Maximize your bottom line...Partner with VMTraining today!

VMTraining - Certified Virtualization Expert

Partner Login

5 Day, Hands-On Bootcamp

“After taking VMware’s® Install and Configure and the DSA class, I thought I knew how to secure our virtual environment. I realized after this class how vulnerable our infrastructure is.” - Alex W, Sr. Network Administrator

If you are using any remote storage (iSCSI, NFS, Fibre Channel), this class will show how an attacker can redirect, then copy or even change information before it arrives at the destination!
Detect potential threats, how to defend and defeat them, and how to establish a solid foundation to build secure virtual data centers from the ground up.
Any regular user inside your network can take full control of your ESX hosts if they know the right exploits.
By taking control of your virtual environment a hacker could disable ALL your VMs at one time.
Prevent theft of confidential records, proprietary files, or sensitive information and ensure compliance with HIPPA, SOX, or STIG standards and regulations.

“This was some of the best training I've ever had.”
-William L.

Hacking Uncovered: VMware®

Hacking Uncovered - VMware® Ultimate Bootcamp®

Overview

A critical and often overlooked aspect of migrating to a virtualized environment is security and setting up security properly. Like physical machines, virtualization technologies are not secure “out of the box” and VMware is no exception. The Advanced Virtualization Security course focuses on “where the vulnerabilities lie” and how to reduce the attack surfaces in the virtualized environment. It goes beyond the typical security protocols administrators use to secure their environments and delves much deeper into the actual working (and short comings) of the VMware environment. Students will take a 360 degree look at the potential threats, how to defend and defeat them, and establish a solid foundation to build secure virtual data centers from the ground up.

Course Objectives

Learn the actual internal workings of VMware, and compare them to physical and virtual devices.
Discover how to securely set up port groups and VLANS.
Understand the aspect of securing failover configurations
Distinguish between Denial of Service Failovers that wide open failovers and closed failovers.
Dive deep into the different layers of security and explore features to include how traffic routes between VM’s and different hosts, common denominators of Physical and Virtual Environments, and how to make the virtual environment the most secure.
Walk away knowing how to secure a VMware environment in a DMZ and how to protect yourself from the common vulnerabilities of VMware attack surfaces from the eyes of an attacker.
Receive in depth information on how to harden you ESX environment, and comprehensively understand all aspects of how to do that.
Demonstrate their proficiency in class working on a state-of-the-art data center and performing hands-on labs to reinforce the learning objectives.
Course developed and taught by a Licensed Penetration Tester who has a long history of vulnerability audits with US National Security Teams and audits of many foreign governments.
Designed and taught from the perspective of how an attacker would get into your Virtual Environment from an attacker who has done JUST THAT!

Who Should Attend

System Administrators and Security Administrators using virtualization software.

Prerequisites

Virtual Infrastructure 3.5 Ultimate Bootcamp® or equivalent. In lieu of hands-on classroom training, an in-depth knowledge of VMware’s ESX virtualization environment is required.

Course Length

5 Days

Hacking Uncovered - VMware® Ultimate Bootcamp®

Hacking Uncovered: VMware® Course Outline*

Chapter 1 - Primer and reaffirming our knowledge

Overview
ESX Networking Components
Virtual Ethernet Adapters and How They Work.
Virtual Switches and How They Work
- Virtual Switches vis-a-vis Physical Switch
- Why The Spanning Tree Protocol is Superfluous
- What are Virtual Ports and Why Should we be Concerned?
- VMWare so-called "Uplink Ports" and their interaction with the Physical equivalent
- Concept of Port Groups - They are out of this (physical) world!
- Uplinks
- Virtual Switch Correctness
VLANs in VMware Infrastructure
NIC Teaming
- Load Balancing
Failover Configurations
Layer 2 Security Features
Managing the Virtual Network with "VirtualCenter"
File System Structure
Kernel
Processes
- When do the processes start?
- Starting and Stopping Processes
- Interacting with Processes
Account and Groups
- Password and Shadow File Formats
Linux and Unix Permissions
- Set UID Programs
Trust Relationships
Logs and Auditing

Chapter 2 - Penetration Testing 101

Overview
What is a Penetration Test?
Benefits of a Penetration test
What is the Cost of a Hack?
- Example
Current Issues
- Malware/Virus
- Active Zombies
- Hash Collisions
- SQL Injection
- Identity Theft
- Social Engineering, EXploits and Chained Exploits
- Chained Exploit Example
The Evolving Threat
Pen Testing Methodology
Types of Tests
Website Review
Common Management Errors
It's not Just about the Tools!

