Virtualization Adapted Adapting Business Processes for Virtual Infrastrcuture (and vice-versa)

2011/08/11

ESX vSwitch L2 Security

Filed under: it,security,virtualization — Tags: , , , , , , — iben @ 11:58

VMware vSphere ESX Host Virtual Switch Layer 2 Security Features

The virtual switch has the ability to enforce security policies to prevent virtual machines from impersonating other nodes on the network. There are three components to this feature. These should all be set to “REJECT” to enable the security feature.

•Promiscuous mode is disabled by default for all virtual machines. This prevents them from seeing unicast traffic to other nodes on the network.

•MAC address change lockdown prevents virtual machines from changing their own unicast addresses. This also prevents them from seeing unicast traffic to other nodes on the network, blocking a potential security vulnerability that is similar to but narrower than promiscuous mode.

•Forged transmit blocking, when you enable it, prevents virtual machines from sending traffic that appears to come from nodes on the network other than themselves.

Cisco Nexus 1000v Switch Layer 2 Security

MAC ACLs

MAC ACLs are ACLs that filter traffic using information in the Layer 2 header of each packet.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/security_9mac_acls.html

Port Security

Port security lets you configure Layer 2 interfaces permitting inbound traffic from a restricted set of MAC addresses called secure MAC addresses. In addition, traffic from these MAC addresses is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configurable per interface.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/security_10port.html#wp1210839

DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers by doing the following:

•Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.

•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

•Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_12dhcpsnoop.html#wp1272686

Dynamic Address Resolution Protocol (ARP) Inspection (DAI)

DAI is used to validate ARP requests and responses as follows:

•Intercepts all ARP requests and responses on untrusted ports.

•Verifies that a packet has a valid IP-to-MAC address binding before updating the ARP cache or forwarding the packet.

•Drops invalid ARP packets.

DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a Dynamic Host Configuration Protocol (DHCP) snooping binding database. This database is built by DHCP snooping when it is enabled on the VLANs and on the device. It may also contain static entries that you have created.

If an ARP packet is received on a trusted interface, the device forwards the packet without any checks. On untrusted interfaces, the device forwards the packet only if it is valid.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html#wp1329252

IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches the IP and MAC address bindings of dynamic or static IP source entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

•DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.

•IP traffic from static IP source entries that you have configured in the Cisco Nexus 1000V.

The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_14sourceguard.html#wp1096775

Reference Links

http://www.vmware.com/files/pdf/dmz-vsphere-nexus-wp.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.html#wp696333

Labels:


2011/05/28

Fake path ie8 Dell drac

Filed under: it,security — Tags: , , , , , , , — iben @ 12:11

If you want to use Dell DRAC 5 with IE 8 you need to change this setting or the Virtual Media won’t work.

Microsoft made this change to conform with HTML5.

http://acidmartin.wordpress.com/2009/06/09/the-mystery-of-cfakepath-unveiled/

http://codingforums.com/showthread.php?p=817890

http://blogs.msdn.com/ie/archive/2009/03/20/rtm-platform-changes.aspx

http://forum.maxthon.com/redirect.php?tid=75307&goto=lastpost

http://www.marc-antho-etc.net/blog/post/Two-IE8-behavioral-changes-worth-mentioninge280a6.aspx

So in order to prevent information disclosure (the path to a file may include the user name if the file reside under the user ‘profile), there are actually two changes combined to achieve that:

  • The IE security setting “include local directory path when uploading files to a server” (already present in IE7) is set to “Disable” instead of “Enabled” as it was with IE7 for the “Internet Zone”

2011/05/27

Accelerating Your Virtual Cloud Journey

Filed under: cloud,security — Tags: , , — iben @ 23:48
SECURE CLOUD & VIRTUALIZATION SUMMIT
http://www.misti.com/includes/conferences/agendadetails.asp?pID=174&ISS=21737&SID=713753
Date: Friday, 22 April 2011
10:00 AM – 11:00 AM
Breaking Through “Virtual Stall” and Accelerating Your Virtual Cloud Journey
Iben Rodriguez, VMware vSphere ESX Benchmark Lead, The Center for Internet Security
• The “perfect storm” of challenges that slow down virtualization
• Why organizations need to look beyond technology when developing a virtualization/cloud strategy
• Conducting a comprehensive analysis of your current environment before implementing a virtual/cloud security solution
• Innovative technical solutions that address the key security roadblocks to virtualization and cloud adoption 

