Federation Software-Defined Data Center

Size: px
Start display at page:

Download "Federation Software-Defined Data Center"

Transcription

1 Solution Guide Federation Software-Defined Data Center Security Management Solution Guide EMC Solutions Abstract This Solution Guide provides information about features and configuration options that are available for configuring secure system operations for a Federation Software- Defined Data Center. This document explains why, when, and how to use these security features. October 2014

2 Copyright 2014 EMC Corporation. All rights reserved. Published in the USA. Published October 2014 EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC 2, EMC, Avamar, Data Domain, Data Protection Advisor, Enginuity, PowerPath/VE, RecoverPoint, Solutions Enabler, Symmetrix VMAX, Syncplicity, Unisphere, ViPR, EMC ViPR SRM, VNX, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. Federation Software-Defined Data Center Security Management Solution Guide Part Number H

3 Contents Contents Chapter 1 Executive Summary 11 Document purpose Audience Cloud security challenges EMC and VMware product security approach Technology solution Key components Terminology Federation Software-Defined Data Center security documentation Chapter 2 Software-Defined Data Center Overview 23 Overview Automation and self-service provisioning Multitenancy and secure separation Workload-optimized storage Elasticity and service assurance Monitoring and resource management Metering and chargeback Modular add-on components Data protection services Disaster recovery Public cloud services EMC and VMware integration Storage services Orchestration Operational management and monitoring Metering Summary Chapter 3 Public Key Infrastructure 35 Overview Enterprise PKI architecture Root certificate authority

4 Contents Subordinate (or issuing) CA subjectaltname attributes in certificates Enterprise PKI solution integration Summary Chapter 4 Converged Authentication 45 Overview Security and authentication Microsoft Active Directory SSL certificates for LDAPS Windows authentication and service accounts Active Directory integration VMware vcenter Log Insight VMware vcenter Operations Manager and Active Directory users VMware vcloud Automation Center: Tenant identity stores VMware vsphere ESXi host integration with Active Directory EMC Avamar integration EMC DPA Active Directory support EMC Unisphere authentication EMC ViPR authentication VMware vcenter SSO TACACS+ authentication integration Summary Chapter 5 Centralized Log Management 59 Overview vcenter Log Insight remote syslog architecture Centralized logging integration Content packs for vcenter Log Insight Configuring alerts Summary Chapter 6 Network Security 73 Overview Network configuration Solution architecture Physical connectivity Logical network topology vsphere networking Overlay networks with VXLAN

5 Contents Supporting infrastructure services Network environment for data protection Automation and provisioning NSX for vsphere Introduction Distributed logical router Distributed firewall NSX Edge Logical load balancer N-Tier application considerations Traditional three-tier architecture Two-tier applications Use case 1: Micro-segmentation with N-Tier virtual applications Configure pre-provisioned multimachine blueprint Verify pre-provisioned deployment Use case 2: Micro-segmentation with converged N-Tier virtual applications Summary Chapter 7 Configuration Management 97 Overview vcenter host profiles vsphere Update Manager vcenter Configuration Manager Use case 1: Configure a custom compliance standard Custom compliance rules Custom compliance template Use case 2: Apply exceptions to compliance templates Summary Chapter 8 Multitenancy 121 Overview Secure separation Network segmentation Tenant authentication Role-based access control Solution infrastructure vcac groups and roles Entitlements

6 Contents Summary Chapter 9 Conclusion 129 Summary

7 Figures Contents Figure 1. Federation Software-Defined Data Center key components Figure 2. Federation Software-Defined Data Center features and functionality Figure 3. Self-service provisioning through the vcac portal Figure 4. EMC ViPR Analytics with VMware vcenter Operations Manager Figure 5. ITBM Suite overview dashboard for software-defined data center Figure 6. EMC ViPR integration points with VMware components Figure 7. PKI hierarchy for the Federation Software-Defined Data Center solution stack Figure 8. Authentication relationships between the solution components Figure 9. Log Insight authentication with Active Directory Figure 10. Create a new group Figure 11. Active Directory authentication providers Figure 12. Active Directory role assignments Figure 13. Centralized logging of software-defined data center components with vcenter Log Insight Figure 14. Searching for security events with vcenter Log Insight Figure 15. Log Insight client-server architecture Figure 16. Log Insight distributed architecture Figure 17. Sample vcenter Log Insight dashboard for vcenter Server Figure 18. Customized software-defined data center security dashboard using multiple content packs Figure 19. Custom Log Insight dashboard Figure 20. Example of a Log Insight alert configured to send a notification to vc Ops Figure 21. Examples of security alerts installed in Log Insight Figure 22. Search logs for cloud management platform directly from vc Ops Figure 23. vcenter Log Insight filtering logs for the management cluster components Figure 24. EMC software-defined data center environment Figure 25. Physical topology of the network Figure 26. Logical topology with the cluster pod and functional networks Figure 27. ESXi host networking vswitch configuration Figure 28. VLAN configuration of the cloud management vds uplinks Figure 29. VLAN configuration of the production vds uplinks Figure 30. Port group and VLAN configuration of the cloud management vds Figure 31. Production vds port groups showing Edge connectivity and VXLAN port groups Figure 32. Backup network architecture for the software-defined data center

8 Contents Figure 33. Traditional three-tiered security architecture Figure 34. Example of two-tiered application secured with micro-segmentation Figure 35. Three-tiered application implemented with micro-segmentation Figure 36. Networking & Security web client view of the security groups Figure 37. View of the web, application, and database tier security policies Figure 38. Web server security policy applied to the Web Servers security group.. 92 Figure 39. Multimachine blueprint showing single-machine components Figure 40. Blueprint network and security group configuration Figure 41. Figure 42. NSX service composer security groups membership view for the database-tier Example of converged three-tiered application secured with microsegmentation Figure 43. View of some of the available host profile configuration parameters Figure 44. View of host compliance status with host profile Figure 45. Compliance view of the clusters attached to the Resource Pods host profile Figure 46. Examples of baselines configured in vsphere Update Manager Figure 47. Figure 48. Example of patch inclusion criteria for a vsphere Update Manager baseline EMC PowerPath/VE extension added to vsphere Update Manager custom baseline Figure 49. Components of the baseline group Figure 50. View of compliance state for the Core Pod Figure 51. Selection view of the vsphere Update Manager Remediation wizard Figure 52. Cluster remediation options presented in the Remediation wizard Figure 53. View of the VCM compliance dashboards showing vsphere Hardening compliance Figure 54. vc Ops dashboard displaying Risk badge score Figure 55. vc Ops dashboard displaying compliance status summary Figure 56. Risk dashboard showing compliance status in environment Figure 57. VCM custom rule creation view Figure 58. Creating a custom compliance rule Figure 59. Data type to select for custom compliance rule Figure 60. Rule criteria selection for detecting vmtools running state Figure 61. Creating a custom compliance rule group filter Figure 62. Selecting vcenters to filter Figure 63. Sample out-of-compliance results for the custom vmtools rule Figure 64. VCM Compliance view showing new template steps Figure 65. Rule groups to choose from in the template creation wizard

9 Contents Figure 66. Graphical summary of the Custom Compliance Template results Figure 67. Navigating to the Compliance Exception wizard Figure 68. Exception rules for Http Datastore on vcenter Server Figure 69. Exception rules for the managed object browser on vcenter server Figure 70. Federation Software-Defined Data Center network architecture Tables Table 1. Terminology Table 2. Product security guides Table 3. Certificates and keystore types for vcloud Suite 5.5 deployment

10 10 Contents

11 Chapter 1: Executive Summary Chapter 1 Executive Summary This chapter presents the following topics: Document purpose Audience Cloud security challenges EMC and VMware product security approach Technology solution Terminology Federation Software-Defined Data Center security documentation

12 Chapter 1: Executive Summary Document purpose Audience The EMC Federation of companies, EMC, VMware, Pivotal, and RSA, work together to research, develop, and validate leading-edge solutions to deliver superior, integrated solution stacks. This Solution Guide provides information about features and configuration options that are available for configuring secure system operations in an on-premises implementation of this cloud solution. It explains why, when, and how to use these security features. The Federation Software-Defined Data Center: Foundation Infrastructure Reference Architecture and this Security Management Solution Guide describe the reference architecture and implemented security that all the Federation Software-Defined Data Center add-on solutions build on. This document is part of the solution documentation set and is intended for security architects, practitioners, and administrators responsible for the overall configuration and operation of the Federation Software-Defined Data Center. Readers should be familiar with VMware vcloud Suite, storage technologies, and general IT functions and requirements, and how they fit into a software-defined data center architecture. Table 2 on page 20 lists publications that are related to the features and functionality described in this document. A basic understanding of these features is important to understanding Federation Software-Defined Data Center security. 12

13 Chapter 1: Executive Summary Cloud security challenges While many organizations have successfully introduced virtualization as a core technology within their data center, end users and business units within customer organizations have not experienced many of the benefits of cloud computing, such as increased agility, mobility, and control. Many organizations are now under pressure to provide secure and compliant cloud services to address this need. As a result, IT departments need to create cost-effective alternatives to public cloud services alternatives that do not compromise enterprise security and features such as data protection, disaster recovery, and guaranteed service levels. Potential security threats must be addressed for organizations to maintain or improve their security posture while enabling the business to continue to operate. In a cloud environment, these threats must be addressed at both the underlying infrastructure and virtualized workload levels. The cloud infrastructure can be protected with restricted administration-level access, integration into authentication, logging, and monitoring systems, and system hardening in case of attack. As virtualized applications are typically exposed to an internal or external user base, they remain the primary threat vector. Web application vulnerabilities, OS configuration errors, and missing patches are still possibilities with virtualized workloads. Cloud security technologies allow protection against these vulnerabilities while offering enhanced containerization of workloads that can limit the potential exposure of a successful attack and keep an attacker from infiltrating other systems in the environment. Challenges addressed are: Lack of trust in cloud technology Disjointed authentication mechanisms Lack of coordinated event tracking Inconsistently applied configurations Difficulty in maintaining client or business unit multitenancy Difficulty in enforcing separation within a demilitarized zone (DMZ) and private network zones The Federation Software-Defined Data Center implements a variety of security features to control user and network access, monitor system access and use, and support the transmission of encrypted data. The security features related to the Federation Software-Defined Data Center are implemented on the EMC and VMware solution components and include the following: Public key infrastructure integration Converged authentication Centralized log management Security configuration management Multitenancy 13

14 Chapter 1: Executive Summary EMC and VMware product security approach Technology solution An increasingly interconnected world has created growth opportunities that are now accelerating with the rise of software-defined data centers. Organizations can now deploy information infrastructures more quickly and run them with greater efficiency, control, and choice. These advances foster business agility and connectivity, but they have also created pervasive dependencies among computing components that make problems and vulnerabilities difficult to contain. Complex, interconnected electronic systems inevitably have software bugs and vulnerabilities. Even a perfect product can develop problems through linkages to flawed partner products or to subsequent changes in the technology environment that create new exposures. EMC and VMware meet these product security challenges by applying industry best practices, as well as a flexible and standardized approach to prioritizing security throughout the product lifecycle, from inception through sustainment. Trusted IT requires that EMC products are developed so that the risks of vulnerabilities are minimized, and flaws that surface are assessed and resolved as quickly as possible. This end-to-end process is designed to protect customers and to provide what customers need to help protect themselves. The Federation believes industry collaboration is invaluable for product security. Every company has something to teach and much to learn. Industry collaboration on product security has enabled EMC to help shape and quickly adopt best practices that raise everyone s level of trust in technology. EMC is committed to comprehensive product security programs that are built-in, transparent, and trustworthy. For more information on the EMC product security approach, refer to This Federation Software-Defined Data Center solution integrates the best of EMC and VMware products and services and empowers IT organizations to accelerate implementation and adoption of a software-defined data center, while still enabling customer choice for the compute and networking infrastructures within the data center. The solution caters to customers who want to preserve their investment and make better use of their existing infrastructure and to those who want to build out new infrastructures dedicated to a software-defined data center. The transition from either a physical or a partially virtualized infrastructure to a full software-defined data center enables a transformative approach to providing security. While many of the same threats to physical environments still exist in the software-defined data center model, there are new ways to mitigate those threats by using the powerful capabilities of the Federation Software-Defined Data Center. Network segments and boundaries become fluid as switches, routers, and load balancers can be provisioned as needed to ensure dynamically changing 14

15 Chapter 1: Executive Summary environments remain secure, no longer dependent on hardware procurement or provisioning. The traditional firewalling of North-South directed network traffic can easily be extended to enforce restrictions on East-West traffic as well, allowing true microsegmentation of applications, application sub-tiers (web, middleware, and database), and application environments (development, test/qa, and production). Newly provisioned virtual machines can inherit security postures based on their role. Host-based security controls can run as hypervisor kernel-level processes, allowing virtual machines to consume these services without requiring additional software to be installed in every guest virtual machine. This solution takes advantage of the strong integration between EMC technologies and the VMware vcloud Suite. The solution, developed by EMC and VMware product and services teams includes EMC scalable storage arrays, integrated EMC and VMware monitoring, VMware software-defined networking and security, and data protection suites to provide the foundation for enabling cloud services within the customer environment. Key components This section describes the key components of the solution, as shown in Figure 1. Figure 1. Federation Software-Defined Data Center key components Data center virtualization and cloud management VMware vcloud Automation Center VMware vcloud Automation Center (vcac) enables customized, self-service provisioning and lifecycle management of cloud services that comply with established business policies. vcac provides a secure portal where authorized administrators, developers, and business users can request new IT services and manage existing computer resources from predefined user-specific menus. 15

16 Chapter 1: Executive Summary VMware vsphere ESXi and VMware vcenter Server VMware vsphere ESXi is a virtualization platform for building cloud infrastructures. vsphere enables you to run your business-critical applications to meet your most demanding service level agreements (SLAs) at the lowest total cost of ownership (TCO). vsphere combines this virtualization platform with the award-winning management capabilities of VMware vcenter Server. This solution gives you operational insight into the virtual environment for improved availability, performance, and capacity utilization. VMware vcenter Orchestrator VMware vcenter Orchestrator (vco) is an IT process automation engine that helps automate the cloud and integrates the vcloud Suite with the rest of your management systems. vco enables administrators and architects to develop complex automation tasks within the workflow designer. The vco library of pre-built activities, workflows, and plug-ins helps accelerate the customization of vcac standard capabilities. VMware NSX for vsphere VMware NSX for vsphere is the next generation of software-defined network virtualization. Features include distributed logical routing, distributed firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). Where workloads on different subnets share the same host, the distributed logical router (DLR) optimizes traffic flows by routing locally. This enables substantial performance improvements in throughput, with distributed logical routing and firewalling providing line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host. NSX also introduces Service Composer, which integrates with third-party security services. VMware vcenter Configuration Manager VMware vcenter Configuration Manager automates configuration and compliance management across your virtual, physical, and cloud environments, assessing them for operational and security compliance. It automates critical configuration and compliance management tasks, and supports configuration management across virtual and physical servers, VMware infrastructure, and multiple operating systems. In addition, vcenter Configuration Manager integrates with vsphere to deliver the fundamental capabilities that support VMware infrastructure hardening, including deep configuration data collection, change tracking, and compliance assessment. Visibility into your compliance posture is provided through access to compliance toolkits that cover a broad range of standards, including security best practices, vendor-hardening guidelines, and regulatory mandates. VMware vcenter Operations Manager VMware vcenter Operations Manager (vc Ops) is a key component of the vcenter Operations Management Suite. It provides a simplified approach to operations management of vsphere, and physical and cloud infrastructures. vc Ops provides operations dashboards to gain insights and visibility into the health, risk, and efficiency of your infrastructure, performance management, and capacity optimization capabilities. It enables root cause analysis with advisory tools and orchestration 16

17 Chapter 1: Executive Summary workflows to enable optimal resource utilization, operational efficiency, and enforcement of configuration standards. VMware vcenter Log Insight VMware vcenter Log Insight delivers automated log management through log aggregation, analytics, and search. With an integrated cloud operations management approach, it provides the operational intelligence and enterprise-wide visibility needed to proactively enable service levels and operational efficiency in dynamic software-defined data center environments. VMware IT Business Management Suite VMware IT Business Management (ITBM) Suite provides transparency and control over the cost and quality of IT services. By providing a business context to the services that IT offers, ITBM helps IT organizations move from a technology orientation to a service-broker orientation, delivering a portfolio of IT services that aligns with the needs of business stakeholders. EMC storage services EMC ViPR EMC ViPR is a lightweight, software-only solution that transforms existing storage into a simple, extensible, and open platform. ViPR extends current storage investments to meet new cloud-scale workloads, and enables simple data and application migration out of public clouds and back under the control of IT (or vice versa). ViPR gives IT departments the ability to deliver on-premises, fully automated storage services at price points that are at or below public cloud providers. EMC VNX and EMC Symmetrix VMAX EMC VNX and EMC Symmetrix VMAX are powerful, trusted, and smart storage array platforms that provide the highest level of performance, availability, and intelligence in the software-defined data center. VNX and VMAX storage systems offer a broad array of functionality and tools, such as Fully Automated Storage Tiering for Virtual Pools (FAST VP), enabling multiple storage service levels to support ViPR-driven storage-as-a-service offerings in the software-defined data center environment. EMC ViPR SRM EMC ViPR SRM, storage resource management software, provides comprehensive monitoring, reporting, and analysis for heterogeneous block, file, and virtualized storage environments. It enables you to visualize applications to storage dependencies, monitor and analyze configurations and capacity growth, and optimize your environment to improve return on investment. 17

18 Chapter 1: Executive Summary Terminology Table 1 lists the terminology used in the guide. Table 1. Terminology Term ACL AD AIA API Avamar MCCLI BGP CA CBT CDP CNAME CRL CSR DHCP DFW DLR FQDN HSM IaaS IIS IS-IS LAG LDAP LDAPS OSPF PEM Definition Access control list Active Directory Authority Information Access Application programming interface Avamar Management Console Command Line Interface Border Gateway Protocol Certification authority Changed Block Tracking CRL Distribution Point A canonical name record in DNS used to resolve an alias to an actual hostname Certificate Revocation List that contains a list of serial numbers of revoked certificates Certificate Signing Request Dynamic Host Configuration Protocol NSX distributed firewall NSX distributed logical router Fully qualified domain name Hardware security module Infrastructure as a service Internet Information Services Intermediate System to Intermediate System Link aggregation that bundles multiple physical Ethernet links between two or more devices into a single logical link can also be used to aggregate available bandwidth, depending on the protocol used. Lightweight Directory Access Protocol LDAP over SSL Open Shortest Path First Privacy-Enhanced Mail 18

