08 Jul 2009 13:02:15 GMT

I have VM with Windows File Server and a couple of iSCSI LUNs on external array connected via software initiator from windows.
So, traffic for this file server should be approx 50/50 in/out.

But VM Flow report shows 196GB in / 1.8TB out. How can that be? Almost all outbound traffic is to port 3260, iSCSI.

I have antivirus on this VM, so traffic difference can be explained by antivirus that checks a lot of files. But I suppose there should reverse situation, inbound traffic above outbound. Or I just understand inbound / outbound wrong?

---
VMware vExpert '2009
http://blog.vadmin.ru

Securing access to esx server and vcenter 4

Texiwill — Wed, 08 Jul 2009 12:42:50 GMT

Hello,

That is covered in gory detail within both my books actually. But you will need not only TCP wrappers but changes to the iptables firewall within the ESX host. A secondary firewall so to speak. You may even want to also use pam_access to enforce a group policy so that if multiple people have access to a single host you can lock down by user/group and not just IP.

Note this will NOT affect VC or any VMs hosted by ESX.

Simplest TCP wrappers is:

echo "ALL: AdminIP1 AdminIP2" >> /etc/hosts.allow
echo "ALL: ALL" >> /etc/hosts.deny

Where AdminIP1 and AdminIP2 are the IP Addresses of your management hosts. Do not forget to include the IP address of your vCenter Server in this or things will break. Also include in this list ANYTHING like HPSIM...

Also you should note that while the simplest this setup will NOT pass the DISA STIG requirements as it has very specific requirements for the contents of /etc/hosts.allow.

Also note that this setup only affects those daemons that USE TCPWrappers and not everyone of those does, so you may also have to Lockdown by Source IP... visit http://www.astroarch.com/wiki/index.php/Lockdown_by_Source_IP for more information on this.

Good luck!

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

VM's in the DMZ

Texiwill — Tue, 07 Jul 2009 15:50:01 GMT

Hello,

Moved to Security Forum.

In general follow the guides in the whitepaper forwarded, but I would also look at the

Great vSwitch Debate
Topology Blogs

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Isolating Images from each other

Texiwill — Tue, 07 Jul 2009 15:23:51 GMT

Hello,

Best option is to use a firewall between virtual switches. I.e.

Network<-> pNIC<-> vSwitch <-> vFW <-> vSwitch with your 'same addresses etc'

IPCop and Smoothwall work quite well for this and can actually act as a NAT device if necessary.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Secure erasure of files - at the vmdk level?

LeaUK — Tue, 07 Jul 2009 15:19:25 GMT

Hi Edward

Thanks for the update and I thought I would also share my last findings.

Not sure I know of what you talk. The files of interest are the .vswp, .vmsn, .vmss, .vmdk, etc. Those are really the 'cache' files per say.
Yes, these are the files I'm referring to.

In order to DoD wipe a VM properly, which means everything to me... metafiles, etc. you can not do it from within the VM and current technology requires you to set so many limits on your virtual environment that it becomes very hard to do.... The best solution does not exist yet and that is a vStorage API (part of vSphere) plugin that does this when files are deleted/moved from without the virtual machine. I am not sure that is possible either.

My conclusion is as yours (and many thanks for guiding me also). There is no ideal solution.

However I just wanted to correct my comments about erasure DoD formats as I was incorrectly informed:

DoD 5220.22-M(E) (3 times)

DoD 5220.22-M(E) is an abbreviated version of DoD 5220.22M(ECE) and overwrites all addressable byte locations with a byte of data, its complement (1's & 0's reversed), then overwrites each byte location with random bytes. This means each data byte to be wiped was overwritten 3 times.

DoD 5220.22-M(ECE) (7 times)

DoD 5220.22-M(ECE) overwrites all addressable byte locations with a byte of data and its complement, then overwrites all addressable byte locations with a different byte of data and its complement, then overwrites all addressable byte locations with a yet another different byte of data and its complement, then overwrites each byte location with random byte . This means each data byte to be wiped was overwritten 7 times.

Thanks to everyone who made a contribution, I'm sure one day they'll be a solution...

Kind regards
Lea

Encrypting full disk or system partition of VM

benzfire — Tue, 07 Jul 2009 10:33:45 GMT

Came across this http://www.vmware.com/appliances/directory/76683 Bloombase Spitfire StoreSafe Security Server on vmware's virtual appliance site. Don't know if useful for your case. Anyway, worth take a look.

change password, vi client, minimal password complexity requirements.

davemi — Tue, 07 Jul 2009 07:29:11 GMT

I've put some notes together on changing password complexity for ESXi 4.0 - http://www.vm-help.com/esx40i/password_complexity.php.

Change Root Password

pearlyshells — Mon, 06 Jul 2009 13:41:15 GMT

appreciate the good words. thanks very much

Looking for Beta testers

mwronski — Thu, 02 Jul 2009 19:31:48 GMT

Relfex is looking for software beta testers to help with our pending release. If you fall into the following criteria and would like to participate, please PM me and we will get you further details about the software and expectations. There will be incentives for those that participate and provide solid feedback. See Reflex vTrust for an overview of the types of functionality available.

Group 1:

Organizations with 5+ hosts running VI3 (ESX 3.5) with interest in creating infrastrcutre policy with automated enforcement / command and control via canned actions and scripting.

