VMware vSphere Security Design Training

Section 1: Course Introduction

Lesson 1 - Getting Started with VMware vSphere Security Design Training

In this lesson learn what makes vSphere security such an important topic for you and your company. You’ll find out what the course will cover as well as the basics of building a vSphere lab that you could use to practice the configurations you’ll learn in the course.

• Why vSphere Security is Critical Knowledge
• What You Will Learn in This Course
• Lab Setup

Lesson 2 - About Your Instructors

Find out who Jason Nash and Lane Leverett are, their qualifications, and why they make such excellent vSphere security instructors.

• About Jason Nash
• About Lane Leverett

Lesson 3 - Introduction to Information Security Concepts

This lesson provides a fundamental base of understanding for system and information security, specifically as it relates to virtualization security.

• The Many Layers of Security in a Virtual Environment
• The Fundamentals: A Security Primer
• AAA: Authentication, Authorization, and Accounting
• Standard Terminology
• CIA: Confidentiality, Integrity, and Availability
• The Different Shapes and Sizes of Potential Attackers
• The Steps of an Attempted Attack
• The Process for Developing and Maintaining Good Security
• Security Tools

Section 2: Information Security Concepts

Lesson 4 - Security Priorities in a Virtual Environment

Explore how security is different a virtual environment, dispel common virtualization security concerns, find out the impact of security in a virtual infrastructure, and learn what VMware is doing about security.

• Is Virtualization Secure?
• Is The Hypervisor a Security Weakness?
• Encapsulation
• Common Worries About virtualization Security
• Types of Security Threats
• Impact of Virtualization of Security
• What is VMware Doing About Security?
• Regular Tasks a Good Admin Should Perform

Lesson 5 - Security Technologies

In this lesson you will learn technologies, features, and options for securing your vSphere environment. You will also learn how to control who has access to your virtual infrastructure as well as how to keep maintain that level of security for the long term.

• What do I Need to Protect What?
• Pairing Assets to Security Technology
• vSphere Authentication
• Who Has Access to Your Environment?
• Creating Local VSphere Users
• VSphere Host Authentication
• Integration with active Directory
• The VI Firewall
• Integrating Security in with the Hypervisor by Using VMsafe
• Using vShield to Secure Application and Guests
• Keeping Hosts and Guests Updated with Update Manager

Section 3: Security in Virtual Networks

Lesson 6 - vNetwork Security Architecture

This lesson will give you an overview of how security impacts the selection, deployment, and management of the vNetwork. Instructor Jason Nash also details recommendations and common mistakes seen in production environments.

• Deployment Types for Different Trust Zones
• Partially Collapsed with Separate Physical Trust Zones
• Partially Collapsed with Separate Virtual Trust Zones
• Fully Collapsed Trust Zones
• Top 10 Common Mistakes and Recommendations
• Security Considerations with the Standard vSphere vSwitch
• Security Considerations with the vSphere vdSwitch
• Layering Additional Functionally with the Cisco Nexus 1000v
• Protecting Your Management Communications
• Isolating Management

Lesson 7 - Securing vNetwork Configuration

Learn about implementing vNetwork security with features like VLANs, PVLANs, and trust zones. Also, you will get an introduction to using the Cisco Nexus 1000v Distributed Switch.

• Security Considerations in Your vNetwork Design
• Configuring the vNetwork for Different Trust Zones
• Implementing VLANs and Network Separation
• Using and Configuring Private VLANs (PVLANS)
• vSwitch Security Configuration
• Using and Configuring the vSphere dvSwitch
• Overview of the Cisco Nexus 1000v Distributed Switch
• Deployment and Configuration of the Cisco Nexus 1000v Distributed Switch
• Configure Physical and VM Port-Groups

Section 4: Protecting vCenter

Lesson 8 - Working with SSL Certificates

This lesson discusses how to use SSL Certificates, whether from a certificate authority or self signed, to secure vCenter communications.

• An Overview on How SSL Works and Why We Use It
• How VMware Uses SSL
• Example of an SSL Negotiation
• Let’s Talk About Digital Certificates
• Getting Reid of That Annoying SSL Warning when I Log in to vCenter!
• Using Internal Versus Generating “Real” Certificates
• Protect Your Certificates!
• Installing Your Own Certificates
• About the Digital Certificate Files
• How to Replace Existing SSL Certificates

Lesson 9 - Hardening the vCenter Server System

Appling security’s triple A (Authentication, Authorization, and Accounting) to harden the underlying operating system, vCenter, and the vSphere Client. Finally, find out how to monitor vCenter logs to know that the infrastructure is secure.

• Authentication, Authorization, and Accounting with vCenter
• Best Practices for Deploying and Protecting vCenter
• Hardening the Underlying Operating System
• Don’t forget the vSphere Client!
• Monitoring the vCenter Logs

Section 5: Protecting ESX/ESXi Host Systems

Lesson 10 - ESX and ESXi Security Architecture

In this lesson you will learn the difference between ESX Classic and ESXi Server when it comes to security. You will also learn about security at each layer of ESX/ESXi as well as how to secure the ESX service console.

• Why is ESXi More Secure Than ESX Classic – or is It?
• The Virtualization Layer, Virtual Network Layer, and Virtual Machine Layer
• What is the Service Console/Management Interface and Why Does It Need to Be Secured?

Lesson 12 - Hardening ESX and ESXi Host Systems

Based on the vSphere security hardening guide, this lesson shows you, step by step, how to take a base ESX/ESXi installation and give it heavy-duty security.