19 Chapter 1: Executive Summary Term PKI PVLAN SAML SSL STP TLS TACACS vcac blueprint vcac business group vcac fabric group vds VLAN VRF VSI VXLAN Definition Public key infrastructure Private virtual LAN Security Assertion Markup Language is an open standard for exchanging authentication and authorization between an identity provider and a service provider Secure Sockets Layer, now superseded by Transport Layer Security (TLS) which offers better security Spanning Tree Protocol Transport Layer Security Terminal Access Controller Access Control System A blueprint is a specification for a virtual, cloud, or physical machine and is published as a catalog item in the vcac service catalog A set of users, often corresponding to a line of business, department, or other organizational unit, that can be associated with a set of catalog services and infrastructure resources A collection of virtualization compute resources and cloud endpoints and is managed by one or more vcac fabric administrators Virtual distributed switch Virtual local area network Virtual routing and forwarding Virtual Storage Integrator Virtual Extensible LAN 19

20 Chapter 1: Executive Summary Federation Software-Defined Data Center security documentation This solution has been secured where appropriate by implementing the recommendations in the product security guides from EMC and VMware listed in Table 2. Table 2. Product security guides Publication EMC Product Security white paper Part Number H13230 EMC VNX Series Security Configuration Guide for VNX P/N REV. 02 EMC Symmetrix Security Configuration Guide REV 02 EMC ViPR Version Security Configuration Guide P/N REV. 01 EMC Avamar 7.0 Product Security Guide P/N REV 03 EMC Avamar 7.0 Extended Retention Security Guide P/N REV 01 EMC Data Domain Version 5.5 Product Security Guide REV 01 VMware vcenter Configuration Manager Security Guide vsphere Security ESXi 5.5 vcenter Server 5.5 Description This white paper describes how EMC embeds security in the company s product development, deployment, and maintenance practices, as well as in its supply chain. This document provides information about features and configuration options that are available for configuring secure system operation and storage processing. It explains why, when, and how to use these security features. This guide helps you to securely deploy, use, and maintain Solutions Enabler version 7.6 and Unisphere for VMAX version 1.6. This guide provides an overview of security configuration settings available in EMC ViPR, secure deployment and usage settings, and secure maintenance and physical security controls needed to ensure secure operation of EMC ViPR. EMC Avamar is backup and recovery software with integrated data deduplication technology. This Product Security Guide provides an overview of the settings and security provisions that are available in Avamar to ensure secure operation of the product. This document describes how to configure security features for the EMC Avamar extended retention feature. This document describes the key security features of EMC Data Domain systems and provides the procedures required to ensure data protection and appropriate access control. This security guide describes how to harden vcenter Configuration Manager for secure use. This security guide provides information about securing your vsphere environment for VMware vcenter Server and VMware ESXi. 20

21 Chapter 1: Executive Summary Publication vsphere 5.5 Security Hardening Guide VMware vcenter Log Insight Security Guide VMware vshield Installation and Upgrade Guide VMware NSX Network Virtualization Design Guide VMware NSX 6 Documentation Center Hardened Appliance Operations Guide Description This guide covers hardening the following components of vsphere: Virtual machines ESXi hosts Virtual network vcenter Server and its database and clients. Common vcenter and Windows-specific guidance is here. vcenter Web Client vcenter SSO Server vcenter Virtual Appliance (VCSA) specific guidance vcenter Update Manager This guide provides a reference to the security features of Log Insight. This guide describes how to install and configure the VMware vshield system by using the vshield Manager user interface, the vsphere Client plug-in, and command line interface (CLI). The information includes step-by-step configuration instructions, and suggested best practices. This guide provides an overview of VMware s NSX network virtualization platform. This VMware NSX 6 documentation center provides information about installing, configuring, and using NSX. This guide addresses the site specific technical requirements required to meet Security Technical Information Guides (STIG). 21

22 22 Chapter 1: Executive Summary

23 Chapter 2: Software-Defined Data Center Overview Chapter 2 Software-Defined Data Center Overview This chapter presents the following topics: Overview Automation and self-service provisioning Multitenancy and secure separation Workload-optimized storage Elasticity and service assurance Monitoring and resource management Metering and chargeback Modular add-on components Public cloud services EMC and VMware integration Summary

24 Chapter 2: Software-Defined Data Center Overview Overview The Federation Software-Defined Data Center solution enables a well-run softwaredefined data center by bringing new functionality to IT organizations, developers, end users, and line-of-business owners. In addition to delivering baseline infrastructure as a service (IaaS), built on the software-defined data center (SDDC) architecture, the Federation Software-Defined Data Center also delivers feature-rich capabilities to expand from IaaS to business-enabling IT as a service (ITaaS). Backup as a service (BaaS) and disaster recovery as a service (DRaaS) are now policies that can be enabled with just a few clicks. End users and developers can quickly gain access to a marketplace of application resources from Microsoft, Oracle, SAP, EMC Syncplicity, and Pivotal, and they can add third-party packages as needed. All these resources can be deployed on private cloud or public cloud services from EMC-powered cloud service providers, including VMware vcloud Air. This solution includes the following features and functionality, as shown in Figure 2. Automation and self-service provisioning Multitenancy and secure separation Workload-optimized storage Elasticity and service assurance Monitoring and resource management Metering and chargeback EMC and VMware integration 24

25 Chapter 2: Software-Defined Data Center Overview Figure 2. Federation Software-Defined Data Center features and functionality Automation and self-service provisioning This solution provides self-service provisioning of automated cloud services to both end users and infrastructure-level administrators. It uses VMware vcloud Automation Center (vcac), integrated with EMC ViPR and VMware NSX, to provide the compute, storage, network, and security virtualization platforms for the SDDC. These platforms enable you to rapidly deploy and provision business-relevant cloud services across your software-defined data center and physical infrastructure. Cloud users can request and manage their applications and compute resources within established operational policies; this can reduce IT service delivery times from days or weeks to minutes. Features include: Cross-cloud storefront: Acts as a service governor that provisions workloads based on business and IT policies Role-based self-service portal: Delivers a user-appropriate catalog of IT services Resource reservations: Enable resources to be allocated for use by a specific group and ensure those resources are inaccessible to other groups Service levels: Define the amount and type of resources a specific service can receive either during the initial provisioning or as part of any configuration changes 25

26 Chapter 2: Software-Defined Data Center Overview Build specifications: Contain the automation policies that specify the process for building or reconfiguring compute resources In this solution, vcac provides lines of business with the ability to rapidly deploy and provision applications and services to the cloud platform as and when their needs demand. vcac provides the ability to take a shared infrastructure and divide it into logical units and capacities that can be assigned to different business units. Using role-based entitlements, business users can choose from their own self-service catalog of custom-defined services and blueprints. Each user s catalog presents only the virtual machines, applications, and service blueprints they are entitled to, based on their assigned role within the business. Service blueprints enable cloud infrastructure administrators to add services created by EMC that take advantage of ViPR for automated storage services, and Avamar and Data Domain for data protection services. Virtual machine and application blueprints can be single machine or multimachine, covering both bare metal server deployments and virtual machine deployments. Multitier enterprise applications requiring multiple components (application, database, and web) and service levels can be deployed easily from predefined blueprints. Figure 3 shows the Federation Software-Defined Data Center self-service portal in VMware vcac. Figure 3. Self-service provisioning through the vcac portal Data protection policies can be applied to virtual machine resources at provisioning time, which later enables users to request on-demand backups and restores of their 26

27 Chapter 2: Software-Defined Data Center Overview virtual machines, and generation of backup reports, all from the vcac self-service portal. As part of the vcac provisioning process, NSX virtual routing can be used to provide an on-demand deployment model for creating custom networks, which support NSX edge routers and logical switches. This enables a custom configuration to be built as part of a multimachine provisioning process. This solution is built to work with new and existing infrastructures. It supports the differing requirements of an enterprise s many business units, and integrates with a wide variety of existing IT systems and best practices. Multitenancy and secure separation Multitenancy requirements in a cloud environment can range from shared, open resources to completely isolated resources, secure from any access. This solution provides the ability to enforce physical and virtual separation for multitenancy, offering different levels of security to meet business, security policy, and/or regulatory compliance requirements. This separation can encompass network, compute, and storage resources, to ensure appropriate security and performance for each tenant. The solution supports secure multitenancy through vcac role-based access control (RBAC), enabling vcac roles to be mapped to Active Directory groups. vcac uses existing authentication and business groupings. The self-service portal shows only specific views, functions, and operations based on the role within the business. Physical resource separation can be achieved in vcac to isolate tenant resources or to isolate and contain compute resources for licensing purposes, for example, Oracle. Virtual resource separation can be achieved between and within resource groups, depending on the level of separation required. Virtualized compute resources within the software-defined data center are objects inherited from the vsphere endpoint, most commonly representing VMware vsphere ESXi hosts, host clusters, or resource pools. Compute resources can be configured at the vsphere layer to ensure physical and logical separation of resources between functional environments such as Production or Test and Development (Test/Dev). Valid concerns exist around information leakage and nosy neighbors on a shared network infrastructure. Consumers of the provisioned resources need to operate in an isolated environment and benefit from infrastructure standardization. To address these concerns, this solution has been designed for multitenancy. We 1 approached this from a defense-in-depth perspective, which is demonstrated through: Implementing virtual local area networks (VLANs) to enable isolation at Layer 2 in the cloud management platform and where the solution intersects with the physical network 1 In this document, "we" refers to the Federation engineering team that validated the solution. 27

28 Chapter 2: Software-Defined Data Center Overview Using VXLAN overlay networks to segment tenant and business group traffic flows Integrating with firewalls functioning at the hypervisor level to protect virtualized applications and enabling security policy enforcement in a consistent fashion throughout the solution Deploying provider and business group edge firewalls to protect the business group and tenant perimeters Security This solution enables customers to enhance security by establishing a hardened security baseline across the hardware and software stacks that support their Federation Software-Defined Data Center infrastructure. The solution helps to reduce concerns around the complexities of the underlying infrastructure by demonstrating how to tightly integrate an as-a-service solution stack with public key infrastructure (PKI) and a common authentication directory to provide centralized administration and tighter control over security. The solution addresses the challenges of securing authentication and configuration management to aid compliance with industry and regulatory standards through: Securing the infrastructure by integrating with a PKI to provide authenticity, non-repudiation, and confidentiality Converging the various authentication sources into a single directory to enable a centralized point of administration and policy enforcement Using configuration management tools to generate infrastructure reports for audit and compliance purposes VMware NSX for vsphere NSX for vsphere can be used in the Federation Software-Defined Data Center to enable a rich networking and security feature set. Enhanced networking and security features in NSX include: NSX logical routing and firewalls: Provide line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host. Distributed logical routers: Contain East-West traffic and North-South traffic within the hypervisor where workloads reside on the same host. Logical load balancer: Enables load sharing across a pool of virtual machines with configurable health-check monitoring and application-specific rules for service high availability, URL rewriting, and TLS/SSL pass-through and offload capabilities. A distributed firewall (DFW) enables consistent data-center-wide security policies. Security policies: Can be applied directly to security groups enabling greater flexibility in enforcing security policies. Policies can be based on virtual machine attributes such as VM name, Guest OS, or applied tags, allowing 28

29 Chapter 2: Software-Defined Data Center Overview dynamic workloads and shifting environments to be automatically assigned appropriate security policies. Workload-optimized storage This solution enables customers to take advantage of the proven benefits of EMC storage in a software-defined data center environment. Using EMC ViPR storage services and the capabilities of VNX and VMAX, this solution provides softwaredefined storage-policy-based management of block- and file-based virtual storage. With a scalable storage architecture that uses the latest flash and tiering technologies, VNX and VMAX storage arrays enable customers to meet any workload requirements with maximum efficiency and performance in the most cost-effective way. With ViPR, the storage configuration is abstracted and presented as a single storage control point, enabling cloud administrators to access all heterogeneous storage resources within a data center as if they were a single large array. Storage administrators are able to maintain control of their storage resources and policies, while the cloud administrator is able to automatically provision storage resources into the cloud infrastructure. Elasticity and service assurance This solution uses a combination of tools to provide the intelligence and visibility required to proactively ensure service levels in virtual and cloud environments. Using vcac and tools provided by the Federation, administrators and end users can dynamically add resources as needed, based on their performance requirements. Infrastructure administrators can add storage, compute, and network resources to their resource pools, while end users can expand the resources of their own virtual machines to achieve the service levels they expect for their application workloads. Cloud users can select from a range of service levels of compute, storage, and data protection for their applications to achieve the most efficient use of the resources within their software-defined data center environment. Monitoring and resource management This solution features automated monitoring capabilities that provide IT administrators with a comprehensive view of the cloud environment to enable smart decision making for resource provisioning and allocation. These capabilities are based on a combination of vc Ops dashboards, alerts, and analytics, using extensive additional storage detail provided by EMC analytics adapters for ViPR, VNX, and VMAX. vc Ops provides pre-built and configurable dashboards for real-time performance, capacity, and configuration management. Performance data is abstracted to health, risk, and efficiency metrics that enable IT administrators to easily identify evolving 29

30 Chapter 2: Software-Defined Data Center Overview performance problems. Installing the EMC ViPR Analytics adapter on vc Ops enables full end-to-end visibility of the entire infrastructure, from virtual machine to LUN and every point in between. The ViPR Analytics and EMC Storage Analytics (ESA) packs are presented through the vc Ops custom interface. This enables administrators to quickly recognize the health of EMC ViPR virtual arrays and physical EMC VMAX and VNX block and file arrays using customized EMC dashboards for vc Ops, such as the EMC ViPR dashboard shown in Figure 4. Figure 4. EMC ViPR Analytics with VMware vcenter Operations Manager Capacity analytics in vc Ops identify over-provisioned resources so they can be rightsized for the most efficient use of virtualized resources. What-if scenarios eliminate the need for spreadsheets, scripts, and rules of thumb. EMC ViPR SRM offers comprehensive monitoring and reporting for this softwaredefined data center solution that helps IT visualize, analyze, and optimize their software-defined storage infrastructure. Cloud administrators can use ViPR SRM to understand and manage the impact that storage has on their applications and view their storage topologies in their software-defined data center from application to storage. Capacity and consumption of EMC ViPR software-defined storage and SLA issues can be identified through real-time dashboards or reports in order to meet the needs of the wide range of software-defined data center users. In addition, for centralized logging, infrastructure components can be configured to forward their logs to VMware vcenter Log Insight, which aggregates the logs from all the disparate sources for analytics and reporting. When integrated with vcenter Log Insight, EMC content packs for Avamar, VNX, and VMAX provide customizable 30

31 Metering and chargeback Chapter 2: Software-Defined Data Center Overview dashboards and user-defined fields specifically for those EMC products, which enable administrators to conduct problem analysis and analytics on the storage array and backup infrastructure. The solution uses ITBM Suite to provide cloud administrators with metering and cost information across all business groups in the enterprise. ITBM indicates the cost of a virtual machine and blueprints based on business units and application groups across the software-defined data center environment. VMware ITBM Standard Edition uses its own reference database, which has been preloaded with industry-standard and vendor-specific data to generate the base cost of virtual CPU (vcpu), RAM, and storage values. These prices, which default to cost of CPU, RAM, and storage, are automatically consumed by vcac, where the cloud administrator can change them as appropriate. This eliminates the need to manually configure cost profiles in vcac and assign them to compute resources. ITBM is integrated into the vcac portal for the cloud administrator and presents a dashboard overview of the software-defined data center infrastructure, as shown in Figure 5. Figure 5. ITBM Suite overview dashboard for software-defined data center ITBM is also integrated with VMware vcenter and can import existing resource hierarchies, folder structures, and vcenter tags to associate software-defined data center resource usage with business units, departments, and projects. 31

32 Chapter 2: Software-Defined Data Center Overview Modular add-on components Data protection services Using vcenter Orchestrator workflows customized by the Federation, administrators can quickly and easily set up multitier data protection policies and enable users to select an appropriate policy when provisioning their virtual machines. The backup infrastructure takes advantage of Avamar and Data Domain features such as deduplication, compression, and VMware integration. Avamar provides scalable backup and restore capabilities with integrated data deduplication, which reduces total disk storage by up to 50 times and enables costeffective, long-term retention on Avamar Data Store servers. Avamar can alternatively use a Data Domain appliance as the backup target. Using the vcac application program interface (API) and extensibility toolkits, this solution implements custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a single organization or multiorganization software-defined data center environment. With this solution, enterprise administrators can offer IaaS with EMC backup to end users who want a flexible, on-demand, automated backup infrastructure without having to purchase, configure, or maintain it. Disaster recovery The Federation Software-Defined Data Center enables cloud administrators to select disaster recovery (DR) protection for their applications and virtual machines when deploying from the vcac self-service catalog. EMC ViPR automatically places these systems on storage that is protected remotely by EMC RecoverPoint. VMware vcenter Site Recovery Manager, through tight integration with the EMC RecoverPoint Storage Replication Adapter (SRA), can automate the recovery of all virtual storage and virtual machines at a recovery or failover site. Public cloud services This Federation Software-Defined Data Center solution enables IT organizations to broker public cloud services. This solution has been validated with VMware vcloud Air as a public cloud option that can be accessed directly from the solution's selfservice portal by administrators and users. End users can provision virtual machines, while IT administrators can use VMware vcloud Connector to perform virtual machine migration (offline) from the on-premises component of their software-defined data center to vcloud Air. 32

33 Chapter 2: Software-Defined Data Center Overview EMC and VMware integration This Federation Software-Defined Data Center solution contains many integration points between EMC and VMware products. This section highlights some of the key integration points and how they fit into the overall solution. Some of the integration points between VMware components and EMC ViPR are shown in Figure 6. Figure 6. EMC ViPR integration points with VMware components Storage services While being managed by ViPR, VNX and VMAX storage arrays both support VMware vsphere Storage APIs Array Integration (VAAI), which offloads virtual machine operation to the array to optimize server performance. The ViPR Storage Provider integrates ViPR with VMware vsphere Storage APIs Storage Awareness (VASA). This enables vcenter administrators to view the storage capabilities of ViPR provisioned storage and manage association of these file systems and volumes or LUNs with their ViPR virtual pools. This service runs on the ViPR appliance and a connection is configured in vcenter for communications. All VMware vsphere ESXi servers in this solution run EMC PowerPath/VE for automatic path management and load balancing in the SAN. EMC PowerPath/VE automates failover and recovery and optimizing load balancing of data paths in virtual environments to ensure availability, performance, and the ability to scale-out mission-critical applications. Orchestration The ViPR plug-in for VMware vcenter Orchestrator (vco) provides an orchestration interface to the EMC ViPR software platform. The EMC ViPR plug-in has pre-packaged workflows used through the vco client and other clients that support vco integration. The pre-packaged workflows contain sets for common ViPR operations and sets of building block workflows intended for detailed ViPR operations. The EMC ViPR plug-in is installed in the vco configuration interface. 33

