I took some time to go over the VMware vSphere Security course from Pluralsight this week. This course was released on 1/14/2014 and was created by Brian Tobia.
Anyone can install vSphere. It takes a good admin or architect to take into consideration the security aspects of a deployment and how it fits into your organization.
Let me first say that the course seems very long! But each lesson kept my attention and I would find myself saying “I knew that” or “ohh, there is something new”. It is definitely worth going over once or twice.
First, Brian starts off by talking about security basics. When I first heard him mention certificates, not much was covered. I was wanting more! That comes later in vCenter Security Server. So don’t panic, you will get to see more on PKI in a later section.
The next topic goes on to talk about vSwitch security. A lot of vSphere admins may be familiar with this topic. The options have been around for a long time. I think most of this section would be on any VCP exam. Forged transmissions, MAC changes and promiscuous mode are all covered in a step-by-step video. Brian also explains the relation of the vSwitches and other network hardware when it comes to BPDU and spanning tree. This would be a good overview for your network admins to review as well.
We then move on to Virtual Machine security. VM template creation and deployments are covered in this section. Snapshots and disk security (persistent and non-persistent disks) are also covered. The only thing I do not recall being covered in this section is the virtual machine VMCI device. This is a VM communication interface to provide a high-speed communications channel between a VM and the hypervisor. It is optional to enable VMCI between VMs. Honestly, I have never seen this device used. I’m sure there is a use case for it, but I have not used it to date. If you were using a monitoring device like Gigamon to inspect VM traffic on a host, you would not see network traffic if you used the VMCI. This device would cause a big security concern if it were left in use.
Host security is covered in the following topic. This is the main topic I see covered when it comes to vSphere security. There are so many options to cover when it comes to the host. In the last few years hosts have been joining Microsoft AD. Brian does a great job of covering this step by step. Of course, no security course would be complete without going over the ESXi firewall. You will see step-by-step options for what you can configure in the host-based firewall. The firewall portion is a good topic to cover because I see many people who confuse the host firewall and how it relates to virtual machines. Want to see what Lockdown mode is all about? This is covered as well. If you have not used it before, this is your chance to see it in action. Host profiles have been around for a while. If you have not seen or used host profiles before, this may be a good evaluation of whether to use them or not. SSL is covered just a little, but gets more in depth in the following topic.
Server Security is my favorite topic. Brian does a great job at explaining SSL certificates and how they play a role in securing your environment. I think SSL should have received its own dedicated topic in this course. It would have been nice to show how the Certificate Automation tool works and how you would apply certificates to different VMware products. The vCSA is also covered in this topic. Right out of the box this Linux-based appliance is locked down for security. There is a live lab that covers adding the vCSA to Active Directory.
Single Sign-On has changed in vSphere 5.5 and this topic is covered very well. If you are looking to understand what it is all about, I highly recommend reviewing this section. The SSO add-in is an important piece if you have vCenter servers talking to each other or if you want to work with other vSphere products. I would expect vSphere 6.0 to include SSO for other products like vCloud and SRM.
The next section pretty much covers the vSphere hardening guide. This is recommended reading material for those looking to secure VMware environments. All versions can be found on the VMware site at https://www.vmware.com/support/support-resources/hardening-guides.html.
I was surprised to see a section for Log Insight. This tool is a separately licensed product from vSphere and vCenter. It is an excellent product for reviewing logs. This section goes over the deployment and configuration of Log Insight. The live labs show just how easy it is to configure and deploy.
And the last topic goes over Compliance Management and hardening with vCenter Configuration Manager. The vCM is another product that is licensed outside of the vSphere products. For those looking for an overview of vCM, Brian does a great job (as usual) with demonstrating how the product is deployed and how it is configured. The vCM helps with regulatory compliance and assessing host configurations. If topics outside of the vSphere suite are covered, why not vShield or NSX? Both are very lengthy topics. I’m sure Pluralsight will be coming out with a video soon on the NSX.
Overall, I thought this was an excellent course. I’m sure I will listen to it again on one of my drives in to work. A lot of topics are covered that will leave you wondering “should I do something about that” or “I should really look into these add-on products”.