HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
modify their own copy, but only if they are authorized to create planning scenarios for the systems in
the original scenario.
Virtual environment security policy and practice recommendations
Most security policies and practices used in a traditional environment also apply in a
virtualized environment. However, in a virtualized environment these policies might require
modifications and additions. The following security practices are recommended by HP for a
virtualized environment. This is only a partial list, because differing security policies and
implementation practices make it difficult to provide a complete and definitive list; however,
the list serves as a good starting point.
• Use a separate management network. For security and performance reasons, HP recommends:
– Establishing a private management network separate from the data network
– Granting only administrators access to the management network
– Using a firewall to restrict traffic into the management network
• Eliminate or disable non-essential services. Configure all host systems, management systems and
network devices so that non-essential services are either eliminated or disabled, including
networking ports when not in use. This can significantly reduce the number of attack vectors in your
environment.
• Ensure that a process is in place to periodically check for and install patches for all components in
your environment.
• Security policy and processes must address the use of virtualization in the environment, for
example:
– Educate administrators about changes to their roles and responsibilities in a virtual environment.
– If an Intrusion Detection System (IDS) is being utilized in your environment, ensure that the IDS
solution has visibility into network traffic in the virtual switch (within a hypervisor).
– Mitigate potential sniffing of VLAN traffic by turning off promiscuous mode in the hypervisor and by
encrypting traffic flowing over the VLAN.
Note: In many cases, if promiscuous mode is disabled in the hypervisor it cannot be used on a
VM guest (the guest can enable it, but it will not be functional).
– Maintain zones of trust (DMZ separate from production machines)
– Ensure proper access controls on Fibre Channel devices:
  – Use LUN masking on both storage and compute hosts
  – Ensure LUNs are defined in the host configuration rather than by discovery
  – Use hard zoning based on port World Wide Name (WWN) if possible
  – Ensure communication with the WWNs is enforced at the switch port level
• Clearly define administrative roles and responsibilities (host administrator, network administrator,
and virtualization administrator). Utilize the HP SIM toolbox and Virtual Connect role capabilities to
distinguish these roles.
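Two of the recommendations above pull against each other: the IDS needs a promiscuous port on the virtual switch to see intra-host traffic, while promiscuous mode should otherwise be rejected so guests cannot sniff the VLAN. The following audit, added here as an example and not code from the HP paper, checks a constructed port-group inventory (hypothetical switch, port-group and VM names) against both rules at once: promiscuous mode is accepted only on a port group that carries nothing but an IDS sensor, and every switch carrying guests has such a port group.

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class PortGroup:
    vswitch: str
    name: str
    promiscuous: bool                 # hypervisor port-group policy: True = promiscuous mode accepted
    vms: List[str] = field(default_factory=list)

# Constructed inventory (hypothetical switch, port-group and VM names, not from the HP paper).
INVENTORY = [
    PortGroup("vSwitch0", "Management", False, ["mgmt-jump"]),
    PortGroup("vSwitch1", "Production", True, ["app01", "db01"]),   # weak: any guest here can sniff the VLAN
    PortGroup("vSwitch1", "IDS-Monitor", True, ["ids-sensor"]),     # the one justified exception
    PortGroup("vSwitch2", "DMZ", False, ["web01"]),                 # hardened, but no IDS sees this switch
]
IDS_SENSORS = {"ids-sensor"}   # VMs that are allowed (and required) to run promiscuous

def audit(inventory: List[PortGroup], ids_sensors: Set[str]) -> List[str]:
    """Return one finding per policy violation; an empty list means the policy holds.

    Rules checked: (1) promiscuous mode is rejected everywhere except on a port group that
    carries only an IDS sensor; (2) every virtual switch carrying guests has such a sensor
    port group, so the IDS keeps visibility into traffic that never leaves the host."""
    findings: List[str] = []
    monitored: Set[str] = set()        # switches where a sensor is attached and can see traffic
    guest_switches: Set[str] = set()   # switches that carry non-sensor guests
    for pg in inventory:
        sensors = [vm for vm in pg.vms if vm in ids_sensors]
        guests = [vm for vm in pg.vms if vm not in ids_sensors]
        if guests:
            guest_switches.add(pg.vswitch)
        if pg.promiscuous and not sensors:
            findings.append(f"{pg.vswitch}/{pg.name}: promiscuous mode accepted with no IDS sensor attached; set it to reject")
        elif pg.promiscuous and guests:
            findings.append(f"{pg.vswitch}/{pg.name}: guests {guests} share the sensor's promiscuous port group; move them")
        elif sensors and not pg.promiscuous:
            findings.append(f"{pg.vswitch}/{pg.name}: IDS sensor {sensors} attached but promiscuous mode rejected, so it is blind")
        if sensors and pg.promiscuous:
            monitored.add(pg.vswitch)
    for vswitch in sorted(guest_switches - monitored):
        findings.append(f"{vswitch}: carries guests but has no IDS sensor port group, so the IDS has no visibility here")
    return findings

if __name__ == "__main__":
    for line in audit(INVENTORY, IDS_SENSORS) or ["policy holds"]:
        print(line)
```

Run against the sample inventory it reports the promiscuous production port group and the two switches the IDS cannot see; feed it the port-group export of your own hypervisor to get the same report for real hosts.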