Category: Automation

Making Security Easier – An ESXi Fling for US Federal Customers

Running systems in the US Federal Government presents its own unique challenges. From specific login requirements (CAC/PIV smart cards) to specific regulations like the DISA STIGs, managing systems in this environment comes with a healthy dose of security. Today we’re taking a small step towards making that easier with the introduction of a VMware Fling for ESXi that targets the DISA STIG standards.

DISA STIG

Many of the requirements in a STIG come from years of operational experience with other operating systems. Even though ESXi isn’t Linux, it shares some common tools that have specific settings the STIG requires. This Fling, delivered as a VIB, simplifies that process and does it in a more secure manner.


vSphere 6.0 Lockdown Modes

Lockdown mode has been around in various forms for many releases. Its behavior has changed a few times since vSphere 5.1, with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see happen with all customers running vSphere 6.0 is that you run, at a minimum, the “Normal” Lockdown Mode.


Survey: What questions does the security guy ask all the time?

You’re the virtualization admin. Your security guy comes up to you looking for information. You really don’t want to give him an account on vCenter, do you? (According to a group discussion session I did at VMworld, the answer was clearly “No”, with some being a little more colorful by using the term “NFW”!)

But let’s face it, the IT Security folks do have a job to do, and they really could use information on a regular basis to do it. Let’s see if we can help them by helping you, shall we?

Give us questions, we’ll give you answers

I’m looking for examples of the types of questions IT Security needs regular answers to. Alan Renouf and I are mulling some ways to help both of you out. No details yet, but having Alan involved should give you a hint! :) Give us the questions, and let us surprise you.

I’ll start this off with some examples:

Security Guy: “I need to see…”

  • all the virtual machines that have a CD drive attached
  • what virtual machines are on what network/switch/portgroup
  • what virtual machines are on what storage device
  • what roles are assigned to what users
  • ESXi server SSL certificate details, such as when they expire
  • what vSwitches are in promiscuous mode
  • any vDS port mirroring details
  • the ESXi Shell interactive timeout values
  • what syslog IP address the ESXi servers are configured to send to

Based on that, start posting your questions! We’ll try to include as many as we can in this little project we are working on. We hope you like it!

mike
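The list above maps almost directly onto PowerCLI cmdlets. As an added example that is not part of the post or of any VMware tool, the following read-only script pulls each answer out of vCenter into one CSV per question, so the security team gets its data without ever needing a vCenter account. The vCenter name, the output file names and the use of a read-only vCenter role are assumptions.

```powershell
# Added example (not from the post): PowerCLI read-only report answering the
# security guy's questions, producing CSV files instead of a vCenter account.
# Assumes the VMware.PowerCLI module and a read-only vCenter role; the server
# name is a placeholder.
param([string]$Server = 'vcenter.example.internal', [string]$OutDir = '.')

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null
$vms = Get-VM; $hosts = Get-VMHost

# VMs with a CD/DVD drive backed by an ISO, a host device or a client device
$cd = $vms | Get-CDDrive | Where-Object { $_.IsoPath -or $_.HostDevice -or $_.RemoteDevice } |
      Select-Object @{N='VM';E={$_.Parent.Name}}, IsoPath, HostDevice,
                    @{N='Connected';E={$_.ConnectionState.Connected}}
# Which VM sits on which network/portgroup, and on which datastore
$net = $vms | Get-NetworkAdapter | Select-Object @{N='VM';E={$_.Parent.Name}}, Name, NetworkName
$ds  = foreach ($vm in $vms) {
    Get-Datastore -RelatedObject $vm | Select-Object @{N='VM';E={$vm.Name}}, @{N='Datastore';E={$_.Name}}
}
# Roles assigned to users/groups, and on which inventory object
$perm = Get-VIPermission | Select-Object Principal, Role, @{N='Entity';E={$_.Entity.Name}}, Propagate
# Host SSL certificate expiry (HostSystem.Config.Certificate holds the PEM bytes)
$certs = foreach ($h in $hosts) {
    $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [byte[]]$h.ExtensionData.Config.Certificate)
    [pscustomobject]@{ Host = $h.Name; Subject = $x.Subject; NotAfter = $x.NotAfter
                       DaysLeft = [int]($x.NotAfter - (Get-Date)).TotalDays }
}
# Standard vSwitches and portgroups whose security policy accepts promiscuous mode
$promisc  = @(Get-VirtualSwitch -Standard | Get-SecurityPolicy | Where-Object { $_.AllowPromiscuous } |
              Select-Object @{N='Object';E={$_.VirtualSwitch.Name}}, @{N='Type';E={'vSwitch'}})
$promisc += @(Get-VirtualPortGroup -Standard | Get-SecurityPolicy | Where-Object { $_.AllowPromiscuous } |
              Select-Object @{N='Object';E={$_.VirtualPortGroup.Name}}, @{N='Type';E={'PortGroup'}})
# vDS port-mirroring (VSPAN) sessions
$mirror = foreach ($vds in Get-VDSwitch) {
    foreach ($s in $vds.ExtensionData.Config.VspanSession) {
        [pscustomobject]@{ VDS = $vds.Name; Session = $s.Name; Enabled = $s.Enabled; Type = $s.SessionType }
    }
}
# ESXi Shell interactive timeout and remote syslog target, per host
$hostcfg = foreach ($h in $hosts) {
    $adv = Get-AdvancedSetting -Entity $h -Name 'UserVars.ESXiShellInteractiveTimeOut','Syslog.global.logHost'
    [pscustomobject]@{ Host = $h.Name
        ShellInteractiveTimeout = ($adv | Where-Object { $_.Name -eq 'UserVars.ESXiShellInteractiveTimeOut' }).Value
        SyslogHost              = ($adv | Where-Object { $_.Name -eq 'Syslog.global.logHost' }).Value }
}
# One CSV per question (hypothetical file names); skip empty result sets
$report = [ordered]@{ CDDrives=$cd; Networks=$net; Datastores=$ds; Permissions=$perm; Certificates=$certs
                      Promiscuous=$promisc; PortMirroring=$mirror; HostSettings=$hostcfg }
foreach ($k in $report.Keys) {
    if ($report[$k]) { $report[$k] | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "SecurityReport-$k.csv") }
}
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it on a schedule under a vCenter account holding only the Read-only role, and the security team gets a fresh set of answers each time without any vCenter login of their own.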