Installation guide
Separating and Securing the OS Provisioning Zone
Make the operating system provisioning zone network a private network. Use a separate, dedicated
network interface to connect the OS Provisioning Server with its provisioning zone network. For more
information about private network interfaces, see the VCM Administration Guide. Restrict access to the
operating system provisioning zone to personnel who are trusted to install operating systems and act as
network administrators.
Operating system provisioning operations take place across the network that connects the OS
Provisioning Server and the provisionable targets. The provisioning zone, including its servers, network,
and network infrastructure, must be protected from unauthorized access and tampering, and must be kept
available and responsive.
Failure to isolate the operating system provisioning zone exposes you to attacks that intercept
unattended.xml files that contain credentials.
Dedicating a Server to Operating System Provisioning
VCM relies on the OS Provisioning Server to protect the confidentiality, integrity, and availability of
provisioning zone data and OS images. When the OS Provisioning Server is used for purposes other than
provisioning, you risk granting unintended access to provisioning distributions. The OS Provisioning
Server must be dedicated only to provisioning operations and must not allow logins except by the
machine administrator and the VCM administrator who installs the OS Provisioning Server as described in
the VCM Installation Guide.
Closing Unnecessary Ports
"VCM Ports" on page 84 lists the network ports that the OS Provisioning Server uses. Use the iptables host
firewall, which you can manage through VCM, to keep other ports closed.
Protection of Baseline OS Images
The OS Provisioning Server deploys operating system images built from original distribution images from
Microsoft, Red Hat, SUSE, VMware, and others. These images must be obtained from trusted sources,
transferred over secure channels, and protected from tampering.
OS Provisioning Credentials
VCM protects and encrypts credentials stored on server zone machines. However, during operating
system provisioning operations, credentials within bootable distributions are transmitted in clear text
over TFTP. This exposure is an intrinsic limitation of the PXE startup protocol and makes credentials
subject to attacks that can compromise the confidentiality, integrity, and authenticity of the credentials or
other sensitive pieces of provisioned operating systems.
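The following audit is an added example, not part of the VCM guide or VMware's code: it lists which elements of an answer file carry passwords, so you can inventory the credentials that cross the provisioning network in clear text. It assumes the unattended.xml file follows the Microsoft Windows answer-file layout (password elements with Value and PlainText children); the sample file and the function names find_credentials and local are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Windows answer-file layout (an assumption); the
# account name and password values are made up for this example.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Examp1e-Only!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>provision</Username>
        <Password>
          <Value>RQB4AGEAbQBwAGwAZQA=</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

def local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find_credentials(xml_text):
    """Return (element path, encoding) per password element; never the value."""
    findings = []

    def walk(node, path):
        here = path + "/" + local(node.tag)
        kids = {local(c.tag): (c.text or "").strip() for c in node}
        if "password" in local(node.tag).lower() and kids.get("Value"):
            # PlainText=false is Base64 obfuscation, not encryption. A missing
            # flag is treated as plaintext here (worst-case assumption).
            plain = kids.get("PlainText", "").lower() != "false"
            findings.append((here, "plaintext" if plain else "base64-obfuscated"))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path, kind in find_credentials(SAMPLE_UNATTEND):
        print(f"{kind:18} {path}")
```

Both kinds of finding are readable by anyone who can capture the TFTP transfer, so treat every reported element as an exposed credential.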
VCM Security Guide
VMware, Inc.