{
  "authors": [
    {
      "email": "rules@neuralwall.io",
      "name": "NeuralWall Rules Team",
      "org": "NeuralWall"
    }
  ],
  "description": {
    "en": "This scenario covers the network flows of a central virtualization management\nappliance that orchestrates a pool of hypervisors. The appliance exposes an HTTPS\nweb UI and REST API to administrators (management access) as well as a dedicated\nappliance administration interface on a separate port. It drives managed hypervisors\nvia a bidirectional management channel, resolves DNS and synchronises its clock via\nNTP. Conditional services cover network provisioning of hypervisors, host lifecycle\nmanagement and patching, replication, SNMP monitoring, and log collection. An\noutbound flow to the Internet enables secure download of updates. The legacy\nclear-text management protocol is blocked as a hardening measure. Provenance\n(original vendor product) is documented in the Sources section.\n",
    "fr": "Ce scénario couvre les flux réseau d'une appliance centrale de gestion de\nvirtualisation qui orchestre un parc d'hyperviseurs. L'appliance expose une\ninterface web HTTPS et une API REST aux administrateurs (accès de gestion) ainsi\nqu'une interface d'administration de l'appliance elle-même sur un port dédié.\nElle pilote les hyperviseurs gérés via un canal de gestion bidirectionnel, résout\nDNS et synchronise son horloge via NTP. Des services conditionnels couvrent le\nprovisioning réseau des hyperviseurs, la gestion du cycle de vie et le patch des\nhôtes, la réplication, la supervision SNMP et la collecte de logs. Un flux sortant\nvers Internet permet le téléchargement sécurisé des mises à jour. Le protocole de\ngestion en clair hérité (non chiffré) est bloqué en durcissement. La provenance\n(produit éditeur d'origine) est documentée dans la section Sources.\n"
  },
  "id": "enterprise_virtualization_manager",
  "mitre_attack": [
    {
      "name": "Exploit Public-Facing Application",
      "tactic": "initial-access",
      "technique_id": "T1190"
    },
    {
      "name": "Exploitation of Remote Services",
      "tactic": "lateral-movement",
      "technique_id": "T1210"
    },
    {
      "name": "Compromise Software Supply Chain",
      "tactic": "initial-access",
      "technique_id": "T1195.002"
    },
    {
      "name": "Valid Accounts",
      "tactic": "defense-evasion",
      "technique_id": "T1078"
    },
    {
      "name": "External Remote Services",
      "tactic": "initial-access",
      "technique_id": "T1133"
    }
  ],
  "references": [
    {
      "endpoints": [
        "dl.broadcom.com",
        "vcsa.vmware.com"
      ],
      "product": "vCenter Server 9.0",
      "retrieved": "2026-06-18",
      "title": "Required Ports for vCenter Server",
      "url": "https://ports.broadcom.com",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 431697 — Configuring SSL inspection exclusion for update repository",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=431697",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 390098 — Migration des dépôts de mises à jour (depot/hostupdate/vapp-updates.vmware.com retirés)",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=390098",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 320264 — Ports utilisés par vSphere Lifecycle Manager",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=320264",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 326184 — Ports requis vCenter Server (toutes versions)",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=326184",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 313945 — Configuration NTP sur l'appliance de gestion",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=313945",
      "vendor": "Broadcom"
    }
  ],
  "rules": [
    {
      "action": "allow",
      "application": {
        "app_id": "virtualization_mgmt_web",
        "category": "infrastructure",
        "default_ports": [
          "tcp/443"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "virtualization_admins",
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "This rule allows administrators (compliant devices, restricted directory groups)\nand automation tools to reach the manager's main interface over HTTPS. Since the\nmanager is a controlled internal server, ssl_inbound_inspection decrypts inbound\ntraffic to detect exploits targeting the interface (T1190) and malicious uploaded\nfiles. Identity is restricted by directory group (least privilege). Risk is critical\n(risk 5) because compromising the manager enables pivoting to all managed\nhypervisors (T1210). This rule also covers the redirect from HTTP port 80 (see\nrule 3).\n",