34 Chapter 2: Software-Defined Data Center Overview Operational management and monitoring The EMC ViPR Analytics pack for vc Ops provides advanced metrics for virtual resources at the EMC ViPR virtual array and virtual pool level. The ESA adapter for EMC VNX and VMAX provides preconfigured dashboards for VMware vc Ops users to view storage metrics and topologies of the individual storage components beneath EMC ViPR. EMC also provides storage and data protection content packs for use with VMware vcenter Log Insight. EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those EMC products that enable administrators to conduct problem analysis. Metering EMC ViPR Storage Provider plays a key role in this solution in identifying the capabilities of the storage presented to ESXi servers managed by vcenter. A storage profile is created in vcenter for each class, or tier, of storage presented by ViPR. These storage profiles are used by VMware ITBM to classify and charge for each tier of storage presented and consumed in vcac. Summary This solution enables enterprise customers to build an enterprise-class, scalable, multitenant platform for complete management of their compute service lifecycle. It provides on-demand access and control of compute resources and security while enabling enterprise customers to maximize asset use. Specifically, this solution integrates all of the key functionality that customers demand, and provides a framework and foundation for adding other services. This solution supports a VMware vcloud Suite stack with EMC storage and data protection services, providing customers with the flexibility to deliver cloud-based services with the functionality to which they are accustomed. 34

35 Chapter 3: Public Key Infrastructure Chapter 3 Public Key Infrastructure This chapter presents the following topics: Overview Enterprise PKI architecture Enterprise PKI solution integration Summary

36 Chapter 3: Public Key Infrastructure Overview Integrating a PKI infrastructure in a multitenant software-defined data center environment ensures that all the components that use or rely on X.509 certificates and technology are trusted. By default, components are installed or factory shipped with self-signed X.509 certificates that are untrusted, because you cannot verify the authenticity of who issued or signed them. In such an environment, an attacker could impersonate a device or application to perform man-in-the-middle attacks or harvest administrative credentials for subsequent use in compromising other systems on the network. The impact of such an attack is more serious because of the privileges usually given to systems administrators to fulfill their duties. Certain regulated industries and governments require the use of trusted certificates only. Integration with a trusted PKI addresses this problem by establishing a chain of trust from the trusted X.509 certificate installed on the device or application and through the issuing certification authority (CA) to the root CA. In addition, it provides a means to validate this trust by publishing Authority Information Access (AIA) and Certificate Revocation Lists (CRLs). This chapter provides an overview of integrating the Federation Software-Defined Data Center solution stack and supporting infrastructure into an enterprise PKI hierarchy. This does not cover PKI policies, registration authorities (RAs), validation authorities (VAs), or other components typically used in the PKI. Design considerations for these components should be taken into account when implementing PKI with your organization and are outside the scope of this guide. The private keys used by the CAs should be safeguarded. Use network-based hardware security modules (HSMs) in a virtualized environment to store the CAs private keys in a secure manner with tamper protection. HSMs can also provide offloading of certain cryptographic processing for symmetric or asymmetric needs where performance and speed is a requirement. Note: Transport Layer Security (TLS) is a standard for a cryptographic protocol that is closely related to Secure Sockets Layer (SSL). Both use X.509 certificates and asymmetric authentication between the client and server to exchange the symmetric key used to encrypt the communication session between the endpoints. TLS has supplanted SSL as the protocol used to provide security for client-server encryption as it offers significantly improved security. Throughout this guide there may be references to SSL; however. TLS compatible configurations and certificates have been implemented. 36

37 Chapter 3: Public Key Infrastructure Enterprise PKI architecture Figure 7 shows the hierarchal relationship of the PKI environment with the root selfsigned certificate, the issuing CA certificate, and the end-entity-issued certificates. Figure 7 also shows the trust relationship between the end-entity certificates used in this solution and the end user. Figure 7. PKI hierarchy for the Federation Software-Defined Data Center solution stack All issuing CA and end-entity certificates contain the Authority Information Access (AIA) extension, which contains URLs pointing to where the root and subordinate CA certificates in the certificate chain are located. The issuing CA and end-entity certificates also contain the CRL Distribution Point (CDP) extension, which contains URLs pointing to the location of the CRL for the CAs. The end-entity certificates were issued by the subordinate CA and requested with a subject alternative name (subjectaltname, also abbreviated to SAN) that consists of a fully qualified domain name (FQDN), hostname, and IP address. 37

38 Chapter 3: Public Key Infrastructure Root certificate authority In this solution, we installed the root CA (ESG lab root certificate authority) on a dedicated Microsoft Windows 2012 Server standalone virtual machine. For this environment, the validity period for both the certificates and CRL issued by the root CA was set to five years. After the periods were set, we configured the location of a copy of the root CA certificate and CDPs for the root CA. Because the root CA is typically offline, it is important that the AIAs and CRLs are available on systems other than the root CA, and the root certificate is configured with the location of the AIA and CDPs. In this solution, these are published on the issuing CA. After you have configured the root CA, back it up using the certificate services CA backup utility. This enables you to create a backup of the root CA s private key, CA certificate, certificate database, and certificate database log. Also, it is important that you install the root CA certificate on the system-wide certificate stores on all systems in this environment. Subordinate (or issuing) CA As a prerequisite to starting the subordinate CA configuration, the root CA certificate must be installed on the system-wide certificate store on the Microsoft Windows Server that is used as the subordinate CA. After the root CA certificate is installed, and after joining the domain, the necessary Active Directory Certificate Services and Internet Information Services (IIS) roles can be installed. Because we joined the server to the Active Directory domain, we can deploy this subordinate CA as an enterprise-type installation that enables integration with Active Directory and the auto-enrollment of clients. After the subordinate CA certificate signing request (CSR) is submitted to the root CA and issued, install it on the subordinate CA and start the CA service. The certificate and CRL for the root CA are published to Active Directory and to a folder on the server that is web accessible. We configured the subordinate CA AIA and CDP extensions to use the same locations for the subordinate CA certificate and CRLs. subjectaltname attributes in certificates In production environments, it is common for systems to be managed and accessed using the system IP address, hostname, or FQDN. However, when PKI is introduced, this behavior can result in certificate validation errors that can cause integration to fail. You can issue a certificate that contains one or more Subject Alternative Name attributes (subjectaltname), in addition to the subject name (also known as the common name). However, this is not enabled by default in Active Directory Certificate Services. Note: When designing your PKI it is important to consider the security implications of enabling this extension. Your security policy may require certain controls and processes to be put in place that are beyond the scope of this guide. The security best practices for enabling subject alternative names in certificates can be reviewed in the Microsoft TechNet Library topic How to Request a Certificate With a Custom Subject Alternative Name. 38

39 Chapter 3: Public Key Infrastructure Enterprise PKI solution integration Part of hardening the infrastructure is to replace the self-signed X.509 certificates with valid signed certificates from a trusted CA. Some organizations may choose to use an external entity for this. In this solution, we configured an internal CA using a hierarchical structure, as shown in Figure 7. This shows the CA architecture with the root at the top level, which is either offline or air-gapped. Subordinate CAs are tiered in the Active Directory forest. The PKI used in this solution is based on the deployment of the Active Directory Certificate Services. Follow best practices when designing your organization s PKI infrastructure and take additional security measures to ensure protection of the private keys in use by the CAs. Note: Hardware security modules (HSMs) can provide increased randomness and private key protection, but were not used in this solution. Microsoft Active Directory LDAP over SSL certificates Lightweight Directory Access Protocol (LDAP) is the protocol by which many applications submit authentication or authorization requests. LDAP introduces a significant security risk because credentials (username and password) are passed over the network unencrypted. This can quickly lead to credentials becoming compromised. We can significantly strengthen the security of these authentication and authorization communications by encrypting the entire LDAP session with SSL, known as LDAP over SSL or LDAPS. By default, Active Directory is not configured to support LDAPS so certain steps must be taken to enable integrate Active Directory with a trusted PKI to enable LDAPS. The Active Directory LDAP over SSL (LDAPS) certificate is issued by the subordinate CA and requested on each participating domain controller using the Certificates snap-in added to the Microsoft Management Console (MMC). The certificate is installed in the domain controller certificate store and is used by Active Directory Domain Services to apply to LDAP communications to secure authentication and authorization requests. VMware vcenter Log Insight To update the trusted CA certificate stores for vcenter Log Insight, add the trusted CA chain to both the OpenSSL certificate store and Java CA certificate (cacerts) keystore. When you have established trust with the root and issuing CAs, you can generate the private key and CSR using OpenSSL and combine the resulting signed certificate with the private key and convert it to a PEM-formatted certificate. Install it through the https://vcenter-log-insight_fqdn/admin/ssl/ web interface. 39

40 Chapter 3: Public Key Infrastructure VMware vcenter Orchestrator vco has two elements that use self-signed certificates by default. Replace the selfsigned certificates used for both the vco server engine and the vco management web server to protect the applications communications with other components and the web management interface. vco Server certificate In preparation, import the root and issuing CA certificates using the vco Certificates Manager tool in the vco client. The CSR can be generated using the Server Certificate UI of the vco Configurator and submitted to the issuing CA. The resulting signed certificate is then imported using the Server Certificate UI. vco web server certificate Replacing the vco web server self-signed certificate protects the management interface. In preparation, import the root and issuing CA certificates to the jssecacerts keystore using the vco-installed Java keytool utility. The Java keytool utility is then used to regenerate the dunes private key and CSR that can be submitted to the issuing CA. The resulting signed certificate is imported to the jssecacerts keystore. VMware vcenter Operations Manager To establish the certificate validation chain, add the trusted CA chain to both the OpenSSL certificate store and Java cacerts keystore. Then generate a private key and CSR using OpenSSL that can be submitted to the issuing CA. The resulting signed certificate is combined with the private key and converted to a PEM-formatted certificate that is then installed through the https://vcops_fqdn/admin web interface. VMware vcenter Single Sign-On The certificate requirements of vsphere 5.5 differ significantly from vsphere 5.0 because of the introduction of vcenter Single Sign-On (SSO) as a mandatory prerequisite to installing VMware vcenter Server. vcenter SSO provides an authentication interface called Security Token Service (STS) that enables administrators or applications to authenticate with a defined security domain or identity source such as Active Directory or OpenLDAP. If successful, the credentials are exchanged for a SAML 2.0 token that is then used to interact with the various vsphere platform applications. During the interaction between components, the client verifies the authenticity of the certificate presented during the TLS handshake phase, before encryption, which protects against man-in-the-middle attacks. Each VMware SSO-enabled component registers with SSO using the client end-entity certificate and requires a unique certificate, as detailed in Table 3. The exceptions are the vcac components and ITBM that register with and use the VMware Identity Appliance for SSO and are available to download as part of vcac. Note: The requirement for vcac and ITBM to use the Identity Appliance as an SSO source is no longer present if vcenter 5.5.0b or later is deployed. This version of vcenter SSO supports integration of vcac and ITBM. 40

41 Chapter 3: Public Key Infrastructure Table 3. Certificates and keystore types for vcloud Suite 5.5 deployment Component Keystore Private key Full certificate chain vcenter Single Sign-On N/A Y Y vcenter Inventory Service N/A Y Y vcenter Server N/A Y Y vcenter Log Browser N/A Y Y vcenter Log Insight N/A Y N vcenter Operations Manager N/A Y N vcenter Orchestrator N/A Y Y vsphere Web Client N/A Y Y vsphere Update Manager N/A Y Y vsphere ESXi N/A Y Y In this context, what distinguishes a vsphere component certificate is the subject Organizational Unit (OU) value. This is important because vcenter SSO looks exclusively at this attribute to determine if the vsphere service is already registered or not. The subject Distinguished Name (DN) value is stored in the SSO database as the primary key for each certificate, rather than the hash, thumbprint, or any other attribute. This is important where multiple vcenter services are deployed, as recommended, in a single virtual machine. In this case, the common name and other attributes may be identical, leading to the possibility of the same subject DN being used across services. Ensure that the new SSL certificate for each vsphere component has a unique subject DN encoded within the certificate. You can achieve this by specifying an additional attribute such as a unique OU for each certificate request. Note: Having a unique OU is one way to achieve a unique subject DN, but other attributes can be used. A unique OU is not mandatory as it is only part of the subject DN. For more details on identifying the constituent components of a subject DN, refer to Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280). To address some of these complexities, VMware released the vcenter Certificate Automation Tool 5.5. It can automatically generate the certificate-signing requests, update, or replace existing certificates, and establish trust between the VMware components, but it does not handle the replacement of ESXi certificates or have certificate requests signed or renewed by a trusted CA. 41

42 Chapter 3: Public Key Infrastructure VMware vcloud Automation Center Identity appliance Ideally, the self-signed certificate should be replaced immediately after the appliance is deployed and before SSO is instantiated or solutions registered. SSO uses the configured SSL certificate to establish trust with the subsequent registration of solution components. Performing this as a first step avoids potential issues and reregistration. Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI with the PEM-formatted private key. vcac appliance Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI with the PEM-formatted private key. Infrastructure as a service (IaaS) VMware recommends using a domain certificate for vcac that can be requested using the IIS management console, and the request is then submitted to the issuing CA. You can also generate a CSR from the IIS management console if you want to include subjectaltname attributes. When the certificate is issued, use the IIS management console to install it and configure the binding on port 443 to use the trusted certificate. This is repeated on all vcac components using IIS. When the certificate is replaced, re-register the IaaS endpoints to vcac. VMware NSX for vsphere Generate a private key and CSR using OpenSSL that can be submitted to the issuing CA. The resulting signed certificate is combined with the private key and CA chain and converted to a PKCS#12 keystore. The keystore is then imported using the SSL Certificates configuration page through the Manage Appliance Settings UI in NSX Manager. VMware vsphere ESXi Generate a PEM-formatted private key and CSR for each ESXi host on a system with OpenSSL installed. Place the host in maintenance mode and transfer the private key and signed PEM-formatted certificate. Reboot the ESXi host for the new certificate to take effect. EMC Avamar The Avamar server provides a management web interface that uses a self-signed digital certificate for identification and encryption. To use a certificate that is signed by your own certification authority, create a private key in addition to a certificatesigning request on a system with OpenSSL installed and submit it to the issuing CA. When issued, transfer the private key signed certificate to the Avamar server. Also, install the root and issuing chain certificates to the Apache ca.crt certificate store and restart the Apache daemon. 42

43 Chapter 3: Public Key Infrastructure Before you can create a certificate-signing request, you must delete the default tomcat alias from the keystore and generate a new key with the server-specific data. When this is done, and the CSR is created and submitted to the issuing CA, import the root CA, issuing CA, and trusted certificates into the keystore using the root, intermediate, and tomcat aliases respectively. Restart the ems and dtlt services for the changes to take effect. EMC Data Protection Advisor The Data Protection Advisor (DPA) application server provides a management web interface that uses a self-signed digital certificate for identification and encryption. To use a certificate that is signed by your own CA, create a certificate-signing request using the DPA-installed Java keytool utility and submit it to the issuing CA. You must also install the root and issuing chain certificates to the Java cacerts keystore. When it is issued, import the signed Base64-encoded X.509 certificate into the cacerts keystore and restart the application server. EMC Unisphere Unisphere for VMAX EMC Solutions Enabler must be deployed in your environment to manage an EMC VMAX array. In addition, to encrypt the management traffic, replace the default SSL certificate that is installed when Solutions Enabler is deployed. For this solution, we installed Unisphere for VMAX on the same system on which Solutions Enabler was installed. This can be installed on a separate system and connected to the SYMAPI interface of Solutions Enabler over the network using SSL connections. Notes: The common name must contain storsrvd, followed by a space and the FQDN, as detailed in the EMC Solutions Enabler Version 7.5 Security Configuration Guide. We have also supplemented this with Subject Alternative Name values for the FQDN, short name, and IP address. Additional security features can be set based on your governing rules or regulations for security compliance. For more information, refer to the Client/Server security settings section in the EMC Solutions Enabler Version 7.5 Installation Guide. VNX Unisphere Storage processor The configuration must meet a number of conditions for this process to work correctly: Common name (domain name) must be the storage processor hostname, not FQDN. Common name (alias) must be blank. Both the common name (domain name) and common name (IPv4) must be populated. The pre-populated organization unit name must be ou=clariion. 43

44 Chapter 3: Public Key Infrastructure address must be blank. If you do not adhere to these conditions, either a failure will occur during SSL certificate installation or you will encounter certificate errors. EMC ViPR Replacing the self-signed SSL certificate on ViPR requires you to create a new keypair and CSR. After you have retrieved the issued certificate from the CA, concatenate the private key, the issued certificate, and the CA chain certificates into a single PEMformatted file. This is imported to ViPR using either the ViPR Admin portal or the ViPR CLI, and the nginx service is then restarted. Summary The infrastructure solutions stack required to deliver software-defined data center services must provide an easy means of centralized management, bringing together the software and hardware components that form the complete solution so that they can be securely managed and enforced. This section demonstrated that a Federation Software-Defined Data Center solution stack can be integrated with an enterprise PKI to ensure authenticity, strengthen authentication, and encrypt administrative communications. 44

45 Chapter 4: Converged Authentication Chapter 4 Converged Authentication This chapter presents the following topics: Overview Security and authentication Active Directory integration VMware vcenter SSO TACACS+ authentication integration Summary

46 Chapter 4: Converged Authentication Overview Security and authentication This section introduces integration of authentication mechanisms with a centralized directory and includes the following topics: Microsoft Active Directory LDAP over SSL Windows authentication and service accounts ESXi host integration with Active Directory Authorization and role mapping to Active Directory groups Terminal Access Controller Access Control System Plus (TACACS+) authentication integration A significant challenge in securing any environment is securing how credentials are used to access the solution s resources. This is addressed in part by using PKI integration to implement trusted certificates that enable authenticity of applications and devices to be verified and that encrypt administrator access to the management interfaces. Another challenge is the existence of disparate authentication containers across hardware and software components with differing account and password policies. To address this challenge, this solution covers the integration of the authentication mechanisms found in VMware, EMC, and Cisco components, and convergence with Kerberos, LDAPS, and TACACS+ authentication services by using Active Directory as a centralized directory. In this solution, Active Directory provides a single point of control for account management and policy enforcement. In addition, it is used to provide Kerberos and LDAPS authentication and authorization services. To address devices that do not integrate with Active Directory we used TACACS+ and configured it to use Active Directory as the authentication source. Figure 8 shows the hierarchy of authentication communication paths used in this solution. 46

47 Chapter 4: Converged Authentication Figure 8. Authentication relationships between the solution components Microsoft Active Directory SSL certificates for LDAPS Encrypting the authentication session is a security best practice, because account credentials are exposed in clear text when an application or system authenticates users using a simple BIND request to the directory. To enable LDAPS, an authentication certificate must be installed that meets the following requirements: The LDAPS certificate is located in the local computer's personal certificate store (programmatically known as the computer's MY certificate store), or the Active Directory Domain Services personal certificate store on every domain controller that will authenticate using LDAPS. 47

