VMware Communities : Thread List - Security & vShield Zones

Rights in ESX?

tjw82 — Mon, 23 Nov 2009 22:59:54 GMT

If I wanted a standard user to have rights to view logs on the ESX Console, what rights would I have to grant him/Her?

vShield VM availability

Iwan Rahabok — Sun, 22 Nov 2009 07:18:32 GMT

Since the vShield VM sits in between the "Protected VMs" and "outside network", what happens if the vShield VM goes down? Do the "Protected VMs" lose access to outside world?

Does a planned maintenance of the vShield VM require downtime of the vShield VM? Planned maintenance here means updating the VM with latest patch or updates.

Thanks in advance

vShield - No cluster option

Mickoni — Thu, 19 Nov 2009 15:13:08 GMT

Hopefully this is a simple one......

I have 3xESXi 4.0 hosts in a DRS cluster. I have followed the VMware instructions as much as possible but im obvisouly doing something wrong.

I have installed vShield manually (on a distributed switch) and vShield manager (is currently located on a vSwitch) and am getting connectivity ok. However, when doing a manual install through vShield Manager. I ONLY have the option "Standalone" in the Clustering Settings. In the guide it says I should have a "Add to Cluster" option - which just isnt visible. This obviously just leaves me with 1 host being protected.

Any ideas?!

Advice needed: virtual firewall product

SBaldridge — Wed, 28 Oct 2009 15:59:37 GMT

We are running vSphere vCenter and are migrating our ESX from 3.5 to 4 (like most others I bet), and now have a new requirement from our security group which they are hoping to fast track in this quarter. They like the Altor VF product as they are comfortable with those guys being ex-Checkpoint propeller-head types and it integrates with our current IDS gear. Altor's VF3 is also only 3-4 months out of Beta and one of the only vendors using fast-path so far (maybe Reflex is doing it too?). I should say that I am responsible to keep the infrastructure running and they are responsible for monitoring it. There seems to be a loggerhead here.

I have a huge problem with installing 3rd-party software at the host kernel level into our very stable environment. I've been steering the decision making toward the slow-path model instead. I'm very concerned that although a VMSafe implementation is certified by VMWare there will be a divergence between kernel compatibility at some point in the future... in other words, at some point we will do our monthly ESX patching and there will be a kernel panic that will kill my clusters because the 3rd-party software isn't certified with the newly-patched ESX kernel. We are not big enough to have a "test cluster", and although we test ESX patching on our test ESX, they are not clustered, and we've experienced cluster/HA problems just from ESX with different patch levels in the past, although that has improved a lot.

I was hoping I could get a discussion going that makes me feel better about this decision. My instincts tell me to go with vShield Zones and see what VMSafe implementation VMWare adopts for this product but our security folks want something RIGHT NOW.

Advice? Even if the discussion is non-vendor specific I could use some help.

VirtualCenter permissions problem

VRADlab — Thu, 26 Feb 2009 23:41:37 GMT

Hello, hoping for some help on this one. The previous administrator left me in a bit of a bind.

For a folder in virtualcenter he assigned the "No Access" role to the local group "Users." He intended to prevent non-administrators from accessing this folder but it also applied the deny to the "Administrator" user. For now the workaround is to connect to the individual ESX servers as root and manually control the VMs, but this is not ideal. Can I somehow override this deny permission (even though it's a deny on the administrator account so I have no idea how to escalate priveledges even higher...)?

Is there a way to delete a deny permission on the local administrator account manually?

I was incorrect in my initial description. It's not a folder but two
VMs that I cannot access. I can see the folder just fine but it has two
VMs in it that I cannot reach because they each have No Access set for
the Users group.

Scanning guest os, host ports respond

FiremanE63 — Thu, 19 Nov 2009 22:33:43 GMT

Hello,

I am seeing is issue where if I do a network scan or nmap of a guest OS on ESXi 4 I also get back ports that the Host has open. I also get results when the guest is shutdown. Any one have any ideas on why this happens. It did not alway happen and I have not updated the ESXi host between when it did give me the results I expect and now. I can connect to port 80 (even when guest is shut down) and it does respond but looks like the ESXi host. This happens on every guest that is on this ESXi host.

Nmap results from guest on same ESXi host:

Interesting ports on 192.168.X.X:
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed auth
9898/tcp open unknown

Nmap results from my desktop to same guest.

Interesting ports on 192.168.X.X:
Not shown: 980 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
113/tcp closed auth
1720/tcp open H.323/Q.931
1863/tcp open msnp
3128/tcp open squid-http
4445/tcp open unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open http-proxy
9898/tcp open unknown

With guest turned off I get:

Interesting ports on 192.168.X.X:
Not shown: 983 filtered ports
PORT STATE SERVICE
80/tcp open http
1720/tcp open H.323/Q.931
1863/tcp open msnp
3128/tcp open squid-http
4445/tcp open unknown
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6009/tcp closed X11:9
6025/tcp closed unknown
6059/tcp closed X11:59
8080/tcp open http-proxy

When I connect to port 80 I get this info:

HTTP/1.0 200 OK
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
Content-Length: 230

<html>
<head>
<title> Error </title>
</head>
<body>

Access denied due to security policy violation


Reject ID: 4b05c77a-10004-12071dac-7b6

</body>
</html>

Connection to host lost.

Isolating the host from the internet

UlyssesOfEpirus — Tue, 17 Nov 2009 11:34:22 GMT

I have been trying to isolate my host from the internet. Until recently this was done by plugging a USB router to the VM, and unplugging the ethernet cable from the host. That's ok for one VM at a time, but now I need to provide internet access to several VM's simultaneously. Any secure ways to do that without giving internet access to the host?

I was thinking of setting the USB VM as a gateway over a virtual network. But it can't be the host-only network because that would give internet access to the host too. Is there any other way?

Can encryption beat a man in the middle attack?

UlyssesOfEpirus — Wed, 18 Nov 2009 02:17:19 GMT

If I could get physical access to a server and store a few GB of truly random text onto the server (or somehow connect and transfer the text to it at a time when there is NO man-in-the-middle scheme going on), I could then program a special proxy in the server so that the link between me and the proxy is encrypted by simply XORing the data with the random text according to the one-time pad method. Then it is impossible to break the encryption, but it is also impossible for a man in the middle to harm me by directing me to another server of theirs, because that other server would not have a copy of the secret random text so there could be no communication.

1. Can the same be achieved by conventional encryption schemes like SSL or PGP where I do NOT have physical access to a proxy?

2. Can an authentication with these conventional schemes occur somewhere where there is NO man-in-the-middle attack going on, at a cafe or something, and then continue my encrypted access at a place where I know there most likely is a man-in-the-middle attack going on?

Can malware in the guest access NON-shared folders?

UlyssesOfEpirus — Fri, 06 Nov 2009 05:25:40 GMT

I do not mind if shared folders are written to by any malware running in the guest, but is it possible that malware can also access folders other than the shared ones?

Can malware running in the guest do anything else to harm the host, other than messing with the contents of the shared folders?

Using 1 SAN for both LAN and DMZ

ITAV — Tue, 25 Aug 2009 19:30:44 GMT

So I have been trying to fnd answers or thoughts on the issue of using 1 SAN for both my internal VM's and my VM's that reside inside my DMZ. Currently we have 2 SAN's 1 in each network segment but we are being re-orginized and one of the SAN's needs to move. The result is that my VM's that run on the inside LAN now have no home. I can split my DMZ and LAN up within my SAN but is that a good idea? I am trying to convince them to just purchase a new SAN because everyone has that kind of money laying around... right. I am also trying to find any reason to not mess with my production environment if I dont have to.

Thanks,

ITAV

Password expiry date

fajarpri — Mon, 16 Nov 2009 02:42:43 GMT

Hi all,

Is it possibly to implement password policy like: minimum lenght, max password age, min password age, password history with ESX4.0?

Thank you.

vCenter security - limiting devs to one Resource Pool

ouch — Wed, 11 Nov 2009 22:52:40 GMT

I'd like to set up a role that limits a team of developers to one resource pool. I'd like them to be able to create virtual machines, and modify them, upload files to the datastores, and generally do all the thing devs need to do, but keep them in a sandpit limited to a resource pool. I don't want them to be able to play with VMs in other resource pools, nor have admin access to other stuff within the vCenter Datacentre.

