
Yellow Bricks

by Duncan Epping


security

New beta of the vSphere 5.5 U1 Hardening Guide released

Duncan Epping · May 28, 2014 ·

Mike Foley just announced the new release of the vSphere 5.5 U1 Hardening Guide. Note that it is still labeled a “beta” as Mike is still gathering feedback; the document should be finalized in the first week of June.

For those concerned about security, this is an absolute must read! As always, before implementing ANY of these recommendations, make sure to apply them on a test cluster first and verify the expected functionality of both the vSphere platform and the virtual machines and applications running on top of it.

Nice work Mike!

Hardening recommendation to set limits on VMs or Resource Pools?

Duncan Epping · Jul 25, 2013 ·

I received a question last week about a recommendation in the vSphere 5.1 Hardening Guide. The recommendation reads as follows:

By default, all virtual machines on an ESXi host share the resources equally. By using the resource management capabilities of ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host’s resources that other virtual machines on the same host cannot perform their intended functions.

Now it might be just me, but I don’t get the recommendation, and my answer to this customer was as follows:
Virtual machines can never use more CPU/memory resources than provisioned. For instance, when 4GB of memory is provisioned for a virtual machine, the Guest OS of that VM will never consume more than 4GB. The same applies to CPU: if a VM has a single vCPU, then that VM can never consume more than a single core of a CPU.

So how do I limit my VM? First of all: right sizing! If your VM needs 4GB, then don’t provision it with 12GB, as at some point it will consume it. Secondly: shares. Shares are the easiest way to ensure that the “noisy neighbor” isn’t pushing away the other virtual machines. Even by leaving the shares at their default you ensure that at least all “alike VMs” have more or less the same priority when it comes to resources. So what about limits?

Try to avoid (VM level) limits at all times! Why? Well, look at memory for a second: let’s say you provision your VM with 4GB and limit it to 4GB, and now someone changes the memory to 8GB but forgets to change the limit. So what happens? Your VM uses up the first 4GB and moves into the “extra 4GB”, but the limit is still there, so the VM will experience memory pressure and you will see ballooning, swapping, etc. Not a scenario you want to find yourself in, right? Indeed! What about CPU then? Well, again, it is a hard limit in ALL scenarios. So if you set a 1GHz limit but have a 2.3GHz CPU, your VM will never consume the 2.3GHz. A waste? Yes it is. And it is not just VM level limits; there is also an operational impact with resource pool limits.

I can understand what the hardening guide is suggesting, but believe me, you don’t want to go there. So let it be clear: AVOID using limits at all times!
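The “resized the VM, forgot the limit” scenario above is easy to catch in an inventory audit. The check below is an added example, not code from the post; its field names mirror the vSphere API (hardware.memoryMB, hardware.numCPU, memoryAllocation.limit in MB, cpuAllocation.limit in MHz, -1 meaning unlimited), and the inventory is constructed sample data standing in for what pyVmomi or PowerCLI would return.

```python
"""Audit VM-level CPU/memory limits for the failure modes described above.

The VmConfig fields follow VirtualMachineConfigInfo from the vSphere API:
hardware.memoryMB, hardware.numCPU, memoryAllocation.limit (MB, -1 = unlimited)
and cpuAllocation.limit (MHz, -1 = unlimited). INVENTORY is constructed sample
data (assumption), not a real environment.
"""
from dataclasses import dataclass

UNLIMITED = -1  # vSphere encodes "no limit" as -1


@dataclass(frozen=True)
class VmConfig:
    name: str
    memory_mb: int
    num_cpu: int
    mem_limit_mb: int = UNLIMITED
    cpu_limit_mhz: int = UNLIMITED


# Constructed inventory: one clean VM, one resized 4GB->8GB with the old
# 4GB limit left in place, one with a 1GHz CPU cap on a 2.3GHz core.
INVENTORY = [
    VmConfig("web01", memory_mb=4096, num_cpu=1),
    VmConfig("db01", memory_mb=8192, num_cpu=2, mem_limit_mb=4096),
    VmConfig("app01", memory_mb=4096, num_cpu=1, cpu_limit_mhz=1000),
]


def audit_limits(vms, host_core_mhz):
    """Return (vm_name, severity, message) tuples.

    HIGH: the memory limit is already below what the guest sees, so memory
    pressure (ballooning/swapping) is guaranteed once the guest uses its RAM.
    POLICY: a limit is set at all; the post recommends shares and right-sizing
    instead, and shows how much provisioned CPU the limit leaves unreachable.
    """
    findings = []
    for vm in vms:
        if vm.mem_limit_mb != UNLIMITED:
            if vm.mem_limit_mb < vm.memory_mb:
                findings.append((vm.name, "HIGH",
                                 f"memory limit {vm.mem_limit_mb} MB is below configured {vm.memory_mb} MB"))
            else:
                findings.append((vm.name, "POLICY",
                                 f"memory limit set ({vm.mem_limit_mb} MB); prefer shares and right-sizing"))
        if vm.cpu_limit_mhz != UNLIMITED:
            provisioned = vm.num_cpu * host_core_mhz
            reachable = min(vm.cpu_limit_mhz, provisioned) / provisioned
            findings.append((vm.name, "POLICY",
                             f"CPU limit {vm.cpu_limit_mhz} MHz caps the VM at {reachable:.0%} of its {provisioned} MHz provisioned capacity"))
    return findings
```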

Network port diagram for vSphere 5.x

Duncan Epping · Jul 10, 2013 ·

Somehow I missed this one, but as I reviewed the diagram and helped select the right format, I figured I would still share it. This Network port diagram for vSphere 5.x is an awesome resource for those folks who want to get to the bottom of how the components interact with each other.

I don’t think there is a lot more I can say about it; those who love diagrams and like to know the details, make sure to hit: http://kb.vmware.com/kb/2054806

Working with CA signed certificates in your vSphere environment?

Duncan Epping · Oct 30, 2012 ·

Are you working with CA signed certificates in your vSphere environment? You might want to check out these recently published KB articles. They will definitely help in understanding the whole process of installing and configuring them. (Thanks Simon for pointing these out!)

  • Configuring CA signed certificates for VMware vCenter Server 5.0.x
    http://kb.vmware.com/kb/2015421
  • Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1
    http://kb.vmware.com/kb/2036744
  • Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1
    http://kb.vmware.com/kb/2037581
  • Creating certificate requests and certificates for the vCenter 5.1 components
    http://kb.vmware.com/kb/2037432
  • Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1
    http://kb.vmware.com/kb/2035011
  • Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1
    http://kb.vmware.com/kb/2035010
  • Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1
    http://kb.vmware.com/kb/2035009
  • Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment
    http://kb.vmware.com/kb/2015387
  • Configuring CA signed certificates for ESXi 5.x hosts
    http://kb.vmware.com/kb/2015499
  • Configuring CA signed certificates for vCenter 5.1
    http://kb.vmware.com/kb/2035005
  • Implementing CA signed SSL certificates with vSphere 5.0
    http://kb.vmware.com/kb/2015383
  • Implementing CA signed SSL certificates with vSphere 5.1
    http://kb.vmware.com/kb/2034833

vSphere 5.0 Hardening Guide public draft available

Duncan Epping · Apr 18, 2012 ·

One of the things my team is responsible for is security of the cloud infrastructure suite. They have worked really hard the last couple of months on overhauling the vSphere Hardening Guide. Today the public draft was published. (Thanks Charu, Grant and Kyle!)

One of the major changes is the format of the guide. It has been poured into an Excel spreadsheet, making it easier to filter, sort and edit. Please take a look at the guide, and if there is any feedback, don’t hesitate to comment on the community forum thread! The final version of the document should be published mid-May.
