## RAG Card — enterprise_virtualization_manager [en]

**title:** Enterprise virtualization manager
**id:** enterprise_virtualization_manager
**version:** 1.0.0  **trust_tier:** community

**description:** This scenario covers the network flows of a central virtualization management
appliance that orchestrates a pool of hypervisors. The appliance exposes an HTTPS
web UI and REST API to administrators (management access) as well as a dedicated
appliance administration interface on a separate port. It drives managed hypervisors
via a bidirectional management channel, resolves DNS and synchronises its clock via
NTP. Conditional services cover network provisioning of hypervisors, host lifecycle
management and patching, replication, SNMP monitoring, and log collection. An
outbound flow to the Internet enables secure download of updates. The legacy
clear-text management protocol is blocked as a hardening measure. Provenance
(original vendor product) is documented in the Sources section.

**references:**
  - Broadcom — vCenter Server 9.0 — Required Ports for vCenter Server: https://ports.broadcom.com [endpoints: dl.broadcom.com, vcsa.vmware.com]
  - Broadcom — vCenter Server — KB 431697 — Configuring SSL inspection exclusion for update repository: https://knowledge.broadcom.com/external/article?legacyId=431697
  - Broadcom — vCenter Server — KB 390098 — Migration of update repositories (depot/hostupdate/vapp-updates.vmware.com retired): https://knowledge.broadcom.com/external/article?legacyId=390098
  - Broadcom — vCenter Server — KB 320264 — Ports used by vSphere Lifecycle Manager: https://knowledge.broadcom.com/external/article?legacyId=320264
  - Broadcom — vCenter Server — KB 326184 — Required ports for vCenter Server (all versions): https://knowledge.broadcom.com/external/article?legacyId=326184
  - Broadcom — vCenter Server — KB 313945 — NTP configuration on the management appliance: https://knowledge.broadcom.com/external/article?legacyId=313945

**threat_model.summary:** The virtualization manager is a single control point over the entire hypervisor
fleet: its compromise grants access to workloads on all hosted virtual machines.
Three attack surfaces dominate. (1) The web/API interface (T1190, T1078):
application exploits or stolen administrator credentials provide initial access,
followed by a pivot to managed hypervisors (T1210). (2) The Internet update
channel (T1195.002): a malicious update package can compromise both the manager
and all the hypervisors it drives — a supply-chain vector with a very wide blast
radius. (3) The SSH maintenance access (T1133): if left enabled after a
maintenance window, it exposes a direct shell to the appliance from the management
network. Zone segmentation (management), inbound/outbound TLS inspection, and
identity group restrictions reduce these surfaces.
**threat_model.attacker_goal:** Gain control of the virtualization manager to pivot to managed hypervisors
and compromise workloads or establish fleet-wide persistence.
**threat_model.key_controls:** management_zone_segmentation, ssl_inbound_inspection, ssl_forward_proxy, identity_user_group_restriction, block_cleartext_management, update_sandboxing, ssh_restricted_access

**mitre_attack:**
  - T1190 (initial-access): Exploit Public-Facing Application
  - T1210 (lateral-movement): Exploitation of Remote Services
  - T1195.002 (initial-access): Compromise Software Supply Chain
  - T1078 (defense-evasion): Valid Accounts
  - T1133 (initial-access): External Remote Services

**rules:**
  [0] app_id=virtualization_mgmt_web action=allow direction=inbound zones=trust, management, vpn->management risk=5 profiles=['antivirus', 'ips', 'url_filtering'] decrypt=ssl_inbound_inspection
       rationale: This rule allows administrators (compliant devices, restricted directory groups)
and automation tools to reach the manager's main interface over HTTPS. Since the
manager is a controlled internal server, ssl_inbound_inspection decrypts inbound
traffic to detect exploits targeting the interface (T1190) and malicious uploaded
files. Identity is restricted by directory group (least privilege). Risk is critical
(risk 5) because compromising the manager enables pivoting to all managed
hypervisors (T1210). This rule also covers the redirect from HTTP port 80 (see
rule 3).
  [1] app_id=appliance_admin_web action=allow direction=inbound zones=management->management risk=5 profiles=['antivirus', 'ips'] decrypt=ssl_inbound_inspection
       rationale: The appliance administration interface (port 5480) is the only way to manage
the appliance's system settings: backup, network configuration, NTP, certificates,
OS updates, and SSH enable/disable. It is structurally mandatory (without it, the
appliance cannot be managed outside the main interface) and distinct from the 443
management interface. Access is restricted to system administrators only (a
narrower directory group than rule 1). ssl_inbound_inspection covers exploits
(T1190, T1078). Risk is critical (risk 5): access to this interface allows full
reconfiguration of the appliance, including SSH activation.
  [2] app_id=web_browsing action=allow direction=inbound zones=trust, management, vpn->management risk=2 profiles=['ips'] decrypt=none
       rationale: Port 80 is accepted solely to allow the automatic redirect to HTTPS 443 (a stable,
documented behaviour). No application data is transmitted in clear text: the session
is immediately redirected. IPS in block mode (high severity) detects exploitation
attempts targeting the HTTP redirect layer. Decryption is not applicable: the HTTP
flow is not encrypted and the redirect occurs before any data exchange.
  [3] app_id=hypervisor_management action=allow direction=internal zones=management->management risk=5 profiles=['antivirus', 'ips'] decrypt=none
       rationale: The manager drives managed hypervisors via a bidirectional channel. The dedicated
management port (TCP) carries data transfer, configuration, and VM console (MKS).
The HTTPS port (TCP 443) is used for the configuration channel and agent management on
the hypervisor side. The availability heartbeat (UDP) also uses the dedicated
management port. Decryption is disabled (cert_pinned_app exclusion): managed
hypervisors present device certificates and a MITM proxy would break the
authenticated management channel. IPS detects exploits targeting embedded management
services (T1210). Risk is critical (risk 5): this channel is the main pivot vector
to hypervisors. Note: the UDP heartbeat on the same port is covered by a separate
service rule if the firewall distinguishes TCP from UDP.
  [4] app_id=hypervisor_heartbeat action=allow direction=internal zones=management->management risk=3 profiles=['ips'] decrypt=none
       rationale: The UDP availability heartbeat between the manager and managed hypervisors enables
rapid detection of unavailable hosts. This flow is fundamental for high-availability
management and hypervisor health monitoring. IPS in default mode detects protocol
anomalies on this UDP flow without blocking legitimate probes.
  [5] app_id=dns action=allow direction=internal zones=management->internal risk=2 profiles=['dns_security'] decrypt=none
       rationale: DNS resolution is structurally mandatory: appliance installation fails if A/PTR
records for its FQDN cannot be resolved. In operation, DNS is required to reach
managed hypervisors, directory controllers, and the update service. The flow is
restricted to a controlled internal resolver (no direct Internet resolution). The
dns_security profile with sinkhole mitigates DNS tunneling from the appliance if
it were compromised. TCP/53 (DNSSEC or >512-byte responses) is handled by the same
rule if the firewall supports multi-protocol; otherwise duplicate for tcp/53.
  [6] app_id=ntp action=allow direction=internal zones=management->internal risk=2 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if direct NTP synchronisation is configured on the
appliance (via its administration interface). NTP can technically be disabled in
favour of synchronisation through the host hypervisor, but is strongly recommended
in production as it is critical for TLS certificate validity, SSO/Kerberos
authentication, and consistency of event logs and high-availability mechanisms.
IPS in default mode detects NTP protocol anomalies (amplification, non-standard
mode).
  [7] app_id=ssh action=allow direction=inbound zones=management->management risk=4 profiles=['ips'] decrypt=ssh_proxy
       rationale: CONDITIONAL — Enable ONLY if the appliance SSH service has been explicitly activated
via the administration interface for a maintenance operation. SSH is disabled by
default on the appliance (security best practice) and must be re-disabled after the
operation. This rule should be activated with a time-limited policy (maintenance
window). The ssh_proxy decryption mode allows inspection of commands executed over
the SSH tunnel (detection of exfiltration or suspicious commands). Access is
restricted to compliant management hosts and the narrowest administration group
(T1133). log_start is enabled to trace every SSH session opening.
  [8] app_id=network_boot_provisioning action=allow direction=inbound zones=management->management risk=3 profiles=['antivirus', 'ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if the hypervisor network provisioning service is in
place. This service enables automated deployment of stateless hypervisors: hosts being
provisioned connect to the manager to receive their system image, configuration
profile, and assignment rules. Antivirus and IPS inspect inbound flows. Decryption
is disabled (cert_pinned_app) as hypervisors booting over the network use device
certificates that a proxy cannot impersonate. If provisioning uses UEFI HTTPS Boot
(modern boot), it goes through TCP 443 (rule 1) and this rule can remain disabled.
  [9] app_id=tftp action=allow direction=inbound zones=management->management risk=3 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if the network provisioning service uses legacy PXE boot
(BIOS or classic iPXE). TFTP enables download of the iPXE boot file when a hypervisor
PXE-boots. This rule is unnecessary if modern network boot (UEFI HTTPS Boot) is
configured, as it operates entirely over HTTPS 443 (rule 1 or rule 8). TFTP is an
unencrypted protocol: restrict its use to the segmented management network and consider
migrating to UEFI HTTPS boot to eliminate this flow.
  [10] app_id=host_lifecycle_patch_https action=allow direction=inbound zones=management->management risk=4 profiles=['antivirus', 'ips', 'sandboxing'] decrypt=ssl_inbound_inspection
       rationale: CONDITIONAL — Enable ONLY if the host lifecycle management service is activated to
drive updates and check compliance of managed hypervisors. This service exposes an
HTTPS patch/image repository from the manager to hypervisors. If this flow is blocked,
compliance checks and remediations fail silently. HTTPS port (9087): the primary flow
in the current service version (replaces legacy HTTP port 9084). ssl_inbound_inspection
enables antivirus and sandboxing inspection of distributed content.
  [11] app_id=host_lifecycle_patch_legacy action=allow direction=inbound zones=management->management risk=3 profiles=['antivirus', 'ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if the host lifecycle service still uses the legacy HTTP
port (9084) for compatibility-mode hypervisors, or the host configuration store
access port (8083). In the current service version, the main flow goes through HTTPS
9087 (rule 10); these ports are legacy residues. Note: since 9084 is unencrypted
HTTP, consider migrating to 9087/HTTPS to eliminate this unencrypted flow and close
this rule.
  [12] app_id=replication_management action=allow direction=internal zones=management->management risk=3 profiles=['ips'] decrypt=ssl_inbound_inspection
       rationale: CONDITIONAL — Enable ONLY if the virtual machine replication service is deployed.
This SOAP flow allows the manager to control the replication appliance (replication
policy configuration, monitoring). It is distinct from inter-hypervisor replication
data traffic, which belongs to a dedicated hypervisor profile. ssl_inbound_inspection
inspects inbound HTTPS SOAP flows to the manager.
  [13] app_id=snmp action=allow direction=inbound zones=management->management risk=2 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if the manager's SNMP agent is activated and a network
management system (NMS) performs polling. SNMPv3 with authentication and encryption
is strongly recommended. Access must be restricted to the NMS IP address. IPS in
default mode monitors SNMP protocol anomalies (unauthorised walk attempts).
  [14] app_id=snmp_trap action=allow direction=internal zones=management->management risk=2 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if SNMP trap sending is configured on the manager toward
a trap receiver (NMS). The manager emits SNMP UDP traps to the NMS to report
infrastructure events. Prefer SNMPv3 with authentication. IPS in default mode
monitors anomalies.
  [15] app_id=syslog action=allow direction=internal zones=management->management risk=3 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable ONLY if unencrypted syslog collection is configured AND the
current manager version supports it. VERSION WARNING: unencrypted syslog on UDP/TCP
514 is supported in version 9.x but is blocked and unsupported from manager
version 9.1 onward. If an upgrade to 9.1+ is planned, migrate to syslog TLS
(rule 16, port 1514) BEFORE the upgrade. Unencrypted syslog exposes event logs
to interception and tampering on the management network — prefer rule 16 in all
circumstances. IPS monitors flow anomalies.
  [16] app_id=syslog_tls action=allow direction=internal zones=management->management risk=2 profiles=['ips'] decrypt=none
       rationale: CONDITIONAL — Enable if encrypted TLS syslog log collection is configured on the
manager. Recommended in version 9.x, and mandatory from manager version 9.1 onward
(unencrypted syslog on 514 is blocked from that version). Recommended migration
path from rule 15. Decryption is disabled (cert_pinned_app) as the TLS syslog
collector uses a device certificate for mutual authentication.
  [17] app_id=software_update action=allow direction=outbound zones=management->internet risk=4 profiles=['antivirus', 'ips', 'url_filtering', 'sandboxing', 'dns_security'] decrypt=ssl_forward_proxy
       rationale: The manager downloads its updates and hypervisor patches/images from a vendor
service on the Internet. This is the only outbound Internet flow and a critical
supply-chain vector (T1195.002): ssl_forward_proxy is mandatory to allow antivirus
and sandboxing to inspect downloaded packages. url_filtering blocks risky categories
and uncategorised sites. The domain allow-list for the vendor update service is
deployment-specific: domains documented by the source are recorded as provenance
(references[].endpoints), to be set in url_filtering.allow_list at deployment —
without hardcoding a brand into the rule. Deployment note: the vendor update
service uses a per-account authentication token; see the provenance documentation
(references[]) for the recommended SSL inspection exclusion on this specific flow
(KB 431697). High risk (risk 4): supply-chain vector with wide blast radius.
  [18] app_id=clear_text_hypervisor_mgmt action=drop direction=internal zones=management->management risk=4 profiles=[] decrypt=—
       rationale: Hardening: clear-text (HTTP) communication attempts toward hypervisor management
interfaces are silently dropped. Modern hypervisors expose their management
interfaces only over HTTPS (port 443, rule 4); an HTTP flow toward a hypervisor is
either a legacy configuration residue or an attempt to bypass encryption (T1557 —
in-flight interception, credential theft). High-priority logging flags every attempt
for investigation. Note: this rule targets internal manager <-> hypervisor flows;
the HTTP 80 to HTTPS redirect for administrator clients is covered by rule 3
(inbound direction).
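
The rationales for rules 10 and 17 state two constraints that can be checked mechanically: sandboxing only works on decrypted traffic, and software_update is the only flow allowed to reach the Internet. The Python below is an added example, not part of the card or of any vendor tooling; it parses rule header lines in the card's format and reports violations. Rules 90 and 91 and the `hypothetical_*` app_ids are constructed for the demonstration.

```python
import re

# Constructed input: the first three header lines are copied from the card;
# rules 90 and 91 are hypothetical misconfigurations added for the demo.
SAMPLE = """\
  [2] app_id=web_browsing action=allow direction=inbound zones=trust, management, vpn->management risk=2 profiles=['ips'] decrypt=none
  [10] app_id=host_lifecycle_patch_https action=allow direction=inbound zones=management->management risk=4 profiles=['antivirus', 'ips', 'sandboxing'] decrypt=ssl_inbound_inspection
  [17] app_id=software_update action=allow direction=outbound zones=management->internet risk=4 profiles=['antivirus', 'ips', 'url_filtering', 'sandboxing', 'dns_security'] decrypt=ssl_forward_proxy
  [90] app_id=hypothetical_patch_mirror action=allow direction=inbound zones=management->management risk=3 profiles=['ips', 'sandboxing'] decrypt=none
  [91] app_id=hypothetical_telemetry action=allow direction=outbound zones=management->internet risk=2 profiles=['ips'] decrypt=none
"""

RULE_RE = re.compile(
    r"\[(?P<idx>\d+)\] app_id=(?P<app_id>\S+) action=(?P<action>\S+) "
    r"direction=(?P<direction>\S+) zones=(?P<src>.+?)->(?P<dst>\S+) "
    r"risk=(?P<risk>\d+) profiles=\[(?P<profiles>[^\]]*)\] decrypt=(?P<decrypt>\S+)"
)

def parse_rules(text):
    """Turn each rule header line into a dict; rationale lines are ignored."""
    rules = []
    for m in RULE_RE.finditer(text):
        rule = m.groupdict()
        rule["idx"], rule["risk"] = int(rule["idx"]), int(rule["risk"])
        rule["src"] = [z.strip() for z in rule["src"].split(",")]
        rule["profiles"] = re.findall(r"'([^']+)'", rule["profiles"])
        rules.append(rule)
    return rules

def audit(rules):
    """Return (rule index, finding) pairs for allow rules that break a constraint."""
    findings = []
    for r in (r for r in rules if r["action"] == "allow"):
        # Sandboxing cannot inspect content the firewall does not decrypt.
        if "sandboxing" in r["profiles"] and r["decrypt"] == "none":
            findings.append((r["idx"], "sandboxing without decryption"))
        # The card allows exactly one Internet flow, behind ssl_forward_proxy.
        if r["dst"] == "internet":
            if r["app_id"] != "software_update":
                findings.append((r["idx"], "unexpected Internet egress"))
            elif r["decrypt"] != "ssl_forward_proxy":
                findings.append((r["idx"], "update flow not decrypted"))
    return findings

if __name__ == "__main__":
    for idx, finding in audit(parse_rules(SAMPLE)):
        print(f"rule [{idx}]: {finding}")
```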
