Contents
Areas of understanding
VMKernel is the virtualization layer
VMware Virtual Centre
VMware suite of components
Datastore Files
Backup Options
Security areas
Security hardening
Virtual Infrastructure Client
Scalability Issues
Raw Device Mapping – RDM
References for Network Architecture (Management, VI Client, etc.)
Areas of understanding
– Virtual Machines
  o Can be granted access from the guest OS across the isolation boundary
  o Can access each other through a virtual switch
  o Isolate VMs through resource reservation
– Service Console
  o If compromised, the VMs are also at risk
  o The VMware Virtual Infrastructure Client uses SSL communications to the server
  o Tomcat web server on the ESX Server
VMKernel is the virtualization layer
– Virtualizes CPU, RAM, network and hard disk
  o Controls the hardware and schedules resource allocation
    Schedules by saving each time slice’s register values
  o Each VM has a Virtual Machine Monitor (VMM)
    Modifies each guest to run in a lower processor ring
    The VMM handles device driver requests
– CPU virtualisation
  o Binary translation
    Binary, on-demand, full instruction set
  o Prevents buffer overflows by performing length checks
– Memory virtualisation
  o Physical-to-virtual mapping
  o Transparent page sharing, i.e. pages common to several guest OSs are shared
– Virtual networking layer
  o All data communications go through this layer
    SAN, Ethernet, iSCSI, etc.
  o Includes
    Virtual switches
      • Can have VLANs
        o VM guest tagging (VGT), external switch tagging (EST), virtual switch tagging (VST)
    Virtual ports
      • Know the MAC address granted to the guest
      • Enable association between the guest OS and the virtual server it is on
    Virtual switches
      • One virtual switch per physical NIC
      • Each switch has its own forwarding table
      • Make private copies of all frame data
    Virtual network adapters
      • Connect to virtual ports on startup, migrate with VMotion
– Virtual storage
  o Guest OS I/O requests are handled by the correct driver in the VMM
  o Disk requests are handled in a round-robin fashion
  o For SAN-backed Fibre Channel (HBAs), the VM sees the SAN through a virtual SCSI driver
    No guest OS knowledge of WWNs, LUN info, etc.
  o The VMkernel uses VMFS (VM File System)
    A distributed file system and volume manager
  o One vmdk per guest OS
  o VMFS ensures co-operation between hosts accessing common LUNs
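The virtual-switch behaviour listed above (a port that knows its guest’s granted MAC, a per-switch forwarding table, private frame copies) is what the later hardening items “don’t use promiscuous mode” and “prevent MAC spoofing” rely on. The following is an added toy model written for these notes, not VMware code: the port names, MAC addresses and the two policy switches are constructed, and the real vSwitch also has an uplink path that this model leaves out.

```python
# Added illustration (not VMware code): a minimal model of the virtual
# switch behaviour the notes describe, with the two hardening controls
# "no promiscuous mode" and "reject forged source MACs" applied per port.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


@dataclass
class VirtualPort:
    name: str
    granted_mac: str            # MAC the VMkernel assigned to this guest's adapter
    promiscuous: bool = False   # hardening: leave False so the guest only sees its own traffic
    received: list = field(default_factory=list)


class VirtualSwitch:
    def __init__(self, reject_forged_transmits=True):
        self.ports = {}
        self.forwarding = {}                 # the switch's own table: MAC -> port name
        self.reject_forged_transmits = reject_forged_transmits
        self.dropped = []                    # (port, reason) records for audit/detection

    def connect(self, port):
        """Attach a virtual adapter; the port does not learn, it is told the granted MAC."""
        self.ports[port.name] = port
        self.forwarding[port.granted_mac.lower()] = port.name

    def transmit(self, port_name, frame):
        """Forward one frame from a port; returns the names of ports that received a copy."""
        src, dst = frame.src_mac.lower(), frame.dst_mac.lower()
        # MAC spoofing control: a guest may only send with the MAC it was granted
        if self.reject_forged_transmits and src != self.ports[port_name].granted_mac.lower():
            self.dropped.append((port_name, "forged source MAC"))
            return []
        if dst == BROADCAST:
            recipients = [n for n in self.ports if n != port_name]
        else:
            target = self.forwarding.get(dst)
            recipients = [target] if target and target != port_name else []
        # A promiscuous port receives a copy of every frame on the switch
        for name, port in self.ports.items():
            if port.promiscuous and name != port_name and name not in recipients:
                recipients.append(name)
        for name in recipients:
            # private copy of the frame data for each receiver
            self.ports[name].received.append(
                Frame(frame.src_mac, frame.dst_mac, bytes(frame.payload)))
        return recipients


def run_scenario():
    """Constructed scenario: three guests on one vSwitch with forged transmits rejected."""
    sw = VirtualSwitch(reject_forged_transmits=True)
    for name, mac in (("web", "00:50:56:00:00:01"),
                      ("db", "00:50:56:00:00:02"),
                      ("mon", "00:50:56:00:00:03")):
        sw.connect(VirtualPort(name, mac))
    out = {}
    out["unicast"] = sw.transmit("web", Frame("00:50:56:00:00:01", "00:50:56:00:00:02", b"SELECT 1"))
    out["broadcast"] = sw.transmit("web", Frame("00:50:56:00:00:01", BROADCAST, b"ARP who-has"))
    # "mon" sends with db's MAC as source: rejected and recorded
    out["forged"] = sw.transmit("mon", Frame("00:50:56:00:00:02", "00:50:56:00:00:01", b"spoofed"))
    out["dropped"] = list(sw.dropped)
    out["mon_saw_unicast"] = any(f.payload == b"SELECT 1" for f in sw.ports["mon"].received)
    # The weak setting: with promiscuous mode on, "mon" now receives web->db traffic
    sw.ports["mon"].promiscuous = True
    out["promiscuous_leak"] = sw.transmit("web", Frame("00:50:56:00:00:01", "00:50:56:00:00:02", b"SELECT 2"))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The `dropped` list is the part a defender cares about: on a real host the equivalent signal is the port-security counters on the vSwitch, which is what you would feed into monitoring to notice a guest that starts sending with a MAC it was never granted.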
VMware Virtual Centre
– Manages the creation and enforcement of resource pools
– Uses the ESX host root credentials to create a secure communication channel
VMware suite of components
– ESX Server
  o Common component
– VMFS
  o With “Infrastructure Enterprise Edition”
– Virtual SMP
  o With “Infrastructure Enterprise Edition”
– Virtual Centre
  o Components are:
    VC Management Server
    VC Database
    Virtual Infrastructure (VI) Client
    VC Agent
    VI Web Access
  o Add-on components
    DRS (Distributed Resource Scheduler)
      • With “Infrastructure Enterprise Edition”
    VMotion (manually move a VM between hosts)
      • With “Infrastructure Enterprise Edition”
    HA (high availability)
      • With “Infrastructure Enterprise Edition”
– Consolidated Backup
Datastore Files
– The files located within a VM’s datastore are:
  o LOG: log of the VM’s activity
  o NVRAM: BIOS information for the VM
  o VMDK: the virtual hard drive
  o VMEM: backup of the VM’s paging file
  o VMSD: metadata about the snapshots
  o VMSN: the state of the VM at the time the snapshot was taken
  o VMSS: suspended-state file
  o VMTM: team data configuration
  o VMX: text file of the VM’s configuration (i.e. disk size, networking, etc.)
  o VMXF: supplemental configuration file for VMs in a team
  o VSWP: virtual memory swap file, used when an overcommitted host has exhausted all its physical memory
Backup Options
– CX300 SnapView
  o Creates a duplicate of the VMware LUN
    Advantages
      • Seamless, no downtime
      • Separates the DMZ LAN from the production LAN
    Disadvantages
      • Can’t restore a portion of the LUN (i.e. one vmdk)
– VMware Consolidated Backup
  o Creates vmdk-based backups
    Advantages
      • Granular
    Disadvantages
      • A single LUN is exposed to both the VM management and internal networks
Security areas
– Need to prevent hyperthreading
  o The basic operation is multiplexing, but with hyperthreading two guest OSs can be on one CPU simultaneously
– It is possible for a guest OS to access memory outside what the virtual server gives it
– Disable transparent page sharing
– VMware only tracks published exploits up to “RedHat Linux 3, Update 6”
– Possibility of VLAN crossing (exploits)
– ESX v2.5 is at EAL2 level (structurally tested for vulnerabilities)
– Possibility of “fingerprinting” a guest OS (i.e. determining that it is being hosted by VMware)
Security hardening
– Guest OS (VM)
  o Disable copy-paste between the guest OS and the remote console
  o Enforce resource allocation
  o Disable logging for the VM (OS and Tools)
  o Separate physical NIC
  o Use RDP to interact with the VM
  o Secure the Service Console
    ESX Server management clients are OK; it is the other clients that are the concern
    Best on a separate physical network
    Use the maximum security setting for the firewall
    Use the VI Client or Virtual Centre
    Reduce the number of services running
    Enforce password policies
  o Use AD for ESX host account authentication
  o Don’t use the root account for administration
  o Maintain logging of activity
  o Change the SNMP configuration from the default
– ESX Server host
  o Don’t create the default port group
  o Use an isolated network for VMotion
  o Don’t use promiscuous mode
  o Set up to prevent MAC spoofing
  o Use GRUB passwords on the console during boot
  o Use SAN zoning and masking
  o Ensure proper disk partitioning for the host
– Virtual Centre
  o Harden the Windows OS that it runs on
  o Don’t run VC as local admin
  o Physically isolate the network that this host is on
    It will be actively communicating with hosts and clients
  o Install the DB on a separate server
  o Use non-default certificates
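Several of the guest-OS items above (copy-paste isolation, VM logging) and the earlier “disable transparent page sharing” point are settings in the VM’s .vmx file, which is the plain `key = "value"` text file listed under Datastore Files. The script below is an added example written for these notes, not a VMware tool: it parses a .vmx and reports which of those settings are missing or permissive. The key names (`isolation.tools.copy.disable`, `isolation.tools.paste.disable`, `sched.mem.pshare.enable`, `logging`, `log.rotateSize`, `log.keepOld`) are taken from VMware’s later hardening guidance; that a given ESX release honours each of them is an assumption, and the two sample .vmx files are constructed.

```python
# Added example, not VMware's code: audit a .vmx file for the guest-VM
# hardening items in these notes. The .vmx format is one `key = "value"` per line.
# Key names come from VMware's published hardening guidance; whether a given
# ESX release honours each key is an assumption of this example.
import re

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Isolation settings: expected hardened value per key (assumed key names)
ISOLATION_CHECKS = {
    "isolation.tools.copy.disable": "TRUE",   # no clipboard copy via the remote console
    "isolation.tools.paste.disable": "TRUE",  # no clipboard paste via the remote console
    "sched.mem.pshare.enable": "FALSE",       # opt this VM out of transparent page sharing
}
LOG_BOUNDS = ("log.rotateSize", "log.keepOld")


def parse_vmx(text):
    """Return the .vmx file as a dict; lines that are not key = "value" are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def audit_vmx(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in ISOLATION_CHECKS.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key} not set; the permissive default applies")
        elif have.upper() != want:
            findings.append(f'{key} = "{have}", expected "{want}"')
    # VM logging: the notes say disable it; if it stays on, at least bound the log size
    if cfg.get("logging", "TRUE").upper() != "FALSE":
        missing = [k for k in LOG_BOUNDS if k not in cfg]
        if missing:
            findings.append("logging enabled without " + ", ".join(missing))
    return findings


# Constructed sample: a VM that has had only part of the hardening applied
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "4"
displayName = "web01"
memsize = "1024"
scsi0:0.fileName = "web01.vmdk"
ethernet0.networkName = "Production"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
sched.mem.pshare.enable = "TRUE"
log.rotateSize = "100000"
"""

# Constructed sample with every check satisfied
HARDENED_VMX = (SAMPLE_VMX
                .replace('isolation.tools.paste.disable = "false"',
                         'isolation.tools.paste.disable = "TRUE"')
                .replace('sched.mem.pshare.enable = "TRUE"',
                         'sched.mem.pshare.enable = "FALSE"')
                + 'log.keepOld = "10"\n')

if __name__ == "__main__":
    for name, text in (("web01 (partial)", SAMPLE_VMX), ("web01 (hardened)", HARDENED_VMX)):
        print(name, "->", audit_vmx(text) or ["no findings"])
```

Run it over every .vmx on a datastore (they are plain files, so the Service Console or a backup copy works) and treat any non-empty result as drift from the hardening baseline; values are compared case-insensitively because the .vmx files written by different tools mix `TRUE` and `true`.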
Virtual Infrastructure Client
– When the VI Client connects to the VC Management Server:
  o Features enabled are logical data centres and clusters/resource pools for HA and DRS
    http://www.markwilson.co.uk/blog/2006/08/introduction-to-vmware-infrastructure.htm
  o All ESX Server systems are referred to as hosts; those connected to directly are called standalone hosts
    http://pubs.vmware.com/vi301/admin/wwhelp/wwhimpl/common/html/wwhelp.htm?context=admin&file=BSA_Inventory.9.2.html
– Need to enable certificate verification and patch the client
  o http://securitytracker.com/alerts/2006/Nov/1017270.html
– Active Directory integration
  o http://blog.baeke.info/blog/Technologies/VirtualMachines/_archives/2006/10/13/2414173.html
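The “enable certificate verification” item is about the client side of the SSL channel the VI Client and Virtual Centre use: a client that accepts any server certificate can be pointed at an impostor management server. The block below is an added example (not the VI Client’s code) showing what a verifying management client does in Python: it requires a trusted, name-matching certificate and additionally pins the SHA-256 fingerprint recorded from the real VC server. The host name, port, CA file and pinned value are placeholders; the bytes hashed in the usage example are constructed, not a real certificate.

```python
# Added example, not the VI Client's code: connect to a VirtualCenter or ESX
# management endpoint only if the server certificate verifies AND matches a
# fingerprint recorded out of band. Host, port, CA file and the pinned value
# are placeholders to be replaced with the real VC server's details.
import hashlib
import hmac
import socket
import ssl


def build_verifying_context(ca_file=None):
    """TLS context that rejects untrusted or mismatched server certificates."""
    ctx = ssl.create_default_context(cafile=ca_file)   # ca_file: the CA that signed the VC cert
    ctx.check_hostname = True                           # name in the cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED                 # no valid certificate, no connection
    return ctx


def context_is_strict(ctx):
    """True when the context will refuse unverified or mismatched peers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_fingerprint(der_cert):
    """Colon-separated SHA-256 fingerprint, the form most certificate viewers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, pinned):
    """Constant-time comparison against the fingerprint noted from the VC server."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), pinned.upper())


def connect_pinned(host, port, pinned, ca_file=None):
    """Open a verified TLS session and additionally pin the peer certificate."""
    ctx = build_verifying_context(ca_file)
    raw = socket.create_connection((host, port), timeout=10)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:    # raises on CA or name failure
        der = tls.getpeercert(binary_form=True)
        if not fingerprint_matches(der, pinned):
            raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
        return tls.version()


if __name__ == "__main__":
    # Placeholders: replace with the VirtualCenter server and its recorded fingerprint
    VC_HOST, VC_PORT = "virtualcenter.example.internal", 443
    PINNED = "00:" * 31 + "00"
    try:
        print("negotiated", connect_pinned(VC_HOST, VC_PORT, PINNED))
    except (OSError, ssl.SSLError) as exc:
        print("refused:", exc)
```

The pin is the complement to “use non-default certificates” on the Virtual Centre side: once the VC server has its own certificate, record its fingerprint through a trusted path and refuse any session where the presented certificate differs, even if it chains to a CA the client trusts.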
Scalability Issues
– Measures of scalability
  o Throughput
    Factors affecting it: Fibre Channel, outstanding I/O requests, number of spindles, RAID type, SCSI reservations, caching/prefetching algorithms
  o Latency
    Factors affecting it: queue request size, disk properties (rotation, seek and access delays), SCSI reservations, caching/prefetching algorithms
– Factors affecting the scalability of ESX storage
  o Number of active commands
    Reduce queueing by matching the VMs’ I/O to the capabilities of the storage array
  o SCSI reservations
    Undertake VM admin tasks at off-peak times
  o Total link bandwidth
    Watch for link saturation: latency goes up as the number of VMFS volumes per path goes up
– Reference:
  o http://www.vmware.com/files/pdf/scalable_storage_performance.pdf
Raw Device Mapping – RDM
What is VMFS & RDM
– VMFS is the VMware file system. It allows concurrent access by multiple hosts to a shared VMFS volume
– RDM is a mapping file within a VMFS volume that acts as a proxy for a raw physical device
  o Virtual mode: fully virtualizes the mapped device, i.e. it appears as a VMDK file on a VMFS volume
  o Physical mode: minimal SCSI virtualization; exposes all underlying LUN characteristics
Performance differences
– For random read/write, VMFS and RDM have similar I/O
– For sequential read/write:
  o RDM has better I/O performance for block sizes 32kB
References for Network Architecture (Management, VI Client, etc.)
– VMware Web Services SDK open to brute force attacks
  o http://www.vminformer.com/997/
– VMware WebAccess multiple vulnerabilities
  o http://www.securiteam.com/securitynews/5VP2X2A1PI.html
  o http://www.auscert.org.au/render.html?it=12581
  o http://www.securityfocus.com/archive/1/508484
  o http://seclists.org/fulldisclosure/2009/Dec/344
– VMware ESX Web Access in vSphere
  o http://itknowledgeexchange.techtarget.com/virtualization-pro/vmware-esx-web-access-in-vsphere/
– Virtual Centre – Web Access
  o http://vmzare.wordpress.com/2007/02/21/virtual-center-web-access/
  o http://pubs.vmware.com/vsp40u1/wwhelp/wwhimpl/js/html/wwhelp.htm#href=webaccess/t_run_the_vsphere_web_access_service_on_vcenter_server.html
  o http://search.vmware.com/search?q=viclient+best+practice+firewall&cn=vmware&cc=www&client=VMware_Site&entqr=0&ud=1&output=xml_no_dtd&proxystylesheet=VMware_gsa_Site&oe=UTF-8&ie=UTF-8&sort=date%3AD%3AL%3Ad1&site=VMware_Site&ip=210.87.60.17&access=p&start=10
– VMware VirtualCentre agent for VMware Server
  o http://www.greymatter.com/product/VMware/VMware-VirtualCenter-Agent-For-VMware-Server/381281
– Web Service FAQs
  o http://www.vmware.com/support/developer/vc-sdk/WS_FAQs.html
  o http://search.vmware.com/search?cn=vmware&cc=www&client=VMware_Site&entqr=0&ud=1&output=xml_no_dtd&proxystylesheet=VMware_gsa_Site&site=VMware_Site_technical_resources&ie=UTF-8&oe=UTF-8&q=web service&x=0&y=0
– Configuring VirtualCentre Management Server options
  o http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/storage-management/configuring-vmware-virtualcenter-management-server.html
– VMware HA guidelines
  o http://www.vmwarewolf.com/vmware-ha-guidelines-and-best-practices/
  o http://sessions.vmworld.com/mgrCourse/launchCourse.cfm?mL_method=player
  o http://mylearn.vmware.com/courseware/11081/PS_BC10_289341_166-1_FIN_v5.pdf
– ESX Configuration Guide
  o http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esx_server_config.pdf
– Virtual network design, configuration and management guide
  o http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1356927,00.html
– Avoid high-risk data commingling with VMware virtual networks to prevent security vulnerabilities
  o http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1342649,00.html
– Five ways to administer a VMware ESX Server
  o http://www.petri.co.il/5_ways_to_adminster_esx_server.htm
– RDM
  o http://www.virtual-strategy.com/2009/01/22/top-10-things-you-must-read-about-vmfs-and-virtual-disks
  o http://www.vmware.com/files/pdf/vmfs_rdm_perf.pdf