HP Insight Control Server Provisioning 7.3 Update 1 Administrator Guide

Topic / Best Practice
Lowercase alphabetic character
Uppercase alphabetic character
Special character
Roles
Clearly define and use administrative roles and responsibilities; for example, the Infrastructure
administrator performs most administrative tasks.
Service Management
Consider using established practices and procedures, such as those defined by the Information
Technology Infrastructure Library (ITIL). For more information, see the following website:
http://www.itil-officialsite.com/home/home.aspx
Updates
Ensure that a process is in place to determine if software and firmware updates are available,
and to install updates for all components in your environment on a regular basis.
Virtual Environment
Most security policies and practices used in a traditional environment apply in a virtualized
environment. However, in a virtualized environment, these policies might require modifications
and additions.
Educate administrators about changes to their roles and responsibilities in a virtual environment.
Restrict access to the appliance console to authorized users. For more information, see “Restricting
console access” (page 71).
If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution
has visibility into network traffic in the virtual switch.
Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN to lessen
the effect of any VLAN traffic sniffing.
NOTE: In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be used on
a VM (Virtual Machine) guest. The VM guest can enable promiscuous mode, but it will not be
functional.
Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production
machines.
Ensure proper access controls on Fibre Channel devices.
Use LUN masking on both storage and compute hosts.
Ensure that LUNs are defined in the host configuration, instead of being discovered.
Use hard zoning (which restricts communication across a fabric) based on port WWNs
(Worldwide Names), if possible.
Ensure that communication with the WWNs is enforced at the switch-port level.
Hypervisor and virtual machine security considerations
Because the appliance is a virtual appliance, its security relies on the security of the host
hypervisor, in the same way that a physical appliance relies on the physical security of the
datacenter. Administrative access to the host hypervisor must be controlled to ensure the security
of the appliance. The appliance software image on the VM has been hardened, but to secure the
appliance the hypervisor must be configured to limit access to the virtual appliance console and
virtual hard drive (VMware vmdk file or Hyper-V vhd file).
Creating a login session
You create a login session when you log in to the appliance through the browser or some other
client (for example, using the REST API). Additional requests to the appliance use the session ID,
which must be protected because it represents the authenticated user.
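One way a REST client can keep the session ID contained and end the session when it finishes, shown as an added example that is not from the guide or from HP. The login path, header name, JSON field names and the /rest/example resource are assumptions, and FakeAppliance is a constructed stand-in so the code runs offline.

```python
import contextlib

# Assumed values, not taken from the guide: confirm the path, header name and
# JSON field names against the appliance's REST API reference.
LOGIN_PATH = "/rest/login-sessions"
SESSION_HEADER = "Auth"


@contextlib.contextmanager
def login_session(send, user, password):
    """Log in, yield an authenticated request function, and always log out.

    send(method, path, headers, body) is a caller-supplied HTTPS transport
    that returns the decoded JSON reply as a dict.
    """
    reply = send("POST", LOGIN_PATH, {}, {"userName": user, "password": password})
    session_id = reply["sessionID"]

    def request(method, path, body=None):
        # The session ID stays inside this closure; callers never handle it.
        return send(method, path, {SESSION_HEADER: session_id}, body)

    try:
        yield request
    finally:
        # End the session even if the caller's code raised, so the ID does
        # not stay valid until the idle timeout expires.
        send("DELETE", LOGIN_PATH, {SESSION_HEADER: session_id}, None)


class FakeAppliance:
    """Constructed in-memory stand-in so the example runs offline."""

    def __init__(self):
        self.active = set()
        self.issued = 0

    def send(self, method, path, headers, body):
        if (method, path) == ("POST", LOGIN_PATH):
            self.issued += 1
            sid = "constructed-session-%d" % self.issued
            self.active.add(sid)
            return {"sessionID": sid}
        sid = headers.get(SESSION_HEADER)
        if sid not in self.active:
            raise PermissionError("no valid session")
        if (method, path) == ("DELETE", LOGIN_PATH):
            self.active.discard(sid)
            return {}
        return {"path": path, "ok": True}
```

In real use, replace FakeAppliance.send with a transport that verifies the appliance's TLS certificate, since the session ID travels in a request header.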
When using the REST API, you should set the session idle timeout to a shorter duration or use the
default duration of 24 hours and be sure to log out and end the session when done. The screen