Книга: Mastering VMware® Infrastructure3
Chapter 12: Securing a Virtual Infrastructure
Chapter 12: Securing a Virtual Infrastructure
Create and apply roles and permissions in VirtualCenter. Creating host and virtual machine alarms is a proactive way to be alerted to abnormal behavior for all four resource groups or state changes. Alarms can be applied to a single host, a virtual machine, or a group of either object in the VirtualCenter hierarchy.
Master It Company security policy dictates that access to VirtualCenter requires users to only be granted the rights necessary to perform their jobs.
Solution There are several predefined roles, and roles can be created to fit particular job requirements. Assign roles to the lowest object in the inventory that allows users to do their job.
Master It Create ESX Server user accounts.
Solution You have two options for creating local users accounts on ESX Server: using command line and using the VI Client.
Create users on the ESX Service Console. Restricting which users and hosts can connect to an ESX Server is one of the most important security steps you can implement.
Master It Company security policy dictates that direct access to the Service Console must be restricted.
Solution Configure sshd_config with AllowUsers to specify the users who are allowed to log in to the Service Console.
Master It Configure TCP wrappers to restrict host access to the Service Console.
Solution Edit hosts.allow to specify which hosts are allowed to connect to the Service Console.
Enable and disable services on the firewall. The Service Console firewall is locked down by default for only those ports needed to provide management for virtualization. There are times when other ports will need to be opened using esxcfg-firewall.
Master It A security inspection requires an audit of the existing Service Console firewall configuration.
Solution Use esxcfg-firewall -q to audit your ESX Server's current firewall setup.
Master It Open the firewall for specific services or agents.
Solution Use esxcfg-firewall -e service_name to enable firewall access to specific services. Use esxcfg-firewall -o to open lesser-known ports for services or agents.
Use Kerberos authentication on ESX Server. Kerberos authentication allows for Active Directory authentication of local ESX Server user accounts. This simplifies account management and centralizes user account security policies.
Master It Direct authentication to ESX Server hosts should be secured using an existing Active Directory infrastructure.
Solution Use esxcfg-auth to implement Kerberos authentication.
Audit and monitor important files. Changes to Service Console files should be audited and monitored on a regular basis.
Master It A server failure results in a call to VMware support. The technician requests that you send information about your environment for further review.
Solution Create and extract the vm-support file. Send the file to the technician.
Manage updates and patches with VMware Update Manager VMware Update Manager provides an integrated and easy-to-use utility for managing ESX Server host and virtual machine updates.
Master It You have just installed ESX 3.5 on seven new Dell Poweredge 2950 servers into a DRS/HA cluster. No virtual machines exist. You need to apply all updates immediately.
Solution Create a custom baseline for all updates, attach the baseline at the cluster level, and perform an immediate remediation.
Master It Two days ago you added a new Dell Poweredge R900 server named silo3507 .vdc.local to a partially automated DRS/HA cluster. There are six virtual machines running on silo3507. You need to apply critical updates to silo3507.
Solution Attach the critical updates baseline to silo3507 and perform an immediate remediation. Either alter the failure options to power off or suspend virtual machines or manually relocate virtual machines off of silo3507 to allow it to enter maintenance mode and begin remediation.
Master It You have ten virtual machines that serve as domain controllers. You want to install all of the latest Windows updates on all ten virtual machines using VMware Update Manager. The installation of updates should not affect production during business hours of 9:00 AM to 5:00 PM. You want a 24-hour window of opportunity to remove the update.
Solution Use the Virtual Machines & Templates view to create a folder to hold the ten virtual machines. Create a baseline that includes all updates and attach the baseline at the folder level. Schedule a remediation to happen during non-business hours. Configure VMware Update Manager to maintain the rollback snapshot for a period of 24 hours.
- Chapter 1: Introducing VMware Infrastructure 3
- Chapter 2: Planning and Installing ESX Server
- Chapter 3: Creating and Managing Virtual Networks
- Chapter 4: Creating and Managing Storage Devices
- Chapter 5: Installing and Configuring VirtualCenter 2.0
- Chapter 6: Creating and Managing Virtual Machines
- Chapter 7: Migrating and Importing Virtual Machines
- Chapter 8: Configuring and Managing Virtual Infrastructure Access Controls
- Chapter 9: Managing and Monitoring Resource Access
- Chapter 10: High Availability and Business Continuity
- Chapter 11: Monitoring Virtual Infrastructure Performance
- Chapter 12: Securing a Virtual Infrastructure
- Chapter 13: Configuring and Managing ESXi
- CHAPTER 30 Securing Your Machines
- Chapter 12 Securing a Virtual Infrastructure
- Appendix A The Bottom Line
- Mastering VMware® Infrastructure3
- Chapter 5. Preparations
- Chapter 6. Traversing of tables and chains
- Chapter 7. The state machine
- Chapter 8. Saving and restoring large rule-sets
- Chapter 9. How a rule is built
- Chapter 10. Iptables matches