VMware

Advanced VMware Security: 5 Day Hands-On Bootcamp

Chapter 1 - Primer and reaffirming our knowledge

• Overview
• ESX Networking Components
• Virtual Ethernet Adapters and How They Work
  • Virtual Switches and How They Work
  • Virtual Switches vis-a-vis Physical Switch
  • Why The Spanning Tree Protocol is Superfluous
  • What are Virtual Ports and Why Should we be Concerned?
  • VMWare so-called "Uplink Ports" and their interaction with the Physical equivalent
  • Concept of Port Groups - They are out of this (physical) world!
  • Uplinks
  • Virtual Switch Correctness
• VLANs in VMware Infrastructure
• NIC Teaming
  • Load Balancing
• Failover Configurations
• Layer 2 Security Features
• Managing the Virtual Network with "VirtualCenter"
• File System Structure
• Kernel
• Processes
  • When do the processes start?
  • Starting and Stopping Processes
  • Interacting with Processes
• Account and Groups
  • Password and Shadow File Formats
• Linux and Unix Permissions
  • Set UID Programs
• Trust Relationships
• Logs and Auditing

Chapter 2 - Penetration Testing 101

• Overview
• What is a Penetration Test?
• Benefits of a Penetration test
• What is the Cost of a Hack?
  • Example
• Current Issues
  • Malware/Virus
  • Active Zombies
  • Hash Collisions
  • SQL Injection
  • Identity Theft
  • Social Engineering, EXploits and Chained Exploits
  • Chained Exploit Example
• The Evolving Threat
• Pen Testing Methodology
• Types of Tests
• Website Review
• Common Management Errors
• It's not Just about the Tools!

Chapter 3 - Routing and the Security Design of VMware

• Overview
• Security of Routing Data
• How traffic is routed Between Virtual Machines on ESX host
  • Different vSwitches, same port group and VLAN
  • Same vSwitch, different port group and VLAN
  • Same vSwitch, same port group and VLAN
• Security Design of the VMware Infrastructure 3 Architecture
• VMware Infrastructure Architecture and Security Features
  • Virtualization Layer
  • CPU Virtualization
  • Buffer overflow
  • Memory Virtualization
  • Virtual Machines
  • Service Console
  • Virtual Networking Layer
  • Virtual Switches
  • Virtual Switch LANs
  • Virtual Ports
  • Virtual Network Adapters
  • Virtual Switch Isolation
  • Virtual Switch Correctness
  • Virtualized Storage
  • SAN Security
  • VMware Virtual Center

Chapter 4 – Information Gathering, Scanning and Enumeration

• Overview
• What information does the hacker gather?
• Methods of Obtaining Information
• Footprinting Defined
  • Maltego
  • Firefox Add
• Google Hacking
• Introduction to Port Scanning
• Port Scanning Tools
  • NMAP
  • TCP Connect Port Scan
  • Half-Open Scan
  • Firewalled Ports
  • Service Version Detection
  • Additional NMAP Scans
  • UDP Scans
• Enumeration Overview
  • Web Server Banner Grabbing
  • Telnet
  • SuperScan4
  • SMTP Server Banner
  • DNS Enumeration
  • Zone Transfers
  • Backtrack Tools
  • Active Directory Enumeration
  • LDAP miner
  • Null Sessions
  • Enumeration with Cain and Abel
  • NAT Dictionary Attack Tool
  • THC-Hydra
  • Cool Stuff with Cain

Chapter 5 – DMZ Virtualization

• Overview
• Virtualized DMZ Networks
• Typical Virtualized DMZ
• Three Typical Virtualized DMZ Configurations
  • Partially Collapsed DMZ with Separate Physical Trust
  • Zones
  • Partially Collapsed DMZ with Virtual Separation of Trust
  • Zones
  • Fully Collapsed DMZ
• Best Practices for Achieving a Secure Virtualized DMZ Deployment
  • Harden and Isolate the Service Console
  • Clearly Label Networks for each Zone within the DMZ
  • Set Layer 2 Security Options on Virtual Switches
  • Enforce Separation of Duties
  • Use ESX Resource Management Capabilities
  • Regularly Audit Virtualized DMZ Configuration

Chapter 6 – Remote DataStore Security

• Overview
• Mask and Zone SAN Resources
  • LUN Masking
  • SAN Zoning
  • Port Zoning
  • Hard and Soft Zoning
  • WWN Zoning
• Classes of Attacks against SANs
• Fiber Channel
  • Fiber Channel – Security Protocol
  • ESP over Fiber Channel
  • DH-CHAP
  • Switch Link
• Attacking Fiber Channel
• Securing iSCSI, iFCP and FCIP over IP networks

Chapter 7 – Penetration Testing and the Tools of the Trade

• Overview
• Vulnerabilities in Network Services
• Vulnerability Assessment Scanners
  • Nessus
  • Saint
• Windows Password Cracking
  • Syskey Encryption
  • Cracking Techniques
  • Cryptanalysis
• Disabling Auditing
  • Clearing the Event Log
• Alternate Data Streams
  • Stream Explorer
• Encrypted Tunnels
• Port Monitoring Software
• Rootkits
• Metasploit
• Fuzzers
• SaintExploit
• Core Impact
• Penetration Testing Tool Comparison
• Wireshark
• ARP Cache Poisoning
  • Cain and Abel
  • Ettercap
  • Breaking SSL Traffic
• Hash Algorithm
  • MD5 Hash Collisions

Chapter 8 – Hardening your ESX Server

• Overview
• Hardening Your ESX Server
• ESX Best Practices
  • Virtual Machines
  • Secure Virtual Machines as You Would Secure Physical Machines
  • Disable Unnecessary or Superfluous Functions
  • Take Advantage of Templates
  • Prevent Virtual Machines from Taking Over Resources
  • Isolate Virtual Machine Networks
  • Arp Cache Poisoning
  • VM Segmentation
  • Minimize Use of the VI ConsoleVirtual Machine Files and Settings
  • Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
  • Limit Data Flow from the Virtual Machine to the Datastore
  • SetInfo Hazard
  • Do Not Use Nonpersistent Disks
  • Ensure Unauthorized Devices are Not Connected
  • Prevent Unauthorized Removal or Connection of Devices
  • Avoid Denial of Service Caused by Virtual Disk Modification Operations
  • Specify the Guest Operating System Correctly
  • Verify Proper File Permissions for Virtual Machine Files
  • Configuring the Service Console in ESX 3.5
  • Configure the Firewall for Maximum Security
  • Limit the Software and Services Running in the Service Console
  • Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console
  • Use a Directory Service for Authentication
  • Strictly Control Root Privileges
  • Control Access to Privileged Capabilities
  • Establish a Password Policy for Local User Accounts
  • Do Not Manage the Service Console as if it were a Linux Host
  • Maintain Proper Logging
  • Establish and Maintain File System Integrity
  • Secure the SNMP Configuration
  • Protect against the Root File System Filling Up
  • Disable Automatic Mounting of USB Devices
• Best Practices ESXi
  • Configuring Host-level Management in ESXi 3.5
  • Strictly Control Root Privileges
  • Control Access to Privileged Capabilities
  • Maintain Proper Logging
  • Establish and Maintain Configuration File Integrity
  • Secure the SNMP Configuration
  • Ensure Secure Access to CIM
  • Audit or Disable Technical Support Mode
• Configuring the ESX/ESXi Host
  • Isolate the Infrastructure-related Networks
  • Configure Encryption for Communication between Clients and ESX/ESXi
  • Label Virtual Networks Clearly
  • Do Not Create a Default Port Group
  • Do Not Use Promiscuous Mode on Network Interfaces
  • Protect against MAC Address Spoofing
  • Secure the ESX/ESXi Host Console
  • Mask and Zone SAN Resources Appropriately
  • Secure iSCSI Devices through Authentication
• VirtualCenter
  • Set Up the Windows Host for VirtualCenter with Proper Security
  • Limit Administrative Access
  • Limit Network Connectivity to VirtualCenter
  • Use Proper Security Measures when Configuring the Database for VirtualCenter
  • Enable Full and Secure Use of Certificate-based Encryption
  • VirtualCenter Server Certificates Replacement
  • Pre-Installation
  • During Installation
  • Post-Installation
  • Use VirtualCenter Custom Roles
  • Document and Monitor Changes to the Configuration
  • VirtualCenter Add-on Components
  • VMware Update Manager
  • VMware Converter Enterprise
  • VMware Guided Consolidation
  • General Considerations
• Client Components
  • Restrict the use of Linux-based Clients
  • Verify the Integrity of VI Client
  • Monitor the Usage of VI Client Instances
  • Avoid the Use of Plain-Text Passwords

Appendix:

• The Basics of SAN Security, Part I
• Increasing Security Concerns
• Security Domains
  • Administrator-to-Security Management Domain
  • Host-to-Switch Domain
  • Security Management-to-Fabric Domain
• Switch-to-Switch Domain
• Data Integrity and Security
  • So What Is Zoning?
  • Zoning Types
  • Configuring Zoning Components
  • LUN Masking
  • Persistent Binding
  • Security Technologies
  • Host-to-Fabric
  • Summary and Conclusions
• Security Management Part 2
• Fibre Channel Security Management
• Authentication and Authorization
• Configuration Management
• SAN Access
• SAN Security Benefits
• Host-Based and Switch Based Mapping
• Controller-based Mapping
• WWN Privileged Access
• Redundancy
• Management
• Summary and Conclusions
• Appendix 1 – Malware
• Distributing Malware
• Malware Capabilities
• Netcat
  • Netcat Switches
• Executable Wrappers
• Avoiding Detection
• BPMTK
• Appendix 2 – SQL Injection
• What is SQL Injection?
• Why SQL Injection?
• Attacking Database Servers
  • SQL Ping2
  • osql.ex