5.8
Table Of Contents
- vCloud Suite Architecture Overview and Use Cases
- Contents
- About this book
- Introduction to vCloud Suite
- Architecture Overview
- Conceptual Design of a vCloud Suite Environment
- vCloud Suite Components in the Management Cluster
- Software-Defined Data Center Core Infrastructure
- Delivering an Infrastructure Service
- Delivering Platform as a Service
- Deploying vCloud Suite
- Install vCloud Suite Components
- Update vCloud Suite Components
- External Dependencies for Deploying vCloud Suite
- System Requirements of vCloud Suite Components
- Security Considerations
- Licensing
- vCloud Suite Licensing Model
- Activating vCloud Suite Components in the vSphere Web Client
- Activating vCloud Suite Components in the vSphere Client
- Add the vCloud Suite License by Using the vSphere Client
- Assign the vCloud Suite License to vSphere in the vSphere Client
- Assign the vCloud Suite License to vCenter Operations Management Suite in the vSphere Client
- Assign the vCloud Suite License to vCloud Networking and Security in the vSphere Client
- Assign the vCloud Suite License Key to vCenter Site Recovery Manager
- Activating vCloud Suite Components by Using Their Own Licensing Interfaces
- Monitoring License Usage for vCloud Suite
- vCloud Suite Use Cases
- Index
The security profile determines how strongly the protection is enforced against impersonation and
interception attacks on virtual machines. To correctly use the settings in the security profile, one must
understand the basics of how virtual network adapters control transmissions and how attacks are staged at
this level.
Each virtual network adapter has its own MAC address assigned when the adapter is created. This address
is called the initial MAC address. Although the initial MAC address can be reconfigured from outside the
guest operating system, it cannot be changed by the guest operating system. In addition, each adapter has
an effective MAC address that filters out incoming network traffic with a destination MAC address different
from the effective MAC address. The guest operating system is responsible for setting the effective MAC
address and typically matches the effective MAC address to the initial MAC address.
When sending packets, an operating system typically places its own network adapter's effective MAC
address in the source MAC address field of the Ethernet frame. It also places the MAC address for the
receiving network adapter in the destination MAC address field. The receiving adapter accepts packets only
when the destination MAC address in the packet matches its own effective MAC address.
Upon creation, a network adapter's effective MAC address and initial MAC address are the same. The
virtual machine's operating system can alter the effective MAC address to another value at any time. If an
operating system changes the effective MAC address, its network adapter receives network traffic destined
for the new MAC address. The operating system can send frames with an impersonated source MAC
address at any time. This means an operating system can stage malicious attacks on the devices in a network
by impersonating a network adapter that the receiving network authorizes.
Standard switch security profiles can be used on hosts to protect against this type of attack by setting three
options. If any default settings for a port are changed, the security profile must be modified by editing
standard switch settings in the vSphere Client.
Securing iSCSI Storage
The storage configured for a host might include one or more storage area networks (SANs) that use iSCSI.
When iSCSI is configured on a host, several measures can be taken to minimize security risks.
The storage configured for a host might include one or more storage area networks (SANs) that use iSCSI.
When iSCSI is configured on a host, several measures can be taken to minimize security risks.
iSCSI is a means of accessing SCSI devices and exchanging data records by using TCP/IP over a network
port rather than through a direct connection to a SCSI device. In iSCSI transactions, blocks of raw SCSI data
are encapsulated in iSCSI records and transmitted to the requesting device or user.
One means of securing iSCSI devices from unwanted intrusion is to require that the host, or initiator, be
authenticated by the iSCSI device, or target, whenever the host attempts to access data on the target LUN.
The goal of authentication is to prove that the initiator has the right to access a target, a right granted when
authentication is configured. ESXi does not support Kerberos, Secure Remote Protocol (SRP), or public-key
authentication methods for iSCSI. Additionally, it does not support IPsec authentication and encryption.
Use the vSphere Client or the vSphere Web Client to determine whether authentication is being performed
and to configure the authentication method.
iSCSI SANs enable the efficient use of existing Ethernet infrastructures to provide hosts access to storage
resources that they can dynamically share. iSCSI SANs provide an economical storage solution for
environments that rely on a common storage pool to serve numerous users. As with any networked system,
iSCSI SANs can be subject to security breaches.
Chapter 3 Deploying vCloud Suite
VMware, Inc. 37