        "fr": "Cette règle autorise les administrateurs (postes conformes, groupes d'annuaire\nrestreints) et les outils d'automatisation à atteindre l'interface principale du\ngestionnaire en HTTPS. Le gestionnaire étant un serveur interne contrôlé,\nssl_inbound_inspection déchiffre le trafic entrant pour détecter les exploits\nvisant l'interface (T1190) et les fichiers malveillants déposés. L'identité est\nrestreinte par groupe annuaire (moindre privilège). Le risque est critique (risk 5)\ncar compromettre le gestionnaire permet de pivoter vers l'ensemble des hyperviseurs\ngérés (T1210). Cette règle couvre aussi la redirection depuis le port HTTP 80\n(voir règle 3).\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "url_filtering": {
          "credential_phishing": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "trust",
          "management",
          "vpn"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "appliance_admin_web",
        "category": "infrastructure",
        "default_ports": [
          "tcp/5480"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The appliance administration interface (port 5480) is the only way to manage\nthe appliance's system settings: backup, network configuration, NTP, certificates,\nOS updates, and SSH enable/disable. It is structurally mandatory (without it, the\nappliance cannot be managed outside the main interface) and distinct from the 443\nmanagement interface. Access is restricted to system administrators only (a\nnarrower directory group than rule 1). ssl_inbound_inspection covers exploits\n(T1190, T1078). Risk is critical (risk 5): access to this interface allows full\nreconfiguration of the appliance, including SSH activation.\n",
        "fr": "L'interface d'administration de l'appliance (port 5480) est le seul moyen de\ngérer les paramètres système de l'appliance : sauvegarde, configuration réseau,\nNTP, certificats, mises à jour OS et activation/désactivation du SSH. Elle est\nstructurellement obligatoire (sans elle, l'appliance ne peut pas être administrée\nhors de l'interface principale) et distincte de l'interface de gestion 443.\nL'accès est restreint aux administrateurs système uniquement (groupe d'annuaire\nplus étroit que la règle 1). ssl_inbound_inspection couvre les exploits (T1190,\nT1078). Risque critique (risk 5) : l'accès à cette interface permet la reconfiguration\ntotale de l'appliance, y compris l'activation du SSH.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "5480"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "web_browsing",
        "category": "networking",
        "default_ports": [
          "tcp/80"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "Port 80 is accepted solely to allow the automatic redirect to HTTPS 443 (a stable,\ndocumented behaviour). No application data is transmitted in clear text: the session\nis immediately redirected. IPS in block mode (high severity) detects exploitation\nattempts targeting the HTTP redirect layer. Decryption is not applicable: the HTTP\nflow is not encrypted and the redirect occurs before any data exchange.\n",
        "fr": "Le port 80 est accepté uniquement pour permettre la redirection automatique vers\nHTTPS 443 (comportement stable et documenté). Aucune donnée applicative ne transite\nen clair : la session est immédiatement redirigée. L'IPS en mode block (high) détecte\nles tentatives d'exploitation visant la couche HTTP de redirection. Le déchiffrement\nest non applicable : le flux HTTP n'est pas chiffré et la redirection intervient avant\ntout échange de données.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "high"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "80"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "trust",
          "management",
          "vpn"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "hypervisor_management",
        "category": "infrastructure",
        "default_ports": [
          "tcp/902",
          "udp/902",
          "tcp/443"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The manager drives managed hypervisors via a bidirectional channel. The dedicated\nmanagement port (TCP) carries data transfer, configuration, and VM console (MKS).\nThe HTTPS port (TCP 443) is used for the configuration channel and agent management on\nthe hypervisor side. The availability heartbeat (UDP) also uses the dedicated\nmanagement port. Decryption is disabled (cert_pinned_app exclusion): managed\nhypervisors present device certificates and a MITM proxy would break the\nauthenticated management channel. IPS detects exploits targeting embedded management\nservices (T1210). Risk is critical (risk 5): this channel is the main pivot vector\nto hypervisors. Note: the UDP heartbeat on the same port is covered by a separate\nservice rule if the firewall distinguishes TCP from UDP.\n",
