Virtual Infrastructure 3 Best Practices for a secure installation. Jeff Mayrand.


1 Virtual Infrastructure 3: Best Practices for a Secure Installation. Jeff Mayrand

2 Contents
- Architecture changes (general overview)
- General account security
- VSWIF security
- Web security
- Monitoring / security toolkits
- VMware virtual appliances

3 Architecture Changes
- MUI removed from ESX Server
- Console and guest soft switches are visible; complete rewrite of the network code
- VM backup proxy
- VMFS 3


5 General Account Security
- Do use sudo and the wheel group to segment administrative functions.
- Create separate service accounts for operation of Virtual Center.
- Recommended administrative groups: VMAdmins, ESXAdmins.

6 Virtual Switch Overview
- The vSwitch at its core is a layer 2 forwarding engine.
- VLAN tagging / stripping / filtering units.
- Very modular (3rd-party add-ons).
- Part of Community Source.

7 Virtual Switch vs Physical Switch: How is it similar?
- Maintains a MAC port forwarding table.
- Supports VLAN segmentation per port.
- Supports copying packets to a mirror port (SPAN port).
- Can be managed remotely by an administrator.

8 Virtual Switch vs Physical Switch: How is it different?
- Direct channel from the vNICs for control data (checksum / segmentation): a very wide control channel.
- Authoritative MAC filter updates.
- No IGMP snooping to learn multicast group membership.
- No learning of unicast addresses.
- Ports can automatically enter mirror mode.

9 vSwitch Isolation: How to ensure no traffic leaks between vSwitches?
- Switches are not cascaded, so no code is shared between them.
- vSwitches cannot share uplink ports.
- Each vSwitch has its own forwarding table.

10 vSwitch Isolation: How to ensure guests cannot impact switch behavior?
- vSwitches cannot learn from the network to populate the forwarding table.
- vSwitches make a copy of the frame to prevent in-flight modification (wide control channel).

11 vSwitch Isolation: How to ensure frames are in the appropriate VLAN?
- VLAN data is carried outside the frame (wide control channel).
- The vSwitch has no dynamic trunking.
- The vSwitch has NO native VLAN support.
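The isolation properties on slides 8 to 11 (forwarding table written only from the host's authoritative vNIC configuration, no learning from traffic, VLAN enforced per port) can be seen in a small model placed beside a conventional learning switch. This is an added example, not code from the presentation or from VMware; the MAC addresses, port names and the `lookup_after_forged_source` helper are constructed for the illustration.

```python
"""Constructed model of the vSwitch forwarding rules on slides 8-11 (authoritative
MAC table, no learning from traffic, per-port VLAN) beside a learning switch."""
from dataclasses import dataclass


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 0  # VLAN id travels out of band in the vmkernel, not in the frame

class LearningSwitch:
    """Physical-switch behaviour: the source MAC of every frame updates the table."""
    def __init__(self):
        self.table = {}  # mac -> port

    def forward(self, in_port, frame):
        self.table[frame.src] = in_port  # learns from traffic, trusting the frame
        out = self.table.get(frame.dst)
        return ["flood"] if out is None else [out]

class VSwitch:
    """vSwitch behaviour: the table is written only when the host connects a vNIC."""
    def __init__(self):
        self.table = {}      # mac -> port, authoritative, never learned
        self.port_vlan = {}  # port -> VLAN id of its port group

    def connect(self, port, mac, vlan=0):
        self.table[mac] = port
        self.port_vlan[port] = vlan

    def forward(self, in_port, frame):
        out = self.table.get(frame.dst)
        if out is None:
            return ["uplink"]  # unknown unicast leaves via the uplink, never flooded to guests
        if out == in_port or self.port_vlan.get(out) != frame.vlan:
            return []  # VLAN membership is enforced per port, so nothing crosses VLANs
        return [out]

def lookup_after_forged_source(switch, victim_mac, victim_port, other_port):
    """Where the switch sends traffic for victim_mac after a guest on other_port
    has transmitted one frame that names victim_mac as its source address."""
    if isinstance(switch, VSwitch):
        switch.connect(victim_port, victim_mac)  # constructed host-side configuration
        switch.connect(other_port, "00:50:56:00:00:02")
    else:
        switch.forward(victim_port, Frame(victim_mac, "ff:ff:ff:ff:ff:ff"))
    switch.forward(other_port, Frame(victim_mac, "00:50:56:00:00:03"))
    return switch.table.get(victim_mac)
```

The learning switch's table now points the victim's address at the other port, while the vSwitch's entry is unchanged, which is the property slide 10 describes.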


13 Web Security
- Update and use SSL certificates on ESX hosts and on Virtual Center.
- The core is Apache, so check into all known Apache exploits.
- The MUI is removed from ESX hosts, which makes securing them easier: the web surface is less widespread.

14 Monitoring and Security Toolkits
- SNMP is the default monitoring access (OID masking, community strings).
- Security toolkits are available to help check for changes to available ports and to validate known exploits: Network Security Toolkit virtual machine (Nagios, Nessus, Nmap).
- Common Vulnerabilities and Exposures (many false positives).

15 Virtual Appliances
- Know who's providing it to you!
- Isolate before you put it into production.
- Place extra effort on validating and monitoring after you put it in (rogue traffic, configuration changes, etc.).

16 WWW Resources
- http://www.vmguru.com/
- http://www.vmware.com/vmtn/technology/security/
- http://vmprofessional.com/
