The Mirage Gateway server runs on Linux. You must protect this host from normal OS vulnerabilities.

Use spyware filters, intrusion detection systems, and other security measures mandated by your enterprise policies.

Ensure that all security measures are up-to-date, including OS patches.

The protection configuration codes are executed during the deployment of the OVA template.

Table 1. Protection Configuration for Code MEG01

Configuration Element

Description

Code

MEG01

Name

Keeps the Mirage Gateway system properly patched.

Description

By staying up-to-date on OS patches, OS vulnerabilities are mitigated.

Risk or control

If an attacker gains access to the system and reassigns privileges on the Mirage Gateway system, the attacker can access all CVD transferring through the Mirage Gateway server.

Recommended level

Enterprise

Condition or steps

Employs a system to keep the Mirage Gateway system up -to-date with patches, in accordance with industry-standard guidelines, or internal guidelines where applicable.

Table 2. Protection Configuration for Code MEG02

Configuration Element

Description

Code

MEG02

Name

Provide OS protection on the Mirage Gateway server host.

Description

By providing OS-level protection, vulnerabilities to the OS are mitigated. This protection includes anti-malware, and other similar measures.

Risk or control

If an attacker gains access to the system and reassigns privileges on the Mirage Gateway system, the attacker can access all CVD transferring through the Mirage Gateway server.

Recommended level

Enterprise

Condition or steps

Provides OS protection, such as anti-malware, in accordance with industry-standard guidelines, or internal guidelines where applicable.

Table 3. Protection Configuration for Code MEG03

Configuration Element

Description

Code

MEG03

Name

Restrict privilege user login.

Description

The number of privilege users with permission to log in to the Mirage Gateway system as an administrator should be minimal.

Risk or control

If an unauthorized privilege user gains access to the Mirage Gateway system then the system is vulnerable to unauthorized modification.

Recommended level

Enterprise

Condition or steps

Create specific privilege log-in accounts for individuals. Those accounts should be part of the local administrators' group. There should not be a shell to the account that the account cannot log in, and provide an invalid password for the account.

Table 4. Protection Configuration for Code MEG04

Configuration Element

Description

Code

MEG04

Name

Implement an administrative password policy.

Description

Set a password policy for all Mirage Gateway systems. The password should include the following parameters:

  • A minimum password length

  • Require special character types

  • Require periodic change of the password

Risk or control

If an unauthorized privilege user gains access to the Mirage Gateway system then the system is vulnerable to unauthorized modification.

Recommended level

Enterprise

Condition or steps

Set a password policy on each Mirage Gateway system.

Table 5. Protection Configuration for Code MEG05

Configuration Element

Description

Code

MEG05

Name

Remove unnecessary network protocol.

Description

Mirage Gateway only uses IPv4 communication. You should remove other services, such as file and printer sharing, NFS, sendmail, bind or NIC, and so on.

Risk or control

If an unauthorized privilege user gains access to the Mirage Gateway system then the system is more vulnerable to unauthorized modification.

Recommended level

Enterprise

Condition or steps

Run yast on the Mirage Gateway Suse OS. Disable all network protocols under the Security and Users setting, and the Firewall setting. Retain the following three ports:

  • Mirage Gateway- default tcp 8000

  • Management- default tcp 8080

  • SSH- default tcp 22

Table 6. Protection Configuration for Code MEG06

Configuration Element

Description

Code

MEG06

Name

Disable unnecessary services.

Description

Mirage Gateway requires a minimal number of services for the OS. When you disable unnecessary services you enhance security. This prevents the services from automatically starting at boot time.

Risk or control

If unnecessary services are running, the Mirage Gateway system is more vulnerable to network attack.

Recommended level

Enterprise.

Condition or steps

Disable any services that are not required. Run yast on the Mirage Gateway Suse OS. Disable all network services except those related to SSHD and iSCSI under the Network Services drop-down menu.

Table 7. Protection Configuration for Code MEG07

Configuration Element

Description

Code

MEG07

Name

Use an external firewall in the DMZ to control

Description

Mirage Gateway servers are usually deployed in a DMZ. You must control which protocols and network ports are permitted so that communication with Mirage Gateway is restricted to the required minimum. Mirage Gateway automatically does TCP forwarding to Mirage servers within a datacenter, and ensures that all forwarded traffic is directed from authenticated users.

Risk or control

Allowing unnecessary protocols and ports might increase the possibility of an attack by a malicious user, especially for protocols and ports for network communication from the Internet.

Recommended level

Configure a firewall on either side of the Mirage Gateway server to restrict protocols and network ports to the minimum set required between Mirage clients and the Mirage Gateway servers.

You should deploy the Mirage Gateway server on an isolated network to limit the scope of frame broadcasts. This configuration can help prevent a malicious user on the internal network from monitoring communication between the Mirage Gateway servers and the Mirage server instances.

You might want to use advanced security features on your network switch to prevent malicious monitoring of Mirage Gateway communication with Mirage servers, and to guard against monitoring attacks, such as ARP Cache Poisoning.

Parameter or objects configuration

For more information about the firewall rules that are required for a DMZ deployment, see the VMware Mirage Installation Guide.

Table 8. Protection Configuration for Code MEG08

Configuration Element

Description

Code

MEG08

Name

Do not use the default, self-signed server certificates on a Mirage Gateway server.

Description

When you first install the Mirage Gateway server, the SSL server is unable to work until signed certificates are prepared. The Mirage Gateway server and the SSL server require SSL server certificates signed by a commercial Certificate Authority (CA) or an organizational CA.

Risk or control

Using self-signed certificates leaves the SSL connection more vulnerable to man-in-the-middle attacks. Applying certificates to trusted CA signed certificates mitigates the potential for these attacks.

Recommended level

Enterprise

Condition or steps

For more information about setting up Mirage Gateway SSL certificates, see the VMware Mirage Installation Guide.

Test

Use a vulnerability scanning tool to connect the Mirage Gateway. Verify that it is signed by the appropriate CA.