Guide Virtualization Hardening Guides 34900


SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

A Guide to Virtualization Hardening Guides

Copyright SANS Institute
Author Retains Full Rights


Sponsored by VMware

A Guide to Virtualization Hardening Guides

A SANS Whitepaper, May 2010
Written by Dave Shackleford

Network Security and Access Controls
User and Group Security
Logging and Auditing
Guest/Host Interaction Controls
Management Server Controls
Additional ESX and ESXi Controls


SANS Analyst Program 3 A Guide to Virtualization Hardening Guides

Column headings: Control | VMware vSphere 4.0 Hardening Guide | DISA ESX Server STIG V1r1 | CIS ESX Benchmark v1.2.0 | Recommendations

Control: Isolate VMotion traffic (to protect confidentiality of virtual network traffic)
VMware vSphere 4.0 Hardening Guide: NAR02: Ensure VMotion traffic is isolated. VMware has guidance for both physical NIC separation and vSwitch and port group-based separation in typical enterprise and more security-conscious environments, respectively.
DISA ESX Server STIG V1r1: ESX0030: Dedicated physical NIC for VMotion traffic. ESX0040: Dedicated virtual switch and VLAN for VMotion. The DISA STIG mandates a separate physical NIC for VMotion traffic.
CIS ESX Benchmark v1.2.0: 1.1.1 Do Not Use the Management Network for the Virtual Machine Network. CIS only suggests a separate VLAN and port group for VMotion traffic.
Recommendations: VMotion traffic is in cleartext and should be protected from other traffic and access, usually by segmentation via a separate vSwitch or port group. Virtual or physical separation of this traffic should be implemented in all environments, regardless of security level or compliance requirements. In highest-security or compliance environments, a separate physical NIC is recommended.

Control: Prevent MAC address spoofing in a virtual environment (to prevent spoofing and man-in-the-middle attacks)
VMware vSphere 4.0 Hardening Guide: NCN03: Ensure the MAC Address Change policy is set to Reject. NCN04: Ensure the Forged Transmits policy is set to Reject. VMware recommends implementing these controls for all environments unless clustering, vShield Zones, or other partner products are needed.
DISA ESX Server STIG V1r1: ESX0250: Configure the MAC Address Change to Reject on all virtual switches. ESX0260: Set Forged Transmit to Reject on all virtual switches. DISA makes exceptions for clustering, legacy applications, and licensing issues, if documented.
CIS ESX Benchmark v1.2.0: 1.5.1 Protect Against MAC Address Spoofing, Forged Transmits, and Promiscuous Mode. CIS treats this as a Level 1 control, indicating it is a best practice control with minimal impact that should be implemented if possible.
Recommendations: Setting MAC Address Change and Forged Transmits to Reject can adversely affect production systems such as Microsoft Clustering and vShield Zones. These are important controls, but may break functionality. If availability is a primary concern, consider avoiding these controls. If integrity of the environment and data confidentiality are more important, then implement this control.

Control: Configure the ESX Firewall for High Security (to prevent abuse of unnecessary ports and services)
VMware vSphere 4.0 Hardening Guide: CON01: Ensure ESX Firewall is configured to High Security.
DISA ESX Server STIG V1r1: ESX0320: Configure the ESX firewall at the High Security level.
CIS ESX Benchmark v1.2.0: 1.5.2 Configure the Firewall to Allow Only Authorized Traffic.
Recommendations: Both VMware and DISA recommend High Security, while CIS is more general. Unless additional ports and services are needed, this should be set for all environments. ESXi does not currently have a built-in firewall, but it does have a local reverse proxy that drops traffic on unrecognized ports by default. By default, the High Security setting only allows ports needed for virtualization operations inbound and outbound to the ESX server. Many organizations need additional ports opened for other forms of traffic. It is strongly recommended they open those ports inbound and outbound explicitly instead of changing the firewall security level to Medium (all outbound permitted) or Low (all traffic allowed).

Control: Manage network access control/segmentation (to protect powerful control data)
VMware vSphere 4.0 Hardening Guide: NAR04: Strictly control access to Management network.
DISA ESX Server STIG V1r1: ESX0130: The Service Console and VMs should be on separate VLANs or network segments.
CIS ESX Benchmark v1.2.0: 1.1.1 Do Not Use the Management Network for the Virtual Machine Network.
Recommendations: All three guides are straightforward in this guidance: because the management network contains sensitive data and management interfaces could potentially expose powerful control and administration capabilities, they should be separated from other network areas.
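As an added example (not from the SANS paper or from any of the three guides), the following Python audits a constructed vSwitch/port-group inventory against the VMotion isolation, MAC Address Change/Forged Transmits and management-segmentation rows above, tagging each finding with the control IDs the table lists. The PortGroup model, the role names and the SAMPLE data are assumptions made for this example, and the optional strict mode generalizes the VMotion row to the DISA dedicated-vSwitch requirement.

```python
from dataclasses import dataclass

@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int
    role: str                           # "vm", "vmotion" or "management"
    mac_changes_reject: bool = True     # MAC Address Changes policy is Reject
    forged_transmits_reject: bool = True
    exception_documented: bool = False  # approved waiver, e.g. Microsoft clustering

def same_segment(a, b, strict=False):
    # Same vSwitch and VLAN; in strict (dedicated vSwitch/NIC) mode the vSwitch alone counts.
    return a.vswitch == b.vswitch and (strict or a.vlan == b.vlan)

def audit(portgroups, strict=False):
    """Return (control ids, finding) tuples; an empty list means compliant."""
    def by_role(r): return [p for p in portgroups if p.role == r]
    vm, mgmt = by_role("vm"), by_role("management")
    findings = []
    # Row 1: VMotion traffic is cleartext, so keep it off VM and management segments.
    for vmo in by_role("vmotion"):
        for other in vm + mgmt:
            if same_segment(vmo, other, strict):
                ctl = "NAR02/ESX0040/CIS 1.1.1" if vmo.vlan == other.vlan else "ESX0030"
                findings.append((ctl, f"VMotion '{vmo.name}' shares {vmo.vswitch} with '{other.name}'"))
    # Row 2: MAC Address Changes / Forged Transmits must be Reject unless a waiver is documented.
    for pg in portgroups:
        if pg.exception_documented:
            continue
        if not pg.mac_changes_reject:
            findings.append(("NCN03/ESX0250/CIS 1.5.1", f"'{pg.name}': MAC Address Changes = Accept"))
        if not pg.forged_transmits_reject:
            findings.append(("NCN04/ESX0260/CIS 1.5.1", f"'{pg.name}': Forged Transmits = Accept"))
    # Row 4: the management network must not be shared with the VM network.
    for m in mgmt:
        for other in vm:
            if same_segment(m, other):
                findings.append(("NAR04/ESX0130/CIS 1.1.1", f"Management '{m.name}' shares VLAN {m.vlan} with '{other.name}'"))
    return findings

# Constructed sample inventory for one ESX host (not taken from a real system).
SAMPLE = [
    PortGroup("Management Network", "vSwitch0", 10, "management"),
    PortGroup("VMotion", "vSwitch0", 10, "vmotion"),  # shares the management segment
    PortGroup("Production VMs", "vSwitch1", 100, "vm", mac_changes_reject=False),
    PortGroup("MSCS Nodes", "vSwitch1", 101, "vm", mac_changes_reject=False, forged_transmits_reject=False, exception_documented=True),
]
```

The firewall security-level row is a host setting rather than a port-group property, so it is outside this check; on a real host the inventory would be built from the vSwitch configuration rather than typed in.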

VMware Configuration Guidance

SANS would like to thank this paper's sponsor:


Last Updated: July 3rd, 2016
