Oct 14, 2009
HyTrust Appliance Fills in Single Sign-on Gap for VMware
Eric Siebert, Contributor
Until recently, virtualization administration security had no single
sign-on product. The HyTrust Appliance (HTA) was designed to fill this
gap as well as provide a more granular layer of security for your
virtual environment. With HTA, you eliminate the need to manage
multiple user accounts and can use a single authentication directory
for all your access methods. In many cases, too much access is assigned
to users who need to administer and interact with hosts and virtual
machines. This can lead to various problems. HTA helps prevent this by
allowing you to define specific and granular access to commands and
operations.
HyTrust's background
Founded in 2007, HyTrust is a small
company with 24 employees and is based in Mountain View, Calif. HyTrust
Appliance is currently the company's only product and focuses on
virtualization security. In April 2009, HyTrust emerged from stealth
mode and released version 1.0 of the HyTrust Appliance in May 2009.
HyTrust version 1.5 included the following updates:
- support for vSphere and all versions of ESXi;
- two-factor authentication with RSA's SecurID;
- security policy enforcement based on Payment Card Industry
Data Security Standards (PCI DSS), Comodo Internet Security (CIS) and
VMware security recommendations; and
- virtual machine (VM)-to-host and VM-to-network segment control.
The HyTrust Appliance acts as a single point of access control for
the many administration methods of your hosts and vCenter servers,
which includes the vSphere Client, Secure Shell (SSH) access to the ESX
Service Console, remote command-line interface (Remote-CLI) access to
the ESXi management console and ESX Service Console, and Web browser
access to ESX hosts and vCenter Servers.
vCenter Server provides a single access point
for ESX and ESXi hosts using the vSphere Client, but hosts can be
accessed directly, and in many cases, SSH access to an ESX/ESXi
management console is needed. When hosts are accessed directly, you
need to configure separate local accounts on each host for
administrators to use to log in. You could use the default root account
on each host, but this is not recommended as a security best practice.
Setting up unique accounts, such as using Sudo, is the preferred method, but it is time-consuming and tedious when you
have to set it up on each host server. You can configure ESX hosts to
authenticate with an external directory such as Active Directory, but
this requires additional configuration and is difficult to manage.
Enter HyTrust Appliance. It acts as an authentication
proxy. It's essentially a single sign-on application for your entire
VMware environment. It also provides authorization control and has
granular permissions that can be applied to hosts and vCenter servers.
This includes the ability to allow only certain commands (e.g.,
vmkfstools or esxtop) to be run inside the ESX server, similar to how
Sudo is used in Linux environments. In addition to configuring HyTrust
to only allow access to specific commands, you can also specify that
only certain switches can be used with the commands (e.g.,
esxcfg-vswitch -l). HTA does not require that an agent be installed on
every protected host in your environment, as it acts as the single
gatekeeper for all your protected host servers.
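The command-and-switch allowlisting described above is the same idea as a restrictive sudoers policy. The following is an added illustration of how such a check can be evaluated; it is not HyTrust code, and the group names, the command lists and the policy layout are assumptions constructed for the example. It deliberately refuses any line containing shell metacharacters, since a permitted command followed by `;` or `|` would otherwise smuggle in an unpermitted one.

```python
"""Command-level authorization in the style the article attributes to HTA:
permit specific commands and specific switches per group, like sudo.
Added example, not HyTrust code. Group names, commands and switches below
are constructed assumptions, not values from a real deployment."""
import shlex

# Policy: directory group -> { command: set of permitted switches }.
POLICY = {
    "VI-NetworkAdmins": {
        "esxcfg-vswitch": {"-l", "-L", "-U"},   # list, link/unlink uplinks
        "esxcfg-nics": {"-l"},
    },
    "VI-ReadOnly": {
        "esxtop": set(),                         # no switches at all
        "esxcfg-vswitch": {"-l"},                # list only
        "vmkfstools": {"-P"},                    # query a datastore only
    },
}

# Shell metacharacters that would let a permitted command chain, redirect
# or substitute another command. Deny outright rather than try to parse.
UNSAFE = set(";|&`$<>()")


def authorize(groups, command_line):
    """Return (allowed, reason) for a user in `groups` running `command_line`.

    Rules, evaluated in order:
      1. any shell metacharacter            -> deny
      2. unparsable or empty line           -> deny
      3. command must be permitted by at least one of the user's groups
      4. every switch (token starting with '-') must be in that group's
         allowed set; "-U=vmnic0" is treated as switch "-U"
    Non-switch arguments (device names, paths) are passed through here;
    a real policy would constrain those too.
    """
    if any(ch in UNSAFE for ch in command_line):
        return False, "shell metacharacter not permitted"
    try:
        tokens = shlex.split(command_line)
    except ValueError as exc:
        return False, f"unparsable command line: {exc}"
    if not tokens:
        return False, "empty command"
    # Compare on the basename so /usr/sbin/esxcfg-vswitch matches the policy.
    cmd, args = tokens[0].rsplit("/", 1)[-1], tokens[1:]
    switches = {a.split("=", 1)[0] for a in args if a.startswith("-")}
    denials = []
    for group in groups:
        allowed = POLICY.get(group, {})
        if cmd not in allowed:
            continue
        extra = switches - allowed[cmd]
        if not extra:
            return True, f"permitted by {group}"
        denials.append(f"{group} forbids {sorted(extra)}")
    if denials:
        return False, "; ".join(denials)
    return False, f"{cmd} not permitted for any of {sorted(groups)}"


if __name__ == "__main__":
    for grp, line in [(["VI-ReadOnly"], "esxcfg-vswitch -l"),
                      (["VI-ReadOnly"], "esxcfg-vswitch -L vmnic1 vSwitch0"),
                      (["VI-ReadOnly"], "vmkfstools -P /vmfs/volumes/ds1; id")]:
        print(grp, repr(line), "->", authorize(grp, line))
```

A user holding several groups is allowed if any one of them permits the exact command and switch combination; the reason string names the group that granted it or lists the switches each candidate group refused, which is the detail an auditor wants in the deny log.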
HyTrust Appliance and your network
Before you
can use the HyTrust Appliance, you may need to reconfigure your network
topology; this architecture relies on physical network segregation of
your host management network and vCenter Servers from the rest of your
network. The proper configuration to use with the appliance is to put
your ESX service console and ESXi management console networks onto
their own isolated network so no other servers or users have access to
it.
While it is possible to do so with virtual local area
networks (VLANS) and network access lists, the recommended method is to
physically isolate this network on its own network switches instead.
Doing so is a best practice even if you don't use HTA; physical
segregation of your host management networks is a general security best
practice. After you isolate your host management networks, HTA acts as
a bridge between the isolated network and the remainder of your
network. It can also act as a proxy server for users to access your
host servers.
How HyTrust works
So how does it all work? Basically, the HyTrust Appliance acts as a
middleman: it intercepts requests destined for the hosts in the
protected network and analyzes them. It first checks credentials to
ensure that requests are authenticated and then checks to see if they
are authorized for the task or operation that they are trying to
perform. For SSH sessions to host servers, the appliance terminates the
client connection and opens a new connection from the appliance to the
destination host on behalf of the client. By doing this, it can control
access to what the client can do inside the host and which commands can
run. The same is true for vSphere client connections as the appliance
will not allow commands to run that a client is not authorized to
perform.
What the HyTrust Appliance does is act as a Layer-2
network bridge and inspects all packets traveling through it. If the
connection is destined to an ESX/ESXi host or vCenter Server that it is
protecting and is on one of the management ports (80, 443, 22, 902,
903), then the appliance passes the connection to its proxy and
manages it. If the connection does not meet both criteria then it
simply passes it on.
In essence, HTA acts as both a Layer-2 and a Layer-5
proxy simultaneously. Since the HTA acts as a gatekeeper you might
wonder: what if someone simply hops the fence (plugs directly into the
protected network) and tries to access a host bypassing the appliance
altogether? The appliance implements an extra layer of defense to
prevent this from happening by configuring the host server's built-in
firewall that protects the management console to only allow connections
from specific IP addresses, which include the HTA and any host or
vCenter Server that is protected by the appliance. Simply put, all
other IP addresses are blocked from accessing the management console
and must go through the appliance.
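The two layers just described compose: the bridge decides which connections it proxies, and the host firewall makes sure a connection that never passed through the appliance is refused. The model below is an added example, not HyTrust code; the addresses, the `Gatekeeper` class and its outcome labels are constructed for illustration, while the port list is the one the article gives. It shows why the "hop the fence" case fails even though the bridge never saw the packet.

```python
"""Model of the two enforcement layers the article describes: the in-line
Layer-2 bridge that proxies management traffic to protected hosts, and the
per-host firewall that only admits the appliance and other protected nodes.
Added example, not HyTrust code; every address below is constructed."""
import ipaddress

# Management ports the article says the bridge hands to its proxy.
MGMT_PORTS = {22, 80, 443, 902, 903}


class Gatekeeper:
    def __init__(self, appliance_ip, protected_ips):
        self.appliance = ipaddress.ip_address(appliance_ip)
        self.protected = {ipaddress.ip_address(h) for h in protected_ips}

    def bridge_decision(self, dst_ip, dst_port):
        """Bridge rule: proxy only when BOTH criteria hold (protected
        destination AND management port); anything else is forwarded as-is."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.protected and dst_port in MGMT_PORTS:
            return "proxy"
        return "pass"

    def host_firewall(self, src_ip, dst_port):
        """Allowlist the appliance configures on each protected host: the
        management ports accept connections only from the appliance itself
        or from another protected host/vCenter Server."""
        src = ipaddress.ip_address(src_ip)
        if dst_port not in MGMT_PORTS:
            return "accept"          # rule covers the management console only
        if src == self.appliance or src in self.protected:
            return "accept"
        return "drop"

    def evaluate(self, src_ip, dst_ip, dst_port, via_bridge=True):
        """Outcome of one connection attempt.
        via_bridge=False models a client plugged straight into the
        protected segment, i.e. bypassing the appliance altogether."""
        dst = ipaddress.ip_address(dst_ip)
        proxied = via_bridge and self.bridge_decision(dst_ip, dst_port) == "proxy"
        # A proxied session reaches the host from the appliance's address,
        # not the client's, which is what the host firewall allowlists.
        effective_src = str(self.appliance) if proxied else src_ip
        if dst in self.protected and self.host_firewall(effective_src, dst_port) == "drop":
            return "dropped"
        return "proxied" if proxied else "forwarded"


# Constructed topology: appliance bridging 10.1.1.0/24 (users) into the
# isolated management segment 192.168.100.0/24.
GK = Gatekeeper("192.168.100.2",
                protected_ips=["192.168.100.5",    # vCenter Server
                               "192.168.100.11",   # ESX host
                               "192.168.100.12"])  # ESXi host

if __name__ == "__main__":
    print(GK.evaluate("10.1.1.50", "192.168.100.11", 22))                  # proxied
    print(GK.evaluate("10.1.1.50", "192.168.100.11", 22, via_bridge=False))  # dropped
    print(GK.evaluate("10.1.1.50", "10.1.1.80", 22))                        # forwarded
```

The third call shows the bridge leaving non-management traffic alone, and a protected-to-protected connection (for example vCenter Server reaching a host on port 902) is accepted directly because the source is itself on the allowlist.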
If HyTrust crashes
So what if the appliance or
the host it is running on crashes? Because HyTrust Appliance is a
single point of failure, you will not be able to access your hosts or
vCenter Server using any of the access methods (e.g., vSphere Client) if
this happens. Fortunately, you can use VMware High Availability so the
HTA virtual machine (VM) is brought up on another host if the current
one crashes. In the unlikely event that the VM is accidentally powered
off or crashes, however, you would need either physical access to the
host management console or to use a remote management board (e.g., HP
iLO) to restart the HTA VM. Because of this you should make sure you
know which host the VM is located on and also how to use the management
console commands (e.g., vmware-cmd) to restart the VM.
Authentication
While HTA relies on Active
Directory (AD) or Lightweight Directory Access Protocol (LDAP) user accounts
for authentication, it also uses AD groups for authorization to
determine what commands a user is authorized to perform. No schema
extensions are required for this and the HTA uses an AD user account
that needs read/write access and the ability to create child objects.
The HTA replaces the roles and permissions used in vCenter Server with
its own that are configured in the HTA user interface (UI), which then
uses AD groups to tie them to users.
HTA comes preconfigured with default roles and
permissions but you can also import existing ones into HTA from hosts
and vCenter servers. Once these roles and permissions have been
configured, you enable protection and HTA takes over for all client
requests to hosts and vCenter Server. This is all transparent to the
clients no matter what access method they use. HTA acts as a
transparent proxy, and clients do not have to do anything differently
once HTA is enabled. The only noticeable difference is that HTA
generates the deny messages for operations instead.
Having a single point of authentication for your entire
virtual environment is a great feature in itself, but HTA does more
than that. It also provides policy enforcement of security settings for
hosts with industry security templates and recommendations such as
those provided by CIS, PCI and VMware, or by creating custom ones.
Using the HTA UI you can easily assess and remediate your hosts from
your security templates and see their compliance levels.
Another useful feature that is also helpful for
compliance purposes is that the HTA logs all access methods and
operations and stores the information in an easy to read format to
provide a centralized logging system.
Implementing HyTrust Appliance
The HyTrust Appliance is available as a physical device that plugs into
your network or as a pre-built virtual machine that is supplied as an
Open Virtualization Format (OVF) template. There is an Enterprise
edition and a free Community edition that allows for management of up
to three host servers. The major requirement for using the appliance is
that it is 64-bit only, so your host server that runs the appliance
must be able to support 64-bit VMs. This applies only to the host that
the appliance will run on and not the other protected hosts. HTA
supports both ESX and ESXi hosts, versions 3.5 (VMware Infrastructure 3)
and 4.0 (vSphere), as well as vCenter Server versions 2.5 and 4.0.
Before you implement HTA, understand how the network
bridging works and how HTA functions. Because HTA essentially acts as a
network device you should be sure to involve your network team who can
help you understand what the HTA is doing from a network perspective
and how to implement it properly. You should also do some planning
prior to deploying the HTA so you understand your client access
requirements and the various user roles that will be needed.
If you plan on using the HTA for policy enforcement,
make sure you understand the changes that will be made once you start
applying policies to your hosts, as these changes are very restrictive
and will lock down your hosts.
If virtualization security and compliance are a concern
-- as they should be -- the HyTrust Appliance is a great solution to
reduce virtual security risks while cost-effectively addressing your
security and compliance issues.