Tag Archives: vswitch

VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only fine one KB article about it!

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit Remove users/groups on an ESX Host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESX Host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA?signed certificate
  • Configure SSL timeouts
  • Secure ESX Web Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security?related messages

Virtual switch security characteristics

vSwitch security (layer2) settings (can be overridden at portgroup level);

  • Promiscuous mode – needed for packet sniffing, vShield Zones (and virtual ESX hosts). Disabled by default.
  • MAC address changes –affects inbound traffic. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Enabled by default.
  • Forged transmits – affects outbound traffic. Enabled by default.

Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.

Host security

Customise SSH settings (ESX only)
  • Edit /etc/ssh/sshd.conf and set ‘PermitRootLogin’ to YES (default is NO). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
  • You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step by step instructions see VMwareKB1002866.
  • By default only SSH server is enabled. Configuration -> Security Profile to enable SSHClient, or use ‘esxcfg-firewall –e SSHClient’.
    image

Continue reading VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts