When considering how to secure the various components involved in a vSphere environment,
you must consider the following three aspects to security:
Authentication
Authorization
Accounting
This model—often referred to as the AAA model—describes the way in which a user must
be authenticated (properly identified as who they claim to be), authorized (enabled or permitted
to perform a task, which also includes network access controls), and accounted for (all actions
are tracked and logged for future reference). In using this AAA model, you can ensure that
you've covered the key aspects of securing the different components of a vSphere environment.
We'll use the AAA model as a rough guideline to structure the discussion of securing vSphere
in this chapter.
As you work your way through this chapter, keep in mind that some of the recommendations
we make here have absolutely nothing to do with virtualization. Because virtualizing with
vSphere affects many areas of the datacenter, you must also consider those areas when you look
at security. Further, some of the recommendations we make are made elsewhere in the topic, so
you might see some duplicate information. Security should be woven into every aspect of your
vSphere design and implementation, so it's completely natural that you'll see some of the same
tips during this focused discussion on security.
The first components we discuss securing are the ESXi hosts.
Securing ESXi Hosts
VMware ESXi sits at the heart of vSphere, so any discussion of how to secure vSphere includes
a discussion on how to secure ESXi. In the following sections, we'll discuss securing your ESXi
hosts using the AAA model as a guiding framework, starting with the concept of authentication.
Working with ESXi Authentication
The majority of what you need to do as a vSphere administrator involves working with vCenter
Server. Even so, it's still necessary to discuss how ESXi handles user authentication, because
the mechanism vCenter Server uses to manage ESXi hosts also relies on ESXi authentication.
Additionally, there are occasions where it might be necessary to connect directly to an ESXi
host. Although using vCenter Server eliminates the largest part of the need to connect directly
to an ESXi host, the need does not go away entirely. There are instances when a task cannot be
accomplished through vCenter Server, such as, for example, in the following situations:
vCenter Server is not available or is down.
You are troubleshooting ESXi boot and configuration problems.
Because the need to authenticate to ESXi still exists (even if you are authenticating indirectly
through vCenter Server), you need to understand the options for managing users and groups on
ESXi hosts. There are two basic options: managing users and groups locally on each host or
integrating with Active Directory. We'll cover each of these options in the following sections.
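An added PowerCLI example, not from the book, that reports which of those two options each ESXi host managed by vCenter Server is actually using, so hosts still relying only on local users and groups stand out. It assumes VMware PowerCLI is installed and that Connect-VIServer has already been run against vCenter Server.

```powershell
# Added audit example (not from the book): for every ESXi host the connected
# vCenter Server manages, show whether it is joined to Active Directory or
# still authenticates users only against its local user and group database.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
function Get-EsxiAuthReport {
    foreach ($h in Get-VMHost) {
        $auth = Get-VMHostAuthentication -VMHost $h
        [pscustomobject]@{
            Host   = $h.Name
            # An empty Domain means the host is not joined to Active Directory,
            # so only accounts defined locally on that host can authenticate.
            Mode   = if ($auth.Domain) { 'ActiveDirectory' } else { 'Local' }
            Domain = $auth.Domain
            # 'Ok' is the healthy join state reported by the vSphere API;
            # any other value on a joined host should be investigated.
            Status = $auth.DomainMembershipStatus
        }
    }
}

# Hosts in 'Local' mode are the ones whose accounts must be managed one by one.
Get-EsxiAuthReport | Sort-Object Mode, Host | Format-Table -AutoSize
```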