EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition


Solution Guide

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition
Security Management Solution Guide

EMC Solutions

Abstract
This Solution Guide provides information about features and configuration options that are available for configuring secure system operations for a hybrid cloud. This document explains why, when, and how to use these security features.

February 2015

Copyright 2015 EMC Corporation. All rights reserved.

Published in the USA. Published February 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, ViPR, VNX, Symmetrix, VMAX, Avamar, Data Domain, Data Protection Advisor, VSI, Virtual Storage Infrastructure, Syncplicity, Unisphere, PowerPath, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Security Management Solution Guide

Part Number H

Contents

Chapter 1 Executive Summary 11
  Document purpose
  Audience
  Cloud security challenges
  EMC product security approach
  Technology solution
  Key components
  Terminology
  EMC Enterprise Hybrid Cloud security documentation

Chapter 2 Software-Defined Data Center Overview 23
  Overview
  Automation and self-service provisioning
  Multitenancy and secure separation
  Workload-optimized storage
  Elasticity and service assurance
  Monitoring and resource management
  Metering and chargeback
  Modular add-on components
  Application services
  Data protection services
  Continuous availability
  Disaster recovery
  Public cloud services
  EMC and VMware integration
  Storage services
  Orchestration
  Operational management and monitoring
  Metering
  Summary

Chapter 3 Public Key Infrastructure 35
  Overview
  Enterprise PKI architecture
  Root certificate authority
  Subordinate (or issuing) CA
  subjectAltName attributes in certificates
  Enterprise PKI solution integration
  Summary

Chapter 4 Converged Authentication 45
  Overview
  Security and authentication
  Microsoft Active Directory
  SSL certificates for LDAPS
  Windows authentication and service accounts
  Active Directory integration
  VMware vCenter Log Insight
  VMware vCenter Operations Manager and Active Directory users
  VMware vCloud Automation Center: Tenant identity stores
  VMware vSphere ESXi host integration with Active Directory
  EMC Avamar integration
  EMC DPA Active Directory support
  EMC Unisphere authentication
  EMC ViPR authentication
  VMware vCenter SSO
  TACACS+ authentication integration
  Summary

Chapter 5 Centralized Log Management 59
  Overview
  vCenter Log Insight remote syslog architecture
  Centralized logging integration
  Content packs for vCenter Log Insight
  Configuring alerts
  Summary

Chapter 6 Network Security 73
  Overview
  Network configuration
  Solution architecture
  Physical connectivity
  Logical network topology
  vSphere networking
  Overlay networks with VXLAN
  Supporting infrastructure services
  Network environment for data protection
  Automation and provisioning
  vCloud Networking and Security
  NSX for vSphere
  Introduction
  Distributed logical router
  Distributed firewall
  NSX Edge
  Logical load balancer
  N-Tier application considerations
  Traditional three-tier architecture
  Two-tier applications
  Use case 1: Micro-segmentation with N-Tier virtual applications
  Configure pre-provisioned multimachine blueprint
  Verify pre-provisioned deployment
  Use case 2: Micro-segmentation with converged N-Tier virtual applications
  Summary

Chapter 7 Configuration Management 99
  Overview
  vCenter host profiles
  vSphere Update Manager
  vCenter Configuration Manager
  Use case 1: Configure a custom compliance standard
  Custom compliance rules
  Custom compliance template
  Use case 2: Apply exceptions to compliance templates
  Summary

Chapter 8 Multitenancy 123
  Overview
  Secure separation
  Network segmentation
  Tenant authentication
  Role-based access control
  Solution infrastructure
  vCAC groups and roles
  Entitlements
  Summary

Chapter 9 Conclusion 131
  Summary

Figures

Figure 1. Hybrid cloud key components
Figure 2. EMC Enterprise Hybrid Cloud features and functionality
Figure 3. Self-service provisioning through the vCAC portal
Figure 4. EMC ViPR Analytics with VMware vCenter Operations Manager
Figure 5. ITBM Suite overview dashboard for hybrid cloud
Figure 6. EMC ViPR integration points with VMware components
Figure 7. PKI hierarchy for EMC Enterprise Hybrid Cloud solution stack
Figure 8. Authentication relationships between the solution components
Figure 9. Log Insight authentication with Active Directory
Figure 10. Create a new group
Figure 11. Active Directory authentication providers
Figure 12. Active Directory role assignments
Figure 13. Centralized logging of hybrid cloud components with vCenter Log Insight
Figure 14. Searching for security events with vCenter Log Insight
Figure 15. Log Insight client-server architecture
Figure 16. Log Insight distributed architecture
Figure 17. Sample vCenter Log Insight dashboard for vCenter Server
Figure 18. Customized hybrid cloud security dashboard using multiple content packs
Figure 19. Custom Log Insight dashboard
Figure 20. Example of a Log Insight alert configured to send a notification to vC Ops
Figure 21. Examples of security alerts installed in Log Insight
Figure 22. Search logs for cloud management platform directly from vC Ops
Figure 23. vCenter Log Insight filtering logs for the management cluster components
Figure 24. EMC hybrid cloud environment
Figure 25. Physical topology of the network
Figure 26. Logical topology with the cluster pod and functional networks
Figure 27. ESXi host networking vSwitch configuration
Figure 28. VLAN configuration of the cloud management vDS uplinks
Figure 29. VLAN configuration of the production vDS uplinks
Figure 30. Port group and VLAN configuration of the cloud management vDS
Figure 31. Production vDS port groups showing Edge connectivity and VXLAN port groups
Figure 32. Backup network architecture for hybrid cloud
Figure 33. Traditional three-tiered security architecture
Figure 34. Example of two-tiered application secured with micro-segmentation
Figure 35. Three-tiered application implemented with micro-segmentation
Figure 36. Networking & Security web client view of the security groups
Figure 37. View of the web, application, and database tier security policies
Figure 38. Web server security policy applied to Web Servers security group
Figure 39. Multimachine blueprint showing single machine components
Figure 40. Blueprint network and security group configuration
Figure 41. NSX Service Composer security groups membership view for the database tier
Figure 42. Example of converged three-tiered application secured with micro-segmentation
Figure 43. View of some of the available host profile configuration parameters
Figure 44. View of host compliance status with host profile
Figure 45. Compliance view of the clusters attached to the Resource Pods host profile
Figure 46. Examples of baselines configured in vSphere Update Manager
Figure 47. Example of patch inclusion criteria for a vSphere Update Manager baseline
Figure 48. EMC PowerPath/VE extension added to vSphere Update Manager custom baseline
Figure 49. Components of EHC Hosts baseline group
Figure 50. View of compliance state for the EHC Core Pod
Figure 51. Selection view of the vSphere Update Manager Remediation wizard
Figure 52. Cluster remediation options presented in the Remediation wizard
Figure 53. View of the VCM compliance dashboards showing vSphere Hardening compliance
Figure 54. vC Ops dashboard displaying Risk badge score
Figure 55. vC Ops dashboard displaying compliance status summary
Figure 56. Risk dashboard showing compliance status in environment
Figure 57. VCM custom rule creation view
Figure 58. Creating a custom compliance rule
Figure 59. Data type to select for custom compliance rule
Figure 60. Rule criteria selection for detecting VMware Tools running state
Figure 61. Creating a custom compliance rule group filter
Figure 62. Selecting vCenters to filter
Figure 63. Sample out-of-compliance results for the custom VMware Tools rule
Figure 64. VCM Compliance view showing new template steps
Figure 65. Rule groups to choose from in the template creation wizard
Figure 66. Graphical summary of the Custom Compliance Template results
Figure 67. Navigating to the Compliance Exception wizard
Figure 68. Exception rules for HTTP Datastore on vCenter Server
Figure 69. Exception rules for the managed object browser on vCenter Server
Figure 70. EMC Enterprise Hybrid Cloud network architecture

Tables

Table 1. Terminology
Table 2. Product security guides
Table 3. Certificates and keystore types for vCloud Suite 5.5 deployment

Chapter 1 Executive Summary

This chapter presents the following topics:
- Document purpose
- Audience
- Cloud security challenges
- EMC product security approach
- Technology solution
- Terminology
- EMC Enterprise Hybrid Cloud security documentation

Document purpose

The EMC Federation of companies (EMC, VMware, Pivotal, and RSA) works together to research, develop, and validate leading-edge solutions to deliver superior, integrated solution stacks.

This document provides information about features and configuration options that are available for configuring secure system operations in an on-premises implementation of this cloud solution. It explains why, when, and how to use these security features.

The EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Foundation Infrastructure Reference Architecture and this Security Management Solution Guide describe the reference architecture and implemented security that all the EMC Enterprise Hybrid Cloud add-on solutions are built on.

The following documents provide further information about how to implement specific capabilities or enable specific use cases within the EMC Enterprise Hybrid Cloud solution with VMware:
- EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition: Hadoop Applications Solution Guide
- EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition: Pivotal CF Platform as a Service Solution Guide
- EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition: Public Cloud Integration Guide
- EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Data Protection Continuous Availability Solution Guide
- EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Data Protection Disaster Recovery Solution Guide
- EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Data Protection Backup Solution Guide
- EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Microsoft Applications Solution Guide

Audience

This document is part of the solution documentation set and is intended for security architects, practitioners, and administrators responsible for the overall configuration and operation of the EMC Enterprise Hybrid Cloud. Readers should be familiar with VMware vCloud Suite, storage technologies, and general IT functions and requirements, and how they fit into a hybrid cloud architecture.

Table 2 on page 20 lists publications that are related to the features and functionality described in this document. A basic understanding of these features is important to understanding EMC Enterprise Hybrid Cloud security.

Cloud security challenges

While many organizations have successfully introduced virtualization as a core technology within their data center, end users and business units within customer organizations have not experienced many of the benefits of cloud computing, such as increased agility, mobility, and control. Many organizations are now under pressure to provide secure and compliant cloud services to address this need. As a result, IT departments need to create cost-effective alternatives to public cloud services, alternatives that do not compromise enterprise security and features such as data protection, disaster recovery, and guaranteed service levels.

Potential security threats must be addressed for organizations to maintain or improve their security posture while enabling the business to continue to operate. In a cloud environment, these threats must be addressed at both the underlying infrastructure and virtualized workload levels. The cloud infrastructure can be protected with restricted administration-level access, integration into authentication, logging, and monitoring systems, and system hardening in case of attack.

As virtualized applications are typically exposed to an internal or external user base, they remain the primary threat vector. Web application vulnerabilities, OS configuration errors, and missing patches are still possibilities with virtualized workloads. However, cloud security technologies allow protections against these vulnerabilities while also offering enhanced containerization of workloads that can limit the potential exposure of a successful attack and keep an attacker from infiltrating other systems in the environment.

Some of the challenges addressed in the EMC Enterprise Hybrid Cloud are:
- Lack of trust in cloud technology
- Disjointed authentication mechanisms
- Lack of coordinated event tracking
- Inconsistently applied configurations
- Difficulty in maintaining client or business unit multitenancy
- Difficulty in enforcing separation within a demilitarized zone (DMZ) and private network zones

The EMC Enterprise Hybrid Cloud implements a variety of security features to control user and network access, monitor system access and use, and support the transmission of encrypted data. The security features related to EMC Enterprise Hybrid Cloud are implemented on the EMC and VMware components that constitute the solution and include the following:
- Public key infrastructure integration
- Converged authentication
- Centralized log management
- Security configuration management
- Multitenancy

EMC product security approach

An increasingly interconnected world has created growth opportunities that are now accelerating with the rise of hybrid clouds. Organizations can now deploy information infrastructures more quickly and run them with greater efficiency, control, and choice. These advances foster business agility and connectivity, but they have also created pervasive dependencies among computing components that make problems and vulnerabilities difficult to contain.

Complex, interconnected electronic systems inevitably have software bugs and vulnerabilities. Even a perfect product can develop problems through linkages to flawed partner products or to subsequent changes in the technology environment that create new exposures.

EMC and VMware meet these product security challenges by applying industry best practices, as well as a flexible and standardized approach to prioritizing security throughout the product lifecycle, from inception through sustainment. Trusted IT requires that EMC products are developed so that the risks of vulnerabilities are minimized, and flaws that surface are assessed and resolved as quickly as possible. This end-to-end process is designed to protect EMC's customers and to provide what customers need to help protect themselves.

EMC believes industry collaboration is invaluable for product security. Every company has something to teach and much to learn. Industry collaboration on product security has enabled EMC to help shape and quickly adopt best practices that raise everyone's level of trust in technology. EMC is committed to comprehensive product security programs that are built-in, transparent, and trustworthy.

For more information on the EMC product security approach, refer to

Technology solution

This EMC Enterprise Hybrid Cloud solution integrates the best of EMC and VMware products and services and empowers IT organizations to accelerate implementation and adoption of a hybrid cloud, while still enabling customer choice for the compute and networking infrastructures within the data center. The solution caters to customers who want to preserve their investment and make better use of their existing infrastructure and to those who want to build out new infrastructures dedicated to a hybrid cloud.

The transition from either a physical or a partially virtualized infrastructure to a full hybrid cloud enables a transformative approach to providing security. While many of the same threats to physical environments still exist in the hybrid cloud model, there are new ways to mitigate those threats by using the powerful capabilities of the EMC Enterprise Hybrid Cloud. Network segments and boundaries become fluid as switches, routers, and load balancers can be provisioned as needed to ensure dynamically changing environments remain secure, no longer dependent on hardware procurement or provisioning.

The traditional firewalling of North-South directed network traffic can easily be extended to enforce restrictions on East-West traffic as well, allowing true micro-segmentation of applications, application sub-tiers (web, middleware, and database), and application environments (development, test/QA, and production). Newly provisioned virtual machines can inherit security postures based on their role. Host-based security controls can run as hypervisor kernel-level processes, allowing virtual machines to consume these services without requiring additional software to be installed in every guest virtual machine.

This solution takes advantage of the strong integration between EMC technologies and the VMware vCloud Suite. The solution, developed by EMC and VMware product and services teams, includes EMC scalable storage arrays, integrated EMC and VMware monitoring, VMware software-defined networking and security, and data protection suites to provide the foundation for enabling cloud services within the customer environment.

Key components

This section describes the key components of the solution, as shown in Figure 1.

Figure 1. Hybrid cloud key components

Data center virtualization and cloud management

VMware vCloud Automation Center
VMware vCloud Automation Center (vCAC) enables customized, self-service provisioning and lifecycle management of cloud services that comply with established business policies. vCAC provides a secure portal where authorized administrators, developers, and business users can request new IT services and manage existing compute resources from predefined user-specific menus.

VMware vSphere ESXi and VMware vCenter Server
VMware vSphere ESXi is a virtualization platform for building cloud infrastructures. vSphere enables you to run your business-critical applications to meet your most demanding service level agreements (SLAs) at the lowest total cost of ownership (TCO). vSphere combines this virtualization platform with the award-winning management capabilities of VMware vCenter Server. This solution gives you operational insight into the virtual environment for improved availability, performance, and capacity utilization.

VMware vCenter Orchestrator
VMware vCenter Orchestrator (vCO) is an IT process automation engine that helps automate the cloud and integrates the vCloud Suite with the rest of your management systems. vCO enables administrators and architects to develop complex automation tasks within the workflow designer. The vCO library of pre-built activities, workflows, and plug-ins helps accelerate the customization of vCAC standard capabilities.

VMware vCloud Networking and Security
VMware vCloud Networking and Security (vCNS) is a software-defined networking and security solution that enhances operational efficiency, unlocks agility, and enables extensibility to rapidly respond to business needs. It provides a broad range of services in a single solution, including virtual firewall, virtual private network (VPN), load balancing, and VXLAN-extended networks.

Premium deployment option: VMware NSX for vSphere
An alternative deployment option to vCNS is VMware NSX for vSphere. NSX is the next generation of software-defined network virtualization and offers additional functionality and improved performance over vCNS. This additional functionality includes distributed logical routing, distributed firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). Where workloads on different subnets share the same host, the distributed logical router (DLR) optimizes traffic flows by routing locally. This enables substantial performance improvements in throughput, with distributed logical routing and firewalling providing line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host. NSX also introduces Service Composer, which integrates with third-party security services.

VMware vCenter Configuration Manager
VMware vCenter Configuration Manager automates configuration and compliance management across your virtual, physical, and cloud environments, assessing them for operational and security compliance. It automates critical configuration and compliance management tasks, and supports configuration management across virtual and physical servers, VMware infrastructure, and multiple operating systems. In addition, vCenter Configuration Manager integrates with vSphere to deliver the fundamental capabilities that support VMware infrastructure hardening, including deep configuration data collection, change tracking, and compliance assessment. Visibility into your compliance posture is provided through access to compliance toolkits that cover a broad range of standards, including security best practices, vendor hardening guidelines, and regulatory mandates.

VMware vCenter Operations Manager
VMware vCenter Operations Manager (vC Ops) is a key component of the vCenter Operations Management Suite. It provides a simplified approach to operations management of vSphere, physical, and cloud infrastructures. vC Ops provides operations dashboards to gain insights and visibility into the health, risk, and efficiency of your infrastructure, along with performance management and capacity optimization capabilities. It enables root cause analysis with advisory tools and orchestration workflows to enable optimal resource utilization, operational efficiency, and enforcement of configuration standards.

VMware vCenter Log Insight
VMware vCenter Log Insight delivers automated log management through log aggregation, analytics, and search. With an integrated cloud operations management approach, it provides the operational intelligence and enterprise-wide visibility needed to proactively enable service levels and operational efficiency in dynamic hybrid cloud environments.

VMware IT Business Management Suite
VMware IT Business Management (ITBM) Suite provides transparency and control over the cost and quality of IT services. By providing a business context to the services that IT offers, ITBM helps IT organizations move from a technology orientation to a service-broker orientation, delivering a portfolio of IT services that aligns with the needs of business stakeholders.

EMC storage services

EMC ViPR
EMC ViPR is a lightweight, software-only solution that transforms existing storage into a simple, extensible, and open platform. ViPR extends current storage investments to meet new cloud-scale workloads, and enables simple data and application migration out of public clouds and back under the control of IT (or vice versa). ViPR gives IT departments the ability to deliver on-premises, fully automated storage services at price points that are at or below public cloud providers.

EMC VNX and EMC Symmetrix VMAX
EMC VNX and EMC Symmetrix VMAX are powerful, trusted, and smart storage array platforms that provide the highest level of performance, availability, and intelligence in the hybrid cloud. VNX and VMAX storage systems offer a broad array of functionality and tools, such as Fully Automated Storage Tiering for Virtual Pools (FAST VP), enabling multiple storage service levels to support ViPR-driven storage-as-a-service offerings in the hybrid cloud environment.

EMC ViPR SRM
EMC ViPR SRM, storage resource management software, provides comprehensive monitoring, reporting, and analysis for heterogeneous block, file, and virtualized storage environments. It enables you to visualize application-to-storage dependencies, monitor and analyze configurations and capacity growth, and optimize your environment to improve return on investment.

Terminology

Table 1 lists the terminology used in the guide.

Table 1. Terminology

Term                   Definition
ACL                    Access control list
AD                     Active Directory
AIA                    Authority Information Access
API                    Application programming interface
Avamar MCCLI           Avamar Management Console Command Line Interface
BGP                    Border Gateway Protocol
CA                     Certification authority
CBT                    Changed Block Tracking
CDP                    CRL Distribution Point
CNAME                  A canonical name record in DNS used to resolve an alias to an actual hostname
CRL                    Certificate Revocation List, which contains a list of serial numbers of revoked certificates
CSR                    Certificate Signing Request
DHCP                   Dynamic Host Configuration Protocol
DFW                    NSX distributed firewall
DLR                    NSX distributed logical router
FQDN                   Fully qualified domain name
HSM                    Hardware security module
IaaS                   Infrastructure as a service
IIS                    Internet Information Services
IS-IS                  Intermediate System to Intermediate System
LAG                    Link aggregation that bundles multiple physical Ethernet links between two or more devices into a single logical link; it can also be used to aggregate available bandwidth, depending on the protocol used
LDAP                   Lightweight Directory Access Protocol
LDAPS                  LDAP over SSL
OSPF                   Open Shortest Path First
PEM                    Privacy-Enhanced Mail
PKI                    Public key infrastructure
PVLAN                  Private virtual LAN
SAML                   Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider
SSL                    Secure Sockets Layer, now superseded by Transport Layer Security (TLS), which offers better security
STP                    Spanning Tree Protocol
TLS                    Transport Layer Security
TACACS                 Terminal Access Controller Access Control System
vCAC blueprint         A specification for a virtual, cloud, or physical machine, published as a catalog item in the vCAC service catalog
vCAC business group    A set of users, often corresponding to a line of business, department, or other organizational unit, that can be associated with a set of catalog services and infrastructure resources
vCAC fabric group      A collection of virtualization compute resources and cloud endpoints, managed by one or more vCAC fabric administrators
vDS                    Virtual distributed switch
VLAN                   Virtual local area network
VRF                    Virtual routing and forwarding
VSI                    Virtual Storage Integrator
VXLAN                  Virtual Extensible LAN

EMC Enterprise Hybrid Cloud security documentation

This solution has been secured where appropriate by implementing the recommendations in the product security guides from EMC and VMware listed in Table 2.

Table 2. Product security guides

Publication: EMC Product Security white paper, Part Number H13230
Description: This white paper describes how EMC embeds security in the company's product development, deployment, and maintenance practices, as well as in its supply chain.

Publication: EMC VNX Series Security Configuration Guide for VNX, P/N REV. 02
Description: This document provides information about features and configuration options that are available for configuring secure system operation and storage processing. It explains why, when, and how to use these security features.

Publication: EMC Symmetrix Security Configuration Guide, REV 02
Description: This guide helps you to securely deploy, use, and maintain Solutions Enabler version 7.6 and Unisphere for VMAX version 1.6.

Publication: EMC ViPR Version Security Configuration Guide, P/N REV. 01
Description: This guide provides an overview of the security configuration settings available in EMC ViPR, secure deployment and usage settings, secure maintenance, and the physical security controls needed to ensure secure operation of EMC ViPR.

Publication: EMC Avamar 7.0 Product Security Guide, P/N REV 03
Description: EMC Avamar is backup and recovery software with integrated data deduplication technology. This Product Security Guide provides an overview of the settings and security provisions that are available in Avamar to ensure secure operation of the product.

Publication: EMC Avamar 7.0 Extended Retention Security Guide, P/N REV 01
Description: This document describes how to configure security features for the EMC Avamar extended retention feature.

Publication: EMC Data Domain Version 5.5 Product Security Guide, REV 01
Description: This document describes the key security features of EMC Data Domain systems and provides the procedures required to ensure data protection and appropriate access control.

Publication: VMware vCenter Configuration Manager Security Guide
Description: This security guide describes how to harden vCenter Configuration Manager for secure use.

Publication: vSphere Security, ESXi 5.5, vCenter Server 5.5
Description: This security guide provides information about securing your vSphere environment for VMware vCenter Server and VMware ESXi.

Publication: vSphere 5.5 Update 1 Security Hardening Guide
Description: This guide covers hardening the following components of vSphere:
- Virtual machines
- ESXi hosts
- Virtual network
- vCenter Server and its database and clients (common vCenter and Windows-specific guidance is here)
- vCenter Web Client
- vCenter SSO Server
- vCenter Virtual Appliance (VCSA) specific guidance
- vCenter Update Manager

Publication: VMware vCenter Log Insight Security Guide
Description: This guide provides a reference to the security features of Log Insight.

Publication: VMware vShield Installation and Upgrade Guide
Description: This guide describes how to install and configure the VMware vShield system by using the vShield Manager user interface, the vSphere Client plug-in, and the command line interface (CLI). The information includes step-by-step configuration instructions and suggested best practices.

Publication: VMware NSX Network Virtualization Design Guide
Description: This guide provides an overview of VMware's NSX network virtualization platform.

Publication: VMware NSX 6 Documentation Center
Description: This VMware NSX 6 documentation center provides information about installing, configuring, and using NSX.

Publication: Hardened Appliance Operations Guide
Description: This guide addresses the site-specific technical requirements required to meet Security Technical Implementation Guides (STIG).


Chapter 2 Software-Defined Data Center Overview

This chapter presents the following topics:
- Overview
- Automation and self-service provisioning
- Multitenancy and secure separation
- Workload-optimized storage
- Elasticity and service assurance
- Monitoring and resource management
- Metering and chargeback
- Modular add-on components
- Public cloud services
- EMC and VMware integration
- Summary

Overview

The EMC Enterprise Hybrid Cloud solution enables a well-run hybrid cloud by bringing new functionality to IT organizations, developers, end users, and line-of-business owners. In addition to delivering baseline infrastructure as a service (IaaS), built on the software-defined data center architecture, the EMC Enterprise Hybrid Cloud also delivers feature-rich capabilities to expand from IaaS to business-enabling IT as a service (ITaaS). Backup as a service (BaaS) and disaster recovery as a service (DRaaS) are now policies that can be enabled with just a few clicks. End users and developers can quickly gain access to a marketplace of application resources from Microsoft, Oracle, SAP, EMC Syncplicity, and Pivotal, and they can add third-party packages as needed. All these resources can be deployed on private cloud or public cloud services from EMC-powered cloud service providers, including VMware vCloud Air.

This solution includes the following features and functionality, as shown in Figure 2:
- Automation and self-service provisioning
- Multitenancy and secure separation
- Workload-optimized storage
- Elasticity and service assurance
- Monitoring and resource management
- Metering and chargeback
- EMC and VMware integration

Figure 2. EMC Enterprise Hybrid Cloud features and functionality

Automation and self-service provisioning

This EMC Enterprise Hybrid Cloud solution provides self-service provisioning of automated cloud services to both end users and infrastructure-level administrators. The EMC Enterprise Hybrid Cloud uses VMware vCloud Automation Center (vCAC), integrated with EMC ViPR and VMware NSX, to provide the compute, storage, network, and security virtualization platforms for the software-defined data center. These platforms enable you to rapidly deploy and provision business-relevant cloud services across your hybrid cloud and physical infrastructure. Cloud users can request and manage their applications and compute resources within established operational policies; this can reduce IT service delivery times from days or weeks to minutes.

Features include:
- Cross-cloud storefront: Acts as a service governor that provisions workloads based on business and IT policies
- Role-based self-service portal: Delivers a user-appropriate catalog of IT services
- Resource reservations: Enable resources to be allocated for use by a specific group and ensure those resources are inaccessible to other groups
- Service levels: Define the amount and type of resources a specific service can receive, either during the initial provisioning or as part of any configuration changes

- Build specifications: Contain the automation policies that specify the process for building or reconfiguring compute resources

In this solution, vCAC provides lines of business with the ability to rapidly deploy and provision applications and services to the cloud platform as and when their needs demand. vCAC provides the ability to take a shared infrastructure and divide it into logical units and capacities that can be assigned to different business units. Using role-based entitlements, business users can choose from their own self-service catalog of custom-defined services and blueprints. Each user's catalog presents only the virtual machines, applications, and service blueprints they are entitled to, based on their assigned role within the business.

Service blueprints enable cloud infrastructure administrators to add services created by EMC that take advantage of ViPR for automated storage services, and Avamar and Data Domain for data protection services. Virtual machine and application blueprints can be single-machine or multimachine, covering both bare-metal server deployments and virtual machine deployments. Multitier enterprise applications requiring multiple components (application, database, and web) and service levels can be deployed easily from predefined blueprints.

Figure 3 shows the EMC Enterprise Hybrid Cloud self-service portal in VMware vCAC.

Figure 3. Self-service provisioning through the vCAC portal

Data protection policies can be applied to virtual machine resources at provisioning time, which later enables users to request on-demand backups and restores of their virtual machines, and generation of backup reports, all from the vCAC self-service portal.

As part of the vCAC provisioning process, NSX virtual routing can be used to provide an on-demand deployment model for creating custom networks, which support NSX edge routers and logical switches. This enables a custom configuration to be built as part of a multimachine provisioning process.

This solution is built to work with new and existing infrastructures. It supports the differing requirements of an enterprise's many business units, and integrates with a wide variety of existing IT systems and best practices.

Multitenancy and secure separation

Multitenancy requirements in a cloud environment can range from shared, open resources to completely isolated resources, secure from any access. This solution provides the ability to enforce physical and virtual separation for multitenancy, offering different levels of security to meet business, security policy, and/or regulatory compliance requirements. This separation can encompass network, compute, and storage resources, to ensure appropriate security and performance for each tenant.

The solution supports secure multitenancy through vCAC role-based access control (RBAC), enabling vCAC roles to be mapped to Active Directory groups. vCAC uses existing authentication and business groupings. The self-service portal shows only specific views, functions, and operations based on the role within the business.

Physical resource separation can be achieved in vCAC to isolate tenant resources or to isolate and contain compute resources for licensing purposes, for example, Oracle. Virtual resource separation can be achieved between and within resource groups, depending on the level of separation required. Virtualized compute resources within the software-defined data center are objects inherited from the vSphere endpoint, most commonly representing VMware vSphere ESXi hosts, host clusters, or resource pools. Compute resources can be configured at the vSphere layer to ensure physical and logical separation of resources between functional environments such as Production and Test and Development (Test/Dev).

Valid concerns exist around information leakage and nosy neighbors on a shared network infrastructure. Consumers of the provisioned resources need to operate in an isolated environment and benefit from infrastructure standardization. To address these concerns, this solution has been designed for multitenancy. We [1] approached this from a defense-in-depth perspective, which is demonstrated through:
- Implementing virtual local area networks (VLANs) to enable isolation at Layer 2 in the cloud management platform and where the solution intersects with the physical network
- Using VXLAN overlay networks to segment tenant and business group traffic flows

[1] In this document, "we" refers to the EMC engineering team that validated the solution.

- Integrating with firewalls functioning at the hypervisor level to protect virtualized applications and enabling security policy enforcement in a consistent fashion throughout the solution
- Deploying provider and business group edge firewalls to protect the business group and tenant perimeters

Security

This solution enables customers to enhance security by establishing a hardened security baseline across the hardware and software stacks that support their EMC Enterprise Hybrid Cloud infrastructure. The solution helps to reduce concerns around the complexities of the underlying infrastructure by demonstrating how to tightly integrate an as-a-service solution stack with public key infrastructure (PKI) and a common authentication directory to provide centralized administration and tighter control over security.

The solution addresses the challenges of securing authentication and configuration management to aid compliance with industry and regulatory standards through:
- Securing the infrastructure by integrating with a PKI to provide authenticity, non-repudiation, and confidentiality
- Converging the various authentication sources into a single directory to enable a centralized point of administration and policy enforcement
- Using configuration management tools to generate infrastructure reports for audit and compliance purposes

VMware NSX for vSphere

NSX for vSphere can be used in the EMC Enterprise Hybrid Cloud to enable a richer networking and security feature set than that provided by vCNS. Enhanced networking and security features in NSX include:
- NSX logical routing and firewalls: Provide line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host.
- Distributed logical routers: Contain East-West traffic and North-South traffic within the hypervisor where workloads reside on the same host.
- Logical load balancer: Enables load sharing across a pool of virtual machines with configurable health-check monitoring and application-specific rules for service high availability, URL rewriting, and TLS/SSL pass-through and offload capabilities.
- Distributed firewall (DFW): Enables consistent data-center-wide security policies.
- Security policies: Can be applied directly to security groups, enabling greater flexibility in enforcing security policies. Policies can be based on virtual machine attributes such as VM name, guest OS, or applied tags, allowing dynamic workloads and shifting environments to be automatically assigned appropriate security policies.

Workload-optimized storage

This solution enables customers to take advantage of the proven benefits of EMC storage in a hybrid cloud environment. Using EMC ViPR storage services and the capabilities of VNX and VMAX, this solution provides software-defined, storage-policy-based management of block- and file-based virtual storage. With a scalable storage architecture that uses the latest flash and tiering technologies, VNX and VMAX storage arrays enable customers to meet any workload requirements with maximum efficiency and performance in the most cost-effective way.

With ViPR, the storage configuration is abstracted and presented as a single storage control point, enabling cloud administrators to access all heterogeneous storage resources within a data center as if they were a single large array. Storage administrators are able to maintain control of their storage resources and policies, while the cloud administrator is able to automatically provision storage resources into the cloud infrastructure.

Elasticity and service assurance

This solution uses a combination of tools to provide the intelligence and visibility required to proactively ensure service levels in virtual and cloud environments. Using vCAC and tools provided by EMC, administrators and end users can dynamically add resources as needed, based on their performance requirements. Infrastructure administrators can add storage, compute, and network resources to their resource pools, while end users can expand the resources of their own virtual machines to achieve the service levels they expect for their application workloads. Cloud users can select from a range of service levels of compute, storage, and data protection for their applications to achieve the most efficient use of the resources within their software-defined data center environment.

Monitoring and resource management

This solution features automated monitoring capabilities that provide IT administrators with a comprehensive view of the cloud environment to enable smart decision making for resource provisioning and allocation. These capabilities are based on a combination of vC Ops dashboards, alerts, and analytics, using extensive additional storage detail provided by EMC analytics adapters for ViPR, VNX, and VMAX. vC Ops provides pre-built and configurable dashboards for real-time performance, capacity, and configuration management. Performance data is abstracted to health, risk, and efficiency metrics that enable IT administrators to easily identify evolving performance problems. Installing the EMC ViPR Analytics adapter on vC Ops enables full end-to-end visibility of the entire infrastructure, from virtual machine to LUN and every point in between.

The ViPR Analytics and EMC Storage Analytics (ESA) packs are presented through the vC Ops custom interface. This enables administrators to quickly recognize the health of EMC ViPR virtual arrays and physical EMC VMAX and VNX block and file arrays using customized EMC dashboards for vC Ops, such as the EMC ViPR dashboard shown in Figure 4.

Figure 4. EMC ViPR Analytics with VMware vCenter Operations Manager

Capacity analytics in vC Ops identify over-provisioned resources so they can be right-sized for the most efficient use of virtualized resources. What-if scenarios eliminate the need for spreadsheets, scripts, and rules of thumb.

EMC ViPR SRM offers comprehensive monitoring and reporting for this hybrid cloud solution that helps IT visualize, analyze, and optimize their software-defined storage infrastructure. Cloud administrators can use ViPR SRM to understand and manage the impact that storage has on their applications and view their storage topologies in their hybrid cloud from application to storage. Capacity and consumption of EMC ViPR software-defined storage and SLA issues can be identified through real-time dashboards or reports in order to meet the needs of the wide range of hybrid cloud users.

In addition, for centralized logging, infrastructure components can be configured to forward their logs to VMware vCenter Log Insight, which aggregates the logs from all the disparate sources for analytics and reporting. When integrated with vCenter Log Insight, EMC content packs for Avamar, VNX, and VMAX provide customizable dashboards and user-defined fields specifically for those EMC products, which enable administrators to conduct problem analysis and analytics on the storage array and backup infrastructure.

Metering and chargeback

The solution uses ITBM Suite to provide cloud administrators with metering and cost information across all business groups in the enterprise. ITBM indicates the cost of a virtual machine and blueprints based on business units and application groups across the hybrid cloud environment.

VMware ITBM Standard Edition uses its own reference database, which has been preloaded with industry-standard and vendor-specific data to generate the base cost of virtual CPU (vCPU), RAM, and storage values. These default prices for CPU, RAM, and storage are automatically consum by vCAC, where the cloud administrator can change them as appropriate. This eliminates the need to manually configure cost profiles in vCAC and assign them to compute resources.

ITBM is integrated into the vCAC portal for the cloud administrator and presents a dashboard overview of the hybrid cloud infrastructure, as shown in Figure 5.

Figure 5. ITBM Suite overview dashboard for hybrid cloud

ITBM is also integrated with VMware vCenter and can import existing resource hierarchies, folder structures, and vCenter tags to associate hybrid cloud resource usage with business units, departments, and projects.

Modular add-on components

Application services

The EMC Enterprise Hybrid Cloud uses VMware vCloud Application Director to optimize application deployment and release management through logical application blueprints in vCAC. A drag-and-drop user interface lets you quickly and easily deploy blueprints for applications and databases such as Microsoft Exchange, Microsoft SQL Server, Microsoft SharePoint, Oracle, SAP, Cloud Foundry, and Syncplicity.

Data protection services

Using vCenter Orchestrator workflows customized by EMC, administrators can quickly and easily set up multitier data protection policies and enable users to select an appropriate policy when provisioning their virtual machines. The backup infrastructure takes advantage of Avamar and Data Domain features such as deduplication, compression, and VMware integration. Avamar provides scalable backup and restore capabilities with integrated data deduplication, which reduces total disk storage by up to 50 times and enables cost-effective, long-term retention on Avamar Data Store servers. Avamar can alternatively use a Data Domain appliance as the backup target.

Using the vCAC application program interface (API) and extensibility toolkits, this solution implements custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a single-organization or multiorganization hybrid cloud environment. With this solution, enterprise administrators can offer IaaS with EMC backup to end users who want a flexible, on-demand, automated backup infrastructure without having to purchase, configure, or maintain it.

Continuous availability

A combination of EMC VPLEX, VMware vSphere High Availability, and VMware vSphere vMotion enables hybrid cloud users to effectively distribute applications and their data across multiple hosts over synchronous distances. With virtual storage and virtual servers working together over distance, your infrastructure can provide load balancing, real-time remote data access, and improved application protection. All mobility and migration of live systems is seamlessly executed between sites, completely transparent to all users and applications.

Disaster recovery

The EMC Enterprise Hybrid Cloud enables cloud administrators to select disaster recovery (DR) protection for their applications and virtual machines when deploying from the vCAC self-service catalog. EMC ViPR automatically places these systems on storage that is protected remotely by EMC RecoverPoint. VMware vCenter Site Recovery Manager (VMware SRM), through tight integration with the EMC RecoverPoint Storage Replication Adapter (SRA), can automate the recovery of all virtual storage and virtual machines at a recovery or failover site.

Public cloud services

This EMC Enterprise Hybrid Cloud solution enables IT organizations to broker public cloud services. This solution has been validated with VMware vCloud Air as a public cloud option that can be accessed directly from the solution's self-service portal by administrators and users. End users can provision virtual machines, while IT administrators can use VMware vCloud Connector to perform virtual machine migration (offline) from the on-premises component of their hybrid cloud to vCloud Air.

EMC and VMware integration

This EMC Enterprise Hybrid Cloud solution contains many integration points between EMC and VMware products. This section highlights some of the key integration points and how they fit into the overall solution. Some of the integration points between VMware components and EMC ViPR are shown in Figure 6.

Figure 6. EMC ViPR integration points with VMware components

Storage services

While being managed by ViPR, VNX and VMAX storage arrays both support VMware vSphere Storage APIs - Array Integration (VAAI), which offload virtual machine operations to the array to optimize server performance. The ViPR Storage Provider integrates ViPR with VMware vSphere Storage APIs - Storage Awareness (VASA). This enables vCenter administrators to view the storage capabilities of ViPR-provisioned storage and manage the association of these file systems and volumes or LUNs with their ViPR virtual pools. This service runs on the ViPR appliance, and a connection is configured in vCenter for communications.

All VMware vSphere ESXi servers in this solution run EMC PowerPath/VE for automatic path management and load balancing in the SAN. EMC PowerPath/VE automates failover and recovery and optimizes load balancing of data paths in virtual environments to ensure availability, performance, and the ability to scale out mission-critical applications.

Orchestration

The ViPR plug-in for VMware vCenter Orchestrator (vCO) provides an orchestration interface to the EMC ViPR software platform. The EMC ViPR plug-in has pre-packaged workflows used through the vCO client and other clients that support vCO integration. The pre-packaged workflows contain sets for common ViPR operations and sets of building-block workflows intended for detailed ViPR operations. The EMC ViPR plug-in is installed in the vCO configuration interface.

Operational management and monitoring

The EMC ViPR Analytics pack for vC Ops provides advanced metrics for virtual resources at the EMC ViPR virtual array and virtual pool level. The ESA adapter for EMC VNX and VMAX provides preconfigured dashboards for VMware vC Ops users to view storage metrics and topologies of the individual storage components beneath EMC ViPR. EMC also provides storage and data protection content packs for use with VMware vCenter Log Insight. EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those EMC products that enable administrators to conduct problem analysis.

Metering

EMC ViPR Storage Provider plays a key role in this solution in identifying the capabilities of the storage presented to ESXi servers managed by vCenter. A storage profile is created in vCenter for each class, or tier, of storage presented by ViPR. These storage profiles are used by VMware ITBM to classify and charge for each tier of storage presented and consumed in vCAC.

Summary

This solution enables enterprise customers to build an enterprise-class, scalable, multitenant platform for complete management of their compute service lifecycle. It provides on-demand access and control of compute resources and security while enabling enterprise customers to maximize asset use. Specifically, this solution integrates all of the key functionality that customers demand, and provides a framework and foundation for adding other services. This solution supports a VMware vCloud Suite stack with EMC storage and data protection services, providing customers with the flexibility to deliver cloud-based services with the functionality to which they are accustomed.

Chapter 3 Public Key Infrastructure

This chapter presents the following topics:
- Overview
- Enterprise PKI architecture
- Enterprise PKI solution integration
- Summary

Overview

Integrating a PKI in a multitenant hybrid cloud environment ensures that all the components that use or rely on X.509 certificates and technology are trusted. By default, components are installed or factory shipped with self-signed X.509 certificates that are untrusted, because you cannot verify the authenticity of who issued or signed them. In such an environment, an attacker could impersonate a device or application to perform man-in-the-middle attacks or harvest administrative credentials for subsequent use in compromising other systems on the network. The impact of such an attack is more serious because of the privileges usually given to systems administrators to fulfill their duties. Certain regulated industries and governments require the use of trusted certificates only.

Integration with a trusted PKI addresses this problem by establishing a chain of trust from the trusted X.509 certificate installed on the device or application, through the issuing certification authority (CA), to the root CA. In addition, it provides a means to validate this trust by publishing Authority Information Access (AIA) locations and Certificate Revocation Lists (CRLs).

This chapter provides an overview of integrating the EMC Enterprise Hybrid Cloud solution stack and supporting infrastructure into an enterprise PKI hierarchy. It does not cover PKI policies, registration authorities (RAs), validation authorities (VAs), or other components typically used in a PKI. Design considerations for these components should be taken into account when implementing PKI within your organization and are outside the scope of this guide.

The private keys used by the CAs should be safeguarded. Use network-based hardware security modules (HSMs) in a virtualized environment to store the CAs' private keys in a secure manner with tamper protection. HSMs can also provide offloading of certain cryptographic processing for symmetric or asymmetric needs where performance and speed are a requirement.

Note: Transport Layer Security (TLS) is a standard for a cryptographic protocol that is closely related to Secure Sockets Layer (SSL). Both use X.509 certificates and asymmetric authentication between the client and server to exchange the symmetric key used to encrypt the communication session between the endpoints. TLS has supplanted SSL as the protocol used to provide security for client-server encryption, as it offers significantly improved security. Throughout this guide there may be references to SSL; however, TLS-compatible configurations and certificates have been implemented.

Enterprise PKI architecture

Figure 7 shows the hierarchical relationship of the PKI environment with the root self-signed certificate, the issuing CA certificate, and the end-entity-issued certificates. Figure 7 also shows the trust relationship between the end-entity certificates used in this solution and the end user.

Figure 7. PKI hierarchy for EMC Enterprise Hybrid Cloud solution stack

All issuing CA and end-entity certificates contain the Authority Information Access (AIA) extension, which contains URLs pointing to where the root and subordinate CA certificates in the certificate chain are located. The issuing CA and end-entity certificates also contain the CRL Distribution Point (CDP) extension, which contains URLs pointing to the location of the CRL for the CAs. The end-entity certificates were issued by the subordinate CA and requested with a subject alternative name (subjectAltName, also abbreviated to SAN) that consists of a fully qualified domain name (FQDN), hostname, and IP address.

Root certificate authority

In this solution, we installed the root CA (ESG lab root certificate authority) on a dedicated Microsoft Windows 2012 Server standalone virtual machine. For this environment, the validity period for both the certificates and the CRL issued by the root CA was set to five years. After the periods were set, we configured the location of a copy of the root CA certificate and the CDPs for the root CA. Because the root CA is typically offline, it is important that the AIAs and CRLs are available on systems other than the root CA, and that the root certificate is configured with the location of the AIA and CDPs. In this solution, these are published on the issuing CA.

After you have configured the root CA, back it up using the certificate services CA backup utility. This enables you to create a backup of the root CA's private key, CA certificate, certificate database, and certificate database log. Also, it is important that you install the root CA certificate in the system-wide certificate stores on all systems in this environment.

Subordinate (or issuing) CA

As a prerequisite to starting the subordinate CA configuration, the root CA certificate must be installed in the system-wide certificate store on the Microsoft Windows Server that is used as the subordinate CA. After the root CA certificate is installed, and after joining the domain, the necessary Active Directory Certificate Services and Internet Information Services (IIS) roles can be installed. Because we joined the server to the Active Directory domain, we can deploy this subordinate CA as an enterprise-type installation that enables integration with Active Directory and the auto-enrollment of clients. After the subordinate CA certificate signing request (CSR) is submitted to the root CA and issued, install it on the subordinate CA and start the CA service. The certificate and CRL for the root CA are published to Active Directory and to a folder on the server that is web accessible. We configured the subordinate CA AIA and CDP extensions to use the same locations for the subordinate CA certificate and CRLs.

subjectAltName attributes in certificates

In production environments, it is common for systems to be managed and accessed using the system IP address, hostname, or FQDN. However, when PKI is introduced, this behavior can result in certificate validation errors that can cause integration to fail. You can issue a certificate that contains one or more Subject Alternative Name attributes (subjectAltName), in addition to the subject name (also known as the common name). However, this is not enabled by default in Active Directory Certificate Services.

Note: When designing your PKI, it is important to consider the security implications of enabling this extension. Your security policy may require certain controls and processes to be put in place that are beyond the scope of this guide. The security best practices for enabling subject alternative names in certificates can be reviewed in the Microsoft TechNet Library topic How to Request a Certificate With a Custom Subject Alternative Name.

Enterprise PKI solution integration

Part of hardening the infrastructure is to replace the self-signed X.509 certificates with valid signed certificates from a trusted CA. Some organizations may choose to use an external entity for this. In this solution, we configured an internal CA using a hierarchical structure, as shown in Figure 7. This shows the CA architecture with the root at the top level, which is either offline or air-gapped. Subordinate CAs are tiered in the Active Directory forest. The PKI used in this solution is based on the deployment of Active Directory Certificate Services. Follow best practices when designing your organization's PKI infrastructure and take additional security measures to ensure protection of the private keys in use by the CAs.

Note: Hardware security modules (HSMs) can provide increased randomness and private key protection, but were not used in this solution.

Microsoft Active Directory LDAP over SSL certificates

Lightweight Directory Access Protocol (LDAP) is the protocol by which many applications submit authentication or authorization requests. LDAP introduces a significant security risk because credentials (username and password) are passed over the network unencrypted. This can quickly lead to credentials becoming compromised. We can significantly strengthen the security of these authentication and authorization communications by encrypting the entire LDAP session with SSL, known as LDAP over SSL or LDAPS. By default, Active Directory is not configured to support LDAPS, so certain steps must be taken to integrate Active Directory with a trusted PKI and enable LDAPS. The Active Directory LDAP over SSL (LDAPS) certificate is issued by the subordinate CA and requested on each participating domain controller using the Certificates snap-in added to the Microsoft Management Console (MMC). The certificate is installed in the domain controller certificate store and is used by Active Directory Domain Services to secure authentication and authorization requests over LDAP.

VMware vCenter Log Insight

To update the trusted CA certificate stores for vCenter Log Insight, add the trusted CA chain to both the OpenSSL certificate store and the Java CA certificate (cacerts) keystore. When you have established trust with the root and issuing CAs, you can generate the private key and CSR using OpenSSL, combine the resulting signed certificate with the private key, and convert it to a PEM-formatted certificate. Then install it through the web interface.

VMware vCenter Orchestrator

vCO has two elements that use self-signed certificates by default. Replace the self-signed certificates used for both the vCO server engine and the vCO management web server to protect the application's communications with other components and the web management interface.

vCO server certificate

In preparation, import the root and issuing CA certificates using the vCO Certificates Manager tool in the vCO client. Generate the CSR using the Server Certificate UI of the vCO Configurator and submit it to the issuing CA. The resulting signed certificate is then imported using the Server Certificate UI.

vCO web server certificate

Replacing the vCO web server self-signed certificate protects the management interface. In preparation, import the root and issuing CA certificates into the jssecacerts keystore using the vCO-installed Java keytool utility. The keytool utility is then used to regenerate the dunes private key and a CSR that can be submitted to the issuing CA. The resulting signed certificate is imported into the jssecacerts keystore.

VMware vCenter Operations Manager

To establish the certificate validation chain, add the trusted CA chain to both the OpenSSL certificate store and the Java cacerts keystore. Then generate a private key and CSR using OpenSSL and submit the CSR to the issuing CA. The resulting signed certificate is combined with the private key and converted to a PEM-formatted certificate, which is then installed through the web interface.

VMware vCenter Single Sign-On

The certificate requirements of vSphere 5.5 differ significantly from those of vSphere 5.0 because of the introduction of vCenter Single Sign-On (SSO) as a mandatory prerequisite to installing VMware vCenter Server.
vCenter SSO provides an authentication interface called Security Token Service (STS) that enables administrators or applications to authenticate against a defined security domain or identity source, such as Active Directory or OpenLDAP. If authentication succeeds, the credentials are exchanged for a SAML 2.0 token that is then used to interact with the various vSphere platform applications. During the interaction between components, the client verifies the authenticity of the certificate presented during the TLS handshake, before encryption begins, which protects against man-in-the-middle attacks. Each VMware SSO-enabled component registers with SSO using its client end-entity certificate and requires a unique certificate, as detailed in Table 3. The exceptions are the vCAC components and ITBM, which register with and use the VMware Identity Appliance for SSO; the Identity Appliance is available to download as part of vCAC.

Note: The requirement for vCAC and ITBM to use the Identity Appliance as an SSO source no longer applies if vCenter 5.5.0b or later is deployed. That version of vCenter SSO supports integration of vCAC and ITBM.

Table 3. Certificates and keystore types for vCloud Suite 5.5 deployment

Component                    Keystore   Private key   Full certificate chain
vCenter Single Sign-On       N/A        Y             Y
vCenter Inventory Service    N/A        Y             Y
vCenter Server               N/A        Y             Y
vCenter Log Browser          N/A        Y             Y
vCenter Log Insight          N/A        Y             N
vCenter Operations Manager   N/A        Y             N
vCenter Orchestrator         N/A        Y             Y
vSphere Web Client           N/A        Y             Y
vSphere Update Manager       N/A        Y             Y
vSphere ESXi                 N/A        Y             Y

In this context, what distinguishes a vSphere component certificate is the subject Organizational Unit (OU) value. This is important because vCenter SSO looks exclusively at this attribute to determine whether the vSphere service is already registered. The subject Distinguished Name (DN) value is stored in the SSO database as the primary key for each certificate, rather than the hash, thumbprint, or any other attribute. This matters where multiple vCenter services are deployed, as recommended, in a single virtual machine: the common name and other attributes may be identical, so the same subject DN could be used across services. Ensure that the new SSL certificate for each vSphere component has a unique subject DN encoded within the certificate. You can achieve this by specifying an additional attribute, such as a unique OU, in each certificate request.

Note: Having a unique OU is one way to achieve a unique subject DN, but other attributes can be used. A unique OU is not mandatory, as it is only part of the subject DN. For more details on identifying the constituent components of a subject DN, refer to Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280).

To address some of these complexities, VMware released the vCenter Certificate Automation Tool 5.5.
It can automatically generate the certificate-signing requests, update or replace existing certificates, and establish trust between the VMware components, but it does not handle the replacement of ESXi certificates, nor does it have certificate requests signed or renewed by a trusted CA.

VMware vCloud Automation Center

Identity Appliance

Ideally, the self-signed certificate should be replaced immediately after the appliance is deployed and before SSO is instantiated or solutions are registered. SSO uses the configured SSL certificate to establish trust with the solution components that register subsequently. Performing this as a first step avoids potential issues and re-registration. Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI together with the PEM-formatted private key.

vCAC appliance

Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI together with the PEM-formatted private key.

Infrastructure as a service (IaaS)

VMware recommends using a domain certificate for vCAC. It can be requested using the IIS management console, and the request is then submitted to the issuing CA. You can also generate a CSR from the IIS management console if you want to include subjectAltName attributes. When the certificate is issued, use the IIS management console to install it and configure the binding on port 443 to use the trusted certificate. Repeat this on all vCAC components that use IIS. When the certificate is replaced, re-register the IaaS endpoints with vCAC.

VMware NSX for vSphere

Generate a private key and CSR using OpenSSL and submit the CSR to the issuing CA. The resulting signed certificate is combined with the private key and CA chain and converted to a PKCS#12 keystore. The keystore is then imported using the SSL Certificates configuration page in the Manage Appliance Settings UI of NSX Manager.
VMware vSphere ESXi

Generate a PEM-formatted private key and CSR for each ESXi host on a system with OpenSSL installed. Place the host in maintenance mode and transfer the private key and signed PEM-formatted certificate to it. Reboot the ESXi host for the new certificate to take effect.

EMC Avamar

The Avamar server provides a management web interface that uses a self-signed digital certificate for identification and encryption. To use a certificate that is signed by your own certification authority, create a private key and a certificate-signing request on a system with OpenSSL installed and submit the request to the issuing CA. When the certificate is issued, transfer the private key and signed certificate to the Avamar server. Also install the root and issuing chain certificates into the Apache ca.crt certificate store and restart the Apache daemon.

Before you can create a certificate-signing request, you must delete the default tomcat alias from the keystore and generate a new key with the server-specific data. When this is done, and the CSR has been created and submitted to the issuing CA, import the root CA, issuing CA, and trusted certificates into the keystore using the root, intermediate, and tomcat aliases respectively. Restart the ems and dtlt services for the changes to take effect.

EMC Data Protection Advisor

The Data Protection Advisor (DPA) application server provides a management web interface that uses a self-signed digital certificate for identification and encryption. To use a certificate that is signed by your own CA, create a certificate-signing request using the DPA-installed Java keytool utility and submit it to the issuing CA. You must also install the root and issuing chain certificates into the Java cacerts keystore. When the certificate is issued, import the signed Base64-encoded X.509 certificate into the cacerts keystore and restart the application server.

EMC Unisphere

Unisphere for VMAX

EMC Solutions Enabler must be deployed in your environment to manage an EMC VMAX array. In addition, to encrypt the management traffic, replace the default SSL certificate that is installed when Solutions Enabler is deployed. For this solution, we installed Unisphere for VMAX on the same system on which Solutions Enabler was installed. It can also be installed on a separate system and connected to the SYMAPI interface of Solutions Enabler over the network using SSL connections.

Notes: The common name must contain storsrvd, followed by a space and the FQDN, as detailed in the EMC Solutions Enabler Version 7.5 Security Configuration Guide. We have also supplemented this with Subject Alternative Name values for the FQDN, short name, and IP address. Additional security features can be set based on your governing rules or regulations for security compliance.
For more information, refer to the Client/Server security settings section in the EMC Solutions Enabler Version 7.5 Installation Guide.

VNX Unisphere

Storage processor

The certificate request must meet a number of conditions for this process to work correctly:

- Common name (domain name) must be the storage processor hostname, not the FQDN.
- Common name (alias) must be blank.
- Both the common name (domain name) and common name (IPv4) must be populated.
- The pre-populated organizational unit name must be ou=clariion.

- E-mail address must be blank.

If you do not adhere to these conditions, either a failure will occur during SSL certificate installation or you will encounter certificate errors.

EMC ViPR

Replacing the self-signed SSL certificate on ViPR requires you to create a new key pair and CSR. After you have retrieved the issued certificate from the CA, concatenate the private key, the issued certificate, and the CA chain certificates into a single PEM-formatted file. This is imported into ViPR using either the ViPR Admin portal or the ViPR CLI, and the nginx service is then restarted.

Summary

The infrastructure solution stack required to deliver hybrid cloud services must provide an easy means of centralized management, bringing together the software and hardware components that form the complete solution so that they can be securely managed and their policies enforced. This section demonstrated that an EMC Enterprise Hybrid Cloud solution stack can be integrated with an enterprise PKI to ensure authenticity, strengthen authentication, and encrypt administrative communications.
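The subject-DN rules this chapter sets out (a distinct subject DN for every vSphere component that registers with vCenter SSO, the storsrvd common name for Solutions Enabler, and the VNX storage processor conditions) as one added checker. This is example code written for this guide's text, not EMC's or VMware's; every DN, host name and field name in it is a constructed sample.

```python
"""Subject DN checks for the certificate rules in this chapter.

Example code written for this guide's text, not EMC's or VMware's. Three rules
from the chapter are encoded: vCenter SSO keys registrations by subject DN, so
every vSphere component needs a distinct DN (a unique OU is one way); Solutions
Enabler expects a CN of "storsrvd" + space + FQDN; and a VNX storage processor
request must use the SP hostname as CN, ou=clariion, and no alias or e-mail.
All DNs, host names and field names below are constructed samples.
"""
import re
from collections import Counter


def parse_dn(dn):
    """Split an RFC 4514-style string ("CN=x, OU=y, O=z") into (type, value)
    pairs. A comma escaped with a backslash stays inside its value."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition('=')
        pairs.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return pairs


def normalize_dn(dn):
    """Canonical form used for comparison here: attribute types upper-cased and
    spacing removed. (Assumed comparison rule for this check, not SSO's own.)"""
    return ','.join(f'{attr}={value}' for attr, value in parse_dn(dn))


def find_dn_collisions(component_dns):
    """Return {normalized DN: [component names]} for every subject DN shared by
    more than one component. component_dns maps component name -> subject DN.
    A collision means SSO would treat the second registration as the first."""
    counts = Counter(normalize_dn(dn) for dn in component_dns.values())
    return {
        dn: [name for name, d in component_dns.items() if normalize_dn(d) == dn]
        for dn, n in counts.items() if n > 1
    }


def check_storsrvd_cn(cn, fqdn):
    """Solutions Enabler rule: CN is exactly "storsrvd <FQDN>"."""
    return cn == f'storsrvd {fqdn}'


def check_vnx_sp_request(req):
    """VNX storage processor request fields, keyed by the form field names used
    in the text. Returns the list of violated conditions (empty = acceptable)."""
    problems = []
    host = req.get('common_name_domain', '')
    if not host or '.' in host:
        problems.append('common name (domain name) must be the SP hostname, not the FQDN')
    if req.get('common_name_alias', ''):
        problems.append('common name (alias) must be blank')
    if not req.get('common_name_ipv4', ''):
        problems.append('common name (IPv4) must be populated')
    if req.get('organizational_unit', '') != 'clariion':
        problems.append('organizational unit must be ou=clariion')
    if req.get('email', ''):
        problems.append('e-mail address must be blank')
    return problems


# Constructed sample: four vCenter services on one VM. Two of them omit the
# distinguishing OU, so they end up with the same subject DN.
SAMPLE_COMPONENTS = {
    'vCenter Server': 'CN=vc01.example.test, OU=vCenterServer, O=Example, C=US',
    'Inventory Service': 'CN=vc01.example.test, OU=vCenterInventoryService, O=Example, C=US',
    'vSphere Web Client': 'CN=vc01.example.test, O=Example, C=US',
    'Log Browser': 'CN=vc01.example.test, O=Example, C=US',
}

# Constructed sample VNX storage processor request that meets every condition.
SAMPLE_VNX_REQUEST = {
    'common_name_domain': 'spa',
    'common_name_ipv4': '192.0.2.10',
    'organizational_unit': 'clariion',
}

if __name__ == '__main__':
    for dn, names in find_dn_collisions(SAMPLE_COMPONENTS).items():
        print(f'subject DN {dn!r} reused by: {", ".join(names)}')
    print('storsrvd CN ok:', check_storsrvd_cn('storsrvd se01.example.test', 'se01.example.test'))
    print('VNX request problems:', check_vnx_sp_request(SAMPLE_VNX_REQUEST))
```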

Chapter 4: Converged Authentication

This chapter presents the following topics:

- Overview
- Security and authentication
- Active Directory integration
- VMware vCenter SSO
- TACACS+ authentication integration
- Summary

Overview

This section introduces the integration of authentication mechanisms with a centralized directory and includes the following topics:

- Microsoft Active Directory LDAP over SSL
- Windows authentication and service accounts
- ESXi host integration with Active Directory
- Authorization and role mapping to Active Directory groups
- Terminal Access Controller Access Control System Plus (TACACS+) authentication integration

Security and authentication

A significant challenge in securing any environment is securing how credentials are used to access the solution's resources. This is addressed in part by using PKI integration to implement trusted certificates, which enable the authenticity of applications and devices to be verified and which encrypt administrator access to the management interfaces.

Another challenge is the disparate authentication containers across hardware and software components, each with differing account and password policies. To address this challenge, this solution covers the integration of the authentication mechanisms found in VMware, EMC, and Cisco components and their convergence on Kerberos, LDAPS, and TACACS+ authentication services, using Active Directory as a centralized directory.

In this solution, Active Directory provides a single point of control for account management and policy enforcement. In addition, it provides Kerberos and LDAPS authentication and authorization services. To address devices that do not integrate with Active Directory, we used TACACS+ and configured it to use Active Directory as the authentication source. Figure 8 shows the hierarchy of authentication communication paths used in this solution.

Figure 8. Authentication relationships between the solution components

Microsoft Active Directory

SSL certificates for LDAPS

Encrypting the authentication session is a security best practice, because account credentials are exposed in clear text when an application or system authenticates users using a simple BIND request to the directory. To enable LDAPS, an authentication certificate must be installed that meets the following requirements:

- The LDAPS certificate is located in the local computer's personal certificate store (programmatically known as the computer's MY certificate store), or in the Active Directory Domain Services personal certificate store, on every domain controller that will authenticate using LDAPS.
- A private key that matches the certificate is present in the local computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled, because that would prevent unattended restarts: a passphrase would be required with every restart of the server or the AD DS service.
- The enhanced key usage extension includes the server authentication object identifier (OID).
- The Active Directory FQDN of the domain controller appears in one of the following places: the Common Name (CN) in the Subject field, or a DNS entry in the Subject Alternative Name extension.
- The certificate is issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA is chained.
- The key is generated by the Microsoft SSL provider (Schannel) cryptographic service provider (CSP).

Active Directory Domain Services LDAPS certificate

If the LDAPS-enabled domain controllers are configured with multiple server authentication certificates in the local computer certificate store, problems may arise with LDAPS authentication. This is because Schannel selects the first valid certificate that it finds in the local computer store, and that might not be the correct certificate. To work around this issue, the LDAPS certificate can be placed in the Active Directory Domain Services personal certificate store in Windows Server. Active Directory exclusively uses a certificate placed in the Active Directory Domain Services personal certificate store for LDAPS connections; however, there are important considerations to be made before you implement this. According to Microsoft:

- Automatic certificate enrollment (auto-enrollment) cannot be used with certificates in the Active Directory Domain Services personal certificate store.
- Current command line tools do not allow certificate management of the Active Directory Domain Services personal certificate store.
- Certificates should be imported into the store and not moved through the certificates console.

This option is only required on a server that has multiple certificates for server authentication in the local computer certificate store. If possible, the best solution is to have only one certificate in the local computer personal certificate store.
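A client-side check of two of the LDAPS certificate requirements above, as an added example that is not part of EMC's guide or Microsoft's tooling: the presented chain must validate against the trusted root CA (which Python's ssl module enforces during the handshake), and the domain controller's FQDN must appear as the subject CN or as a SAN DNS entry. The host name, CA bundle path and the sample certificate are constructed placeholders.

```python
"""Client-side check of a domain controller's LDAPS certificate.

Example code written for this guide, not part of EMC's or Microsoft's tooling.
It checks two of the requirements listed above from an LDAPS client's point
of view: the presented chain must validate against the trusted root CA, which
ssl does during the handshake, and the DC's FQDN must appear as the subject
CN or as a DNS entry in the Subject Alternative Name. The host name, CA bundle
path and the sample certificate dict are constructed placeholders.
"""
import socket
import ssl

LDAPS_PORT = 636


def cert_names(cert):
    """Collect the subject CN value(s) and SAN DNS entries, lower-cased, from a
    certificate dict in the shape returned by ssl.SSLSocket.getpeercert()."""
    names = set()
    for rdn in cert.get('subject', ()):
        for attr, value in rdn:
            if attr == 'commonName':
                names.add(value.lower())
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'DNS':
            names.add(value.lower())
    return names


def fqdn_listed(cert, dc_fqdn):
    """True when the DC FQDN is the subject CN or a SAN DNS entry."""
    return dc_fqdn.lower() in cert_names(cert)


def check_ldaps_endpoint(dc_fqdn, ca_bundle, timeout=5.0):
    """Connect to the DC on port 636 and return (ok, detail).

    ca_bundle is a PEM file containing the root CA to which the issuing CA is
    chained. create_default_context() requires a valid chain to that root and
    a host name match, so an untrusted or mis-issued certificate fails the
    handshake instead of being silently accepted. Needs a reachable DC, so the
    success path is not exercised offline.
    """
    try:
        ctx = ssl.create_default_context(cafile=ca_bundle)
        with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f'chain or host name validation failed: {exc.verify_message}'
    except (OSError, ssl.SSLError) as exc:
        return False, f'LDAPS connection failed: {exc}'
    if not fqdn_listed(cert, dc_fqdn):
        return False, 'DC FQDN is neither the subject CN nor a SAN DNS entry'
    return True, f'trusted certificate, names: {sorted(cert_names(cert))}'


# Constructed sample in getpeercert() shape: a DC certificate whose CN and SAN
# both carry the FQDN, as the requirements above expect.
SAMPLE_DC_CERT = {
    'subject': ((('commonName', 'dc01.corp.example.test'),),),
    'subjectAltName': (('DNS', 'dc01.corp.example.test'), ('DNS', 'corp.example.test')),
    'issuer': ((('commonName', 'Example Issuing CA'),),),
}

if __name__ == '__main__':
    print(fqdn_listed(SAMPLE_DC_CERT, 'DC01.corp.example.test'))   # True
    # Live check against a real DC (placeholder values):
    # print(check_ldaps_endpoint('dc01.corp.example.test', '/path/to/root-ca.pem'))
```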

Windows authentication and service accounts

In a production environment, it is a security best practice to use service accounts to track and control applications and to mitigate the impact of a potential system compromise. The integrated Windows authentication feature in SQL Server provides better security than SQL Server authentication by taking advantage of Active Directory user security and account mechanisms. In the following sections, we detail the steps required to improve security by using integrated Windows authentication for the vCenter Server, vCAC IaaS, and vSphere Update Manager SQL Server databases, and service accounts for vCenter Server, vCAC IaaS, and vSphere Update Manager.

Microsoft SQL Server security

While SQL Server security is beyond the scope of this solution guide, we make recommendations that refer to it in subsequent sections. Specifically, we discuss why integrated Windows authentication is preferred over SQL Server authentication. We also discuss why SQL Server's services should be run under an account other than the Local System account.

Integrated Windows authentication

When an application connects through an Active Directory user account, SQL Server validates the account name and password using the Active Directory principal token in the operating system. This means that Active Directory confirms the user identity; SQL Server does not ask for the password and does not perform the identity validation. Integrated Windows authentication uses the Kerberos security protocol and provides a centralized mechanism for password policy enforcement, support for account lockout, and password expiration. It offers additional password policies that are not available for SQL Server logins.
Microsoft SQL Server service accounts

Microsoft recommends isolating the SQL Server services under separate, low-rights Active Directory or local user accounts, one for each SQL Server service, to reduce the risk that one compromised service could be used to compromise other services. During the installation of SQL Server, you can specify an alternate account for the SQL Server services to use, and each service can be configured to use its own service account. SQL Server Configuration Manager should be used to manage or replace the accounts under which the services run. The hierarchy of accounts (from least privileged to most privileged) that can be used is:

1. Domain user (non-administrative)
2. Local user (non-administrative)
3. Network service account
4. Local system account
5. Local user (administrative)
6. Domain user (administrative)

Account types 1 and 2 are preferred because they best embody the principle of least privilege. Account type 3 is a shared account, and any applications or services running under it would potentially have access to each other's data. Local system is a very highly privileged built-in account: it has extensive privileges on the local system and acts as the computer on the network. Account types 5 and 6 are less secure, since they grant too many unneeded privileges.

Active Directory integration

The following solution components can be directly integrated with Active Directory:

- vCenter Log Insight
- vCenter Operations Manager
- vCloud Automation Center tenant identity stores
- vSphere ESXi hypervisor
- EMC Avamar
- EMC Data Protection Advisor
- EMC Unisphere
- EMC ViPR

VMware vCenter Log Insight

Integrating Log Insight authentication with Active Directory

vCenter Log Insight can integrate user authentication with Active Directory, as shown in Figure 9. If the Default Domain that you specify is trusted by other domains, Log Insight uses the default domain and the binding user to verify Active Directory users and groups in the trusting domains.

Figure 9. Log Insight authentication with Active Directory

vCenter Log Insight role-based access control with Active Directory groups

You can assign roles to Active Directory users and groups to grant access to the current instance of Log Insight. As an example, we created two Active Directory groups to map to the Log Insight administrator and user roles: PPOD_LogInsight_Admins and PPOD_LogInsight_Users, respectively. When complete, the configuration should resemble Figure 10.

Figure 10. Create a new group

Configure Log Insight to use LDAPS for Active Directory authentication

By default, when Log Insight connects to Active Directory, it attempts to use LDAP first and then falls back to LDAP with SSL if that is unsuccessful. To limit the Active Directory communication to one specific protocol, such as LDAPS, or to change the order in which the protocols are tried, edit the /usr/lib/loginsight/application/etc/loginsight-config-base.xml file to configure the authentication protocol.

VMware vCenter Operations Manager and Active Directory users

When you run the Import from LDAP tool, it connects to Active Directory and displays a list of user accounts based on the filtering criteria you specify. Select the users or groups you want to import and the role you want assigned. You can also configure an auto-synchronization to occur on a schedule, enabling you to map a vCenter Operations Manager role to corresponding Active Directory groups and manage membership through Active Directory Users and Computers in MMC.

Note: vCenter Operations Manager does not store the user accounts' passwords locally. These exist only in Active Directory, where account management is performed and password policy is enforced.

VMware vCloud Automation Center: Tenant identity stores

In the EMC Enterprise Hybrid Cloud solution, we used the Active Directory type identity store to enable tenant authentication integration with Active Directory over LDAP. To enable LDAP authentication over SSL, you must import the CA chain into the cacerts keystore on the vCAC virtual appliance. Then use the ldaps:// protocol designator when specifying the identity store Active Directory URL.

Note: The protocol designator can only be specified when adding the identity store. To change from ldap:// to ldaps://, you must delete the identity store and re-create it with the correct designator.

VMware vSphere ESXi host integration with Active Directory

To integrate an ESXi host with Active Directory, after adding the ESXi host to the vCenter inventory:

- Create and manage an ESXi administrators group named ESXi Admins that restricts who can log in to the ESXi hosts using Active Directory credentials.
- If applicable, you need an OU where the ESXi hosts reside in Active Directory. In this solution, we used an OU named ESXi Hosts.

EMC Avamar integration

EMC Avamar integrates with Active Directory using LDAP or Kerberos. After either one is configured, you can create an LDAP Map that enables you to map an Active Directory group to an Avamar role, such as Administrator or User.

EMC DPA Active Directory support

EMC DPA supports Active Directory using LDAPS. Active Directory groups can be added as an external authentication object and assigned a corresponding DPA role, enabling role-based access control (RBAC) managed through Active Directory.

EMC Unisphere authentication

Unisphere for VMAX authentication

Solutions Enabler must be deployed in your environment to manage an EMC VMAX array. Authentication for Unisphere for VMAX is configured through the web application using the CLI tools installed with Solutions Enabler. By default, Unisphere for VMAX can use local Windows or Active Directory domain-based authentication when Solutions Enabler is deployed on a Windows Server that is a member of an Active Directory domain.

For this solution, we installed Unisphere for VMAX on the same system on which Solutions Enabler was installed. It can also be installed on a separate system and connect to the SYMAPI interface of Solutions Enabler over the network using SSL connections. The following sections describe the authentication and Solutions Enabler prerequisites.

VMAX authentication prerequisites

Active Directory authentication requirements for VMAX include:

- Solutions Enabler: To integrate Unisphere for VMAX with Active Directory, Solutions Enabler must be deployed on a Windows server that is a member of an Active Directory domain. This eliminates the need for LDAP integration and uses the underlying Windows Server Kerberos authentication mechanism with Active Directory.
- An Active Directory group is required to configure authentication:
  a. Create an Active Directory group to map to the VMAX System Administrators role.
  b. Add the resulting Active Directory group to the local administrators group on the Windows server.
- The Active Directory group name must not contain any special characters.

Note: If the VMAX Admins group is not a member of the local administrators group, some tasks will not be available, and an error message stating "Access denied - you are not an authorized base daemon user" is displayed. Conversely, if you are not a member of the VMAX Admins group but are a member of the local administrators group, the error "The caller is not authorized to perform the requested operation" might be shown for some tasks.

Solutions Enabler prerequisites

The prerequisites for Solutions Enabler are:

- Ensure the Solutions Enabler version is compatible with the Enginuity microcode of the VMAX that you are managing.
- Ensure the gatekeeper LUNs are zoned and masked to all the ESXi hosts within the cluster running this virtual machine, or to the physical server. For a virtual machine, map the LUNs directly to the virtual machine by using RDM in physical compatibility mode.

Note: After the LUNs have been presented to the Solutions Enabler target system, it is not necessary to format or mount these volumes, because they are used only for sending array control messages over the SAN to the VMAX array.

- SYMAUTH can restrict access by user or group. For more information, refer to EMC Solutions Enabler Symmetrix Management CLI.
- SYMACL can restrict access by machine. For more information, refer to EMC Solutions Enabler Symmetrix Management CLI.
- Elevated administration is required for some commands. As a logged-in user, select Start > Accessories, right-click Command Prompt, and select Run as administrator to open an elevated Command Prompt window.

Note: When you run specific commands on the Windows system, such as symcfg discover, which populates the local database with the VMAX systems to which this system is connected, they must be run with elevated administrator rights. An error message stating "Read or Read/Write permission/access not present" might be displayed if they are run from a user-privileged command prompt.

VNX Unisphere authentication

As part of the integration process, a centralized LDAP authentication system is integrated with Unisphere to enable secure management of VNX storage. EMC recommends that when you use LDAP for Unisphere in production environments, you implement trusted certificates and SSL security as part of the LDAP configuration. From the VNX array OE 5.32 (block) and 7.1 (file) releases onward, both block and file subsystems share a common LDAP domain configuration to authenticate administrators with LDAP credentials. In addition, certificate validation is enabled by default and cannot be disabled. This section discusses how you configure the LDAP domain to integrate with Active Directory.

VNX authentication prerequisites

The following steps must be completed before you can configure the VNX domain:

1. Determine the Active Directory domain name.
2. Create the Active Directory groups that will be mapped to VNX roles and add the users to the appropriate group. Each group must contain user accounts and not nested groups.
3. Provide a non-administrative Active Directory user account and password for binding the LDAP service in Unisphere.
4. Determine the domain name for the users and groups search path that will be used for LDAP authentication to the VNX system through Unisphere, and the user account used to bind to the LDAP directory.

Note: VNX OE versions 5.32 for block and 7.1 for file require LDAPS certificates that include the certificate chain to function correctly. This differs from previous VNX OE for block and OE for unified versions, which required the LDAPS certificate and chain to be imported separately.

EMC ViPR authentication

To centralize management of user accounts, you can enable support for Active Directory authentication. ViPR enables multiple Active Directory and LDAP authentication providers to be configured using LDAP or LDAPS, as shown in Figure 11.

Figure 11. Active Directory authentication providers

RBAC in ViPR

Assign roles to Active Directory users and groups to control their level of access to ViPR. ViPR implements RBAC that enables specific roles to be assigned to Active Directory groups and users. As an example, we created two Active Directory groups to map to the ViPR System Administrator and System Monitor roles, PPOD_ViPR_Admins and PPOD_ViPR_Monitor respectively, as shown in Figure 12.

Figure 12. Active Directory role assignments

ViPR LDAP over SSL

To enable LDAP over SSL, you must have already configured your Active Directory Domain Services servers with an LDAPS certificate and added the trusted CA chain to the OpenSSL certificate store and Java cacerts keystore.

VMware vCenter SSO

VMware vCenter SSO is an authentication broker and security token exchange solution that interacts with the enterprise identity store (Active Directory or OpenLDAP) on behalf of registered solutions to authenticate users. The following solution components can be indirectly integrated with Active Directory through vCenter SSO:

- vCenter Orchestrator
- vCenter Server (automatically installed with vCenter SSO as part of Simple Install mode)
- vCloud Automation Center
- IT Business Management
- VMware NSX for vSphere

Note: Alternatively, you can use a VMware Identity Appliance to provide SSO authentication. However, we recommend vCenter SSO because it provides greater visibility, ease of management, and the ability to use a single namespace throughout the automation pod. This also simplifies deployments at scale and the implementation of a disaster recovery architecture, where a distributed SSO architecture is required.

vCenter Orchestrator

To integrate vCO with vCenter SSO, import the vCenter SSO SSL certificate into the vCO SSL certificates repository, and then register with vCenter SSO by specifying an account with SSO administrative privileges. When this succeeds, you can specify an administrative group from SSO or from the SSO identity sources (Active Directory) to manage vCO.

VMware vCloud Automation Center

Default tenant

vCenter SSO provides SSO capability for vCloud Automation Center users. The Native Active Directory identity store type has the following attributes:

- Uses Kerberos to authenticate with Active Directory
- No search base DN is required, making it easier to find the correct Active Directory store
- Can be used only with the default tenant

When you have configured the default tenant's identity store, add tenant administrators and infrastructure administrators. In this solution, we used Active Directory groups to assign these roles to vCAC users. Tenant administrators are responsible for configuring tenant-specific branding and for managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Note: You must also specify an Active Directory identity store when you configure tenants.

Non-default tenant

vCAC 6 allows the definition of multiple tenants, and each tenant must be associated with at least one identity store. The types of identity store available for tenants are Active Directory and OpenLDAP. In this solution we integrated with Active Directory; therefore, we selected the Active Directory type and provided a bind DN and a search base. Optionally, you can configure the domain alias with a value that allows users to log in using userid@domain-alias as a user name, rather than userid@identity-store-domain. Note that this must be a unique value across all identity stores. As for the default tenant, tenant and infrastructure administrators must be configured for each tenant configured in vCAC. We used Active Directory groups to assign these roles to hybrid cloud tenant users.

VMware IT Business Management

VMware ITBM integrates directly with vCAC and uses the vCAC authentication providers, namely Active Directory through SSO. vCAC users access business management data through the vCAC portal and do not log on directly to ITBM.

VMware NSX for vSphere

In this EMC Enterprise Hybrid Cloud solution, we integrated NSX with vCenter Single Sign-On (SSO) to improve the security of user authentication for vCenter users and to authenticate Active Directory users. With SSO, NSX supports authentication using authenticated SAML tokens from a trusted source in REST API calls. NSX Manager can also acquire SAML authentication tokens for use with other VMware solutions. To integrate NSX with SSO, create an SSO group, for example NSXAdmins, and populate it with user accounts from the Active Directory identity source.
Then, in the Networking & Security web client specify the same SSO group as a vcenter group and assign the appropriate role. Note: This does not grant CLI access on the NSX Manager appliance. CLI access can only be granted to locally-created accounts on the appliance. 57

TACACS+ authentication integration

TACACS+ provides an increased level of security through authentication, authorization, and accounting services and is a publicly documented protocol that runs over TCP/IP. It encrypts credentials passed from the client device to the TACACS+ server and can be configured to use Active Directory as its authentication directory to enable centralized authentication.

For this solution, EMC used a TACACS+ implementation from TACACS.net because of its easy configuration and its ability to integrate with Active Directory. TACACS+ is configured simply as an authentication source with no authorization restrictions. Configuring authorization for separation of duties, such as auditor, security administrator, and network administrator roles, with the TACACS.net software is outside the scope of this Solution Guide.

Implementation of TACACS+ involves a complete installation of the software on the domain controllers, as recommended by TACACS.net. The complete installation includes both the services and the utilities that aid in configuring the TACACS+ server. When the TACACS.net application was deployed, we configured the solution's network and fabric switches to use the new TACACS+ servers for authentication.

Summary

The infrastructure solution stack required to deliver hybrid cloud services must provide an easy means of centralized management, bringing together the software and hardware components that form the complete solution so that they can be securely managed and policy can be enforced. This section demonstrated that integration with a common directory can be achieved to support LDAPS, Kerberos, and TACACS+ authentication services, streamline administration and policy enforcement, and provide tighter control over administrative and end-user authentication.
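The TACACS+ section above states that the protocol encrypts the credentials a switch sends to the TACACS+ server. The following added example (not code from EMC, TACACS.net, or any switch vendor) shows the mechanism behind that statement as specified in RFC 8907 section 4.5: the packet body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, and the same shared secret is needed to read it. The shared key, session id, user name and port values are constructed sample data.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5) with an
authentication START packet. Added example; constructed values only."""
import hashlib
import struct

# Header constants from RFC 8907 section 4.1
TAC_PLUS_VERSION = 0xC0                 # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # body is sent in the clear when set
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1});
    the digests are concatenated until the pad covers the body."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"",
                      action: int = 0x01, priv_lvl: int = 1,
                      authen_type: int = 0x01, service: int = 0x01) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): eight fixed bytes
    followed by the variable-length user, port, rem_addr and data fields.
    Defaults: action LOGIN, authen_type ASCII, service LOGIN."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 pkt_type: int = TAC_PLUS_AUTHEN, version: int = TAC_PLUS_VERSION) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) plus
    the obfuscated body. Flags are 0, so the UNENCRYPTED flag is never set."""
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode with the shared key. A wrong key does not raise an error; it
    simply yields a body whose fields do not parse, which is how a server
    notices a key mismatch."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


# Constructed sample values (not from the guide or any real deployment)
SHARED_KEY = b"constructed-shared-secret"
SESSION_ID = 0x5A3C1E07
START_BODY = authen_start_body(b"netadmin", b"vty0", b"10.0.0.21")
PACKET = build_packet(START_BODY, SESSION_ID, SHARED_KEY)
```

Two points for a defender follow from the code. The pad is derived from MD5 and provides no integrity check, which is why RFC 8907 calls this obfuscation rather than encryption and recommends running TACACS+ over a protected transport (for example IPsec) on a dedicated management network, as the fabric switches in this solution are. And because the body is only XORed with the pad, the shared key must be strong and unique per deployment; it is the only thing standing between a captured packet and the credentials inside it.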

Chapter 5 Centralized Log Management

This chapter presents the following topics:

- Overview
- vCenter Log Insight remote syslog architecture
- Centralized logging integration
- Content packs for vCenter Log Insight
- Configuring alerts
- Summary

Overview

Many key solution resources constantly record operational and security-related events to a local log. When a security incident occurs, log files can help you track down the root cause. However, without log file consolidation, those investigative tasks can be laborious.

Running a reliable and secure data center is a continual process of planning, delivering, and operating. Without a consolidated view of your infrastructure's system log data, your data center is incomplete and at risk. The risks include:

- Lack of central and holistic visibility into security-related events
- Inability to easily correlate events that would indicate a security breach
- Log files being overwritten, causing you to lose log entries that are critical for security, compliance, and troubleshooting
- Increased downtime for applications and servers, because more time is needed to locate and search system log files when trouble occurs
- Security risks such as malicious attacks or unauthorized logins that could be occurring without your knowledge
- Loss of historical system logs, leaving you unprepared to report local authentications or maintain compliance

Consolidated system logging is a critical data center feature that is commonly left unimplemented because of its complexity. Many IT organizations rely solely on data center monitoring tools, which, while useful, mostly focus on raw metrics such as CPU utilization, memory consumption, and storage I/O, and completely ignore log files and security events. When system log files are ignored, valuable security information is overlooked.

To address these challenges, the EMC Enterprise Hybrid Cloud uses VMware vCenter Log Insight to deliver real-time log management and log analysis with machine learning-based Intelligent Grouping and a high-performance search, enabling better visibility across the entire EMC Enterprise Hybrid Cloud solution.

Figure 13. Centralized logging of hybrid cloud components with vCenter Log Insight

Log Insight is tightly integrated with vCenter Server and vSphere ESXi and comes with built-in knowledge and native support for vCenter Operations Manager. Alerts are configured to notify security administrators by email or through the vC Ops dashboards.

vCenter Log Insight works in multiple ways to ensure greater visibility into your cloud operations and to achieve the security compliance that your company requires. Log Insight can analyze log events from the entire EMC Enterprise Hybrid Cloud by configuring each solution component to forward logs to Log Insight. Some of this configuration is achieved using Log Insight's native capabilities, while the remainder is done by manually configuring syslog operations.

Figure 14. Searching for security events with vCenter Log Insight

Log Insight allows you to search for security events across all consolidated data, as shown in Figure 14. For example, to search for failed logins across the infrastructure, you can search across all the components that make up the EMC Enterprise Hybrid Cloud. Log Insight provides a powerful security tool that consolidates and analyzes logs and enables high-speed interactive queries. In addition, you can create and save your own custom queries and use them to build a custom security dashboard.

vCenter Log Insight remote syslog architecture

Remote syslog is used for various reasons, including:

- Aggregation
- Querying
- Correlation
- Retention
- Security, compliance, and auditing

Every component in the solution generates log messages. Every virtual machine, including operating system and application machines, generates log messages. A hybrid cloud environment generates many log messages per day, and the number of logs can increase if issues arise. Troubleshooting and finding root causes for issues is challenging unless logs can be aggregated and queried.

For smaller instances of this hybrid cloud solution, every device for which you want to collect events is configured to send events directly to one or more Log Insight instances, as shown in Figure 15. This is referred to as a client-server architecture.

Figure 15. Log Insight client-server architecture

This client-server architecture is suited to environments that:

- Are greenfield, with no syslog operations to date
- Use automation or configuration management
- Have fewer than 750 devices sending remote syslog data

For larger instances of this hybrid cloud solution, a distributed Log Insight deployment with a master node and up to five worker nodes can be deployed in a cluster configuration. To ensure high availability in such a configuration, you must deploy the cluster in an N+1 configuration and use a load balancer in front of the cluster to load-balance connections and handle node failures. With this configuration, if any node goes down, the load balancer can redirect traffic to the remaining nodes. Note that Web UI access is limited to the master node, as shown in Figure 16.

Note: A worker node stores forwarded syslog events and processes queries against the log data it stores on behalf of the master node.

Figure 16. Log Insight distributed architecture

For more information on the remote syslog architecture for vCenter Log Insight, refer to VMware vCenter Log Insight: Getting Started Guide. Sizing information for VMware vCenter Log Insight for this hybrid cloud solution is documented in the EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Foundation Infrastructure Solution Guide, in the Resource Sizing Guide chapter.

Centralized logging integration

Unlike many syslog implementations that support only UDP, Log Insight supports receiving syslog-formatted events over UDP, TCP, and SSL. In high-volume environments, TCP support provides a significant performance improvement over a UDP-only system, because more events can be channeled through fewer connections. It also ensures that events are not lost, as they would be with UDP-only log servers. Additionally, support for receiving syslog events over SSL ensures that event details are transmitted over the network confidentially.

Log Insight consolidates and archives all log data in the EMC Enterprise Hybrid Cloud and creates a historical record that enables:

- Storage of events in sufficient detail and with accuracy
- Retention of audit logs for a determined period of time consistent with enterprise security policy
- Identification of security incidents and policy violations as they occur
- Performance of auditing and forensic analysis
- Establishment of baselines that can be used to detect future anomalous behavior

When you have collected data, you can use Log Insight to perform ad hoc searches across all the event data. Figure 17 shows an example of a failed login query.

Figure 17. Sample vCenter Log Insight dashboard for vCenter Server

You can save queries you perform often as Favorites and also use them to create charts, dashboard widgets, and alerts. In large environments with numerous log messages, you can use runtime field extraction in Log Insight to instantly locate and extract the most important data fields using regular expressions.

The following components of the hybrid cloud management platform should be configured to forward their application logs to Log Insight:

- EMC Avamar
- EMC Unisphere for VMAX
- EMC ViPR
- EMC VNX
- VMware vSphere ESXi hosts
- VMware IT Business Management
- VMware NSX for vSphere
- VMware vCloud Automation Center
- VMware vCenter Orchestrator
- VMware vCenter Server
- All physical compute, fabric, and network devices

Content packs for vCenter Log Insight

Analysis of the forwarded events can be enhanced using pre-packaged VMware, EMC, partner, and community-provided content packs, which are available on the VMware Solution Exchange. Currently available content packs that relate to components in the EMC Enterprise Hybrid Cloud are:

- EMC Avamar content pack
- EMC VMAX content pack
- EMC VNX content pack
- VMware vCAC Log Insight content pack
- VMware vCenter Log Insight content pack for vCenter Operations Manager (bundled with Log Insight)
- VMware vSphere content pack (bundled with Log Insight)
- Additional content packs, available for Microsoft Windows, Microsoft Active Directory, and other partner solutions

vCenter Log Insight ships with the VMware vSphere content pack, which, when used with the Log Insight vSphere integration, provides detailed knowledge about VMware vSphere logs.

The vSphere content pack provides important operational information about the vSphere environment using several dashboards that contain a comprehensive list of security events and event types, such as:

- ESX/ESXi connections by source
- ESX/ESXi logins by type, source, and user
- vCenter Server authentication attempts by type, source, and user
- Events, tasks, and alarms

When integrated with Log Insight, the EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those EMC products, enabling administrators to conduct problem analysis on their VNX and VMAX arrays or backup infrastructure. Many of these content packs include dashboards with security-related charts and widgets that provide at-a-glance visibility into security-related events, as shown in the example in Figure 18.

Figure 18. Customized hybrid cloud security dashboard using multiple content packs

Content packs are read-only plug-ins to vCenter Log Insight that provide predefined knowledge about specific types of events, such as log messages. The goal of a content pack is to provide knowledge about a specific set of events in a format easily understood by security administrators, monitoring teams, and auditors. Each content pack is delivered as a file and can be imported through the Log Insight web UI. The custom Log Insight dashboard in Figure 19 shows EMC Avamar backup, vCenter and Windows authentication failures, and ESXi host firewall changes.

Figure 19. Custom Log Insight dashboard

Dashboards and widgets can be created manually for components for which content packs do not already exist. Each widget provided by a content pack can be cloned and added to a personalized dashboard, which can be shared and contain only the views required by the user. Figure 19 provides an example of this, showing a partial view of the hybrid cloud dashboard that contains widgets from the content packs installed for this solution.

The content pack for vCenter Operations Manager presents its log data in a more meaningful way and analyzes all of the logs that are redirected from a vCenter Operations Manager instance. The vCenter Operations Manager content pack provides:

- A collection of logs from all vCenter Operations Manager servers
- Default queries to expose key fields and events
- Pre-configured dashboards to make troubleshooting quick and easy

The content pack provides six dashboard groups, 32 dashboards, 24 queries, 11 alerts, and 40 extracted fields. You can use these queries and dashboards to monitor and troubleshoot issues in the vCenter Operations Manager (vC Ops) environment.

Configuring alerts

The EMC Enterprise Hybrid Cloud solution uses vC Ops to monitor the cloud management platform, compute resources, and workloads used in production. The vCenter Log Insight integration with vCenter Operations Manager enables you to raise alerts for Log Insight queries and send notifications to vC Ops based on a configurable threshold, as shown in Figure 20.

Figure 20. Example of a Log Insight alert configured to send a notification to vC Ops

You can also configure predefined alerts that are installed when content packs are imported into Log Insight. An example of a number of security-related alerts imported by the Microsoft Active Directory content pack is shown in Figure 21.

Figure 21. Examples of security alerts installed in Log Insight

In addition, the integration between vCenter Log Insight and vC Ops enables a Launch in context menu in the vC Ops dashboard, which can be used to launch the vCenter Log Insight interactive analytics dashboard to display events related to the selected vC Ops object. The example in Figure 22 uses this integration: the Actions menu in vC Ops triggers a search of all relevant Log Insight information on the selected item.

Figure 22. Search logs for cloud management platform directly from vC Ops
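The failed-login search and regular-expression field extraction described under Centralized logging integration, and the threshold-based alert described under Configuring alerts, can be reproduced on a small scale to see what the tooling is doing. The following added example (not code from EMC or from vCenter Log Insight) parses a handful of constructed syslog lines loosely modelled on ESXi, vCenter Server and Windows Security events, extracts the user and source address with one regular expression per source, counts failures per host the way a dashboard widget would, and raises an alert when one source address reaches a configurable number of failures inside a sliding time window. All hostnames, users, addresses and message formats are constructed.

```python
"""Field extraction and threshold alerting over consolidated syslog events.
Added example; sample log lines below are constructed, not real product output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of consolidated events (timestamp, host, message)
SAMPLE_LOGS = """\
2015-02-10T08:00:01Z esx01.ehc.lab Hostd: [Auth] User root@10.1.1.50 failed to login: Authentication failure
2015-02-10T08:00:03Z esx01.ehc.lab Hostd: [Auth] User root@10.1.1.50 failed to login: Authentication failure
2015-02-10T08:00:04Z esx01.ehc.lab Hostd: [Auth] User root@10.1.1.50 failed to login: Authentication failure
2015-02-10T08:00:07Z esx01.ehc.lab Hostd: [Auth] User root@10.1.1.50 failed to login: Authentication failure
2015-02-10T08:00:09Z esx01.ehc.lab Hostd: [Auth] User root@10.1.1.50 failed to login: Authentication failure
2015-02-10T08:00:12Z vcenter.ehc.lab vpxd: [SSO] Login failed for user EHC\\jsmith from 10.1.2.20
2015-02-10T08:01:30Z esx02.ehc.lab Hostd: [Auth] User ehc\\admin@10.1.2.21 logged in as /bin/sh
2015-02-10T08:02:00Z dc01.ehc.lab MSWinEventLog 4625 An account failed to log on. Account Name: svc-backup Source Network Address: 10.1.3.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Runtime field extraction: one regular expression per event source, each
# naming the fields a security dashboard needs (user, source address).
EXTRACTORS = [
    ("esxi_login_failed",
     re.compile(r"Hostd: .*User (?P<user>\S+?)@(?P<src>[\d.]+) failed to login")),
    ("vcenter_login_failed",
     re.compile(r"vpxd: .*Login failed for user (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("windows_logon_failed",
     re.compile(r"MSWinEventLog 4625 .*Account Name: (?P<user>\S+) "
                r"Source Network Address: (?P<src>[\d.]+)")),
]


def parse_events(raw: str):
    """Turn raw lines into structured events; lines no extractor matches
    (such as successful logins here) are left out of the security view."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, rx in EXTRACTORS:
            f = rx.search(m["msg"])
            if f:
                events.append({"ts": ts, "host": m["host"], "event": name,
                               "user": f["user"], "src": f["src"]})
                break
    return events


def failed_logins(events):
    return [e for e in events if e["event"].endswith("_failed")]


def count_by(events, key):
    """Equivalent of a 'count of events grouped by <field>' dashboard widget."""
    counts = defaultdict(int)
    for e in events:
        counts[e[key]] += 1
    return dict(counts)


def threshold_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source address whose failed logins reach `threshold`
    within any sliding window of length `window` (the configurable threshold
    of the chapter). Uses a two-pointer sweep over sorted timestamps."""
    by_src = defaultdict(list)
    for e in failed_logins(events):
        by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts
```

The window sweep matters for a defender because a raw count over a whole day hides a burst of five failures in eight seconds from one address, which is exactly the pattern worth a notification to vC Ops or the on-call mailbox; the per-source regular expressions are the part that has to be maintained as products change their message formats.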

The launch-in-context functionality filters the logs using the constraint hostname equals <each hostname>, which displays only events that match the criteria, as highlighted in Figure 23.

Figure 23. vCenter Log Insight filtering logs for the management cluster components

For a more detailed discussion of vC Ops and the role it plays in this solution, refer to the EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Foundation Solution Guide.

Summary

The integration of vCenter Log Insight in the EMC Enterprise Hybrid Cloud solution enables greater visibility into operational and security-related events. We demonstrated how each component can be configured to forward events to Log Insight, providing a single point of visibility into the environment for administrators, and how to configure alerts to notify through email or vC Ops. Where an organization already has a Security Information and Event Management (SIEM) system in place, Log Insight can act as an aggregator to forward events to the SIEM, providing the security team with a single integration point for the whole solution.


Chapter 6 Network Security

This chapter presents the following topics:

- Overview
- vCloud Networking and Security
- NSX for vSphere
- N-Tier application considerations
- Use case 1: Micro-segmentation with N-Tier virtual applications
- Use case 2: Micro-segmentation with converged N-Tier virtual applications
- Summary

Overview

Network configuration

This chapter discusses the security aspects of EMC Enterprise Hybrid Cloud networking, introduces VMware NSX for vSphere, and demonstrates network and security integration in an EMC Enterprise Hybrid Cloud solution. Use this chapter as a reference to begin the networking and security planning and design process for your hybrid cloud and to set the stage for successful implementation efforts.

Focusing on the network infrastructure and deployment options, this chapter details the key elements for creating a secure service offering and the processes required to implement and secure the network infrastructure. In addition, it includes common use cases for providing connectivity and security to dynamically provisioned application workloads.

Solution architecture

The solution requires an architecture that:

- Is resilient to failure
- Provides optimal throughput for workloads
- Ensures multitenancy and secure separation

Throughout this chapter, we reference network segments created in the physical and virtual layers, including overlay networks. Figure 24 shows a logical representation of the hybrid cloud environment and highlights the management and tenant compute pods and clusters.

Figure 24. EMC hybrid cloud environment

Physical connectivity

In designing the physical architecture, our main considerations were high availability, performance, and scalability. As shown in Figure 25, each layer is fault tolerant, with physically redundant connectivity throughout. The loss of any one infrastructure component or link does not result in loss of service to the tenant; if the architecture is scaled appropriately, the loss of a component or link does not impact service performance. Figure 25 also shows the connectivity between the physical storage, network, and converged fabric components deployed in the EMC Enterprise Hybrid Cloud solution.

Figure 25. Physical topology of the network

The network design uses IEEE 802.1AX virtual link aggregation (vLAG) trunks to provide seamless operation in the event of a hardware or link failure, enabling fault tolerance and high-speed links between the distribution, access, and converged layers.

Note: Link aggregation (LAG) is variously known across vendors' implementations as virtual port channels, split multi-link trunks, multi-chassis trunking, or multi-switch link aggregation.

vLAG overview

vLAG trunks bundle multiple physical Ethernet links between two or more devices into a single logical link. If a physical link or switch fails, the traffic is automatically redistributed over the remaining physical links. Because multiple physical links are treated as a single logical link in a vLAG trunk, we did not introduce a loop in this solution. If a member link's status changes, vLAG prevents a service-interrupting spanning-tree recalculation and the resulting convergence.

vLAG trunks also have the added benefit of load balancing traffic across all available links, using a load balancing algorithm to determine the physical port used. This makes available an aggregate bandwidth that is the sum of the bandwidth of all the physical links.

Configure vLAG

To make vLAG trunks function, you need one or more physical links between the two distribution switches and the two access switches, as shown in Figure 25. This vLAG trunk is dedicated to carrying the VLANs and the corresponding data that are carried over the trunks. Typically, you should ensure that the 10 GbE ports used for this purpose are in dedicated mode to avoid oversubscription issues and potential packet loss.

Depending on the vendor, a separate link that is not a member of the LAG trunk might be required between each switch pair to synchronize state and prevent packet duplication. This can be a Layer 2 or Layer 3 link between the switches, and while it typically does not carry regular network traffic, it is critical to the fault-tolerant operation of the design. The control link does not have to be configured as a LAG, but configuring it as one provides fault tolerance. You can optionally configure the control link to sit in its own virtual routing and forwarding (VRF) table, which enables the reuse of the same control-link IP addresses on every pair of devices.
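The per-flow load balancing and failover behaviour described in the vLAG overview can be modelled in a few lines. The following added example is not from the EMC guide or from any switch vendor; the hash function (SHA-256 over the flow 5-tuple) is an assumption standing in for whichever hash mode the switch is configured with, and the flows are constructed. It shows why a flow always stays on one member link (packet order is preserved), why the aggregate bandwidth is the sum of the live members, and that a member failure only removes that port from the selection, with no spanning-tree recalculation involved.

```python
"""Flow hashing and member failover on a link-aggregation trunk.
Added example; the hash mode and flows are constructed assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The 5-tuple most LAG hash modes key on (exact fields vary by vendor)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


class LagTrunk:
    def __init__(self, members, link_gbps=10):
        self.members = list(members)      # physical member ports, in order
        self.up = set(members)            # members currently carrying traffic
        self.link_gbps = link_gbps

    def aggregate_bandwidth_gbps(self):
        """Sum of the bandwidth of all live member links."""
        return self.link_gbps * len(self.up)

    def select_port(self, flow: Flow):
        """Deterministic per-flow choice: the same flow always lands on the
        same live link, so packets within a flow are not reordered."""
        active = [p for p in self.members if p in self.up]
        if not active:
            raise RuntimeError("all member links are down")
        digest = hashlib.sha256(repr(flow).encode()).digest()   # assumed hash mode
        return active[int.from_bytes(digest[:4], "big") % len(active)]

    def link_down(self, port):
        """Member failure: the next select_port() simply excludes the failed
        member; the logical link stays up and spanning tree sees no change."""
        self.up.discard(port)

    def link_up(self, port):
        if port in self.members:
            self.up.add(port)

    def distribute(self, flows):
        return {flow: self.select_port(flow) for flow in flows}


def constructed_flows(n):
    """n constructed client flows towards one service, for demonstration."""
    return [Flow(f"10.1.{i // 250}.{i % 250 + 1}", "10.2.0.10", 6, 40000 + i, 443)
            for i in range(n)]
```

A practical consequence for capacity and security monitoring: a single large flow (a backup stream, a vMotion) can never use more than one member's bandwidth, and after a failure some unaffected flows may also be re-hashed onto different members with a modulo scheme, so a baseline of "which flows use which uplink" is only stable while the member set is stable.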
In this environment, physical network connectivity to the compute layer is provided over a converged network and FC fabric to the fabric extenders on the compute blade chassis. Each link is capable of 10 Gbps, which enables four 10 GbE network interfaces to be presented to each ESXi host.

Logical network topology

The logical topology is designed to address the requirements of enabling multitenancy and securing separation of the tenant resources. The topology is also designed to align with security best practices from vendors such as VMware, which segment networks according to purpose or traffic type. For example, configuring an isolated network segment for vMotion traffic between VMware vSphere ESXi hosts helps prevent attacks in which the unencrypted data transfer is intercepted by an attacker and reconstructed to gain access to sensitive data.

We configured the trunks on the physical network infrastructure to allow only the VLANs and private VLANs (PVLANs) required for operations within the hybrid cloud environment. This best practice also helps to conserve valuable resources such as Spanning Tree Protocol (STP) logical interfaces. Each switch supports a limited number of STP logical interfaces, which can be used up before the VLAN limit is reached, especially in a multitenant environment. Therefore, pruning and carrying only the necessary VLANs can be of critical importance.

Figure 26 shows the logical topology of the physical and virtual networks defined in the EMC Enterprise Hybrid Cloud solution. We used VLANs to provide segmentation of the networks at Layer 2 in the cloud management pod, because that environment is likely to be static and an extension of existing management networks.

Figure 26. Logical topology with the cluster pod and functional networks

vSphere networking

Connect physical server and create a virtual switch

We connected each physical server on which ESXi was deployed to the network using six 10 GbE network interfaces, which are represented in the ESXi hypervisor as vmnic0 to vmnic5. For ESXi hypervisor management and vMotion, we created a virtual switch with vmnic0 and vmnic1 configured as uplinks to the physical switches. This vSwitch was configured with the necessary VMkernel ports, as shown in Figure 27.

Figure 27. ESXi host networking vSwitch configuration

Create and configure a vSphere Distributed Switch

We then created a cloud management vSphere Distributed Switch (vDS) spanning the EHC Automation and Network Edge Infrastructure (NEI) Pods and a separate resource vDS spanning the resource pods. In doing so, we created a logical and physical boundary segmenting the management and tenant workload traffic flows and enabling a more focused approach to performance and security monitoring. Both vDSs were spanned to the NEI Pod to establish connectivity with the physical core.

By implementing a separate vDS for resource pods, we can limit administrative access to the cloud management vDS, which has comparatively few networks compared with the possibly thousands of dynamic tenant networks. This also makes it easier to establish a baseline for management traffic and identify flows that fall outside expected characteristics.

We configured the uplinks with only the VLANs that each vDS needed to trunk from the physical networks to service connected resources. This enabled connectivity between the virtualized resources and the physical environment, as shown in the examples in Figure 28 and Figure 29.

Figure 28. VLAN configuration of the cloud management vDS uplinks

Figure 29. VLAN configuration of the production vDS uplinks

We configured the cloud management vDS with a number of port groups, as shown in Figure 30, to provide Edge connectivity with resources in the physical network, such as backup infrastructure, and other services, such as the enterprise Active Directory infrastructure.

Figure 30. Port group and VLAN configuration of the cloud management vDS

We configured the resource vDS with a single port group for Edge connectivity, that is, dvportgroup_uplink. The remaining port groups on this vDS, as shown in Figure 31, were created by NSX when the hosts were prepared for network virtualization and VXLAN network segments (also called logical switches) were configured by the administrator through the Network and Security view in the vSphere Web Client.

Overlay networks with VXLAN

VXLAN is an enabling technology for network virtualization, providing network abstraction, elasticity, and scaling across the data center. VXLAN provides an architecture for scaling your applications across clusters and pods without any physical network reconfiguration. With VXLAN, physical switches do not need to be reconfigured when a new VXLAN network is created. Instead, VXLAN virtual wires or networks can be deployed over a single transit VLAN or multiple transit VLANs. The decoupling of virtual networks from physical networks provides great flexibility and agility without requiring changes to or impacting the physical network. This enables rapid and dynamic provisioning of new networks at a theoretical scale of millions of VXLAN networks. At a more practical level, each vDS can support up to 6,500 VXLAN networks, to a maximum of 10,000 per vCenter Server.

The fact that VXLAN overlays can be used to dynamically segment network traffic is important to the security posture of enterprise workloads. The scalability limitations of VLANs are no longer an impediment to segmenting mission-critical applications and creating as many trust zones as are necessary.

As shown in Figure 31, the VXLAN port groups all share the same VLAN. This is one of the key benefits of implementing VXLAN: you can use one VLAN as the physical transport for VXLAN overlay networks. This reduces the required configuration of the ESXi host and top-of-rack (TOR) physical switches to a single VLAN and enables the virtual VXLAN networks to scale to 6,500 (assuming static port groups) per vDS.

Figure 31. Production vDS port groups showing Edge connectivity and VXLAN port groups

Supporting infrastructure services

To support infrastructure operations, we configured networking on each ESXi host throughout the environment to enable connectivity to the backup, NFS, and vMotion networks. To do this, we configured a VMkernel port for NFS and vMotion on each ESXi host and created a port group for the Avamar proxy virtual machines on the cloud management vDS to complete the network connectivity.
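The overlay section above states that VXLAN segments scale to millions while all sharing one transport VLAN. The following added example (not code from VMware NSX, vCNS, or the EMC guide) makes that concrete at the packet level: it builds and parses the 8-byte VXLAN header from RFC 7348, whose 24-bit VXLAN Network Identifier (VNI) is the reason the segment space is 16,777,216 rather than the 4,094 usable 802.1Q VLAN IDs, and it models a VTEP that delivers a decapsulated frame only to the logical switch whose VNI matches, so two tenants on the same transport VLAN never see each other's frames. MAC addresses, VNIs and payloads are constructed.

```python
"""VXLAN header construction/parsing and VNI-scoped delivery at a VTEP.
Added example; all addresses, VNIs and payloads are constructed."""
import struct

VXLAN_UDP_PORT = 4789              # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08        # the "I" flag: VNI field is valid
VNI_MAX = (1 << 24) - 1            # 16,777,215
VLAN_ID_MAX = 4094                 # 12-bit 802.1Q VID minus reserved 0 and 4095


def vni_in_range(vni: int) -> bool:
    return 0 <= vni <= VNI_MAX


def build_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(8) reserved(24) | VNI(24) reserved(8), network byte order."""
    if not vni_in_range(vni):
        raise ValueError(f"VNI {vni} outside 24-bit range")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(packet: bytes) -> dict:
    """Split a VXLAN packet into header fields and the inner Ethernet frame.
    RFC 7348 says a VTEP must drop packets without the I flag set."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", packet[:8])
    flags = flags_word >> 24
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI valid flag not set")
    return {"flags": flags, "vni": vni_word >> 8, "inner_frame": packet[8:]}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal inner Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """What the sending VTEP (the ESXi host's VXLAN VMkernel port) places
    inside the UDP payload destined to port 4789."""
    return build_vxlan_header(vni) + inner_frame


def vtep_deliver(packets, local_vnis):
    """Decapsulate and deliver each frame only to the logical switch whose VNI
    is present on this host; frames for other segments are dropped."""
    delivered = {vni: [] for vni in local_vnis}
    dropped = 0
    for packet in packets:
        header = parse_vxlan_header(packet)
        if header["vni"] in delivered:
            delivered[header["vni"]].append(header["inner_frame"])
        else:
            dropped += 1
    return delivered, dropped
```

The isolation shown by vtep_deliver holds only as far as the VTEPs and the transport network are trusted: the VXLAN header carries no authentication, so the transport VLAN should be reachable only from the ESXi VXLAN VMkernel ports, which is why this design prunes it from every other trunk.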

Network environment for data protection

The high levels of deduplication and compression provided by the Avamar solution mean that minimal data is sent across the LAN. However, as a best-practice design for performance, availability, and security, this environment contains a dedicated network for the backup infrastructure, separate from the production networks, within which the Avamar server nodes and proxy virtual servers reside. All Avamar proxy servers are configured with an isolated PVLAN ID, with the result that they can communicate only with the Avamar server nodes and with no other system on the backup network.

The backup infrastructure resources are further protected by the isolation of the network from other Layer 3 networks. Where communications must be allowed for the solution to function correctly, for example, for the management of the Avamar system by backup administrators and for control communications with the DPA, vCAC, vCO, and vCenter servers, a firewall mediates the access attempt and permits the connection if it is authorized, as shown in Figure 32. This means that, by separating production and backup data on the networks, an attacker who gains control of a virtual machine cannot compromise additional systems by using the backup network.

Figure 32. Backup network architecture for hybrid cloud

In this solution, access between the production network and the backup network is permitted only through a firewall policy restricting access to the Avamar management and control planes to authorized administrators and orchestration processes.
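The backup network design above combines two controls: isolated PVLAN ports for the Avamar proxies and a firewall mediating every production-to-backup connection. The following added example (not code from EMC or Avamar) is a reachability model of that design that a reviewer can use to confirm the stated property, namely that a compromised production virtual machine has no path into the backup network. Host names, network names, the firewall rules and the TCP port 8543 are constructed placeholders; 443 stands for the HTTPS management console.

```python
"""Reachability model: PVLAN forwarding on the backup network plus a firewall
between production and backup. Added example; topology and rules are constructed."""
from dataclasses import dataclass
from typing import Optional, Set

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass
class Host:
    name: str
    network: str                  # "backup" or "production"
    pvlan: Optional[str] = None   # secondary PVLAN port type, backup network only


@dataclass
class FirewallRule:
    """Allow rule on the firewall between the production and backup networks."""
    sources: Set[str]
    destination: str
    dst_port: int


def pvlan_forwards(src: Host, dst: Host) -> bool:
    """Private VLAN forwarding inside one primary VLAN: promiscuous ports talk
    to everything, community ports to their community and promiscuous ports,
    isolated ports only to promiscuous ports."""
    if src.pvlan is None or dst.pvlan is None:
        return True                       # ordinary VLAN port, no PVLAN restriction
    if PROMISCUOUS in (src.pvlan, dst.pvlan):
        return True
    if src.pvlan == COMMUNITY and dst.pvlan == COMMUNITY:
        return True                       # a single community is assumed here
    return False                          # isolated to isolated/community: blocked


def reachable(src: Host, dst: Host, dst_port: int, rules) -> bool:
    if src.name == dst.name:
        return True
    if src.network == dst.network:
        return pvlan_forwards(src, dst)   # same Layer 2 domain
    # Crossing between production and backup happens only via an explicit rule
    return any(src.name in r.sources and r.destination == dst.name and r.dst_port == dst_port
               for r in rules)


# Constructed topology and policy
HOSTS = {h.name: h for h in [
    Host("avamar-node1", "backup", PROMISCUOUS),
    Host("avamar-utility", "backup", PROMISCUOUS),
    Host("proxy1", "backup", ISOLATED),
    Host("proxy2", "backup", ISOLATED),
    Host("admin-ws", "production"),
    Host("vcac-iaas", "production"),
    Host("web-vm1", "production"),
]}

RULES = [
    FirewallRule({"admin-ws"}, "avamar-utility", 443),    # backup administrators, HTTPS console
    FirewallRule({"vcac-iaas"}, "avamar-utility", 8543),  # orchestration control calls (constructed port)
]


def backup_exposure(hosts, rules, ports=(443, 8543)):
    """For each production host, the (backup host, port) pairs it can reach.
    An empty list for a tenant VM is the property the design claims."""
    exposure = {}
    for src in hosts.values():
        if src.network != "production":
            continue
        exposure[src.name] = sorted(
            (dst.name, port)
            for dst in hosts.values() if dst.network == "backup"
            for port in ports if reachable(src, dst, port, rules))
    return exposure
```

Running backup_exposure against the real rule base (exported from the firewall) is a cheap periodic check that nobody has added a broad production-to-backup allow rule while troubleshooting.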

84 Chapter 6: Network Security Automation and provisioning With improvements in server virtualization, the network has become the chokepoint of the provisioning process when new applications are being deployed. VXLAN overlay networks are used to greatly simplify the configuration of physical networking equipment, while increasing the scale and speed of deploying new networks and logical switches. With the integration of VXLAN, physical switches do not need to be reconfigured when new virtual networks are created. Instead, VXLAN virtual wires or logical switches can be deployed over a single transit VLAN. This enables dynamic provisioning of new networks at a potential scale of millions of VXLAN logical switches. Deploying a virtual application can take minutes. However, planning, designing, and configuring the network and security elements to support it can often take days or weeks. Using the automation capabilities of vcac, vcns or NSX can significantly reduce the amount of time required for the provision, update, and removal processes. Networks, a router, firewall, and load balancer, can be deployed dynamically with the virtual machine components of a blueprint. This enables an application stack and supporting services to be delivered to production users in minutes with all the necessary network and security services. Two options are currently available for security virtualization in the EMC Enterprise Hybrid Cloud: vcloud Networking and Security, and the premium deployment option, NSX for vsphere. In this section, we focus on their security features. vcloud Networking and Security vcns Manager is a single management and control appliance for vcns operations and provides the interface to manage network virtualization in the solution. This enables the cloud administrator to prepare the vsphere ESXi hosts, configure VXLAN, and create VXLAN networks. 
Note: The term prepare in this context denotes the installation of the necessary kernel modules on each ESXi host to enable VXLAN. While initiated by the administrator, the installation is executed directly by vCNS Manager.

In addition, vCNS Manager is the point from which vCNS App and vCNS Edge appliances are deployed and security policies are managed. Integration with vCAC is achieved through the vCAC endpoint: the vCNS Manager URL and enterprise administrator credentials are specified when configuring the endpoint for vCenter. This enables vCAC to call vCNS Manager to retrieve inventory, create VXLAN networks, and provision vCNS Edge routers. Because the credentials stored in the endpoint give vCAC control over the network and security configuration, use a dedicated service account for them rather than a personal administrator login.

vCNS Manager enables the use of security groups, which provide logical containers that can be populated with related objects to streamline security policies. For example, if you create a security group for web servers, you can apply a security policy to that group that permits access over port 80 and blocks all other access. Security policies can be configured on vCNS Edge appliances to protect perimeters, and on vCNS App Firewall at the datacenter and cluster levels of the vCenter hierarchy, enabling consistent protection to be applied across the datacenter.

vCNS App Firewall

vCNS App Firewall provides virtual networking security for virtual machines through segmentation and zoning down to the virtual network interface card (vNIC) level. It is a hypervisor-based application firewall that:

- Interrogates all traffic flows between the virtual machines on a vSphere ESXi host
- Provides deep visibility into network flows and communications
- Enforces granular policies at the vNIC level by using a loadable kernel module to inspect and monitor traffic and enforce the security policy

Adaptive trust zones with Layer 2 firewalling protect against password sniffing, DHCP spoofing and poisoning attacks, and Address Resolution Protocol (ARP) spoofing. Application-aware firewalling improves security by opening sessions (ports) only when needed for common applications such as Oracle Database, Microsoft Exchange, and Microsoft RPC.

Implementing vCNS App Firewall provides further granularity by enabling policies to be applied to individual virtual machines, vApps, or logical groups of resources called security groups. Security groups enable enterprise administrators to logically group resources such as IP addresses, MAC addresses, resource pools, virtual machines, and vNICs when creating firewall rules, which simplifies administration and reduces complexity. The architecture provides a single management point for networking and security that protects a large number of resources, extending security beyond the traditional physical gateway model to one that protects from the perimeter down to the vNIC level.

vCNS App Firewall is an important tool for implementing security policies that protect virtualized applications across the datacenter, and for monitoring inter-virtual machine traffic to demonstrate compliance with regulatory requirements.
All virtual machine traffic flows can be monitored, rules can be defined and enforced regardless of virtual machine location, and rules can be set to log to a centralized log repository.

vCNS Edge appliance

The vCNS Edge appliances provide a rich set of integrated gateway services for protecting virtual datacenters and optimizing resource utilization. This virtual appliance includes services such as a stateful firewall, network address translation (NAT), load balancing, DHCP, and VPN. Edge High Availability protects against network, host, and software failures to deliver reliable network communications and connectivity within each business group's networks. In addition, vCNS Edge acts as a fully fledged Layer 3/Layer 4 stateful firewall, enabling security at the business group edge and between internal networks.

NSX for vSphere

Introduction

VMware NSX is the next generation of network virtualization and offers additional functionality and improved performance over vCNS. This additional functionality includes distributed logical routing, distributed virtual firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). NSX also provides substantial performance improvements in throughput: logical routing and firewalling run at line rate, distributed across many hosts, instead of being limited to a single virtual machine or physical host.

Distributed logical router

The distributed logical router (DLR) performs all East-West workload traffic routing at the hypervisor level. As long as the workloads are on the same host, the traffic does not leave that host, even if the workloads are on different subnets. This is the advantage of distributed logical routing over vCNS, virtual appliances, or physical routers, with which workload traffic suffers from the hair-pinning effect: workloads on different networks on the same host must route through a virtual or external physical gateway. If the workloads are on separate hosts, the traffic takes the optimal path directly from one host to the other, again without a hairpin through a virtual appliance or a physical router in the data center core. The result is optimal traffic flows and significant performance gains.

Distributed firewall

Another key feature is the NSX distributed firewall (DFW), which is implemented as a hypervisor kernel module. This eliminates the need to route traffic through virtual or external physical firewalls for inspection. Traffic is analyzed by the hypervisor when it leaves the source virtual machine's vNIC and before it enters the vNIC of the destination virtual machine.
It is this enforcement at the vNIC level that allows East-West separation of virtual machines. For more information, see N-Tier application considerations.

Because NSX is integrated with vCenter Server, it can use the vCenter inventory and filter on more than just source and destination IP addresses or ports. Rules can be applied to virtual machines, security groups, clusters, and data centers. Security groups can also have dynamic membership, which applies rules based on virtual machine attributes such as guest operating system, virtual machine name, or security tags. Because inspection is performed at the hypervisor level, traffic does not have to be steered through and analyzed by another device or virtual machine on the network.

Flow monitoring can be used to see historical and real-time traffic flows. These flows can be shown in aggregate, by service, or by virtual machine. The data can be used for troubleshooting performance issues, firewall misconfigurations, or rogue traffic on the network.

NSX for vSphere also introduces the Service Composer, which integrates with third-party security services. These services can identify virtual machines on the network that are infected with malware or have known vulnerabilities, and place them into a quarantine security group that restricts the virtual machines until the issue is resolved.

NSX Edge

It is important to highlight the differences between the NSX Edge that is deployed by vCAC as part of a blueprint and an NSX Edge deployed directly from the Networking & Security web client. Through the Networking & Security web client, an NSX Edge is deployed as either an Edge gateway or a DLR, and it appears in the web client as an NSX Edge 6.0. However, vCAC only supports provisioning an Edge 5.5 in a multimachine deployment where VXLAN segments are provisioned as part of the blueprint. As a result, the deployment's Edge is limited to the capabilities of a vCNS Edge, and it appears in the Networking & Security web client as an NSX Edge 5.5.

Logical load balancer

The NSX logical load balancer allows load sharing across a pool of virtual machines. It provides intelligent application monitoring, so that if a virtual machine in the pool stops responding, it is automatically taken out of the pool and no traffic is sent to it until it becomes responsive again. The load balancer can also be deployed in HA mode, making it highly available. It can be deployed either as a service on an Edge appliance that acts as the network gateway, or in one-arm mode, where it has a single interface on the network and is not the gateway. The load balancer supports throughput of up to 9 Gbps and 130,000 connections per second.

N-Tier application considerations

Traditional three-tier architecture

N-Tier architecture is a technique used by software developers to split the components of an application to allow greater flexibility and modularity. This is typically represented by a three-tier architecture consisting of a presentation layer, a logic layer, and a storage layer.
We commonly see this architecture used for web applications, with web servers in the presentation layer, application and middleware components in the logic layer, and databases in the storage layer. Security practitioners have adopted the three-tier model as a best practice because it fits well with the principle of least privilege: granular security controls can be applied so that only the minimum required network traffic reaches each tier. For the web application example, best practice limits end-user traffic so that it reaches only the web servers, and only on the required services such as HTTP/HTTPS. Network traffic to the application servers is similarly restricted to traffic from the web servers on specific ports, and traffic to the database servers is allowed only from the application servers on the ports used by the database. In a typical physical data center this is achieved through Layer 3 separation of the tiers (requiring a different subnet for each tier) and firewalls placed between the tiers that allow only the required traffic through, as illustrated in Figure 33.

Figure 33. Traditional three-tiered security architecture

This model is easily configured with VMware vCNS or NSX; however, with NSX we can go further. Because NSX firewall rules are enforced at the vNICs of each virtual machine, virtual machines can be segmented with greater flexibility. Web servers, application servers, and database servers can sit next to each other within a flat Layer 2 subnet and still have granular rules segmenting them from each other. This can simplify the network organization of applications, for example by providing a single /24 (Class C) subnet for each application.

Another benefit of applying this model with NSX is full application containerization. In the physical world, all web servers in a DMZ can frequently see and talk to each other even if they are not part of the same application. The same is true of application servers in a protected zone, and of database servers, which are often placed in an internal core network for licensing reasons (exposing the rest of the internal core network if a database server is compromised from the outside). With NSX, all tiers of an application can be fully containerized, so that if an application is compromised by an attacker at any tier, the attacker cannot pivot beyond that application to attack other applications or hosts in the same network zone.

Two-tier applications

While the three-tier application model is prevalent, some applications are designed to be split into only two tiers. These generally combine the presentation and logic layers into one while keeping the database tier separate. This is becoming more common in applications developed with languages and frameworks such as Ruby on Rails and certain Python frameworks. In other cases, a web server may be used only for specific capabilities, such as single sign-on, because dedicating a separate server or virtual machine to it would be wasteful.
Frequently, an enterprise security team will force such an application into a three-tier architecture, often artificially creating a public-facing tier in a DMZ with a reverse proxy in front of the web application. This can become a source of contention between the security team, who are trying to ensure the best possible protection of the data, and the development team, who are trying to deliver the application as inexpensively and efficiently as possible. In reality, inflating the application to three tiers and proxying all traffic through to an application tier does not by itself offer significantly better security.

Applying extra controls in the web proxy tier, such as running the ModSecurity web application firewall module on Apache for additional inspection of web traffic, can help. In a physical data center where multiple applications are present across network tiers, and databases may be contained in an internal or private zone, the extra protection against compromise is well warranted. However, in the cloud, using the capabilities of NSX to containerize applications and limit the potential exposure from a compromised application, two-tier applications may no longer need to be artificially inflated to three tiers. While certain applications with sensitive data may still require the extra protection of the three-tier model, many applications can now run in two tiers as originally designed, without many of the risks associated with bridging network zones. Often the operational issues introduced by the increased complexity far outweigh the enhanced security posture. The containerization enabled by NSX micro-segmentation allows organizations to implement two-tier applications in the manner in which they were designed to operate. Figure 34 shows an example of a two-tier security architecture applied to a virtual application.

Figure 34. Example of two-tiered application secured with micro-segmentation

Use case 1: Micro-segmentation with N-Tier virtual applications

Three-tier applications are the most commonly deployed model in enterprises, and each tier requires specific network and security configuration that can be provisioned through the NSX capabilities integrated with vCAC. A three-tier application can therefore be used to demonstrate the network and security provisioning capabilities of NSX when integrated with vCAC. The web tier is external facing and load balanced, serving web pages to users. Each web server needs to communicate with the application server, and the application server in turn writes to and retrieves data from the database server.

The virtual machines are assigned to their respective security groups by the vCAC blueprint. These security groups are associated with security policies (firewall rules) enforced by the NSX DFW. The deployed virtual machines in each tier inherit their specific security policy through their security group membership, ensuring that applications are protected from the moment of deployment. An example of a micro-segmentation-enabled three-tier application is shown in Figure 35.

Figure 35. Three-tiered application implemented with micro-segmentation

As previously stated, many two-tier applications do not easily lend themselves to being forced into a three-tier implementation.

NSX security groups and security policies

We configured security groups in the Service Composer section of the Networking & Security web client, as shown in Figure 36. Three security groups were created, one for each application tier, but they were not assigned any members and no dynamic membership criteria were configured. vCAC automatically assigns the virtual machines to the security groups specified in the blueprint when they are provisioned. For more details on configuring security groups in a multimachine blueprint, refer to Use case 1: Configure pre-provisioned multimachine blueprint in the EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Foundation Solution Guide.

Figure 36. Networking & Security web client view of the security groups

The following security policies, also known as firewall rules, were created for each corresponding security group:

- The web-tier policy allows external connectivity on ports 80 and 443 to virtual machines in the web servers security group.
- The application-tier policy allows connectivity from virtual machines in the web servers security group to virtual machines in the application servers security group.
- The database-tier policy allows connectivity from virtual machines in the application servers security group to virtual machines in the database servers security group.

The full rule set is shown in Figure 37.

Figure 37. View of the web, application, and database tier security policies

The completed security policies allow access to virtual machines in the web-tier security group over the HTTP and HTTPS protocols, and allow the web-tier virtual machines to communicate with the application-tier virtual machines, which in turn store and retrieve data from the database tier. The NSX firewall is a stateful firewall, so when a connection is allowed and a session is established, the return traffic for that session is also allowed without a separate rule. All other inbound or outbound traffic is denied by the block rules at the end of the rule set; these explicit block rules matter because a packet that matches no rule falls through to the DFW's default rule, which allows traffic unless it has been changed. Like a traditional firewall, rules are evaluated in order from top to bottom and the first matching rule is applied, so the order of the rules is part of the policy. The security policy is then applied to the web-tier security group, as shown in Figure 38.
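To make the rule-set semantics concrete, here is an added example (not code from the EMC solution or from VMware) that models the DFW behaviour described above and in the NSX section earlier: security groups with static membership set by the blueprint and dynamic membership by security tag, the three tier policies, top-to-bottom first-match evaluation, stateful return traffic, and the trailing block rules. It also shows the point made under N-Tier application considerations and in the converged use case later in this chapter: because rules bind to security groups rather than subnets, the outcome is identical whether each tier has its own subnet or all three share one. The application and database ports (8080, 3306), the quarantine tag name, and all IP addresses are assumptions.

```python
"""Model of the NSX distributed firewall (DFW) policy described in this chapter.
Added example, not EMC or VMware code. Ports 8080/3306, the quarantine tag name
and the IP addresses are assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)  # NSX security tags, e.g. set by a scanner via Service Composer


@dataclass
class SecurityGroup:
    name: str
    members: set = field(default_factory=set)       # static membership, populated by the vCAC blueprint
    tag_criteria: set = field(default_factory=set)  # dynamic membership based on security tags

    def contains(self, vm):
        return vm.name in self.members or bool(self.tag_criteria & vm.tags)


@dataclass
class Rule:
    name: str
    src: str           # security group name, or "any"
    dst: str
    dports: frozenset  # destination ports; empty means any service
    action: str        # "allow" or "block"


class DistributedFirewall:
    """vNIC-level enforcement: rules are evaluated top to bottom and the first
    match wins; a reply belonging to an allowed session needs no rule of its own."""

    def __init__(self, groups, rules):
        self.groups = {g.name: g for g in groups}
        self.rules = rules
        self.sessions = set()  # (client, server, dport) of connections already allowed

    def _in_scope(self, selector, vm):
        return selector == "any" or self.groups[selector].contains(vm)

    def evaluate(self, src, dst, dport, sport=None):
        """Return (deciding rule, action) for a packet from src to dst."""
        if sport is not None and (dst.name, src.name, sport) in self.sessions:
            return "established", "allow"  # stateful return path
        for rule in self.rules:
            if (self._in_scope(rule.src, src) and self._in_scope(rule.dst, dst)
                    and (not rule.dports or dport in rule.dports)):
                if rule.action == "allow":
                    self.sessions.add((src.name, dst.name, dport))
                return rule.name, rule.action
        # The DFW ships with a default rule that allows traffic, which is why the
        # chapter's rule set ends with explicit block rules.
        return "default", "allow"


def build_policy():
    groups = [SecurityGroup("Web Servers"), SecurityGroup("Application Servers"),
              SecurityGroup("Database Servers"),
              SecurityGroup("Quarantine", tag_criteria={"malware.found"})]  # assumed tag name
    rules = [
        Rule("quarantine-in", "any", "Quarantine", frozenset(), "block"),
        Rule("quarantine-out", "Quarantine", "any", frozenset(), "block"),
        Rule("web-tier", "any", "Web Servers", frozenset({80, 443}), "allow"),
        Rule("app-tier", "Web Servers", "Application Servers", frozenset({8080}), "allow"),
        Rule("db-tier", "Application Servers", "Database Servers", frozenset({3306}), "allow"),
        Rule("default-block", "any", "any", frozenset(), "block"),
    ]
    return DistributedFirewall(groups, rules)


def provision(fw, layout):
    """Simulate vCAC placing each blueprint component into its security group.
    layout maps VM name -> (ip, security group)."""
    vms = {}
    for name, (ip, group) in layout.items():
        vms[name] = VM(name, ip)
        fw.groups[group].members.add(name)
    return vms


def outcomes(layout):
    """Decisions for the flows of the three-tier use case, then for a tagged (quarantined) web server."""
    fw = build_policy()
    vms = provision(fw, layout)
    user = VM("user", "192.0.2.10")  # external client, member of no security group
    web, app, db = vms["web01"], vms["app01"], vms["db01"]
    result = {
        "user->web:443": fw.evaluate(user, web, 443)[1],
        "web->user reply": fw.evaluate(web, user, 51000, sport=443)[1],
        "web->app:8080": fw.evaluate(web, app, 8080)[1],
        "web->db:3306": fw.evaluate(web, db, 3306)[1],  # skipping a tier is blocked
        "app->db:3306": fw.evaluate(app, db, 3306)[1],
        "db->app:8080": fw.evaluate(db, app, 8080)[1],  # no session and no rule: blocked
        "user->app:8080": fw.evaluate(user, app, 8080)[1],
    }
    web.tags.add("malware.found")  # a third-party scanner tags the VM; it joins Quarantine dynamically
    result["user->web:443 after tag"] = fw.evaluate(user, web, 443)[1]
    return result


# Constructed layouts: one subnet per tier (use case 1) and a single flat segment (use case 2).
SEGMENTED = {"web01": ("10.1.1.10", "Web Servers"), "app01": ("10.1.2.10", "Application Servers"),
             "db01": ("10.1.3.10", "Database Servers")}
CONVERGED = {"web01": ("10.1.1.10", "Web Servers"), "app01": ("10.1.1.11", "Application Servers"),
             "db01": ("10.1.1.12", "Database Servers")}

if __name__ == "__main__":
    for label, layout in (("segmented", SEGMENTED), ("converged", CONVERGED)):
        print(label, outcomes(layout))
```

Run it and compare the two dictionaries: they are identical, which is the whole argument for the converged layout. The quarantine rules sit above the allow rules deliberately; placing them below would let the web-tier allow rule match first and the tag would have no effect.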

Figure 38. Web server security policy applied to Web Servers security group

Configure pre-provisioned multimachine blueprint

The final step is the configuration of the multimachine blueprint. In Build Information, the three single-machine blueprints that make up the multimachine blueprint are shown, as in Figure 39.

Figure 39. Multimachine blueprint showing single machine components

In Build Information, each component blueprint is then edited and its network adapter is mapped to the corresponding security group, as shown in Figure 40.

Figure 40. Blueprint network and security group configuration

Note: Both the multimachine blueprint and the component blueprints have a Network page, which may cause some confusion. The multimachine blueprint has a Network page on its main properties screen where the transport zone and network profiles (which trigger dynamic network creation) are specified. The component blueprint's Network page is displayed when you edit the component blueprint in Build Information; the configurable options on this screen are Network Adapters and Security Groups.

The blueprint is published and added to the catalog, where it is made available to the finance business group users. Based on the blueprint, vCAC clones the virtual machines and attaches them to their respective logical switch network segments. It also adds the provisioned virtual machines to the appropriate security groups.

Verify pre-provisioned deployment

To verify that each virtual machine was placed in the correct security group, check the security group membership in the Service Composer interface of the Networking & Security web client. As shown in Figure 41, the database-tier virtual machine was added to the correct security group and has therefore inherited the firewall rules configured for the database-tier security policy. Membership confirms that the rules apply to the virtual machine; to confirm that they are enforced, also test a connection the policy should block, such as one from a web-tier virtual machine directly to the database port.

Figure 41. NSX Service Composer security group membership view for the database tier

Use case 2: Micro-segmentation with converged N-Tier virtual applications

As demonstrated in Use case 1: Micro-segmentation with N-Tier virtual applications, micro-segmentation enables significantly greater control and security. However, we can take this a step further. In many cases micro-segmentation removes the need for a network segment per tier, so a converged architecture can be implemented, as shown in Figure 42.

Figure 42. Example of converged three-tiered application secured with micro-segmentation

The same procedure can be followed to define the security groups and policies; in fact, the same groups and policies can be used. The only difference in the blueprint configuration is that you assign the same network profile to the network adapters of all component machines in the multimachine blueprint. This results in the three tiers being provisioned to the same network segment, while the security group-based rules continue to enforce the tier boundaries.

Summary

This chapter outlined the network architecture of the EMC Enterprise Hybrid Cloud solution, the design considerations involved, and the recommended security practices implemented. It also detailed how the network and security architecture was implemented using NSX for vSphere. The three-tier application use cases showcased both traditional and converged N-Tier architectures, in which we enhanced the security posture through the implementation of micro-segmentation. VMware NSX and vCAC offer flexible creation and deployment of workload resources, while providing richer functionality and better performance than traditional solutions.


Chapter 7: Configuration Management

This chapter presents the following topics:

- Overview
- vCenter host profiles
- vSphere Update Manager
- vCenter Configuration Manager
- Use case 1: Configure a custom compliance standard
- Use case 2: Apply exceptions to compliance templates
- Summary

Overview

In the EMC Enterprise Hybrid Cloud, we applied the recommendations in the vSphere 5.5 Security Hardening Guide and security configuration recommendations from EMC and other vendors. This raises the challenge of how to apply these hardening recommendations and operational configurations consistently across all affected components in the hypervisor and virtualization plane. You also need to confirm that these configurations are in effect and remain so, ensuring adherence to electronic governance, risk, and compliance (eGRC) requirements in addition to your internal IT or security standards.

Configuration management is a vital element of implementing secure systems consistently and in accordance with your security policies. It comprises a collection of steps focused on establishing a configuration baseline to maintain the integrity of the EMC Enterprise Hybrid Cloud and the resources it supports. Many organizations' IT and security groups face a significant challenge in gaining visibility into configuration management and compliance in their environments. To address this challenge in the EMC Enterprise Hybrid Cloud, we use a number of native capabilities:

- vCenter host profiles ensure that a configuration set is applied consistently across all ESXi hosts. Host profiles also enable many vSphere Hardening Guide settings to be applied centrally, provide a means to perform ad hoc scans of host compliance with a profile, and display alerts in the vSphere Web Client.
- vSphere Update Manager enables patch management across virtual appliances and ESXi hosts and provides a means to install and update third-party software on ESXi hosts. Organizations can establish a baseline and audit compliance against it.
- vCenter Configuration Manager extends the capabilities of vCenter host profiles and vSphere Update Manager to provide inventory and asset management, scheduled configuration and compliance scans, reports, and integration with vCenter Operations Manager. In addition, it enables patch management and configuration management of Windows and Linux guest operating systems, and can audit the entire virtualized environment against many industry and regulatory frameworks and standards.

vCenter host profiles

vCenter host profiles ensure that a consistent configuration is applied across all vSphere ESXi hosts, both when the EMC Enterprise Hybrid Cloud is initially deployed and as it is scaled out to meet future capacity requirements. Specifically, host profiles:

- Ensure consistency for compliance
- Reduce the deployment time for new hosts
- Apply the same change to multiple hosts

To apply the same configuration settings to a group of vSphere ESXi hosts, you create or import a host profile. When you create or import a host profile you must associate it with a reference host, which also allows you to update the profile from that reference host later. When firmware upgrades or other events require storage, network, or security configuration changes on multiple hosts in a cluster, you edit the host profile and apply it across the cluster for consistent configuration updates. In addition, you can remove any settings that must be excluded from the host profile check, to avoid propagating host configuration values that need to be unique across your environment (such as host names and management IP addresses). Figure 43 shows some of the parameters that can be configured in a host profile.

Figure 43. View of some of the available host profile configuration parameters

When the host profile has been created and configured, it can be attached to one or more vSphere hosts or clusters. Once attached, the host configuration is compared against the host profile and any deviations are reported. For example, Figure 44 shows a non-compliant status for one of the hosts in the cluster.

Figure 44. View of host compliance status with host profile

Additional host profiles, shown in Figure 45, correspond to other clusters in our test environment that have different vDS configurations, and demonstrate that you can have multiple host profiles according to your configuration requirements.

Note: You may associate ESXi hosts and clusters with only a single host profile.

New hosts that are added to vCenter Server can be configured by applying the host profile. Using this configuration management feature, you create a profile once and then use it for multiple vSphere hosts, enabling rapid configuration. This also eliminates the need to write specialized scripts or to configure hosts manually. Scheduled tasks can be created to routinely check host compliance against the host profile and log the results as a vCenter event. You can also view the compliance status in the vSphere Web Client by selecting the host profile and then selecting Monitor, as shown in Figure 45.
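The host profile workflow above (extract a profile from a reference host, exclude the settings that must stay unique per host, attach it to a cluster, and have a scheduled task report deviations as vCenter events) is easy to get subtly wrong, so here is an added example that models it; it is not the solution's own tooling or a vSphere API. The setting names are the kind of hardening-guide parameters a profile carries (check the exact names against the vSphere 5.5 hardening guide); the values and the three-host inventory are constructed for illustration.

```python
"""Model of a vCenter host profile compliance check.
Added example, not the solution's own tooling. Setting names are illustrative
hardening-guide parameters; the values and the host inventory are constructed."""
from dataclasses import dataclass, field

# Settings that are legitimately different on every host and must be excluded
# from the profile check, otherwise every host but the reference host is flagged.
UNIQUE_PER_HOST = {"hostname", "mgmt_ip"}


@dataclass
class HostProfile:
    name: str
    settings: dict                             # expected key -> value, taken from the reference host
    excluded: set = field(default_factory=set)

    @classmethod
    def from_reference_host(cls, name, reference, excluded=frozenset(UNIQUE_PER_HOST)):
        """A profile is always extracted from a reference host."""
        return cls(name, {k: v for k, v in reference.items() if k not in excluded}, set(excluded))

    def update_from(self, reference):
        """Re-extract after the reference host changed (e.g. after a firmware upgrade)."""
        self.settings = {k: v for k, v in reference.items() if k not in self.excluded}

    def check(self, host):
        """Deviations for one host as (setting, expected, actual) tuples."""
        return [(k, v, host.get(k, "<missing>")) for k, v in self.settings.items()
                if host.get(k, "<missing>") != v]


def scheduled_compliance_check(profile, cluster):
    """What the scheduled task does: check every attached host, emit a
    vCenter-style event for each non-compliant one, return status per host."""
    report, events = {}, []
    for hostname, config in cluster.items():
        deviations = profile.check(config)
        report[hostname] = "compliant" if not deviations else "non-compliant"
        if deviations:
            events.append({"event": "HostProfileNonCompliant", "host": hostname,
                           "deviations": deviations})
    return report, events


# Constructed inventory. esx01 is the reference host; esx02 has drifted (SSH
# service started, shell timeout cleared); esx03 differs only in per-host identity.
REFERENCE = {
    "hostname": "esx01", "mgmt_ip": "10.0.0.11",
    "UserVars.ESXiShellTimeOut": 600,
    "UserVars.ESXiShellInteractiveTimeOut": 600,
    "Config.HostAgent.plugins.solo.enableMob": False,
    "Syslog.global.logHost": "udp://syslog.example.internal:514",
    "service.TSM-SSH": "stopped",
    "service.ntpd": "running",
}
CLUSTER = {
    "esx01": dict(REFERENCE),
    "esx02": {**REFERENCE, "hostname": "esx02", "mgmt_ip": "10.0.0.12",
              "service.TSM-SSH": "running", "UserVars.ESXiShellTimeOut": 0},
    "esx03": {**REFERENCE, "hostname": "esx03", "mgmt_ip": "10.0.0.13"},
}


def demo():
    profile = HostProfile.from_reference_host("Resource Pods", REFERENCE)
    return scheduled_compliance_check(profile, CLUSTER)


if __name__ == "__main__":
    report, events = demo()
    print(report)
    for e in events:
        print(e["host"], e["deviations"])
```

The exclusion list is the part to get right: building the profile without it flags esx03 for its hostname and management address even though it is hardened identically, which trains operators to ignore the compliance alarm.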

Figure 45. Compliance view of the clusters attached to the Resource Pods host profile

When a compliance check returns a non-compliant status, a vCenter error event is generated that can be tracked in vCenter Operations Manager. While vCenter Operations Manager is beyond the scope of this security guide, it is discussed in detail in the EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition: Foundation Solution Guide.

vSphere Update Manager

Organizations that are unable to patch systems effectively and efficiently are susceptible to compromises that are easily preventable. Consider patch management carefully in the context of security, because it is important in establishing and maintaining a solid security baseline. In addition, patch management is a core requirement of various security compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS), which requires that all system components and software be protected from known vulnerabilities by having the latest vendor-supplied security patches installed.

To address patch management in the EMC Enterprise Hybrid Cloud, VMware vSphere Update Manager (VUM) is used to keep vSphere hosts and virtual appliances up to date. VUM automates patch management and eliminates manual tracking and patching of vSphere hosts and virtual appliances. vSphere Update Manager includes these core features:

- A compliance dashboard that provides visibility into the patch and upgrade status of hosts and virtual appliances against static or dynamic baselines
- Staging and scheduling of patching for remote sites and scheduled maintenance windows

- Deployment of patches downloaded directly from a vendor website, including drivers, Common Information Model (CIM) providers, and other updates from hardware vendors for VMware vSphere hosts

Patching can lead to compatibility errors that require remediation. VUM can eliminate the most common patching problems before they occur, ensuring that the time you save through batch-processing automation is not wasted later on rollbacks. Benefits of VUM include:

- Storing snapshots for a user-defined period, so that administrators can roll back a virtual machine if necessary
- Patching offline virtual machines securely without exposing them to the network, reducing the risk of non-compliant virtual machines
- Ensuring that the most current version of a patch is applied, with automatic notification services

vSphere Update Manager compares the state of vSphere hosts with baselines and can then stage and apply patches to enforce compliance. Figure 46 shows examples of different types of baselines.

Figure 46. Examples of baselines configured in vSphere Update Manager

As an example, the Critical Host Patches baseline that ships with vSphere Update Manager, shown in Figure 47, uses as its inclusion criteria any patch of severity Critical from any vendor for any product. This is a good example of a dynamic baseline: its membership is re-evaluated automatically as vendors release additional patches that match the criteria, so the baseline keeps up with the patch catalog without being edited. Fixed patch baselines, by contrast, contain a statically defined set of patches; upgrade baselines are used for host and virtual appliance upgrades; and extension baselines contain third-party software such as drivers or EMC PowerPath/VE.

Figure 47. Example of patch inclusion criteria for a vSphere Update Manager baseline

The inclusion criteria are granular; you can include or exclude individual patches, giving you the flexibility to define a custom baseline specific to your environment. In addition, you can include non-VMware extensions, such as EMC PowerPath/VE, in a custom baseline, as shown in Figure 48.

Figure 48. EMC PowerPath/VE extension added to vSphere Update Manager custom baseline

This enables you to deploy EMC PowerPath/VE (and any other extensions) to all your ESXi hosts and ensure that consistent revision control is maintained throughout your environment. Baselines can be grouped together in a baseline group, as shown in Figure 49.

Figure 49. Components of EHC Hosts baseline group

Baseline groups are useful for applying multiple baselines to virtual appliances, hosts, clusters, or data center objects, and especially when you audit compliance, because the compliance status can be viewed across the group of baselines rather than individually. The vSphere Update Manager Compliance view in the vSphere Web Client provides a quick overview of your compliance status. An example is shown in Figure 50.

Figure 50. View of compliance state for the EHC Core Pod

In this example, 50 percent of the hosts in the cluster are out of compliance, and the affected baseline group and the individual baseline are flagged red as non-compliant. In addition, the type of update is flagged red on the affected host. To rectify this situation, click Remediate to start the remediation wizard. From there, the appropriate baseline can be applied to the affected assets, as shown in Figure 51.

Figure 51. Selection view of the vSphere Update Manager Remediation wizard

You can schedule the remediation for a later date and time. This is useful when you are restricted to a maintenance window: combining a scheduled remediation with the staging feature, which copies the patches to the hosts in advance, helps ensure that you meet your maintenance window requirements. As shown in Figure 51, the extension has already been staged. The remediation wizard also allows the selection of host remediation options, including the virtual machine power state and the disabling of any removable media mounted to virtual machines on the hosts to be remediated. The cluster remediation options are shown in Figure 52.

Figure 52. Cluster remediation options presented in the Remediation wizard

Selecting the Enable parallel remediation option, as shown in Figure 52, can significantly reduce the time to remediate by running the remediation tasks in parallel on clusters with two or more hosts, according to the resources in demand on the cluster at the time of remediation. Note that when remediating a vSphere cluster with DRS enabled, all workloads remain available throughout the remediation process.

vCenter Configuration Manager

The security status of each cloud system changes dynamically. These changes may be caused by a cloud administrator operation that introduces risk into the environment, by cloud components that are susceptible to a vulnerability, or by an external change such as a new attack method. Therefore, it is important to continuously monitor the security status of the EMC Enterprise Hybrid Cloud, mitigate or remediate the potential risk, and keep the system compliant with a security baseline.

In this solution, we integrated VMware vCenter Configuration Manager (VCM) to build a configuration compliance audit and management system. VCM provides a unified dashboard for managing configuration compliance. It integrates with vSphere to perform configuration data collection, which enables the vSphere infrastructure and its dependent components to be audited, exceptions to policy to be flagged, and remediation to be performed. Preset rules and templates are available that enable you to begin monitoring system compliance with regulatory standards (Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA)), industry standards (PCI DSS), and Microsoft standards, as shown in Figure 53.

Figure 53. View of the VCM compliance dashboards showing vSphere Hardening compliance

Examples of elements that can be tracked for compliance are:
- Hypervisor configuration through vCenter host profiles
- Hypervisor and virtual appliance patch management through VUM baselines
- Linux and Windows guest OS configuration
- Regulatory and industry standards through default compliance toolkits

Configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines, and regulatory mandates such as:
- Security best practices developed by the Defense Information Systems Agency (DISA STIGs), the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and many more
- Hardening guidelines from VMware and Microsoft
- Regulatory mandates such as SOX, the PCI standard, HIPAA, and FISMA

You can also use VCM to assess compliance with your own internal IT standard to drive best practices in your environment.

The integration between vCenter Operations Manager and VCM includes using the VCM compliance template results to contribute to the Risk badge score in vCenter Operations Manager, as shown in Figure 54.

Figure 54. vC Ops dashboard displaying Risk badge score

The compliance templates are included in badge mappings that are run in VCM against objects in vCenter Server instances that are managed by both VCM and vCenter Operations Manager. These objects include virtual machines, host systems, clusters, vCenter Server instances, and datastores. The compliance mapping results determine the compliance score. Expanding the risk status table in Figure 54 displays the compliance status summary, shown in Figure 55.

Figure 55. vC Ops dashboard displaying compliance status summary

vCenter Operations Manager pulls the scores into the formulas used to calculate the Risk badge scores. When you review standards compliance in vCenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring a non-compliant object back into compliance.

Enable operational compliance

Operational compliance views enable you to proactively enforce configuration standards, detect configuration drift early, and automatically remediate violations of IT policies. You can also harden the infrastructure for security and regulatory requirements. Preparing for and responding to an audit is no longer an intimidating and time-consuming process because, with automated reporting, you can pinpoint critical areas with ease. Compliance views are tightly integrated with the operations dashboard for comprehensive visibility into the health, risk, and efficiency of the infrastructure and applications.

Figure 56. Risk dashboard showing compliance status in environment

Use case 1: Configure a custom compliance standard

Compliance rules compare your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you import or create, to determine whether the machines meet the standards. The results of the compliance run tell you which machines comply with the standards and which are in violation. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM. Preset rules and templates are available that enable you to begin monitoring system compliance with any imported regulatory, industry, or vendor standard. You can create and manage rules and rule groups based on Active Directory, virtualization and physical objects and configuration data, or on machine data.

Note: The VCM Compliance Monitor does not query systems directly; it queries the VCM data collection database. If a machine has not been included in a collection, the collection is not configured correctly, or the last collection is outdated, the Compliance Monitor reports incorrect or out-of-date results. Therefore, for accurate compliance monitoring, you must first collect the necessary data.

Custom compliance rules

Create a rule group

To create a rule group:
1. In the VCM console, navigate to Compliance -> Virtual Environment Compliance -> Rule Groups.
2. Click Add and then provide a name for the new rule group, as shown in Figure 57.

Figure 57. VCM custom rule creation view

3. To add compliance rules to the rule group, expand the rule group just created, select Rules, and then click Add in the menu bar, as shown in Figure 58.

Figure 58. Creating a custom compliance rule

4. In this example, to check that VMware Tools is running in guest virtual machines, enter an appropriate rule name and description.
5. Select vCenter Guests Summary, as shown in Figure 59, from the list of data types to collect.

Figure 59. Data type to select for custom compliance rule

6. Select the Conditional rule type to exclude those virtual machines that do not have VMware Tools installed.
7. On the next screen, click Add to create the IF rule criteria. Select Tools Version Status from the list, select the <> (NOT) operator, and then click the ellipsis to select the correct state.
8. To exclude virtual machines where VMware Tools is not installed, click the ellipsis and select guestToolsNotInstalled.
9. In the THEN panel, click Add to create the THEN rule criteria.
10. Select Tools Running Status from the list and click the ellipsis to choose the correct state.
11. To check that VMware Tools is running, click the ellipsis and select guestToolsRunning, as shown in Figure 60.

Figure 60. Rule criteria selection for detecting VMware Tools running state

12. On the Options screen, leave the severity as Moderate and click Finish to exit the wizard.

Note: On the Options screen, you can change the severity according to your requirements. You can also configure an automatic remediation action by enabling the enforcement checkbox and configuring the appropriate action.

Filtering the results

In this example, to show only those results for guests in the inventory of the two EMC Enterprise Hybrid Cloud vCenter servers, add a filter to the rule group, following the same sequence, as shown in Figure 61.

Figure 61. Creating a custom compliance rule group filter

1. On the Data Type screen, select vCenter Guests Summary, as shown in Figure 62. Select Basic as the rule type for the filter.
2. On the next screen, specify the vCenters to filter by, choosing the OR operator as indicated in Figure 62.

Figure 62. Selecting vCenters to filter

3. Select vCenter from the list and click the ellipsis to choose the EHC Core vCenter. Click Add and repeat the process for the EHC Cloud vCenter.

Compliance preview results

To test the compliance rule you created, select the rule, click Preview, and choose Do not apply machine filters to preview. This produces a list of guests in the EHC vCenter inventories that have VMware Tools installed but not running. Sample output is shown in Figure 63.

Figure 63. Sample out-of-compliance results for the custom VMware Tools rule

Custom compliance template

Add custom rule group to new template

A template is a collection of rule groups and can be included in scheduled collections. To add a custom rule group to a custom template:
1. Navigate to Virtual Compliance Templates.
2. Click Add in the menu bar, and then provide a name and description for the template, as shown in Figure 64.

Figure 64. VCM Compliance view showing new template steps

3. On the Rule Groups screen, as shown in Figure 65, select the rule group created earlier. On the Template Options screen, keep the defaults, click Next, and then click Finish.

Figure 65. Rule groups to choose from in the template creation wizard

4. To run the Custom Compliance Template to verify the configuration, select the Templates folder and click the newly created Custom Compliance Template.
5. Click Run Template. A configuration screen opens. Leave the options at their defaults.
6. Click OK and the compliance run completes. Refresh the UI to see the resulting data rows.

To see a graphical representation of the compliance data results, click the newly created Custom Compliance Template in the navigation sidebar. A summary is displayed similar to that shown in Figure 66.
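The rule built in use case 1 is easier to reason about when its logic is written out. The following is an added example, not VCM code or part of the original guide: it evaluates the same conditional rule (IF Tools Version Status <> guestToolsNotInstalled THEN Tools Running Status = guestToolsRunning) against a constructed collection, applies the rule-group filter that keeps only the two EHC vCenters, and honours the note above that the Compliance Monitor works from collected data: guests whose last collection is older than a threshold are reported as stale rather than judged on outdated rows. The vCenter hostnames, the 24-hour staleness threshold, and the inventory rows are assumptions made for the example.

```python
"""Added example (not VCM code): offline evaluation of the custom VMware Tools rule.

Models the conditional rule from use case 1, the rule-group filter on the EHC Core
and EHC Cloud vCenters, and the caveat that compliance is judged on the last
collection, so stale rows are flagged instead of trusted.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class GuestSummary:
    """One row of the vCenter Guests Summary data type (fields modelled on the vSphere GuestInfo properties)."""
    name: str
    vcenter: str
    tools_version_status: str   # e.g. guestToolsCurrent, guestToolsNeedUpgrade, guestToolsNotInstalled
    tools_running_status: str   # e.g. guestToolsRunning, guestToolsNotRunning
    collected_at: datetime      # timestamp of the VCM collection that produced this row


# Rule-group filter: vCenter = EHC Core OR vCenter = EHC Cloud (assumed hostnames).
EHC_VCENTERS = frozenset({"ehc-core-vc", "ehc-cloud-vc"})
# Rows older than this are treated as stale rather than evaluated (assumed threshold).
MAX_COLLECTION_AGE = timedelta(hours=24)


def in_filter_scope(guest: GuestSummary) -> bool:
    """Rule-group filter: Basic rule on the vCenter field, joined with OR."""
    return guest.vcenter in EHC_VCENTERS


def vmtools_running_rule(guest: GuestSummary) -> str:
    """Conditional rule evaluation.

    IF   Tools Version Status <> guestToolsNotInstalled   (otherwise the guest is excluded)
    THEN Tools Running Status =  guestToolsRunning        (compliant when true)
    Comparison is case-insensitive because VCM displays the enum values in lower case.
    """
    if guest.tools_version_status.lower() == "guesttoolsnotinstalled":
        return "excluded"          # IF clause false: the rule does not apply
    if guest.tools_running_status.lower() == "guesttoolsrunning":
        return "compliant"
    return "noncompliant"


def preview(inventory: List[GuestSummary], now: datetime,
            max_age: timedelta = MAX_COLLECTION_AGE) -> Dict[str, List[str]]:
    """Equivalent of clicking Preview on the rule: groups guest names by outcome."""
    report: Dict[str, List[str]] = {
        "compliant": [], "noncompliant": [], "excluded": [], "stale": [], "out_of_scope": []}
    for guest in inventory:
        if not in_filter_scope(guest):
            report["out_of_scope"].append(guest.name)
        elif now - guest.collected_at > max_age:
            report["stale"].append(guest.name)   # do not judge a guest on an outdated collection
        else:
            report[vmtools_running_rule(guest)].append(guest.name)
    return report


# Constructed sample collection (not real EHC inventory data).
NOW = datetime(2015, 2, 1, 12, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(hours=2)
SAMPLE_INVENTORY = [
    GuestSummary("web01", "ehc-core-vc", "guestToolsCurrent", "guestToolsRunning", FRESH),
    GuestSummary("db01", "ehc-cloud-vc", "guestToolsNeedUpgrade", "guestToolsNotRunning", FRESH),
    GuestSummary("template-base", "ehc-core-vc", "guestToolsNotInstalled", "guestToolsNotRunning", FRESH),
    GuestSummary("legacy01", "ehc-cloud-vc", "guestToolsCurrent", "guestToolsNotRunning",
                 NOW - timedelta(days=3)),
    GuestSummary("lab-vm", "lab-vc", "guestToolsCurrent", "guestToolsNotRunning", FRESH),
]

if __name__ == "__main__":
    for outcome, names in preview(SAMPLE_INVENTORY, NOW).items():
        print(f"{outcome:13s} {', '.join(names) or '-'}")
```

Only db01 is reported as non-compliant: template-base is excluded by the IF clause, lab-vm is outside the rule-group filter, and legacy01 is listed as stale because its last collection is three days old. Treating stale rows separately is the point of the note above; a preview that silently evaluated them would report a compliance state the environment may no longer have.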

Figure 66. Graphical summary of the Custom Compliance Template results

Use case 2: Apply exceptions to compliance templates

To temporarily or permanently override specific template results, exceptions are used rather than explicitly resolving non-compliant results. The exceptions are applied against the compliance template results and indicate that a specific result is compliant or non-compliant even though it does not match the requirements of the rules. Examples of where exceptions may be necessary are:
- Avamar image-level backup and restore. Avamar uses the HTTP datastore browser feature in vCenter to back up or restore virtual machines.
- Cloud Foundry requires that the managed object browser (MOB) be enabled on the vCenter server, or deployments of Cloud Foundry will fail.

Disabling the HTTP datastore browser and MOB features in accordance with the vSphere Hardening Guidelines would break critical functionality. Exceptions are created so that results are not skewed. The template to which you want to apply the exception must already exist. In our example, we create and apply the exception items above against the VMware vSphere 5.5 Hardening Jun vSphere Controls - No Guests compliance template.

Adding an exception for the datastore HTTP browser

To create the datastore HTTP browser exception:
1. Navigate to Virtual Environment Compliance and select the Exceptions folder.
2. Click Add to start the wizard and provide a suitable name and description for the exception, as shown in Figure 67.

Figure 67. Navigating to the Compliance Exception wizard

3. On the Templates screen, choose the compliance template to which you want the exception to be applied.
4. On the Virtual Object Groups screen, select All Virtual Objects.
5. On the Override Options and Expiration Date screens, leave the settings at their default values and click Next. The Create Exception Rule(s) screen opens.
6. To add the rules necessary to build the exception, click Add, as shown in Figure 68.

Figure 68. Exception rules for HTTP Datastore on vCenter Server

The Rule relates to the compliance rule for which we are creating an exception, in this example "disable-datastore-web - Disable datastore web browser". The configuration parameter that this rule references is config.enableHttpDatastoreAccess, so the expected values are NULL or true. To account for these two possible values, as shown in Figure 68, we have used the NOT operator with a value of false.

Adding an exception for the managed object browser

The procedure is the same as that for the HTTP Datastore browser exception, with one difference: the exception rules differ slightly, as shown in Figure 69.

Figure 69. Exception rules for the managed object browser on vCenter Server

The Rule relates to the "disable-mob - Disable managed object browser" compliance rule. The configuration parameter is config.vpxd.enable.debugBrowse, and the expected values are NULL or true. Because Cloud Foundry Operations Manager is provisioned using the EHC Cloud vCenter server, narrow the scope of the exception by setting the Object value to that of the Cloud vCenter.
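The two exceptions in use case 2 differ in one security-relevant way: the HTTP datastore browser exception applies to All Virtual Objects, while the MOB exception is narrowed to the Cloud vCenter, so the MOB remains flagged wherever Cloud Foundry does not need it. The following is an added example, not VCM code or part of the original guide, that models how such exceptions act on hardening results: each rule is compliant only when its parameter is explicitly false, an exception rule uses the NOT operator with value false (matching both NULL and true), and an exception's object scope decides which vCenter results it may override. The vCenter hostnames, the exception names, and the collected values are constructed for the example.

```python
"""Added example (not VCM code): applying compliance exceptions to hardening results.

Models use case 2: results for disable-datastore-web and disable-mob are overridden
by exceptions instead of being remediated, because the page notes that Avamar needs
the HTTP datastore browser and Cloud Foundry needs the MOB. The MOB exception is
scoped to the EHC Cloud vCenter only, so the Core vCenter result stays non-compliant.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class RuleResult:
    rule_id: str                      # e.g. disable-datastore-web, disable-mob
    vcenter: str                      # vCenter Server object the result belongs to
    parameter: str                    # configuration parameter the rule checks
    value: Optional[str]              # collected value; None models NULL (parameter not set)
    compliant: bool
    exception: Optional[str] = None   # name of the exception that overrode the result, if any


@dataclass(frozen=True)
class ComplianceException:
    name: str
    rule_id: str                        # compliance rule the exception relates to
    not_value: str                      # exception rule: collected value <> not_value
    objects: Optional[FrozenSet[str]]   # None models "All Virtual Objects"
    override_to: bool = True            # Override Options: report the result as compliant


def evaluate_hardening_rule(rule_id: str, vcenter: str, parameter: str,
                            value: Optional[str]) -> RuleResult:
    """Both hardening rules on the page are satisfied only when the setting is explicitly false."""
    return RuleResult(rule_id, vcenter, parameter, value, compliant=(value == "false"))


def exception_matches(exc: ComplianceException, result: RuleResult) -> bool:
    """An exception applies when rule, object scope and the NOT condition all match."""
    if exc.rule_id != result.rule_id:
        return False
    if exc.objects is not None and result.vcenter not in exc.objects:
        return False
    # NOT operator with value false: NULL <> "false" and "true" <> "false" both hold.
    return result.value != exc.not_value


def apply_exceptions(results: List[RuleResult],
                     exceptions: List[ComplianceException]) -> List[RuleResult]:
    """Returns a new result list with the first matching exception applied to each result."""
    out: List[RuleResult] = []
    for result in results:
        for exc in exceptions:
            if exception_matches(exc, result):
                result = replace(result, compliant=exc.override_to, exception=exc.name)
                break
        out.append(result)
    return out


def noncompliant_objects(results: List[RuleResult]) -> List[str]:
    """Sorted 'vcenter:rule' labels of the results still flagged after exceptions."""
    return sorted(f"{r.vcenter}:{r.rule_id}" for r in results if not r.compliant)


# Constructed collection values (vCenter hostnames assumed).
HARDENING_RESULTS = [
    evaluate_hardening_rule("disable-datastore-web", "ehc-core-vc", "config.enableHttpDatastoreAccess", None),
    evaluate_hardening_rule("disable-datastore-web", "ehc-cloud-vc", "config.enableHttpDatastoreAccess", "true"),
    evaluate_hardening_rule("disable-mob", "ehc-core-vc", "config.vpxd.enable.debugBrowse", "true"),
    evaluate_hardening_rule("disable-mob", "ehc-cloud-vc", "config.vpxd.enable.debugBrowse", "true"),
]

EXCEPTIONS = [
    # Avamar backup and restore needs the HTTP datastore browser on every vCenter: All Virtual Objects.
    ComplianceException("avamar-http-datastore-browser", "disable-datastore-web", "false", objects=None),
    # Cloud Foundry is provisioned only from the Cloud vCenter, so the MOB exception is scoped to it.
    ComplianceException("cloud-foundry-mob", "disable-mob", "false", objects=frozenset({"ehc-cloud-vc"})),
]

if __name__ == "__main__":
    for r in apply_exceptions(HARDENING_RESULTS, EXCEPTIONS):
        state = "compliant" if r.compliant else "NON-COMPLIANT"
        print(f"{r.vcenter:13s} {r.rule_id:22s} value={r.value!s:5s} {state} exception={r.exception}")
```

Before exceptions, all four results are non-compliant. After them, only disable-mob on the Core vCenter remains flagged, which is the intended outcome: the exception documents an accepted deviation exactly where a dependent service requires it, and the hardening control keeps reporting everywhere else. Reviewing the scope of each exception this way, rather than defaulting to All Virtual Objects, keeps the compliance view from hiding settings that could be disabled.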


More information

Brocade One Data Center Cloud-Optimized Networks

Brocade One Data Center Cloud-Optimized Networks POSITION PAPER Brocade One Data Center Cloud-Optimized Networks Brocade s vision, captured in the Brocade One strategy, is a smooth transition to a world where information and applications reside anywhere

More information

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads IaaS SOLUTIONS Secure Infrastructure as a Service for Production Workloads THE CHALLENGE Now more than ever, business and government are facing the challenge of balancing conflicting demands. Market pressures

More information

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc. White Paper Juniper Networks Solutions for VMware NSX Enabling Businesses to Deploy Virtualized Data Center Environments Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3

More information

Softverski definirani data centri - 2. dio

Softverski definirani data centri - 2. dio Softverski definirani data centri - 2. dio Vmware NSX To Deliver a Software Defined Data Center Implementation Automated Operational Model Programmatically Create, Snapshot, Store, Move, Delete, Restore

More information

Enabling Storage Services in Virtualized Cloud Environments

Enabling Storage Services in Virtualized Cloud Environments Cloud Environments Contents 1. Multi-Tenant Architecture... 4 2. Server Groups, Attributes, and Aggregation... 4 3. Capacity Planning as a Service... 6 4. Chargeback as a Service... 9 4.1. Storage Chargeback...

More information

EMC DESKTOP-AS-A-SERVICE

EMC DESKTOP-AS-A-SERVICE Proven Solutions Guide EMC DESKTOP-AS-A-SERVICE EMC VNX, EMC SYMMETRIX VMAX, VMWARE VCLOUD DIRECTOR, VMWARE VSPHERE 5, AND VMWARE VIEW 5 Deploy virtual desktop services in cloud environments Support virtual

More information

How To Make Backup More Efficient

How To Make Backup More Efficient White Paper EMC CLOUD-ENABLED INFRASTRUCTURE FOR SAP - BUSINESS CONTINUITY SERIES: DATA PROTECTION BUNDLE EMC Symmetrix VMAX, EMC Data Domain, EMC Avamar, and EMC Data Protection Advisor Comprehensive

More information

EMC BACKUP-AS-A-SERVICE

EMC BACKUP-AS-A-SERVICE White Paper EMC BACKUP-AS-A-SERVICE EMC Avamar, VMware vcloud Director, and VMware vcenter Orchestrator Provide portal-based backup management Deliver single click backup and restore for vcloud Director

More information

VMware vsphere Data Protection 6.0

VMware vsphere Data Protection 6.0 VMware vsphere Data Protection 6.0 TECHNICAL OVERVIEW REVISED FEBRUARY 2015 Table of Contents Introduction.... 3 Architectural Overview... 4 Deployment and Configuration.... 5 Backup.... 6 Application

More information

How Network Virtualization can improve your Data Center Security

How Network Virtualization can improve your Data Center Security How Network Virtualization can improve your Data Center Security Gilles Chekroun SDDC, NSX Team EMEA gchekroun@vmware.com 2014 VMware Inc. All rights reserved. Security IT spending Security spending is

More information

ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP

ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP Virtualization, in particular VMware, has changed the way companies look at how they deploy not only their servers,

More information

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware VM-Series for VMware The VM-Series for VMware supports VMware NSX, ESXI stand-alone and vcloud Air, allowing you to deploy next-generation firewall security and advanced threat prevention within your VMware-based

More information

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved. Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security

More information

vcloud Air Disaster Recovery Technical Presentation

vcloud Air Disaster Recovery Technical Presentation vcloud Air Disaster Recovery Technical Presentation Agenda 1 vcloud Air Disaster Recovery Overview 2 What s New 3 Architecture 4 Setup and Configuration 5 Considerations 6 Automation Options 2 vcloud Air

More information

DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTION NS FOR VSPEXX PRIVATE CLOUD EMC VSPEX December 2014

DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTION NS FOR VSPEXX PRIVATE CLOUD EMC VSPEX December 2014 DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTIONS FOR VSPEX PRIVATE CLOUD EMC VSPEX December 2014 Copyright 2013-2014 EMC Corporation. All rights reserved. Published in USA. Published December,

More information

LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM

LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM Leverage Vblock Systems for Esri's ArcGIS System Table of Contents www.vce.com LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM August 2012 1 Contents Executive summary...3 The challenge...3 The solution...3

More information

CompTIA Cloud+ 9318; 5 Days, Instructor-led

CompTIA Cloud+ 9318; 5 Days, Instructor-led CompTIA Cloud+ 9318; 5 Days, Instructor-led Course Description The CompTIA Cloud+ certification validates the knowledge and best practices required of IT practitioners working in cloud computing environments,

More information

EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE

EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE Self-service portal delivers ready-to-use development platform in less than one hour Application developers order from online catalog with just a few clicks

More information

SharePoint Microsoft SharePoint has become

SharePoint Microsoft SharePoint has become The Essential Guide to SharePoint S p o n s o r e d b y Microsoft SharePoint has become a mission-critical platform for sharing information and delivering improved collaboration to organizations of all

More information

Microsegmentation Using NSX Distributed Firewall: Getting Started

Microsegmentation Using NSX Distributed Firewall: Getting Started Microsegmentation Using NSX Distributed Firewall: VMware NSX for vsphere, release 6.0x REFERENCE PAPER Table of Contents Microsegmentation using NSX Distributed Firewall:...1 Introduction... 3 Use Case

More information

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend: CompTIA Cloud+ Length: 5 Days Who Should Attend: Project manager, cloud computing services Cloud engineer Manager, data center SAN Business analyst, cloud computing Summary: The CompTIA Cloud+ certification

More information

Continuous Data Protection for any Point-in-Time Recovery: Product Options for Protecting Virtual Machines or Storage Array LUNs

Continuous Data Protection for any Point-in-Time Recovery: Product Options for Protecting Virtual Machines or Storage Array LUNs EMC RECOVERPOINT FAMILY Continuous Data Protection for any Point-in-Time Recovery: Product Options for Protecting Virtual Machines or Storage Array LUNs ESSENTIALS EMC RecoverPoint Family Optimizes RPO

More information

VMware Solutions for Small and Midsize Business

VMware Solutions for Small and Midsize Business SOLUTION BRIEF VMware Solutions for Small and Midsize Business Protect Your Business, Simplify and Save on IT, and Empower Your Employees AT A GLANCE VMware is a leader in virtualization and cloud infrastructure

More information

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Additional Features and Benefits of

More information

Cisco Intelligent Automation for Cloud

Cisco Intelligent Automation for Cloud Product Data Sheet Cisco Intelligent Automation for Cloud Early adopters of cloud-based service delivery were seeking additional cost savings beyond those achieved with server virtualization and abstraction.

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology White Paper IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology Abstract EMC RecoverPoint provides full support for data replication and disaster recovery for VMware ESX Server

More information

EMC DATA PROTECTION ADVISOR

EMC DATA PROTECTION ADVISOR EMC DATA PROTECTION ADVISOR Unified Data Protection Management ESSENTIALS Built to meet the data protection requirements of the cloud computing era Single, unified solution provides end-to-end visibility

More information

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents

More information

VMware vsphere Data Protection Evaluation Guide REVISED APRIL 2015

VMware vsphere Data Protection Evaluation Guide REVISED APRIL 2015 VMware vsphere Data Protection REVISED APRIL 2015 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Requirements.... 4 Evaluation Workflow... 5 Overview.... 5 Evaluation

More information

EMC SOLUTIONS TO OPTIMIZE EMR INFRASTRUCTURE FOR CERNER

EMC SOLUTIONS TO OPTIMIZE EMR INFRASTRUCTURE FOR CERNER EMC SOLUTIONS TO OPTIMIZE EMR INFRASTRUCTURE FOR CERNER ESSENTIALS Mitigate project risk with the proven leader, many of largest EHR sites run on EMC storage Reduce overall storage costs with automated

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

About the VM-Series Firewall

About the VM-Series Firewall About the VM-Series Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/

More information

I D C T E C H N O L O G Y S P O T L I G H T

I D C T E C H N O L O G Y S P O T L I G H T I D C T E C H N O L O G Y S P O T L I G H T U n i fied Cloud Management Increases IT- as- a - S e r vi c e Ag i l i t y November 2013 Adapted from VMware Unifies Cloud Management Portfolio with a Focus

More information

Zenoss for Cisco ACI: Application-Centric Operations

Zenoss for Cisco ACI: Application-Centric Operations Zenoss for Cisco ACI: Application-Centric Operations Introduction Zenoss is a systems management software company focused on the challenges of operating and helping ensure the delivery of large-scale IT

More information

Symantec and VMware: Virtualizing Business Critical Applications with Confidence WHITE PAPER

Symantec and VMware: Virtualizing Business Critical Applications with Confidence WHITE PAPER Symantec and VMware: Virtualizing Business Critical Applications with Confidence WHITE PAPER Challenges of Using Traditional High-Availability Solutions Business-critical applications and the systems they

More information

Simplified Private Cloud Management

Simplified Private Cloud Management BUSINESS PARTNER ClouTor Simplified Private Cloud Management ClouTor ON VSPEX by LOCUZ INTRODUCTION ClouTor on VSPEX for Enterprises provides an integrated software solution for extending your existing

More information

VMware Hybrid Cloud. Accelerate Your Time to Value

VMware Hybrid Cloud. Accelerate Your Time to Value VMware Hybrid Cloud Accelerate Your Time to Value Fulfilling the Promise of Hybrid Cloud Computing Through 2020, the most common use of cloud services will be a hybrid model combining on-premises and external

More information

VALUE PROPOSITION FOR SERVICE PROVIDERS. Helping Service Providers accelerate adoption of the cloud

VALUE PROPOSITION FOR SERVICE PROVIDERS. Helping Service Providers accelerate adoption of the cloud VALUE PROPOSITION FOR SERVICE PROVIDERS Helping Service Providers accelerate adoption of the cloud Partnership with Service Providers Enabling Your Cloud Services in Complex Environments Today s challenge

More information

HP Server Automation Standard

HP Server Automation Standard Data sheet HP Server Automation Standard Lower-cost edition of HP Server Automation software Benefits Time to value: Instant time to value especially for small-medium deployments Lower initial investment:

More information