Advanced VMware Security: 5 Day Hands-On Bootcamp
Chapter 1 - Primer and reaffirming our knowledge
Overview
ESX Networking Components
Virtual Ethernet Adapters and How They Work.
Virtual Switches and How They Work
Virtual Switches vis-a-vis Physical Switch
Why The Spanning Tree Protocol is Superfluous
What are Virtual Ports and Why Should we be Concerned?
VMWare so-called "Uplink Ports" and their interaction with the Physical equivalent
Concept of Port Groups - They are out of this (physical) world!
Uplinks
Virtual Switch Correctness
VLANs in VMware Infrastructure
NIC Teaming
Load Balancing
Failover Configurations
Layer 2 Security Features
Managing the Virtual Network with "VirtualCenter"
File System Structure
Kernel
Processes
When do the processes start?
Starting and Stopping Processes
Interacting with Processes
Account and Groups
Password and Shadow File Formats
Linux and Unix Permissions
Set UID Programs
Trust Relationships
Logs and Auditing
Chapter 2 - Penetration Testing 101
Overview
What is a Penetration Test?
Benefits of a Penetration test
What is the Cost of a Hack?
Example
Current Issues
Malware/Virus
Active Zombies
Hash Collisions
SQL Injection
Identity Theft
Social Engineering, EXploits and Chained Exploits
Chained Exploit Example
The Evolving Threat
Pen Testing Methodology
Types of Tests
Website Review
Common Management Errors
It's not Just about the Tools!
Chapter 3 - Routing and the Security Design of VMware
Overview
Security of Routing Data
How traffic is routed Between Virtual Machines on ESX host
Different vSwitches, same port group and VLAN
Same vSwitch, different port group and VLAN
Same vSwitch, same port group and VLAN
Security Design of the VMware Infrastructure 3 Architecture
VMware Infrastructure Architecture and Security Features
Virtualization Layer
CPU Virtualization
Buffer overflow
Memory Virtualization
Virtual Machines
Service Console
Virtual Networking Layer
Virtual Switches
Virtual Switch LANs
Virtual Ports
Virtual Network Adapters
Virtual Switch Isolation
Virtual Switch Correctness
Virtualized Storage
SAN Security
VMware Virtual Center
Chapter 4 – Information Gathering, Scanning and Enumeration
Overview
What information does the hacker gather?
Methods of Obtaining Information
Footprinting Defined
Maltego
Firefox Add
Google Hacking
Introduction to Port Scanning
Port Scanning Tools
NMAP
TCP Connect Port Scan
Half-Open Scan
Firewalled Ports
Service Version Detection
Additional NMAP Scans
UDP Scans
Enumeration Overview
Web Server Banner Grabbing
Telnet
SuperScan4
SMTP Server Banner
DNS Enumeration
Zone Transfers
Backtrack Tools
Active Directory Enumeration
LDAP miner
Null Sessions
Enumeration with Cain and Abel
NAT Dictionary Attack Tool
THC-Hydra
Cool Stuff with Cain
Chapter 5 – DMZ Virtualization
Overview
Virtualized DMZ Networks
Typical Virtualized DMZ
Three Typical Virtualized DMZ Configurations
Partially Collapsed DMZ with Separate Physical Trust
Zones
Partially Collapsed DMZ with Virtual Separation of Trust
Zones
Fully Collapsed DMZ
Best Practices for Achieving a Secure Virtualized DMZ Deployment
Harden and Isolate the Service Console
Clearly Label Networks for each Zone within the DMZ
Set Layer 2 Security Options on Virtual Switches
Enforce Separation of Duties
Use ESX Resource Management Capabilities
Regularly Audit Virtualized DMZ Configuration
Chapter 6 – Remote DataStore Security
Overview
Mask and Zone SAN Resources
LUN Masking
SAN Zoning
Port Zoning
Hard and Soft Zoning
WWN Zoning
Classes of Attacks against SANs
Fiber Channel
Fiber Channel – Security Protocol
ESP over Fiber Channel
DH-CHAP
Switch Link
Attacking Fiber Channel
Securing iSCSI, iFCP and FCIP over IP networks
Chapter 7 – Penetration Testing and the Tools of the Trade
Overview
Vulnerabilities in Network Services
Vulnerability Assessment Scanners
Nessus
Saint
Windows Password Cracking
Syskey Encryption
Cracking Techniques
Cryptanalysis
Disabling Auditing
Clearing the Event Log
Alternate Data Streams
Stream Explorer
Encrypted Tunnels
Port Monitoring Software
Rootkits
Metasploit
Fuzzers
SaintExploit
Core Impact
Penetration Testing Tool Comparison
Wireshark
