VBLOCK SOLUTION FOR SECURE ADMINISTRATIVE ACCESS


© 2012 VCE Company, LLC. All Rights Reserved.

Contents

Introduction
  Business case
  Solution overview
About this document
  Audience
  Feedback
Technology overview
  Vblock Systems
    Compute components
    Network components
    Storage components
    Virtualization components
  VCE Advanced Management Pod
  Solution components
    HyTrust Appliance
    RSA SecurID
Architecture overview
  Physical configuration
  Logical configuration
  Virtual Local Area Networks
  RSA Authentication Manager
  Authentication flow
Hardware and software
Design considerations
  General
  Compute
  Network
  Storage
  Virtualization
  HyTrust Appliance
  Active Directory
Solution validation
  Test environment design
  Test names and objectives
  Test case #1: Administration
  Test case #2: Centralized login recording
  Test case #3: High availability
  Test case #4: RSA two-factor authentication
  Summary of results
Conclusion
Next steps
Appendix 1: Active Directory accounts

Introduction

Business case

Industry and government information technology (IT) compliance objectives and requirements exhibit common needs to control data access through authentication and authorization while protecting data integrity and confidentiality. Certain compliance authorities affect specific sectors, such as government (FISMA Certification and Accreditation (C&A) / FedRAMP), banking (Basel III, FFIEC, OCC), healthcare (HIPAA / HITECH), and utilities (FERC, NERC). Some requirements, such as PCI, SOX, and the EU Privacy Directive, are more horizontal and affect a broad range of organizations.

Driven by these compliance concerns and the need for additional control in sensitive environments, organizations need the granular administrative authentication, authorization, and accounting (AAA) traditionally lacking in large-scale virtual environments. Compliance authorities call for strict role-based access control (RBAC) with detailed accountability of administrator actions. This challenges large virtual IT environments to blend the individual AAA standards of traditional stand-alone components with the efficiency and agility of new, horizontally-oriented, converged infrastructures. Single-stack vendors also face this problem because their components have been developed independently, designed around the needs of general enterprise buyers instead of converged infrastructure buyers.

Applications and data stores affected by the rise in compliance requirements are frequently business-critical resources that require high availability (HA) and reliable application performance (for example, credit card processing regulated by PCI). A successful IT solution for regulated applications must support an infrastructure with consistent and predictable service availability, reliability, and delivery.
Solution overview

The Vblock Solution for Secure Administrative Access addresses IT compliance objectives by providing a high-performing, high-availability control layer on top of Vblock Systems. The granular control offered by this solution provides the advantages of unified management combined with direct, protected access by individual parts of the organization according to roles and policies, in accordance with the principle of separation of duties. These controls are enforced through a combination of shaping administrative traffic flows, proxy technologies, common authentication technologies, and selective configuration of the managed platforms.

Administrative users are constrained by network access controls to use trusted Jump Hosts within the VCE Advanced Management Pod (AMP). Traffic from the Jump Hosts to individual managed objects, including element managers, is selectively forced through a proxy (the HyTrust Appliance) or, for certain technologies, connects directly to the managed objects. For each of these connections, users obtain the authentication, authorization, and logging functions appropriate to typical compliance targets, such as PCI. Implementing and auditing authorization policies is simplified by drastically reducing the number of points of configuration.

This combination of operational characteristics, security flexibility, and enhanced usability makes the Vblock Solution for Secure Administrative Access a superior choice for running regulated application workloads.

About this document

This document describes a simple, unified AAA solution for the Vblock Systems compute, network, storage, and virtualization domains that addresses IT compliance and regulatory requirements. It specifically addresses the challenges of separation of duties and related management access enforcement, and the auditing of activity and configuration change.

This document describes:

- The technologies we used in the solution
- How we integrated the HyTrust Appliance and RSA SecurID infrastructure with the Vblock System 300 and AMP to provide security for the Vblock Systems compute, network, storage, and virtualization domains
- The design considerations and best practices we used to optimize the solution
- How we tested and validated the solution

Audience

This document is intended for IT and security administrators, managers, and directors managing regulated application workloads in virtualized environments.

Feedback

To suggest documentation changes and provide feedback on this paper, send email to [email protected]. Include the name of this paper, the name of the topic to which your comment applies, and your feedback.

Technology overview

Vblock Systems

VCE designs and delivers Vblock Systems, which seamlessly integrate leading compute, network, and storage technologies. Through intelligent discovery, awareness, and automation, Vblock Systems provide the highest levels of virtualization and application performance. Vblock Systems are unique in their ability to be managed as a single entity with a common interface that provides customers with end-to-end visibility.

Vblock Systems are built from Cisco, EMC, and VMware components, whose market-leading technologies include compatible virtual security products. When combined with the HyTrust Appliance and RSA's SecurID two-factor authentication solution, Vblock Systems support the security technologies needed to help meet today's compliance requirements.

While the Vblock Solution for Secure Administrative Access works on any Vblock System 300 or 700 using the high-availability AMP (HA AMP) or mini-AMP, the Vblock System 300 we used to validate this solution is an agile and efficient data center class system, providing flexible and scalable performance. The Vblock System 300 features a high-density, compact fabric switch, tightly integrated fabric-based blade servers, and best-in-class unified storage.

Each Vblock Systems model has a base configuration, which is a minimum set of compute and storage components as well as fixed network resources. Within the base configuration, certain hardware aspects can be customized. Together, the components offer balanced CPU, I/O bandwidth, and storage capacity relative to the compute and storage arrays in the system. For more information, go to

Compute components

The compute components in Vblock Systems are built on the Cisco Unified Computing System (UCS) line of products. The individual components include one or more blade server chassis, compute blades, I/O modules, and the fabric interconnects that connect the unified fabric to the rest of the environment.

Network components

The network components in Vblock Systems consist of various models of Cisco Nexus IP switches and MDS storage switches. These include the Cisco Nexus 7000 Series, Cisco Nexus 5000 Series, Cisco Nexus 1000V, Cisco Catalyst 3000 Series, and the Cisco MDS 9000 Series switches.

Storage components

Vblock Systems are built with either EMC VNX or Symmetrix VMAX storage arrays. The Vblock System 300 ships with VNX-based arrays and the Vblock System 700 ships with VMAX arrays.

Virtualization components

The VMware vSphere suite of virtualization tools includes VMware ESXi and VMware vCenter Server.

VCE Advanced Management Pod

All Vblock System 300 and 700 models include an AMP. The AMP provides a single management point for Vblock Systems and offers the following benefits:

- Monitoring and management of Vblock Systems health, performance, and capacity
- Fault isolation for management
- Elimination of Vblock Systems resource overhead
- Clear demarcation point for remote operations

The AMP is available with two deployment options: mini-AMP and HA AMP. The mini-AMP is an economical single-server system with reduced costs for switches and licenses and optional packages for networking, backups, and data duplication. The HA AMP is a two-server system using a local disk to boot vSphere ESXi and shared storage for the Vblock Systems management servers. It is designed to be a highly available, out-of-band management environment. Both AMPs use redundant Catalyst Layer 2/3 networking switches.

The AMP is a key component of this solution, enabling the traffic flows necessary for the HyTrust Appliance to function as a gateway for all administrative traffic. This network-based deep integration improves control and usability. The AMP also provides a virtualization infrastructure that is physically and logically distinct from the system under management, reducing the risk of cascading security failures between the management and data planes. We validated this solution with a mini-AMP.

Solution components

HyTrust Appliance

The HyTrust Appliance described in this solution is designed to work as a security gateway for Vblock Systems administrative network traffic, with support by design for all compute, IP, and virtualization components. The HyTrust Appliance is a virtual appliance that secures all protocols used for element management, including:

- GUI / REST API and SSH access to UCS Manager
- CLI access to NX-OS for Nexus 1000V, Nexus 5000 and 7000 family, and MDS switches
- SOAP, SSH (Secure Shell), and HTTP management methods for VMware vSphere, including both centralized management using vCenter and direct hypervisor management

The HyTrust Appliance acts as a centralized authentication and authorization point for the infrastructure administrators, enabling multi-factor authentication, monitoring and logging of all management activity, and enforcing role-based and object-based controls by permitting or denying interactive administrative requests. At an operational level, in this solution, it sits inline in the network, proxying the protocols used to administer the Vblock Systems elements and intelligently applying controls to that traffic. Monitoring and enforcement controls provided by the HyTrust Appliance can be configured programmatically, assuring enterprises of least-privilege design, audit logging, and strong authentication for the converged infrastructure. The HyTrust Appliance bridges the gap between organization-wide and IT-function-driven administration and satisfies regulatory compliance and separation-of-duties requirements.

RSA SecurID

The RSA SecurID elements used in this solution include the RSA Authentication Manager and its related physical and software authenticators.

RSA Authentication Manager is software that provides capabilities to manage security tokens, users, multiple applications, agents, and resources across physical sites. RSA Authentication Manager verifies authentication requests and centrally administers authentication policies for enterprise networks.

RSA SecurID Hardware Authenticators are easy-to-use, convenient, self-contained, effective user-identification methods. There are multiple token styles; we used the key fob in this solution. These hardware authenticators are used to handle an array of user applications, including two-factor authentication, hard-disk encryption, and transaction signing.

RSA SecurID Software Authenticators are also used in this solution. They make strong authentication a convenient part of doing business by deploying software tokens on mobile devices (smartphones, tablets, and PCs), thereby transforming them into intelligent security tokens.

The combination of RSA Authentication Manager and authenticator tokens enables two-factor authentication: something you have (the authenticator) and something you know (a password). This level of authentication is a formal requirement under several compliance regimes and highly desirable under many others. While such authentication technology is not natively supported by all components managed within Vblock Systems, this solution describes how to apply it in conjunction with the HyTrust Appliance to administer entire Vblock Systems.

Architecture overview

Physical configuration

This solution architecture uses the interlock between core Vblock Systems components and the AMP to enable significant improvements over previous methods of secure administrative access. Illustration 1 shows the high-level data paths for user and Vblock Systems administrator network traffic coming into a Vblock System, with particular attention to traffic flows to management interfaces:

- Both normal Vblock Systems traffic and Vblock Systems administrator traffic enter the Vblock System through the Nexus 5500 switching layer.
- Users can directly access their workloads, subject to any other security constraints that may be in place, but direct access to element managers is blocked.
- Administrators are forced to connect to a Jump Host (a locked-down Windows Terminal Services system with element management clients installed), from which they can connect to the Vblock Systems element managers.
- The connections to the element managers pass through an Access Control Layer (ACL), which transparently handles authentication and RBAC, among other functions.
- A combination of routing, ACLs, and administrative host controls defined on applicable devices specifies which clients can connect to them.

Illustration 1. Physical configuration

Logical configuration

Illustration 2 shows the logical configuration of the solution components. Objects that are managed redundantly are simplified in the diagram to a single object. Redundant systems that are managed semi-independently are shown in pairs.

Illustration 2. Logical configuration

Hardware and software components are essential to the administration and configuration of Vblock Systems. This solution builds on the existing physical and logical definition of Vblock Systems, applying minimal modifications as needed for a solid access management architecture for these components. Illustration 2 provides a high-level description of the network layout, spanning the virtual and physical environments and the HyTrust Appliance chokepoint. Certain resources (the physical element managers on the left and the vCenter Server and Nexus 1000V VSM on the right) are locked down to only permit access from the Jump Host through the HyTrust Appliance.

Virtual Local Area Networks

These VLANs are defined for the AMP switch and ESXi host with the Cisco Nexus 1000V vSwitch:

- VLAN 101: Management interfaces for the Cisco Nexus 5548UP, Cisco MDS 9148, UCSM, AMP, ESXi management interface(s), and Unisphere
- VLAN 111: Nexus 1000V VSM management interface and vCenter Server
- VLAN 202: Management tools, such as SNMP receptors, syslog servers, and utility hosts; RSA Authentication Manager and Active Directory

RSA Authentication Manager

The RSA Authentication Manager is deployed in a virtual machine (VM) on VLAN 202. This appliance plays an important role in this solution by allowing for two-factor authentication.

Authentication flow

The authentication flow below demonstrates the authentication process for authorized VMware vCenter clients. We chose VMware vCenter because it requires the most complex authentication process of the element managers presented in this solution.

1. User connects to the Jump Host, authenticating using Active Directory.
2. User logs into vCenter using the vSphere Client.
3. The HyTrust Appliance (HTA) intercepts the login request.
4. The HTA authenticates the user against the Authentication Provider (for example, RSA) configured in the HTA.
   a. If authentication is successful, the HTA retrieves the groups that the user belongs to in Active Directory (configured in the HTA).
   b. If authentication is not successful, an error message is displayed to the user.
5. The HTA uses the Active Directory (AD) groups to authorize the user's login attempt.
   a. If authorization is successful, the HTA substitutes the username with a service account and forwards the request to vCenter Server.
   b. If authorization is unsuccessful, a denied message is displayed to the user.
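The five steps above as an added, runnable model; this is not HyTrust, RSA or VMware code. The token code is a simplified HMAC stand-in for the SecurID authenticator, and the users, PINs, AD groups, role policy and service-account name are constructed.

```python
"""Model of the HTA login flow for a vCenter client (steps 1 to 5 above).

Added example with constructed data; not HyTrust, RSA or VMware code.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

STEP_SECONDS = 60  # the token code changes once per minute in this model

# Step 4 inputs (constructed): PIN is "something you know", the token seed
# is "something you have". This is NOT the real SecurID algorithm.
TOKEN_SEEDS = {"alice": b"seed-alice-constructed", "bob": b"seed-bob-constructed"}
PINS = {"alice": "2468", "bob": "1357"}

# Step 4a inputs: constructed AD memberships. Step 5 policy: which vCenter
# operations each AD group (HyTrust role) may perform.
AD_GROUPS = {"alice": {"HT-VM-Admins"}, "bob": {"HT-Network-Admins"}}
ROLE_POLICY = {
    "HT-VM-Admins": {"vm.powerOn", "vm.powerOff", "vm.create"},
    "HT-Network-Admins": {"network.edit"},
}
# Step 5a: the shared identity the HTA presents to vCenter Server (constructed).
SERVICE_ACCOUNT = "svc-hta-vcenter"


@dataclass
class LoginRequest:
    user: str
    pin: str
    token_code: str
    operation: str   # vCenter operation the session attempts
    target: str      # managed object (constructed VM name)


@dataclass
class Outcome:
    status: str                  # "forwarded", "auth-failed" or "denied"
    forwarded_as: Optional[str]  # identity seen by vCenter, if forwarded
    log_line: str                # enriched syslog record emitted by the HTA


def token_code(seed: bytes, now: float) -> str:
    """Simplified time-based one-time code (HMAC over the time step)."""
    counter = int(now // STEP_SECONDS).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def authenticate(user: str, pin: str, code: str, now: float) -> bool:
    """Step 4: both factors must verify. Both are always checked, so a wrong
    PIN and a wrong code take the same path."""
    seed = TOKEN_SEEDS.get(user)
    if seed is None or user not in PINS:
        return False
    pin_ok = hmac.compare_digest(PINS[user], pin)
    code_ok = hmac.compare_digest(token_code(seed, now), code)
    return pin_ok and code_ok


def authorize(groups: set, operation: str) -> bool:
    """Step 5: permit if any AD group the user holds carries the operation."""
    return any(operation in ROLE_POLICY.get(g, ()) for g in groups)


def handle_login(req: LoginRequest, now: float) -> Outcome:
    """Steps 3 to 5 as performed by the HTA after intercepting the request."""
    if not authenticate(req.user, req.pin, req.token_code, now):
        # 4b: generic error to the user; AD groups are never consulted.
        return Outcome("auth-failed", None,
                       f"hta: user={req.user} target={req.target} result=AUTH_FAIL")
    groups = AD_GROUPS.get(req.user, set())                  # 4a
    if not authorize(groups, req.operation):                 # 5b
        return Outcome("denied", None,
                       f"hta: user={req.user} op={req.operation} "
                       f"target={req.target} result=DENY")
    # 5a: substitute the service account, but log the real user beside it so
    # service-account activity at vCenter maps back to an authenticated person.
    return Outcome("forwarded", SERVICE_ACCOUNT,
                   f"hta: user={req.user} svc={SERVICE_ACCOUNT} "
                   f"op={req.operation} target={req.target} result=PERMIT")


if __name__ == "__main__":
    now = 1_700_000_000
    req = LoginRequest("alice", "2468", token_code(TOKEN_SEEDS["alice"], now),
                       "vm.powerOn", "vm-web01")
    print(handle_login(req, now).log_line)
```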

Hardware and software

Table 1 and Table 2 show the hardware and software used in this solution.

Table 1. Vblock Solution for Secure Administrative Access hardware

Compute
- Cisco UCS B-Series Blade Servers
- Cisco UCS M81KR Virtual Interface Card
- Cisco UCS 6120 Fabric Interconnects (2q)
- Cisco UCS 5108 Blade Server Chassis

Network
- Cisco Nexus 5548UP Switch, release 5.1(3)N1(1a)
- Cisco MDS 9148 Multilayer Fabric Switch, release 5.2(2a)

Storage
- EMC VNX Series Unified Storage, VNX OE for File, VNX OE for Block

Advanced Management Pod (mini-AMP)
- Cisco Catalyst 3560-X Switch
- Cisco C200 High-Density Rack Server (48 GB RAM and 4 TB of storage)

Table 2. Vblock Solution for Secure Administrative Access software

Management
- EMC PowerPath/VE 5.7
- EMC Unisphere

Network
- Cisco UCS Manager 2.0(2q)
- VMware vSphere Server Enterprise Plus
- Cisco Nexus 1000V Series Switches 4.2(1)SV1(5.1)

Virtualization
- VMware vSphere 5
- VMware ESXi
- VMware vCenter Server

Advanced Management Pod (mini-AMP)
- Cisco Nexus 1000V Virtual Supervisor Module 4.2(1)SV1(5.1)
- EMC Unisphere

Security
- VMware ESXi
- VMware vCenter
- Windows Servers R2
- RSA Authentication Manager 7.1
- HyTrust Appliance

Design considerations

General

To ensure all outside administrative traffic follows specified channels and cannot circumvent the HyTrust Appliance, we:

- Placed ACLs on edge devices upstream of the AMP, typically including a large Nexus or Catalyst switch with Layer 3 services outside the Vblock Systems (aggregation layer) and the Catalyst switches at the edge of the AMP
- Routed all management network traffic through the HTA

To reduce the number of touch points for account administration, we configured the HTA in Directory Services mode, using unified authentication to a central AD service:

1. Connected to the management IP of the HTA using HTTPS, read the EULA, and agreed to the terms.
2. The HTA wizard offered Bridge, Mapped or Router mode. Selected Router and entered all information requested by the wizard. (Refer to the HyTrust Installation Guide included with the HTA software for more details.)

To enable two-factor authentication, we used two strategies:

1. For compute, network, and virtualization element management, we connected the HTA to AD and RSA Authentication Manager. The HTA enables transparent authentication using RSA SecurID for these elements. (Refer to the HyTrust Installation Guide included with the HTA software for more details.)
2. For storage, HyTrust and RSA SecurID do not directly support the EMC storage platforms in the Vblock System 300 and 700. There are two ways to handle this, depending on the relative importance of two-factor authentication:
   a. Omit SecurID for storage administration. Users connect to the Jump Host, and from that to Unisphere, using their AD user accounts and group memberships to regulate RBAC.
   b. SecurID-enable a Jump Host. There are two ways to do this, because the number of SecurID authorizations can become cumbersome:
      i. Require operating-system-based SecurID authentication on the primary Jump Host for all users (Vblock Systems administrators), who can then connect to Unisphere with standard AD.
      ii. Establish a second Jump Host that requires SecurID authentication, while leaving the primary Jump Host using standard authentication. Unisphere access is locked to the address of the SecurID Jump Host(s). If the SecurID Jump Host has the same privileges as the non-SecurID version, users can choose the Jump Host that provides the access they need with the least disruption.

This solution, as documented, follows the "Omit SecurID for storage administration" route for brevity and to minimize duplication, but a SecurID-enabled Jump Host is strongly recommended for environments with firm two-factor authentication requirements.

To prevent unauthorized users from connecting to element managers, we limited element manager access to the IP addresses of the Jump Hosts and the HTA. Because the individual element managers are not tied directly to AD for authentication, it is critical to ensure that the HTA or its protected network is the only group of hosts that can connect to the element managers.

Compute

To prevent a man-in-the-middle attack, we replaced default certificates with certificates signed by a third party. This avoids self-signed certificates, which invite user neglect and the resulting session hijackings and loss of ownership:

1. Created a new keyring in UCSM with a modulus of
2. Created a certificate request for that keyring and sent it to a Certificate Authority.
3. Created a trusted point to establish the means of authenticating the next hop upstream in the chain of trust.
4. Imported the certificate into the keyring created in the first step.

To ensure that all management sessions are encrypted and carried over a non-standard port, we enabled HTTPS on a non-standard port and disabled HTTP for management sessions:

1. Navigated to Communication Management > Communications Services.
2. For HTTPS:
   a. Selected Enabled for Admin State.
   b. Selected the Key Ring we created.
   c. Selected a Port; we selected a non-standard port.
3. For HTTP:
   a. Clicked Disabled for Admin State.
   b. Clicked Disabled for Redirect HTTP to HTTPS.

To ensure all log traffic is timestamped with the same source time, a best practice for troubleshooting and forensic purposes, we enabled NTP. We enabled syslog and configured it to retain logs in the HTA for a user-specified length of time before moving them over to the remote log server in the AMP.

Network

To ensure that no insecure, unencrypted CLI sessions were allowed, we disabled Telnet.

1. For NX-OS (MDS, Nexus 1000V, and Nexus 5548), we entered:

   no feature telnet

2. For IOS (Catalyst switch in the AMP), we entered:

   line vty 0 4
    transport input ssh

We enabled SSH to encrypt management CLI sessions.

1. For NX-OS (MDS, Nexus 1000V and Nexus 5548), we entered:

   no feature ssh
   ssh key rsa 2048
   feature ssh

2. For IOS (AMP switch), we entered:

   crypto key generate rsa modulus 2048
   !
   ip ssh time-out

   ip ssh authentication-retries 3
   !
   line vty 0 4
    transport input ssh

To support auditing and forensics requirements, we enabled system event forwarding through syslog, by configuring syslog messages to go to the syslog server in the AMP, relayed through the HTA.

1. For NX-OS (MDS, Nexus 1000V and Nexus 5548), we entered:

   no logging console
   no logging monitor
   logging server use-vrf management
   logging logfile messages 6 size

2. For IOS (AMP switch), we entered:

   service timestamps log datetime localtime show-timezone msec
   service timestamps debug datetime localtime show-timezone msec
   logging host
   logging trap info
   logging buffered debugging
   no logging console

To prevent unauthorized users from connecting to element managers, we limited management sessions to the HTA IP address.

1. For NX-OS (MDS, Nexus 1000V and Nexus 5548), we entered:

   ip access-list MGMT-Access
     10 permit tcp /24 eq 22    (x.x.x.x/32 = mgmt IP of device)
     20 permit tcp /32 eq 22    (x.x.x.x/32 = mgmt IP of device)
   line vty
     ip access-class MGMT-Access in

2. For IOS (AMP switch), we entered:

   access-list 21 permit tcp any eq
   access-list 21 permit tcp any eq 22
   line vty 0 4
    access-class 21 in

Storage

The VNX environment does not natively support RSA SecurID, and customers with a firm two-factor authentication requirement will want to explore configuring a Jump Host to use SecurID or another two-factor authentication method for all authentications. The steps below, however, apply regardless of the authentication methods you use on the Jump Host.

We enabled LDAP (Lightweight Directory Access Protocol) authentication to allow for RBAC with centralized administration. To do so, we performed the following procedure:

1. Log on to Unisphere.
2. Click Settings.
3. Click Manage LDAP Domain, on the right side of the screen.
4. Enter the following data:

   Domain Name: PSO1.xxx.xxx
   Primary:
   Backup:
   SSL Enabled: Selected
   Port: 636
   Directory Service Type: Active Directory
   User Id Attribute: samaccountname (Default)

We enabled NTP for time services to ensure that all log files had the same timestamp as the other element managers by entering the following CLI commands:

1. Station 1:
   $ server_date server_1 timesvc start ntp -interval 01:
2. Station 2:
   $ server_date server_2 timesvc start ntp -interval 01:

We installed a third-party certificate for SSL in EMC Unisphere to prevent a man-in-the-middle attack. For complete details, refer to the Security Configuration Guide on VNX for Block at
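As an added verification step for the Network section above (not part of the VCE paper or any Cisco tool), this script audits a saved NX-OS or IOS running-config for the four controls applied there: Telnet disabled, SSH enabled, syslog forwarded to a remote server, and VTY sessions restricted by an access-class that is actually defined. The sample configs and addresses are constructed.

```python
"""Audit NX-OS / IOS management-plane hardening from a saved running-config.

Added example, not from the VCE paper or from Cisco. Sample configs are
constructed; addresses use the 192.0.2.0/24 documentation range.
"""
import re
from typing import Iterator, List


def _children(lines: List[str], header_re: str) -> Iterator[str]:
    """Yield the indented lines beneath each top-level block matching header_re."""
    active = False
    for line in lines:
        if not line.strip():
            continue
        if not line[0].isspace():
            active = re.match(header_re, line.strip()) is not None
        elif active:
            yield line.strip()


def audit_mgmt_plane(config: str, platform: str) -> List[str]:
    """Return finding codes for one device; an empty list means every check passed.

    platform is "nxos" (MDS, Nexus 1000V, Nexus 5548) or "ios" (AMP Catalyst).
    """
    lines = config.splitlines()
    top = [l.strip() for l in lines if l.strip() and not l[0].isspace()]
    vty = list(_children(lines, r"^line vty\b"))
    findings: List[str] = []

    if platform == "nxos":
        # NX-OS runs a protocol only when its 'feature' line is present, so the
        # effect of 'no feature telnet' is the absence of 'feature telnet'.
        if "feature telnet" in top:
            findings.append("telnet-enabled")
        if "feature ssh" not in top:
            findings.append("ssh-disabled")
        if not any(re.match(r"logging server \S+", l) for l in top):
            findings.append("no-remote-syslog")
        defined = {m.group(1) for m in map(re.compile(r"ip access-list (\S+)").match, top) if m}
        bound = [m.group(1) for m in map(re.compile(r"ip access-class (\S+) in").match, vty) if m]
    elif platform == "ios":
        # IOS VTY lines accept Telnet unless transport input is limited to SSH.
        if "transport input ssh" not in vty:
            findings.append("telnet-enabled")
        if not any(re.match(r"logging host \S+", l) for l in top):
            findings.append("no-remote-syslog")
        defined = {m.group(1) for m in map(re.compile(r"access-list (\d+) ").match, top) if m}
        bound = [m.group(1) for m in map(re.compile(r"access-class (\d+) in").match, vty) if m]
    else:
        raise ValueError(f"unknown platform {platform!r}")

    # Management sessions must be limited to the HTA / Jump Host addresses, and
    # the ACL the VTY references must exist (names are case-sensitive on NX-OS).
    if not bound:
        findings.append("vty-unrestricted")
    elif any(name not in defined for name in bound):
        findings.append("vty-acl-undefined")
    return findings


# Constructed: matches the NX-OS commands in the Network section.
NXOS_HARDENED = """\
feature ssh
no logging console
logging server 192.0.2.20 6 use-vrf management
ip access-list MGMT-Access
  10 permit tcp 192.0.2.0/24 192.0.2.5/32 eq 22
  20 permit tcp 192.0.2.50/32 192.0.2.5/32 eq 22
line vty
  ip access-class MGMT-Access in
"""

# Constructed: Telnet left on, no remote syslog, and the access-class names an
# ACL ('mgmt') that was never created, so the VTY filter is not in effect.
NXOS_WEAK = """\
feature telnet
feature ssh
ip access-list MGMT-Access
  10 permit tcp 192.0.2.50/32 192.0.2.5/32 eq 22
line vty
  ip access-class mgmt in
"""

# Constructed: IOS with a standard ACL of permitted source hosts on the VTYs.
IOS_HARDENED = """\
service timestamps log datetime localtime show-timezone msec
logging host 192.0.2.20
logging trap informational
no logging console
access-list 21 permit 192.0.2.50
access-list 21 permit 192.0.2.51
line vty 0 4
 access-class 21 in
 transport input ssh
"""

# Constructed: Telnet still accepted and no access-class on the VTY lines.
IOS_WEAK = """\
logging host 192.0.2.20
line vty 0 4
 transport input telnet ssh
"""
```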

We enabled remote syslog on both control stations and sent the logs to the syslog server in the AMP, through the HTA, by entering the following CLI commands on each control station:

1. Add the loghost information to the /etc/hosts file:

   # log host
   # IP address   Fully qualified DNS name -- "loghost.vce.com"
    loghost.vce.com loghost

2. Add the following lines to the /etc/syslog.conf file:

   # write audit to remote log

3. Restart the syslog service by typing:

   /sbin/service syslog restart

Note: Tracking successful logins on VNX or VMAX requires verbose logging levels. Plan your log system capacity accordingly.

To ensure that only management VMs are allowed to manage the storage array, we restricted where management connections are allowed to originate. To do so, we performed the following procedure:

1. Connect a web browser to the IP address of each storage processor.
2. Click Set Administrative Access Restrictions.
3. Enter the IP addresses of the management VMs; in our case, the HTA and the Jump Host.
4. Click Enable.
5. Click Apply Settings.
6. Close the web browser.

Virtualization

To ensure all logs are stored in one location, we configured each host, as well as vCenter Server event logging, to send syslog messages to the HTA. In the example below, we have configured the AMP host to send syslog messages to the HTA.

Alternatively, instead of configuring the ESXi logging target individually through vCenter Server, you can centrally configure logging through the HTA by selecting Configuration > Logging Configuration and then Host Default Logging Configuration > Explicit Syslog Server.

The HTA actively logs all the management operations administrators perform against vCenter, ESXi servers, NX-OS devices, and others as it authorizes them. Additionally, to ensure that automatic and scheduled vCenter events are also captured, we enabled vCenter events retrieval in the HTA using the following procedure:

1. In the HTA, select Compliance > Scheduled Events.
2. Select Get vCenter Events in Scheduled Event.
3. Confirm the interval setting.
4. Select Enable.
5. Click OK.

To improve log data usefulness for forensics, we synchronized system clocks by enabling NTP for each host and vCenter Server using the following procedure:

On the AMP ESXi host:

1. Log on to vCenter Server.
2. Select the Hosts and Clusters view and click the AMP ESXi host.
3. Click the Configuration tab and then Time Configuration.
4. Select Properties, then Options > General, and select Stop and Start Automatically.
5. Select NTP Settings and enter the IP address of the NTP server.
6. Click OK, select NTP Client Enabled, and click OK.

On the vCenter Server VM:

1. Double-click the VMware Tools icon in the tray at the bottom right of the vCenter screen.
2. Select Time synchronization between the virtual machine and the host operating system.

We installed the HyTrust plug-in for vCenter to provide the linkage between vCenter and HyTrust, which allows you to perform HTA operations directly from a vSphere Client accessing vCenter Server.

1. In the HTA, select Configuration > vCenter Plugin, which displays the vCenter Plugin Configuration page. This allows the HTA administrator to register or unregister the HTA vCenter plug-in for a specified vCenter Server.
2. To register the HTA vCenter plug-in, select Operation > Register Plugin. Include the IP address or FQDN of the vCenter Server, username, and password. Click Go.
3. From the vSphere Client, log on to vCenter and confirm that the HyTrust tab is now viewable from within the vSphere Client. If the HyTrust plug-in is not visible, confirm that the plug-in was installed properly by viewing the Plug-in Manager from Plug-ins > Manage Plug-ins.

HyTrust Appliance

To ensure continued access for Vblock Systems management in the event of primary HTA failure, we deployed the appliance in HA configuration.

To ensure all management traffic flows through the HTA, we deployed the appliance in Router mode, which creates a Layer 3 hop. This allows you to funnel traffic through the appliance with default routes on the VMs in the VLAN.

1. Connect to the management IP of the HTA using HTTPS, read the EULA, and agree to the terms.
2. The HTA wizard offers Mapped or Router mode. Select Router and enter all information requested by the wizard. Refer to the HyTrust Installation Guide included with the HTA software for more details.

To minimize administration, we deployed the HTA in Directory Services mode instead of using local accounts, in order to tie in with a single global directory of accounts.

We configured the HTA to use root password vaulting for the ESXi hosts to provide a higher level of security for passwords. Refer to the HyTrust Installation Guide included with the HTA software for more details.

Active Directory

We used AD to manage permissions for HyTrust for compute, network, storage (VNX), and virtualization. Per installation guidance, we configured specific AD groups for the HTA and VNX. Optionally, you can create additional groups to nest within the HyTrust Appliance and VNX groups when addressing common functional roles, such as viewing or administering storage configurations, for which both platforms have group definitions. Such nesting of groups simplifies create/read/update/delete tasks, but it complicates auditing. For a full list of the accounts created, refer to Appendix 1: Active Directory accounts.

Solution validation

Test environment design

The test environment was as described in Architecture overview, with testing performed using:

- Element manager clients
- Common web browsers
- PuTTY for SSH connections
- Kiwi Syslog Server for collecting syslog events

Test names and objectives

We conducted the following tests to demonstrate the Vblock Solution for Secure Administrative Access:

Table 3. Test names and objectives

1. Administration: Reduced administration for user and role management
2. Centralized logon recording: Centralized recording of all logon successes and failures
3. High availability: High availability administrative access
4. RSA two-factor authentication: Two-factor authentication

Test case #1: Administration

Procedure

1. Used the list of default roles for HyTrust. For complete details, refer to the HyTrust Configuration Guide at
2. Created a corresponding security group in AD for each of the built-in HyTrust roles.
3. Added users to each group to validate that privileges mapped correctly.

Results

The HyTrust Appliance enriched the log data and sent it to a dedicated syslog server in the AMP. Among other things, this maps activities by generic service accounts to strongly authenticated users and simplifies troubleshooting administrative mistakes. There was access across all systems with the proper level of privileges for each role.

We tested adding and removing users using AD groups, rather than manually defining them on each instance of each element manager. At a technical level, the time to implement changes was reduced from minutes to less than a minute. In a production setting with robust change management, the time reduction would likely be days. By managing user privileges using AD group memberships, we significantly reduced risk due to improperly executed changes. We conducted negative testing to verify that the target accounts did not have inappropriate access.

Test case #2: Centralized login recording (1)

Procedure
1. Set the log level for syslog to debug on the Unisphere management user interface to ensure that successful and failed logon attempts were recorded in syslog.
2. Attempted to log on to each element manager with two different accounts: one account that was expected to succeed and one expected to fail.
3. Configured all element managers to send their syslog messages to the syslog server.

Results
HyTrust Appliance recorded Unisphere traffic and passed it through, unchanged, to the syslog server in the AMP. HyTrust Appliance acted as a log consolidator and relay to record and timestamp successful and failed logons in the syslog.

Test case #3: High availability

Procedure
1. Manually shut down the primary HyTrust Appliance.
2. Manually shut down each interface on the primary HyTrust Appliance.

Results
All manual failover tests worked within the prescribed five-minute timeout value. The secondary HyTrust Appliance assumed the primary interface characteristics and received traffic. All failover activities were recorded in log files.

(1) HTA logging capabilities are extensive and beyond the scope of this paper.

Existing sessions were terminated by the failover process. For most environments, in the unlikely event of a HyTrust Appliance failure, this is unlikely to impact a large number of concurrent sessions.

Test case #4: RSA two-factor authentication

Procedure
1. Installed RSA Authentication Manager version 7.1 with physical tokens.
2. Deployed RSA Authentication Manager on a VM in the AMP.
3. Placed the system in the VLAN.
4. Used HyTrust Appliance native support for RSA to provide two-factor authentication; for complete details, refer to the HyTrust Configuration Guide.
5. Connected transparently from the Jump Host to compute, network, and virtualization element managers with the expectation of using SecurID to authenticate the sessions. We did not test storage because the process for applying two-factor authentication to it is different.

Results
Using their normal user authentication interfaces, we successfully used two-factor authentication to authenticate each connection. HyTrust Appliance's single sign-on capabilities provided transparent authentications after the initial two-factor authentication. We observed no other issues.

Summary of results

Our validation of the Vblock Solution for Secure Administrative Access demonstrated the key features necessary to meet today's security requirements for Vblock Systems administration:
- Role-based administrative access to Vblock Systems element managers
- Reduced overhead for administration and troubleshooting
- Centralized syslog recording with consistent time-stamping
- High availability failover for planned and unplanned outages
- RSA SecurID and RSA Authentication Manager for two-factor authentication

This solution was easy to install and configure, and it immediately achieved the above objectives for securely administering Vblock Systems.
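The objective of Test case #2, a syslog record of every logon success and failure from every element manager, is something a practitioner should verify rather than assume, since an element manager whose log level is too low (step 1 of that test) silently drops its failures. The following added example is not VCE's, HyTrust's or Kiwi's code: the relayed syslog lines are constructed, the key=value message layout is a hypothetical stand-in for the real HyTrust Appliance relay format (which this document does not show), and the check reports which element managers have no recorded failure.

```python
"""Check centralized syslog for logon successes AND failures from every
element manager, the condition exercised in Test case #2.

Added example; not VCE's, HyTrust's or Kiwi's code. The log lines are
constructed, and the key=value message layout is a hypothetical stand-in
for the real HyTrust Appliance relay format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed relay output: each element manager logged one success and one
# failure, except unisphere-01, whose failed attempt never reached syslog.
SAMPLE_SYSLOG = """\
<86>2012-06-14T10:01:02Z hta-01 relay: host=ucsm-01 event=logon result=success user=alice src=10.0.50.12
<86>2012-06-14T10:01:09Z hta-01 relay: host=ucsm-01 event=logon result=failure user=mallory src=10.0.50.12
<86>2012-06-14T10:02:30Z hta-01 relay: host=nexus-01 event=logon result=success user=alice src=10.0.50.12
<86>2012-06-14T10:02:41Z hta-01 relay: host=nexus-01 event=logon result=failure user=mallory src=10.0.50.12
<86>2012-06-14T10:03:05Z hta-01 relay: host=vcenter-01 event=logon result=success user=alice src=10.0.50.12
<86>2012-06-14T10:03:19Z hta-01 relay: host=vcenter-01 event=logon result=failure user=mallory src=10.0.50.12
<86>2012-06-14T10:04:00Z hta-01 relay: host=unisphere-01 event=logon result=success user=alice src=10.0.50.12
<86>2012-06-14T10:04:44Z hta-01 relay: host=ucsm-01 event=config action=ntp-change user=alice
"""

# Element managers that must all appear with both result kinds (constructed names).
ELEMENT_MANAGERS = ["ucsm-01", "nexus-01", "vcenter-01", "unisphere-01"]

# <PRI>TIMESTAMP RELAYHOST relay: key=value ...   (hypothetical layout)
LINE_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<relay>\S+) relay: (?P<kv>.+)$")


def parse_line(line):
    """Parse one relayed syslog line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
             "relay": m["relay"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_events(text):
    """Parse all non-empty lines; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev is not None:
                events.append(ev)
    return events


def logon_summary(events):
    """host -> Counter of logon results ('success' / 'failure')."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("event") == "logon":
            summary[ev["host"]][ev["result"]] += 1
    return summary


def coverage_gaps(events, hosts):
    """Hosts whose syslog lacks a recorded success or failure.

    Returns host -> set of missing result kinds. An element manager with
    no failure record is exactly the gap that raising its log level closes.
    """
    summary = logon_summary(events)
    gaps = {}
    for host in hosts:
        missing = {kind for kind in ("success", "failure") if summary[host][kind] == 0}
        if missing:
            gaps[host] = missing
    return gaps


def timestamps_ordered(events):
    """True if relay timestamps never go backwards (consistent time-stamping)."""
    stamps = [ev["ts"] for ev in events]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SYSLOG)
    for host, counts in sorted(logon_summary(evs).items()):
        print(host, dict(counts))
    print("gaps:", coverage_gaps(evs, ELEMENT_MANAGERS))
```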

Conclusion

Businesses face increasing pressure to meet industry and government IT security and auditing requirements. These requirements are difficult to manage in existing IT environments, where individual components have different AAA requirements and traditional technologies resist unified management paradigms. A successful security strategy must offer centralized administration and granular control while accommodating existing organizational and technological environments, with reliable performance and high availability for the business-critical resources requiring this protection.

The Vblock Solution for Secure Administrative Access provides administrative control, access enforcement, and activity and configuration auditing capabilities for Vblock Systems with the following advantages:
- Fewer touch points to modify general administrative access
- Easier monitoring of resource access rights
- Additional tools to centrally manage administrators and log their activity
- Simplified usage and configuration audits
- Improved monitoring for internal threats and troubleshooting
- High performance and high availability

In this document we have given a high-level description of the solution components and architecture, key design considerations and best practices, and validation demonstrations for each of the key features required for a successful secure administrative access solution.

Next steps

To learn more about this and other solutions, contact a VCE representative or visit www.vce.com.

Appendix 1: Active Directory accounts

Table 4 and Table 5 list the AD groups created for the HyTrust Appliance and VNX roles.

Table 4. HyTrust groups
AD group name | HyTrust role | Description of role and associated privileges
HT_ApplAdmin | HyTrust Appliance administrator (ApplAdmin) | Install HTA and perform HTA configuration tasks: configure networking, configure high availability, configure logging. No privileges to manipulate virtual infrastructure.
HT_ARCAdmin | ARC administrator (ARCAdmin) | Create and modify ARC templates, add ARC targets, assess and remediate ARC.
HT_ARCAssessor | ARC assessor (ARCAssessor) | Perform ARC assessments and view ARC results.
HT_BackupAdmin | Backup administrator (BackupAdmin) | Back up and restore VMs (guests).
HT_BasicLogin | Basic login (BasicLogin) | Perform some basic operations like login.
HT_CoreApplAdmin | Core appliance administrator (CoreApplAdmin) | Install and configure core appliance VMs. Perform HTA configuration, assessment, and remediation (ARC). No VM privileges.
HT_DCAdmin | Datacenter administrator (DCAdmin) | Set up VMware vCenter datacenters and perform actions on all objects within virtual data centers.
HT_ESXMAdmin | ESXi maintenance administrator (ESXMAdmin) | Install patches, change configuration of ESXi, reboot ESXi hosts. Perform ESXi host maintenance (use SSH, change configuration, reboot).
HT_NetworkAdmin | Network administrator (NetworkAdmin) | Manage virtual switches, VLANs, and other network configuration settings.
HT_PolicyAdmin | Policy administrator (PolicyAdmin) | Create and modify policies, labels, and constraints.
HT_RoleAdmin | Role administrator (RoleAdmin) | Create and modify roles and privileges.
HT_StorageAdmin | Storage administrator (StorageAdmin) | Define VMFS volumes and mapping to LUNs, including masking and zoning. Privileges also provided to: define iSCSI access paths; manage NFS volumes; manage HSM and data retention; administer storage (disk replacement); manage backup.
HT_SuperAdmin | Superuser administrator (SuperAdmin) | Perform any action (assigned all privileges).
HT_VIAdmin | Virtual infrastructure administrator (VIAdmin) | Perform operations on virtual infrastructure. Configure DRS and VMware HA. Initiate VMotion. Assign hosts to resource pools. Limited privileges on ESXi hosts.
HT_UCSLogin | Cisco UCS login (UCSLogin) | Access and operations with Cisco UCS Manager.
HT_VMPowerUser | Virtual machine power user (VMPowerUser) | Perform actions on VMs and resource objects. Role members may view and change most VM configuration settings, take snapshots, and schedule tasks. Privileges include all privileges for the scheduled task privileges group; selected privileges for the global items, datastore, and VM privileges groups; and no privileges for the folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups. This role is equivalent to the role with the same name defined in VirtualCenter 1.x.
HT_VMUser | Virtual machine user (VMUser) | Role members may interact with VMs, but not change the VM configuration. Privileges include all privileges for the scheduled tasks privileges group; selected privileges for the global items and VM privileges groups; and no privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.

Table 5. VNX groups
AD group name | Storage user role | Description of role and associated privileges
Storage operator | Operator | Read-only privilege for storage and domain operations; no privilege for security operations.
Storage network administrator | Network administrator | All operator privileges and privileges to configure DNS, IP settings, and SNMP.
Storage NAS administrator | NAS administrator | Full privileges for file operations. Operator privileges for block and security operations.
Storage SAN administrator | SAN administrator | Full privileges for block operations. Operator privileges for file and security operations.
Storage administrator | Storage administrator | Full privileges for file and block operations. Operator privileges for security operations.
Storage security administrator | Storage security administrator | Full privileges for security operations, including domains. Operator privileges for file and block operations.
Storage superuser | Administrator | Full privileges for file, block, and security operations. This role has the highest level of privileges.

ABOUT VCE

VCE, formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock Systems, delivers the industry's only fully integrated and fully virtualized cloud infrastructure system. VCE solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure. For more information, go to www.vce.com.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2012 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC, and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.


vsphere Private Cloud RAZR s Edge Virtualization and Private Cloud Administration

vsphere Private Cloud RAZR s Edge Virtualization and Private Cloud Administration Course Details Level: 1 Course: V6PCRE Duration: 5 Days Language: English Delivery Methods Instructor Led Training Instructor Led Online Training Participants: Virtualization and Cloud Administrators,

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

EMC Integrated Infrastructure for VMware

EMC Integrated Infrastructure for VMware EMC Integrated Infrastructure for VMware Enabled by EMC Celerra NS-120 Reference Architecture EMC Global Solutions Centers EMC Corporation Corporate Headquarters Hopkinton MA 01748-9103 1.508.435.1000

More information

Basic System Administration ESX Server 3.0.1 and Virtual Center 2.0.1

Basic System Administration ESX Server 3.0.1 and Virtual Center 2.0.1 Basic System Administration ESX Server 3.0.1 and Virtual Center 2.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

vsphere Replication for Disaster Recovery to Cloud

vsphere Replication for Disaster Recovery to Cloud vsphere Replication for Disaster Recovery to Cloud vsphere Replication 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Management of VMware ESXi. on HP ProLiant Servers

Management of VMware ESXi. on HP ProLiant Servers Management of VMware ESXi on W H I T E P A P E R Table of Contents Introduction................................................................ 3 HP Systems Insight Manager.................................................

More information

VMware Site Recovery Manager with EMC RecoverPoint

VMware Site Recovery Manager with EMC RecoverPoint VMware Site Recovery Manager with EMC RecoverPoint Implementation Guide EMC Global Solutions Centers EMC Corporation Corporate Headquarters Hopkinton MA 01748-9103 1.508.435.1000 www.emc.com Copyright

More information

VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard March 2013 Solution Guide for Payment Card Industry (PCI) Partner Addendum VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard VCE Vblock Systems The findings and recommendations

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

EMC ViPR Controller. Service Catalog Reference Guide. Version 2.3 XXX-XXX-XXX 01

EMC ViPR Controller. Service Catalog Reference Guide. Version 2.3 XXX-XXX-XXX 01 EMC ViPR Controller Version 2.3 Service Catalog Reference Guide XXX-XXX-XXX 01 Copyright 2015- EMC Corporation. All rights reserved. Published in USA. Published July, 2015 EMC believes the information

More information

What s New with VMware Virtual Infrastructure

What s New with VMware Virtual Infrastructure What s New with VMware Virtual Infrastructure Virtualization: Industry-Standard Way of Computing Early Adoption Mainstreaming Standardization Test & Development Server Consolidation Infrastructure Management

More information

EMC ViPR Controller. ViPR Controller REST API Virtual Data Center Configuration Guide. Version 2.3.0.0 302-002-070 01

EMC ViPR Controller. ViPR Controller REST API Virtual Data Center Configuration Guide. Version 2.3.0.0 302-002-070 01 EMC ViPR Controller Version 2.3.0.0 ViPR Controller REST API Virtual Data Center Configuration Guide 302-002-070 01 Copyright 2013-2015 EMC Corporation. All rights reserved. Published in USA. Published

More information

EMC VNXe Series. Configuring Hosts to Access CIFS File Systems. Version 3.1 P/N 302-000-191 REV. 03

EMC VNXe Series. Configuring Hosts to Access CIFS File Systems. Version 3.1 P/N 302-000-191 REV. 03 EMC VNXe Series Version 3.1 Configuring Hosts to Access CIFS File Systems P/N 302-000-191 REV. 03 Copyright 2014-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes

More information

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients

EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients A Detailed Review EMC Information Infrastructure Solutions Abstract This white

More information

OnCommand Performance Manager 2.0

OnCommand Performance Manager 2.0 OnCommand Performance Manager 2.0 Installation and Administration Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408)

More information

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Nexus 1000V Switch for Microsoft Hyper-V Data Sheet Cisco Nexus 1000V Switch for Microsoft Hyper-V Product Overview Cisco Nexus 1000V Switches provide a comprehensive and extensible architectural platform for virtual machine and cloud networking.

More information

vcenter Server and Host Management

vcenter Server and Host Management ESXi 5.1 vcenter Server 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Introduction... 4 Purpose... 4 Scope... 4 Audience... 5 Feedback... 5

Introduction... 4 Purpose... 4 Scope... 4 Audience... 5 Feedback... 5 VCE Word Template Table of Contents www.vce.com CLOUD SERVICE ASSURANCE: CISCO VIRTUAL SECURITY GATEWAY (VSG) AND CISCO VIRTUAL WIDE AREA APPLICATION SERVICES (VWAAS) ON VBLOCK INFRASTRUCTURE PLATFORMS

More information

VMware vsphere Data Protection Evaluation Guide REVISED APRIL 2015

VMware vsphere Data Protection Evaluation Guide REVISED APRIL 2015 VMware vsphere Data Protection REVISED APRIL 2015 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Requirements.... 4 Evaluation Workflow... 5 Overview.... 5 Evaluation

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Sample Configuration: Cisco UCS, LDAP and Active Directory

Sample Configuration: Cisco UCS, LDAP and Active Directory First Published: March 24, 2011 Last Modified: March 27, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

Deployment and Configuration Guide

Deployment and Configuration Guide vcenter Operations Manager 5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

VMware vsphere: [V5.5] Admin Training

VMware vsphere: [V5.5] Admin Training VMware vsphere: [V5.5] Admin Training (Online Remote Live TRAINING) Summary Length Timings : Formats: Lab, Live Online : 5 Weeks, : Sat, Sun 10.00am PST, Wed 6pm PST Overview: This intensive, extended-hours

More information

EMC ENCRYPTION AS A SERVICE

EMC ENCRYPTION AS A SERVICE White Paper EMC ENCRYPTION AS A SERVICE With CloudLink SecureVSA Data security for multitenant clouds Transparent to applications Tenant control of encryption keys EMC Solutions Abstract This White Paper

More information

VMware Workspace Portal Reference Architecture

VMware Workspace Portal Reference Architecture VMware Workspace Portal 2.1 TECHNICAL WHITE PAPER Table of Contents Executive Summary.... 3 Overview.... 4 Hardware Components.... 5 VMware vsphere.... 5 VMware Workspace Portal 2.1.... 5 VMware Horizon

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

TGL VMware Presentation. Guangzhou Macau Hong Kong Shanghai Beijing

TGL VMware Presentation. Guangzhou Macau Hong Kong Shanghai Beijing TGL VMware Presentation Guangzhou Macau Hong Kong Shanghai Beijing The Path To IT As A Service Existing Apps Future Apps Private Cloud Lots of Hardware and Plumbing Today IT TODAY Internal Cloud Federation

More information

Using EonStor FC-host Storage Systems in VMware Infrastructure 3 and vsphere 4

Using EonStor FC-host Storage Systems in VMware Infrastructure 3 and vsphere 4 Using EonStor FC-host Storage Systems in VMware Infrastructure 3 and vsphere 4 Application Note Abstract This application note explains the configure details of using Infortrend FC-host storage systems

More information

Migrating to ESXi: How To

Migrating to ESXi: How To ILTA Webinar Session Migrating to ESXi: How To Strategies, Procedures & Precautions Server Operations and Security Technology Speaker: Christopher Janoch December 29, 2010 Migrating to ESXi: How To Strategies,

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.1 Embedded vcenter Server 4.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY

VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY August 2011 2011 VCE Company, LLC. All rights reserved. 1 Table of Contents Introduction... 3 Purpose... 3 Audience... 3 Scope...

More information

VMware ESX Server 3 Configuration Guide

VMware ESX Server 3 Configuration Guide Date: 03/03/08 VMware ESX Server 3 Configuration Guide Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate National Security Agency 9800

More information