At a previous job, I had to configure an ESXi server for the first time. It was the first time I had ever built and configured one. Additionally, it was the first time my former employer was using ESXi, so I had to design and engineer the solution, then implement it.

In order to allow future employees to build and operate the server, I wrote an informal operations guide. I just edited that document to make it more generic and I posted it in the File Collection portion of this site. It's a very rough guide, but it also includes a lot of step-by-step pictures.

The one piece that I took out of the guide was the part about networking. While no ESXi operations guide is complete without a networking component since it's integral to the operation of the guest VMs, I simply did not have time to customize that part of the document. ESXi networking can be complicated and the manner in which it needed to be setup for my former employer was extremely complicated, but it was very interesting and I believe others will find the setup useful as well. Therefore I'm splitting that out into a separate blog post, or potentially an additional operations guide, which will be coming.

I wrote an email tonight to a friend of mine who had a question about potential Russian cyberattacks and the differences between a regular DDoS attack and something like Stuxnet. Obviously, an email to a friend is pretty informal and the details about Stuxnet here are completely from memory, but this is accurate to the best of my recollection. For context, my friend had said he thought DDoS was like a medieval siege attack and Stuxnet was more like a targeted terrorist attack. I thought some others might find it interesting at least:

 

I’ve never heard a DDoS attack be described that way, but that’s actually a pretty accurate characterization. As for Stuxnet being like a targeted terrorist strike, I would say it was more of a targeted special operations surgical strike (terrorist strikes are specifically designed to cause mass terror, not necessarily disable/kill infrastructure/capability/personnel of the enemy force as surgical special operations are).

DDoS stands for Distributed Denial of Service. The point is to flood the servers with so much traffic that they are incapable of accepting new connections or responding to any connections that do occur. Either all of the resources of the server are consumed or the pipe leading to the servers is completely filled up, meaning there is not enough bandwidth to handle the incoming traffic. These used to just be DoS attacks, but the “distributed” part came about when pipes got wider (more bandwidth for connections) and servers got beefier (they now have more resources to handle many connections at once). Now, attackers use various methods to recruit a large number of source machines to send traffic toward the victim. As for being just a hacker protest tactic, that’s not completely true. That’s probably its most well-known usage, but DDoS attacks are widely used in digital “protection” rackets, just like the old world Mafia had. Sites that absolutely need to be available at certain times but who also don’t want a lot of attention from authorities, such as gambling websites during the Super Bowl, will be threatened by hackers such that, if the website does not pay a certain amount of protection money, it would be really horrible if a DDoS attack were to happen when you really need your site to be up…

Stuxnet actually didn’t require boots on the ground, which was actually the most impressive part of its design given that the Iranian centrifuges were air-gapped (not connected to a computer network which had Internet access). The only way to spread malware to the centrifuges was to have someone connect an infected removable storage drive (most likely USB) to one of the systems connected to the centrifuge network. Despite this limitation, the creators of the virus were able to design it to automatically infect removable storage devices, then spread silently whenever it was connected to different machines. The virus was released in very targeted areas where intelligence reports indicated those with access to the Iranian nuclear program would be. The real genius is that the virus was specifically designed to infect the Iranian programmable logic controllers (PLCs) that control the centrifuges’ operation. These PLCs were fairly standard off-the-shelf components, meaning that they are in many industrial sites across the world. This is where the boots on the ground came in. Someone, most likely Israeli intelligence, knew the exact configuration of the PLCs, so the Stuxnet virus was designed to only activate itself if it detected the configuration known to belong to the Iranian PLCs. The virus then played havoc with the speed of the centrifuges and continuously destroyed them by rapidly changing speeds or running too quickly in general. The Iranians couldn’t figure out for months why the centrifuges were breaking, though, because the virus was also designed to infect the monitoring systems and alter the output to falsely show that the centrifuges were operating within normal parameters. Given that Stuxnet was released into the wild to find its own way to the Iranian systems, it’s not surprising that the virus was also found in various other industrial control systems around the world once people knew it existed. The virus just never activated because it did not detect the Iranian PLC configuration.

Technology has certainly progressed beyond the point of requiring a single physical server for every task. Using virtualization, I can easily have as many systems as I would like. Virtualization of servers allows for the opportunity to build and use systems for single intended purposes with minimal physical overhead. This is particularly useful for technology enthusiasts or budding professionals who need an environment to "play around with" in order to learn about various systems and services. For example my personal virtualization server, which I will describe in detail below, hosts three CentOS 6 servers, an Ubuntu 12.04 server, and three Windows Server instances, all running different services and purpose-built to run those services or applications efficiently. Additionally, it is easy to build a new server, or even an instance of a desktop OS, whenever I need to test something. I probably don't need all of these systems or all of the ones I'll build in the future, but it's fun and I like scaling my infrastructure to ludicrous proportions despite the fact that I am the only one that uses my network.