Is this possible, or should I create a second Datacentre and use that for the developers?

I am fairly new to vCentre, so feel free to correct any incorrect concepts in my thinking

Securing VMware Tools

msemon1 — Fri, 13 Nov 2009 16:47:06 GMT

Wanted to see how people were securing VMware Tools. I have unchecked showing VMware Tools on the taskbar, however, was wondering if others control access to the VMware Tools executable.

Mike

PCI, antivirus, and service console

jonb157 — Tue, 29 Sep 2009 21:41:56 GMT

We are in the process of getting Security to buy off on our PCI ESX cluster design. ONe thing that came up was antivirus in the COS. Is antivirus necessary in the ESX cos and if it isn't is there a good whitepaper or statement from VMware that I could show as proof? and next question; if there isn't something like this, how about for ESXi? I thought ESXi eliminated the COS, so shouldn't having an AV agent be negligable in this situation? Once again, is there some supporting document on this? And last question! Does VMSafe for vSphere address and solve most of these issues?

VMWare Tools and Security :?

gsandorx — Fri, 06 Nov 2009 22:12:22 GMT

Hi everyone:

I'm a newbie with ESX 4.0. My experience with VMWare is only with VMWare Worskstation products.

I need to know if there are security issues regarding VMWare Tools for ESX 4.0? I'm in charge to consolidate a bunch of servers on one of my DMZ and I'm concerned about security. I mean, I'm wondering if there is a possiblity to get ESX access through a fully-compromised VM.

Thanks,

Sandor

Virtual Appliance - Password protect

EranL — Sat, 07 Nov 2009 02:47:45 GMT

Hi guy,

I have just export a VM machine as a Virtual Appliance and I wonder:
Is there any way I can password protect my Virtual Appliance?

Thanks,

Eran Levi

vShield agent scan interface

mike lim — Tue, 10 Nov 2009 18:01:49 GMT

Hi,

Am testing out the vShield addon in our local environment and have hit a snag I hope someone knows the answer to. My vShield agent has a management IP address outside of the subnet of VMs that I wish to scan for services. According to the documentation I should enable the scan interface from the CLI and give it an ip address in the range of my VMs which makes sense......but life is never simple. Within the configuration option of the CLI I can only see 3 interfaces which are: mgmt, u0 and p0 so the command to enable the scan interface is clearly missing a step. I am assuming that adding another vNic is the way to go but am wondering what I will need to do after this.

Any help much appreciated.

Mike

How to Allow/Deny specific Applications using Vshield?

secura — Thu, 11 Jun 2009 13:53:02 GMT

Hi,

As per my current understanding we can deny/allow a specific protocol port on a specific IP. I was exploring how to deny/allow specific apps running on that port?

For example , suppose I deny all but one webapp running on Port 80 on a specific IP? Can we set such policies currently on Vshield?

Secura

2009-T-0024 Multiple Vulnerabilities in Linux Kernel

bbengtson — Tue, 03 Nov 2009 17:53:07 GMT

I am trying to create a DISA STIG compliant 3.5 U4 ESX host and coming across this when running the SRR script against my test host. After trying to search online and through the vmware communities I do not see anything out there where this has been patched/mitigated by vmware.

This finding is listed as a category 1 and could possibly prevent us from getting a ATO ot IATO.

ESX version 3.5 update 4

Newbie question: Service Console isolation vs accessibility

jflanagan — Mon, 02 Nov 2009 16:37:22 GMT

Hi, all,

I'm wondering what people do in practice to balance isolating the service console/vCenter with being able to get access to needed services (updates, NTP, etc) and administer the host and vCenter.

The quick background:

Local government, not a large shop. Just getting ready to go into production with ESX3.5/VC2.5, have licensing for VDI which is one of the reasons I'm not starting out with v4. Have had ESX in test for about a year.

Network is somewhat sophisticated, Alcatel hardware, can do VLANs etc, but managed by another team so I haven't gotten familiar with how much it can or can't do for access control.

Firewalls are at the network edge only; an inter-VLAN firewall or ISA server would be new to me, and probably require some negotiation.

Since I'm not quite in production yet, I know my best chance is now to configure the network according to best practices. I've read the Security Hardening Guide, now I'm hoping to get some "street" opinions. Should I go the distance and set up a firewall, or can we configure a VLAN tightly enough to be a good (if second-best) choice? What are the usability tradeoffs? How do you go about getting updates if you don't connect this network to the Internet? Any creative solutions out there for the budget-conscious?

Thanks for your help,

Jenna Flanagan

Town of Belmont IT Department

jflanagan@belmont-ma.gov

Recommended anti-virus protection for VDI on ESX 3.5

IOspaceStorms — Thu, 29 Oct 2009 16:24:28 GMT

Our company currently has SAV10 clients installed on each guest OS as a managed solution in our VDI environment. We would like to step away from that and see if there is a more centralized method of doing this. We are planning on possibly going to SEP instead, but we were wondering if there was an alternative like Immunet, ThreatFire, or Panda's Cloud service, that was recommended as a good practice in VMWare's eyes.

I don't know if VMSafe will be available anytime soon either, which I would really like to see and deploy in the near future.

I've noticed some solutions like Reflex's VSA that looks interesting.

Any suggestions/white papers would be great

Thank you!

Role rights. To Vm admin vs Windows admin

Bastien_P — Tue, 02 Jun 2009 14:33:57 GMT

Hi,

we have 7 esx hosts with numerous VM on them. Almost everything is windows. We are starting to secure the access to those server on a need to use basis. I was wondering how you guys do it? Do you use Vm role to limit access ? (lets say remove interaction rights, even use no access). It seems to be an easy option but then it's kinda hard for the vmadmin to work on these machine if he dont have interaction rights? Possible but seems hard to deploy a template or update vmtools for exemple? Since in our case the Vmadmin and the Windows admin will probably be two different people it might be difficult to go that way. Maybe give interaction but secure login by AD right? At least in this option, the vmadmin can deploy machine?

Nway i was wondering how you guys do it? Does the vmadmin have right to all Vm machines on your network? and if not, how do you do it?

Security question

GregecSLO — Tue, 27 Oct 2009 13:57:59 GMT

Hi guys!

We are running latest virtual center and ESX 3.5 which is in remote datacenter...

So ESX is in remote datacenter and virtual center server in in our office behind firewall...

My question is, is it secure to open ports on our firewall in office and forward it to our internal vcenter server in office:

280 TCP
27000 TCP
27010 TCP
902 UDP

on my firewall and NOT limit it to our ESX which is in datacenter and has public IP.

So anyone can connect to theese ports not just our ESX. Particulary I`m interested in port 902 UDP. Is it secure to be opened to internet and not just to our ESX?

Thanks!

SUDO Configuration

Stuarty1874 — Wed, 16 Sep 2009 14:58:11 GMT

I need to configure SUDO to allow two sets of specific users to log-on to the Service Console.

They are ESX Server Administrator and ID Management.

I've got a handle on how I can allow the ESX Server Administrator access, but I'm unsure of how I give the minimum amounts of rights to the ID Administrator.

I'm thinking that the process I'd like to use for the ID Administrator is to only allow them to run a specific "UserAdd or UserRemove" bash script.

Can anyone offer any advice on how I should configure SUDO to allow the ID Administrator group to only run a specific script/scripts.

I'm looking to learn so I'll carry on doing some research in the meantime.

Any advice is much appreciated.

Thanks in advance.

Vsphre security

sekharkollapudi — Fri, 09 Oct 2009 13:14:39 GMT

Hi VCP's plz provide the security diffrences between esx3 and vsphere

ESX_SRRSecure - Script to allow ESX to pass a DISA Security Readiness Review.

pmorrison — Mon, 12 May 2008 14:05:25 GMT

Background: taken from the DISA website: http://iase.disa.mil/stigs/index.html
In a DOD facility all systems must pass the Security Technical Implementation Guide (STIGs) for the host operating system. The STIG is the configuration standard for DOD IA and IA-enabled devices/systems.

