VMware Communities : Unanswered Threads - Security & vShield Zones

vShield - No cluster option

Mickoni — Thu, 19 Nov 2009 15:13:08 GMT

Hopefully this is a simple one......

I have 3xESXi 4.0 hosts in a DRS cluster. I have followed the VMware instructions as much as possible but im obvisouly doing something wrong.

I have installed vShield manually (on a distributed switch) and vShield manager (is currently located on a vSwitch) and am getting connectivity ok. However, when doing a manual install through vShield Manager. I ONLY have the option "Standalone" in the Clustering Settings. In the guide it says I should have a "Add to Cluster" option - which just isnt visible. This obviously just leaves me with 1 host being protected.

Any ideas?!

vShield agent scan interface

mike lim — Tue, 10 Nov 2009 18:01:49 GMT

Hi,

Am testing out the vShield addon in our local environment and have hit a snag I hope someone knows the answer to. My vShield agent has a management IP address outside of the subnet of VMs that I wish to scan for services. According to the documentation I should enable the scan interface from the CLI and give it an ip address in the range of my VMs which makes sense......but life is never simple. Within the configuration option of the CLI I can only see 3 interfaces which are: mgmt, u0 and p0 so the command to enable the scan interface is clearly missing a step. I am assuming that adding another vNic is the way to go but am wondering what I will need to do after this.

Any help much appreciated.

Mike

vSphere STIG and DoD Discussion

stanj — Fri, 02 Oct 2009 19:05:36 GMT

I started the new thread so that others can contribute.
Hopefully, we can use this thread to advise interested users when the vSphere STIG will be in draft or and final mode.:^0

I have been following the thread about the ESX script to pass DISA Security Review which provided good info for ESX 3.5.

We may be installing vSphere 4.0 in the upcoming months in a DoD facility and will be required to use a DIACAP process to receive an ATO to allow the systems to be connected to a classified network.

I am interested in the process that our DAA will need to investigate.

I am assuming the ESX Stig will be a starting point as we start down the path for receiving our ATO?

VM Firewalls

boatrke1 — Tue, 01 Sep 2009 15:02:39 GMT

Anyone have any experience with Altor Networks Virutal Firewalls?

Just looking from some feedback as we are looking to implement in our environment.

Thanks,

Kevin

VM Flow shows "No Data Found"

SCampbell — Fri, 21 Aug 2009 18:56:19 GMT

We're just tinkering with vShield and Cisco N1000V independently and together in the lab as we prepare to deploy vSphere.

The current configuration in our lab is this:

The public side of a vShield VM is connected to an N1000V Port Group
The private side of the vShield VM is connected to a local vSwitch Portgroup with Promiscuous mode permitted. (It's not a dV Port group, but do recognize this would be needed as we evolve the lab)
We have servers on the public side and one server on the protected port group, and can transfer data to and from all these servers from another computer outside the ESX environment.
The protected server is shown as protected in the vShield Manager
I have a script running elsewhere that is generating traffic to and from the protected server. The vShield Manager Status for that vShield is showing all the expected traffic in both the p0 and u0 status.
But, the VMFlow stats for the protected server and its roll-ups shows "No Data Found"

Some questions

I was unable to get the protected Port Group working as an N1000V port group, and have since found information here confirming that. Is the failure to display VMFlow stats related to the fact the public side doesn't really support promiscuous mode? (since it's a N1000V port group)
Is there some other misconfiguration I've done that is preventing the VMFlow data from showing?
Again with the promiscuous issue, am I unlikely to get a second computer in the protected side to work?
I saw a reference to reversing my configuration: Put the public side on a vNetwork switch with uplinks, and put the protected side as an N1000V port group. Is this likely to work better?

I understand Cisco is working on a solution to this problem, but we did want to put in as much "end-state" infrastructure as possible as we prepare for deployment, and doing the uplink side using N1000V seems to make more sense to me.

Thanks for this.

vShield Port Groups management

CharbelZ — Fri, 24 Jul 2009 09:07:18 GMT

Hello ,

Designing an architecture based on ESX4 and implementing a model with multiple remote administrators (on independant VLANs) was the easy task. The next step was to offer each remote admin a virtual data center on the platform to create his own machines and connect them to his port group.

The security problem we are having is restraining each admin to his port group or vlan while creating his machine. In the documentation, dvPorts is a managable object but I can't seem to be able to correctly assign each admin in my active directory to a port group on the vswitch.

Can it be done? Can we create privileges on a vSwitch's port groups directly?

If that is not possible, can we create a mandatory template to connect the VM with the port group already specified?

Thanks for all the help!

Charbel

PS: Reference VSphere Basic System Administration p221-222

Strange numbers in VM Flow report

Anton V Zhbankov — Wed, 08 Jul 2009 13:02:15 GMT

I have VM with Windows File Server and a couple of iSCSI LUNs on external array connected via software initiator from windows.
So, traffic for this file server should be approx 50/50 in/out.

