VMware Cloud Community
JDLangdon
Expert

Port 903?

I'm in the process of placing my ESX COS behind an internal firewall and I'm not sure where port 903 should be opened to. This port is being used for VI Client access to virtual machine consoles. Do I need to open the firewall between my workstation and the ESX host or is it between the VC server and the ESX host?

Currently, we do not have a firewall between my workstation and the VC server.

________________________________

Jason D. Langdon


Accepted Solutions
bulletprooffool
Champion

903 will be needed between the VC Client and the ESX hosts.

902 and 903 are used by VC to display Virtual Machine Consoles

One day I will virtualise myself . . .

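A quick way to verify the accepted answer on the real network before and after the firewall change, as an added example rather than anything posted in the thread: probe each required flow with a plain TCP connect and classify the result. The host names, the "vi-client"/"vc-server" labels and the 443 VI Client to VC flow are assumptions; only 902/903 for VM consoles come from the answer above. Python 3 standard library only. Run it once from the VI Client workstation and once from the VC server, since those are different sources and may sit on different sides of the firewall.

```python
"""Probe the VI Client -> ESX console flows (TCP 902/903) through the firewall.

Added example for this thread, not code from VMware or from any poster.
Host names, the source labels and the 443 flow are assumptions; 902/903 for
VM consoles come from the accepted answer.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (source, destination, tcp port, purpose)
Flow = Tuple[str, str, int, str]

CONSOLE_FLOWS: List[Flow] = [
    ("vi-client", "esx01.example.internal", 902, "VM console"),
    ("vi-client", "esx01.example.internal", 903, "VM console"),
    ("vi-client", "vc.example.internal", 443, "VI Client to VC (assumed, not from the thread)"),
    ("vc-server", "esx01.example.internal", 902, "VC to ESX, VM console"),
    ("vc-server", "esx01.example.internal", 903, "VC to ESX, VM console"),
]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt.

    'open'    - handshake completed: path and service are both up.
    'refused' - RST came back: packets reach the host but nothing listens on
                that port (service down, wrong port); the firewall is not the problem.
    'timeout' - no answer at all: the usual signature of a firewall silently
                dropping the SYN somewhere on the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # no route, DNS failure, ...
        return "error:%s" % (exc.errno if exc.errno is not None else type(exc).__name__)


def audit(flows: List[Flow], prober: Callable[[str, int], str] = probe) -> List[Dict[str, object]]:
    """Probe every flow and tag it with the result; nothing on the network is changed."""
    return [
        {"src": src, "dst": dst, "port": port, "purpose": purpose, "state": prober(dst, port)}
        for src, dst, port, purpose in flows
    ]


def blocked(results: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flows not 'open': 'timeout' means a rule is still missing, 'refused' means check the service."""
    return [r for r in results if r["state"] != "open"]


def demo_local() -> Dict[str, str]:
    """Offline self-check on loopback: a port with a listener, then the same port after the listener closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo_local())  # {'listening': 'open', 'closed': 'refused'}
    for row in audit(CONSOLE_FLOWS):
        print(row)
```

A completed handshake only proves the firewall passes the SYN and something answers; it does not prove the console works end to end, so open the console from the VI Client once the probes are all "open". Keep the distinction between "timeout" and "refused" in mind when the console still fails: the first points at the firewall, the second at the host.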
13 Replies
AntonVZhbankov
Immortal

Between the machine where the VI Client runs and the ESX server.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
weinstein5
Immortal

and between VC server and the ESX hosts

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

Texiwill
Leadership

Hello,

It is best to not open up any ports; instead, place your management tools (vCenter, VIC, Service Console) on a Management Network. You should not really be jumping from your local workstation using the VIC to something behind the management network firewall. Instead, create a VM and use RDP in a secure way to get inside the management network and safely use all your tools. That way you just open one port (RDP) and no others.

This is the best recommendation for increased security. Otherwise you are crossing security zones, and even though everything uses SSL, you restrict from where the SSL negotiation takes place and thereby alleviate SSL MitM attacks against your Management Tools.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
JDLangdon
Expert

It is best to not open up any ports, instead, place your management tools (vCenter, VIC, Service Console) on a Management Network.

This is easier said than done. I have three management networks that are being managed by a single VC server. I am planning on implementing a Citrix server to run the VIC, but even this will not be on my management network.

________________________________

Jason D. Langdon

Texiwill
Leadership

Hello,

This is easier said than done. I have three management networks that are being managed by a single VC server.

Do you have 3 management networks or 3 clusters? Remember, even though it is a 'cluster', the management networks for all these 'clusters' are one security zone. If they need to be completely separate security zones for security or political reasons, then one VC is not the way to go, as your VC Server is crossing all these security zones as well.

I am planning on implementing a Citrix server to run the VIC but even this will not be on my management network.

Sounds good.

The real question JD is whether there are actually 4 security zones (1 per cluster + VC) or really just 1 with needed controls on who can access what via roles and permissions?


Best regards,

Edward L. Haletky
howardcat
Contributor

Yikes, I need to jump in here and once again agree with Ed.... :)

Some may find this article helpful. In the past, I have implemented this recipe and managed to sleep better at night with RDP running to...well, we won't mention.

Securing RDP over SSL

Please post your results if you attempt/try this!


Howard

JDLangdon
Expert

Yikes, I need to jump in here and once again agree with Ed.... :)

I'd be more impressed if you jumped in here and disagreed with Ed...... :)

________________________________

Jason D. Langdon

howardcat
Contributor

I am happy to any time he is wrong....

<waiting>.... :)

JDLangdon
Expert

Do you have 3 management networks or 3 clusters?

I have 4 clusters on 3 management networks

The real question JD is whether there are actually 4 security zones (1 per cluster + VC) or really just 1 with needed controls on who can access what via roles and permissions?

I'm beginning to think that it is just one security zone which spans multiple subnets. The people who log into VC have the same rights and permissions regardless of which cluster they are working on.

________________________________

Jason D. Langdon

JDLangdon
Expert

903 will be needed between the VC Client and the ESX hosts.

902 and 903 are used by VC to display Virtual Machine Consoles

Thanks guys.

________________________________

Jason D. Langdon

Texiwill
Leadership

Hello,

I'm beginning to think that it is just one security zone which spans multiple subnets. The people who log into VC have the same rights and permissions regardless of which cluster they are working on.

That is usually the case. So I would create a 'management network' that contains VC and anything that will access VC and then bridge within there to the other subnets in some fashion. This is by far the safest way to secure your management interfaces. VIC from production to VC in production through a firewall to SC is just a bit chaotic. While it works, it does have quite a few risks associated with it. Whether those risks are acceptable depends entirely on your company however.


Best regards,

Edward L. Haletky
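The zone argument Texiwill makes in his first reply and again in the reply above (one management zone containing VC and everything that talks to VC, with a single RDP hop into it) can be checked mechanically: map each host to a zone, list the flows the VI Client needs, and count which of them cross a zone boundary. The following is an added example illustrating that reasoning, not code from the thread or from VMware. The host names, the three management subnets, JD's four-cluster layout as modelled here, the RDP port (3389) and the 443 VI Client to VC connection are assumptions; 902/903 per ESX host for consoles come from the accepted answer.

```python
"""Which VI Client flows cross a security-zone boundary, direct versus via a jump host.

Added example illustrating the zone discussion in this thread; not code from
VMware or from any poster.  Host names, subnets, the 443 flow and the RDP port
are assumptions; 902/903 for VM consoles come from the accepted answer.
"""
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str]  # (src host, dst host, tcp port, purpose)

# JD's layout as assumed here: one VC, four clusters spread over three
# management subnets.  Subnets are recorded so we can show they do not decide
# the zone question.
SUBNET: Dict[str, str] = {
    "workstation": "10.1.0.0/24",
    "vc": "10.9.1.0/24",
    "esx-a1": "10.9.1.0/24", "esx-a2": "10.9.1.0/24",  # clusters A and B share a subnet
    "esx-c1": "10.9.2.0/24",
    "esx-d1": "10.9.3.0/24",
    "jumphost": "10.9.1.0/24",
}

# Zone model following JD's conclusion: the same people with the same rights
# administer every cluster, so VC and all ESX hosts form ONE management zone
# regardless of subnet; the VI Client workstation sits in the user LAN.
ZONE: Dict[str, str] = {h: ("user" if h == "workstation" else "management") for h in SUBNET}

ESX_HOSTS: List[str] = [h for h in SUBNET if h.startswith("esx-")]


def console_flows(client: str) -> List[Flow]:
    """Flows a VI Client on `client` needs for VM consoles via VC: 443 to VC (assumed) and 902/903 to every ESX host."""
    flows: List[Flow] = [(client, "vc", 443, "VI Client to VC (assumed)")]
    for esx in ESX_HOSTS:
        flows.append((client, esx, 902, "VM console"))
        flows.append((client, esx, 903, "VM console"))
    return flows


# VC itself reaches every host on 902/903 for consoles (from the thread).
VC_FLOWS: List[Flow] = [("vc", esx, p, "VC to ESX, VM console") for esx in ESX_HOSTS for p in (902, 903)]

# Option 1: VIC on the workstation, straight through the zone firewall.
DIRECT: List[Flow] = console_flows("workstation") + VC_FLOWS

# Option 2: RDP to a jump host inside the management zone, VIC runs there.
VIA_JUMP: List[Flow] = [("workstation", "jumphost", 3389, "RDP to jump host")] + console_flows("jumphost") + VC_FLOWS


def cross_zone(flows: List[Flow], zone: Dict[str, str] = ZONE) -> List[Flow]:
    """Flows whose endpoints are in different security zones."""
    return [f for f in flows if zone[f[0]] != zone[f[1]]]


def cross_subnet(flows: List[Flow], subnet: Dict[str, str] = SUBNET) -> List[Flow]:
    """Flows that cross a subnet boundary (routed, but not necessarily a zone crossing)."""
    return [f for f in flows if subnet[f[0]] != subnet[f[1]]]


def boundary_rules(flows: List[Flow], zone: Dict[str, str] = ZONE) -> List[Tuple[str, str, int]]:
    """Distinct (src zone, dst zone, port) permits the zone firewall has to carry."""
    return sorted({(zone[s], zone[d], p) for s, d, p, _ in flows if zone[s] != zone[d]})


if __name__ == "__main__":
    for name, flows in (("direct", DIRECT), ("via jump host", VIA_JUMP)):
        print(name, "cross-zone flows:", len(cross_zone(flows)), "firewall permits:", boundary_rules(flows))
    print("VC to ESX flows crossing a subnet:", len(cross_subnet(VC_FLOWS)),
          "crossing a zone:", len(cross_zone(VC_FLOWS)))
```

With the direct layout the zone firewall needs permits for 443, 902 and 903 from the user LAN to the management zone, and every new cluster adds more cross-zone console flows; with the jump host it needs exactly one permit (RDP) whatever the cluster count. The VC to ESX flows cross three subnets but no zone, which is the distinction Texiwill draws between "three management networks" and "three security zones".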
Texiwill
Leadership

Hello,

Howard and I have disagreed in the past.... It's not often but... or was that agreed with reservations... chuckle


Best regards,

Edward L. Haletky