
Yellow Bricks

by Duncan Epping


security

Hytrust, virtualization under control

Duncan Epping · Apr 7, 2009 ·

A few weeks ago I had a conference call with an unknown company, well at least for me it was still unknown. Eric Chiu contacted me to ask whether he and his team could demonstrate their new product.

HyTrust's product is an appliance, available both as a virtual and as a physical appliance. As a virtualization consultant, of course, the virtual appliance is what interested me the most. The HT appliance ensures host security and authentication compliance. It's not only a single point of management for security and authentication but also a single point of authentication. This may sound weird, but the HT appliance acts as an authentication/security proxy in front of the hosts. This makes, for instance, configuring Active Directory based authentication a matter of seconds. Or what about giving a specific group of people the permission to run a specific command, or denying them the permission to run that command.

I really liked what HyTrust demoed and I think it's a very useful tool for those who need to enforce security policies, audit hosts and vCenter, or keep extensive logging.

I can try to explain what the HT appliance exactly does, but it’s a lot easier to just check this youtube demo of the appliance:

You can find more info here:

  • http://blog.scottlowe.org/2009/04/06/hytrust-launches-security-appliance/
  • http://kensvirtualreality.wordpress.com/2009/04/06/hytrust-appliance/
  • http://www.rationalsurvivability.com/blog/?p=691
  • http://professionalvmware.com/2009/04/07/virtually-secure-hytrust-launches-virtual-security-appliance/

vWire Opscheck

Duncan Epping · Feb 17, 2009 ·

It seems Tripwire is preparing a new toolkit. Opscheck is the first of more to come that has been released.

Tripwire created a new website / community called vWire. They moved Configcheck over to vWire and added Opscheck to the list. Configcheck identifies possible security vulnerabilities, while Opscheck checks for VMware VMotion support by rapidly analyzing ESX 3.0, 3.5, and ESXi hypervisors.

The next thing to expect from Tripwire, euuhm vWire, euuuh… is vWire Solution. You can sign up for the announcement at the vWire website.

How to use trusted certificates with SRM

Duncan Epping · Jan 15, 2009 ·

When we were playing around with Site Recovery Manager last week we had the opportunity to ask a bunch of questions to Lee Dilworth. Lee is a Specialist System Engineer for Site Recovery Manager. During the discussion Lee told us about a document that Horst Mundt, also a VMware employee, wrote about using trusted certificates. We received the document via email and I wanted to share this with you. After a quick search on the internet I noticed that Horst already uploaded his document to VI:OPS:

SRM establishes a secure connection between the protected and the recovery site.

There are two options for authentication: Credential based or certificate based.

If you install SRM into an existing environment, make sure to choose the method that is appropriate for your environment.

If you have not changed the default certificates that were installed by the VMware vCenter server setup then go for credential based authentication. You do not need to read this document.

If you have installed SSL certificates issued by a trusted CA on your VMware vCenter servers then go for certificate based authentication. The document explains how certificates need to be setup in order for this to work.

Virtualization Security Roundtable Podcast

Duncan Epping · Jan 14, 2009 ·

Most of you are familiar with the VMTN Podcasts by now, which are hosted by VMware's John Troyer. One of the regulars of the VMTN podcast, Edward Haletky (also known as Texiwill on VMTN and Twitter), formed a panel of security experts and will start a new podcast: The Virtualization Security Round Table Podcast. Those who listen to the VMTN Podcast know how passionate Edward is about security and virtualization, so expect these weekly roundtables to be at least on the same level as the VMTN podcasts.

Info about the podcasts can be found on Edward's website:

Episode 1: First Panel Talkshoe on Thursday 15 January 2009 at 2:30 PM EST / 20:30 (CEST): http://www.talkshoe.com/tc/34217

Expect the following topics to be discussed in the near future:

  • Use of Virtualization in a DMZ.
  • Review of security lockdown standards/benchmarks and tools
  • Virtualization Security in shared and dedicated hosting environments
  • Providing VaaS (VMware as a Service) securely to SMBs for DR.
  • How virtualization security relates to cloud computing security
  • Top 3 security issues
  • Optimal Network configuration and design for security
  • How to accommodate small / medium and home businesses
  • Disaster recovery options – small, medium, large businesses
  • VLANs as a Security measure with vSwitch Security

If you've got ideas / topics for the roundtable, hit Edward up on the VMTN forum or via Twitter. And of course it's also possible to just drop your questions during the podcast on the Talkshoe chat. Mark the date in your agenda: every week on Thursday at 2:30 PM EST / 20:30 (CEST)!

Permissions and roles

Duncan Epping · Jan 13, 2009 ·

I was just troubleshooting a problem with permissions and roles within vCenter at a customer site. For some weird reason we could not create a VM. I hardly ever use this functionality, and if I do it's mostly on a "Hosts & Clusters" level.

This customer wanted to set permissions on a "HA-DRS" Cluster level. Each cluster will be administered by a different group of admins. These admins should not be allowed to do any administrative tasks on one of the other clusters in vCenter. Half of the setup worked, as in the admins could do certain tasks on the ESX hosts, but there was no way they could create VMs.

I browsed through my documentation but couldn't find anything useful; luckily VI:OPS contained an excellent document on this topic: VI3 Roles and Permissions.

I did a copy and paste of the information that clarified the problem we were facing:

VMs appear in the inventory in two places: under the "Virtual Machines and Templates" view and the "Hosts and Clusters" view. This is also reflected in their privilege inheritance: VMs inherit privileges from both the containing host/cluster object as well as the containing VM/Template folder. Under Hosts and Clusters, possible containing objects include: folders, clusters, hosts, and resource pools. The two views and hierarchies become unified at the top level datacenter (or any folder that contains the datacenter).

Certain tasks require privileges on both sides of the hierarchy. For example, to create a VM, you need to have the "VM > Inventory > Create" privilege on a VM folder (in the VM view) as well as "Resource > Assign VM to Resource Pool" somewhere on an object in the Host view (folder, cluster, host, or resource pool). If you have a role which contains both these privileges, and you assign it at the datacenter level, it will propagate down both sides of the hierarchy. If, however, you want to limit its scope, then you'd need to apply it separately to individual subsections on each side of the hierarchy.

In other words, creating VMs requires permissions on both sides of the hierarchy: on the VM folder (or the "Datacenter" above it) as well as on the "Cluster".
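To make the two-sided inheritance concrete, here is a small model of it in Python. This is an added example, not code from the post or from VMware: the inventory objects and the group name are constructed, the privilege names are the labels from the quoted document rather than vCenter's internal privilege IDs, and effective privileges are simplified to the union of everything granted on the object or a propagating ancestor (real vCenter lets a permission set on a child object override the parent's). It reproduces the failure from the post (role on the cluster only) and the two fixes (role on the datacenter, or on the cluster plus its VM folder).

```python
"""Toy model of vCenter's dual privilege inheritance (constructed example, not
VMware code). A VM lives in both the Hosts & Clusters view and the VMs &
Templates view; creating one needs a privilege on each side."""
from dataclasses import dataclass

# Constructed inventory: both hierarchies meet at the datacenter.
PARENT = {
    "Datacenter": None,
    "ClusterA": "Datacenter",   # Hosts & Clusters side
    "ClusterB": "Datacenter",
    "esx01": "ClusterA",
    "esx02": "ClusterB",
    "VMFolderA": "Datacenter",  # VMs & Templates side
    "VMFolderB": "Datacenter",
}

# Privilege names as written in the quoted VI:OPS document (not internal IDs).
CREATE = "VM > Inventory > Create"
ASSIGN = "Resource > Assign VM to Resource Pool"


@dataclass(frozen=True)
class Permission:
    """A role (set of privileges) granted to a principal on one inventory object."""
    principal: str
    obj: str
    privileges: frozenset
    propagate: bool = True


def ancestors(obj):
    """Yield obj itself, then each parent up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def effective_privileges(perms, principal, obj):
    """Simplified: union of privileges granted on obj or on a propagating ancestor."""
    granted = set()
    for node in ancestors(obj):
        for p in perms:
            if p.principal == principal and p.obj == node and (node == obj or p.propagate):
                granted |= p.privileges
    return granted


def can_create_vm(perms, principal, vm_folder, host_side_obj):
    """Create needs CREATE on the VM folder and ASSIGN on the host-side target."""
    return (CREATE in effective_privileges(perms, principal, vm_folder)
            and ASSIGN in effective_privileges(perms, principal, host_side_obj))


ROLE = frozenset({CREATE, ASSIGN})
GROUP = "clusterA-admins"  # constructed principal

# Scenario 1 (the post's problem): role on the cluster only.
cluster_only = [Permission(GROUP, "ClusterA", ROLE)]
# Scenario 2: role on the datacenter, propagating down both hierarchies.
datacenter = [Permission(GROUP, "Datacenter", ROLE)]
# Scenario 3: scoped fix, cluster plus its matching VM folder.
scoped = [Permission(GROUP, "ClusterA", ROLE), Permission(GROUP, "VMFolderA", ROLE)]


def scenarios():
    """Evaluate create-VM for each scenario; keys are scenario names."""
    return {
        "cluster_only": can_create_vm(cluster_only, GROUP, "VMFolderA", "esx01"),
        "datacenter": can_create_vm(datacenter, GROUP, "VMFolderA", "esx01"),
        "scoped_own_cluster": can_create_vm(scoped, GROUP, "VMFolderA", "esx01"),
        "scoped_other_cluster": can_create_vm(scoped, GROUP, "VMFolderA", "esx02"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'can' if ok else 'cannot'} create VM")
```

The "cluster_only" scenario fails because the folder side never receives the Create privilege, while "scoped_other_cluster" shows that the scoped assignment still keeps the group out of ClusterB, which is exactly the separation the customer wanted.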

About the Author

Duncan Epping is a Chief Technologist and Distinguished Engineering Architect at Broadcom. Besides writing on Yellow-Bricks, Duncan is the co-author of the vSAN Deep Dive and the vSphere Clustering Deep Dive book series. Duncan is also the host of the Unexplored Territory Podcast.
