ESXi 6.x Custom Firewall Ruleset Creation

As you may all know, the ESXi host comes with an inbuild firewall similar to firewalld in Linux or Windows inbuilt Firewall and the ESXi firewall is enabled by default.

You can configure incoming and outgoing firewall connections for a service or a management agent from the vSphere Client or at the command line. But to define a custom firewall port for a service needs to be performed at the command line.

This article will help you to create a custom firewall ruleset in ESXi 6.x for any service. Here we take an Example of Syslog. You can refer the below article to know how to configure the syslog in ESXi which leverage the default syslog ports (TCP/UDP 514, 1514) as seen below.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

-- Important point to remember that once you specify a custom port number in the above config, the logs will not be sent via the port until you create the ESXi custom firewall rule set.

 Syslog Service

Default Firewall Rule set for Syslog

Note- Each ESXi Service is tied to a firewall rule-set and when the service is started the rule-set gets enabled by default and there is no option in GUI to change the default Ports in the firewall rule set.

Why would you want to configure custom port?? It depends on several factors such as Security requirements or Syslog Log Collection Server requirements etc.

 

Set the syslog details in ESXi before creating the customer rule-set for it.

We can set the syslog details either via GUI (syslog.global.loghost) or command line as below:

In the above example, we use the port UDP 22222 as the custom port for syslog and syslog server IP as 192.168.5.5

Note: *The Port has to be configured & listening in the destination server *The Port has to be Allowed in the Network Firewall (if any)

To Set a Custom firewall Rule Set

Few important ESXi firewall commands can be found in the reference link listed at the last.

1.      Login to and browse to the ESXi firewall configuration location and perform a backup of the config.

$ cd /etc/vmware/firewall/

$ cp service.xml service.xml.bak        

      -- service.xml is the firewall config file

2.      No changes are allowed to the “service.xml” file by default only Read access. To enable access permissions, perform the below commands.

$ chmod 644 /etc/vmware/firewall/service.xml    -- To enable write Access

$ chmod +t /etc/vmware/firewall/service.xml       -- To toggle the sticky bit flag (This ensures only the file owner (root) user can modify the file permissions)

Above shows “Operation not permitted” Error, because by default the Firewall is Enabled and Loaded. Hence, disable and unload the firewall first as per Step 3 and perform step 2 again.

3.      To Disable the Firewall & Unload, run below

            $ esxcli network firewall set --enabled false

$ esxcli network firewall unload

4.      Perform Step 2 again to enable write permission to the file.

5.      Open the File in VI Editor to add the custom Rule set. Press “i” to insert and scroll to the bottom to add the new rule set.

6.      Add the below at the bottom of the configuration and save the file.

  <service id="increment the service id by 1 of the last entry">                

    <id>CustomSyslog</id>     

    <rule id='0000'>          

      <direction>outbound</direction>

      <protocol>udp</protocol>

      <porttype>dst</porttype>

      <port>22222</port>      

    </rule> 

    <enabled>true</enabled>

    <required>true</required>

  </service>          

Once saved, change back the permissions for the file to read only

$ chmod 444 /etc/vmware/firewall/service.xml

$ chmod -t /etc/vmware/firewall/service.xml

8.      Then Load the firewall and enable it.

$ esxcli network firewall load

$ esxcli network firewall set --enabled true

$ esxcli network firewall refresh

9.      You can view the new custom RuleSet created in the Firewall list in Gui and command-line as below:

 $ esxcli network firewall get

       $ esxcli network firewall ruleset list | grep -I “syslog”

You will see the new Custom Rule set named “CustomSyslog” is added with outgoing port set to UDP 22222

 Note: This article is written based on ESXi version 6.x

Reference

https://kb.vmware.com/s/article/2008226  

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8912DD42-C6EA-4299-9B10-5F3AEA52C605.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3.html#GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.troubleshooting.doc%2FGUID-54AFB94B-75DE-4895-B1BF-EE498F92B717.html

 

Read More

Mizrosoft Azure Services #Index

Microsoft Azure Services and Resources #Index

Compute - Virtual machines, virtual machine scale sets, app services

Networking - virtual networks, load balancer, VPN gateway, application gateway, content delivery network
Storage - Blog, disk, file, archive storage and Azure Files
Databases - Cosmos DB, SQL Database, database migration service, SQL Data Warehouse
IoT - IoT Central, IoT Hub
Big Data - HDInsight, Data Lake Analytics
AI - Azure Machine Learning Service, Azure Machine Learning Studio
Serverless - Azure Functions, Logic Apps
Identity services - identity concepts, Azure Active Directory, Multi Factor Authentication concepts
Security products - including both the Azure Security Center, Information Protection, Advanced Threat Protection and security features in the product groups above, like Network Security Groups
Governance - including Policy and Role Based Access Control, but also compliance and privacy concepts.
Monitoring - Azure Monitor and Service Health
Azure tools - like Azure Resource Manager, Azure CLI, Cloud Shell and PowerShell

Azure Blueprints
    This is a service that allows you to define a repeatable set of Azure resources.The definition of the Azure resources can adhere to an organization’s standards, patterns and requirements.Using blueprints , you can orchestrate the deployment of resources such as role assignments, policy assignments, Azure resource manager templates and resource groups.You can use blueprints to upgrade several subscriptions at once .
    
