Saturday, June 1, 2019

Security Recommendation and Hardening on Virtual Environments - Chapter Three




This post is the third part of a series of security recommendations for vSphere environments, following the previous two parts: Chapter One & Chapter Two.
In this section, I will explain some ESXi-related security considerations, so let's begin:

1. Keep the Audit Logs Persistent: If you install ESXi on media such as SD cards, the host does not store its data persistently on these types of disks, so after a host restart you will lose all of the system log files in the /var/log path. In this scenario, after the first boot you will also see a warning that "logs are stored on non-persistent storage", so you need to change the log location to a datastore (any storage, local or shared) to keep the logs safe even after the host reboots.

2. Set the Syslog Server: Generating asset logs and keeping them in a safe repository for examination and analysis is a main step in network management. ESXi hosts, as the most important components of a virtual infrastructure environment, must be fully monitored, so the major step is to configure a Syslog server to store and investigate the ESXi logs.

3. Secure NFS communication: NFS, the most popular file-sharing protocol on UNIX-based systems, is a popular NAS protocol and the best access method for sharing repositories of useful files such as ISO media between ESXi hosts. It is recommended to secure the NFS communication channel. If you plan to configure a Linux-based NFS server, use TLS/SSL encryption (v4, because of its standalone encryption), or implement Kerberos (v5, the latest version) as the authentication mechanism for the Windows Server NFS role. Attention: NEVER use anonymous access (no server authentication) for ESXi servers, even when only read-only access is granted.

4. Lockdown Mode: Lockdown mode hardens access to ESXi by preventing direct login to the host; the host is then accessible only from the local console or through management systems such as vCenter Server. It is crucial to choose carefully between Normal mode (DCUI / VC) and Strict mode (only VC), because if you permanently lose the vCenter Server, there is no way to manage the data center's ESXi hosts and you will have to reinstall them. So, before entering lockdown mode, provide at least one exception user that keeps its permissions. It is also highly recommended to consider lockdown mode only for the accounts/credentials of third-party solutions, such as monitoring, backup, etc.

5. vSphere Installation Bundle (VIB) Acceptance Level: There are four levels of trust that can be configured for the bundle files of a vSphere environment: VMware (Certified or Accepted) and Supported (Partner or Community). Select whichever you need, but do not trust Community Supported or even Partner Supported bundles; VMware Accepted, at least, is a good choice for this security setting.

6. Enable Host Encryption Mode: What does it do? Core dump files will always be encrypted. This option is useful whenever the host is at high risk of having its cryptographic data compromised.
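
A check for items 1, 2 and 5, as an added example that is not part of the original post: it parses the output of `esxcli system syslog config get` and `esxcli software acceptance get` and reports each setting as PASS or FAIL. The sample output is constructed, and the function names `field` and `audit_esxi` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# On a host the two inputs would come from:
#   esxcli system syslog config get
#   esxcli software acceptance get

# field NAME: read "NAME: value" lines on stdin, print the first value.
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# audit_esxi SYSLOG_CONFIG ACCEPTANCE_LEVEL
# Prints one PASS/FAIL line per check.
audit_esxi() {
    persistent=$(printf '%s\n' "$1" | field 'Local Log Output Is Persistent')
    logdir=$(printf '%s\n' "$1" | field 'Local Log Output')
    loghost=$(printf '%s\n' "$1" | field 'Remote Host')

    # Item 1: logs must survive a reboot.
    if [ "$persistent" = "true" ]; then
        echo "PASS logdir: $logdir is persistent"
    else
        echo "FAIL logdir: $logdir is lost on reboot"
    fi

    # Item 2: a remote syslog server must be configured.
    case "$loghost" in
        ''|'<none>') echo "FAIL loghost: no remote syslog server" ;;
        *)           echo "PASS loghost: $loghost" ;;
    esac

    # Item 5: the post accepts only the two VMware levels.
    case "$2" in
        VMwareCertified|VMwareAccepted) echo "PASS acceptance: $2" ;;
        *) echo "FAIL acceptance: $2 is below VMwareAccepted" ;;
    esac
    return 0
}

# Constructed sample: ESXi booted from an SD card, never hardened.
SAMPLE_SYSLOG='   Local Log Output: /scratch/log
   Local Log Output Is Configured: false
   Local Log Output Is Persistent: false
   Remote Host: <none>'

audit_esxi "$SAMPLE_SYSLOG" "PartnerSupported"
```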


