Virtual Infrastructure 3 - PowerPoint PPT Presentation

About This Presentation
Title:

Virtual Infrastructure 3

Description:

Virtual Infrastructure 3 Best Practices for a secure installation. Jeff Mayrand Contents Architecture changes (General Overview) General Account Security VSWIF ... – PowerPoint PPT presentation

Slides: 17
Provided by: Case120

Transcript and Presenter's Notes

Title: Virtual Infrastructure 3


1
Virtual Infrastructure 3
  • Best Practices for a secure installation.
  • Jeff Mayrand

2
Contents
  • Architecture changes (General Overview)
  • General Account Security
  • VSWIF Security
  • Web Security
  • Monitoring / Security Toolkits
  • VMware Virtual Appliances

3
Architecture Changes
  • MUI Removed From ESX Server
  • Console and guest soft switches are visible
    (complete rewrite of the network code)
  • VM Backup Proxy
  • VMFS 3

4
(No Transcript)
5
General Account Security
  • Do use sudo and wheel groups to segment
    administrative functions.
  • Create separate service accounts for operation of
    Virtual Center.
  • Recommended administrative groups: VMAdmins,
    ESXAdmins.

6
Virtual Switch Overview
  • The vswitch at its core is a layer 2 forwarding
    engine.
  • VLAN Tagging / Stripping / Filtering Units
  • Very Modular (3rd Party Addons)
  • Part of Community Source

7
Virtual Switch vs Physical Switch: How is it
similar?
  • Maintains MAC Port forwarding table.
  • Supports VLAN segmentation per port.
  • Supports copying packets to a mirror port (SPAN
    port).
  • Can be managed remotely by administrator.

8
Virtual Switch vs Physical Switch: How is it
different?
  • Direct channel from VNICs for control data
    (checksum / segmentation): a very wide control
    channel.
  • Authoritative MAC filter updates.
  • No IGMP Snooping to learn multicast group
    membership.
  • No learning of unicast addresses.
  • Ports can automatically enter mirror mode.

9
Vswitch Isolation: How to ensure no traffic
leaks between vswitches?
  • Switches are not cascaded, so there is no code
    sharing between them.
  • Vswitches cannot share uplink ports.
  • Each vswitch has its own forwarding table.

10
Vswitch Isolation: How to ensure guests cannot
impact switch behavior?
  • Vswitches cannot learn from the network to
    populate the forwarding table.
  • Vswitches make a copy of the frame to prevent
    in-flight modification (wide control channel).

11
Vswitch Isolation: How to ensure frames are in the
appropriate VLAN?
  • VLAN data is carried outside the frame (wide
    control channel).
  • Vswitch has no dynamic trunking.
  • Vswitch has NO native VLAN support.

12
(No Transcript)
13
Web Security
  • Update and use SSL certificates on ESX hosts and
    on Virtual Center.
  • The core is Apache, so check into all known Apache
    exploits.
  • MUI removed from ESX hosts, which makes securing
    easier (less widespread).

14
Monitoring and Security Toolkits
  • SNMP is the default monitoring access (OID masking,
    community strings).
  • Security toolkits are available to help check for
    changes to open ports and to validate known
    exploits, e.g. the Network Security Toolkit virtual
    machine (Nagios, Nessus, Nmap).
  • Common Vulnerabilities and Exposures (many false
    positives).
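As an added example (not part of the original slides), a small audit of the community-string and OID-masking points above: it assumes a net-snmp style snmpd.conf such as the one on the ESX 3 service console, and the sample file, community names and addresses are constructed.

```python
"""Audit a net-snmp style snmpd.conf for weak community-string settings.

Each finding is a (severity, line_no, message) tuple. Checks:
  * default or guessable community names such as "public" / "private"
  * rwcommunity lines (write access via SNMP SET)
  * community lines with no SOURCE restriction (any host may query)
  * community lines with no VIEW / OID, i.e. no OID masking of the tree
Assumed syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
"""
import re
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp"}
COMMUNITY_RE = re.compile(
    r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?(?:\s+(.*))?$"
)

# Constructed sample (not from any real host): two weak lines, one hardened line.
SAMPLE_CONF = """\
# service console snmpd.conf (constructed example)
rocommunity public
rwcommunity private 192.168.1.0/24
rocommunity n0t-gu3ss4bl3 10.10.0.5 -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""


def audit_snmpd_conf(text: str) -> List[Tuple[str, int, str]]:
    """Return findings for every ro/rw community line in the config text."""
    findings: List[Tuple[str, int, str]] = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = COMMUNITY_RE.match(line) if line else None
        if not m:
            continue  # com2sec/view/other directives are out of scope here
        access, community, source, view = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", no, f"default community string '{community}'"))
        if access == "rw":
            findings.append(("high", no, "read-write community grants SET access"))
        if source is None or source in ("default", "0.0.0.0/0"):
            findings.append(("medium", no, "no source restriction: any host may query"))
        if not view:
            findings.append(("low", no, "no OID restriction: entire MIB tree exposed"))
    return findings


if __name__ == "__main__":
    for sev, no, msg in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no} [{sev}] {msg}")
```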

15
Virtual Appliances
  • Know who's providing it to you!
  • Isolate it before you put it into production.
  • Put extra effort into validating and monitoring it
    after you put it in (rogue traffic, configuration
    changes, etc.).

16
WWW Resources
  • http://www.vmguru.com/
  • http://www.vmware.com/vmtn/technology/security/
  • http://vmprofessional.com/