
Category Archives: Security

VMWorld 2016 Preview – The Software-Defined Data Center – Mission Critical Applications & Databases

Continuing on the theme of making the VMware Software-Defined Data Center real, here is a preview of my abstracts for VMWorld 2016, submitted along with our partners Hitachi Data Systems and NetApp. One session will feature SAP HANA with the Dynamic Tiering option and the other will feature Oracle 12c with the in-memory option. Both sessions will showcase full-stack SDDC architectures: NSX, vRealize Operations, vROPs Management Packs, and software-defined storage (Virtual Volumes). For the Oracle session NetApp will be the co-presenter, and for the SAP HANA session Hitachi Data Systems will be the co-presenter. Get ready, because VMWorld voting is open from May 3rd to May 24th.

Title: The SDDC Stack Day 2 Operations: Oracle 12c RAC Business Intelligence In-Memory Option, SUSE Enterprise Linux, VMware NSX, vRealize Operations – Blue Medora Management Packs, Virtual Volumes on NetApp All Flash Array – AFF8060

Abstract: This session will focus on the Day 2 operations of a fully virtualized Oracle RAC 12c Business Intelligence stack using the in-memory option at multi-terabyte scale, up to 4TB, running SUSE Linux Enterprise Edition 11 on standard Intel x86 servers. The virtualized infrastructure will incorporate several major tenets of the Software-Defined Data Center: compute, network, storage, and operations. We will deploy VMware NSX, highlighting micro-segmentation techniques that adhere to the network guidelines in the Oracle Enterprise Deployment Reference Topology. The software-defined storage will be configured using vSphere 6.0 Virtual Volumes on a NetApp AFF8060 Flash Array. Day 2 operational data will be captured and analyzed in VMware vRealize Operations Management, the Blue Medora NetApp vROPs storage management pack, and the Oracle OEM Adapter.

Title: The SDDC: Full Stack on vSphere SAP Business Warehouse Powered By HANA, NSX, vRealize Operations with Blue Medora Management Packs, SDS – Virtual Volumes on Hitachi Unified Compute Platform and SUSE Linux Enterprise Server.

Abstract: The Software-Defined Data Center is no longer a concept; it is reality. In this session we fully virtualize an industry-leading mission-critical application and database: SAP Business Warehouse Powered By HANA with the Dynamic Tiering Option, running SUSE Linux Enterprise Server for SAP Applications on Intel x86 servers. We will go beyond using vSphere to virtualize compute and extend this reference architecture to cover virtual networks and software-defined storage. We will cover the rationale and the specific use case behind VMware NSX micro-segmentation for mission-critical architectures. We will define and create software-defined storage via VMware Virtual Volumes, using the Hitachi Unified Compute Platform. In addition we will show the value of vRealize Operations in conjunction with the Blue Medora SAP HANA Management Pack plug-in for vROPs when managing mission-critical workloads.

Supported vSphere vCenter and ESXi Ciphers

Hi everyone,

One question that comes up regularly is “What ciphers are supported on vCenter and ESXi?”. I’m happy to share that we have published a VMware Knowledge Base article outlining the supported ciphers!

With all of the challenges around SSL/TLS over the past year or two, knowing exactly which ciphers are in use has become critical information that IT and security teams need to do their jobs.

Rather than list the ciphers here, I’ll just point you at the KB as it will be the central repository for this information and will be updated as necessary.

Please note that on some products, like the VCSA, you’ll find more than one OpenSSL binary. For example, the VCSA ships with a default OpenSSL binary from SUSE, the OS provider, and another from VMware. VMware uses the OpenSSL we develop and ship, not the OS binaries. The cipher list in the KB was created using the VMware binaries. This is helpful to understand in case your scanning tools only check against the OS binaries and report a false positive.

If you have questions, please respond directly to the KB using the provided feedback mechanism at the end of the KB article.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

William Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2 and found that the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that’s the wrong course of action.

ESXi 6.0 Update 2 ships with an updated version of OpenSSH, 7.1p1. One of the major changes in this release is that “ssh-dss” and “ssh-dss-cert-*” (a.k.a. DSA) keys are disabled. The OpenSSH project has also announced the future deprecation of other legacy cryptography. I urge you to read more about these changes, as they may impact you in other places in your infrastructure.

Now, the customer had added ssh-dss (DSA) keys to the /etc/authorized_keys file so that he could easily log into his ESXi system. Ok, I get that. Adding authorized keys is a supported configuration outlined in this KB.

What happened is that once ESXi 6.0 U2 was running the new OpenSSH bits, his SSH connections were refused. This is expected behavior! The issue could be worked around by re-enabling DSA keys in the sshd configuration, or fixed properly by generating new RSA keys. As I said above, the workaround is the wrong course of action. You put your ESXi host at risk for convenience?

Please don’t bring up the “but DSA keys are faster/less overhead/etc” argument. I’m pretty darned sure that OpenSSH is using AES-NI instructions (I looked) that are plenty fast for a simple SSH session. Performance is no longer an excuse to use less security! It’s 2016.

Bottom line, if you are using Authorized Keys on your ESXi server and they were generated with DSA keys, it’s time to be proactive and re-generate them with RSA keys.
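To find the keys that need regenerating before an upgrade, here is an added example (not from the original post or from VMware) that audits an authorized_keys file for the ssh-dss and ssh-dss-cert key types that OpenSSH 7.1p1 rejects. The file path is a parameter, and the sample file below is constructed with fake key material.

```shell
#!/bin/sh
# Print one line per DSA key found: "<line-number> <key-type> <comment>".
# Handles keys prefixed with options such as from="..." by scanning fields
# until the first SSH key type is reached.
find_dss_keys() {
    keyfile="$1"
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ssh-dss(-cert-v01@openssh\.com)?$/) {
                    printf "%d %s %s\n", NR, $i, $(i+2)
                    break
                }
                # First non-DSA key type: nothing to report on this line
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-)/) break
            }
        }' "$keyfile"
}

# Succeeds (exit 0) when at least one DSA key is present, so a pre-upgrade
# check can fail loudly: has_dss_keys file && echo "regenerate keys first"
has_dss_keys() {
    [ -n "$(find_dss_keys "$1")" ]
}

# Constructed sample authorized_keys file (fake keys, not real material)
SAMPLE="/tmp/authorized_keys.sample.$$"
cat > "$SAMPLE" <<'EOF'
# admin keys
ssh-rsa AAAAB3NzaC1yc2EFAKE== admin@jumphost
ssh-dss AAAAB3NzaC1kc3MFAKE== legacy@workstation
from="10.0.0.0/24" ssh-dss AAAAB3NzaC1kc3MFAKE2== backup@scripts
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE ops@laptop
EOF

find_dss_keys "$SAMPLE"
```

On the sample above the function reports lines 3 and 4, the two keys that would stop working on ESXi 6.0 U2.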

Final note: Limit who can log into your ESXi host. Only those you trust the most should have access. If you are logging in to “run scripts and stuff” (as many customers tell me they do) then you might want to look into using tools like the vSphere API and scripting tools like PowerCLI or Python.

If you have something you CAN’T do via API or scripting, please let us know! Reply here or send email.

Thanks for reading!


Two Factor Authentication for vSphere – RSA SecurID – Part 2

Introduction

In Part 1 of Two Factor Authentication for vSphere – RSA SecurID, we configured RSA Authentication Manager to get it ready for adding the PSC as an Authentication Manager agent. In this post, we’ll configure the Platform Services Controller (PSC) itself by uploading the sdconf.rec file and running the appropriate CLI commands to enable RSA SecurID. We’ll also talk about other authentication options you can enable or disable as you see fit.

Configure Platform Services Controller


Two Factor Authentication for vSphere – RSA SecurID – Part 1

Introduction

This is Part 1 of a 2 part blog series. In this post we’ll talk about setting up RSA SecurID Authentication Manager, some architectural assumptions and what you’ll need to take with you to Part 2.

Two Factor Authentication

Two factor authentication (2FA) has become ubiquitous nowadays. For those of you still in the Dark Ages where you have your password written on a Post-It Note stuck to the bottom of your keyboard, 2FA is “something you have”, like a hardware or software token and “something you know” which would be a secret PIN.


Hardening Guide Risk Profiles Explained

A customer asked me recently “Why were the Risk Profile definitions pulled out of the vSphere 6 Hardening Guide?”


Making Security Easier – An ESXi Fling for US Federal Customers

Running systems in the US Federal Government presents its own unique challenges. From specific system login requirements (CAC/PIV smart cards) to specific regulations like DISA STIG’s, managing systems in this environment comes with a healthy dose of security. Today we’re taking a small step towards making that easier with the introduction of a VMware Fling for ESXi targeting the DISA STIG standards.

DISA STIG

Many of the requirements of a STIG come from years of operational experience with other operating systems. Even though ESXi isn’t Linux, it shares some common tools whose settings must be configured to meet the STIG. This VIB simplifies that process and does it in a more secure manner.


SSLv3 Protocol Disabled by Default in vSphere 5.5 Update 3b

Background

Why has the SSLv3 protocol been disabled by default in vSphere 5.5 Update 3b?

Across the industry, enterprise software products and solutions are dropping use of and support for the SSLv3 protocol. The Internet Engineering Task Force (IETF) officially deprecated the SSLv3 protocol in RFC 7568 due to its obsolescence and inherent unfixability. Instead, IETF recommends the latest version of TLS.

VMware is therefore dropping support for SSLv3 on both the server side and the client side in vSphere. The release of vSphere 5.5 Update 3b from VMware disables SSLv3 by default to meet current standards and compliance.


SDDC Security Operations class from VMware Education

Hey everyone!

I know, it’s been a while since I blogged. It’s been an insanely busy time here at VMware, especially for vSphere security. VMworld US and Europe vSphere security sessions were very popular! And since then, I’ve been traveling a whole bunch, meeting customers and talking about security operations. A recurring ask has been “How can I learn to run my vSphere and NSX environments more securely?”

Well, that is about to be answered! With input from myself and Chris McCain, and the tireless work of the VMware Education team putting the content together, I’m proud to say there is now a course for SDDC Security Operations!

Entitled “Security Operations for the Software Defined Data Center”, the course is for vSphere admins who are getting pressured to run their infrastructure in a more secure fashion. And based on the crowds in my VMworld sessions, this should be SUPER popular!!!

Here’s a quick overview of the course and its objectives:

In the VMware Security Operations for the Software-Defined Data Center course, we teach you how to use the VMware Software-Defined Data Center (SDDC) product portfolio and tools to better manage administrator access, harden your VMware vSphere® environment, and secure data at rest and in motion. We also cover compliance and automation to help you ensure your deployments align with your security policies.

  • Describe the concepts involved in securing a software-defined data center and protecting the data in the data center
  • Manage vSphere administrator access to hosts and the VMware vCenter Server™ system based on identified job roles and requirements
  • Implement best-practice security of vSphere components based on organizational security policies
  • Configure data protection for data at rest and data in motion
  • Manage protection for virtual machines, endpoints, and networks
  • Use micro-segmentation to protect and manage multitier applications and network data
  • Perform activity monitoring and logging, and explore relevant logs to meet compliance requirements
  • Use VMware NSX™ security groups, policies, and tags to automate deployment and security processes
  • Use automation to respond to security-related events

So, where can you learn more? VMware Education! Here’s the link

If you take the course, please send me some feedback. A lot of hard work went into it, especially by the VMware Education folks. We’re already talking about an update late next year to incorporate “future” stuff. :)

Thanks for reading!
mike

vCenter Server 6.0 Update 1 Single Sign On and SSLv3

Hi,

vSphere 6.0 Update 1 is out and there are lots of great updates. One that I think many will be interested in is SSLv3 as it relates to Single Sign-On. From the Update 1 Release Notes:

SSLv3 protocol disabled by default on port 7444 in vCenter Server 6.0 Update

When you install vCenter Server 6.0 Update 1, the SSLv3 protocol is disabled on port 7444 by default. When you upgrade from an earlier release of vCenter Server to vCenter Server 6.0 Update 1, the SSLv3 protocol remains enabled on port 7444. Workaround: To disable SSLv3 on port 7444 see KB 2131310
