Advanced VMWare Security
Course Code: K3191-S
Course Length: 5 Days
List Tuition (US): $2695.00

Course Description

A critical and often overlooked aspect of migrating to a virtualized environment is security and setting up security properly. Like physical machines, virtualization technologies are not secure "out of the box" and VMware is no exception. The Advanced Virtualization Security course focuses on "where the vulnerabilities lie" and how to reduce the attack surfaces in the virtualized environment. It goes beyond the typical security protocols administrators use to secure their environments and delves much deeper into the actual workings (and short comings) of the VMware environment.

Students will take a 360 degree look at the potential threats, how to defend and defeat them, and establish a solid foundation to build secure virtual data centers from the ground up.  This course was designed from the perspective of how an attacker would get into your Virtual Environment and is taught by a Licensed Penetration Tester with a long history of vulnerability audits with US National Security Teams and audits of many foreign governments.

Intended Audience

System administrators and Security Administrators with 1-3 years experience managing server environments that have previous training in VMware administration course, or have equivalent knowledge and/or training.

Course Objectives

  • Learn the actual internal workings of how things work inside VMware, and compare them to physical and virtual devices.
  • Discover how to securely set up port groups and VLANS.
  • Understand the aspect of securing failover configurations.
  • Distinguish between Denial of Service Failovers that are either wide open failovers or closed failovers.
  • Dive deep into the different layers of security and explore features to include how traffic routes between VM's and different hosts, common denominators of Physical and Virtual Environments, and how to make the virtual environment the most secure.
  • Walk away knowing how to secure a VMware environment in a DMZ and how to protect yourself from the common vulnerabilities of VMware attack surfaces from the eyes of an attacker.
  • Receive in-depth, comprehensive information about all aspects of hardening your ESX environment.
  • Demonstrate proficiency in class by working on a state-of-the-art data center and performing hands-on labs which reinforce learning objectives.

Prerequisites

VMware Installation/Administration training or equivalent. In lieu of the hands-on classroom training, an in-depth knowledge of VMware's ESX virtualization environment is required.

Course Outline

Section A - Primer and reaffirming our knowledge

Virtual Networking Concepts for ESX Administrators

  • ESX Networking Components
  • How Virtual Ethernet Adapters actually work.
  • How Virtual Switches work
  • Similarities & Differences of VSwitches & Physical Switches
  • Spanning Tree Protocol -- Not Needed?
  • VSwitch Isolation
  • Virtual Ports, Uplink Ports, PortGroups
  • Virtual Switch Correctness

VLANs in VMware Infrastructure NIC Teaming

  • Load Balancing & Fail Over Configurations

Layer 2 Security Features

Managing the Virtual Network

Section B - Roll up your sleeves to more in-depth knowledge of how VMware Operates and how to secure it

How Traffic Routes between VM's on an ESX Host

  • Different vSwitches, same port group and VLAN
  • Same vSwitch, different port group and VLAN
  • Same vSwitch, same port group and VLAN - (HOL)

Security Design of VMWare Architecture

  • VMware Infrastructure Architecture & Security
  • Virtualization Layer (CPU & Memory Virtualization)
  • Virtual Machines - (HOL)
  • Service Console
  • Physical Console
  • Remote Access Devices - DRAC
  • SSH Security, sudo - (HOL)
  • Virtual Networking Layer, Switches, and Switch LANs

Security Design of VMWare Architecture (con)

  • Virtual Ports
  • Virtual Network Adapters
  • Virtual Switch Isolation & Correctness
  • Virtualized Storage
  • SAN & iSCSI Security
  • VMware Virtual Center

VMWare in a DMZ

  • Virtualized DMZ Networks
  • 3 Typical Virtualized DMZ Configurations
  • Partially Collapsed DMZ with Separate Physical Trust Zones
  • Partially Collapsed DMZ with Virtual Separation of Trust Zones
  • Fully Collapsed DMZ
  • Best Practices for Achieving a Secure Virtualized DMZ Deployment
  • Harden and Isolate the Service Console
  • Clearly Label Networks for each Zone within the DMZ
  • Set Layer 2 Security Options on Virtual Switches
  • Enforce Separation of Duties
  • Use ESX Resource Management Capabilities
  • Regularly Audit Virtualized DMZ Configuration

Hardening your ESX Server

  • Scan your ESX Server for Vulnerabilities - (HOL)
  • Tripwire Config Checker
  • Hardening Virtual Machines, Machine Files and Settings - (HOL)
  • Configuring the Service Console in ESX 3.5 - (HOL)
  • Configuring Host-level Management in ESXi 3.5 - (HOL)
  • Configuring the ESX/ESXi Host - (HOL)
  • Virtual Center and Add on Components
  • Client Components

Logs that should be audited

  • STools to audit logs, SAuditing ESXi
  • SViewing Log files - (HOL)

ESX and X.500 Directory Integration

  • SAD, SLDAP

Certificates

  • Certificate Use in the ESX Environment
  • Install a trusted certificate - (HOL)