When it comes to security there is always the concerns about the security of the ESXi hypervisor. Its always the hypervisor that is nominated as the layer that can’t be trusted within the IT infrastructure. The whitepaper by Mike Foley tries to give you more insight on how the VMware ESXi hypervisor from a security perspective and what things to look at when securing the hypervisor.
The topics covered in the white paper are:
Secure Virtual Machine Isolation in Virtualization
Deploying and managing a vCNS Edge device with vCloud Director is a pretty easy task to deploy. You just spin up the appliance, integrate it with vCenter and then hook it up to vCloud Director. Piece of vCAC!
But I was trying to dig deeper into the structure of how vCNS Edge devices work and wanted to log in to the Edge device itself. The only problem I was faced with was the fact that I couldn’t log into console of the Edge appliance that was deployed by vCNS manager on my virtual infrastructure. Thankfully the vCNS Manager interface provides you with the possibility to reset the password. So to reset the password and be able to log into the vCNS edge device you have to:
1. Log into the vCNS web interface
2. Select Edges at “View:” in the left corner
3. Select the Edge Gatway you want to log into
4. Click on Actions and select “Change CLI Credentials”
This allows you to set the password for the “admin” account. With these credentials you can login to the vCNS Edge device.
“If you can create it with physical devices, you can build it in your own vCloud”. That’s something I always tell my customers when advising on VMware vCloud. Same goes for VMware vCloud Network and Security, which in my opinion hasn’t shown its full potential to customer yet. Thankfully Shubha Bheemarao and Ranga Maddipudi have created an excellent whitepaper on implementing vCloud Network and Security for a DMZ zone. This paper demonstrates how securing a virtual DMZ environment using VMware vCloud Networking and
Summary of the paper:
This paper highlights how securing a virtual DMZ environment using vCloud Networking and Security can be a strategic enabler to your organization as it helps you to reduce your capital expenditure and increase agility, while building a cloud ready, secure and scalable environment for business applications. The paper also highlights the different design approaches to securing business critical applications and enables you to make the choice that is most suited to your organization in the cloud journey. Further, it gives prescriptive configuration guidance to help you get started with the deployment of your preferred approach.
For more information on vCloud Networking and Security follow @vCloudNetSec on Twitter.
One thing to always take into account while designing and managing your vSphere infrastructure is security. VMware also recognizes this and has several resources available to help you in securing your vSphere infrastructure.
VMware now released a tool to check your security compliancy against the VMware vSphere Hardening Guide. This guide is a set of best practices to harden your vSphere infrastructure. The VMware Compliance Checker checks and reports these settings in easy and simple manner.
VMware Compliance Checker for vSphere lets you:
Check compliance for multiple VMware ESX and ESXi servers concurrently
Run compliance check on up to 5 ESX or ESXi servers at a time and produce reports.
Supports VMware vSphere hardening guidelines
Perform checks on VMware ESX and ESXi servers to conform with the latest VMware vSphere hardening guidelines.
Analyze compliance assessment results
After a compliance run, you can view the assessments by ESX/ESXi hosts, plus guests.
Save and Print assessment results
You can save and print the compliance assessment reports to your team for review and they can be saved for archival needs.
Download your copy of the VMware Compliance Checker here.
This is a free tool and can be used in small and mid-size companies. This tool isn’t a replacement for the security auditing tools out there. If security really is a big deal within your infrastructure take a look at the compliance center by VMware
This guide is the official security hardening guide by VMware. It will help you configure your VMware vSphere 4.1 Infrastructure in such a way that your infrastructure will be protected against all kinds of security risks.
I find these security hardening guides very handy in helping me to understand all the areas that I need to look into to protect my vSphere Infrastructure. I’m not a security expert and most security experts I talk to don’t have enough knowledge of vSphere to give good advice on the best way to protect your vSphere Infrastructure. This document fills the knowledge gap between both areas of expertise.
Notice that this document is a best practice document. Please read the document carefully before implementing all the security configuration items into your vSphere infrastructure. My advice is to use the security guide as the standard and document all the security configuration items that you do not implement into your vSphere infrastructure. Also document why you didn’t implement the recommended security settings into your vSphere infrastructure. There can be a valid reason for it, but this way you have documented the reason and can always explain your security configuration settings to the security team in the future.
Scope
This set of documents provides guidance on how to securely deploy VMware® vSphere™ 4.1 (“vSphere”) in a production environment. The focus is on initial configuration of the virtualization infrastructure layer, which covers the following:
-‐ The virtualization hosts (both VMware ESX® 4 and VMware ESXi™ 4)
-‐ Configuration of the virtual machine container (NOT hardening of the guest operating system (OS) or any applications running within)
-‐ Configuration of the virtual networking infrastructure, including the management and storage networks as well as the virtual switch (but NOT security of the virtual machine’s network)
-‐ VMware vCenter™ Server, its database and client components
-‐ VMware Update Manager (included because the regular update and patching of the ESX/ESXi hosts and the virtual machine containers are essential to maintaining the security of the environment)
You can download the Security Hardening Guide for vSphere 4.1 over here.
