VMware vSphere Security Cookbook
By Mike Greer
()
About this ebook
Within the IT field, security is often a low priority when it comes to building new environments. As security compliance continues to gain prominence, proper and secure product configuration becomes even more important. Applying security to a complex virtual environment can be a daunting and time-consuming endeavor. This book provides a perfect plan for step-by-step configuration of vSphere 5.5 and its associated components.
The book starts by showing you how to configure the core vSphere components of the ESXi host before covering guest virtual machine security, user management, and network and storage security. Moving ahead, you will learn specifically about the configuration of X.509 certificates utilizing the SSL Certificate Automation Tool. The book concludes by taking you through VXLAN virtual wire configuration.
Related to VMware vSphere Security Cookbook
Related ebooks
VMware View Security Essentials Rating: 0 out of 5 stars0 ratingsElastix Unified Communications Server Cookbook Rating: 0 out of 5 stars0 ratingsHyper-V Security Rating: 0 out of 5 stars0 ratingsOpenStack Networking Cookbook Rating: 0 out of 5 stars0 ratingsMicrosoft System Center Data Protection Manager 2012 R2 Cookbook Rating: 0 out of 5 stars0 ratingsvSphere Virtual Machine Management Rating: 0 out of 5 stars0 ratingsManaging Virtual Infrastructure with Veeam® ONE™ Rating: 0 out of 5 stars0 ratingsVMware vRealize Orchestrator Cookbook Rating: 0 out of 5 stars0 ratingsVirtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting Rating: 0 out of 5 stars0 ratingsWindows Server 2012 Hyper-V Cookbook Rating: 0 out of 5 stars0 ratingsPractical Linux Security Cookbook Rating: 0 out of 5 stars0 ratingsLearning Veeam® Backup & Replication for VMware vSphere Rating: 5 out of 5 stars5/5WildFly Cookbook Rating: 0 out of 5 stars0 ratingsHybrid Cloud Complete Self-Assessment Guide Rating: 0 out of 5 stars0 ratingsLearning Puppet for Windows Server Rating: 0 out of 5 stars0 ratingsSecurity, Privacy, and Digital Forensics in the Cloud Rating: 0 out of 5 stars0 ratingsConfiguring IPCop Firewalls: Closing Borders with Open Source Rating: 0 out of 5 stars0 ratingsCybersecurity Regulations A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCheckPoint NG VPN 1/Firewall 1: Advanced Configuration and Troubleshooting Rating: 0 out of 5 stars0 ratingsGetting Started with Citrix XenApp 6.5 Rating: 0 out of 5 stars0 ratingsSnort Intrusion Detection and Prevention Toolkit Rating: 5 out of 5 stars5/5Hyper-V Network Virtualization Cookbook Rating: 0 out of 5 stars0 ratingsCloud Computing… Commoditizing It: The Imperative Venture for Every Enterprise Rating: 0 out of 5 stars0 ratingsCybersecurity Charter Standard Requirements Rating: 0 out of 5 stars0 ratingsRed Hat Certified Architect A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsInstant Citrix Security How-to Rating: 0 out of 5 stars0 ratingsNagios 3 Enterprise Network Monitoring: Including Plug-Ins and Hardware Devices Rating: 0 out of 5 stars0 ratingsLearning AirWatch Rating: 5 out of 5 stars5/5Backup and Restore The Ultimate Step-By-Step Guide Rating: 0 out of 5 stars0 ratingsPrivacy And Cybersecurity A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratings
Security For You
Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5Mike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Amazon Web Services (AWS) Interview Questions and Answers Rating: 5 out of 5 stars5/5Game Console Hacking: Xbox, PlayStation, Nintendo, Game Boy, Atari and Sega Rating: 0 out of 5 stars0 ratingsMake Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5Hacking for Beginners: Mastery Guide to Learn and Practice the Basics of Computer and Cyber Security Rating: 0 out of 5 stars0 ratingsHacking For Dummies Rating: 4 out of 5 stars4/5Cybersecurity For Dummies Rating: 4 out of 5 stars4/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Ultimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5Practical Ethical Hacking from Scratch Rating: 5 out of 5 stars5/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5How to Hack Like a GOD: Master the secrets of hacking through real-life hacking scenarios Rating: 4 out of 5 stars4/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsPractical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Codes and Ciphers - A History of Cryptography Rating: 4 out of 5 stars4/5IAPP CIPP / US Certified Information Privacy Professional Study Guide Rating: 0 out of 5 stars0 ratingsMike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5Dark Territory: The Secret History of Cyber War Rating: 4 out of 5 stars4/5CompTIA Network+ Certification Guide (Exam N10-008): Unleash your full potential as a Network Administrator (English Edition) Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Certification Study Guide, Fourth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5
Reviews for VMware vSphere Security Cookbook
0 ratings0 reviews
Book preview
VMware vSphere Security Cookbook - Mike Greer
Table of Contents
VMware vSphere Security Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Instant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Threat and Vulnerability Overview
Introduction
Risk overview
Understanding defense-in-depth
Hypervisor threats
Hypervisor vulnerabilities
Guest virtual machine threats
Guest virtual machine vulnerabilities
Network threats
Network vulnerabilities
Storage threats
Storage vulnerabilities
Physical threats
Physical vulnerabilities
Security concepts
References
Summary
2. ESXi Host Security
Introduction
Hardening the host via Console
Getting ready
How to do it…
How it works…
There's more
Hardening the host via vSphere Client
Getting ready
How to do it…
How it works…
Configuring host services
Getting ready
How to do it…
How it works…
Configuring the host firewall
Getting ready
How to do it…
How it works…
There's more
TPM encryption
See also
3. Configuring Virtual Machine Security
Introduction
Configuring administrative access options
Getting ready
How to do it…
How it works…
Securing the guest OS
Getting ready
How to do it…
Configuring the Windows 7 guest OS security
Getting ready
How to do it…
How it works…
Configuring the Windows Server 2008 R2 guest OS security
Getting ready
How to do it…
How it works…
There's more...