48 Chapter 4: Converged Authentication A private key that matches the certificate is present in the local computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled. This would prevent unattended restarts as a passphrase is required with every restart of the server or ADDS service. The enhanced key usage extension includes the server authentication ( ) object identifier (OID). The Active Directory FQDN of the domain controller appears in one of the following places: Common Name (CN) in the Subject field DNS entry in the Subject Alternative Name extension The certificate is issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA is chained. The key is generated by Microsoft SSL provider (Schannel) cryptographic service provider (CSP) Active Directory Domain Services LDAPS certificate If the LDAPS-enabled domain controllers are configured with multiple server authentication certificates in the local computer certificate store, problems may arise with LDAPS authentication. This is because Schannel selects the first valid certificate that it finds in the local computer store and that might not be the correct certificate. To work around this issue, the LDAPS certificate can be placed in the Active Directory Domain Services personal certificate store in Windows Server. Active Directory exclusively uses a certificate placed in the Active Directory Domain Services personal certificate store for LDAPS connections; however, there are important considerations to be made before you implement this. According to Microsoft: Automatic certificate enrollment (auto-enrollment) cannot be used with certificates in the Active Directory Domain Services personal certificate store. Current command line tools do not allow certificate management of the Active Directory Domain Services personal certificate store. Certificates should be imported into the store and not moved through the certificates console. This option is only required on a server that has multiple certificates for the purpose of server authentication in the local computer certificates store. If possible, the best solution is to have only one certificate in the local computer personal certificate store. 48

49 Chapter 4: Converged Authentication Windows authentication and service accounts In a production environment, it is a security best practice to use service accounts to track and control applications, and mitigate the impact of a potential systems compromise. The integrated Windows authentication feature in SQL Server provides better security than SQL Server authentication by taking advantage of Active Directory user security and account mechanisms. In the following sections, we detail the steps required to improve security by using integrated Windows authentication for the vcenter Server, vcac IaaS, and vsphere Update Manager SQL Server databases, and service accounts for vcenter Server, vcac IaaS, and vsphere Update Manager. Microsoft SQL Server security While SQL Server security is beyond the scope of this solution guide, we make recommendations that refer to it in subsequent sections. Specifically, we discuss why integrated Windows authentication is preferred over SQL Server authentication. We also discuss why SQL Server s services should be run under an account other than the Local System account. Integrated Windows authentication When an application connects through an Active Directory user account, SQL Server validates the account name and password using the Active Directory principal token in the operating system. This means that Active Directory confirms the user identity. SQL Server does not ask for the password and does not perform the identity validation. Integrated Windows authentication uses the Kerberos security protocol, and provides a centralized mechanism for password policy enforcement, support for account lockout, and password expiration. Integrated Windows authentication offers additional password policies that are not available for SQL Server logins. Microsoft SQL Server service accounts Microsoft recommends isolating the SQL Server services under separate, low-rights Active Directory or local user accounts for each SQL Server service to reduce the risk that one compromised service could be used to compromise other services. During the installation of SQL Server, you can specify an alternate account for the SQL Server services to use. Each service can be configured to use its own service account. SQL Server Configuration Manager should be used to manage or replace the accounts under which the services run. 49

50 Chapter 4: Converged Authentication The hierarchy of accounts (from least privileged to most privileged) that can be used is: 1. Domain user (non-administrative) 2. Local user (non-administrative) 3. Network service account 4. Local system account 5. Local user (administrative) Active Directory integration 6. Domain user (administrative) Account types 1 and 2 are preferred because they best encompass the principle of least privilege. Account type 3 is a shared account and any application or service running under this account would potentially have access to each other s data. Local system is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. Account types 5 and 6 are less secure, since they grant too many unnecessary privileges. The following solution components can be directly integrated with Active Directory: vcenter Log Insight vcenter Operations Manager vcloud Automation Center Tenant identity stores vsphere ESXi hypervisor EMC Avamar EMC Data Protection Advisor EMC Unisphere EMC ViPR VMware vcenter Log Insight Integrating Log Insight authentication with Active Directory vcenter Log Insight can integrate user authentication with Active Directory, as shown in Figure 9. If the Default Domain that you specify is trusted by other domains, Log Insight uses the default domain and the binding user to verify Active Directory users and groups in the trusting domains. 50

51 Chapter 4: Converged Authentication Figure 9. Log Insight authentication with Active Directory vcenter Log Insight role-based access control with Active Directory groups You can assign roles to Active Directory users and groups to access the current instance of Log Insight. As an example, we created two Active Directory groups to map to the Log Insight administrator and user roles, PPOD_LogInsight_Admins and PPOD_LogInsight_Users respectively. When complete, the configuration should resemble that in Figure 10. Figure 10. Create a new group Configure Log Insight to use LDAPS for Active Directory authentication By default, when Log Insight connects to Active Directory, it attempts to use LDAP first, and then uses LDAP with SSL if unsuccessful. To limit the Active Directory communication to one specific protocol, such as LDAPS, or to change the order of protocols that are tried, edit the /usr/lib/loginsight/application/etc/loginsight-config-base.xml file to configure the authentication protocol. 51

52 Chapter 4: Converged Authentication VMware vcenter Operations Manager and Active Directory users When you run the Import from LDAP tool it connects to Active Directory and displays a list of user accounts based on the filtering criteria you specify. Select the users or groups you want to import and the role you want to be assigned. You can also configure an auto-synchronization to occur on a scheduled basis, enabling you to map a vcenter Operations Manager role to corresponding Active Directory groups and manage membership though Active Directory Users and Computers in MMC. Note: vcenter Operations Manager does not store the user accounts passwords locally. These exist only in Active Directory where account management is performed and password policy is enforced. VMware vcloud Automation Center: Tenant identity stores In the Federation Software-Defined Data Center solution, we used the Active Directory type identity store to enable tenant authentication integration with Active Directory over LDAP. To enable LDAP authentication over SSL you must import the CA chain into the cacerts keystore on the vcac virtual appliance. Then use the ldaps:// protocol designator when specifying the identity store Active Directory URL. Note: The protocol designator can only be specified when adding the identity store. To change from using ldap:// to ldaps://, you must delete the identity store and re-create it with the correct designator. VMware vsphere ESXi host integration with Active Directory EMC Avamar integration EMC DPA Active Directory support To integrate the ESXi host with Active Directory, after adding the ESXi host to the vcenter inventory: Create and manage an ESXi administrators group named ESXi Admins that restricts who can log in to the ESXi hosts using Active Directory credentials. If applicable, you need an OU where the ESXi hosts reside in Active Directory. In this solution, we used an OU named ESXi Hosts. EMC Avamar integrates with Active Directory using LDAP or Kerberos. After either one is configured you can create an LDAP Map that enables you to map an Active Directory group to an Avamar role, such as Administrator or User. EMC DPA supports Active Directory using LDAPS. Active Directory groups can be added as an external authentication object and a corresponding DPA role assigned, enabling Active Directory management role-based access control (RBAC). EMC Unisphere authentication Unisphere for VMAX authentication Solutions Enabler must be deployed in your environment to manage an EMC VMAX array. Authentication for Unisphere for VMAX is configured through the web application using the CLI tools installed with Solutions Enabler. Unisphere for VMAX can, by default, use Local Windows or Active Directory domain-based authentication, when implemented with Solutions Enabler deployed on a Windows Server that is a member of an Active Directory domain. 52

53 Chapter 4: Converged Authentication For this solution, we installed Unisphere for VMAX on the same system on which Solutions Enabler was installed. This can be installed on a separate system and connect to the SYMAPI interface of Solutions Enabler over the network using SSL connections. The following sections describe the authentication and Solutions Enabler prerequisites. VMAX authentication prerequisites Active Directory authentication requirements for VMAX include: Solutions Enabler To integrate Unisphere for VMAX with Active Directory, Solutions Enabler must be deployed on a Windows server that is a member of an Active Directory domain. This eliminates the need for LDAP integration and uses the underlying Windows Server Kerberos authentication mechanism with Active Directory. An Active Directory group is required to configure authentication: a. Create an Active Directory group to map to the VMAX System Administrators role. b. Add the resulting Active Directory group to the local administrators group on the Windows server. Note: If the VMAX Admins group is not a member of the local administrators group, some tasks will not be available. An error message stating Access denied - you are not an authorized base daemon user is displayed. Conversely, if you are not a member of the VMAX Admins group but are a member of the local administrators group, an error The caller is not authorized to perform the requested operation might be shown for some tasks. The Active Directory group name must not contain any special characters. Solutions Enabler prerequisites The prerequisites for Solutions Enabler are: Ensure the Solutions Enabler version is compatible with the Enginuity microcode of the VMAX that you are managing. Ensure the gatekeeper LUNs are zoned and masked to all the ESXi hosts within the cluster running this virtual machine or physical server. For a virtual machine, map the LUNs directly to the virtual machine by using RDM in the physical compatibility mode. Note: After the LUNs have been presented to the Solutions Enabler target system, formatting or mounting these volumes after they are presented to the host is not necessary, because these are used for sending array control messages using the SAN to the VMAX array. SYMAUTH can restrict access by user or group. For more information, refer to EMC Solutions Enabler Symmetrix Management CLI. 53

54 Chapter 4: Converged Authentication SYMACL can restrict access by machine. For more information, refer to EMC Solutions Enabler Symmetrix Management CLI. Elevated administration is required for some commands. As a logged-in user, select Start > Accessories. Right-click Command Prompt and select Run as administrator to open an elevated Command Prompt window. Note: When you run specific commands on the Windows system, such as symcfg discover, which populate the local database with the VMAX system to which this system is connected, they must be run with elevated administrator rights. An error message stating Read or Read/Write permission/access not present might be displayed if run from a user-privileged command prompt. VNX Unisphere authentication As part of the integration process, a centralized LDAP authentication system is used and integrated with Unisphere to enable secure management of VNX storage. The Federation recommends that when you use LDAP for Unisphere in production environments, you implement trusted certificates and SSL security as part of the LDAP configuration. From VNX array OE 5.32 (block) and 7.1 (file) releases onward, both block and file subsystems share a common LDAP domain configuration to authenticate administrators with LDAP credentials. In addition, certificate validation is enabled by default and cannot be disabled. This section discusses how you configure the LDAP domain to integrate with Active Directory. VNX authentication prerequisites The following steps must be completed before you can configure the VNX domain: 1. Determine the Active Directory domain name. 2. Create the Active Directory group that will be mapped to VNX roles and add the users to the appropriate group. Each group must contain user accounts and not nested groups. 3. Provide a non-administrative Active Directory user account and password for binding the LDAP service in Unisphere. 4. Determine the domain name for the users and groups search path that will be used for LDAP authentication to the VNX system through Unisphere, and the user account used to bind to the LDAP directory. Note: VNX OE versions 5.32 for block and 7.1 for file require LDAPS certificates that include the certificate chain to function correctly. This differs from previous VNX OE for block and OE for unified versions that required the LDAPS certificate and chain to be imported separately. 54

55 Chapter 4: Converged Authentication EMC ViPR authentication To centralize management of user accounts, you can enable support for Active Directory authentication. ViPR enables multiple Active Directory and LDAP authentication providers to be configured using LDAP or LDAPS, as shown in Figure 11. Figure 11. Active Directory authentication providers RBAC in ViPR Assign roles to the Active Directory users and groups to control the level of access to ViPR. ViPR implements RBAC that enables specific roles to be assigned to Active Directory groups and users. As an example, we created two Active Directory groups to map to the ViPR System Administrator and System Monitor roles: PPOD_ViPR_Admins and PPOD_ViPR_Monitor respectively, as shown in Figure 12. Figure 12. Active Directory role assignments ViPR LDAP over SSL To enable LDAP over SSL you must have already configured your Active Directory Domain Services servers with an LDAPS certificate and added the trusted CA chain to the OpenSSL certificate store and Java cacerts keystore. 55

56 Chapter 4: Converged Authentication VMware vcenter SSO VMware vcenter SSO is an authentication broker and security token exchange solution that interacts with the enterprise identity store (Active Directory or OpenLDAP) on behalf of registered solutions to authenticate users. The following solution components can be indirectly integrated with Active Directory through vcenter SSO: vcenter Orchestrator vcenter Server (automatically installed with vcenter SSO as part of Simple Install mode) vcenter Automation Center IT Business Management VMware NSX for vsphere Note: Alternatively, you can use a VMware Identity Appliance to provide SSO authentication. However, we recommend vcenter SSO as it provides greater visibility, ease of management, and the ability to use a single namespace throughout the automation pod. This also simplifies deployments at scale or implementing a disaster recovery architecture, where a distributed SSO architecture is required. vcenter Orchestrator To integrate vco with vcenter SSO, import the vcenter SSO SSL certificate to the vco SSL certificates repository, and then register to vcenter SSO by specifying an account with SSO administrative privileges. When this is successful, you can specify an administrative group from the SSO or the SSO identity sources (Active Directory) to manage vco. VMware vcenter Automation Center Default tenant vcenter SSO provides SSO capability for vcloud Automation Center users. The Native Active Directory identity store type has the following attributes: Uses Kerberos to authenticate with Active Directory No search base DN is required, making it easier to find the correct Active Directory store Can be used only with the default tenant When you have configured the default tenant s identity store, add tenant administrators and infrastructure administrators. In this solution, we used Active Directory groups to assign these roles to vcac users. Tenant administrators are responsible for configuring tenant-specific branding, and managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS administrators are responsible for configuring 56

57 Chapter 4: Converged Authentication infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs. Note: You must also specify an Active Directory identity store when you configure tenants. Non-default tenant vcac 6 allows the definition of multiple tenants, and each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. The types of identity store available for use for tenants are Active Directory and OpenLDAP. In this solution we integrated with Active Directory; therefore, we selected the Active Directory type and provided a bind DN and a search base. Optionally, you can configure the domain alias with a value that allows users to log in by using as a user name, rather than Note that this must be a unique value across all identity stores. As for the default tenant, tenant and infrastructure administrators must be configured for each tenant configured in vcac. We used Active Directory groups to assign these roles to software-defined data center tenant users. VMware IT Business Management VMware ITBM integrates directly with vcac and uses vcac authentication providers, namely Active Directory through SSO. vcac users access business management data through the vcac portal and do not log on directly to ITBM. VMware NSX for vsphere In this Federation Software-Defined Data Center solution, we integrated NSX with vcenter Single Sign On (SSO) to improve the security of user authentication for vcenter users and authenticate Active Directory users. With SSO, NSX supports authentication using authenticated SAML tokens from a trusted source using REST API calls. NSX Manager can also acquire SAML authentication tokens for use with other VMware solutions. To integrate NSX with SSO you need to create an SSO group, for example NSXAdmins, and populate it with Active Directory identity source user accounts. Then, in the Networking & Security web client, specify the same SSO group as a vcenter group and assign the appropriate role. Note: This does not grant CLI access on the NSX Manager appliance. CLI access can only be granted to locally created accounts on the appliance. 57

58 Chapter 4: Converged Authentication TACACS+ authentication integration Summary TACACS+ provides an increased level of security through authentication, authorization, and accounting services and is a publicly documented protocol over TCP/IP. It encrypts credentials passed from the client device to the TACACS+ system and can be configured to use Active Directory as its authentication directory to enable centralized authentication. For this solution, the Federation used a TACACS+ implementation from TACACS.net because of its easy configuration and ability to integrate with Active Directory. TACACS+ is configured simply as an authentication source with no authorization restrictions. Configuring authorization for separation of duties, such as auditor, security administrator, and network administrator with the TACACS.net software is outside the scope of this Solution Guide. Implementation of TACACS+ involves a complete installation of the software on the domain controllers, as recommended by TACACS.net. The complete installation includes both services and utilities to aid in configuring the TACACS+ server. When the TACACS.net application was deployed, we configured the solution s network and fabric switches to use the new TACACS+ servers for authentication. The infrastructure solutions stack required to deliver software-defined data center services must provide an easy means of centralized management, bringing together the software and hardware components that form the complete solution so that they can be securely managed and enforced. This section demonstrated that integration with a common directory can be achieved to support LDAPS, Kerberos, and TACACS+ authentication services, streamline administration and policy enforcement, and provide tighter control over administrative and end user authentication. 58

59 Chapter 5: Centralized Log Management Chapter 5 Centralized Log Management This chapter presents the following topics: Overview vcenter Log Insight remote syslog architecture Centralized logging integration Content packs for vcenter Log Insight Configuring alerts Summary

60 Chapter 5: Centralized Log Management Overview Many key solution resources constantly record operational and security-related events to a local log. When a security incident occurs, log files can help you track down the root cause. However, without log file consolidation, those investigative tasks can be laborious. Running a reliable and secure data center is a continual process of planning, delivering, and operating. Without a consolidated view of your infrastructure s system log data, your data center is incomplete and at risk. The risks include: Lack of central and holistic visibility into security-related events Inability to easily correlate events that would indicate a security breach Log files are overwritten causing you to lose log entries that are critical for security, compliance, and troubleshooting Increased downtime for applications and servers, because more time is needed to locate and search system log files when trouble occurs Security risks such as malicious attacks or unauthorized logins that could be occurring without your knowledge Loss of historical system logs, leaving you unprepared to report local authentications or maintain compliance Consolidated system logging is a critical data center feature that is commonly left unimplemented because of its complexity. Many IT organizations rely solely on data center monitoring tools, which, while useful, mostly focus on raw metrics such as CPU utilization, memory consumption, and storage I/O but completely ignore log files and security events. When system log files are ignored, valuable security information is overlooked. To address these challenges, the Federation Software-Defined Data Center uses VMware vcenter Log Insight to deliver real-time log management and log analysis with machine-learning-based Intelligent Grouping and a high-performance search, enabling better visibility across the entire Federation Software-Defined Data Center solution. 60

61 Chapter 5: Centralized Log Management Figure 13. Centralized logging of software-defined data center components with vcenter Log Insight Log Insight is tightly integrated with vcenter Server and vsphere ESXi and comes with built-in knowledge and native support for vcenter Operations Manager. Alerts are configured to notify security administrators by or through the vc Ops dashboards. vcenter Log Insight works in multiple ways to ensure greater visibility into your cloud operations and achieve the security compliance that your company requires. Log Insight can analyze log events from the entire Federation Software-Defined Data Center by configuring each solution component to forward logs to Log Insight. Some of this configuration is achieved using Log Insight s native capabilities, while the remainder is done by manually configuring syslog operations. 61

62 Chapter 5: Centralized Log Management Figure 14. Searching for security events with vcenter Log Insight Log Insight allows you to search for security events across all consolidated data, as shown in Figure 14. For example, to search for failed logins across the infrastructure, you can search across all the components that make up the Federation Software- Defined Data Center. Log Insight provides a powerful security tool that consolidates and analyzes logs and enables high-speed interactive queries. In addition, you can create your own custom queries to save and create your custom security dashboard. vcenter Log Insight remote syslog architecture Remote syslog is used for various reasons, including: Aggregation Querying Correlation Retention Security/compliance/auditing Every component in the solution generates log messages. Every virtual machine, including operating system and application machines, generates log messages. A software-defined data center environment generates many log messages per day and the number of logs can increase if issues arise. Troubleshooting and finding root causes for issues is challenging unless logs can be aggregated and queried. For smaller instances of this software-defined data center solution, every device for which you want to collect events is configured to send events directly to one or more 62

