ashesh
Contributor
Contributor

securing data

Hi All,

Am very much new to VM environment.I have a folowwing query and need u guys suggestions.

I have a ESX server cluster environment with 2 ESX host and 50 virtual machines.The storage for the virtual machines are via iSCSI connection to the NetApp Filer via FibreChannel.

I need to have some restriction regarding the data that can be access from these virtual  server.The OS installe din these VM are RHEL5.I need some mechanism with which i can restrict user group to only read the information from storage media (NetApp Filer) and cannot copy out any information.

As the information is Customer specefic,is it possible to set up some kind of restriction level for each customer group.

Bu customer i mean to ay the outside vendor who can also access our server via VPN.Please let me know how can i restrict to only readout but cannot copy out the file.

Thanx in advance.

0 Kudos
9 Replies
ashesh
Contributor
Contributor

We store nothing really on the HOST datastrore,its only  on the VM storage (ie) the NetApp storage Filer.The database is actually store don the Filer and not on the ESX host.The data may include the Design and layout based information which are very confidential (Customer specefic)

0 Kudos
idle-jam
Immortal
Immortal

because are the data is stored inside a VMDK inside a datastore, a user connected via VPN will only be able to access the data via the redhat virtual machine attached to the VMDK. the traditional way of protecting your server for unauthorized access apply here is no different for virtual machine.

0 Kudos
ashesh
Contributor
Contributor

ok...so is it even possible to just restrict user to read but not copy out the files?

If yes then what settings are to be made...can be please elaborate on that.

0 Kudos
opbz
Hot Shot
Hot Shot

From the ESX side of things.

VMFS uses file level locking of the vmdk and snapshots.In other words while VM is up and running you should not be able to copy them.

You do need to be carefull with some of the dump files and log files as information on those is ussually unlocked and not encrypted.

idle-jam
Immortal
Immortal

how do your user access the data in the first place? via web? via file share?

0 Kudos
ashesh
Contributor
Contributor

its via file share

0 Kudos
ashesh
Contributor
Contributor

I think i need to clarify my question again....Here goes the scenario...

We have TWO ESX host server with only 50gb HDD....so we are not goign to install VM with storage from ESX server.So we rather install VM on top of ESX HOST with storage being shared with a NetApp Filer storage server using fibrechannel (Hope this part is clear enough)

Finally all our files and database will be stored in this NetApp filer server.The user can access these data via File share through these VM installed on ESX host.I want a way to ensure that when user login to the VM to acces data in the TD filer server ,they can only view the files and cannot copy out any files/folders from their.In short i need to safeguard my database and other file in NetApp server.

Do we need to setup any Firewall setting to achieve the same.or do we have any kind of setting in VM to achieve this.

Thanx

0 Kudos
ashesh
Contributor
Contributor

Any solutions?

0 Kudos
opbz
Hot Shot
Hot Shot

Hi,

depending on how you share your storage to what options you have

If you plan to use NFS then you need to set your access  to your storage on your netapps. That would be where you would set your security. Ideally you should be able to limit your access there to just your ESX servers and backup server (if you have one) Problem is NFS is a pretty open protocol

If your netapps allow you to share out using iscsi you can actually then use chap authentication for better security.

0 Kudos