But VM Flow report shows 196GB in / 1.8TB out. How can that be? Almost all outbound traffic is to port 3260, iSCSI.

I have antivirus on this VM, so traffic difference can be explained by antivirus that checks a lot of files. But I suppose there should reverse situation, inbound traffic above outbound. Or I just understand inbound / outbound wrong?

---
VMware vExpert '2009
http://blog.vadmin.ru

Any tools to retrieve local windows 2003 account credentials?

azn2kew — Thu, 25 Jun 2009 15:29:48 GMT

Hi All,

I need some help with any tools available to retrieve or backup bunch of local windows 2003 account credentials (username/passwords). I've tried to google but have no luck with a tool that can do so especially reading the user's password for archival purpose.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen
VMware vExpert 2009
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant

Any security concerns with adding VMkernel IP's to DNS?

Nashwood — Thu, 28 May 2009 14:14:25 GMT

Quick background: We have a large ESX shop (200+), and we use a NAS for build scripts, config files and ESX backup. We have to switch over to a new NAS. Problem is that the new NAS (Celerra) has a 2048 character limit, so we cannot add all of the current hosts. EMC found a possible solution by defining netgroups. This works like a host file.

Service Console IP's and FQDN are in DNS, as they should be.

Issue: We have the VMkernel in isolated VLAN's. Storage guys would like to add the IP's for VMkernel into DNS, of course with different name (ex: hostname-vmk). This ensure that they we won't have to continue to add them in the netgroup.

Question: Are there any security concerns with adding VMkernel IP's to DNS?

Thanks in advance.

Scott

2-factor authentication for ESX and vCenter management (VIC and ssh)

echiu — Tue, 19 May 2009 23:41:10 GMT

Hi,

HyTrust is working on implementing 2-factor authentication for ESX and vCenter as part of HyTrust Appliance's access management capabilities for our upcoming 1.1 release. This is for both vCenter and direct-to-host management connections using Virtual Infrastructure Client or ssh. We are currently looking at implementing support for RSA SecureID, smart card, Radius and kerberos.

We are interested in getting additional input on our use cases/workflow for supporting 2-factor authentication as well as beta sites. Let me know if you have an interest in participating.

For those that don't know about us, HyTrust Appliance provides control and visibility for virtual infrastructure. The HyTrust Appliance is a single-point-of-control for access management, audit logging, and consistent hypervisor configuration. The Community Edition of HyTrust Appliance is a full-featured version of the product protecting up to 3 ESX hosts and is totally free to the Community -- download your copy today at http://www.hytrust.com/community.

Please contact me if you have an interest in working with us on 2-factor authentication.

Thanks,

Eric Chiu
650.681.8111 direct
echiu@hytrust.com
www.hytrust.com

Kon-boot

continuum — Mon, 18 May 2009 13:16:28 GMT

Kon-boot is a boot-cd or floppy.
You boot a real metal system or VM with it, It shows a logo at boot-up and then continues loading the installed system from harddisk.
You can then log in without knowing the password on Windows or with password "kon-usr" for root-accounts on Linux
Works on some Linux and on most Windows.

It works alarmingly good - if you are interested in Security you really should know it.

http://www.piotrbania.com/all/kon-boot/

___________________________________

description of vmx-parameters: http://sanbarrow.com/vmx.html
VMware-liveCD: http://sanbarrow.com/moa.html

VMware vShield Zones Private Beta running now

wwu123 — Wed, 25 Mar 2009 18:41:03 GMT

Recently at VMworld Europe 2009 in February, VMware announced a new vSphere offering called VMware vShield Zones that provides network monitoring and firewalling for security and compliance of VM's. We just kicked off a private beta open to vSphere 4 beta customers that will be running for the next few weeks. I'd like to extend an invitation for additional beta testers to the Security and Compliance forum as well. If you are interested, please send me a private message and I will work on manually enrolling you into the vShield Zones beta community to get access to the software, documentation, and beta forum.

You can learn more about VMware vShield Zones at the product page here: http://www.vmware.com/products/vshield-zones/

Regards,

Warren Wu

VMware Product Management

Does anyone have any experience with using LogRhythm to consolidate and manage ESX logs?

Gene H — Wed, 25 Mar 2009 15:40:27 GMT

We have the LogRhythm product for consolidation and management of Windows logs and I know that it can receive syslogs from ESX, however I don't know how to filter the ESX syslogs once it is in LogRhythm.

Does anyone have any experience with this product? I really don't want to re-invent the wheel if someone already has an ESX specific template.