        "fr": "Le gestionnaire pilote les hyperviseurs gérés via un canal bidirectionnel. Le port\nde gestion dédié (TCP) véhicule le transfert de données, la configuration et la\nconsole de machine virtuelle. Le port HTTPS (TCP 443) est utilisé pour le canal de\nconfiguration et la gestion des agents côté hyperviseur. Le heartbeat de disponibilité\n(UDP) passe également par le port de gestion dédié. Le déchiffrement est désactivé\n(exclusion cert_pinned_app) : les hyperviseurs gérés présentent des certificats\nd'équipement et une inspection MITM briserait le canal de gestion authentifié.\nL'IPS détecte les exploits visant les services de gestion embarqués (T1210). Risque\ncritique (risk 5) : ce canal est le vecteur principal de pivot vers les hyperviseurs.\nNote : le heartbeat UDP sur le même port est couvert par une règle de service séparée\nsi le pare-feu distingue TCP et UDP.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "902",
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "hypervisor_heartbeat",
        "category": "infrastructure",
        "default_ports": [
          "udp/902"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "The UDP availability heartbeat between the manager and managed hypervisors enables\nrapid detection of unavailable hosts. This flow is fundamental for high-availability\nmanagement and hypervisor health monitoring. IPS in default mode detects protocol\nanomalies on this UDP flow without blocking legitimate probes.\n",
        "fr": "Le heartbeat de disponibilité UDP entre le gestionnaire et les hyperviseurs gérés\npermet la détection rapide des hôtes indisponibles. Ce flux est fondamental pour\nla gestion de la haute disponibilité et la surveillance de l'état des hyperviseurs.\nL'IPS en mode default détecte les anomalies de protocole sur ce flux UDP sans bloquer\nles sondes légitimes.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "902"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "dns",
        "category": "networking",
        "default_ports": [
          "udp/53",
          "tcp/53"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "DNS resolution is structurally mandatory: appliance installation fails if A/PTR\nrecords for its FQDN cannot be resolved. In operation, DNS is required to reach\nmanaged hypervisors, directory controllers, and the update service. The flow is\nrestricted to a controlled internal resolver (no direct Internet resolution). The\ndns_security profile with sinkhole mitigates DNS tunneling from the appliance if\nit were compromised. TCP/53 (DNSSEC or >512-byte responses) is handled by the same\nrule if the firewall supports multi-protocol; otherwise duplicate for tcp/53.\n",
        "fr": "La résolution DNS est structurellement obligatoire : l'installation de l'appliance\néchoue si les enregistrements A/PTR de son FQDN ne sont pas résolus. En exploitation,\nDNS est requis pour joindre les hyperviseurs gérés, les contrôleurs d'annuaire et le\nservice de mise à jour. Le flux est restreint vers un résolveur interne contrôlé (pas\nde résolution directe vers Internet). Le profil dns_security avec sinkhole atténue le\ntunneling DNS depuis l'appliance si elle était compromise. TCP/53 (réponses DNSSEC ou\n>512 octets) est traité avec la même règle si le pare-feu supporte multi-protocole ;\nsinon, dupliquer pour tcp/53.\n"
      },
      "security_profiles": {
        "dns_security": {
          "action": "block",
          "sinkhole": true
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "53"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "ntp",
        "category": "networking",
        "default_ports": [
          "udp/123"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if direct NTP synchronisation is configured on the\nappliance (via its administration interface). NTP can technically be disabled in\nfavour of synchronisation through the host hypervisor, but is strongly recommended\nin production as it is critical for TLS certificate validity, SSO/Kerberos\nauthentication, and consistency of event logs and high-availability mechanisms.\nIPS in default mode detects NTP protocol anomalies (amplification, non-standard\nmode).\n",
        "fr": "CONDITIONNEL — À n'activer QUE si la synchronisation NTP directe est configurée\nsur l'appliance (via son interface d'administration). NTP est techniquement\ndésactivable au profit de la synchronisation via l'hyperviseur hôte, mais fortement\nrecommandé en production car il est critique pour la validité des certificats TLS,\nl'authentification SSO/Kerberos et la cohérence des journaux d'événements et des\nmécanismes de haute disponibilité. L'IPS en mode default détecte les anomalies de\nprotocole NTP (amplification, mode hors norme).\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "123"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "ssh",
        "category": "remote_access",
        "default_ports": [
          "tcp/22"
        ],
        "risk": 4
      },
      "decryption": {
