Objective 1.2: Secure ESXi, vCenter Server, and vSphere Virtual Machines
April 5, 2015
And here are the following topics underneath this objective:
- Enable / Configure / Disable services in the ESXi Firewall
- Enable Lockdown Mode
- Configure Network Security Policies
- Add an ESXi host to a directory service
- Apply permissions to ESXi hosts using Host Profiles
- Configure virtual machine security Policies
- Create / Manage vCenter Server Security Certificates
I will try to take these one at a time.
Working with services in the ESXi firewall is not too difficult, this can be done on a per host basis under the configuration tab for it or the manage tab using the web client. Most of my material will be using the web client since that is the way things are going. That being said there are a number of ways to work with the firewall settings. You can 1) Set a security profile set in a host profile and apply that to a host (or number of hosts). 2) You can use ESXCLI commands from the command line to customize. 3) You can go through the Web Client. The Procedure to do that would be the following:
- Go through the Web Client to the host you are looking to change.
- Click the Manage Tab and then click on Settings
- Now Click on Security Profile
- The Web client will now show a list of incoming and outgoing connections with the ports.
- You can select to enable or disable the rule.
You can also allow or restrict these services to specific IP address. By default all IP addresses are allowed.
Lockdown mode has been created to increase security to your hosts. Those of us familiar with vSphere 5 were already of there being a lockdown mode available for your hosts. For vSphere 6 there is now an additional lockdown mode available for use. Strict Lockdown Mode. The lockdown modes now shape up like this:
- Normal Lockdown Mode: This kills access to the machine through the client to the host, and will deny root access through SSH. However you can still access the physical machine and DCUI is still able to be logged into and used.
- Strict Lockdown Mode: This will also disable the DCUI client. If there are no exception users and it loses access to the vCenter server, you will need to reinstall the host.
In order to enable Lockdown mode you need to perform the following steps:
- Navigate to the host in the object browser that you want to modify
- Click on the host and then on the Manage Tab.
- Click on Settings and then click on Security Profile on the left side.
- Scroll down until you see the Lockdown Mode Section
- Click on Edit and choose desired Mode.
Configuring Network Policies
So configuring network policies, what are they talking about? Perform the following steps
- Navigate to the host you are interested in and click on Manage Tab for that host
- Click on the Networking Button
- Click on the Virtual Switches
- Now Depending on whether you want to change the vSwitch or Port Group you would click on the pencil associated with that object.
Now at this point you can decide to work your security magic on either on the Virtual Switch itself or you can impose your will on the Port Group. Your options are the same either way just where they want to apply the policy and if they want the same one on everything, or just a subset. Your Options are as follows:
- Promiscuous Mode: Reject(Default) or Accept
- MAC address Changes: Accept(Default) or Reject
- Forged Transmits: Accept(Default) or Reject
So what do these options mean?
Promiscuous mode being set to Accept will remove the filtering on by default and will receive all traffic observed. This can be useful if you are running Wireshark or some other IDS or packet sniffing program. Otherwise you would generally leave this off.
MAC address changes setting affects the traffic that a virtual machine receives. If set to Reject, ESXi won’t honor requests to change the effective MAC address to a different address than the initial MAC address. The Initial MAC address is set for a vNic when ESXi assigns the NIC to a virtual machine. The OS sees the vNIC with a MAC address and should use that MAC address and it becomes the effective MAC address. Occasionally you might change this to receive traffic coming to a different MAC, such as in the case of Microsoft Network Load Balancing. Where the OS would present a separate NIC to load balance and you want the VM to receive on that MAC address. You would need to make sure that the setting was set to Accept in this case.
Forged Transmits setting affects traffic the virtual machine sends. When this is set to accept ESXi does not compare the source and effective MAC addresses. If the OS tries to send out traffic as a different MAC then ESXi sets for it, and this is set to Reject, ESXi will drop the packets into the bit bucket (trash). The guest OS will most likely assume that the packets are being dropped.