Virtualization Types and Options

All virtual systems, called "guests," have to run on a base system. This base system is called the hypervisor and there are two major types of hypervisors:

• Type 1: Bare-metal hypervisors. These hypervisors are operating systems in themselves and run directly on physical hardware. The only task that can be done with a bare-metal hypervisor is configuring and running a guest OS. The major players in this market, at least the ones I'm most familiar with, are:
  • Microsoft Hyper-V Server. This is a stripped down version of Windows Server used only for running virtual machines. This is a very high quality and stable product, although with a little more resource overhead and support for fewer guest operating system types than other solutions.
  • VMware ESXi. My hypervisor of choice since there is a free version which supports systems with up to 32GB of memory. This is a rock-solid product made for use in production environments with high availability requirements.
  • Xen. I do not have much experience with this hypervisor, but it's certainly on my list. It has a reputation for stability, although it is a bit complex to configure at first.
• Type 2: Hosted hypervisors. These hypervisors run on top of pre-existing operating systems. For instance, there are software hypervisors that run on Windows which enable a guest OS to be run inside of the host OS. Some major type 1 hypervisors are:
  • VMware Workstation. Versions are available for Windows and Mac. This is a paid product, but it provides high quality, stable virtualization.
  • Windows Hyper-V. Hyper-V is a feature built into certain versions of Windows, including Windows 8 Pro and Windows Server 2012, which allows users to run guest operating systems inside of Windows.
  • VirtualBox. A free product available for Windows, Mac, and Linux with a good track record of support and stability, but not something that should be used in a high availability production environment.

Many people who simply want to play around with alternative operating systems will use a type 2 hypervisor to just run a virtual machine on their existing computer. However, those who want have these alternate virtual operating systems to run all the time or want to run a lot of virtual machines have the option of building a separate machine and using it only to run virtual machines.

ESXi -- Stringent Hardware Requirements, but Worth the Effort

ESXi is my chosen virtualization solution due to its combination of stability, ease of setup and management, and free licensing up to 32GB of memory. However, since ESXi is meant to run on server-class hardware in large production environments, there are some stringent hardware requirements. I did not want to spend the money on server hardware, so I had to build a custom machine and carefully select my components. I made sure the components were supported by the version of ESXi I would be running (ESXi 5.5) by comparing the components with the VMware hardware compatibility list. The hardest thing to find was a non-server motherboard that had a compatible networking chipset. I ended up building the system with the following hardware:

• Motherboard: ASUS P8Z77 WS -- this motherboard has dual server-class NICs. Some dual NIC motherboards run each NIC off of a different chipset, but both NICs on this board run on the same model chipset so both ports can be used by ESXi.
• Processor: Intel Core i7-3770K -- I chose the Core i7 to take advantage of the extra cores and threads as much as possible. Component purchasing tip: MicroCenter always has the lowest prices on processors and they have great warranty coverage.
• Memory: Corsair 32GB DDR3 1333 -- just make sure the memory is compatible with the motherboard you select.
• Hard Drive: 2TB Seagate -- If you notice I only bought one hard drive, you'll realize my storage in this system is not setup in a RAID. That's a mistake I'll be rectifying soon.
• Case -- It's a case with sufficient ventilation...I don't understand why people get so worked up over cases.
• 500W PSU -- Once again, the boring component, although I probably could have spent a little more money on a power supply to guarantee clean, steady power.
• DVD-ROM Drive -- No one's gotten excited about a DVD drive since 2004.

ESXi Tips

Here are a few things I've learned about running an ESXi server that will hopefully help some others along the way.

• Attach the "Client Device" to the virtual CD/DVD Drive before exporting virtual machines into OVA format packages. I have not tested in ESXi 5.5, but in at least ESXi 5.1, you must select the Client Device option instead of an image file before exporting to OVA. If you don't and you try to import an OVA with the image file setting, the import will fail.