A Security Checklist http://iase.disa.mil/stigs/checklist/index.html (sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration) is essentially a document that contains instructions or procedures to verify compliance to a baseline level of security.

Security Readiness Review Scripts (SRRs) http://iase.disa.mil/stigs/SRR/index.html test products for STIG compliance. SRR Scripts are available for all operating systems and databases that have STIGs, and web servers using IIS. The SRR scripts are unlicensed tools developed by the Field Security Office (FSO) and the use of these tools on products is completely at the user's own risk.

The problem:
As of this writing there is no “official” VMware ESX STIGbut it has been determined that since the ESX service console is *nix based it must conform to the latest Unix STIG.

The current Unix STIG is located here: http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
The current Unix SRR is located here: http://iase.disa.mil/stigs/SRR/unix.html

When reviewing the results of the SRR, not all open issues are valid as the DISA SRR was written for UNIX, LINUX, and AIX. The ESX’s console operating system is based on the Linux Redhat Enterprise 4.5 version, but only contains a subset of the entire operating system and has been customized with specific functionality for interfacing the ESX kernel.

The solution:
Running the SRR will result in an open findings report. After remediating the open issues the SRR is re-run. The goal is to have as few open issues and to document the remaining items as either false findings or open issues with notes as to when they will be closed (patches from VMware) or why they need to be left open.
An example of an open issue is:
==========PDI=IAVA1115 Result========================
PDI Number: IAVA1115
Finding Category: CAT II
Reference: IAVA 2007-T-0042
Description: Sun JRE Web Start Multiple Remote
Vulnerabilities.
Status: Open – *will be fixed in a patch from VMware due
in June.*
For example:
IAVA1115: IAVA 2007-T-0042 - Sun JRE Web Start Multiple
Remote Vulnerabilities.
Outdated
/usr/lib/vmware/webAccess/java/jre1.5.0_12/bin/java, JAVA version 1.5.0.12
found on esx.philhome.dyndns.org.
Upgrade to JAVA version 1.5.0.13 on esx.philhome.dyndns.org.
=========================================================

An example of a false finding that will remain is:
==========PDI=IAVA0360 Result========================
PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open – *This is a documented false finding as the
vulnerabilities were fixed but the version number was not updated.*
For example:
IAVA0360: IAVA 2003-A-0015
/usr/bin/openssl version 0.9.7a found on
esx.philhome.dyndns.org 2.4.21-47.0.1.ELvmnix.
==========PDI=IAVA0410 Result========================

The ESX SRR Secure script is a shell script which attempts to remediate all of the issues possible on an ESX 3.x host. Some prerequisites to running this script are as follows:
1. Must be run as root.
2.The host must be in maintenance mode.
3. Before beginning with the SRR its advised to install the LAuS library to increase auditing capabilities within the ESX service console, as by default there is limited auditing taking place within the service console itself. These libraries are located on the VMware ESX CD in the /vmware/RPM/ directory. (Note: It appears that this is installed by default in ESX 3.5 update 1)
4. Make sure that all passwords meet the complexity requirements. 7 characters with at least 1 number, 1 symbol, 1 upper case and 1 lower case. This needs to be done for root and any additional accounts installed manually. (Do not change any accounts created by adding a host to Virtual Center).

Once the system is ready, run the script as root and allow the host to be rebooted. Re-run the Unix SRR and compare the open findings report. Below is an example of the summary section both before and after running ESX SRR Secure:
Before:
CAT I = 3/541, CAT II = 55/541, CAT III = 3/541, CAT IV = 0/541
After:
CAT I = 1/139, CAT II = 9/345, CAT III = 1/57, CAT IV = 0/5

The remaining open issues should be documented and should be sufficient to present to the DISA FSO for approval.

Since this is the first “public” exposure for this script, please consider this an early release and test this in a NON-production environment until verification can be made that it does not break something. Also, please give feedback as we would love to see what the community thinks and are continuing to try and make this process better.

Updated script with some corrections and begin to address ESX STIG findings.

VMware Hacking Course

RobMokkink — Thu, 10 Sep 2009 06:41:42 GMT

Hi,

I just received an email regarding the "VMware Hacking" course they are giving in the Netherlands.

Anyone any experience with this course? And can give me some more information?

Thanks in advance.

PCI certification requirements.

jam — Thu, 08 Oct 2009 14:53:27 GMT

Have any of you been through PCI certification using Vmware infrastructure?

If so, did the auditors insist that ESX ran AV? The standard states that AV is require on all system components where appropriate, but the scope in not really defined.

Current the VMs all have AV, but not ESX, and I'd like to keep it that way if possible.

Were there any other issues regarding PCI certification with ESX?

can't import vshield manager when no standard vswitch

dingding — Mon, 12 Oct 2009 01:29:34 GMT

i have a ESX with vDS only, and only after i create a vSS, i can import the vshield manager.

can i migrate vshield manager to vDS?

problems opening a port in the firewall in ESX Server 3.0.2

SercombeC — Fri, 16 Oct 2009 12:43:12 GMT

Hello all...

I´m having problems opening a port in the esx Server 3.0.2

I want to install the CA ARCserve Backup agent that works on ports 6050 and 6051.

Port 6051 works fine. I can do a telnet to this ports and it work, but not the 6050.

I did this...

--root@localhost root--# esxcfg-firewall --openPort 5060,tcp,in,"BAB"

--root@localhost root--# esxcfg-firewall --openPort 5060,tcp,out,"BAB" (to open the port)

--root@localhost root--# /etc/init.d/firewall restart (To restart the firewall)

And the status is:

Opened ports:
BAB : port 6050 tcp.in tcp.out
BAB : port 6051 tcp.in tcp.out

But when I want to do a telnet to the port 6050....

C:\>telnet 10.128.24.101 6050
Conectándose a 10.128.24.101...No se puede abrir la conexión al host, en puerto 6050: Error en la conexión

Could you please help me??

Thanks

vSphere STIG and DoD Discussion

stanj — Fri, 02 Oct 2009 19:05:36 GMT

I started the new thread so that others can contribute.
Hopefully, we can use this thread to advise interested users when the vSphere STIG will be in draft or and final mode.:^0

I have been following the thread about the ESX script to pass DISA Security Review which provided good info for ESX 3.5.

We may be installing vSphere 4.0 in the upcoming months in a DoD facility and will be required to use a DIACAP process to receive an ATO to allow the systems to be connected to a classified network.

I am interested in the process that our DAA will need to investigate.

I am assuming the ESX Stig will be a starting point as we start down the path for receiving our ATO?

what's the password of user enable

dingding — Mon, 12 Oct 2009 01:56:17 GMT

find no info about this user. i can't log into privileged mode.

Does vShield firewall traffic between VMs in the same Zone?

hardingp — Thu, 20 Aug 2009 15:55:48 GMT

vShield is relatively new to us...

and we're having a debate regarding what it is capable of doing. We are at the architectural stage, and am hoping someone can shed some light on this for me.

I understand vShield acts as a layer between vSwitches and provides a firewall. Now does it provide a firewall to the Zone only?? Or can it also create firewalls

for each individual host inside the same zone??(aka firewall traffic between hosts in the same zone)

Changing NIC connections in NIC Team

djenn40 — Tue, 25 Aug 2009 16:33:52 GMT

We currently have a 8 host cluster with each host having 4 NICS. All 4 nics are part of the same vswitch and we haven't had much issue. We've decided to move to a different physical layout in which we'll move 1 nic from each host to an isolated switch for traffic for a specific application on a dedicated vlan. My question is should I remove 1 of the physical connections from vswitch0 and attempt to create a 2nd vswitch with only the 1 nic and configure the vlan specific information on the associated port group? I'll be splitting my connections on the remaining 3 nics as well to different ports if that changes anything.

Enforcing account lockouts

gary1012 — Thu, 05 Feb 2009 15:19:16 GMT

I'm trying to enforce account lockouts after 3 bad attempts and am failing. Accounts will lockout after 5 bad attempts. Here's what' I've done:

Use esxcfg-auth --maxfailedlogins=3.
Verified via esxcfg-auth -p and manually inspected /etc/pam.d/system-auth for account required pam_tally.so deny=3 no_magic_root
Restarted sshd. Since that didn't work, I restarted the host.

