What is LUN masking?
LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts.
LUN Masking is implemented primarily at the HBA (Host Bus Adapter) level. LUN Masking implemented at this level is vulnerable to any attack that compromises the HBA.
Some storage controllers also support LUN Masking.
LUN Masking is important because Windows-based servers attempt to write volume labels to all available LUNs. This can render the LUNs unusable by other operating systems and can result in data loss.
What is SAN zoning?
SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric.
SAN zoning may be utilized to implement compartmentalization of data for security purposes.
Each device in a SAN may be placed into multiple zones.
What are hard and soft zoning?
Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning which is implemented in software.
Hard zoning physically blocks access to a zone from any device outside of the zone.
Soft zoning uses filtering implemented in Fibre Channel switches to prevent ports from being seen from outside of their assigned zones. The security vulnerability in soft zoning is that the ports are still accessible if a user in another zone correctly guesses the Fibre Channel address.
What is port zoning?
Port zoning utilizes physical ports to define security zones. A user's access to data is determined by which physical port he or she is connected to.
With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap.
Port zoning is normally implemented using hard zoning, but could also be implemented using soft zoning.
What is WWN zoning?
WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric.
A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.
WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.
What is a World Wide Name (WWN)?
A World Wide Name, or WWN, is a 64-bit address used to uniquely identify each element in a Fibre Channel network.
Soft Zoning utilizes World Wide Names to assign security permissions.
The use of World Wide Names for security purposes is inherently insecure, because the World Wide Name of a device is a user-configurable parameter.
For example, to change the World Wide Name (WWN) of an Emulex HBA, the user simply needs to run the `elxcfg` command.
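Because the WWN is an operator-settable value, the fabric cannot tell a cloned WWN from the genuine one by value alone; what it can observe is where and when a WWN logs in. The following Python script is an added example (not from the original page) that audits fabric-login records for the two observable symptoms of a copied WWN: the same WWPN active on two switch ports at once, and a port whose WWPN no longer matches the recorded baseline. The record format, switch/port names, WWNs and the baseline map of port to expected WWPN are all constructed for this example and are not any vendor's log format.

```python
"""Audit constructed Fibre Channel fabric-login records for signs of WWN
spoofing. Added illustration; the record format is invented for this example."""
import re
from typing import Dict, Iterable, List, Tuple

# A WWN is a 64-bit value, conventionally written as 8 colon-separated octets.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

# Constructed sample records: "<time> <switch>/<port> <event> <wwpn>"
SAMPLE_LOG = """\
10:00:01 sw1/3 FLOGI 10:00:00:00:c9:11:22:33
10:00:02 sw1/4 FLOGI 10:00:00:00:c9:44:55:66
10:05:10 sw2/7 FLOGI 10:00:00:00:c9:11:22:33
10:07:00 sw1/4 LOGO  10:00:00:00:c9:44:55:66
10:07:05 sw1/4 FLOGI 10:00:00:00:c9:aa:bb:cc
10:08:00 sw1/9 FLOGI zz:00:00:00:c9:aa:bb:cc
"""

# Assumed baseline kept by the storage team: which WWPN is cabled to which port.
BASELINE = {
    "sw1/3": "10:00:00:00:c9:11:22:33",
    "sw1/4": "10:00:00:00:c9:44:55:66",
}


def is_valid_wwn(wwn: str) -> bool:
    """True if the string is a well-formed 64-bit WWN (8 hex octets)."""
    return bool(WWN_RE.match(wwn.lower()))


def parse_records(text: str) -> Iterable[Dict[str, str]]:
    """Yield one dict per non-empty line of the constructed record format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, port, event, wwpn = line.split()
        yield {"time": time, "port": port, "event": event, "wwpn": wwpn.lower()}


def audit_fabric_logins(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings.

    duplicate  - a WWPN logs in on a port while still logged in elsewhere
    changed    - a port's WWPN differs from the recorded baseline
    malformed  - the WWPN field is not a valid 64-bit WWN
    """
    findings: List[Tuple[str, str]] = []
    active: Dict[str, set] = {}  # wwpn -> ports where it is currently logged in
    for rec in parse_records(text):
        wwpn, port = rec["wwpn"], rec["port"]
        if not is_valid_wwn(wwpn):
            findings.append(("malformed", f"{rec['time']} {port}: bad WWPN {wwpn!r}"))
            continue
        if rec["event"] == "FLOGI":
            ports = active.setdefault(wwpn, set())
            if ports and port not in ports:
                findings.append(("duplicate",
                                 f"{rec['time']} {wwpn} logged in on {port} "
                                 f"while active on {sorted(ports)}"))
            ports.add(port)
            expected = baseline.get(port)
            if expected and expected.lower() != wwpn:
                findings.append(("changed",
                                 f"{rec['time']} {port}: expected {expected}, saw {wwpn}"))
        elif rec["event"] == "LOGO":
            active.get(wwpn, set()).discard(port)
    return findings


if __name__ == "__main__":
    for category, detail in audit_fabric_logins(SAMPLE_LOG, BASELINE):
        print(f"[{category}] {detail}")
```

On the sample records the audit reports the third login as a duplicate (the WWPN from sw1/3 appears on sw2/7 while still active), the re-login on sw1/4 as a baseline change, and the last record as malformed. In a real fabric the baseline would come from the cabling records or the name server's last known-good state, and the findings would be correlated with port zoning or hard zoning, which the text above notes do not depend on the WWN value.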
What are the classes of attacks against SANs?
- Snooping: Mallory reads data Alice sent to Bob in private
  - Allows access to data
- Spoofing: Mallory fools Alice into thinking that he is Bob
  - Allows access to or destruction of data
- Denial of Service: Mallory crashes or floods Bob or Alice
What are some attacks against FCP?
- Node Name / Port Name spoofing at Port Login time
- Source Port ID spoofing on dataless FCP commands
- Snooping and spoofing on FC-AL
- Snooping and Spoofing after Fabric reconfiguration
- Denial of Service attacks can be made in User mode
What is FCAP (Fibre Channel Authentication Protocol)?
FCAP is an optional authentication mechanism employed between any two devices or entities on a Fibre Channel network using certificates or optional keys.
What is FCPAP (Fibre Channel Password Authentication Protocol)?
FCPAP (Fibre Channel Password Authentication Protocol) is an optional password based authentication and key exchange protocol which is utilized in Fibre Channel networks.
FCPAP is used to mutually authenticate Fibre Channel ports to each other. This includes E_Ports, N_Ports, and Domain Controllers.
What is SLAP (Switch Link Authentication Protocol)?
SLAP is an authentication method for Fibre Channel switches which utilizes digital certificates to authenticate switch ports.
SLAP was designed to prevent the unauthorized addition of switches into a Fibre Channel network.
What is FC-SP (Fibre Channel – Security Protocol)?
Fibre Channel – Security Protocol (FC-SP) is a security protocol for Fibre Channel Protocol (FCP) and FICON (fiber connectivity).
FC-SP is a project of Technical Committee T11 of the InterNational Committee for Information Technology Standards (INCITS).
FC-SP is a security framework which includes protocols to enhance Fibre Channel security in several areas, including authentication of Fibre Channel devices, cryptographically secure key exchange, and cryptographically secure communication between Fibre Channel devices.
FC-SP is focused on protecting data in transit throughout the Fibre Channel network. FC-SP does not address the security of data which is stored on the Fibre Channel network.
What is ESP over Fibre Channel?
ESP (Encapsulating Security Payload) is an Internet standard for the authentication and encryption of IP packets.
ESP is defined in RFC 2406: IP Encapsulating Security Payload (ESP).
ESP is widely deployed in IP networks and has been adapted for use in Fibre Channel networks. The IETF iSCSI proposal specifies ESP link authentication and optional encryption.
ESP over Fibre Channel is focused on protecting data in transit throughout the Fibre Channel network. ESP over Fibre Channel does not address the security of data which is stored on the Fibre Channel network.
What is DH-CHAP?
DH-CHAP (Diffie Hellman – Challenge Handshake Authentication Protocol) is a forthcoming Internet Standard for the authentication of devices connecting to a Fibre Channel switch.
DH-CHAP is a secure key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication.
DH-CHAP supports MD5 and SHA-1 algorithm-based authentication.
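The following Python program is an added example (not from the original page and not FC-SP's exact message layout) of how the two halves of DH-CHAP fit together: a CHAP challenge/response whose response also binds a Diffie-Hellman shared value, so the secret never leaves either side, a captured reply is useless against a fresh challenge, and both ports authenticate each other. It shows both sides' messages and the negotiation of MD5 versus SHA-1. The message and field names, the single pre-shared secret per pair and the toy-sized DH group are assumptions made for the demonstration.

```python
"""Simplified DH-CHAP style mutual authentication between two Fibre Channel
entities, as an added illustration (not FC-SP's exact message layout).
Assumptions: one pre-shared secret per pair, a toy-sized DH group, and
invented message/field names."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed toy DH group: a Mersenne prime, far too small for real use.
DH_P = 2**127 - 1
DH_G = 2
DH_BYTES = (DH_P.bit_length() + 7) // 8

# The two hash algorithms DH-CHAP supports, per the text above.
HASHES = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def _response(hash_name: str, tid: int, secret: bytes, challenge: bytes, shared: int) -> bytes:
    """CHAP-style response: hash over transaction id, secret, challenge and g^xy."""
    h = HASHES[hash_name]()
    h.update(tid.to_bytes(4, "big"))
    h.update(secret)
    h.update(challenge)
    h.update(shared.to_bytes(DH_BYTES, "big"))
    return h.digest()


class Entity:
    """A port (host HBA or switch) holding its secret and an ephemeral DH key."""

    def __init__(self, name: str, secret: bytes, hash_prefs: List[str]):
        self.name, self.secret, self.hash_prefs = name, secret, list(hash_prefs)
        self._priv = secrets.randbelow(DH_P - 2) + 1
        self.pub = pow(DH_G, self._priv, DH_P)

    def shared_with(self, peer_pub: int) -> int:
        return pow(peer_pub, self._priv, DH_P)


def run_exchange(initiator: Entity, responder: Entity) -> Tuple[bool, Optional[str], List[Dict]]:
    """Drive the exchange; return (authenticated, negotiated hash, transcript)."""
    transcript: List[Dict] = []
    # 1. Negotiate: initiator offers the hashes it supports, in preference order.
    transcript.append({"type": "AUTH_Negotiate", "from": initiator.name,
                       "hashes": initiator.hash_prefs})
    chosen = next((h for h in initiator.hash_prefs if h in responder.hash_prefs), None)
    if chosen is None:
        transcript.append({"type": "AUTH_Reject", "reason": "no common hash"})
        return False, None, transcript
    # 2. Challenge: responder sends a transaction id, challenge C1 and its DH public value.
    tid, c1 = 1, os.urandom(16)
    m2 = {"type": "DHCHAP_Challenge", "hash": chosen, "tid": tid,
          "challenge": c1, "dh_pub": responder.pub}
    transcript.append(m2)
    # 3. Reply: initiator proves the secret bound to g^xy and challenges back with C2.
    k_init = initiator.shared_with(m2["dh_pub"])
    m3 = {"type": "DHCHAP_Reply", "tid": tid,
          "response": _response(chosen, tid, initiator.secret, c1, k_init),
          "challenge": os.urandom(16), "dh_pub": initiator.pub}
    transcript.append(m3)
    # Responder recomputes R1 from its own copy of the secret and g^xy.
    k_resp = responder.shared_with(m3["dh_pub"])
    if not hmac.compare_digest(m3["response"],
                               _response(chosen, tid, responder.secret, c1, k_resp)):
        transcript.append({"type": "AUTH_Reject", "reason": "bad response"})
        return False, chosen, transcript
    # 4. Success: responder answers C2 so the initiator can authenticate it in turn.
    m4 = {"type": "DHCHAP_Success", "tid": tid,
          "response": _response(chosen, tid, responder.secret, m3["challenge"], k_resp)}
    transcript.append(m4)
    ok = hmac.compare_digest(m4["response"],
                             _response(chosen, tid, initiator.secret, m3["challenge"], k_init))
    if not ok:
        transcript.append({"type": "AUTH_Reject", "reason": "responder failed mutual auth"})
    return ok, chosen, transcript


if __name__ == "__main__":
    host = Entity("host-a", b"constructed-secret", ["sha1", "md5"])
    switch = Entity("switch-1", b"constructed-secret", ["sha1"])
    ok, h, log = run_exchange(host, switch)
    print("authenticated:", ok, "with", h, "in", len(log), "messages")
```

Two points the exchange makes visible: the responder never learns anything from the reply except that the initiator knows the secret, and because g^xy is folded into every response, an observer who records one exchange cannot answer a later challenge, which is the property that separates DH-CHAP from plain CHAP. Note also that the hash is chosen from the initiator's preference list, so a deployment that wants SHA-1 rather than MD5 should list SHA-1 first on both sides.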
How are iSCSI, iFCP and FCIP secured over IP networks?
The IETF IP Storage (ips) Working Group is responsible for the definition of standards for the encapsulation and transport of Fibre Channel and SCSI protocols over IP networks.
The IPS Working Group’s charter includes responsibility for data security:
Security including authentication, keyed cryptographic data integrity and confidentiality, sufficient to defend against threats up to and including those that can be expected on a public network. Implementation of basic security functionality will be required, although usage may be optional.
The IPS Working Group has created RFC 3723: Securing Block Storage Protocols over IP.
RFC 3723 defines the use of the existing IPsec and IKE (Internet Key Exchange) protocols to secure block storage protocols over IP.
- ESX vs ESXi
  - ESXi has no service console (the ESX service console was a modified version of RHEL)
  - ESXi is extremely thin, which results in fast installation and fast boot
  - ESXi can be purchased as an embedded hypervisor on hardware
  - ESXi has a built-in server health status check
- ESXi 4.1 vs ESXi 5.0 – Migration
  - Local upgrade from CD
  - VMware Update Manager (only supports upgrade of ESX/ESXi 4.x to ESXi 5.0)
- ESXi 4.1 vs ESXi 5.0 – Features
  - vSphere Auto Deploy
  - Storage DRS
  - HA – primary/secondary concept changed to master/slave
  - Profile-driven storage
  - VMFS version – 3 → 5
  - ESXi firewall
  - VMware hardware version – 7 → 8
  - VMware Tools version – 4.1 → 5
  - vCPU – 8 → 32
  - vRAM – 256 → 1 TB
  - VMs per host – 320 → 512
  - RAM per host – 1 TB → 2 TB
  - USB 3.0 support
- HA 5.0
  - Uses an agent called FDM (Fault Domain Manager)
  - HA now talks directly to hostd instead of using the vCenter agent vpxa
  - Master/slave concept
    - The master monitors availability of hosts/VMs
    - The master manages VM restarts after host failure
    - The master maintains a list of all VMs in each host
    - The master restarts failed VMs
    - The master exchanges state with vCenter
    - The master monitors the state of the slaves
    - Slaves monitor running VMs, send their status to the master and restart VMs on request from the master
    - Slaves monitor the master node's health
    - If the master fails, the slaves participate in an election
  - Two different heartbeat mechanisms: network heartbeat and datastore heartbeat
    - Network heartbeat
      - Sent between slave and master once per second
      - When a slave stops receiving heartbeats from the master, it checks whether it is itself isolated or whether the master is isolated or has failed
    - Datastore heartbeat
      - Used to distinguish between isolation and failure
      - Uses a ‘Power On’ file in the datastore to determine isolation
      - This mechanism is used only when the master loses network connectivity with hosts
      - 2 datastores are chosen for this purpose
  - Isolation response
    - Leave Powered On
- vMotion enables live migration of running virtual machines from one host to another with zero downtime. Requirements:
  - Host must be licensed for vMotion
  - Configure the host with at least one vMotion network interface (VMkernel port group)
  - Shared storage (this requirement was relaxed in 5.1)
  - Same VLAN and VLAN label
  - Gigabit Ethernet network required between hosts
  - Processor compatibility between hosts
  - vMotion does not support migration of applications clustered using Microsoft Clustering Service
  - No CD-ROM attached
  - No affinity is enabled
  - VMware Tools should be installed
- What is DRS? Types of DRS
  - Distributed Resource Scheduler
  - It is a feature of a cluster
  - DRS continuously monitors utilization across the hosts and moves virtual machines to balance the computing capacity
  - DRS uses vMotion for its functioning
  - Types of DRS
    - Fully automated – The VMs are moved across the hosts automatically. No admin intervention required.
    - Partially automated – The VMs are placed on hosts automatically at VM boot-up. Once up, vCenter only provides DRS recommendations, which the admin has to apply manually.
    - Manual – The admin has to act according to the DRS recommendations
  - DRS prerequisites
    - Shared storage
    - Processor compatibility of hosts in the DRS cluster
    - vMotion prerequisites
- vMotion is not working. What are the possible reasons?
  - Ensure vMotion is enabled on all ESX/ESXi hosts
  - Ensure that all VMware prerequisites are met
  - Verify if the ESXi/ESX host can be reconnected, or if reconnecting the ESX/ESXi host resolves the issue
  - Verify that time is synchronized across the environment
  - Verify that the required disk space is available
- What happens if a host is taken to maintenance mode
  - Hosts are taken to maintenance mode during the course of maintenance
  - In a single ESX/ESXi setup, all the VMs need to be shut down before entering maintenance mode
  - In a vCenter setup, if DRS is enabled, the VMs will be migrated to other hosts automatically
- How will you clone a VM in ESXi without vCenter
  - Using vmkfstools
  - Copy the vmdk file and attach it to a new VM
  - Using VMware Converter
- What is vSAN?
  - It is a hypervisor-converged storage solution built by aggregating the local storage attached to the ESXi hosts managed by a vCenter.
- Recommended iSCSI configuration?
  - A separate vSwitch, and a separate network other than the VM traffic network, for iSCSI traffic. Dedicated physical NICs should be connected to the vSwitch configured for iSCSI traffic.
- What is iSCSI port binding?
  - Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that broadcasts a single IP address.
- iSCSI port binding considerations?
  - Array target iSCSI ports must reside in the same broadcast domain and IP subnet as the VMkernel port.
  - All VMkernel ports used for iSCSI connectivity must reside in the same broadcast domain and IP subnet.
  - All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.
  - Currently, port binding does not support network routing.
- Recommended iSCSI configuration of a 6-NIC infrastructure? (Answer changes as per the infrastructure requirements)
  - 2 NICs for VM traffic
  - 2 NICs for iSCSI traffic
  - 1 NIC for vMotion
  - 1 NIC for management network
- Post-conversion steps in P2V
  - Adjust the virtual hardware settings as required
  - Remove non-present device drivers
  - Remove all unnecessary devices such as serial ports, USB controllers, floppy drives etc.
  - Install VMware Tools
- Which esxtop metric will you use to confirm a storage latency issue?
  - Run `esxtop`, press `d` for the disk view and check the DAVG column
- What are standby NICs
  - These adapters will only become active if the defined active adapters have failed.
- Path selection policies in ESXi
  - Most Recently Used (MRU)
  - Round Robin
- Which networking features are recommended while using iSCSI traffic
  - iSCSI port binding
  - Jumbo Frames
- Ports used by vCenter
- What is the ‘No Access’ role
  - Users assigned the ‘No Access’ role for an object cannot view or change the object in any way
- When is a swap file created
  - When the guest OS is first installed in the VM
- The Active Directory group whose members will be ESXi administrators by default
  - ESX Admins
- Which is the command used in ESXi to manage and retrieve information from virtual machines?
- Which is the command used in ESXi to view live performance data?
- Command-line tool used in ESXi to manage virtual disk files?
- Port used for vMotion
- Log file location of a VMware host
- Can you map a single physical NIC to multiple virtual switches?
- Can you map a single virtual switch to multiple physical NICs?
  - Yes. This method is called NIC teaming.
- VMkernel port group can be used for:
  - Fault Tolerance logging
  - Management traffic
- Major difference between ESXi 5.1 and ESXi 5.5 free versions
  - Up to ESXi 5.1, the free version was limited to 32 GB of physical memory; from 5.5 onwards this limit has been lifted.
- Maximum number of LUNs that can be attached to a host (ESXi 5.0)
- Maximum number of vCPUs that can be assigned to a VM (ESXi 5.0)
- What is CPU affinity in VMware? Its impact on DRS?
  - CPU refers to a logical processor on a hyperthreaded system and to a core on a non-hyperthreaded system
  - By setting CPU affinity for each VM, you can restrict the assignment of VMs to a subset of the available processors
  - The main use of setting CPU affinity is for display-intensive workloads that require additional threads alongside the vCPUs.
  - DRS will not work with CPU affinity
- VM version 4 vs VM version 7
  - Version 4
    - Runs on ESX 3.x
    - Max supported RAM 64 GB
    - Max vCPUs 4
    - MS cluster is not supported
    - 4 NICs/VM
    - No USB support
  - Version 7
    - Runs on vSphere 4.x
    - Max supported RAM 256 GB
    - Max vCPUs 8
    - MS cluster is supported
    - 10 NICs/VM
    - USB support
- What happens to the VMs if a standalone host is taken to maintenance mode?
  - In the case of standalone servers, VMware recommends that VMs should be powered off before putting the server in maintenance mode
  - If we put the standalone host in maintenance mode without powering off the VMs, it will remain in the ‘entering maintenance mode’ state until the VMs are all shut down
  - When all the VMs are powered down, the host status changes to ‘under maintenance’
- How can you edit a VM template?
  - VM templates cannot be modified as such
  - First, the VM template has to be converted to a virtual machine
  - After making the necessary changes to the virtual machine, convert the virtual machine back to a template
- VMware hardware version comparison