ARP Cache Poisoning
Cain and Abel
Ettercap
Breaking SSL Traffic
Hash Algorithm
MD5 Hash Collisions
Chapter 8 – Hardening your ESX Server
Overview
Hardening Your ESX Server
ESX Best Practices
- Virtual Machines
- Secure Virtual Machines as You Would Secure Physical Machines
- Disable Unnecessary or Superfluous Functions
- Take Advantage of Templates
- Prevent Virtual Machines from Taking Over Resources
- Isolate Virtual Machine Networks
- Arp Cache Poisoning
- VM Segmentation
- Minimize Use of the VI Console
- Virtual Machine Files and Settings
- Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
- Limit Data Flow from the Virtual Machine to the Datastore
- SetInfo Hazard
- Do Not Use Nonpersistent Disks
- Ensure Unauthorized Devices are Not Connected
- Prevent Unauthorized Removal or Connection of Devices
- Avoid Denial of Service Caused by Virtual Disk Modification Operations
- Specify the Guest Operating System Correctly
- Verify Proper File Permissions for Virtual Machine Files
- Configuring the Service Console in ESX 3.5
- Configure the Firewall for Maximum Security
- Limit the Software and Services Running in the Service Console
- Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console
- Use a Directory Service for Authentication
- Strictly Control Root Privileges
- Control Access to Privileged Capabilities
- Establish a Password Policy for Local User Accounts
- Do Not Manage the Service Console as if it were a Linux Host
- Maintain Proper Logging
- Establish and Maintain File System Integrity
- Secure the SNMP Configuration
- Protect against the Root File System Filling Up
- Disable Automatic Mounting of USB Devices
Best Practices ESXi
- Configuring Host-level Management in ESXi 3.5
- Strictly Control Root Privileges
- Control Access to Privileged Capabilities
- Maintain Proper Logging
- Establish and Maintain Configuration File Integrity
- Secure the SNMP Configuration
- Ensure Secure Access to CIM
- Audit or Disable Technical Support Mode
Configuring the ESX/ESXi Host
- Isolate the Infrastructure-related Networks
- Configure Encryption for Communication between Clients and ESX/ESXi
- Label Virtual Networks Clearly
- Do Not Create a Default Port Group
- Do Not Use Promiscuous Mode on Network Interfaces
- Protect against MAC Address Spoofing
- Secure the ESX/ESXi Host Console
- Mask and Zone SAN Resources Appropriately
- Secure iSCSI Devices through Authentication
VirtualCenter
- Set Up the Windows Host for VirtualCenter with Proper Security
- Limit Administrative Access
- Limit Network Connectivity to VirtualCenter
- Use Proper Security Measures when Configuring the Database for VirtualCenter
- Enable Full and Secure Use of Certificate-based Encryption
- VirtualCenter Server Certificates Replacement
- Pre-Installation
- During Installation
- Post-Installation
- Use VirtualCenter Custom Roles
- Document and Monitor Changes to the Configuration
- VirtualCenter Add-on Components
- VMware Update Manager
- VMware Converter Enterprise
- VMware Guided Consolidation
- General Considerations
Client Components
- Restrict the use of Linux-based Clients
- Verify the Integrity of VI Client
- Monitor the Usage of VI Client Instances
- Avoid the Use of Plain-Text Passwords
Appendix:
The Basics of SAN Security, Part I
Increasing Security Concerns
Security Domains
- Administrator-to-Security Management Domain
- Host-to-Switch Domain
- Security Management-to-Fabric Domain
Switch-to-Switch Domain
Data Integrity and Security
- So What Is Zoning?
- Zoning Types
- Configuring Zoning Components
- LUN Masking
- Persistent Binding
- Security Technologies
- Host-to-Fabric
- Summary and Conclusions
Security Management Part 2
Fibre Channel Security Management
Authentication and Authorization
Configuration Management
SAN Access
SAN Security Benefits
Host-Based and Switch Based Mapping
Controller-based Mapping
WWN Privileged Access
Redundancy
Management
Summary and Conclusions
Appendix 1 – Malware
Distributing Malware
Malware Capabilities
Netcat
Executable Wrappers
Avoiding Detection
BPMTK
Appendix 2 – SQL Injection
What is SQL Injection?
Why SQL Injection?
Attacking Database Servers