
VMware Capacity Planner Security · 2009. 6. 1. · Capacity Planner to maintain the security of...

Date post: 01-Aug-2021

VMware Capacity Planner Security

WHITE PAPER


Contents

Introduction

Software Installed at the Customer Site

Local Network Configuration for Capacity Planner

Data Collection at the Customer Site

Transmitting Data to the Information Warehouse

Data Handling in the Information Warehouse

Appendix A: Inventory and Performance Information Capacity Planner Collects from Windows Hosts

Appendix B: Inventory and Performance Information Capacity Planner Collects from UNIX and Linux Hosts

Appendix C: Information Warehouse Datacenter Security

    Policies and Procedures

    Personnel Control

    Disaster Recovery and Business Continuity

    Physical Security

        Datacenter Construction

        Access Control

        Security Entrance System

        Access Logging

        Closed Circuit Television System

    Network Infrastructure

    Remote Access and VPN

    Firewall and Intrusion Detection and Prevention


Introduction

VMware® Capacity Planner is a business and IT capacity planning tool that provides an integrated set of analysis, planning, and decision support functions to enable faster, measurable, and more accurate infrastructure assessment services.

Delivered as a hosted application service, Capacity Planner enables the consultants working with you — consultants from the VMware Professional Services Organization or from certified VMware partners — to provide comprehensive virtualization and system-consolidation assessments. These assessments help you make smart decisions when virtualizing and consolidating datacenter infrastructure, redeploying strategic IT assets, and optimizing workload capacity utilization.

VMware Capacity Planner is agentless — you do not need to install agent software on the computers that Capacity Planner analyzes. Running from a computer on your local network, Capacity Planner rapidly collects infrastructure data, which is initially stored on your local network, then transmitted securely to the Information Warehouse. Capacity Planner provides you an improved view of your IT environment, delivering critical insights into resource utilization that you can use to drive intelligent infrastructure capacity decisions. And drawing on the growing set of industry reference data in the Information Warehouse, Capacity Planner provides unparalleled comparative analysis and benchmarking to help guide system consolidation and capacity optimization decisions for your enterprise.

VMware understands the sensitivity of detailed data about your IT infrastructure and has designed Capacity Planner to maintain the security of that sensitive data at all times. Capacity Planner is also designed to collect the needed data without compromising the security of your IT environment.

This white paper provides descriptions of the data Capacity Planner collects and of the security measures that protect that data as it is stored, transmitted, and analyzed.

Software Installed at the Customer Site

The consultant managing your Capacity Planner engagement installs the Capacity Planner Data Collector and its graphical user interface, the Capacity Planner Data Manager, on a computer at your site. Each Collector system can monitor approximately 500 systems in the network. Your consultant installs multiple Collector systems if needed.

The Capacity Planner Data Collector is installed on its own, separate computer connected to the same network as the target systems that Capacity Planner analyzes.

Your consultant can configure Capacity Planner to download any available updates for the Collector and the Data Manager automatically over a secure HTTPS connection.

No agents are installed on any of the target systems. Capacity Planner can analyze target systems running Windows, Linux, or UNIX operating systems. For Windows target systems, Capacity Planner identifies the systems and collects data using standard Microsoft interfaces. For UNIX and Linux systems, Capacity Planner uses simple scripts to collect inventory and performance data using Secure Shell (SSH) connections.

The software at the customer site uses the following basic security methods:

Local administrator accounts are required on all Windows target systems.

On Linux and UNIX target systems, root access is required to perform full collection. However, all key metrics required for running consolidation scenarios can be collected using sudo commands.


Accounts are stored and encrypted on the Collector server.

Capacity Planner uses RC4 password encryption with a private key.

Passwords are not shown in clear text in the Manager.

Local Network Configuration for Capacity Planner

The system running the Capacity Planner Data Collector must be able to connect to all the Windows systems it is to analyze using the protocols and ports outlined in Table 1. These ports are general-purpose ports that Windows uses for most of its communications for file and printer sharing and authentication. They include 135, 137 to 139, and 445. The Collector uses these ports to pass credentials to the target systems and to collect data from the target systems.

If the target systems include servers behind firewalls and the needed ports must remain closed, your consultant can install an additional Collector inside the firewall.

Table 1: Microsoft Windows NetBIOS port usage

| Port | Protocol | Service | Description | Windows services that use this port |
| --- | --- | --- | --- | --- |
| 135 | TCP/UDP | Loc-srv/epmap | Microsoft DCE Locator service, also known as end-point mapper. | DHCP Server, DNS Server, WINS Server |
| 137 | TCP/UDP | NetBIOS-ns | NetBIOS names service. Firewall administrators frequently see large numbers of incoming packets to port 137. This traffic is caused by Windows servers that use NetBIOS (as well as DNS) to resolve IP addresses to names using the gethostbyaddr() function. As users behind the firewalls surf Windows-based Web sites, those servers frequently respond with NetBIOS lookups. | WINS Server, DNS Server |
| 138 | TCP/UDP | NetBIOS-dgm | NetBIOS datagram. Used by Windows and by such UNIX services as Samba. It is used primarily by the SMB browser service that collects the information shown in Network Neighborhood on a Windows system. | |
| 139 | TCP/UDP | NetBIOS-ssn | NetBIOS session. Windows file and printer sharing. | |
| 445 | TCP/UDP | DNS | DNS Direct Hosting port. The Windows 2000 and Windows XP redirector and server components support direct hosting for communicating with other computers running Windows 2000 and Windows XP. Direct hosting does not use NetBIOS for name resolution. DNS is used for name resolution, and the Microsoft networking communication is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP and UDP port 445 instead of the NetBIOS session TCP port 139. | |

On UNIX and Linux target systems, the Collector requires access to port 22 for its Secure Shell (SSH) connection.

On Windows target systems, the Collector uses Windows Management Instrumentation control (WMI), the Registry, and Perfmon to collect inventory and performance data. To collect this information, it must connect to the target systems using an account that has at least local administrative rights on the target system. In many environments, the Collector uses a domain administrator account with rights on all or most of the target systems, the most convenient approach if the site’s security policies permit it.

The Collector can use multiple accounts to collect data from domains that do not trust each other.

On UNIX and Linux systems, the Collector runs standard system utilities through an SSH connection, so every UNIX and Linux target system must have the SSH server daemon running and configured properly for a successful connection. Root permissions are required for each UNIX or Linux system. Not having root permissions can result in incomplete data collection while executing the scripts remotely because only accounts with root privileges can run some of the utilities that the collector uses.

All user accounts used in Capacity Planner are stored in a database that is in the Collector installation directory. The passwords are encrypted using 128-bit AES encryption. Passwords are not shown in clear text in the Data Manager interface.

The Collector host also needs Internet access so it can send collected data to the Information Warehouse using HTTPS.

Data Collection at the Customer Site

The Capacity Planner Data Collector systematically discovers domains and potential target systems in those domains, then inventories the target systems to provide data needed to assess capacity and utilization in your IT environment.

The discovery process uses a combination of:

LanMan browser requests

LDAP requests for Active Directory

DNS queries for legacy

IP scanning

The discover task identifies:

Domains

Systems

Workgroups

Active Directory nodes

The fact that the Collector discovers a system or node in your network does not mean that inventory or performance data must be collected from that system or node. Likewise, a node that is inventoried might not have performance data collected from it. The number of discovered nodes is often greater than the number of nodes that are inventoried or the number of nodes on which performance data is collected.

Your consultant can exclude domains from any further processing. In this case, to proceed with inventory or performance data collection from the nodes in an excluded domain, the domain must be re-enabled for that subsequent processing. This setting is used because often a company does not want to inventory or collect performance data on all of the domains in its network. Your consultant can also add domains and systems to the Collector database manually.

The Collector discovers domains using the WNet API (mpr.dll). The WNet API uses the NetBIOS interface implemented by the Microsoft LAN Manager API to enumerate domains and other properties that are useful in Capacity Planner analyses. This API uses ports 135–139. If a WINS server is available, it uses that server. Otherwise, the request is broadcast and the first browser service that responds provides the information.

The Collector discovers potential target systems using netapi32.dll. This API uses the NetBIOS interface implemented by the Microsoft LAN Manager API to enumerate servers of a certain class of system such as workstation, server, SQL Server host, cluster, or IIS host. This API uses ports 135–139. If a WINS server is available, it uses that server. Otherwise, the request is broadcast and the first browser service that responds provides the information.

For Windows target systems, inventory is accomplished using WMI, Registry, and Perfmon API calls. The first thing that happens during inventory collection is mapping an IPC$ resource to the remote system. This is done for authentication and for response time calculations.

After the IPC$ resource is mapped to the remote target system, Collector uses the appropriate inventory method for the target system’s operating system to collect the information needed. The inventory methods include:

WMI — Windows 2000 and Windows XP system data is usually collected using WMI. WMI calls are carried over the standard NetBIOS or Direct Connection communications layers. These communications layers require ports 135 through 139 or 445 to be open.

Remote Registry and Perfmon — Windows NT 4.0 data is collected primarily with Remote Registry calls and Perfmon calls (for memory). These communications layers require ports 135 through 139 to be open.

For UNIX and Linux systems the Collector runs a simple script that runs the uname utility to get the host name and other basic system information.

The inventory collects information on such configuration details as CPU, memory, disk drives, network adapters, software, and services on the target system. (For detailed lists, see Appendix A and Appendix B.) Capacity Planner stores the inventory information on the system that hosts the Data Collector.

Performance information is collected using one of two methods — one method for Windows target systems and the other for Linux and UNIX target systems. The performance collection methods are:

Perfmon — Capacity Planner collects performance data from Windows target systems using the Perfmon API, requiring the establishment of an authenticated connection to any target system from which data is to be collected.

SSH — Capacity Planner collects data from Linux and UNIX target systems using SSH and secure copy (SCP). Two options are available: Your consultant can set the scripts to run on the Collector host system, communicating with the UNIX or Linux target systems over an SSH connection. Or your consultant, working over an SSH connection, can install the scripts on each UNIX or Linux target system. If the scripts run directly on the target systems, they send data to the Collector using SCP.

Capacity Planner stores the performance information on the system that hosts the Data Collector. (For details of performance information that Capacity Planner can collect, see the Capacity Planner Data Collection Guide.) Use your standard file system services to protect the files stored on that local system.


Transmitting Data to the Information Warehouse

After collecting inventory and performance data, Capacity Planner makes the data anonymous, then transmits the data over a secure connection to the Information Warehouse where the Data Analyzer aggregates it.

The inventory consists of data on CPU, RAM, hard drive, network interfaces, chassis, software, and services. Capacity Planner sends information on manufacturer, model, version, and status. The performance information includes counter names and statistics related to those counters. You can see the full list of counters using the performance module options in Data Manager.

The Collector sends the collected data to the VMware datacenter in CSV files via an HTTPS connection using SSL encryption. The CSV files sent from the Collector to the datacenter do not contain usernames, passwords, IP addresses, or share information. The CSV files do contain domain names and server names.

In addition to the standard security offered with data anonymity, your consultant can optionally mask server and domain names before the data is transmitted. If you use this additional masking, Capacity Planner replaces names with a pseudonym to further protect your privacy.
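The name masking and the "no IP addresses or share information" property described above can be checked on the customer side before a file leaves the network. The following Python code is an added example, not VMware's code: the column names, the HMAC-based pseudonym scheme, the key and the sample rows are assumptions made for illustration, because the white paper does not document the CSV layout or how Capacity Planner generates its pseudonyms.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample export. The column names are assumptions: the white paper
# does not publish the layout of the CSV files the Collector sends.
SAMPLE_CSV = r"""domain,server,cpu_model,ram_mb,note
CORP,FILESRV01,Xeon E5430,8192,
CORP,SQLPROD02,Xeon E5430,16384,backup to \\FILESRV01\dumps
LAB,BUILD07,Opteron 2218,4096,mgmt 10.20.30.40
"""

NAME_COLUMNS = {"domain": "DOM", "server": "SRV"}  # column -> pseudonym prefix
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b")
UNC = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")  # \\host\share


def pseudonym(prefix, name, key):
    """Keyed, repeatable pseudonym: the same name and key always give the same label."""
    # NetBIOS and DNS names are case-insensitive, so normalise before hashing.
    digest = hmac.new(key, f"{prefix}:{name.upper()}".encode(), hashlib.sha256)
    return f"{prefix}-{digest.hexdigest()[:12]}"


def mask_export(text, key):
    """Mask the name columns; return (masked_csv, {(column, original): pseudonym})."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    mapping = {}
    for row in reader:
        for column, prefix in NAME_COLUMNS.items():
            original = row[column]
            masked = pseudonym(prefix, original, key)
            mapping[(column, original)] = masked
            row[column] = masked
        writer.writerow(row)
    return out.getvalue(), mapping


def audit_export(text, real_names=()):
    """Return (data_row, column, kind) for each value that should not leave the site."""
    findings = []
    # Plain substring match: very short names can produce false positives.
    names = [n.upper() for n in real_names if n]
    for number, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        for column, value in row.items():
            if not isinstance(value, str):
                continue  # short or over-long row; nothing to scan in this cell
            if IPV4.search(value):
                findings.append((number, column, "ip_address"))
            if UNC.search(value):
                findings.append((number, column, "share_path"))
            if any(n in value.upper() for n in names):
                findings.append((number, column, "real_name"))
    return findings


def demo():
    key = b"per-engagement secret kept on the Collector host"  # constructed key
    masked, mapping = mask_export(SAMPLE_CSV, key)
    return masked, audit_export(masked, [name for _, name in mapping])


if __name__ == "__main__":
    masked_csv, leaks = demo()
    print(masked_csv)
    for leak in leaks:
        print("LEAK", leak)
```

Masking only the name columns is not sufficient on its own: in the constructed sample, a free-text field still carries a share path with a real server name and a management IP address, which is what the audit pass reports.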

After the first set of data is transmitted to the Information Warehouse — usually a manual process after the first round of data collection — Capacity Planner normally synchronizes data automatically every hour. If appropriate, your consultant can set a custom synchronization interval or configure the Collector to use manual synchronization.

The data that Capacity Planner sends to the Information Warehouse includes hardware and software inventory information and performance data. Identifying information such as IP addresses and share names is not sent to the Information Warehouse by default. If appropriate, your consultant can adjust the configuration of the Data Manager to send system-identifiable information such as IP addresses, shares, and serial numbers.

On request, VMware can provide example files that show what kinds of data Capacity Planner collects and what data is transmitted to the Information Warehouse.

Data Handling in the Information Warehouse

All client data sent to the Information Warehouse is stored in a secure environment. Firewalls and intrusion prevention systems in the VMware datacenter protect all customer data stored in the Information Warehouse from unauthorized access. See Appendix C for details of the security measures in effect at VMware datacenters to protect data in the Information Warehouse.

Each customer’s data is stored under a unique identifier known as a corporate code. A unique account and password must be created to access the data. The accounts are created only for authorized users specified by the customer. VMware support and sales teams also have access to the data if they are engaged with the customer or project and the customer or customer’s representative has granted them access. All access to a company's data is audited. Your administrator can review the audit records at any time.

Capacity Planner uses anonymous inventory and performance data from all customers to provide valuable analysis to all users of the product. Capacity Planner removes all unique information such as system names from the data used for this analysis. Capacity Planner uses inventory data to describe configuration and uses performance data to compare your environment’s performance to industry averages. None of the data used in the research features can be traced back to a specific customer.

Data is retained and available until it is archived after one year.


The data collected during the current year is kept at the weekly level. After one year, data is archived and no longer available online. Archives are retained for five years and contain only raw files. The archived files contain all the company’s data.

Communications between the Information Warehouse and the Dashboard use an HTTPS connection.

In the event of a data security breach with critical consequences, VMware will publish a Dashboard News item and notify the appropriate parties.


Appendix A: Inventory and Performance Information Capacity Planner Collects from Windows Hosts

The tables in this appendix summarize the key types of information Capacity Planner collects from Windows hosts. VMware will provide an example inventory file upon request.

Table 2: Server information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Host name | Yes | Yes | Yes | Yes |
| Domain name | Yes | Yes | Yes | Yes |
| Domain type | Yes | Yes | Yes | Yes |
| System partition | Yes | Yes | Yes | No |
| Boot directory | Yes | Yes | Yes | No |
| Path environment setting | Yes | No | Yes | No |
| Legal notice caption | Yes | No | Yes | No |
| Legal notice text | Yes | No | Yes | No |
| Auto logon setting | Yes | No | Yes | No |
| Shutdown with logon setting | Yes | No | Yes | No |
| Server type | Yes | Yes | Yes | Yes |
| Server serial number | Yes | Yes | Yes | Yes |

Table 3: Operating system information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Operating system manufacturer | Yes | Yes | Yes | Yes |
| Operating system version / release / service pack | Yes | Yes | Yes | Yes |


Table 4: Motherboard and chassis information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Chassis manufacturer | Yes | Yes | Yes | Yes |
| Chassis model | Yes | Yes | Yes | Yes |
| Chassis BIOS make | Yes | No | Yes | Yes |
| BIOS version | Yes | Yes | Yes | No |
| BIOS date | Yes | Yes | Yes | No |
| Chassis maximum installable RAM | Yes | Yes | Yes | Yes |
| Chassis number of RAM slots | Yes | Yes | Yes | Yes |
| Chassis RAM type | Yes | Yes | Yes | Yes |
| Chassis maximum installable CPUs | Yes | Yes | Yes | Yes |
| Chassis CPU type | Yes | Yes | Yes | Yes |
| Chassis number of PCI slots | Yes | Yes | Yes | Yes |

Table 5: CPU information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| CPU description | Yes | Yes | Yes | Yes |
| CPU manufacturer | Yes | Yes | Yes | Yes |
| CPU model | Yes | Yes | Yes | Yes |
| CPU current speed | No | Yes | Yes | Yes |
| CPU maximum rated speed | Yes | Yes | Yes | Yes |
| CPU front side bus speed | No | Yes | Yes | Yes |
| CPU cache size | Yes | Yes | Yes | Yes |
| CPU slot number | Yes | Yes | Yes | Yes |
| CPU feature set | No | Yes | Yes | No |


Table 6: RAM information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| RAM manufacturer | No | Yes | Yes | Yes |
| RAM model | No | Yes | Yes | Yes |
| RAM size | Yes | Yes | Yes | Yes |
| RAM speed | No | Yes | Yes | Yes |
| RAM type | No | Yes | Yes | Yes |
| RAM form factor | No | Yes | Yes | Yes |
| RAM data width | No | Yes | Yes | Yes |
| RAM total width | No | Yes | Yes | Yes |
| RAM slot number | No | Yes | Yes | Yes |
| RAM serial number | No | Yes | Yes | No |

Table 7: Drive adapter information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Drive adapter manufacturer | Yes | Yes | Yes | Yes |
| Drive adapter model | Yes | Yes | Yes | Yes |
| Drive adapter speed | No | No | Yes | Yes |
| Drive adapter type | Yes | Yes | Yes | Yes |

Table 8: Drive information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Drive manufacturer | Yes | Yes | Yes | Yes |
| Drive model | Yes | Yes | Yes | Yes |
| Drive type | Yes | Yes | Yes | Yes |
| Drive space | No | Yes | Yes | Yes |
| Drive adapter attached | Yes | Yes | Yes | No |
| SCSI adapter attached | Yes | Yes | Yes | Yes |
| Drive unit number | Yes | Yes | Yes | No |


Table 9: Network adapter information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Network adapter manufacturer | Yes | Yes | Yes | Yes |
| Network adapter model | Yes | Yes | Yes | Yes |
| Network adapter speed | Yes | Yes | Yes | Yes |
| Network adapter type | Yes | Yes | Yes | Yes |
| Network adapter MAC address | Yes | Yes | Yes | Yes |
| Network adapter IP address | Yes | No | Yes | No |
| Network adapter address type (dynamic, static) | Yes | No | Yes | Yes |
| Network adapter cable type | Yes | Yes | Yes | Yes |

Table 10: Application information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Application manufacturer | Yes | Yes | Yes | Yes |
| Application name | Yes | Yes | Yes | Yes |
| Application display version | Yes | Yes | Yes | Yes |
| Application major version | Yes | Yes | Yes | Yes |
| Application minor version | Yes | Yes | Yes | Yes |
| Application patch level | Yes | Yes | Yes | Yes |
| Application build number | Yes | Yes | Yes | Yes |
| Application registered company | Yes | No | Yes | Yes |
| Application registered owner | Yes | No | Yes | Yes |
| Application product ID | Yes | Yes | Yes | Yes |
| Application installation date | Yes | Yes | Yes | Yes |
| Application installation location | Yes | Yes | Yes | Yes |
| Application installation source | Yes | Yes | Yes | Yes |
| Application estimated size | Yes | No | Yes | No |


Table 11: Services information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Service name | Yes | Yes | Yes | Yes |
| Service display name | Yes | Yes | Yes | Yes |
| Service description | Yes | Yes | Yes | Yes |
| Service startup type | Yes | Yes | Yes | Yes |
| Service status | Yes | Yes | Yes | Yes |

Table 12: Shares information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Share net name | Yes | Yes | Yes | No |
| Share type | Yes | Yes | Yes | No |
| Share remark | Yes | Yes | Yes | No |
| Share permissions | Yes | Yes | Yes | No |
| Share maximum users | Yes | Yes | Yes | No |
| Share path | Yes | Yes | Yes | No |
| Share current users | Yes | No | Yes | No |

Table 13: Logical volume information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Logical volume path | Yes | No | Yes | Yes |
| Logical volume file system | Yes | Yes | Yes | Yes |
| Logical volume size | Yes | Yes | Yes | Yes |
| Logical volume free space | Yes | Yes | Yes | Yes |
| Logical volume drive type | Yes | Yes | Yes | No |
| Logical volume media type | No | Yes | Yes | No |
| Logical volume compressed status | Yes | Yes | Yes | No |


Table 14: Printer information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Printer manufacturer | Yes | No | Yes | Yes |
| Printer model | Yes | Yes | Yes | Yes |
| Printer queue path | Yes | Yes | Yes | No |
| Printer port | Yes | Yes | Yes | No |
| Printer type (local or remote) | Yes | Yes | Yes | Yes |

Table 15: PnP device information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| PnP name | Yes | Yes | Yes | Yes |
| PnP type | Yes | Yes | Yes | Yes |
| PnP path | Yes | Yes | Yes | Yes |

Table 16: Video card information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Video card manufacturer | Yes | Yes | Yes | Yes |
| Video card model | Yes | Yes | Yes | Yes |
| Video card memory | Yes | Yes | Yes | Yes |
| Video card maximum resolution | No | Yes | Yes | No |
| Video card current resolution | Yes | Yes | Yes | No |
| Video card maximum color depth | No | Yes | Yes | No |
| Video card current color depth | Yes | Yes | Yes | No |
| Video card support for 3-D | Yes | Yes | Yes | Yes |
| Video card monitors supported | No | Yes | Yes | No |
| Video card monitors attached | Yes | Yes | Yes | Yes |


Table 17: Page file information

| Setting | Registry | WMI | Viewable in the Data Manager | Viewable in the Capacity Planner Dashboard |
| --- | --- | --- | --- | --- |
| Page file initial size | Yes | Yes | Yes | No |
| Page file current size | No | Yes | Yes | No |
| Page file maximum size | Yes | Yes | Yes | No |
| Page file location | Yes | Yes | Yes | No |

Table 18: VMware View performance counters

| Perfmon Class | Perfmon Metric | Perfmon Instance |
| --- | --- | --- |
| Process | Private bytes | * |
| Process | Working set | * |
| Process | Elapsed time | * |
| Process | % processor time | * |
| Process | % user time | * |
| Process | Elapsed time | * |
| Server | Logon total | N/A |

Table 19: Performance counters used for Consolidation

| Perfmon Class | Perfmon Metric | Perfmon Instance |
| --- | --- | --- |
| System | Processor queue length | N/A |
| Processor | % processor time | * |
| Memory | Pages/sec | N/A |
| Memory | Available bytes | N/A |
| Memory | Cache bytes | N/A |
| Paging file | % usage | _Total |
| Physical disk | Disk bytes/sec | * |
| Physical disk | Disk transfers/sec | * |
| Server | Bytes total/sec | N/A |


Appendix B: Inventory and Performance Information Capacity Planner Collects from UNIX and Linux Hosts

The tables in this appendix summarize the tools Capacity Planner uses to collect information from UNIX and Linux hosts and the key types of information it collects. VMware will provide an example inventory file upon request.

Table 20: Tools that collect inventory information

| Information Type | Operating System | Utilities and Files |
| --- | --- | --- |
| System | HP-UX | getconf, cstm, uname, /stand/bootconf, /etc/resolv.conf |
| System | Solaris | uname, /etc/resolv.conf, isainfo |
| System | Linux, VMware ESX | uname, /etc/resolv.conf |
| System | AIX | uname, /etc/environment |
| Application | HP-UX PA-RISC | swlist |
| Application | Linux, VMware ESX | rpm |
| Application | Solaris | pkginfo |
| Application | AIX | lslpp |
| Chassis | HP-UX | getconf, ioscan |
| Chassis | Linux, VMware ESX | dmesg, dmidecode |
| Chassis | Solaris | prtdiag, psrinfo, prtpicl |
| Chassis | AIX | uname, lsattr |
| CPU | HP-UX | machinfo, cstm, ioscan, adb, getconf, model |
| CPU | Linux | /proc/cpuinfo, dmidecode |
| CPU | VMware ESX | /proc/vmware/sched/ncpus, /proc/cpuinfo, dmidecode |
| CPU | Solaris | psrinfo, prtpicl, prtdiag, isainfo |
| CPU | AIX | lsdev, lsattr |
| Memory | HP-UX | getconf, cstm |
| Memory | Linux, VMware ESX | /proc/meminfo, dmidecode |
| Memory | Solaris | prtconf |
| Memory | AIX | lsdev, lsattr |
| Disk | Linux, VMware ESX | /proc/scsi, /proc/ide, /proc/driver/cciss, fdisk, hdparm, dmesg, /proc/partitions |
| Disk | HP-UX | ioscan, diskinfo |
| Disk | Solaris | df, prtvtoc, basename, iostat |
| Disk | AIX | lsdev, lscfg, lsparent, lsattr, bootinfo |
| Drive adapters | Linux, VMware ESX | /proc/scsi, /proc/ide, /proc/driver/cciss |
| Drive adapters | HP-UX | ioscan |
| Drive adapters | Solaris | prtdiag, prtpicl |
| Drive adapters | AIX | lsparent |
| Network | HP-UX | lanadmin, lanscan, netstat |
| Network | Linux, VMware ESX | ifconfig, dmesg, ethtool, mii-tool, lsdev, /proc/interrupts, lspci |
| Network | Solaris | ifconfig, kstat, ndd, dmesg |
| Network | AIX | ifconfig, entstat |
| File systems | HP-UX | bdf, /etc/mnttab |
| File systems | Linux, VMware ESX | df, /etc/mtab |
| File systems | Solaris | df, /etc/mnttab |
| File systems | AIX | df, /etc/filesystems |
| Exports | All | showmount |
| Daemons | All | /etc/inetd.conf |
| Daemons | Linux | /etc/rc.d/rc[runlevel].d |


Table 21: Tools that collect performance information

| Information Type | Operating System | Utilities and Files |
| --- | --- | --- |
| System | All | vmstat, ps, users, uptime |
| Memory | HP-UX PA-RISC, Solaris | vmstat |
| Memory | Linux, VMware ESX | vmstat, /proc/stat |
| Memory | AIX | vmstat, pagesize |
| Processor | All | vmstat |
| Logical disk | HP-UX | bdf |
| Logical disk | Solaris, Linux, VMware ESX, AIX | df |
| Page file | HP-UX | swapinfo |
| Page file | Linux, VMware ESX | /proc/swaps |
| Page file | Solaris | swap |
| Page file | AIX | lsps |
| Physical disk | Linux, VMware ESX | /proc/partitions, vmstat, /proc/diskstats |
| Physical disk | HP-UX | iostat, vmstat |
| Physical disk | Solaris, AIX | iostat |
| Network interface | Linux, VMware ESX | /proc/net/dev |
| Network interface | HP-UX | netstat, lanscan |
| Network interface | Solaris | netstat, kstat |
| Network interface | AIX | netstat, ifconfig |
| Process | All | ps |


Table 22: APP object properties (describes installed applications on the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DAPP_Description | Product description | Describes what the product does. |
| DAPP_DisplayVersion | Version string | Full product version string. |
| DAPP_MajorVersion | Major version number | Major product version number, which is usually the first number of the version string. |
| DAPP_MinorVersion | Minor version number | Minor product version number, which is usually the second number of the version string. |
| DAPP_Name | Product string name | Product display name. |
| DAPP_PatchLevel | Patch level or maintenance number | Patch level or maintenance number for the product, which is usually the remainder of the version string. |
| DAPP_Producer | Company string | Name of the manufacturer that developed or packaged the application. |
| DAPP_Type | App | The table that stores application information. Also used for operating system information. |
| ISA_EstimatedSize | Bytes number | Size in bytes of the installed application. Usually the size at installation. |
| ISA_Identity | Identity string | Used to uniquely identify the application. |
| ISA_InstallLoc | Path string | Location of installed application. |
| ISA_ProductID | | Can be the serial number of the application or a tag used by some UNIX software installers. |

Table 23: CONTROL object properties (tells the import engine about the information that follows)

| Property Name | Value | Description |
| --- | --- | --- |
| DATE | Date Time | Date the file was generated. |
| FILETYPE | Inv, Perf | A tag the engine reads to control processing so that the inventory module only processes inventory and so on. |
| HOSTNAME | Hostname string | Used to visually identify the system. |
| ISRV_Type | 2048, 32768 | Number that tells VMware what kind of system is being managed. |
| NISDOMAIN | NIS domain string | NIS domain of the system. |
| RUNBY | | User information for the user who ran the script to generate the output. Useful for debugging. In UNIX, use the id command. |
| TIMESTAMP | Date-Timestamp | Time stamp showing when the file was generated. |
| UNAME | uname -a | Full uname (UNIX) output for the system. |
| UNIQID | Unique ID string | A unique ID that identifies the system. If provided, it is used to identify the system instead of the host name. If you do not provide a unique ID, you might overwrite an existing host name. If you have no unique ID, use an FQDN host name. |
| VERSION | 100 | Import file format version. |
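The UNIQID entry in Table 23 means that a record without a unique ID is identified by its host name, so two machines sharing a short host name can overwrite each other on import. The pre-import check below is an added example, not VMware's code: it assumes each CONTROL object has already been parsed into a dict keyed by the Table 23 property names (the file layout itself is not described in this paper), and every host record in it is constructed.

```python
"""Pre-import check on CONTROL records: who would overwrite whom? (added example)"""
import re
from collections import defaultdict

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_fqdn(name):
    """True for a dotted host name with valid labels (not a bare name or an IP)."""
    labels = name.strip().lower().rstrip(".").split(".")
    return (len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def import_key(control):
    """Identify a system as Table 23 describes: UNIQID if given, else host name.

    Assumption: host names are compared case-insensitively.
    """
    uniqid = (control.get("UNIQID") or "").strip()
    if uniqid:
        return ("UNIQID", uniqid)
    return ("HOSTNAME", (control.get("HOSTNAME") or "").strip().lower())


def audit_controls(records):
    """Report keys shared by different machines and host-name keys that are not FQDNs."""
    seen = defaultdict(set)   # import key -> distinct machine fingerprints
    not_fqdn = set()
    for rec in records:
        key = import_key(rec)
        # Assumption: NIS domain plus the uname -a string tells two machines
        # apart; the Inv and Perf files from one host share this fingerprint.
        seen[key].add((rec.get("NISDOMAIN", ""), rec.get("UNAME", "")))
        if key[0] == "HOSTNAME" and not is_fqdn(key[1]):
            not_fqdn.add(key[1])
    collisions = {k: sorted(fps) for k, fps in seen.items() if len(fps) > 1}
    return {"collisions": collisions, "not_fqdn": sorted(not_fqdn)}


# Constructed sample records (not taken from a real inventory file).
SAMPLE_RECORDS = [
    {"HOSTNAME": "db01", "NISDOMAIN": "eng", "FILETYPE": "Inv",
     "UNAME": "Linux db01 2.6.18 x86_64"},
    {"HOSTNAME": "db01", "NISDOMAIN": "eng", "FILETYPE": "Perf",
     "UNAME": "Linux db01 2.6.18 x86_64"},          # same machine, second file
    {"HOSTNAME": "DB01", "NISDOMAIN": "finance", "FILETYPE": "Inv",
     "UNAME": "SunOS db01 5.10 sun4u"},             # different machine, same name
    {"HOSTNAME": "web01.example.com", "NISDOMAIN": "eng", "FILETYPE": "Inv",
     "UNAME": "Linux web01 2.6.18 x86_64"},         # FQDN, no UNIQID needed
    {"HOSTNAME": "app01", "UNIQID": "CONSTRUCTED-0001", "NISDOMAIN": "eng",
     "FILETYPE": "Inv", "UNAME": "AIX app01 3 5"},
    {"HOSTNAME": "app01", "UNIQID": "CONSTRUCTED-0002", "NISDOMAIN": "finance",
     "FILETYPE": "Inv", "UNAME": "AIX app01 3 5"},  # same name, distinct UNIQID
]

if __name__ == "__main__":
    report = audit_controls(SAMPLE_RECORDS)
    for key, machines in report["collisions"].items():
        print("overwrite risk:", key, "used by", len(machines), "machines")
    for host in report["not_fqdn"]:
        print("no UNIQID and not an FQDN:", host)
```

The two app01 hosts do not collide because each supplies its own UNIQID, which is the outcome the table's note recommends.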


Table 24: CPU object properties (describes the processors installed in the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DCPU_Desc | CPU description string | Full description of the installed CPU. |
| DCPU_Family | CPU family number | Family number of the CPU. The Intel Pentium through Pentium III are 6. The Pentium IV is 15. |
| DCPU_Flags | CPU flags string | On Linux systems, the serial number in text form. |
| DCPU_Make | Manufacturer string | Manufacturer name of the CPU. |
| DCPU_Model | CPU model string | The combined string of all the model numbers that describe the processor. |
| DCPU_ModelNum | CPU model number | Model number of the CPU. |
| DCPU_PrimCacheData | Primary data cache size number | Size in KB of the primary data cache. |
| DCPU_PrimCacheInst | Primary instruction cache size number | Size in KB of the primary instruction cache. |
| DCPU_RatedSpeed | CPU rated speed number | Designed maximum processor speed. |
| DCPU_SecCacheSize | Secondary cache size number | Size in KB of the secondary cache. |
| DCPU_Stepping | CPU stepping number | Represents any small change in CPU manufacturing. |
| ISC_CurrCPUSpeed | Current CPU speed number | Current speed of the processor. |
| ISC_Identity | CPU identity string | Unique number that identifies the CPU installed on the system. |
| ISC_SerialNumber | Serial number string | A serialized string of functionality. In Windows, this number describes the feature set of the CPU. |
| ISC_SlotNumber | CPU slot number | Slot number that holds the CPU. |

Table 25: DAEMON object properties (describes the defined init.d, rc.d, or Microsoft Windows services on the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DSVC_Description | Description string | Description of the service or daemon. |
| DSVC_DisplayName | Name string | Display name of the service or daemon that is displayed in the UI. |
| DSVC_Name | Name string | Actual name of the service or daemon that the system references. Usually unique without spaces. |
| ISS_ExePath | Binary path string | Full path to the binary that the service or daemon is calling. |
| ISS_Identity | Identity string | Unique string that identifies the service or daemon on the system. |
| ISS_IsActive | Active bit (0 or 1) | Indicator that the service or daemon is still running. Not always possible on UNIX. |
| ISS_Status | Status string | Current status of the service or daemon. On Windows, a service can be in a predefined state: stopped, stopping, started, starting, or paused. On UNIX, the status is a string returned from a status call. |


Table 26: DISKINFO object properties (describes the physical drives or RAID arrays installed in the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DDR_Cache | Drive cache size number | Size of drive buffer cache in KB. |
| DDR_IntType | SCSI, IDE, SATA | Drive adapter type string. Any string can be used, but for consistency, you should try to use one of the specified values. |
| DDR_Make | Drive make string | Manufacturer name of drive. |
| DDR_Model | Drive model string | Model name of drive. |
| DDR_Space | Drive size string | Size of drive in GB as seen by the operating system. |
| DDR_TotalCyl | Drive total cylinder number | Total number of cylinders that the drive reports to the operating system. |
| DDR_TotalHeads | Drive total heads number | Total number of heads that the drive reports to the operating system. |
| DDR_TotalSectors | Drive total sectors number | Total number of sectors that the drive reports to the operating system. |
| ISDR_CurIntSpeed | Drive current interface speed number | Interface speed in MHz that was negotiated between the drive adapter and the drive. Normally the best speed of the slowest component but can be overridden by the operating system to a slower speed. |
| ISDR_Identity | Drive identity string | Unique number that identifies the installed drive. |
| ISDR_ISDA_Identity | Drive adapter identity string | Attached drive adapter unique string. |
| ISDR_Type | disk, cdrom | |

Table 27: DRIVEADPT object properties (describes the drive adapters installed in the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DDA_Make | Drive adapter | Manufacturer name of the drive adapter. |
| DDA_MaxSpeed | Maximum speed number | Maximum speed in MB/sec of the drive adapter interface. |
| DDA_Model | Model string | Model name of the drive adapter. |
| DDA_Type | SCSI, IDE, SATA | Drive adapter type string. Any string can be used, but for consistency, you should try to use one of the specified values. |
| ISDA_BusNumber | Bus number | Bus number where the drive adapter is positioned. |
| ISDA_Identity | Drive adapter identity string | Unique number that identifies the drive adapter installed on the system. |


Table 28: Exports object properties (describes the exported or shared directories on the system)

| Property Name | Value | Description |
| --- | --- | --- |
| ISSH_Identity | Identity string | Unique string that identifies an exported directory. |
| ISSH_NetName | NetName string | Share name that is published on the network. On UNIX, this is the same name as the shared directory. |
| ISSH_Path | Path string | Full path of the share. |
| ISSH_Type | NFS, WIN | Share type string. |
| ISSH_Permissions | Permissions string | Share permissions string. Shows the access restrictions to the share. A number on Windows. |

Table 29: FILESYS object properties (describes the found file systems currently defined on the system)

| Property Name | Value | Description |
| --- | --- | --- |
| ISFA_Type | RAM slot number | Format of the file system. |
| ISFS_Identity | Identity string | Identity string to uniquely identify the file system. |
| ISFS_Path | Path string | Mount point. |
| ISFS_Size | File system size number | Disk space in bytes on the file system. |
| ISFS_SpaceFree | File system available space number | Space in bytes available on the file system. |

Table 30: Group object properties (describes the groups of which the system is a member)

| Property Name | Value | Description |
| --- | --- | --- |
| CG_Name | Group name string | Name of the domain or group that the system belongs to. |
| CGT_Name | Group type name string | Type of group. Has to be one of the valid group types. |

Table 31: MOTHERBOARD object properties (describes the chassis and motherboard used in the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DCH_CPUTypeList | CPU types string | Types of CPUs that this motherboard supports. |
| DCH_Make | Manufacturer string | Name of the manufacturer of the chassis or motherboard. |
| DCH_Model | Model string | Name of the motherboard or chassis model. |


Table 32: NETWORK object properties (describes the physical and virtual network interfaces on the system)

| Property Name | Value | Description |
| --- | --- | --- |
| DNIC_Model | NIC model string | Model name of the network adapter. |
| DNIC_Type | Network medium string | Network medium in use. |
| ISN_CurSpeed | NIC current speed number | Bandwidth in bits per second. |
| ISN_Identity | Identity string | Identity string to uniquely identify the network adapter. |
| SN_IPAddrType | Static, dynamic | String indicating whether the IP address is static or dynamic. |
| ISN_IPAddress | IP address string | Comma-separated string of all of the IP addresses associated with the network adapter. |
| ISN_MACAddress | MAC address string | Media access control address for the network adapter. |

Table 33: OS object properties (describes the operating system currently running on the target machine)

| Property Name | Value | Description |
| --- | --- | --- |
| DAPP_DisplayVersion | Version string | Full operating system version string. |
| DAPP_MajorVersion | Major version number | Major operating system version number, which is usually the first number of the version string. |
| DAPP_MinorVersion | Minor version number | Minor operating system version number, which is usually the second number of the version string. |
| DAPP_Name | Product name string | Display name of the operating system. |
| DAPP_PatchLevel | Patch level or maintenance number | Patch level or maintenance number for the operating system, which is usually the remainder of the version string. |
| DAPP_Producer | Company string | Name of the manufacturer that developed or packaged the operating system. |
| DAPP_Type | Operating system | Operating system information, stored in the application information table. |
| ISA_Identity | Identity string | Uniquely identifies the operating system. |
| ISA_InstallLoc | Path string | File system path where the operating system is installed. |


Table 34: PERF object properties (contains detailed performance data collected during a single collection run)

| Property Name | Value | Description |
| --- | --- | --- |
| PERD_CounterAvg | Sample average number | Average of all the samples taken during collection. |
| PERD_CounterInterval | Sample interval number | Interval in seconds between each sample. |
| PERD_CounterMax | Sample maximum number | Maximum value observed during collection. |
| PERD_CounterMin | Sample minimum number | Minimum value observed during collection. |
| PERD_CounterSamples | Sample count number | Number of samples taken during collection. |
| PERD_CounterTime | Timestamp number | When collection started. |
| PERS_Active | Active flag bit | Indicates that the summary counter is active. Inactive performance objects are either grayed out or hidden in the Data Manager. |
| PERS_ClassName | Class name string | Resembles a group name of similar performance data. |
| PERS_InstanceName | Instance name string | Represents distinct performance objects of the same class. If the class does not have instances, the instance name can be left blank or removed from the output. |
| PERS_MetricName | Metric name string | The actual system resource that the performance data represents. |
| PERS_Type | Type number | Indicates the type of object that generated this performance summary record: Perfmon=0, Registry=1, WMI=2, Script=3, SNMP=4. |

Table 35: RAM object properties (describes the physical memory installed in the system or the virtual memory allocated to a virtual system)

| Property Name | Value | Description |
| --- | --- | --- |
| DRAM_Size | RAM size | Size in MB of the RAM module. |
| ISR_Identity | Identity string | Types of CPUs this motherboard supports. |
| ISR_SlotNumber | RAM slot number | Slot number that holds the RAM module. |


Table 36: SYSTEM object properties (describes how the system is configured)

| Property Name | Value | Description |
| --- | --- | --- |
| ISRV_ActiveName | Host name string | Microsoft Windows supports having a different active (NETBIOS) name than the IP host name. |
| ISRV_ComputerName | Host name string | Microsoft Windows supports having a different computer NETBIOS name than the IP host name. |
| ISRV_CurrentLocale | Current locale number | Locale that was negotiated while collection occurred. |
| ISRV_DateTime | Date time string | Date that the file was generated. |
| ISRV_DisplayName | Host name string | Alternate display name for the system. |
| ISRV_HostName | Host name string | Used to visually identify the system. Derived from the actual host name. |
| ISRV_InstallLocale | Install locale number | Locale that was chosen during the installation. Applies more to Windows than UNIX. US English is 1033. |
| ISRV_Path | Path string | Complete PATH string for the operating system, which uses it to search for application names when executed. |
| ISRV_Type | 2048, 32768 | The kind of system being managed. The number for UNIX, Linux, and Xenix is 2048. |


Appendix C: Information Warehouse Datacenter Security

VMware maintains multiple levels of datacenter security to protect the data in the Capacity Planner Information Warehouse. This appendix summarizes those datacenter security measures.

Policies and Procedures

The CIO and IT management are directly responsible for network, system, and overall information security.

VMware staff dedicated to information security includes IT management and a security engineer. They are responsible for:

Security awareness

Policy enforcement

Risk evaluation

Risk mitigation

Regulatory compliance

Policies and procedures covering the following areas are in effect:

HR practices

Authorized or acceptable use of networked services

Use of corporate email, intranet, and Internet

Password management

Software and hardware acquisition

Change management

Encryption policy and standards

Security related incident response and handling

Data handling policy (including data use, data storage, and destruction of sensitive data)

Third-party access and remote access

Personnel Control

All datacenter employees undergo a careful background check that includes the following:

Verification of prior employment

Criminal records search for current county and state of residence

Status to work in the United States through compliance with the Immigration and Naturalization Service I-9 process


Datacenter employees in security sensitive positions undergo additional screening that includes criminal conviction screening through an authorized background-reporting agency. The background screen covers a seven-year period and includes all locations in which the employee resided during that period. The background screen includes an additional screen referred to as a government list screen. The government list screen includes the following lists published by the US government:

Department of State: Arms Export Control Debarment List

Department of State: Proliferation List

Department of Commerce: Denied Parties List

Department of Commerce: Entities List

Department of Treasury: Specially Designated National List

Physical security and perimeter controls at the datacenter facilities housing the Information Warehouse data control who has access to the facilities. Those controls include the following:

Security cameras

Biometric hand scanners

Employee identification cards or badges

Visitor identification cards or badges

Monitoring and escorts for visitors passing through critical parts of the company

Disaster Recovery and Business Continuity

VMware has a disaster recovery and business continuity plan for the datacenter where the Information Warehouse data is stored. The backup and restore plans are tested quarterly using a paper walkthrough.

Recovery procedures are tested for efficacy. Manual backup and restore procedures are documented and practiced in case the automatic backup fails.

Estimated time to restore services is 72 hours in case of a major disaster.

Physical Security

The security and integrity of each datacenter where Information Warehouse data is stored is achieved and maintained by robust facility construction, comprehensive access controls, video surveillance monitoring, 24-hour personnel, and comprehensive policies and procedures.

Datacenter Construction

Critical exterior perimeter walls, doors and windows are constructed of materials that afford UL standard #752, level V ballistic protection.


Access Control

The datacenters use an automated access control system that supports a networked card reader and alarm system. The access control system uses proximity card readers to control access into perimeter doors, shipping and receiving areas, storerooms, and other critical areas. Biometric hand scanners are installed to control access into the most critical areas (network control center, telecommunications node room, and customer vaults). Additional access control measures include:

All datacenters have signs designating them controlled access areas

Mission-critical areas within each data center are designated as restricted

Access into each datacenter and restricted area is controlled by biometric hand scanners and is limited to authorized personnel

Employee card access badges — or contractor or visitor badges — are required to gain entry

All employees, customers, vendors, contractors and visitors must be sponsored by a preapproved sponsor in order to gain access

Security Entrance System

An automated security entrance system controls datacenter access. The system includes the following key features:

The weight system is designed to physically limit access to one person at a time, preventing tailgating

Anti–pass-back prohibits one person from handing off an access badge to someone waiting to enter

Entrances are monitored and recorded by CCTV 24/7 by the security control room

Entrances have integrated metal and explosive detection

Entrances have a two-way audio intercom to the security control room

Entrances have UL-rated ballistic protection

Entrances have intrusion and tampering alarms monitored by the security control room

Integrated card access and biometric access control systems limit access to persons who are verified by hand geometry

Entrance security systems have dedicated UPS and standby emergency power (generator)

Entrances have level V ballistic protection

Entrances are ADA compliant

Access Logging

All datacenters have computer-based enterprise-wide access control systems, used to track all visitors who have datacenter badges. This system logs the identity of each individual and the time that person entered the datacenter. It does not log who goes out, because current fire code prohibits “locking” individuals in datacenters.

Closed Circuit Television System

Datacenter security employs an extensive closed circuit television system to monitor the exterior and interior of each datacenter. Exterior cameras provide views of critical support equipment and perimeter doors. Interior cameras are positioned to monitor all datacenter aisles, requests for entry (and actual entry) into the datacenter, shipping and receiving areas, high-security vaults, and the datacenter lobby. All cameras are recorded on digital video recorders, 24/7.

Network Infrastructure

The following network infrastructure measures protect Information Warehouse data:

Up-to-date network infrastructure and administration procedures

Perimeter scanning and monitoring performed internally

All routers configured with access control lists to allow only specific traffic to pass through

Access to your routers allowed via their console ports only

All networking devices at the latest patch level

Procedure in place to keep track of announcement of vulnerability patches for networking devices

Default passwords changed on networking devices

Controls governing the change frequency and distribution of administrative access to network infrastructure

No wireless access to the network

Intrusion prevention and detection systems, including:

HIDS

NIDS

Rogue device and services detection

Remote Access and VPN

Remote access to and remote control of the network connected to the Information Warehouse is protected by all of the following:

RADIUS/TACACS

User ID and password

Token-based access control

SSL certificates

Supervisory and administrative functions are not allowed over unencrypted external links.

VMware collects and reviews audit log data on remote access to the network.


Firewall and Intrusion Detection and Prevention

The following measures are in place to detect and prevent intrusion:

Security team keeps track of all known vulnerabilities

Deployment of an intrusion detection system is in process

Incident response team in place

Firewall servers protect the network

Internet-facing systems are behind a firewall that protects against network-based denial of service attacks, blocks ports that are not required for external access, and protects against other network attacks

No other applications (such as DNS) run on the firewall server

Firewall configurations are reviewed every two months