I'm still locking test accounts at 5 attempts. I'm using ESX 3.5 build 143128 with the latest patches. Am I overlooking something?

Distributed vSwitches with vShield Zones

nik-O — Wed, 12 Aug 2009 13:48:26 GMT

Hi there,

It's been a week since i've tried to play with vShield with vNDS.

Although i have followed word by word the administration guide, my protected vms aren't able to communicate with the rest of the network.

What seems strange to me is that in a normal vswitch environment, the u0 is still bound to the original vswitch, linked to a physical interface.

But if you see the vNDS procedure, u0 and p0 are connected to the cloned vNDS, with no physical adapter bound ....so maybe i'm missing something or there is something weird here

So has someone managed to configure fully vShield with vNDS and if so, could you help me please :)?

Thanks a lot,

Active Directory Authentication (Encryption Level)

Stuarty1874 — Wed, 16 Sep 2009 15:27:16 GMT

I'm familiar with using the esxcfg-auth --enablead command in ESX and have successfully implemented it in a few environments.

I was asked a question by our security team that I wasn't able to answer.

What level of encryption is used to pass the credentials/password back to the ESX host when it authenticates a user against Active Directory?

Can anyone offer and advice or point me to an article that will help me get a better understanding of this?

vShield installation error

Iwan Rahabok — Sun, 20 Sep 2009 15:20:29 GMT

Hi,

I've got the vShield Manager installed and running.

But on the vShield agent, I got an error message when deploying the OVF. The error message is "Device VirtualVMXNet3 has a backing type that is not supported".

Is it because it is not yet compatible with ESXi? It deployed ok on ESX.

Regards

Is Guest network traffic routed to external (LAN) network

Steve Peck — Tue, 15 Sep 2009 16:41:19 GMT

I'm thinking this is a basic question but I couldn't find a clear answer in the blogs, so thanks for your patience.

We want to be sure that all Guest network traffic is routed through our physical network. Configuration: VMs are contained in several Port Groups that are 'under' a single vSwitch. The vSwitch is associated with a physical NIC, and each Port Group represents a different subnet.

The question is does all traffic from every Guest pass through the physcial NIC to our physical network (routers, etc.), including the traffic coming from Guests that are in the same Port Group/subnet?

Thanks in advance for your help.

Steve

vShield login error

ElGogy — Fri, 03 Jul 2009 18:02:48 GMT

I´m testing the vShield Zones Release 1.0-G68.

I´m deployed the appliance and configure the network settings, but when i try to login trough the web manager I get an error: "login failed for user ´admin´. Try again"

I already try again the login, reset the password to default trough the command console, and also deploy the appliance once again and reconfigure them again.

No success.

I check on the web for similar cases but I didn´t found nothing.

Any idea? Maybe some services on the appliance is not started?

Thanks for all in advance.

vShield + Intel 10 Gig 82598EB = BAD

joergriether — Tue, 26 May 2009 09:14:49 GMT

Dear VMware,

a little challenge for your engineers: Please connect a single Intel 10 Gig 82598EB to an Nehalem based ESX 4 and try to login to vShield Manager. What do you see? Yep. Nothing ;-(

I reprodruced this. It only occurs with this 10 Gig Card.

best,
Joerg

How do I have the VMkernel on it's own VLAN

Andy_Imm — Mon, 31 Aug 2009 20:10:33 GMT

Greetings;

Please excuse my ignorance as I am having difficulty wrapping my head around this. I would like to isolate the VMkernel on it's own VLAN.

We have 4 esx 3.5 hosts, with the VC as a Windows 2003 server. vSwitch0 is teamed with vmnic0 and vmnic1 and currently has the SC and the Kernel on it.

Is there any easy way to segment the Kernel on its own VLAN?

Thx in advance,

Andrew

Developping a firewall using vmsafe-net

octane808 — Wed, 26 Aug 2009 08:56:57 GMT

Hello

Under ESX4 I'm using a virtual appliance as a firewall (based on a linux distro and iptables/netfilter). It works, but I want more.

I'm reading a lot of things about Vmsafe and Vmsafe-net. I think this should helps me. From what I understand, I should develop a sort of "kernel module" for the ESX hypervisor, and use a virtual appliance for managing this "kernel module". With the help of vmsafe-net I could benefits of better performances, and I could follow appliance while vmotion-ing. The kernel module should be using "Fast Path" and the appliance "Slow Path".

But the only docs I found are from the marketing of Vmware (telling that vmsafe is great), but I can't find any technical docs about Vmware. They talk about an API, but where is the documentation of that API? Do anybody have some sample code?

If I'm not in the right community, just tell me which one is the best for that question.

Pardon me for my english (it's not my native language) and thanks for any links or technical paper for vmsafe.

VM Firewalls

boatrke1 — Tue, 01 Sep 2009 15:02:39 GMT

Anyone have any experience with Altor Networks Virutal Firewalls?

Just looking from some feedback as we are looking to implement in our environment.

Thanks,

Kevin

Auditing / Security of ESX

Heartstealer — Tue, 12 May 2009 20:27:32 GMT

Hi All,

Is there a way I can monitor the configuration changes made to ESX by VC or by CLI ?

If yes is it can be datewised and userwise audited/tracked?

How can we secure an ESX and VC or rather a VI3 environment?

Is it possible to integrate ESX to an ADS/RSA environment? If yes an documentation on the same available?

Thanks and Regards,

Raul

VPN Solutions on VMware VDI

vasanthkumard — Wed, 02 Sep 2009 09:59:32 GMT

Hi Experts,

Could you let me know what are the VPN solutions that will work with the VMware VDI solution? Also, request to share any documentation on this if available...

Local storage on a DMZ server

Gene H — Mon, 31 Aug 2009 21:10:33 GMT

Hello,

If I am trying to maximize the storage on a stand-alone six drive bay ESX server, is it a recommended secure configuration to use RAID 5 on all of the drives, then divide it into two partitions: 1) the ESX hypervisor/console partition, 2) all remaining space for vm guests partition? This server will be in the DMZ running ESX 3.0.3.

Or is it recommended to use two drive bays for a pair of mirrored OS drives, then using the remaining four drive bays for a RAID 5 partition for the vm guests?

Gene

Portgroup, vmnic, vSwitch, and VLAN oh my!

JDLangdon — Wed, 02 Sep 2009 19:52:19 GMT

I have two pnics teamed to a single vSwitch. On the vSwitch I have two portgroups which are taged to two different VLAN's. On each portgroup I have one VM. Both the these VM's are separated by a physical firewall.

According to the VM owner these two VM's are able to communicate with each other even though the physical firewall does not permit it. According to the Network people there is no network traffic crossing the firewall.

It has always been my understanding that a vSwitch does not route traffic between different portgroups which were on different VLANs.

Does anyone have any idea how these to VM's are communicating?

________________________________
Jason D. Langdon

vShield problem

hnehlsen — Fri, 28 Aug 2009 08:18:09 GMT

Hi,
I have a problem (obviously)!
I configured the vShield Management VM, I deployed the vshield vms everything fine so far, no vlans, no distributed switch or any special configuration.The VMs configured to use the protected/unprotected networks don't get any lan connection (DHCP, etc). I don't have any firewall rules configured.

I had it running once but I had to reinstall and now see above.

Harro, (Help)

vShield license problem

ferdis — Mon, 25 May 2009 09:22:25 GMT

Hello,

vShield Manager shows me "You dont have valid vSphere license for vShield Zones installation" when Im trying to install vShield through Manager web interface. Im trying to install it with eval licenses and also with Enterprise licenses but nothing works.

Thanks.

vSwitch and Spanning tree

michelemase — Tue, 18 Mar 2008 07:07:01 GMT

as far as i know, the spanning tree protocol is not "implemented" in the vmware vSwitch (esx 3.5 and V.C 2.5) ;

could it be a problem..? is there a reason why vmware not implemented the spanning tree protocl in the virtual switch?

