
Compliance Ready Lab

Build Guide: HIPAA
Version

Contents
Overview
Security Application Zone (Runs on)
Requirements
Segmentation/firewall
ESXi Host Security
ESXi Host Firewall
Configure NTP Time Synchronization For ESXi Host
Lockdown Mode
Set DCUI (Direct Console UI) Access
Remote Syslog/Logging
Disable MOB (Managed Object Browser)
Zero-Out VMDK (before deletion)
Create A Non-Root Local Admin Account
Configure Host Profile
vSwitch Security
Reject Promiscuous Mode
Reject MAC Address Changes
Reject Forged Transmits
Network Security
Firewall internal
Allowed ports for management
Firewall external
SECURITY MANAGEMENT

vCloud Networking And Security (vCNS)


vShield Manager
vShield Manager Installation
vShield App
Flow Monitoring
App Firewall
vShield App Fail Safe Setting
vShield App Exclusion List
vShield App Installation
Example Of vShield App Firewall Blocking Rule
vShield Edge
vShield Edge Installation
vShield Edge Gateway And Isolated Network Configuration
vShield Endpoint
vShield Endpoint Installation
Testing Requirements:
vShield Data Security
vShield Data Security Installation
vShield Data Security Policy
Testing Requirements
BMC Server Automation
BSA Architecture
Client Tier
Server Tier
Middle Tier
Installation
BSA Database Server
BSA File Server Agent
BSA Application Server
BSA GUI Console
BSA Compliance Module
Testing Requirement
Setting Discovery Job
Setting Policy-Based Compliance Audit
BMC BladeLogic Decision Support For Server Automation
Installation
Testing Requirement
BMC BladeLogic Atrium Integration
BSA Atrium Integration Diagram
Installation
Testing Requirement
Customizing Data Mapping Between BSA And CMDB
Transferring Business Service Data from Atrium CMDB to BSA
Configuration And Testing
Denial Of Service

DATA PROTECTION: ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION
Virus Scanning
vCNS vShield Endpoint And VMware Partners AntiVirus And AntiMalware
Software
Configuration And Patch Management
Integrated Solution
SupernaNet.Connect
VCE Vision Intelligent Operations
VMware vCenter
BMC CMDB
Manual Tagging For Compliant CIs
vCenter Inventory Tagging
BMC CMDB Tagging
Automatic Tagging For Compliant CIs
SupernaNet.Connect Mapping File
Monitoring
IDENTITY AND ACCESS MANAGEMENT
LoginTC For OpenVPN
LoginTC Cloud Domain
LoginTC Radius Connector
OpenVPN
LDAP
User
Data protection: backup/restore/replication
Configuration And Patch Management
Auto Deploy Installation VMWare vSphere 5.1
Compliance: HIPAA
164.306 Security Standards: General Rules.
164.308 Administrative Safeguards
Security Management Process ( 164.308(a)(1))
Key Activities: Conduct Risk Assessment
Technical Implementations:
Key Activities: Develop And Deploy The Information System Activity
Review Process
Technical Implementations:

Technical Implementations:
Key Activities: Develop Appropriate Standard Operating Procedures
Technical Implementations:
Information Access Management ( 164.308(a)(4))
Key Activities: Implement Policies And Procedures For Authorizing
Access
Technical Implementation:
Security Awareness and Training ( 164.308(a)(5))
Implementation Specification: Protection From Malicious Software
Technical Implementation:
164.310 Physical Safeguards
Device And Media Controls ( 164.310(d)(1))
Key Activities: Implement Methods For Final Disposal of EPHI
Technical Implementations:
Key Activities: Develop And Implement Procedures For Reuse Of
Electronic Media
Technical Implementations:
164.312 Technical Safeguards
Access Control ( 164.312(a)(1))
Key Activities: Analyze Workloads And Operations To Identify The
Access Needs Of All Users
Technical Implementations:
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
Key Activities: Ensure That All System Users Have Been Assigned A
Unique Identifier
Technical Implementations:
Key Activities: Implement Access Control Procedures Using Selected
Hardware And Software
Description:
Technical Implementations:
Key Activities: Review And Update User Access
Technical Implementations:
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
Audit Controls ( 164.312(b)) - Future In Scope - Security Partner
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
Key Activities: Select The Tools That Will Be Deployed For Auditing And
System Activity Reviews
Technical Implementations:
Integrity ( 164.312(c)(1))
Key Activities: Mechanism To authenticate Electronic Protected Health
Information
Technical Implementations:

Person Or Entity Authentication ( 164.312(d))


Key Activities: Determine Authentication Applicability To Current
Systems/Applications
Technical Implementation:
Key Activities: Evaluate Authentication Options Available
Technical Implementation:
References

Overview
This document serves as the master design document for all areas of the design. It
is designed to allow ISVs to fit their product into a functional area. The
scope of the phase I design is shown in Figure 1.

Security Application Zone (Runs on)

Application deployments will follow a deployment method that ensures that a
secure network is in place between the virtual machines that need to communicate.
Applications that adhere to best practices will follow the requirements below for
deployment in the test bed.

Requirements
1. Must support one or the other deployment option for VM-to-VM communications.

Segmentation/firewall
vSphere uses Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT)
to provide remote attestation of the hypervisor image based on a hardware root of
trust. The hypervisor image comprises the following elements:
- ESXi software (hypervisor) in VIB (package) format
- Third-party VIBs
- Third-party drivers

To leverage this capability, your ESXi system must have TPM and TXT enabled.

1. Enable TPM and document.

Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60DEE2AE1A405A.html
Cisco Trusted Platform Module
The Cisco Trusted Platform Module (TPM) is a computer chip that securely
stores artifacts such as measurements, passwords, certificates, or
encryption keys, that are used to authenticate the Vblock Systems. The
Cisco TPM provides authentication and attestation services that enable
safer computing in all environments.
The Cisco TPM module is available by default in Vblock Systems as a
component within the Cisco UCS M3 Blade Servers, and is shipped
disabled. For more information, refer to the VCE Vblock Systems Blade
Packs Reference. Refer to Accessing VCE documentation.
VCE supports Cisco TPM hardware but does not support the Cisco TPM
functionality. Using Cisco TPM features involves using a software stack
from a vendor with significant domain experience in trusted computing.
Consult your software stack vendor for configuration and operational
considerations relating to the Cisco TPMs.

ESXi Host Security


ESXi Host Firewall
ESXi includes a firewall between the management interface and the network. The
firewall is enabled by default.
This ESXi Firewall provides a new access control capability for ESXi. We need to
configure this ESXi host firewall to restrict access to services running on the host.

Some important points about this ESXi 5.x firewall:

- ESXi 5.x has a new firewall engine that is not based on iptables.
- The firewall is enabled by default and allows Internet Control Message
  Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
- The firewall is service oriented.
- It can restrict access to specific services based on IP address/subnet mask.
- There is Host Profile support for the ESXi 5.x firewall.
- A new ESXCLI interface (esxcfg-firewall) is available in ESXi 5.x.

We can configure firewall properties to allow or deny access for a service or
management agent. We can also specify which networks are allowed to connect to
each service that is running on the host, and specify the startup policy by setting
the service or client startup option (automatic, manual, or start and stop with
host).

Fig.2 ESXi Host Security Profile


Fig.3 ESXi Host Firewall
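To verify that a host actually enforces the per-service, per-subnet restriction this section describes, the following added script (not part of the build guide or of VMware's tooling) parses captured output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` and reports enabled rulesets outside an approved list and management services still reachable from any IP. The two outputs and both policy sets are constructed assumptions for a lab host.

```python
"""
Added example (not from the guide or VMware): audit an ESXi 5.x host firewall
against the restriction this section calls for, using the text output of

    esxcli network firewall ruleset list
    esxcli network firewall ruleset allowedip list

captured beforehand. The two outputs below are constructed samples; the
approved-ruleset and management-ruleset sets are an assumed lab policy.
"""
from __future__ import annotations

RULESET_LIST = """\
Name              Enabled
----------------  -------
sshServer         true
sshClient         false
nfsClient         true
dhcp              true
dns               true
snmp              true
ntpClient         true
CIMHttpServer     true
CIMHttpsServer    true
vMotion           true
faultTolerance    true
webAccess         true
vSphereClient     true
vpxHeartbeats     true
remoteSerialPort  true
"""

ALLOWEDIP_LIST = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
snmp            10.10.0.0/24
CIMHttpServer   All
CIMHttpsServer  All
webAccess       All
vSphereClient   10.10.0.0/24
"""

# Assumed lab policy: rulesets that may be enabled on a hardened host ...
APPROVED_RULESETS = {
    "sshClient", "nfsClient", "dhcp", "dns", "snmp", "ntpClient",
    "CIMHttpServer", "CIMHttpsServer", "vMotion", "faultTolerance",
    "webAccess", "vSphereClient", "vpxHeartbeats",
}
# ... and management services that must be limited to the management subnet.
MANAGEMENT_RULESETS = {"sshServer", "snmp", "CIMHttpServer", "CIMHttpsServer",
                       "webAccess", "vSphereClient"}


def parse_esxcli_table(output: str) -> dict[str, str]:
    """Map the first column of an esxcli table to the rest of the row."""
    rows = {}
    for line in output.splitlines()[2:]:   # skip the header and dashed separator
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows[parts[0]] = parts[1].strip()
    return rows


def audit_firewall(ruleset_output: str, allowedip_output: str) -> list[str]:
    """Return one finding per deviation from the lab policy."""
    enabled = {name for name, state in parse_esxcli_table(ruleset_output).items()
               if state == "true"}
    allowed_ips = parse_esxcli_table(allowedip_output)
    findings = [f"{name}: enabled but not on the approved ruleset list"
                for name in sorted(enabled - APPROVED_RULESETS)]
    for name in sorted(enabled & MANAGEMENT_RULESETS):
        # A ruleset missing from the allowedip output is treated as unrestricted.
        if allowed_ips.get(name, "All") == "All":
            findings.append(f"{name}: reachable from any IP; restrict to the management subnet")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(RULESET_LIST, ALLOWEDIP_LIST):
        print(finding)
```

Run it against the real command output saved from an ESXi shell or SSH session; an empty findings list means the host matches the policy.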

Configure NTP Time Synchronization For ESXi Host


By ensuring that all systems synchronize to the same time standard, we make it
simpler to track and correlate an intruder's actions when reviewing the relevant log
files. Incorrect time settings can make it difficult to inspect and correlate log files to
detect attacks, and can make auditing inaccurate.


We need to set the time configuration of the host to point to the NTP server (specify
IP address) and start the service.
It is recommended to synchronize the ESXi clock with a time server that is located on
the management network rather than directly with a time server on a public
network. This time server can then synchronize with a public source through a
strictly controlled network connection with a firewall.

Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to
be managed remotely from vCenter Server. Lockdown limits ESXi host access to the
vCenter Server. This is done to ensure that the roles and access controls
implemented in vCenter are always enforced and users cannot bypass them by
logging into a host directly. By forcing all interaction to occur through vCenter Server,
the risk of someone inadvertently attaining elevated privileges or performing tasks
that are not properly audited is greatly reduced.
Note: Lockdown mode does not apply to users who log in using authorized keys. When
you use an authorized key file for root user authentication, root users are not
prevented from accessing a host with SSH even when the host is in lockdown mode.
Note that users listed in the DCUI.Access list for each host are allowed to override
lockdown mode and log in to the DCUI. By default the "root" user is the only user
listed in the DCUI.Access list.

Set DCUI (Direct Console UI) Access


DCUI.Access is set so that only trusted users can override lockdown mode.
Lockdown disables direct host access, requiring admins to manage hosts from vCenter.
However, if a host becomes isolated from vCenter, the admin would be locked
out and unable to manage the host. To avoid potentially being locked
out of an ESXi host that is running in lockdown mode, set DCUI.Access to a list
of highly trusted users that are allowed to override lockdown mode and access
the DCUI.

Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining
information about breaches of host security.

Remote logging to a central log host provides a secure, centralized store for ESXi
logs. To facilitate this we can use the vSphere Syslog Collector tool.
By gathering host log files onto a central host you can more easily monitor all hosts
with a single tool. For security purposes we can aggregate analysis and search to
look for such things as coordinated attacks on multiple hosts. Logging to a secure,
centralized log server also helps prevent log tampering and provides a long-term
audit record.

Disable MOB (Managed Object Browser)


The managed object browser (MOB) provides a way to explore the object model used
by the VMkernel to manage the host; it enables configurations to be changed as well.
This interface is meant to be used primarily for debugging the vSphere SDK, but
because there are no access controls it could also be used as a method to obtain
information about a host being targeted for unauthorized access.
MOB cannot be disabled while the host is in lockdown mode, so disable it before
placing the host in lockdown mode.
Zero-Out VMDK (before deletion)
To help prevent sensitive data in VMDK files from being read off the physical disk
after they are deleted, the virtual disk should be zeroed out prior to deletion. This
makes it more difficult for someone to reconstruct the contents of the VMDK file. The
CLI command 'vmkfstools --writezeroes' can be used to write zeros over the entire
contents of a VMDK file prior to its deletion.
Create A Non-Root Local Admin Account
ESXi 5.1 allows the creation of individual local user accounts. Being able to create
individual local user accounts on ESXi hosts eliminates the need to share or use the
root account and password. This approach helps mitigate one of the most
common security risks, and it facilitates better auditing and traceability
of the ESXi hosts.
Configure Host Profile
Monitoring Changes To The Configuration
Monitoring for configuration drift and unauthorized changes is critical to ensuring the
security of ESXi hosts. Host profiles provide an automated method for monitoring
host configurations against an established template and for providing notification in
the event that deviations are detected.

vSwitch Security
Reject Promiscuous Mode
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC
address. In promiscuous mode, it can listen to all the packets. By default, guest
adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port
group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A0108820D7250350.html

Reject MAC Address Changes


If the virtual machine operating system changes the MAC address, it can send
frames with an impersonated source MAC address at any time. This allows it to stage
malicious attacks on the devices in a network by impersonating a network adaptor
authorized by the receiving network.
The Reject MAC Address Changes setting will prevent VMs from changing their effective
MAC address. It will affect applications that require this functionality. An example of
such an application is Microsoft Clustering, which requires systems to effectively
share a MAC address. It will also affect how a layer-2 bridge operates, and
applications that require a specific MAC address for licensing. An
exception should be made for the port groups that these applications are connected
to.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-819666F2B4BF1ACB.html


Reject Forged Transmits


By default the forged transmits setting is set to Accept. This means that the
virtual switch does not compare the source and effective MAC addresses. To
protect against MAC address impersonation, all virtual switches should have forged
transmits set to Reject.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A626273798A2F80.html


Fig.4 vSwitch Security
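The three vSwitch settings above are easy to audit from captured `esxcli network vswitch standard policy security get` and `... portgroup policy security get` output; the added script below (not from the guide or VMware) resolves each port group's effective policy, since a port group only overrides the vSwitch value when its override flag is set, and honours an exception list for port groups such as Microsoft Clustering that legitimately need MAC changes or forged transmits. The outputs and the exception list are constructed assumptions; promiscuous mode is never exempted.

```python
"""
Added example (not from the guide or VMware): audit the three vSwitch security
settings described above, as captured from the text output of

    esxcli network vswitch standard policy security get -v vSwitch0
    esxcli network vswitch standard portgroup policy security get -p <name>

The outputs below are constructed samples; the exception list is an assumed
lab policy that limits MAC-change/forged-transmit exceptions to the port groups
that need them (e.g. Microsoft Clustering) and never exempts promiscuous mode.
"""
from __future__ import annotations

SETTINGS = ("Allow Promiscuous", "Allow MAC Address Change", "Allow Forged Transmits")

# vSwitch-level policy (constructed; MAC changes and forged transmits left on Accept).
VSWITCH_POLICY = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""

# Port-group policies (constructed). A port group only overrides the vSwitch
# value for a setting when the matching "Override Vswitch ..." flag is true.
PORTGROUP_POLICIES = {
    "VM Network": """\
   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: false
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: true
""",
    "MSCS-Heartbeat": """\
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: true
   Override Vswitch Allow Forged Transmits: true
""",
}

# Assumed exception list: settings a named port group may leave on Accept.
EXCEPTIONS = {"MSCS-Heartbeat": {"Allow MAC Address Change", "Allow Forged Transmits"}}


def parse_policy(output: str) -> dict[str, bool]:
    """Turn 'Key: true/false' lines into a dict of booleans."""
    policy = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            policy[key.strip()] = value.strip().lower() == "true"
    return policy


def effective_policy(vswitch: dict[str, bool], portgroup: dict[str, bool]) -> dict[str, bool]:
    """What a port group actually enforces: its own value if overridden, else the vSwitch value."""
    return {s: portgroup[s] if portgroup.get(f"Override Vswitch {s}") else vswitch[s]
            for s in SETTINGS}


def audit_vswitch(vswitch_output: str, portgroup_outputs: dict[str, str],
                  exceptions: dict[str, set[str]]) -> list[str]:
    """One finding per setting that is Accept (true) where policy requires Reject."""
    vswitch = parse_policy(vswitch_output)
    findings = [f"vSwitch: {s} is Accept; set to Reject" for s in SETTINGS if vswitch[s]]
    for name, output in portgroup_outputs.items():
        effective = effective_policy(vswitch, parse_policy(output))
        for s in SETTINGS:
            if effective[s] and s not in exceptions.get(name, set()):
                findings.append(f"port group {name}: {s} is Accept; set to Reject")
    return findings


if __name__ == "__main__":
    for finding in audit_vswitch(VSWITCH_POLICY, PORTGROUP_POLICIES, EXCEPTIONS):
        print(finding)
```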


Network Security
Firewall internal
To safeguard the virtual machines' resources, the system administrator lowers the
risk of DoS and DDoS attacks by configuring a resource reservation and a limit for
each virtual machine. The system administrator further protects the ESXi host and
virtual machines by installing software firewalls at the front and back ends of the
DMZ, ensuring that the host is behind a physical firewall, and configuring the
networked storage resources so that each has its own virtual switch.
DMZ setup:
http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-A309590A-FFFC-45FF-95AD43242F58D6B4.html


Allowed ports for management


This is the list of predetermined TCP and UDP ports used by vCenter, ESXi hosts and
other network components. Some ports are open by default at installation time, as
indicated in this table with "(Default)". Depending on our requirements and security
reasons we can configure the firewall to allow or reject access to those TCP and UDP
ports.

| Port | Purpose | Traffic Type |
| --- | --- | --- |
| 22 | SSH Server | Incoming TCP |
| 53 (Default) | DNS Client | Incoming and outgoing UDP |
| 68 (Default) | DHCP Client | Incoming and outgoing UDP |
| 161 (Default) | SNMP Server | Incoming UDP |
| 80 (Default) | HTTP access. The default non-secure TCP Web port, typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443). WS-Management. vSphere Fault Tolerance (FT) (outgoing TCP, UDP). | Incoming TCP; outgoing TCP, UDP |
| 111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP |
| 123 | NTP Client | Outgoing UDP |
| 135 (Default) | Used to join vCenter Virtual Appliance to an Active Directory domain | Incoming and outgoing TCP |
| 427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming and outgoing UDP |
| 443 (Default) | HTTPS access. vCenter Server access to ESXi hosts. Default SSL Web port. vSphere Client access to vCenter Server. vSphere Client access to ESXi hosts. WS-Management. vSphere Client access to vSphere Update Manager. Third-party network management client connections to vCenter Server. Third-party network management clients access to hosts. | Incoming TCP |
| 513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP |
| 902 (Default) | Host access to other hosts for migration and provisioning. Authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd). vSphere Client access to virtual machine consoles. (UDP) Status update (heartbeat) connection from ESXi to vCenter Server. | Incoming and outgoing TCP, outgoing UDP |
| 903 | Remote console traffic generated by user access to virtual machines on a specific host. vSphere Client access to virtual machine consoles. MKS transactions (xinetd/vmware-authd-mks). | Incoming TCP |
| 1234, 1235 (Default) | vSphere Replication | Outgoing TCP |
| 2049 | Transactions from NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP |
| 3260 | Transactions to iSCSI storage devices | Outgoing TCP |
| 5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP |
| 5988 (Default) | CIM transactions over HTTP | Incoming TCP |
| 5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP |
| 8000 (Default) | Requests from vMotion | Incoming and outgoing TCP |
| 8009 | AJP connector port for vCenter Virtual Appliance communication with Tomcat | Outgoing TCP |
| 8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP |
| 8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP, incoming and outgoing UDP |
| 9009 | Used to allow a vCenter Virtual Appliance to communicate with the vSphere Web Client | Incoming and outgoing TCP |

Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-ECEA77F5-D38E-4339-9B06FF9B78E94B68.html

Firewall external
More:
http://www.vmware.com/go/compliance
http://www.vmware.com/go/security/
Information about VMsafe technology for protection of virtual machines, including a
list of partner solutions:
http://www.vmware.com/go/vmsafe/

SECURITY MANAGEMENT
vCloud Networking and Security (vCNS)
vCNS provides basic networking and security functionality for virtualized compute
environments, built using the VMware vCloud Suite. It provides a broad range of
services delivered through virtual appliances, such as a virtual firewall, virtual
private network (VPN), load balancing, NAT, DHCP, and VXLAN-extended networks.
Components of vCNS:
1. vShield Manager
2. vShield App
3. vShield Edge
4. vShield Endpoint
5. vShield Data Security
vShield Manager
vShield Manager is the central point of control for all vShield solutions and
integrates seamlessly with VMware vCenter to offer role-based access control and
administrative delegation in a unified framework for managing virtualization
security.

Fig.5 vShield Manager Web Interface


Fig.6 vShield integrated with VMware vCenter

vShield Manager Installation


Procedure
1. Log in to the vSphere Client and deploy the vShield Manager from the OVA file.
2. Once the installation has completed, the vShield Manager is installed as a
virtual machine in our vSphere inventory.
3. Power on the vShield Manager virtual machine.
4. Log in to the vShield Manager virtual console and set the IP address.
5. Log in to the Web GUI for further configuration (vCenter, SSO/Lookup Server, DNS,
NTP settings).
6. Log in to the vSphere Client and select the ESX host where the vShield Manager
resides. Verify that vShield appears as a tab. You can then install and configure
vShield components from this vSphere Client.
vShield App
A hypervisor-based firewall that protects applications in the virtual data center from
network-based attacks. vShield App provides a stateful inspection firewall
that is applied at the virtual network interface card (vNIC) level directly in front of
specific workloads.
vShield App needs to be installed on each ESXi host where the VMs that need
to be protected by it reside. For example, install vShield App on each
ESXi host in a cluster so that VMware vMotion operations work and virtual
machines remain protected as they migrate between ESX hosts. By default, a
vShield App virtual appliance cannot be moved by using vMotion.
The System Status option lets us view the health of a vShield App. Details include
system statistics, status of interfaces, software version, and environmental
variables.

Fig.7 vShield App Status


There are two main components provided by vShield App: Flow Monitoring and App
Firewall.


Flow Monitoring
The Flow Monitoring is a traffic analysis tool that provides a detailed view of the
traffic on our virtual network that passed through a vShield App. The Flow
Monitoring output defines which machines are exchanging data and over which
application. This data includes the number of sessions, packets, and bytes
transmitted per session. Session details include sources, destinations, direction of
sessions, applications, and ports being used. Session details can be used to create
firewall allow or block rules.

Fig.8 vShield App Flow Monitoring

App Firewall
The App Firewall service is a centralized firewall for ESX hosts. App Firewall enables
us to create rules that allow or block access to and from our virtual machines. Each
installed vShield App enforces the App Firewall rules. Example of the basic rule that
allows everything is shown in the following figure:


Fig.9 vShield App Firewall

vShield App Fail-Safe Setting


By default, traffic is blocked when the vShield App appliance fails or is unavailable.
We can change the fail-safe mode to allow traffic to pass. Refer to figure below.

vShield App Exclusion List


We can exclude a set of virtual machines from vShield App protection. This
exclusion list is applied across all vShield App installations within the specified
vShield Manager.
The vShield Manager and service virtual machines are automatically excluded from
vShield App protection. We should exclude the vCenter server and partner service
virtual machines as well to allow traffic to flow freely.


Fig.10 vShield app fail-safe and exclusion list

vShield App Installation


Notes:
If the vCenter Server or vCenter Server database virtual machines are on the ESX
host on which we are installing vShield App, we need to migrate them to another
host before installing vShield App.
During the installation process, this warning will be highlighted (Do not install on a
host or cluster where the VC or vShield Manager reside.) Refer to figure below.


Fig.11 vShield App Installation Process


Procedure:
1. Log in to the vSphere Client and select an ESX host from the inventory tree.
2. Click the vShield tab and then click Install for the vShield App service.
3. Under vShield App, provide the following information: Datastore, Management
Port Group, IP Address, Netmask, and Default Gateway.
4. Click Install.

Example Of vShield App Firewall Blocking Rule


For example, if we want to block a VM from using the SSH service, we set a firewall
rule to block the SSH traffic from that VM.

Fig.12 Set the firewall blocking rule

Test this by trying to open an SSH session from the VM: the attempt fails with an error.

Fig.13 SSH service is blocked

vShield App Flow Monitoring detects the blocked SSH flow.

Fig.14 Flow monitoring detects blocked traffic

Fig.15 Flow monitoring provides the details about the blocked traffic
vShield Edge
Provides network edge security and gateway services to isolate a virtualized
network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V
port group. The vShield Edge provides the stateful inspection firewall that is applied
at the perimeter of the virtual data center.

vShield Edge Installation


1. Log in to the vSphere Client and select the Network Virtualization tab on the data
center resource from the inventory tree.
2. Click Edges and then click Add to add the vShield Edge.
3. Type a name for the vShield Edge VM.
4. Set the CLI user name and password. You can also enable SSH access if required.
5. Add the Edge Appliance.
6. Add Interfaces (Internal and Uplink Interfaces). Configure Subnets.
7. Configure the Default Gateway.
8. Configure the Default Firewall Policy.
9. Install the vShield Edge.

vShield Edge Gateway And Isolated Network Configuration

Once the vShield Edge has been installed, you can check the status of this vShield
Edge.

Fig.16 vShield Edge status

To create the gateway service for the isolated network you need to configure the
uplink and internal interfaces of the vShield Edge.

vShield Edge will act as the gateway between private and public networks.

Fig.17 vShield Edge connectivity diagram

Fig.18 vShield Edge interfaces: uplink and internal

You also need to configure SNAT (Source Network Address Translation) to give
the isolated VMs (VMs residing on the isolated network) access to the external
network (internet). This SNAT rule is configured to translate a private internal
(isolated) IP address into a public IP address for outbound traffic.
The translated (public) IP address must have been added to the vShield Edge
interface on which you want to add the rule.

Fig.19 vShield Edge: source NAT configuration

To control the security of the outbound traffic you can configure the vShield Edge
Firewall Service.

Fig.20 vShield Edge: firewall rule

vShield Edge has traffic monitoring tools that provide interface throughput
statistics.

Fig.21 vShield Edge: interface throughput statistics

vShield Endpoint
Off-loads antivirus and antimalware agent processing to a dedicated secure virtual
appliance delivered by VMware partners.
vShield Endpoint is installed as a hypervisor module together with a security virtual
appliance from a third-party antivirus vendor (a VMware partner) on an ESX host. Because
vShield Endpoint operates at the hypervisor level, it can scan guest virtual machines
without the need for agents in every virtual machine.

vShield Endpoint Installation


Select the vShield tab at the ESXi host level in the vCenter inventory tree, and click
Install.

Fig.22 vShield Endpoint installation

Testing Requirements:
1. After you have installed vShield Endpoint on the ESXi host, you need to deploy
and configure a security virtual machine (SVM) on each ESX host according to the
instructions from the anti-virus solution provider.
2. Install the latest version of VMware Tools released for the version of ESX on
all virtual machines to be protected. VMware Tools include the vShield Thin Agent
that must be installed on each guest virtual machine to be protected. To include this
vShield component with the VMware Tools, you need to select Interactive Tools
Installation or Interactive Tools Upgrade. In the Setup Type wizard, select
the Custom option and from the VMware Device Drivers list, select VMCI Driver,
then select vShield Driver.

Fig.23 vShield Endpoint on ESXi host

3. Use the Security Virtual Appliance's management user interface to manage the
SVM/SVA, e.g., download the latest anti-virus signatures, set the scanning schedule,
set the policy for handling viruses, and initiate the scanning process.

Fig.24 vShield Endpoint and 3rd-party security virtual appliance: flow control

Fig.25 vShield Endpoint status and events log


vShield Data Security
Provides visibility into sensitive data stored within your organization's virtualized
and cloud environments.

vShield Data Security Installation


1. You need to install vShield Endpoint on the ESXi host before you can install
vShield Data Security.
2. Log in to vSphere Client and select the ESXi host from the Inventory Tree.
3. Select vShield Tab and click Install next to the vShield Data Security Option.
4. Specify Data Store, Management Port Group, and set the IP address, Netmask and
Default Gateway for the vShield Data Security Appliance.
5. Click Install.

vShield Data Security Policy

To begin using vShield Data Security, you need to create a policy that defines the
regulations that apply to data security in your organization and specifies the areas
of your environment and the files to be scanned. A regulation is composed of content
blades, which identify the sensitive content to be detected. vShield supports PCI,
PHI, and PII-related regulations only.

Fig.26 vShield data security with HIPAA regulation setting (based on PHI/PII
category)

vShield Data Security provides a report (e.g. number of violations and details).

Fig.27 vShield data security report

Testing shows that vCNS vShield Data Security detects HIPAA regulation violations.

Fig.28 vCNS vShield data security scan completed report

Fig.29 vCNS vShield Data Security report detail

From the Scan History you can see that vShield Data Security is also able to
detect new data.

Fig.30 vCNS vShield Data Security scan history

Testing Requirements
1. Set the policy regulations and standards to detect:
- HIPAA (Health Insurance Portability and Accountability Act)
- HIPAA (Health Insurance Portability and Accountability Act) Low Threshold
- PCI-DSS (Payment Card Industry Data Security Standard)
2. Define the Security Group that you want to include in the scan (or use the default
if you want to scan the entire vCenter inventory).

Fig.31 Define the security group for the scan's participating areas

3. Define the files to scan, for example based on the modified date/time.

Fig.32 Define files to scan

4. Create and store test data with privacy information on the test system.
Example of data for HIPAA test
============

Medical Record Number: PHI-123-900
Account Number: SUP-456-876
SSN: 098765
Date of Birth: 01/01/1980
E-mail Address: super@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Super Duper Yummy
Patient ID: A-345-678
Physician Name: Dr. Very GOOD
Health: Injured
Virus: Influenza
Blood: A+
U.S Address:
10240 Sorrento Valley Rd
San Diego, California
92121

Medical Record Number: PHI-123-901
Account Number: SUP-456-877
SSN: 098766
Date of Birth: 01/01/1981
E-mail Address: peter@yummy.com
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Peter Pan
Patient ID: A-345-679
Physician Name: Dr. Very GOOD
Health: Accident
Virus: Chicken Pox
Blood: B+

Medical Record Number: PHI-123-902
Account Number: SUP-456-878
SSN: 098767
Date of Birth: 01/01/1982
E-mail Address: mickey@yummy.com
Date of Admission: 01/12/2004
Date of Discharge: 01/08/2005
Test Result: Negative
Patient Name: Mickye Mouse
Patient ID: A-345-680
Physician Name: Dr. Very GOOD
Health: Negative
Virus: Super Virus
Blood: O

=============

Example for PCI test
===============
Credit Card Number
Patients

1.
Name: SuperDuper
Account: 65758
Master Card
Credit Card Number: 5111-1111-1111-1118
Expiration Date:
Expire: 07/07/2015

2.
Name: Looney Tunes
Account: 768690
American Express
Credit Card Number: 3111-1111-1111-1117
Expiration Date:
Expire: 07/08/2015

3.
Name: Scooby Doo
Account: 998690
VISA
Credit Card Number: 4111-1111-1111-1111
Expiration Date:
Expire: 07/08/2015

================
5. Initiate the scan.
Click the Start button to run the scan. The vShield Data Security virtual appliance
communicates with the objects in the defined Security Group through vShield Endpoint
and the vShield driver in VMware Tools.

Fig.33 vShield Data Security flow control

6. Once the scan is done it stops by itself and you can view the report.
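As an added example (not part of the build guide and not vShield Data Security's own
classifier), the following Python shows the kind of content checks a PCI/PHI scan applies
to the test files above: it finds candidate card numbers, validates them with the Luhn
check, infers the brand from the prefix and length, and looks for correctly formatted
nine-digit SSNs. The sample text is the guide's own PCI test data; the nine-digit SSN and
the Amex number in the usage section are constructed. It goes slightly beyond the guide in
that it also recognises Visa 13/19-digit and Mastercard 2221-2720 prefixes.

```python
"""Minimal DLP content classifier: card numbers (with Luhn + brand) and SSNs."""
import re

# Constructed sample: the three PCI test records from the build guide.
SAMPLE_PCI = """
Name: SuperDuper
Account: 65758
Master Card
Credit Card Number: 5111-1111-1111-1118
Expiration Date: 07/07/2015

Name: Looney Tunes
Account: 768690
American Express
Credit Card Number: 3111-1111-1111-1117
Expiration Date: 07/08/2015

Name: Scooby Doo
Account: 998690
VISA
Credit Card Number: 4111-1111-1111-1111
Expiration Date: 07/08/2015
"""

# 13 to 19 digits, each digit optionally followed by a space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Brand from issuer prefix and length; None when no known brand matches."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    return None


def scan(text: str) -> list:
    """Return findings in order of appearance; each is a dict describing one match."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append({"type": "card", "value": m.group(0), "digits": digits,
                         "luhn": luhn_valid(digits), "brand": card_brand(digits),
                         "start": m.start()})
    for m in SSN_RE.finditer(text):
        findings.append({"type": "ssn", "value": m.group(0), "start": m.start()})
    return sorted(findings, key=lambda f: f["start"])


if __name__ == "__main__":
    # Constructed extra lines: a correctly formatted SSN and a 15-digit Amex test number.
    for finding in scan(SAMPLE_PCI + "\nSSN: 123-45-6789\nAmex 3782 822463 10005\n"):
        print(finding)
```

Run against the guide's data the scanner reports the Mastercard and Visa numbers as
Luhn-valid with a brand, and the "American Express" record as a 16-digit candidate that
fails Luhn with no brand; the six-digit "SSN: 098765" lines in the HIPAA data produce no
SSN finding at all.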

BMC Server Automation


BMC Server Automation is part of the BMC BladeLogic Automation Suite. In terms of
compliance, BMC Server Automation helps IT organizations achieve and maintain
compliance by defining and applying configuration policies. When a server or
application configuration deviates from policy, the necessary remediation
instructions can be configured to be either automatically or manually deployed on
the server.
BSA Architecture

A BMC Server Automation system has a three-tier architecture that consists of
client, server, and middle tiers.

Client Tier
The Client Tier is the interface through which the user accesses the BMC Server
Automation application. This includes:
- The BMC Server Automation console, a graphical user interface (GUI)
- A command line interface (BLCLI) that provides application programming interface
(API)-level access to the functionality available through the console
- Network Shell for ad hoc administration of one or more servers. Network Shell is a
network-scripting language that enables cross-platform access through a command
line interface.
- A web interface to the BMC BladeLogic Decision Support for Server Automation
server

Server Tier
This is a tier for servers managed by BMC Server Automation. In order for these
servers to be managed by BMC Server Automation, the RSCD agent needs to be
deployed on remote servers. The BMC Server Automation Application Server
communicates with RSCD agents and initiates all communication to perform ad hoc
and scheduled tasks.

Middle Tier
In this tier, the primary component is the Application Server, which controls
communication between the BMC Server Automation console (Client Tier) and
remote servers (Server Tier). It also controls interaction with the database and file
servers.

Fig.34 BMC server automation three-tier architecture


Installation

BSA Database Server


1. For the BSA database server, install MS SQL Server 2008 R2.
2. Create a database for BSA, create a user login for BSA, and configure user
mapping to give the db_owner database role to the BSA user.
3. Run the BSA external script to load the database schema.

BSA File Server Agent


1. Run the RSCD (Remote System Call Daemon) agent installer.
2. You can edit the agent security exports file with the entry "* rw,user=Administrator".
This maps all inbound connections, from any host ("*"), to the Administrator user.
That is convenient in a lab; on a production file server restrict the host field to
the Application Server and map connections to a less privileged account.

BSA Application Server


1. Run the BSA Application Server installer.
2. Set the password.
3. Configure the BSA Application Server: set the database connection (database
type, database server, database name, user ID, password).
4. Define the BSA File Server and the file server storage location.
5. Set passwords for the RBACAdmin and BLAdmin users.

BSA GUI Console


1. Run the BSA Console installer.
2. Install it together with the Network Shell client utility.
3. Run the BSA Console and create the default profile, defining the Application
Server and the authentication method (e.g. Secure Remote Password).
4. Log in to the Console with that profile and the user password (BLAdmin user).
5. Run blcontent from the Network Shell console to load the initial BSA samples
and configurations.

BSA Compliance Module


1. Run the Compliance Content installer.
2. With the Custom Setup, you can select which Compliance Content Templates you
want to install (e.g., HIPAA, PCI, SOX).

Fig.35 BMC Server Automation compliance templates (HIPAA)

Testing Requirement
For testing, all mid-tier components were installed and configured on one host, and
the BSA console was installed on the same host.
The following components were installed on a Windows 2008 R2 VM:
- BSA Database Server
- BSA File Server Agent
- BSA Application Server
- BSA Console
- BSA Compliance Module
Also, configure another server to be managed by BSA by installing the RSCD Agent on
that server.

Setting Discovery Job


1. Create a template under the HIPAA folder to discover servers with Windows 2008 or
2008 R2 operating systems.
2. Define the rule for discovery.

Fig.36 Rule definition for discovery

3. Run the Discovery Job based on that template. Once it is done, check the
discovery result.

Fig.37 BSA discover result

Setting Policy-Based Compliance Audit


For this testing, the HIPAA template was used for the policy-based compliance audit.
1. Select the Compliance Template that you want to run (e.g. HIPAA) and create the
Compliance Job.

Fig.38 BSA compliance job


2. Run the job and check the result.

Fig.39 BSA compliance result


3. You can export the result as a report (e.g. html format).

Fig.40 Compliance report exported into HTML format

BMC BladeLogic Decision Support For Server Automation


BMC BladeLogic Decision Support for Server Automation (BBDSSA) is a web-based
application that uses IBM Cognos Business Intelligence and a central reports data
warehouse (the database that stores the data used in reports).
BBDSSA provides the ETL (Extract, Transform, and Load) tool that transfers and
transforms data from the BSA databases and populates the reports data warehouse.
The reporting web application reads data from the reports data warehouse, and an
Apache web server delivers reporting information to web browsers.
Installation
1. Install a Remote System Call Daemon (RSCD) agent (installed and licensed).
2. Install BMC Server Automation Network Shell version 8.1 or later.


3. Install the database (e.g. Microsoft SQL Server) and the MS SQL client software.
4. Create the following databases:
- BSARA_DW_DB
- BSARA_ETL_MASTER_DB
- BSARA_ETL_WORK_DB
- BSARA_PORTAL_DB
5. Create SQL Server users and configure each as database owner of its
corresponding database:
- BSARA_DW
- BSARA_ETL_MASTER
- BSARA_ETL_WORK
- BSARA_PORTAL
6. Create the data warehouse schema on SQL Server.
7. Run the BBDSSA installer.
8. Configure BBDSSA after installation.
Testing Requirement
For testing, go through the following steps:
1. Create and run a Discovery Job (e.g. to discover Windows servers).
2. Create and run a Snapshot Job.
3. Run ETL.
4. Verify the report.

Fig.41 Example of BBDSSA report (server configuration report)

BMC BladeLogic Atrium Integration


The BMC BladeLogic Atrium Integration enables you to share data about the
endpoint computers in your BMC Server Automation system with the BMC Atrium
CMDB.
To transfer discovered data from the BMC Server Automation database to BMC
Atrium CMDB, the discovered data is first transferred from the BMC Server
Automation database to the BMC BladeLogic Decision Support for Server
Automation database by using the extract, transform, and load (ETL) tool.
The BladeLogic Atrium Integration uses the AIE (Atrium Integration Engine) to do the
following:
- Define data exchange and data mapping parameters
- Pull data from the BMC BladeLogic Decision Support for Server Automation database
- Insert the data into the BMC Atrium CMDB with the BMC BladeLogic Import Dataset

BSA Atrium Integration Diagram

Fig.42 BSA Atrium Integration

Installation
Prior to the BladeLogic Atrium Integration installation, you need to have the
following components:
- BMC Server Automation Application Server
- BMC Server Automation Console on the computer where BMC BladeLogic Atrium
Integration is to be installed
- BMC BladeLogic Decision Support for Server Automation
- BMC Remedy AR System
- BMC Atrium CMDB
- BMC Atrium Integration Engine

1. Run ETL first, before installing the BladeLogic Atrium Integration.
2. Run the installer.
3. After installation, run the procedure to add domain names to the
servers in BSA.
4. Create indexes on the BMC_BaseElement form.
5. Activate the data exchanges in the BMC Atrium Integration Engine Data Exchange
Console.
6. Enable the BMC BladeLogic Atrium Integration.

Testing Requirement
1. Run BSA Discovery and Snapshot Job
2. Run ETL
3. Verify that the Data has been transferred to Atrium CMDB.

Fig.43 Data transferred from BSA


Customizing Data Mapping Between BSA And CMDB
If needed, you can customize the data mappings on BMC Server Automation to
control what is transferred. To configure this data mapping, select the Atrium
Integration menu in the BSA console and choose the BL to Atrium Customization option.

Transferring Business Service Data From Atrium CMDB To BSA
Transferring data from BMC Atrium CMDB to the BMC Server Automation database
pulls business service information from BMC Atrium CMDB and associates it with the
corresponding servers in BMC Server Automation as a custom property.
Configuration And Testing
1. Configure Atrium Integration connectivity to the CMDB / AR system.
2. Configure Atrium Import Job (e.g., the production dataset that will be used for the
import job and the business service class name).
Fig.44 Atrium Import Job Configuration (CMDB data set name, business service class
name)

Fig.45 Atrium Import Job Configuration (CI relationship, BladeLogic custom property)

3. Test by creating the Business Service in the CMDB and setting the relationship between
the server and the Business Service.

Fig.46 Business Service in CMDB


4. Run the Atrium Import Job.
5. Verify that the Business Service field of the server in BSA is populated with the
info from CMDB.

Fig.47 Business Service property for the server

6. You can then create a Server Smart Group based on this Business Service
classification.

Fig.48 BSA Server Smart Group based on Business Service

Denial Of Service
By default, ESXi imposes a form of resource reservation by applying a distribution
algorithm that divides the available host resources equally among the virtual
machines, while keeping a certain percentage of resources for use by other system
components. This default behavior provides a degree of natural protection from DoS
and distributed denial-of-service (DDoS) attacks: one runaway or attacked VM cannot
starve the others of CPU and memory. You can set specific resource reservations and
limits on an individual basis to customize the default behavior so that the distribution
is not equal across the virtual machines, for example to guarantee a minimum for the
in-scope workloads.

DATA PROTECTION - ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security

Logging And Auditing

EXPLOIT AND MALWARE PROTECTION


Virus Scanning
vCNS vShield Endpoint And VMware Partners' AntiVirus And AntiMalware Software

Configuration And Patch Management

Integrated Solution
Converged Infrastructure needs to be managed as a whole system and not only by
individual components.
An example of an integrated solution for managing vBlock Converged Infrastructure:
1. SupernaNet.Connect
2. VCE Vision software
3. VMware vCenter
4. BMC CMDB
SupernaNet.Connect
SupernaNet.Connect CMDB connector for BMC leverages VCE Vision software and
VMware vCenter to provide a single integration point for automating CMDB CI
discovery along with logical to physical topology with fully automated CI
relationships created in the CMDB.

Fig.49 SupernaNet.Connect dashboard


The connector discovers Vblock Systems components, relationships, physical
topology, and creates the CI objects to represent the Vblock Systems in the CMDB.
In addition to physical CI discovery and synchronization, the Connector retrieves
virtual machine, ESX host and data store objects from vCenter and maps the logical
resources to the physical by creating CI objects and relationships dynamically.
VCE Vision Software
VCE Vision software enables and simplifies converged operations. The software acts
as a mediation layer between the Vblock Systems and data center management
tools, dynamically informing those tools about Vblock Systems.

Fig.50 VCE Vision Software discovers Vblock Systems converged infrastructure details

VMware vCenter
VMware vCenter Server provides a centralized platform for managing your
VMware vSphere environments.

Fig.51 vSphere web client accessing vCenter

BMC CMDB
BMC Atrium CMDB is a configuration management database system to manage data
from across IT and create a more efficient IT infrastructure.

Fig.52 BMC Atrium Core Console: list of CIs in the CMDB data set

Fig.53 BMC Atrium Explorer shows relationships between CIs

Fig.54 BMC ITSM asset management

Manual Tagging For Compliant CIs


vCenter Inventory Tagging
vSphere 5.1 and 5.5 introduced tags, a feature that further enhances search. Tags are
custom labels and/or metadata that you create and apply to any object in the vCenter
inventory. They are fully searchable, so you can run granular searches on the attached
labels and metadata and reduce the time needed to retrieve information. You can also
use tagging to mark objects that are part of a compliant configuration. For example, in
the following figure we set the HIPAA tag on a VM that is part of the HIPAA-compliant
setup.

Fig.55 vCenter Inventory Tagging


With vCenter inventory tagging, you can quickly search for any vCenter objects
that carry a specific tag (e.g. the HIPAA tag).

Fig.56 vCenter Search Object based on tagging

BMC CMDB Tagging


In BMC CMDB you can set additional tags on configuration items so that these
CIs can be searched by tag. For example, you can use the CITag
attribute of the CI to specify that it is compliant with HIPAA.

Fig.57 BMC CMDB tagging

Automatic Tagging For Compliant CIs


SupernaNet.Connect Mapping File
You can set the BMCMapping.xml file on SupernaNet.Connect to map the compliance
information to a BMC CMDB attribute. For example, you set BMCMapping.xml to map
HIPAA to the CITag CMDB attribute.
In BMCMapping.xml, you add the following configuration:
<TargetAttribute name="CITag" value="HIPAA" type="String"/>

After you have updated BMCMapping.xml, you also need to generate the new version
info and update BMCConfig.xml with the newly generated version info.
For example:

<VersionInfo invalidversionssupported="false">
<SupportedVersion name="NCrmZNFMNCHPtW2VDLD7Yg=="/>
<SupportedVersion name="KMplTPQWNCHPtW2VDLD7Yg=="/>
</VersionInfo>

Then, you run the SupernaNet.Connect synchronization to sync the update to the
CMDB.
Now your CMDB is populated with the CITag info.

Fig.58 CMDB with CITag info

Fig.59 CI Property with CITag info

Monitoring

To meet the requirement to monitor in-scope devices and to find alarms and events
related to potential noncompliance, security or authorization issues on Vblock
Systems, the CA Nimsoft Monitor product combined with the SupernaNET.Converge
Probe for Nimsoft with compliance enhancements lets you select in-scope objects
for monitoring and highlights, in the probe's UMP Dashboard, any VM or Vblock
Systems component that has raised an alarm.

The screen shot below shows how the probe simplifies the monitoring function for
compliance.

IDENTITY AND ACCESS MANAGEMENT


The authentication system divides the application OS and the infrastructure into two
separate, unrelated user domains for AAA. This ensures that a compromise of the
infrastructure management domain does not translate into a compromise of the
application management domain.

LoginTC two-factor authentication will be used to secure the following login access:
1. Infrastructure Domain
   a. vCenter SSO OpenLDAP
      i. Add a vCenter Single Sign-On Identity Source
      ii. Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
      iii.
2. Application Domain

LoginTC For OpenVPN


The LoginTC Radius Connector enables OpenVPN to use LoginTC for two-factor
authentication.
Diagram of the basic infrastructure of the LoginTC RADIUS flow (ref: LoginTC web site):

Components for this solution:

LoginTC Cloud Domain


You need to create a RADIUS domain for the Radius Connector configuration. To
create this domain, log in to the LoginTC Cloud admin panel
(https://cloud.logintc.com/panel/login) as the administrator user; this login
requires the token from the LoginTC app.
Once you have logged in to the LoginTC Cloud admin web console panel, you can
create a domain for the Radius Connector.

Each LoginTC Cloud has a unique API key and each domain has a unique Domain ID.
You need this key and ID for the connector configuration. The API key is found on
the LoginTC Cloud Settings page; the Domain ID is found on the domain settings
page.

Fig.60 API Key

Fig.61 Domain ID

LoginTC Radius Connector


LoginTC Radius Connector is a virtual appliance that can be deployed on an ESXi host
(or VirtualBox). The appliance requires 1 GB RAM and 8 GB of disk space.
First, log in via the virtual console to configure the network settings. Then you
can log in via SSH for further configuration.
Connector Configuration
Create the configuration file /opt/logintc/conf/client.cfg. The [ldap] section is
the first factor (the bind account and search base used to look up the user), [logintc]
is the second factor, and [client] is the RADIUS client (OpenVPN) with the shared
secret it must present. Protect the file: it holds the API key and the LDAP bind
password in clear text.
[logintc]
api_key=ZPjeNQ6mzfqR6okzLb55zVu5dVn1stPDdLmyKQ1nKPrqQRlwoBcPtSyw23AumXFx
#domain_id=a7641569669c5322db4d64e2fb4e79ef2fbfe2b0
domain_id=06902ff4b82d99c75484ebae71e2236f54f0b494

[ldap]
host=sup-pcidc-01.pci.superna.net
bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
bind_password=GoSuperna!
base_dn=dc=pci,dc=superna,dc=net
attr_username=sAMAccountName
attr_name=displayName
attr_email=mail
filter=(objectClass=person)

[client]
name=OpenVpn
ip=172.16.84.20
secret=bigsecret
authentication=ldap,logintc

OpenVPN
Install the OpenVPN RADIUS plugin on the OpenVPN server.
Configure OpenVPN (server.conf file):
local 172.16.84.20
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
# 1024-bit DH parameters are weak by current standards; generate 2048-bit or larger
dh /etc/openvpn/dh1024.pem
# user authentication is delegated to RADIUS (the LoginTC connector); the PAM plugin stays disabled
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
# clients are identified by RADIUS username/password plus the second factor, not by a client certificate
client-cert-not-required
username-as-common-name
push "redirect-gateway def1"
server 10.0.10.0 255.255.255.0
push "dhcp-option DNS 172.16.84.12"
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 5
management localhost 7505
# no periodic TLS renegotiation, so users are not re-prompted for the second factor mid-session
reneg-sec 0

Configure the RADIUS plugin (radiusplugin.cnf). The keys and the commented-out second
server block follow the sample file shipped with the plugin; the shared secret must be
identical to the secret= value in the connector's client.cfg, otherwise every request is
rejected:

# The NAS identifier, which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type, which is sent to the RADIUS server
Service-Type=5

# The framed protocol, which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type, which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address, which is sent to the RADIUS server
NAS-IP-Address=172.16.84.20

# Path to the OpenVPN configuration file. The plugin searches for:
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/server.conf

# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN
# option "--server NETWORK NETMASK"
subnet=255.255.255.0

# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN
# option "--server NETWORK NETMASK"
# p2p=10.8.0.1

# Allows the plugin to overwrite the client configuration in client configuration file
# directory
# default is true
overwriteccfiles=true

# Allows the plugin to use authorization control files if OpenVPN (>= 2.1 rc8)
# provides them
# default is false
# useauthcontrolfile=false

# Only the accounting functionality is used. If no user name is forwarded to the
# plugin, the common name of the certificate is used as user name for radius accounting
# default is false
# accountingonly=false

# If the accounting is nonessential, nonfatal accounting can be set to true.
# If set to true, all errors during the accounting procedure are ignored, which can be:
# - radius accounting can fail
# - FramedRouted (if configured) may not be configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true, the performance is increased because OpenVPN does not block
# during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes
# Leave it out if you don't use an own script
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsa script.
# Leave it out if you don't use an own script
# vsanamedpipe=/tmp/vsapipe

# A radius server definition (there could be more than one).
# The priority of the server depends on the order in this file. The first one has the
# highest priority.
server
{
  # The UDP port for radius accounting.
  acctport=1813
  # The UDP port for radius authentication.
  authport=1812
  # The name or ip address of the radius server (here the LoginTC Radius Connector).
  name=172.16.84.17
  # How many times should the plugin send the request if there is no response?
  retry=1
  # How long should the plugin wait for a response? 60 s gives the user time to
  # approve the second factor before the plugin gives up.
  wait=60
  # The shared secret; must match secret= in the connector's client.cfg.
  sharedsecret=bigsecret
}

#server
#{
#  # The UDP port for radius accounting
#  acctport=1813
#  # The UDP port for radius authentication
#  authport=1812
#  # The name or ip address of the radius server
#  name=127.0.0.1
#  # How many times should the plugin send the request if there is no response?
#  retry=1
#  # How long should the plugin wait for a response?
#  wait=1
#  # the shared secret.
#  sharedsecret=testpw
#}

LDAP
Create an LDAP (Active Directory) user for the LoginTC Radius Connector and provide
this user's bind DN and password in the connector's client.cfg file. Set LDAP as
the first authentication factor and LoginTC as the second.
User
For this two-factor authentication with LDAP/Active Directory and LoginTC, create the
user in both Active Directory and the LoginTC RADIUS domain.

Data Protection - Backup/Restore/Replication

Configuration And Patch Management


This section will capture how to automate tasks related to building a repeatable
infrastructure as simply as possible to remove manual steps.

Auto Deploy Installation (VMware vSphere 5.1)

User name: administrator
Password: GoSuperna!
Install the SolarWinds TFTP Server (172.16.70.156).

Go to vSphere Client -> Auto Deploy -> Download TFTP Boot Zip.

Save the TFTP Boot Zip and extract it into the TFTP server folder (\\DMANNING-02\TFTP-Root).

Turn off the Windows firewall (a lab shortcut; in production open only UDP 69 for TFTP
instead).

Start the TFTP Server.

Add scope options on the DHCP Server (172.16.70.30) so that PXE-booting hosts find the
TFTP server and the iPXE boot file:

066 (Boot Server Host Name): 172.16.70.156
067 (Bootfile Name): undionly.kpxe.vmw-hardwired

Run PowerShell as administrator to change the execution policy so that PowerCLI scripts
can run.

vSphere PowerCLI should be installed.

Run PowerCLI on 172.16.70.156 and connect to the vCenter Server:
Connect-VIServer -Server 172.16.70.25

Download the ESXi 5.1 Offline Bundle .zip file from
https://my.vmware.com/web/vmware/details?downloadGroup=VCL-VSP510-ESXI-510-EN&productId=285
Temp storage container: (\\172.16.70.29) Z:\VCE\vmware\VMware-ESXi-5.1.0-799733-depot.zip

NEXT STEPS:
1. Add the ESXi 5.1 offline bundle as a software depot in PowerCLI:
   Add-EsxSoftwareDepot C:\vsphere5.1\ESXi\VMware-ESXi-5.1.0-799733-depot.zip
2. List the image profiles in the depot and use the standard profile (for this depot,
   ESXi-5.1.0-799733-standard):
   Get-EsxImageProfile
3. Create a deploy rule that assigns that image profile to all hosts:
   New-DeployRule -Name "FirstBoot" -Item "ESXi-5.1.0-799733-standard" -AllHosts
4. Activate the rule:
   Add-DeployRule -DeployRule "FirstBoot"

Or, to limit the rule to hosts matching a hardware pattern (here the nested ESXi hosts
used in the lab):
5. New-DeployRule -Name "FirstTimeBoot" -Item "ESXi-5.1.0-799733-standard" -Pattern "model=VMware Virtual Platform"
6. Add-DeployRule -DeployRule "FirstTimeBoot"
7. And so on.

Compliance - HIPAA
§ 164.306 Security standards: General rules
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected
health information that the covered entity creates, receives, maintains, or
transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to
reasonably and appropriately implement the standards and implementation
specifications as specified in this subpart.
(2) When deciding which security measures to use, a covered entity must take into
account the following factors:
(i) The size, complexity, and capabilities of the covered entity
(ii) The covered entity's technical infrastructure, hardware, and software security
capabilities
(iii) The costs of security measures
(iv) The probability and criticality of potential risks to electronic protected health
information

(c) Standards. A covered entity must comply with the standards as provided in this
section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with
respect to all electronic protected health information.
(d) Implementation specifications
In this subpart:
(1) Implementation specifications are required or addressable. If an implementation
specification is required, the word "Required" appears in parentheses after the title
of the implementation specification. If an implementation specification is
addressable, the word "Addressable" appears in parentheses after the title of the
implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or
§ 164.316 includes required implementation specifications, a covered entity must
implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or
§ 164.316 includes addressable implementation specifications, a covered entity must:
(i) Assess whether each implementation specification is a reasonable and
appropriate safeguard in its environment, when analyzed with reference to the
likely contribution to protecting the entity's electronic protected health information
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and
appropriate:
(1) Document why it would not be reasonable and appropriate to implement the
implementation specification
(2) Implement an equivalent alternative measure if reasonable and appropriate
(e) Maintenance. Security measures implemented to comply with standards and
implementation specifications adopted under § 164.105 and this subpart must be
reviewed and modified as needed to continue provision of reasonable and
appropriate protection of electronic protected health information as described at
§ 164.316.

§ 164.308 Administrative Safeguards

Security Management Process (§ 164.308(a)(1))
HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and
correct security violations.

Key Activities: Conduct Risk Assessment


Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the
covered entity.
Technical Implementations:
1. vCNS vShield Data Security
vShield Data Security provides visibility into sensitive data stored within our
organization's virtualized and cloud environments. Based on the violations reported
by vShield Data Security, we can ensure that sensitive data is adequately protected
and compliant with regulations around the world.

Fig.62 vShield Data Security discovers that files contain ePHI


2. BMC Server Automation Compliance Module
In BSA a component is a collection of configuration settings that encapsulates a
business or infrastructure service, application, or security policy.
Components simplify many data center management tasks because a
component provides a higher level of abstraction than the servers and server
objects that make up the component.
A component template defines a component: it establishes the rules and
provides the necessary information for the component, and the template is then
associated with a server. You can include compliance rules in the component template,
e.g. the HIPAA security policy. With this compliance template you can run a
compliance audit to assess the security risk of the component, for example whether
it fails to comply with the HIPAA security policy.

The following figure gives an example of how BSA detects noncompliance.

Fig.63 Noncompliance detected

Key Activities: Develop And Deploy The Information System Activity Review Process
(Implementation Specification (Required))
Description: Implement procedures to regularly review records of information
system activity, such as audit logs, access reports, and security incident tracking
reports.
Technical Implementations:
a. The BMC CMDB connector tracks in-scope devices and VMs, extracts VMware
vCenter and VCE Vision software logs for the in-scope devices and stores them in a
database at a regular interval.
b. ESXi Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining
information about breaches of host security.
Remote logging to a central log host provides a secure, centralized store for ESXi
logs. To facilitate this you can use vSphere Syslog Collector tool.
By gathering host log files onto a central host you can more easily monitor all hosts
with a single tool, and you can aggregate analysis and searching to look for such
things as coordinated attacks on multiple hosts. Logging to a secure, centralized log
server also helps prevent log tampering (an attacker who gains root on a host cannot
rewrite a copy that has already left it) and provides a long-term audit record.

Technical Implementations:
1. Install monitoring software for the in-scope IT devices that process or handle
compliance data or applications, using a monitoring tool that can show the alarms and
events from in-scope or flagged devices.
2. CA Nimsoft plus the Superna NET.Converge probe can selectively track VM, compute,
storage and network data within a portal and filter alarms and events in the UMP
Dashboard portal to only the devices selected as in scope for HIPAA compliance.

Key Activities: Develop Appropriate Standard Operating Procedures

Description: Determine the types of audit trail data and monitoring procedures that
will be needed to derive exception reports.
Technical Implementations:
1. Security logs from VCE Vision software and VMware vCenter; a CMDB attribute
tracks the last log sync.
2. Implement a syslog server to centralize the logs from the vCNS vShield App. For
example, it records when disallowed traffic is blocked by a vShield App
firewall rule. Refer to the following figure: 1006-DROP refers to vShield App
firewall rule ID 1006 blocking the traffic.

Fig.64 Syslog captured firewall-blocked traffic

With vShield App Flow Monitoring, you can get details and statistics about
blocked traffic.
Fig.65 vShield App Flow Monitoring: Blocked Flows status

Information Access Management ( 164.308(a)(4))


HIPAA Standard: Implement policies and procedures to authorize access to
electronic protected health information that are consistent with the applicable
requirements of subpart E of the Privacy Rule.

Key Activities: Implement Policies And Procedures To Authorize Access
Technical Implementation:
1. vCNS vShield Edge provides a stateful inspection firewall that is applied at the
perimeter of the virtual data center. With vShield Edge you can configure an
isolated/internal network for the application that needs to be protected and use the
vShield Edge Firewall service to control access to it.
2. vCNS vShield App Firewall provides access control to the data and services
within the vSphere virtual data center. Firewall rules can be set to protect EPHI
resources from unauthorized access. vShield App provides a firewall service that is
applied at the virtual network interface card (vNIC) level, directly in front of
specific workloads (VMs).

3. ESXi Host Internal Firewall. This is a firewall between the ESXi host's
management interface and the network. It gives ESXi its own access control:
configure the host firewall to restrict access to services running on the host.

Security Awareness And Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all
members of its workforce (including management).

Implementation Specification: Protection From Malicious Software

Technical Implementation:
1. vCNS vShield Endpoint together with a partner's secure virtual appliance
(antivirus).
vShield Endpoint offloads antivirus and antimalware agent processing to a
dedicated secure virtual appliance delivered by VMware partners.
vShield Endpoint plugs directly into vSphere and consists of three components:
- Hardened secure virtual appliances, delivered by VMware partners
- Thin agent for virtual machines to offload security events (included in VMware
Tools)
- VMware Endpoint ESX hypervisor module to enable communication between the
first two components at the hypervisor layer

Fig.66 vShield Endpoint status and events log


Because the secure virtual appliance, unlike a guest virtual machine, doesn't go
offline, it can continuously update antivirus signatures, giving uninterrupted
protection to the virtual machines on the host. Also, new virtual machines (or
existing virtual machines that went offline) are immediately protected with the most
current antivirus signatures when they come online.

§ 164.310 Physical Safeguards

Device And Media Controls (§ 164.310(d)(1))

HIPAA Standard: Implement policies and procedures governing the receipt and
removal of hardware and electronic media that contain electronic protected health
information into and out of a facility, and the movement of these items within the
facility.

Key Activities: Implement Methods For Final Disposal of EPHI

Implement policies and procedures to address the final disposition of EPHI and/or
the hardware or electronic media on which it is stored.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with
vShield Data Security. IT change management can update its data disposal
processes to include a review of the discovery reports, so that systems known to
store EPHI data are properly handled.

Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media

Implement procedures for the removal of EPHI from electronic media before the
media are made available for reuse.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with
vShield Data Security. IT change management can update its processes for
handling the reuse of electronic media to include a review of the discovery reports,
so that systems known to store EPHI data are properly handled.

§ 164.312 Technical Safeguards

Access Control (§ 164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic
information systems that maintain electronic protected health information to allow
access only to those persons or software programs that have been granted access
rights as specified in § 164.308(a)(4).

Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of
All Users
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery scans of EPHI data in the data center with vShield Data
Security to determine where access controls must be in place.
2. LoginTC Two-Factor Authentication protects access control for all users.
Access control can be enforced either locally or remotely. LoginTC provides an entry
point of access control to systems and business applications that contain EPHI data.
Users must be provisioned and authorized to obtain a LoginTC credential by their
LoginTC administrator.
Procedures must be in place in the organization's identity proofing process in order
for a LoginTC administrator to provision a LoginTC credential.
Applications/systems containing EPHI data can be enabled with a custom LoginTC
connector to offer two-factor authentication.

Key Activities: Identify Technical Access Control Capabilities

Technical Implementations:
1. LoginTC can protect any system that requires authentication, including VPNs, web
portals, and cloud applications; with the LoginTC REST API it can enable two-factor
authentication for virtually any system or application that hosts EPHI data.
LoginTC leverages user repositories installed in the client's infrastructure (MS Active
Directory, LDAP or SQL-based systems), synchronizing and updating users from their
authoritative source(s).

Fig.67 LoginTC conceptual overview

Key Activities: Ensure That All System Users Have Been Assigned A
Unique Identifier
Technical Implementations:
1. LoginTC assigns both a unique USERNAME and a unique numeric USERID. The
LoginTC administrator determines the user's USERNAME and, optionally, the user's
EMAIL, typically the same username and email stored in the LDAP or MS AD
repositories.
The unique numeric USER ID is randomly generated by the LoginTC system: it is 160
bits, or 40 hex characters, and uniquely identifies a LoginTC user.
LoginTC transaction logs capture every access to LoginTC-protected systems and
can trace specific users, identified by their USERNAME and/or USER ID.

Key Activities: Implement Access Control Procedures Using Selected Hardware and
Software
Description:
- Implement the policy and procedures using existing or additional
hardware/software solution(s).
Technical Implementations:
1. Two-factor authentication, e.g. OpenVPN integrated with Active Directory and
LoginTC Cloud. The user needs to provide a password (based on Active Directory) and
a PIN (based on the LoginTC token).
LoginTC Admin is a web-based control panel for LoginTC administrators that
provides:
- Credential lifecycle management
- Domain (system/application) lifecycle management
- Provisioning, reports, auditing
- REST API services
- Delivery: on-premise VM or cloud service

Designated LoginTC administrators are provided with a 2-day LoginTC Admin
training course that addresses LoginTC access control management, planning,
configuration, integration, and troubleshooting.

LoginTC provides extensive online documentation and know-how guidelines for
planning, integration, configuration, and deployment of all LoginTC required
components.

Fig.68 LoginTC admin panel: domain management

2. ESXi: Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring that the
host be managed remotely from vCenter Server. Lockdown limits ESXi host access to
the vCenter server. This ensures that the roles and access controls implemented in
vCenter are always enforced and users cannot bypass them by logging into a host
directly. By forcing all interaction to occur through vCenter Server, the risk of
someone inadvertently gaining elevated privileges or performing tasks that are not
properly audited is greatly reduced. Note: Lockdown mode does not apply to users
who log in using authorized keys. When an authorized key file is used for root user
authentication, root users are not prevented from accessing a host over SSH even
when the host is in lockdown mode. Note also that users listed in the DCUI.Access
list for each host are allowed to override lockdown mode and log in to the DCUI. By
default the "root" user is the only user listed in the DCUI.Access list.

3. ESXi: Set DCUI (Direct Console UI) Access

Set DCUI access to allow only trusted users to override lockdown mode.
Lockdown disables direct host access, requiring admins to manage hosts from
vCenter. However, if a host becomes isolated from vCenter, the admin is locked
out and unable to manage the host. To avoid potentially being locked out of an
ESXi host that is running in lockdown mode, set DCUI.Access to a list of highly
trusted users allowed to override lockdown mode and access the DCUI.

4. ESXi: Disable MOB (Managed Object Browser)

The managed object browser (MOB) provides a way to explore the object model used
by the VMkernel to manage the host; it enables configurations to be changed as well.
This interface is meant primarily for debugging the vSphere SDK, but because there
are no access controls it can also be used to obtain information about a host
targeted for unauthorized access.
You cannot disable MOB while the host is in lockdown mode, so disable MOB first
and then put the host in lockdown mode.
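
The three host settings above (lockdown mode, DCUI.Access, MOB) interact: the
authorized-keys caveat weakens lockdown, an empty DCUI.Access list risks a lock-out,
and MOB cannot be changed once lockdown is on. The following Python is an added
example (not from the guide or from VMware) that audits a constructed snapshot of
these settings and orders the remediation steps so that MOB is disabled before
lockdown is (re-)enabled. The HostConfig fields, the trusted user list and the host
names are assumptions; in practice the values would be exported from vCenter (for
example with PowerCLI) and fed into the same checks.

```python
from dataclasses import dataclass


@dataclass
class HostConfig:
    """Constructed snapshot of the ESXi settings this section covers. Field names
    are hypothetical (not a VMware API); fill them from a vCenter export."""
    name: str
    lockdown_enabled: bool
    mob_enabled: bool
    dcui_access: list          # users in the DCUI.Access advanced setting
    root_authorized_keys: int  # SSH keys present in root's authorized_keys file


# Hypothetical list of users permitted to override lockdown mode via the DCUI.
TRUSTED_DCUI_USERS = frozenset({"root", "esxbreakglass"})

# Constructed sample inventory: esx01 has several defects, esx02 is compliant.
HOSTS = [
    HostConfig("esx01", lockdown_enabled=True, mob_enabled=True,
               dcui_access=["root", "jdoe"], root_authorized_keys=1),
    HostConfig("esx02", lockdown_enabled=True, mob_enabled=False,
               dcui_access=["root"], root_authorized_keys=0),
]


def audit_host(cfg, trusted=TRUSTED_DCUI_USERS):
    """Return findings against the lockdown / DCUI.Access / MOB guidance."""
    findings = []
    if not cfg.lockdown_enabled:
        findings.append("lockdown mode disabled: host can be managed directly, "
                        "bypassing the roles and access controls in vCenter")
    if cfg.mob_enabled:
        findings.append("MOB enabled: object browser has no access controls and "
                        "exposes host configuration")
    untrusted = sorted(set(cfg.dcui_access) - trusted)
    if untrusted:
        findings.append("DCUI.Access contains untrusted users: " + ", ".join(untrusted))
    if not cfg.dcui_access:
        findings.append("DCUI.Access is empty: admins are locked out if the host "
                        "loses its vCenter connection")
    if cfg.lockdown_enabled and cfg.root_authorized_keys:
        findings.append("root has SSH authorized keys: lockdown mode does not stop "
                        "key-based root SSH logins")
    return findings


def remediation_order(cfg, trusted=TRUSTED_DCUI_USERS):
    """Ordered remediation steps. MOB cannot be changed while the host is in lockdown
    mode, so a locked-down host with MOB enabled must leave lockdown first, and the
    DCUI.Access list is fixed before lockdown is switched back on."""
    steps = []
    fix_mob = cfg.mob_enabled
    fix_dcui = bool(set(cfg.dcui_access) - trusted) or not cfg.dcui_access
    if fix_mob and cfg.lockdown_enabled:
        steps.append("exit lockdown mode")
    if fix_mob:
        steps.append("disable MOB")
    if fix_dcui:
        steps.append("set DCUI.Access to the trusted user list")
    if fix_mob or not cfg.lockdown_enabled:
        steps.append("enable lockdown mode")
    return steps


if __name__ == "__main__":
    for host in HOSTS:
        print(host.name)
        for finding in audit_host(host):
            print("  finding:", finding)
        for step in remediation_order(host):
            print("  step:", step)
```

The authorized-keys check is deliberately reported as a finding rather than fixed by
the script: whether key-based root SSH is acceptable is a policy decision, but it must
not be mistaken for something lockdown mode already prevents.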

Key Activities: Review And Update User Access

Technical Implementations:
1. LoginTC
Users can access LoginTC-protected systems with their smartphones and tablets as
the second factor for access control.
Users' mobile platforms must be connected to the Internet. LoginTC works over
3G/4G and Wi-Fi networks, and LoginTC notifications are supported locally,
nationally, and worldwide.

LoginTC provisioning and registration is the first step for authorized users to access
EPHI systems and applications:
- Self-registration
- Bulk upload
- LoginTC REST API (used programmatically)
- Synchronization with user stores: LDAP, MS AD, SQL, etc.

The LoginTC mobile app can host multiple credentials to access multiple systems,
hence allowing users to seamlessly gain access to multiple applications when
required.

Fig.69 Provisioning LoginTC credential for a new user

Fig.70 LoginTC end user experience

Key Activities: Terminate Access If It Is No Longer Required

Technical Implementation:
1. LoginTC:
LoginTC credentials can be revoked in two ways:
- The LoginTC administrator accesses the LoginTC Admin panel and manually
revokes the user's credential.
- If the user record is updated in the master user repository (e.g. MS AD/LDAP)
and the LoginTC synchronization module is in place, the user's LoginTC credential
will be updated accordingly in LoginTC Admin.

Audit Controls (§ 164.312(b)): Future In Scope, Security Partner

HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use electronic
protected health information.

Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
1. LoginTC
The LoginTC Admin control panel provides LoginTC administrators with a powerful
reporting and auditing tool.
LoginTC administrators can select data captured by:
- All domains
- Specific domain
- Start date to end date

It can also download log data in TXT or CSV format for further analysis or
correlation.

All LoginTC access is monitored for successful, rejected/suspected fraud, or failed
attempts.

One of the most powerful LoginTC features is revealed in the LoginTC logs, which
include notifications that the user ignored or flagged as suspect and rejected. This
feature prevents phishing or man-in-the-middle attacks and can be acted upon by the
LoginTC administrator, auditors, and security personnel (see the previous figure,
LoginTC end user experience).

These LoginTC controls are extremely useful for recording and examining access
activity, especially when determining whether a security violation has occurred.

Fig.71 LoginTC admin panel: log management


Key Activities: Select The Tools That Will Be Deployed For Auditing
And System Activity Reviews
Technical Implementations:
1. vCNS vShield Data Security:
You can use this as an audit tool, as it provides visibility into sensitive data stored
within your organization's virtualized and cloud environments. Based on the
violations reported by vShield Data Security, you can ensure that sensitive data is
adequately protected and compliant with regulations around the world.
For example, you can assign policies on a Security Group basis so that the
application VMs in that Security Group are scanned for HIPAA data and, if any is
found, it is reported.
2. BMC Server Automation Compliance Audit
Based on a compliance policy, you can run a compliance audit for components. The
report shows which section of the policy the component does not comply with. The
following figure gives an example.

Fig.72 BSA compliance audit result: red color indicates noncompliant

The report also shows the number of Passed/Failed (compliant/noncompliant).

Fig.73 Compliance report shows number of Passed/Failed (compliant/noncompliant)


Integrity (§ 164.312(c)(1))
HIPAA Standard: Implement policies and procedures to protect electronic protected
health information from improper alteration or destruction.

Key Activities: Mechanism To Authenticate Electronically Protected Health
Information
Implement electronic mechanisms to corroborate that electronically protected
health information has not been altered or destroyed in an unauthorized manner.
Technical Implementations:
1. vCNS vShield Data Security
Perform regular discovery of EPHI data in the data center with vShield Data Security
to determine whether data has been modified since the previous discovery scan, by
checking the Scan History and Detail Reports.

Fig.74 vShield Data Security: scan history

Fig.75 vShield Data Security: report

Person Or Entity Authentication (§ 164.312(d))

HIPAA Standard: Implement procedures to verify the identity of a person or entity
seeking access to electronically protected health information.

Key Activities: Determine Authentication Applicability To Current
Systems/Applications
Technical Implementation:
1. Two-factor authentication for login

LoginTC implements two-factor authentication for granting access to systems that
contain EPHI records:
- LoginTC users must know the USERNAME, and optionally a PASSWORD, to
pass the first factor test.
- LoginTC users must have a smartphone or tablet with a provisioned LoginTC
credential, which is something that the user possesses, as the second factor.
- When notified, the user must unlock the LoginTC credential in the mobile
device with a PIN or passphrase, which is known only to the user.

Using LoginTC two-factor authentication can satisfy the HIPAA Security Rule
requirement to create and maintain security controls that verify user identity when
users are connecting to applications and databases with health data records, either
remotely or via a web application.

Fig.76 LoginTC two-factor authentication session

2. vSwitch security to prevent impersonation from the network perspective:

a. vSwitch security: reject promiscuous mode

In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC
address. In promiscuous mode, it can listen to all the packets. By default, guest
adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port
group level in ESX/ESXi.

Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html

b. Reject MAC Address Changes

If the virtual machine operating system changes the MAC address, it can send
frames with an impersonated source MAC address at any time. This allows it to stage
malicious attacks on the devices in a network by impersonating a network adaptor
authorized by the receiving network.

The Reject MAC Address Changes setting prevents VMs from changing their effective
MAC addresses. It will affect applications that require this functionality. An example
is Microsoft Clustering, which requires systems to effectively share a MAC address. It
will also affect how a layer-2 bridge operates, and applications that require a
specific MAC address for licensing. An exception should be made for the port groups
that these applications are connected to.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html

c. Reject forged transmits

By default, the forged transmits setting is set to Accept. This means that the
virtual switch does not compare the source and effective MAC addresses. To protect
against MAC address impersonation, all virtual switches should have forged
transmits set to Reject.

Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html

Fig.77 vSwitch security
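
The three vSwitch settings above are inherited by port groups unless overridden, and
the guide's own caveat is that MAC address changes must stay accepted on the port
groups used by Microsoft Clustering, layer-2 bridges and MAC-licensed software. The
following Python is an added example (not from the guide or from VMware) that audits a
constructed switch/port-group inventory against that policy, resolving the effective
policy per port group and tolerating MAC changes only on an explicit exception list.
The data model, switch and port-group names are assumptions; the values would come
from a vCenter export in practice.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """The three vSwitch / port-group security settings; True means Accept."""
    promiscuous_mode: bool
    mac_address_changes: bool
    forged_transmits: bool


# Standard switch defaults as the guide describes them for vSphere 5.1: promiscuous
# mode rejected, forged transmits accepted (MAC changes are accepted by default too).
VSPHERE_DEFAULT = SecurityPolicy(promiscuous_mode=False, mac_address_changes=True,
                                 forged_transmits=True)
# The target state for every port group carrying EPHI workloads.
HARDENED = SecurityPolicy(promiscuous_mode=False, mac_address_changes=False,
                          forged_transmits=False)


@dataclass
class PortGroup:
    name: str
    override: Optional[SecurityPolicy] = None  # None means inherit from the switch


@dataclass
class VSwitch:
    name: str
    policy: SecurityPolicy
    portgroups: list


def effective_policy(switch, pg):
    """Port-group level settings take precedence over the switch-level policy."""
    return pg.override if pg.override is not None else switch.policy


def audit_switch(switch, mac_change_exceptions=frozenset()):
    """Findings as (port group, issue) pairs. MAC address changes are tolerated only
    on port groups named in `mac_change_exceptions`; promiscuous mode and forged
    transmits are flagged everywhere, as the guide requires."""
    findings = []
    for pg in switch.portgroups:
        pol = effective_policy(switch, pg)
        if pol.promiscuous_mode:
            findings.append((pg.name, "promiscuous mode accepted"))
        if pol.mac_address_changes and pg.name not in mac_change_exceptions:
            findings.append((pg.name, "MAC address changes accepted"))
        if pol.forged_transmits:
            findings.append((pg.name, "forged transmits accepted"))
    return findings


# Constructed sample inventory (hypothetical names and settings).
EPHI_SWITCH = VSwitch("vSwitch0", HARDENED, [
    PortGroup("EPHI-App"),                                           # inherits HARDENED
    PortGroup("MSCS-Cluster", SecurityPolicy(False, True, False)),   # documented exception
    PortGroup("Legacy-Bridge", SecurityPolicy(False, True, True)),   # undocumented override
])
MGMT_SWITCH = VSwitch("vSwitch1", VSPHERE_DEFAULT, [PortGroup("Management")])
MAC_CHANGE_EXCEPTIONS = frozenset({"MSCS-Cluster"})


if __name__ == "__main__":
    for sw in (EPHI_SWITCH, MGMT_SWITCH):
        for pg_name, issue in audit_switch(sw, MAC_CHANGE_EXCEPTIONS):
            print(f"{sw.name}/{pg_name}: {issue}")
```

Keeping the exception list as explicit data, separate from the inventory, is the point:
a port group that accepts MAC changes without a matching entry is a finding even when
someone has a reason for it, which forces the reason to be recorded where auditors
can see it.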

Key Activities: Evaluate Authentication Options Available

Technical Implementation:
1. LoginTC
LoginTC two-factor authentication can protect systems that contain EPHI records,
and can protect the desktops and mobile platforms used to access those EPHI
systems.

LoginTC can be enabled in:
- VPNs
- Web access managers
- Web portals
- SAML federation systems
- O/S authentication: Windows/Unix
- Mobile browsers
- Mobile applications
- Virtually any platform or system that requires authentication

References
http://www.hipaasurvivalguide.com/hipaa-regulations/164-306.php
