cmbwml1
Enthusiast

security delegation of VLAN and LUN for customer isolation

Does anyone know if vSphere will provide AD based security delegation of VLANs and LUNs? I need to prevent paying customers in resource pools from accessing other customer networks and virtual disks. The lack of permissions on LUNs and VLANs has forced me to build isolated clusters in a datacenter in order to provide security boundaries.

Any info is greatly appreciated as I am about to buy new hardware for yet another cluster.

Thanks,

-Chris


Accepted Solutions
Texiwill
Leadership

Hello,

If you allow your customers to use vCenter then you have quite a few problems already, but in general you can use roles and perms to deny access to certain things. Delegation is NOT supported however. You may also want to look into

So in general, NO, AD Network/LUN delegation is NOT supported. You can set up a virtual network so that one customer cannot access any other virtual network. You can have a LUN or LUNs per Customer. But if you need to grant vCenter access (I would never do this) then you may want to look at the HyTrust Appliance.

At the moment you have physical constraints with LUNs and virtual networking design that will protect your networks. Note you can include in this design VMware vShield Zones, which will aid in protecting one network from another, etc.; i.e. it's like a packet filtering firewall.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Author of the books 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' available for pre-order now
'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

5 Replies
cmbwml1
Enthusiast

Thank you for letting me know that delegation for VLANs is not available in vSphere.

In our university setting we provide a central hosting infrastructure for individual college system administrators to manage their own servers. We sell resource pools to the college and cap the amount of memory and CPU resources based on how much they paid for. Our hope is to centralize the institute server purchases to maximize the return on the institute's capital expenditure. With a large ESX cluster I can replace 20% of the hardware annually and give annual increases of memory and CPU to our customers at a set price.

Some of our customers had their own ESX environments and are competent at using Virtual Center to manage their VMs. I restrict their access to their resource pools so that they can't see servers from other colleges. The only thing right now I can't restrict them from seeing is the networks and LUNs. I keep our Active Directory, Exchange, Virtual Center, and Cisco management networks and servers on a separate cluster to prevent customers from seeing those LUNs and virtual disks.

I will take a look at HyTrust and see if the cost and features work for us. I was reading about VMware's vShield Zones and assume that it will not prevent a customer from changing a VM's configuration to point to another VLAN network. Is that correct?

Thanks again for responding.

Chris Butler

Texiwill
Leadership

Hello,

> I will take a look at HyTrust and see if the cost and features work for us. I was reading about VMware's vShield Zones and assume that it will not prevent a customer from changing a VM's configuration to point to another VLAN network. Is that correct?

VMware vSphere with the latest vCenter has more granular permissions, and while 'delegation' is not available you may be able to restrict on which networks and LUNs a VM can reside using these. You can definitely do this using the HyTrust appliance now. But without vSphere the other granularity is not supported.

vShield Zones is more a vSwitch level firewall than a tool to do what you want to do.


Best regards,
Edward L. Haletky
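The granular object-level permissions mentioned above can be scripted so that a customer's AD group holds the "Assign network" and datastore privileges only on its own port group and LUN. This is an added PowerCLI example, not code from the thread or from VMware; the vCenter name, the AD group, the resource pool, the port group and the datastore names are assumed.

```powershell
# Added example (not from the thread). Assumes vCenter 'vc.example.edu', AD group
# 'CAMPUS\CollegeA-VMAdmins', resource pool 'CollegeA', standard port group
# 'CollegeA-VLAN110' and datastore 'CollegeA-LUN01' already exist.
Connect-VIServer -Server vc.example.edu

$principal = 'CAMPUS\CollegeA-VMAdmins'

# 1. Role for the customer's resource pool: manage VMs, nothing inventory-wide.
$poolPrivs = Get-VIPrivilege -Id @(
    'Resource.AssignVMToPool',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$poolRole = New-VIRole -Name 'Customer-VMAdmin' -Privilege $poolPrivs

# 2. Roles that are only meaningful on a Network or Datastore object.
$netRole = New-VIRole -Name 'Customer-NetworkUser' `
    -Privilege (Get-VIPrivilege -Id 'Network.Assign')
$dsRole  = New-VIRole -Name 'Customer-DatastoreUser' `
    -Privilege (Get-VIPrivilege -Id @('Datastore.AllocateSpace', 'Datastore.Browse'))

# 3. Bind each role to exactly one object. vCenter denies by default, so the group
#    holds Network.Assign only on its own port group: re-pointing a vNIC at another
#    customer's VLAN fails the permission check on that Network object.
$pool = Get-ResourcePool -Name 'CollegeA'
$net  = Get-View -ViewType Network -Filter @{ Name = '^CollegeA-VLAN110$' } |
        Get-VIObjectByVIView
$ds   = Get-Datastore -Name 'CollegeA-LUN01'

New-VIPermission -Entity $pool -Principal $principal -Role $poolRole -Propagate:$true
New-VIPermission -Entity $net  -Principal $principal -Role $netRole  -Propagate:$false
New-VIPermission -Entity $ds   -Principal $principal -Role $dsRole   -Propagate:$false

# 4. Audit: list every Network object on which this principal has any permission.
#    Expect exactly the customer's own port group; anything more is a leak to fix.
Get-View -ViewType Network | Get-VIObjectByVIView | ForEach-Object {
    $perm = Get-VIPermission -Entity $_ -Principal $principal -ErrorAction SilentlyContinue
    if ($perm) { [pscustomobject]@{ Network = $_.Name; Role = $perm.Role } }
}
```

If the same group also holds a propagating role higher in the inventory (datacenter or folder level), the other Network and Datastore objects inherit that wider grant, so keep customer principals off everything above their resource pool.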
mwronski
Enthusiast

> Thank you for letting me know that delegation for VLANs is not available in vSphere.
>
> I will take a look at HyTrust and see if the cost and features work for us. I was reading about VMware's vShield Zones and assume that it will not prevent a customer from changing a VM's configuration to point to another VLAN network. Is that correct?

Chris,

Reflex Systems has a VMsafe based solution that will allow you to set granular network policy between your different customer zones as well as write policy about VLAN and storage configuration of the VMs. As a VMsafe based solution you can not only write zone based policy but also write VM to VM (essentially host end point control) policies. The product also allows definition of infrastructure policy so things like storage, port group, and other VM configurations can be both monitored and controlled at a zone level. Check it out at

-Mike

mike@reflexsystems.com
echiu
Contributor

Fixing HyTrust search in VMware communities.