Scribd Logo
Unggah

Selamat datang di Scribd!

  • ESX2

    Diunggah oleh

    Naresh Madiraju
    52 tayangan14 halaman
    Security

    Hak Cipta

    © Attribution Non-Commercial (BY-NC)

    Format Tersedia

    PPT, PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    Security

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PPT, PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    52 tayangan14 halaman

    ESX2

    Diunggah oleh

    Naresh Madiraju
    Security

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PPT, PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 14

    Security

    Server Security Levels ESX Server Users and Permissions Securing the Service Console

    ESX Server System Management I Module 9

    Deploying ESX Server Securely


    Set Security Level appropriately Create ESX Server users to own VMs Restrict use of root login Isolate virtual machines from Service Console Keep up with patches Use Service Console solely for VM management

    2
    2

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    ESX Server Security Levels


    ssh access High On Access FTP telnet portmap to Web access access (for NFS or NIS) MUI SSL SSL Clear Off On On Off On On Off On On

    Medium On Low On

    3
    3

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Create ESX Server Users to Own VMs


    An ESX Server user is a person who can view or modify a virtual machine
    Via Web Management UI or Remote Console Not the same as users in a guest OS

    User accounts are created:


    During installation Via the VMware Management Interface From the Service Console: useradd c "Jane Doe" jdoe passwd jdoe

    Default: Locally stored passwords


    Optional: Use Pluggable Authentication Modules (e.g. LDAP, NT Domain) to store passwords elsewhere
    4
    4
    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Virtual Machine Security


    Only R
    Can see VM in MUI

    RX
    Start, Stop, Reset, Suspend VM via MUI, Remote Console, API Access files read-only

    RW
    Can access VM from MUI but cannot run VM, only monitor Details and Event Logs Configure VM and save changes via MUI Cannot connect to VM via Remote Console Connect to VM via API Access and modify files that make up VM

    Check permissions on both the .vmx file and the parent directories

    RWX
    Full access, actions, and modification privileges

    5
    5

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Virtual Machine Configuration Security


    Default permissions for .vmx files:
    RWX Full access, actions and modification privileges

    RX Start, stop, reset, suspend using MUI, Remote Console, or API; Access files readonly
    6
    6
    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Virtual Disk Security


    Default permissions for .dsk files:
    RW Full access, actions, and modification privileges

    Owner of .vmx file must have access to .dsk file(s)


    Simplest case: make ownership the same

    7
    7

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    User Access to VMs


    Web MUI
    Web Browser Apache

    Remote Console
    Remote Console xinetd

    VM Authentication

    vm-list

    Virtual Machine

    8
    8

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Restrict Use of root Login


    Only user root can perform the following functions:
    Govern resource allocation Configure system Import and export virtual disk files Shut down or reboot the ESX server

    For all other functions, login as a normal user

    9
    9

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Isolating Virtual Machines


    Service Console and VMs must be on separate NICs
    To separate administration network from VM network

    Understand how network traffic can pass from one network to the next
    Watch for VMs with NICs on different networks

    Physical interfaces must run in promiscuous mode unless they have exactly one VM bound to them

    10
    10

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Keep Up With Patches


    Only apply VMware-approved security patches
    Patches tested prior to release

    Article posted to Support Knowledge Base acknowledging security vulnerability


    Within 24 hours of notification of an issue

    Patches available via Download section of VMware web site


    Email notification to the listed technical contact on support contract

    11
    11

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Service Console is VM Management Tool


    Avoid adding insecure services to Service Console:
    telnet FTP X Window System

    Use secure services instead


    Secure Shell (ssh) Secure Copy (scp)

    12
    12

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Summary
    Choose the right security level
    Secure deployment means matching security level to security environment

    Restrict user access to the Service Console Turn off needless services on the Service Console Know your VMs!

    13
    13

    For ESX Server 2.0.1 2003-10-27 Copyright 2003 VMware, Inc. All rights reserved.

    Questions?

    ESX Server System Management I Module 9

    Anda mungkin juga menyukai