Virtual machine antivirus
Firewalls
See also
Guest virtual machine hardening
Getting ready
How to do it…
Remove unnecessary virtual hardware
Unexposed features
Restricting data between the host and guest
Restricting commands
Limiting the guest OS writes to the host memory
How it works…
See also
Configuring virtual machine resource isolation
Getting ready
How to do it…
How it works…
Configuring the standard image templates
Getting ready
How to do it...
How it works...
Managing snapshots
Getting ready
How to do it...
How it works...
See also
4. Configuring User Management
Introduction
Configuring vCenter Single Sign-On
Getting ready
How to do it…
How it works…
Managing Single Sign-On users with vSphere Web Client
Getting ready
How to do it…
How it works…
Configuring Active Directory integration
Getting ready
How to do it…
How it works…
Managing Active Directory users and groups
Getting ready
How to do it…
How it works…
Assigning permissions
Getting ready
How to do it…
How it works…
Assigning administrative roles
Getting ready
How to do it…
How it works…
See also
5. Configuring Network Security
Introduction
Configuring Standard vSwitch security
Getting ready
How to do it…
How it works…
Configuring the port group security
Getting ready
How to do it…
How it works…
Configuring VLANs
Getting ready
How to do it…
How it works…
Creating DMZ networks
Getting ready
How to do it…
How it works…
Providing Distributed vSwitch security options
Getting ready
How to do it…
How it works…
Configuring PVLANs
Getting ready
How to do it…
How it works…
See also
6. Configuring Storage Security
Introduction
Configuring network isolation
Getting ready
How to do it…
How it works…
Configuring iSCSI security
Getting ready
How to do it…
How it works…
Configuring Header and Data Digest
Getting ready
How to do it…
How it works…
There's more…
Configuring the Fibre Channel security
See also
7. Configuring vShield Manager
Introduction
Installing vShield Manager OVA
Getting ready
How to do it…
How it works…
Configuring vShield Manager settings
Getting ready
How to do it…
How it works…
Adding vShield licensing to vCenter
Getting Started
How to do it…
How it works…
Configuring SSL Security for Web Manager
Getting ready
How to do it…
How it works…
Configuring Single Sign-On
Getting ready
How to do it…
How it works…
Configuring user accounts and roles
Getting ready
How to do it…
How it works…
Configuring services and service groups
Getting ready
How to do it…
How it works…
8. Configuring vShield App
Introduction
Installing vShield App
Getting ready
How to do it…
How it works…
Configuring vShield App using the Web Console
Getting ready
How to do it…
How it works…
Configuring vShield App Flow Monitoring
Getting ready
How to do it…
How it works…
Configuring vShield App Firewall
Getting ready
How to do it…
How it works…
Configuring vShield App SpoofGuard
Getting ready
How to do it…
How it works…
9. Configuring vShield Edge
Introduction
Installing vShield Edge
Getting ready
How to do it…
Configuring the Edge appliance
Configuring Edge interfaces
How it works…
Managing appliances
Getting ready
How to do it…
How it works…
Managing interfaces
Getting ready
How to do it…
How it works…
Managing certificates and revocation lists
Getting ready
How to do it…
How it works…
See also
Managing firewall rules
Getting ready
How to do it…
How it works…
Managing NAT rules and static routes
Getting ready
How to do it…
How it works…
Managing the IPSec VPN service
Getting ready
How to do it…
How it works…
Managing SSL VPN-Plus
Getting ready
How to do it…
Configuring the IP pool
Configuring private networks
Configuring authentication
Configuring an installation package
How it works…
Configuring the load-balancing service
Getting ready
How to do it…
How it works…
10. Configuring vShield Endpoint
Introduction
Installing vShield Endpoint
Getting started
How to do it…
How it works…
Configuring vShield Endpoint using an antivirus
Getting started
How to do it…
How it works…
11. Configuring vShield Data Security
Introduction
Installing vShield Data Security
Getting ready
How to do it…
How it works…
Configuring the vShield Data Security policies