        "mode": "ssh_proxy"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the appliance SSH service has been explicitly activated\nvia the administration interface for a maintenance operation. SSH is disabled by\ndefault on the appliance (security best practice) and must be re-disabled after the\noperation. This rule should be activated with a time-limited policy (maintenance\nwindow). The ssh_proxy decryption mode allows inspection of commands executed over\nthe SSH tunnel (detection of exfiltration or suspicious commands). Access is\nrestricted to compliant management hosts and the narrowest administration group\n(T1133). log_start is enabled to trace every SSH session opening.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service SSH de l'appliance a été explicitement\nactivé via l'interface d'administration pour une opération de maintenance. Le SSH est\ndésactivé par défaut sur l'appliance (bonne pratique de sécurité) et doit être\nre-désactivé après intervention. Cette règle doit être activée avec une politique de\ndurée limitée (fenêtre de maintenance). Le déchiffrement ssh_proxy permet d'inspecter\nles commandes exécutées via le tunnel SSH (détection d'exfiltration ou de commandes\nsuspectes). L'accès est restreint aux hôtes de gestion conformes et au groupe\nd'administration le plus étroit (T1133). Le log_start est activé pour tracer toute\nouverture de session SSH.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "22"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "network_boot_provisioning",
        "category": "infrastructure",
        "default_ports": [
          "tcp/6501",
          "tcp/6502"
        ],
        "risk": 3
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the hypervisor network provisioning service is in\nplace. This service enables automated deployment of stateless hypervisors: hosts being\nprovisioned connect to the manager to receive their system image, configuration\nprofile, and assignment rules. Antivirus and IPS inspect inbound flows. Decryption\nis disabled (cert_pinned_app) as hypervisors booting over the network use device\ncertificates that a proxy cannot impersonate. If provisioning uses UEFI HTTPS Boot\n(modern boot), it goes through TCP 443 (rule 1) and this rule can remain disabled.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service de provisioning réseau des hyperviseurs\nest en place. Ce service permet le déploiement automatisé des hyperviseurs sans état :\nles hôtes en cours de provisioning se connectent au gestionnaire pour recevoir leur\nimage système, leur profil de configuration et leurs règles d'assignation. L'antivirus\net l'IPS inspectent les flux entrants. Le déchiffrement est désactivé (cert_pinned_app)\ncar les hyperviseurs en boot réseau utilisent des certificats d'équipement que le proxy\nne peut pas impersonner. Si le provisioning utilise UEFI HTTPS Boot (boot moderne),\nil passe par TCP 443 (règle 1) et cette règle peut rester désactivée.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "6501",
          "6502"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "tftp",
        "category": "networking",
        "default_ports": [
          "udp/69"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the network provisioning service uses legacy PXE boot\n(BIOS or classic iPXE). TFTP enables download of the iPXE boot file when a hypervisor\nPXE-boots. This rule is unnecessary if modern network boot (UEFI HTTPS Boot) is\nconfigured, as it operates entirely over HTTPS 443 (rule 1 or rule 8). TFTP is an\nunencrypted protocol: restrict its use to the segmented management network and consider\nmigrating to UEFI HTTPS boot to eliminate this flow.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service de provisioning réseau utilise le boot\nPXE legacy (BIOS ou iPXE classique). Le TFTP permet le téléchargement du fichier de\nboot iPXE lors du démarrage PXE de l'hyperviseur. Cette règle est inutile si le boot\nréseau moderne (UEFI HTTPS Boot) est configuré, ce dernier passant entièrement par\nHTTPS 443 (règle 1 ou règle 8). TFTP est un protocole non chiffré : limiter son usage\nau réseau de gestion segmenté et envisager la migration vers le boot UEFI HTTPS pour\néliminer ce flux.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "69"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "host_lifecycle_patch_https",
        "category": "infrastructure",
        "default_ports": [
          "tcp/9087"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 4
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the host lifecycle management service is activated to\ndrive updates and check compliance of managed hypervisors. This service exposes an\nHTTPS patch/image repository from the manager to hypervisors. If this flow is blocked,\ncompliance checks and remediations fail silently. HTTPS port (9087): the primary flow\nin the current service version (replaces legacy HTTP port 9084). ssl_inbound_inspection\nenables antivirus and sandboxing inspection of distributed content.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service de gestion du cycle de vie des hôtes\nest activé pour piloter les mises à jour et vérifier la conformité des hyperviseurs\ngérés. Ce service expose un dépôt HTTPS de patches et d'images depuis le gestionnaire\nvers les hyperviseurs. Si ce flux est bloqué, les vérifications de conformité et les\nremédiations échouent silencieusement. Port HTTPS (9087) : flux principal depuis la\nversion courante du service (remplace le port HTTP hérité 9084). ssl_inbound_inspection\npermet l'inspection antivirus et sandboxing du contenu distribué.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "archive",
