Solved

Whats the best way to secure a 1ru server running XenServer

Posted on 2014-09-07
Medium Priority
524 Views
Last Modified: 2016-11-23
Hello,

We are about to colocate a 1RU application server that's currently running XenServer. Ideally we would have the XenServer sitting behind some sort of UTM device; however, as colocation space is very limited and very expensive, we were wondering what the best way would be to secure the server so that we can access and manage XenServer and the remote server administration system (Dell iDRAC), preferably without exposing both to the internet.

We were thinking of using some form of software firewall installed as a virtual server on XenServer. However, this creates a catch-22 situation, whereby if there is something wrong with XenServer or the software firewall then we won't be able to reach iDRAC to remotely administer the server.

We would be grateful for any ideas.

Thanks
4 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40308476
You should refer to the CC EAL - see
Common Criteria Documents for XenServer 6.0.2
Common Criteria Documents for XenServer 5.6
Check out the zip Admin guide and configuration for CC evaluation - this will be handy in securing XS. One example extract using IPTABLES:
http://www.citrix.com/support/security-compliance/common-criteria.html
1. Make sure the firewall is turned on, remove the default rules, and then set up the following default
actions:
# service iptables start
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

2. On the management network, allow new incoming connections on port 443 (HTTPS) only:
# iptables -A INPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr0 -j DROP

3. On the management network, allow new outgoing connections to port 443 (HTTPS), ports 7279/27000
(licensing) and port 123 (NTP) only:
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr0 -j DROP

4. On the storage network, do not allow any new incoming connections:
# iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i xenbr1 -j DROP

5. On the storage network, allow new outgoing connections on ports related to NFS (see the section called
“Firewall on the storage network” in Common Criteria Administrator’s Guide for Citrix XenServer ® 5.6, Platinum Edition for more details):
# iptables -A OUTPUT -o xenbr1 -p udp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 111 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 2049 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p udp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -p tcp --dport 26345:26348 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o xenbr1 -j DROP

6. Finally, save the new firewall configuration and make sure it is turned on after reboot:
# service iptables save
# chkconfig iptables on
Specifically, the aim is to achieve as many of the below as possible - secure by default on its own is the bare minimum.
1. Securing the XenServer itself.
- There is another sample reference from the hardening guide, specifically not forgetting to cover the Xenserver hypervisor setting to configure PAM to limit users with access to critical services such as XAPI (or “XenAPI” is the management tool stack used in XenServer, it is the Xenserver "heart" that manages everything – all the resources in your XenServer environment)
http://www.ptsecurity.com/download/XenServer-Free-5-6-SHG.pdf

(archive maybe still be handy)
XenServer 5.0 Update 3 User Security Guide - http://support.citrix.com/article/CTX120716.

2. Securing iDRAC.
- Access them from a dedicated management network (out-of-band), e.g. avoid direct internet, use some ACLs in your router to prevent unauthorized IPs from accessing it. If you can, put it on a private IP block so this is less of an issue. Dell recommends the iDRAC port be on a physically dedicated LAN.

- Where possible, disabling as much communication between the system and the DRAC as possible will reduce your attack surface. One thing to be aware of is that local access to the DRAC requires administrative access to the OS running on the server but does not require authentication beyond that. If you're running Unix and run racadm or omconfig (or one of the IPMI tools) as root, you will have administrative access to the DRAC.
(my fear is if you have managed to get on locally, given unlimited time, the question to ask and likely possible is "can you brute force other devices on the management network". Imagine insider or attack take on that route)
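A verification script for the ruleset quoted above, added here as an example (it is not part of btan's answer or of the Citrix guide): it reads an iptables-save dump and reports where the management and storage INPUT chains deviate from the policy in steps 2 and 4, so the configuration can be re-checked after later changes. The bridge names xenbr0/xenbr1 are taken from the guide; the two sample dumps are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the Citrix guide): checks an iptables-save dump
# against the INPUT policy quoted above and returns 0 if it matches, 1 if not.
# Assumes the guide's bridge names: xenbr0 = management, xenbr1 = storage.
audit_xs_input() {
    dump="$1"; rc=0
    for br in xenbr0 xenbr1; do
        n_rules=$(grep -Ec -- "^-A INPUT .*-i $br " "$dump" || true)
        if [ "$n_rules" -eq 0 ]; then
            echo "FAIL: $br has no INPUT rules, so inbound traffic is accepted"; rc=1; continue
        fi
        # Rules that admit NEW connections, and the subset that is tcp/443 only.
        n_new=$(grep -Ec -- "^-A INPUT .*-i $br .*--state NEW" "$dump" || true)
        n_443=$(grep -Ec -- "^-A INPUT .*-i $br .*-p tcp .*--state NEW .*--dport 443 -j ACCEPT$" "$dump" || true)
        if [ "$br" = xenbr0 ]; then   # management: HTTPS is the only new inbound service
            if [ "$n_new" -ne 1 ] || [ "$n_443" -ne 1 ]; then
                echo "FAIL: $br admits services other than HTTPS (NEW rules: $n_new)"; rc=1
            fi
        elif [ "$n_new" -ne 0 ]; then # storage: no new inbound connections at all
            echo "FAIL: $br admits $n_new new inbound connection rule(s)"; rc=1
        fi
        # The last rule for the bridge must be the catch-all DROP.
        last=$(grep -E -- "^-A INPUT .*-i $br " "$dump" | tail -n 1)
        case "$last" in
            *"-j DROP") ;;
            *) echo "FAIL: $br INPUT does not end in DROP: $last"; rc=1 ;;
        esac
    done
    return "$rc"
}
# Constructed sample: the guide's ruleset as iptables-save prints it (chain headers omitted).
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
-A INPUT -i xenbr0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr0 -j DROP
-A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr1 -j DROP
EOF
# Constructed sample of drift: SSH was later opened on management and the storage DROP is gone.
BAD_DUMP=$(mktemp)
cat > "$BAD_DUMP" <<'EOF'
-A INPUT -i xenbr0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i xenbr0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i xenbr0 -j DROP
-A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
audit_xs_input "$GOOD_DUMP" && echo "compliant"   # live host: iptables-save > /tmp/r && audit_xs_input /tmp/r
audit_xs_input "$BAD_DUMP" || echo "deviations found"
```

Run it from a cron job or a configuration-check run after each change on the host; any FAIL line is a deviation from the step 2 / step 4 policy.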
LVL 64

Expert Comment

by:btan
ID: 40308481
Not forgetting "trust but verify", e.g. using auditing to baseline the server posture with reference to some best practice (below is one from Nessus):
http://www.tenable.com/blog/new-nessus-configuration-checks-available-for-citrix-xenserver

Author Comment

by:PlumInternet
ID: 40311330
Hi Btan,

Thanks for your comments. I don't think I have articulated the problem correctly.

We would like to colocate a single server with XenServer installed. How could we configure/set up the server to enable us to access iDRAC and XenServer Manager without exposing both to the internet?

Thanks
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40311397
Actually, regardless of the colocation, the fundamental lockdown and hardening I shared applies: have iDRAC for local management and not remote management through the internet. Likewise, no remote management access (on the Dom0 and xapi, the management toolstack) through the internet as well. These are to reduce exposure unless it is authorised and approved to go through a VPN (secure or equivalent "out of band" means) to tunnel into the intranet and via the management segment to access and manage the XenServer.

Since XenServer is a bare-metal installation, iDRAC will also be accessed on that same host once it is enabled and the iDRAC card is connected to the network. The use of "xe" needs some form of Role Based Access Control (e.g. pool admin, pool operator, VM power admin, VM operator and read only) for least privilege, determined by the task to perform. You can work with RBAC using the xe CLI. Do also have the RBAC audit log record any operation taken by a logged-in user.

Note that the user subject is authenticated via the Active Directory server to verify which containing groups the subject may also belong to.

- Please also see the configuration guide in the link I shared in my last post (note the PDF is within the zip download) on Common Criteria Documents for XenServer 5.6.

Note that each XenServer host has one or more networks, which are virtual Ethernet switches. Networks without an association to a PIF (represents a physical network interface) are considered internal, and can be used to provide connectivity only between VMs on a given XenServer host, with no connection to the outside world. Networks with a PIF association are considered external, and provide a bridge between VIFs (represents a virtual interface) and the PIF connected to the network, enabling connectivity to resources available through the PIF's NIC.

Both XenCenter and the xe CLI allow configuration of networking options, control over which NIC is used for management operations, and creation of advanced networking features such as virtual local area networks (VLANs) and NIC bonds. And use VLAN with host management interfaces.