Hello and welcome to Web Informant.TV. I'm Dave Strom, your host and reviewer. Today we look at the HyTrust appliance, which allows you to manage the access to and deployment of VMware ESX servers and manage the virtual machine guests that are contained in them. There are two parts to the product: a management appliance that lives inside your data center, and a web browser-based console, which we're looking at here, that is used to set up and control its operations along with giving a dashboard view of what's going on.
If you're running lots of VMs, you're probably concerned with limiting their access, so that only a few trusted staff can make changes to that configuration. In a virtualized environment it's easy to make copies of your critical servers, so you want to ensure that not everyone in your company has the ability to do so. This is where the HyTrust appliance comes into play. It works by segregating the management console traffic from the network that is used for the daily operations of the actual VMs themselves.
You can see the two networks in this slide. What is happening is that the appliance terminates all SSL and management sessions between the ESX servers and their clients. This ensures that ordinary users can't muck around with the VM configuration, and you can also apply fine-grained security policies to particular administrative rights to enforce separation of duties. In addition, with HyTrust you can use enterprise directory credentials. There is no need to manage multiple host-based credentials or use a shared root account to connect. For example, let's say we try to connect as a network administrator to an ESX host via SSH and run a simple Unix command, ps, to show the running processes. If we set up our security correctly, we see the access denied message because we've turned off access for this group of users.
To set up the appliance we bring up its web management console and click on the Hosts tab to show the host summary screen, where you can see what's being protected as we mouse over the entries. It also shows which protective benchmark is being used for each server. To protect another ESX host we go to that tab and click on the Add button, and this brings up a screen where we enter the particulars.
The most important part of the product is under the Host Benchmark tab. You can select from a variety of compliance benchmarks and set them up so that different users are able to just audit or also perform remediation. Here is a list of the different benchmarks that are available, including the ones from the Center for Internet Security (CIS) and ones matching VMware's best practices. To get more information on the CIS benchmarks we browse on over to their website.
Let's look at the VMware best practices benchmark. Once we click on the Details button we can see two columns to check off what we want to apply to our particular servers. We can just perform an assessment, or assess and then remediate the server to comply with the particular benchmark. If we go back to the host screen we can click on a particular server and the Remediate button, and we'll see a progress bar on the right along with the last time it was assessed.
Any good security plan should set up regular scheduled assessments. At the host screen we select one of our protected servers and then click on the Schedule Events button. This brings up a screen where we can select the particular benchmark to run at the interval, in seconds, that we specify. I like the three levels of integration of the product. First is how it integrates with Active Directory, so you don't have to reassign particular security roles for your various staff. To bring this up, go to the Configuration, Authentication menus here and enter the AD information accordingly. You don't have to make any changes to your existing AD schemas.
There is also a demo mode that sets up 12 different roles so you can evaluate the appliance before connecting to a live AD server. You can set up fine-grained security roles under the Policy, Roles tab, and if we click on one of these you'll see dozens of privileges that we can assign to each role. Speaking of integration, the appliance can grab policies from VMware's VirtualCenter management software. Go to Policies, Resources and you can see here the policies we've imported.
One final integration instance is that you don't need to use the appliance's web interface but can access it through a plug-in inside the VMware Virtual Infrastructure management client. It appears as an extra tab at the top of the screen labeled HyTrust, and we can see the same menus that we were looking at on its own web interface. If we've done everything correctly we can secure our ESX box to not allow any users who are not application owners to start and stop the VMs contained in it. Here you see we're connected using the Virtual Infrastructure Client as a network admin user, and when we try to stop the VM instance it shows that we've been blocked.
But as a network administrator I can create a new virtual switch. What's missing? Well, the HyTrust appliance also produces central audit logs, which are great for compliance, but the integrated log viewing piece, as you see here, still needs some more work. It's helpful, though, to ensure you're consistently deploying new VM server instances, and it can monitor events. Another thing missing is the ability to manage other hypervisors besides ESX, and of course HyTrust has plans for adding that.
Here is more information about pricing. There are different schemes depending on whether you want to purchase the hardware appliance or just the software application, and there is also a fully functional free version as well. Thanks for watching Web Informant.TV. This has been David Strom; feel free to send me email at David@Strom.com.
Transcription by:
Scribe4you Transcription Services