 

Slides here:

http://portal.sliderocket.com/AQXFR/InfoSecCloud2011Preso

 

2011/01/05

Review of VMware View Optimization Guide Windows 7 pdf

Filed under: virtualization — Tags: , , , , , — iben @ 11:44

Just reviewed this guide and wanted to share.

Very helpful scripts are included with the adobe acrobat pdf which allow rapid customization and optimization of windows 7 desktops for VMware view.

A few tips:

  • open the pdf with the adobe acrobat reader app
  • you will find included 2 embedded files: commands.txt and ts.xml – save them to a shared folder
  • access the shared folder from the windows 7 template machine being configured
  • tweak your current user environment as you wish – it will be copied and set for use as the default user profile
  • change the folder options view to Disable “Hide extensions for Known file types” and click “Apply to Folders”
  • rename the commands.txt file to commands.bat (see notes below)
  • run the included commands.bat script from an “admin” command prompt or it won’t work right
  • take advantage of the new registry keys to denote current image version and author info
  • run ipconfig /release then shutdown the windows 7 template machine being configured
  • take a snapshot of the windows 7 template machine being configured

Customizing Linked-Clone Desktops with QuickPrep

You can personalize the linked-clone desktops that are created from a parent virtual machine by using the QuickPrep system tool. View Composer executes QuickPrep when a linked-clone desktop is created or recomposed.
QuickPrep customizes a linked-clone desktop in several ways:
Gives the computer a name that you specify when you create the linked-clone pool.
Creates a computer account in Active Directory, joining the computer to the appropriate domain.
Mounts the View Composer persistent disk. The Windows user profile is redirected to this disk.
Redirects temp and paging files to a separate disk.
These steps might require the linked clones to restart one or more times.
QuickPrep uses KMS volume license keys to activate Windows 7 and Windows Vista linked-clone desktops. For details, see Activating Windows 7 and Windows Vista on Linked-Clone Desktops.
You can create your own scripts to further customize the linked clones. QuickPrep can run two types of scripts at predefined times:
After linked clones are created or recomposed
Immediately before linked clones are powered off
For guidelines and rules for using QuickPrep customization scripts, see Running QuickPrep Customization Scripts.
Note
View Composer requires domain user credentials to join linked-clone desktops to an Active Directory domain. For details, see Create a User Account for View Composer.

Link to doc

http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf

Command.Bat listing

The contents of the commands.bat (aka commands.txt) file are listed here for your review. Review them and edit as needed for your environment.

rem  Setting Default HKCU values by loading and modifying the default user registry hive


reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"


reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /f


reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /f


reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /f


reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f


reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /f


reg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /f


reg ADD "hku\temp\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /f


reg unload "hku\temp"


rem Making modifications to the HKLM hive


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /f


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f


reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /f


reg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f


rem Using Powershell to perform Windows Services modifications


Powershell Set-Service 'BDESVC' -startuptype "disabled"


Powershell Set-Service 'wbengine' -startuptype "disabled"


Powershell Set-Service 'DPS' -startuptype "disabled"


Powershell Set-Service 'UxSms' -startuptype "disabled"


Powershell Set-Service 'Defragsvc' -startuptype "disabled"


Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"


Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"


Powershell Set-Service 'iphlpsvc' -startuptype "disabled"


Powershell Set-Service 'MSiSCSI' -startuptype "disabled"


Powershell Set-Service 'swprv' -startuptype "disabled"


Powershell Set-Service 'CscService' -startuptype "disabled"


Powershell Set-Service 'SstpSvc' -startuptype "disabled"


Powershell Set-Service 'wscsvc' -startuptype "disabled"


Powershell Set-Service 'SSDPSRV' -startuptype "disabled"