Azure Security Center

•     This is an infrastructure security management system.
•     You can use this tool to improve the security of your Azure based resources and on-premise resources as well.
•     Azure Security Center has in-built support for services such as Azure virtual machines , Function Apps, Azure SQL Server databases.
•     You can also allow Azure Security Center to give recommendations on what to do for on-premise Windows and Linux servers.
•     On these servers, you need to ensure you install the Microsoft Monitoring agent.
•     This service also helps detect and prevent threats at an Infrastructure layer

Azure AD Identity Protection
This is a service that can help detect suspicious actions related to user identities and add more security to the sign-ins to your Azure AD Account.

It can help in detecting the following,

•     Users with leaked credentials
•     Sign-ins from anonymous IP addresses
•     Sign-ins from infected devices
•     Sign-ins from IP addresses with suspicious activity
•     Sign-ins from unfamiliar locations
•     Impossible travel to atypical locations

Azure AD Privileged Identity Management
This is a service that can help manage, control and monitor access to important resources in your organization. With this service, you can provide just-in-time privileged access to Azure AD and Azure resources.

•     Provide time-bound access to resources using start and end dates.
•     Enforce multi-factor authentication to activate any role.
•     Get notifications when privileged roles are activated.
•     Conduct access reviews to ensure users still require the roles.

Read More

Difference between GibiBytes (GiB) and Gigabytes (GB)

GibiBytes is a unit of data. One GiB is approximately 1.074 GB. [One gibibyte is equal to 1073741824bytes = 1024 mebibytes]. Azure virtual disk sizes are measured in Gibibytes (GiB), which are not the same as Gigabytes (GB). Therefore, to obtain an approximate equivalent of your virtual disk size in GB, multiply the size in GiB by 1.074, and that will return a size in GB. For example, 32,767 GiB would be approximately 35,183 GB.

Whereas a Gigabyte is an another unit of data storage capacity, is approximately 1024 Mega Bytes (MB). Normal storage disks uses Gigabyte (GB) terminology to represent the storage capacity.

Read More

Difference between Azure management groups, Subscriptions and Resource groups

image courtesy : https://docs.microsoft.com

Azure management groups help you manage your Azure subscriptions by grouping them together. If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

Azure subscriptions help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and plans by office, department, project, and so on.

Resource groups are containers that hold related resources for an Azure solution. A resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization.

reference : https://docs.microsoft.com

Read More

Hardening your Azure cloud platform and best practices.

A quick reference on Azure Cloud platform security baseline based on CIS.

Baseline security checklist for commonly used Azure services. Please fast forward towards the end of this post, if you are looking for the CIS Microsoft Azure Foundations Security Benchmark

• Turn on Azure Security Center - it's free - Upgrade your Azure subscription to Azure Security Center Standard. Security Center's Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
• Adopt CIS Benchmarks - Apply them to existing tenants.
• Use CIS VMs for new workloads - from Azure Marketplace.
• Store your keys and secrets in Azure Key Vault (and not in your source code) - Key Vault is designed to support any type of secret: passwords, database credentials, API keys and, certificates.
• Install a web application firewall - Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
• Enforce multi-factor verification for users, especially your administrator accounts- Azure Multi-Factor Authentication (Azure MFA) helps administrators protect their organizations and users with additional authentication methods.
• Encrypt your virtual hard disk files - This will help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
• Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks - Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the Internet, or your own on-premises networks.

Related : Azure Cloud Security Documentation Glossary.

Operational Security best practices includes,

• Manage your VM updates - Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
• Enable password management and use appropriate security policies to prevent abuse.
• Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.

A variety of security standards can help cloud service customers to achieve workload security when using cloud services. The following recommendations are based on CIS and should not be considered an exhaustive list of all possible security configurations and architectures but just as a starting point.
CIS has two implementation levels, and several categories of recommendations.
Level 1:
Recommended minimum security settings
These should be configured on all systems.
These should cause little or no interruption of services nor reduced functionality.
Level 2:
Recommendations for highly secure environments:
These might result in reduced functionality.

