VMware vSphere Security Cookbook

By: Michael Greer

Preface

This book features two topics that I have a keen interest in: security and virtualization. The virtualization space can be complex in its own right, and like other technological areas, adding sufficient security can prove to be quite labor intensive and often frustrating. As technology evolves, the idea of building an infrastructure or project in a secure manner from the beginning is still somewhat novel in its approach. While more security controls are available in products, I find that such controls and features continue to be underutilized or not implemented at all.

Consider the following: on receiving a plate of pasta at your local restaurant, you are generally asked, "Would you like cheese with that?" This simple scenario and the relationship between pasta and cheese is an apt metaphor for the way security is applied to the Information Technology (IT) infrastructure in many businesses today.

My core philosophy is to help those in need. By and large, given my profession, ensuring privacy and providing some form of data security seems the logical approach. I hope this cookbook that deals with security tasks specific to the VMware vSphere 5.5 product set will enable you to get a better understanding of the virtualization environment with step-by-step instructions.

This book covers implementing specific security features of the vSphere 5.5 virtualization platform in a step-by-step format. Each topic contains a high-level overview to give context to the cookbook recipes. This book is not intended to provide reference architectures or theories behind specific security topics implemented by vSphere.

What this book covers

Chapter 1, Threat and Vulnerability Overview, provides you with an overview of threats and vulnerabilities specific to the virtualization infrastructure. This chapter covers a high-level review of hypervisor, virtual machine, network, storage, and physical threats and vulnerabilities.

Chapter 2, ESXi Host Security, introduces you to hardening the ESXi host from both the console and the vSphere client. This chapter covers the host firewall and configuration of services.

Chapter 3, Configuring Virtual Machine Security, focuses on security of the guest virtual machine, covering both management of the virtual machine and configuration of the virtual machine. Configuration of guest operating system security and virtual machine isolation controls are covered in this chapter.

Chapter 4, Configuring User Management, guides you through the secure user administration of a virtualization environment using vCenter. Topics include configuring Active Directory integration, configuring Single Sign-On, assigning permissions, and administrative roles.

Chapter 5, Configuring Network Security, introduces you to security options in the configuration of virtual network switches and port groups.

Chapter 6, Configuring Storage Security, introduces you to the configuration of storage security from a vSphere perspective. The majority of this chapter covers iSCSI authentication between source and target systems. On completion of this chapter, you will be able to configure iSCSI authentication on a vSphere 5.5 host.

Chapter 7, Configuring vShield Manager, introduces you to the installation and configuration of vShield Manager, from downloading and installing the virtual appliance to configuration of user and group access—including SSL certificate configuration.

Chapter 8, Configuring vShield App, introduces you to vShield App configuration and setup on the ESXi host. The common application firewall settings are also covered.

Chapter 9, Configuring vShield Edge, introduces you to the setup and configuration of vShield Edge. In addition, adding and managing appliances and interfaces is covered, along with VPN, firewall, and gateway configurations.

Chapter 10, Configuring vShield Endpoint, introduces you to vShield Endpoint protection, installation, and configuration, and the importance of endpoint protection in securing the virtual infrastructure.

Chapter 11, Configuring vShield Data Security, introduces you to the configuration of vShield Data Security options and policies. Customizing data policies and reports is also covered.

Chapter 12, Configuring vSphere Certificates, guides you through the tasks involved in assigning issued X.509 certificates to vSphere component services. The SSL tool is used to assign certificates to vCenter, Update Manager, Web Client, Log Manager, Inventory Manager, and Single Sign-On services.

Chapter 13, Configuring vShield VXLAN Virtual Wires, introduces the prerequisites for implementing VXLAN virtual wires, configuring virtual wires, and configuring firewall rules for virtual wires.

What you need for this book

You should have knowledge of basic VMware virtualization concepts such as datacenters, clusters, hosts, datastores, networks, and virtual machines.

A background of governance and security is helpful when evaluating how the security procedures covered in this book can provide additional controls in a virtualized environment.

You need to install VMware vSphere Client 5.5 or VMware vSphere Web Client. The web client is heavily referenced in the text and is the preferred VMware management tool going forward.

Who this book is for

This book is intended for the virtualization professional who is experienced with VMware vSphere setup and configuration, but who hasn't had the opportunity to investigate securing the environment properly.

This book covers all the major security options for vSphere 5.5 deployment in a modular fashion where only the recipe pertaining to the task is required. In other words, the book is not meant to be read from cover to cover, but rather used as a toolkit for specific tasks and scenarios in the virtualization infrastructure environment.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The Windows Firewall can also be enabled and disabled by using the netsh.exe command via the command line."

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes, for example, appear in the text like this: "Click on OK to initiate the snapshot."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us because it will help us develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.