Powershell Set-Service 'SysMain' -startuptype "disabled"


Powershell Set-Service 'TabletInputService' -startuptype "disabled"


Powershell Set-Service 'Themes' -startuptype "disabled"


Powershell Set-Service 'upnphost' -startuptype "disabled"


Powershell Set-Service 'VSS' -startuptype "disabled"


Powershell Set-Service 'SDRSVC' -startuptype "disabled"


Powershell Set-Service 'WinDefend' -startuptype "disabled"


Powershell Set-Service 'WerSvc' -startuptype "disabled"


Powershell Set-Service 'MpsSvc' -startuptype "disabled"


Powershell Set-Service 'ehRecvr' -startuptype "disabled"


Powershell Set-Service 'ehSched' -startuptype "disabled"


Powershell Set-Service 'WSearch' -startuptype "disabled"


Powershell Set-Service 'wuauserv' -startuptype "disabled"


Powershell Set-Service 'Wlansvc' -startuptype "disabled"


Powershell Set-Service 'WwanSvc' -startuptype "disabled"


rem Making miscellaneous modifications


bcdedit /set BOOTUX disabled


vssadmin delete shadows /All /Quiet


Powershell disable-computerrestore -drive c:\


netsh advfirewall set allprofiles state off


powercfg -H OFF


net stop "sysmain"


fsutil behavior set DisableLastAccess 1


rem Making modifications to Scheduled Tasks


schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable


schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable


schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disable


schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disable


schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disable


schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable

rem  Setting Default HKCU values by loading and modifying the default user registry hivereg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /freg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /freg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /freg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /freg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /freg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /freg ADD "hku\temp\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /freg unload "hku\temp"
rem Making modifications to the HKLM hive reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /freg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /freg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /freg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /freg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f
rem Using Powershell to perform Windows Services modificationsPowershell Set-Service 'BDESVC' -startuptype "disabled"Powershell Set-Service 'wbengine' -startuptype "disabled"Powershell Set-Service 'DPS' -startuptype "disabled"Powershell Set-Service 'UxSms' -startuptype "disabled"Powershell Set-Service 'Defragsvc' -startuptype "disabled"Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"Powershell Set-Service 'iphlpsvc' -startuptype "disabled"Powershell Set-Service 'MSiSCSI' -startuptype "disabled"Powershell Set-Service 'swprv' -startuptype "disabled"Powershell Set-Service 'CscService' -startuptype "disabled"Powershell Set-Service 'SstpSvc' -startuptype "disabled"Powershell Set-Service 'wscsvc' -startuptype "disabled"Powershell Set-Service 'SSDPSRV' -startuptype "disabled"Powershell Set-Service 'SysMain' -startuptype "disabled"Powershell Set-Service 'TabletInputService' -startuptype "disabled"Powershell Set-Service 'Themes' -startuptype "disabled"Powershell Set-Service 'upnphost' -startuptype "disabled"Powershell Set-Service 'VSS' -startuptype "disabled"Powershell Set-Service 'SDRSVC' -startuptype "disabled"Powershell Set-Service 'WinDefend' -startuptype "disabled"Powershell Set-Service 'WerSvc' -startuptype "disabled"Powershell Set-Service 'MpsSvc' -startuptype "disabled"Powershell Set-Service 'ehRecvr' -startuptype "disabled"Powershell Set-Service 'ehSched' -startuptype "disabled"Powershell Set-Service 'WSearch' -startuptype "disabled"Powershell Set-Service 'wuauserv' -startuptype "disabled"Powershell Set-Service 'Wlansvc' -startuptype "disabled"Powershell Set-Service 'WwanSvc' -startuptype "disabled"
rem Making miscellaneous modificationsbcdedit /set BOOTUX disabledvssadmin delete shadows /All /QuietPowershell disable-computerrestore -drive c:\netsh advfirewall set allprofiles state offpowercfg -H OFFnet stop "sysmain"fsutil behavior set DisableLastAccess 1
rem Making modifications to Scheduled Tasksschtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disableschtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disableschtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disableschtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disableschtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disableschtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable

2010/10/28

HyTrust Appliance 2.1 Available

Filed under: virtualization — Tags: , , , , , , , , , , , , — iben @ 14:36

HyTrust recently celebrated its 3-year birthday.  HyTrust was founded in October 2007 to bring secure access control and policy to virtual infrastructure, enabling wider adoption of virtualization throughout the enterprise — exactly the same focus that we have today.