Hypotetically i can create a loop? is it true?

thanks in advance

Port 903?

JDLangdon — Wed, 19 Aug 2009 17:49:09 GMT

I'm in the process of placing my ESX COS behind an internal firewall and I'm not sure where port 903 should be opened to. This port is being used for VI Client access to virtual machine consoles. Do I need to open the firewall between my workstation and the ESX host or is it between the VC server and the ESX host?

Currently, we do not have a firewall between my workstation and the VC server.
________________________________
Jason D. Langdon

VM Flow shows "No Data Found"

SCampbell — Fri, 21 Aug 2009 18:56:19 GMT

We're just tinkering with vShield and Cisco N1000V independently and together in the lab as we prepare to deploy vSphere.

The current configuration in our lab is this:

The public side of a vShield VM is connected to an N1000V Port Group
The private side of the vShield VM is connected to a local vSwitch Portgroup with Promiscuous mode permitted. (It's not a dV Port group, but do recognize this would be needed as we evolve the lab)
We have servers on the public side and one server on the protected port group, and can transfer data to and from all these servers from another computer outside the ESX environment.
The protected server is shown as protected in the vShield Manager
I have a script running elsewhere that is generating traffic to and from the protected server. The vShield Manager Status for that vShield is showing all the expected traffic in both the p0 and u0 status.
But, the VMFlow stats for the protected server and its roll-ups shows "No Data Found"

Some questions

I was unable to get the protected Port Group working as an N1000V port group, and have since found information here confirming that. Is the failure to display VMFlow stats related to the fact the public side doesn't really support promiscuous mode? (since it's a N1000V port group)
Is there some other misconfiguration I've done that is preventing the VMFlow data from showing?
Again with the promiscuous issue, am I unlikely to get a second computer in the protected side to work?
I saw a reference to reversing my configuration: Put the public side on a vNetwork switch with uplinks, and put the protected side as an N1000V port group. Is this likely to work better?

I understand Cisco is working on a solution to this problem, but we did want to put in as much "end-state" infrastructure as possible as we prepare for deployment, and doing the uplink side using N1000V seems to make more sense to me.

Thanks for this.

Getting HA to work on DMZ cluster

burdweiser — Sun, 16 Aug 2009 17:43:02 GMT

I need a little direction on getting HA to work in a DMZ cluster. Here is my setup and what I've done so far:

vCenter is in the production network on 10.3.0.X network. A NAT in the DMZ has been setup for vCenter (10.2.0.15). In vCenter under Runtime Settings, I have configured a "managed IP address" of 10.2.0.15.

The hosts are ESXi 4. I have configured the hosts file with the IP of the NAT IP for the vCenter server 10.2.0.15. I have also configured the "preserveServeIp" option for the hosts vpxa.cfg file.

The managment ports are on the DMZ network 10.2.0.x network. vMotion ports are isolated (the hosts only talk to eachother, vMotion is not on a routable network).

In the advanced settings of the cluster for HA, I have configured das.allowvMotionNetworks = false to keep HA off the vMotion ports.

I can manage the host servers in vCenter, but I cannot get HA working. I know HA relies heavy on DNS, but I have configured everything in the hosts file on both host servers. I always get the error "cmd addnode failed for secondary node: Internal AAM error - agent could not start: Unknown HA error".

Am I just going to have to stick the managment ports on a routable managment network to get HA working?

I have been fighting with the network / security team to have my managment ports on a rouable network. This is what is in the DMZ best pratice guide.

vmware and firewall

ranjitcool — Tue, 18 Aug 2009 21:52:50 GMT

Hey Guys,

We have a vmware box which is open to world. We got a firewall and the networking wants a list of ports that need to be allowed so they can add in the rule set for the box.

I have vm's on it and I can netstat them but what about the vmware esx host itself. What ports does it need to talk to the world so I can access different stuff.

Please assist.

Any other advices for me so I can be careful?

Thanks

May be we all live virtual lives..

Potential for using ESX to bridge networks ???

jc69 — Mon, 17 Aug 2009 18:52:03 GMT

I have a request from someone for a VM that will be connected to our DMZ. My ESX 3.5 Hosts are physically connected to our internal network (behind the firewall).

My question is, if I connect this same host to our DMZ network using a separate physical interface and virtual switch for a VM that will reside in the DMZ , is there any potential threat that this DMZ VM were to be hacked that some type of software routing could be enabled on it that would use ESX to do any kind of routing to a VM, on the same host, that is connected to our internal network ?

vShield Zones In Depth CLI Documentation

Wolfbrother_KC — Wed, 05 Aug 2009 20:16:32 GMT

Hey Guys (Carlos specifically if you read this),

I was on the vShield Zones VMTN Podcast just a bit ago and as the call was ending had a question come up. Do you have any "detailed" documentation on the CLI for the vShield AGents? I've taken a look at the CLI section of the vShield Admin guide, but was wanting a bit more detail on the usage of the commands and more detailed description of what the commands are and how they would be used in configuration or troubleshooting. For example, wondering what the esx-watchdog is all about.

Thanks,

Lane Leverett

DMZ, network considerations

mdemarcork53 — Thu, 13 Aug 2009 01:52:14 GMT

We are planning to setup a DMZ environment for our VM network.

Current network :

2pnic- SC vSwitch

1pnic-VMotion vSwitch

2pnic- Production vSwitch

1pnic-DMZ vSwitch

Proposed solution:

2-SC (Mgmt VLAN)

1-VMotion (private, non-routed VLAN)

2-Prod (Prod VLAN)

1-DMZ (DMZ VLAN)

Questions:

1. If we use a firewall or ACLs to separate the SC from the Production & DMZ networks. Do we need to open any ports?
2. Should vCenter server be on the production or mgmt vlan?
3. The plan was to only allow certain workstations to access vCenter. Configure vCenter server to be the only one that has access to all the esx SC. If this would work and is a secure option, what ports if any need to be opened.

SSL Server support weak encryption

MAD1969 — Wed, 01 Jul 2009 09:30:56 GMT

Completed a vulnerability study on our ESX 3.5 environment and its high lighted (SSL (Sercure Socket Layer) Server support weak encryption keys, which are defined as encryption keys with lengths of less 128 bits. Message encypted with weak encryption keys are relatively easy for an unauthorized user decrpt) on port 443.

I have looked at the VMware Secuirty Hardening document and it say that it Must always be available.

Should this be left allow, or is there anything I can do to correct this?

Thanks

Documented best practice for no antivirus in Service Console???

leejaime97 — Thu, 06 Aug 2009 19:04:45 GMT

Could someone point me to a document/web page that shows VMware's best practice on not having antivirus in the Service Console?

vSphere in the DMZ Question

timcwhite — Thu, 06 Aug 2009 13:23:26 GMT

Good morning,

We are in the process of implementing vSphere 4 in our DMZ and I wanted to run a question by you regarding the design. Currently, we are running our Virtual Center server within our Core network. The new vSphere servers will reside within our DMZ but will need to be managed by the internal Virtual Center server. Below are the following scenarios that we are considering.

Scenario I:

Open the following ports:

Port 22 and 902 between our VC and ESX hosts
Port 903 between our VI client and Virtual Machines for remote console
Port 27000 and 27010 between our vSphere hosts and license server (this is also our virtual center server)
Port 443 for inbound HTTPS connections

Scenario II

Don't open any ports and connect the service console and the Vkernel network to our core network.

Has anyone implemented either? What is your opinion/suggestions regarding either scenario?