Add an ESXi host to a directory service
Adding an ESXi host to AD or LDAP is not difficult at all. Just follow the following steps:
- Navigate to the host, and then click on Manage
- Click on Settings and then scroll down to Authentication Services
- The top section has to do with adding the host to a domain, so click on Join Domain
- You are now presented with a box for Join Domain
- Enter in the Domain and User Credentials (will need to be a user in the Domain with admin privileges) and click OK
- When it is successful, your Domain will show up and Directory Services Type will say the type of Domain (Active Directory) you chose
Apply Permissions to ESXi Hosts using Host Profile
I assume that if you have gotten this far and you are taking a delta exam and not starting from scratch, that you have at least a rudimentary idea of what host profiles are. However just in case, a host profile is a list of host configuration options that can be applied to a host/s or a cluster in order to keep your machines as close to each other as possible. This can come in handy for you as the administrator, since they are centrally managed and can improve efficiency, compliance, and also enable you to use time saving features such as Auto Deploy. You also need to have the proper licensing in place to be able to use this feature. This requires Enterprise Plus licensing.
Creating a Host Profile is simple. You can do it one of two ways. You can either navigate to the host you have configured to use as the reference host and then right click and Host Profile and Extract Host Profile like the below
Or you can navigate right to Host Profiles from the Home Screen
And then after you click on the Host Profiles. You can click on the (+) sign to add a new. It will then pop out a screen and ask you what host you want to use as the reference host.
After you create the Host Profile, then you can go back in to edit if you need to as well. You will need to do this by going to the Host Profiles screen from the Home Menu as mentioned above. After you get there you can click on the Host Profile you want to edit and click Edit Settings. Some of the settings you can set are seen here.
After all that is done, from the same screen, you will need to attach the host profile to a host/s or cluster/s. Then you can run a scan against them to see if they are compliant or not. If not you can Remediate them to bring them into compliance.
Configure Virtual Machine Security Policies
For security it is good to think of your virtual machine the same as a physical machine. You have all the same abilities as a physical machine for securing, firewall on the VM itself and make sure you restrict who has physical access to the VM, and of course patching. You have a number of advantages in these things though since you are using a VM. You can employ things like templates to create a fully patched version of your server when you bring it up, reducing the time it takes to secure it. You can also restrict ability to use the VMRC or Remote Console. The ability to use this should be treated the same as a person having physical access to the machine.
There are other things to also consider as well. Such as if someone were to gain access to the machine, he/she could possibly introduce a program that would start eating resources in your environment. If this were to go unchecked, it runs the possibility of not only affecting that virtual machine but also all others sharing the same resources. You can use something like limits or shares to prevent this from happening.
Also as always, only give the VM what it needs to run. Don’t have unnecessary hardware or features that you won’t use on it. You can disable things like copy/paste and Host Guest File System to further increase your security. Finally we have,
Create / Manage vCenter Server Security Certificates
Personally in the past, I have always let VMware handle the certificates for me, however if you have a need for replacing the self-signed with ones that are signed by a third-party or enterprise certificate authority, VMware can definitely accommodate you. If you have been working with them in previous versions, you will need to know that the 5.5 certificate replacement tool will not work for 6.0 due to the new architecture. There are certs used for just about all authentication services in VMware now.
For vCenter Server, you can use the following to view and replace certificates:
- vSphere Certificate Manager Utility – You can perform all common certificate replacement tasks from the command-line
- Certificate Management CLIs – Perform all certificate management tasks with dir-cli, certool, and vecs-cli
- vSphere Web Client certificate management – View certificates, including expiration information
There is a lot of information included in replacing or regenerating certs in the VMware environment and some of it depends on which cert you are replacing. The CLI tools you can use to do this are as follows:
- certool – this allows you to generate and manage certificates and keys. This is part of the VMCA
- vecs-cli – This allows you to manage the contents of VMware certificate store instances. This is part of the VMAFD
- dir-cli – This allows you to create and update certificates in the VMware Directory Service. Also part of the VMAFD
Core Identity Services
- vmdir – This handles SAML certificates management for authentication with vCenter SSO
- VMCA (VMware Certificate Authority) – Issues certificates for VMware solution users, machine certificates for machines on which services are running, and ESXi host certificates. VMCA can be used as is, or as an intermediary CA. VMCA issues certificates to only clients that can authenticate to SSO in the same domain.
- VMware Authentication Framework Daemon (VMAFD) – Includes the VMware Endpoint Certificate Store (VECS) and several other authentication services. VMware administrators interact with VECS; the other services are used internally.
Certificate Management Tool Locations
- C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
- C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe
- C:\Program Files\VMware\vCenter Server\vmcad\certool.exe
Just due to the sheer depth of certificate management I will defer to the guide for further direction.