It’s amazing to see what we have achieved in the last three years: great enterprise customers; solid partnerships with the major players in virtualization (VMware, Cisco, RSA, Intel and Symantec); numerous accolades, including Best of Show at VMworld; and, of course, several significant releases of HyTrust Appliance…

So we’re excited to let you know that HyTrust Appliance 2.1 is now generally available. It is chock-full of exciting new enterprise features, including protection for the control of Cisco Nexus 1000V, application-level high availability, and smart card support.  As always, we have also made 2.1 available in the Community Edition form, which can be downloaded for free here: 
http://info.hytrust.com/appliance.html

New HyTrust Appliance Capabilities At a Glance

  • Support for VMware vSphere 4.1
  • Integrated access control, policy and audit logging for Cisco Nexus 1000V CLI management (NX-OS command set)
  • Support for complex, multi-domain Active Directory environments
  • Single sign-on via Windows pass-through authentication with smart card integration
  • New ESX hardening templates including VMware Hardening Guide 4.0 and (Sarbanes Oxley) SOX hardening template
  • Application-level high availability (in addition to VMware HA/FT and federation)

If you would like to take a look at the new functionality, we have recorded demos of the new version available for your viewing pleasure.
http://info.hytrust.com/recorded_product_demo.html

For those of you currently evaluating HyTrust Appliance, we’d like to extend an added incentive to make your purchase in Q4: for a limited time, HyTrust is offering a free “jump-start” professional services package to help you get up and running quickly. Contact sales (sales@hytrust.com) for more information.

2010/10/23

Vyatta router upgrade procedure

Filed under: Uncategorized — Tags: , , , — iben @ 12:36

Upgrading in a Virtual Environment

Upgrading in a virtual environment involves two steps:
1 Install the new appliance to a fresh virtualized environment.
2 Migrate your configuration from old to new Vyatta appliances.

Migrate the configuration

1 In configuration mode on the old system, use the save command to save the
current configuration.
2 For all Ethernet interfaces, remove the hardware ID values using the delete
interfaces ethernet ethx hw-id command to remove the hardware ID values, then
commit and save the configuration to a name other than config.boot (for
example, save oldconfig).
3 Use the load command to return the original configuration to the old system.
4 Use the set service ssh command and then the commit command to configure the
system to allow for SCP file transfer.
5 In configuration mode on the new system, assign an IP address to an interface
residing on the same subnet as one on the old system (for example, set interfaces
ethernet eth0 address 192.168.1.99/24), and then commit the change.
6 Copy the saved configuration (the one with the hardware UDs removed) from the
old system to the new system. For example, if the old system is at 192.168.1.20,
the saved configuration file is name oldconfig, and the username vyatta is
available on the old system, issue the scp command as follows:
scp vyatta@192.168.1.20:/opt/vyatta/etc/config/oldconfig
/opt/vyatta/etc/config/oldconfig
7 Load the copied configuration using the load command (for example, load
oldconfig). At this point, the configuration on the new system should match that
on the old system (except for the hardware IDs).
8 Shut down the old system using the shutdown command.

Reference:

http://www.vrouter.net/solutions/branch_virtualization.php

2010/09/10

vsphere security best practices

Filed under: Uncategorized — Tags: , , , , , , — iben @ 07:54

VMware ESX 4.1 and vCenter Server 4.1

Background:

Follow the security principles of:
– separation of duties
– least privilege

Harden the hypervisor: upgrade to vSphere ESXi 4.1

Give the LAN back to the Network Team

Implement the Cisco Nexus 1000v and only assign ports to active systems.

Audit and control access

Use a tool like HyTrust to eliminate configuration drift and track and control system access.