SR-IOV, virtualisation CNA's and security

JoeShmoe — Fri, 03 Apr 2009 12:14:45 GMT

Cam someone help out a dumb architect here trying to muddle his way through the muddy waters of the UCS announcement and virtual networking.If its ok I'll cut and paste some comments from erudite guys like Scott Lowe and Brad Hedlund

Im looking at UCS and seeing how the new virtualization based CNA's (Palo?) use "a PCI SIG standard for allowing a physical network adapter to present
multiple virtual adapters to upper-level software, in this case the hypervisor. This eliminates the need for the hypervisor to manage the physical network adapter and allows VMs to attach directly to one of
the SR-IOV virtual adapters" - "With Cisco UCS and the Palo adapter, you will be able to achieve “Hypervisor Bypass” (VM Direct Path), where the VM writes directly to its SR-IOV slice of the adapter. The adapter then applies a VN-Tag to uniquely identify the “virtual NIC” the traffic belongs to — VN-Tag acts like a virtual patch cable running from the SR-IOV adapter to the UCS 6100 fabric switch. At this point the virtual machine is managed as if it is connected directly to the UCS 6100 fabric switch"

All sounds great, I can use this additional layer in hardware to present multiple interfaces on single adapter to an ESX host and not have switching done by the processor (using vSwitch or Nexus1000V) as its done on a chip

However I could do this before (in software) using VLAN seperation i.e. collapse all network zones (data, mgt, backup, storage etc) on a single cable and leverage VLANs / PortGroups for everything - I would guess most if not everyone probably didnt do this due to the obvious fears of VLAN security and went back to having dedicated NIC's for the network zones and in many cases even more NICs to seperate the VM's on the data/vm network within different subnets

So my question is, does the use of SR-IOV, VMDirectPath and the new 'virtualisation aware' CNA's allow me to collapse these networks onto one adapter and use SR-IOV to partition them? Or do we still have the need for mutliple CNA's for the network zones and all this is really doing is pushing the switching out of ESX and down to the hardware

I guess im looking for the day when someone tells me I can do this and reduce cabling, VLAN seperation etc. FCoE looks like it wants to do this but again, not understand how security between zones is any different than it is now, I dont see how I can run all these things down the same piece of string

Tks!

vWire ConfigCheck and vRanger?

JDLangdon — Sat, 01 Aug 2009 21:09:06 GMT

Shortly after vWire released their ConfigCheck utility I ran it against one of our existing ESX 3.5u3 servers and was rather surprised by the number of test we were failing on. From this list of fails I decided what was acceptable and what need to be changed in order to get the servers to a better pass/fail ratio. At this point I've created a security script that will configure an ESX host server for a 61 pass / 16 fail ratio.

In the process of making this security script changes I noticed if I run the script and then attempt to connect the ESX host server to vRanger I get an error message stating that "Server <hostname> appears to be a non ESX host server" and the attempted connection will fail. However, if I connect to vRanger first and then run my security script vRanger will continue to function correctly.

This leads me to believe that one of the recommendations in the vWire ConfigCheck utility causes the ESX server to behave like a non ESX host.

Does anyone know what causes this behavior?

________________________________
Jason D. Langdon

vCenter Permissions to Individual VMs

stin — Thu, 06 Aug 2009 17:40:14 GMT

Thanks in advance for any assistance!

I'm trying to delegate permissions to a single VM to allow an application administrator vCenter and VM access. When I set the user up as a Virtual Machine Administrator to the VM only, the user cannot see the VM in the VIC client (they cannot see the cluster or resource pool the VM is a member of either). The only way I can get this to work is to give them read permissions to the container above the VM, in this case a resource pool. Obviously they only have read access to all the other VMs in that resource pool but I would prefer if they could only see the VM they have permissions to. Am I missing something or is this not possible?

I've never assign permissions the granular before and I guess I just assumed, based on my research, vCenter used an access base enumeration algorithm but my assumption is probably wrong (they usually are).

Thanks!

DMZ Configuration

Grove12 — Wed, 05 Aug 2009 20:52:07 GMT

I was wondering if you guys could help me out with a few DMZ questions. I need to convert our DMZ boxes to VMs and after research I decided that I'm going to do the following:

Create a separate cluster on the same vCenter server as my internal, production VMs.
In that cluster create vSwitch0 that has IPs for SC and VMkernel on their own private vlan.
Create vSwitch1 for the VM network and run those cables to our DMZ switch and assign public IPs to the VMs.

A couple questions:

We have a firewall sitting between the internal network and DMZ. Does the DMZ need to have internal access to the vlan I'm using for SC and vmkernel in #2 above? I would think they would be mutually exclusive, but I could be wrong.
Our network admin is freaking out and pushing hard to keep these boxes physical... stating that this is a huge security risk. I told him that it's no more or less secure just because it's virtual and that we're only as secure as the firewall that he configured that sits between these zones. Is this correct logic?

Sorry if this is long-winded. Any help is most appreciated. Thanks.

Is there any risk with using VMWARE Server 1.x or 2.x

EvilRen — Tue, 28 Jul 2009 07:15:36 GMT

When I am installing vmware server free version in my lan network and my virtual servers does have access to internet(just like another server) does the VMWARE server opens any dangerous ports or can cause any security issues?

Would qemu or openvz perhaps be more secure than vmware?

UlyssesOfEpirus — Tue, 21 Jul 2009 19:21:55 GMT

For the purposes of basic, basic usage of vmware, in my case just a guest connected to the internet and a host connected to absolutely nothing (no networking functionality at all at the host, any transfers to be done via a usb flash drive or the .vmdk mount tool):

1. Would using qemu instead of vmware perhaps make it harder for a hacker to penetrate the host from the guest?

2. Would OpenVZ perhaps make it harder to penetrate the host?

If vmware is so much more widely used than the other two, wouldn't it have the same problem that microsoft internet explorer has compared to opera browser, namely that there's a larger number of computers using it therefore it would give a better return on investment to hackers trying to find exploits for it, therefore much more exploits available for vmware at any given time?

Server virtualization security and compliance (survey)

Virturity — Wed, 05 Aug 2009 08:23:29 GMT

Hi,

i'm working on a research paper on server virtualization security and compliance (MSc Information Security @ University of East London). As part of this i've created a survey to gather input from the people who are faced with these questions in their organizations or do have an opinion on this topic. Its a fairly short survey and it would be great if you have 5-10 minutes to provide your feedback. I've posted the survey in a handful other communities and i would really appreciate the feedback from the VMWare experts here.

The last question in the survey gives you the option to leave an email address in case you would like to see the final results.

The URL for the survey is -
http://www.surveymonkey.com/s.aspx?sm=IACdvGppxeyrRU0r_2fhyUgw_3d_3d

If you have any questions or would like to share your experience/opinion in a less formal way please feel free to mail me.

Thank you
Daniel

p2v firewall port question?

vmwareluverz — Tue, 05 Aug 2008 16:13:37 GMT

on esx 3.5, we only need port 443 and 902 for source/destination open on firewall? i have 4 esx hosts tie to dmz network and a vc server so only 443 and 902 open require? using vmware converter plugin from virtual center client.

disable root access from physical console using cat /dev/null >/etc/securetty

vmwareluverz — Fri, 03 Apr 2009 21:54:17 GMT

i was playing with development esx 3.5 host and forgot i only have root equivalent accounts when used 'useradd -o -u -0 accountname' command, so after i issued "cat /dev/null >/etc/securetty" command, i no longer able to logon to console with root or accounted created earlier. the command is created with that purpose, but anyone know how to workaround this or troubleshoot to restore root access. i can't find any on google but worth to fine out in case someone try this in production systems.

thanks

Virtual center roles/rights/permissions. What does "Datastore" -> "File Level Management" right do?

jwurfel — Wed, 29 Jul 2009 09:41:35 GMT

Hi VMTN

We have special AD license monitoring user, that only needs "read" access to log files on VMFS datastores. We run VC 2.5 and ESX 3.5 U3.

The question is how to do that.

In Virtual Center -> under Administration -> have we have created a new custom role -> given the role given the privilige Datastore - "Browse datastore" -> and Datastore - "File Management". (But NOT the Datastore - "Remove file" privilige)

Then in Virtual Center -> Under Inventory -> Permissions on Hosts and Clusters -> given the AD user the custom role just created (with propagate)

We then login into Virtual Center again, with the specific AD license monitoring user and then browse to a datqastore to see what rights we have been given. Sadly do we have rights to Create folders, cut + copy + move files and also to delete files.

Why is that? My guess would be that "Datastore" -> "File Level Management" right would only have simple rights like read + copy rights.

Nexus 1000v vs. vShield zones

hardingp — Tue, 28 Jul 2009 18:40:22 GMT

I am deciding whether to implement vShield in the initial license of vSphere.

