VCAP5 DCA Study Guide


Section 7 – Secure a vSphere Environment

Objective 7.1 – Secure ESXi Hosts

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit/Remove users/groups on an ESXi host

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=41

  • Customize SSH settings for increased security

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=32

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=72

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-installation-setup-guide.pdf#page=157

  • Enable/Disable certificate checking

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=70

  • Generate ESXi host certificates

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=70

  • Enable ESXi lockdown mode

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=79

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-installation-setup-guide.pdf#page=156

  • Replace default certificate with CA-signed certificate

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=71

http://kb.vmware.com/kb/2015499_draft

  • Configure SSL timeouts

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=73

  • Configure vSphere Authentication Proxy

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=63

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-installation-setup-guide.pdf#page=214

  • Enable strong passwords and configure password policies

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=45

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=90

  • Identify methods for hardening virtual machines

http://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR-SECRTY-HRDNG-USLET-101-WEB-1.pdf#page=10

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=85

http://communities.vmware.com/servlet/JiveServlet/downloadBody/19056-102-1-24817/vSphere50%20Hardening%20-%20Rev%20B.xlsx

  • Analyze logs for security-related messages
  • Manage Active Directory integration

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=61

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-command-line-interface-solutions-and-examples-guide.pdf#page=25


Tools

vSphere Command-Line Interface Concepts and Examples

vSphere Installation and Setup Guide

vSphere Troubleshooting Guide

Product Documentation

vSphere Client

vSphere CLI

esxcli

vifs


Objective 7.2 – Configure and Maintain the ESXi Firewall

Knowledge

  • Identify esxcli firewall configuration commands

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-command-line-interface-solutions-and-examples-guide.pdf#page=130

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=38

  • Explain the three firewall security levels

Not applicable to ESXi 5.0 as worded: the High/Medium/Low security levels belonged to the classic ESX service console firewall. The ESXi 5 firewall is simply enabled or disabled, plus a default action for traffic that matches no enabled ruleset (see "Set firewall security level" below).

Skills and Abilities

  • Enable/Disable pre-configured services

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=35

  • Configure service behavior automation

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=37

  • Open/Close ports in the firewall

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=35

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-command-line-interface-solutions-and-examples-guide.pdf#page=130

  • Create a custom service (not supported outside of VIB creation)

http://www.virtuallyghetto.com/2011/07/how-to-create-custom-firewall-rules-in.html

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf#page=34

  • Set firewall security level

There aren’t three levels any longer. In ESXi 5.0 the firewall is either enabled or disabled, and the only other global setting is the default action (DROP or PASS) applied to traffic that matches no enabled ruleset. Leave the firewall enabled with a DROP default and control exposure per ruleset rather than turning it off.

esxcli network firewall get (show Enabled and Default Action)

esxcli network firewall set -e true (enable)

esxcli network firewall set -e false (disable)

esxcli network firewall set --default-action false (false = DROP traffic matching no enabled ruleset)
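The esxcli commands above only toggle the firewall; what an auditor actually wants to know is whether it is on, whether the default action is DROP, and which rulesets are open that the design says should not be. The script below is an added example, not from the VMware documentation or the exam blueprint: it parses the output of `esxcli network firewall get` and `esxcli network firewall ruleset list` (captured to a file on the host, since esxcli is not available off-box) and reports deviations from a baseline. The baseline list of expected rulesets and both sample outputs are constructed for illustration; adjust the baseline to your own design.

```shell
#!/bin/sh
# Added example (not VMware's code): audit ESXi 5 firewall state from saved esxcli output.
# On a real host, capture the inputs with:
#   esxcli network firewall get          > firewall_get.txt
#   esxcli network firewall ruleset list > rulesets.txt
# and pass the file contents to the functions below instead of the constructed samples.

# Assumption: rulesets expected to be enabled on a hardened host. Edit to match your design.
BASELINE_ENABLED="vSphereClient CIMHttpsServer DHCPv6 dhcp dns NFC ntpClient vMotion vpxHeartbeats"

# Constructed sample of `esxcli network firewall ruleset list` output (not from a real host).
SAMPLE_RULESETS='Name                    Enabled
----------------------  -------
sshServer               true
sshClient               false
nfsClient               false
dhcp                    true
dns                     true
snmp                    true
ntpClient               true
CIMHttpsServer          true
vSphereClient           true
vMotion                 true
vpxHeartbeats           true
NFC                     true
DHCPv6                  true
faultTolerance          false
'

# Constructed sample of `esxcli network firewall get` output showing a weak default action.
SAMPLE_GET='   Default Action: PASS
   Enabled: true
   Loaded: true
'

# in_baseline NAME -> returns 0 when NAME is in BASELINE_ENABLED
in_baseline() {
    for b in $BASELINE_ENABLED; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# unexpected_enabled "<ruleset list output>" -> prints each ruleset that is enabled
# but not in the baseline, one per line (skips the two header lines).
unexpected_enabled() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }' | while read -r name; do
        in_baseline "$name" || printf '%s\n' "$name"
    done
}

# firewall_findings "<firewall get output>" -> one line per weak global setting
firewall_findings() {
    printf '%s\n' "$1" | awk -F': *' '
        /Enabled:/        && $2 != "true" { print "firewall disabled" }
        /Default Action:/ && $2 != "DROP" { print "default action is " $2 " (expected DROP)" }'
}

# remediation_commands NAME... -> prints (does not run) the esxcli commands that close the gaps
remediation_commands() {
    echo "esxcli network firewall set --enabled true"
    echo "esxcli network firewall set --default-action false"   # false = DROP unmatched traffic
    for name in "$@"; do
        echo "esxcli network firewall ruleset set --ruleset-id $name --enabled false"
    done
    echo "esxcli network firewall refresh"
}

# Usage against the constructed samples; on a host use "$(cat firewall_get.txt)" etc.
main() {
    firewall_findings "$SAMPLE_GET"
    extra=$(unexpected_enabled "$SAMPLE_RULESETS")
    [ -n "$extra" ] && printf 'unexpected enabled rulesets:\n%s\n' "$extra"
    # shellcheck disable=SC2086
    remediation_commands $extra
}
```

Run it on the samples and it flags the PASS default action and the sshServer and snmp rulesets, then prints the esxcli commands that would set the default to DROP and disable those two rulesets. Keep sshServer off except during a maintenance window, and if it must stay on restrict it with `esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address <mgmt-subnet>` after setting `--allowed-all false`.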


Tools

vSphere Command-Line Interface Concepts and Examples

vSphere Installation and Setup Guide

vSphere Troubleshooting Guide

Product Documentation

vSphere Client

vSphere CLI

esxcli