Transitioning to the 2017 Hands-on Labs

As we prepare to get the latest labs out to you after VMworld, we want to make sure you are prepared for what’s to come. The process is similar to what we have done in years past: we will start rolling out a few labs after VMworld in Las Vegas, with the majority coming after VMworld in Barcelona.

As the new labs in the 2017 catalog get released, their 2016 counterparts will be placed in the HOL Archives catalog. The catalog can be found at the bottom of the list.

One thing to note is that once the 2016 labs are placed in the archive catalog, you will likely need to wait a bit longer for your lab to start; make sure the Lab Status indicates ‘Ready’ in green before proceeding with your lab.

As a reminder, in order to make room for all this great new content, we will have to retire the 2016 catalog and that will happen on December 1st, 2016. For those of you that may be planning to use our HOL-in-a-Box service for upcoming events, make sure you keep those dates in mind and transition any events to the 2017 labs prior to that date!

Finally, to help you find the lab replacing a 2016 SKU, you can use the table below to find the 2017 SKU that most closely matches it. For the most part, the 2017 SKU lines up with the same content that was in the 2016 SKU. Where there was no direct match, review the Notes column to see where that content was moved to.

HOL-16XX SKU | HOL-16XX Title | HOL-17XX Match | HOL-17XX Title | Notes
HOL-CHG-1695 | vSphere 6 Challenge Lab | HOL-1704-CHG-2 | vSphere 6 Challenge Lab |
HOL-HBD-1681 | VMware vCloud Air – Jump Start for vSphere Admins | HOL-1781-HBD-1 | VMware vCloud Air – Jump Start for vSphere Admins |
HOL-HBD-1682 | VMware vCloud Air – Networking & Security | HOL-1781-HBD-2 | VMware vCloud Air – Data Center Extension |
HOL-HBD-1683 | VMware vCloud Air – Manage Your Cloud | HOL-1781-HBD-3 | VMware vCloud Air – Manage Your Cloud |
HOL-HBD-1684 | VMware vCloud Air Disaster Recovery | HOL-1781-HBD-4 | VMware vCloud Air Disaster Recovery |
HOL-HBD-1685 | Insider Look at the Technology for How VMware Delivers Hands-On Labs | HOL-1781-HBD-5 | VMware Learning Platform: How You Can Deliver Your Own Hands-On Labs |
HOL-HBD-1686 | VMware vCloud Air Data Services | No Replacement | | Product EOA May 6th, 2016
HOL-MBL-1650 | What’s New with Horizon 7 | HOL-1751-MBL-1 | Introduction to Horizon 7: Virtual Desktop and Apps |
HOL-MBL-1651 | Advanced Technical Concepts of Horizon 6 from A to Z | HOL-1751-MBL-1 | Introduction to Horizon 7: Virtual Desktop and Apps | This is the best place to start for Horizon 7 content, but the 1651 content is spread throughout lab SKUs HOL-1751-MBL-1 – 6
HOL-MBL-1652 | Secure Delivery and Management of the Transforming Desktop | HOL-1751-MBL-6 | Horizon 7 Advanced Concepts | Closest match, but some content from 1651 is in HOL-1751-MBL-4
HOL-MBL-1653 | Advanced Concepts of VMware Workspace Portal | HOL-1753-MBL-1 | VMware Identity Manager 2.6: Application Management and Delivery | Workspace EOA and replaced with Identity Manager
HOL-MBL-1654 | Application Delivery and Lifecycle Management | HOL-1753-MBL-2 | User Applications: Delivery and Lifecycle Management |
HOL-MBL-1655 | Introducing Flexible Desktop Management for the Mobile User with VMware Horizon FLEX | HOL-1755-MBL-1 | Horizon FLEX from A to Z |
HOL-MBL-1656 | Horizon Air – Explore and Manage | HOL-1756-MBL-1 | Horizon Air from A to Z |
HOL-MBL-1657 | AirWatch – Introduction to Basic MDM and Console Customization | HOL-1757-MBL-1 | Introduction to AirWatch |
HOL-MBL-1658 | AirWatch – Advanced MDM, Content and Horizon Integration | HOL-1757-MBL-2 | Advanced AirWatch |
HOL-MBL-1659 | F5 Integration with VMware Mobility | HOL-1759-MBL-1 | F5 Integration with VMware Horizon Suite |
HOL-PRT-1671 | Self-service data protection using the EMC Plugin for vRealize Automation and Avamar | No Replacement | |
HOL-PRT-1672 | Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX | HOL-1723-SDC-1 | Palo Alto Networks Next-Generation Security Platform with VMware NSX |
HOL-PRT-1674 | Dell Storage presents Virtual Volumes, vSphere Metro Stretched Cluster and more | HOL-1708-SDC-2 | Virtual Volumes and Storage Policy Based Management | Dell VVOL content included in the SPBM / VVOL lab
HOL-PRT-1675 | NetApp & VMware Automation: Seamlessly Provision and Recover Tier-1 Applications | No Replacement | |
HOL-SDC-1601 | Cloud Management with vRealize Operations Standard | HOL-1701-USE-2 | vRealize Operations and vRealize Business: Optimize Compute Utilization |
HOL-SDC-1602 | vSphere with Operations Management 6: Advanced Topics | HOL-1710-SDC-3 | vSphere with Operations Management: Product Deep Dive |
HOL-SDC-1603 | VMware NSX Introduction | HOL-1703-SDC-1 | VMware NSX: Introduction and Feature Tour |
HOL-SDC-1604 | vSphere Performance Optimization | HOL-1704-SDC-1 | vSphere 6: Performance Optimization |
HOL-SDC-1605 | High Availability and Resilient Infrastructure | HOL-1705-SDC-1 | Site Recovery Manager: Data Center Migration and Disaster Recovery |
HOL-SDC-1606 | Cloud 101 – Deliver your Infrastructure as a Service | HOL-1706-SDC-1 | Cloud Management Platform: Integrating the Parts |
HOL-SDC-1607 | From Beginner to Advanced Features with PowerCLI | HOL-1721-SDC-5 | vSphere Automation with PowerCLI |
HOL-SDC-1608 | Virtual SAN 6 from A to Z | HOL-1708-SDC-1 | Virtual SAN 6.2 from A to Z |
HOL-SDC-1609 | Big Data and vSphere | No Replacement | |
HOL-SDC-1610 | Virtualization 101: vSphere with Operations Management 6 | HOL-1710-SDC-1 | Virtualization 101: vSphere with Operations Management |
HOL-SDC-1611 | IT Cost Transparency with vRealize Business | HOL-1701-USE-2 | vRealize Operations and vRealize Business: Optimize Compute Utilization | No direct replacement, but Module 5 in HOL-1701-USE-2 comes the closest.
HOL-SDC-1613 | IT Outcomes Overview | HOL-1706-SDC-6 | Guide to SDDC: VMware Validated Designs | Use VMware Validated Designs
HOL-SDC-1620 | OpenStack with VMware vSphere and NSX | HOL-1720-SDC-1 | VMware Integrated OpenStack (VIO) with vSphere and NSX |
HOL-SDC-1621 | vRealize Automation 101: Application and Infrastructure Delivery and DevOps with Code Stream | HOL-1721-USE-1 | vRealize Automation 7 Basics |
HOL-SDC-1622 | VMware Development Tools and SDKs | HOL-1710-SDC-5 | Automate and Develop vSphere easier with a Technical Preview of vSphere Automation API and SDKs |
HOL-SDC-1624 | VMware NSX and the vRealize Suite | HOL-1706-SDC-1 | Cloud Management Platform: Integrating the Parts | Module 4 of this lab covers integrating vRA and NSX
HOL-SDC-1625 | VMware NSX Advanced | HOL-1725-SDC-1 | VMware NSX Advanced Consumption |
HOL-SDC-1627 | VMware Software Defined Storage – Advanced Topics | HOL-1708-SDC-2 | Virtual Volumes and Storage Policy Based Management |
HOL-SDC-1628 | VMware EVO:RAIL Introduction | HOL-1728-SDC-1 | VxRail Introduction |
HOL-SDC-1630 | Cloud-Native Apps: Bringing Microservices and Containers to the Software-Defined Data Center | HOL-1730-USE-1 | vSphere Integrated Containers |
HOL-SDC-1631 | vSphere Optimization Assessment | HOL-1701-SDC-1 | Introduction to the vSphere Optimization Assessment |
HOL-SDC-1632 | vRealize Automation Advanced: Integration and Extensibility | HOL-1721-USE-2 | vRealize Automation 7 Advanced |

The post Transitioning to the 2017 Hands-on Labs appeared first on VMware Hands-On Lab (HOL) Blog.

Updated Windows Operating System Optimization Tool Guide

By Jason Bassford, Technical Marketing Manager, End-User-Computing Technical-Marketing Center of Excellence, VMware

The VMware OS Optimization Tool (OSOT), a VMware Fling, helps optimize the performance of Windows-based virtual desktops used with View in VMware Horizon 7, VMware Horizon Air Cloud-Hosted Desktops and Apps, and VMware Horizon Air Hybrid-Mode.

The recently published update of the VMware Windows Operating System Optimization Tool Guide (OSOT Guide), which documents the use of the OSOT, includes several changes from the previous version of the guide.

  • Discussion of Windows optimization in general has been removed so that the OSOT Guide can focus on the OSOT itself.
  • Clarifications to procedures and user interface descriptions in many areas have been provided.
  • Features new to the OSOT since the last version of the guide have been documented.

This version of the OSOT Guide is the first major rewrite since 2015. It is accurate as of version b1057 of the OSOT, which was released in February of this year. The current version of the OSOT, released just last week, is b1080. Why is there this discrepancy?

The Pace of Development

Every month in 2016, the OSOT has received more downloads than any other End-User-Computing Fling, or indeed any other End-User-Computing document. It is now more popular and widely used than anyone imagined when it was first developed. The OSOT also gets a lot of community-driven input, and new versions are released at a relatively fast pace.

Because the OSOT is a Fling, and not formally supported by VMware Global Support Services, new components are tested before release but may still need additional description. The user interface is also in flux as feedback is received and updates are made in quick response.

The pace of OSOT development is gratifying, but it poses difficulties in providing up-to-date documentation. In addition, the OSOT Guide rewrite and refocus delayed the task of documenting some specific OSOT details.

Summary and Looking Ahead

When using the updated OSOT Guide, remember that it is documenting the OSOT as of b1057. The b1080 version of the OSOT has several new and exciting features that have been added since b1057. These include:

  • Community-based and reviewed templates.
  • A Horizon Air Hybrid-Mode template for Windows 10.
  • The ability to export a template.

Download the updated OSOT Guide to get an overview of the tool and how to use it, and refer to the OSOT Changelog to see what has been introduced since February.

I look forward to new innovations in the OSOT as we work with our community of supporters.

Feel free to send us feedback at euc_tech_content_feedback@vmware.com.

The post Updated Windows Operating System Optimization Tool Guide appeared first on VMware End-User Computing Blog.

Virtual SAN Enterprise Network Design and Implementation with Brocade

As the growth and adoption of Virtual SAN continues to expand in enterprise data centers, the demand for designs and deployments across routed (L3) networks has increased. One of the fundamental components of the software-defined data center is Virtual SAN designs and deployments which must adhere to the same requirements and demands as the other

The post Virtual SAN Enterprise Network Design and Implementation with Brocade appeared first on Virtual Blocks.

Saving Time with vROps Scheduled Reports

By: Kyle Wassink, Blue Medora

IT reporting is a common requirement in organizations, from simple one-page overviews to comprehensive analysis and forecasting. Depending on how you create these reports, it can be a time-consuming task, but it is one that can be simplified. That’s where vRealize Operations scheduled reports can help.

Creating a Report

The first step in creating a report for vROps is identifying exactly what needs to be included. Is the report for a single resource, like a mission-critical Nimble Pool or UCS Blade? Or is it for multiple layers of the stack, from the Oracle Database down into the NetApp Volume, for example? What information about the resource(s) do you care about? Do you want to display the information in a table, graph, or pie chart? Once defined, you need to create views.

Figure 1: A sample Distribution View that could be added to a vROps report.

Reports in vROps are created using “views”. Views are self-contained definitions of how to display pieces of information. For example, you could have a view that defines a list of metrics to be displayed for a NetApp Volume in table format with a summary row. To learn how to create views, visit the vROps Views blog series. Once you have identified the information you want in your report and created the necessary views, you are ready to create the report. Navigate to Content > Reports and click the green “+” icon to begin.

Figure 2: In Content > Reports, click the green “+” icon to create a new report.

Step one is providing a name and, optionally, a description. Once entered, click on the next step. In step two, drag and drop your desired views from the list on the left to the middle section. If you did your planning and view creation, this should be quick and easy! Steps three and four are optional, so we will skip them here for the sake of simplicity. Save your report.

Figure 3: Steps one and two of creating a report.

Save Time by Scheduling Delivery

At this point you have a report ready to run; now you just need to automate it. First things first, manually run your report and ensure it turns out as expected. Second, ensure you have outbound settings defined in Administration > Outbound Settings if you want to send the report to yourself (or anyone else). Next, find the report in Content > Reports, click on the “gear” dropdown and select “Schedule report…”.

Figure 4: You can schedule reports in the Content > Reports page by clicking “Schedule report…” in the dropdown menu.

In the schedule report popup, the first step is to define what resource the report will run against. Once selected, click “Next”. The “Define Schedule” step has two parts: defining the actual schedule and, optionally, defining the publish settings. In the top section, define the schedule you want the report to run on. This includes the time zone, time of day, start date, and a recurrence schedule.

Figure 5: Sample scheduled report settings.

If you want to send the report to yourself, management, or anyone else, move on to the bottom section and check “Email report”. Here you can provide the email address(es) to which the report will be sent whenever it runs. In the “Select an outbound rule” dropdown, find and select your preferred mail settings, which were configured in Outbound Settings as described earlier.

Enjoy the Automation

You’ve successfully created and automated your weekly report! No more scrambling on the weekend to put it together for the Monday meeting or remembering to email it out to the team. Repeat the process for other reports to save even more time, or download a trial of any solution from Blue Medora’s True Visibility Suite for vRealize to customize reports from within a management pack.

The post Saving Time with vROps Scheduled Reports appeared first on VMware Cloud Management.

Micro-segmentation Benchmark – NSX Securing “Anywhere” Part VI

Welcome to part 6 of the Micro-segmentation Defined – NSX Securing “Anywhere” blog series. Previous topics covered in this series include:

• Part I – Micro-segmentation Defined
• Part II – Securing Physical Environments
• Part III – Operationalizing Micro-segmentation
• Part IV – Service Insertion
• Part V – Context, Visibility, and Containment

Previous posts set the stage by introducing and defining the characteristics of micro-segmentation; showing how it has utility in the modern data center; how we might apply it to our existing software-defined and physical networks; how policy-driven NSX management may be used to deliver comprehensive security; and, that we can use physical and virtual third-party security appliances in conjunction with NSX to create a service chain and apply special processing to our vital network flows.

In this sixth part of the NSX Securing “Anywhere” blog, Chris Krueger of Coalfire Systems will preview some of our work in comprehensively benchmarking VMware NSX micro-segmentation. The Micro-segmentation Benchmark is a project being delivered by Coalfire Systems, Inc., an internationally recognized third-party assessment organization (3PAO) and leading provider of IT advisory services for security in retail, payments, healthcare, financial services, higher education, hospitality, government, and utilities. Coalfire has provided VMware with independent security validation of much of the VMware product line against regulatory compliance objectives such as HIPAA, PCI DSS, FedRAMP, FISMA, NERC CIP, CJIS, etc. through the VMware Reference Architecture Framework series of papers available on VMware Partner Exchange.

The VMware NSX Micro-segmentation Benchmark is an industry first and we hope it encourages scientific review of security products from all vendors. This post presents a preview of the upcoming “Coalfire Research and Opinion Series” paper titled VMware NSX Micro-segmentation Benchmark – A Micro-audit of NSX Threat Mitigation Effectiveness. If attending VMworld, be sure to check out session SEC10019 and Group Discussion NET10712-GD, where we will dive further into the NSX Micro-segmentation Benchmark and its findings.

Guest Co-Author – Chris Krueger, Principal, Cloud and Virtualization, Coalfire Systems, Inc., Coalfire Labs

Objectives of the NSX Micro-audit

The objectives of the NSX micro-audit are to take real-world examples of likely network topologies (network design patterns) and test them against threat scenarios taken from the playbook of actual attackers and penetration testers. Using a reference NSX installation constructed on a multi-cluster VMware ESXi 6.0 test-bed, we wanted to determine the following:

  • Does VMware NSX functionally satisfy NIST SP 800-125B recommendations VM-FW-R1, VM-FW-R2, VM-FW-R3 and VM-FW-R4?
  • Are the precepts of micro-segmentation, as defined in the complete definition, satisfied conceptually and in testing, by NSX?
  • Can real-world threats be stopped by NSX in E-W (peer transits on the L2 network) and N-S (network to network transits via L3), using industry-standard Penetration Testing tools?

In this blog, we will focus on the “heart” of the micro-segmentation benchmark: the determination of NSX’s capacity to stop real-world threats, specifically in the E-W (L2) transit direction. In the complete paper, multiple network design patterns depicting five network scenarios are explored, and the NIST SP 800-125B and micro-segmentation complete-definition topics are addressed.
Owing to the brevity of this blog, our sampling will concentrate on Design Pattern 1, the Flat Network Segment with Physical Router scenario.

Threat Simulation Methodology

Our examination and testing of the NSX technology is based on simulated exploits that depict likely malware and virus behavior in actual production network scenarios. Our testing uses the free edition of Rapid7 Metasploit, running on a Kali Linux VM. This Kali Linux VM plays the role of an already-exploited machine that is used as a pivot to attack other machines on the network(s).

Our methodology encompasses several traditional aspects of actual attack techniques used by both autonomous threats, and human-coordinated exploits. Brief review of the following cyber kill chain diagram will help illustrate our threat simulation methodology:

Our threat simulation focuses on an abbreviated attack scenario based on the Reconnaissance and Exploitation stages of the kill chain. Specifically, we:

  • Recon via the “db_nmap -v -A {IP Range}” command on the Kali Linux Metasploit console
  • Presume Weaponization and Delivery, with the particular Metasploit exploit scenario (see below) chosen with knowledge of its lethality on the target machine(s)
  • Invoke Exploitation by running the Metasploit attack and observing the results in msfconsole. Successful exploitation is evident when Metasploit drops into a Meterpreter session (SMB and Magento) or gives some other indication that the payload was delivered, in the case of the Java ARA
  • Abort our threat simulation, with the expectation that the subsequent Installation, Command and Control and Actions on Objectives events would follow an actual Exploitation

Attack via MetaSploit Toolkit

In our particular exploitation scenarios, we instigate the events through manual use of the Metasploit console, following these basic steps:

PREPARATION / Recon (2 steps)

  • db_nmap scanner – all targets – Our Metasploit console running on Kali Linux requires a set of target hosts in its database. Pentesters typically use nmap externally, or db_nmap from within the console, to generate the list of target IPs in preparation for Metasploit exploits and other utilities. We ran db_nmap -v -A before each exploit. Results from db_nmap generally create an “early revision” of the hosts table, with a number of inaccuracies such as approximate OS versions and other details, which a tester typically corrects by loading and running the auxiliary module smb_version.
  • Auxiliary module smb_version – all targets – was used to further refine the version, language and option details on all targets. This is a customary step in many pentests to correct inaccuracies in OS typing, versions, etc. We ran auxiliary/scanner/smb/smb_version before each exploit.

EXPLOITS / Weaponization (one or several used)

We use the following exploits, which are listed here with reference information that is used to locate them in various threat databases, or is commonly the “handle” for the particular weapon.

  • Classic Worm Exploit – SMB MS08-067 Remote Code Execution
    Targeting Windows Servers and XP workstations, and possibly the most (in)famous exploit of all time for Windows machines, this vulnerability in the Windows Server service, reachable over SMB, allows remote code execution on the target machine with SYSTEM (full administrative) rights. Once exploited, the target machine is completely available for hijacking. In our SMB exploit, our Kali Linux machine acts as the infected PC and launches the exploit at the other machines in the network pattern.

Reference to this exploit is found at: https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS08-067

  • Browser-based Java AtomicReferenceArray – CVE-2012-0507 JRE Sandbox Escape
    Cross-platform (Windows, Linux, appliances, etc.) and one of the most widely exploited exposures of 2012, this exploit abuses a type-confusion flaw in the Java AtomicReferenceArray class to run code outside the Java sandbox, with the privileges of the user whose browser loaded the malicious page. Our Java attack stages the payload on the Kali Linux machine and makes it available to any vulnerable machine that browses to, or is scripted to fetch, the “URL of death.” That URL serves the poisoned JAR, which is consumed by a client with a vulnerable JRE, and the code then escapes the JRE sandbox to do its business. When the target machine (10.0.2.83 in this case) browses to the provided web server, the Metasploit console confirms delivery of the JAR with the message “Sending Java AtomicReferenceArray Type Violation Vulnerability” followed by a generated-JAR message.

The MetaSploit references for this exploit are: https://www.rapid7.com/db/modules/exploit/multi/browser/java_atomicreferencearray

  • Service-based Magento PHP Unserialize – CVE-2016-4010 Remote Code Execution
    Windows servers and workstations hosting the Magento storefront application are targeted in this prime example of an exposure being created on an otherwise secure Windows server/workstation by installing an application with a vulnerability in it. The magento_unserialize remote code execution exploit takes advantage of PHP object injection: attacker-controlled serialized data is passed to unserialize(), and the resulting object is then executed as a trusted process. Because Windows administrator-group credentials are frequently used for this kind of service install, it gives the intruder a platform for rapid compromise of the target network.

The threat profile and links for this exploit are here: https://www.rapid7.com/db/modules/exploit/multi/http/magento_unserialize

Real-world Scenario that this Threat Simulation Mimics

These exploits are representative of likely E-W threat traffic, arising from three distinct attack profiles that follow a spear-phishing attack which has successfully compromised a system on a trusted network behind a perimeter firewall. Once compromised by such an attack, our “Exploited System” (the Kali Linux Metasploit box, with other attack tools) participates in one of these attack profiles:

  • Launches a “worm exploit” and acts as the command relay for the SMB_RCE attack
  • Provides the lethal JAR payload via an Apache server on port 8080 for the JavaARA attack
  • Launches the PHP vulnerability and acts as the command relay for the Magento attack

In addition, the Kali Linux box could be expected to continue Recon operations, be used to run Denial of Service, Man in the Middle, and continue to exploit the target network(s), just as an actual attacker would.

Example of Validation Exercises and Findings from Pattern 1a and 1b Testing

The process of validation consisted of running the aforementioned Kali Linux VM-based reconnaissance (Recon) and Metasploit exploits (Exploit) against the listed servers in the Flat Network with Physical Router pattern. This test consisted of a control “a”, where no NSX protections were employed, and an NSX-protected “b” variation.

Our validation exercises and their results are illustrated with supporting screenshots of NSX consoles and of the actual VMs under test. Some test results had nuanced outcomes; in the table these appear with a yellow color code and a reference to more information in the text below the table.

Our tables use these color codes, with the meanings described:

KEY

Unimpeded – No action of NSX on the network flow
NSX Controlled – NSX firewalled the network flow
NSX Controlled w/ caveat – NSX modified the network flow (nuanced outcome, shown in yellow)

Kill Chain designation matches the chart on the right

Design Patterns 1a and 1b – Flat Network with Physical Router

In the simplest configuration, our single-segment flat network topology, we observed this behavior:

NSX distributed firewall (DFW) rules were constructed to protect the E-W traffic in this environment, but left in the “Allow” action state for the control scenario 1a. Using Service Composer, Security Group SG-VDI was configured to include the exploited Kali VM, the Win8.1 VM and the Server 2003 R2 VM…

…by membership in a security policy, VDI:

That policy contained the following firewall rule, applied to the E-W traffic patterns, which was used in the Allow action for 1a and subsequently switched to the NSX Reject (and Block) DFW action for benchmark 1b:

As shown in the results table above, the 1a behavior matched the expected result of unimpeded recon and exploitation, which the following series of screenshots shows for the actual recon and SMB exploit events performed against the nsx-svr03r2-01 VM:

Kali Linux launch of msfconsole, issuing the initial db_nmap of the target, which is the first Recon step…

…resulting in the hosts being added to the Metasploit database; after Recon step 2, the auxiliary smb_version module refines the entries with fine-grained details of the host profile(s). With accurate target host information in the database, we can proceed with the SMB exploit against the vulnerable Windows target…

…to which we now have unfettered access through the Meterpreter console. Exploitation succeeded in 1a, followed by similar success in our subsequent JavaARA and Magento exploits.

Scenario 1b begins by changing our firewall rule to Reject, which immediately eliminates all access to the target machines: ping gets this “Destination Host Prohibited” response, and the reconnaissance db_nmap and auxiliary smb_version Metasploit activities are affected the same way:

All subsequent exploits are impossible without useful recon. Even if a hosts table is constructed by other means, the exploit similarly fails without E-W access to the target:
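The color key above and the 1a/1b results rest on one observable: what a TCP connection attempt from the compromised VM gets back. The following is an added example, written for this post and not part of Coalfire’s or VMware’s benchmark tooling, that turns that observable into the key’s categories. A completed connect is “Unimpeded”; a TCP RST (the OS reports ECONNREFUSED) or an ICMP “destination host prohibited” (EHOSTUNREACH/ENETUNREACH) is what a DFW Reject rule produces; a silent drop, which is what a Block rule produces, shows up only as a timeout. The loopback listener in demo() is a stand-in target so the script runs offline; the 10.0.2.83 addresses in the trailing comment are the post’s lab values, and the port list is assumed.

```python
# Added example (not Coalfire's or VMware's code): classify what an attacker-side
# TCP probe sees into the benchmark's color key.  Real target addresses and
# ports (e.g. the post's 10.0.2.83) are only referenced in comments; demo()
# uses a loopback listener so the script runs offline.
import errno
import socket
from typing import Dict, Iterable, Optional, Tuple

UNIMPEDED = "Unimpeded"                 # connect() completed: no DFW action on the flow
REJECTED = "NSX Controlled (Reject)"    # a RST or ICMP admin-prohibited came back
BLOCKED = "NSX Controlled (Block)"      # nothing came back before the timeout


def classify(exc: Optional[BaseException]) -> str:
    """Map the outcome of one TCP connect() attempt to the benchmark key.

    A DFW Reject rule answers the probe: TCP flows get a RST, which the OS
    reports as ECONNREFUSED; other flows get an ICMP "destination host
    prohibited", reported as EHOSTUNREACH/ENETUNREACH.  A Block rule drops
    the packet silently, so the only evidence is a timeout.  At this layer a
    closed port on an unprotected host looks exactly like Reject, so a RST
    alone does not prove that a firewall is in the path.
    """
    if exc is None:
        return UNIMPEDED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return BLOCKED
    if isinstance(exc, ConnectionRefusedError):
        return REJECTED
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return REJECTED
    return "Error (%s)" % exc.__class__.__name__


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect() from the 'exploited' VM to a target service."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def audit(targets: Iterable[Tuple[str, int]], timeout: float = 2.0) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair and return a results table keyed by target."""
    return {(host, port): probe(host, port, timeout) for host, port in targets}


def demo() -> Tuple[str, str]:
    """Offline 1a/1b stand-in: a loopback listener plays the target.

    1a: the listener is up and nothing rejects the flow -> Unimpeded.
    1b: the listener is torn down; the kernel answers the next SYN with a
        RST, the same signature a DFW Reject rule produces -> NSX Controlled (Reject).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))   # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        before = probe("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    after = probe("127.0.0.1", port, timeout=1.0)
    return before, after


if __name__ == "__main__":
    print(demo())
    # In the lab you would run something like the following from the Kali VM,
    # once with the rule on Allow (1a) and once on Reject (1b); the port list
    # here is an assumption, not the benchmark's:
    #   audit([("10.0.2.83", 445), ("10.0.2.83", 80)])
```

The distinction the classifier draws is the practical difference between the two DFW actions the post tests: Reject gives the attacker an immediate, unambiguous answer that something in the path refused the flow, while Block leaves recon tools waiting for a timeout with no evidence of a policy at all.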

Summary and Conclusion

The purpose of our review of the VMware NSX networking and security platform was to sort out the facts from the hype in an actual “micro-audit”, where we could present representative E-W/N-S threats against typical network topologies (patterns) and scientifically measure the results. As stated in our “Objectives” section, we wanted to know whether NSX functionally satisfied the NIST SP 800-125B recommendations VM-FW-R1 through VM-FW-R4 and the defined precepts of micro-segmentation, and whether real-world threats could be prevented when launched using actual hacking/penetration testing tools.

In the abbreviated sample based on design pattern 1a/b provided in this blog, our findings were:

  • NSX provided significant distributed firewall (DFW) protection against E-W threats in design pattern 1a/b testing
  • Policy-based controls, tight integration with VMware objects and metadata, tools like Service Composer, and the support provided by flow tracing and other tools made deployment and operation of NSX very easy and efficient
  • The firewall actions “Block” and “Reject” deliver granular control over threat scenarios relevant and representative of modern attack-surface exploitation; note that Reject answers the attacker with a TCP RST or ICMP unreachable, which reveals that a policy is in place, whereas Block drops silently and appears to the attacker only as a timeout

We hope you found this sample tantalizing and encourage you to read the complete paper to get the final word on our micro-segmentation benchmark results. The complete report will include five benchmarked network design patterns, service insertion scenarios, ALG / stateful flow control validation, more comprehensive coverage of NIST recommendation adherence, and much more.

The post Micro-segmentation Benchmark – NSX Securing “Anywhere” Part VI appeared first on The Network Virtualization Blog.

New Virtual SAN 6.2 Performance Record with Intel SSD P3520 Series

WOW!!! I just learned about an incredible piece of information with regards to Virtual SAN and some record breaking performance. This is something that current and potential Virtual SAN customers should be able to love and appreciate. Intel continues to push the boundaries of Virtual SAN with their technologies and flash devices. Last year they

The post New Virtual SAN 6.2 Performance Record with Intel SSD P3520 Series appeared first on Virtual Blocks.

vRealize Operations 6.3: What’s New, Hint it just got even better

VMware vRealize Operations (a.k.a. vROPS) 6.3 became generally available (GA) this week on August 23rd and is now available on vmware.com.

vRealize Operations is now accessible to customers of all sizes with the new vRealize Operations Standard per-CPU SKU, and is fully extensible with comprehensive access to Blue Medora Management Packs. Check out the vRealize Operations webpage for more information.

The new vROPS 6.3 update includes enhancements to product stability, performance, and usability. The update includes a new Home dashboard, new and improved Distributed Resource Scheduler (DRS) and Workload Placement (WLP) dashboards, vSphere 6.x hardening and compliance, and many other new features.

vRealize Operations is available as follows:

  1. as part of vRealize Suite (Standard, Advanced and Enterprise)*
  2. as part of the vCloud Suite (Standard, Advanced and Enterprise)*
  3. as part of the vSphere with Operations Management Enterprise Plus (vSOM ENT+)
  4. a-la-carte on a per VM/OS instance basis
  5. NEW! a-la-carte on per CPU basis for Standard edition only

*Note: vRealize Suite and vCloud Suite do not include VCM. VCM is only available as part of vROPS a-la-carte

New Home Dashboard

The updated Home dashboard is simpler and more powerful. It offers a succinct view of what needs to be addressed, ties each item to actionable recommendations, and lets you resolve problems without leaving the dashboard.

Actions can be triggered directly from the list of alerts on the Home dashboard. For an action to appear in the alert list, it must be included in the first recommendation of the alert definition.

New DRS Cluster Dashboard

The new DRS cluster dashboard visualizes DRS settings across the environment, including the DRS automation level and migration threshold. vROPS 6.3 can now visualize workload utilization across CPU and memory, identify and resolve hosts that are not sufficiently balanced within a cluster, and identify and resolve cluster contention. DRS will then move workloads automatically to relieve the contention.

The Visualize Workload Utilization view can be displayed across different dimensions:

  • Default – Highest Workload CPU or Memory
  • CPU Only
  • Memory Only
  • vSphere Limits

The Rebalance Action still balances across both CPU and Memory.

vSphere 6.x hardening (NEW)

vROPS 6.3 now includes vSphere 6.x hardening for:

  • ESXi
  • vCenter server
  • VMs (3 risk profiles. Profile 1 is the MOST strict.)
  • Network
    • vSphere Distributed Port Group
    • vSphere Distributed Switch

The hardening effect is based upon the latest Hardening Guides, found at http://www.vmware.com/security/hardening-guides.html

  • Coverage is approximately 93% (as per engineering)
  • Coverage is approximately 90% (from 61% as per engineering)

This enhancement adds more security to vSphere with the addition of vROPS 6.3.

vROPS 6.3 vSphere 6.x hardening increases the number of hardening checks and adds more conditions to check for, including:

  • ESXi – 12 more
  • vCenter server – 1 new
  • VMs – 3 more
  • Network
    • vSphere Distributed Port Group – 13 new
    • vSphere Distributed Switch – 2 new

To turn on vSphere hardening, go to the initial policy configuration wizard.

  1. Re-run the policy configuration wizard from:
    Administration –> Solutions –> VMware vSphere –> Define Monitoring Goals
  2. Apply the vSphere Hardening Guide policy to the policy you are editing
    • By performing a policy override of its settings using the vSphere Hardening Guide policy (Step 2 in the Policy editor)
  3. Enable the desired hardening alerts in the policy
    • By selecting the alerts and setting them to enabled (Step 6 in the Policy editor)

Other notable enhancements in vRealize Operations 6.3 include:

  • SDDC Health Dashboard monitors the VMware SDDC stack components
  • Enhanced UI / UX Visuals
  • SNMP Notification Filters

Summary of What’s New

  • More Actionable UX & WLP/DRS enhancements:
    • New Recommended Actions landing page
    • Configure DRS from vROPs w/ Cluster/DRS Dashboard
    • Data Collection Notification Toolbar
    • Actions directly from Workload Utilization Dashboard
    • Simplified vSphere Config Steps
  • Improved LI Integration:
    • LI MP Installed OOTB
    • Improved LI/vROPs Alerting
  • Enhanced vSphere Monitoring:
    • Support vSphere 6.0 Hardening Guide
    • vROPs/vSphere SDDC Health Monitoring Dashboards
  • Packaging update:
    • New per CPU licensing for vROPs STD
    • Blue Medora management pack bundles aligned with vROPS editions
  • General enhancement:
    • Filtered SNMP Trap Alert Notifications
    • Enhanced SuperMetric capabilities
    • Reduction in default Metrics Collected
    • New API Programming Guide

For more information on these features, please see the vROPs 6.3.0 documentation.

Useful Links

  • Download Landing Page
  • Documentation Landing Page
  • Release Notes

The post vRealize Operations 6.3: What’s New, Hint it just got even better appeared first on VMware Cloud Management.

Is It Possible to Use Your VPS as a Virtual Workspace?

Converting your virtual private server into a fully functional virtual workspace can be achieved under the right circumstances. The general idea behind converting Linux into a virtual workspace is to perform the following two steps:

  1. Install and Configure the GUI
  2. Install and Connect to your VPS with VNC

The Basics of Installing a GUI

You have a couple options as far as installing a GUI for your VPS.

Let’s assume you have Ubuntu. You will want to ensure that you have the necessary resources available on your system to perform this install.

To install the full fledged Unity desktop, open your command line and type:

> sudo apt-get install ubuntu-desktop

Since this VPS is likely a low end box, you probably won’t need the extra features that come with the full fledged desktop.

If you want the GUI without bundled applications such as LibreOffice, install a lighter version of the Unity desktop using the following command:

> sudo apt-get install --no-install-recommends ubuntu-desktop

The Basics of Installing a VNC on your VPS

Now that your desktop environment is installed, let's focus on how to gain access to your new virtual workspace.

Virtual Network Computing, better known as VNC, is a connection protocol that gives a remote operator the ability to send keystrokes and mouse clicks over a network connection allowing the user to interface with a graphical desktop environment on the remote server.

In order to install VNC, simply type the following commands:

> sudo apt-get update

> sudo apt-get install tightvncserver

To complete the VNC server’s initial configuration, use the vncserver command to set up a secure password:

> vncserver

The vncserver command completes the installation of VNC by creating default configuration files and connection information for your VPS to use.

Configuring VNC on your VPS

We must tell our VNC server what commands to perform when it starts up.

These commands are located in a configuration file called xstartup. We will first need to stop the VNC server instance that is running on port 5901:

> vncserver -kill :1

Let’s now back up the original in case we need it later:

> mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

Now we can open a new xstartup file with nano or vim and insert these commands into the file so that they are performed automatically whenever you start or restart your VNC server:

#!/bin/sh

export XKL_XMODMAP_DISABLE=1
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS

# Defer to a system-wide xstartup if one is installed
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
# Load the user's X resources if present
[ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
xsetroot -solid grey
vncconfig -iconic &

# Start the GNOME desktop components in the VNC display
gnome-panel &
gnome-settings-daemon &
metacity &
nautilus &
gnome-terminal &
gnome-session &

To ensure that the VNC server will be able to use this new startup file properly, we’ll need to grant executable privileges to it:

> sudo chmod +x ~/.vnc/xstartup

To easily control our new VNC server, we should set it up as an Ubuntu service. Open a new service file in /etc/init.d with nano or vim:

> sudo nano /etc/init.d/vncserver

The first block of data will be where we declare some common settings that VNC will be referring to a lot, like our username and the display resolution.

#!/bin/bash
PATH="$PATH:/usr/bin/"
# The user whose VNC session this service manages
export USER="your-user"
# Display :1 listens on TCP port 5901 (5900 + display number)
DISPLAY="1"
DEPTH="16"
GEOMETRY="1024x768"
OPTIONS="-depth ${DEPTH} -geometry ${GEOMETRY} :${DISPLAY}"

. /lib/lsb/init-functions

case "$1" in
start)
    log_action_begin_msg "Starting vncserver for user '${USER}' on localhost:${DISPLAY}"
    su "${USER}" -c "/usr/bin/vncserver ${OPTIONS}"
    ;;
stop)
    log_action_begin_msg "Stopping vncserver for user '${USER}' on localhost:${DISPLAY}"
    su "${USER}" -c "/usr/bin/vncserver -kill :${DISPLAY}"
    ;;
restart)
    $0 stop
    $0 start
    ;;
esac
exit 0

Make this service script executable, so that you can use the commands that you just set up:

> sudo chmod +x /etc/init.d/vncserver

Now you can start your VNC server instance with the following command:

> sudo service vncserver start

Don't forget to enable the new service at boot using the following command:

> sudo update-rc.d vncserver defaults

Now you will be able to connect to your remote server using any VNC client. If you have a firewall installed on your VPS, make sure you open port 5901 in its configuration.
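Before opening port 5901 on the firewall, it is worth confirming which address the VNC display is actually listening on. The following check is an added example and not part of the original post: it classifies VNC listeners in `ss -ltn` output (a constructed sample is embedded, and the function names `vnc_listeners`, `vnc_exposed_count` and `check_live_vnc` are my own), and the comment notes tightvncserver's `-localhost` option plus an SSH tunnel as the alternative to exposing the port directly.

```shell
#!/bin/sh
# Added example (not from the original post): find VNC displays that are
# reachable from other hosts. tightvncserver listens on 5900 + display
# number, so display :1 is port 5901. Starting it with "vncserver -localhost"
# keeps the listener on 127.0.0.1; clients then reach it over an SSH tunnel
# (ssh -L 5901:localhost:5901 user@vps) instead of an open firewall port.

# Constructed sample in the layout of `ss -ltn` (not captured from a real VPS).
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       128     *:22                *:*
LISTEN  0       5       [::]:5903           [::]:*'

# vnc_listeners OUTPUT: print "<addr> <port> <local|exposed>" for every
# listening socket on a VNC display port (5900-5999).
vnc_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, p, ":")
            port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port + 0 < 5900 || port + 0 > 5999) next
            state = (addr == "127.0.0.1" || addr == "[::1]") ? "local" : "exposed"
            print addr, port, state
        }'
}

# vnc_exposed_count OUTPUT: how many VNC displays accept non-loopback clients.
vnc_exposed_count() {
    vnc_listeners "$1" | awk '$3 == "exposed" { n++ } END { print n + 0 }'
}

# check_live_vnc: run the same classification against this host's own sockets.
check_live_vnc() {
    vnc_listeners "$(ss -ltn)"
}

# Demonstrate on the constructed sample
vnc_listeners "$SAMPLE_SS_OUTPUT"
echo "exposed VNC displays: $(vnc_exposed_count "$SAMPLE_SS_OUTPUT")"
```

On the real VPS, `check_live_vnc` shows whether display :1 is bound to 127.0.0.1 or to all interfaces; only the former is safe to leave without a firewall rule.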

2.4 pre-alpha snapshots now available.

pfSense® software version 2.4 pre-alpha snapshots are now available.

pfSense 2.4 will use FreeBSD 11 as a base, and 11.0-RELEASE has not yet occurred.  There will be additional work to use 11.0-RELEASE as a base.

More work at “reduction of technical debt” is occurring in 2.4.  We have decided to not carry forward the kernel patches for Captive Portal.  Instead, it is being re-written to use stock IPFW.  That work is only about 75% complete.  Simultaneously, work is occurring to convert several subsystems (e.g. radius) to use the PEAR equivalents:

There appears to be a bug in pf (likely due to the interaction of one of our patches).  This only manifests under high usage.

New features and changes are listed here.

Full change list:

  • source and build tools
  • ports
  • FreeBSD source

Outstanding bugs/features/todo items:

  • Everything else

We advise that you do not use this on a production system yet. If you have the time and interest, we encourage you to try this on a scratch system or VM and provide feedback for any issues you find.