As enterprise deployments of virtualization continue to grow, it’s critical to have control over the configuration and patch status of hypervisor platforms to minimize the presence of vulnerabilities in your environment. Fortunately, VMware offers a variety of tools within its vSphere infrastructure that can help operations teams keep up with VMware configuration management and VMware patch management best practices. In this tip, we’ll focus on two of the most powerful tools: Host Profiles and VMware Update Manager. Although neither of these is new, both have been updated in vSphere 5 with new functionality and capabilities.
VMware configuration management using Host Profiles
Host Profiles is essentially a template creation and management tool for designing and deploying ESX and ESXi hypervisor configuration images. ESX platforms, with the older Service Console operating system, have a much larger configuration footprint than ESXi systems, in general. However, there are numerous settings that should be consistent across platforms, especially for organizations looking to design and maintain an internal cloud. vSphere 5 has introduced a number of new configuration options for Host Profiles, including support for iSCSI and Fibre Channel over Ethernet (FCoE) controls, storage multipathing capabilities, and new device and kernel module settings.
For security specifically, there are a number of ESXi settings that should be configured through Host Profiles. They include the following, listed here by category and setting name.
- Networking Configuration:vSwitch:<Switch Name>:Network Policy Configuration controls the three built-in security policies for vSwitches. Set all three (AllowPromiscuous, MacChanges and ForgedTransmits) to “Reject”, or “False” in Host Profiles terminology. The same settings should be applied for all Port Groups listed under the Networking Configuration:Virtual machine port group and Networking Configuration:Host port group categories.
- Networking Configuration:Date and time configuration: Time settings should have specific Network Time Protocol (NTP) servers listed to ensure proper timestamps in log files.
- Networking Configuration:Firewall configuration:Default blocking policy -- Ideally set to “Configure a fixed default blocking policy” with the options to block both incoming traffic and outgoing traffic selected.
- Networking Configuration:Firewall configuration:Ruleset Configuration is the control area where you can specify particular firewall rules for the host. These will vary, but only allow traffic that is explicitly needed for proper operation.
- Security configuration:Administrator password: Ideally left as “Leave administrator password unchanged.” In many environments, you’ll use Active Directory membership to control user accounts, and the default admin account should have a long, complex password set and be used only in a “break glass” situation.
- Security configuration:Permission rules: Set up if you have specific groups on the host you want to control access for.
- Security configuration:SSH authorized key for root user: Configure with the proper root user public key.
- Service configuration: Review these options; all services (particularly SSH and other remote access services) should be disabled if not required.
- Enter the three “global” advanced configuration option settings for the system’s Syslog agent. Logs are 1024 KB in size, rotate after 8 files, and are found in the /scratch/log directory. These settings are fine or can be changed, but must be configured.
- Authentication configuration:Active Directory configuration should have a domain name set, and a method for joining the ESXi host to the domain (typically a username and password, but may also use the vSphere Authentication Proxy).
- Login Banner:Login Banner Text: Configure with a login banner that meets your organizational policy.
You can attach a host or cluster to a specific host profile to evaluate its compliance with the configuration policy, and then apply the configuration template as well. One new feature is the ability to create a simple XML-based “answer file” with variations for specific hosts. These answer files can then be disseminated when using vSphere Auto Deploy, a handy feature that makes provisioning new systems much simpler.
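The security settings listed above lend themselves to an automated check against a saved copy of a host's configuration. The following is an added example, not code from the original article or from VMware's tooling; the snapshot dictionary layout, its key names and the `required` flag on services are assumptions made for illustration, and the sample host is constructed.

```python
# Constructed snapshot of one ESXi host's settings. The layout and key names are
# hypothetical (not a VMware export format); populate it from your own inventory data.
SAMPLE_HOST = {
    "name": "esxi01.example.internal",
    "vswitches": {"vSwitch0": {"AllowPromiscuous": False, "MacChanges": True,
                               "ForgedTransmits": False}},
    "port_groups": {"VM Network": {"AllowPromiscuous": False, "MacChanges": False,
                                   "ForgedTransmits": False}},
    "ntp_servers": [],
    "firewall_default": {"block_incoming": True, "block_outgoing": False},
    "services": {"ssh": {"running": True, "required": False}},
    "syslog": {"log_dir": "/scratch/log", "size_kb": 1024},  # rotate count missing
    "ad_domain": "corp.example.internal",
    "login_banner": "Authorized use only.",
}
POLICY_KEYS = ("AllowPromiscuous", "MacChanges", "ForgedTransmits")

def audit_host(host):
    """Return a list of (setting, problem) findings for one host snapshot."""
    findings = []
    # vSwitches and port groups: all three security policies must be False (Reject).
    for kind in ("vswitches", "port_groups"):
        for name, policy in host.get(kind, {}).items():
            for key in POLICY_KEYS:
                if policy.get(key, True):  # a missing value counts as non-compliant
                    findings.append((f"{kind}:{name}:{key}", "must be False (Reject)"))
    if not host.get("ntp_servers"):
        findings.append(("ntp_servers", "no NTP servers listed"))
    # Fixed default blocking policy: both directions must be blocked.
    fw = host.get("firewall_default", {})
    for direction in ("block_incoming", "block_outgoing"):
        if not fw.get(direction, False):
            findings.append((f"firewall_default:{direction}", "traffic not blocked by default"))
    for svc, state in host.get("services", {}).items():
        if state.get("running") and not state.get("required"):
            findings.append((f"services:{svc}", "running but not required"))
    # The three global syslog settings must all be explicitly configured.
    for key in ("log_dir", "size_kb", "rotate"):
        if not host.get("syslog", {}).get(key):
            findings.append((f"syslog:{key}", "not configured"))
    if not host.get("ad_domain"):
        findings.append(("ad_domain", "no Active Directory domain set"))
    if not host.get("login_banner", "").strip():
        findings.append(("login_banner", "empty"))
    return findings

if __name__ == "__main__":
    for setting, problem in audit_host(SAMPLE_HOST):
        print(f"{SAMPLE_HOST['name']}: {setting}: {problem}")
```
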
Patching best practices using VMware Update Manager
Another helpful tool is VMware Update Manager (VUM), which can help administrators automate and streamline the patching and upgrade process for ESX and ESXi hosts. With VUM, you can flexibly control just about every aspect of the patching cycle, and the new version for vSphere 5 has some new capabilities worth mentioning.
First, VUM has better support for clusters, where all cluster members can be evaluated for resource availability to move hosts into maintenance mode for patching (which means all VMs will need to migrate to other cluster members). Key services can be turned off or left alone on cluster hosts; also, retries can be scheduled if the first attempt at patching fails for some reason. VUM now can download patches from multiple sources, and specific updates can be filtered so only the relevant patches are downloaded. Numerous types of upgrades are now included in VUM, including host upgrades from ESX/ESXi 4.x to 5.x, Virtual Appliance (VA) upgrades for VMware and some third-party products, and VMware Tools upgrades for VMs that can be scheduled for a convenient time.
Configuring VUM is simple and there are a number of clear patching best practices to follow. First, define granular baseline profiles that include both “critical” and “non-critical” host patches (these are predefined), as well as specific profiles for commonly used Virtual Appliances. It’s best to maintain a set of ESXi images to perform upgrades, and each of these also should ideally have a baseline profile defined.
For the most critical hosts that need to have very controlled configuration consistency, it’s best to define Fixed patch baselines, where each patch has to be added manually. Dynamic profiles are useful for automatically adding new patches meeting criteria to the baseline, but can wreak havoc if deployed without adequate testing. The new filtering criteria for Dynamic baselines make it easy to control which patches are included, however, which can greatly simplify automated patching for less critical hosts. Another sound practice is to define multiple patch repositories, both external (such as VMware’s sites) and local for specific images and patch bundles.
Host Profiles and VUM, when used together, can help alleviate the burden of VMware configuration management and patching for virtualization infrastructure in VMware environments. Host Profiles is only available in the Enterprise Plus license version, whereas VUM is available in Standard, Enterprise and Enterprise Plus.
About the author:
Dave Shackleford is the senior vice president of research and the chief technology officer at IANS. Dave is a SANS analyst, instructor and course author, as well as a GIAC technical director. Dave previously was the founder and principal consultant with Voodoo Security, and has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. Dave is a former QSA with several years' experience performing PCI assessments. He is a VMware vExpert, and has extensive experience designing and configuring secure virtualized infrastructures. Dave previously was CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.