Categories of recommendations

1) Recommendations related to IAM policies
    -Restrict access to the Azure AD administration portal - Level 1
    -Enable Azure Multi-Factor Authentication (MFA) - Level 2
    -Block remembering MFA on trusted devices - Level 2
    -About guests - Level 1
        Ensure that no guest users exist, or alternatively if the business requires guest users, ensure to limit their permissions.
    -Password options
        -Notify users on password resets - Level 1
        -Notify all admins when other admins reset passwords - Level 2
        -Require two methods to reset passwords - Level 1
    -Establish an interval for reconfirming user authentication methods - Level 1
    -Members and guests can invite - Level 2
    -Users to create and manage security groups - Level 2
    -Self-service group management enabled - Level 2
    -Application options - Allow users to register apps - Level 2
2) Azure Security Center baseline
    Azure Security Center (ASC) provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and in other clouds.
    -Enable the Standard pricing tier - Level 2
    -Enable the automatic provision of a monitoring agent - Level 1
        -When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is strongly recommended.
    -Enable System Updates - Level 1
    -Enable Security Configurations - Level 1
    -Enable Endpoint Protection (*) - Level 1
    -Enable Disk Encryption (*) - Level 1
    -Enable Network Security Groups (*) - Level 1
    -Enable Web Application Firewall (*) - Level 1
    -Enable Vulnerability Assessment (*) - Level 1
    -Enable Storage Encryption (*) - Level 1
    -Enable JIT Network Access (*) - Level 1
    -Enable Adaptive Application Controls (*) - Level 1
    -Enable SQL Auditing & Threat Detection (*) - Level 1
    -Enable SQL Encryption (*) - Level 1
    -Set Security Contact Email and Phone Number - Level 1
    -Enable Send me emails about alerts - Level 1
    -Enable Send email also to subscription owners - Level 1
3) Azure storage accounts baseline
    -Require security-enhanced transfers - Level 1
        Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet. You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Connections using HTTP will be refused once this is enabled.
    -Enable binary large object (blob) encryption - Level 1
    -Periodically regenerate access keys - Level 1
    -Require Shared Access Signature (SAS) tokens to expire within an hour - Level 1
    -Require SAS tokens to be shared only via HTTPS - Level 1
    -Enable Azure Files encryption - Level 1
    -Require only private access to blob containers - Level 1
        When you grant public access to a container, then anonymous users can read blobs within a publicly accessible container without authorizing the request.
4) Azure SQL Database baseline
    Azure SQL Server is a cloud-based relational database server that supports many of the same features as Microsoft SQL Server. It provides an easy transition from an on-premises database into a cloud-based one with built-in diagnostics, redundancy, security and scalability.
    -Enable auditing - Level 1
    -Enable all threat detection types - Level 1
    -Enable the option to send security alerts - Level 1
    -Enable the email service and co-administrators - Level 1
    -Configure audit retention for more than 90 days - Level 1
    -Configure threat detection retention for more than 90 days - Level 1
5) Logging and monitoring baseline
    Logging and monitoring are a critical requirement when trying to identify, detect, and mitigate security threats. Having a proper logging policy can ensure you can determine when a security violation has occurred, but also potentially identify the culprit responsible. Azure Activity logs provide data about both external access to a resources and diagnostic logs, which provide information about the operation of that specific resource.
    -Ensure that a log profile exists - Level 1
    -Ensure that activity log retention is set to 365 days or more - Level 1
    -Create an activity log alert for "Creating a policy assignment" - Level 1
    -Create an activity log alert for "Creating, updating, or deleting a Network Security Group" - Level 1
    -Create an activity log alerts for "Creating or updating an SQL Server firewall rule" - Level 1
6) Networking baseline
    Azure networking services maximize flexibility, availability, resiliency, security, and integrity by design. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.
    -Restrict RDP and SSH access from the Internet - Level 1
        To enable access, use any of the following secure access offerings.
            -Point-to-site VPN
            -Site-to-site VPN
            -Azure ExpressRoute
            -Azure Bastion Host
    -Restrict SQL Server access from the Internet - Level 1
    -Configure the NSG flow log retention period for more than 90 days - Level 2
    -Enable Network Watcher - Level 1
7) Azure VM baseline
    Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
    -A VM agent must be installed and enabled for data collection for Azure Security Center - Level 1
    -Ensure that OS disk are encrypted - Level 1
    -Ensure only approved extensions are installed - Level 1
    -Ensure that the OS patches for the VMs are applied - Level 1
    -Ensure that VMs have an installed and running endpoint protection solution - Level 1
8) Other baseline security considerations
    -Set an expiration date on all keys in Azure Key Vault - Level 1
    -Set an expiration date on all secrets in Azure Key Vault - Level 1
    -Set resource locks for mission-critical Azure resources - Level 2

Azure doesn't monitor security or respond to security incidents within the customer's area of responsibility. However, Azure does provide many tools (such as Azure Security Center, Azure Sentinel) that are used for this purpose.
 Link : CIS Microsoft Azure Foundations Security Benchmark.
 
 #Reference : docs.microsoft.com

Read More

Azure Cloud Security Documentation Glossary.

Consolidated list of documentations and tutorials related to Microsoft Azure Cloud Security. Can be used to perform a deep dive on Azure security and for the preparation of Azure Security certification,.

• Azure Well-Architected Framework
• Introduction to Azure security
• Azure security documentation
• Using customer-managed keys in Azure Key Vault with Storage Service Encryption
• Start using Azure Active Directory Privileged Identity Management
  
• Privileged Identity Management documentation
  
• What is Azure Security Center?
  
• Azure Security Center documentation
  
• What is Conditional Access?
• Microsoft Security Development Life-cycle
  
• Azure Information Protection documentation
• Azure Sentinel documentation
  
• Azure Key Vault
• Azure Security Center for IoT documentation
• Azure Dedicated HSM documentation
• Azure DDoS Protection Standard overview
• Microsoft security architecture recommendations
• Become an Azure Sentinel Ninja: The complete level 400 training
  

Feel free to share. Happy learning.

Read More