Group 2:

Organizations with 3+ hosts running vSphere with interest in the above functionality and additionally the use of a vmSafe implementation to provide network segmentation / firewall and other network level enforcement of policy (e.g. quarantine, posture checking)
Mixed environment of VI3 and vSphere is supported

Environment Requirements:

Environment manged by one or more vCenter servers
Host resrouce to run the Reflex VMC management Appliance (typically 2G RAM / 2G available storage)
Multiple VM network environment to apply network and infrastructure policy on. The larger the better.
Ability to spend time to instal and work with the Reflex VMC product. Reflex will provide technical suport during the beta.
Product supports vSwitch, dvs and Cisco N1KV

Thanks,

-Mike Wronski

mike at reflexsystems.com

Outgoing ports 137-139 blocked for guests

Texiwill — Thu, 02 Jul 2009 18:24:04 GMT

Hello,

Moved to Security forum.

The ESX service console iptables based firewall does not apply to virtual machines. So unless you have vShield zones in place (which you do not have) then nothing inside ESX will block ports so it is either the firewall within the Guest OS or the switch.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Secure VMTools

Texiwill — Thu, 02 Jul 2009 14:24:48 GMT

Hello,

Moved to Security Forum.

This is unfortunate but true. Even if you were to disable VMtools by locking down who can actually run the guest daemon (which is a step you should take), anyone can access the VMware backdoor with a little coding. So your best bet is to use the VMware Hardening Guideline and set the appropriate isolation settings to disable the ability for anyone to use the VMware backdoor maliciously.

The DISA STIG Has a larger list than VMware's Hardening Guideline and my book has one that is larger than that.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

vShield & VLANs

carlosVSZ — Wed, 01 Jul 2009 22:57:17 GMT

vShield will work with VLANs. As far as the configuration, if you are installing in a legacy vSwitch using the automated install (see Quick Start Guide) there is no additional configuration required. The automated install will apply the required configuration for the vShield to work with VLANs.

If you are doing a manual install/installing on vDS, all you have to do is configure the Unprotected and Protected port groups in VLAN trunking mode and select the VLAN range. Instructions for this can be located in page 33 and 34 of the Administration Guide (step 4 of the 'Create the Un/Protected dvPort Group" section)

http://www.vmware.com/support/pubs/vsz_pubs.html

Zero out VM images

continuum — Tue, 30 Jun 2009 16:43:37 GMT

it is also useful to safe time with backups ...

___________________________________

VMX-parameters- VMware-liveCD - VM-Sickbay

ESXi as an internet frontier

Texiwill — Tue, 30 Jun 2009 16:05:17 GMT

Hello,

Okay, you have a better analogy....

I use ILOs all the time and I have seen how unsafe they are. Remember they are first and foremost a remote access technology and NOT a security technology. I would use a security technology like the LinkSys VPN or something else as its designed to be a security technology.

ILO has several weaknesses that can be addressed by using pre-shared certificates and only allowing certain hosts/trusts so you can secure it, but if you can get in because these actions were not taken or there was another exploit found attackers have direct access to the console and could reboot your host as you wish to do. Use of a firewall make this less likely and possibly easier to control.

Remember the general rule: if someone can get CONSOLE access they can OWN the machine....

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

ESX v3.5 and LDAP ??

Texiwill — Tue, 30 Jun 2009 12:47:59 GMT

Hello,

Moved to the Security forum.

You need to use different controls within your LDAP server. However you can use pam_tally.so and pam_cracklib.so to improve your local security for passwords..

One option is:

esxcfg-auth --usecrack=3 14 2 2 2 2

First entry is '3' retries for a password attempt.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

How to configure service console firewall to only allow access from certain IPs?

Chuck8773 — Tue, 30 Jun 2009 01:59:33 GMT

Glad it is working. Interesting bug though.

Charles Killmer, VCP

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

ESX 3.5 Behind a Firewall

Texiwill — Sat, 27 Jun 2009 14:12:10 GMT

Hello

Moved to Security Forum.

Ideally you want something like this:

Home <-> Internet <-> FW <-> DMZ <-> FW <-> Production <-> FW <-> Management Network (VC + SC + VIC workstation)

Yes you want that many firewalls. The idea is that you use a VPN to cross the boundaries as necessary. You NEVER want to place your SC/VC/VIC within your DMZ or out on the internet. You could do something like the following to gain the access you need.

Home <-> VPN <-> Management Network

Check out http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

VMWare and IP Network Routing externally

Texiwill — Fri, 26 Jun 2009 14:01:02 GMT

Hello,

Check out Eric SIebert's excellent blog post http://itknowledgeexchange.techtarget.com/virtualization-pro/how-traffic-routes-between-vms-on-esx-hosts/

Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Justification for a separate physical network switch for VI3.5?

Texiwill — Fri, 26 Jun 2009 13:16:56 GMT

Hello,

I would check out the following resources.... plus chapter 9 of the VMware vSphere and Virtual Infrastructure Security (Now available on Amazon.)

Texiwill's Topology Blogs
Ken's Virtual Reality Great vSwitch Debate

Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

ESX 3.5 Network Security

Texiwill — Fri, 26 Jun 2009 13:13:18 GMT

Hello,

This can be performed at any time. However be aware that you can override the default vSwitch settings PER port group so your verification/audit steps should include verifying that the settings are still inherited by the portgroups.

Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast