VMWare: Intro

Areas of understanding
VMKernel is the virtualization layer
VMWare Virtual Centre
VMWare Suite of components
Datastore Files
Backup Options
Security areas
Security hardening
Virtual Infrastructure Client
Scalability Issues
Raw Device Mapping – RDM
References for Network Architecture (Management, viClient, etc)

Areas of understanding
– Virtual Machines
o Isolated from each other by default; any access from one guest OS to another has to be explicitly granted across that isolation boundary
o Can reach each other through a virtual switch (once connected to the same port group)
o Isolate VMs' resource usage through reservations & limits so one VM can't starve another
– Service Console
o If compromised, every VM on the host is also at risk
o The VMWare Virtual Infrastructure client uses SSL comm's to the server
o A Tomcat Web Server runs on the ESX Server (for web access)

VMKernel is the virtualization layer
– virtualizes CPU, RAM, N/W, HD
o controls the hardware & schedules resource allocation
 schedules by saving & restoring each VM's CPU register state at each time slice
o each VM has a VM Monitor (VMM)
 runs the guest kernel in a less privileged processor ring (the VMM keeps ring 0), translating its privileged instructions at run time rather than modifying the guest on disk
 VMM handles device driver requests
– CPU Virtualisation
o Binary translation
 Input is binary x86 code, translated on demand, over the full instruction set
 Length checks in the translator guard against buffer overflows
– Memory Virtualisation
o Two-level mapping: guest "physical" addresses are mapped onto host machine memory
o Transparent page sharing: identical pages across guest OS's are backed by one copy-on-write physical page
– Virtual Networking Layer
o all data comm’s through this layer
 SAN, Ethernet, iSCSI, etc
o Includes
 Virtual Switches
• Support VLANs (802.1Q tagging)
o VM guest tagging (VGT), External Switch tagging (EST), Virtual Switch tagging (VST)
 Virtual ports
• Know the MAC address granted to the guest's virtual NIC
• Tie the guest OS to the virtual switch/host it is on
 Virtual switches
• A physical NIC (uplink) belongs to at most one virtual switch; a switch may have several uplinks (or none, for an internal-only network)
• Each switch has its own forwarding table
• Make private copies of any frame data used for forwarding or filtering decisions, so a guest can't alter a frame after inspection
 Virtual Network Adapters
• Connect to virtual ports on startup; the connection migrates with VMotion
– Virtual Storage
o Guest OS I/O requests are handled by the correct driver in the VMM
o Disk requests are serviced in a round-robin fashion across VMs
o For Fibre Channel SAN storage (HBAs), the VM sees the SAN through a virtual SCSI adapter
 No guest OS knowledge of WWN, LUN info, etc
o VMKernel uses VMFS (VM File System)
 A distributed file system & volume manager
o At least one vmdk (virtual disk) per VM
o VMFS coordinates hosts accessing common LUNs with on-disk locks (SCSI reservations during metadata updates)
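How a virtual port enforces the identity of the guest behind it, as an added example that is not VMware's code: the three per-port security policies of a standard virtual switch (Promiscuous Mode, MAC Address Changes, Forged Transmits, each Accept or Reject) modelled in Python. The class and function names and the sample MAC addresses are constructed for this illustration; the Accept/Reject semantics follow VMware's documentation for standard vSwitches.

```python
"""Added example, not VMware code: a small model of the per-port security
policy on an ESX standard virtual switch. Class/function names and the sample
MAC addresses are constructed for illustration; the Accept/Reject semantics
follow VMware's documentation of the three policies."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VirtualPort:
    """A virtual port knows the MAC granted to the guest in its .vmx
    (initial_mac) and the MAC the guest currently presents (effective_mac)."""
    initial_mac: str
    effective_mac: str = ""
    allow_promiscuous: bool = False       # Promiscuous Mode: Reject
    allow_mac_changes: bool = False       # MAC Address Changes: Reject
    allow_forged_transmits: bool = False  # Forged Transmits: Reject

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()


def guest_sets_mac(port, new_mac):
    """Guest OS tries to change its NIC's MAC (e.g. 'ifconfig eth0 hw ether').
    Under MAC Address Changes = Reject the switch refuses to re-bind the port,
    so inbound frames for the spoofed MAC are never delivered to the guest."""
    new_mac = new_mac.lower()
    if new_mac != port.initial_mac and not port.allow_mac_changes:
        return False
    port.effective_mac = new_mac
    return True


def outbound_allowed(port, src_mac):
    """Forged Transmits = Reject drops every outbound frame whose source MAC is
    not the port's effective MAC (the classic MAC-spoofing case)."""
    if src_mac.lower() == port.effective_mac:
        return True
    return port.allow_forged_transmits


def inbound_delivered(port, dst_mac):
    """A port sees unicast frames for its own effective MAC and broadcasts;
    other unicast traffic on the switch reaches it only with Promiscuous
    Mode = Accept (multicast is left out of this model)."""
    dst = dst_mac.lower()
    if dst in (port.effective_mac, BROADCAST):
        return True
    return port.allow_promiscuous


def spoof_attempt(hardened):
    """One guest (granted 00:50:56:aa:bb:01) tries to impersonate another VM
    (00:50:56:aa:bb:02). hardened=True sets all three policies to Reject,
    hardened=False sets all three to Accept. Returns what the switch allows."""
    port = VirtualPort("00:50:56:AA:BB:01",
                       allow_promiscuous=not hardened,
                       allow_mac_changes=not hardened,
                       allow_forged_transmits=not hardened)
    victim = "00:50:56:aa:bb:02"
    return {
        "mac_change_accepted": guest_sets_mac(port, victim),
        "forged_frame_sent": outbound_allowed(port, victim),
        "sniffs_victim_traffic": inbound_delivered(port, victim),
    }


if __name__ == "__main__":
    print("all Reject:", spoof_attempt(True))
    print("all Accept:", spoof_attempt(False))
```

The policies are enforced at the port, not in the guest: a compromised guest can still reconfigure its own NIC locally, it simply stops receiving and sending as the spoofed address. The caveat is that some workloads legitimately change or forge MACs (Microsoft NLB in unicast mode is the usual case), so Reject on MAC Address Changes / Forged Transmits has to be set per port group rather than blindly across the switch.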

VMWare Virtual Centre
– manages the creation & enforcement of resource pools across hosts
– root credentials of the ESX host are used once, when the host is added, to install the VC agent; after that VC communicates with the host over an SSL channel using its own agent account rather than root

VMWare Suite of components:
– ESX Server
o Common component (present in every edition)
o Included in “Infrastructure Enterprise Edition”
– Virtual SMP (multiple virtual CPUs per VM)
o Included in “Infrastructure Enterprise Edition”
– Virtual Centre
o Components are:
 VC Management Server
 VC Database
 Virtual Infrastructure (VI) Client
 VC Agent (installed on each managed ESX host)
 VI Web Access
o Add-on components
 DRS (Distributed Resource Scheduler: automatic VM placement & load balancing across a cluster)
• with “Infrastructure Enterprise Edition”
 VMotion (live migration of a running VM between hosts; manual unless driven by DRS)
• with “Infrastructure Enterprise Edition”
 HA (high availability: restarts VMs on surviving hosts after a host failure)
• with “Infrastructure Enterprise Edition”
– Consolidated Backup (VCB)

Datastore Files
– The files located within a VM's datastore directory are:
o LOG: log of the VM's activity (vmware.log)
o NVRAM: BIOS settings for the VM
o VMDK: the virtual hard drive (descriptor file plus the -flat data file)
o VMEM: the VM's paging file, backing guest memory on the host file system
o VMSD: metadata about the snapshots
o VMSN: the state of the VM at the time a snapshot was taken
o VMSS: suspended state file
o VMTM: team data config
o VMX: text file holding the VM's config (disk size, networking, hardening options, etc)
o VMXF: supplemental config file for VMs in a team
o VSWP: virtual memory swap file, created at power-on and used once an overcommitted host has exhausted its physical memory

Backup Options
– EMC CLARiiON CX300 SnapView (array-level snapshot/clone of the LUN)
o Creates a duplicate of the whole VMWare LUN
 Adv
• Seamless, no down-time for the VMs
• Keeps the DMZ LAN separate from the Production LAN
 Disadv
• Can't restore a portion of the LUN (ie, a single vmdk); it is all or nothing
– VMWare Consolidated Backup
o Creates vmdk-based (per-VM) backups via a backup proxy
 Adv
• Granular: individual VMs can be restored
 Disadv
• A single LUN is exposed to both the VM management & internal networks through the proxy, so the proxy itself needs hardening

Security areas
– consider disabling hyperthreading
o a core is normally time-multiplexed between VMs, but with hyperthreading two guest OS's can execute on the same physical core simultaneously and share its caches (a side channel between guests of different trust levels)
– risk of a guest OS accessing memory outside what the hypervisor has given it (an isolation failure in the VMM)
– disable transparent page sharing where guests of different trust levels share a host (shared pages weaken the isolation between them)
– VMWare only tracks published exploits against the service console's base OS, “RedHat Linux 3, Update 6”
– possibility of VLAN hopping (exploits crossing VLANs on the virtual or physical switch)
– ESX V2.5 is certified at Common Criteria EAL2 (“structurally tested”)
– possibility of “fingerprinting” a guest OS (ie, determining that it is being hosted by VMWare)

Security hardening
– Guest OS (VM)
o Disable copy-paste between Guest OS & Remote Console (isolation.tools.copy/paste settings in the .vmx)
o Enforce resource allocation (reservations & limits) so one VM can't starve the others
o Limit, or disable, logging generated by the VM & VMware Tools so a guest can't fill the datastore (host-side logging of admin activity stays on, see below)
o Separate physical NIC for the guest network
o Use RDP (or SSH for Linux guests) to interact with the VM rather than the remote console
o Secure the Service Console
 Only ESX server management clients should reach it; block all other hosts
 Best placed on a separate physical (management) network
 Run the service console firewall at its highest security setting (block by default, open only the ports needed)
 Manage through the VI Client or VirtualCentre, not ad-hoc tools on the console
 Reduce the number of services running
 Enforce password policies
o Use AD for ESX Host account authentication
o Don't use the root account for day-to-day admin (sudo from a named account)
o Maintain logging of admin activity on the host
o Change the SNMP config from the default (community strings)

– ESX Server Host
o Don't use the default port group (“VM Network”); create purpose-specific port groups
o Use an isolated network for VMotion (VM memory crosses the wire unencrypted)
o Don't allow promiscuous mode: vSwitch security policy Promiscuous Mode = Reject
o Prevent MAC spoofing: vSwitch security policy MAC Address Changes = Reject and Forged Transmits = Reject
o Use a GRUB password so boot parameters can't be edited at the console
o Use SAN zoning & LUN masking so hosts see only their own LUNs
o Ensure proper disk partitioning for the host (separate partitions for /var/log, /tmp, /home so logs or uploads can't fill /)

– Virtual Centre
o Harden the Windows OS that this runs on
o Don't run the VC service as the local administrator; use a dedicated service account with least privilege
o Physically isolate the network that this host is on
 It will be actively communicating with hosts and clients
o Install the database on a separate server
o Replace the default (self-signed) certificates with your own
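The guest-OS items above (copy/paste, logging limits) and the "disable transparent page sharing" point under Security areas are set per VM in its .vmx file. The following added example, which is not VMware's code, parses a .vmx and reports which hardening keys are missing or weaker than wanted. The key names and log limits are taken from VMware's VI3-era hardening guidance and sched.mem.pshare.enable is the documented per-VM switch for page sharing (the host-wide form is the Mem.ShareScanGHz = 0 advanced setting); treat the exact values as assumptions to check against the guide for the ESX release in use. The sample .vmx is constructed.

```python
"""Added example, not VMware code: audit a VM's .vmx against the guest-OS
hardening items in these notes. The sample .vmx below is constructed; the
key names/values come from VMware hardening guidance and should be checked
against the guide for the ESX release in use."""
import re

# key (lower-case) -> value the hardened VM must carry
HARDENED = {
    "isolation.tools.copy.disable": "TRUE",     # no copy from the remote console
    "isolation.tools.paste.disable": "TRUE",    # no paste into the guest
    "isolation.tools.setinfo.disable": "TRUE",  # guest can't write info via Tools
    "sched.mem.pshare.enable": "FALSE",         # per-VM transparent page sharing off
}
# limit logging rather than switching it off: max bytes per log file, files kept
LOG_LIMITS = {"log.rotatesize": 100000, "log.keepold": 10}

# .vmx lines look like:   key = "value"   (quotes are optional in practice)
_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Return {lower-case key: value} for every key = "value" line."""
    cfg = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit(cfg):
    """Return a list of (key, expected, actual) findings; empty means hardened.
    actual is None when the key is absent (ESX then uses its built-in default,
    which is the permissive one for every key checked here)."""
    findings = []
    for key, want in HARDENED.items():
        have = cfg.get(key)
        if have is None or have.upper() != want:
            findings.append((key, want, have))
    for key, limit in LOG_LIMITS.items():
        have = cfg.get(key)
        if have is None or not have.isdigit() or int(have) > limit:
            findings.append((key, "<= %d" % limit, have))
    return findings


# constructed sample: one hardening key present, the logging cap too generous
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "4"
displayName = "web01"
memsize = "1024"
scsi0:0.fileName = "web01.vmdk"
ethernet0.networkName = "VM Network"
ethernet0.address = "00:50:56:00:00:01"
isolation.tools.copy.disable = "TRUE"
log.rotateSize = "500000"
"""

if __name__ == "__main__":
    for key, want, have in audit(parse_vmx(SAMPLE_VMX)):
        print("%-34s expected %-10s found %r" % (key, want, have))
```

Edits to a .vmx only take effect at the VM's next power-on, and the guest has no way to read them back, so this check belongs in the host-side build/review process rather than inside the VM.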

Virtual Infrastructure Client
– when the VI Client connects to a VC Management Server (rather than directly to a host):
o additional features are enabled: logical data centres and clusters/resource pools for HA & DRS
o All ESX server systems are referred to as hosts; a host the client connects to directly is called a standalone host
– Need to enable certificate verification in the client & patch the client
o http://securitytracker.com/alerts/2006/Nov/1017270.html
– Active Directory integration
o http://blog.baeke.info/blog/Technologies/VirtualMachines/_archives/2006/10/13/2414173.html

Scalability Issues
– Measures of scalability
o Throughput
 Factors affecting it: Fibre Channel link speed, outstanding I/O requests, # of spindles, RAID type, SCSI reservations, caching/prefetching algorithms
o Latency
 Factors affecting it: queue request size, disk properties (rotation, seek & access delays), SCSI reservations, caching/prefetching algorithms
– Factors affecting scalability of ESX storage
o Number of active commands
 Reduce queueing by matching the VMs' I/O to the capabilities of the storage array
o SCSI reservations (taken by VMFS for metadata changes: create, extend, snapshot)
 Undertake VM admin tasks in off-peak times
o Total link bandwidth
 Watch for link saturation: latency goes up as the number of VMFS volumes sharing a path goes up
– Reference:
o http://www.vmware.com/files/pdf/scalable_storage_performance.pdf

Raw Device Mapping – RDM
What are VMFS & RDM
– VMFS is the VMWare file system. Allows concurrent access by multiple hosts to a shared VMFS volume
– RDM is a mapping file within a VMFS volume that acts as a proxy for a raw physical device (LUN)
o Virtual mode: fully virtualizes the mapped device, i.e. to the VM it appears like a VMDK file on a VMFS volume (snapshots possible)
o Physical mode: minimal SCSI virtualization. Exposes all underlying LUN characteristics to the guest (needed for e.g. SAN management agents or clustering across physical hosts; no snapshots)

Performance differences
– For random read/write, VMFS and RDM have similar I/O
– For sequential read/write:
o RDM has better I/O performance for block sizes 32kB

References for Network Architecture (Management, viClient, etc)
– VMWare Web Services SDK open to Brute Force Attacks
o http://www.vminformer.com/997/

– VMWare WebAccess multiple vulnerabilities
o http://www.securiteam.com/securitynews/5VP2X2A1PI.html
o http://www.auscert.org.au/render.html?it=12581
o http://www.securityfocus.com/archive/1/508484
o http://seclists.org/fulldisclosure/2009/Dec/344

– VMWare ESX Web access in vSphere
o http://itknowledgeexchange.techtarget.com/virtualization-pro/vmware-esx-web-access-in-vsphere/

– Virtual Centre – Web access
o http://vmzare.wordpress.com/2007/02/21/virtual-center-web-access/
o http://pubs.vmware.com/vsp40u1/wwhelp/wwhimpl/js/html/wwhelp.htm#href=webaccess/t_run_the_vsphere_web_access_service_on_vcenter_server.html
o http://search.vmware.com/search?q=viclient+best+practice+firewall&cn=vmware&cc=www&client=VMware_Site&entqr=0&ud=1&output=xml_no_dtd&proxystylesheet=VMware_gsa_Site&oe=UTF-8&ie=UTF-8&sort=date%3AD%3AL%3Ad1&site=VMware_Site&ip=

– VMWare VirtualCentre agent for VMWare Server
o http://www.greymatter.com/product/VMware/VMware-VirtualCenter-Agent-For-VMware-Server/381281

– Web Service FAQs
o http://www.vmware.com/support/developer/vc-sdk/WS_FAQs.html
o http://search.vmware.com/search?cn=vmware&cc=www&client=VMware_Site&entqr=0&ud=1&output=xml_no_dtd&proxystylesheet=VMware_gsa_Site&site=VMware_Site_technical_resources&ie=UTF-8&oe=UTF-8&q=web service&x=0&y=0

– Configuring VirtualCentre Management Server Options
o http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/storage-management/configuring-vmware-virtualcenter-management-server.html

– VMWare HA Guidelines
o http://www.vmwarewolf.com/vmware-ha-guidelines-and-best-practices/
o http://sessions.vmworld.com/mgrCourse/launchCourse.cfm?mL_method=player
o http://mylearn.vmware.com/courseware/11081/PS_BC10_289341_166-1_FIN_v5.pdf

– ESX Configuration Guide
o http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esx_server_config.pdf

– Virtual network design, configuration and management guide
o http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1356927,00.html

– Avoid high-risk data commingling with VMWare virtual networks to prevent security vulnerabilities
o http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1342649,00.html

– Five ways to administer a VMWare ESX Server
o http://www.petri.co.il/5_ways_to_adminster_esx_server.htm

o http://www.virtual-strategy.com/2009/01/22/top-10-things-you-must-read-about-vmfs-and-virtual-disks
o http://www.vmware.com/files/pdf/vmfs_rdm_perf.pdf


Posted March 1, 2013 by terop