Getting ready
How to do it…
How it works…
Managing vShield Data Security reports
Getting ready
How to do it…
How it works…
12. Configuring vSphere Certificates
Introduction
Configuring a Windows CA template
Getting started
How to do it…
How it works…
See also
Requesting certificates from a Windows CA
Getting started
How to do it…
How it works…
Using SSL Certificate Automation Tool 5.5
Getting started
How to do it…
How it works…
There's more…
Process certificate requests
Getting started
How to do it…
How it works…
Registering the Single Sign-On certificate
Getting started
How to do it…
How it works…
Registering the Inventory Service certificate
Getting started
How to do it…
How it works…
Registering the vCenter certificate
Getting started
How to do it…
How it works…
Registering the Web Client certificate
Getting started
How to do it…
How it works…
Registering the Log Browser certificate
Getting started
How to do it…
How it works…
Registering the Update Manager certificate
Getting started
How to do it…
How it works…
Installing an ESXi host certificate
Getting started
How to do it…
How it works…
13. Configuring vShield VXLAN Virtual Wires
Introduction
Prerequisites for configuring VXLAN virtual wires
Getting started
How to do it…
Ensuring the Managed IP address of vCenter is set
Ensuring DHCP availability
Setting a multicast address range and segment ID pool
Setting up network connectivity for VXLAN traffic
Verifying the distributed switch MTU setting
How it works…
There's more
Configuring VXLAN virtual wires
Getting started
How to do it…
Adding a VXLAN network scope
Adding a VXLAN virtual wire
Connecting a VXLAN virtual wire to vShield Edge
Enabling services for the VXLAN virtual wire
Connecting a virtual machine to a VXLAN virtual wire
How it works…
Testing VXLAN virtual wires
Getting started
How to do it…
How it works…
There's more
Configuring firewall rules for VXLAN virtual wires
Getting started
How to do it…
How it works…
See also
Index
VMware vSphere Security Cookbook
VMware vSphere Security Cookbook
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: November 2014
Production reference: 1181114
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78217-034-1
www.packtpub.com
Credits
Author
Mike Greer
Reviewers
Mike Armstrong
Alexandre Borges
Mario Russo
Aravind Sivaraman
Acquisition Editor
Nikhil Karkal
Content Development Editor
Poonam Jain
Technical Editor
Faisal Siddiqui
Copy Editors
Relin Hedly
Dipti Kapadia
Project Coordinator
Mary Alex
Proofreaders
Simran Bhogal
Stephen Copestake
Maria Gould
Ameesha Green
Paul Hindle
Indexer
Rekha Nair
Graphics
Ronak Dhruv
Production Coordinators
Kyle Albuquerque
Conidon Miranda
Cover Work
Conidon Miranda
About the Author
Mike Greer is an accomplished IT Security Practitioner and Enterprise architect with a proven track record of successful, highly-complex projects over the past 20 years. Infusing security into the core infrastructure is one of his greatest concerns while enabling customers to achieve and preserve a secure business posture. As a consultant or instructor in his professional career, he continues to provide consultancy services on a number of subject matters that include strategy, virtualization, messaging, database, and infrastructure optimization. He is the founder of Evolution Security Solutions, a start-up company focusing on strategy, virtualization, and security. His industry certifications include CCSK, CISM, CISSP, ITIL, VCP, MCSE, and MCITP.
Evolution Security Solutions provides vCIO services in addition to strategy, security, cloud, and virtualization consulting.
I'd like to thank Gloria, Declan, and Colin for their support and understanding during the course of this project.
About the Reviewers
Mike Armstrong is a Sr. Site Reliability Engineer at VMware that supports OneCloud, VMware's private cloud environment. He is also a VMware vExpert and has been working with virtualization technologies since 2005. He has been in the IT industry for 30 years and has worked with various technologies. Mike's certifications include VCAP5-DCA, VCP4 & 5, MCITP, MCSE, and ITILv3.