I am getting the Enterprise version of vSphere which includes the Nexus 1000v and the Virtual distributed switch.

What am I trying to get more information on, is what vShield can offer for security that the Nexus 1000v cannot. I understand that vShield installs as a virtual, and filters traffic through its own portgroup and offers some reporting and management features.

However, from an actual security perspective. It seems unecessary to acquire vShield if you are running the n1000v.

For instance:

vShield offers:

-Bridge, firewall, or isolate virtual machine zones based on logical trust or organizational boundaries

Nexus 1000v also offers zone isolation based on policies on a more robust level?

Can anyone give me a quick comparison on the 2 products and if they even work with each other? Why would you run both?

vShield Port Groups management

CharbelZ — Fri, 24 Jul 2009 09:07:18 GMT

Hello ,

Designing an architecture based on ESX4 and implementing a model with multiple remote administrators (on independant VLANs) was the easy task. The next step was to offer each remote admin a virtual data center on the platform to create his own machines and connect them to his port group.

The security problem we are having is restraining each admin to his port group or vlan while creating his machine. In the documentation, dvPorts is a managable object but I can't seem to be able to correctly assign each admin in my active directory to a port group on the vswitch.

Can it be done? Can we create privileges on a vSwitch's port groups directly?

If that is not possible, can we create a mandatory template to connect the VM with the port group already specified?

Thanks for all the help!

Charbel

PS: Reference VSphere Basic System Administration p221-222

Best Practices and Security on ESX 3.5

jozsef — Fri, 17 Jul 2009 14:55:16 GMT

Can anyone point me to some definitive documentation in regards to securing ESX servers and best practices related to securing ESX hosts.

Things like not using Root account, regular patching, esx lock downs??...

Thank you.

Regards

Joe

Restrict root Logins To System Console

dtracey — Mon, 13 Jul 2009 16:29:18 GMT

Hi Guys,

I've just run the Compliance Checker from Configuresoft against a couple of my hosts and it flagged an issue with the hosts not having restricted access to the system console for the root account as per this article:

http://compliancechecker.configuresoft.com/virt-esx.html?004

As you can see from the link, it advises recreating the /etc/securetty file with the following contents:

console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11

Can someone please explain how adding the console to this file adds security? I thought that each line represented a connection that root WAS allowed to connect to, and it would only be disallowed if it was commented out with a #?

Thanks for your time guys.

Dan

VIM account password was changed on host...

heybuzzz — Tue, 07 Oct 2008 20:36:56 GMT

VIM account password was changed on host

Anyone know what this is? Saw it in my Cluster Task & Events. Thanks

Vmware Capacity Planner questions

discovery — Fri, 07 Sep 2007 02:00:49 GMT

Regarding the data collection. The document say can send the collected data over Internet. Due to the security concern, we don't allow to do this. Can we collect the data in the local disk first and then send to Vmware manaually? Any answer will be very appriciated. Thanks in advance.

understanding esxcfg-firewall cmd

galibai — Thu, 09 Jul 2009 13:25:58 GMT

Hi,

My understanding was you can enable a port either via the port number OR with the service name.

For ex - esxcfg-firewall -o 22,tcp,in,sshServer

esxcfg-firewall -e sshServer

On similiar grounds, I tried to ssh the server and from there, I tried to use

esxcfg-firewall -d sshServer

I thought, I will loose the network connectivity and I will have to go to the console of the ESX or use via DRAC. But to my surprise, nothing happened.

What am I missing here? Any help on this cmd will be greatly appreciated.

Thanks

Use custom names instead port numbers

Anton V Zhbankov — Wed, 08 Jul 2009 13:05:45 GMT

Can I make VM Flow to display "iSCSI" instead of 3260?

---
VMware vExpert '2009
http://blog.vadmin.ru

vShield Passwords

EPL — Wed, 08 Jul 2009 16:38:44 GMT

Is there a way to change the admin passwords for a vShield Instance? I've successfully changed it for the vShiled Manager, but haven't found a way to change it for the instance.

Also, is there a way to get and change the root password for the manager and vShield instance, and would that break anything?

Thanks!

Strange numbers in VM Flow report

Anton V Zhbankov — Wed, 08 Jul 2009 13:02:15 GMT

I have VM with Windows File Server and a couple of iSCSI LUNs on external array connected via software initiator from windows.
So, traffic for this file server should be approx 50/50 in/out.

But VM Flow report shows 196GB in / 1.8TB out. How can that be? Almost all outbound traffic is to port 3260, iSCSI.

I have antivirus on this VM, so traffic difference can be explained by antivirus that checks a lot of files. But I suppose there should reverse situation, inbound traffic above outbound. Or I just understand inbound / outbound wrong?

---
VMware vExpert '2009
http://blog.vadmin.ru

Securing access to esx server and vcenter 4

richardmiddleton — Tue, 07 Jul 2009 07:44:36 GMT

When you browse to the Management IP Address of each ESX Server and vCenter it displays a welcome page with links to download the client, tools and the ability to login to web access. We are running a windows 2003 domain. I would like to deny access from all machines on our network to the three ESX servers and the vCenter server apart from two admin machines. I would have thought this would be done by blocking all ips apart from two, but im not sure how to do this.

Has anyone come across a solution for this?

Many thanks

VM's in the DMZ

Kev77 — Mon, 06 Jul 2009 17:18:16 GMT

Hello,

I am looking for some documentation on putting VM's in the DMZ. The best practices, recommendations, etc...
Thanks,

Kev

Isolating Images from each other

Joe_PSL — Mon, 06 Jul 2009 15:59:56 GMT

i have 4 images running on ESX3.5 each with its own ip address on the same subnet in the external range. I want to isolate one image so that it cannot communicate with the other 3 at the ip level.

What is the best and easiest way to do this within ESX.

Joe

Secure erasure of files - at the vmdk level?

LeaUK — Thu, 16 Apr 2009 10:28:32 GMT

Hi all

We're implementing a corporate secure deletion policy whereby our Help Desk staff will use a Windows tool that supports at least US DOD 5200.28-STD file erasure (all reasonably straight forward), however the question has been asked if the erasure propagates through to the underlying VMware disk and if so, is the data stored within the disk securely erased also?

Our file servers are all W2K3 and have HBA links to our SANs. The VMWare 'disks' are stored in .vmdk(s) on the SAN.

Your comments and advice are much appreciated.

Lea

Encrypting full disk or system partition of VM

Osami.K — Tue, 16 Dec 2008 01:30:16 GMT

Hi,

Please tell me.

Encryption tools for full disk or system partition on VM are supported? If I encrypt them on the Guest OS, can OS boot and run without ERROR?

As a trial, I tried encryption of full disk with TrueCrypt, which is a free tool, and the VM seemed to run normally...

Thanks.

change password, vi client, minimal password complexity requirements.

LucasAlbers — Fri, 22 May 2009 19:23:14 GMT

I installed esxi 4.0.

I did not change the password, as it complained about minimal password complexity.

So to change the password, go to:

Users and Groups-> Select the root user, Select edit.

and change the password.

An error is generated when changing the password:

"A general system error occurred: passwd: Authentication token manipulation error passwd"

This indicates I am not meeting the complexity requirements for the password.

What are the password complexity requirements on esxi for the root user?

Change Root Password

pearlyshells — Thu, 25 Jun 2009 13:44:24 GMT

We have a policy that requires us to change the Root Password on all our ESX hosts every 90 days. This is a new policy. I have done this once so far and afterward had rebooted the host for the password to take effect. Was wondering if a reboot is really necessary or can I use a restart of service mgmt-vmware?

Looking for Beta testers

mwronski — Thu, 02 Jul 2009 19:31:48 GMT

Relfex is looking for software beta testers to help with our pending release. If you fall into the following criteria and would like to participate, please PM me and we will get you further details about the software and expectations. There will be incentives for those that participate and provide solid feedback. See Reflex vTrust for an overview of the types of functionality available.

Group 1:

Organizations with 5+ hosts running VI3 (ESX 3.5) with interest in creating infrastrcutre policy with automated enforcement / command and control via canned actions and scripting.