            "pe"
          ]
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "9087"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "host_lifecycle_patch_legacy",
        "category": "infrastructure",
        "default_ports": [
          "tcp/9084",
          "tcp/8083"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the host lifecycle service still uses the legacy HTTP\nport (9084) for compatibility-mode hypervisors, or the host configuration store\naccess port (8083). In the current service version, the main flow goes through HTTPS\n9087 (rule 10); these ports are legacy residues. Note: since 9084 is unencrypted\nHTTP, consider migrating to 9087/HTTPS to eliminate this unencrypted flow and close\nthis rule.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service de cycle de vie des hôtes utilise\nencore le port HTTP hérité (9084) pour des hyperviseurs en mode de compatibilité,\nou le port d'accès au magasin de configuration des hôtes (8083). En version courante\ndu service, le flux principal passe par HTTPS 9087 (règle 10) ; ces ports sont des\nrésidus d'héritage. Note : 9084 étant HTTP non chiffré, envisager la migration vers\n9087/HTTPS pour éliminer ce flux non chiffré et fermer cette règle.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "9084",
          "8083"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "replication_management",
        "category": "infrastructure",
        "default_ports": [
          "tcp/8043"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 3
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the virtual machine replication service is deployed.\nThis SOAP flow allows the manager to control the replication appliance (replication\npolicy configuration, monitoring). It is distinct from inter-hypervisor replication\ndata traffic, which belongs to a dedicated hypervisor profile. ssl_inbound_inspection\ninspects inbound HTTPS SOAP flows to the manager.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si le service de réplication de machines virtuelles\nest déployé. Ce flux SOAP permet au gestionnaire de piloter l'appliance de réplication\n(configuration des politiques de réplication, monitoring). Il est distinct du trafic\nde réplication de données inter-hyperviseurs, qui relève d'une fiche dédiée aux\nhyperviseurs. ssl_inbound_inspection inspecte les flux HTTPS SOAP entrants vers le\ngestionnaire.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "8043"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "snmp",
        "category": "infrastructure",
        "default_ports": [
          "udp/161"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the manager's SNMP agent is activated and a network\nmanagement system (NMS) performs polling. SNMPv3 with authentication and encryption\nis strongly recommended. Access must be restricted to the NMS IP address. IPS in\ndefault mode monitors SNMP protocol anomalies (unauthorised walk attempts).\n",
        "fr": "CONDITIONNEL — À n'activer QUE si l'agent SNMP du gestionnaire est activé et qu'un\nsystème de supervision réseau (NMS) effectue du polling. SNMP v3 avec authentification\net chiffrement est fortement recommandé. L'accès doit être restreint à l'adresse IP\ndu NMS. L'IPS en mode default surveille les anomalies de protocole SNMP (tentatives\nde walk non autorisées).\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "161"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "snmp_trap",
        "category": "infrastructure",
        "default_ports": [
          "udp/162"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if SNMP trap sending is configured on the manager toward\na trap receiver (NMS). The manager emits SNMP UDP traps to the NMS to report\ninfrastructure events. Prefer SNMPv3 with authentication. IPS in default mode\nmonitors anomalies.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si l'envoi de traps SNMP est configuré sur le\ngestionnaire vers un récepteur de traps (NMS). Le gestionnaire émet des traps SNMP\nUDP vers le NMS pour signaler des événements d'infrastructure. Préférer SNMP v3 avec\nauthentification. L'IPS en mode default surveille les anomalies.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "162"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "syslog",
        "category": "infrastructure",
        "default_ports": [
          "udp/514",
