VMware vSphere and Virtual Infrastructure Security : Securing the Virtual Environment (1ST)

  • Binding: Paperback (softcover / paperback edition); page count: 521 p.
  • Language: ENG
  • Product code: 9780137158003
  • DDC classification: 005.8

Full Description


Complete Hands-On Help for Securing VMware vSphere and Virtual Infrastructure by Edward Haletky, Author of the Best Selling Book on VMware, VMware ESX Server in the Enterprise

As VMware has become increasingly ubiquitous in the enterprise, IT professionals have become increasingly concerned about securing it. Now, for the first time, leading VMware expert Edward Haletky brings together comprehensive guidance for identifying and mitigating virtualization-related security threats on all VMware platforms, including the new cloud computing platform, vSphere.

This book reflects the same hands-on approach that made Haletky's VMware ESX Server in the Enterprise so popular with working professionals. Haletky doesn't just reveal where you might be vulnerable; he tells you exactly what to do and how to reconfigure your infrastructure to address the problem. VMware vSphere and Virtual Infrastructure Security begins by reviewing basic server vulnerabilities and explaining how security differs on VMware virtual servers and related products. Next, Haletky drills deep into the key components of a VMware installation, identifying both real and theoretical exploits, and introducing effective countermeasures.

Coverage includes:

  • Viewing virtualization from the attacker's perspective, and understanding the new security problems it can introduce
  • Discovering which security threats the vmkernel does (and doesn't) address
  • Learning how VMsafe enables third-party security tools to access the vmkernel API
  • Understanding the security implications of VMI, paravirtualization, and VMware Tools
  • Securing virtualized storage: authentication, disk encryption, virtual storage networks, isolation, and more
  • Protecting clustered virtual environments that use VMware High Availability, Dynamic Resource Scheduling, Fault Tolerance, vMotion, and Storage vMotion
  • Securing the deployment and management of virtual machines across the network
  • Mitigating risks associated with backup, performance management, and other day-to-day operations
  • Using multiple security zones and other advanced virtual network techniques
  • Securing Virtual Desktop Infrastructure (VDI)
  • Auditing virtual infrastructure, and conducting forensic investigations after a possible breach

informit.com/ph | www.Astroarch.com

Contents

1 WHAT IS A SECURITY THREAT?
The 10,000 Foot View without Virtualization; The 10,000 Foot View with Virtualization; Applying Virtualization Security; Definitions; Threat; Vulnerability; Fault; The Beginning of the Journey

2 HOLISTIC VIEW FROM THE BOTTOM UP
Attack Goals; Anatomy of an Attack; Footprinting Stage; Scanning Stage; Enumeration Stage; Penetration Stage; Types of Attacks; Buffer Overflows; Heap Overflows; Web-Based Attacks; Layer 2 Attacks; Layer 3 Nonrouter Attacks; DNS Attacks; Layer 3 Routing Attacks; Man in the Middle Attack (MiTM); Conclusion

3 UNDERSTANDING VMWARE VSPHERE AND VIRTUAL INFRASTRUCTURE SECURITY
Hypervisor Models; Hypervisor Security; Secure the Hardware; Secure the Management Appliance; Secure the Hypervisor; Secure the Management Interfaces; Secure the Virtual Machine; Conclusion

4 STORAGE AND SECURITY
Storage Connections within the Virtual Environment; Storage Area Networks (SAN); Network Attached Storage (NAS); Internet SCSI (iSCSI) Servers; Virtual Storage Appliances; Storage Usage within the Virtual Environment; VM Datastore; Ancillary File Store; Backup Store; Tape Devices; Storage Security; Data in Motion; Data at Rest; Storage Security Issues; VCB Proxy Server; SCSI reservations; Fibre Channel SAN (Regular or NPIV); iSCSI; NFS; CIFS for Backups; Shared File Access over Secure Shell (SSH) or Secure Copy Use; FTP/R-Command Usage; Extents; Conclusion

5 CLUSTERING AND SECURITY
Types of Clusters; Standard Shared Storage; RAID Blade; VMware Cluster; Virtual Machine Clusters; Security Concerns; Heartbeats; Isolation; VMware Cluster Protocols; VMware Hot Migration Failures; Virtual Machine Clusters; Management; Conclusion

