VCP6-DCV blueprint section 1: Configure and Administer vSphere 6.x Security – Objective 1.2 – Part 2


In this post we will continue to follow the guideline from the VMware VCP6-DCV blueprint.

This post will include only some of the objectives, and I will continue in the next post.

The objectives for this post are taken from the VMware site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=64180&ui=www_cert

Harden a virtual machine against Denial-of-Service attacks

Control VM-VM communications:

In this section I think that VMware refers to networking security, since VMs can communicate via the local network. For this section I looked at the VMware Security document and also the Security of the VMware vSphere Hypervisor white paper, which are listed in the blueprint tools.


From the white paper: “Just as a physical machine can communicate with other machines in a network only through a network adapter, a virtual machine can communicate with other virtual machines running on the same ESXi host only through a virtual switch. Further, a virtual machine communicates with the physical network, including virtual machines on other ESXi hosts, only through a physical network adapter, unless it uses DirectPath I/O.”

To reduce the chance of packet transmission between VMs that should not talk to each other, VMware offers two solutions:

  • Use separate physical network adapters for virtual machine zones to ensure that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method and is less prone to misconfiguration after the initial segment creation.
  • Set up VLANs to help safeguard your network, because VLANs provide almost all of the security benefits inherent in physically separate networks without the hardware overhead.

Control VM device connections:

Here are some privileges that you can set to control VM device connections (some of them were mentioned in the previous post too):

  • Virtual machine.Interaction.Configure CD media – Allows configuration of a virtual DVD or CD-ROM device (required on: Virtual machines).
  • Virtual machine.Interaction.Configure floppy media – Allows configuration of a virtual floppy device (required on: Virtual machines).
  • Virtual machine.Interaction.Console interaction – Allows interaction with the virtual machine’s virtual mouse, keyboard, and screen.
  • Virtual machine.Interaction.Device connection – Allows changing the connected state of a virtual machine’s disconnectable virtual devices.
  • Virtual machine.Interaction.VMware Tools install – Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system.


Configure network security policies:

In chapter 8 of the VMware security document, VMware covers a lot of network security policies. I will refer ONLY to the VM-related ones; here are the highlights:

Securing vSphere Standard Switches:

You can secure standard switch traffic against Layer 2 attacks by restricting some of the MAC address modes by using the security settings of the switches.

Each virtual machine network adapter has an initial MAC address and an effective MAC address.

Initial MAC address – The initial MAC address is assigned when the adapter is created. Although the initial MAC address can be reconfigured from outside the guest operating system, it cannot be changed by the guest operating system.

Effective MAC address – Each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address that is different from the effective MAC address. The guest operating system is responsible for setting the effective MAC address and typically matches the effective MAC address to the initial MAC address.

MAC Address Changes – The security policy of a virtual switch includes a MAC address changes option. This option affects traffic that a virtual machine receives.

  • Accept option – ESXi accepts requests to change the effective MAC address to a different address than the initial MAC address.
  • Reject option – ESXi does not honor requests to change the effective

Forged Transmits – The Forged transmits option affects traffic that is transmitted from a virtual machine.

  • Accept option – ESXi does not compare source and effective MAC addresses.
  • Reject option – Protects against MAC impersonation: a frame whose source MAC differs from the effective MAC is dropped.

Promiscuous Mode Operation – Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire. By default, the virtual machine adapter cannot operate in promiscuous mode.
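As an added illustration (not code from the VMware documents quoted above), the following Python models how the three standard switch security options gate a VM's frames; the SecurityPolicy and VmPort classes, the sample MAC addresses and the broadcast delivery rule are constructed for this example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"  # assumption for realism: broadcast frames reach every port


@dataclass
class SecurityPolicy:
    """The three standard switch security options; 'Reject' is the hardened value."""
    mac_changes: str = "Reject"       # governs changes to the effective MAC (received traffic)
    forged_transmits: str = "Reject"  # compares source MAC with effective MAC (transmitted traffic)
    promiscuous: str = "Reject"       # default: adapter only sees frames addressed to it


@dataclass
class VmPort:
    """One virtual NIC attached to a standard switch port (constructed model)."""
    initial_mac: str                  # assigned when the adapter was created
    policy: SecurityPolicy = field(default_factory=SecurityPolicy)
    effective_mac: str = ""           # set by the guest OS, normally equal to initial_mac

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()


def request_mac_change(port: VmPort, new_mac: str) -> bool:
    """The guest asks to set a new effective MAC; returns True if ESXi honors it."""
    new_mac = new_mac.lower()
    if port.policy.mac_changes == "Accept" or new_mac == port.initial_mac:
        port.effective_mac = new_mac
        return True
    return False  # Reject: a move away from the initial MAC is not honored


def receives(port: VmPort, dst_mac: str) -> bool:
    """Inbound filter: does a frame with this destination MAC reach the guest?"""
    if port.policy.promiscuous == "Accept":
        return True  # reception filtering removed: guest sees all traffic on the wire
    return dst_mac.lower() in (port.effective_mac, BROADCAST)


def transmits(port: VmPort, src_mac: str) -> bool:
    """Outbound filter: may the guest send a frame claiming this source MAC?"""
    if port.policy.forged_transmits == "Accept":
        return True  # ESXi does not compare source and effective MAC
    return src_mac.lower() == port.effective_mac  # Reject: blocks MAC impersonation
```

With the default Reject settings a guest that rewrites its MAC neither receives frames for the new address nor sends frames with it; setting all three options to Accept removes those checks.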

Harden ESXi Hosts

Enable/Configure/Disable services in the ESXi firewall:

To enable, configure, or disable firewall services:

vCenter >> Hosts and Clusters >> highlight the host >> Manage >> Settings >> Security Profile >> Firewall >> Edit

[screenshot: firewall]

Change default account access and enable lockdown mode:

To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, operations must be performed through vCenter Server by default.

Lockdown mode offers different degrees of lockdown. vSphere 6.0 also introduces the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. Use the Exception User list to add the accounts of third-party solutions and external applications that need to access the host directly when the host is in lockdown mode.

[screenshot: lockdown mode]

Apply permissions to ESXi Hosts using Host Profiles:

Host profiles allow you to set up standard configurations for your ESXi hosts and automate compliance to these configuration settings. Host profiles allow you to control many aspects of host configuration including memory, storage, networking, and so on.

You can configure host profiles for a reference host from the vSphere Web Client and apply the host profile to all hosts that share the characteristics of the reference host. You can also use host profiles to monitor hosts for host configuration changes. See the vSphere Host Profiles documentation. You can attach the host profile to a cluster to apply it to all hosts in the cluster.

Procedure

  • Set up the reference host to specification and create a host profile.
  • Attach the profile to a host or cluster.
  • Apply the host profile of the reference host to other hosts or clusters.

From vCenter >> Host Profiles >> Add (+)

[screenshot: host profile]

Control access to hosts (DCUI/Shell/SSH/MOB)

To control access to hosts, we can configure how services run on our hosts:

vCenter >> Hosts and Clusters >> highlight the host >> Manage >> Settings >> Security Profile >> Services >> Edit

[screenshot: services]

As far as controlling the MOB, I found this VMware KB article: http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2108405, which describes how to control the MOB.

Starting with vSphere 6.0 the Managed Object Browser is disabled by default to avoid malicious configuration changes or actions. You can enable and disable the Managed Object Browser manually.

To enable or disable the Managed Object Browser:

vCenter >> Hosts and Clusters >> highlight the host >> Manage >> Settings >> Advanced System Settings >> Config.HostAgent.plugins.solo.enableMob >> Edit

[screenshot: Config.HostAgent.plugins.solo.enableMob]

Harden vCenter Server

Control datastore browser access:
