VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment


Overview

Complete hands-on help for securing VMware vSphere and Virtual Infrastructure, by Edward Haletky, author of the best-selling VMware book VMware ESX Server in the Enterprise.

As VMware has become increasingly ubiquitous in the enterprise, IT professionals have become increasingly concerned about securing it. Now, for the first time, leading VMware expert Edward Haletky brings together comprehensive guidance for identifying and mitigating virtualization-related security threats on all VMware platforms, including vSphere, the new cloud computing platform.

This book reflects the same hands-on approach that made Haletky’s VMware ESX Server in the Enterprise so popular with working professionals. Haletky doesn’t just reveal where you might be vulnerable; he tells you exactly what to do and how to reconfigure your infrastructure to address the problem.

VMware vSphere and Virtual Infrastructure Security begins by reviewing basic server vulnerabilities and explaining how security differs on VMware virtual servers and related products. Next, Haletky drills deep into the key components of a VMware installation, identifying both real and theoretical exploits, and introducing effective countermeasures.

Coverage includes

• Viewing virtualization from the attacker’s perspective, and understanding the new security problems it can introduce

• Discovering which security threats the vmkernel does (and doesn’t) address

• Learning how VMsafe enables third-party security tools to access the vmkernel API

• Understanding the security implications of VMI (the paravirtualization interface), paravirtualization in general, and VMware Tools

• Securing virtualized storage: authentication, disk encryption, virtual storage networks, isolation, and more

• Protecting clustered virtual environments that use VMware High Availability (HA), Distributed Resource Scheduler (DRS), Fault Tolerance, vMotion, and Storage vMotion

• Securing the deployment and management of virtual machines across the network

• Mitigating risks associated with backup, performance management, and other day-to-day operations

• Using multiple security zones and other advanced virtual network techniques

• Securing Virtual Desktop Infrastructure (VDI)

• Auditing virtual infrastructure, and conducting forensic investigations after a possible breach

informit.com/ph www.Astroarch.com


Product Details

  • ISBN-13: 9780137158003
  • Publisher: Prentice Hall
  • Publication date: 7/8/2009
  • Edition description: New Edition
  • Pages: 521
  • Product dimensions: 6.90 (w) x 9.10 (h) x 1.20 (d)

Meet the Author

Edward L. Haletky is the author of the well-received book VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers. A virtualization expert, Edward has been involved in virtualization host security discussions, planning, and architecture since VMware ESX version 1.5.x. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting, and development. Edward is a 2009 VMware vExpert, Guru, and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward moderates the Virtualization Security Roundtable Podcast held every two weeks where virtualization security is discussed in depth. Edward is DABCC’s Virtualization Security Analyst.

Edward is the Virtualization Security Analyst at www.virtualizationpractice.com.

Tim Pierson has been a technical trainer for the past 23 years and is an industry leader in both security and virtualization. He has been a noted speaker at many industry events, including Novell's BrainShare, Innotech, and GISSA, and at many military venues, including the Pentagon and numerous facilities addressing security in both the United States and Europe. He is a contributor to secure coding best practices and coauthor of the Global Knowledge Windows 2000 Boot Camp courseware.

Tom Howarth is DABCC’s Data Center Virtualization Analyst. Tom is a moderator of the VMware Communities Forums. Tom owns TCA Consulting and PlanetVM.Net. He regularly designs large virtualization projects for enterprises in the U.K. and elsewhere in EMEA. Tom received the VMware vExpert 2009 award.


Table of Contents

Chapter 1: WHAT IS A SECURITY THREAT? (p. 1)
  The 10,000 Foot View without Virtualization (p. 2)
  The 10,000 Foot View with Virtualization (p. 4)
  Applying Virtualization Security (p. 5)
  Definitions (p. 10)
    Threat (p. 11)
    Vulnerability (p. 11)
    Fault (p. 11)
  The Beginning of the Journey (p. 12)

Chapter 2: HOLISTIC VIEW FROM THE BOTTOM UP (p. 15)
  Attack Goals (p. 16)
  Anatomy of an Attack (p. 17)
    Footprinting Stage (p. 17)
    Scanning Stage (p. 17)
    Enumeration Stage (p. 19)
    Penetration Stage (p. 21)
  Types of Attacks (p. 23)
    Buffer Overflows (p. 23)
    Heap Overflows (p. 31)
    Web-Based Attacks (p. 33)
    Layer 2 Attacks (p. 41)
    Layer 3 Nonrouter Attacks (p. 46)
    DNS Attacks (p. 47)
    Layer 3 Routing Attacks (p. 49)
    Man in the Middle Attack (MiTM) (p. 51)
  Conclusion (p. 57)

Chapter 3: UNDERSTANDING VMWARE VSPHERE AND VIRTUAL INFRASTRUCTURE SECURITY (p. 59)
  Hypervisor Models (p. 59)
  Hypervisor Security (p. 60)
    Secure the Hardware (p. 61)
    Secure the Management Appliance (p. 62)
    Secure the Hypervisor (p. 63)
    Secure the Management Interfaces (p. 81)
    Secure the Virtual Machine (p. 89)
  Conclusion (p. 89)

Chapter 4: STORAGE AND SECURITY (p. 91)
  Storage Connections within the Virtual Environment (p. 92)
    Storage Area Networks (SAN) (p. 93)
    Network Attached Storage (NAS) (p. 95)
    Internet SCSI (iSCSI) Servers (p. 96)
    Virtual Storage Appliances (p. 96)
  Storage Usage within the Virtual Environment (p. 97)
    VM Datastore (p. 98)
    Ancillary File Store (p. 98)
    Backup Store (p. 99)
    Tape Devices (p. 100)
  Storage Security (p. 102)
    Data in Motion (p. 103)
    Data at Rest (p. 104)
  Storage Security Issues (p. 104)
    VCB Proxy Server (p. 104)
    SCSI Reservations (p. 106)
    Fibre Channel SAN (Regular or NPIV) (p. 108)
    iSCSI (p. 110)
    NFS (p. 111)
    CIFS for Backups (p. 112)
    Shared File Access over Secure Shell (SSH) or Secure Copy Use (p. 113)
    FTP/R-Command Usage (p. 115)
    Extents (p. 115)
  Conclusion (p. 116)

Chapter 5: CLUSTERING AND SECURITY (p. 117)
  Types of Clusters (p. 117)
    Standard Shared Storage (p. 118)
    RAID Blade (p. 122)
    VMware Cluster (p. 123)
    Virtual Machine Clusters (p. 125)
  Security Concerns (p. 125)
    Heartbeats (p. 127)
    Isolation (p. 133)
    VMware Cluster Protocols (p. 140)
    VMware Hot Migration Failures (p. 141)
    Virtual Machine Clusters (p. 142)
    Management (p. 143)
  Conclusion (p. 145)

Chapter 6: DEPLOYMENT AND MANAGEMENT (p. 147)
  Management and Deployment Data Flow (p. 148)
    VIC to VC (Including Plug-Ins) (p. 148)
    VIC to Host (p. 152)
    VC webAccess (p. 153)
    ESX(i) webAccess (p. 154)
    VI SDK to VC (p. 154)
    VI SDK to Host (p. 156)
    RCLI to Host (p. 156)
    RCLI to VC (p. 156)
    SSH to Host (p. 156)
    Console Access (p. 157)
    Lab Manager (p. 157)
    Site Manager (p. 157)
    LifeCycle Manager (p. 158)
    AppSpeed (p. 158)
    CapacityIQ (p. 158)
    VMware Update Manager (p. 158)
  Management and Deployment Authentication (p. 158)
    Difference Between Authorization and Authentication (p. 159)
    Mitigating Split-Brain Authorization and Authentication (p. 162)
  Security of Management and Deployment Network (p. 184)
    Using SSL (p. 184)
    Using IPsec (p. 189)
    Using Tunnels (p. 189)
    Using Deployment Servers (p. 190)
  Security Issues during Management and Deployment (p. 191)
    VIC Plug-ins (p. 192)
    VMs on the Wrong Network (p. 193)
    VMs or Networks Created Without Authorization (p. 194)
    VMs on the Wrong Storage (p. 195)
    VMs Assigned to Improper Resource Pools (p. 196)
    Premature Propagation of VMs from Quality Assurance to Production (p. 196)
    Physical to Virtual (P2V) Crossing Security Zones (p. 196)
  Conclusion (p. 198)

