Re: vSphere 5.5 Update 1 Hardening Guide Beta 2

mikefoley · ‎05-27-2014

Hi everyone,

Attached is the Beta 2 (2.1 to be exact as I made changes from internal discussions). I've tried to incorporate as much of your feedback as possible. Please review and reply ASAP!

I believe I fixed all the vulnerability and remediation sections that were cut off. Not sure what happened there. I didn't add that to the change log as they never should have changed to begin with.

I've clarified all of the "no-self-signed-certs" guidelines to be more in line with what was published in the ESXi Security Whitepaper

The goal is to go to GA (General Availability) next week the 1st week of June 2014.

Thanks for all your excellent feedback! Send more!

mike

lorengordon · ‎05-28-2014

Thanks for all your work on this Mike!

To update on my last post from the previous thread, we discovered that the VCSA seems to have some requirement for IPv6. Blocking all IPv6 traffic with the firewall will cause vCenter Services to function improperly, even if IPv6 is not actively in use on the network. The issue appears to be that some VCSA services bind to the auto-assigned IPv6 address and some VCSA services connect to that IPv6 address. Often, allowing loopback address connections is sufficient for such traffic between ports on the same system, but in this case it was not (I'm presuming an issue with SSL certificates?). We were able to modify the default `firewall` script to auto-detect the auto-assigned IPv6 address and we added a rule to allow it to connect to itself from that address. That resolved the issue.

There is still a question about exactly which ports, protocols, and directions are required, as the KBs discussing them are not consistent with each other.

I see in this update that it may become unnecessary to lockdown the firewall ourselves, as it may become part of the VCSA setup by default. Definitely looking forward to that!

-Loren

mikefoley · ‎05-28-2014

Loren, do you have the ability to file a bug report on VCSA? If so, that would be very helpful in getting this sorted out.

Do you have a list of the KB's that are conflicting? I can submit that to the KB team and have it addressed.

Thanks!

mike

lorengordon · ‎05-28-2014

I do have the ability, but I don't have the time. Working through support is always so draining for me. (Not a VMware issue, I feel that way about all support services.) Here's my typical experience: They want log bundles and screenshots and they want me to try different things and generate more logs and screenshots and then they go on vacation and I get transferred to a new technician and they have me answer all the same questions and do all the same things, and several months later I get fed up and go on a rant to get the issue escalated and then they finally actually try it themselves and confirm the bug and say the patch will be released in the next quarter, and then they miss it in the patch bundle and I have to go through all this again. Forgive me for being hesitant to subject myself to that if I can avoid it.

The KBs and the port consistency issues I noticed are listed in the post I linked: Re: vSphere 5.5 Update 1 Hardening Guide beta release - Please comment

-Loren

Texiwill · ‎05-28-2014

Hello,

Odd, you can specify not to use an IPv6 address but it creates one anyways. Actually, there is a way to disable it permanently in the underlying Linux installation but it would require modifying the network settings directly in SLES...

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

lorengordon · ‎05-28-2014

Hi Edward,

We didn't go too far down that road because we didn't want to do something that might compromise an upgrade path. We did check the VAMI UI to see if there was a way to set the IPv6 address to 'none' in a manner that might be well-supported, but the only options were 'auto', 'static' and 'dhcp'. There are also messages upon startup that contain warning about disabling IPv6. The messages weren't too clear to me about what it would break or why it would break, but it did make us hesitant to disable IPv6 entirely via the SLES network config.

-Loren

Texiwill · ‎05-28-2014

Hello,

Disabling IPv6 SHOULD not mar anything, but let me check into it and get back to you. May take a while, still recovering from a spectacular SAN outage...

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

rnelson0 · ‎05-28-2014

Mike,

It seems you are aware of some of the Excel "issues", so you probably already know that some columns aren't the right width and some rows aren't the right height. I definitely thing you need to fix the height in particular as a few cells look like complete sentences but there's more to see if you adjust the height. Ex: VUM!G10 - it looks legit, albeit confusing, until you adjust the height and see there are many more lines.

VM!V59-W59 has content. Valid?

VCSA!G5 - Trailing text "Windows SSO prompts during" - extraneous or incomplete thought? Trailing text also present at SSO!G3; vCenterServer!G32, W7, and W34; vNetwork!W22-25; ESXi!W8, W10, W16, VM!W57. There may be more, as not all texts ended with a period and perhaps the sentence was meant to keep going, plus I started to go cross eyed. Perhaps some of this is still the Excel cutoff issue.

Otherwise it looks great, but I won't have time to go throw each line item in detail for at least another month. Hope that helps!

mikefoley · ‎06-04-2014

Great catches Rob. They have all been fixed and were a result of the Excel chopping issue.

Sorry for the delay in responding folks. I'm out sick at the moment.. Hoping to get back to work tomorrow!

As for the VCSA/IPV6 issue, I think we'll have to get that into a bug report while we get the KB fixed. I'll try and get those things moving internally. The Hardening Guide won't change at this point, I'd rather get the things that are broken fixed so that the Hardening Guide is working.

mike

Tsjo · ‎06-10-2014

ESXi!Q3 and ESXi!R3 doesn't seem related to config-firewall-access. esxcli network firewall ruleset list and esxcli network firewall ruleset allowedip list?

ESXi!A39 vpxuser-password-age is a duplicate of vCenterServer!A32

Message was edited because I missed the release.

If you find this information useful, please award points for "correct" or "helpful".

All

vSphere 5.5 Update 1 Hardening Guide Beta 2