This is the Rough Cut version of the printed book.
Complete Hands-On Help for Securing VMware vSphere and Virtual Infrastructure by Edward Haletky, Author of the Best-Selling Book on VMware, VMware ESX Server in the Enterprise
As VMware has become increasingly ubiquitous in the enterprise, IT professionals have become increasingly concerned about securing it. Now, for the first time, leading VMware expert Edward Haletky brings together comprehensive guidance for identifying and mitigating virtualization-related security threats on all VMware platforms, including the new cloud computing platform, vSphere.
This book reflects the same hands-on approach that made Haletky’s VMware ESX Server in the Enterprise so popular with working professionals. Haletky doesn’t just reveal where you might be vulnerable; he tells you exactly what to do and how to reconfigure your infrastructure to address the problem.
VMware vSphere and Virtual Infrastructure Security begins by reviewing basic server vulnerabilities and explaining how security differs on VMware virtual servers and related products. Next, Haletky drills deep into the key components of a VMware installation, identifying both real and theoretical exploits, and introducing effective countermeasures.
Coverage includes
• Viewing virtualization from the attacker’s perspective, and understanding the new security problems it can introduce
• Discovering which security threats the vmkernel does (and doesn’t) address
• Learning how VMsafe enables third-party security tools to access the vmkernel API
• Understanding the security implications of VMI, paravirtualization, and VMware Tools
• Securing virtualized storage: authentication, disk encryption, virtual storage networks, isolation, and more
• Protecting clustered virtual environments that use VMware High Availability, Dynamic Resource Scheduling, Fault Tolerance, vMotion, and Storage vMotion
• Securing the deployment and management of virtual machines across the network
• Mitigating risks associated with backup, performance management, and other day-to-day operations
• Using multiple security zones and other advanced virtual network techniques
• Securing Virtual Desktop Infrastructure (VDI)
• Auditing virtual infrastructure, and conducting forensic investigations after a possible breach
informit.com/ph | www.Astroarch.com
1 WHAT IS A SECURITY THREAT? 1
  The 10,000 Foot View without Virtualization 2
  The 10,000 Foot View with Virtualization 4
  Applying Virtualization Security 5
  Definitions 10
    Threat 11
    Vulnerability 11
    Fault 11
  The Beginning of the Journey 12
2 HOLISTIC VIEW FROM THE BOTTOM UP 15
  Attack Goals 16
  Anatomy of an Attack 17
    Footprinting Stage 17
    Scanning Stage 17
    Enumeration Stage 19
    Penetration Stage 21
  Types of Attacks 23
    Buffer Overflows 23
    Heap Overflows 31
    Web-Based Attacks 33
    Layer 2 Attacks 41
    Layer 3 Nonrouter Attacks 46
    DNS Attacks 47
    Layer 3 Routing Attacks 49
    Man-in-the-Middle Attack (MiTM) 51
  Conclusion 57
3 UNDERSTANDING VMWARE VSPHERE AND VIRTUAL INFRASTRUCTURE SECURITY 59
  Hypervisor Models 59
  Hypervisor Security 60
    Secure the Hardware 61
    Secure the Management Appliance 62
    Secure the Hypervisor 63
    Secure the Management Interfaces 81
    Secure the Virtual Machine 89
  Conclusion 89
4 STORAGE AND SECURITY 91
  Storage Connections within the Virtual Environment 92
    Storage Area Networks (SAN) 93
    Network Attached Storage (NAS) 95
    Internet SCSI (iSCSI) Servers 96
    Virtual Storage Appliances 96
  Storage Usage within the Virtual Environment 97
    VM Datastore 98
    Ancillary File Store 98
    Backup Store 99
    Tape Devices 100
  Storage Security 102
    Data in Motion 103
    Data at Rest 104
  Storage Security Issues 104
    VCB Proxy Server 104
    SCSI Reservations 106
    Fibre Channel SAN (Regular or NPIV) 108
    iSCSI 110
    NFS 111