Chapter 7: OPERATIONS AND SECURITY (p. 199)
  Monitoring Operations (p. 199)
    Host Monitoring (p. 200)
    Host Configuration Monitoring (p. 202)
    Performance Monitoring (p. 203)
  Virtual Machine Administrator Operations (p. 204)
    Using the Wrong Interface to Access VMs (p. 204)
    Using the Built-in VNC to Access the Console (p. 205)
    Virtual Machine Has Crashed (p. 211)
  Backup Administrator Operations (p. 211)
    Service Console Backups (p. 212)
    Network Backups (p. 213)
    Direct Storage Access Backups (p. 213)
  Virtual Infrastructure Administrator Operations (p. 214)
    Using Tools Across Security Zones (p. 214)
    Running Commands Across All Hosts (p. 215)
    Management Roles and Permissions Set Incorrectly (p. 216)
  Conclusion (p. 217)

Chapter 8: VIRTUAL MACHINES AND SECURITY (p. 219)
  The Virtual Machine (p. 219)
    Secure the Virtual Hardware (p. 220)
    Secure the Guest OS and Application (p. 239)
    Secure the Hypervisor Interaction Layer (p. 241)
  Virtual Machine Administration (p. 252)
    Virtual Machine Creation (p. 253)
    Virtual Machine Modification (p. 253)
    Virtual Machine Deletion (p. 254)
  Conclusion (p. 254)

Chapter 9: VIRTUAL NETWORKING SECURITY (p. 255)
  Virtual Networking Basics (p. 256)
    Basic Connections (p. 256)
    802.1q or VLAN Tagging (p. 268)
  Security Zones (p. 271)
    Standard Zones (p. 273)
  Best Practices (p. 277)
    Virtualization Host with Single or Dual pNIC (p. 278)
    Three pNICs (p. 280)
    Four pNICs (p. 284)
    Five pNICs (p. 289)
    Six pNICs (p. 295)
    Eight pNICs (p. 302)
    Ten pNICs (p. 304)
    pNIC Combination Conclusion (p. 304)
  Cases (p. 305)
    DMZ on a Private vSwitch (p. 305)
    Use of Virtual Firewall to Protect the Virtualization Management Network (p. 307)
    VMware as a Service (p. 307)
  Tools (p. 310)
    Intrusion Detection and Prevention (p. 310)
    Auditing Interfaces (p. 311)
  Conclusion (p. 314)

Chapter 10: VIRTUAL DESKTOP SECURITY (p. 315)
  What Is VDI? (p. 315)
    Components (p. 316)
    VDI Products (p. 317)
  VDM (p. 318)
    VDM's Place in the Network (p. 318)
    The VDM Connection Server (p. 319)
    The VDM Client (p. 319)
    The VDM Web Access Client (p. 320)
    The VDM Agent for Virtual Desktops (p. 321)
    Security Implications (p. 322)
  VMware View (p. 324)
    Linked Clones: What Are They and How Do They Change Security? (p. 324)
    Storage Overcommit (p. 326)
    Overview of Linked Clones (p. 326)
    Protecting the VC (p. 328)
    Offline Desktops (p. 329)
  SSL in a VDM or View Environment (p. 333)
  Secure VDI Implementation (p. 338)
    Secure the Virtual Desktop (p. 341)
  Conclusion (p. 342)

Chapter 11: SECURITY AND VMWARE ESX (p. 343)
  VMware ESXi Hardening Recipe (p. 345)
  VMware ESX Hardening Recipe (p. 349)
    Step 1: Root Password (p. 355)
    Step 2: Shadow Password (p. 355)
    Step 3: iptables Firewall (p. 355)
    Step 4: Lockdown by Source IP (p. 357)
    Step 5: Run Security Assessments (p. 360)
    Step 6: Apply Hardening per Assessments (p. 367)
    Step 7: Additional Auditing Tools (p. 388)
  Conclusion (p. 394)

