Wednesday, June 24, 2020

Some useful ESXCLI commands


ESXCLI is a set of command-line namespaces for managing most parts of an ESXi host, gathering information about many aspects of the hypervisor, and modifying important settings in the Networking, Storage and System areas of the platform.
Although I have published a video series about how to work with ESXCLI on my YouTube channel (and more parts are coming soon), in this post I want to review the output of some of the ESXCLI list and get commands:



Sunday, June 21, 2020

Security Recommendation and Hardening on Virtual Environments - Chapter Four


Following the earlier chapters of the "Security Recommendation & Hardening" series (Chapter One, Two and Three), in this part I write about some other important settings and requirements:

1. Implement the vSphere Update Manager (VUM): Updating/upgrading each of the critical components of the virtual infrastructure is a vital procedure. An ESXi host can be upgraded manually via the ESXCLI command-lines, but to do this more accurately and consistently across the whole environment, deploy VUM inside the vSphere environment. With VUM it is easy to synchronize the update repository so that new updates are received for ESXi hosts, VMware Tools and virtual hardware, virtual appliances, and related VMware and 3rd party components (such as host extensions). We can even import new installation sources/update files into the VUM repository and remediate the vSphere components at scheduled intervals. Note that vCenter Server itself is not patched by VUM, and that in vSphere 7 the role of VUM is taken over by vSphere Lifecycle Manager.

2. Disable access to the MOB: The Managed Object Browser is a web-based interface (https://<host>/mob) used for debugging via the vSphere SDK. It lets you explore, and also change, the configuration of the object model that the host agent (hostd) uses to manage the ESXi host, so it is a direct way to alter host configuration with nothing more than a browser and valid credentials. Since vSphere 6.0 it is disabled by default on ESXi hosts (the advanced setting Config.HostAgent.plugins.solo.enableMob is false), but it is still enabled on vCenter Server, and on older ESXi versions you should disable it if you don't really need it, in line with the security considerations.

3. Restrict Inter-VM TPS: Transparent Page Sharing is a memory de-duplication technique that lets identical memory pages be shared between virtual machines, so the ESXi host can reclaim the redundant copies and keep only one, shared by multiple VMs. Academic research has shown that TPS can be leveraged to gain unauthorized access to data under certain highly controlled conditions. VMware considers the risk of TPS being used to gather sensitive information to be low, but it still recommends restricting or disabling TPS between VMs (Inter-VM TPS). TPS remains permitted inside an individual VM (Intra-VM TPS), and since vSphere 6.0 (and the corresponding 5.x updates) Inter-VM TPS is disabled by default through page salting: with the host setting Mem.ShareForceSalting = 2 every VM gets its own salt, and pages are only shared between VMs whose salt (the sched.mem.pshare.salt VMX option) is identical. Setting Mem.ShareForceSalting back to 0 restores the old behaviour, so check the value on every host instead of assuming the default.
For more information about this feature and its security considerations, see the following VMware Knowledge Base articles:
KB2080735, KB2097593, KB2091682
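As an added example (not part of the original post), the following PowerCLI script audits the two host-level settings from items 2 and 3 across every ESXi host managed by a vCenter Server, and only changes them when run with -Remediate. The vCenter name vcsa.example.com and the Set-TpsSharingGroup helper are my own assumptions; the setting names are the ones documented by VMware.

```powershell
# Added example: audit (and optionally fix) MOB and TPS salting on all ESXi hosts.
# Assumes the VMware.PowerCLI module is installed and that vcsa.example.com
# (hypothetical name) is a reachable vCenter Server.
param(
    [string]$Server = 'vcsa.example.com',
    [switch]$Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

# Hardened values (these are also the defaults since vSphere 6.0).
$expected = @{
    'Config.HostAgent.plugins.solo.enableMob' = $false   # MOB disabled
    'Mem.ShareForceSalting'                   = 2        # salted TPS: no inter-VM sharing by default
}

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    foreach ($name in $expected.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        if ($null -eq $setting) {
            Write-Warning "$($vmhost.Name): setting $name not found (older ESXi build?)"
            continue
        }
        # Values come back as Boolean or Int64; compare their string form.
        $compliant = ("$($setting.Value)" -eq "$($expected[$name])")
        [pscustomobject]@{
            Host      = $vmhost.Name
            Setting   = $name
            Value     = $setting.Value
            Expected  = $expected[$name]
            Compliant = $compliant
        }
        if (-not $compliant -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $expected[$name] -Confirm:$false | Out-Null
            Write-Host "$($vmhost.Name): $name set to $($expected[$name])"
        }
    }
}

# Hypothetical helper: let a named group of VMs share pages with each other only.
# With Mem.ShareForceSalting = 2 the host uses sched.mem.pshare.salt as the salt,
# so only VMs carrying an identical salt can share pages; the VM reads the option
# at power-on.
function Set-TpsSharingGroup {
    param([string[]]$VMName, [string]$Salt)
    foreach ($vm in Get-VM -Name $VMName) {
        $existing = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt'
        if ($existing) {
            Set-AdvancedSetting -AdvancedSetting $existing -Value $Salt -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -Value $Salt -Confirm:$false | Out-Null
        }
    }
}
# Example (VM names are assumptions): Set-TpsSharingGroup -VMName 'web01','web02' -Salt 'web-tier'

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without -Remediate first and keep the report: a host with Mem.ShareForceSalting = 0 or enableMob = True is a finding in itself, because both values have to be changed deliberately on a 6.x host.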

4. Remove unused devices: Leaving media connected to VMs, such as ISO files or other removable devices that were used for temporary tasks like guest OS installation, and forgetting to remove them afterwards, is a bad but sadly common administration habit. It can cause problems, especially when a host fails or a VM reboots: an ISO on a local datastore or a client device blocks vMotion and can prevent the VM from powering on somewhere else, and a VM left booting from stale media may not boot its guest OS successfully. Unneeded devices (CD/DVD, floppy, serial, parallel and USB) are also an extra guest-to-host channel that the vSphere Security Configuration Guide recommends removing. So always keep in mind to remove any unnecessary connected devices from your virtual machines.

5. Monitor VMDirectPath I/O activities: For performance reasons we may need the DirectPath I/O passthrough feature to dedicate a physical device of the ESXi host to a virtual machine. However, such a VM is tied to that host: it cannot be vMotioned, and during an HA event, when a host belonging to a cluster fails and HA tries to restart the VM on a healthy host inside the cluster, the restart fails because the dedicated device is not present there. So always try to avoid using a dedicated device for your VMs, or add a VM override in the cluster settings and choose the disabled action for the "host isolation response" of those specific VMs with passthrough devices, and keep an inventory of which VMs carry such devices so that the failure mode is known before it happens.
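As an added example (not part of the original post), this PowerCLI script reports the VM-level issues from items 4 and 5: drives that still have media attached, floppy drives that should not exist, and VMs with a VMDirectPath I/O device. With -Remediate it detaches the media, removes the floppy drives and applies the per-VM HA override recommended above. The vCenter name vcsa.example.com is an assumption.

```powershell
# Added example: find VMs with attached media or passthrough devices and optionally fix them.
# Assumes the VMware.PowerCLI module and a vCenter reachable as vcsa.example.com (hypothetical).
param(
    [string]$Server = 'vcsa.example.com',
    [switch]$Remediate
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

$report = foreach ($vm in Get-VM | Sort-Object Name) {
    # Item 4: CD/DVD drives still backed by an ISO or a host device, or currently connected.
    foreach ($cd in Get-CDDrive -VM $vm) {
        if ($cd.IsoPath -or $cd.HostDevice -or $cd.ConnectionState.Connected) {
            [pscustomobject]@{ VM = $vm.Name; Issue = 'CD/DVD media attached'; Detail = "$($cd.IsoPath)$($cd.HostDevice)" }
            if ($Remediate) {
                # Detach the media (backing becomes a disconnected client device); the drive stays.
                Set-CDDrive -CD $cd -NoMedia -Confirm:$false | Out-Null
            }
        }
    }
    # Item 4: floppy drives are rarely needed at all; removal requires the VM to be powered off.
    foreach ($fd in Get-FloppyDrive -VM $vm) {
        [pscustomobject]@{ VM = $vm.Name; Issue = 'Floppy drive present'; Detail = $fd.FloppyImagePath }
        if ($Remediate -and $vm.PowerState -eq 'PoweredOff') {
            Remove-FloppyDrive -Floppy $fd -Confirm:$false
        }
    }

    # Item 5: a passthrough device ties the VM to this host; HA cannot restart it elsewhere.
    $pt = Get-PassthroughDevice -VM $vm
    if ($pt) {
        [pscustomobject]@{ VM = $vm.Name; Issue = 'VMDirectPath I/O device'; Detail = ($pt.Name -join '; ') }
        if ($Remediate -and $vm.HAIsolationResponse -ne 'DoNothing') {
            # Per-VM HA override: disabled host isolation response, as recommended in the post.
            Set-VM -VM $vm -HAIsolationResponse DoNothing -Confirm:$false | Out-Null
        }
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

The report is worth scheduling on its own: a VM that reappears in it after remediation means someone is reattaching media or adding devices outside the change process.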

Some of the titles in this chapter are not strictly security topics, but a lack of attention to these matters can lead to security breaches in the future, especially in the area of guest OS servicing.


Saturday, June 20, 2020

Configure the NSX manager appliance

Job done, the second part is ready to watch 😇 It's easy to work with the NSX manager appliance, so enjoy this video while you drink a cup of coffee or tea, and be ready for the real NSX configuration in the next parts ...

Sunday, June 14, 2020

What is SDN? VMware NSX introduction

At last I did it: the preparation of this video clip is finished: NSX introduction.
The next part of this video series is about "How to manage the NSX manager appliance", and I promise it will come soon ;)

Thursday, June 11, 2020

Setup Microsoft Active Directory and define Forest, Tree & Child Domain

The initial steps of the Active Directory installation, after which I define what the Forest, Tree, Domain and other related terms are ...

I will start a new journey soon ...