Alexandre Borges is an Oracle ACE in Solaris and has been teaching courses on Oracle Solaris since 2001. He worked as an employee and a contracted instructor at Sun Microsystems, Inc. until 2010, teaching hundreds of courses on Oracle Solaris (such as Administration, Networking, DTrace, and ZFS), Oracle Solaris Performance Analysis, Oracle Solaris Security, Oracle Cluster Server, Oracle/Sun hardware, Java Enterprise System, MySQL Administration, MySQL Developer, MySQL Cluster, and MySQL tuning. He was awarded the title of Instructor of the Year twice for teaching Sun Microsystems courses.
Since 2009, he has been imparting training at Symantec Corporation (NetBackup, Symantec Cluster Server, Storage Foundation, and Backup Exec) and EC-Council (Certified Ethical Hacking (CEH)). In addition, he has been working as a freelance instructor for Oracle education partners since 2010.
In 2014, he became an instructor for Hitachi Data Systems (HDS) and Brocade. Currently, he also teaches courses on Reverse Engineering, Windows Debugging, Memory Forensic Analysis, Assembly, Digital Forensic Analysis, and Malware Analysis. Alexandre is also an (ISC)2 CISSP instructor and has been writing articles on the Oracle Technical Network (OTN) on a regular basis since 2013. He has also authored Oracle Solaris 11 Advanced Administration Cookbook by Packt Publishing.
Dedicated to my wife, Fernanda.
Mario Russo has worked as an IT architect, a senior technical VMware trainer, and in the presales department. He has also been working on VMware technology since 2004. In 2005, he worked for IBM on the first large project Consolidation for Telecom Italia on the Virtual VMware ESX 2.5.1 platform in Italy with the Physical to Virtual (P2V) tool. In 2007, he conducted a drafting course and training for BancoPosta, Italy, and project disaster and recovery (DR Open) for IBM and EMC. In 2008, he worked for the project Speed Up Consolidation BNP and the migration P2V on VI3 infrastructure at BNP Cardif Insurance.
He is a VMware Certified Instructor (VCI Level 2) and has a certificate in VCAP5-DCA. He is the owner of Business to Virtual, which specializes in offering virtualization solutions. He was also the technical reviewer of Implementing VMware Horizon View 5.2, Implementing VMware vCenter Server, Troubleshooting vSphere Storage, and VMware Horizon View 5.3 Design Patterns and Best Practices.
I would like to thank my wife, Lina, and my daughter, Gaia. They're my strength.
Aravind Sivaraman is a virtualization consultant with more than 8 years of experience in the IT industry. For the past 5 years, he has been focusing on virtualization solutions, especially VMware products. He holds different certifications from VMware, Microsoft, and Cisco and has been awarded with the VMware vExpert title for 2013 and 2014. He is a VMware Technology Network (VMTN) and Experts Exchange contributor. He maintains his personal blog at http://aravindsivaraman.com/ and can be followed on Twitter @ss_aravind.
He has also technically reviewed Troubleshooting vSphere Storage and is the co-author of VMware ESXi 5.1 Cookbook, both by Packt Publishing.
I would like to thank and dedicate this book to my wife Madhu, my parents, and my family members, who are always there for me no matter what, for all their unconditional support and for teaching me to never give up.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Instant updates on new Packt books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.
Preface
This book features two topics that I have a keen interest in: security and virtualization. The virtualization space can be complex in its own right, and like other technological areas, adding sufficient security can prove to be quite labor intensive and often frustrating. As technology evolves, the idea of building an infrastructure or project in a secure manner from the beginning is still somewhat novel in its approach. While more security controls are available in products, I find that such controls and features continue to be underutilized or not implemented at all.
Consider the following: on receiving a plate of pasta at your local restaurant, you are generally asked, Would you like cheese with that?
This simple scenario and the relationship between pasta and cheese is an apt metaphor for the way security is applied to the Information Technology (IT) infrastructure in many businesses today.
My core philosophy is to help those in need. By and large, given my profession, ensuring privacy and providing some form of data security seems the logical approach. I hope this cookbook that deals with security tasks specific to the VMware vSphere 5.5 product set will enable you to get a better understanding of the virtualization environment with step-by-step instructions.
This book covers implementing specific security features of the vSphere 5.5 virtualization platform in a step-by-step format. Each topic contains a high-level overview to give context to the cookbook recipes. This book is not intended to provide reference architectures or theories behind specific security topics implemented by vSphere.
What this book covers
Chapter 1, Threat and Vulnerability Overview, provides you with an overview of threats and vulnerabilities specific to the virtualization infrastructure. This chapter covers a high-level review of hypervisor, virtual machine, network, storage, and physical threats and vulnerabilities.
Chapter 2, ESXi Host Security, introduces you to hardening the ESXi host from both the console and the vSphere client. This chapter covers the host firewall and configuration of services.
Chapter 3, Configuring Virtual Machine Security, focuses on security of the guest virtual machine, covering both management of the virtual machine and configuration of the virtual machine. Configuration of guest operating system security and virtual machine isolation