
Meet Tim Pearson, one of your instructors for the Advanced VMware Security course, with 25 years in security and virtualization. He shares his expertise on VMware security, ESX, and virtual infrastructure security.
Explore ESX networking components, virtual adapters and switches; compare virtual with physical switches; cover spanning tree (which virtual switches do not run, since they cannot be cascaded into loops), NIC teaming and load balancing; and review security features such as encryption, certificates, kernel processes and permissions.
Learn about ESX networking components, including virtual NICs, virtual switches and the distributed virtual switch, plus virtual port groups, the uplink concept, and the service console as a VM.
Explore how virtual switches in VMware function: up to 128 or 248 switches per host depending on the ESX version, built on demand as software devices with a layer 2 forwarding engine, VLAN tagging, and modular security features.
Virtual ports create logical connections among virtual and physical devices, much like RJ-45 jacks on a physical switch; a virtual switch has up to 4,096 ports, and port policies can reject guest MAC address changes.
Understand how an uplink port connects a physical adapter to a virtual switch, and that a virtual switch with no uplink ports is an internal-only network: VMs on it can reach each other on that host but nothing beyond it.
Explore port groups as templates that define network attributes for VMs, including the switch name, VLAN ID, teaming policy, security options and traffic shaping, so VMs keep consistent settings across hosts and during VMotion.
Explore virtual switch correctness: the switch makes forwarding decisions on its own private copy of frame data so a guest cannot influence them, and it does not negotiate trunking dynamically, which closes off the dynamic trunking attacks and isolation leaks that affect physical switches.
Explore the normal operation of beacon probing (the link-failure detection used by NIC teaming) by tracing typical traffic flow through a switch and out to the network.
Examine VMware vSwitch security settings on switches and port groups: promiscuous mode is rejected by default, but MAC address changes and forged transmits default to Accept on ESX 3.x and should be set to Reject. Contrast a "corp net" and an "evil net" port group to reveal the access paths each setting opens.
Explore the Linux file system structure and root directory as seen from the service console and Linux virtual machines, understand how everything in Linux is a file, and compare top-level directory differences across Linux flavors.
Explore the Linux file system layout, including user home directories, shared libraries (the counterpart of Windows DLLs), mount points for devices, the /proc pseudo-filesystem, and directories such as /tmp, /usr and /var, all of which are treated as files.
Learn how starting and stopping processes and services works, including automatic startup versus manual start, and how cron schedules tasks via crontabs.
Demonstrate how Linux and Unix permissions implement discretionary access control with an owner, an owning group, and others, each granted read, write and execute on files and directories, viewable with ls -l.
Demonstrate the handy chart for read, write and execute permissions and show how the octal digits used by chmod (read 4, write 2, execute 1) map to the rwx equivalents, which you can check with a calculator.
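The permission chart from the lecture as a shell script, added here as an example and not part of the course material. It converts between the rwx notation that `ls -l` prints and the octal digits that `chmod` takes, then round-trips a mode through `chmod` and `ls -ld` on a temporary file so you can confirm the mapping on a real system. The only assumptions are the standard `ls`, `cut`, `sed` and `mktemp` tools.

```shell
#!/bin/sh
# Added example (not part of the course material): the permission chart from
# the lecture as shell functions, plus a round trip through chmod and ls -l.

# The chart: one octal digit <-> one rwx triplet (r=4, w=2, x=1).
digit_to_triplet() {
  case "$1" in
    0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
    2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
    6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
    *) printf 'bad octal digit: %s\n' "$1" >&2; return 1 ;;
  esac
}

# The reverse direction: add 4, 2 and 1 for each letter present.
# setuid/setgid (s) and sticky (t) in the third column also imply execute.
triplet_to_digit() {
  n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??x|??s|??t) n=$((n + 1)) ;; esac
  printf '%s' "$n"
}

# "750" -> "rwxr-x---"
octal_to_rwx() {
  for d in $(printf '%s' "$1" | sed 's/./& /g'); do
    digit_to_triplet "$d"
  done
}

# "rwxr-x---" -> "750" (this is what `ls -l` shows in columns 2-10)
rwx_to_octal() {
  u=$(printf '%s' "$1" | cut -c1-3)
  g=$(printf '%s' "$1" | cut -c4-6)
  o=$(printf '%s' "$1" | cut -c7-9)
  printf '%s%s%s' "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")"
}

# Read the mode string of a path from `ls -ld` (columns 2-10 of the first field).
mode_of() {
  ls -ld "$1" | cut -c2-10
}

# Round trip: chmod a temp file with the given octal mode and read it back via ls -l.
chmod_roundtrip() {
  f=$(mktemp) || return 1
  chmod "$1" "$f"
  seen=$(mode_of "$f")
  rm -f "$f"
  rwx_to_octal "$seen"
}

# Usage:
#   octal_to_rwx 640        -> rw-r-----
#   rwx_to_octal rwxr-x---  -> 750
#   chmod_roundtrip 750     -> 750 (mode applied to a temp file and read back)
```

The third column handles `s` and `t` as well as `x`, because a setuid binary shows as `rws` in `ls -l` and still has the execute bit set; a naive converter that only looks for `x` under-reports such files.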
Learn how the syslog daemon logs and audits Linux events, receiving messages from the kernel and user processes and storing them under /var/log (for example /var/log/secure for authentication events), and why /var/log belongs on a separate partition so that a flood of log data cannot fill the root filesystem.
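A quick triage of the authentication events that syslog writes to /var/log/secure, added here as an example and not part of the course material. The log lines are constructed for the example (the sshd message formats are the standard ones); on a host you would feed the real file to the same functions. The first check lists sources with repeated failures; the second catches the more telling pattern of a source that fails several times and then succeeds.

```shell
#!/bin/sh
# Added example (not part of the course material): a quick triage of the
# authentication events syslog writes to /var/log/secure. The log lines below
# are constructed for the example; the parsing is the same on a real file.

SAMPLE_SECURE_LOG=$(cat <<'EOF'
Mar 14 10:01:02 esx01 sshd[2201]: Failed password for root from 10.0.5.17 port 40122 ssh2
Mar 14 10:01:05 esx01 sshd[2201]: Failed password for root from 10.0.5.17 port 40123 ssh2
Mar 14 10:01:09 esx01 sshd[2203]: Failed password for invalid user admin from 10.0.5.17 port 40130 ssh2
Mar 14 10:02:11 esx01 sshd[2210]: Accepted password for jennifer from 192.168.50.12 port 51000 ssh2
Mar 14 10:03:40 esx01 sshd[2215]: Failed password for jennifer from 192.168.50.12 port 51004 ssh2
Mar 14 10:05:00 esx01 sshd[2220]: Accepted publickey for root from 10.0.5.17 port 40200 ssh2
EOF
)

# Sources with at least $1 failed SSH logins, busiest first, one IP per line.
failed_login_sources() {
  awk -v thr="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
  ' | sort -rn | awk '{ print $2 }'
}

# Sources that eventually logged in after earlier failures: the pattern of a
# guessed or stolen credential rather than a forgotten one. Prints "ip user".
accepted_after_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
      for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
      if (fails[ip] > 0) print ip, user
    }
  '
}

# Usage on a live host (log comes in on stdin):
#   failed_login_sources 3 < /var/log/secure
#   accepted_after_failures < /var/log/secure
# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_login_sources 3     # -> 10.0.5.17
#   printf '%s\n' "$SAMPLE_SECURE_LOG" | accepted_after_failures    # -> 10.0.5.17 root
```

Note that the second check is only as good as the log's integrity, which is the point of the separate partition and of shipping syslog to a remote collector: an attacker who gets root can edit /var/log/secure on the host itself.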
Explore routing and the security design of VMware, detailing how traffic is routed through the virtualization layer, virtual switches, ESX hosts, port groups and storage, and the role of vCenter.
Explore how to secure data transmissions by examining how data is routed across switches and port groups, and where an attacker could intercept it.
Explore how VMs on the same vSwitch, port group and VLAN of an ESX host communicate without leaving the host, and how staying inside ESX reduces latency and keeps the traffic off the physical wire where it could be sniffed.
Keep virtual devices that talk to each other on the same ESX host, vSwitch, port group and VLAN to streamline traffic flow, reduce latency, and improve security.
Design and implement a secure, high-performance VMware infrastructure architecture, incorporating VLAN tagging, traffic filtering and layer 2 security policies for virtual machines, and integrate with Microsoft Active Directory for access control.
Learn how the binary translator reads guest virtual memory, converts guest instructions into intermediate objects and feeds them to the hypervisor for execution, and why its 12-instruction translation window does nothing to prevent a buffer overflow inside the guest.
Explain memory virtualization by showing how the VMkernel zeroes each memory page before it is reused so leftover data never leaks between VMs, giving each VM exclusive access to its pages except where transparent page sharing applies.
Discuss transparent page sharing, which deduplicates identical memory pages to save physical memory; a write to a shared page creates a private copy, preventing leakage between VMs, and the feature can be disabled per host or per VM.
Demonstrate how Cloudburst exploits the shared memory area between guest and host used by the virtual video card and paravirtualized drivers, echoing early DOS TSR techniques.
Learn how Cloudburst attacks exploit an off-by-one error in the virtual graphics device to access memory outside the screen buffer, enabling guest-to-host memory reads and writes, especially through 3D drivers.
Virtual machines act as containers that run the guest operating system; they are isolated by design, with communication limited to their network interfaces.
Set up resource pools with reservations and limits on the ESX host to isolate VMs, so that a VM under attack stays within its reservation and cannot exhaust the host.
Protect the service console, the stripped-down Red Hat Enterprise Linux 3 based environment used by ESX 3.5, because a compromised console can compromise the VMkernel and host security.
Mitigate ESX service console risks by using the high security firewall setting, which closes all inbound and outbound ports not tied to enabled services, and rely on SSL encryption (256-bit) for administrative web access.
Understand the virtual networking layer and its components, such as virtual network devices, adapters, switches and port groups, and how they let VMs communicate with the outside world and with storage.
Discover how virtual switches re-implement the networking stack with a design built at runtime, featuring a layer 2 forwarding engine, VLAN tagging, stripping and filtering, per-port security settings, and adapter-specific segmentation offloads.
Explore virtual switch VLANs and the three tagging modes: virtual guest tagging (VGT), external switch tagging (EST) and virtual switch tagging (VST), and how each protects network components and VM traffic.
Explore virtual switch VLANs, part 3: using external switch tagging, where the physical switch adds and removes the VLAN tag, while noting the data center security implications and potential latency.
VMware VirtualCenter is the central, Windows-based configuration hub that hosts the database and relies on Windows security controls; it provides an audit trail through user-specific, role-based permissions.
Understand how ESX servers connect over Fibre Channel through HBAs identified by World Wide Names to switches and disk arrays, and how LUN masking and zoning control access along the mesh of paths.
Explore how Fibre Channel SAN zoning and LUN masking control visibility in an ESX/ESXi environment: zoning defines which ports may talk to each other, and masking at the storage processor hides specific LUNs from selected systems.
Learn how zoning at the switch level restricts access to specific storage processors and ESX servers, and how LUN masking at the storage processor hides unneeded LUNs and prevents cross-access.
Explore the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) for Fibre Channel. Note that DH-CHAP supports multiple algorithms; vendors may implement only one, and some choices are stronger than others.
Explore ESP (Encapsulating Security Payload), the IPsec protocol that authenticates and encrypts the packet it encapsulates and adds its own header for straightforward data transfer.
Explore Fibre Channel security basics, including denial of service, man-in-the-middle, spoofing and hijacking attacks, their vendor-specific nuances, and insider access considerations.
Segment iSCSI networks and restrict management interfaces to authorized users; disable unneeded services such as DNS and DHCP on the Windows Server involved; use CHAP authentication; and test IPsec encryption to meet PCI requirements.
Learn the basics of penetration testing, its cost and the hacker mindset, while exploring evolving threats, testing methodologies, websites to review to stay current, and virtualization management pitfalls.
Penetration testing helps manage vulnerabilities by sorting out false positives and negatives, reduces network downtime, meets regulatory requirements such as PCI DSS and Sarbanes-Oxley, preserves corporate image, and supports cyber insurance.
Analyze botnets, from a single zombie to thousands of computers under one controller, and learn how to test your virtual infrastructure so it cannot be drawn into a botnet.
Explore how data breaches like the 130 million credit card incident fuel identity theft, and learn how virtualizing and securing databases protects client information in virtual infrastructures.
Assess the evolving threat landscape by examining script kiddies and professional thieves, and understand why defense spending targets the national interest and national security.
The attacker seeks ownership details, interconnections created by mergers, internal staff dynamics and social engineering avenues, plus the external view (services, routers, DMZ, open ports) and the virtualization software in use, to exploit insider risk.
Explore physical, social and digital methods of obtaining information, including door breaching, social engineering, and infiltrating the infrastructure through the ESX server to reach the other systems it hosts.
This lecture shows how to use the Maltego GUI community edition to map a company's infrastructure (domains, netblocks, DNS names and email addresses) using WHOIS and IP data, correlating across views.
Explore how Shodan indexes internet-facing ESX servers by recording service versions and operating system fingerprints per IP address, exposing vulnerable virtual environments to anyone who searches.
Analyze half-open (SYN) scans: the scanner sends a SYN, and when the port answers SYN/ACK it replies with RST instead of completing the handshake; a closed port answers RST just as it would in a full TCP connect scan.
Identify firewalled ports from Nmap's "filtered" state: probes go in but no response comes back, so a port such as 389 may be open behind a firewall that drops return traffic, leaving Nmap to infer the firewall's presence and the port's potential vulnerability.
Learn how to perform Nmap UDP scans with the -sU option, which switches from TCP to UDP probes so you can scan all systems for UDP services.
Explore banner grabbing with telnet by connecting to port 80 and issuing a HEAD request to reveal the web server software and version, practicing on a variety of systems.
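The HEAD-request banner grab from the lecture, added here as an example and not part of the course material, done with `nc` (netcat) instead of an interactive telnet session so it can be scripted, plus two small parsers for the reply. The HTTP response text is constructed, not captured from any real host; the `http_head` function itself needs network access and a target you are authorized to test.

```shell
#!/bin/sh
# Added example (not part of the course material): the HEAD-request banner
# grab from the lecture done with nc instead of telnet, plus two small parsers
# for the reply. The response text below is constructed, not captured.

SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nDate: Sat, 14 Mar 2009 10:00:00 GMT\r\nServer: Apache/2.0.52 (Red Hat)\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n')

# Send a HEAD request and print the raw reply. HTTP/1.0 is used so the server
# closes the connection after answering; -w 3 gives up after three idle seconds.
http_head() {  # http_head host [port]
  printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | nc -w 3 "$1" "${2:-80}"
}

# Status code from the status line ("HTTP/1.1 200 OK" -> 200).
http_status() {
  tr -d '\r' | head -n 1 | awk '{ print $2 }'
}

# Value of the Server header, or a marker if the server hides it. Header names
# are case-insensitive, so the match is done on a lower-cased copy.
server_header() {
  tr -d '\r' | awk '
    tolower($0) ~ /^server: / { sub(/^[^:]*: */, ""); print; found = 1; exit }
    END { if (!found) print "(no Server header)" }
  '
}

# Usage:
#   http_head www.example.com 80 | server_header
#   printf '%s\n' "$SAMPLE_RESPONSE" | http_status      # -> 200
#   printf '%s\n' "$SAMPLE_RESPONSE" | server_header    # -> Apache/2.0.52 (Red Hat)
```

Stripping the carriage returns first matters: HTTP lines end in CRLF, and without the `tr` the `\r` would be carried into the printed value and quietly break any later string comparison.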
Explore DNS enumeration to map domain names to IP addresses using tools like nslookup and Maltego, and verify the data against redundant servers for accuracy.
Master the syntax of a null session with net use, including the IPC$ share and the correct parameter order, to connect to a server without credentials.
Examine vulnerabilities across the VMware infrastructure by auditing services, operating systems, protocols and devices; watch in particular for Java, Internet Explorer and Adobe exploits.
Explore Nessus, a web-based vulnerability assessment and penetration testing tool (run here on Linux) that supports IPv4 and IPv6, offers robust PCI compliance reporting, and covers both remote and local checks.
Configure the OpenVAS client by selecting general settings, plugins, credentials, targets and access rules before running the scan and generating a report.
This lecture covers how Windows NT 4.0 Service Pack 3 introduced Syskey, adding a 128-bit encryption layer to the SAM database, so that extracting the password hashes requires the boot key from the SYSTEM hive.
Use Cain and Abel to crack passwords with rainbow tables, perform brute force and dictionary attacks, import hashes from a database or file, and generate tables with Winrtgen, which requires powerful hardware.
Explore how clearing the event log and deleting security logs erases audit trails, using a tool such as elsave, and discuss the implications for alerting and investigations in VMware security.
Explore Meterpreter, a powerful payload that runs in memory rather than on disk and acts as a service, enabling privileged commands, file access and password hash dumps while posing forensic challenges.
Explore how fuzzers help pen testers and attackers test applications and virtual environments for buffer overflows, other vulnerabilities and error handling, including hypervisor-level testing against the ESX environment.
SAINTexploit at a glance explains how the vulnerability assessment tool integrates an exploit engine, enabling one-click exploits for detected vulnerabilities, plus a website emulator and email forgery capabilities.
The lecture compares the exploit counts of 2008-era penetration testing tools, noting 282 exploits for one tool and 308 for Core Impact, with Core Impact also including denial of service exploits.
Demonstrate ARP cache poisoning in a virtualized environment, showing how an attacker manipulates the ARP tables of server and client to impersonate each to the other, enabling a man-in-the-middle position and intelligence gathering.
Explore virtualized DMZ networks and mitigate their risks with ESX servers, an uplink port, a virtual switch and a virtual adapter per tier, isolating the web, application and database servers.
Set the layer 2 security options on virtual switches to reject promiscuous mode, MAC address changes and forged transmits, preventing data snooping, sniffing and spoofing in a virtual DMZ.
Explore common attack vectors targeting DMZ deployments, including how web logins create a front door into your VMware infrastructure and the risks of SSL/TLS renegotiation.
Examine the generic TLS renegotiation prefix injection vulnerability, including the TLS handshake, renegotiation before timeout, and how a man-in-the-middle can splice a chosen prefix into an authenticated session without ever learning the session key.
Identify VMware version identification vulnerabilities and note the end of support for VMware Server. Learn how a host network interface listening on port 80 can let VM files be stolen from one guest to another.
The lecture explains why the web server runs as root and highlights the resulting vulnerability: any flaw in that web server yields root on the host.
Explore how the redirection proxy on ESX redirects requests, detailing the proxy mappings and the role of the software development kit in this workflow.
Explore hardening techniques for the ESX server, covering template isolation, VM segmentation to limit data flow, directory services, access control, logging and other security measures.
Apply the same security standards used in the physical world to the virtual environment: keep the guest OS patched and protected with antivirus and IDS/IPS, and keep VMware Update Manager current.
Understand how the .vmx configuration file and .vmdk disk files relate to each virtual machine, and learn to lock down access to prevent tampering; note that configuration changes take effect only after the VM restarts.
Explore how the guest operating system communicates with the ESX host via VMware Tools using setinfo name-value pairs with no predefined format, and assess the risk of unlimited data size and buffer overflow in that channel.
Advanced VMware security shows how to prevent unauthorized removal or connection of devices by isolating them and setting persistent controls so users cannot alter CD-ROM drives or network adapters.
Explore securing virtual machines by configuring granular roles and permissions in VMware vCenter, using explicit versus inherited access and group-based administrators, and testing scenarios across data centers and hosts.
Secure your infrastructure by configuring ESX host and vCenter access: create "jennifer", a shell-enabled user, and assign a read-only (RO) users group read-only permissions on the ESX host.
Use ESX's built-in firewall and keep the default security settings, which block all traffic not tied to enabled services, and question any manually opened port to avoid leaving holes.
Explore how to view, enable and disable ESX firewall services, configure known and nonstandard ports, restart the firewall, and review logs to verify the security profile of an ESX environment.
Limit the service console by restricting installed software and running services, review standard and nonstandard ports, and use the ESX firewall and command line to verify which ports are actually open.
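One way to do the "verify which ports are actually open" step from the console, added here as an example and not part of the course material: compare what the service console is listening on (`netstat -tuln`) against the ports you expect the enabled firewall services to expose. The netstat output below is constructed, and the allowlist (SSH, HTTPS, the VMware authentication daemon on 902, SNMP) is a hypothetical host's; on a real host build it from the services the firewall reports as enabled.

```shell
#!/bin/sh
# Added example (not part of the course material): compare what the service
# console is actually listening on with the ports you expect the ESX firewall
# to expose. The netstat output below is constructed; on a host you would pipe
# in `netstat -tuln` and build the allowlist from the enabled firewall services.

# Expected listeners for this (hypothetical) host: SSH, HTTPS, the VMware
# authentication daemon on 902, and SNMP. Adjust to your enabled services.
ESX_ALLOWED="tcp/22 tcp/443 tcp/902 udp/161"

SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
EOF
)

# Print every proto/port that is listening but not in the allowlist ($1).
# Loopback-only listeners are still reported, but marked, since they are
# reachable only from the console itself.
unexpected_listeners() {
  awk -v list="$1" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; sub(/6$/, "", proto)          # fold tcp6/udp6 into tcp/udp
      m = split($4, f, ":"); port = f[m]        # port is after the last colon
      key = proto "/" port
      if (key in allow) next
      if ($4 ~ /^(127\.|::1)/) print key " (loopback only)"; else print key
    }
  '
}

# Usage:
#   netstat -tuln | unexpected_listeners "$ESX_ALLOWED"
#   printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ESX_ALLOWED"
#   -> tcp/8080
#   -> tcp/25 (loopback only)
```

A listener that the firewall blocks is still a listener: the firewall rule can be relaxed later by someone "just testing", so the unexplained tcp/8080 above should be traced to its process and removed, not merely filtered.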
Administer hosts through VirtualCenter using the VI client to reduce the attack surface, define roles and permissions to prevent unauthorized access, and reserve service console logins for rare troubleshooting.
ESX cannot use Active Directory to create accounts: you must first create the user on ESX, and only then can Active Directory authenticate that user, who logs in with the permissions assigned on the host.
Integrate Active Directory with ESX by running esxcfg-auth to enable AD authentication, then tighten the integration with tools such as Centrify, or use the native Active Directory join introduced in vSphere 4.1.
Explore Active Directory integration on the ESX host by configuring the domain controller settings, verifying the VMware user accounts, and observing the Kerberos and PAM authentication order.
Manage privileged access on ESX servers by granting rights as needed, restricting use of root, and creating non-privileged accounts backed by Active Directory integration.
Evaluate whether ESX password complexity is managed locally or via Active Directory, and restrict root access by placing out-of-band management interfaces such as iLO and DRAC on a separate management network.
Create an ESX admins group, add users to it, back up and modify sudoers and the PAM su configuration to require wheel group membership, then test the restricted sudo access and monitor the logs.
Enable caching of login credentials with esxcfg-auth and set password policies: maximum and minimum password age, a 75-day expiry warning, and lockout after three failed logins, plus the command's verbose and help options.
Configure password reuse policy in your ESX environment by setting the PAM remember parameter to 24 passwords, and secure the /etc/security/opasswd file that stores the old password hashes so it cannot be tampered with.
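An audit script for the three lectures above (the wheel/sudo lockdown, the esxcfg-auth password policy, and the 24-password reuse history), added here as an example and not part of the course material. It checks the files those settings end up in on a Red Hat style console (login.defs, the PAM stack, pam.d/su, sudoers) against the policy. The policy numbers the course gives (75-day warning, three failed logins, remember 24) are used as-is; the 90-day maximum and 1-day minimum age are assumptions, and the sample configuration tree is constructed for the example with the pam_wheel line deliberately left commented out so the audit has something to find.

```shell
#!/bin/sh
# Added example (not part of the course material): audit the files that
# esxcfg-auth and the sudo/wheel lockdown from the lectures leave behind. The
# policy numbers other than the ones the course gives (warn 75 days, 3 failed
# logins, remember 24) are assumptions; the sample files are constructed in the
# Red Hat style of the ESX 3.x service console.

MAX_DAYS=90        # assumed
MIN_DAYS=1         # assumed
WARN_AGE=75        # from the course
FAILED_LOGINS=3    # from the course
REMEMBER=24        # from the course

# Build a throwaway tree that mimics /etc on a host; pam_wheel is deliberately
# left commented out so the audit has something to find.
make_sample_configs() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/pam.d"
  cat > "$d/login.defs" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   75
EOF
  cat > "$d/pam.d/system-auth" <<'EOF'
auth        required      pam_tally.so onerr=fail no_magic_root
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally.so deny=3 no_magic_root reset
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow use_authtok remember=24
EOF
  cat > "$d/pam.d/su" <<'EOF'
auth        sufficient    pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required      pam_wheel.so use_uid
auth        required      pam_stack.so service=system-auth
EOF
  cat > "$d/sudoers" <<'EOF'
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
EOF
  printf '%s' "$d"
}

# Value of KEY in a login.defs-style file (empty if absent or commented out).
login_def() {  # file key
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Numeric value of NAME=N on an uncommented line matching PATTERN (empty if absent).
pam_value() {  # file pattern name
  grep -E "^[^#]*$2" "$1" | sed -n "s/.*$3=\([0-9]*\).*/\1/p" | head -n 1
}

report() {  # ok-flag label detail
  if [ "$1" -eq 1 ]; then printf 'OK: %s %s\n' "$2" "$3"; else printf 'FAIL: %s %s\n' "$2" "$3"; fi
}

# Run every check against the tree rooted at $1 (pass /etc on a real host).
audit_host_auth() {
  d=$1
  v=$(login_def "$d/login.defs" PASS_MAX_DAYS); ok=0
  [ -n "$v" ] && [ "$v" -le "$MAX_DAYS" ] && ok=1
  report "$ok" PASS_MAX_DAYS "(${v:-unset}, want <= $MAX_DAYS)"

  v=$(login_def "$d/login.defs" PASS_MIN_DAYS); ok=0
  [ -n "$v" ] && [ "$v" -ge "$MIN_DAYS" ] && ok=1
  report "$ok" PASS_MIN_DAYS "(${v:-unset}, want >= $MIN_DAYS)"

  v=$(login_def "$d/login.defs" PASS_WARN_AGE); ok=0
  [ -n "$v" ] && [ "$v" -ge "$WARN_AGE" ] && ok=1
  report "$ok" PASS_WARN_AGE "(${v:-unset}, want >= $WARN_AGE)"

  v=$(pam_value "$d/pam.d/system-auth" 'pam_unix\.so' remember); ok=0
  [ -n "$v" ] && [ "$v" -ge "$REMEMBER" ] && ok=1
  report "$ok" remember "(${v:-unset}, want >= $REMEMBER)"

  v=$(pam_value "$d/pam.d/system-auth" 'pam_tally\.so' deny); ok=0
  [ -n "$v" ] && [ "$v" -le "$FAILED_LOGINS" ] && ok=1
  report "$ok" deny "(${v:-unset}, want <= $FAILED_LOGINS)"

  ok=0; grep -Eq '^[^#]*pam_wheel\.so' "$d/pam.d/su" && ok=1
  report "$ok" pam_wheel "(su restricted to the wheel group)"

  ok=0; grep -Eq '^[^#]*%wheel[[:space:]]' "$d/sudoers" && ok=1
  report "$ok" sudoers_wheel "(%wheel entry present)"
}

# Number of failed checks, for use as a script exit status or a monitoring metric.
audit_failures() {
  audit_host_auth "$1" | awk '/^FAIL:/ { n++ } END { print n + 0 }'
}

# Usage:
#   audit_host_auth /etc
#   D=$(make_sample_configs); audit_host_auth "$D"; audit_failures "$D"   # -> 1 (pam_wheel)
```

The `^[^#]*` prefix on every grep is what makes the pam_wheel check honest: the stock pam.d/su ships with the line present but commented out, and a pattern that only looks for `pam_wheel.so` would report it as enabled.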
Learn how ESX log files are organized under /var/log, with vmkernel, hostd, vpxa, firewall and update logs, enabling quick access to events and web authentication details.
Do not place virtual machines on the default (service console) port group on ESX/ESXi, which would put them on the service console's network; place them on a separate private network.
This lecture explains the differences between VMware ESX and ESXi, noting that the ESX service console runs as a privileged VM on top of the VMkernel and supports defense in depth through multiple layers.
Configure and monitor host-level management on ESXi, exploring options aligned with the ESX architecture and its analogous features, with a focus on ESXi specifics.
Enable lockdown mode on ESXi through VirtualCenter to control root privileges; perform changes through the VI client or the remote CLI using pre-created local accounts.
Learn how to control access to privileged capabilities in ESXi by securing the DCUI, replacing the blank default root password, and restricting membership of the local administrators group to prevent root compromise.
Secure the SNMP configuration on ESXi by using SNMPv3 with authentication and encryption, using separate communities for logical separation, and limiting access to trusted networks with layer 2 filtering and VPNs.
Secure access to the CIM interface by restricting remote access, using a service account with read-only CIM permissions, and granting write rights only through a local role with local privileges.
The VMware Advanced Security course is an advanced-level course compared with other network or IT security courses: it covers the security protocols and techniques used to secure a virtual environment. The course teaches students about the various types of threats that can affect a virtual datacenter and then explains the prevention techniques that protect and secure a VMware deployment.
The VMware Advanced Security course is ideal for system administrators working in a virtual datacenter or a public or private cloud infrastructure. It covers in depth the concepts needed to secure a VMware-based virtualized environment effectively, and it is equally helpful for IT professionals at system integrators who provide technical support to other organizations.