Chapter 3 - Routing and the Security Design of VMware

Overview
Security of Routing Data
How traffic is routed Between Virtual Machines on ESX host

Different vSwitches, same port group and VLAN

Same vSwitch, different port group and VLAN
Same vSwitch, same port group and VLAN

Security Design of the VMware Infrastructure 3 Architecture
VMware Infrastructure Architecture and Security Features
- Virtualization Layer
- CPU Virtualization
- Buffer overflow
- Memory Virtualization
- Virtual Machines
- Service Console
- Virtual Networking Layer
- Virtual Switches
- Virtual Switch LANs
- Virtual Ports
- Virtual Network Adapters
- Virtual Switch Isolation
- Virtual Switch Correctness
- Virtualized Storage
- SAN Security
- VMware Virtual Center

Chapter 4 – Information Gathering, Scanning and Enumeration

Overview
What information does the hacker gather?
Methods of Obtaining Information
Footprinting Defined
- Maltego
- Firefox Add
Google Hacking
Introduction to Port Scanning
Port Scanning Tools
- NMAP
- TCP Connect Port Scan
- Half-Open Scan
- Firewalled Ports
- Service Version Detection
- Additional NMAP Scans
- UDP Scans
Enumeration Overview
- Web Server Banner Grabbing
- Telnet
- SuperScan4
- SMTP Server Banner
- DNS Enumeration
- Zone Transfers
- Backtrack Tools
- Active Directory Enumeration
- LDAP miner
- Null Sessions
- Enumeration with Cain and Abel
- NAT Dictionary Attack Tool
- THC-Hydra
- Cool Stuff with Cain

Chapter 5 – DMZ Virtualization

Overview
Virtualized DMZ Networks
Typical Virtualized DMZ
Three Typical Virtualized DMZ Configurations
- Partially Collapsed DMZ with Separate Physical Trust
- Zones
- Partially Collapsed DMZ with Virtual Separation of Trust
- Zones
- Fully Collapsed DMZ
Best Practices for Achieving a Secure Virtualized DMZ Deployment
- Harden and Isolate the Service Console
- Clearly Label Networks for each Zone within the DMZ
- Set Layer 2 Security Options on Virtual Switches
- Enforce Separation of Duties
- Use ESX Resource Management Capabilities
- Regularly Audit Virtualized DMZ Configuration

Chapter 6 – Remote DataStore Security

Overview
Mask and Zone SAN Resources
- LUN Masking
- SAN Zoning
- Port Zoning
- Hard and Soft Zoning
- WWN Zoning
Classes of Attacks against SANs
Fiber Channel

Fiber Channel – Security Protocol
ESP over Fiber Channel
DH-CHAP
Switch Link

Attacking Fiber Channel
Securing iSCSI, iFCP and FCIP over IP networks

Chapter 7 – Penetration Testing and the Tools of the Trade

Overview
Vulnerabilities in Network Services
Vulnerability Assessment Scanners
- Nessus
- Saint
Windows Password Cracking
- Syskey Encryption
- Cracking Techniques
- Cryptanalysis
Disabling Auditing
- Clearing the Event Log
Alternate Data Streams
- Stream Explorer
Encrypted Tunnels
Port Monitoring Software
Rootkits
Metasploit
Fuzzers
SaintExploit
Core Impact
Penetration Testing Tool Comparison
Wireshark
ARP Cache Poisoning
- Cain and Abel
- Ettercap
- Breaking SSL Traffic
Hash Algorithm
- MD5 Hash Collisions