          "tcp/514"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if unencrypted syslog collection is configured AND the\ncurrent manager version supports it. VERSION WARNING: unencrypted syslog on UDP/TCP\n514 is supported in version 9.x but is blocked and unsupported from manager\nversion 9.1 onward. If an upgrade to 9.1+ is planned, migrate to syslog TLS\n(rule 16, port 1514) BEFORE the upgrade. Unencrypted syslog exposes event logs\nto interception and tampering on the management network — prefer rule 16 in all\ncircumstances. IPS monitors flow anomalies.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si la collecte syslog non chiffrée est configurée\nET que la version courante du gestionnaire la supporte. AVERTISSEMENT DE VERSION :\nle syslog non chiffré sur UDP/TCP 514 est supporté en version 9.x mais est bloqué\net non supporté à partir de la version 9.1 du gestionnaire. Si une montée de version\nvers 9.1+ est prévue, migrer vers syslog TLS (règle 16, port 1514) AVANT la mise à\nniveau. Syslog non chiffré expose les journaux d'événements à l'interception et à\nla falsification sur le réseau de gestion — préférer la règle 16 en toutes\ncirconstances. L'IPS surveille les anomalies sur le flux.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "high"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "514"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "syslog_tls",
        "category": "infrastructure",
        "default_ports": [
          "tcp/1514"
        ],
        "risk": 2
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable if encrypted TLS syslog log collection is configured on the\nmanager. Recommended in version 9.x, and mandatory from manager version 9.1 onward\n(unencrypted syslog on 514 is blocked from that version). Recommended migration\npath from rule 15. Decryption is disabled (cert_pinned_app) as the TLS syslog\ncollector uses a device certificate for mutual authentication.\n",
        "fr": "CONDITIONNEL — À activer si la collecte de logs syslog chiffrée TLS est configurée\nsur le gestionnaire. Recommandé en version 9.x, et obligatoire à partir de la\nversion 9.1 du gestionnaire (le syslog non chiffré sur 514 étant bloqué dès cette\nversion). Voie de migration recommandée depuis la règle 15. Le déchiffrement est\ndésactivé (cert_pinned_app) car le collecteur syslog TLS utilise un certificat\nd'équipement pour l'authentification mutuelle.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "1514"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "software_update",
        "category": "infrastructure",
        "default_ports": [
          "tcp/443"
        ],
        "depends_on": [
          "dns",
          "ssl"
        ],
        "risk": 4
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_forward_proxy"
      },
      "direction": "outbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The manager downloads its updates and hypervisor patches/images from a vendor\nservice on the Internet. This is the only outbound Internet flow and a critical\nsupply-chain vector (T1195.002): ssl_forward_proxy is mandatory to allow antivirus\nand sandboxing to inspect downloaded packages. url_filtering blocks risky categories\nand uncategorised sites. The domain allow-list for the vendor update service is\ndeployment-specific: domains documented by the source are recorded as provenance\n(references[].endpoints), to be set in url_filtering.allow_list at deployment —\nwithout hardcoding a brand into the rule. Deployment note: the vendor update\nservice uses a per-account authentication token; see the provenance documentation\n(references[]) for the recommended SSL inspection exclusion on this specific flow\n(KB 431697). High risk (risk 4): supply-chain vector with wide blast radius.\n",
        "fr": "Le gestionnaire télécharge ses mises à jour et les patches/images des hyperviseurs\ndepuis un service éditeur sur Internet. C'est le seul flux sortant vers Internet\net un vecteur critique de chaîne d'approvisionnement (T1195.002) : ssl_forward_proxy\nest obligatoire pour permettre à l'antivirus et au sandboxing d'inspecter les\npaquets téléchargés. url_filtering bloque les catégories à risque et les sites non\ncatégorisés. La liste blanche des domaines autorisés (service éditeur de mise à\njour) est spécifique au déploiement : les domaines documentés par la source figurent\nen provenance (references[].endpoints), à reporter en url_filtering.allow_list au\ndéploiement — sans encoder de marque dans la règle. Note de déploiement : le service\néditeur de mise à jour utilise un token d'authentification par compte ; consulter\nla documentation de provenance (references[]) pour l'exclusion d'inspection SSL\nrecommandée sur ce flux spécifique (KB 431697). Risque élevé (risk 4) : vecteur\nsupply chain à large rayon d'impact.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "dns_security": {
          "action": "block",
          "sinkhole": true
        },
        "ips": {
          "action": "block",
