Information Security and Access Control Design for Intelligent Network Visibility for VMware Cloud Foundation

You design authentication access, controls, and certificate management for VMware Aria Operations for Networks according to industry standards and the requirements of your organization.

Identity Management Design for Intelligent Network Visibility for VMware Cloud Foundation

This validated solution activates authentication using Active Directory over LDAP to ensure accountability on user access. You can grant access to VMware Aria Operations for Networks to both users and groups to perform tasks, such as view network flows and dashboards.

VMware Aria Operations for Networks integrates with your organization's identity provider. This allows you to use your organization's directory services for authentication to VMware Aria Operations for Networks. You can control authorization by assigning service roles to users. The Admin role allows you to add users to your organization and provide access to VMware Aria Operations for Networks.

VMware Aria Operations for Networks supports three service roles:

Admin
Member
Auditor

Table 1. Design Decisions on Identity Management for Intelligent Network Visibility
Decision ID	Design Decision	Design Justification	Design Implication
INV-VAON-SEC-001	Limit the use of local accounts for interactive or API access and solution integration.	Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.	You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.
INV-VAON-SEC-002	Limit the scope and privileges for accounts used for interactive or API access and solution integration.	The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.	You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.
INV-VAON-SEC-003	Assign VMware Aria Operations for Networks service roles to designated groups.	By assigning Active Directory users with specific VMware Aria Operations for Networks service roles, you introduce improved accountability and facilitate access tracking.	You must maintain the service roles required for users of your organization.

Service Accounts Design for VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

You add and configure accounts associated with vCenter Server and NSX Manager instances to use as service accounts across VMware Cloud Foundation instances. You configure the service accounts to provide integration between VMware Aria Operations for Networks and the data source endpoints.

This solution uses least privileged access and permissions scope required for the integrations.

Table 2. Design Decisions on Service Accounts for Intelligent Network Visibility
Decision ID	Design Decision	Design Justification	Design Implication
INV-VAON-SEC-004	Define a custom vCenter Server role for VMware Aria Operations for Networks that has minimum privileges required to support a vCenter Server integration.	Connects VMware Aria Operations for Networks to the management domain and each VI workload domain vCenter Server instance using a minimum set of privileges.	You must maintain the privileges required by the custom vSphere role.
INV-VAON-SEC-005	Create and assign the custom vCenter Server role to an Active Directory user account as a service account for the management domain and each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations for Networks and vCenter Server.	Provides the following access control features: VMware Aria Operations for Networks accesses each VI workload domain vCenter Server instance with a minimum set of permissions. If there is a compromised account, the accessibility to the destination instance remains restricted. You can introduce an improved accountability in tracking request-response interactions between VMware Aria Operations for Networks and the vCenter Server endpoint.	You must maintain the life cycle, availability, and security controls for the account in Active Directory.
INV-VAON-SEC-006	Create and assign the Enterprise Admin role using an NSX client certificate credential for the management domain and each VI workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations for Networks and NSX Manager.	Provides integration and data collection of objects managed by NSX Manager for a given workload domain. Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.	You must manage the credential and the life cycle of certificates and their corresponding private keys.

Password Management Design for Intelligent Network Visibility for VMware Cloud Foundation

Password management design details the decisions covering password policy configuration and password management of the VMware Aria Operations for Networks nodes.

Password Policies for VMware Aria Operations for Networks Platform and Collector Nodes

You can enforce password polices for a VMware Aria Operations for Networks node by using the virtual appliance console. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts. VMware Aria Operations for Networks nodes use Ubuntu Server. By default, for security reasons, the root user is not enabled. The support user has permissions to run the necessary commands in the command line and the consoleuser has full permission to the CLI.

Password Expiration Policy for VMware Aria Operations for Networks

You manage the password expiration policy on a per user basis. You can modify the configuration for a local user to refine the settings and adhere to the policies and regulatory standards of your organization.

Table 3. Default Password Expiration Policy for VMware Aria Operations for Networks
User	Setting	Default	Description
support	`maxdays`	`99999`	Maximum number of days between password change. (By default, the password is set to never expire.)
	`mindays`	`0`	Minimum number of days between password change.
	`warndays`	`7`	Number of days of warning before a password expires.
consoleuser	`maxdays`	`99999`	Maximum number of days between password change (By default, the password is set to never expire.)
	`mindays`	`0`	Minimum number of days between password change.
	`warndays`	`7`	Number of days of warning before a password expires.

Password Complexity Policy for VMware Aria Operations for Networks

You manage the password complexity policy by using the /etc/pam.d/common-password file. You can modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards.

