Am very much new to VM environment.I have a folowwing query and need u guys suggestions.
I have a ESX server cluster environment with 2 ESX host and 50 virtual machines.The storage for the virtual machines are via iSCSI connection to the NetApp Filer via FibreChannel.
I need to have some restriction regarding the data that can be access from these virtual server.The OS installe din these VM are RHEL5.I need some mechanism with which i can restrict user group to only read the information from storage media (NetApp Filer) and cannot copy out any information.
As the information is Customer specefic,is it possible to set up some kind of restriction level for each customer group.
Bu customer i mean to ay the outside vendor who can also access our server via VPN.Please let me know how can i restrict to only readout but cannot copy out the file.
Thanx in advance.
We store nothing really on the HOST datastrore,its only on the VM storage (ie) the NetApp storage Filer.The database is actually store don the Filer and not on the ESX host.The data may include the Design and layout based information which are very confidential (Customer specefic)
because are the data is stored inside a VMDK inside a datastore, a user connected via VPN will only be able to access the data via the redhat virtual machine attached to the VMDK. the traditional way of protecting your server for unauthorized access apply here is no different for virtual machine.
From the ESX side of things.
VMFS uses file level locking of the vmdk and snapshots.In other words while VM is up and running you should not be able to copy them.
You do need to be carefull with some of the dump files and log files as information on those is ussually unlocked and not encrypted.
I think i need to clarify my question again....Here goes the scenario...
We have TWO ESX host server with only 50gb HDD....so we are not goign to install VM with storage from ESX server.So we rather install VM on top of ESX HOST with storage being shared with a NetApp Filer storage server using fibrechannel (Hope this part is clear enough)
Finally all our files and database will be stored in this NetApp filer server.The user can access these data via File share through these VM installed on ESX host.I want a way to ensure that when user login to the VM to acces data in the TD filer server ,they can only view the files and cannot copy out any files/folders from their.In short i need to safeguard my database and other file in NetApp server.
Do we need to setup any Firewall setting to achieve the same.or do we have any kind of setting in VM to achieve this.
depending on how you share your storage to what options you have
If you plan to use NFS then you need to set your access to your storage on your netapps. That would be where you would set your security. Ideally you should be able to limit your access there to just your ESX servers and backup server (if you have one) Problem is NFS is a pretty open protocol
If your netapps allow you to share out using iscsi you can actually then use chap authentication for better security.