          "min_severity": "low"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "archive",
            "pe"
          ]
        },
        "url_filtering": {
          "block_categories": [
            "malware",
            "phishing",
            "c2",
            "newly_registered_domain",
            "compromised"
          ],
          "credential_phishing": "block",
          "uncategorized_action": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "internet"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "drop",
      "application": {
        "app_id": "clear_text_hypervisor_mgmt",
        "category": "infrastructure",
        "default_ports": [
          "tcp/80"
        ],
        "risk": 4
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "Hardening: clear-text (HTTP) communication attempts toward hypervisor management\ninterfaces are silently dropped. Modern hypervisors expose their management\ninterfaces only over HTTPS (port 443, rule 4); an HTTP flow toward a hypervisor is\neither a legacy configuration residue or an attempt to bypass encryption (T1557 —\nin-flight interception, credential theft). High-priority logging flags every attempt\nfor investigation. Note: this rule targets internal manager <-> hypervisor flows;\nthe HTTP 80 to HTTPS redirect for administrator clients is covered by rule 3\n(inbound direction).\n",
        "fr": "Durcissement : les tentatives de communication en clair (HTTP) vers les interfaces\nde gestion des hyperviseurs sont bloquées silencieusement. Les hyperviseurs modernes\nn'exposent leurs interfaces de gestion qu'en HTTPS (port 443, règle 4) ; un flux HTTP\nentrant vers un hyperviseur est soit un résidu de configuration hérité, soit une\ntentative de contournement du chiffrement (T1557 — interception en vol, vol\nd'identifiants). Le log en haute priorité signale toute tentative pour investigation.\nNote : cette règle cible les flux internes gestionnaire <-> hyperviseurs ; la\nredirection HTTP 80 vers HTTPS pour les clients administrateurs est couverte par\nla règle 3 (sens entrant).\n"
      },
      "service": {
        "ports": [
          "80"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    }
  ],
  "schema_version": "1.0.0",
  "threat_model": {
    "attacker_goal": {
      "en": "Gain control of the virtualization manager to pivot to managed hypervisors\nand compromise workloads or establish fleet-wide persistence.\n",
      "fr": "Obtenir le contrôle du gestionnaire de virtualisation pour pivoter vers les\nhyperviseurs gérés et compromettre les charges de travail ou établir une\npersistance à l'échelle du parc.\n"
    },
    "key_controls": [
      "management_zone_segmentation",
      "ssl_inbound_inspection",
      "ssl_forward_proxy",
      "identity_user_group_restriction",
      "block_cleartext_management",
      "update_sandboxing",
      "ssh_restricted_access"
    ],
    "summary": {
      "en": "The virtualization manager is a single control point over the entire hypervisor\nfleet: its compromise grants access to workloads on all hosted virtual machines.\nThree attack surfaces dominate. (1) The web/API interface (T1190, T1078):\napplication exploits or stolen administrator credentials provide initial access,\nfollowed by a pivot to managed hypervisors (T1210). (2) The Internet update\nchannel (T1195.002): a malicious update package can compromise both the manager\nand all the hypervisors it drives — a supply-chain vector with a very wide blast\nradius. (3) The SSH maintenance access (T1133): if left enabled after a\nmaintenance window, it exposes a direct shell to the appliance from the management\nnetwork. Zone segmentation (management), inbound/outbound TLS inspection, and\nidentity group restrictions reduce these surfaces.\n",
      "fr": "Le gestionnaire de virtualisation est un point de contrôle unique sur l'ensemble\ndu parc d'hyperviseurs : sa compromission donne accès aux charges de travail de\ntoutes les machines virtuelles hébergées. Trois surfaces d'attaque dominent.\n(1) L'interface web/API (T1190, T1078) : exploits applicatifs ou vol d'identifiants\nadministrateurs permettent un accès initial, suivi d'un pivot vers les hyperviseurs\ngérés (T1210). (2) Le canal de mises à jour Internet (T1195.002) : un paquet de\nmise à jour malveillant peut compromettre à la fois le gestionnaire et tous les\nhyperviseurs qu'il pilote — vecteur de supply chain à très large rayon d'impact.\n(3) L'accès SSH de maintenance (T1133) : s'il reste activé après intervention,\nil expose un accès shell direct à l'appliance depuis le réseau de gestion.\nLa segmentation de zone (management), l'inspection entrante et sortante (TLS),\net la restriction des groupes d'identité réduisent ces surfaces.\n"
    }
  },
  "title": {
    "en": "Enterprise virtualization manager",
    "fr": "Gestionnaire de virtualisation d'entreprise"
  },
  "trust_tier": "community",
  "version": "1.0.0"
}