Posts Tagged ‘security’

How to check if your CPU supports hardware virtualization

If you are planning on re-purposing some of your existing server hardware to run the latest virtualization products or to take advantage of modern hardware optimizations for virtual hosts and machines, you need to be able to determine which of your servers already have Intel-VT or AMD-V features. Here are some utilities and commands you can use to check from both Windows and Linux operating systems.

Read the rest of this entry »

730 Days Later – Replace The VirtualCenter Default SSL Certificate

Yes, this post uses another movie reference.

In the film 28 Days Later the Rage virus infects the Island of Great Britain turning all but a few survivors into zombie-like monsters called “The Infected”. The virus was unleashed when animal activists released medical research chimpanzees which ended up attacking the activists and scientists. This post is about what could cause a similar rage 730 days after installing VirtualCenter, potentially causing VI administrators to become lifeless, rabid, and insane.

After installing VirtualCenter (VC), you should check the installed SSL certificate used by the VI Client because you will most likely need to manually replace it. After a fresh installation the default certificate expires in 730 days (or 2 years). If the certificate expires you will be unable to log in to the VirtualCenter Management Server using either the VI Client or the web administration interface.

Unfortunately, it is unclear to me at this writing if upgrading the VC Server within the 730 day period updates the certificate store. Read the rest of this entry »

New Patches Available for ESX 3.5 / 3i and ESX 3.01 / 3.02 – June 3, 2008

New patches have been released for ESX 3.5 / 3i, ESX 3.02, and ESX 3.01. Information from the email notifications I received is copied in this post. Looks like monthly patching has become a reality for VMware. That’s the ultimate proof of success, I guess. If it’s a popular product the chances of it being exploited are increased exponentially. Make sure your Update Manager server is working properly …

Read the rest of this entry »

Tripwire ConfigCheck – free utility that rapidly assesses the security of VMware ESX

VMware and Tripwire have released a free tool that analyzes the configuration of ESX servers and compares the results against established best practices. ConfigCheck is a free utility that downloads to your desktop, where you can easily assess whether your VMware virtual infrastructure is properly configured for security. According to Tripwire’s download page, the tool is available for both Windows and Linux. Tripwire ConfigCheck was developed as a no-cost introduction to the fully featured and licensed version of Tripwire Enterprise.

Both VMware and Tripwire have information about the free product on their websites. The following information from both sources provides a good summary about what the tool can do. Read the rest of this entry »

Virtual Security Solutions

When I first started VM /ETC by live blogging from VMworld 2007 last September, I posted a few entries about what I call “ton of bricks” moments. This usually happens to me when I am talking to vendors or other engineers about virtualization technologies, strategies or designs and I learn something new that is so simple but so important that it hits me like a ton of bricks. My first such moment at VMware’s Partner Exchange 2008 happened not because of a single conversation or breakout session, but because of a collection of virtual infrastructure security discussions.

Virtual infrastructure presents some unique security challenges to administrators. Sure, virtual machines are networked servers just like physical servers, and traditional security monitoring and intrusion detection products and processes can be deployed as usual. However, consolidation of servers has changed the attack surface from physical networking to virtualized networks contained within virtualization hosts. If a hacker were to compromise one of your VMs, could your current security monitoring alert you to any suspicious activity? What if the activity never reached the core network switch or even the physical NICs of the host server, but instead was kept internal to the host by only attempting to compromise the VMs that shared the virtual switches? What if an intruder brought his own VM and started it up on one of your virtualization hosts? Would you know it ever happened?

I have talked with several vendors this week that have solutions to provide visibility and monitoring of the internal virtual network activity and inter-VM communications. These solutions Read the rest of this entry »

Create a VI Client shortcut with pass through authentication

Did you know you can modify a VI Client shortcut to enable single sign-on to VirtualCenter? This is an undocumented feature that many blogs reported on in March, but most credit vinternals.com and the post VirtualCenter 2.5 Passthrough Authentication as the first to report this option.

“At last! VMware have finally added passthrough auth support in VC 2.5, although it is currently classed as experimental. This is something I have been waiting / asking about for quite some time. And even better, it’s on by default! To use it, simply add -passthroughAuth -s vchostname to the end of the shortcut used to launch the VI 2.5 client.

By default it uses the Negotiate SSPI provider, however since they have fully implemented the interface you can change that behaviour to use Kerberos by adding the following within the <vpxd> node in the vpxd.cfg file on the VC server:

<sspiProtocol>Kerberos</sspiProtocol>”

The screenshot of the VI Client shortcut was found at Pass Through Authentication with the VMware VI Client by Diary of a Bad Golfer.

There is also a VMware Communities thread at How to enable passthrough authentication in VMware VirtualCenter 2.5.

Create a vcbuser – VCB Best Practice

When you use VCB you have to specify either ESX root or VC2 administrator credentials. These credentials are stored, and easily found, in the required vcb-pre-backup and vcb-post-backup .bat files, and in the config.js file when using a third-party backup integration module. Therefore, a best practice is to create a new user that has only the permissions required for backing up VMs. The new user, vcbuser, will allow you to keep your administrator and root accounts secure.

In the latest version of VC, VC2.5, the vcbuser role and permissions are predefined and called “VMware Consolidated Backup User”. The steps in this post are intended only for VC2.02 and earlier.

To create the vcbuser do the following: Read the rest of this entry »
