Manualshelf

HP Insight Control Server Provisioning 7.2 Administrator Guide

ManualsBrandsHP ManualsSoftwareHP Insight Control including 1yr 24x7 Technical Support and Updates Single Server License
31323334353637383940
modifications and additions. Following are numerous security practices recommended by HP in a
virtualized environment. This is only a partial list as differing security policies and implementation
practices make it difficult to provide a complete and definitive list. However, this list will serve as
a good starting point.
Use a separate deployment network. For security and performance reasons, HP recommends
the following:
Establishing a private deployment network separate from the production network
Granting only administrators access to the deployment network
Using a firewall to restrict traffic into the deployment network
Restrict access to the appliance console to authorized users. See “Restricting console access
(page 30) for more details.
Eliminate or disable nonessential services in the management environment. Configure all host
systems, management systems, and network devices so that nonessential services are either
eliminated or disabled, including networking ports when not in use. This can significantly
reduce the number of attack vectors in your environment. The appliance is already configured
this way.
Ensure a process is in place to periodically check for and install patches for all components
in your environment.
Security policy and processes must address the use of virtualization in the environment, for
example:
Educate administrators about changes to their roles and responsibilities in a virtual
environment.
If an IDS is being utilized in your environment, ensure that the IDS solution has visibility
into network traffic in the virtual switch (within a hypervisor).
Mitigate potential sniffing of VLAN traffic by turning off promiscuous mode in the hypervisor
and by encrypting traffic flowing over the VLAN.
NOTE: In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be
utilized on a VM guest (the guest can enable it, but it will not be functional).
Maintain zones of trust (DMZ separate from production machines).
Ensure proper access controls on FC devices.
Use LUN masking on both storage and compute hosts.
Ensure LUNs are defined in the host configuration rather than by discovery.
Use Hard Zoning based on port WWN if possible.
Ensure communication with the WWNs is enforced at the switch port level.
Clearly define and utilize administrative roles and responsibilities (host administrator, network
administrator, and virtualization administrator).
Many components that utilize certificates are delivered with certificates signed by the provider.
To achieve a higher level of security for these components, populate them with trusted
certificates at deployment time.
32 Security considerations