Gene

ServerView agents for VMware ESX Server 3.5 Update 2

Aleksandar_Macedonia — Wed, 22 Oct 2008 08:16:06 GMT

Hi,

I am using ServerView for managing my Fujitsu Siemens servers, but i have to install serverview agents to every server that i want to be managed.

Is it possible to install ServerView agents for VMware ESX Server 3.5 Update.

Can anybody send me links, or some books for this.

I have found some manuals and RPM files, but i doubt that i could use them for esx server 3.5 Update 2.

Thanks

VIM account password was changed on host...

heybuzzz — Tue, 07 Oct 2008 20:36:56 GMT

VIM account password was changed on host

Anyone know what this is? Saw it in my Cluster Task & Events. Thanks

Objection from security folks to open 445, 139 and 902 for P2V

azn2kew — Fri, 19 Sep 2008 18:15:47 GMT

Folks,

Why I'm getting objections to open these ports for P2V projects from DMZ servers ->VCMS->ESX Hosts? I need some justifications to my reasons. I told them its the ports required but not approve. Any other reasons?

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant

FTP Account on ESX hosts

Andy_Imm — Fri, 15 Aug 2008 19:22:09 GMT

Hello people,

We are running security scans against our hosts and came up with a vulnerability. It is related to the ftp account on the esx host. Is this account necessary?

Also have the following accounts;

halt, sync, shutdown, ntp, nfsnobody. Are these accounts necessary?

Thanks in advance,

Andy

ConfigCheck for ESX 3.0

GavinMillard — Mon, 21 Jul 2008 16:12:38 GMT

Just wanted to let you all know that Tripwire released a new version of ConfigCheck, the free utility to assess the Hypervisor against the VMware hardening guidelines, that can now monitor ESX version 3.0. The initial release only monitored 3.5 but after many requests from the community, we've added 3.0 support.

Here is the official announcement

Here is a blog post on the subject

Download the latest version from here.

Please let us know if you have any issues or comments on this latest release by replying to this post.

Gavin Millard ¦ Tripwire Inc.

Virtual Center and SSHD

JDLangdon — Wed, 09 Jul 2008 11:30:41 GMT

Is there any reason why my VirtualCenter server would be attempting to establish a SSHD connection to my hosts servers using the Windows Administrator account? I've recently configured syslog to point to a SPLUNK server and have been noticing a lot of "Illegal user Administrator from x.x.x.x" errors where x.x.x.x is the IP address of the VirtualCenter/License server.

Jason

vmware-config and SELinux

wila — Fri, 04 Jul 2008 15:04:39 GMT

Hi,

So far I've only tested this with a fedora host and vmware-server 1.x

At times when you update a kernel, you'll have to recompile the kernel modules using the /usr/bin/vmware-config.pl script.
This is fine, however as it appears one of the things it touches is the /etc/services file.
If your host has SELinux enabled and enforced, then you'll get SELinux issues.

At the end of the /etc/services file I see a vmware part:

# Beginning of the block added by the VMware software
vmware-authd 904/tcp
# End of the block added by the VMware software

It is known that we only need to relabel the file using

 restorecon -v /etc/services

So here is a challenging idea, could this be made part of the reconfigure process?
Just so that you do not need to lower your security to "permissive" or patch up things afterwards in order to get it working again.

thanks.
Wil

Something really dum

Scott.T — Mon, 05 May 2008 01:38:18 GMT

Ok, ive gone and done something really done, We have a new installation of VC, basically starting from scratch with new infrastructure.

Ive gone and added domain users into the no access security group, very smart i know.

How do i reset permissions on VC?

Scott.T

If the Service Console and VMs are on different vlans (for Security) - where best to put the VC server?

dinny — Thu, 17 Apr 2008 10:20:07 GMT

Hiya,

I am just designing a secure ESX environment to be placed in a DMZ and be PCI compliant.

I realise that the vmotion vlan should be inaccessible from both the SC and the VM vlans.

I also realise that the SC vlan should ideally be isolated from the VM vlans.

I'm less clear on where to put the VC server.

I was initially thinking that it would be best on the same VLAN as the SC - with no access from that vlan to the VM vlans (as a VM that is able to access the VC, would presumably give rise to similar risks as a VM that can access the SC directly)?

I then started to wonder if any VC specific functionality actually requires direct network access to the VMs themselves?

Has anyone tried this - or does anyone know what (if any) requirements there are for VC to directly access the VMs via the VM vlans?

The one thing that I was wondering about specifically was VCB (using a SAN). I know by default VCB will act on the IP address of the VM and then take the snapshots of the VMs via VC. I wasn't sure if they were completely separate activities though?

i.e. is it just the VCB server that needs IP access to the VMs - or would the VC server also need it? Or is it all handled over the san based VCB LUN driver - so neither need access?

If the VC server does need access for VCB - might it be possible to use the VM uids instead - or would this still require IP access to the VM vlans?