Group 2:

Organizations with 3+ hosts running vSphere with interest in the above functionality and additionally the use of a vmSafe implementation to provide network segmentation / firewall and other network level enforcement of policy (e.g. quarantine, posture checking)
Mixed environment of VI3 and vSphere is supported

Environment Requirements:

Environment manged by one or more vCenter servers
Host resrouce to run the Reflex VMC management Appliance (typically 2G RAM / 2G available storage)
Multiple VM network environment to apply network and infrastructure policy on. The larger the better.
Ability to spend time to instal and work with the Reflex VMC product. Reflex will provide technical suport during the beta.
Product supports vSwitch, dvs and Cisco N1KV

Thanks,

-Mike Wronski

mike at reflexsystems.com

Outgoing ports 137-139 blocked for guests

rganesan — Thu, 18 Jun 2009 16:51:59 GMT

I think I am going nuts over this one. I have a brand new VMware ESX installation. No Virtual Center, just managing through VIClient. I was trying to mount a samba volume from an external physical server inside a Windows XP guest and that didn't work. Firewall disabled on the samba server or Windows XP. I loaded wireshark on WinXP and I see outgoing syn packets for ports 137 and 139 but the samba server never gets the SYN. I thought, okay, something is messed up and loaded a debian guest and tried connecting to the samba host. telnet to ports 137, 138 and 139 - packets do not get through. telnet to port 140, sure enough connection reset.

I did a lot of googling and searching though vmware website but I don't see any one else raising this. Not sure what's going on. Any help is appreciated.

Ganesan

Secure VMTools

ISYS2 — Thu, 02 Jul 2009 13:44:59 GMT

Is there a way to prevent users from running malicious scripts via VMTools?

We use VMtools for drivers (obviously) and the Time Sync functionality. What we have discovered though is that a non-admin Windows user can make use of the VMTools Script tab to make scripts run under the System account after a reboot of the VM.

Many thanks

vShield & VLANs

Anton V Zhbankov — Tue, 30 Jun 2009 10:33:12 GMT

Can vShield serve multiple VLANs?

---
VMware vExpert '2009
http://blog.vadmin.ru

Zero out VM images

NSITPS — Sat, 27 Jun 2009 10:10:44 GMT

At this current time what is the best method for zeroing out un populated areas of VMDKs prior to image level backups - Also, is it safe and does it work?

Thanks

ESXi as an internet frontier

korba — Tue, 09 Jun 2009 19:18:23 GMT

What about such a stupid idea as installing ESXi on a server with 2 NIC's with one NIC sticking to the internet and the other one to the corporate LAN and running a router|proxy|firewall software in VM? Also including all the DMZ machines in virtual LAN? Is that extremly stupid or ita has a chance of success?

ESX v3.5 and LDAP ??

btrcmptr — Thu, 18 Jun 2009 17:26:01 GMT

Howdy,

ESX v3.5 can use LDAP for authentication - so far so good. I have a requriement to maintain "password minimum difference = 3" Does ESX server have this setting?

Thank you in advance,

Bill Burke

How to configure service console firewall to only allow access from certain IPs?

Tysonl — Sat, 27 Jun 2009 00:37:33 GMT

I've spent most of today looking for information on the "esxcfg-firwall --ipruleAdd" command. I want to restrict SSH access to only 2 subnets (let's say 192.168.123.0/24 and 192.168.134.0/24). IP rules looks like it should be able to do it but I've not figured out the right combination of rules.

This is what I've tried (and the man page for esxcfg-firewall made it sound like it should work...)

esxcfg-firewall --ipruleAdd 0.0.0.0/0,22,tcp,REJECT,"Block_SSH"
esxcfg-firewall --ipruleAdd 192.168.123.0/24,22,tcp,ACCEPT,"Allow_123_SSH"
esxcfg-firewall --ipruleAdd 192.168.134.0/24,22,tcp,ACCEPT,"Allow_134_SSH"

My ressoning was that since SSH is open to the world to start I would deny all and then allow the two subnets I wanted. What actaully happened is the black worked and the allows didn't.

This is the example from the man page I based these rules on

To allow only one host access specified port of COS
esxcfg-firewall --ipruleAdd 0.0.0.0/0,902,tcp,REJECT,"block_902"
esxcfg-firewall --ipruleAdd 192.168.1.1,902,tcp,ACCEPT,"allow_one"

Any help you can give would be awesome. Thanks all.

ESX 3.5 Behind a Firewall

ejking — Thu, 11 Jun 2009 17:15:14 GMT

Requirement

ESX server is on DMZ to be on HP hardware and VC(2.5) on the internal LAN. Server based licensing to be used and the Flex lic server is on the same server as VC

Ability to deploy software on ESX by use of ILO by Admins (both Console & Virtual media access)

Ability for the app support to remote to VM's in DMZ to manage VM's only and deploy sofware. Preferably if app support can load the app themselves and if not possible admin does if for them. mstsc/landesk/sms/dameware,etc is not allowed.

Ability to deploy software from Altiris RDP server which is inside the internal LAN

DNS name resolution to be allowed.

Company operates a strict policy and ports need to be kept to a bare minimum

******************************************************************************************************************************************************************************************************

Current Ports to be opened and solution that i can think off

ESX to Flex lic server (27000 &27010), ESX to Vcenter/Web (443 and 903/UDP), VI to ESX(902&903), ILO to ESX(23 &17988), DNS(53 TCP/UDP)

Other than adding IP helper ipaddresses on Switches is there any ports required for altiris RDP server VM deployment? Is the risk of using RDP more than the benefit?

App support team to be given access via "Generating Remote Console URL" for VM's on VC. And admin teams put the software for them on VM's. Is there a better solution to this?

If we used host based licensing, would 27000 and 27010 still needs to be open on the firewall

Suggest any ports that can be added or removed, or anything else usefull. Thanking you

VMWare and IP Network Routing externally

NetworkEngineer1970 — Tue, 23 Jun 2009 12:50:51 GMT

VMWare and IP Network Routing externally
Yesterday at 2:02pm Hi all,

Sorry, I am bit new to VMWare, so please bear with me. I am just starting to install it, but not sure if what I am trying to do is even possible in a virtual environment. And I could not find a section for networking and security issues and this is the closest match.

ISSUE 1: Here's my example along with example IP numbering:

Machine 1

1. VM DHCP + DNS
192.168.1.2

2. VM FW
192.168.1.1,
192.168.2.1,
192.168.3.1,
192.168.4.1,

Machine 2

3. VM VPN Server
192.168.2.2

4. VM LDAP
192.168.3.1

5. VM FileServer
192.168.3.2

I have added multiport cards to facilitate the network.

My question:
Can I even get the packets to traverse OUT of the physical box? E.g. there will be specific rules that define access between the VPN Server and the LDAP?

In other words, an authorisation request from the VPN Server should actually go through the firewall on Machine 1. I fear that since the IP addresses are locally known to the underlying OS, i.e. the IP stack on Machine 2 knows that both 192.168.2.2 and 192.168.3.2 are on the local machine, so the packets might never traverse the network at all.

Am I right? If I can force the issue, how do I do it?

ISSUE 2:
How can I assign specific network interfaces to specific machines? E.g. if I do not want eth0 to be available at all to VM4. But eth0 to be available ONLY to VM5?
Is this possible?

Any responses would be greatly appreciated.

Kind regards.

Justification for a separate physical network switch for VI3.5?

stratolynne — Tue, 23 Jun 2009 13:53:38 GMT

I was asked by management to come up with justification to procure a new physical network switch for VI3.5. Currently we are using part of a network switch for VMotion and VirtualServer for about half the ESX hosts we have. I know its a good idea to split off this traffic for VMotion but wanted to know if there are any other reasons.

Can someone help point me to some information on why you would use a separate physical network switch?

Thanks

ESX 3.5 Network Security

iendicott — Tue, 23 Jun 2009 10:39:50 GMT

Hi,

I am about to change the Layer 2 network security on all my hosts to Reject Promiscuios Mode \ MAC Address Changes & Forged Transmits. Can this be completed on the fly or is this a maintenance mode for the hosts job as it may effect VM's connectivity ?

Thanks