Posted by techstarts on September 9, 2008
In ESX 3i, all logs are lost during a reboot. A syslog server is therefore required to record and archive all ESX Server 3i logs, since a simple reboot erases the record of all user activity.
ISO images consume a lot of disk space since they are not compressed when they are created.
Users should create hash checksums of all ISO OS images on the ESX Server before using those images for virtual machines.
Shares and resource allocation: minimum and maximum resource settings within ESX Server are absolute values, whereas shares are used to give preference to a guest OS when a resource is scarce. A minimum guarantees a specific amount of a resource to the virtual machine but denies that much of the resource to other virtual machines, while a maximum denies the virtual machine a portion of the resource and allows other virtual machines more access to that resource. Do not configure the minimum virtual machine CPU and memory settings equal to the total physical amount available. Use reservations, shares and limits to allocate resources.
Time management: synchronizing the virtual machine with the ESX Server is the preferred method for time synchronization.
Posted by techstarts on September 9, 2008
Virtual Switch Tagging (VST) allows a virtual switch to handle its own VLAN tagging. This processing is handled by the pNIC, and this overhead never comes to the VMkernel. Each physical switch port that connects to the virtual switch is configured in trunk mode. VLANs can span multiple pSwitches. A VLAN is enabled by a trunked link connecting the virtual switch and the pSwitch through frame tags. Trunk links can carry the traffic of multiple VLANs simultaneously. Within the switch fabric, switches use frame tagging to direct frames to the appropriate switch and port. Frame tagging assigns a frame ID prior to traversing the trunked link. After the frame reaches the access link, the VLAN ID is removed and the end device receives the frame.
The vpxuser has the privileges of a root user on the ESX Server host, but has no file privileges on the ESX Server console. The vpxuser is created when the ESX Server host is attached to VirtualCenter. It is not present on the ESX Server host unless the host is being managed through VirtualCenter.
VirtualCenter has two default roles defined: system roles and sample roles. System roles are permanent, and the permissions associated with these roles cannot be changed. All changes made to the permissions of custom roles take effect immediately; users do not need to log off and log back in.
Posted by techstarts on April 10, 2007
A few important things which I felt are important from an exam perspective have been posted here, but only in brief; for more details, please read the Server Configuration Guide. At one point I felt bored, because not much is required from the VCP blueprint perspective.
For iSCSI, CHAP is used for securing traffic between initiators and the target. However, CHAP is enabled one way only, i.e. only the target authenticates the initiators. CHAP is enabled at the HBA level. ESX Server doesn't support per-target CHAP authentication, which would let you configure different credentials for each target to achieve greater target refinement. ESX Server doesn't support Kerberos, Secure Remote Protocol, or public key authentication methods for iSCSI; additionally, it doesn't support IPSec and encryption.
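The one-way exchange described above, as an added example that is not part of the original post: the target challenges, the initiator answers with the RFC 1994 CHAP MD5 response, and a single HBA-level credential is presented to every target. The initiator name, secret and target tables are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def target_verify(identifier, challenge, name, response, secrets):
    """Target side: recompute the response from the secret stored for `name`."""
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def login(name, secret, target_secrets):
    """One-way login: the target challenges, the initiator answers.

    The initiator never sends a challenge of its own, so nothing in this
    exchange proves the target's identity to the initiator.
    """
    identifier = os.urandom(1)[0]   # CHAP_I, chosen by the target
    challenge = os.urandom(16)      # CHAP_C, chosen by the target
    response = chap_response(identifier, secret, challenge)  # CHAP_R
    return target_verify(identifier, challenge, name, response, target_secrets)

# Constructed sample data: one HBA-level credential used for every target.
HBA_NAME = "iqn.2008-09.example:esx01"
HBA_SECRET = b"constructed-chap-secret"
TARGET_A = {HBA_NAME: HBA_SECRET}
TARGET_B = {HBA_NAME: HBA_SECRET}

if __name__ == "__main__":
    print("target A accepts:", login(HBA_NAME, HBA_SECRET, TARGET_A))
    print("target B accepts:", login(HBA_NAME, HBA_SECRET, TARGET_B))
    print("wrong secret:", login(HBA_NAME, b"guess", TARGET_A))
```

Because the response is bound to the identifier and the challenge, a captured response fails against a fresh challenge, but every target holding the shared secret can verify the same initiator credential.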
Do not configure the default gateway for the service console on the virtual switch you use for iSCSI connectivity.
If the service console is compromised in certain ways, the virtual machines it interacts with might also be compromised. To minimize the risk of an attack through the service console, VMware protects the service console with a firewall. By default, ESX Server is installed with a high security setting.
In addition, ESX Server and VirtualCenter use ports 8085, 8087 and 9080 to communicate internally with each other.