Monday, 27 January 2014

Objective 7.1 – Secure ESXi Hosts


Knowledge - Identify Configuration Files Related To Network Security

ESXi network security relies on the SSL certificate files held on the host; these are found under /etc/vmware/ssl.

Knowledge - Identify Virtual Switch Security Characteristics

  • MAC Address Changes affects traffic that a virtual machine receives. When the option is set to Accept (Default), ESX accepts requests to change the effective MAC address to other than the initial MAC address. When the option is set to Reject, ESX does not honor requests to change the effective MAC address to anything other than the initial MAC address, which protects the host against MAC impersonation. The port that the virtual adapter used to send the request is disabled and the virtual adapter does not receive any more frames until it changes the effective MAC address to match the initial MAC address. The guest operating system does not detect that the MAC address change was not honored. In some situations, you might have a legitimate need for more than one adapter to have the same MAC address on a network – for example, if you are using Microsoft Network Load Balancing in unicast mode. When MS NLB is used in the standard multicast mode, adapters do not share MAC addresses.
  • Forged Transmissions affects traffic that is transmitted from a virtual machine. When the option is set to Accept (Default), ESX does not compare source and effective MAC addresses. To protect against MAC impersonation, you can set this option to Reject. If you do, the host compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESX drops the packet. The guest operating system does not detect that its virtual network adapter cannot send packets by using the impersonated MAC address. The ESX host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.
  • Promiscuous Mode Operation eliminates any reception filtering that the virtual network adapter would perform so that the guest operating system receives all traffic observed on the wire. By default, the virtual network adapter cannot operate in promiscuous mode. Although promiscuous mode can be useful for tracking networking activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to the packets regardless of whether some of the packets are received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.

Skills and Abilities - Add/Edit Remove users/groups on an ESXi host

Note that local user accounts can only be modified by connecting directly to the ESXi host, not through vCenter Server.

Skills and Abilities - Customize SSH settings for increased security
Start the vSphere Client, then go to Hosts & Clusters > ESXi host > Configuration > Security Profile > Properties

Select the SSH service and press the Options button; from here you can stop and start the service and change its startup options.

Skills and Abilities - Enable/Disable certificate checking

Certificates enable secure communication between ESXi hosts and vCenter Server and are required for FT. Certificate checking is enabled by default in vCenter 5; it can be enabled and disabled via the GUI.

Click Home -> vCenter Server Settings -> SSL Settings (un)check requires verified host SSL certificates

Skills and Abilities - Generate ESXi host certificates
Back up the existing certificate and key by renaming /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key

Generate new certificates
    /sbin/generate-certificates.sh

Restart hostd
    /etc/init.d/hostd restart

Skills and Abilities - Enable ESXi Lockdown Mode

When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server. This includes running vCLI commands or using the vMA against the host.

Skills and Abilities - Replace default certificate with CA-signed certificate
Generate certificates as per kb1029944 then replace the files in /etc/vmware/ssl.

Skills and Abilities - Configure SSL timeouts
The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESX. The Handshake Timeout setting applies to connections that have not completed the SSL handshake process with port 443 of ESX. Both connection timeouts are set in milliseconds. Idle connections are disconnected after the timeout period. By default, fully established SSL connections have an infinite timeout; the timeout settings are not present in config.xml by default and must be added.

Skills and Abilities - Configure vSphere Authentication Proxy

vSphere Authentication Proxy enables ESXi hosts to join a domain without using Active Directory credentials. It enhances security for PXE-booted hosts and hosts that are provisioned using Auto Deploy by removing the need to store Active Directory credentials in the host configuration.

  1. Install vSphere Auto Deploy.
  2. You do not have to install Auto Deploy on the same host machine as the vSphere Authentication Proxy service.
  3. Add the host machine where you will install the authentication proxy service to the domain.
  4. Use the Domain Administrator account to log in to the host machine.
  5. In the software installer directory, double-click the autorun.exe file to start the installer.
  6. Select VMware vSphere® Authentication Proxy and click Install.
  7. Follow the wizard prompts to complete the installation.
  8. During installation, the authentication service registers with the vCenter Server instance where Auto Deploy is registered.

Skills and Abilities - Enable strong passwords and configure password policies
vi /etc/pam.d/passwd

The min=8,8,8,7,6 setting maps to min=N0,N1,N2,N3,N4, as follows.

Change the parameters as required, for example:

N0=12: Passwords containing characters from one character class must be at least twelve characters long. For example: charsoftware
N1=10: Passwords containing characters from two character classes must be at least ten characters long. For example: chars12345
N2=8: Passphrases must contain words that are each at least eight characters long. For example: software
N3=8: Passwords containing characters from all three character classes must be at least eight characters long. For example: CHars123
N4=7: Passwords containing characters from all four character classes must be at least seven characters long. For example: CHars1!
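The Python script below is an added example, not part of the original notes or of VMware's code: it reproduces the pam_passwdqc min=N0,N1,N2,N3,N4 length rule so that candidate passwords (including the worked examples above) can be checked before a policy change is rolled out. The class counting follows pam_passwdqc, where an upper-case letter in the first position and a digit in the last position do not add a class; the passphrase rule is modelled as the notes above describe it (three or more words, each at least N2 characters). The two value sets are the ones shown on this page; the sample candidates are constructed for the example.

```python
# Added example: check candidate passwords against a pam_passwdqc-style
# "min=N0,N1,N2,N3,N4" policy such as the one in ESXi's /etc/pam.d/passwd.

DEFAULT_MIN = (8, 8, 8, 7, 6)    # shipping values shown in the notes (min=8,8,8,7,6)
STRICT_MIN = (12, 10, 8, 8, 7)   # hardened values walked through in the notes

# Slot in the min tuple selected by the number of character classes.
# N2 (index 2) is the passphrase slot and is never chosen by class count.
_SLOT_BY_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}


def count_classes(password):
    """Count the character classes (lower, upper, digit, other) present.

    Mirrors pam_passwdqc: an upper-case letter in the first position and a
    digit in the last position are the usual "capitalise it and add a
    number" habit, so they do not add a class.
    """
    lower = upper = digit = other = False
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch.islower():
            lower = True
        elif ch.isupper():
            upper = upper or i != 0
        elif ch.isdigit():
            digit = digit or i != last
        else:
            other = True
    return sum((lower, upper, digit, other))


def check_password(password, minimums=DEFAULT_MIN, passphrase_words=3):
    """Return (accepted, reason) for one candidate password."""
    words = password.split()
    if len(words) >= passphrase_words:
        # Passphrase rule as described in the notes: every word must be at
        # least N2 characters long.
        short = [w for w in words if len(w) < minimums[2]]
        if short:
            return False, "passphrase words shorter than %d: %s" % (minimums[2], short)
        return True, "passphrase of %d words accepted" % len(words)

    classes = count_classes(password)
    if classes == 0:
        return False, "empty password"
    need = minimums[_SLOT_BY_CLASSES[classes]]
    if len(password) < need:
        return False, "%d class(es): need %d characters, got %d" % (classes, need, len(password))
    return True, "%d class(es): %d >= %d" % (classes, len(password), need)


def audit(candidates, minimums=DEFAULT_MIN):
    """Map each candidate to its (accepted, reason) verdict under a policy."""
    return {pw: check_password(pw, minimums) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: the worked examples from the notes plus two
    # "capitalise and add a digit" passwords that the class rule discounts.
    samples = ["charsoftware", "chars12345", "CHars123", "CHars1!",
               "Chars1!", "Password1", "software hardware firmware"]
    for policy_name, policy in (("default", DEFAULT_MIN), ("strict", STRICT_MIN)):
        print("policy", policy_name, policy)
        for pw, (ok, why) in audit(samples, policy).items():
            print("  %-28s %s  (%s)" % (pw, "OK    " if ok else "REJECT", why))
```

Note the difference between CHars1! (four classes, accepted at N4=7) and Chars1! (the leading capital is discounted, so only three classes and N3=8 applies): the discount is what stops a trivially decorated word from qualifying as a strong password.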


Skills and Abilities - Identify methods for hardening virtual machines
  • Install antivirus software
  • Disable copy and paste to the clipboard
  • Remove unnecessary hardware devices
  • Limit guest operating system writes to host memory

Skills and Abilities - Analyze logs for security-related messages
  • /var/log/auth.log: ESXi Shell authentication success and failure.
  • /var/log/esxupdate.log: ESXi patch and update installation logs.
  • /var/log/hostd.log: Host management service logs, including virtual machine and host Task and Events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections.
  • /var/log/syslog.log: Management service initialization, watchdogs, scheduled tasks and DCUI use.

Skills and Abilities - Manage Active Directory Integration