• ESX Hardening – User and Group Configuration
• Sudo
• Customize SSH
• Secure ESX Web Proxy
• Configuring Password Policies
• Configure the ESX Firewall
• ESXi Hardening – Enabling ESXi Lockdown Mode
• Tech Support and Remote Tech Support Configuration
• Common Hardening – Isolate the ESX/ESXi and vCenter Management Networks
• Enabling Certificate Checking in vCenter
• Configuring CA Signed Certificates
• Configure SSL Timeouts

Lesson 11 - Controlling Access to Storage

This lesson discusses what security controls are available for each of the storage protocols.

• Common Security for All Protocols
• Fiber Channel: Zoning and LUN Masking
• iSCSI: CHAP and LUN Masking
• NFS (Network File System)

Section 6: Hardening Virtual Machines

Lesson 13 - Virtual Machine Security Architecture

Find out the enhancements to security that virtualization brings, the challenges that virtualization introduces, and the common OS hardening needed for virtual machines.

• Virtual Machine Isolation
• Virtualization Security Enablers
• Virtualization Security Challenges
• Operating System Security Best Practices

Lesson 14 - Hardening Virtual Machines - Best Practices

Learn how to apply real-world proven virtual machine security practices in your infrastructure, step by step!

• Use a Firewall or Access Control Lists
• Use an Antivirus Solution
• Use VMware Update Manager
• Limit Who Has Console Access
• Do Not Use the VMCI if Possible
• Isolate VMotion and/or FT Networks
• Use vCenter Roles
• Use Virtual Machine Log Rotation
• Turn off or Disable Unneeded Services
• Turn on Auditing and/or Logging

Section 7: Standardizing ESX/ESXi Host Configurations

Lesson 15 - Using Host Profiles to Standardize ESX/ESXi Configuration

In this lesson you will learn how to use vSphere’s host profiles as a template to insure that new and existing ESX/ESXi hosts comply with security policies and best practices.

• How Host Profiles Help Secure ESX/ESXi
• What is Supported with Host Profiles
• What is Not Supported with Host Profiles
• Create, Apply, and Check Compliance with a Host Profile

Lesson 16 - Keeping Hosts and VMs Secure with Update Manager

VMware’s Update Manager (VUM) is a powerful vSphere security enabler that you can use to keep both hosts and virtual machines up to date with security patches. Find out how to do it, step by step.

• Using VMware Update Manager (VUM) to Help Secure ESX/ESXi and VMs
• Deployment Options for Update Manager

Section 8: vSphere Logging and Event Monitoring

Lesson 17 - Understanding and Managing vSphere Logs

A critical piece of any security monitoring is the proper monitoring and alerting of security events. Find out how to monitor vSphere security logs, how to retain those logs, and how to use vCenter alarms to make sure you know when security events occur.

• Monitoring Log Files for Security
• Where vSphere Stores Local Log Files
• Using Syslog for Logging Repository
• How to Monitor and Retain Log Files for Auditing Purposes
• Using vCenter Alarms for Security Monitoring

Section 9: Getting Started with Top vSphere Security Tools

Lesson 18 - vShield: Zones, App, and Edge

VMware’s vShield is a suite of virtualization security products designed to keep your virtual datacenters secure, ESXi hosts secure, the edge of the network secure, and even your VM apps secure. Find out how it works, what it can do for you, and how to implement vShield zones in your vSphere infrastructure.

• An Overview of the vShield Suite
• Centralized Management of the vShield Suite Using vShield Manager
• Protecting Virtual Machines with vShield Zones
• How vShield Zones Does Traffic Analysis
• Configuring vShield Zones Firewall Policies
• Enhancements Provided by vShield App
• Deploy the vShield Manager
• Deploy Agent VMs
• Moving VMs Between Protected and Unprotected Hosts
• Using vShield Edge to Provide Multi-tenancy Security
• Putting All of the Pieces Together, Deploying the vShield Suite for Maximum Benefit

Lesson 19 - vShield: Endpoint and Trend Micro Deep Security

vShield endpoint provides third-party companies the ability to perform revolutionary virtual network security. You will learn how vShield endpoint works and how you would use Trend Micro’s Deep Security for vSphere to ensure your virtual infrastructure is virus-free without installing any anti-virus agents on your virtual machines.

• What is vShield Endpoint?
• An Overview of Trend Micro’s Deep Security
• Pros and Cons
• Deployment Steps
• Deploy Endpoint
• Install Deep Security Manager
• Prepare the vSphere Host and Deploy an Agent VM
• Install Drivers on the Guest and Activate the Guest to Be Managed
• Configure Anti-malware and Intrusion Prevention Functionality
• Where/When Would I Use Deep Security?

Lesson 20 - Hytrust Appliance

One of the most popular and useful third-party virtual infrastructure security solutions is the Hytrust appliance. Learn how it can help you and how it works in this lesson.

• An Overview of Hytrust
• Pros and Cons
• Hytrust Installation Demo
• Where/When Would I Use Hytrust

Lesson 21 - Compliance and vCenter Configuration Manager

VMware’s vCenter compliance and configuration manager ensures that the virtual infrastructure is never misconfigured or insecure by automatically detecting and comparing changes to policies. Learn how it works and how you would use it to maintain configuration security and compliance. Additionally, find out how to use VMware’s free compliance checker.

• What is Compliance?
• How Do We Do Compliance?
• Why is Compliance Important?
• Tools for Managing Compliance
• About VMware Configuration Manager
• VMware’s Compliance Checker for vSphere and PCI Compliance Checker
• Installing and Running Free Compliance Checking Tools

Section 10: Course Conclusion

Lesson 22 - Next Steps

• What is Your Next Step?
• We Value Your Opinion