• The desktop vSphere Client has been deprecated by VMware. The desktop client used for managing the ESXi host will no longer be updated. VMware is pushing for people to use the web client to manage ESXi hosts, but you need to pay for a license to run the web client.
• Use VMware Workstation to manage settings on VM Versions 9 and 10. VMware has been in the virtualization business for a long time and they have extended their virtual machine format continuously to support newer technologies and operating systems. They keep track of which features different virtual machine containers support by using version numbers. Using the vSphere Client, you can only create VMs up through version 8. VMware Workstation can connect to ESXi and create newer VMs though. A free trial of VMware Workstation is available if you only need to do this once.
• ESXi does not natively support NAT. Any virtual machine with a physical network connection will connect directly to the network and must have its own IP address. ESXi will not perform NAT for hosts. However, you can go through the trouble of setting up a software firewall system to route your traffic through. I will likely do a post on this in the future but the summary is that the firewall system would have two virtual NICs, one connected to the network and one connected to an ESXi internal virtual switch. All of the guest machines that you want to perform NAT on would then connect to the internal virtual switch and use the software firewall as the gateway.

Conclusion

In the future, I'll go into detail about my personal network setup and what I use all of my virtual servers for. In the meantime, know that ESXi offers an excellent, high quality, high stability solution for the perfect price: free. If you need to build a virtualization lab at home for playing around or professional development, then my hardware selections will provide you with a high powered system at a much lower cost than a true server.

A couple of people have asked me about LastPass recently so I figured I would write a little about it generally and, more specifically, about how I use it.

No one actually likes using more than one password. We all have enough things to remember, we don't need to clutter our brains with remembering which password we used for which website. That is where password manager apps come into the picture. With such apps you only need to remember one password and the rest of your passwords will be stored, hopefully securely, in the app.

As far as I am concerned, LastPass is the best-of-breed app in the password manager category. In the infancy of its popularity, LastPass was vetted and approved by Steve Gibson. He provides a lengthy review of LastPass' technology at his site and, fortunately, LastPass has continued to be open about its technology. It has also continued to add features over the past few years, both to improve functionality and security.

Why is LastPass Secure?

The company has done everything right in terms of securely encrypting and storing your sensitive data.

• All encryption is done locally on the client, so all the LastPass company ever sees is a pseudorandom blob of data.
• Encryption is performed with AES-256.
• Password hashing is performed using PBKDF2 implemented with SHA-256.
• Users can select the number of hash iterations their password is put through.
• Many multi-factor authentication options are supported.
• Mobile app access to your LastPass vault is restricted. Users have to explicitly allow access from each new mobile app that tries to access their vault.
• The company is open and responsive about their technology, as evidenced by Steve Gibson's interactions with them.

LastPass Has Extensive Functionality

In addition to being secure, LastPass provides an enormous number of features.

• Ability to store and automatically fill forms on websites with many types of personal data, including usernames, passwords, credit card, and address information.
• "Secure Notes" allow users to store other information of their choosing, including text, documents, and images.
• Supported on Windows, Mac, and Linux using Internet Explorer, Safari, Chrome, Firefox, and Opera.
• Extensive mobile support. Apps are available for iOS, Android, Windows Phone, and Blackberry. LastPass Premium is required for this, but it is only $12 per year.

How to Keep Your LastPass Vault Secure

While LastPass is natively secure, there are a number of configurable options which can make LastPass even safer against attackers. All of these options can be configured in the settings page of your LastPass vault.

• In the General tab, make sure your password hash is being iterated at least 5000 times, you only allow logins from countries to which you travel, and you disallow logins from the Tor network.

• In the Security tab, enable as many circumstances as possible for which you will be prompted for your password.
  

• Enable some form of multi-factor authentication.

Conclusion

LastPass is the perfect tool for managing your many online identities, as well as storing sensitive personal information, both securely and conveniently. It's easy to use and available on every platform. Plus, the price is right.

This post originally stated that this was going to be a blog about information security but I decided to expand the topic of this blog to anything technology related, so you can see the edited version below.

As this is the first post on this blog, I feel like it is important to discuss what you will be able to find here as time goes on. While the length, detail, and formality of entries here will vary greatly, all of the content here will focus on technology. Obviously this is a broad topic, but my intent is for the topic to be broad. I will be writing about anything that catches my interest in the realm of technology.

I want to welcome people of all skill levels to read this blog and discuss the posts. We all have our own areas of expertise and it's always best to learn from each other whenever possible.

I have also begun to maintain a collection of files on this site related to technology. This collection will also range in content, but as the collection grows I will make sure to change the organization as necessary. For now, please take a look at the presentation I posted about the basics of information security. I recently gave this presentation to a small group of lawyers who needed more information about security principles in order to understand HIPAA compliance matters and the presentation was very well received.