The key network security policies you can set in the vSphere virtual networking environment are as follows:
Promiscuous mode
MAC address changes
Forged transmits
VMware recommends keeping all of these policies set to Reject. If there is a valid business
need for one of these features to be allowed, you can use per-port group settings to enable the
appropriate feature only for the specific VM or VMs that require such functionality. One
example we've used before is a network-based intrusion detection/intrusion prevention system
(IDS/IPS). Rather than allowing promiscuous mode—required for most IDS/IPS to work—on
the entire vSwitch, create a separate port group just for that VM and allow promiscuous mode
on that port group only.
When considering the security of your VMs, be sure to keep these network security policies
in mind, and be sure that they are configured for the correct balance of functionality versus
security.
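The per-port-group approach described above (vSwitch baseline at Reject, a single exception for the IDS/IPS sensor) is easy to drift away from over time, so it is worth auditing regularly. The following PowerCLI script is an added example and is not code from the book; it assumes PowerCLI is installed, that you have already run Connect-VIServer against vCenter or an ESXi host, and that the IDS/IPS port group is named "IDS-Sensors" (a placeholder name). It reports every standard vSwitch or port group whose effective policy is Accept and, only when run with -Remediate, resets them to Reject while granting the IDS port group promiscuous mode alone. Distributed switches are outside its scope.

```powershell
# Added example: audit and optionally remediate vSphere standard vSwitch security policies.
# Assumes: PowerCLI installed, an active Connect-VIServer session, and an IDS/IPS port group
# named 'IDS-Sensors' (placeholder; adjust to your environment).
param(
    [string]$IdsPortGroupName = 'IDS-Sensors',   # assumed name of the IDS/IPS sensor port group
    [switch]$Remediate                           # report only unless this switch is given
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[object]

foreach ($vsw in Get-VirtualSwitch -Standard) {
    # 1. vSwitch level: the baseline is Reject for all three policies.
    $swPol = Get-SecurityPolicy -VirtualSwitch $vsw
    if ($swPol.AllowPromiscuous -or $swPol.MacChanges -or $swPol.ForgedTransmits) {
        $findings.Add([pscustomobject]@{
            Host = $vsw.VMHost.Name; Level = 'vSwitch'; Object = $vsw.Name
            AllowPromiscuous = $swPol.AllowPromiscuous
            MacChanges       = $swPol.MacChanges
            ForgedTransmits  = $swPol.ForgedTransmits
        })
        if ($Remediate) {
            $swPol | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }

    # 2. Port group level: overrides inherit from the vSwitch unless explicitly set.
    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vsw) {
        $pgPol = Get-SecurityPolicy -VirtualPortGroup $pg
        $isIds = ($pg.Name -eq $IdsPortGroupName)

        # The IDS port group may override promiscuous mode to Accept; nothing else may.
        $unexpected = ($pgPol.AllowPromiscuous -and -not $isIds) -or
                      $pgPol.MacChanges -or $pgPol.ForgedTransmits
        $idsMissing = $isIds -and -not $pgPol.AllowPromiscuous

        if ($unexpected -or $idsMissing) {
            $findings.Add([pscustomobject]@{
                Host = $vsw.VMHost.Name; Level = 'PortGroup'; Object = $pg.Name
                AllowPromiscuous = $pgPol.AllowPromiscuous
                MacChanges       = $pgPol.MacChanges
                ForgedTransmits  = $pgPol.ForgedTransmits
            })
            if ($Remediate) {
                if ($isIds) {
                    # Explicit override for promiscuous mode only; MAC changes and forged
                    # transmits keep inheriting Reject from the vSwitch.
                    $pgPol | Set-SecurityPolicy -AllowPromiscuous $true `
                        -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
                } else {
                    # Drop all overrides so the port group inherits the vSwitch's Reject settings.
                    $pgPol | Set-SecurityPolicy -AllowPromiscuousInherited $true `
                        -MacChangesInherited $true -ForgedTransmitsInherited $true | Out-Null
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All standard vSwitches and port groups match the expected policy."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without -Remediate first and review the table; a port group with Accept on MAC address changes or forged transmits that nobody can explain is exactly the kind of drift the policies above are meant to catch. Running it with -Remediate is a change to host networking, so schedule it as you would any other host configuration change.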
Our next recommendation for securing VMs is much more general, but it is no less valid for that.
Keeping VMs Patched
As with your ESXi hosts and your vCenter Server computer, it's imperative to keep the guest
OSes in your VMs properly patched. Our experience has shown us that many security problems
could have been avoided with a proactive patching strategy for the guest OSes in the VMs.
In vSphere 4.x, you could use vSphere Update Manager (then called vCenter Update Manager)
to patch the guest OSes inside your VMs. From vSphere 5.0, this functionality has been removed,
and vSphere Update Manager—covered in detail in Chapter 4—focuses on keeping your ESXi
hosts patched and up-to-date. It's important, therefore, to deploy some sort of guest OS
patching solution that will help you ensure that your guest OSes remain patched and current with all
vendor-supplied security fixes and updates. In the next chapter, we'll delve into the process of
creating and managing VMs.
The Bottom Line
Configure and control authentication to vSphere. Both ESXi and vCenter Server have
authentication mechanisms, and both products can utilize local users and groups or users
and groups defined in external directories. Authentication is a basic tenet of security; it's
important to verify that users are who they claim to be. You can manage local users and
groups on your ESXi hosts using either the traditional vSphere Client or the command-line
interface (such as the vSphere Management Assistant). Both the Windows-based and the
Linux-based virtual appliance versions of vCenter Server can leverage Active Directory,
OpenLDAP, or local SSO accounts for authentication as well.
Master It You've asked an administrator on your team to create some accounts on an
ESXi host. The administrator is uncomfortable with the command line and is having a