Using Roles to Assign Privileges

A role is a predefined set of privileges. Privileges define individual rights that a user requires to perform actions and read properties.
When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. These assignments would allow that user to turn on virtual machines in Pool A, but not those in Pool B. The user would still be able to view the status of the virtual machines in Pool B.
The roles created on an ESX/ESXi host are separate from the roles created on a vCenter Server system. When you manage a host using vCenter Server, the roles created through vCenter Server are available. If you connect directly to the host using the vSphere Client, the roles created directly on the host are available.
vCenter Server and ESX/ESXi hosts provide default roles:

  • System roles
    • System roles are permanent. You cannot edit the privileges associated with these roles.
  • Sample roles
    • VMware provides sample roles for convenience as guidelines and suggestions. You can modify or remove these roles.

You can also create roles.
All roles permit the user to schedule tasks by default. Users can schedule only tasks they have permission to perform at the time the tasks are created.
Note: Changes to permissions and roles take effect immediately, even if the users involved are logged in. The exception is searches, where permission changes take effect after the user has logged out and logged back in.

Details:

Best Practices for vCenter Roles and Permissions

Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server environment.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:

  • Use folders to group objects to correspond to the differing permissions you want to grant for them.
  • Grant permissions to groups rather than individual users.
  • Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
  • If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators’ privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
  • Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
  • In most cases, enable propagation on permissions. This ensures that when new objects are inserted in to the inventory hierarchy, they inherit permissions and are accessible to users.
  • Use the No Access role to masks specific areas of the hierarchy that you don’t want particular users to have access to.

Use Host Profiles to Apply Permissions to Hosts

When you join a host to an Active Directory domain, you must define roles on the host for a user or group in that domain. Otherwise, the host is not accessible to Active Directory users or groups. You can use host profiles to set a required role for a user or group and to apply the change to one or more hosts.
It is recommended that you follow this procedure for System Administrators (Admin) and Auditors (ReadOnly).

Prerequisites

You must have an existing host profile. See Creating a Host Profile.
Verify that the hosts to which you apply a profile are in maintenance mode.

Procedure

  1. Using the vSphere Client, select View > Management > Host Profiles.
  2. Right-click an existing host profile and select Edit Profile.
  3. Expand the profile tree, and then expand Security configuration.
  4. Right-click the Permission rules folder and select Add Profile.
  5. Expand Permission rules and select Permission.
  6. On the Configuration Details tab in the right pane, click the Configure a permission drop-down menu and select Require a Permission Rule.
  7. Enter the name of the group that should have the role assigned to it.
    1. Use the format DOMAIN\name, where DOMAIN is the name of the Active Directory domain and name is the user name or group name.
  8. Select the Name refers to a group of users check box.
  9. Enter the assigned role name for the user or group (usually Admin or ReadOnly).
    1. The role name is case-sensitive. If this is a system role, you must use the nonlocalized role name. For example, for the Administrator role, enter Admin. For the Read-only role, enter ReadOnly.
  10. Select the Propagate permission check box and click OK.

Reference:

vSphere Datacenter Administration Guide : Setting Up Your Virtual Infrastructure : Managing Users, Groups, Roles, and Permissions : Best Practices for Roles and Permissions
http://pubs.vmware.com/vsphere-esx-4-1/wwhelp/wwhimpl/js/html/wwhelp.htm

2010/04/20

vSphere Network Isolation Addresses

Filed under: virtualization — Tags: , , , , , , — iben @ 14:45

http://www.vmware.com/pdf/vsphere4/r40_u1/vsp_40_u1_availability.pdf

Network Isolation Addresses

A network isolation address is an IP address that is pinged to determine if a host is isolated from the network. This address is pinged only when a host has stopped receiving heartbeats from all other hosts in the cluster. If a host can ping its network isolation address, the host is not network isolated, and the other hosts in the cluster have failed. However, if the host cannot ping its isolation address, it is likely that the host has become isolated from the network and no failover action is taken.

