Security Best Practices and Scenarios |
15 |
A series of ESX deployment scenarios can help you understand how best to employ the security features in your own deployment. Scenarios also illustrate some basic security recommendations that you can consider when creating and configuring virtual machines.
This chapter includes the following topics:
n“Security Approaches for Common ESX Deployments,” on page 207
n“Virtual Machine Recommendations,” on page 211
Security Approaches for Common ESX Deployments
You can compare security approaches for different types of deployments to help plan security for your own ESX deployment.
The complexity of ESX deployments can vary significantly depending on the size of your company, the way that data and resources are shared with the outside world, whether there are multiple datacenters or only one, and so forth. Inherent in the following deployments are policies for user access, resource sharing, and security level.
Single-Customer Deployment
In a single-customer deployment, ESX hosts are owned and maintained within a single corporation and single datacenter. Host resources are not shared with outside users. One site administrator maintains the hosts, which are run on a number of virtual machines.
The single-customer deployment does not allow customer administrators, and the site administrator is solely responsible for maintaining the various virtual machines. The corporation staffs a set of system administrators who do not have accounts on the host and cannot access any of the ESX tools such as vCenter Server or command line shells for the host. These system administrators have access to virtual machines through the virtual machine console so that they can load software and perform other maintenance tasks inside the virtual machines.
Table 15-1 shows how you might handle sharing for the components that you use and configure for the host.
Table 15-1. Sharing for Components in a Single-Customer Deployment
Function |
Configuration |
Comments |
|
|
|
Service console shares the same |
No |
Isolate the service console by configuring it on its own |
physical network as the virtual |
|
physical network. |
machines? |
|
|
|
|
|
Service console shares the same |
No |
Isolate the service console by configuring it on its own VLAN. |
VLAN as the virtual machines? |
|
No virtual machine or other system facility such as vMotion |
|
|
must use this VLAN. |
|
|
|
VMware, Inc. |
207 |
ESX Configuration Guide
Table 15-1. Sharing for Components in a Single-Customer Deployment (Continued)
Function |
Configuration |
Comments |
|
|
|
Virtual machines share the same |
Yes |
Configure your virtual machines on the same physical |
physical network? |
|
network. |
|
|
|
Network adapter sharing? |
Partial |
Isolate the service console by configuring it on its own virtual |
|
|
switch and virtual network adapter. No virtual machine or |
|
|
other system facility must use this switch or adapter. |
|
|
You can configure your virtual machines on the same virtual |
|
|
switch and network adapter. |
|
|
|
VMFS sharing? |
Yes |
All .vmdk files reside in the same VMFS partition. |
|
|
|
Security level |
High |
Open ports for needed services like FTP on an individual |
|
|
basis. See “Service Console Firewall Configuration,” on |
|
|
page 192 for information on security levels. |
|
|
|
Virtual machine memory |
Yes |
Configure the total memory for the virtual machines as |
overcommitment? |
|
greater than the total physical memory. |
|
|
|
Table 15-2 shows how you might set up user accounts for the host.
Table 15-2. User Account Setup in a Single-Customer Deployment
User Category |
Total Number of Accounts |
Site administrators |
1 |
|
|
Customer administrators |
0 |
|
|
System administrators |
0 |
|
|
Business users |
0 |
|
|
Table 15-3 shows the level of access for each user.
Table 15-3. User Access in a Single-Customer Deployment
Access Level |
Site Administrator |
System Administrator |
|
|
|
Root access? |
Yes |
No |
|
|
|
Service console access through SSH? |
Yes |
No |
|
|
|
vCenter Server and vSphere Web Access? |
Yes |
No |
|
|
|
Virtual machine creation and modification? |
Yes |
No |
|
|
|
Virtual machine access through the console? |
Yes |
Yes |
|
|
|
Multiple-Customer Restricted Deployment
In a multiple-customer restricted deployment, ESX hosts are in the same datacenter and are used to serve applications for multiple customers. The site administrator maintains the hosts, and these hosts run a number of virtual machines dedicated to the customers. Virtual machines that belong to the various customers can be on the same host, but the site administrator restricts resource sharing to prevent rogue interaction.
Although there is only one site administrator, several customer administrators maintain the virtual machines assigned to their customers. This deployment also includes customer system administrators who do not have ESX accounts but have access to the virtual machines through the virtual machine console so that they can load software and perform other maintenance tasks inside the virtual machines.
Table 15-4 shows how you might handle sharing for the components you use and configure for the host.
