Archive for March 2013

Identify configuration files related to network security

ESXi Security

By introducing a layer of abstraction between the physical hardware and the virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings through server consolidation as well as increased operational efficiency and flexibility. However, that added functionality introduces a virtualization layer that itself becomes a potential avenue of attack on the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important. Because they are based on a lightweight kernel optimized for virtualization, VMware ESX and VMware ESXi are less susceptible to viruses and other problems that affect general-purpose operating systems. However, ESX/ESXi is not impervious to attack, and you should take proper measures to harden it, as well as the VMware VirtualCenter management server, against malicious activity or unintended damage.

The log files provide an important tool for diagnosing breaches of security as well as other system issues. They also provide audit information. In addition to storing this information in files on the local host, you can also send it to a remote syslog server.

As with ESX, ESXi maintains its configuration state in a set of configuration files. However, on ESXi these files can be accessed only using the remote file access API, and there are far fewer files involved. These files normally are not modified directly. Instead, their contents normally change indirectly because of some action invoked on the host. However, the file access API does allow for direct modification of these files, and some modifications might be warranted in special circumstances. Therefore, you should monitor all of these files for integrity and unauthorized tampering, either by periodically downloading them and tracking their contents or by using a commercial tool designed to do this.

Configure and Maintain the ESXi Firewall

The ESXi Firewall

Supported services and management agents that are required to operate the host are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and lists each rule’s relationship with ports and protocols.

By default, when ESXi is installed, the firewall is enabled. The default configuration permits only the required operational traffic and denies all other traffic.

Identify esxcli firewall configuration commands

Example Commands of esxcli network firewall

List Firewall Rules

  • esxcli network firewall ruleset list

Enable and Disable the FTP Client Ruleset

  • esxcli network firewall ruleset set --ruleset-id ftpClient --enabled true
  • esxcli network firewall ruleset set --ruleset-id ftpClient --enabled false

Explain the three Firewall Security Levels

Enable/Disable pre-configured services

Configure service behavior automation

Select a host > Configuration > Software > Security Profile > Services > Properties > Options

  • Start automatically if any ports are open, and stop when all ports are closed: The default setting for these services that VMware recommends. If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks.
  • Start and stop with host: The service starts shortly after the host starts and closes shortly before the host shuts down. Much like Start automatically if any ports are open, and stop when all ports are closed, this option means that the service regularly attempts to complete its tasks, such as contacting the specified NTP server. If the port was closed but is subsequently opened, the client begins completing its tasks shortly thereafter.
  • Start and stop manually: The host preserves the user-determined service settings, regardless of whether ports are open or not. When a user starts the NTP service, that service is kept running as long as the host is powered on. If the service is started and the host is powered off, the service is stopped as part of the shutdown process.

Open/Close ports in the firewall
  1. Log in to the vSphere Client
  2. Enter the Hosts and Clusters View
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Firewall, click Properties
  7. Highlight a service
  8. To enable a firewall rule, check the check box next to the traffic label

Allowing connections from an IP Address or a network

  1. All connections may be allowed, or connections can be restricted to a single IPv4 or IPv6 address and/or to IPv4 or IPv6 networks.

Example esxcli network firewall commands

List the Firewall rules and their ports

  • esxcli network firewall ruleset rule list

Disable and Enable the All IPs allowed rule for the ftpClient Rule

  • esxcli network firewall ruleset set --allowed-all false --ruleset-id=ftpClient
  • esxcli network firewall ruleset set --allowed-all true --ruleset-id=ftpClient

Specify an allowed network range of 10.1.1.0/24 for the ftpClient Firewall Rule

  • esxcli network firewall ruleset allowedip add --ip-address=10.1.1.0/25 --ruleset-id ftpClient

Create a custom service

Rule set configuration files are located in the /etc/vmware/firewall directory, and you will see that two files are there already:

  • fdm.xml
  • service.xml

Create a custom service file for a service

  • Log in to WinSCP and navigate to /etc/vmware/firewall/
  • Copy the service.xml file to your machine
  • I copied the format for an individual service within the service.xml file and created a new WordPad file initially, where I adjusted the service id to a unique ID and the id to my service name, RhianService, and chose a new port number, 800

  • I then saved the file as RhianService.xml
  • Next copy this file to the /etc/vmware/firewall directory

  • Next, PuTTY into your host and run the following commands, as seen in the screenprint below
  • esxcli network firewall refresh
  • esxcli network firewall ruleset list, and you should see your new service

  • In vCenter look at Configuration > Software > Security Profile. You should see your custom profile

Adding a Custom Service

To add a service to the host security profile, VMware partners can create a VIB that contains the port rules for the service in a configuration file. VIB authoring tools are available to VMware partners only. Each set of rules for a service in the rule set configuration file contains the following information:

  • A numeric identifier for the service, if the configuration file contains more than one service.
  • A unique identifier for the rule set, usually the name of the service.
  • For each rule, the file contains one or more port rules, each with a definition for direction, protocol, port type, and port number or range of port numbers.
  • An indication of whether the service is enabled or disabled when the rule set is applied.
  • An indication of whether the rule set is required and cannot be disabled.
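As an added example (not code from the original post, and not a VMware tool), the following shell function writes a rule-set file in the layout just described and used in the RhianService walkthrough above: numeric service id, rule-set id, a port rule with direction/protocol/porttype/port, and the enabled/required flags. It assumes the element names of /etc/vmware/firewall/service.xml on ESXi 5.x and validates every input so that a bad value cannot break the XML or open an unintended port.

```shell
# Added example, not from the original post: write a firewall rule-set file in
# the layout described above (numeric service id, rule-set id, port rule with
# direction/protocol/porttype/port, enabled, required) as found in
# /etc/vmware/firewall/service.xml on ESXi 5.x. Inputs are validated so a bad
# value cannot break the XML or open an unintended port.

# make_ruleset_xml SVCNUM RULESET_ID DIRECTION PROTOCOL PORT [ENABLED] [REQUIRED]
make_ruleset_xml() {
  svc_num=$1 ruleset_id=$2 direction=$3 protocol=$4 port=$5
  enabled=${6:-true} required=${7:-false}
  case $svc_num in [0-9][0-9][0-9][0-9]) ;;
    *) echo "service number must be 4 digits: $svc_num" >&2; return 1 ;; esac
  # the id lands in an XML text node and in esxcli arguments: letters/digits only
  case $ruleset_id in ''|*[!A-Za-z0-9_-]*) echo "bad rule-set id: $ruleset_id" >&2; return 1 ;; esac
  case $direction in inbound|outbound) ;;
    *) echo "direction must be inbound or outbound: $direction" >&2; return 1 ;; esac
  case $protocol in tcp|udp) ;; *) echo "protocol must be tcp or udp: $protocol" >&2; return 1 ;; esac
  case $port in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "port out of range: $port" >&2; return 1; fi
  case "$enabled/$required" in true/true|true/false|false/true|false/false) ;;
    *) echo "enabled and required must be true or false" >&2; return 1 ;; esac
  cat <<EOF
<ConfigRoot>
  <service id="$svc_num">
    <id>$ruleset_id</id>
    <rule id="0000">
      <direction>$direction</direction>
      <protocol>$protocol</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>$enabled</enabled>
    <required>$required</required>
  </service>
</ConfigRoot>
EOF
}

# the post's example: RhianService on TCP 800, inbound, enabled, not required;
# save the output as /etc/vmware/firewall/RhianService.xml and run
# "esxcli network firewall refresh" to load it
make_ruleset_xml 0000 RhianService inbound tcp 800 true false
```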

Set Firewall Security Level

  • High Security (Default) – The firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989 and 5988. These are the ports used for basic ESXi communication.
  • Medium Security – All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not blocked.
  • Low Security – No ports are blocked on either incoming or outgoing traffic. This setting is equivalent to removing the firewall.

Set High

  • esxcli network firewall set --default-action false

Set Low

  • esxcli network firewall set --default-action true

Restart hostd at the command line following Security Level changes by typing service mgmt-vmware restart

Analyse Logs for Security Related Messages

What logs are there?

Identify methods for hardening virtual machines

Hardening Machines

  • Installing Antivirus Software

Stagger the schedule for virus scans, particularly in deployments with a large number of virtual machines. Performance of systems in your environment will degrade significantly if you scan all virtual machines simultaneously.
Because software firewalls and antivirus software can be virtualization-intensive, you can balance the need for these two security measures against virtual machine performance, especially if you are confident that your virtual machines are in a fully trusted environment.

  • Limiting Exposure of Sensitive Data Copied to the Clipboard

Go to the VM > Edit Settings > Options > Advanced > General > Configuration Parameters > Add Row > Enter the below values

  • Removing Unnecessary Hardware Devices

Attackers can use this capability to breach virtual machine security in several ways. For example, an attacker with access to a virtual machine can connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive, or disconnect a network adapter to isolate the virtual machine from its network, resulting in a denial of service.

  • Prevent a Virtual Machine User or Process from Disconnecting Devices

If you do not want to permanently remove a device, you can prevent a virtual machine user or process from connecting or disconnecting the device from within the guest operating system.

  • Limiting Guest Operating System Writes to Host Memory

The guest operating system processes send informational messages to the host through VMware Tools. If the amount of data the host stored as a result of these messages was unlimited, an unrestricted data flow would provide an opportunity for an attacker to stage a denial-of-service (DoS) attack.

  • Modify Guest Operating System Variable Memory Limit

You can increase the guest operating system variable memory limit if large amounts of custom information are being stored in the configuration file.

  • Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host

You can prevent guests from writing any name-value pairs to the configuration file. This is appropriate when guest operating systems must be prevented from modifying configuration settings.

  • Configuring Logging Levels for the Guest Operating System

Normally, a new log file is created each time you reboot a host, so the file can grow to be quite large. You can ensure new log file creation happens more frequently by limiting the maximum size of the log files. VMware recommends saving 10 log files, each one limited to 100KB. These values are large enough to capture sufficient information to debug most problems that might occur.

  • Limit Log File Numbers and Sizes

To prevent virtual machine users and processes from flooding the log file, which can lead to denial of service, you can limit the number and size of the log files ESXi generates.

  • Securing Fault Tolerance Logging Traffic

This logging traffic between the Primary and Secondary VMs is unencrypted and contains guest network and storage I/O data, as well as the memory contents of the guest operating system. This traffic can include sensitive data such as passwords in plaintext. To avoid such data being divulged, ensure that this network is secured, especially to avoid “man-in-the-middle” attacks. For example, use a private network for FT logging traffic.

VMware Hardening Guides

vSphere 5.0 Hardening Guide

vSphere 4.1 Hardening Guide

vSphere 5 Security Guide