63 Chapter 5: Centralized Log Management Log Insight instances, as shown in Figure 15. This is referred to as client-server architecture. Figure 15. Log Insight client-server architecture This client-server architecture is suited to environments, which: Are greenfield, with no syslog operations to date Use automation or configuration management Have fewer than 750 devices sending remote syslog data For larger instances of this software-defined data center solution, a distributed Log Insight deployment with a master node and up to five worker nodes can be deployed in a cluster configuration. To ensure high availability in such a configuration, you must deploy the cluster in an N+1 configuration and use a load balancer in front of the cluster to load-balance connections and handle node failures. With this configuration, if any node goes down, the load balancer can redirect traffic to the remaining nodes. Note that the Web UI access is limited to the master node, as shown in Figure 16. Note: A worker node stores forwarded syslog events and processes queries against log data it stores on behalf of the master node. 63

64 Chapter 5: Centralized Log Management Figure 16. Log Insight distributed architecture For more information on remote syslog architecture for vcenter Log Insight, refer to VMware vcenter Log Insight: Getting Started Guide. Sizing information for VMware vcenter Log Insight for this software-defined data center solution is documented in the Federation Software-Defined Data Center: Foundation Infrastructure Solution Guide, in the Resource Sizing Guide chapter. Centralized logging integration Unlike many syslog implementations that only support UDP, Log Insight supports receiving syslog-formatted events over UDP, TCP, and SSL protocols. In high-volume environments, the inclusion of TCP support provides a significant performance improvement over a UDP-only-based system, because more events can be channeled through fewer connections. This ensures that events are not lost as they would be with UDP-only based log servers. Additionally, the support for receiving syslog events over SSL ensures that the event details are transmitted over the network in a confidential manner. Log Insight consolidates and archives all log data in the Federation Software-Defined Data Center and creates a historical record that enables: Storage of events in sufficient detail and with accuracy Retention of audit logs for a determined period of time consistent with enterprise security policy 64

65 Chapter 5: Centralized Log Management Identification of security incidents and policy violations as they occur Performance of auditing and forensic analysis Establishment of baselines that can be used to detect future anomalous behavior When you have collected data, using Log Insight you can perform ad-hoc searches across all the event data. Figure 17 shows an example of a failed login query. Figure 17. Sample vcenter Log Insight dashboard for vcenter Server You can save queries you perform often as Favorites and also use them to create charts, dashboard widgets, and alerts. In large environments with numerous log messages, you can use runtime field extraction with Log Insight to instantly locate and extract the most important data fields using regular expressions. 65

66 Chapter 5: Centralized Log Management The following components of the software-defined data center management platform should be configured to forward the application logs to Log Insight: EMC Avamar EMC Unisphere for VMAX EMC ViPR EMC VNX VMware vsphere ESXi hosts VMware IT Business Management VMware NSX for vsphere VMware vcloud Automation Center VMware vcenter Orchestrator VMware vcenter Server All physical compute, fabric, and network devices Content packs for vcenter Log Insight Analysis of the forwarded events can be enhanced using pre-packaged VMware, EMC, partner, and community-provided content packs, which are available on the VMware Solution Exchange. Currently available content packs that relate to components in the Federation Software-Defined Data Center are: EMC Avamar content pack EMC VMAX content pack EMC VNX content pack VMware vcac Log Insight content pack VMware vcenter Log Insight content pack for vcenter Operations Manager (bundled with Log Insight) VMware vsphere content pack (bundled with Log Insight) Additional content packs: Available for Microsoft Windows, Microsoft Active Directory, and other partner solutions vcenter Log Insight ships with the VMware vsphere content pack, which when used with Log Insight vsphere integration provides detailed knowledge about VMware vsphere logs. 66

67 Chapter 5: Centralized Log Management The vsphere content pack provides important operational information about the vsphere environment using several dashboards that contain a comprehensive list of security events and event types such as: ESX/ESXi connections by source ESX/ESXi logins by type, source, and user vcenter Server authentication attempts by type, source, and user Events, tasks, and alarms When integrated with Log Insight, EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those EMC products that enable administrators to conduct problem analysis on their VNX and VMAX arrays or backup infrastructure. Many of these content packs include dashboards that include security-related charts and widgets that provide at-a-glance visibility into securityrelated events, shown in the example in Figure 18. Figure 18. Customized software-defined data center security dashboard using multiple content packs Content packs are read-only plug-ins to vcenter Log Insight that provide predefined knowledge about specific types of events, such as log messages. The goal of a content pack is to provide knowledge about a specific set of events in a format easily understandable by security administrators, monitoring teams, and auditors. Each content pack is delivered as a file, and can be imported through the Log Insight web UI. The custom Log Insight dashboard in Figure 19 shows EMC Avamar backup, vcenter and Windows authentication, failures, and ESXi host firewall changes. 67

68 Chapter 5: Centralized Log Management Figure 19. Custom Log Insight dashboard Dashboards and widgets can be manually created for those components for which content packs do not already exist. Each widget provided by a content pack can be cloned and added to a personalized dashboard that can be shared to contain only the views required by the user. Figure 19 provides an example of this, showing a partial view of the software-defined data center dashboard that contains widgets from the content packs installed for this solution. The content pack for vcenter Operations Manager presents its log data in a more meaningful way and analyzes all of the logs that are redirected from a vcenter Operations Manager instance. The vcenter Operation Manager content pack provides: A collection of logs from all vcenter Operations Manager servers Default queries to expose key fields and events Pre-configured dashboards to make troubleshooting quick and easy The content pack provides 6 dashboard groups, 32 dashboards, 24 queries, 11 alerts, and 40 extracted fields. You can use these queries and dashboards to monitor and troubleshoot various issues in the vc Ops environment. The queries and dashboards can be used to monitor and troubleshoot issues in the vcenter Operations Manager environment. 68

69 Chapter 5: Centralized Log Management Configuring alerts The Federation Software-Defined Data Center solution uses vc Ops to monitor the cloud management platform, compute resources, and workloads used in production. vcenter Log Insight integration with vcenter Operations Manager enables you to raise alerts for Log Insight queries and send notifications to vc Ops based on a configurable threshold, as shown in Figure 20. Figure 20. Example of a Log Insight alert configured to send a notification to vc Ops You can also configure predefined alerts that are installed when content packs are imported to Log Insight. An example of a number of security-related alerts imported by the Microsoft Active Directory content pack is shown in Figure

70 Chapter 5: Centralized Log Management Figure 21. Examples of security alerts installed in Log Insight In addition, the integration between vcenter Log Insight and vc Ops enables a Launch in context menu in the vc Ops dashboard that can be used to launch a vcenter Log Insight interactive analytics dashboard to display events related to the selected vc Ops object. The example in Figure 22 uses the integration between Log Insight and vc Ops in which the Actions menu in vc Ops triggers a search of all relevant Log Insight information on the selected item. Figure 22. Search logs for cloud management platform directly from vc Ops 70

71 Chapter 5: Centralized Log Management The launch-in-context functionality filters the logs using the constraint hostname equals <each hostname>, which displays only events that match the criteria, as highlighted in Figure 23. Figure 23. vcenter Log Insight filtering logs for the management cluster components For a more detailed discussion of vc Ops and the role it plays in this solution, refer to the Federation Software-Defined Data Center: Foundation Solution Guide. Summary The integration of vcenter Log Insight in the Federation Software-Defined Data Center solution enables greater visibility into operational and security-related events. We demonstrated how each component can be configured to forward events to Log Insight to provide a single point of visibility into the environment for administrators and configure alerts to notify through or vc Ops. Where an organization already has a Security Event and Incident Management (SEIM) system in place, Log Insight can act as an aggregator to forward events to the SEIM, providing the security team with a single integration point for the whole solution. 71

72 72 Chapter 5: Centralized Log Management

73 Chapter 6: Network Security Chapter 6 Network Security This chapter presents the following topics: Overview NSX for vsphere N-Tier application considerations Use case 1: Micro-segmentation with N-Tier virtual applications Use case 2: Micro-segmentation with converged N-Tier virtual applications Summary

74 Chapter 6: Network Security Overview Network configuration This chapter discusses the security aspects of Federation Software-Defined Data Center networking, introduces VMware NSX for vsphere, and demonstrates network and security integration in a Federation Software-Defined Data Center solution. Use this chapter as a reference to begin the networking and security planning and design process for your software-defined data center, and to set the stage for successful implementation efforts. Focusing on the network infrastructure and deployment options, this chapter details the key elements for creating a secure service offering and the processes required to implement and secure the network infrastructure. In addition, it includes common use cases for providing connectivity and security to dynamically provisioned application workloads. Solution architecture The solution requires an architecture that: Is resilient to failure Provides for optimal throughput for workloads Ensures multitenancy and secure separation Throughout this chapter, we reference network segments created in the physical and virtual layers including overlay networks. Figure 24 shows a logical representation of the software-defined data center environment and highlights the management, tenant compute pods, and clusters. 74

75 Chapter 6: Network Security Figure 24. EMC software-defined data center environment Physical connectivity In designing the physical architecture, our main considerations were high availability, performance, and scalability. As shown in Figure 25, each layer is fault tolerant with physically redundant connectivity throughout. The loss of any one infrastructure component or link does not result in loss of service to the tenant; if the architecture is scaled appropriately, the loss of a component or link does not impact service performance. Figure 25 also shows the connectivity between the physical storage, network, and converged fabric components deployed in the Federation Software-Defined Data Center solution. 75

76 Chapter 6: Network Security Figure 25. Physical topology of the network The network design uses IEEE 802.1AX virtual link aggregation (vlag) trunks to provide seamless operation in the event of a hardware or link failure by enabling fault tolerance and high-speed links between distribution, access, and converged layers. Note: Link aggregation (LAG) is variously known across vendors implementations as virtual port channels, split multi-link trunks, multi-chassis trunking, or multi-switch link aggregation. 76

77 vlag overview Chapter 6: Network Security vlag trunks bundle multiple physical Ethernet links between two or more devices into a single logical link. If a physical link or switch fails, the traffic is automatically redistributed over the remaining physical links. Because multiple physical links are considered a single logical link in a vlag trunk, we did not introduce a loop in this solution. If a member link status changes, vlag prevents a service-interrupting spanning-tree recalculation and resulting convergence. vlag trunks also have the added benefit of load balancing traffic across all available links by using a load balancing algorithm to determine the physical port used. This makes available an aggregate bandwidth that is the sum of the bandwidths for all the physical links. Configure vlag To make vlag trunks function, you need one or more physical links between the two distribution switches and the two access switches, as shown in Figure 25. This vlag trunk is dedicated to carrying the VLANs and corresponding data that are being carried over the trunks. Typically, you should ensure that the 10 GbE ports used for this purpose are in dedicated mode to avoid oversubscription issues and potential packet loss. Depending on the vendor, a separate link that is not a member of the LAG trunk might be required between each switch-pair to synchronize state and prevent any packet duplication. This can be a Layer 2 or Layer 3 link between the switches, and while it typically does not carry regular network traffic, it is critical to the fault tolerant operation of the design. The control link does not have to be configured as a LAG, but having it configured as such provides fault tolerance. You can optionally configure the control link to sit in its own virtual routing and forwarding (VRF) table, which enables the reuse of the same control-link IP addresses on every pair of devices. In this environment, physical network connectivity to the compute layer is provided over a converged network and FC fabric to the fabric extenders on the compute blade chassis. Each link is capable of 10 Gbps, which enables four 10 GbE network interfaces to be presented to each ESXi host. Logical network topology The logical topology is designed to address the requirements of enabling multitenancy and securing separation of the tenant resources. The topology is also designed to align with security best practices from vendors such as VMware, which segment networks according to the purpose or traffic type. For example, configuring an isolated network segment for vmotion traffic between VMware vsphere ESXi hosts helps prevent attacks in which the unencrypted data transfer is intercepted by an attacker and reconstructed to gain access to sensitive data. We configured the trunks on the physical network infrastructure to allow access by only the VLANs and private VLANs (PVLANs) required for operations within the software-defined data center environment. This best practice also helps to conserve valuable resources such as Spanning Tree Protocol (STP) logical interfaces. Each switch supports a limited number of STP logical interfaces, which can be used up 77

78 Chapter 6: Network Security before the VLAN limit is reached especially in a multitenant environment. Therefore, pruning and carrying only the necessary VLANs can be of critical importance. Figure 26 shows the logical topology of the physical and virtual networks defined in the Federation Software-Defined Data Center solution. We used VLANs to provide segmentation of the networks at Layer 2 in the cloud management pod, because that environment is likely to be static and an extension of existing management networks. Figure 26. Logical topology with the cluster pod and functional networks 78

79 Chapter 6: Network Security vsphere networking Connect physical server and create a virtual switch We connected each physical server on which ESXi was deployed to the network using six 10 GbE network interfaces, which are represented in the ESXi hypervisor as vmnic0 to vmnic5. For ESXi hypervisor management and vmotion, we created a virtual switch with vmnic0 and vmnic1 configured as uplinks to the physical switches. This vswitch was configured with the necessary VMkernel ports, as shown in Figure 27. Figure 27. ESXi host networking vswitch configuration Create and configure a vsphere Distributed Switch We then created a cloud management vsphere Distributed Switch (vds) spanning the Federation Automation and Network Edge Infrastructure (NEI) Pods and a separate resource vds spanning the resource pods. In doing so, we created a logical and physical boundary segmenting the management and tenant workload traffic flows and enabling a more focused approach to performance and security monitoring. Both vdss were spanned to the NEI Pod to establish connectivity with the physical core. By implementing a separate vds for resource pods, we can limit administrative access to the cloud management vds that will have comparatively few networks compared with possibly thousands of dynamic tenant networks. This also makes it easier to establish a baseline for management traffic and identify flows that fall outside expected characteristics. We configured the uplinks with only the VLANs that each VDS needed to trunk from the physical networks to service connected resources. This enabled connectivity 79

80 Chapter 6: Network Security between the virtualized resources and the physical environment, shown in the examples in Figure 28 and Figure 29. Figure 28. VLAN configuration of the cloud management vds uplinks Figure 29. VLAN configuration of the production vds uplinks We configured the cloud management vds with a number of port groups, as shown in Figure 30, to provide Edge connectivity with resources in the physical network, such as backup infrastructure, and other services, such as the enterprise Active Directory infrastructure. 80

81 Chapter 6: Network Security Figure 30. Port group and VLAN configuration of the cloud management vds We configured the resource vds with a single port group for Edge connectivity, that is, dvportgroup_uplink. The remaining port groups on this vds, as shown in Figure 31, were created by NSX when the hosts were prepared for network virtualization and VXLAN network segments (also called logical switches) were configured by the administrator through the Network and Security view in the vsphere Web Client. Overlay networks with VXLAN VXLAN enables technology for network virtualization, providing network abstraction, elasticity, and scaling across the data center. VXLAN provides architecture for scaling your applications across clusters and pods without any physical network reconfiguration. With VXLAN, physical switches do not need to be reconfigured when a new VXLAN network is created. Instead, VXLAN virtual wires or networks can be deployed over a single or multiple transit VLANs. The decoupling of virtual networks from physical networks provides great flexibility and agility without requiring changes to or impacting the physical network. This enables rapid and dynamic provisioning of new networks at a theoretical scale of millions of VXLAN networks. At a more practical level, each vds can support up to 6,500 VXLAN networks to a maximum of 10,000 per vcenter Server. 81

82 Chapter 6: Network Security The fact that VXLAN overlays can be used to dynamically segment network traffic is of importance to the security posture of enterprise workloads. The scalability limitations of VLANs are no longer an impediment to segmenting mission-critical applications and creating as many trust zones as are necessary. As shown in Figure 31, the VXLAN port groups all share the same VLAN. This is one of the key benefits of implementing VXLAN. You can use one VLAN as the physical transport for VXLAN overlay networks. This reduces the required configuration of the ESXi host and top-of-rack (TOR) physical switches to a single VLAN and enables the virtual VXLAN networks to scale to 6,500 (assuming static port groups) per vds. Figure 31. Production vds port groups showing Edge connectivity and VXLAN port groups Supporting infrastructure services To support infrastructure operations, we configured networking on each ESXi host throughout the environment to enable connectivity to the backup, NFS, and vmotion networks. To do this, we configured a VMkernel for NFS and vmotion on each ESXi host and created a port group for the Avamar proxy virtual machines on the cloud management vds to complete the network connectivity. 82

83 Chapter 6: Network Security Network environment for data protection The high levels of deduplication and compression provided by the Avamar solution contribute to minimal data being sent across the LAN. However, as a best practice design for performance, availability, and security, this environment contains a dedicated network for backup infrastructure, separate from production networks, within which the Avamar server nodes and proxy virtual servers reside. All Avamar proxy servers are configured with an isolated PVLAN ID, with the result that they can only communicate with the Avamar server nodes and no other system on the backup network. The backup infrastructure resources are further protected by the isolation of the network from other Layer 3 networks. Where communications must be allowed to enable the solution to function correctly, for example, in the management of the Avamar system by backup administrators and control communications with DPA, vcac, vco, and vcenter servers, a firewall mediates the access attempt and permits the connection if authorized, as shown in Figure 32. This means that by separating production and backup data on the networks, an attacker who gains control of a virtual machine cannot compromise additional systems by using the backup network. Figure 32. Backup network architecture for the software-defined data center In this solution, access between the production network and the backup network is permitted only through a firewall policy restricting access to the Avamar management and control planes by authorized administrators and orchestration processes. 83

84 Chapter 6: Network Security Automation and provisioning With improvements in server virtualization, the network has become the chokepoint of the provisioning process when new applications are being deployed. VXLAN overlay networks are used to greatly simplify the configuration of physical networking equipment, while increasing the scale and speed of deploying new networks and logical switches. With the integration of VXLAN, physical switches do not need to be reconfigured when new virtual networks are created. Instead, VXLAN virtual wires or logical switches can be deployed over a single transit VLAN. This enables dynamic provisioning of new networks at a potential scale of millions of VXLAN logical switches. NSX for vsphere Deploying a virtual application can take minutes. However, planning, designing, and configuring the network and security elements to support it can often take days or weeks. Using the automation capabilities of vcac, NSX can significantly reduce the amount of time required for the provision, update, and removal processes. Networks, router, firewall, and load balancer can be deployed dynamically with the virtual machine components of a blueprint. This enables an application stack and supporting services to be delivered to production users in minutes with all the necessary network and security services. Introduction Distributed logical router VMware NSX is the next generation of network virtualization. Functionality includes distributed logical routing, distributed virtual firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). NSX also provides substantial performance improvements in throughput, with logical routing and firewalling providing line-rate performance distributed across many hosts, instead of being limited to a single virtual machine or physical host. The DLR performs all East-West workload traffic routing at the hypervisor level. This ensures that as long as the workloads are on the same host, even if they are on different subnets, the traffic does not leave that host. Distributed logical routing offers this advantage over virtual appliances or physical routers, because workload traffic suffers from the hair-pinning effect when workloads on different networks on the same host must route through a virtual or external physical gateway. If the workloads are on separate hosts, the traffic takes the optimal path directly from one host to the other, again without having to take a hairpin route through a virtual appliance or physical router in the data center core. This offers optimal traffic flows and significant performance gains. 84