Table 4. Default Password Complexity Policy for VMware Aria Operations for Networks
Setting	Default	Description
`dcredit`	`-1`	Minimum number of numerical characters required.
`ucredit`	`-1`	Minimum number of uppercase characters required.
`lcredit`	`-1`	Minimum number of lowercase characters required.
`ocredit`	`-1`	Minimum number of special characters required.
`minlen`	`14`	Minimum total number of characters required.
`difok`	`3`	Minimum number of unique characters different from the previous password.
`retry`	`3`	Maximum number of retries allowed.
`remember`	`5`	Maximum number of previous passwords remembered.

Account Lockout Policy for VMware Aria Operations for Networks

You manage the account lockout policy by using the /etc/pam.d/common-auth file. You can modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration does not define any parameters. For additional information, see Password Management for Intelligent Network Visibility for VMware Cloud Foundation.

Table 5. Default Account Lockout Policy for VMware Aria Operations for Networks Support and Consoleuser Accounts.
Setting	Default	Description
`deny`	`Not Defined`	Maximum number of authentication failures before the account is locked.
`unlock_time`	`Not Defined`	Amount of time in seconds that the account remains locked.

Table 6. Design Decisions on Password Policies for Intelligent Network Visibility
Decision ID	Design Decision	Design Justification	Design Implication
INV-VAON-SEC-007	Configure the local user password expiration policy for each VMware Aria Operations for Networks platform and collector node.	You configure the local user password expiration policy for each VMware Aria Operations for Networks node to align with the requirements of your organization which might be based on industry compliance standards. The local user password expiration policy is applicable to the support and consoleuser accounts for the VMware Aria Operations for Networks.	You must manage the local user passwords expiration settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console.
INV-VAON-SEC-008	Configure the local user password complexity policy for each VMware Aria Operations for Networks platform and collector node.	You configure the local user password complexity policy for each VMware Aria Operations for Networks to align with the requirements of your organization which might be based on industry compliance standards. The local user password complexity policy is applicable only to local VMware Aria Operations for Networks users.	You must manage the local user password complexity settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console.
INV-VAON-SEC-009	Configure the local user account lockout policy for each VMware Aria Operations for Networks platform and collector node.	You configure the local user account lockout policy for each VMware Aria Operations for Networks node to align with the requirements of your organization which might be based on industry compliance standards. The local user account lockout policy is applicable only to local VMware Aria Operations for Networks users.	You must manage the local user account lockout settings on each VMware Aria Operations for Networks node by using the appliance console.

Password Management for the VMware Aria Operations for Networks Platform and Collector Nodes

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security of the system. To ensure continued access, you must manage the life cycle of the support and consoleuser user passwords for the VMware Aria Operations for Networks nodes.

If a password expires, you must reset the password in VMware Aria Suite Lifecycle and remediate the password across components as required.

Table 7. Design Decisions on Password Management for Intelligent Network Visibility
Decision ID	Design Decision	Design Justification	Design Implication
INV-VAON-SEC-010	Change the VMware Aria Operations for Networkssupport and consoleuser passwords on each VMware Aria Operations for Networks platform and collector node on a recurring or event-initiated schedule.	The password for the VMware Aria Operations for Networkssupport and consoleuser accounts expires based on the default password expiration policy.	You must manage the password change for the support and consoleuser account. You must manage the password change on each VMware Aria Operations for Networks node by using VMware Aria Suite Lifecycle. You must monitor the password expiration for each account.

Certificate Management Design for Intelligent Network Visibility for VMware Cloud Foundation

Access to the VMware Aria Operations for Networks user interface and API requires an SSL connection. By default, VMware Aria Operations for Networks uses a self-signed certificate. To provide secure access to the VMware Aria Operations for Networks user interface and API, replace the default self-signed certificate with a CA-signed certificate.

Design Decisions of Certificates for VMware Aria Operations for Networks

Table 8. Design Decisions on Certificate Management for Intelligent Network Visibility
Decision ID	Design Decision	Design Justification	Design Implication
INV-VAON-SEC-011	Use a CA-Signed certificate containing the fully qualified domain names (FQDNs) of each VMware Aria Operations for Networks platform and collector node in the SAN attributes, when deploying VMware Aria Operations for Networks	Configuring a CA-Signed certificate ensures that the communication to the externally facing Web UI and API for VMware Aria Operations for Networks is encrypted.	Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered. Each time a node is added the certificate must be replaced to include the fully qualified domain name of the additional node.
INV-VAON-SEC-012	Use a SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2.