208 |
VMware, Inc. |
Chapter 15 Security Best Practices and Scenarios
Table 15-4. Sharing for Components in a Multiple-Customer Restricted Deployment
Function |
Configuration |
Comments |
|
|
|
Service console shares the same |
No |
Isolate the service console by configuring it on its own physical |
physical network as the virtual |
|
network. |
machines? |
|
|
|
|
|
Service console shares the same |
No |
Isolate the service console by configuring it on its own VLAN. |
VLAN as the virtual machines? |
|
No virtual machine or other system facility such as vMotion |
|
|
must use this VLAN. |
|
|
|
Virtual machines share the same |
Partial |
Put the virtual machines for each customer on a different |
physical network? |
|
physical network. All physical networks are independent of |
|
|
each other. |
|
|
|
Network adapter sharing? |
Partial |
Isolate the service console by configuring it on its own virtual |
|
|
switch and virtual network adapter. No virtual machine or |
|
|
other system facility must use this switch or adapter. |
|
|
You configure virtual machines for one customer so that they |
|
|
all share the same virtual switch and network adapter. They do |
|
|
not share the switch and adapter with any other customers. |
|
|
|
VMFS sharing? |
No |
Each customer has its own VMFS partition, and the virtual |
|
|
machine .vmdk files reside exclusively on that partition. The |
|
|
partition can span multiple LUNs. |
|
|
|
Security level |
High |
Open ports for services like FTP as needed. |
|
|
|
Virtual machine memory |
Yes |
Configure the total memory for the virtual machines as greater |
overcommitment? |
|
than the total physical memory. |
|
|
|
Table 15-5 shows how you might set up user accounts for the ESX host.
Table 15-5. User Account Setup in a Multiple-Customer Restricted Deployment
User Category |
Total Number of Accounts |
|
|
Site administrators |
1 |
|
|
Customer administrators |
10 |
|
|
System administrators |
0 |
|
|
Business users |
0 |
|
|
Table 15-6 shows the level of access for each user.
Table 15-6. User Access in a Multiple-Customer Restricted Deployment
|
|
Customer |
System |
Access Level |
Site Administrator |
Administrator |
Administrator |
|
|
|
|
Root access? |
Yes |
No |
No |
|
|
|
|
Service console access through SSH? |
Yes |
Yes |
No |
|
|
|
|
vCenter Server and vSphere Web Access? |
Yes |
Yes |
No |
|
|
|
|
Virtual machine creation and modification? |
Yes |
Yes |
No |
|
|
|
|
Virtual machine access through the console? |
Yes |
Yes |
Yes |
|
|
|
|
VMware, Inc. |
209 |
ESX Configuration Guide
Multiple-Customer Open Deployment
In a multiple-customer open deployment, ESX hosts are in the same datacenter and are used to serve applications for multiple customers. The site administrator maintains the hosts, and these hosts run a number of virtual machines dedicated to the customers. Virtual machines that belong to the various customers can be on the same host, but there are fewer restrictions on resource sharing.
Although there is only one site administrator in a multiple-customer open deployment, several customer administrators maintain the virtual machines assigned to their customers. The deployment also includes customer system administrators who do not have ESX accounts but have access to the virtual machines through the virtual machine console so that they can load software and perform other maintenance tasks inside the virtual machines. Lastly, a group of business users who do not have accounts can use virtual machines to run their applications.
Table 15-7 shows how you might handle sharing for the components that you use and configure for the host.
Table 15-7. Sharing for Components in a Multiple-Customer Open Deployment
Function |
Configuration |
Comments |
|
|
|
Service console shares the same |
No |
Isolate the service console by configuring it on its own |
physical network as the virtual |
|
physical network. |
machines? |
|
|
Service console shares the same VLAN No as the virtual machines?
Isolate the service console by configuring it on its own VLAN. No virtual machine or other system facility such as vMotion must use this VLAN.
Virtual machines share the same |
Yes |
Configure your virtual machines on the same physical |
physical network? |
|
network. |
|
|
|
Network adapter sharing? |
Partial |
Isolate the service console by configuring it on its own |
|
|
virtual switch and virtual network adapter. No virtual |
|
|
machine or other system facility must use this switch or |
|
|
adapter. |
|
|
You configure all virtual machines on the same virtual |
|
|
switch and network adapter. |
|
|
|
VMFS sharing? |
Yes |
Virtual machines can share VMFS partitions, and their |
|
|
virtual machine .vmdk files can reside on shared partitions. |
|
|
Virtual machines do not share .vmdk files. |
|
|
|
Security level |
High |
Open ports for services like FTP as needed. |
|
|
|
Virtual machine memory |
Yes |
Configure the total memory for the virtual machines as |
overcommitment? |
|
greater than the total physical memory. |
|
|
|
Table 15-8 shows how you might set up user accounts for the host.
Table 15-8. User Account Setup in a Multiple-Customer Open Deployment
User Category |
Total Number of Accounts |
|
|
Site administrators |
1 |
|
|
Customer administrators |
10 |
|
|
System administrators |
0 |
|
|
Business users |
0 |
|
|
Table 15-9 shows the level of access for each user.
210 |
VMware, Inc. |