85 Chapter 6: Network Security Distributed firewall Another key feature is the NSX distributed firewall (DFW), which is implemented as a hypervisor kernel module. This eliminates the need to route traffic through virtual or external physical firewalls for inspection. Traffic is analyzed by the hypervisor when it leaves the source virtual machine vnic and before it enters the vnic of the destination virtual machine. It is this enforcement at the vnic level that allows the East-West virtual machine separation. For more information about this, refer to N-Tier application considerations. Because the NSX is integrated with vcenter Server, it can use the vcenter inventory and filter on more than just source and destination IP addresses or ports. Rules can be applied to virtual machines, security groups, clusters, and data centers. Security groups can also have dynamic membership, which can apply rules based on virtual machine attributes such as guest operating system, virtual machine name, or security tags. Because this inspection is performed at the hypervisor level, traffic does not have to be steered through and analyzed by another device or virtual machine on the network. Flow monitoring can also be used to see historical and real-time traffic flows. These flows can be shown in aggregate, by service, or by virtual machine. The data can be used for troubleshooting performance issues, firewall misconfigurations, or rogue traffic on the network. NSX for vsphere also introduces the Service Composer, which integrates with thirdparty security services. These services can identify virtual machines on the network infected with malware, or with known vulnerabilities, and place them into a quarantine security group that restricts the virtual machines until the issue is resolved. NSX Edge It is important to highlight differences between the NSX Edge that is deployed by vcac as part of a blueprint and an NSX Edge deployed directly from the Networking & Security web client. Through the Networking & Security web client, an NSX Edge is deployed as either an Edge gateway or a DLR. This appears in the Networking & Security web client as an NSX Edge 6.0. However, vcac only supports provisioning an Edge 5.5 in a multimachine deployment where VXLAN segments are provisioned as part of the blueprint. The Edge appears in the Networking & Security web client as an NSX Edge 5.5. Logical load balancer The NSX logical load balancer allows load sharing across a pool of virtual machines. It enables intelligent application monitoring, so that if a virtual machine in the pool stops responding, it is automatically taken out of the pool and no traffic is sent to it until it becomes responsive again. The load balancer can also be deployed in HA mode making it highly available. The load balancer can either be deployed as a service on an Edge appliance that acts as the network gateway, or it can be deployed in one-arm mode, where it has a single interface on the network, and is not the gateway. The load balancer can support throughput of up to 9 Gbps and 130 k connections per second. 85

86 Chapter 6: Network Security N-Tier application considerations Traditional threetier architecture N-Tier architecture is a technique used by software developers to split components of an application to allow greater flexibility and modularity. This is typically represented by a three-tier architecture consisting of a presentation layer, a logic layer, and a storage layer. We commonly see this architecture used for web applications consisting of web servers in the presentation layer, application and middleware components in the logic layer, and databases in the storage layer. Security practitioners have adopted the three-tier model for best practices, as it fits well with the principle of least privilege. Granular security controls can be applied to only allow the minimum required network traffic through to each tier. For the web application example, best practices limit all end user traffic to only reach the web servers and only using required services, such as HTTP/HTTPS. Network traffic to the application servers is similarly restricted to traffic from the web servers on specific ports, and traffic to the database servers is only allowed from the application servers to the ports used by the database. In a typical physical data center this is achieved through Layer 3 separation of the tiers (requiring a different subnet for each tier), and firewalls placed between the tiers only allowing the required traffic through, as illustrated in Figure 33. Figure 33. Traditional three-tiered security architecture This model is easily configured with VMware NSX. As NSX firewall rules are enforced at the vnics of each virtual machine, this allows greater flexibility with segmenting virtual machines. Web servers, application servers, and database servers can now sit next to each other within a flat Layer 2 subnet, yet still have granular rules segmenting them from each other. This can enable easier network organization of applications, for example, providing a single Class C subnet for each application. Another benefit of applying this model with NSX is the ability to achieve full application containerization. In the physical world, frequently all web servers in a DMZ can see and talk to each other, even if they are not part of the same application. This is also true of application servers in a protected zone, and database servers which are often placed into an internal core network for licensing reasons (exposing the rest of the internal core network in the event of a database server being 86

87 Chapter 6: Network Security compromised from the outside). With NSX, all tiers of an application can be fully containerized to ensure that if an application is compromised by an attacker at any tier, the attacker cannot pivot beyond the application to attack other applications or hosts within the same network zone. Two-tier applications While the three-tier application model is prevalent, there are still applications that are designed to be split into only two tiers. These generally combine the presentation and logic layers into one, while keeping the database tier separate. This is becoming more common in applications developed using languages and frameworks such as Ruby on Rails and certain Python frameworks. In other cases, a web server may only be used for specific capabilities, such as single sign-on, because using a separate server or virtual machine for it would be wasteful. Frequently an enterprise security team will force the application into a three-tier architecture, often artificially creating a public-facing tier in a DMZ with a reverse proxy for web applications. This can become a source of contention between the security team who are trying to ensure the best possible protection of the data, and the development team who are trying to deliver an application as inexpensively and efficiently as possible. In reality, inflating the application to three tiers and proxying all the traffic through to an application tier doesn t offer significantly better security. Applying extra controls in the web proxy tier, such as installing the ModSecurity application on top of Apache for additional web traffic inspection can help. In a physical data center where multiple applications are present across network tiers, and databases may be contained in an internal or private zone, having the extra protection against compromise is well warranted. However, in the cloud, using the capabilities of NSX to containerize applications and limit potential exposure in the event of a compromised application, two-tier applications may no longer need to be artificially inflated to three tiers. While certain applications with sensitive data may still require the extra protection of the three-tier model, many applications can now be run in two tiers as originally designed without many of the risks associated with bridging network zones. Often the operational issues introduced by the increased complexity far outweigh the enhanced security posture. The containerization enabled by NSX micro-segmentation allows organizations to implement two-tiered applications in the manner in which they were designed to operate. Figure 34 shows an example of a two-tiered security architecture applied to a virtual application. 87

88 Chapter 6: Network Security Figure 34. Example of two-tiered application secured with micro-segmentation Use case 1: Micro-segmentation with N-Tier virtual applications Three-tier applications are the most commonly deployed model in enterprises, with each tier requiring specific configuration and changes that can use the NSX capability with vcac. A three-tier application can be used to demonstrate the network and security provisioning capabilities of NSX when integrated with vcac. The web tier is external facing and load balanced, serving web pages to users. Each web server needs to communicate with the application server, and the application server in turn writes to and retrieves data from the database server. The virtual machines are assigned to their respective security groups by the vcac blueprint. These security groups are associated with security policies (firewall rules) enforced by the NSX DFWs. The deployed virtual machines in each tier inherit their specific security policy because of their security group membership, thus ensuring that applications are protected from the moment of deployment. 88

89 Chapter 6: Network Security An example of a micro-segmentation-enabled three-tiered application is shown in Figure 35. Figure 35. Three-tiered application implemented with micro-segmentation As previously stated, many two-tiered applications do not easily lend themselves to being forced to a three-tiered implementation. NSX security groups and security policies We configured security groups in the Service Composer section of the Networking & Security web client, as shown in Figure 36. Three security groups were created, one for each application tier, but were not assigned any members, and no dynamic criteria for assignment were configured. vcac automatically assigns the virtual machines, when provisioned, to the security groups specified in the blueprint. For more details on configuring security groups in a multimachine blueprint, refer to Use case 1: Configure pre-provisioned multimachine blueprint in the Federation Software- Defined Data Center: Foundation Solution Guide. 89

90 Chapter 6: Network Security Figure 36. Networking & Security web client view of the security groups The following security policies, also known as firewall rules, were created for each corresponding security group: The web-tier policy allows external connectivity on ports 80 and 443 to virtual machines in the Web Servers security group. The application-tier policy allows connectivity from the virtual machines in the Web Servers security group to the virtual machines in the Application Servers security group. The application-tier policy allows connectivity from the virtual machines in the Application Servers security group to the database virtual machines in the Database Servers security group. 90

91 Chapter 6: Network Security The full rule set is shown in Figure 37. Figure 37. View of the web, application, and database tier security policies The completed security policies allow access to virtual machines in the web-tier security group over the HTTP and HTTPS protocols and allow the web-tier virtual machines to communicate with the application-tier virtual machines which, in turn, store and retrieve data from the database tier. The NSX firewall is a stateful firewall, so when a connection is allowed and a communication session established, the response communication path is also allowed. All other inbound or outbound traffic is denied by the block rules at the end of the rule set. Like a traditional firewall, rules are applied in chronological order, that is, from top to bottom. The security policy is then applied to the web tier security group, as shown in Figure

92 Chapter 6: Network Security Figure 38. Web server security policy applied to the Web Servers security group Configure preprovisioned multimachine blueprint The final process is the configuration of the multimachine blueprint. In Build Information, the three single-machine blueprints that comprise the multimachine blueprint are shown in Figure 39. Figure 39. Multimachine blueprint showing single-machine components 92

93 Chapter 6: Network Security In Build Information, each component blueprint is then edited, and the network adapter is mapped to the corresponding security groups, as shown in Figure 40. Figure 40. Blueprint network and security group configuration Note: Both the multimachine blueprint and the component blueprints have a Network page, which may cause some confusion. The multimachine blueprint has a Network page on its main properties screen where the transport zone and network profiles (to trigger dynamic networks) are specified. The component blueprint s Network page is displayed when you edit the component blueprint in Build Information. The configurable options on this screen are Network Adaptors and Security groups. The blueprint is published and added to the catalog where it is made available to the finance business group users. Based on the blueprint, vcac clones the virtual machines and attaches them to their respective logical switch network segments. It also adds the provisioned virtual machines to the appropriate security groups. Verify preprovisioned deployment To verify that each virtual machine was placed in the correct security group, check the security group membership in the Service Composer interface of the Networking & Security web client. As shown in Figure 41, the database-tier virtual machine was added to the correct security group and has therefore inherited the firewall rules configured for the database-tier security policy. Figure 41. NSX service composer security groups membership view for the database-tier 93

94 Chapter 6: Network Security Use case 2: Micro-segmentation with converged N-Tier virtual applications As demonstrated in Use case 1: Micro-segmentation with N-Tier virtual applications, micro-segmentation enables significantly greater control and security. However, we can take this a step further. In many cases, micro-segmentation negates the need for a network segment per tier; therefore, we can implement a converged architecture, as shown in Figure 42. Figure 42. Example of converged three-tiered application secured with micro-segmentation The same procedure can be followed to define the security groups and policies. In fact, the same groups and policies can be used. The only difference in blueprint configuration is that you assign the same network profile to the component machine network adapters of the multimachine blueprint. This results in the three tiers being provisioned to the same network segment. 94

95 Chapter 6: Network Security Summary This chapter outlined the network architecture of the Federation Software-Defined Data Center solution, the design considerations involved, and recommended security practices implemented. This chapter also detailed how the network and security architecture was implemented using NSX for vsphere. The three-tier application use cases showcased both traditional and converged N-Tier architectures where we enhanced the security posture through the implementation of micro-segmentation. VMware NSX and vcac offer flexible creation and deployment of workload resources, while providing richer functionality and improved performance over traditional solutions. 95

96 96 Chapter 6: Network Security

97 Chapter 7: Configuration Management Chapter 7 Configuration Management This chapter presents the following topics: Overview vcenter host profiles vsphere Update Manager vcenter Configuration Manager Use case 1: Configure a custom compliance standard Use case 2: Apply exceptions to compliance templates Summary

98 Chapter 7: Configuration Management Overview In the Federation Software-Defined Data Center, we applied the recommendations in the vsphere 5.5 Security Hardening Guide and security configuration recommendations from EMC and other vendors. This raises the challenge of how to apply these hardening recommendations and operational configurations consistently across all affected components in the hypervisor and virtualization plane. You also need to confirm that these configurations are in effect and remain so, ensuring adherence with electronic governance, risk, and compliance (egrc) requirements, in addition to your internal IT or security standards. Configuration management is a vital element of implementing secure systems consistently and in accordance with your security policies. It comprises a collection of steps focused on establishing a configuration baseline to maintain the integrity of the Federation Software-Defined Data Center and the resources it supports. Many organizations IT and security groups face a significant challenge in gaining visibility into configuration management and compliance in their environments. To address this challenge in the Federation Software-Defined Data Center we use a number of native capabilities, such as: vcenter host profiles ensure that a configuration set is applied consistently across all ESXi hosts. Host profiles also enable many vsphere Hardening Guidelines to be centrally applied. It provides a means to perform ad-hoc scans for host compliance with a profile and displays alerts within the vsphere Web Client. vsphere Update Manager enables patch management across virtual appliances and ESXi hosts and provides a means to install and update third-party software on ESXi hosts. Organization can establish a baseline and audit compliance. vcenter Configuration Manager extends the capabilities of vcenter host profiles and vsphere Update Manager to provide inventory and asset management, scheduled configuration and compliance scans, reports and integration with vcenter Operations Manager. In addition, it enables patch management configuration management of Windows and Linux guest operating systems and can audit the entire virtualized environment against many industry or regulatory frameworks and standards. 98

99 Chapter 7: Configuration Management vcenter host profiles vcenter host profiles ensure that a consistent configuration is applied across all vsphere ESXi hosts when the Federation Software-Defined Data Center is initially deployed and as it is scaled out to meet future capacity requirements. Specifically, host profiles: Ensure consistency for compliance Reduce the deployment time for new hosts Apply the same change to multiple hosts To apply the same configuration settings to a group of vsphere ESXi hosts, you can create or import a host profile. When you create or import a host profile you must associate it with a reference host, this also allows you to update the profile from a reference host. When firmware upgrades or other events happen that require storage, network, or security configuration changes on multiple hosts in a cluster, you can edit the host profile and apply it across the cluster for consistent configuration updates. In addition, you can remove any settings that must be excluded from the host profile check to avoid propagating host configuration values that need to be unique across your environment. Figure 43 shows some of the available parameters that can be configured in a host profile. Figure 43. View of some of the available host profile configuration parameters 99

100 Chapter 7: Configuration Management When the host profile has been created and configured, it can be attached to one or more vsphere hosts or clusters. Once attached, the host configuration is compared against the host profile and any deviations are reported. For example, Figure 44 shows a non-compliant status for one of the hosts in the cluster. Figure 44. View of host compliance status with host profile Additional host profiles, shown in Figure 45, correspond to other clusters in our test environment that have different vds configurations and demonstrate that you can have multiple host profiles according to your configuration requirements. Note: You may only associate ESXi hosts and clusters with a single host profile. New hosts that are added to vcenter Server can be configured by applying the host profile. Using this configuration management feature, you can create a profile once, and then use it for multiple vsphere hosts, enabling rapid configuration. This feature also eliminates the need to set up specialized scripts or to manually configure hosts. Scheduled tasks can be created that will routinely check host compliance against the host profile, the results, and log a vcenter event. You can also view the 100

101 Chapter 7: Configuration Management compliance status in the vsphere Web Client by selecting the host profile and selecting Monitor, as shown in Figure 45. vsphere Update Manager Figure 45. Compliance view of the clusters attached to the Resource Pods host profile When compliance checks return a non-compliant status, a vcenter error event is generated that can be tracked in vcenter Operations Manager. While vcenter Operations Manager is beyond the scope of this security guide, it is discussed in detail in the Federation Software-Defined Data Center: Foundation Solution Guide. Organizations that are unable to patch systems effectively and efficiently are susceptible to compromises that are easily preventable. Consider patch management carefully in the context of security, because it is important in establishing and maintaining a solid security baseline. In addition, patch management is a core requirement of various security compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS) that requires that all system components and software are protected from known vulnerabilities by having the latest vendorsupplied security patches installed. To address patch management in the Federation Software-Defined Data Center, VMware vsphere Update Manager (VUM) is used to keep vsphere hosts and virtual appliances up-to-date. VUM automates patch management and eliminates manual tracking and patching of vsphere hosts and virtual appliances. 101

102 Chapter 7: Configuration Management vsphere Update Manager includes these core features: A compliance dashboard to provide visibility into the patch and upgrade status of hosts and virtual appliances for compliance to static or dynamic baselines Stage and schedule patching for remote sites and scheduled maintenance windows Deployment of patches that are downloaded directly from a vendor website, including drivers, Common Information Model (CIM), and other updates from hardware vendors for VMware vsphere hosts Patching can lead to compatibility errors that require remediation. VUM can eliminate the most common patching problems before they occur, ensuring that the time you save in batch-processing automation is not wasted later in performing rollbacks. Benefits of VUM include: Storing snapshots for a user-defined period, so that administrators can roll back the virtual machine if necessary. Securely patching offline virtual machines without exposing them to the network, reducing the risk of non-compliant virtual machines. Ensuring the most current version of a patch is applied with automatic notification services. vsphere Update Manager compares the state of vsphere hosts with baselines, and can then stage and patch them to enforce compliance. Figure 46 shows examples of different types of baselines. Figure 46. Examples of baselines configured in vsphere Update Manager 102

103 Chapter 7: Configuration Management As an example, the Critical Host Patches baseline that ships with vsphere Update Manager, as shown in Figure 47, is configured to include any patch of severity Critical from any vendor for any product as its inclusion criteria. This is a good example of a dynamic baseline where the baseline updates and the vendors release additional patches. Fixed baselines are for upgrades, and extension baselines are statically defined. Figure 47. Example of patch inclusion criteria for a vsphere Update Manager baseline The inclusion criteria are granular; you can include or exclude individual patches, giving you the flexibility to define a custom baseline specific to your environment. In addition, you can include non-vmware extensions, such as EMC PowerPath/VE in a custom baseline, as shown in Figure

104 Chapter 7: Configuration Management Figure 48. EMC PowerPath/VE extension added to vsphere Update Manager custom baseline This enables you to deploy EMC PowerPath/VE (and any other extensions) to all your ESXi hosts and ensure that consistent revision control is maintained throughout your environment. Baselines can be grouped together and included in a baseline group, as shown in Figure 49. Figure 49. Components of the baseline group Baseline groups are useful in applying multiple baselines to virtual appliances, hosts, clusters, or data center objects but especially when you audit compliance, because the compliance status can be viewed across the group of baselines, not individually. The vsphere Update Manager Compliance view in the vsphere Web Client provides a quick overview of your compliance status. An example is shown in Figure

