In this post we continue to follow the guidelines from the VMware VCP6-DCV blueprint.
This post covers only some of the objectives; the rest will follow in the next post.
The objectives for this post are taken from the VMware site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=64180&ui=www_cert
Harden a virtual machine against Denial-of-Service attacks
Control VM-VM communications:
In this section I think that VMware refers to network security, since VMs can communicate via the local network. For this section I looked at the VMware Security document and also the Security of the VMware vSphere Hypervisor white paper, which is listed in the blueprint tools.
From the whitepaper : “Just as a physical machine can communicate with other machines in a network only through a network adapter, a virtual machine can communicate with other virtual machines running on the same ESXi host only through a virtual switch. Further, a virtual machine communicates with the physical network, including virtual machines on other ESXi hosts, only through a physical network adapter, unless it uses DirectPath I/O.”
To reduce the chances of packets passing between VMs that should not be able to talk to each other, VMware offers two solutions:
- Use separate physical network adapters for virtual machine zones to ensure that the zones are isolated. Maintaining separate physical network adapters for virtual machine zones is probably the most secure method and is less prone to misconfiguration after the initial segment creation.
- Set up VLANs to help safeguard your network. VLANs provide almost all of the security benefits inherent in implementing physically separate networks without the hardware overhead.
In both cases the isolation is only as good as the port group and upstream switch configuration, so the port group to vSwitch (and VLAN ID) mapping should be reviewed whenever a VM is moved between zones.
Control VM device connections:
Here are some privileges that you can set up to control VM device connections (some of them were mentioned in the previous post too):
Virtual machine.Interaction.Configure CD media – Allows configuration of a virtual DVD or CD-ROM device.
Virtual machine.Interaction.Configure floppy media – Allows configuration of a virtual floppy device.
Virtual machine.Interaction.Console interaction – Allows interaction with the virtual machine’s virtual mouse, keyboard, and screen.
Virtual machine.Interaction.Device connection – Allows changing the connected state of a virtual machine’s disconnectable virtual devices.
Virtual machine.Interaction.VMware Tools install – Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system.
Configure network security policies:
In chapter 8 of the VMware security document VMware covers a lot of network security policies. I will refer ONLY to the VM-related ones; here are the highlights:
Securing vSphere Standard Switches:
You can secure standard switch traffic against Layer 2 attacks by restricting some of the MAC address modes by using the security settings of the switches.
Each virtual machine network adapter has an initial MAC address and an effective MAC address.
Initial MAC address – The initial MAC address is assigned when the adapter is created. Although the initial MAC address can be reconfigured from outside the guest operating system, it cannot be changed by the guest operating system.
Effective MAC address – Each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address that is different from the effective MAC address. The guest operating system is responsible for setting the effective MAC address and typically matches the effective MAC address to the initial MAC address.
MAC Address Changes – The security policy of a virtual switch includes a MAC address changes option. This option affects traffic that a virtual machine receives.
- Accept option – ESXi accepts requests to change the effective MAC address to a different address than the initial MAC address.
- Reject option – ESXi does not honor requests to change the effective MAC address to a different address than the initial MAC address, which protects the host against MAC impersonation.
Forged Transmits – The Forged transmits option affects traffic that is transmitted from a virtual machine.
- Accept option – ESXi does not compare source and effective MAC addresses.
- Reject option – ESXi compares the source MAC address of every frame the guest sends with the adapter’s effective MAC address and drops frames that do not match, which protects against MAC impersonation.
Promiscuous Mode Operation – Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs, so that the guest operating system receives all traffic observed on the wire. By default, the virtual machine adapter cannot operate in promiscuous mode (the option is set to Reject). Leave it at Reject unless a specific VM needs to sniff traffic (a network IDS appliance, for example), and in that case enable it on a dedicated port group rather than on the whole switch; otherwise a compromised VM can read every frame on its port group.
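As an added example (not code from the original post or from VMware), the following ESXi Shell script ties the two VM-VM controls above together: it builds an isolated, VLAN-tagged port group on a vSwitch with its own physical uplink, and it audits and hardens the three Layer 2 security options (MAC address changes, forged transmits, promiscuous mode). It assumes the esxcli `network vswitch standard` command set and the `policy security get` output format shown in the constructed sample; vSwitch1, vmnic1, the DMZ port group and VLAN 100 are placeholder names.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Runs in the ESXi Shell (busybox ash). Set ESXCLI=echo for a dry run.
ESXCLI="${ESXCLI:-esxcli}"

# Constructed sample, in the format of
#   esxcli network vswitch standard policy security get -v vSwitch0
# Two of the three options here are Accept (true), the weak setting.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Read "policy security get" output on stdin and print one WEAK line for
# every option that is not "false" (Reject). Returns 0 when all three are
# Reject, 1 when at least one is Accept.
audit_vswitch_security() {
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"Allow Promiscuous:"*|*"Allow MAC Address Change:"*|*"Allow Forged Transmits:"*) ;;
            *) continue ;;
        esac
        value=${line##*: }
        if [ "$value" != "false" ]; then
            printf 'WEAK %s\n' "$line"
            weak=1
        fi
    done
    return "$weak"
}

# Set all three options to Reject on a standard vSwitch. Port groups inherit
# this unless they override it, so audit port-group policies as well.
harden_vswitch() {
    "$ESXCLI" network vswitch standard policy security set \
        --vswitch-name="$1" \
        --allow-promiscuous=false \
        --allow-mac-change=false \
        --allow-forged-transmits=false
}

# Create an isolated zone: a new vSwitch bound to its own physical uplink,
# with a VLAN-tagged port group for the VMs of that zone, then harden it.
# usage: create_zone <vswitch> <uplink-vmnic> <portgroup> <vlan-id>
create_zone() {
    vswitch=$1 uplink=$2 portgroup=$3 vlan=$4
    "$ESXCLI" network vswitch standard add --vswitch-name="$vswitch"
    "$ESXCLI" network vswitch standard uplink add --vswitch-name="$vswitch" --uplink-name="$uplink"
    "$ESXCLI" network vswitch standard portgroup add --vswitch-name="$vswitch" --portgroup-name="$portgroup"
    "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$portgroup" --vlan-id="$vlan"
    harden_vswitch "$vswitch"
}

# Command-line entry points (no-op when the file is only sourced):
#   sh vswitch_zones.sh audit vSwitch0
#   sh vswitch_zones.sh harden vSwitch0
#   sh vswitch_zones.sh zone vSwitch1 vmnic1 DMZ 100
case "${1:-}" in
    audit)  "$ESXCLI" network vswitch standard policy security get -v "$2" | audit_vswitch_security ;;
    harden) harden_vswitch "$2" ;;
    zone)   create_zone "$2" "$3" "$4" "$5" ;;
esac
```

The audit reads the esxcli output rather than calling esxcli itself, so the same function can be run against output collected from many hosts; a non-zero exit from `audit` is the signal to run `harden` on that switch.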
Harden ESXi Hosts
Enable/Configure/Disable services in the ESXi firewall:
To enable, configure and disable firewall services:
vCenter >> Hosts and Clusters >> select the host >> Manage >> Settings >> Security Profile >> Firewall >> Edit
Change default account access and enable lockdown mode.
To increase the security of your ESXi hosts, you can put them in lockdown mode. In lockdown mode, operations must be performed through vCenter Server by default.
Lockdown mode offers different degrees of lockdown (normal and strict). vSphere 6.0 also introduces the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. Use the Exception User list to add the accounts of third-party solutions and external applications that need to access the host directly when the host is in lockdown mode; keep the list short and do not put interactive administrator accounts on it, since that defeats the purpose of lockdown mode.
Apply permissions to ESXi Hosts using Host Profiles:
Host profiles allow you to set up standard configurations for your ESXi hosts and automate compliance to these configuration settings. Host profiles allow you to control many aspects of host configuration including memory, storage, networking, and so on.
You can configure a host profile from a reference host in the vSphere Web Client and apply it to all hosts that share the characteristics of the reference host. You can also use host profiles to monitor hosts for configuration changes (see the vSphere Host Profiles documentation), and you can attach a host profile to a cluster to apply it to all hosts in the cluster. For this objective the relevant part of the profile is its Security and Services section, where permission rules (a user or group plus a role) are defined once and then applied to every attached host.
- Set up the reference host to specification and create a host profile.
- Attach the profile to a host or cluster.
- Apply the host profile of the reference host to the other hosts or clusters, then check compliance.
From vCenter >> Host Profiles >> Add (+)
Control access to hosts (DCUI/Shell/SSH/MOB)
To control access to a host we configure which services are running on it (SSH, ESXi Shell, DCUI) and whether they start automatically:
vCenter >> Hosts and Clusters >> select the host >> Manage >> Settings >> Security Profile >> Services >> Edit
As far as controlling the MOB, I found this VMware KB article: http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2108405
which describes how to control the MOB.
Starting with vSphere 6.0 the Managed Object Browser is disabled by default to avoid malicious configuration changes or actions. You can enable and disable the Managed Object Browser manually; the KB does this through the host advanced setting Config.HostAgent.plugins.solo.enableMob, so that setting is also what to check when auditing a host.
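The Web Client path above is fine for one host; for a fleet you want something scriptable. The following ESXi Shell script is an added example (not code from the post, the KB, or VMware) that audits the host firewall and the MOB setting from their CLI output and emits the esxcli and vim-cmd remediation. It assumes the output formats of `esxcli network firewall ruleset list` and of `vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob` shown in the constructed samples, and the allow-list of rulesets is a placeholder to adapt to your environment.

```shell
#!/bin/sh
# Added example, not code from the original post, the KB or VMware.
# Runs in the ESXi Shell. Set ESXCLI=echo and VIMCMD=echo for a dry run.
ESXCLI="${ESXCLI:-esxcli}"
VIMCMD="${VIMCMD:-vim-cmd}"

# Rulesets that may stay enabled on this host (placeholder list; adapt it).
ALLOWED_RULESETS="${ALLOWED_RULESETS:-vSphereClient vMotion ntpClient DHCPv6 DVSSync}"

# Constructed sample in the format of: esxcli network firewall ruleset list
SAMPLE_RULESETS='Name                   Enabled
---------------------  -------
sshServer                 true
sshClient                false
vSphereClient             true
nfsClient                 true
ntpClient                 true'

# Constructed sample in the format of:
#   vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob
SAMPLE_MOB_ENABLED='(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = true
   }
]'

# Read a ruleset list on stdin; print "DISABLE <ruleset>" for every enabled
# ruleset that is not allow-listed. Returns 1 if any such ruleset exists.
audit_firewall_rulesets() {
    found=0
    while read -r name enabled rest; do
        [ "$enabled" = "true" ] || continue      # also skips header and dashes
        case " $ALLOWED_RULESETS " in
            *" $name "*) continue ;;
        esac
        printf 'DISABLE %s\n' "$name"
        found=1
    done
    return "$found"
}

# Read advopt output on stdin; returns 0 only if the MOB is explicitly
# disabled (value = false). Anything else is treated as enabled.
mob_disabled() {
    grep -q 'value = false'
}

disable_ruleset() {
    "$ESXCLI" network firewall ruleset set --ruleset-id="$1" --enabled=false
}

# Keep a ruleset (e.g. sshServer for break-glass access) but accept traffic
# only from the given management subnets instead of from anywhere.
# usage: restrict_ruleset <ruleset> <cidr>...
restrict_ruleset() {
    ruleset=$1; shift
    "$ESXCLI" network firewall ruleset set --ruleset-id="$ruleset" --allowed-all=false
    for cidr in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add --ruleset-id="$ruleset" --ip-address="$cidr"
    done
}

disable_mob() {
    "$VIMCMD" hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool false
}

# Turn the SSH and ESXi Shell services off again after maintenance.
disable_shell_access() {
    "$VIMCMD" hostsvc/disable_ssh
    "$VIMCMD" hostsvc/disable_esx_shell
}

#   sh host_access.sh audit     # report; exits 1 when something is open
case "${1:-}" in
    audit)
        rc=0
        "$ESXCLI" network firewall ruleset list | audit_firewall_rulesets || rc=1
        if "$VIMCMD" hostsvc/advopt/view Config.HostAgent.plugins.solo.enableMob | mob_disabled; then
            echo "MOB: disabled"
        else
            echo "MOB: enabled (run disable_mob)"; rc=1
        fi
        exit "$rc"
        ;;
esac
```

Restricting a ruleset to management subnets is the middle ground between leaving SSH open to the world and disabling it; it is also the setting most often left at "All" after a troubleshooting session, which is why the audit reports it separately from the service state.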
Harden vCenter Server
Control datastore browser access:
Access to the datastore browser is governed by the Datastore.Browse datastore privilege (Datastore.Low level file operations additionally allows read, write, delete and rename operations in the browser). Assign these only to roles that genuinely need to upload, download or manage files on datastores, since anyone holding them can copy VM disk files off the datastore.
Create/Manage vCenter Server Security Certificates
This is a BIG subject since a lot has changed from the previous vSphere version. Before you continue to read my summarized notes, please watch the following video (the link is from the VMware security document): http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_vsphere6_cert_infrastructure
Here is a link to everything you want to know about certificates: https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-3D0DE463-D0EC-442E-B524-64759D063E25.html
In vSphere 6.0 the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with certificates that are signed by VMCA by default.
For vCenter Server, you can view and replace certificates with the following tools and interfaces:
- vSphere Certificate Manager utility: performs all common certificate replacement tasks from the command line.
- Certificate management CLIs: perform all certificate management tasks with dir-cli, certool, and vecs-cli.
- vSphere Web Client certificate management: view certificates, including expiration information.
Supported vCenter certificates:
- Certificates that are generated by VMCA
- Custom certificates
- Enterprise certificates that are generated by your own internal PKI
- Third-party CA-signed certificates that are generated by an external PKI
Self-signed certificates that were created using OpenSSL, in which no Root CA exists, are not supported.
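Before feeding a certificate to the Certificate Manager it is worth checking which of the categories above it falls into. The following shell function is an added example (not code from the post or from VMware): it uses the openssl CLI to tell a self-signed certificate (unsupported) from one that chains to a CA bundle you supply. File paths are arguments; nothing about VMCA or vCenter is assumed beyond the rule stated above.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Requires the openssl CLI. usage: classify_cert <cert.pem> [ca-bundle.pem]
# Prints exactly one of:
#   self-signed   subject and issuer are the same entity (no Root CA): unsupported
#   ca-signed     the certificate verifies against the supplied CA bundle
#   unverified    issuer differs from subject but no bundle verified it
# Exit status is 0 only for ca-signed, 1 otherwise, 2 if openssl cannot parse it.
classify_cert() {
    cert=$1
    bundle=${2:-}
    # Compare canonical name hashes rather than the printed DN strings, so
    # formatting differences across openssl versions do not matter. (A CA
    # that deliberately reuses the leaf's DN would also match; that is rare.)
    subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    if [ "$subj" = "$iss" ]; then
        echo self-signed
        return 1
    fi
    if [ -n "$bundle" ] && openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo ca-signed
        return 0
    fi
    echo unverified
    return 1
}

# Batch wrapper, e.g. before running Certificate Manager on a set of files:
# prints "<file>: <class>" per file and exits non-zero if any is unusable.
# usage: check_all <ca-bundle.pem> <cert.pem>...
check_all() {
    bundle=$1; shift
    status=0
    for f in "$@"; do
        cls=$(classify_cert "$f" "$bundle") || status=1
        printf '%s: %s\n' "$f" "$cls"
    done
    return "$status"
}

#   sh cert_check.sh check ca-bundle.pem machine-ssl.pem
case "${1:-}" in
    check) shift; check_all "$@" ;;
esac
```

The "unverified" result is the interesting one in practice: it usually means the certificate is fine but the bundle you passed is missing an intermediate, which is exactly what the Certificate Manager will also complain about.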
Control MOB access:
I am still looking for an answer for that; I posted on VMware Communities and will update the post when I get an answer. I didn’t see any mention of it in the security document.
Change default account access:
We need to prevent users from logging in directly to the vCenter Server host machine and give access only to those users who need to perform tasks there.
Restrict administrative privileges:
Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy, so not every administrator should hold it. Instead, create a custom role with the appropriate set of privileges and assign it to the other administrators.