By default, the network isolation address is the default gateway for the host. There is only one default gateway specified, regardless of how many service console networks have been defined, so you should use the das.isolationaddress[…] advanced attribute to add isolation addresses for additional networks. For example,  das.isolationAddress2 to add an isolation address for your second network, das.isolationAddress3 for the third, up to a maximum of das.isolationAddress9 for the ninth.

When you specify additional isolation address, VMware recommends that you increase the setting for the das.failuredetectiontime advanced attribute to 20000 milliseconds (20 seconds) or greater. A node that is isolated from the network needs time to release its virtual machine’s VMFS locks if the host isolation response is to fail over the virtual machines (not to leave them powered on.) This must happen before the other nodes declare the node as failed, so that they can power on the virtual machines, without getting an error that the virtual machines are still locked by the isolated node.

For more information on VMware HA advanced attributes, see “Customizing VMware HA Behavior,” on page 26.

das.isolationaddress
Sets the address to ping to determine if a host is isolated from the network. This address is pinged only when heartbeats are not received from any other host in the cluster. If not specified, the default gateway of the console network is used. This default gateway has to be a reliable address that is available, so that the host can determine if it is isolated from the network. You can specify multiple isolation addresses (up to 10) for the cluster: das.isolationaddressX, where X = 1-10. Typically you should specify one per service console. Specifying too many addresses makes isolation detection take too long and can affect VMware HA behavior.

das.usedefaultisolationaddress
By default, VMware HA uses the default gateway of the console network as an isolation address. This attribute specifies whether or not this default is used (true|false).

2010/04/01

Updated Security for home network

Filed under: home — Tags: , , — iben @ 18:07

Follow these steps to upgrade your home network for improved security.

  1. Change wireless settings on ISP router to use WPA instead of WEP.
  2. Change wireless settings on laptop to use WPA instead of WEP.
  3. Setup a second wireless router on the LAN port and change wireless settings on ISP router to use WPA instead of WEP. Do not use the WAN port.
  4. Disable the DHCP server on the second wireless router.
http://www.gliffy.com/pubdoc/2052413/L.png

Home Wireless Network Diagram

2010/03/30

Using Cryptographic Hashes to verify file download integrity

Filed under: virtualization — Tags: , , , , , , , , , , — iben @ 10:58

The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm.

Vendors provide a sha-1 hash for software downloads. This enables you to verify that your downloaded files are unaltered from the original.

To confirm file integrity, use an sha-1 utility on your computer to calculate your own hash for files downloaded from the VMware web site.

If your calculated hash matches the message digest we provide, you are assured that the file was downloaded intact.

sha-1 utilities are available for Windows and Linux and Mac. Most UNIX installations provide a sha1sum command for sha-1 hashes. You may need a newer linux kernel to calculate the checksums for larger files.

The File Checksum Integrity Verifier (FCIV) can be used on Windows based products to verify sha-1 values. Please see http://support.microsoft.com/kb/841290 for details on FCIV.

Mac OS X: How to Verify a SHA-1 Digest http://support.apple.com/kb/HT1652

Instructions on checking an sha-1 checksum on a Mac:
In Finder, browse to /Applications/Utilities.
Double-click on the Terminal icon. A Terminal window will appear.
In the Terminal window, type: “openssl sha1 ” (sha1 followed by a space).
Drag the downloaded file from the Finder into the Terminal window.
Click in the Terminal window, press the Return key, and compare the checksum displayed to the screen to the one on the vendor’s download page.

From TechNet

Windows Server 2008 R2 Standard, Enterprise, Datacenter, and Web (x64) – DVD (English)
File Name: en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
Size: 2,858 (MB)
Date Published (UTC): 8/31/2009 10:22:24 AM
Last Updated (UTC): 1/11/2010 4:31:40 PM
SHA1: A548D6743129F2A02C907D2758773A1F6BB1BCD7
 ISO/CRC: 8F94460B

About MD5

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.

US-CERT says MD5 “should be considered cryptographically broken and unsuitable for further use,”and most U.S. government applications now require the SHA-2 family of hash functions.

Older Posts »

Powered by WordPress