
360 Virtualization Security

Installation Guide

Version 7.0

Date 2017-9-1


Contents

Installation Guide (VMware NSX) ... 2
1. Preparations for Installation ... 2
2. Create and Add Distributed Network ... 3
3. Install NSX Manager ... 5
4. Register vCenter Server to NSX Manager ... 20
5. Add and Distribute License ... 23
6. Configure the Agent Virtual Machine ... 27
7. Install Guest Introspection ... 28
8. Install and Configure Management Center ... 33
8.1 Management Center Installation ... 33
8.2 Configure Management Center ... 48
9. Deploy Security VM ... 57
10. Configure Security Groups and Security Policy ... 65
10.1 Configure Security Group ... 65
10.2 Configure Security Policy ... 68
10.3 Apply Security Policy ... 71
11. Install VMware Tools in Protected Windows VM ... 73
12. Install Guest Introspection in Protected Linux VM ... 76
13. Uninstall the Security Modules of Host ... 79
14. Troubleshooting ... 83
Appendix ... 88
1. Install ESXi Host and vCenter ... 88
2. Add ESXi Host to vCenter ... 101
3. Supported Windows operating systems ... 103
4. Supported Linux operating systems ... 103


Installation Guide (VMware NSX)

1. Preparations for Installation

1) VMware software required: ESXi host, vCenter, NSX Manager

2) NSX security module: Guest Introspection

3) IP addresses for Guest Introspection and the NSVM security VM

4) Versions of NSX Manager and ESXi


2. Create and Add Distributed Network

Prerequisite: the host has at least 2 network cards, so that one can be dedicated to the distributed network.

1) Log in to vCenter via vSphere Client.

2) Click “Inventory - Networking” to open the network configuration.

3) Select the data center and click “Add a vSphere Distributed Switch” on the right side.


4) In the “Create vSphere Distributed Switch” dialog box select the matching version, and on the “General Properties” tab set “Number of Uplink ports” to 1, because only one network card is added to the distributed switch; then click “Next”.

5) On the “Add Hosts and Physical Adapters” tab select “Add now”, select the host and the physical adapter, and click “Next” until finished.


6) Return to the Hosts and Clusters page, click the host, and open “Configuration - Network Adapters” to verify that the other network card has been added to the distributed switch.

3. Install NSX Manager

We recommend deploying NSX Manager from the OVF template; it is quicker and more convenient. The NSX Manager 6.3 template is used as the example:

VMware-NSX-Manager-6.3.1-5124716.ov

1) Select the host on which NSX Manager is to be installed, then click the menu “File - Deploy OVF Template” to open the “Deploy OVF Template” dialog box, as follows:


2) Click the “Browse” button in the dialog box, select the NSX Manager template, and click “Next”.

3) Click “Next” on the “OVF Template Details” page.


4) Select “Accept” and click “Next” on the End User License Agreement page.


5) On the “Name and Location” page enter the name of the NSX Manager and click “Next”.


6) On the “Resource Pool” page select the resource pool in which to deploy the template, then click “Next”.


7) On the “Storage” page select the destination storage for the virtual machine files, then click “Next”.


8) Click “Next” on the “Disk Format” page.


9) Select the destination network on the “Network Mapping” page, then click “Next”.


10) On the “Properties” page set the password for the WebUI and CLI of NSX Manager, the network parameters and the NTP server address, select the option to enable SSH, and click “Next”.


11) Select “Turn on the power after deployment” and click “Finish” on the “Ready to Complete” page.


12) The system starts deploying NSX Manager and shows the progress.


13) After deployment, run the “show interface” command in the NSX Manager CLI to verify that the IP address just configured has been applied as expected. Make sure that NSX Manager can ping its default gateway, the NTP server, vCenter Server and the ESXi host IP.

14) Open the NSX Manager WebUI and log in with the admin user and password.


15) Click “View Summary” on the opened page.

16) Make sure that vPostgres, RabbitMQ and NSX Management Service are all running on the Summary page.


4. Register vCenter Server to NSX Manager

1) Open the NSX Manager WebUI and log in with the admin user and password.

2) On the homepage click “Manage vCenter Registration”.

3) Click the “Edit” button on the right side of the vCenter Server page.


4) Enter the address, user name and password of vCenter Server in the dialog box. For the user name, [email protected] is preferable to the root user.

5) Select “Yes” on the “Trust Certificate” page, after confirming that the certificate shown is the one presented by your vCenter Server.


6) If the vCenter Server state shows “Connected”, registration was successful.

7) Log in to vCenter Server with vSphere Web Client.

8) A “Networking & Security” icon now appears on the vSphere Web Client homepage.


5. Add and Distribute License

PS: if the network features are not needed, skip this step.

1) Open the “Administration” page from the homepage.


2) Open the “Licenses” page under “Administration”.


3) Click the “+” button on the page and add the network-related licenses.

4) In the “New Licenses” dialog box enter the license key and a license name, then click “Finish”.


5) On the “Assets” - “Solutions” tab select NSX for vSphere and click the “Distribute License” button.


6) Select the license just added in the dialog box and click “OK”.

6. Configure the Agent Virtual Machine

1) Log in to vCenter Server with vSphere Web Client.


2) Select the ESXi host, open “Manage” - “Agent VM Settings”, and click the “Edit” button on the right side.

3) On the “Agent VM Settings” page select the correct datastore and VM network, then click “OK”.

7. Install Guest Introspection

1) Open the “Service Deployments” page in the Networking & Security module and click the “+” button.


2) In the “Deploy Network & Security Services” wizard select “Guest Introspection” on the “Select service & Schedule” page, then click “Next”.

3) On the “Select clusters” page select the datacenter and the cluster of ESXi hosts, then click “Next”.


4) On the “Select storage and Management Network” page configure the correct datastore and network; IP assignment is DHCP by default.

Addresses can also be assigned from an IP pool: click the “Change” button, select “Use IP pool” in the “Select IP Assignment mode” dialog box, and click “+” to add a static IP pool.


5) Click “Finish” on the “Ready to Complete” page.

6) After clicking “Finish”, the Guest Introspection service just added appears on the Service Deployments page.


7) The ESXi host automatically creates a virtual machine named after Guest Introspection.

PS: when configuring the network of Guest Introspection, make sure that the selected network and NSX Manager are in the same network segment.


8. Install and Configure Management Center

8.1 Management Center Installation

The management center can be installed on a physical machine or a virtual machine. The following describes installation as a VMware virtual machine.

First upload the installation media ics-ctrl-7.0.0-2279.x86_64.iso to the physical server:

Open the vSphere Client interface and select a physical server.

Right-click the datastore object, for example datastore164.


Double-click the ISO folder.


Open the vSphere Client interface and select the physical server on which you will deploy the virtual machine.


Tick “Edit settings of virtual machine before finishing” and click the “Continue” button.

Here you can change the CPU and memory of the virtual machine. Suggested sizing by the number of physical servers managed:

Physical servers managed    Suggested configuration
1 to 20                     4 CPUs, 16 GB memory
20 to 50                    8 CPUs, 32 GB memory
More than 50                16 CPUs, 64 GB memory


Select the ISO file just uploaded.


Right-click the virtual machine to open its console.

The virtual machine boots from the ISO; the user has 60 seconds to confirm the installation (if there is no input within 60 seconds, installation is confirmed automatically). After pressing “Enter”, installation starts.


After the installation is complete, a Reboot prompt appears; select Reboot to finish the installation.


8.2 Configure Management Center

1. Configure IP address

Because the management center is responsible for the security of all hosts and virtual machines, it must communicate with every physical machine that hosts virtual machines. Its IP address is therefore critical and cannot be changed after configuration, so we recommend a static IP address. Configure it as follows:

1) After installation and reboot, the management center xconsole page appears.


Select “Configure System” and press “Enter”.

Select “Configure Network” and press “Enter”.

Select “Configure Interface” and press “Enter”.


Enter the default password vmsecadmin and press “Enter”.

Select the network card and press “Enter”.


Select “Static” to configure a static IP.

Enter the correct IP address, mask and gateway, and press “Enter”.


The system reconfigures the interface.

After configuration, the IP is in static mode.
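The management center's address cannot be changed once it is set (step 1 above), and section 7 requires the Guest Introspection network to be in the same segment as NSX Manager. The POSIX shell script below is an added example, not part of the 360 guide: it validates an address/mask/gateway triple before it is typed into xconsole (well-formed addresses, contiguous mask, gateway inside the subnet and not colliding with the host, network or broadcast address) and checks whether two addresses share a subnet. The function names and the sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the 360 guide): sanity-check a static IPv4
# configuration before committing it in xconsole, and check that two
# addresses share a subnet. POSIX sh only; no network access needed.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d e <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$e" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad (used in messages).
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Return 0 if $1 is a contiguous netmask usable for a host (not /0, not /32).
valid_mask() {
    valid_ipv4 "$1" || return 1
    m=$(ip_to_int "$1")
    [ $(( m == 0 || m == 4294967295 )) -eq 0 ] || return 1
    inv=$(( ~m & 4294967295 ))          # host bits; must be of the form 2^k - 1
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Return 0 if $1 and $3 lie in the same subnet under netmask $2.
same_subnet() {
    valid_ipv4 "$1" && valid_mask "$2" && valid_ipv4 "$3" || return 1
    m=$(ip_to_int "$2"); p=$(ip_to_int "$1"); q=$(ip_to_int "$3")
    [ $(( (p & m) == (q & m) )) -eq 1 ]
}

# Validate an address/mask/gateway triple as xconsole's "Static" screen will
# take it. Prints the first problem found; returns 0 only when everything passes.
check_static_ip() {
    ip=$1; mask=$2; gw=$3
    valid_ipv4 "$ip"   || { echo "bad IP address: $ip"; return 1; }
    valid_mask "$mask" || { echo "bad netmask: $mask"; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw"; return 1; }
    i=$(ip_to_int "$ip"); m=$(ip_to_int "$mask"); g=$(ip_to_int "$gw")
    net=$(( i & m ))
    bcast=$(( net | (~m & 4294967295) ))
    [ $(( i != net && i != bcast )) -eq 1 ] \
        || { echo "IP $ip is the network or broadcast address"; return 1; }
    [ $(( (g & m) == net )) -eq 1 ] \
        || { echo "gateway $gw is outside $(int_to_ip "$net")/$mask"; return 1; }
    [ $(( g != i && g != net && g != bcast )) -eq 1 ] \
        || { echo "gateway $gw collides with the IP, network or broadcast address"; return 1; }
    echo "ok: $ip/$mask via $gw"
}

if [ $# -eq 3 ]; then
    check_static_ip "$1" "$2" "$3"
else
    # Constructed demo values, not addresses taken from the guide.
    check_static_ip 192.168.10.20 255.255.255.0 192.168.10.1
    check_static_ip 192.168.10.20 255.255.255.0 192.168.20.1
    same_subnet 192.168.10.20 255.255.255.0 192.168.10.30 \
        && echo "192.168.10.30 is in the same segment as 192.168.10.20"
fi
```

Run it as `sh check_ip.sh IP MASK GATEWAY` with the values you intend to enter; a non-zero exit means the triple would leave the management center unreachable. The same `same_subnet` check answers the section 7 question of whether the Guest Introspection network and the NSX Manager address are in one segment.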


2. Change password (recommended)

The administrator can change the xconsole login password of the management center.

Select “Authentication” in the xconsole and press “Enter”.

Select “Change Password” and press “Enter”.


Enter the old password and the new password, then confirm the new password in the dialog box.

After pressing “Enter”, the system reports that the password has been changed successfully.


3. Log in to the management center:

The management center is reached at https://X.X.X.X:8443 (X.X.X.X is the IP configured in the first step). The default user name and password are admin/sysadmin; change this password after the first login. After logging in, the administrator can go to “Management” - “User Management” to add or delete users.

Activating the product

After logging in to the management center with the user name and password, click the “System - Settings - License” link on the page.

The page switches to “System” - “Settings” - “License”.

Click “Update license”, then click “select file” in the dialog box.


Select the correct license file, then click “OK”.

After the license is updated, the states of the system security modules change to “activated”.


9. Deploy Security VM

1) Add VMware vSphere host

a) In the management center open “Assets” - “Hosts” and click “New” to open the “Add Pool” dialog box. Select the virtual machine platform with type VMware vCenter, enter the name, the vCenter address, the user name ([email protected]) and the password, choose the security solution NSX (only anti-malware enabled), enter the address, user name and password of NSX, and finally click “OK”.

After the pool is added successfully, the NSVM Security Service is registered in NSX automatically.

b) After adding, the ESXi host appears on the Hosts page with the state “uninstalled security modules”.


2) Deploy NSVM Security Service

a) Log in to vCenter Server with vSphere Web Client.

b) Open “Installation” - “Service Deployments” in the Networking & Security module, then click the “+” button.


c) In the “Deploy Network & Security Services” wizard select “NSVM Security Service”, then click “Next”.


d) On the “Select clusters” page select the cluster, then click “Next”.


e) On the “Select storage and Management Network” page set the datastore and the network to “Specified on-host”, select the “Distributed port group”, and click “Next” until finished.

f) Click “Finish”.


g) As in the following picture, after clicking “Finish” the Service Deployments page shows the NSVM Security Service with installation status “Scheduled for install” and service status “Unknown”.

h) After about 1 minute the installation status of NSVM Security Service changes to “Succeeded” and the service status to “Up”.


i) vCenter now contains virtual machines named after NSVM Security Service, one VM per host.

j) Edit the settings of each VM and change the third network card of the NSVM to vmservice-vshield-pg.


k) The service appears on the “Service Definitions” - “Services/Service Managers” page.


l) On the management center page, the connection status of this host is “connected”.

PS: when there are many hosts, synchronization may be slow; wait several minutes.

10. Configure Security Groups and Security Policy

10.1 Configure Security Group

1) Return to the homepage, open “Service Composer” - “Security Groups”, click the “Create new security group” button, enter the name of the security group in the “New Security Group” wizard, then click “Next”.


2) On the “Select objects to include” tab set the object type to “Virtual Machine”, select the virtual machine to be protected in the object list below, click the button to add it, then click “Next”.


3) Click “Next” until finished.


10.2 Configure Security Policy

1) Open “Service Composer” - “Security Policies” and click the “Create Security Policy” button.

2) In the “New Security Policy” wizard enter the name of the security policy, then click “Next”.


3) Click the “+” button on the Guest Introspection Services tab.

4) In the “Add Guest Introspection Service” dialog box configure the name and the action, set the service to applied and enabled and agree to enforce it, then click “Next”.


5) Click “Next” until finished.


10.3 Apply Security Policy

1) Right-click the security policy and click “Apply Policy” in the menu that opens.


2) In the “Security policy” - “Apply Policy to Security Groups” dialog box select the security group created earlier and click “OK”.


3) The applied-objects count of the security policy is updated to 1.

11. Install VMware Tools in Protected Windows VM

1) Log in to vSphere Web Client (URL https://x.x.x.x).

2) Select the virtual machine to be protected, open the “Summary” tab and click “Install VMware Tools” on the right side of the page.

3) Select “Mount” in the “Install VMware Tools” dialog box.

4) Inside the virtual machine, open the DVD drive.

5) Double-click setup.exe to start installing VMware Tools.

6) Click “Next” in the “VMware Tools Setup” dialog box.

7) Select “Custom” and click “Next”.

Page 76: 360 Virtualization Security · PDF file10.1 Configure security group ... click “Add a vSphere Distributed Switch” in the right side. 4 4) ... select the “Distributed port group”

75

8) Find “VMCI Driver” in the feature tree, select “NSX File Introspection Driver” for installation, then click “Next”.

Versions after vSphere 5.5 U2 are as follows:

Page 77: 360 Virtualization Security · PDF file10.1 Configure security group ... click “Add a vSphere Distributed Switch” in the right side. 4 4) ... select the “Distributed port group”

76

Versions before vSphere 5.5 U2 should search“VMCI driver”, and select to install

“vShield Drivers”to local disk.

9) Click “Install” in the dialog box.

10) After finishing installation, you will get a notice to reboot the system, select “Yes”.

11) Enter into the page of “Asset management”–“Virtual machine/terminal” in the management

center, as the followingpicture; you can see the real-time prevention status of virtual machine

just installed is on state.

12. Install Guest Introspection in the Protected Linux VM

Premise:

Make sure that the agent and the virtual machine have been installed on ESX 5.1 or a higher version, and that the virtual machine runs Linux.

NSX Guest Introspection supports the following Linux operating systems:

RHEL 7 GA (64-bit)
SLES 12 GA (64-bit)
Ubuntu 14.04 LTS (64-bit)

PS: The Linux thin agent needs Glib 2.0 installed in the target system.

Steps:

Please execute the following steps with root privileges according to your Linux operating system.

For Ubuntu systems:

a. Use the following commands to get and import the VMware packaging public key:

curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
apt-key add VMWARE-PACKAGING-GPG-RSA-KEY.pub

b. Create a new file named vm.list under /etc/apt/sources.list.d.

c. Edit the file and include the following content:

vi /etc/apt/sources.list.d/vm.list
deb https://packages.vmware.com/packages/ubuntu/ trusty main

d. Now install the software package like this:

apt-get update
apt-get install vmware-nsx-gi-file

For RHEL 7 systems:

a. Use the following commands to get and import the VMware packaging public key:

curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
rpm --import VMWARE-PACKAGING-GPG-RSA-KEY.pub

b. Create a new file named vm.repo under /etc/yum.repos.d.

c. Edit the file and include the following content:

vi /etc/yum.repos.d/vm.repo
[vm]
name = VMware
baseurl = https://packages.vmware.com/packages/rhel7/x86_64
enabled = 1
gpgcheck = 1
metadata_expire = 86400
ui_repoid_vars = basearch

d. Now install the software package like this:

yum install vmware-nsx-gi-file

For SLES systems:

a. Use the following commands to get and import the VMware packaging public key:

curl -O https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub
rpm --import VMWARE-PACKAGING-GPG-RSA-KEY.pub

b. Add the following repository:

zypper ar -f "https://packages.vmware.com/packages/sle12/x86_64/" VMware

c. Now install the software package like this:

zypper install vmware-nsx-gi-file

Check with root privileges whether the thin agent is running through the command “service vsepd status”; it should be running.
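The three per-distribution procedures above, as an added example that is not part of the 360 guide: a POSIX shell script that derives the repository setup from the distribution's /etc/os-release, writes the repo file the guide describes, refuses a yum repo that came out without gpgcheck = 1, and prints the key-import and install commands as a reviewable plan instead of running them. The key and repository URLs are the ones the guide lists; the root-directory parameter and the os-release sample in the test are assumptions for offline use.

```shell
#!/bin/sh
# Added example, not from the 360 guide: derive the thin-agent repository
# setup from /etc/os-release for the Linux families the guide lists, and
# refuse a yum repo that does not keep gpgcheck = 1. URLs are the guide's.
KEY_URL="https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub"
KEY_FILE="VMWARE-PACKAGING-GPG-RSA-KEY.pub"

# Extract the ID= value from an os-release file (the path is passed in so
# the function can be exercised on a constructed file).
os_id() {
  sed -n 's/^ID="\{0,1\}\([a-z]*\)"\{0,1\}$/\1/p' "$1"
}

# Repository file content for the file-based package managers; prints
# nothing and returns 1 for a family the guide does not cover.
repo_content() {
  case "$1" in
    ubuntu)
      printf 'deb https://packages.vmware.com/packages/ubuntu/ trusty main\n' ;;
    rhel|centos)
      printf '[vm]\nname = VMware\n'
      printf 'baseurl = https://packages.vmware.com/packages/rhel7/x86_64\n'
      printf 'enabled = 1\ngpgcheck = 1\nmetadata_expire = 86400\n'
      printf 'ui_repoid_vars = basearch\n' ;;
    *) return 1 ;;
  esac
}

# Write the repo file below root directory $2 ("/" on a real host, a temp
# dir for a dry run). Returns 2 if a yum repo lacks gpgcheck = 1, because
# with the check off an unsigned package would be installed.
write_repo() {
  case "$1" in
    ubuntu)      out="$2/etc/apt/sources.list.d/vm.list" ;;
    rhel|centos) out="$2/etc/yum.repos.d/vm.repo" ;;
    *) return 1 ;;
  esac
  mkdir -p "$(dirname "$out")"
  repo_content "$1" > "$out" || return 1
  case "$1" in
    rhel|centos) grep -q '^gpgcheck = 1$' "$out" || return 2 ;;
  esac
}

# Key import and install commands per family, printed rather than run so
# the plan can be reviewed before it is executed as root.
install_plan() {
  echo "curl -O $KEY_URL"
  case "$1" in
    ubuntu)      echo "apt-key add $KEY_FILE"; echo "apt-get update"
                 echo "apt-get install vmware-nsx-gi-file" ;;
    rhel|centos) echo "rpm --import $KEY_FILE"; echo "yum install vmware-nsx-gi-file" ;;
    sles)        echo "rpm --import $KEY_FILE"
                 echo "zypper ar -f \"https://packages.vmware.com/packages/sle12/x86_64/\" VMware"
                 echo "zypper install vmware-nsx-gi-file" ;;
    *) return 1 ;;
  esac
}
```

On a real host, run `write_repo "$(os_id /etc/os-release)" /` as root, then execute the lines printed by `install_plan` once you have reviewed them.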

Install VMware Tools

a. Log in to vCenter via vSphere Web Client.

b. Find “Hosts and Clusters” on the home page.

c. Find the Linux VM which needs to be protected, and click “Install VMware Tools” on the right side under the “Summary” page.

d. Click “Mount” in the dialog box of “Install VMware Tools” to mount VMware Tools to this Linux VM.

e. Enter the console of the Linux VM and install the prerequisites of VMware Tools with the commands “yum install net-tools” and “yum install perl”.

f. Mount the installation package of VMware Tools to the /mnt directory:

mount /dev/cdrom /mnt

g. Copy the tar.gz in /mnt to the path /:

cp /mnt/VMwareTools-9.10.5-2981885.tar.gz /

h. Uncompress and install:

tar zxvf VMwareTools-9.10.5-2981885.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl

Reboot the VM after finishing the installation.

13. Uninstall the Security Modules of Host

1) Select the VMware vSphere to be deleted in the page of “Asset management”, click “Delete”, then click “OK” in the dialog box.

2) Log in to vCenter via vSphere Web Client, enter the page of “Networking & Security”–“Service Composer”, select the security group and right click to delete it.

3) Go to “Security Policies” of “Service Composer”, select the security policy and right click “Delete”.

4) In the page of “Installation”–“Service Deployments”, select “NSVM Security Service” and then click “Delete”.

5) Right click “NSVM Security Service” in “Service Definitions”, then click “Edit settings”.

6) Select the “NSVM Security Service” instance and right click “Delete”.

7) Select “NSVM Security Service” in the page of “Service Definitions” and right click “Delete”.

8) In the “Remove service definition” dialog box, select “Delete service manager”, then click “Yes”.

14. Troubleshooting

1. Failed to add VMware NSX host

1) Please check in vCenter whether the configuration or instances related to the NSVM service have been deleted first; refer to chapter 13 “Uninstall the Security Modules of Host” in this guide.

2) Enter the page of NSX Manager to make sure that the service status of vPostgres, RabbitMQ and NSX Management Service is correct.

2. The VM cannot kill viruses.

1) First log in to vCenter vSphere Web Client, select “cluster” in the page of “Hosts and Clusters”, then enter the page of “Monitor”–“Guest Introspection”, and check whether the description and status of the host, NSVM Security Service and Guest Introspection are correct.

2) Then troubleshoot according to the operating system of the VM.

Windows VM

a) Enter the page of “Networking & Security”–“Service Composer”–“Security Groups” in vCenter vSphere Web Client, click the value of VM in the Security Groups, then check in the dialog box whether the Windows VM is included in the security group.

b) Check whether the configuration applied to this Windows VM has turned on “Real-time protection”. Log in to the management center and enter the page of “Asset Management”–“VM/Terminal” to check the status of “Real-time protection”. If the status is not “Real-time protection on”, please change the matched security configuration and turn on “Real-time protection”.

c) Then check whether this VM has already been installed with VMware Tools and the “NSX File Introspection Driver” by custom installation.

d) In the command line of the VM run “sc query vsepflt” and check whether the service exists. The following picture 1 shows a normal result; picture 2 shows that the service is unavailable.

Service is normal:

Service is unavailable, please install VMware Tools again:

e) If the service is unavailable, please install VMware Tools again, and select the NSX File Introspection driver under “VMCI driver” by custom installation. After installation, reboot the VM and make sure that VMware Tools has been installed.

Versions before vSphere 5.5 U2 should find “VMCI driver” and select to install “vShield Drivers” to the local disk.

Find “VMCI driver” and select “vShield Drivers” to install it to the local disk.

PS: If there is no “NSX File Introspection Driver” or “vShield Drivers” option like the picture above in the dialog box of “VMware Tools”, it means that the version of VMware Tools is old and you need to download the new version of VMware Tools from this website: https://packages.vmware.com/tools/esx

f) Check the security VM of the host. Log in to this security VM through the console or SSH and execute the command “ifconfig -a”; the IP of eth1 is as follows:

g) Test the communication between the security VM and the protected VM. You can ping the IP 169.254.1.1 of vmsevice-nvmsec-pg from the security VM. The security process listens on TCP port 48651 of this machine. If the protected VM is enabled, it will connect to local port 8000.

Linux VM

a) Make sure that the operating system of the Linux VM is supported; refer to the appendix list of supported Linux operating systems.

b) Enter the page of “Networking & Security”–“Service Composer”–“Security Groups” in vCenter vSphere Web Client, click the value of “VM” listed in the page of security groups, then check in the dialog box whether the Linux VM is included in the security group.

c) Check whether the configuration applied to this Linux VM has turned on “Real-time protection”. Log in to the management center and enter the page of “Asset Management”–“VM/Terminal” to check the status of “Real-time protection”. If the status is not “Real-time protection on”, please change the matched security configuration and turn on “Real-time protection”.

d) Enter the command line of the Linux VM and check through the command “service vsepd status” whether the status of the vsepd service is correct; the normal status is running.

Appendix:

1. Install ESXi Host and vCenter

1) Preparation and introduction of installation

Before installing the ESXi host and vCenter, please prepare the following files:

ESXi installation file:

Take ESXi 6.0 as an example: ESXi-6.0-Custom-e1000e_3.2.2.1.iso

vCenter installation file:

Take vCenter 6.0 as an example: VMware-VCSA-all-6.0.0-3040890.iso

2) Install ESXi host

The installation of the ESXi host is the same as for any VMware deployment; you can deploy it by referring to the official VMware documentation:

http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-7C9A1E23-7FCD-4295-9CB1-C932F2423C63.html

3) Install vCenter

Introduction: The deployment of VMware vCenter Server Appliance (VCSA) 6.0 is different from the previous versions. Versions before 5.5 could be deployed quickly by importing an OVA file, but from version 6.0 users must run the installer in Windows and then finish the deployment of VCSA through the installation guide.

a. Download VMware-VCSA-all-6.0.0-3040890.iso from the official website.

b. Mount the virtual optical drive to the Windows machine.

c. Enter the vcsa directory to install the plugin.

d. Install step by step according to the installation guide.

e. After finishing the installation of the plugin, click vcsa-setup.html to open the VCSA virtual machine installation guide.

f. Click “Install”.

g. In the page of “End User License Agreement” select “Accept the terms of the agreement”.

h. In the page of “Connect to target server” input the IP of the ESXi host, the user name and the password, then click “Next”.

i. In the dialog box of “Certificate Warning” select “Yes”.

j. In the page of “Set up virtual machine” input the name and root password of the VCSA virtual machine, and then click “Next”.

k. In the page of “Select deployment type” select the default, and click “Next”.

l. In the page of “Set up Single Sign-on” input the SSO password; leave the domain name and site name at the defaults, and then click “Next”.

m. In the page of “Select appliance size” use the default option, and then click “Next”.

n. In the page of “Select datastore” select the storage space of the virtual machine, and then click “Next”.

o. In the page of “Configure database” select “Use an embedded database”, and then click “Next”.

p. In the page of “Network settings” select the correct network card; the IP address family is IPv4 and the network type is static; then configure the IP, subnet mask, gateway and DNS, select to synchronize the time of the appliance with ESXi, and then click “Next”.

q. Check whether the parameters are properly configured, then click “Finish”.

r. After clicking “Finish”, the installation progress starts.

4) Install vSphere Client

Download it from the website http://www.prolved.com/vsphere-client-downloads/ and install it.

2. Add ESXi Host to vCenter

1) Log in to VMware vSphere Web Client through [email protected]

2) Create a Datacenter.

3) Select the Datacenter just created and right click, then select “New Cluster” in the menu.

4) Input the name of the cluster in the dialog box of “New Cluster”, enable DRS and click “OK”.

5) Select the cluster just created, then click “Add a host”, then operate step by step according to the “Add host” guide.

3. Supported Windows operating systems:

Windows XP SP3 and higher versions (32-bit)
Windows Vista (32-bit)
Windows 7 (32/64-bit)
Windows 8 (32/64-bit) - vSphere 5.5 only
Windows 8.1 (32/64-bit) - vSphere 5.5 Patch 2 and higher versions
Windows 10
Windows 2003 SP2 and higher versions (32/64-bit)
Windows 2003 R2 (32/64-bit)
Windows 2008 (32/64-bit)
Windows 2008 R2 (64-bit)
Windows 2012 (64-bit) - vSphere 5.5 only
Windows 2012 R2 (64-bit) - vSphere 5.5 Patch 2 and higher versions

4. Supported Linux operating systems:

RHEL 7 GA (64-bit)
CentOS 7 GA (64-bit)
SLES 12 GA (64-bit)
Ubuntu 14.04 LTS (64-bit)