And here are the following topics underneath this objective:
I will try to take these one at a time.
ESXI Firewall
Working with services in the ESXi firewall is not too difficult, this can be done on a per host basis under the configuration tab for it or the manage tab using the web client. Most of my material will be using the web client since that is the way things are going. That being said there are a number of ways to work with the firewall settings. You can 1) Set a security profile set in a host profile and apply that to a host (or number of hosts). 2) You can use ESXCLI commands from the command line to customize. 3) You can go through the Web Client. The Procedure to do that would be the following:
You can also allow or restrict these services to specific IP address. By default all IP addresses are allowed.
Lockdown Mode
Lockdown mode has been created to increase security to your hosts. Those of us familiar with vSphere 5 were already of there being a lockdown mode available for your hosts. For vSphere 6 there is now an additional lockdown mode available for use. Strict Lockdown Mode. The lockdown modes now shape up like this:
In order to enable Lockdown mode you need to perform the following steps:
Configuring Network Policies
So configuring network policies, what are they talking about? Perform the following steps
Now at this point you can decide to work your security magic on either on the Virtual Switch itself or you can impose your will on the Port Group. Your options are the same either way just where they want to apply the policy and if they want the same one on everything, or just a subset. Your Options are as follows:
So what do these options mean?
Promiscuous mode being set to Accept will remove the filtering on by default and will receive all traffic observed. This can be useful if you are running Wireshark or some other IDS or packet sniffing program. Otherwise you would generally leave this off.
MAC address changes setting affects the traffic that a virtual machine receives. If set to Reject, ESXi won’t honor requests to change the effective MAC address to a different address than the initial MAC address. The Initial MAC address is set for a vNic when ESXi assigns the NIC to a virtual machine. The OS sees the vNIC with a MAC address and should use that MAC address and it becomes the effective MAC address. Occasionally you might change this to receive traffic coming to a different MAC, such as in the case of Microsoft Network Load Balancing. Where the OS would present a separate NIC to load balance and you want the VM to receive on that MAC address. You would need to make sure that the setting was set to Accept in this case.
Forged Transmits setting affects traffic the virtual machine sends. When this is set to accept ESXi does not compare the source and effective MAC addresses. If the OS tries to send out traffic as a different MAC then ESXi sets for it, and this is set to Reject, ESXi will drop the packets into the bit bucket (trash). The guest OS will most likely assume that the packets are being dropped.
Add an ESXi host to a directory service
Adding an ESXi host to AD or LDAP is not difficult at all. Just follow the following steps:
Apply Permissions to ESXi Hosts using Host Profile
I assume that if you have gotten this far and you are taking a delta exam and not starting from scratch, that you have at least a rudimentary idea of what host profiles are. However just in case, a host profile is a list of host configuration options that can be applied to a host/s or a cluster in order to keep your machines as close to each other as possible. This can come in handy for you as the administrator, since they are centrally managed and can improve efficiency, compliance, and also enable you to use time saving features such as Auto Deploy. You also need to have the proper licensing in place to be able to use this feature. This requires Enterprise Plus licensing.
Creating a Host Profile is simple. You can do it one of two ways. You can either navigate to the host you have configured to use as the reference host and then right click and Host Profile and Extract Host Profile like the below
Or you can navigate right to Host Profiles from the Home Screen
And then after you click on the Host Profiles. You can click on the (+) sign to add a new. It will then pop out a screen and ask you what host you want to use as the reference host.
After you create the Host Profile, then you can go back in to edit if you need to as well. You will need to do this by going to the Host Profiles screen from the Home Menu as mentioned above. After you get there you can click on the Host Profile you want to edit and click Edit Settings. Some of the settings you can set are seen here.
After all that is done, from the same screen, you will need to attach the host profile to a host/s or cluster/s. Then you can run a scan against them to see if they are compliant or not. If not you can Remediate them to bring them into compliance.
Configure Virtual Machine Security Policies
For security it is good to think of your virtual machine the same as a physical machine. You have all the same abilities as a physical machine for securing, firewall on the VM itself and make sure you restrict who has physical access to the VM, and of course patching. You have a number of advantages in these things though since you are using a VM. You can employ things like templates to create a fully patched version of your server when you bring it up, reducing the time it takes to secure it. You can also restrict ability to use the VMRC or Remote Console. The ability to use this should be treated the same as a person having physical access to the machine.
There are other things to also consider as well. Such as if someone were to gain access to the machine, he/she could possibly introduce a program that would start eating resources in your environment. If this were to go unchecked, it runs the possibility of not only affecting that virtual machine but also all others sharing the same resources. You can use something like limits or shares to prevent this from happening.
Also as always, only give the VM what it needs to run. Don’t have unnecessary hardware or features that you won’t use on it. You can disable things like copy/paste and Host Guest File System to further increase your security. Finally we have,
Create / Manage vCenter Server Security Certificates
Personally in the past, I have always let VMware handle the certificates for me, however if you have a need for replacing the self-signed with ones that are signed by a third-party or enterprise certificate authority, VMware can definitely accommodate you. If you have been working with them in previous versions, you will need to know that the 5.5 certificate replacement tool will not work for 6.0 due to the new architecture. There are certs used for just about all authentication services in VMware now.
For vCenter Server, you can use the following to view and replace certificates:
There is a lot of information included in replacing or regenerating certs in the VMware environment and some of it depends on which cert you are replacing. The CLI tools you can use to do this are as follows:
Core Identity Services
Certificate Management Tool Locations
Just due to the sheer depth of certificate management I will defer to the guide for further direction.