105 Chapter 7: Configuration Management Figure 50. View of compliance state for the Core Pod In this example, of the hosts in the cluster, 50 percent are out of compliance and the affected baseline group and individual baseline are red-flagged as non-compliant. In addition, the type of update is red-flagged on the affected host. To rectify this situation, click Remediate to start the remediation wizard. From there, the appropriate baseline can be applied to the affected assets, as shown in Figure 51. Figure 51. Selection view of the vsphere Update Manager Remediation wizard You can schedule the remediation for a later time and date. This is useful when you are restricted to a maintenance window and combine a scheduled remediation with the staging feature to ensure you meet your maintenance window requirements. As shown in Figure 51, the extension has already been staged. The remediation wizard also allows for the selection of host remediation options including the virtual machine power state and the disabling of any removable media mounted to virtual machines on the hosts to be remediated. The cluster remediation options are shown in Figure

106 Chapter 7: Configuration Management Figure 52. Cluster remediation options presented in the Remediation wizard Selecting the Enable parallel remediation option, as shown in Figure 52, can significantly reduce the time to remediate by running the remediation tasks in parallel on clusters with two or more hosts and according to the resources in demand on the cluster at the time of remediation. It is important to note that when remediating a vsphere cluster with DRS enabled, all workloads remain available throughout the remediation process. 106

107 Chapter 7: Configuration Management vcenter Configuration Manager The security status of each cloud system changes dynamically. These changes may be caused by a cloud administrator operation introducing risk into the environment, cloud components that are susceptible to a vulnerability, or an external environment change such as a new attack method. Therefore, it is important to continuously monitor the security status of the Federation Software-Defined Data Center, mitigate or remediate the potential risk, and keep the system compliant to a security baseline. In this solution, we integrated VMware vcenter Configuration Manager (VCM) to build a configuration compliance audit and management system. VCM provides a unified dashboard for managing configuration compliance. It integrates with vsphere to perform configuration data collection, which enables the vsphere infrastructure and its dependent components to be audited, exceptions to policy flagged, and remediation performed. Preset rules and templates are available that enable you to begin monitoring system compliance to regulatory (Sarbanes-Oxley or SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach- Bliley Act (GLBA), Federal Information Security Management Act (FISMA), industry (PCI DSS), and Microsoft standards, as shown in Figure 53. Figure 53. View of the VCM compliance dashboards showing vsphere Hardening compliance Examples of elements that can be tracked for compliance are: Hypervisor configuration through vcenter host profiles Hypervisor and virtual appliance patch management through VUM baselines Linux and Windows guest OS configuration Regulatory and industry standards through default compliance toolkits 107

108 Chapter 7: Configuration Management Configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines, and regulatory mandates such as: Security best practices developed by the Defense Information Systems Agency (DISA STIGs), the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and many more Hardening guidelines from VMware and Microsoft Regulatory mandates such as SOX, the PCI standard, HIPAA, and FISMA You can also use VCM to assess compliance with your own internal IT standard to drive best practices in your environment. The integration between vcenter Operations Manager and VCM includes using the VCM compliance template results to contribute to the Risk badge score in vcenter Operations Manager, as shown in Figure 54. Figure 54. vc Ops dashboard displaying Risk badge score The compliance templates are included in badge mappings that are run in VCM against objects in vcenter Server instances that are managed by both VCM and vcenter Operations Manager. These objects include virtual machines, host systems, clusters, vcenter Server instances, and datastores. The compliance mapping results determine the compliance score. Expanding the risk status table in Figure 54 displays the compliance status summary, shown in Figure

109 Chapter 7: Configuration Management Figure 55. vc Ops dashboard displaying compliance status summary vcenter Operations Manager pulls the scores into the formulas used to calculate the Risk badge scores. When you review the standards compliance in vcenter Operations Manager, you can navigate back to VCM to view the detailed results and identify any configuration changes that you must make to bring an object that is non-compliant back into compliance. Enable operational compliance Operational compliance views enable you to proactively enforce configuration standards, detect configuration drift early, and automatically remediate against violations of IT policies. You can also harden the infrastructure for security and regulatory requirements. Preparing for and responding to an audit is no longer an intimidating and time consuming process because, with automated reporting, you can pinpoint critical areas with ease. Compliance views are tightly integrated with the operations dashboard for comprehensive visibility into the health, risk, and efficiency of the infrastructure and applications. 109

110 Chapter 7: Configuration Management Figure 56. Risk dashboard showing compliance status in environment Use case 1: Configure a custom compliance standard Compliance rules compare your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you import or create, to determine if the machines meet the standards. The results of the compliance run notify you what machines comply with or are in violation of the standards. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from VCM. Preset rules and templates are available that enable you to begin monitoring system compliance to any imported regulatory, industry, or vendor standards. You can create and manage rules and rule groups based on Active Directory, virtualization and physical objects and configuration data, or on machine data. Note: The VCM Compliance Monitor does not query systems directly, but rather it queries the VCM data collection database. If a machine has not been included in a collection, the collection is not configured correctly, or the last collection is outdated, then the Compliance Monitor will report incorrect or out-of-date results. Therefore, for accurate compliance monitoring, you must first collect the necessary data. 110

111 Chapter 7: Configuration Management Custom compliance rules Create a rule group To create a rule group: 1. In the VCM console, navigate to Compliance -> Virtual Environment Compliance > Rule Groups. 2. Click Add and then provide a name for the new rule, as shown in Figure 57. Figure 57. VCM custom rule creation view 3. To add compliance rules to the rule group just created, expand the rule group, select Rules, and then click Add in the menu bar, as shown in Figure 58. Figure 58. Creating a custom compliance rule 4. In this example, to check that vmtools is running in guest virtual machines, enter an appropriate rule name and description. 5. Select vcenter Guests Summary, as shown in Figure 59, from the list of data types to collect. 111

112 Chapter 7: Configuration Management Figure 59. Data type to select for custom compliance rule 6. Select the Conditional rule type to exclude those virtual machines that do not have vmtools installed. 7. On the next screen, click Add to create the IF rule criteria. Select Tools Version Status from the list and select the <> (NOT) operator, then click the ellipsis ( ) to select the correct state. 8. To exclude virtual machines where vmtools is not installed, click the ellipsis and select guesttoolsnotinstalled. 9. In the THEN panel, click Add to create the THEN rule criteria. 10. Select Tools Running Status from the list and click the ellipsis to choose the correct state. 11. To check that the vmtools are running, click the ellipsis and select guesttoolsrunning, as shown in Figure 60. Figure 60. Rule criteria selection for detecting vmtools running state 112

113 Chapter 7: Configuration Management 12. On the Options screen leave the severity as Moderate and click Finish to exit the wizard. Note: On the Options screen, you can change the severity according to your requirements. You can also configure an automatic remediation action by enabling the enforcement checkbox and configuring the appropriate action. Filtering the results In this example, to show only those results for guests in the inventory of the two Federation Software-Defined Data Center vcenter servers, add a filter to the rule group but follow the same sequence, as shown in Figure 61. Figure 61. Creating a custom compliance rule group filter 1. On the Data Type screen select vcenter Guests Summary, as shown in Figure 62. Select Basic as the rule type for the filter. 2. On the next screen specify the vcenters to filter by choosing the OR operator as indicated in Figure 62. Figure 62. Selecting vcenters to filter 3. Select vcenter from the list and click the ellipsis to choose the Core vcenter. Click Add and repeat the process for the Cloud vcenter. 113

114 Chapter 7: Configuration Management Compliance preview results To test the compliance rule created, select the rule, click Preview, and choose Do not apply machine filters to preview. This produces a list of guests in the vcenter inventories that have vmtools installed but are not running. A sample output is shown in Figure 63. Figure 63. Sample out-of-compliance results for the custom vmtools rule Custom compliance template Add custom rule group to new template A template is a collection of rule groups and can be included in scheduled collections. To add a custom rule group to a custom template: 1. Navigate to Virtual Compliance Templates. 2. Click Add in the menu bar, and then provide a name and description for the template, as shown in Figure 64. Figure 64. VCM Compliance view showing new template steps 3. On the Rule Groups screen, as shown in Figure 65, select the rule group created earlier and on the Template Options screen keep the defaults and click Next, and then click Finish. 114

115 Chapter 7: Configuration Management Figure 65. Rule groups to choose from in the template creation wizard 4. To run the Custom Compliance Template to verify the configuration, select the Templates folder and click the newly created Custom Compliance Template. 5. Click Run Template. A configuration screen opens. Leave the options at default. 6. Click OK and the compliance run completes. Refresh the UI to see the resulting data rows. To see a graphical representation of the compliance data results, click the newly created Custom Compliance Template in the navigation side bar. A summary is displayed similar to that shown in Figure

116 Chapter 7: Configuration Management Figure 66. Graphical summary of the Custom Compliance Template results Use case 2: Apply exceptions to compliance templates To temporarily or permanently override the specific template results, exceptions are used rather than explicitly resolving non-compliant results. The exceptions are applied against the compliance template results and indicate that a specific result is compliant or non-compliant even though it does not match the requirements of the rules. Examples of where exceptions may be necessary are: Avamar image-level backup and restore. Avamar uses the http datastore browser feature in vcenter to backup or restore virtual machines Cloud Foundry requires that the managed object browser (MOB) be enabled on the vcenter server or deployments of Cloud Foundry will fail Disabling the http datastore browser and MOB features in accordance with the vsphere Hardening Guidelines would break critical functionality. Exceptions are created so results are not skewed. 116

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Solution Guide EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Security Management Solution Guide EMC Solutions Abstract This Solution Guide provides information about

More information

EMC HYBRID CLOUD 2.5 WITH VMWARE

EMC HYBRID CLOUD 2.5 WITH VMWARE Solution Guide EMC HYBRID CLOUD 2.5 WITH VMWARE EMC Solutions Abstract This Solution Guide provides an introduction to VMware vcloud Suite, and the EMC hardware, software, and services portfolio. This

More information

EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition

EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition Solution Guide EMC Enterprise Hybrid Cloud 2.5.1, Federation Software-Defined Data Center Edition Foundation Infrastructure Solution Guide Abstract This Solution Guide provides an introduction to VMware

More information

Federation Software-Defined Data Center

Federation Software-Defined Data Center Reference Architecture Federation Software-Defined Data Center Foundation Infrastructure Reference Architecture Infrastructure as a service Automated provisioning and monitoring Service-driven IT operations

More information

EMC HYBRID CLOUD 2.5 WITH VMWARE

EMC HYBRID CLOUD 2.5 WITH VMWARE Reference Architecture EMC HYBRID CLOUD 2.5 WITH VMWARE Infrastructure as a service Automated provisioning and monitoring Service-driven IT operations EMC Solutions September 2014 Copyright 2014 EMC Corporation.

More information

DEPLOYING AND MANAGING MICROSOFT APPLICATIONS IN EMC HYBRID CLOUD WITH VMWARE

DEPLOYING AND MANAGING MICROSOFT APPLICATIONS IN EMC HYBRID CLOUD WITH VMWARE DEPLOYING AND MANAGING MICROSOFT APPLICATIONS IN EMC HYBRID CLOUD WITH VMWARE Based on the EMC Hybrid Cloud with VMware Foundation Infrastructure Solution 2.5 EMC Solutions Abstract This describes how

More information

Federation Software-Defined Data Center

Federation Software-Defined Data Center SOLUTION GUIDE Federation Software-Defined Data Center Data Protection Backup Solution Guide Abstract This Solution Guide describes the data protection operations and services provided as a modular add-on

More information

EMC HYBRID CLOUD 2.5 WITH VMWARE

EMC HYBRID CLOUD 2.5 WITH VMWARE SOLUTION GUIDE EMC HYBRID CLOUD 2.5 WITH VMWARE EMC Solutions Abstract This Solution Guide describes the data protection operations and services provided as a modular add-on to the EMC Hybrid Cloud solution.

More information

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Solution Guide EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Public Cloud Solution Guide EMC Solutions Abstract This Solution Guide describes the hybrid nature of the

More information

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition

EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Solution Guide EMC Enterprise Hybrid Cloud 2.5, Federation Software-Defined Data Center Edition Pivotal CF Platform as a Service Solution Guide EMC Solutions Abstract This Solution Guide describes the

More information

EMC ENTERPRISE PRIVATE CLOUD

EMC ENTERPRISE PRIVATE CLOUD Reference Architecture EMC ENTERPRISE PRIVATE CLOUD Infrastructure as a service Automated provisioning and monitoring Service-driven IT operations EMC Solutions January 2014 Copyright 2014 EMC Corporation.

More information

EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH VMWARE VCLOUD SUITE

EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH VMWARE VCLOUD SUITE DESIGN AND IMPLEMENTATION GUIDE EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH VMWARE VCLOUD SUITE EMC VSPEX Abstract This describes how to design virtualized VMware vcloud Suite resources on

More information

EMC ENTERPRISE HYBRID CLOUD 2.5.1, FEDERATION SOFTWARE-DEFINED DATA CENTER EDITION: DEPLOYING ORACLE DATABASE AS A SERVICE

EMC ENTERPRISE HYBRID CLOUD 2.5.1, FEDERATION SOFTWARE-DEFINED DATA CENTER EDITION: DEPLOYING ORACLE DATABASE AS A SERVICE White Paper EMC ENTERPRISE HYBRID CLOUD 2.5.1, FEDERATION SOFTWARE-DEFINED DATA CENTER EDITION: DEPLOYING ORACLE DATABASE AS A SERVICE EMC Enterprise Hybrid Cloud 2.5.1 with VMware, VMware vcloud Application

More information

EMC ENTERPRISE HYBRID CLOUD 2.5 FEDERATION SOFTWARE- DEFINED DATA CENTER EDITION

EMC ENTERPRISE HYBRID CLOUD 2.5 FEDERATION SOFTWARE- DEFINED DATA CENTER EDITION Solution Guide EMC ENTERPRISE HYBRID CLOUD 2.5 FEDERATION SOFTWARE- DEFINED DATA CENTER EDITION Hadoop Applications Solution Guide EMC Solutions Abstract This document serves as a reference for planning

More information

EMC HYBRID CLOUD 2.5 WITH VMWARE FOR SAP APPLICATIONS

EMC HYBRID CLOUD 2.5 WITH VMWARE FOR SAP APPLICATIONS White Paper EMC HYBRID CLOUD 2.5 WITH VMWARE FOR SAP APPLICATIONS VMware vcloud Application Director, Blue Medora vcenter Operations Management Pack for SAP CCMS, EMC ViPR, EMC ViPR SRM Integrate two clouds

More information

ABSTRACT. September 2015

ABSTRACT. September 2015 ABSTRACT This Solution Guide provides an introduction to the concepts and architectural options available within the Federation Enterprise Hybrid Cloud solution. It should be used as an aid to deciding

More information

MICROSOFT CLOUD REFERENCE ARCHITECTURE: FOUNDATION

MICROSOFT CLOUD REFERENCE ARCHITECTURE: FOUNDATION Reference Architecture Guide MICROSOFT CLOUD REFERENCE ARCHITECTURE: FOUNDATION EMC VNX, EMC VMAX, EMC ViPR, and EMC VPLEX Microsoft Windows Hyper-V, Microsoft Windows Azure Pack, and Microsoft System

More information

EMC BACKUP-AS-A-SERVICE

EMC BACKUP-AS-A-SERVICE Reference Architecture EMC BACKUP-AS-A-SERVICE EMC AVAMAR, EMC DATA PROTECTION ADVISOR, AND EMC HOMEBASE Deliver backup services for cloud and traditional hosted environments Reduce storage space and increase

More information

INTEGRATING CLOUD ORCHESTRATION WITH EMC SYMMETRIX VMAX CLOUD EDITION REST APIs

INTEGRATING CLOUD ORCHESTRATION WITH EMC SYMMETRIX VMAX CLOUD EDITION REST APIs White Paper INTEGRATING CLOUD ORCHESTRATION WITH EMC SYMMETRIX VMAX CLOUD EDITION REST APIs Provisioning storage using EMC Symmetrix VMAX Cloud Edition Using REST APIs for integration with VMware vcloud

More information

EMC Data Protection Advisor 6.0

EMC Data Protection Advisor 6.0 White Paper EMC Data Protection Advisor 6.0 Abstract EMC Data Protection Advisor provides a comprehensive set of features to reduce the complexity of managing data protection environments, improve compliance

More information

FEDERATION ENTERPRISE HYBRID CLOUD 3.1 Microsoft Applications Solution Guide

FEDERATION ENTERPRISE HYBRID CLOUD 3.1 Microsoft Applications Solution Guide FEDERATION ENTERPRISE HYBRID CLOUD 3.1 Microsoft Applications Solution Guide ABSTRACT This solution guide describes how to use the Federation Enterprise Hybrid Cloud 3.1 to provision and manage new and

More information

vcloud Suite Architecture Overview and Use Cases

vcloud Suite Architecture Overview and Use Cases vcloud Suite Architecture Overview and Use Cases vcloud Suite 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Advanced Service Design

Advanced Service Design vcloud Automation Center 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS VCE Word Template Table of Contents www.vce.com MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS January 2012 VCE Authors: Changbin Gong: Lead Solution Architect Michael

More information

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION

EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION EMC SYNCPLICITY FILE SYNC AND SHARE SOLUTION Automated file synchronization Flexible, cloud-based administration Secure, on-premises storage EMC Solutions January 2015 Copyright 2014 EMC Corporation. All

More information

EMC HYBRID CLOUD SOLUTION FOR HEALTHCARE

EMC HYBRID CLOUD SOLUTION FOR HEALTHCARE EMC HYBRID CLOUD SOLUTION FOR HEALTHCARE Next-Generation Health IT at the Point-of-Care ESSENTIALS Delivering ITaaS via a trusted, well-run EMC Hybrid Cloud drives business alignment, efficiency, and end-user

More information

EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH MICROSOFT SYSTEM CENTER

EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH MICROSOFT SYSTEM CENTER DESIGN AND IMPLEMENTATION GUIDE EMC VSPEX SOLUTION FOR INFRASTRUCTURE AS A SERVICE WITH MICROSOFT SYSTEM CENTER EMC VSPEX Abstract This describes how to design virtualized Microsoft System Center resources

More information

Enterprise Hybrid Cloud. Wong Tran

Enterprise Hybrid Cloud. Wong Tran Enterprise Hybrid Cloud Wong Tran 1 Hybrid Clouds Will Be Pervasive Hybrid Private Cloud Cloud Public Cloud 2 Build Your Hybrid Cloud Strategy Economic Evaluation Trust Assessment Functional Assessment

More information

EMC VSPEX END-USER COMPUTING

EMC VSPEX END-USER COMPUTING IMPLEMENTATION GUIDE EMC VSPEX END-USER COMPUTING VMware Horizon 6.0 with View and VMware vsphere for up to 2,000 Virtual Desktops Enabled by EMC VNX and EMC Data Protection EMC VSPEX Abstract This describes

More information

REDEFINE SIMPLICITY TOP REASONS: EMC VSPEX BLUE FOR VIRTUALIZED ENVIRONMENTS

REDEFINE SIMPLICITY TOP REASONS: EMC VSPEX BLUE FOR VIRTUALIZED ENVIRONMENTS REDEFINE SIMPLICITY AGILE. SCALABLE. TRUSTED. TOP REASONS: EMC VSPEX BLUE FOR VIRTUALIZED ENVIRONMENTS Redefine Simplicity: Agile, Scalable and Trusted. Mid-market and Enterprise customers as well as Managed

More information

How Cisco IT Automated End-to-End Infrastructure Provisioning In an Internal Private Cloud

How Cisco IT Automated End-to-End Infrastructure Provisioning In an Internal Private Cloud Cisco IT Case Study June 2012 Cisco IT Elastic Infrastructure (CITEIS) Gen2 How Cisco IT Automated End-to-End Infrastructure Provisioning In an Internal Private Cloud Offering Infrastructure as a Service

More information

VCE Vision Intelligent Operations Version 2.5 Technical Overview

VCE Vision Intelligent Operations Version 2.5 Technical Overview Revision history www.vce.com VCE Vision Intelligent Operations Version 2.5 Technical Document revision 2.0 March 2014 2014 VCE Company, 1 LLC. Revision history VCE Vision Intelligent Operations Version

More information

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking

More information

White Paper: AirSembly Datacenter Architecture Models

White Paper: AirSembly Datacenter Architecture Models White Paper: AirSembly Datacenter Architecture Models AirSembly Version 1.6 August 2015 Abstract: This white paper outlines different scenarios in which AirSembly can be configured. It presents common

More information

Master Hybrid Cloud Management with VMware vrealize Suite. Increase Business Agility, Efficiency, and Choice While Keeping IT in Control

Master Hybrid Cloud Management with VMware vrealize Suite. Increase Business Agility, Efficiency, and Choice While Keeping IT in Control Master Hybrid Cloud Management with VMware vrealize Suite Increase Business Agility, Efficiency, and Choice While Keeping IT in Control Empower IT to Innovate The time is now for IT organizations to take

More information

VMware vcloud Air - Disaster Recovery User's Guide

VMware vcloud Air - Disaster Recovery User's Guide VMware vcloud Air - Disaster Recovery User's Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

CloudCenter Full Lifecycle Management. An application-defined approach to deploying and managing applications in any datacenter or cloud environment

CloudCenter Full Lifecycle Management. An application-defined approach to deploying and managing applications in any datacenter or cloud environment CloudCenter Full Lifecycle Management An application-defined approach to deploying and managing applications in any datacenter or cloud environment CloudCenter Full Lifecycle Management Page 2 Table of

More information

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.

