Dell EMC VxRack System FLEX Security Configuration Guide


Document revision 1.5

February 2018

Revision history

Date            Document revision   Description of changes
February 2018   1.5                 Removed control ID information. Removed Security control identifier numbering section. Removed non-Dell procedures and references.
October 2017    1.4                 Added Log Management. Added Certificate Management.
August 2017     1.3                 Minor edits.
June 2017       1.2                 Minor edits.
October 2016    1.1                 Updated the compute layer security baseline for Controller and Management nodes. Updated management software information. Added reference information for EMC ScaleIO 2.0 features. Updated EMC ScaleIO user accounts.
May 2016        1.0                 Initial release.

Revision history | 2

Contents

Introduction ..... 5
Disclaimer ..... 6
Security strategies ..... 7
  Secure development ..... 7
  Threat landscape and security considerations ..... 7
    Administrative control ..... 8
    Network connectivity ..... 8
    Management systems ..... 9
    Change and configuration management ..... 10
    Patch and update practices ..... 10
VxRack System FLEX security baseline ..... 11
  Compute layer security baseline ..... 11
    VxRack Compute nodes ..... 11
  Network layer security baseline ..... 14
    Cisco NX-OS devices ..... 14
  Storage layer security baseline ..... 22
    ScaleIO ..... 22
  Virtualization layer security baseline ..... 23
    Management Virtual Machines ..... 23
    VMware ESXi ..... 32
    VMware vCenter Single Sign On (SSO) ..... 37
    VMware vSphere Update Manager ..... 37
    VMware vCenter Server Appliance (VCSA) ..... 38
    VMware vNetwork ..... 39
    VMware vSphere Distributed Switch and DVS networking ..... 41
    VMware vSphere Web Client ..... 42
  Management layer security baseline ..... 42
    VxRack Controller nodes ..... 42
  System infrastructure security baseline ..... 45
    Panduit Power Distribution Unit (PDU) ..... 45
Log Management ..... 47
  Internal component log file locations ..... 47
  Configuring an external syslog server ..... 47
Certificate management ..... 48
Operationalizing Converged Systems ..... 49
  Integrating a new Converged System into a live environment ..... 49
  Ongoing security administration ..... 49
  Operational checklist ..... 50
Converged System password management ..... 51
  Compute ..... 51
    Changing the VxRack System FLEX enclosure password ..... 51
  Storage ..... 51
    ScaleIO default accounts ..... 52
    ScaleIO user-defined accounts ..... 54
  Virtualization ..... 55
    Changing a VMware ESXi host root password ..... 55
    Modifying the VMware vCenter Server Single Sign On password ..... 57
    Changing virtual machine operating system administrative passwords ..... 58
  Management ..... 58
    Changing the VxRack Controller password ..... 59
    Vision Intelligent Operations credentials ..... 59
Ports and protocols ..... 64
  ScaleIO ports and authentication ..... 64
  VMware vSphere 6.0 ports and authentication ..... 64
  Vision Intelligent Operations ports and protocols ..... 67
    Open port assignments ..... 67
    Northbound Vision software ports and protocols ..... 69
    Southbound Vision software ports and protocols ..... 70
References ..... 72

Introduction

This guide focuses on the hardening practices implemented by Dell EMC for VxRack System components and provides specific configuration guidance to help mitigate security vulnerabilities and risks. It also provides information on additional security topics related to VxRack Systems.

This document refers to VxRack Systems as Converged Systems.

When reading this guide, consider the following:

Use this guide as a starting point for configuration security. The security controls presented provide a baseline to build on to meet the specific security needs of your organization.

As a baseline, this guide minimizes the operational impacts of security, working with feature sets such as VMware Tools rather than eliminating them, as more secure environments might do.

Dell EMC encourages customers to employ a risk-based approach when hardening Converged Systems to ensure an appropriate balance between security and manageability.

This guide does not focus on a specific security compliance target.

Audience

The intended audience for this guide includes those who are planning, implementing, administering, or auditing security controls in environments containing Converged Systems. The primary audience is technical, but the document addresses the needs of a range of security program professionals.

Customers and partners are expected consumers of this guide.

Prerequisites

Readers of this guide should have a reasonable understanding of the architecture for their Converged System, particularly the management infrastructure. Refer to the appropriate Dell EMC architecture overview for your product for more information.

Additional information

Dell EMC provides other assistance that might be useful for security or compliance-related issues, such as:

Converged Systems guidance for addressing multi-tenant concerns

Protection of management interfaces with enhanced separation of duties, identification, authorization, auditing, and access control

Integrating common security technologies with Converged Systems

Guidance related to specific compliance frameworks and outcomes (for example, PCI, HIPAA, FISMA, and so forth)

Guidance related to advanced cloud solutions, such as Enterprise Hybrid Cloud solutions

The Glossary provides Converged Systems-specific terms and definitions.

Disclaimer

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." Dell EMC MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

CERTAIN COMMERCIAL ENTITIES, EQUIPMENT, OR MATERIALS MAY BE IDENTIFIED IN THIS DOCUMENT IN ORDER TO DESCRIBE AN EXPERIMENTAL PROCEDURE OR CONCEPT ADEQUATELY. SUCH IDENTIFICATION IS NOT INTENDED TO IMPLY RECOMMENDATION OR ENDORSEMENT BY Dell EMC, NOR IS IT INTENDED TO IMPLY THAT THE ENTITIES, MATERIALS, OR EQUIPMENT ARE NECESSARILY THE BEST AVAILABLE FOR THE PURPOSE.

NOTHING IN THIS DOCUMENT SHOULD BE TAKEN TO CONTRADICT STANDARDS AND GUIDELINES MADE MANDATORY AND BINDING BY LAWS OR RULES OF GOVERNMENTAL AGENCIES.

Security strategies

Converged Systems are deployed in a wide range of circumstances and need to address a range of risk conditions. Dell EMC chose to implement a security baseline suitable for the more common, simpler security needs. Dell EMC also tries to ensure that the products can be configured in environments with more challenging security, compliance, and/or operational requirements.

Creating and maintaining the security baseline is a process that is generally aligned with the Risk Management Framework (RMF, NIST Special Publication SP 800-37).

The methodology for controlling risk and improving processes includes:

Secure development life cycle

Risk assessment processes

Between them, these processes yield, among other things:

Best practices incorporated into code and architecture

Component-level hardening guidelines

Coding improvements

Risks identified so mitigating options can be proactively surfaced

The primary focus of this document is on component-level controls because the other considerations have been incorporated into the Dell EMC product architecture and software. This section briefly surveys some threats at a system level and provides insight into alternate risk mitigations.

The Dell EMC account team is available to discuss risks falling outside the baseline scenarios.

Secure development

The Dell EMC Secure Development Life cycle (SDL) is a repeatable and measurable process that enables Dell EMC to meet customers’ expectations by:

Ensuring that product engineering organizations optimally apply security controls during their product development life cycle

Providing product groups with the capability and the information needed to fully assume accountability for the security of the products they ship

Assisting Dell EMC customers in understanding and assessing the overall security posture of the product

Threat landscape and security considerations

Dell EMC takes certain precautions in designing and building Converged Systems to ensure that significant security vulnerabilities are minimized.

Dell EMC also recommends additional controls, but does not implement them in the building process due to variances in customer environments and differing customer security policies.


The security baseline contains more information on security considerations for your Converged System.

Administrative control

Dell EMC takes the precaution of changing all default administrator passwords and following a policy of creating complex passwords for all accounts controlling the management interfaces.

In addition, Dell EMC uses a more secure password storage option whenever possible. In addition to these changes to the default settings in administrative access control, Dell EMC recommends employing the following additional security counter measures, provided they do not conflict with your organization’s security policy:

Threat: Administrator impersonation or privilege abuse

Counter measures:

Use a Lightweight Directory Access Protocol (LDAP) server or Windows Active Directory (AD) authentication for all Converged System components to mitigate password-related threats with password policies and to facilitate entitlements audit.

Use low-level privilege roles for all Converged System components.

Use separation of duties to the greatest extent feasible when administering Converged System components.

Minimize the use of shared credentials. In particular, minimize the use of the default super user accounts.

Capture all event logs with a Security Information and Event Management (SIEM) system. Audit privilege and role change activity, and set up alerts for this activity.

Use strong authentication such as RSA SecurID for administration of Converged Systems.

Use a Converged System-aware Identity and Audit Management (IAM) auditing and compliance tool to validate the consistent and appropriate application of privileges and entitlements.

Network connectivity

As with other network environments, Converged Systems need to be protected from network attacks such as spoofing, traffic sniffing, and traffic tampering. All Converged System components are configured to use secure administrative interfaces that are authenticated and encrypted. Non-secure versions of these interfaces are disabled to mitigate network attacks. Converged Systems authenticate, encrypt, and segregate traffic on the management, control, and data planes.

The default Converged System architecture separates traffic creating distinct, dedicated network zones for control, data, VMware vMotion, backup, and other purposes. Converged System network design incorporates security best practices from the component manufacturers for both physical and virtual network components. For example, console interfaces are connected to a control plane that should not be directly accessible to end users.

Connectivity between the planes is regulated by devices outside of the Converged System. Discuss plane separation with a Dell EMC VMware vArchitect and with Professional Services before connecting your Converged System into your routing infrastructure.

Threat: Network attacks, including spoofing, sniffing, denial of service, repudiation, man in the middle, and tampering.

Counter measures:

Enable secure network protocol options only (for example, HTTPS and Secure Shell (SSH)).

Prefer certificate deployments that are fully integrated with site trust infrastructures over autonomous (self-signed) ones, and train people not to accept self-signed certificates.

Disable unused and non-secure network protocols and services.

Separate management and control traffic from production application traffic. You can provide this separation by using VLANs.

Separate VMware vMotion traffic from production traffic.

Separate data protection (backup, BC/DR) traffic from production traffic.

If network segmentation beyond VLANs is required, Converged Systems can be configured to provide enhanced physical or logical separation of network zones. Some configuration options can be supported in the standard product, such as network Access Control Lists (ACLs) on Cisco Nexus switches or VMware ESXi host firewall rule configuration. Other deployment options might require additional hardware, software, or entitlements (such as Converged Technology Extensions or partner ecosystem solutions). For example, although not part of the standard product architecture, compatible physical or virtual firewall technology can be introduced at critical network boundaries where required, to achieve the required level of security and access control.

Consult with the Dell EMC account team to learn more about options for network segmentation and security.

Management systems

Management system security is vital to the protection of the Converged System and its managed components and resource pools. When a Converged System hosts multiple environments (for example, multiple "tenants" or workloads with distinct security or compliance requirements), the management environment tends to inherit the peak sensitivities of those environments. For example, it accrues the security and compliance obligations (PCI CDE status) or the operational/availability obligations in a VDI setting.

In addition to the Authentication, Authorization and Accounting (AAA) controls, the following are important considerations.

Management ports must have banner messages officially notifying users of monitoring, lack of privacy expectations, and civil and criminal responsibilities for malicious or damaging behavior, regardless of intent.

Default or well-known accounts with a management port must be removed since they provide an attacker an advantage in attempts to compromise the device.

Management ports must be configured to require strong passwords to prevent an attacker from deciphering the password.

Management ports must be configured with a relatively short connection timeout period to minimize the risk from session hijacking.

Standard operations hygiene must be applied on the systems hosting management applications. For example, anti-virus, backups, and patching should all be configured. Note that Dell EMC Support has special guidance regarding operating system patching.

Change and configuration management

Change and configuration management processes are important when using a Converged System.

Anything that can impact either Dell EMC Support Service Level Agreements (SLAs) or any relevant customer SLAs should be considered as part of change and configuration management.

Dell EMC provides the Release Certification Matrix (RCM) that documents software and firmware versions that have been tested by Dell EMC and are known to interoperate properly.

Patch and update practices

Scheduled and emergency patches and updates protect systems from security vulnerabilities and help ensure performance stability.

Use the Release Certification Matrix (RCM) process for your Converged System as the basis of a patch management program. You can also apply emergency patching to address emerging security threats.

Application of critical security updates should be undertaken carefully and with close coordination with the Dell EMC account team, Customer Advocate, and Dell EMC Support to minimize the risk of unscheduled downtime or other negative business impact.

Just as with other systems and devices in the enterprise, you must keep Converged Systems updated to the latest patch levels to ensure the integrity and availability of the platform and its hosted systems. The patch and update process should include the following practices:

Document the version of each hardware and software component

Document risk acceptances for patches delayed or not installed

Research mitigating controls to reduce risk when patches cannot be installed

Follow change management plans to ensure appropriate documentation and approvals

Establish regular patch cycles for high and for low priority patches (for example, weekly and monthly)

Establish and test processes for emergency out-of-cycle patching

Ensure that the patch update cycle satisfies regulatory requirements prior to being audited

Ensure that virtualized systems are re-patched if rolled back prior to scheduled patch date


VxRack System FLEX security baseline

In this document, specific configuration guidance on how to mitigate security vulnerabilities and risks is presented using the following parameters:

Control description: general description of the problem area.

Risk and vulnerability: explanation of the actual risk.

Dell EMC security standard: the specific applicable hardening standard(s).

The following sections provide detail about baseline security practices for each VxRack System component:

Compute layer

Network layer

Storage layer

Virtualization layer

Management layer

Compute layer security baseline

VxRack Compute nodes

VxRack Compute - Default Passwords Change

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure that passwords are rotated for built-in account administrator.

VxRack Compute - Disable Telnet

Control description

Disable telnet

Risk and vulnerability

Telnet is not a secure protocol, as it transmits data in clear text.

Dell EMC security standard

Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.

In the iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet, and click Apply.

VxRack Compute - Disable SSH

Control description

Disable SSH

Risk and vulnerability

Removing any unnecessary services, protocols and scripts reduces the attack vectors a potential hacker would exploit to gain access to sensitive information.

Dell EMC security standard

Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.

In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and click Apply.

VxRack Compute - Disable IPMI over LAN

Control description

Disable IPMI over LAN

Risk and vulnerability

Intelligent Platform Management Interface (IPMI) v2.0 has multiple vulnerabilities, and currently there are no patches to fix them. A potential attacker could exploit these vulnerabilities remotely to obtain the hashed password for the root user, and use an offline password cracking tool to discover the password.

Dell EMC security standard

Ensure IPMI over LAN is disabled if IPMI is not needed by any management components.

This is configured using the Dell iDRAC Web Console.

In the iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled Enable IPMI over LAN, and click Apply.

VxRack Compute - Server access using HTTPS

Control description

To remotely access Dell servers, use secure communication – HTTPS (TCP port 443).

Risk and vulnerability

For any activity conducted remotely, the use of secure protocols adds layers of protection to the transmission of data for those sessions.

Dell EMC security standard

HTTPS is enabled by default and TLS 1.2 Only is selected by default.

In the iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is enabled and that TLS 1.2 Only is selected.

VxRack Compute - Strong community strings

Control description

Define strong, non-trivial community strings where SNMP is required.

Risk and vulnerability

By not changing the default community string, attackers can more easily discover and potentially exploit or compromise the devices.

Dell EMC security standard

Ensure that the read-only community string is changed from "Public."

In the iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new SNMP Community Name, and click Apply.

VxRack Compute - Use SNMP V3

Control description

Use SNMP v3

Risk and vulnerability

SNMP v3 improves security by introducing encryption, integrity checks, and an improved user authentication model.

Dell EMC security standard

Ensure that SNMP v3 is selected.

In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP v3, and click Apply.

VxRack Compute - Disable VNC

Control description

Disable VNC

Risk and vulnerability

Disable VNC to reduce the attack surface.

Dell EMC security standard

Ensure VNC is disabled.

In the iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the box for Enable VNC Server, and click Apply.

VxRack Compute - Disable XML

Control description

Disable XML configuration file import directly from the USB port.

Risk and vulnerability

The USB port allows iDRAC management access from a laptop or tablet connected to the USB port. An attacker could potentially upload an arbitrary configuration file to the server, or apply an XML configuration file directly to the server.

Dell EMC security standard

Ensure that USB XML configuration is disabled in the iDRAC web UI.

In the iDRAC UI, under iDRAC settings > Hardware > USB Management Port, set iDRAC Managed: USB XML Configuration to Disabled.

VxRack Compute - Configure syslogs

Control description

Centralization of logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches become possible and provide visibility into events impacting multiple hosts.

Risk and vulnerability

Operational or security-related alerts and events may be missed when logs are not centrally managed.

Dell EMC security standard

Ensure that remote syslog settings are configured to send log entries to syslog-capable network management systems.

Under iDRAC Settings > Server > Logs, check Remote Syslog Settings, and define up to three syslog server IP addresses.

VxRack Compute - Configure NTP

Control description

Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Vblock System components to the same time source ensures system stability and accuracy of log time stamps.

Risk and vulnerability

By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.

Dell EMC security standard

Ensure NTP configuration is updated with valid NTP time sources.

In the iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Time Protocol (NTP) box, define up to three NTP server IP addresses, and click Apply.

VxRack Compute - Disable USB ports

Control description

USB ports should be used only on an as needed basis and should be disabled otherwise.

Risk and vulnerability

An attacker could use a USB port to introduce malware to the server.

Dell EMC security standard

In BIOS settings > System BIOS Settings > Integrated Devices > Internal USB Port, set it to Off.

VxRack Compute - Disable remote RACADM

Control description

RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM allows the RACADM tool running on a workstation to remotely execute commands against the server's iDRAC interface. It uses SSL for communications between the workstation and the iDRAC interface.

Risk and vulnerability

Disable remote RACADM if this feature is not required, to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations and configuration changes.

Dell EMC security standard

This feature is enabled by default. Disable it.

In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click Apply.

VxRack Compute - Disable IDRAC over SOL

Control description

iDRAC can be accessed through Serial-over-LAN (SOL). This allows remote access to the server using SSH, followed by a connection to the server serial port (com1 or com2, depending on the BIOS setting) to run iDRAC commands.

Risk and vulnerability

Disable iDRAC over SOL to reduce the attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations and configuration changes.

Dell EMC security standard

To disable it, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over LAN, and click Apply.

Network layer security baseline

Cisco NX-OS devices

Cisco NX-OS: NXOS.strong.passwords

Control description

Ensure the Cisco NX-OS device requires the use of strong passwords.


Risk and vulnerability

Passwords must be of sufficient length and meet complexity requirements, not only to meet policy and regulatory requirements but also to help mitigate guessing or cracking of credentials.

Dell EMC security standard

Ensure the Cisco NX-OS device requires the use of strong passwords. When enabled, the password strength check feature rejects any password that does not meet the following requirements:

Must contain a minimum of 8 characters and a maximum of 64 characters

Must contain at least three of the following: lower case letters, upper case letters, digits, special characters

Must not contain a character that is repeated more than three times consecutively, such as aaabbb

Must not be identical to the username or the reverse of the username

Must pass a password dictionary check; for example, the password must not be based on a standard dictionary word

Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign)

Should not be blank for local user and admin accounts
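As an added example that is not part of the Dell EMC guide, the following Python pre-check mirrors the NX-OS password strength rules listed above so an administrator can validate a candidate credential before configuring it on the switch. The sample word list and the way the dictionary check is approximated are assumptions of this example, not the switch's own implementation.

```python
import re
import string

# Constructed stand-in for the NX-OS dictionary (assumption): a real pre-check
# would load a full word list rather than this handful of words.
SAMPLE_DICTIONARY = frozenset({
    "password", "admin", "cisco", "nexus", "welcome", "switch", "secret", "letmein",
})

FORBIDDEN_SYMBOLS = frozenset("$?=")
MIN_LEN, MAX_LEN = 8, 64
# Same character four or more times in a row ("more than three times consecutively").
REPEAT_RE = re.compile(r"(.)\1{3,}")

# Rule name -> the requirement it mirrors from the guide.
RULES = {
    "blank": "Should not be blank for local user and admin accounts",
    "length": "Must contain a minimum of 8 characters and a maximum of 64 characters",
    "classes": "Must contain at least three of: lower case letters, upper case letters, "
               "digits, special characters",
    "repeat": "Must not contain a character repeated more than three times consecutively",
    "username": "Must not be identical to the username or the reverse of the username",
    "dictionary": "Must pass a password dictionary check",
    "symbols": "Must not contain $ (dollar sign), ? (question mark), or = (equals sign)",
}


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    present = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def dictionary_based(password: str, dictionary) -> bool:
    """Approximation of the dictionary check (assumption): the password is flagged
    when its letters alone, lowercased, form a dictionary word ('Password1!' ->
    'password'). The switch's own check may be stricter than this."""
    letters = "".join(c for c in password if c.isalpha()).lower()
    return letters in dictionary


def check_nxos_password(password: str, username: str,
                        dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the names of the rules the password violates; an empty list means
    the strength check would accept it. The username comparison is
    case-insensitive (assumption)."""
    if not password:
        return ["blank"]
    failures = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append("length")
    if character_classes(password) < 3:
        failures.append("classes")
    if REPEAT_RE.search(password):
        failures.append("repeat")
    lowered_user = username.lower()
    if password.lower() in (lowered_user, lowered_user[::-1]):
        failures.append("username")
    if dictionary_based(password, dictionary):
        failures.append("dictionary")
    if FORBIDDEN_SYMBOLS & set(password):
        failures.append("symbols")
    return failures


def explain(failures) -> list:
    """Translate rule names into the guide's wording for a report."""
    return [RULES[name] for name in failures]


if __name__ == "__main__":
    # Constructed sample credentials, not values from any real system.
    samples = [
        ("admin", "Tr0ub4dor&Fox"),   # accepted
        ("admin", "Password1!"),      # dictionary word once digits/symbols are removed
        ("admin", "nimdA"),           # too short, too few classes, reverse of username
        ("admin", "Baaaa1234!"),      # 'a' repeated four times consecutively
        ("admin", "Str0ng=Pass"),     # contains '='
    ]
    for user, pw in samples:
        result = check_nxos_password(pw, user)
        print(f"{pw!r}: {'accepted' if not result else explain(result)}")
```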

Cisco NX-OS: NXOS.CDP.disable

Control description

Ensure that the Cisco Discovery Protocol (CDP) is disabled.

Risk and vulnerability

Cisco Discovery Protocol (CDP) is a network protocol used to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces connected to untrusted networks. This is accomplished with the no CDP enable interface command. Alternatively, CDP can be disabled globally with the no CDP run global configuration command. Note that CDP might be used by a malicious user for reconnaissance and network mapping.

Dell EMC security standard

Ensure that the CDP is disabled.

Cisco NX-OS: NXOS.Telnet.disable

Control description

Ensure that Telnet is disabled.

Risk and vulnerability

The account credentials or commands being passed during a Telnet session might be compromised, as Telnet provides no encryption.

Dell EMC security standard

Ensure that Telnet is disabled.

Cisco NX-OS: NXOS.banner.message

Control description

Configure the Cisco Nexus device to display a warning banner at log on.


Risk and vulnerability

In some legal jurisdictions, you cannot prosecute or legally monitor malicious users unless they have been notified that they are not permitted to use the system. One way to provide this notification is to place this information in a banner message that is configured with the Cisco NX-OS banner log on command. From a security perspective, a log on banner should not contain any specific information about the router name, model, software, or ownership. This information might be abused by malicious users.

Dell EMC security standard

Configure the Cisco Nexus device to display a warning banner at log on.

Cisco NX-OS: NXOS.SSH.enable

Control description

Configure Cisco Nexus device to permit Secure Shell (SSH) connections.

Risk and vulnerability

As information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted.

Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text, an attacker might obtain sensitive information about the device and the network.

Dell EMC security standard

Ensure that SSH is enabled and configured to use a strong 2048 bit RSA key.

Cisco NX-OS: NXOS.SCP.enable

Control description

Ensure SCP is enabled to provide for secure file system transfers.

Risk and vulnerability

By not using SCP, sensitive information might be viewed and/or manipulated by an attacker.

Dell EMC security standard

Ensure SCP is enabled to provide for secure file system transfers.

Cisco NX-OS: NXOS.SFTP.enable

Control description

Ensure SFTP is enabled to provide for secure file system transfers.

Risk and vulnerability

By not using SFTP, sensitive information might be viewed and/or manipulated by an attacker.

Dell EMC security standard

Ensure SFTP is enabled to provide for secure file system transfers.

Cisco NX-OS: NXOS.console.exec.timeout

Control description

Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).

Risk and vulnerability

To set the interval that the exec command interpreter waits for user input before it terminates a session, run the exec-timeout line configuration command. This command must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle (inactive). If a user forgets to log out of an exec session, the connection might remain idle but still active, increasing the potential for someone to gain privileged access to the host.

Dell EMC security standard

Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).


Cisco NX-OS: NXOS.vty.exec.timeout

Control description

Ensure exec-timeout parameter on Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).

Risk and vulnerability

To set the interval that the exec command interpreter waits for user input before it terminates a session, run the exec-timeout line configuration command. This command must be used to log out sessions on a VTY or physical terminal line (TTY) that is left idle (inactive). If a user forgets to log out of an exec session, the connection might remain idle but still active, increasing the potential for someone to gain privileged access to the host.

Dell EMC security standard

Ensure exec-timeout parameter on the Cisco Nexus device console and VTY lines is set to close active sessions after 15 minutes of inactivity (or less).

Cisco NX-OS: NXOS.SNMP.disable

Control description

Ensure that Simple Network Management Protocol (SNMP) is disabled unless required.

Risk and vulnerability

SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.

Dell EMC security standard

Ensure that SNMP is disabled unless required.

Cisco NX-OS: NXOS.SNMP.ro.config

Control description

Ensure that the default read-only community string is changed from Public to a unique value.

Risk and vulnerability

Simple Network Management Protocol (SNMP) provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.

Dell EMC security standard

Ensure that the default read-only community string is changed from Public to a unique value.

Cisco NX-OS: NXOS.SNMP.rw.config

Control description

Ensure that the read-write community string is changed from the default value of Private if Simple Network Management Protocol (SNMP) is used in the environment.

Risk and vulnerability

SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. It provides valuable system and event information and therefore should be enabled throughout the network infrastructure. SNMP might also be used by attackers for network reconnaissance in preparing for an attack. If SNMP access is not required, make sure it is disabled.

Dell EMC security standard

Ensure that the read-write community string is changed from Private to a non-trivial, customer-provided value.


Cisco NX-OS: NXOS.remote.syslog.enable

Control description

Ensure customer-defined remote syslog server is set.

Risk and vulnerability

Remote logging to a central log host provides a secure, centralized store for logs.

Gathering host log files onto a central host makes it easy to monitor all hosts with a single tool. You can also do aggregate analysis and search to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a long-term audit record.

Dell EMC security standard

Ensure a customer-defined remote syslog server is set. In the absence of a customer-defined remote syslog server, Dell EMC sets the Vision Intelligent Operations appliance to collect syslog messages.

Cisco NX-OS: NXOS.disable.ICMP.redirect

Control description

Ensure ICMP redirects are disabled on IOS devices.

Risk and vulnerability

ICMP redirects are used to inform a network device of a better path to an IP destination. In some situations, it might be possible for an attacker to cause the Cisco device to send many ICMP redirect messages, which results in an elevated CPU load. For this reason, it is recommended that the transmission of ICMP redirects be disabled.

Dell EMC security standard

Ensure that ICMP redirect messages are disabled.

Cisco NX-OS: NXOS.ICMP.unreachable

Control description

Ensure that ICMP unreachable messages are disabled.

Risk and vulnerability

ICMP messages might be used by an attacker to map a network in preparation for an attack. This behavior allows the sender to bypass the router and forward future packets directly to the destination (or to a router closer to the destination).

Dell EMC security standard

Ensure that ICMP unreachable messages are disabled.

Cisco NX-OS: NXOS.disable.unused.interfaces

Control description

Ensure that unused switch interfaces are explicitly disabled.

Risk and vulnerability

An unused switch interface might be physically connected and become a point of misuse or exploitation.

Dell EMC security standard

Ensure that unused switch interfaces are explicitly disabled.

Cisco NX-OS: NXOS.NTP.enable

Control description

Ensure that the Cisco Nexus device is configured with a centralized time source to ensure consistency and accuracy.


Risk and vulnerability

Network Time Protocol (NTP) is not an especially dangerous service, but any unneeded service can represent an attack vector. If using NTP, be sure to explicitly configure a trusted time source and use proper authentication. Accurate and reliable time can be very useful for logging purposes, such as for forensic investigations of potential attacks. Configuring NTP authentication provides assurance that NTP messages are exchanged between trusted NTP peers. You should enable authentication for NTP if at all possible. Additionally, for precision and redundancy purposes, you should configure multiple NTP server time sources on the Cisco NX-OS device acting as an NTP client.

Dell EMC security standard

Ensure the Cisco Nexus device is configured with a centralized time source to ensure consistency and accuracy.

Cisco NX-OS: NXOS.disable.ip.source.routing

Control description

Ensure that IP source routing is disabled.

Risk and vulnerability

IP source routing uses the loose source route and record route options in tandem or the strict source route along with the record route option to enable the source of the IP datagram to specify the network path that a packet takes. This function might be used in attempts to route traffic around security controls in the network.

Dell EMC security standard

Ensure that IP source routing is disabled.

Cisco NX-OS: NXOS.disable.ip.directed.broadcasts

Control description

Ensure that the IP directed broadcast feature is disabled on Cisco Nexus devices.

Risk and vulnerability

IP directed broadcast makes it possible to send an IP broadcast packet to a remote IP subnet. Once it reaches the remote network, the forwarding IP device sends the packet as a Layer 2 broadcast to all stations on the subnet. This directed broadcast functionality has been leveraged as an amplification and reflection aid in several attacks, including the smurf attack.

Current versions of Cisco NX-OS have this function disabled by default; however, it can be enabled with the ip directed-broadcast interface configuration command.

Dell EMC security standard

Ensure that IP directed broadcast is disabled on Cisco Nexus devices.

Cisco NX-OS: NXOS.ip.source.guard.enable

Control description

Ensure that IP Source Guard is enabled.

Risk and vulnerability

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:

Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table

Static IP source entries that you configure

Filtering based on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.

Dell EMC security standard

Ensure that IP Source Guard is enabled.


Cisco NX-OS: NXOS.HTTP_Server.disable

Control description

Disable HTTP Server.

Risk and vulnerability

Removing any unnecessary services, protocols, and scripts reduces the attack vectors a potential hacker might exploit to gain access to sensitive information.

Dell EMC security standard

Ensure HTTP Server is disabled.

Cisco NX-OS: NXOS.password.strength-check

Control description

Do not disable password strength check. This feature is enabled by default.

Risk and vulnerability

Disabling the password strength check does not enforce password complexity for local accounts. Cisco NX-OS can optionally enforce strong password checking when a password is set or entered. This feature is enabled by default and it ensures a password must:

Be at least eight characters long.

Not contain many consecutive characters (abcde, lmnopq, and so forth)

Not contain dictionary words (English dictionary)

Not contain many repeating characters (aaabbb, tttttyyyy, and so forth)

Not contain common proper names (John, Mary, Joe, Cisco, and so forth)

Contain both uppercase and lowercase letters

Contain numbers

Dell EMC security standard

Ensure that password strength checking is enabled.

Cisco NX-OS: NXOS.SSH.key.length

Control description

Ensure that Secure Shell (SSH) is enabled and configured to use a strong 2048 bit RSA key.

Risk and vulnerability

As information can be disclosed during an interactive management session, this traffic must be encrypted so that a malicious user cannot gain access to the data being transmitted.

Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in clear text, an attacker might obtain sensitive information about the device and the network.

Dell EMC security standard

Ensure that SSH is enabled and configured to use a strong 2048 bit RSA key.

Cisco NX-OS: NXOS.LoggingTimestamp.configure

Control description

Configure logging timestamp with millisecond precision.

Risk and vulnerability

Configuring logging timestamps helps correlate events across network devices. It is important to implement a correct and consistent logging timestamp configuration to help ensure that you can correlate logging data. Logging timestamps should be configured to include millisecond precision.

Dell EMC security standard

Ensure configuration of logging timestamp with millisecond precision.


Cisco NX-OS: NXOS.UnusedServices.disable

Control description

Disable unused services for Cisco NX-OS devices.

Risk and vulnerability

As a general security best practice, disable any unnecessary services. By default, Cisco NX-OS does not run any of the typical Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) small servers often found in Cisco IOS software or other network operating systems. As a result, these services do not need to be explicitly disabled. Cisco NX-OS is designed to not run remotely-accessible services or protocols by default without explicit configuration. Secure Shell (SSH), Simple Network Management Protocol (SNMP), and Network Time Protocol (NTP) are essential services for running and managing a network. These services are enabled by default. If needed, they can be individually disabled. During initial setup, Cisco NX-OS offers the option to enable Telnet. Note that this service does not load or run at restart time if it is not enabled during this initial setup. If this service is not enabled when the setup script is run, it can be added manually later if needed. Cisco recommends using SSH instead of Telnet for security reasons.

Dell EMC security standard

Ensure that CDP, Telnet, and any other unused services (such as TCP small servers) are disabled.

Cisco NX-OS: NXOS.SSH.Retry limit

Control description

Secure Shell (SSH) provides a secure, encrypted channel for communication with remote terminals. SSH can be configured to limit the number of authentication attempts in a given time period.

Risk and vulnerability

By not configuring SSH authentication parameters, attackers might repeatedly attempt authentication.

Dell EMC security standard

Ensure that SSH is configured to allow only three authentication attempts in any one minute.

Cisco NX-OS: NXOS.DHCP.disable

Control description

Ensure Dynamic Host Configuration Protocol (DHCP) services are disabled if not required.

Risk and vulnerability

Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information dynamically to hosts on a TCP/IP network. A DHCP client is a host that uses DHCP to obtain configuration parameters such as an IP address, DNS server, and so forth.

Due to the nature of DHCP and the services it provides, potential attackers might exploit DHCP functionality as a means of reconnaissance in preparation for an attack. It is also a risk that a rogue DHCP server could be deployed to provide malicious IP or DNS configurations to hosts. DHCP services should be disabled if not required.

Dell EMC security standard

Ensure DHCP services are disabled if not required.

Cisco NX-OS: NXOS.DNS.Resolution.Lookups.disable

Control description

The DNS Resolution Lookup automatically tries to resolve unrecognized commands to local host names.

Risk and vulnerability

Mistyping a command results in delays as the device attempts to resolve the name.

Dell EMC security standard

Ensure domain-lookup feature is disabled.


Cisco NX-OS: NXOS.DefaultPasswords.modify

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure all default passwords are changed to sufficiently complex values.

Cisco NX-OS: NXOS.VLAN.Segmentation

Control description

Use separate VLANs to isolate sensitive data transmissions.

Risk and vulnerability

Without proper identification, documentation, and segmentation of VLANs, network traffic might be viewed from unauthorized sources.

Dell EMC security standard

Some examples of VLAN best practices are:

Ensure that vSphere management traffic is on a restricted network.

Ensure that VLAN 1 is not used for in-band management and pruned from all trunks and from all access ports.

Ensure that vMotion traffic is isolated.

Ensure IP-based storage traffic is isolated.

Ensure that management and system hosts are placed on separate VLANs.
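The NX-OS controls above can be verified mechanically against a saved show running-config capture. The audit script below is an added example and not Dell EMC or Cisco code; it assumes the usual NX-OS command spellings (feature telnet, ssh key rsa, ssh login-attempts, no ip source-route, no ip domain-lookup), which vary by release, and runs against a constructed sample configuration.

```python
"""Audit a Cisco NX-OS running-config against the network baseline controls
above and report the control IDs that fail. Added example, not Dell EMC or
Cisco code. Assumed: input is `show running-config` text; command spellings are
the usual NX-OS ones (they vary by release); an interface with nothing configured
and no shutdown counts as unused."""
import re
# Constructed sample config mixing compliant and non-compliant settings.
SAMPLE_CONFIG = """\
feature telnet
feature ssh
no cdp enable
ssh key rsa 1024
ssh login-attempts 3
banner motd # Authorized use only. #
logging timestamp milliseconds
logging server 192.0.2.10
ntp server 192.0.2.20 use-vrf management
snmp-server community public group network-operator
line console
  exec-timeout 10
line vty
  exec-timeout 30
interface Ethernet1/1
  ip address 198.51.100.1/30
  no ip redirects
interface Ethernet1/4
"""

# (control ID, pattern matched against a whole top-level line, must it be present?)
GLOBAL_RULES = [
    ("NXOS.CDP.disable", r"no cdp enable", True),
    ("NXOS.Telnet.disable", r"feature telnet", False),
    ("NXOS.SSH.enable", r"feature ssh", True),
    ("NXOS.SCP.enable", r"feature scp-server", True),
    ("NXOS.SFTP.enable", r"feature sftp-server", True),
    ("NXOS.banner.message", r"banner motd .*", True),
    ("NXOS.remote.syslog.enable", r"logging server \S+.*", True),
    ("NXOS.LoggingTimestamp.configure", r"logging timestamp milliseconds", True),
    ("NXOS.NTP.enable", r"ntp server \S+.*", True),
    ("NXOS.password.strength-check", r"no password strength-check", False),
    ("NXOS.disable.ip.source.routing", r"no ip source-route", True),
    ("NXOS.DNS.Resolution.Lookups.disable", r"no ip domain-lookup", True),
    ("NXOS.SNMP.ro.config", r"(?i)snmp-server community public .*", False),
    ("NXOS.SNMP.rw.config", r"(?i)snmp-server community private .*", False),
]

def parse_config(text):
    """Top-level lines plus the indented children of each interface/line section."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks

def _number(lines, pattern):
    for line in lines:  # first integer captured by pattern, else None
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None

def audit(text):
    """Return the sorted control IDs the configuration fails."""
    top, blocks = parse_config(text)
    failed = set()
    for control, pattern, required in GLOBAL_RULES:
        if any(re.fullmatch(pattern, line) for line in top) != required:
            failed.add(control)
    if (_number(top, r"ssh key rsa (\d+).*") or 0) < 2048:
        failed.add("NXOS.SSH.key.length")
    attempts = _number(top, r"ssh login-attempts (\d+)")
    if attempts is None or attempts > 3:
        failed.add("NXOS.SSH.Retry limit")
    for section, control in (("line console", "NXOS.console.exec.timeout"),
                             ("line vty", "NXOS.vty.exec.timeout")):
        timeout = _number(blocks.get(section, []), r"exec-timeout (\d+)")
        if timeout is None or timeout == 0 or timeout > 15:  # 0 means never
            failed.add(control)
    for section, lines in blocks.items():
        if not section.startswith("interface "):
            continue
        if not lines:  # nothing configured and not shut down
            failed.add("NXOS.disable.unused.interfaces")
        if "ip directed-broadcast" in lines:
            failed.add("NXOS.disable.ip.directed.broadcasts")
        if "ip unreachables" in lines:
            failed.add("NXOS.ICMP.unreachable")
        if any(l.startswith("ip address ") for l in lines) and "no ip redirects" not in lines:
            failed.add("NXOS.disable.ICMP.redirect")
    return sorted(failed)
```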

Storage layer security baseline

ScaleIO

For detailed ScaleIO security configuration information, refer to the following Dell EMC resources, available at support.emc.com:

ScaleIO Security Configuration Guide

ScaleIO User Guide

ScaleIO: ScaleIO.Passwords.Change

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords might be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure that passwords are rotated for all built-in accounts.

ScaleIO: ScaleIO.SNMP.Trap.Configure

Control description

ScaleIO supports sending Simple Network Management Protocol (SNMP) traps to an SNMP server.


Risk and vulnerability

Defining an incorrect SNMP trap receiver could expose system information to a potential attacker or a rogue trap receiver.

Dell EMC security standard

Ensure a correct SNMP trap receiver is configured according to customer requirements.

ScaleIO: ScaleIO.Logging.Configure

Control description

Log all successful interactive device management access using centralized syslog.

Risk and vulnerability

Logging all successful interactive device management access enables the correlation of events to be viewed when a device is accessed by a host. Not having this in place can negatively impact log review or correlation of events.

Dell EMC security standard

Define a syslog server for centralized event monitoring.

Virtualization layer security baseline

Management Virtual Machines

Management VM: VM.disable-disk-shrinking-shrink

Control description

Disable disk shrinking feature for virtual disks for normal operations.

Risk and vulnerability

Shrinking a virtual disk reclaims unused space in it. The shrinking process itself, which takes place on the host, reduces the size of the disk's files by the amount of disk space reclaimed in the wipe process. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes – that is, users and processes without root or administrator privileges – in virtual machines have the capability to invoke this procedure. A non-root user cannot erase the parts of the virtual disk that require root-level permissions. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial of service. In most datacenter environments, disk shrinking is not done, so you should disable this feature. Repeated disk shrinking can make a virtual disk unavailable. Limited capability is available to non-administrative users in the guest.

Dell EMC security standard

Ensure the shrinking of virtual disks is restricted.

Management VM: VM.limit-console-connections-one

Control description

Limit sharing of console connections.


Risk and vulnerability

By default, more than one user at a time can connect to remote console sessions. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the virtual machine logs in using a VMware remote console during their session, a non-administrator in the virtual machine can connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session and the administrator loses connection to that box, the console session remains open. Allowing two console sessions permits debugging using a shared session.

For highest security, allow only one remote console session at a time.

Dell EMC security standard

Ensure only a single connection, at maximum, is allowed to a remote session.

Management VM: VM.disable-console-drag-n-drop

Control description

Explicitly disable copy/paste operations.

Risk and vulnerability

Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.

Dell EMC security standard

Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.

Management VM: VM.disable-console-copy

Control description

Explicitly disable copy/paste operations.

Risk and vulnerability

Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.

Dell EMC security standard

Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.

Management VM: VM.disable-console-paste

Control description

Explicitly disable copy/paste operations.

Risk and vulnerability

Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.

Dell EMC security standard

Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.

Management VM: VM.disable-console-gui-options

Control description

Explicitly disable copy/paste operations.

Risk and vulnerability

Information might be improperly disclosed if copy/paste operations are permitted during console sessions. Copy and paste operations are disabled by default. However, if you explicitly disable this feature, audit controls can check that this setting is correct.

Dell EMC security standard

Ensure clipboard information (for example, using cut and paste) is not shareable between the virtual machines and the computers running the remote console session.


Management VM: VM.disconnect-devices-floppy

Control description

Disconnect unused/unauthorized devices.

Risk and vulnerability

Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.

Dell EMC security standard

Ensure that virtual devices are disabled so as to eliminate potential attack vectors.

Management VM: VM.disconnect-devices-serial

Control description

Disconnect unused/unauthorized devices.

Risk and vulnerability

Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.

Dell EMC security standard

Ensure that virtual devices are disabled so as to eliminate potential attack vectors.

Management VM: VM.disconnect-devices-parallel

Control description

Disconnect unused/unauthorized devices.

Risk and vulnerability

Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.

Dell EMC security standard

Ensure that virtual devices are disabled so as to eliminate potential attack vectors.


Management VM: VM.disconnect-devices-usb

Control description

Disconnect unused/unauthorized devices.

Risk and vulnerability

Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.

Dell EMC security standard

Ensure that virtual devices are disabled so as to eliminate potential attack vectors.

Management VM: VM.disconnect-devices-ide

Control description

Disconnect unused/unauthorized devices.

Risk and vulnerability

Virtual devices such as serial and parallel ports, CD/DVD drives, and USB ports might be used to compromise a system. Ensure that no device is connected to a virtual machine if it is not required. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be set to False. The parameters listed are not sufficient to ensure that a device is usable; other required parameters specify how each device is instantiated. Any enabled or connected device represents a potential attack channel. When set to False, functionality is disabled; however, the device might still show up in the guest operating system.

Dell EMC security standard

Ensure that virtual devices are disabled so as to eliminate potential attack vectors.

Management VM: VM.prevent-device-interaction-connect

Control description

Prevent unauthorized removal, connection, and modification of devices.

Risk and vulnerability

Non-administrative users can reconnect a disconnected CD-ROM drive and access mounted information. Non-administrative users can disconnect or change network adaptor settings and disrupt service to the virtual machine. In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to use the device again, you can prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying a device from within the guest operating system. By default, a rogue user with non-administrator privileges in a virtual machine can:

Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive

Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service

Dell EMC security standard

Ensure that virtual devices cannot be disconnected or edited to prevent disruption of services.


Management VM: VM.prevent-device-interaction-edit

Control description

Prevent unauthorized removal, connection, and modification of devices.

Risk and vulnerability

Non-administrative users can reconnect a disconnected CD-ROM drive and access mounted information. Non-administrative users can disconnect or change network adaptor settings and disrupt service to the virtual machine. In a virtual machine, users and processes without root or administrator privileges can connect or disconnect devices, such as network adaptors and CD-ROM drives, and can modify device settings. Use the virtual machine settings editor or configuration editor to remove unneeded or unused hardware devices. If you want to keep a device for later use, you can instead prevent a user or running process in the virtual machine from connecting, disconnecting, or modifying it from within the guest operating system. By default, a rogue user with non-administrator privileges in a virtual machine can:

Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive

Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service

Dell EMC security standard

Ensure that virtual devices cannot be disconnected or edited to prevent disruption of services.

Management VM: VM.limit-log-size

Control description

Limit virtual machine logging. Check virtual machine configuration settings and verify that log.rotateSize is set to 100000.

Risk and vulnerability

Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.

To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. However, each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.

Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.

Dell EMC security standard

Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size.
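The rotation bound the two log controls rely on (a file is never more than 4 KB over log.rotateSize, so total usage is capped) can be checked with a small model. This is an added example written for this guide, not VMware's implementation; it assumes log.keepOld counts rotated files kept in addition to the active log.

```python
"""Model of vmware.log rotation under log.rotateSize / log.keepOld.

Constructed example: it models the behaviour described in the control text,
not VMware's code. Assumption: log.keepOld is the number of rotated files
retained in addition to the active log.
"""
from collections import deque

ENTRY_CAP = 4 * 1024  # each log entry is limited to 4 KB


class RotatingVmLog:
    def __init__(self, rotate_size=100_000, keep_old=10):
        self.rotate_size = rotate_size  # log.rotateSize, in bytes
        self.keep_old = keep_old        # log.keepOld
        self.current = 0                # bytes in the active log file
        self.old = deque()              # sizes of rotated files, oldest first
        self.deleted = 0                # rotated files discarded so far

    def write(self, entry: bytes) -> None:
        entry = entry[:ENTRY_CAP]  # an oversized entry is cut to 4 KB
        # The size check happens before the write: if the active file is
        # already over the limit, this entry goes to a fresh file.
        if self.current > self.rotate_size:
            self.old.append(self.current)
            if len(self.old) > self.keep_old:
                self.old.popleft()  # the oldest rotated file is deleted
                self.deleted += 1
            self.current = 0
        self.current += len(entry)

    def largest_file(self) -> int:
        return max([self.current, *self.old])

    def total_bytes(self) -> int:
        return self.current + sum(self.old)

    def worst_case_bytes(self) -> int:
        """Datastore usage can never exceed this: keep_old + 1 files,
        each at most rotate_size + ENTRY_CAP bytes."""
        return (self.keep_old + 1) * (self.rotate_size + ENTRY_CAP)


def flood(writes: int, entry_size: int, rotate_size=100_000, keep_old=10) -> RotatingVmLog:
    """Simulate a guest that emits `writes` entries of `entry_size` bytes
    (the log-filling denial-of-service case) and return the log state."""
    log = RotatingVmLog(rotate_size, keep_old)
    for _ in range(writes):
        log.write(b"A" * entry_size)
    return log


if __name__ == "__main__":
    log = flood(5000, 1_000_000)
    print(f"largest file {log.largest_file()} B, total {log.total_bytes()} B, "
          f"bound {log.worst_case_bytes()} B, deleted {log.deleted} files")
```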

Management VM: VM.limit-log-number

Control description

Limit virtual machine logging. Check virtual machine configuration settings and verify that log.keepOld is set to 10.


Risk and vulnerability

Normally a new log file is created only when a host is restarted, so the file can grow to be quite large. Use log settings to limit the total size and number of log files. You can limit the maximum log file size to ensure that new log files are created more frequently.

To restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1,000 KB. Datastores are likely to be formatted with a block size of 2 MB or 4 MB, so a size limit too far below this size would result in unnecessary storage usage. Each time an entry is written to the log, the log size is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, the oldest log file is deleted when a new one is created. A denial-of-service attack that avoids these limits might be attempted by writing an enormous log entry. But each log entry is limited to 4 KB, so no log files are ever more than 4 KB larger than the configured limit.

Another option is to disable logging for the virtual machine, making troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient. Uncontrolled logging can lead to denial of service due to the datastore being filled.

Dell EMC security standard

Ensure that only the last 10 virtual machine log files are saved, with each restricted to 1 MB in size.

Management VM: VM.limit-setinfo-size

Control description

Limit informational messages from the virtual machine to the VMX file.

Risk and vulnerability

The configuration file containing the name-value pairs is limited to a size of 1 MB. This capacity should be sufficient for most cases, but you can change this value if necessary.

You might increase this value if large amounts of custom information are being stored in the configuration file. The default limit is 1 MB. This limit is applied even when the sizeLimit parameter is not listed in the VMX file. Uncontrolled size for the VMX file can lead to denial of service if the datastore is filled.

Dell EMC security standard

Ensure the VMware VMX configuration file is explicitly configured for 1 MB size restriction.

Management VM: vCenter.restrict-guest-control

Control description

Restrict unauthorized VMware vSphere users from being able to execute commands in the guest virtual machine.

Risk and vulnerability

By default, VMware vCenter Server administrator role allows users to interact with files and programs inside a virtual machine's guest operating system, which can lessen guest data confidentiality, availability, or integrity. Least Privilege requires that this privilege should not be granted to any users who are not authorized. A non-guest access administrator role should be created with these privileges removed. This role allows administrator privileges excluding those allowing file and program interaction in the guests.

Dell EMC security standard

Create a new role for administration that does not allow interaction with guest operating system files or programs.

Management VM: VM.restrict-host-info

Control description

Do not send host information to guests.


Risk and vulnerability

By enabling a virtual machine to get detailed information about the physical host, an adversary could potentially use this information to inform further attacks on the host. If set to True, a virtual machine can obtain detailed information about the physical host. The default value for the parameter is False. This setting should not be True unless a particular virtual machine requires this information for performance monitoring.

Check virtual machine configuration settings and verify that tools.guestlib.enableHostInfo is set to False.

Dell EMC security standard

Ensure that information pertaining to the physical host cannot be obtained by the virtual machines.

Management VM: VM.disable-unexposed-features-getcreds

Control description

Disable unnecessary features or services.

Risk and vulnerability

Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.

Dell EMC security standard

Ensure that configuration settings and parameters are explicitly set to disabled if not required.

Management VM: VM.disable-unexposed-features-unitypush

Control description

Disable unnecessary features or services.

Risk and vulnerability

Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.

Dell EMC security standard

Ensure that configuration settings and parameters are explicitly set to disabled if not required.

Management VM: VM.disable-unexposed-features-launchmenu

Control description

Disable unnecessary features or services.

Risk and vulnerability

Some VMX parameters do not apply on VMware vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces the number of ways in which a guest might affect the host.

Dell EMC security standard

Ensure that configuration settings and parameters are explicitly set to disabled if not required.

Management VM: VM.disable-unexposed-features-memsfss

Control description

Disable unnecessary features or services.


Risk and vulnerability

As VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that do not apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them reduces the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus might help prevent successful exploits.

Dell EMC security standard

Ensure that configuration settings and parameters are explicitly set to disabled if not required.

Management VM: VM.disable-independent-nonpersistent

Control description

Avoid using independent non-persistent disks.

Risk and vulnerability

With non-persistent disk mode, successful attackers, with a simple shutdown or restart, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, production virtual machines should be set to use persistent disk mode.

Additionally, make sure that activity in the virtual machine is logged remotely on a separate server, such as a syslog server or equivalent Windows-based event collector. Without a persistent record of activity on a virtual machine, administrators might never know whether they have been attacked or hacked.

Dell EMC security standard

Ensure that configuration settings and parameters are explicitly set to desired values; in this case, scsiX:Y.mode = Not present OR not set to independent nonpersistent.

Management VM: VM.isolation.tools.autoInstall.disable

Control description

Disable tools that require automatic restarting after installation.

Risk and vulnerability

Tools auto install can initiate an automatic restart. Disabling this option prevents tools from being installed automatically and prevents automatic machine restarts.

For Linux-based operating systems, Open VM Tools is widely available as a distribution-based package. Consider using this method to manage VM Tools installation. If you do this, disable VM Tools auto-install using this guideline.

Dell EMC security standard

Check virtual machine configuration settings to verify that isolation.tools.autoinstall.disable is set to True.
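The Management VM controls above all reduce to checks on name-value pairs in the virtual machine's .vmx file, so they can be audited together. The following is an added example for this guide, not Dell EMC or VMware tooling; keys that the text does not name (the device-interaction, setInfo size limit and unexposed-feature keys) are taken from VMware hardening guidance and are assumptions of this example, and the sample .vmx is constructed.

```python
"""Audit an exported .vmx file against the Management VM baseline above.

Added example, not Dell EMC or VMware tooling. VMX keys that the guide does
not name are taken from VMware hardening guidance and are assumptions here.
"""
import re

# key -> value the baseline requires to be set explicitly
REQUIRED = {
    "log.rotateSize": "100000",                        # VM.limit-log-size
    "log.keepOld": "10",                               # VM.limit-log-number
    "tools.setInfo.sizeLimit": "1048576",              # VM.limit-setinfo-size, 1 MB (assumed key)
    "tools.guestlib.enableHostInfo": "FALSE",          # VM.restrict-host-info
    "isolation.tools.autoInstall.disable": "TRUE",     # VM.isolation.tools.autoInstall.disable
    "isolation.device.connectable.disable": "TRUE",    # VM.prevent-device-interaction-connect (assumed key)
    "isolation.device.edit.disable": "TRUE",           # VM.prevent-device-interaction-edit (assumed key)
    "isolation.tools.getCreds.disable": "TRUE",        # VM.disable-unexposed-features-getcreds (assumed key)
    "isolation.tools.memSchedFakeSampleStats.disable": "TRUE",  # ...-memsfss (assumed key)
}
# Rarely needed devices: the .present key may be absent, otherwise it must be FALSE.
UNUSED_DEVICE = re.compile(r"^(serial|parallel|floppy)\d+\.present$")
# scsiX:Y.mode may be absent but must never be independent-nonpersistent.
SCSI_MODE = re.compile(r"^scsi\d+:\d+\.mode$")
VMX_LINE = re.compile(r'^([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict:
    """Parse `key = "value"` lines into a dict; keys are lower-cased so that
    case differences in the guide's spelling do not matter."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit(cfg: dict) -> list:
    """Return one finding per baseline deviation (empty list means compliant)."""
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key.lower())
        if got is None:
            findings.append(f"{key}: not set (baseline requires explicit {want})")
        elif got.upper() != want.upper():
            findings.append(f"{key}: {got!r}, expected {want!r}")
    for key, val in cfg.items():
        if UNUSED_DEVICE.match(key) and val.upper() != "FALSE":
            findings.append(f"{key}: {val!r}, unused device must be absent or FALSE")
        if SCSI_MODE.match(key) and val.lower().replace("_", "-") == "independent-nonpersistent":
            findings.append(f"{key}: independent-nonpersistent disk discards evidence on restart")
    return findings


# Constructed sample of a management VM that has drifted from the baseline.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "mgmt-vm-01"
log.rotateSize = "100000"
log.keepOld = "5"
tools.guestlib.enableHostInfo = "TRUE"
isolation.tools.autoInstall.disable = "TRUE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
serial0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.mode = "independent-nonpersistent"
"""

if __name__ == "__main__":
    for finding in audit(parse_vmx(SAMPLE_VMX)):
        print("FAIL", finding)
```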

Management VM: VM.HostGuestFileSystem.disable

Control description

Disable Host Guest File System transfers.

Risk and vulnerability

Certain automated tools use a hypervisor component Host Guest File System. An attacker might potentially use this to transfer files inside the guest operating system.

Dell EMC security standard

Disable Host Guest File System transfers.

Management VM: VM.MonitorControl.disable

Control description

Disable VM Monitor Control to further hide system information.


Risk and vulnerability

Virtual machines running on a hypervisor are "aware" that they are running in a virtual environment and this information is available to tools inside the guest operating system. This can give attackers information about the platform on which they are run.

Dell EMC security standard

Disable VM Monitor Control to further hide system information.

Management VM: VM.host-performance-info.disable

Control description

This setting, if enabled, allows the virtual machine to obtain detailed information about the physical host.

Risk and vulnerability

Information gained about the physical host might be used to assist in subsequent attacks against the physical host.

Dell EMC security standard

Ensure this setting is disabled.

Management VM: VM.Unecessary-Services.disable

Control description

Disable any unnecessary functions inside virtual machines.

Risk and vulnerability

Disabling unnecessary system components not needed to support the application or service running on the system reduces the number of attack vectors.

Dell EMC security standard

Disable any unnecessary functions inside virtual machines.

Management VM: VM.DefaultPasswords.modify

Control description

Remove default accounts and passwords.

Risk and vulnerability

During installation, the default password is not changed. This must be done manually.

Dell EMC security standard

Remove default accounts and passwords.

Management VM: VM.ToolsAutoInstall.Disable

Control description

Disable tools that require automatic restarting after installation.

Risk and vulnerability

Tools that auto-install might initiate an automatic restart that disrupts the current environment.

Dell EMC security standard

Disable tools that require automatic restarting after installation.

Management VM: VM.Passwords.Modify

Control description

Remove default accounts and passwords.

Risk and vulnerability

During installation of the vCenter Server Appliance (VCSA), the default password is not changed. This must be done manually.

Dell EMC security standard

Remove default accounts and passwords.


Management VM: VM.Configure.NTP

Control description

Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network.

According to VMware best practices related to time synchronization, configuration of virtual machine time synchronization should be implemented using the native OS tools on the VM.

See VMware KB 1318 for more information concerning best practices for Windows: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318

See VMware KB 1006427 for more information concerning best practices for Linux: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427

Risk and vulnerability

By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.

Dell EMC security standard

NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.

VMware ESXi

VMware ESXi: ESXi.enable-remote-syslog

Control description

Configure remote logging for VMware vSphere ESXi hosts.

Risk and vulnerability

Remote logging to a central log host provides a secure, centralized store for VMware vSphere ESXi logs. By gathering host log files onto a central host, you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and also provides a long-term audit record. To facilitate remote logging, VMware provides the vSphere Syslog Collector.

Dell EMC security standard

Ensure remote Syslog is configured to centralize alert and event logging.

VMware ESXi: ESXi.config-ntp

Control description

Configure Network Time Protocol (NTP) time synchronization.

Risk and vulnerability

Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time – UTC), makes it simpler to track and correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.

Dell EMC security standard

Ensure a centralized time source is used to ensure consistency.


VMware ESXi: ESXi.enable-normal-lockdown-mode

Control description

Enable Normal Lockdown Mode to restrict access.

Risk and vulnerability

Enabling lockdown mode disables direct access to a VMware vSphere ESXi host requiring the host be managed remotely from vCenter Server. This is done to ensure the roles and access controls implemented in vCenter are always enforced and users cannot bypass them by logging into a host directly. Forcing all interaction to occur through vCenter Server greatly reduces the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited. Lockdown mode does not apply to users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log on to the Direct Console User Interface (DCUI). By default, the root user is the only user listed in the DCUI.Access list.

Dell EMC security standard

Enable lockdown mode for all VMware vSphere ESXi host systems, use DCUI for administration or authorized keys for Secure Shell (SSH) access where required.

VMware ESXi: ESXi.config-persistent-logs

Control description

Configure persistent logging for all VMware vSphere ESXi hosts.

Risk and vulnerability

VMware vSphere ESXi can be configured to store log files on an in-memory file system.

This occurs when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day's worth of logs are stored at any time. In addition, log files are reinitialized upon each restart. This presents a security risk, as user activity logged on the host is only stored temporarily and does not persist across restarts. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.

Dell EMC security standard

VMware vSphere ESXi host logging should always be configured to a persistent datastore.

VMware ESXi: vNetwork.reject-mac-changes

Control description

Ensure that the MAC Address Changes policy is set to Reject.

Risk and vulnerability

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting the policy to Reject prevents virtual machines from changing their effective MAC address. It affects applications that require this functionality; for example, Microsoft Clustering, which requires systems to effectively share a MAC address. This also affects how a layer 2 bridge operates and affects applications that require a specific MAC address for licensing. An exception should be made for the port groups to which these applications connect.

Reject MAC Changes can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.

Dell EMC security standard

Ensure that the MAC Address Changes policy is set to Reject.

VMware ESXi: vNetwork.reject-forged-transmit

Control description

Ensure that the Forged Transmits policy is set to Reject.


Risk and vulnerability

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.

Forged transmissions is set to Accept by default. This means the virtual switch does not compare the source and effective MAC addresses.

To protect against MAC address impersonation, all virtual switches should have forged transmissions set to Reject. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch level settings at the Portgroup level.

Dell EMC security standard

Ensure that the Forged Transmits policy is set to Reject.
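The two vSwitch checks described above, MAC Address Changes (initial versus effective MAC) and Forged Transmits (frame source versus effective MAC), with the port-group override of the switch-level setting, as an added model written for this guide rather than VMware code. The MAC addresses and frames are constructed.

```python
"""Model of the vSwitch MAC Address Changes and Forged Transmits policies.

Added example illustrating the checks described in the guide; not VMware code.
Policy values (Accept/Reject) and the port-group override follow the text;
the frame layout is a standard Ethernet II header.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed Ethernet II frame used as a test vector for the checks."""
    return ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


class SecurityPolicy:
    """Effective policy for a port group; None inherits the vSwitch setting."""

    def __init__(self, vswitch: dict, mac_changes=None, forged_transmits=None):
        self.mac_changes = mac_changes or vswitch["mac_changes"]
        self.forged_transmits = forged_transmits or vswitch["forged_transmits"]


class VirtualPort:
    def __init__(self, initial_mac: str, policy: SecurityPolicy):
        self.initial_mac = initial_mac.lower()    # MAC assigned in the .vmx
        self.effective_mac = initial_mac.lower()  # MAC the guest currently uses
        self.policy = policy

    def guest_changes_mac(self, new_mac: str) -> bool:
        """MAC Address Changes check: with Reject, the guest may only use
        its initial MAC. Returns True when the change is accepted."""
        new_mac = new_mac.lower()
        if self.policy.mac_changes == "Reject" and new_mac != self.initial_mac:
            return False
        self.effective_mac = new_mac
        return True

    def transmit(self, frame: bytes) -> bool:
        """Forged Transmits check: with Reject, drop any frame whose source
        MAC differs from the effective MAC; with Accept no comparison is made."""
        if len(frame) < ETH_HDR.size:
            return False
        _dst, src, _ethertype = ETH_HDR.unpack_from(frame)
        src_mac = ":".join(f"{b:02x}" for b in src)
        if self.policy.forged_transmits == "Reject" and src_mac != self.effective_mac:
            return False
        return True


DEFAULT_VSWITCH = {"mac_changes": "Accept", "forged_transmits": "Accept"}  # defaults
HARDENED = SecurityPolicy(DEFAULT_VSWITCH, mac_changes="Reject", forged_transmits="Reject")


def simulate(policy: SecurityPolicy) -> dict:
    """Run one VM port through a MAC change and a spoofed frame under `policy`."""
    port = VirtualPort("00:50:56:aa:bb:01", policy)
    legit = build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:aa:bb:01")
    spoof = build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:aa:bb:02")
    return {
        "mac_change_accepted": port.guest_changes_mac("00:50:56:aa:bb:02"),
        "legit_frame_sent": port.transmit(legit),
        "spoofed_frame_sent": port.transmit(spoof),
    }


if __name__ == "__main__":
    print("default :", simulate(SecurityPolicy(DEFAULT_VSWITCH)))
    print("hardened:", simulate(HARDENED))
```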

VMware ESXi: ESXi.disable-mob

Control description

Disable Managed Object Browser (MOB).

Risk and vulnerability

The Managed Object Browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host. It also enables configurations to be changed. This interface is meant to be used primarily for debugging the VMware vSphere SDK. In vSphere 6.0 this is disabled by default.

Dell EMC security standard

Ensure MOB is disabled.

VMware ESXi: ESXi.firewall-enabled

Control description

Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host.

Risk and vulnerability

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Dell EMC security standard

Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.

VMware ESXi: ESXi.firewall-enabled

Control description

Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for SSH client.

Risk and vulnerability

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Dell EMC security standard

Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.

VMware ESXi: ESXi.firewall-enabled

Control description

Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception enabled for NTP client.


Risk and vulnerability

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Dell EMC security standard

Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.

VMware ESXi: ESXi.firewall-enabled

Control description

Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall exception is enabled for syslog.

Risk and vulnerability

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Dell EMC security standard

Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.

VMware ESXi: ESXi.firewall-enabled

Control description

Configure the VMware vSphere ESXi host firewall to restrict access to services running on the host. Firewall is enabled for netdump.

Risk and vulnerability

Unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to only allow access from authorized networks.

Dell EMC security standard

Ensure that the ESXi firewall is enabled and configured for all hosts with the appropriate firewall rulesets.

VMware ESXi: ESXi.DefaultPasswords.modify

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure that passwords are rotated for built-in accounts.

VMware ESXi: ESXI.ShellTimeout.config

Control description

Configure session timeout to 15 minutes for the Unisphere console.

Risk and vulnerability

Establishing a timeout policy for idle sessions mitigates the risk of an unauthorized user performing unauthorized tasks on a host.

Dell EMC security standard

Ensure that idle ESXi Shell and Secure Shell (SSH) sessions timeouts are set to 15 minutes.

VMware ESXi: ESXI.CommandShell.disable

Control description

Disable ESXi Shell unless needed for diagnostics or troubleshooting.


Risk and vulnerability

The ESXi Shell bypasses VMware vCenter role-based access control (RBAC) and audit controls. Disabling this feature allows for a centralized audit system controlled by vCenter.

Only enable this feature to troubleshoot or resolve problems that cannot be fixed through the VMware vSphere client or vCLI.

Dell EMC security standard

Ensure that ESXi Shell is disabled unless needed for diagnostics or troubleshooting.

VMware ESXi: ESXi.SNMP.CommunityString

Control description

Define strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.

Risk and vulnerability

By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.

Dell EMC security standard

Ensure that the SNMP community strings are changed from the default to a non-trivial, customer-provided value.

VMware ESXi: ESXi.UnusedServices.disable

Control description

VMware vSphere ESXi is based on a hardened hypervisor operating system that is designed with minimum attack surface. However, the ESXi configuration should be reviewed to ensure that only required services are enabled in order to further reduce attack surface.

Risk and vulnerability

Unused services might provide system information or other functions that can be exploited to attempt to gain access to the system. Services that are not required should be disabled.

For example, if Simple Network Management Protocol (SNMP) is not used in the environment, it should be disabled.

Dell EMC security standard

Ensure that unused services are disabled.

VMware ESXi: ESXI.Auto-Password-Change-Policy.configure

Control description

A timer controls how often the vpxuser password must be changed.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure that vpxuser auto-password change is set to automatically change by VMware vCenter every 30 days.

VMware ESXi: ESXi.Password.Complexity

Control description

Ensure that passwords meet complexity requirements.


Risk and vulnerability

To mitigate the risk of gaining unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password generators to determine. Starting with vSphere 6.0, user passwords must meet the following requirements:

Must contain characters from at least three character classes

Passwords containing characters from three character classes must be at least seven characters long

Passwords containing characters from all four character classes must be at least seven characters long

Cannot contain a dictionary word or part of a dictionary word

Dell EMC security standard

Ensure that passwords meet complexity requirements.

VMware vCenter Single Sign On (SSO)

VMware SSO: SSO.verify-SSO-Password-policy

Control description

Sample password policy:

Minimum password length of eight characters

Maximum of three attempts to define a new password of acceptable value before the command fails

Minimum of three characters that were not in the previous password

Minimum of one numeral in the new password

Configure default password expiration period for 90 days

Risk and vulnerability

To mitigate the risk of gaining unauthorized access, it is important to use passwords that are not easily guessed and that are difficult for password brute-force tools to determine.

Dell EMC security standard

Ensure that a complex password policy is set for administrative accounts, particularly for administrator@vsphere.local or accounts that are members of the Administrators group in vCenter.

VMware vSphere Update Manager

VMware vSphere Update Manager: VUM.audit-vum-login

Control description

Ensure VMware vSphere Update Manager administrator account passwords are changed from system build defaults.


Risk and vulnerability

Once someone logs on to vSphere Update Manager, it becomes more difficult to limit what they can do. In general, logging on to the Update Manager system should be limited to very privileged administrators, and then only for the purpose of administering vSphere Update Manager or the host operating system. Anyone logged on to the Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.

To run and use Update Manager, you must use a local system account for the machine on which Update Manager is installed. (Refer to http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.update_manager.doc/GUID-3632A492-0462-47CF-BC70-C636544F800D.html.)

Note that in VUM60u1, the plugin for Web client is automatically installed and all functionality for VUM is available. http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-update-manager-60u1-release-notes.html

Dell EMC security standard

Ensure that the administrator account password for vSphere Update Manager is changed to a unique, sufficiently complex value.

VMware vSphere Update Manager: VUM.NTP.config

Control description

Ensure VMware vSphere Update Manager system components are configured to synchronize with a trusted Network Time Protocol (NTP) time source.

Risk and vulnerability

Ensuring that all systems use the same relative time source (including the relevant localization offset) and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time—UTC), makes it simpler to track and correlate an intruder’s actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate. Incorrect time settings can also introduce log on issues and certificate issues with the Platform Services Controller, as all components rely on coordinated time.

Native time synchronization software, such as NTP, is typically more accurate than VMware Tools periodic time synchronization and is therefore preferred.

Dell EMC security standard

Ensure that a trusted NTP time source is configured using a customer-provided NTP source.

VMware vCenter Server Appliance (VCSA)

VMware Virtual Center Server Appliance: VCSA.DefaultPasswords.modify

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system. For VMware vCenter Server Appliance (VCSA), two accounts in particular to audit are the root account of the virtual appliance (based on a hardened SUSE Linux OS) and the vCenter SSO administrator account administrator@vsphere.local (or other accounts in the Administrators group).

The vCenter Server Appliance (VCSA) 6.0 releases enforce local account password expiration after 90 days by default. When the expiration date is reached, the root account is locked out, so plan root password rotation before that date. For more information, see https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2069041


Dell EMC security standard

Ensure that passwords are rotated for built-in accounts.

VMware Virtual Center Server Appliance: VCSA.SNMP.CommunityString

Control description

Define strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.

Risk and vulnerability

By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.

Dell EMC security standard

Ensure that the default community strings Public and Private are changed to unique, non-trivial values.

VMware Virtual Center Server Appliance: VCSA.Logging.config

Control description

Log all successful interactive device management access using centralized syslog.

Risk and vulnerability

Logging all successful interactive device management access makes it possible to correlate events whenever a device is accessed from a host. Without it, log review and correlation of events are impaired.

Dell EMC security standard

Ensure a customer-defined remote syslog server is set. In the absence of a customer-defined remote syslog server, Dell EMC sets the Vision Intelligent Operations appliance to collect syslog messages.

VMware Virtual Center Server Appliance: VCSA.NTP.Config

Control description

Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.

Risk and vulnerability

By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.

Dell EMC security standard

NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.

VMware Virtual Center Server Appliance: VCSA.Unused-Services.Disable

Control description

Simple Network Management Protocol (SNMP) is used for managing devices on an IP network. SNMP can be used to read information as well as to set (write) information.

Risk and vulnerability

An SNMP agent that is enabled but not used is an exposed service with no operational benefit. If SNMP is not used in the environment, disable it so that it cannot be exploited.

Dell EMC security standard

Disable SNMP if it is not used in the environment. Where it is required, apply the community string control above.

VMware vNetwork


VMware vNetwork: vNetwork.Forged-MAC-address.policy

Control description

By default, forged transmissions are accepted on standard virtual switches and rejected on distributed virtual switches. When accepted, the virtual switch does not compare source and effective MAC addresses. This allows frames with different source and effective MAC addresses to be transmitted.

Risk and vulnerability

Effective MAC addresses might be changed to impersonate other network devices.

Dell EMC security standard

Set to Reject.

VMware vNetwork: vNetwork.PromiscuousMode.config

Control description

When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential to read all packets across that network. By default, promiscuous mode is set to Reject on standard virtual switches and distributed virtual switches.

Risk and vulnerability

Any user logged in to a virtual machine connected to the same dvPortgroup can potentially view traffic destined for other guest or host operating systems.

Dell EMC security standard

Set to Reject.

VMware vNetwork: vNetwork.Mgt-Segmentation.config

Control description

Management interfaces provide access to the VMware vSphere components. Access to these interfaces is not required for normal users to use virtual machines.

Risk and vulnerability

VMware management interfaces might be attacked and exploited if connected to noncontrolled networks. This can be mitigated by ensuring management traffic is on a restricted network.

Dell EMC security standard

Keep the vSphere management interfaces on a restricted management network. Access to these interfaces is not required for normal users to use virtual machines.

VMware vNetwork: vNetwork-Management Network-Access Control.config

Control description

Strictly restrict access to the management network to specific hosts.

Risk and vulnerability

The management network is necessary for administration and support purposes and needs to be secured on par with the most secure virtual machine running on a host/cluster.

Dell EMC security standard

Strictly restrict access to the management network to specific hosts.

VMware vNetwork: vNetwork-Network configuration.verify

Control description

Ensure that all virtual switch VLANs are fully documented and that trunks carry only the required VLANs.

Risk and vulnerability

Use best practices to restrict the VLANs required on the VLAN trunk link to only the required VLANs and document accordingly. Unneeded VLANs might enable an administrator to either accidentally or maliciously connect a virtual machine to an unauthorized VLAN.


Dell EMC security standard

Ensure that all virtual switch VLANs are fully documented and that trunks carry only the required VLANs.

VMware vNetwork: vNetwork.Reject.MAC-address-changes.Config

Control description

Each virtual network adapter has an effective MAC address that filters out incoming network traffic with a destination address different from the effective address. By default, requests to change the effective MAC address are set to Accept and MAC address changes are set to Accept on standard virtual switches and Reject on distributed virtual switches.

Risk and vulnerability

By changing the effective MAC address, the virtual network adapter can pass frames with an impersonated source MAC address and perform network-based attacks by impersonating an authorized network adapter.

Dell EMC security standard

Set to Reject.
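The three vNetwork controls above (forged transmits, promiscuous mode, MAC address changes) are each a single Reject/Accept switch, but on standard virtual switches a portgroup can override the vSwitch setting, so a Reject on vSwitch0 does not prove every portgroup is compliant. The following is an added example, not code from this guide or from VMware: the audit functions work on plain values and run offline against the constructed inventory at the bottom; collect_from_vcenter() is the only part that touches vSphere, needs pyVmomi (pip install pyvmomi) and a vCenter login, imports pyVmomi only when called, and takes placeholder host, user and password arguments.

```python
"""Audit vSwitch security settings: allowPromiscuous, macChanges and
forgedTransmits must all be Reject (False) on every switch and portgroup.

Added example, not code from the Dell EMC guide or from VMware.
"""
# vSphere API names for the three settings; True means Accept, False means Reject.
SETTINGS = ("allowPromiscuous", "macChanges", "forgedTransmits")


def effective_policy(portgroup_policy, vswitch_policy):
    """Resolve a standard portgroup against its vSwitch. A None (or missing)
    value on the portgroup means 'inherit from the vSwitch', so a Reject on
    the switch can still be undone by an Accept override on one portgroup."""
    return {
        name: vswitch_policy.get(name) if portgroup_policy.get(name) is None else portgroup_policy[name]
        for name in SETTINGS
    }


def findings(label, policy):
    """List each setting that is Accept (True) on the object named by label."""
    return [f"{label}: {name} is Accept, set to Reject" for name in SETTINGS if policy.get(name) is True]


def audit(inventory):
    """inventory is a list of (label, policy dict) pairs; returns all findings."""
    return [f for label, policy in inventory for f in findings(label, policy)]


def collect_from_vcenter(host, user, pwd):
    """Build the inventory from a live vCenter: every vDS portgroup's default
    port policy, every standard vSwitch, and every standard portgroup with
    inheritance resolved. Certificate validation is deliberately left on."""
    import ssl
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    si = SmartConnect(host=host, user=user, pwd=pwd, sslContext=ssl.create_default_context())
    try:
        content = si.RetrieveContent()
        inventory = []
        view = content.viewManager.CreateContainerView(
            content.rootFolder, [vim.dvs.DistributedVirtualPortgroup], True)
        for pg in view.view:
            sec = pg.config.defaultPortConfig.securityPolicy  # BoolPolicy attributes
            inventory.append((f"dvPortgroup {pg.name}",
                              {name: getattr(sec, name).value for name in SETTINGS}))
        view.Destroy()
        hosts = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
        for esx in hosts.view:
            switches = {}
            for vss in esx.config.network.vswitch:
                sec = vss.spec.policy.security
                switches[vss.name] = {name: getattr(sec, name) for name in SETTINGS}
                inventory.append((f"{esx.name} {vss.name}", switches[vss.name]))
            for pg in esx.config.network.portgroup:
                sec = pg.spec.policy.security if pg.spec.policy else None
                override = {name: getattr(sec, name) for name in SETTINGS} if sec else {}
                inventory.append((f"{esx.name} {pg.spec.name}",
                                  effective_policy(override, switches.get(pg.spec.vswitchName, {}))))
        hosts.Destroy()
        return inventory
    finally:
        Disconnect(si)


# Constructed inventory (not from a real vCenter): a standard vSwitch left at
# its defaults, one portgroup inheriting it, one portgroup overriding it, and a
# vDS portgroup at vDS defaults.
VSWITCH0 = {"allowPromiscuous": False, "macChanges": True, "forgedTransmits": True}
SAMPLE_INVENTORY = [
    ("esx01 vSwitch0", VSWITCH0),
    ("esx01 Management Network", effective_policy({}, VSWITCH0)),
    ("esx01 VM Network", effective_policy({"macChanges": False, "forgedTransmits": False}, VSWITCH0)),
    ("dvPortgroup vMotion", {"allowPromiscuous": False, "macChanges": False, "forgedTransmits": False}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Run as-is to see the two standard-switch objects flagged (the overriding portgroup and the vDS portgroup are clean); replace SAMPLE_INVENTORY with collect_from_vcenter(...) to audit a real environment.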

VMware vSphere Distributed Switch and DVS networking

VMware vSphere vSwitch and DVS networking: vNetwork.isolate-mgmt-network-vlan

Control description

Ensure that VMware vSphere management traffic is on a restricted network.

Risk and vulnerability

The VMware vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.

Dell EMC security standard

Ensure that management interfaces and traffic are restricted to controlled, management-specific networks.

VMware vSphere vSwitch and DVS networking: vNetwork.isolate-vmotion-network-vlan

Control description

Ensure that VMware vMotion traffic is isolated.

Risk and vulnerability

VMware vMotion migrations transmit information in plain text that can be viewed by anyone with access to the network over which this information flows. Potential attackers might intercept vMotion traffic to obtain memory contents of a virtual machine. They might also potentially stage a man-in-the-middle attack in which the contents are modified during migration. Ensure that vMotion traffic is separate from production traffic on an isolated network. This network should be non-routable (no layer-3 router spanning this and other networks), which prevents any outside access to the network.

Dell EMC security standard

Ensure that VMware vMotion traffic is isolated and restricted to prevent exposure and compromise.

VMware vSphere vSwitch and DVS networking: vNetwork.isolate-storage-network-vlan

Control description

Ensure IP-based storage traffic is isolated.


Risk and vulnerability

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This type of configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted and can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network should be logically separated from the production traffic. Configuring the IP-based storage adapters on separate VLANs or network segments from the VMkernel management and service console network limits unauthorized users from viewing the traffic.

Dell EMC security standard

Ensure that IP-based storage traffic is isolated and restricted to prevent exposure and compromise.

VMware vSphere Web Client

VMware vSphere Web Client: vCenter.web-client-timeout

Control description

Ensure VMware vSphere Web Client session setting is modified to terminate idle Web sessions that have been inactive for 15 minutes.

Risk and vulnerability

By configuring session timeouts to 15 minutes, idle administrator sessions are terminated and disconnected, reducing the risk of unauthorized access to the vSphere Web Client and its managed resources.

Dell EMC security standard

Ensure vSphere Web Client session setting is set to terminate idle Web sessions that have been inactive for 15 minutes.

Management layer security baseline

VxRack Controller nodes

VxRack Controller - Default Passwords Change

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Ensure that passwords are rotated for the built-in administrator account.

VxRack Controller - Disable Telnet

Control description

Disable Telnet

Risk and vulnerability

Telnet is not a secure protocol, as it transmits data in clear text.


Dell EMC security standard

Ensure that Telnet is disabled. This is configured using the Dell iDRAC Web Console.

In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for Telnet, and click Apply.

VxRack Controller - Disable SSH

Control description

Disable SSH

Risk and vulnerability

Removing any unnecessary services, protocols and scripts reduces the attack vectors an attacker could exploit to gain access to sensitive information.

Dell EMC security standard

Ensure SSH is disabled. This is configured using the Dell iDRAC Web Console.

In iDRAC UI, under iDRAC settings > Network > Services, uncheck the box for SSH, and click Apply.

VxRack Controller - Disable IPMI over LAN

Control description

Disable IPMI over LAN.

Risk and vulnerability

IPMI v2.0 has multiple known high-severity weaknesses that are inherent in the protocol design, so there are no patches that fix them. A remote attacker could exploit them to obtain a hash of the root user's password and then recover the password with an offline cracking tool.

Dell EMC security standard

Ensure IPMI over LAN is disabled if IPMI is not needed by any management components.

This is configured using the Dell iDRAC Web Console.

In iDRAC UI, under iDRAC settings > Network > IPMI Settings, uncheck the box titled Enable IPMI Over LAN, and click Apply.

VxRack Controller - Server access using HTTPS

Control description

To remotely access the Dell server, use secure communication:

• HTTPS (TCP port 443)

Risk and vulnerability

For any activity conducted remotely, the use of secure protocols adds layers of protection to the transmission of data for those sessions.

Dell EMC security standard

HTTPS is enabled by default and TLS 1.2 Only is selected by default.

In iDRAC UI, under iDRAC settings > Network > Services, verify that HTTPS is enabled and that TLS 1.2 Only is selected.

VxRack Controller - Strong community strings

Control description

Define strong, non-trivial community strings where SNMP required.

Risk and vulnerability

By not changing the default community string, attackers can more easily discover and potentially exploit or compromise the devices.

Dell EMC security standard

Ensure that the read-only community string is changed from "Public."

In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, define a new SNMP Community Name, and click Apply.


VxRack Controller - Use SNMP V3

Control description

Use SNMP v3

Risk and vulnerability

SNMP v3 improves security by introducing encryption, integrity checks, and an improved user authentication model, replacing the community strings used by v1 and v2c.

Dell EMC security standard

Make sure SNMP v3 is selected.

In iDRAC UI, under iDRAC settings > Network > Services > SNMP Agent, check SNMP v3, and click Apply.

VxRack Controller - Disable VNC

Control description

Disable VNC

Risk and vulnerability

VNC provides remote console access to the server. If it is not needed, disable it to reduce the attack surface.

Dell EMC security standard

Make sure the VNC server is disabled in the iDRAC web UI.

In iDRAC UI, under iDRAC settings > Network > Services > VNC Server, uncheck the box for Enable VNC Server, and click Apply.

VxRack Controller - Disable XML

Control description

Disable XML configuration file import directly from the USB port.

Risk and vulnerability

The USB management port allows iDRAC management access from a laptop or tablet connected to the USB port, or applying an XML configuration file directly to the server. An attacker with physical access could potentially upload an arbitrary configuration file to the server.

Dell EMC security standard

Under iDRAC settings > Hardware > USB Management Port > iDRAC Managed: USB XML Configuration, select Disabled.

VxRack Controller - Configure syslogs

Control description

Centralization of logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches become possible and provide visibility into events impacting multiple hosts.

Risk and vulnerability

Operational or security-related alerts and events may be missed when logs are not centrally managed.

Dell EMC security standard

Under iDRAC UI > Logs > Settings, check Remote Syslog Settings, and define up to three syslog server IP addresses.

VxRack Controller - Configure NTP

Control description

Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log time stamps.

Risk and vulnerability

By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.

Dell EMC security standard

In iDRAC UI, under iDRAC Settings > Settings, check the Enable Network Time Protocol (NTP) box, define up to three NTP server IP addresses, and click Apply.


VxRack Controller - Disable USB ports

Control description

The built-in USB ports should be enabled only on an "as needed" basis.

Risk and vulnerability

An attacker with physical access could use a USB port to introduce malware to the server.

Dell EMC security standard

In BIOS settings > System BIOS Settings > Integrated Devices > Internal USB Port, set it to Off.

VxRack Controller - Disable remote RACADM

Control description

RACADM provides CLI scripting capability to control and configure the servers. Remote RACADM allows the RACADM tool running on a workstation to remotely execute commands against the server's iDRAC interface. It uses SSL for communications between the workstation and the iDRAC interface.

Risk and vulnerability

If this feature is not required, disable remote RACADM to reduce attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations, configuration changes.

Dell EMC security standard

This feature is enabled by default. Make sure it is disabled.

In the iDRAC UI, under Network > Services, uncheck Remote RACADM and click Apply.

VxRack Controller - Disable iDRAC over SOL

Control description

iDRAC can be accessed through SOL (Serial-over-LAN). This allows remote access to the server using SSH and connection to the server serial ports (COM1 or COM2, depending on the BIOS setting) to run iDRAC commands.

Risk and vulnerability

Disable iDRAC over SOL to reduce attack surface and prevent an attacker from remotely issuing commands against the server, such as power operations or configuration changes.

Dell EMC security standard

To disable, in the iDRAC UI, under Network > Serial Over LAN, uncheck Enable Serial Over LAN and click Apply.

System infrastructure security baseline

Panduit Power Distribution Unit (PDU)

Panduit PDU: Panduit.Passwords.Modify

Control description

Change the passwords for all default accounts.

Risk and vulnerability

Default accounts and passwords can be configured by the vendor or during the initial system build. Such accounts and passwords might be used to compromise the production system.

Dell EMC security standard

Change the passwords for all default accounts.


Panduit PDU: Panduit.NTP.Configure

Control description

Network Time Protocol (NTP) is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.

Risk and vulnerability

By not using a centralized, consistent time source, event detection and audits are difficult and may be inaccurate.

Dell EMC security standard

NTP is used to synchronize time updates from a centralized source to systems on a network. Setting all Converged System components to the same time source ensures system stability and accuracy of log timestamps.

Panduit PDU: Panduit.SNMPCommunityString.Configure

Control description

Define PDU traps and strong, non-trivial community strings where Simple Network Management Protocol (SNMP) is required.

Risk and vulnerability

By not changing the default community string, attackers can easily discover and potentially exploit or compromise the devices.

Dell EMC security standard

Define PDU traps and strong, non-trivial community strings where SNMP is required.

Panduit PDU: Panduit.Unused-Services.Disable

Control description

Simple Network Management Protocol (SNMP) is used for managing devices on an IP network. SNMP can be used to only read information as well as set (write) information.

Risk and vulnerability

If SNMP is enabled but not used in the environment, it is an exposed service with no operational benefit and might be exploited.

Dell EMC security standard

SNMP is used for managing devices on an IP network. SNMP can be used to read information as well as to set (write) information. Disable SNMP on the PDU if it is not used.

Panduit PDU: Panduit.Logging.Configure

Control description

Log all successful interactive device management access using centralized syslog.

Risk and vulnerability

Logging all successful interactive device management access enables the correlation of events to be viewed when a device is accessed by a host. Not having this in place can negatively impact log review or correlation of events.

Dell EMC security standard

Log all successful interactive device management access using centralized syslog.

Panduit PDU: Panduit.Administrative-Access.Configure

Control description

Use secure protocols such as HTTPS instead of HTTP.

Risk and vulnerability

Using encrypted protocols for device management prevents transmission of authentication credentials in clear text.

Dell EMC security standard

Use secure protocols such as HTTPS instead of HTTP.


Log management

This section describes the locations for internal component log files and managing remote system log files.

Internal component log file locations

Component   Operating system   File path
MDM         Linux              /opt/emc/scaleio/mdm/logs
MDM         Windows            C:\Program Files\emc\scaleio\mdm\logs
Gateway     Linux              /opt/emc/scaleio/gateway/logs
Gateway     Windows            C:\Program Files\emc\scaleio\gateway\logs

Configuring an external syslog server for remote logging

Syslog servers are configured and managed with the following scli commands, issued after logging in to the MDM with scli --login:

To configure the server and start remote logging:

scli --start_remote_syslog --remote_syslog_server_ip <IP> --remote_syslog_server_port <PORT> --syslog_facility <FACILITY>

where:

• IP is the IP address of the remote server.

• PORT is the port number for the remote server.

• FACILITY is a value from 0-23 that identifies the source of a message from a server.

To stop remote logging:

scli --stop_remote_syslog --remote_syslog_server_ip <IP>
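The <FACILITY> value is carried in the <PRI> header of every syslog message as PRI = facility * 8 + severity, which is how the collector tells MDM messages apart from everything else sharing the same server. The following is an added example, not code from this guide or from ScaleIO: it decodes the header, labels facility and severity, and splits received lines into those carrying the configured facility and those that need a second look (wrong facility, missing or malformed header). The sample lines are constructed, and facility 16 (local0) is an assumed value for <FACILITY>; substitute the one you configured.

```python
"""Decode the <PRI> header of syslog lines and check which ones carry the
facility configured with scli --syslog_facility.

Added example, not code from the Dell EMC guide or from ScaleIO.
"""
import re

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1 / RFC 5424 section 6.2.1)
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_PRI = 23 * 8 + 7  # 191: the largest value a 0-23 facility and 0-7 severity can encode

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) for a raw syslog line, or None when the
    <PRI> header is missing or encodes an out-of-range value."""
    match = _PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return divmod(pri, 8)  # (pri // 8, pri % 8) == (facility, severity)


def describe(line):
    """Human-readable 'facility.severity' label, for example 'local0.info'."""
    decoded = decode_pri(line)
    if decoded is None:
        return "invalid"
    facility, severity = decoded
    return f"{FACILITY_NAMES[facility]}.{SEVERITY_NAMES[severity]}"


def split_by_facility(lines, expected_facility):
    """Partition lines into those tagged with expected_facility and everything
    else (other facilities, missing or malformed PRI). Lines in the second list
    come from a source that was not reconfigured, or are not well-formed syslog,
    and deserve a look in the collector."""
    if not 0 <= expected_facility <= 23:
        raise ValueError("syslog facility must be in the range 0-23")
    matched, other = [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is not None and decoded[0] == expected_facility:
            matched.append(line)
        else:
            other.append(line)
    return matched, other


# Constructed sample (not real MDM output): what a collector might receive
# after --syslog_facility 16 was configured on the MDM.
SAMPLE_LINES = [
    "<134>Feb  1 12:00:01 mdm1 mdm: user admin logged in from 10.0.0.5",   # local0.info
    "<131>Feb  1 12:00:07 mdm1 mdm: SDS 10.0.1.12 disconnected",           # local0.err
    "<14>Feb  1 12:00:09 mdm1 mdm: still using the default user facility",  # user.info
    "Feb  1 12:00:10 mdm1 mdm: line without a PRI header",
    "<200>Feb  1 12:00:11 mdm1 mdm: PRI value larger than 191",
]

if __name__ == "__main__":
    good, suspect = split_by_facility(SAMPLE_LINES, 16)
    for line in good:
        print("ok    ", describe(line), line)
    for line in suspect:
        print("CHECK ", describe(line), line)
```

Feeding the collector's capture file to split_by_facility() instead of SAMPLE_LINES gives a quick confirmation that the MDM is actually emitting with the facility you set, and surfaces any source still using its default.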


Certificate management

Communications between the Meta Data Manager (MDM) and external components (such as the IM client, CLI client, GUI client, vSphere plug-in and ScaleIO gateway) are encrypted using TLSv1. TLS 1.0 has since been deprecated (RFC 8996), so check which TLS versions the ScaleIO release you run supports and disable the older ones where the product allows it.

Certificates for MDM and ScaleIO Data Server (SDS) are generated during installation. New certificates can be generated using the following CLI commands:

For MDM: generate_mdm_certificate

For SDS: generate_certificate


Operationalizing Converged Systems

This section describes procedures for operationalizing Converged Systems.

Integrating a new Converged System into a live environment

Converged Systems represent an easy transition to converged infrastructure and virtualization. The rapid and straightforward deployment of Converged Systems should not preclude you from applying company standards. Consider that the Converged System is a new piece in your environment that requires many of the same policies applied to it as your existing infrastructure. The following are some suggestions for integrating new Converged Systems.

• Apply your existing security policies to the Converged System.

• Use the settings referenced in this document as a starting point.

• Ensure appropriate training of your technical support personnel.

• Leverage Vision Intelligent Operations for assessment and compliance of system configuration against Converged System benchmarks (or custom-tailored Vision software compliance benchmarks).

Ongoing security administration

Converged Systems ship with a default hardened configuration on all components, but these are not intended to be a complete security solution.

Dell EMC security baselines provide a starting point from which you can build a comprehensive security solution that can be managed as part of your existing infrastructure. Make sure the security considerations covered in this document, such as change management, patch management, monitoring, are applied to your Converged System.

To assist in managing your Converged System, Dell EMC releases a new Release Certification Matrix (RCM) each month. This document describes currently supported versions of hardware and software, and contains information about code revisions and why they were chosen. Regularly review this document to help keep your Converged System current.

As with any new system, ensure it is integrated into your existing security architecture.

• Integrate the Converged System into your log management system or Security Information & Event Management (SIEM).

• Ensure appropriate coverage by your intrusion detection/prevention systems.

• Ensure your security, compliance and internal audit departments are familiar with the Converged System and its components and related operational processes.

• Leverage available Dell EMC documentation that details system components and subsequent expansions, upgrades, and extensions, as well as Vision Intelligent Operations compliance reporting capabilities.

• Ensure administrative and guest workloads have malware protection and are fully incorporated into the patch monitoring and application process, subject to the constraints of the RCM.

Operational checklist

The following list details activities to further secure your Converged System and fully integrate it into your existing architecture. This is a starting point for securing Converged Systems; a more extensive checklist is required for broader security strategies.

• Configure centralized Authentication, Authorization and Accounting (AAA) and use Role Based Access Controls (RBAC).

• Incorporate multi-factor authentication (for example, with RSA SecurID) if required by your security policy.

• Configure and verify log collection for all event sources in your environment. If no syslog preference is defined, all logs are forwarded to Vision Intelligent Operations. By centrally collecting all Converged System events, all logs can be easily integrated into an existing, onsite event management system.

• Configure/verify that Network Time Protocol (NTP) is configured properly for your environment. It is preferable to use authenticated NTP where possible.

• Change default, self-signed certificates on all devices to those provided by a third-party certificate authority.

• Disable unneeded services on network equipment and in operating systems per your current policies.

• Enable additional protections for networking systems per vendor recommendations.

• Apply additional VMware hardening guidelines that might apply to your specific environment.

• Deploy additional protections such as perimeter firewalls, virtual firewalls, IDS/IPS, SIEM per security policy.

• Socialize the Converged System with your computer security incident response team so that the appropriate response plans can be updated.

• Per your security policy, run system vulnerability assessments to understand specific areas of concern.

• Snapshot existing system configurations in order to track configuration drift.

• Arrange disaster recovery (DR) capabilities for administrative VMs and for key supporting systems. Depending on the organization's risk profile, the DR plans may require a geographical element.


Converged System password management

This section contains instructions for modifying the default administrator and/or root accounts and passwords for Converged System components.

Default accounts and passwords are configured by the vendor or during the initial Dell EMC manufacturing build. Such accounts and passwords, if not changed, could be used to compromise the system in production. Modifying the default passwords enhances customer security and facilitates handing over credentials modification from Dell EMC manufacturing to the customer.

Compute

Changing the VxRack System FLEX enclosure password

Use the iDRAC Web console to change the root password.

Procedure

1. Open a web browser and type: https://<ip_address_of_iDRAC>. Use HTTPS, as required by the HTTPS control above, so that the root credentials are not sent in clear text.

2. Log on as root.

3. Expand iDRAC Settings.

4. Select User Authentication.

5. Select User ID 2. ID 2 is the root user.

6. Enable Configure User and click Next.

7. Change the password:

   a. Enable Change Password.

   b. In New Password, type the new password.

   c. In Confirm New Password, re-type the new password.

   d. Click Apply.

Storage


ScaleIO default accounts

The following are default accounts for ScaleIO:

Account                                  Details
Installation Manager (IM) admin          Download IM CLI file; issue installation commands in IM CLI or IM Web client
Light Installation Agent (LIA) account   Used for communication between SVM/MDM and SIO-GW
SVM root                                 Full administration privileges to all configuration and monitoring activities through the VMware vSphere plug-in
MDM admin                                Full administration privileges to all configuration and monitoring activities through the CLI and GUI

When changing default account passwords, passwords must meet the following criteria:

• Between 6 and 31 characters

• Include at least three of the following groups:

  [a-z]

  [A-Z]

  [0-9]

  Special characters (!@#$...)

• No white spaces
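Because every default account above has to be rotated on handover and again on the schedule your policy sets, it helps to check candidates against these criteria before typing them into the IM CLI, scli or passwd, and to generate rotation passwords that satisfy them by construction. The following is an added example, not code from this guide or from ScaleIO. The guide does not say how characters outside the four listed groups (for example accented letters) are treated; rejecting them is an assumption made here.

```python
"""Check a candidate against the ScaleIO default-account password criteria
(6-31 characters, at least three of four character groups, no white space)
and generate a compliant random password for rotation.

Added example, not code from the Dell EMC guide or from ScaleIO.
"""
import secrets
import string

MIN_LENGTH, MAX_LENGTH = 6, 31
GROUPS = {
    "lowercase [a-z]": set(string.ascii_lowercase),
    "uppercase [A-Z]": set(string.ascii_uppercase),
    "digits [0-9]": set(string.digits),
    "special characters": set(string.punctuation),
}
ALLOWED = set().union(*GROUPS.values())
REQUIRED_GROUPS = 3


def password_violations(password):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    violations = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        violations.append(f"length {len(password)} is outside {MIN_LENGTH}-{MAX_LENGTH}")
    whitespace = {ch for ch in password if ch.isspace()}
    if whitespace:
        violations.append("white space is not allowed")
    # Assumption (not stated in the guide): characters that belong to none of
    # the four groups, such as accented letters, are rejected.
    stray = sorted(set(password) - ALLOWED - whitespace)
    if stray:
        violations.append("characters outside the allowed groups: " + "".join(stray))
    groups_present = sum(1 for chars in GROUPS.values() if any(ch in chars for ch in password))
    if groups_present < REQUIRED_GROUPS:
        violations.append(f"only {groups_present} of 4 character groups used, need {REQUIRED_GROUPS}")
    return violations


def generate_password(length=20):
    """Build a random password that satisfies every rule: one character from
    each group first, the remainder from the whole alphabet, then shuffled
    with a CSPRNG so the group characters are not in a predictable position."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be {MIN_LENGTH}-{MAX_LENGTH}")
    rng = secrets.SystemRandom()
    alphabet = sorted(ALLOWED)
    chars = [rng.choice(sorted(group)) for group in GROUPS.values()]
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


# Constructed candidates exercising each rule.
SAMPLE_CANDIDATES = ["Sc@le10", "scaleio", "Sc@le 10!", "Sc@le10" * 5]

if __name__ == "__main__":
    for candidate in SAMPLE_CANDIDATES:
        print(repr(candidate), password_violations(candidate) or "ok")
    print("generated:", generate_password())
```

generate_password() defaults to 20 characters; anything from 6 to 31 is accepted, and the result always passes password_violations().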

Changing the Installation Manager admin password

Procedure

1. Log on to the Installation Manager Web client as the admin user.

2. Click Download CLI. Save the file install-CLI.jar on the local machine running the Web client.

3. Use SSH to log on to the IM/GW VM as root.

4. Use SCP to copy the install-CLI.jar file to the /opt/emc/scaleio/gateway folder.

5. Type /opt/emc/scaleio/gateway/java -jar install-CLI.jar to load the EMC ScaleIO Installation Manager CLI shell.

6. Type the following IM CLI command: im generate_password --im_password <ADMIN_PASSWORD> --config_file "<CONFIG_FILE_FULL_PATH>"

   On Linux, the configuration file gatewayUser.properties is located under /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/

7. Type quit to exit the ScaleIO IM shell.

8. Type service scaleio-gateway restart to restart the gateway service.

9. Log on to the Web client with the new password.

Changing the Light Installation Agent password

About this task

Light Installation Agent (LIA) establishes trust with the Installation Manager through a configurable token.

The LIA token is stored in /opt/emc/scaleio/lia/cfg/conf.txt on each SVM. The password is set at initial installation.

During installation, the IM password and the LIA token are stored in hashed format.

Before you begin

To change the token after LIA runs, you must change the line in the configuration file and restart LIA.

Procedure

1. Write the new password (token) in plaintext in the LIA configuration file /opt/emc/scaleio/lia/cfg/conf.txt ("lia_token=XXX").

2. Restart the LIA service.

3. On the first startup after the restart, the LIA hashes the token and rewrites the conf.txt entry with the hashed value.

Changing the SVM root password

Procedure

1. Use SSH to connect to the EMC ScaleIO SVM and log on as root.

2. Type passwd and press Enter.

3. Type the new password and press Enter.

4. Retype the password and press Enter.

Changing the default admin MDM password

Procedure

1. Use SSH to log on as root user.

2. Type the following command: scli --login --username admin

3. Type the following command: scli --set_password

4. Type the old password and press Enter.

5. Type the new password and press Enter.

6. Re-type the new password and press Enter.

What to do next

After the MDM admin password is changed, log on to VMware vCenter using the VMware vSphere Web Client and open the EMC ScaleIO plug-in.

1. Click ScaleIO Systems. The cluster state shows as Disconnected-Invalid credentials.

2. Select the ScaleIO cluster. Click Actions and select Update system credentials.

3. In the User name field, type admin. In the Password field, type the new password defined above. Click OK.

4. Go back to the Cluster Status window. The cluster status shows as Normal.

ScaleIO user-defined accounts

Additional user accounts can be added to the ScaleIO MDM. A user role must be assigned.

User role               Query   Configuration parameters         Configuration user credentials
Monitor                 Yes     No                               No
Configurator            Yes     Yes                              No
Backend Configurator    Yes     Yes (backend operations only)    No
Frontend Configurator   Yes     Yes (frontend operations only)   No
Administrator           Yes     Yes                              May configure Configurator and Monitor users
Security Role           No      No                               May define Administrator users and control LDAP
Super User              Yes     Yes                              Yes

Only one Super User is allowed per system and it must be a local user.

Adding a user

To add a user:

1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --add_user --username <NAME> --user_role <Monitor|Configure|Administrator>

Modifying a user

To modify a user:

1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --modify_user --username <NAME> --user_role <Monitor|Configure|Administrator>

Deleting a user

To delete a user:

1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --delete_user --username <NAME>

Displaying users and roles

To display users and roles:

1. Use SSH to log on as root user.
2. Type the following command: # scli --login --username admin
3. Type the following command: scli --query_users
4. Type the following command: scli --query_user --user_id <ID> | --username <NAME>

Generating a hashed password

To generate a hashed password for an MDM user on the ScaleIO Gateway (the hashed value is written to the gatewayUser.properties file), type the following command:

im generate_mdm_password --mdm_password <PASSWORD> --config_file /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/gatewayUser.properties

Virtualization

Changing a VMware ESXi host root password

For security reasons it might be necessary to change the password for the root user on a VMware ESXi host after installation.

Use any of the following methods to change the root password for the VMware ESXi host:

• vSphere Client

• ESXi shell command

• ESXi host System Customization menu

Changing the password using VMware vSphere Client

Before you begin

Log on to the ESXi host service console as root user.

Procedure

1. Log on to VMware vSphere Client.
2. Click Home > Inventory.
3. In the left pane, select the ESXi server name or IP address. Tabs for the server appear in the right pane.
4. Select the Local Users & Groups tab.
5. Double-click the root user.
6. Select Change password.
7. In the Edit User - root dialog box, enter and confirm a new password.
8. Click OK.

Changing the password using the ESXi shell command

Before you begin

Log on to the ESXi host service console as root user.

You can also acquire root privileges by executing the su command.

Procedure

1. When prompted, type the current password.
2. To change the root password, type: passwd root.
3. Type the new root password. Press Enter.
4. Verify the password by typing it again.

Changing the password using the ESXi host System Customization menu

Before you begin

Log on to the ESXi host service console as root user.

You can also acquire root privileges by executing the su command.

Procedure

1. From the System Customization menu of the ESXi host, use the keyboard arrows to select Configure Password. Press Enter.
2. In the Configure Password dialog box, fill in the required fields to change the password:
   a. Type the Old Password of the ESXi host.
   b. Type the new root password in the New Password field. Re-type it in the Confirm Password field.
   c. Press Enter.

Modifying the VMware vCenter Server Single Sign On password

Use this procedure to change the default password for the VMware vCenter Single Sign On administrator account.

Before you begin

Log on to the VMware vSphere Web Client and connect to vCenter.

Access the Web Client using either of the following methods:

• Open the browser and type the following URL: https://vcenterlp:9443/vsphere-client

• From the Start menu, choose All Programs > VMware > VMware vSphere Webclient.

Procedure

1. In the left pane, select Administration.
2. Under Administration, select SSO Users and Groups. The admin user displays in the right pane.
3. On the Users tab, right-click the admin user.
4. Set and confirm the password for the admin user account. Be sure to use a strong password, as the system validates the password before accepting it.
5. Click OK.

Changing virtual machine operating system administrative passwords

Use this procedure to change the virtual machine operating system server administrator password in Windows 2008 R2 and Windows 2012.

Changing the server administrator password in Windows 2008 R2

Use this procedure to change the server administrator password in a Windows 2008 R2 environment.

Procedure

1. Log in to the server using the Administrator account.
2. From the Start menu, select Control Panel > User Accounts > User Accounts.
3. Under Make changes to your user account, select Change your password.
4. Type your password in Current password.
5. In New password, type a new password.
6. Retype the password in Confirm new password.
7. In Type a password hint, provide a word or phrase to remind you of your password. This is optional.
8. Click Change password.

Changing the server administrator password in Windows 2012

Use this procedure to change the server administrator password in a Windows 2012 environment.

Procedure

1. Log in to the server using Remote Desktop.
2. Press the Windows key. Type Administrative tools.
3. Double-click Computer Management.
4. Expand Local Users and Groups. Select Users.
5. Right-click Administrator and choose Set Password.
6. Click Proceed.
7. Enter and confirm the new password.
8. Click OK.

Management

The VxRack System management software is installed on the VxRack Controller.

Changing the VxRack Controller password

Use the iDRAC Web console to change the root password.

Procedure

1. Open a Web browser. Type: https://<ip_address_of_iDRAC>.
2. Log on as root.
3. Expand iDRAC Settings.
4. Select User Authentication.
5. Select User ID 2. ID 2 is the root user.
6. Enable Configure User and click Next.
7. Change the password:
   a. Enable Change Password.
   b. In New Password, type the new password.
   c. In Confirm New Password, re-type the new password.
   d. Click Apply.

Vision software credentials

Managing credentials involves changing the default passwords for Vision software to comply with your organization's security policies. It also involves changing access credentials for Converged System components.

When logging on to the VCE Vision dashboard, administrators are notified if any default passwords for Vision software are still in use and are prompted to change them.

Changing the default password for the root and vision accounts

The Vision Core virtual machine and the MSM virtual machine run on CentOS Linux and have a root user. You should change the default password for the root user on both VMs when you first start using Vision software.

About this task

You can also follow these steps to change the password for the vision user on the MSM virtual machine.

Before you begin

Start an SSH session to the VM and log on.

Procedure

1. Run the following command: passwd

2. Enter and then confirm the new password when prompted. The following is example output for a successful password change:

[root@hostname ~]# passwd
Changing password for user username.
New password:
Retype new password:
passwd: all authentication tokens updated successfully

You must also update the MSM credential manager service with the new password.

3. Use one of the following steps, depending on whether the password was changed on the Vision Core virtual machine or the MSM virtual machine.

MSM virtual machine:

a. Run the following command to change the MSM password for credential manager to match the password changed with the passwd command:

/opt/vce/credential-management/bin/credential-manager-cli create -credentialprotocol SSH -credential-right ADMINISTRATOR -credential-type MSM -host-address MSM-IP -username <username>

where:

MSM-IP is the IP address for the MSM virtual machine.

newpassword is the new password. This must be the same as the new password provided on the passwd command.

username is either root or vision, depending on the account you are changing.

If the password for the MSM admin user account has been changed in a clustered environment, this command fails if the password is not synchronized with the other MSM nodes in the cluster.

The script prompts you for the new password.

b. Enter the new password.

When the password change is complete, the script returns the following message:

Successfully created credential for 'root' @ '10.11.12.13'

Vision Core virtual machine:

a. Log on to the MSM virtual machine as the root user.

b. Type the following command to change the Vision Core virtual machine root user password for MSM:

/opt/vce/multivbmgmt/install/addSlibHost.sh <core_IPaddress>

where core_IPaddress is the IP address for the Vision Core virtual machine where the password was changed.

The script prompts you to update the configuration:

Would you like to update existing configuration? (yes/no) [Default = no]:

c. Respond by entering yes. The script prompts you for the root credentials:

Enter the SSH credentials for System Library host 10.20.30.40 (attempt 1 of 3).
User name [Default: root]:

d. Enter root (or press Enter) for the username.

e. Type the new password for the Vision Core virtual machine.

The script continues processing with a series of messages. When it has finished, the following message is displayed:

Vision System Library Host(s) at 10.20.30.40 have been added successfully!

The new password for the Vision Core virtual machine is picked up by the MSM virtual machine during the next collection cycle.

What to do next

You can optionally specify a password aging policy with the following command: chage

Run the following command to view help usage: chage -h
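Once chage has been used on the root and vision accounts, an administrator usually wants a quick way to confirm that an aging policy is actually in force. The POSIX shell functions below are an added example, not part of this guide or of Vision software: they parse the output of chage -l for one account and flag the Linux default of no maximum password age (99999 days). Both chage -l samples are constructed for this example; the 90-day and 14-day values are the example's own choice, not a recommendation from the guide.

```shell
#!/bin/sh
# Added example: audit the password aging settings reported by `chage -l`.
# Not part of the Dell EMC guide or of Vision software.

# Constructed sample: the Linux default, no maximum age and no expiry.
SAMPLE_NO_AGING='Last password change                                    : Feb 01, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7'

# Constructed sample: what `chage -l` shows after a maximum age and a
# warning period have been set (values chosen for this example only).
SAMPLE_AGING='Last password change                                    : Feb 01, 2018
Password expires                                        : May 02, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14'

# chage_field OUTPUT LABEL
# Prints the value of the first line whose label begins with LABEL.
# The separator is ": " so that dates such as "Feb 01, 2018" stay intact.
chage_field() {
    printf '%s\n' "$1" | awk -F': ' -v label="$2" \
        'index($1, label) == 1 { print $2; exit }'
}

# max_password_age OUTPUT
# Prints the maximum age in days, or "none" when the 99999 default (or no
# value at all) is in place, which means the password never expires.
max_password_age() {
    max=$(chage_field "$1" "Maximum number of days")
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo none
    else
        echo "$max"
    fi
}

# aging_report OUTPUT
# One-line verdict for an account, suitable for a periodic compliance check.
aging_report() {
    max=$(max_password_age "$1")
    warn=$(chage_field "$1" "Number of days of warning")
    if [ "$max" = none ]; then
        echo "WARNING: no maximum password age; the password never expires"
    else
        echo "OK: password expires after $max days, warning $warn days before"
    fi
}

# On a live system replace the samples with real output, for example:
#   aging_report "$(chage -l root)"
aging_report "$SAMPLE_NO_AGING"
aging_report "$SAMPLE_AGING"
```

The functions only read chage output, so they can run from any account that is allowed to call chage -l; the Before you begin step above (an SSH session to the VM) is all they need.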

Changing the password for the vision-integration user

The vision-integration user authenticates REST API calls internally to the Vision Core virtual machine to facilitate integration between some services. The default password is a complex, encrypted string that does not need to be known. However, you can change the default password by providing the password for the CAS admin user using a built-in script.

About this task

If you change the password for the vision-integration user, Vision software also updates the password in the necessary properties file.

Before you begin

Determine a new password, understanding that the CAS password:

• Is case sensitive.

• Must be between 8 and 20 characters in length.

• Must include one uppercase letter, one digit, and one special character.

• Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |

Connect to the Vision Core virtual machine.

Procedure

1. Run /opt/vce/fm/bin/integrationChangepw.sh.

The following message displays:

Warning: This script will restart Asset Manager service.
Please ensure that a maintenance window has been scheduled,
and there is no active upgrade session going on.
Do you want to continue ([y/n])?

2. Enter y to continue. The script then prompts you with the following:

Please enter current admin password:

3. Enter the current Central Authentication Service (CAS) administrator password.

4. Enter the new password for the vision-integration user and then confirm it when prompted.

The script restarts the tomcat-asset-mgr service and displays the following message:

CAS password has been changed for vision-integration user.

Changing the Central Authentication Service (CAS) password for the admin user

Vision software uses a Central Authentication Service (CAS) for authentication to web services. As a best practice, you should change the default password for the admin user, which has full administrator privileges.

About this task

Changing the CAS password involves running a script on the Vision Core virtual machine that updates the password, encrypts it, and then saves it internally. After this password is changed, any client applications that are configured with it must be updated, including the Plug-in for vCenter.

Before you begin

Determine a new password, understanding that the CAS password:

• Is case sensitive.

• Must be between 8 and 20 characters in length.

• Must include one uppercase letter, one digit, and one special character.

• Cannot contain any of the following special characters: \ / % + ' " ( ) ; : < > |

Connect to the Vision Core virtual machine.
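The CAS password rules above (the same list applies to the vision-integration user in the previous section) are enforced by the change scripts, which restart services and are meant to run in a maintenance window, so it pays to check a candidate password before starting them. The POSIX shell function below is an added example, not part of this guide or of Vision software. It assumes that "special character" means any character that is neither a letter nor a digit, which the guide does not define, and it treats the listed disallowed characters exactly as the guide gives them.

```shell
#!/bin/sh
# Added example: check a candidate password against the CAS rules in this
# guide before running integrationChangepw.sh or slibCasChangepw.sh.
# Not part of the Dell EMC guide or of Vision software.

# Characters the guide forbids: \ / % + ' " ( ) ; : < > |
# Built from three quoted pieces so that both quote characters survive;
# inside a bracket expression the backslash is a literal character.
CAS_DISALLOWED='[\/%+'"'"'"();:<>|]'

# check_cas_password PASSWORD
# Prints "ok" and returns 0 when PASSWORD satisfies every rule; otherwise
# prints the first rule it violates and returns 1.
# Assumption (not defined by the guide): a "special character" is any
# character that is neither a letter nor a digit.
check_cas_password() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt 8 ] || [ "$len" -gt 20 ]; then
        echo "length must be between 8 and 20 characters (got $len)"
        return 1
    fi
    if printf '%s' "$pw" | grep -q "$CAS_DISALLOWED"; then
        echo "contains a disallowed character"
        return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[[:upper:]]'; then
        echo "missing an uppercase letter"
        return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[[:digit:]]'; then
        echo "missing a digit"
        return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[^[:alnum:]]'; then
        echo "missing a special character"
        return 1
    fi
    echo "ok"
    return 0
}

# Usage: sh check_cas_password.sh 'Candidate1!'
# (the candidate is shown as an argument only for illustration; on a shared
# host prefer reading it from a prompt so it does not appear in the process list)
if [ $# -gt 0 ]; then
    check_cas_password "$1"
fi
```

The disallowed-character test runs before the composition tests, so a password such as Vision2018( is reported for the parenthesis rather than accepted as having a special character.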

Procedure

1. Run /opt/vce/fm/bin/slibCasChangepw.sh

The script prompts you with the following message:

Warning: This script will restart JBoss, Vision FM Agent and other services.
Please ensure that a maintenance window has been scheduled,
and there is no active upgrade session going on.
Do you want to continue ([y/n])?

2. Enter y to continue. The script then prompts you with the following:

Please enter current user password:

3. Enter the current password for the admin user.

The script then prompts you with the following:

Please enter new password(Press Ctrl C to exit):

4. Enter the new password for the admin user and then confirm it when prompted.

The script restarts services and displays the following message:

CAS password has been changed for admin user.
Please update vCenter plugin Administration Settings and any other client applications using this password.

63 | Converged System password management

Ports and protocols

ScaleIO ports and authentication

This section contains ScaleIO ports and authentication.

Port       | Protocol | Description
443        | TCP      | Used to perform installations using Installation Manager.
443        | TCP      | REST. Used to query a ScaleIO cluster or perform operations on a cluster.
6611, 9011 | TCP      | Used to provision or query the ScaleIO system.
7072       | TCP      | SDCs connect through this port for data communication and on the MDM for metadata communication.
9099       | TCP      | Installation Manager connects to the Light Installation Agent to perform installation-related operations.
162        | UDP      | SNMP traps for system alerts are sent to a trap receiver using this port.

VMware vSphere 6.0 ports and authentication

This section lists ports required for communication between components by VMware vSphere 6.0.

In Microsoft Windows Server 2008, a firewall is enabled by default.

Table 1:

Port  | Protocol | Description
22    | TCP/UDP  | System port for SSHD. This port is used only by the vCenter Server Appliance.
80    | TCP      | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open). If using a Microsoft SQL database that is stored on the same virtual machine or physical server as vCenter Server, port 80 is used by the SQL Reporting Service. When installing or upgrading vCenter Server, the installer prompts you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation or upgrade.
88    | TCP      | VMware key distribution center port.
389   | TCP/UDP  | This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove the service or change its port number. You can run the LDAP service on any port from 1025 through 65535. If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.
443   | TCP      | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. Port 443 is also used for these services: WS-Management (also requires port 80 to be open); third-party network management client connections to vCenter Server; third-party network management clients access to hosts.
514   | UDP      | vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port for vCenter Server Appliance.
636   | TCP      | For vCenter Server Enhanced Linked Mode, this is the SSL port of the local instance. If another service is running on this port, it may be preferable to remove it or change its port number. You can run the SSL service on any port from 1025 through 65535.
902   | TCP/UDP  | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.
1514  | TCP/UDP  | vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service TLS port for vCenter Server Appliance.
2012  | TCP      | Control interface RPC for vCenter Single Sign-On (SSO).
2014  | TCP      | RPC port for all VMCA (VMware Certificate Authority) APIs.
2020  | TCP/UDP  | Authentication framework management.
6500  | TCP/UDP  | ESXi Dump Collector port.
6501  | TCP      | Auto Deploy service.
6502  | TCP      | Auto Deploy management.
7444  | TCP      | Secure Token Service.
8088  | TCP      | Workflow Management Service.
9433  | TCP      | vSphere Web Client HTTPS.
11711 | TCP      | VMware Directory service (vmdir) LDAP.
11712 | TCP      | VMware Directory service (vmdir) LDAPS.
5480  | TCP      | vCenter Server Appliance Web Console (VAMI)

For an appliance-based vCenter Server, the ports are listed in the table below:

Port  | Protocol | Description
22    | TCP      | System port for SSHD
80    | TCP      | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server/ instead of https://server/.
135   | TCP      | Active Directory authentication
443   | TCP      | vCenter Server uses port 443 to: listen for connections from the vSphere Client; receive data from the vSphere Client, after it is enabled; monitor data transfer from SDK clients. If you use another port number for HTTPS, use ip-address:port when you log on to the vCenter Server system.
514   | UDP      | vSphere Syslog Collector server
902   | TCP/UDP  | This is the default port used by vCenter Server to send data to managed hosts and to display virtual machine consoles. Managed hosts send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and hosts, or between hosts.
8080  | TCP      | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services
8090  | TCP      | TCP connects to the local port to provide SOAP web services
8085  | TCP      | Internal Service Diagnostics/SDK
8089  | TCP      | SDK Tunneling Port
7444  | TCP      | vCenter Single Sign-On - VMware Secure Token Service
8443  | TCP      | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services
10080 | TCP      | vCenter Inventory Service HTTP
10443 | TCP      | vCenter Inventory Service HTTPS
10109 | TCP      | vCenter Inventory Service database
21000 | TCP      | VMware vSphere Profile-Driven Storage Service HTTP
21100 | TCP      | VMware vSphere Profile-Driven Storage Service HTTPS
1514  | TCP      | vSphere Syslog Collector server (SSL)
6500  | TCP      | Network coredump server (UDP)
6501  | TCP      | Auto Deploy service
6502  | TCP      | Auto Deploy management
9090  | TCP      | vSphere Web Client HTTP
9443  | TCP      | vSphere Web Client HTTPS
5480  | TCP      | vCenter Server Appliance Web user interface HTTPS
5489  | TCP      | vCenter Server Appliance Web user interface CIM service
22000 | TCP      | vCenter Server Storage Monitoring Service HTTP
22100 | TCP      | vCenter Server Storage Monitoring Service HTTPS
12443 | TCP      | Log Browser
11711 | TCP      | vCenter Single Sign-On VMware Directory Service (LDAP)
11712 | TCP      | vCenter Single Sign-On VMware Directory Service (LDAPS)
8190  | TCP      | Storage Policy Server HTTP
8191  | TCP      | Storage Policy Server HTTPS
7331  | TCP      | HTML5 remote console for virtual machines
7343  | TCP      | HTML5 remote console for virtual machines, HTTPS

Vision Intelligent Operations ports and protocols

Review ports and protocols for communicating with Vision software.

Communication with Vision software occurs through northbound traffic over an external network and through southbound traffic to Converged System components.

Review the ports and protocols to help troubleshoot issues after installation.

Open port assignments

The MSM virtual machine runs a number of small services on various ports. Not all ports on the MSM virtual machine are opened through the firewall. The following ports are available from outside of the MSM virtual machine.

Port | Protocol | Linux Application | Usage
22   | TCP      | SSH               | Secure shell (SSH)
80   | UDP      | Apache HTTP       | Web server providing access to the Vision dashboard and all Vision REST APIs. Requests are redirected to port 443
443  | TCP      | Apache HTTP       | HTTPS access to the dashboard and all Vision REST APIs
5672 | TCP      | RabbitMQ          | Message service used by Vision software
7000 | TCP      | SSL               | Cassandra SSL inter-node communication
9042 | TCP, UDP | Cassandra         | Cassandra native client port
9160 | TCP      | Cassandra         | Cassandra thrift client port
9301 | TCP      | Elasticsearch     | Elasticsearch node-to-node communication

Source: Vision software

If port 9301 is not open:

1. In the command line interface, type vi /etc/sysconfig/iptables.
2. Add the following line:
   -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT
3. Type service iptables save.
4. Type service iptables restart.
5. Type netstat -l | grep 9301 to check the status of the port. LISTEN indicates that the port is open.
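The procedure above checks one port by hand, and a netstat LISTEN line alone says nothing about whether iptables lets the connection in. The POSIX shell script below is an added example, not part of this guide or of Vision software: it walks the TCP ports from the MSM table and reports, for each, whether a service listens, whether it is bound to loopback only, and whether an INPUT ACCEPT rule of the shape shown in step 2 exists. The iptables ruleset and the netstat -l output are constructed for this example, not captured from a real MSM virtual machine; the rule and socket shapes follow the command output the guide quotes.

```shell
#!/bin/sh
# Added example: cross-check listening sockets against the iptables INPUT
# chain for the MSM ports listed in this guide. Not part of the Dell EMC
# guide or of Vision software; both inputs below are constructed samples.

# Constructed iptables-save style ruleset. 9301 uses the exact rule from the
# procedure above; 7000 deliberately has no rule so the filtered case shows.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9301 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed `netstat -l` output. 9042 is bound to loopback only and 9160
# is not listening at all, to exercise those two verdicts.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5672            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9042          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9301            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# rule_accepts PROTO PORT RULESET
# Succeeds when an INPUT rule for PROTO/--dport PORT ends in ACCEPT
# (the same shape as the rule added in step 2 above).
rule_accepts() {
    printf '%s\n' "$3" | grep -q -- "^-A INPUT .*-p $1 .*--dport $2 .*-j ACCEPT"
}

# listen_addr PORT NETSTAT_OUTPUT
# Prints the local address of each TCP socket in LISTEN state on PORT;
# prints nothing when no socket listens there.
listen_addr() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { sub(":" port "$", "", $4); print $4 }'
}

# port_status PORT [RULESET] [NETSTAT_OUTPUT]
# Combines both views into one verdict. Defaults to the constructed samples;
# pass "$(iptables-save)" and "$(netstat -l)" to check a live host.
port_status() {
    rules=${2:-$SAMPLE_RULES}
    ns=${3:-$SAMPLE_NETSTAT}
    addr=$(listen_addr "$1" "$ns")
    if [ -z "$addr" ]; then
        echo "not listening"
    elif [ "$addr" = "127.0.0.1" ]; then
        echo "loopback only"            # reachable from the VM itself, not from outside
    elif rule_accepts tcp "$1" "$rules"; then
        echo "open"
    else
        echo "listening but filtered"   # service is up, iptables rejects new connections
    fi
}

# Walk the TCP ports the MSM table lists as available from outside the VM.
for p in 22 443 5672 7000 9042 9160 9301; do
    printf '%-5s %s\n' "$p" "$(port_status "$p")"
done
```

A port reported as "listening but filtered" is the case step 2 fixes; "loopback only" means the daemon is running but was never meant to be reachable from outside, so no firewall rule should be added for it.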


Northbound ports and protocols

Third-party applications and network management systems (NMS) can use northbound ports and protocols to communicate with Vision software.

Port                                  | Protocol | Usage                                     | Source                                                                  | Direction
80                                    | TCP      | HTTP                                      | Vision software                                                         | Outbound
443                                   | TCP      | HTTPS                                     | Vision software                                                         | Outbound
22                                    | TCP      | Secure shell (SSH)                        | Any IP address                                                          | Inbound
8443                                  | TCP      | API for System Library                    | Any client or application that uses these APIs.                         | Inbound
18443                                 | TCP      | API for Vision Security Inventory Manager | Any client or application that uses this feature.                       | Inbound
4369                                  | TCP      | AMQP messaging                            | Any application that subscribes to the Vision software messaging service. | Outbound
5672                                  | TCP      | AMQP messaging                            | Any application that subscribes to the Vision software messaging service. | Inbound
161                                   | UDP      | General SNMP messages                     | SNMP client or NMS                                                      | Inbound
162 (default port; this port is configurable) | UDP | SNMP trap messages                   | SNMP client or NMS                                                      | Inbound

Destination for ports 80 and 443: RCM content distribution network (CDN) destination addresses that include the following:

• *.flexnetoperations.com

• updates.flexnetoperations.com

• vce.flexnetoperations.com

• vceesdie.flexnetoperations.com

Refer to the Vision Intelligent Operations Integration Guide for SNMP for instructions on configuring port 162 for SNMP trap messages.

Southbound ports and protocols

Vision software uses specific ports and protocols for southbound communication with Converged System components.

Port | Protocol | Usage                                                                                         | Source                      | Destination
69   | UDP      | TFTP traffic from the Configuration Collector to back up Converged System component configuration | Converged System components | Vision software
162  | UDP      | SNMP trap messages                                                                            | Converged System components | Vision software
514  | UDP      | syslog messages                                                                               | Converged System components | Vision software

Compute components

Review the ports and protocols that Vision software uses for communication with compute components.

Dell iDRAC

Port | Protocol | Usage                                          | Source          | Destination
443  | TCP      | iDRAC accesses this port using the RedFish API | Vision software | iDRAC

Network components

Review the ports and protocols that Vision software uses for communication with network switches, including physical and virtual switches.

Port | Protocol | Usage                 | Source          | Destination
22   | TCP      | Secure shell (SSH)    | Vision software | Network switches
161  | UDP      | General SNMP messages | Vision software | Network switches

Storage components

Review the ports and protocols that Vision software uses for communication with various storage components.

ScaleIO

Port | Protocol | Usage    | Source          | Destination
443  | TCP      | REST API | Vision software | ScaleIO

Management components

Vision software communicates with management components using certain ports and protocols.

Port | Protocol | Usage | Source          | Destination
161  | TCP      | SNMP  | Vision software | IPI appliance

Virtualization components

Review the ports and protocols that Vision software uses for communication with virtualization components.

Port | Protocol | Usage   | Source          | Destination
443  | TCP      | XML API | Vision software | VMware vCenter Server

References

This section contains links for additional security hardening information.

Component         | Link
Cisco Nexus       | http://www.cisco.com/c/en/us/about/security-center/securing-nx-os.html
ScaleIO           | https://support.emc.com/docu67402_ScaleIO-2.0-Security-Configuration-Guide.pdf?language=en_US
VMware components | https://www.vmware.com/security/hardening-guides


The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

Copyright © 2016-2018 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA in February 2018.

Dell EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