6 DEPLOYMENT AND MANAGEMENT
Management and Deployment Data Flow; VIC to VC (Including Plug-Ins); VIC to Host; VC webAccess; ESX(i) webAccess; VI SDK to VC; VI SDK to Host; RCLI to Host; RCLI to VC; SSH to Host; Console Access; Lab Manager; Site Manager; LifeCycle Manager; AppSpeed; CapacityIQ; VMware Update Manager; Management and Deployment Authentication; Difference Between Authorization and Authentication; Mitigating Split-Brain Authorization and Authentication; Security of Management and Deployment Network; Using SSL; Using IPsec; Using Tunnels; Using Deployment Servers; Security Issues during Management and Deployment; VIC Plug-ins; VMs on the Wrong Network; VMs or Networks Created Without Authorization; VMs on the Wrong Storage; VMs Assigned to Improper Resource Pools; Premature Propagation of VMs from Quality Assurance to Production; Physical to Virtual (P2V) Crossing Security Zones; Conclusion

7 OPERATIONS AND SECURITY
Monitoring Operations; Host Monitoring; Host Configuration Monitoring; Performance Monitoring; Virtual Machine Administrator Operations; Using the Wrong Interface to Access VMs; Using the Built-in VNC to Access the Console; Virtual Machine Has Crashed; Backup Administrator Operations; Service Console Backups; Network Backups; Direct Storage Access Backups; Virtual Infrastructure Administrator Operations; Using Tools Across Security Zones; Running Commands Across All Hosts; Management Roles and Permissions Set Incorrectly; Conclusion

8 VIRTUAL MACHINES AND SECURITY
The Virtual Machine; Secure the Virtual Hardware; Secure the Guest OS and Application; Secure the Hypervisor Interaction Layer; Virtual Machine Administration; Virtual Machine Creation; Virtual Machine Modification; Virtual Machine Deletion; Conclusion

9 VIRTUAL NETWORKING SECURITY
Virtual Networking Basics; Basic Connections; 802.1q or VLAN Tagging; Security Zones; Standard Zones; Best Practices; Virtualization Host with Single or Dual pNIC; Three pNICs; Four pNICs; Five pNICs; Six pNICs; Eight pNICs; Ten pNICs; pNIC Combination Conclusion; Cases; DMZ on a Private vSwitch; Use of Virtual Firewall to Protect the Virtualization Management Network; VMware as a Service; Tools; Intrusion Detection and Prevention; Auditing Interfaces; Conclusion

10 VIRTUAL DESKTOP SECURITY
What Is VDI?; Components; VDI Products; VDM; VDM's Place in the Network; The VDM Connection Server; The VDM Client; The VDM Web Access Client; The VDM Agent for Virtual Desktops; Security Implications; VMware View; Linked Clones: What Are They and How Do They Change Security?; Storage Overcommit; Overview of Linked Clones; Protecting the VC; Offline Desktops; SSL in a VDM or View Environment; Secure VDI Implementation; Secure the Virtual Desktop; Conclusion

11 SECURITY AND VMWARE ESX
VMware ESXi Hardening Recipe; VMware ESX Hardening Recipe; Step 1: Root Password; Step 2: Shadow Password; Step 3: IPtables Firewall; Step 4: Lockdown by Source IP; Step 5: Run Security Assessments; Step 6: Apply Hardening per Assessments; Step 7: Additional Auditing Tools; Conclusion

12 DIGITAL FORENSICS AND DATA RECOVERY
Data Recovery; Data Recovery-Host Unavailable; Data Recovery-Corrupt LUN; Data Recovery-Re-create LUN; Data Recovery-Re-create Disk; Digital Forensics; Digital Forensics-Acquisition; Digital Forensics-Analysis; Digital Forensics-Who Did What, When, Where, and How?; Conclusion

ASSESSMENT SCRIPT OUTPUT
CIS-CAT Output; Bastille-Linux Output; DISA STIG Output; Tripwire ConfigCheck Output

D SUGGESTED READING AND USEFUL LINKS
Books; Whitepapers; Products; Useful Links

GLOSSARY

INDEX