Cheers

Dinny

Any good for IBM codename "Phantom" to secure ESX hypervisor world at all?

azn2kew — Wed, 09 Apr 2008 12:14:21 GMT

Has anyone familiar with IBM codename "Phantom" at all? I'm curious what this project will do and help secure virtualization world especially ESX hypervisor and that's going to hit big next with security in the ESX. How good is vmSafe any feedbacks would be nice to know.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen
iGeek Systems LLC.
VMware, Citrix, Microsoft Consultant

Is VI3 ESX 3.0.2 and VC 2.0.2 are EAL 2+ Certified?

BacMan — Fri, 14 Dec 2007 04:11:43 GMT

Hi all,

Is anyone know VI3 ESX 3.0.1 and VC 2.0.1 are EAL2+ certified? If so, is there a link to the document. Thanks.

From the link below they are being reviewed for certification for EAL4+ certification. So, I assumed they have to be cerified at least with EAL 2+, but could not find any document to confirm that.

https://exchange.x-feds.com/exchweb/bin/redir.asp?URL=http://www.cse-cst.gc.ca/services/common-criteria/ongoing-evals-e.html

Cheers,

Windows Licensing Compliance & Hardware

cduncan — Thu, 13 Dec 2007 00:36:59 GMT

I've read a number of the forum discussion on Windows and licensing, as well as some of the provided links, but it seems they address issues for much more complex situations. We're a small company, and I'd like to have one server running three Windows 2003 R2 VMs. I always understood that with Microsoft, the OS is tied to the hardware. The discussions seem to imply that's not the case, but I haven't been able to locate the reference to this in Microsoft's licensing publications. Maybe I'm looking in the wrong place.

*We wont' be using VMotion.

*We don't have applications that span servers

*We'll only move the VM's once thelease for the hardware we're using is up and we replace it.

So, which edition or licensing structure for Windwos 2003 R2 do I need to get so that it isn't tied to the hardware?

Does anyone have a link to a decent resource on the basics of Microsoft's licensing structure. It seems like every result I find through Microsoft is geared towards enterprise solutions.

Application Licensing

ejsegrav — Wed, 31 Oct 2007 14:53:03 GMT

Anyone out there familiar with Data Direct or other software vendors who license products by hardware processors? There is a hook in the application that interrogates the hardware to see how many processors and it is reporting the actual number of physical processors in the box even though we only dedicate one virtual processor to the app. We are trying to negotiate licensing with them to just go after virtual processors but they really don't seem to understand virtualization. Any suggestions?

ANNOUNCE: Catbird V-Agent, ESX Server Security System

howardcat — Thu, 09 Aug 2007 01:28:01 GMT

Hello:

Do you know anyone currently running VMware ESX Server, and seeking a security solution for their virtual infrastructure?

I work for Catbird Security, and we have recently announced our Catbird V-Agent.

For more details, please visit:

http://www.vmware.com/appliances/directory/953
http://www2.catbird.com/our_services/vagent_s.shtml

V-Agent offers security services for ESX Server environments, and I am seeking to work with a few local users who would be interested in getting a free year of service, in exchange for your real-world testing and feedback. It is not a requirement that you go public with your use of our technology, but of course we would be happy to discuss any mutual interest in such.

V-Agent High-level features include:

-Network Access Control
-Intrusion Detection/Prevention
-Vulnerability Assessment
-Windows Policy & Trusted Scan

Additional External Security Services are also available.

If you or a buddy are interested, and have an ESX Server (or many), please get in touch.

The Eval process involves downloading and powering up our V-Agent (Certified VMware Virtual Machine), and running some internal discovery and scanning. Estimated time from power-up to results is about an hour.

Thanks in advance!

Howard Fried
Director, Sales Engineering
Catbird.com

PS This is a somewhat limited offer, and may expire soon, depending upon response. Thanks!

FIPS 140-2 Compliancy

langonej — Fri, 03 Aug 2007 18:40:10 GMT

Is there any documentation out there regarding VI3 and FIPS 140-2?

Thanks in advance.

Securing Sprawling Virtual Machines from Vulnerability-based Attacks

SecurityJunkie — Sat, 20 Jan 2007 01:07:46 GMT

Does anyone have any thoughts on the impact of virtualization on server security? I was chatting with a security expert (who will be apparently speaking on an Interop panel in May) and he was genuinely concerned with the security impacts of: decoupled software and hardware; VM sprawl; software updates; and complex server stacks.

He also said that HIPS/NIPS/Firewalls were never designed to protect these kinds of sprawling (hard to manage) environments. Some of their functionality will continue to function, but any features tied to hardware-based signature processing (very common in mature security solutions) would be rendered "virtually irrelevant."

Anyone have any thoughts? Suggestions?