VMware Cloud Community
TheVMinator
Expert

Hardware Protection Keys and Virtualization

I have some dongles with license keys that are supposed to be used for various applications within the virtual infrastructure. If the goal is 100% virtualization in a multitenant environment, how can I move toward that and still allow these applications to access their dongle? I don't want to stick hardware USB appliances all over the datacenter. Has anyone faced this problem?

Texiwill
Leadership

Hello,

It depends on the dongles. Parallel dongles have to be connected to the server. Serial and USB dongles may be able to use over-IP products. You could have one and just lock it in a closet/rack somewhere and mount them to the appropriate VM as required. Some of the dongles do not work over IP, however.

Most people I talk to use USB or Serial over IP devices. This also helps in case you have to move a VM using vMotion; a pinned VM cannot move easily. So this is the approach I would take, with the use of a USB or Serial trust zone, and limiting access (physical) and network to these devices.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TheVMinator
Expert

OK great - I'm somewhat unfamiliar with what you mean by a "USB trust zone". If I use a USB over IP hardware device, where do I create the "USB trust zone"? Do you mean just an isolated VLAN on the network with an associated virtual switch port group?

Texiwill
Leadership

Hello,

Unless you have a compensating control such as a locked cabinet with limited access to the keys, aka physical security, then assume the USB over IP is an untrusted security zone; as such, it should be segregated from the rest of your network. You can use VLANs or you could use a firewall. Either way you need some way to ensure the only thing on the USB network is USB devices coming from a specific set of IP addresses, and a specific set of devices. A blend of physical and virtual security is needed here.

Best regards,
Edward L. Haletky
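As an added example (not from the thread and not Edward Haletky's code), here is a small Python audit that encodes the rule above as a checkable policy: only known USB-over-IP hubs and known dongles may sit in the segregated zone, only a specific set of client hosts may open sessions to them, and the zone never initiates connections outward. The zone subnet, the TCP port (3240, usbip's default; vendor appliances differ), the vendor:product ids and the `key=value` flow-log format are all constructed assumptions for illustration; feed it your own firewall or NetFlow export after adapting `parse_flow`.

```python
"""Audit flow records against a USB-over-IP trust-zone policy.

Constructed example: the subnet, port, device ids and log format are
assumptions chosen for illustration, not values from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption: the segregated USB-over-IP VLAN and the hub listening port.
USB_ZONE = ip_network("10.99.0.0/24")
USB_PORT = 3240

# Hub address -> dongles (USB vendor:product) expected to be attached to it.
ALLOWED_HUBS: Dict[str, set] = {
    "10.99.0.10": {"0529:0001", "096e:0006"},   # constructed ids
    "10.99.0.11": {"0529:0001"},
}
# The only hosts (e.g. the licensed VMs) allowed to open sessions to a hub.
ALLOWED_CLIENTS = {"10.20.5.14", "10.20.5.15"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    device: Optional[str] = None   # vendor:product from the attach request, if logged


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src=.. dst=.. dport=.. [dev=..]' record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("dev"))


def check_flow(flow: Flow) -> List[str]:
    """Return policy violations for one flow (empty list means compliant)."""
    findings: List[str] = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in USB_ZONE:
        # Inbound to the zone: allowed client, known hub, expected port, expected dongle.
        if flow.src not in ALLOWED_CLIENTS:
            findings.append(f"unauthorised client {flow.src} -> {flow.dst}")
        if flow.dst not in ALLOWED_HUBS:
            findings.append(f"unknown hub {flow.dst} inside USB zone")
        if flow.dport != USB_PORT:
            findings.append(f"unexpected port {flow.dport} on hub {flow.dst}")
        expected = ALLOWED_HUBS.get(flow.dst, set())
        if flow.device and flow.dst in ALLOWED_HUBS and flow.device not in expected:
            findings.append(f"device {flow.device} not expected on hub {flow.dst}")
    elif src in USB_ZONE:
        # Hubs only answer sessions; anything outbound is a sign of a rogue host.
        findings.append(f"USB zone host {flow.src} initiated connection to {flow.dst}")
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each non-compliant record to its findings."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        findings = check_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records: one compliant session, four violations, one unrelated flow.
SAMPLE_FLOWS = [
    "src=10.20.5.14 dst=10.99.0.10 dport=3240 dev=0529:0001",
    "src=10.20.7.99 dst=10.99.0.10 dport=3240 dev=0529:0001",
    "src=10.20.5.15 dst=10.99.0.42 dport=3240",
    "src=10.99.0.11 dst=8.8.8.8 dport=443",
    "src=10.20.5.14 dst=10.99.0.11 dport=3240 dev=096e:0006",
    "src=10.20.5.14 dst=10.20.5.15 dport=22",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS).items():
        print(line)
        for f in findings:
            print("   -", f)
```

The same allowlist doubles as the specification for the VLAN ACL or firewall policy: everything the audit flags is a flow the segregation should already have dropped, so a non-empty report means either the rules or the inventory of hubs and dongles has drifted.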
TheVMinator
Expert

OK, great, thanks.
