Pluralsight VMware vSphere Security course review

I took some time to go over the VMware vSphere Security course from Pluralsight this week. This course was released on 1/14/2014 and was created by Brian Tobia.

Anyone can install vSphere. It takes a good admin or architect to take into consideration the security aspects of a deployment and how it fits into your organization.

Let me first say that the course seems very long! But each lesson kept my attention and I would find myself saying “I knew that” or “ohh, there is something new”. It is definitely worth going over once or twice.

First, Brian starts off by talking about security basics. When I first heard him mention certificates, not much was covered. I was wanting more! That comes later in the vCenter Server Security topic. So don’t panic, you will get to see more on PKI in a later section.

The next topic goes on to talk about vSwitch security. A lot of vSphere admins may be familiar with this topic; the options have been around for a long time. I think most of this section would be on any VCP exam. Forged transmits, MAC address changes and promiscuous mode are all covered in a step-by-step video. Brian also explains the relationship between vSwitches and other network hardware when it comes to BPDUs and spanning tree. This would be a good overview for your network admins to review as well.

We then move on to Virtual Machine security. VM template creation and deployment are covered in this section. Snapshots and disk security (persistent and non-persistent disks) are also covered. The only thing I do not recall being covered in this section is the virtual machine VMCI device. This is the VM Communication Interface, which provides a high-speed communication channel between a VM and the hypervisor. Enabling VMCI between VMs is optional. Honestly I have never seen this device used. I’m sure there is a use case for it, but I have not used it to date. If you were using a monitoring device like Gigamon to inspect VM traffic on a host, you would not see traffic that travels over VMCI, because it never touches the network. This device would be a big security concern if it were left in use.

Host security is covered in the following topic. This is the main topic I see covered when it comes to vSphere security. There are so many options to cover when it comes to the host. In the last few years hosts have been joining Microsoft AD, and Brian does a great job of covering this step by step. Of course no security course would be complete without going over the ESXi firewall. You will see step-by-step options for what you can configure in the host-based firewall. The firewall portion is a good topic to cover because I see many people who confuse the host firewall with something that protects virtual machines; it only governs traffic to and from the host itself. Want to see what Lockdown mode is all about? This is covered as well. If you have not used it before, this is your chance to see it in action. Host profiles have been around for a while. If you have not seen or used host profiles before, this may be a good evaluation of whether to use them or not. SSL is covered just a little, but gets more in-depth treatment in the following topic.

Server Security is my favorite topic. Brian does a great job of explaining SSL certificates and how they play a role in securing your environment. I think SSL should have received its own dedicated topic in this course. It would have been nice to show how the Certificate Automation tool works and how you would apply certificates to different VMware products. The vCSA is also covered in this topic. Right out of the box this Linux-based appliance is locked down for security. There is a live lab that covers adding the vCSA to Active Directory.

Single Sign-On (SSO) has changed in vSphere 5.5 and this topic is covered very well. If you are looking to understand what it is all about, I highly recommend reviewing this section. The SSO add-in is an important piece if you have vCenter servers talking to each other or if you want to work with other vSphere products. I would expect vSphere 6.0 to include SSO for other products like vCloud and SRM.

The next section pretty much covers the vSphere hardening guide. This is recommended reading material for those looking to secure VMware environments. All versions can be found on the VMware site at https://www.vmware.com/support/support-resources/hardening-guides.html.

I was surprised to see a section for Log Insight. This tool is a separately licensed product from vSphere and vCenter. It is an excellent product for reviewing logs. This section goes over the deployment and configuration of Log Insight. The live labs show just how easy it is to configure and deploy.

And the last topic goes over Compliance Management and hardening with vCenter Configuration Manager. vCM is another product that is licensed outside of the vSphere products. For those looking for an overview of vCM, Brian does a great job (as usual) of demonstrating how the product is deployed and how it is configured. vCM helps with regulatory compliance and assessing host configurations. If topics outside of the vSphere suite are covered, why not vShield or NSX? Both are very lengthy topics. I’m sure Pluralsight will be coming out with a video soon on NSX.

Overall I thought this was an excellent course. I’m sure I will listen to it again on one of my drives in to work. A lot of topics are covered that will leave you wondering “should I do something about that?” or “I should really look into these add-on products”.


Deploying Citrix NetScaler Insight Center on vSphere 5.x

I must have beaten my head against this virtual appliance deployment for a whole day! If you are not familiar with the Citrix NetScaler Insight Center, it “delivers unprecedented visibility and enables real-time control in response to network traffic from a variety of services such as cloud, mobile and virtual desktops. Together NetScaler Insight Center and ActionAnalytics bring visibility and control to the datacenter”. To read more, follow this Citrix link for the skinny: http://www.citrix.com/products/netscaler-application-delivery-controller/features/visibility.html

The initial version of this virtual appliance did not have a build compatible with vSphere, only Citrix XenServer. In mid June there was a press release announcing a version that would work with vSphere. Looking at the download section you will notice almost all .xva files. My initial reaction was “I need to convert this file to an OVA or OVF”. VMware Converter will not convert a .xva file. Citrix XenConvert 2.3.1 is the only tool that will do the conversion to an OVA or OVF. But the encoding the Citrix tool produces will not work on vSphere: OVF and OVA files generated by Citrix cannot be imported by VMware due to different encoding (utf-16 vs. utf-32). If you try to import the OVA or OVF file into VMware you will get an XML error. I ran across numerous Citrix and VMware posts referring to standing up a XenServer and then doing an export or conversion. These methods would not work for this virtual appliance.
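Because the symptom described above is just a generic XML error at import time, it helps to know the actual byte encoding of an OVF descriptor before you try to deploy it. The following script is an added example, not something from the post or from Citrix or VMware: it reads the leading bytes of a descriptor, identifies the byte-order mark (or infers the byte order from the first `<` of the XML declaration when there is no BOM), pulls the `encoding=` value out of the XML declaration, and flags a mismatch between the two. The sample descriptors at the bottom are constructed for this example; the `inspect_ovf` and `family` names are mine.

```python
import re
import sys

# Byte-order marks, longest first so a UTF-32 LE BOM (FF FE 00 00)
# is not mistaken for the UTF-16 LE BOM (FF FE) that it starts with.
BOMS = [
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\xef\xbb\xbf", "utf-8-sig"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xff\xfe", "utf-16-le"),
]


def detect_bom(data: bytes):
    """Return the codec named by a leading BOM, or None if there is no BOM."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    return None


def guess_from_pattern(data: bytes):
    """No BOM: infer byte order from how the first '<' (0x3C) is padded."""
    head = data[:4]
    if head == b"\x00\x00\x00\x3c":
        return "utf-32-be"
    if head == b"\x3c\x00\x00\x00":
        return "utf-32-le"
    if head[:2] == b"\x00\x3c":
        return "utf-16-be"
    if head[:2] == b"\x3c\x00":
        return "utf-16-le"
    if head[:1] == b"\x3c":
        return "utf-8"  # any ASCII-compatible encoding looks like this
    return None


def family(codec: str) -> str:
    """Collapse 'utf-16-le', 'utf-8-sig', etc. to 'utf-16', 'utf-8'."""
    return "-".join(codec.lower().split("-")[:2])


def declared_encoding(data: bytes, codec: str):
    """Read the encoding= attribute of the XML declaration, if present."""
    # 200 bytes is a multiple of 2 and 4, so the slice never splits a code unit.
    text = data[:200].decode(codec, errors="replace")
    m = re.search(r'<\?xml[^>]*encoding=["\']([^"\']+)["\']', text)
    return m.group(1).lower() if m else None


def inspect_ovf(data: bytes) -> dict:
    """Summarise the real byte encoding vs. the encoding the descriptor claims."""
    bom = detect_bom(data)
    codec = bom or guess_from_pattern(data) or "utf-8"
    declared = declared_encoding(data, codec)
    mismatch = declared is not None and family(declared) != family(codec)
    return {"bom": bom, "bytes_look_like": family(codec),
            "declared": declared, "mismatch": mismatch}


# Constructed sample descriptors (minimal OVF envelopes, not Citrix output).
_XML = ('<?xml version="1.0" encoding="{enc}"?>\n'
        '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1">\n'
        '</Envelope>\n')
SAMPLE_UTF32 = b"\xff\xfe\x00\x00" + _XML.format(enc="UTF-32").encode("utf-32-le")
SAMPLE_UTF16 = b"\xff\xfe" + _XML.format(enc="UTF-16").encode("utf-16-le")
SAMPLE_UTF8_NOBOM = _XML.format(enc="UTF-8").encode("utf-8")
# Claims UTF-8 in the declaration but is actually stored as UTF-16 LE.
SAMPLE_MISMATCH = b"\xff\xfe" + _XML.format(enc="UTF-8").encode("utf-16-le")


if __name__ == "__main__":
    # Usage: python ovf_encoding.py path/to/descriptor.ovf
    with open(sys.argv[1], "rb") as fh:
        print(inspect_ovf(fh.read(256)))
```

Run it against the .ovf inside a package before importing; a `mismatch` of `True`, or a byte encoding that differs from the one the author found to deploy cleanly, tells you the XML error is an encoding problem rather than a broken package.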

Looking at the deployment guide from Citrix on how to install this on VMware was a little confusing. It looks like it was written by someone who knew very little about VMware products. Why would you need the VMware OVF Tool installed? Reading that made me really wonder how much effort I needed to put into this deployment.

The answer to all of this was a little simpler. Looking at the download section there is one option for a zip package.

[Image: NSIC-DL]

This is the latest version that will work for an initial deployment on vSphere. Version 120.13 is what you want to use as of the date of this post. You will also notice that Citrix has posted “In order to upgrade ESX VM from builds before 120.13 release to 120.13+ builds, fresh install of the 120.13+ build is recommended”.

Within this zip file there is an OVF that is encoded as utf-32. Once you download this version it is as simple as deploying a regular virtual appliance. I recommend reviewing the Citrix Reference Architecture while planning your deployment. When you get your virtual appliance up and running, the default username and password are nsroot / nsroot.