Chapter 8 – Hardening your ESX Server

Overview
Hardening Your ESX Server
ESX Best Practices

Virtual Machines
Secure Virtual Machines as You Would Secure Physical Machines
Disable Unnecessary or Superfluous Functions
Take Advantage of Templates
Prevent Virtual Machines from Taking Over Resources
Isolate Virtual Machine Networks
Arp Cache Poisoning
VM Segmentation
Minimize Use of the VI Console
Virtual Machine Files and Settings
Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
Limit Data Flow from the Virtual Machine to the Datastore
SetInfo Hazard
Do Not Use Nonpersistent Disks
Ensure Unauthorized Devices are Not Connected
Prevent Unauthorized Removal or Connection of Devices
Avoid Denial of Service Caused by Virtual Disk Modification Operations
Specify the Guest Operating System Correctly
Verify Proper File Permissions for Virtual Machine Files
Configuring the Service Console in ESX 3.5
Configure the Firewall for Maximum Security
Limit the Software and Services Running in the Service Console
Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console
Use a Directory Service for Authentication
Strictly Control Root Privileges
Control Access to Privileged Capabilities
Establish a Password Policy for Local User Accounts
Do Not Manage the Service Console as if it were a Linux Host
Maintain Proper Logging
Establish and Maintain File System Integrity
Secure the SNMP Configuration
Protect against the Root File System Filling Up
Disable Automatic Mounting of USB Devices

Best Practices ESXi

Configuring Host-level Management in ESXi 3.5
Strictly Control Root Privileges
Control Access to Privileged Capabilities
Maintain Proper Logging
Establish and Maintain Configuration File Integrity
Secure the SNMP Configuration
Ensure Secure Access to CIM
Audit or Disable Technical Support Mode

Configuring the ESX/ESXi Host

Isolate the Infrastructure-related Networks
Configure Encryption for Communication between Clients and ESX/ESXi
Label Virtual Networks Clearly
Do Not Create a Default Port Group
Do Not Use Promiscuous Mode on Network Interfaces
Protect against MAC Address Spoofing
Secure the ESX/ESXi Host Console
Mask and Zone SAN Resources Appropriately
Secure iSCSI Devices through Authentication

VirtualCenter

Set Up the Windows Host for VirtualCenter with Proper Security
Limit Administrative Access
Limit Network Connectivity to VirtualCenter
Use Proper Security Measures when Configuring the Database for VirtualCenter
Enable Full and Secure Use of Certificate-based Encryption
VirtualCenter Server Certificates Replacement
Pre-Installation
During Installation
Post-Installation
Use VirtualCenter Custom Roles
Document and Monitor Changes to the Configuration
VirtualCenter Add-on Components
VMware Update Manager
VMware Converter Enterprise
VMware Guided Consolidation
General Considerations

Client Components

Restrict the use of Linux-based Clients
Verify the Integrity of VI Client
Monitor the Usage of VI Client Instances
Avoid the Use of Plain-Text Passwords

Appendix:
The Basics of SAN Security, Part I
Increasing Security Concerns
Security Domains
- Administrator-to-Security Management Domain
- Host-to-Switch Domain
- Security Management-to-Fabric Domain
Switch-to-Switch Domain
Data Integrity and Security
- So What Is Zoning?
- Zoning Types
- Configuring Zoning Components
- LUN Masking
- Persistent Binding
- Security Technologies
- Host-to-Fabric
- Summary and Conclusions
Security Management Part 2
Fibre Channel Security Management
Authentication and Authorization
Configuration Management
SAN Access
SAN Security Benefits
Host-Based and Switch Based Mapping
Controller-based Mapping
WWN Privileged Access
Redundancy
Management
Summary and Conclusions
Appendix 1 – Malware
Distributing Malware
Malware Capabilities
Netcat
- Netcat Switches
Executable Wrappers
Avoiding Detection
BPMTK
Appendix 2 – SQL Injection
What is SQL Injection?
Why SQL Injection?
Attacking Database Servers
- SQL Ping2
- osql.ex

Hacking Uncovered - VMware® Class Comments

"I was never instructed on how to take a test, I was taught how to penetrate a network. With what I have learned in the class I have no doubt that I will pass the certification."

"This was some of the best training I've ever had."

"This guy is the Darth Vader of the network world. I'm glad he's on our side since this was a security course. He was amazing and bar far the best instructor we've seen here. This guy is world class."

