-
Advice needed: virtual firewall product
I know this is not answering the question directly, but hope it may help:
On the "Test Cluster", you may want to consider running ESX on top of ESX, so the ESX is a VM. It is good enough (as in the performance is decent) if you are only running a few VMs on top.
This allows you to test the functionality.
Cheers!
e1
-
vShield VM availability
If the vShield VM goes down, an HA event will occur and the guests behind the shield will start on another host.
If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points
Tom Howarth VCP / vExpert
VMware Communities User Moderator
Blog: www.planetvm.net
Contributing author on "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment". Currently available on roughcuts
-
vShield VM availability
Since the vShield VM sits in between the "Protected VMs" and "outside network", what happens if the vShield VM goes down? Do the "Protected VMs" lose access to outside world?
Does a planned maintenance of the vShield VM require downtime of the vShield VM? Planned maintenance here means updating the VM with latest patch or updates.
Thanks in advance
e1
-
VirtualCenter permissions problem
I had the same problem after adding "Read Only" access for the group "Users" on a Datacenter.
After that, that rule took precedence over the inherited permissions for the administrator. Also, the administrator no longer had permission to edit the rule, nor to do anything else, such as deleting the datacenter tree to create it again.
Access rules in the vCenter DB are removed when users or groups are deleted in Active Directory or in the local user database on the vCenter Server, but the "Users" group is a built-in one, and thus can't be deleted by any means.
Finally I went to SQL Server and manually deleted the evil access rule.
The purpose of the schema is not very clear, but I happened to delete only one record and it worked. So I guess that I erased the right entry. Please note that ids can vary depending on how many permissions you already have. I only had 2 entries because I was working with a test installation.
Here you can find how to do it.
Regards.
Open a CMD console:
C:\> cd "C:\Program files\Microsoft SQL Server\90\Tools\Binn"
C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "select id,principal from VPX_access;"
id principal
--------------------------------------------------------------------
1 Administrators
12 Users
(2 rows affected)
C:\Program files\Microsoft SQL Server\90\Tools\Binn> SQLCMD.EXE -S localhost\SQLEXP_VIM -d VIM_VCDB -Q "delete from VPX_access where id=12;"
(1 rows affected)
---
And now restart the VirtualCenter service.
-
Scanning guest os, host ports respond
Hello,
So you scan the single IP from a VM already in that subnet and you get 3 ports open. This does not look like it is returning anything related to ESXi, which would include port 902, etc.
If you scan the single IP from a desktop OUTSIDE that subnet (10.) you get more ports open. This sounds like you are actually scanning the router/firewall/NAT device instead of the actual IP, as you see H.323 support. I do not think you are scanning what you intend to scan.
Neither of these scans actually looks like the ESXi vmkernel device, as the wrong ports are open.
You could scan your vmkernel device, then report your findings and compare that to what your VM is showing, etc.
In all this your vmkernel is NOT really part of this network. You are hitting the vSwitch, then the vSwitch goes to the vNIC... the vmkernel Management Console is not part of this picture at all.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast
-
Scanning guest os, host ports respond
The nmap command line is "nmap 192.168.81.27", just doing a basic scan with no special options. If I do this from my PC, which is on a 10.6.3.x network, I get all the extra ports. If I do it from the 192.168.81.26 server (a guest on the ESXi host) I only get the 3 ports I expect. If I shut down all the guests on that ESXi box (the ESXi host IP is 192.168.81.18) and do a nmap -P0 192.168.81.27 I get the results that I have shown. This happens on all the guests on that host (192.168.81.19-30) with the same results. It's almost as if the ESXi host is routing the scans and responding to some of them.
The only physical server on the 192.168.81.16 subnet is the ESXi host. No other management tools are being used. I run the client from my desktop on the 10.6.3.x network.
-
Isolating the host from the internet
Still haven't weaned completely from Microsoft. The Bat email client with Sandboxie are too good to say goodbye to, especially given that they live in a VM. Also, I have too much mastery of Windows to dump all this knowledge and go back to adventures with Linux; the last time I used Linux it was a pain in the neck.
Having said that, my browser appliance is Linux-based. And I'm planning to study and experiment with chroot and OpenVZ as a substitute for Sandboxie.
And don't forget, VMs are disposable; it's not the end of the world if a browser appliance gets messed up, as long as bookmarks are kept somewhere safe (I'm keeping a copy online too).
-
vShield - No cluster option
A vShield will need to be on each node in the cluster.
If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points
Tom Howarth VCP / vExpert
VMware Communities User Moderator
Blog: www.planetvm.net
Contributing author on "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment". Currently available on roughcuts
-
vShield - No cluster option
As far as I understand the docs, you install the vShield agent on all ESXes in the case of a standard vSwitch, but only one agent for a distributed vSwitch.
---
MCSA, MCTS, VCP, VMware vExpert '2009
http://blog.vadmin.ru
-
vShield - No cluster option
Edit:
Or is the documentation wrong, and do I just have to install a vShield on each host (even though I'm using a vDS) in standalone?
-
Can encryption beat a man in the middle attack?
Hello,
In the example you cite, where both keys can be used to encrypt or decrypt, I do not believe that would meet the definition of Public Key cryptography.
I agree. However, it does not mean people do not do this already.
Knowing how things work is half the battle.... It is all about the key exchange.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast
-
Can malware in the guest access NON-shared folders?
Hello,
If the malware is embedded in the actual picture and not a hook off some other part of the code, your BMP conversion tool would not know this, unless you have figured out how to undo steganography; then the malware is just transferred with the other bits of the image. When you reconvert, the malware still exists within the image. So the BMP becomes just a carrier... The question is then, can the new 'JPG' execute any of that malware.... I am not sure... I imagine it would not be able to do so unless something else came along and rehooked up the pointers, etc.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast
-
vShield - No cluster option
Hopefully this is a simple one......
I have 3 x ESXi 4.0 hosts in a DRS cluster. I have followed the VMware instructions as much as possible, but I'm obviously doing something wrong.
I have installed vShield manually (on a distributed switch) and vShield Manager (currently located on a vSwitch) and am getting connectivity OK. However, when doing a manual install through vShield Manager, I ONLY have the option "Standalone" in the Clustering Settings. In the guide it says I should have an "Add to Cluster" option, which just isn't visible. This obviously just leaves me with 1 host being protected.
Any ideas?!
-
Using 1 SAN for both LAN and DMZ
Sorry for the delay in marking this answered. Thanks so much for your help.
-
Can encryption beat a man in the middle attack?
Ed:
In the example you cite, where both keys can be used to encrypt or decrypt, I do not believe that would meet the definition of Public Key cryptography.
Quoting from the horse's (Whitfield Diffie and Martin Hellman) mouth:
http://www.rsa.com/rsalabs/node.asp?id=2165
2.1.1 What is public-key cryptography?
"...each person gets a pair of keys, one called the public key and the other called the private key. The public key is published, while the private key is kept secret. The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. In this system, it is no longer necessary to trust the security of some means of communications. The only requirement is that public keys be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by just using public information, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient."
You are quite correct, however, when it comes to the challenges of PKI, and the difficulty of public key management.
In that regard, I will offer a shameless plug for my new startup, Secret 1-2-3.
For anyone who may be interested in testing a new product which will solve this age-old key distribution problem, may I invite you to sign up for our beta?
http://www.secret123.com/
Please put a note that you know me from the VMware communities, and I will be happy to put you on my "short list" of people who care about email privacy...
Best,
Howard
P.S. FULL DISCLOSURE: Having now completed my duties at Catbird.com, I am in the process of launching my next startup, Secret 1-2-3. I am a principal and founder of Secret 1-2-3, and will be re-joining these communities in the near future as "Howard123".
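The requirement the quoted definition ends on, that public keys be bound to their owners in a trusted (authenticated) manner, is the whole answer to the thread's question, and a small simulation makes it concrete. This is an added illustration, not code from the thread or from any product named in it: a toy Diffie-Hellman exchange (the prime, generator and "trusted directory" are constructed for readability, not for real use) in which an untrusted relay on the path replaces each side's public value, and only the directory check catches the substitution.

```python
# Added illustration (not from the thread): toy Diffie-Hellman exchange showing
# why a public value must be bound to its owner via a trusted (authenticated)
# directory. Toy parameters, constructed for readability only.
import secrets

P = 2**61 - 1   # small Mersenne prime, toy parameter only
G = 3


class Party:
    """One participant: a private exponent and the public value derived from it."""

    def __init__(self, name, priv=None):
        self.name = name
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared(self, peer_pub):
        """Derive the shared secret from whatever public value was received."""
        return pow(peer_pub, self.priv, P)


def exchange(alice, bob, relay=None, directory=None):
    """Simulate the exchange and return (alice_secret, bob_secret).

    relay:     an untrusted party on the path that substitutes its own public
               value for each side's (the failure mode the thread asks about).
    directory: trusted name -> public value mapping (the authenticated binding).
               When present, a mismatch aborts the exchange and returns None.
    """
    received_by_bob, received_by_alice = alice.pub, bob.pub
    if relay is not None:
        received_by_bob = relay.pub      # Bob thinks this is Alice's value
        received_by_alice = relay.pub    # Alice thinks this is Bob's value
    if directory is not None:
        # Each side checks the value it received against the trusted binding.
        if (directory[bob.name] != received_by_alice
                or directory[alice.name] != received_by_bob):
            return None
    return alice.shared(received_by_alice), bob.shared(received_by_bob)


if __name__ == "__main__":
    alice, bob, relay = Party("alice"), Party("bob"), Party("relay")
    trusted = {"alice": alice.pub, "bob": bob.pub}
    print("direct       :", exchange(alice, bob))                 # equal secrets
    print("relayed      :", exchange(alice, bob, relay=relay))    # two different secrets
    print("relayed+dir  :", exchange(alice, bob, relay=relay, directory=trusted))  # None
```

Without the directory the relayed exchange completes "successfully" with each side holding a secret it actually shares with the relay; encryption alone never notices, which is why the key-exchange binding, not the cipher, decides the outcome.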