3 Replies Last post: Nov 4, 2009 9:41 AM by Texiwill  

Newbie question: Service Console isolation vs accessibility posted: Nov 2, 2009 8:37 AM

jflanagan (Lurker, 3 posts since Feb 22, 2008)

Hi, all,

I'm wondering what people do in practice to balance isolating the service console/vCenter with being able to get access to needed services (updates, NTP, etc) and administer the host and vCenter.

The quick background:

Local government, not a large shop. Just getting ready to go into production with ESX3.5/VC2.5, have licensing for VDI which is one of the reasons I'm not starting out with v4. Have had ESX in test for about a year.

Network is somewhat sophisticated, Alcatel hardware, can do VLANs etc, but managed by another team so I haven't gotten familiar with how much it can or can't do for access control.

Firewalls are at the network edge only; an inter-VLAN firewall or ISA server would be new to me, and probably require some negotiation.

Since I'm not quite in production yet, I know my best chance is now to configure the network according to best practices. I've read the Security Hardening Guide, now I'm hoping to get some "street" opinions. Should I go the distance and set up a firewall, or can we configure a VLAN tightly enough to be a good (if second-best) choice? What are the usability tradeoffs? How do you go about getting updates if you don't connect this network to the Internet? Any creative solutions out there for the budget-conscious?

Thanks for your help,

Jenna Flanagan

Town of Belmont IT Department

jflanagan@belmont-ma.gov

tom howarth (Guru, 7,346 posts since Jul 25, 2005)

Jenna, before I answer your question, I will move this post to the "Security and vShield Zones" forum; this is a much better location to get answers to this type of question.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points


Tom Howarth VCP / vExpert
VMware Communities User Moderator
Blog: www.planetvm.net
Contributing author on "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment". Currently available on Rough Cuts

tom howarth (Guru, 7,346 posts since Jul 25, 2005)
The service console is often considered the "keys to the kingdom"; if this is compromised, then you have access to all the running guests. The Hardening Guide is a very good starting point. An internal firewall would be a very good option; there are several out there that are secure but have a low learning curve: ISA is one, but there is Smoothwall as well.


However, that said, VLANs, even though they are not considered a security mechanism, should be used to separate your traffic; more important is to separate the traffic flows. Make sure that your Service Console traffic and any VMKernel traffic are separated from your production guest traffic. This can be done at the lowest level by port groups and VLANs (not particularly secure, but better than nothing), moving up to separate pNICs and vSwitches, and finally a completely separate set of pSwitches to guarantee independent traffic flow (very secure, but also very expensive).

How many pNICs will you have in your guest? The more the merrier. With as little as 4 pNICs you can start a design with true security in mind:

vmnic0 + vmnic2 --> Service Console and VMKernel traffic

vmnic1 + vmnic3 --> Production Guest traffic.

Have a read of Ed Haletky's (Texiwill) very good series on NIC placement in design found here

Now, are you aware that the release of View 4 is just around the corner (guesstimated release date mid-November)? This would allow you to introduce all the vSphere goodness and utilise VDI. Just a thought.


Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

Tom pretty much summed it up. Service Console access is the keys to the kingdom. You can implement some defense in depth within the SC to alleviate some concerns by using pam_access, hosts.allow/hosts.deny, SSL certificate changes, and other PAM items to protect you, but these are secondary to your existing network configuration.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast
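Ed's reply mentions hosts.allow/hosts.deny as one layer of defence in depth inside the Service Console. The following is an added example, not code from the thread or from VMware: a small evaluator that models how tcp_wrappers reads those two files (hosts.allow first, then hosts.deny, permissive when neither matches) over a constructed default-deny rule set. The management subnets 10.10.1.0/24 and 10.10.2.x are assumptions, and the parser is deliberately simplified (no EXCEPT clauses or hostnames).

```python
import ipaddress

# Constructed example rules for an ESX 3.5 service console. The management
# subnets 10.10.1.0/24 and 10.10.2.x are assumptions, not values from the thread.
HOSTS_ALLOW = """\
# Only the management VLAN may reach sshd. tcp_wrappers covers only wrapped
# daemons, so the network-level separation discussed above stays primary.
sshd: 10.10.1.0/255.255.255.0
sshd: 10.10.2.
"""
HOSTS_DENY = """\
# Default deny for every wrapped daemon; hosts.allow is consulted first.
ALL: ALL
"""

def _parse(text):
    """Return [(daemon_set, [client_patterns])] from a hosts.allow/deny file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(({d.strip() for d in daemons.split(",")},
                      [c.strip() for c in clients.split(",")]))
    return rules

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:            # net/mask form, e.g. 10.10.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):     # leading-octets prefix form, e.g. 10.10.2.
        return ip.startswith(pattern)
    return ip == pattern          # exact address

def _matches(rules, daemon, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(_client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def wrapper_decision(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers evaluation order: hosts.allow, then hosts.deny, else allow."""
    if _matches(_parse(allow), daemon, ip):
        return "allow"
    if _matches(_parse(deny), daemon, ip):
        return "deny"
    return "allow"                # no rule matched: the default is permissive
```

The last branch is the point worth checking on a real host: a hosts.allow entry on its own restricts nothing unless hosts.deny carries the `ALL: ALL` line.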
