Yellow Bricks

by Duncan Epping

Hytrust Labs….

Duncan Epping · May 13, 2010 ·

During VMware Tech Summit last week one of the few Labs I did get to do myself was the Hytrust Lab. Roughly a year ago I first got introduced to Hytrust.

Hytrust is a policy-driven appliance which enhances security and auditing for virtualized environments. Although I had seen multiple demos I had never actually played around with it. I must say I was pleasantly surprised at Tech Summit.

Hytrust sits in between you, the user/admin, and the vCenter/ESX. Basically it proxies the requests based on your role. If the role has no permissions on the specific “task” it will return a message stating “permission denied by Hytrust”.

Now that sounds cool, doesn’t it? I guess what was even more impressive was the fact that with Hytrust this also works on ESXi. Yes, you are reading that correctly: role-based “unsupported” mode access to ESXi, which is something VMware doesn’t even offer at the moment. I tested it, and it works great! (Yeah, I know it is still not supported, but it does offer a solution to those who need it.)

Another cool thing is the configuration templates for hosts. They basically enable assessment of the security configuration. Hytrust contains several pre-built templates including, for instance, VMware’s Security Hardening Best Practices. It offers not only assessment but also the option to remediate when needed.

And I haven’t even talked about the auditing functionality yet. As Hytrust proxies all commands, it is just a small step for them to log all the info and make it auditable….

After playing around with Hytrust I fully understand why Cisco invested; it rocks. Just try it out. The Community Edition, free for up to three hosts, is available here: Hytrust Appliance v2.0 Community Edition


Comments

  1. Mike says

    13 May, 2010 at 16:36

    as an FYI.. Reflex doesn’t provide the access control policies that Hytrust does, but we do provide the controlled access to ESX and ESXi consoles as well as a VERY comprehensive host configuration function. (in addition to all the other things we do)

    We introduced the concept of multiple configuration profiles, not just security (e.g. storage, HW, etc) that can be combined to make the complete host configuration.

    Servers can then be audited against the configuration as well as apply remediation. From the pure audit perspective, every configuration change of the Host is tracked and can be vetted via policy or provided as audit evidence.

    If you get a chance, you should take a look at the Reflex VMC and our new vProfile feature set.

  2. AJ Ciampa says

    14 May, 2010 at 20:22

    Duncan, you mention “role-based access” to ESXi. Does this work with Active Directory or LDAP or do you need to configure local accounts?

  3. Jason says

    14 May, 2010 at 22:41

    Works with AD/LDAP.

  4. AJ Ciampa says

    15 May, 2010 at 02:21

    Excellent. Thanks for the info and overview. This was one of the sessions I didn’t get to catch and knew nothing about.

  5. Duncan Epping says

    16 May, 2010 at 13:00

    AJ I will email you some extra info 🙂

  6. AJ Ciampa says

    16 May, 2010 at 21:19

    That would be awesome! Thanks Duncan!

  7. Mark Rodman, Xtra Effort says

    9 June, 2010 at 22:09

    How does this compare to Xtra Effort’s client http://www.Aveksa.com

  8. protocol says

    16 June, 2010 at 08:03

    There is yet another product which provides many features along with this for virtualization platform
    Check out…
    http://www.redcannon.com/products/enforcer_esx.html


About the Author

Duncan Epping is a Chief Technologist and Distinguished Engineering Architect at Broadcom. Besides writing on Yellow-Bricks, Duncan is the co-author of the vSAN Deep Dive and the vSphere Clustering Deep Dive book series. Duncan is also the host of the Unexplored Territory Podcast.