More information

EMC ENCRYPTION AS A SERVICE

EMC ENCRYPTION AS A SERVICE White Paper EMC ENCRYPTION AS A SERVICE With CloudLink SecureVSA Data security for multitenant clouds Transparent to applications Tenant control of encryption keys EMC Solutions Abstract This White Paper

More information

VMware vcloud Networking and Security

VMware vcloud Networking and Security VMware vcloud Networking and Security Efficient, Agile and Extensible Software-Defined Networks and Security BROCHURE Overview Organizations worldwide have gained significant efficiency and flexibility

More information

Frequently Asked Questions: EMC ViPR Software- Defined Storage Software-Defined Storage

Frequently Asked Questions: EMC ViPR Software- Defined Storage Software-Defined Storage Frequently Asked Questions: EMC ViPR Software- Defined Storage Software-Defined Storage Table of Contents What's New? Platform Questions Customer Benefits Fit with Other EMC Products What's New? What is

More information

LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM

LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM Leverage Vblock Systems for Esri's ArcGIS System Table of Contents www.vce.com LEVERAGE VBLOCK SYSTEMS FOR Esri s ArcGIS SYSTEM August 2012 1 Contents Executive summary...3 The challenge...3 The solution...3

More information

Software-Defined Networks Powered by VellOS

Software-Defined Networks Powered by VellOS WHITE PAPER Software-Defined Networks Powered by VellOS Agile, Flexible Networking for Distributed Applications Vello s SDN enables a low-latency, programmable solution resulting in a faster and more flexible

More information

EMC ViPR for On-Demand File Storage with EMC Syncplicity and EMC Isilon or EMC VNX

EMC ViPR for On-Demand File Storage with EMC Syncplicity and EMC Isilon or EMC VNX EMC ViPR for On-Demand File Storage with EMC Syncplicity and EMC Isilon or EMC VNX EMC Solutions Abstract This document describes how to deploy EMC ViPR software-defined storage in an existing EMC Isilon

More information

VMware's Cloud Management Platform Simplifies and Automates Operations of Heterogeneous Environments and Hybrid Clouds

VMware's Cloud Management Platform Simplifies and Automates Operations of Heterogeneous Environments and Hybrid Clouds VMware's Cloud Platform Simplifies and Automates Operations of Heterogeneous Environments and Hybrid Clouds Ekkarat Klinbubpa Senior Business Development Manager, VMware 2009 VMware Inc. All rights reserved

More information

MOVING TO FEDERATION ENTERPRISE HYBRID CLOUD 3.0

MOVING TO FEDERATION ENTERPRISE HYBRID CLOUD 3.0 1 MOVING TO FEDERATION ENTERPRISE HYBRID CLOUD 3.0 JONATHAN CYR @CYR5999 2 ROADMAP INFORMATION DISCLAIMER EMC makes no representation and undertakes no obligations with regard to product planning information,

More information

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved. Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security

More information

Building the Virtual Information Infrastructure

Building the Virtual Information Infrastructure Technology Concepts and Business Considerations Abstract A virtual information infrastructure allows organizations to make the most of their data center environment by sharing computing, network, and storage

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

Enabling Storage Services in Virtualized Cloud Environments

Enabling Storage Services in Virtualized Cloud Environments Cloud Environments Contents 1. Multi-Tenant Architecture... 4 2. Server Groups, Attributes, and Aggregation... 4 3. Capacity Planning as a Service... 6 4. Chargeback as a Service... 9 4.1. Storage Chargeback...

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility

More information

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc. White Paper Juniper Networks Solutions for VMware NSX Enabling Businesses to Deploy Virtualized Data Center Environments Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3

More information

Netzwerkvirtualisierung? Aber mit Sicherheit!

Netzwerkvirtualisierung? Aber mit Sicherheit! Netzwerkvirtualisierung? Aber mit Sicherheit! Markus Schönberger Advisory Technology Consultant Trend Micro Stephan Bohnengel Sr. Network Virtualization SE VMware Agenda Background and Basic Introduction

More information

私 有 雲 再 進 化 EMC Hybrid Cloud 解 決 方 案. 徐 師 亮 Sydney Hsu / EMC 系 統 工 程 協 理

私 有 雲 再 進 化 EMC Hybrid Cloud 解 決 方 案. 徐 師 亮 Sydney Hsu / EMC 系 統 工 程 協 理 私 有 雲 再 進 化 EMC Hybrid Cloud 解 決 方 案 徐 師 亮 Sydney Hsu / EMC 系 統 工 程 協 理 BUSINESS IS MOVING MUCH FASTER TRADITIONAL IT TEAM ENTREPRENURIAL BUSINESS TEAM MEASURE SUCCESS IN YEARS MEASURE SUCCESS IN WEEKS

More information

TRANSFORMING DATA PROTECTION

TRANSFORMING DATA PROTECTION TRANSFORMING DATA PROTECTION Moving from Reactive to Proactive Mark Galpin 1 Our Protection Strategy: Best Of Breed Performance LEADER HIGH-END STORAGE VMAX Low Service Level LEADER SCALE-OUT NAS STORAGE

More information

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems Simplified Management With Hitachi Command Suite By Hitachi Data Systems April 2015 Contents Executive Summary... 2 Introduction... 3 Hitachi Command Suite v8: Key Highlights... 4 Global Storage Virtualization

More information

EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE

EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE EMC IT AUTOMATES ENTERPRISE PLATFORM AS A SERVICE Self-service portal delivers ready-to-use development platform in less than one hour Application developers order from online catalog with just a few clicks

More information

How Network Virtualization can improve your Data Center Security

How Network Virtualization can improve your Data Center Security How Network Virtualization can improve your Data Center Security Gilles Chekroun SDDC, NSX Team EMEA gchekroun@vmware.com 2014 VMware Inc. All rights reserved. Security IT spending Security spending is

More information

VMware vsphere Data Protection

VMware vsphere Data Protection VMware vsphere Data Protection Replication Target TECHNICAL WHITEPAPER 1 Table of Contents Executive Summary... 3 VDP Identities... 3 vsphere Data Protection Replication Target Identity (VDP-RT)... 3 Replication

More information

EMC Data Domain Management Center

EMC Data Domain Management Center EMC Data Domain Management Center Version 1.1 Initial Configuration Guide 302-000-071 REV 04 Copyright 2012-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes

More information

Data center fo the future software defined DC

Data center fo the future software defined DC Data center fo the future software defined DC Giedrius Markevičius Prekybos vadovas Baltijos šalims 2011 VMware Inc. All rights reserved It took us 4 years to get to 1 million VMs, now we add 1 million

More information

Learn how to build Enterprise Hybrid Clouds for your customers using VMware vcloud

Learn how to build Enterprise Hybrid Clouds for your customers using VMware vcloud Learn how to build Enterprise Hybrid Clouds for your customers using VMware vcloud 1 The business has strict demands of IT As the CIO, I provide Through Cloud I am able business with the to cost effectively

More information

VMware vsphere Data Protection 6.0

VMware vsphere Data Protection 6.0 VMware vsphere Data Protection 6.0 TECHNICAL OVERVIEW REVISED FEBRUARY 2015 Table of Contents Introduction.... 3 Architectural Overview... 4 Deployment and Configuration.... 5 Backup.... 6 Application

More information

Copyright 2015 EMC Corporation. All rights reserved. 1

Copyright 2015 EMC Corporation. All rights reserved. 1 Copyright 2015 EMC Corporation. All rights reserved. 1 CLOUD READY DATA PROTECTION BUILT FOR SOFTWARE DEFINED DATACENTER YATIN PATIL Copyright 2015 EMC Corporation. All rights reserved. 2 TWEET US! Are

More information

Journey to the Private Cloud. Key Enabling Technologies

Journey to the Private Cloud. Key Enabling Technologies Journey to the Private Cloud Key Enabling Technologies Jeffrey Nick Chief Technology Officer Senior Vice President EMC Corporation June 2010 1 The current I/T state: Infrastructure sprawl Information explosion

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

vshield Administration Guide

vshield Administration Guide vshield Manager 5.1 vshield App 5.1 vshield Edge 5.1 vshield Endpoint 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

EMC DATA PROTECTION ADVISOR

EMC DATA PROTECTION ADVISOR EMC DATA PROTECTION ADVISOR Unified Data Protection Management ESSENTIALS Built to meet the data protection requirements of the cloud computing era Single, unified solution provides end-to-end visibility

More information

DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTION NS FOR VSPEXX PRIVATE CLOUD EMC VSPEX December 2014

DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTION NS FOR VSPEXX PRIVATE CLOUD EMC VSPEX December 2014 DESIGN AND IMPLEMENTATION GUIDE EMC DATA PROTECTION OPTIONS FOR VSPEX PRIVATE CLOUD EMC VSPEX December 2014 Copyright 2013-2014 EMC Corporation. All rights reserved. Published in USA. Published December,

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, VMware vcenter Converter A Detailed Review EMC Information Infrastructure Solutions Abstract This white paper

More information

CompTIA Cloud+ 9318; 5 Days, Instructor-led

CompTIA Cloud+ 9318; 5 Days, Instructor-led CompTIA Cloud+ 9318; 5 Days, Instructor-led Course Description The CompTIA Cloud+ certification validates the knowledge and best practices required of IT practitioners working in cloud computing environments,

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Cisco Virtual Network Management Center

Cisco Virtual Network Management Center Data Sheet Cisco Virtual Network Management Center Introduction The dynamic nature of the cloud paradigm introduces new needs for automation, but it also facilitates new types of automation due to the

More information

HP Server Automation Standard

HP Server Automation Standard Data sheet HP Server Automation Standard Lower-cost edition of HP Server Automation software Benefits Time to value: Instant time to value especially for small-medium deployments Lower initial investment:

More information

Foundations and Concepts

Foundations and Concepts vcloud Automation Center 6.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend: CompTIA Cloud+ Length: 5 Days Who Should Attend: Project manager, cloud computing services Cloud engineer Manager, data center SAN Business analyst, cloud computing Summary: The CompTIA Cloud+ certification

More information

EMC CLOUD-ENABLED INFRASTRUCTURE FOR SAP - BUSINESS CONTINUITY SERIES: DATA PROTECTION BUNDLE

EMC CLOUD-ENABLED INFRASTRUCTURE FOR SAP - BUSINESS CONTINUITY SERIES: DATA PROTECTION BUNDLE White Paper EMC CLOUD-ENABLED INFRASTRUCTURE FOR SAP - BUSINESS CONTINUITY SERIES: DATA PROTECTION BUNDLE EMC Symmetrix VMAX, EMC Data Domain, EMC Avamar, and EMC Data Protection Advisor Comprehensive

More information

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Additional Features and Benefits of

More information

Brocade One Data Center Cloud-Optimized Networks

Brocade One Data Center Cloud-Optimized Networks POSITION PAPER Brocade One Data Center Cloud-Optimized Networks Brocade s vision, captured in the Brocade One strategy, is a smooth transition to a world where information and applications reside anywhere

More information

VMware Virtualization and Cloud Management Solutions. A Modern Approach to IT Management

VMware Virtualization and Cloud Management Solutions. A Modern Approach to IT Management VMware Virtualization and Cloud Management Solutions A Modern Approach to IT Management Transform IT Management to Enable IT as a Service Corporate decision makers are transforming their businesses by

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

About the VM-Series Firewall

About the VM-Series Firewall About the VM-Series Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/

More information

EMC BACKUP-AS-A-SERVICE

EMC BACKUP-AS-A-SERVICE White Paper EMC BACKUP-AS-A-SERVICE EMC Avamar, VMware vcloud Director, and VMware vcenter Orchestrator Provide portal-based backup management Deliver single click backup and restore for vcloud Director

More information

vcloud Air Disaster Recovery Technical Presentation

vcloud Air Disaster Recovery Technical Presentation vcloud Air Disaster Recovery Technical Presentation Agenda 1 vcloud Air Disaster Recovery Overview 2 What s New 3 Architecture 4 Setup and Configuration 5 Considerations 6 Automation Options 2 vcloud Air

More information

Microsegmentation Using NSX Distributed Firewall: Getting Started

Microsegmentation Using NSX Distributed Firewall: Getting Started Microsegmentation Using NSX Distributed Firewall: VMware NSX for vsphere, release 6.0x REFERENCE PAPER Table of Contents Microsegmentation using NSX Distributed Firewall:...1 Introduction... 3 Use Case

More information

Becoming a Cloud Services Broker. Neelam Chakrabarty Sr. Product Marketing Manager, HP SW Cloud Products, HP April 17, 2013

Becoming a Cloud Services Broker. Neelam Chakrabarty Sr. Product Marketing Manager, HP SW Cloud Products, HP April 17, 2013 Becoming a Cloud Services Broker Neelam Chakrabarty Sr. Product Marketing Manager, HP SW Cloud Products, HP April 17, 2013 Hybrid delivery for the future Traditional IT Evolving current state Future Information

More information

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents

More information

Softverski definirani data centri - 2. dio

Softverski definirani data centri - 2. dio Softverski definirani data centri - 2. dio Vmware NSX To Deliver a Software Defined Data Center Implementation Automated Operational Model Programmatically Create, Snapshot, Store, Move, Delete, Restore

More information

Symantec NetBackup OpenStorage Solutions Guide for Disk

Symantec NetBackup OpenStorage Solutions Guide for Disk Symantec NetBackup OpenStorage Solutions Guide for Disk UNIX, Windows, Linux Release 7.6 Symantec NetBackup OpenStorage Solutions Guide for Disk The software described in this book is furnished under a

More information

Veeam ONE What s New in v9?

Veeam ONE What s New in v9? Veeam ONE What s New in v9? Veeam ONE is a powerful monitoring, reporting and capacity planning tool for the Veeam backup infrastructure, VMware vsphere and Microsoft Hyper-V. It helps enable Availability

More information

Overcoming Security Challenges to Virtualize Internet-facing Applications

Overcoming Security Challenges to Virtualize Internet-facing Applications Intel IT IT Best Practices Cloud Security and Secure ization November 2011 Overcoming Security Challenges to ize Internet-facing Applications Executive Overview To enable virtualization of Internet-facing

More information

Virtualization, SDN and NFV

Virtualization, SDN and NFV Virtualization, SDN and NFV HOW DO THEY FIT TOGETHER? Traditional networks lack the flexibility to keep pace with dynamic computing and storage needs of today s data centers. In order to implement changes,

More information

SharePoint Microsoft SharePoint has become

SharePoint Microsoft SharePoint has become The Essential Guide to SharePoint S p o n s o r e d b y Microsoft SharePoint has become a mission-critical platform for sharing information and delivering improved collaboration to organizations of all

More information

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud WHITE PAPER A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud Abstract Data center consolidation and virtualization have set the stage for cloud computing.

More information

ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP

ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP ACCELERATING YOUR IT TRANSFORMATION WITH EMC NEXT-GENERATION UNIFIED STORAGE AND BACKUP Virtualization, in particular VMware, has changed the way companies look at how they deploy not only their servers,

More information

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads

SOLUTIONS. Secure Infrastructure as a Service for Production Workloads IaaS SOLUTIONS Secure Infrastructure as a Service for Production Workloads THE CHALLENGE Now more than ever, business and government are facing the challenge of balancing conflicting demands. Market pressures

More information

Scalable Approaches for Multitenant Cloud Data Centers

Scalable Approaches for Multitenant Cloud Data Centers WHITE PAPER www.brocade.com DATA CENTER Scalable Approaches for Multitenant Cloud Data Centers Brocade VCS Fabric technology is the ideal Ethernet infrastructure for cloud computing. It is manageable,

More information

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology White Paper IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology Abstract EMC RecoverPoint provides full support for data replication and disaster recovery for VMware ESX Server

More information

EMC DESKTOP-AS-A-SERVICE

EMC DESKTOP-AS-A-SERVICE Proven Solutions Guide EMC DESKTOP-AS-A-SERVICE EMC VNX, EMC SYMMETRIX VMAX, VMWARE VCLOUD DIRECTOR, VMWARE VSPHERE 5, AND VMWARE VIEW 5 Deploy virtual desktop services in cloud environments Support virtual

More information