I have some dongles with license keys that are supposed to be used for various applications within the virtual infrastructure. If the goal is 100% virtualization in a multitenant environment, how can I move toward that and still allow these applications to access their dongle? I don't want to stick hardware usb appliances all over the datacenter. Has anyone faced this problem?
Hello,
It depends on the dongles. Parallel dongles have to be connected to the server. Serial and USB may be able to use over-IP products. You could have one and just lock it in a closet/rack somewhere and mount them to the appropriate VM as required. Some of the dongles do not work over IP, however.
Most people I talk to use USB or Serial over IP devices. This also helps in case you have to move a VM using vMotion; a pinned VM cannot move easily. So this is the approach I would take, with the use of a USB or Serial trust zone and limiting physical and network access to these devices.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
OK great - I'm somewhat unfamiliar with what you mean by a "USB trust zone". If I use a USB over IP hardware device, where do I create the "USB trust zone"? Do you mean just an isolated VLAN on the network with an associated virtual switch port group?
Hello,
Unless you have a compensating control such as a locked cabinet with limited access to the keys, aka physical security, then assume the USB over IP is an untrusted security zone; as such, it should be segregated from the rest of your network. You can use VLANs or you could use a firewall. Either way you need some way to ensure the only thing on the USB network is USB devices coming from a specific set of IP addresses and a specific set of devices. A blend of physical and virtual security is needed here.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
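One way to make the "USB trust zone" concrete is to write the policy down as an allowlist and audit the USB VLAN's flow logs against it: the only traffic that belongs there is USB-over-IP from a known set of VMs to a known set of appliances, carrying a known set of dongles. The script below is an added example, not code from this thread or from any USB-over-IP product. It assumes the Linux usbip default port 3240/tcp (a hardware appliance may use a different port), and the IP addresses, vendor:product IDs and log-line format are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Zone policy (all values constructed for this example).
# 3240/tcp is the Linux usbip default; adjust for the appliance actually in use.
USBIP_PORT = 3240
USBIP_SERVERS = {ipaddress.ip_address(a) for a in ("10.99.0.11", "10.99.0.12")}   # appliances
USBIP_CLIENTS = {ipaddress.ip_address(a) for a in ("10.99.0.101", "10.99.0.102")}  # licensed VMs
ALLOWED_DEVICES = {"aaaa:0001", "aaaa:0002"}  # constructed VID:PID values for the dongles


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form
    'src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        fields["proto"].lower(),
        int(fields["dport"]),
    )


def flow_allowed(flow: Flow) -> bool:
    """A flow is permitted only if a known VM opens USB/IP to a known appliance.
    Anything else on the USB VLAN (management access to the appliance, an
    unknown client, the appliance initiating connections) is a violation."""
    return (
        flow.proto == "tcp"
        and flow.dport == USBIP_PORT
        and flow.src in USBIP_CLIENTS
        and flow.dst in USBIP_SERVERS
    )


def device_allowed(vid_pid: str) -> bool:
    """Only the inventoried dongles may be exported into the zone."""
    return vid_pid.lower() in ALLOWED_DEVICES


def attach_allowed(client_ip: str, server_ip: str, vid_pid: str) -> bool:
    """Combined check for a device attach: endpoints and device must all be known."""
    flow = Flow(ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip), "tcp", USBIP_PORT)
    return flow_allowed(flow) and device_allowed(vid_pid)


def audit_flows(lines):
    """Return the flow-log lines that violate the zone policy."""
    return [line for line in lines if not flow_allowed(parse_flow(line))]


# Constructed sample flow log for the USB VLAN.
SAMPLE_LOG = [
    "src=10.99.0.101 dst=10.99.0.11 proto=tcp dport=3240",   # allowed
    "src=10.99.0.102 dst=10.99.0.12 proto=tcp dport=3240",   # allowed
    "src=10.99.0.101 dst=10.99.0.11 proto=tcp dport=22",     # management access from a VM
    "src=10.99.0.150 dst=10.99.0.11 proto=tcp dport=3240",   # unknown client
    "src=10.99.0.101 dst=10.99.0.12 proto=udp dport=3240",   # wrong protocol
    "src=10.99.0.11 dst=10.99.0.101 proto=tcp dport=3240",   # appliance initiating
]

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_LOG):
        print("VIOLATION:", violation)
```

The same allowlist is what the VLAN ACL or firewall between the USB zone and the rest of the network should enforce; running the audit against exported flow logs catches drift between the rules you think are in place and the traffic actually crossing the zone.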
OK, great, thanks.