"Tim Pierson is one of the 2 best IT instructors I have ever had. It's a toss-up between him and another instructor as to who's the best. His ability to demonstrate and explain the various security issues was outstanding."

"Tim's wealth of security knowledge and real world experience made this an exceptional learning experience. His demonstrations got our attention and proved just how dangerous the IT world can be."

"Excellent Instructor!"

"Tim Pierson did an outstanding job, he demonstrated very deep understanding of the subject and did an excellent job presenting the material in a manner which made it easy to understand."

"I understand this was a beta course. For the most part, I loved the class. The only thing the course needs is a bit of fine-tuning to work out the pace. The amount of material in the guides could easily cover five days. Also, I think the lab machines should be pre-configured to allow more lab time and less "setup" time, especially if the class is to remain a three day class."

Hacking Uncovered - VMware® Instructor Spotlight

Tim Pierson

Tim Pierson - Security Instructor Tim Pierson has been a technical trainer for the past 23 years and is an industry leader in both Security and Virtualization. He has been the noted speaker at many industry events including Novell's Brainshare, Innotech, GISSA, many military venues including the Pentagon, and numerous nuclear facilities addressing security both in the US and Europe.

He is a contributor to Secure Coding best practices and Co-author of the Global Knowledge Windows 2000 bootcamp. His current projects include contributing author of "VMware Virtual Infrastructure Security: Securing ESX and the Virtual Environment" to be released April 2009 by Pearson publishing and has done work for the bi-monthly Virtualization Security Roundtable Podcast available as a download on iTunes and Talk Shoe as well as the Featured Speaker on Secure Coding and Virtualization Practices at Hacker-Halted in Miami September 2009 and the Hacker-Halted in Kuala Lumpur Malaysia in November 2009.

"I have always been on the defense when it comes to security; it seems to always be a game of catch up. Since I have little understanding of the attack or the vulnerability; I am at the mercy of the patch and coder that wrote it. With this deficiency in my background I needed more information on what the exploits are and the frame of mind on the person creating them."

"I was introduced to Tim my instructor who was also presented as a professional penetration tester and security expert...A class is only as good as the instructor. If I am able to stump the instructor on my first day, then I usually lose confidence in the class. Tim was right on the money with anything that I threw at him. He knew the industry and was current with security practices and procedures. Tim’s best asset was the ability to think out of the box to exploit secure networks and the people that maintain them."

"The atmosphere was professional and light hearted in that I was able to freely ask questions. Tim was able to keep the whole class involved with questions and stories from his experiences. Students would also give input from situations that they experienced in the past."

"I learned the methodology on the exploits that I was performing. I learned how to exploit web pages, web servers, Windows and UNIX environments. I was taught networking concepts (LAN, WAN) and different packet exploits. The Lab environment was sound and real world. Most importantly is that the labs worked. I cannot tell you how many times in training the labs did not produce the required results. We would then go over the labs to see what was happening and learn the concepts that went into the exploit."

"By the third day I had enough training to change the way I looked at a network. The class was changing the way I saw a network. I was not just learning about an exploit, I wanted to know how to modify it. I was not thinking like a security specialist, I was thinking like a penetration tester. This was the most important thing that I took away from this class. I would go back to my hotel thinking about my own enterprise environment. I would cringe at potential vulnerabilities that I might have. I was introduced to a frame of mind, not a tool set."

"After the lecture Tim took time out of his lunch to show me more code. All I had to do was ask, Tim was happy to answer all my questions. By looking at exploits and vulnerabilities I am now better able to secure my corporate environment."

"After taking this class I have an opportunity to take the CPTS test and become certified. The problem with many certification classes is that they tend to teach you how to pass a test. I was never instructed on how to take a test, I was taught how to penetrate a network. With what I have learned in the class I have no doubt that I will pass the certification."

"I now have a better understanding on what I am up against to secure my corporate computing environment."

-Tim Gallagher, Systems Engineer (excerpt)

VMTraining Hacking Uncovered - VMware® Ultimate Bootcamp®

For more information, to schedule a class, or students who wish to get information about attending or request a class in a specific location, please contact our Sales Department at (815) 715-8443.