Book Image

VMware vSphere Security Cookbook

By : Michael Greer
Book Image

VMware vSphere Security Cookbook

By: Michael Greer

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
VMware vSphere Security Cookbook
Michael Greer
Nov, 2014 | 334 pages
No titles found
Table of Contents (20 chapters)
VMware vSphere Security Cookbook
VMware vSphere Security Cookbook
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Threat and Vulnerability Overview
Threat and Vulnerability Overview
Introduction
Risk overview
Hypervisor threats
Hypervisor vulnerabilities
Guest virtual machine threats
Guest virtual machine vulnerabilities
Network threats
Network vulnerabilities
Storage threats
Storage vulnerabilities
Physical threats
Physical vulnerabilities
Security concepts
Summary
2
ESXi Host Security
ESXi Host Security
Introduction
Hardening the host via Console
Hardening the host via vSphere Client
Configuring host services
Configuring the host firewall
3
Configuring Virtual Machine Security
Configuring Virtual Machine Security
Introduction
Configuring administrative access options
Securing the guest OS
Guest virtual machine hardening
Configuring virtual machine resource isolation
Configuring the standard image templates
Managing snapshots
4
Configuring User Management
Configuring User Management
Introduction
Configuring vCenter Single Sign-On
Managing Single Sign-On users with vSphere Web Client
Configuring Active Directory integration
Managing Active Directory users and groups
Assigning permissions
Assigning administrative roles
5
Configuring Network Security
Configuring Network Security
Introduction
Configuring Standard vSwitch security
Configuring the port group security
Configuring VLANs
Creating DMZ networks
Providing Distributed vSwitch security options

Configuring PVLANs
6
Configuring Storage Security
Configuring Storage Security
Introduction
Configuring network isolation
Configuring iSCSI security
Configuring Header and Data Digest
7
Configuring vShield Manager
Configuring vShield Manager
Introduction
Installing vShield Manager OVA
Configuring vShield Manager settings
Adding vShield licensing to vCenter
Configuring SSL Security for Web Manager
Configuring Single Sign-On
Configuring user accounts and roles
Configuring services and service groups
8
Configuring vShield App
Configuring vShield App
Introduction
Installing vShield App
Configuring vShield App using the Web Console
Configuring vShield App Flow Monitoring
Configuring vShield App Firewall
Configuring vShield App SpoofGuard
9
Configuring vShield Edge
Configuring vShield Edge
Introduction
Installing vShield Edge
Managing appliances
Managing interfaces
Managing certificates and revocation lists
Managing firewall rules
Managing NAT rules and static routes
Managing the IPSec VPN service
Managing SSL VPN-Plus
Configuring the load-balancing service
10
Configuring vShield Endpoint
Configuring vShield Endpoint
Introduction
Installing vShield Endpoint
Configuring vShield Endpoint using an antivirus
11
Configuring vShield Data Security
Configuring vShield Data Security
Introduction
Installing vShield Data Security
Configuring the vShield Data Security policies
Managing vShield Data Security reports
12
Configuring vSphere Certificates
Configuring vSphere Certificates
Introduction
Configuring a Windows CA template
Requesting certificates from a Windows CA
Using SSL Certificate Automation Tool 5.5
Process certificate requests
Registering the Single Sign-On certificate
Registering the Inventory Service certificate
Registering the vCenter certificate
Registering the Web Client certificate
Registering the Log Browser certificate
Registering the Update Manager certificate
Installing an ESXi host certificate
13
Configuring vShield VXLAN Virtual Wires
Configuring vShield VXLAN Virtual Wires
Introduction
Prerequisites for configuring VXLAN virtual wires
Configuring VXLAN virtual wires
Testing VXLAN virtual wires
Configuring firewall rules for VXLAN virtual wires
Index
Index

Security concepts

This book contains a number of security, compliance and encryption topics that might not be second nature to the reader. This section will provide an overview of concepts and methods discussed in the book along with references for further information.

Data classifications

Data classifications are used to assign data at the right level of protection and security based on the content type and sensitivity required. Personally Identifiable Information (PII) and Protected Health Information (PHI) are two of the classifications referenced.

  • PII: Information that can uniquely identify an entity is considered PII. An example includes Social Security Number (SSN), home address, birthdate, e-mail address, and application login information.

  • PHI: Information created or derived from a hospital, physician, and healthcare providers specific to an individual's past, present and future medical condition. There is also a growing concern over the activity information recorded by wearable devices by privacy experts.

Cryptography

Symmetric Encryption: This utilizes a shared secret key to encrypt and decrypt messages. Both the sender and recipient utilized the same key to encrypt and decrypt information passed between them. The key can take the form of a complex string, for example. The encryption algorithm along with its key length determine the relative strength of the key. The strongest current block cipher is Advanced Encryption Standard (AES).

Asymmetric Encryption: This utilizes a public key and a private key. A message encrypted by the private key can only be decrypted by the public key and vice versa. The public key is available to anyone, while the private key is kept secret. Public key certificates utilize asymmetric encryption and provide information about the organization to which the certificate was issued.

Certificates

Certificates provide digital identification and a mechanism to establish trust. We can think of a certificate as a driver's license or government issued ID card. The trusted root authority can be thought of as the government in this example. The license or ID can be thought of as the certificate. When someone checks our ID to verify our identity, they trust the authority that issued that ID. Likewise, when a certificate is issued from a trusted authority, we can be assured the identity represented by the certificate is genuine.

Also known as digital certificates or X.509 certificates, these certificates are widely used by websites to prove their identity to the web browser. Certificates can also be used for mutual authentication where not only does the web browser trust the website, but also the web site trusts the web browser.

Public Key Infrastructure (PKI) generates certificates in both public and private scenarios. A Certificate Authority (CA) is the mechanism that responds to proper certificate requests and returns certificates to the requesting party. Verisign, Thawte, and Digicert are examples of public CAs, meaning a certificate issued by them is trusted by the majority of commercial web browsers by default. A private CA is usually set up within a corporate network, and the certificates issued are only trusted by machines on the corporate network.

Virtual Private Networks

Virtual Private Networks (VPN) provide a network tunnel between two endpoints through which information is encrypted (protected) from the network traffic outside the VPN tunnel. There are two main types of VPN tunnels in use today: IPSEC and SSL. IPSEC stands for Internet Protocol security, while SSL stands for Secure Sockets Layer.

References

The following references give a background on topics covered in this chapter:

Previous Section
End of Section 14
Next Section