Chapter 12: DIGITAL FORENSICS AND DATA RECOVERY (p. 397)
  Data Recovery (p. 398)
    Data Recovery: Host Unavailable (p. 399)
    Data Recovery: Corrupt LUN (p. 400)
    Data Recovery: Re-create LUN (p. 406)
    Data Recovery: Re-create Disk (p. 407)
  Digital Forensics (p. 408)
    Digital Forensics: Acquisition (p. 408)
    Digital Forensics: Analysis (p. 422)
    Digital Forensics: Who Did What, When, Where, and How? (p. 426)
  Conclusion (p. 428)

CONCLUSION: JUST THE BEGINNING: THE FUTURE OF VIRTUALIZATION SECURITY (p. 431)

Appendix A: PATCHES TO BASTILLE TOOL (p. 435)
Appendix B: SECURITY HARDENING SCRIPT (p. 441)
Appendix C: ASSESSMENT SCRIPT OUTPUT (p. 465)
  CIS-CAT Output (p. 465)
  Bastille-Linux Output (p. 470)
  DISA STIG Output (p. 475)
  Tripwire ConfigCheck Output (p. 496)
Appendix D: SUGGESTED READING AND USEFUL LINKS (p. 499)
  Books (p. 499)
  Whitepapers (p. 500)
  Products (p. 501)
  Useful Links (p. 502)

GLOSSARY (p. 503)

INDEX (p. 507)


Customer Reviews
  • Posted January 6, 2011

    Excellent reference and learning material

    From the outset the book delivers a wealth of fact, but also the breadth of knowledge available, making it an essential read for anyone looking to further virtualisation. The book is clearly written, thus allowing pretty much anyone to pick it up and start learning, although some knowledge is beneficial for moving through the system and understanding some of the key points.

    Impressively, the book is able to cater for both VMware and virtualisation as a whole, and so anyone working with a virtual platform would be advised to read and understand the topics covered, as it would allow a full appreciation of the mechanisms and what that check box or feature entails.

    On each subject (network, storage, deployment, to name a few), clear descriptions are made of the item before explaining any security concerns, allowing the reader to understand why the measures are suggested and so allowing the reader to construct an argument if challenged by other IT administrators.

    Throughout the book references are made to menus, with images provided to illustrate; in addition there are topics which include code/scripts, which are laid out clearly, allowing the more advanced administrators to take something from this book.

    At the end of the book are four appendices covering scripts, screen outputs, patches and suggested reading with useful links, which are referred to on occasion. A glossary is also provided, although this feels a little short whilst covering the critical ones.

    Due to the wealth of knowledge available there are a few pages, 521 in total, which means the contents and index are a little daunting at first but prove to be useful when navigating through the book for guidance.

    The book does not try to be something it's not, and that is where I believe the author Edward has been clever: the book provides sufficient knowledge and guidelines to complete actions without either undermining competent users or those starting on a new learning curve.

    A very good book and one I would recommend!
  • Posted September 9, 2009

    Excellent VMware reference

    Wow, I was ready for this book. Really, really, really ready! Virtual environments are springing up everywhere, and knowing just what to secure within them has been a challenge to identify. This book not only addresses VMware alone, though; it takes a look at issues with securing the entire environment that interrelates with the VMware components and walks you through securing these as well. Anyone running or considering implementing VMware in their environment should read this book and follow its instruction.
    For example, I found the chapter on storage security helpful in that you don't typically see such in-depth coverage of the various components of storage in relation to how they can be a problem with virtual environments. The issues mentioned here not only relate to virtual security, but can also apply to storage security in general. The author is excellent at covering items that you may not normally see addressed when looking at types of attacks in the virtual world.
    The book overall is organized in such a fashion that it can really stand on its own as a security tool for these environments, providing useful guidance in the first several chapters to help establish a baseline understanding of items such as security at a 10,000 foot view and the different types of attacks that can occur. At the back of the book are three appendices with additional information on security hardening scripts, Tripwire recommended configuration and additional links with suggested reading, should you want to dive into related topics more deeply.
    Other useful features of the book include the occasional 'tip', either on implementing your virtual environment or specific security tips, sprinkled throughout the book. Furthermore, there are many useful diagrams that help support the explanation of the complex concepts. On a scale of 1-5, I would most certainly give this book a 5.