Build Guide: HIPAA
Version
Contents
Overview
Security Application Zone (Runs on)
Requirements
Segmentation/firewall
ESXi Host Security
ESXi Host Firewall
Configure NTP Time Synchronization For ESXi Host
Lockdown Mode
Set DCUI (Direct Console UI) Access
Remote Syslog/Logging
Disable MOB (Managed Object Browser)
Zero-Out VMDK (before deletion)
Create A Non-Root Local Admin Account
Configure Host Profile
vSwitch Security
Reject Promiscuous Mode
Reject MAC Address Changes
Reject Forged Transmits
Network Security
Firewall internal
Allowed ports for management
Firewall external
SECURITY MANAGEMENT
DATA PROTECTION / ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION
Virus Scanning
vCNS vShield Endpoint And VMware Partners AntiVirus And AntiMalware
Software
Configuration And Patch Management
Integrated Solution
SupernaNet.Connect
VCE Vision Intelligent Operations
VMware vCenter
BMC CMDB
Manual Tagging For Compliant CIs
vCenter Inventory Tagging
BMC CMDB Tagging
Automatic Tagging For Compliant CIs
SupernaNet.Connect Mapping File
Monitoring
IDENTITY AND ACCESS MANAGEMENT
LoginTC For OpenVPN
LoginTC Cloud Domain
LoginTC Radius Connector
OpenVPN
LDAP
User
Data Protection: Backup/Restore/Replication
Configuration And Patch Management
Auto Deploy Installation VMWare vSphere 5.1
Compliance: HIPAA
§ 164.306 Security Standards: General Rules
§ 164.308 Administrative Safeguards
Security Management Process (§ 164.308(a)(1))
Key Activities: Conduct Risk Assessment
Technical Implementations:
Key Activities: Develop And Deploy The Information System Activity Review Process
Technical Implementations:
Technical Implementations:
Key Activities: Develop Appropriate Standard Operating Procedures
Technical Implementations:
Information Access Management (§ 164.308(a)(4))
Key Activities: Implement Policies And Procedures For Authorizing Access
Technical Implementation:
Security Awareness and Training (§ 164.308(a)(5))
Implementation Specification: Protection From Malicious Software
Technical Implementation:
§ 164.310 Physical Safeguards
Device And Media Controls (§ 164.310(d)(1))
Key Activities: Implement Methods For Final Disposal of EPHI
Technical Implementations:
Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media
Technical Implementations:
§ 164.312 Technical Safeguards
Access Control (§ 164.312(a)(1))
Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier
Technical Implementations:
Key Activities: Implement Access Control Procedures Using Selected Hardware And Software
Description:
Technical Implementations:
Key Activities: Review And Update User Access
Technical Implementations:
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
Audit Controls (§ 164.312(b)) - Future In Scope - Security Partner
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews
Technical Implementations:
Integrity (§ 164.312(c)(1))
Key Activities: Mechanism To Authenticate Electronic Protected Health Information
Technical Implementations:
Overview
This document is the master design document for all areas of the design. It is
organized so that an ISV can place its product within a functional area. The
scope of the phase I design is shown in Figure 1.
Requirements
1. Must support one or the other deployment option for VM-to-VM communications
Segmentation/firewall
vSphere uses Intel Trusted Platform Module / Trusted Execution Technology (TPM/TXT)
to provide remote attestation of the hypervisor image, based on a hardware root of
trust. The measured hypervisor image comprises the following elements:
ESXi software (hypervisor) in VIB (package) format
Third-party VIBs
Third-party drivers
To use this capability, the ESXi host must have TPM and TXT enabled in firmware.
ESXi 5.x has a new firewall engine that is not based on iptables. Its rulesets are
managed with the esxcli network firewall command set; each ruleset can be enabled,
disabled, or restricted to a list of allowed source IP addresses.
Set the time configuration of the host to point at the NTP server (by IP address)
and start the NTP service.
It is recommended to synchronize the ESXi clock with a time server located on the
management network rather than directly with a time server on a public network.
That time server can in turn synchronize with a public source through a strictly
controlled, firewalled network connection.
Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to
be managed remotely from vCenter Server. Lockdown limits ESXi host access to the
vCenter server. This is done to ensure that the roles and access controls
implemented in vCenter are always enforced and users cannot bypass them by
logging into a host directly. By forcing all interaction to occur through vCenter Server,
the risk of someone inadvertently attaining elevated privileges or performing tasks
that are not properly audited is greatly reduced. Note: Lockdown mode does not
apply to users who log in using authorized keys. When you use an authorized key file
for root user authentication, root users are not prevented from accessing a host with
SSH even when the host is in lockdown mode. Note that users listed in the
DCUI.Access list for each host are allowed to override lockdown mode and log in
to the DCUI. By default the "root" user is the only user listed in the DCUI.Access list.
Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining
information about breaches of host security.
Remote logging to a central log host provides a secure, centralized store for ESXi
logs. The vSphere Syslog Collector tool can be used for this.
By gathering host log files onto a central host you can monitor all hosts with a
single tool. For security purposes, analysis and search can be aggregated to look
for such things as coordinated attacks on multiple hosts. Logging to a secure,
centralized log server also helps prevent log tampering (a host-local log can be
altered by anyone who gains root on that host) and provides a long-term audit record.
vSwitch Security
Reject Promiscuous Mode
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC
address. In promiscuous mode, it can listen to all the packets. By default, guest
adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port
group level in ESX/ESXi
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
Network Security
Firewall internal
To safeguard virtual machine resources, the system administrator lowers the risk
of DoS and DDoS attacks by configuring a resource reservation and a limit for each
virtual machine. The administrator further protects the ESXi host and virtual
machines by installing software firewalls at the front and back ends of the DMZ,
ensuring that the host is behind a physical firewall, and configuring the
networked storage resources so that each has its own virtual switch.
DMZ setup
http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-A309590A-FFFC-45FF-95AD43242F58D6B4.html
Allowed ports for management
Port | Purpose | Traffic Type
22 | SSH Server | Incoming TCP
53 (Default) | DNS Client |
68 (Default) | DHCP Client |
161 (Default) | SNMP Server | Incoming UDP
80 (Default) | HTTP access (welcome page; redirects to HTTPS) | Incoming TCP
111 (Default) | RPC portmapper (used by the NFS client) |
123 | NTP Client | Outgoing UDP
135 (Default) | |
427 (Default) | CIM client (SLP) |
443 (Default) | HTTPS access | Incoming TCP
513 (Default) | Logging activity | Incoming UDP
902 (Default) | vCenter Server agent |
903 | Remote console (MKS) traffic | Incoming TCP
| vSphere Replication | Outgoing TCP
2049 | Transactions from NFS storage devices; this port is used on the VMkernel interface |
3260 | Transactions to iSCSI storage devices | Outgoing TCP
5900-5964 | RFB protocol (remote console / VNC) |
5988 (Default) | CIM transactions over HTTP | Incoming TCP
5989 (Default) | CIM XML transactions over HTTPS |
8000 (Default) | vMotion |
8009 | | Outgoing TCP
8182 | vSphere HA |
9009 | | Outgoing UDP
http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html
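As an added example (not part of the guide and not VMware tooling), the following Python script audits a host's firewall configuration against the port table above. It parses the text printed by esxcli network firewall ruleset list, ruleset rule list and ruleset allowedip list, then flags enabled rulesets that are not in a baseline, and enabled inbound rulesets that accept connections from any source or from outside the management network. The baseline set, the 172.16.84.0/24 management network and the three esxcli captures are assumptions constructed for the example.

```python
"""Audit ESXi host firewall rulesets against a management baseline.

Added example, not part of this guide or of VMware's tooling. It parses the
text that `esxcli network firewall ruleset list`, `... ruleset rule list` and
`... ruleset allowedip list` print (captured beforehand over SSH or with
PowerCLI's Get-EsxCli), then reports rulesets that are enabled but not in the
baseline, and enabled inbound rulesets that accept connections from any
source or from outside the management network. The baseline and the
management network are assumptions derived from the port table above.
"""
import ipaddress

# Assumed baseline: rulesets a managed host is allowed to have enabled.
BASELINE_RULESETS = {
    "sshServer", "vSphereClient", "webAccess", "CIMHttpServer", "CIMHttpsServer",
    "CIMSLP", "ntpClient", "dns", "dhcp", "snmp", "syslog", "vMotion",
    "nfsClient", "iSCSI", "DVSSync", "HBR",
}

# Assumed management network; inbound sources outside it are flagged.
MGMT_NETWORK = ipaddress.ip_network("172.16.84.0/24")

# Constructed sample output (not captured from a real host).
RULESET_LIST = """\
Name              Enabled
----------------  -------
sshServer         true
sshClient         false
ntpClient         true
vSphereClient     true
CIMHttpServer     true
CIMHttpsServer    true
snmp              true
syslog            true
nfsClient         true
gdbserver         true
remoteSerialPort  false
"""

RULE_LIST = """\
Ruleset         Direction  Protocol  Port Type  Port Begin  Port End
--------------  ---------  --------  ---------  ----------  --------
sshServer       Inbound    TCP       Dst        22          22
vSphereClient   Inbound    TCP       Dst        902         902
vSphereClient   Inbound    TCP       Dst        443         443
vSphereClient   Outbound   UDP       Dst        902         902
ntpClient       Outbound   UDP       Dst        123         123
CIMHttpServer   Inbound    TCP       Dst        5988        5988
CIMHttpsServer  Inbound    TCP       Dst        5989        5989
snmp            Inbound    UDP       Dst        161         161
syslog          Outbound   UDP       Dst        514         514
nfsClient       Outbound   TCP       Dst        2049        2049
gdbserver       Inbound    TCP       Dst        1000        9999
"""

ALLOWEDIP_LIST = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       172.16.84.0/24
vSphereClient   172.16.84.0/24, 10.0.0.15
CIMHttpServer   All
CIMHttpsServer  172.16.84.10
snmp            All
gdbserver       All
"""


def parse_two_columns(text):
    """esxcli tables: skip the header and dashed line, split on the first gap."""
    rows = {}
    for line in text.strip().splitlines()[2:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows[parts[0]] = parts[1].strip()
    return rows


def inbound_rulesets(rule_text):
    """Rulesets that contain at least one Inbound rule (column 2 of rule list)."""
    names = set()
    for line in rule_text.strip().splitlines()[2:]:
        fields = line.split()
        if len(fields) >= 2 and fields[1].lower() == "inbound":
            names.add(fields[0])
    return names


def audit(ruleset_text, rule_text, allowedip_text):
    """Return (ruleset, issue, detail) tuples, sorted by ruleset name."""
    enabled = {n for n, v in parse_two_columns(ruleset_text).items()
               if v.lower() == "true"}
    inbound = inbound_rulesets(rule_text)
    allowed = parse_two_columns(allowedip_text)
    findings = []
    for name in sorted(enabled):
        if name not in BASELINE_RULESETS:
            findings.append((name, "not-in-baseline", ""))
        if name not in inbound:
            continue  # client-only rulesets legitimately talk to arbitrary peers
        sources = allowed.get(name, "All")  # esxcli prints "All" when unrestricted
        if sources.lower() == "all":
            findings.append((name, "any-source", ""))
            continue
        for src in sources.split(","):
            src = src.strip()
            if not ipaddress.ip_network(src, strict=False).subnet_of(MGMT_NETWORK):
                findings.append((name, "outside-mgmt", src))
    return findings


if __name__ == "__main__":
    for finding in audit(RULESET_LIST, RULE_LIST, ALLOWEDIP_LIST):
        print("%-16s %-16s %s" % finding)
```

Capture the three esxcli outputs over SSH (or with Get-EsxCli in PowerCLI) and pass them to audit(). Client-only rulesets such as ntpClient are deliberately not checked for allowed sources, since the question this table answers is who may reach the host's inbound services; on the sample data the script reports the CIM HTTP and SNMP services open to any source, a non-baseline gdbserver ruleset, and a vSphere Client source outside the management subnet.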
Firewall external
More:
http://www.vmware.com/go/compliance
http://www.vmware.com/go/security/
http://www.vmware.com/go/vmsafe/
SECURITY MANAGEMENT
vCloud Networking and Security (vCNS)
vCNS provides basic networking and security functionality for virtualized compute
environments, built using the VMware vCloud Suite. It provides a broad range of
services delivered through virtual appliances, such as a virtual firewall, virtual
private network (VPN), load balancing, NAT, DHCP, and VXLAN-extended networks.
Components of vCNS:
1. vShield Manager
2. vShield App
3. vShield Edge
4. vShield Endpoint
5. vShield Data Security
vShield Manager
vShield Manager is the central point of control for all vShield solutions and
integrates seamlessly with VMware vCenter to offer role-based access control and
6. Log in to the vSphere Client and select the ESX host where the vShield Manager
resides. Verify that vShield appears as a tab. You can then install and configure
vShield components from this vSphere Client.
vShield App
A hypervisor-based firewall that protects applications in the virtual data center from
network-based attacks. vShield App provides a stateful inspection firewall that is
applied at the virtual network interface card (vNIC) level, directly in front of
specific workloads.
vShield App must be installed on each ESXi host where the VMs it protects reside.
For example, install vShield App on every ESXi host in a cluster so that VMware
vMotion operations work and virtual machines remain protected as they migrate
between ESX hosts. By default, a vShield App virtual appliance itself cannot be
moved by vMotion.
The System Status option shows the health of a vShield App. Details include
system statistics, status of interfaces, software version, and environment
variables.
Flow Monitoring
The Flow Monitoring is a traffic analysis tool that provides a detailed view of the
traffic on our virtual network that passed through a vShield App. The Flow
Monitoring output defines which machines are exchanging data and over which
application. This data includes the number of sessions, packets, and bytes
transmitted per session. Session details include sources, destinations, direction of
sessions, applications, and ports being used. Session details can be used to create
firewall allow or block rules.
App Firewall
The App Firewall service is a centralized firewall for ESX hosts. App Firewall enables
us to create rules that allow or block access to and from our virtual machines. Each
installed vShield App enforces the App Firewall rules. An example of a basic rule
that allows all traffic is shown in the following figure:
Fig.15 Flow monitoring provides the details about the blocked traffic
vShield Edge
Provides network edge security and gateway services to isolate a virtualized
network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V
port group. The vShield Edge provides the stateful inspection firewall that is applied
at the perimeter of the virtual data center.
vShield Edge will act as the gateway between private and public networks.
vShield Endpoint
Off-loads antivirus and antimalware agent processing to a dedicated, secured virtual
appliance delivered by VMware partners.
vShield Endpoint is installed as a hypervisor module together with a security
virtual appliance from a third-party antivirus vendor (a VMware partner) on the ESX
host. Because scanning happens at the hypervisor level, guest virtual machines can
be scanned without a full antivirus agent in every virtual machine; only the thin
agent shipped with VMware Tools is needed in the guest.
Testing Requirements:
1. After you have installed vShield Endpoint on the ESXi host, deploy and configure
a security virtual machine (SVM) on each ESX host according to the instructions
from the anti-virus solution provider.
2. Install the latest version of VMware Tools released for the version of ESX on
all virtual machines to be protected. VMware Tools includes the vShield Thin Agent,
which must be installed on each guest virtual machine to be protected. To include
this vShield component with VMware Tools, select Interactive Tools Installation or
Interactive Tools Upgrade. In the Setup Type wizard, select the Custom option, and
from the VMware Device Drivers list select VMCI Driver, then select vShield Driver.
Fig.24 vShield Endpoint and 3rd party security virtual appliance flow control
Fig.26 vShield Data Security with the HIPAA regulation setting (based on the PHI/PII
category)
vShield Data Security provides a report (e.g. the number of violations and their details).
From the Scan History you can see that the vShield Data Security is also able to
detect new data.
Testing Requirements
1. Set the Policy (regulations and standards) to detect:
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA (Health Insurance Portability and Accountability Act) Low Threshold
PCI-DSS (Payment Card Industry Data Security Standard)
2. Define the Security Group to include in the scan (or use the default if you
want to scan the entire vCenter inventory).
Fig.31 Define the security group for the scan's participating areas
3. Define Files to Scan.
For example based on the modified date/time
4. Create and store test data containing privacy information on the test system.
Example of data for the HIPAA test:
============
=============
1.
Name: SuperDuper
Account: 65758
Master Card
Credit Card Number: 5111-1111-1111-1118
Expiration Date:
Expire: 07/07/2015
2.
Name: Looney Tunes
Account: 768690
American Express
Credit Card Number: 3111-1111-1111-1117
Expiration Date:
Expire: 07/08/2015
3.
Name: Scooby Doo
Account: 998690
VISA
Credit Card Number: 4111-1111-1111-1111
Expiration Date:
Expire: 07/08/2015
================
5. Initiate scan
Click the Start button to run the scan.
The vShield Data Security virtual appliance communicates with the objects in the
defined Security Group through vShield Endpoint and the VMware Tools vShield
driver.
6. Once the scan is done, it stops by itself and you can view the report.
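As an added example (not the guide's own test procedure and not vShield Data Security's detection logic), the following Python validates the three sample card numbers with the Luhn checksum and runs a small regex detector over a constructed document that combines them with made-up HIPAA-style identifiers. Worth knowing before reading the scan report: the Master Card and VISA samples pass the checksum, but the American Express sample (3111-1111-1111-1117) does not, so a scanner that validates checksums will not count it, and a report of two card hits is not a missed detection. The regex patterns, the document text and its SSN/MRN values are assumptions made for the example.

```python
"""Validate the PCI test records above and run a minimal DLP detector.

Added example, not part of this guide or of vShield Data Security. It checks
each sample card number with the Luhn checksum (the validation most
card-number classifiers apply to suppress false positives) and runs a small
regex-based detector over a constructed document that mixes the guide's card
records with HIPAA-style identifiers. The patterns are assumptions, not the
vShield content blades; the document and its SSN/MRN values are made up.
"""
import re

# Constructed test document: the guide's three card records plus PHI-like lines.
SAMPLE_DOCUMENT = """\
1. Name: SuperDuper  Account: 65758  Master Card
   Credit Card Number: 5111-1111-1111-1118  Expire: 07/07/2015
2. Name: Looney Tunes  Account: 768690  American Express
   Credit Card Number: 3111-1111-1111-1117  Expire: 07/08/2015
3. Name: Scooby Doo  Account: 998690  VISA
   Credit Card Number: 4111-1111-1111-1111  Expire: 07/08/2015
Patient: Jane Sample  SSN: 123-45-6789  DOB: 01/02/1970
Diagnosis: hypertension  MRN: 00012345
Order number: 1234-5678-9012-3456
"""

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number):
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Every candidate match: (category, value, passes_checksum)."""
    findings = []
    for m in CARD_RE.finditer(text):
        findings.append(("card", m.group(), luhn_ok(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(), True))   # no checksum exists for SSNs
    return findings


def violations(text):
    """What a checksum-validating scanner would actually report."""
    return [f for f in scan(text) if f[2]]


if __name__ == "__main__":
    for category, value, valid in scan(SAMPLE_DOCUMENT):
        status = "match" if valid else "rejected by checksum"
        print("%-4s %-19s %s" % (category, value, status))
```

The order-number line is there on purpose: a bare 16-digit regex matches it, the checksum rejects it, which is why scanners validate before counting a violation. When building test data for a real scan, generate card samples that pass Luhn, or the scan will under-report.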
Client Tier
Client Tier is the interface through which the user accesses the BMC Server
Automation Application. This includes:
The BMC Server Automation console, a graphical user interface (GUI)
A command line interface (BLCLI) that provides application programming interface
(API)-level access to the functionality available through the console
Network Shell for ad hoc administration of one or more servers. Network Shell is a
network-scripting language that enables cross-platform access through a command
line interface.
A web interface to the BMC BladeLogic Decision Support for Server Automation
server
Server Tier
This is a tier for servers managed by BMC Server Automation. In order for these
servers to be managed by BMC Server Automation, the RSCD agent needs to be
deployed on remote servers. The BMC Server Automation Application Server
communicates with RSCD agents and initiates all communication to perform ad hoc
and scheduled tasks.
Middle Tier
In this tier, the primary component is the Application Server, which controls
communication between the BMC Server Automation console (Client Tier) and
remote servers (Server Tier). It also controls interaction with the database and file
servers.
2. Create a database for BSA, create a user login for BSA, and configure user
mapping to give db_owner database role to the BSA user.
3. Run the BSA external script to load the database schema.
Testing Requirement
For testing, you installed and configured all mid-tier components on one host. You
also installed the BSA console on the same host.
The following components were installed on a Windows 2008 R2 VM:
- BSA Database Server
- BSA File Server Agent
- BSA Application Server
- BSA Console
- BSA Compliance Module
Also, configure another server to be managed by BSA: install the RSCD Agent on
that server.
3. Run the Discover Job based on that template. Once it is done, check the
discovery result.
Insert the data into the BMC Atrium CMDB with the BMC BladeLogic Import Dataset
Installation
Prior to the BladeLogic Atrium Integration installation, you need to have the
following components:
BMC Server Automation Application Server
BMC Server Automation Console on the computer where BMC BladeLogic Atrium
Integration is to be installed
BMC BladeLogic Decision Support for Server Automation
BMC Remedy AR System
BMC Atrium CMDB
BMC Atrium Integration Engine
Testing Requirement
1. Run BSA Discovery and Snapshot Job
2. Run ETL
3. Verify that the Data has been transferred to Atrium CMDB.
Fig.44 Atrium Import Job Configuration (CMDB data set name, business service class
name)
Fig.45 Atrium Import Job Configuration (CI relationship, BladeLogic custom property)
3. Test by creating the Business Service in CMDB and set the relationship between
server and Business Service.
6. Then, you can create Server Smart Group based on this Business Service
classification.
Denial Of Service
By default, ESXi imposes a form of resource reservation by applying a distribution
algorithm that divides the available host resources equally among the virtual
machines, while keeping a certain percentage of resources for use by other system
components. This default behavior provides a degree of natural protection from DoS
DATA PROTECTIONENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Integrated Solution
Converged Infrastructure needs to be managed as a whole system and not only by
individual components.
An example of an integrated solution for managing vBlock Converged Infrastructure:
1. SupernaNet.Connect
2. VCE Vision software
3. VMware vCenter
4. BMC CMDB
SupernaNet.Connect
SupernaNet.Connect CMDB connector for BMC leverages VCE Vision software and
VMware vCenter to provide a single integration point for automating CMDB CI
discovery along with logical to physical topology with fully automated CI
relationships created in the CMDB.
VMware vCenter
VMware vCenter Server provides a centralized platform for managing your
VMware vSphere environments.
BMC CMDB
BMC Atrium CMDB is a configuration management database system to manage data
from across IT and create a more efficient IT infrastructure.
following figure we set the HIPAA tagging for the VM that is part of HIPAA compliant
setup.
After you have updated the BMCMapping.xml file, you also need to generate the
new version info and update the BMCConfig.xml file with the new generated version
info.
For example:
<VersionInfo invalidversionssupported="false">
<SupportedVersion name="NCrmZNFMNCHPtW2VDLD7Yg=="/>
<SupportedVersion name="KMplTPQWNCHPtW2VDLD7Yg=="/>
</VersionInfo>
Then, you run the SupernaNet.Connect synchronization to sync the update to the
CMDB.
Now your CMDB is populated with the CITag info.
Monitoring
To meet the requirement to monitor in-scope devices and to surface alarms and
events related to potential security or authorization non-compliance on Vblock
Systems, the CA Nimsoft Monitor product combined with the SupernaNET.Converge
Probe for Nimsoft (with compliance enhancements) lets you select in-scope objects
for monitoring and highlights, on the probe's UMP Dashboard, any VM or Vblock
Systems component that has raised an alarm.
The screenshot below shows how the probe simplifies the monitoring function for
compliance.
LoginTC two-factor authentication will be used to secure the following login access:
1. Infrastructure Domain
a. vCenter SSO OpenLDAP
i. Add a vCenter Single Sign On Identity Source
ii. Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
iii.
2. Application Domain
Each LoginTC Cloud has a unique API key and each domain has a unique Domain ID.
You need this key and ID for the connector configuration. The API key is found on
the LoginTC Cloud Settings page. The Domain ID is found on the domain settings
page.
Fig.61 Domain ID
[ldap]
host=sup-pcidc-01.pci.superna.net
bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
bind_password=GoSuperna!
base_dn=dc=pci,dc=superna,dc=net
attr_username=sAMAccountName
attr_name=displayName
attr_email=mail
filter=(objectClass=person)
[client]
name=OpenVpn
ip=172.16.84.20
secret=bigsecret
authentication=ldap,logintc
OpenVPN
Install the OpenVPN RADIUS plugin on the OpenVPN server.
Configure OpenVPN (server.conf):
local 172.16.84.20
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
Configure the RADIUS plugin (radiusplugin.cnf):
OpenVPNConfig=/etc/openvpn/server.conf
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client configuration in client configuration file directory
# default is true
overwriteccfiles=true
# Allows the plugin to use authorization control files if OpenVPN (>= 2.1 rc8) provides them
# default is false
# useauthcontrolfile=false
server
{
    acctport=1813
    authport=1812
    name=127.0.0.1
    # How many times should the plugin send the request if there is no response?
    retry=1
    # How long should the plugin wait for a response?
    wait=1
    sharedsecret=testpw
}
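The server.conf above accepts any client without a certificate (client-cert-not-required), loads a 1024-bit DH file, has no tls-auth HMAC protecting the control channel, does not drop root privileges, and the plugin waits only one second for the RADIUS reply, which is less than a user typically needs to approve a push-based second factor. The following Python, an added example that is not part of the guide, of OpenVPN or of the RADIUS plugin, lints the two fragments for these points and shows a hardened server.conf beside the original. The thresholds (2048-bit DH, 16-character shared secret, 30-second wait), the file names in the hardened copy and the judgement of DH strength from the file name alone are the reviewer's assumptions.

```python
"""Lint the OpenVPN server.conf and radiusplugin.cnf shown above.

Added example, not part of this guide, of OpenVPN or of the RADIUS plugin.
Both files are constructed copies of the fragments above (a hardened
server.conf is included for comparison). The thresholds (2048-bit DH,
16-character shared secret, 30-second RADIUS wait) are assumptions, and DH
strength is judged from the file name only.
"""

SERVER_CONF = """\
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radius.cnf
client-cert-not-required
username-as-common-name
"""

# Same VPN with the findings below addressed; ta.key and dh2048.pem are assumed paths.
HARDENED_CONF = """\
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
user nobody
group nogroup
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radius.cnf
username-as-common-name
"""

RADIUS_CNF = """\
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
server
{
    acctport=1813
    authport=1812
    name=127.0.0.1
    retry=1
    wait=1
    sharedsecret=testpw
}
"""


def parse_openvpn(text):
    """server.conf: one directive per line; returns directive -> list of args."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts


def parse_radius(text):
    """radiusplugin.cnf: key=value lines; the braces only delimit the server block."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


def lint(server_conf, radius_cnf):
    """Return (code, detail) findings about the VPN's authentication posture."""
    o, r = parse_openvpn(server_conf), parse_radius(radius_cnf)
    findings = []
    if "client-cert-not-required" in o:   # OpenVPN 2.4 renamed this "verify-client-cert none"
        findings.append(("no-client-cert", "client-cert-not-required"))
    for dh in o.get("dh", []):
        if "1024" in dh:                  # name-based heuristic, see docstring
            findings.append(("weak-dh", dh))
    if "tls-auth" not in o and "tls-crypt" not in o:
        findings.append(("no-tls-auth", ""))  # control channel accepts handshakes from anyone
    if "user" not in o or "group" not in o:
        findings.append(("runs-as-root", ""))
    wait = int(r.get("wait", "0"))
    if wait < 30:                         # a push second factor needs time to be approved
        findings.append(("radius-wait-short", str(wait)))
    secret = r.get("sharedsecret", "")
    if len(secret) < 16:
        findings.append(("radius-secret-short", str(len(secret))))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SERVER_CONF, RADIUS_CNF):
        print(code, detail)
```

Removing client-cert-not-required means every client needs a certificate from the CA named in the ca directive, so the RADIUS username and second factor become an additional factor rather than the only one; if that is not acceptable for the deployment, at least the tls-auth key and the longer RADIUS wait should go in, since without them any host that can reach UDP 1194 can start a TLS handshake and every push approval races a one-second timer.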
LDAP
Create an LDAP (Active Directory) user for the LoginTC RADIUS Connector and enter
its details in the connector's client.cfg file. Set LDAP as the first
authentication factor and LoginTC as the second.
User
For two-factor authentication with LDAP/Active Directory and LoginTC, create the
user in both Active Directory and the LoginTC RADIUS domain.
Data ProtectionBackup/Restore/Replication
Save TFTP Boot Zip and extract it to TFTP Server folder (\\DMANNING-02\TFTP-Root)
NEXT STEPS:
1. Add the ESXi 5.1 software depot in PowerCLI:
   Add-EsxSoftwareDepot C:\vsphere5.1\ESXi\VMware-ESXi-5.1.0-799733-depot.zip
2. Get-EsxImageProfile
3. Use the Standard image profile.
4. New-DeployRule -Name "FirstBoot" -Item "ESXiStatelessImage" -AllHosts
5. Add-DeployRule -DeployRule "FirstBoot"
Or
6. New-DeployRule -Name "FirstTimeBoot" -Item "ESXi-5.0.0-469512-standard" -Pattern "model=VMware Virtual Platform"
Compliance: HIPAA
§ 164.306 Security standards: General rules
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected
health information that the covered entity creates, receives, maintains, or
transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to
reasonably and appropriately implement the standards and implementation
specifications as specified in this subpart.
(2) When deciding which security measures to use, a covered entity must take into
account the following factors:
(i) The size, complexity, and capabilities of the covered entity
(ii) The covered entity's technical infrastructure, hardware, and software security
capabilities
(iii) The costs of security measures
(iv) The probability and criticality of potential risks to electronic protected health
information
(c) Standards. A covered entity must comply with the standards as provided in this
section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with
respect to all electronic protected health information.
(d) Implementation specifications
In this subpart:
(1) Implementation specifications are required or addressable. If an implementation
specification is required, the word Required appears in parentheses after the title
of the implementation specification. If an implementation specification is
addressable, the word Addressable appears in parentheses after the title of the
implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or
§ 164.316 includes required implementation specifications, a covered entity must
implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or
§ 164.316 includes addressable implementation specifications, a covered entity must:
(i) Assess whether each implementation specification is a reasonable and
appropriate safeguard in its environment, when analyzed with reference to the
likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and
appropriate:
(1) Document why it would not be reasonable and appropriate to implement the
implementation specification
(2) Implement an equivalent alternative measure if reasonable and appropriate
(e) Maintenance. Security measures implemented to comply with standards and
implementation specifications adopted under § 164.105 and this subpart must be
reviewed and modified as needed to continue provision of reasonable and
appropriate protection of electronic protected health information as described at
§ 164.316.
a. The BMC CMDB connector tracks in-scope devices and VMs, extracts VMware vCenter
and VCE Vision software logs for the in-scope devices, and stores them in a
database at a regular interval.
b. ESXi Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining
information about breaches of host security.
Remote logging to a central log host provides a secure, centralized store for ESXi
logs. The vSphere Syslog Collector tool can be used for this.
By gathering host log files onto a central host you can monitor all hosts with a
single tool. For security reasons, analysis and searching can be aggregated to
look for such things as coordinated attacks on multiple hosts. Logging to a secure,
centralized log server also helps prevent log tampering and provides a long-term
audit record.
Technical Implementations:
1. Install monitoring software for the in-scope IT devices that process or handle
compliance-relevant application data, using a monitoring tool that can show alarms
and events from in-scope or flagged devices.
2. CA Nimsoft plus the SupernaNET.Converge probe can selectively track VM, compute,
storage and network data within a portal, filtering alarms and events to only the
devices selected as in scope for HIPAA compliance, within the UMP Dashboard portal.
3. ESXi Host Internal Firewall. This is the firewall between the ESXi host's
management interface and the network; it gives the host access control over its own
services. Configure this ESXi host firewall to restrict access to the services
running on the host, so that only the management network can reach them.
HIPAA Standard: Implement policies and procedures governing the receipt and
removal of hardware and electronic media that contain electronic protected health
information into and out of a facility, and the movement of these items within the
facility.
access only to those persons or software programs that have been granted access
rights as specified in § 164.308(a)(4)
1. LoginTC can protect any system that requires authentication, including VPNs, web
portals and cloud applications, and with the LoginTC REST API it can add two-factor
authentication to virtually any system or application that hosts EPHI data.
LoginTC leverages the user repositories already installed in the client's
infrastructure (MS Active Directory, LDAP or SQL-based systems), synchronizing and
updating users from their authoritative source(s).
Key Activities: Ensure That All System Users Have Been Assigned A
Unique Identifier
Technical Implementations:
1. LoginTC assigns both a unique USERNAME and a unique USERID. The LoginTC
administrator determines the user's USERNAME and optionally the user's EMAIL,
typically the same username and email stored in the LDAP or MS AD repositories.
The USER ID is randomly generated by the LoginTC system: it is 160 bits (40 hex
characters) and uniquely identifies a LoginTC user.
LoginTC transaction logs capture every access to LoginTC-protected systems and
can trace specific users identified by their USERNAME and/or USER ID.
2. ESXi Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring that the
host be managed remotely from vCenter Server. Lockdown limits ESXi host access to
the vCenter Server. This ensures that the roles and access controls implemented in
vCenter are always enforced and users cannot bypass them by logging in to a host
directly. By forcing all interaction to occur through vCenter Server, the risk of
someone inadvertently gaining elevated privileges or performing tasks that are not
properly audited is greatly reduced. Note: Lockdown mode does not apply to users
who log in using authorized keys. When using an authorized key file for root user
authentication, root users are not prevented from accessing a host with SSH even
when the host is in lockdown mode. Note that users listed in the DCUI.Access list
for each host are allowed to override lockdown mode and log in to the DCUI. By
default the "root" user is the only user listed in the DCUI.Access list.
LoginTC provisioning and registration is the first step for authorized users to access
EPHI systems and applications:
Self-registration
Bulk upload
The LoginTC mobile app can host multiple credentials to access multiple systems,
hence allowing users to seamlessly gain access to multiple applications when
required.
The LoginTC administrator accesses the LoginTC Admin panel and manually
revokes the user's credential.
If the user record is updated in the master user repository (e.g. MS AD/LDAP)
and the LoginTC synchronization module is in place, the user's LoginTC credential
is updated accordingly in LoginTC Admin.
All Domains
Specific Domain
It can also download log data in TXT or CSV format for further analysis or
correlation.
One of the most powerful LoginTC features is revealed in the LoginTC logs, including
user ignored or suspect notifications that the end user rejects. This feature prevents
phishing or man-in-the-middle attacks and can be acted upon by the LoginTC
administrator, auditors, and security personnel (See previous Figure X LoginTC end
user experience).
These LoginTC controls are extremely useful for recording and examining access
information activity, especially when determining if a security violation has
occurred.
Key Activities: Select The Tools That Will Be Deployed For Auditing
And System Activity Reviews
Technical Implementations:
1. vCNS vShield Data Security:
You can use this as an audit tool as it provides visibility into sensitive data stored
within your organization's virtualized and cloud environments. Based on the
violations reported by vShield Data Security, you can ensure that sensitive data is
adequately protected and compliant with regulations around the world.
For example: you can assign policies at the Security Group basis so that the
application VMs in that Security Group will be scanned for HIPAA data and, if found,
will be reported.
2. BMC Server Automation Compliance Audit
Based on a compliance policy, you can run a compliance audit for components. The
report shows which sections of the policy the component does not comply with. The
following figure gives an example.
When notified, the user must unlock the LoginTC credential in the mobile
device with a PIN or passphrase, which is only known to the user.
Using LoginTC two-factor authentication can satisfy the HIPAA Security Rule
requirement to create and maintain security controls that verify user identity when
users are connecting to applications and databases with health data records, either
remotely or via a web application.
In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC
address. In promiscuous mode, it can listen to all the packets. By default, guest
adapters are set to non-promiscuous mode.
This promiscuous mode security policy can be defined at the virtual switch or port
group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html
If the virtual machine operating system changes the MAC address, it can send
frames with an impersonated source MAC address at any time. This allows it to stage
malicious attacks on the devices in a network by impersonating a network adaptor
authorized by the receiving network.
The Reject MAC Address Changes setting prevents VMs from changing their effective
MAC addresses. It affects applications that require this functionality; an example
is Microsoft Clustering, which requires systems to effectively share a MAC address.
It also affects how a layer-2 bridge operates, and applications that require a
specific MAC address for licensing. An exception should be made only for the port
groups that these applications are connected to, and documented as such.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html
By default the forged transmits setting is set to Accept. This means that the
virtual switch does not compare the source and effective MAC addresses. To protect
against MAC address impersonation, all virtual switches should have forged
transmits set to Reject.
Ref: http://pubs.vmware.com/vsphere51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
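Because the three settings can be set at the vSwitch and overridden per port group, a switch that shows Reject is not proof that every port group rejects. The following Python, an added example rather than the guide's or VMware's own code, resolves the effective policy per port group, reports every Accept that is not covered by a documented exception, and generates the esxcli commands to remediate at the right level. The inventory dict mirrors the switch/port-group inheritance reported by esxcli network vswitch standard policy security get and esxcli network vswitch standard portgroup policy security get; the inventory, the port group names and the exception list (a Microsoft Clustering port group and an IDS sensor port group) are constructed assumptions.

```python
"""Audit the effective security policy of standard vSwitch port groups.

Added example, not part of this guide or of VMware's tooling. The inventory
below is constructed to mirror what `esxcli network vswitch standard policy
security get` and `esxcli network vswitch standard portgroup policy security
get` report: a port group inherits the switch policy unless its override flag
for that setting is set. The exception list is an assumption standing in for
the guide's note that port groups carrying Microsoft Clustering (or an IDS
sensor, for promiscuous mode) need a documented exception.
"""

POLICY_KEYS = ("allow_promiscuous", "allow_mac_change", "allow_forged_transmits")

# Constructed inventory: switch-level policy plus per-port-group overrides.
INVENTORY = {
    "vSwitch0": {
        "policy": {"allow_promiscuous": False, "allow_mac_change": True,
                   "allow_forged_transmits": True},
        "portgroups": {
            "Management Network": {"override": {}, "policy": {}},
            "PHI-App": {"override": {"allow_mac_change": True,
                                     "allow_forged_transmits": True},
                        "policy": {"allow_mac_change": False,
                                   "allow_forged_transmits": False}},
            "IDS-Span": {"override": {"allow_promiscuous": True},
                         "policy": {"allow_promiscuous": True}},
        },
    },
    "vSwitch1": {
        "policy": {"allow_promiscuous": False, "allow_mac_change": False,
                   "allow_forged_transmits": False},
        "portgroups": {
            "MSCS-Cluster": {"override": {"allow_mac_change": True,
                                          "allow_forged_transmits": True},
                             "policy": {"allow_mac_change": True,
                                        "allow_forged_transmits": True}},
        },
    },
}

# Assumed documented exceptions: port group -> settings that may stay Accept.
EXCEPTIONS = {
    "MSCS-Cluster": {"allow_mac_change", "allow_forged_transmits"},  # MS clustering
    "IDS-Span": {"allow_promiscuous"},                               # IDS sensor
}


def effective_policy(switch, portgroup):
    """Resolve inheritance: an overridden key uses the port-group value."""
    effective = {}
    for key in POLICY_KEYS:
        if portgroup["override"].get(key, False):
            effective[key] = portgroup["policy"].get(key, switch["policy"][key])
        else:
            effective[key] = switch["policy"][key]
    return effective


def audit(inventory, exceptions):
    """Return (switch, port group, setting) for every Accept without an exception."""
    findings = []
    for sw_name, switch in inventory.items():
        for pg_name, portgroup in switch["portgroups"].items():
            effective = effective_policy(switch, portgroup)
            for key in POLICY_KEYS:
                if effective[key] and key not in exceptions.get(pg_name, set()):
                    findings.append((sw_name, pg_name, key))
    return findings


def remediation(inventory, findings):
    """esxcli commands that flip each finding to Reject, de-duplicated.

    An inherited Accept is fixed on the switch (which also fixes every other
    port group inheriting it); an overridden one is fixed on the port group.
    """
    commands = []
    for sw_name, pg_name, key in findings:
        portgroup = inventory[sw_name]["portgroups"][pg_name]
        flag = "--" + key.replace("_", "-") + "=false"
        if portgroup["override"].get(key, False):
            cmd = ("esxcli network vswitch standard portgroup policy security set "
                   "--portgroup-name='%s' %s" % (pg_name, flag))
        else:
            cmd = ("esxcli network vswitch standard policy security set "
                   "--vswitch-name=%s %s" % (sw_name, flag))
        if cmd not in commands:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    found = audit(INVENTORY, EXCEPTIONS)
    for item in found:
        print("Accept on %s / %s: %s" % item)
    for cmd in remediation(INVENTORY, found):
        print(cmd)
```

On the sample inventory the Management Network and IDS-Span port groups inherit Accept for MAC changes and forged transmits from vSwitch0, so both findings collapse into two switch-level commands; PHI-App is clean only because it overrides the switch, which is exactly the case the audit has to resolve rather than trust the switch-level view.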
VPNs
Web portals
Mobile browsers
Mobile applications
References
http://www.hipaasurvivalguide.com/hipaa-regulations/164-306.php