A customer asked me recently “Why were the Risk Profile definitions pulled out of the vSphere 6 Hardening Guide?”
Category Archives: Security
Running systems in the US Federal Government presents its own unique challenges. From specific system login requirements (CAC/PIV smart cards) to specific regulations like DISA STIGs, managing systems in this environment comes with a healthy dose of security. Today we’re taking a small step towards making that easier with the introduction of a VMware Fling for ESXi targeting the DISA STIG standards.
Many of the requirements of a STIG come from years of operational experience with other operating systems. Even though ESXi isn’t Linux, there are some common tools that have specific settings requirements that need to be met by the STIG. This VIB simplifies this process and does it in a more secure manner.
Why has the SSLv3 protocol been disabled by default in vSphere 5.5 Update 3b?
Across the industry, enterprise software products and solutions are dropping use of and support for the SSLv3 protocol. The Internet Engineering Task Force (IETF) officially deprecated the SSLv3 protocol in RFC 7568 due to its obsolescence and inherent unfixability. Instead, IETF recommends the latest version of TLS.
VMware is therefore dropping support for SSLv3 on both the server side and the client side in vSphere. The release of vSphere 5.5 Update 3b from VMware disables SSLv3 by default to meet current standards and compliance.
I know, it’s been a while since I blogged. It’s been an insanely busy time here at VMware, especially for vSphere security. VMworld US and Europe vSphere security sessions were very popular! And since then, I’ve been traveling a whole bunch, meeting customers and talking about security operations. A recurring ask has been “How can I learn to run my vSphere and NSX environments more securely?”
Well, that is about to be answered! With input from myself and Chris McCain and the tireless work of the VMware Education team putting the content together, I’m proud to say there is now a course for SDDC Security Operations!
Entitled “Security Operations for the Software Defined Data Center”, the course is for vSphere admins who are getting pressured to run their infrastructure in a more secure fashion. And based on the crowds in my VMworld sessions, this should be SUPER popular!!!
Here’s a quick overview of the course and its objectives:
In the VMware Security Operations for the Software-Defined Data Center course, we teach you how to use the VMware Software-Defined Data Center (SDDC) product portfolio and tools to better manage administrator access, harden your VMware vSphere® environment, and secure data at rest and in motion. We also cover compliance and automation to help you ensure your deployments align with your security policies.
- Describe the concepts involved in securing a software-defined data center and protecting the data in the data center
- Manage vSphere administrator access to hosts and the VMware vCenter Server™ system based on identified job roles and requirements
- Implement best-practice security of vSphere components based on organizational security policies
- Configure data protection for data at rest and data in motion
- Manage protection for virtual machines, endpoints, and networks
- Use micro-segmentation to protect and manage multitier applications and network data
- Perform activity monitoring and logging, and explore relevant logs to meet compliance requirements
- Use VMware NSX™ security groups, policies, and tags to automate deployment and security processes
- Use automation to respond to security-related events
So, where can you learn more? VMware Education! Here’s the link
If you take the course, please send me some feedback. A lot of hard work went into it, especially by the VMware Education folks. We’re already talking about an update late next year to incorporate “future” stuff.
Thanks for reading!
vSphere 6.0 Update 1 is out and there are lots of great updates. One that I think many will be interested in is SSLv3 as it relates to Single Sign-On. From the Update 1 Release Notes:
SSLv3 protocol disabled by default on port 7444 in vCenter Server 6.0 Update 1
When you install vCenter Server 6.0 Update 1, the SSLv3 protocol is disabled on port 7444 by default. When you upgrade from an earlier release of vCenter Server to vCenter Server 6.0 Update 1, the SSLv3 protocol remains enabled on port 7444. Workaround: To disable SSLv3 on port 7444, see KB 2131310.
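Whether you are on vSphere 5.5 Update 3b (where SSLv3 is off by default) or have upgraded to vCenter Server 6.0 Update 1 (where port 7444 keeps whatever it had before), the thing to verify is that the endpoint actually refuses an SSLv3 handshake. The script below is an added example written for this post, not VMware code or part of the KB: it sends a hand-built ClientHello with wire version 3.0 (SSLv3; TLS 1.0 is 3.1) and classifies the first record the server sends back. A ServerHello that comes back at version 3.0 means SSLv3 is still negotiable; an alert or an immediate close means it is rejected. The hostname and the cipher-suite list are assumptions chosen so the server has something it could accept if the protocol itself were allowed.

```python
"""
Probe whether a TLS endpoint (for example vCenter SSO on port 7444) still
accepts SSLv3.  Added example for this post, not VMware code; the target
host and the offered cipher suites are assumptions.
"""
import socket
import struct
import sys

SSLV3 = (3, 0)            # wire version of SSLv3 (TLS 1.0 is 3.1)
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Widely implemented suites from the SSLv3/TLS1.0 era so the server has
# something to pick if the protocol is allowed (assumed, not from the page).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSLV3):
    """Build one SSL/TLS record carrying a minimal ClientHello at `version`."""
    major, minor = version
    body = struct.pack("!BB", major, minor)              # client_version
    body += b"\x00" * 32                                  # client random (fixed; fine for a probe)
    body += b"\x00"                                       # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites
    body += b"\x01\x00"                                   # compression_methods: null only
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to 'enabled', 'rejected' or 'unknown'."""
    if not data:
        return "rejected"            # server closed without answering
    if len(data) < 5:
        return "unknown"
    rec_type, _major, _minor, _length = struct.unpack("!BBBH", data[:5])
    if rec_type == RECORD_ALERT:
        return "rejected"            # typically handshake_failure or protocol_version
    if rec_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        # record header (5) + handshake type (1) + length (3) => server_version at 9..10
        return "enabled" if (data[9], data[10]) == SSLV3 else "unknown"
    return "unknown"


def probe(host, port=7444, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.example.com"   # assumed hostname
    print(f"SSLv3 on {target}:7444 -> {probe(target)}")
```

Run it against each vCenter (and each service port you care about, not only 7444) before and after applying the KB; "enabled" after the change means the workaround did not take. The probe deliberately avoids the local OpenSSL, since most current builds no longer compile SSLv3 in and `openssl s_client -ssl3` would fail on the client side rather than tell you anything about the server.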
VMworld US is only 3 weeks away, and by now you are probably going through the Content Catalog and using Schedule Builder to create your own personal agenda. Since vSphere is still a very popular topic among our customers, particularly with the release of vSphere 6.0 earlier this year, I decided to provide a list of sessions on vSphere 6.0 that are being presented at this year’s show. This list is organized by type of session, so you can decide which ones best suit your needs.
Sessions on vSphere 6.0 Deployment
- vSphere 6.0 Deployments and Upgrades, Part 1: vCenter Server (INF4944)
- vSphere 6.0 Deployments and Upgrades, Part 2: ESXi (INF5123)
- vCenter Server 6 High Availability (INF4945)
- ‘Zero Touch’ ESXi Deployment, Configuration & Upgrades with Auto Deploy and Host Profiles (INF5800)
Deep Dives into specific features of vSphere 6.0
- vSphere 6 Security Update (INF4758)
- Insight Into vSphere 6 vMotion: Architecture, Features, Performance and Debugging (INF4936)
- Content Library (INF5116)
- DRS Advancements in vSphere 6, Advanced Concepts, and Future Directions (INF5306)
- VMware vSphere Fault Tolerance for Multiprocessor Virtual Machines (INF5729)
- vSphere High Availability (HA) Best Practices (INF5898)
- vSphere 6 Security Deep Dive: Certificates and Identity (INF4946)
- vSphere Web Client – Yesterday, Today and Tomorrow (INF5093)
- vCenter Server Appliance (VCSA) Best Practices & Tips/Tricks (INF4528)
Hands-on Labs on vSphere 6.0
- SPL-SDC-1610 – Virtualization 101: vSphere with Operations Management 6
- SPL-SDC-1602 – vSphere with Operations Management 6: Advanced Topics (which includes a module on What’s New in vSphere 6.0)
Of course, there are a lot of other great sessions that go into more general (version-independent) vSphere topics, but these are the sessions to attend if you want to learn specifically about the latest version. Don’t forget also to visit the VMware booth in the Solutions Exchange, where you can see demos of vSphere 6.0 features (plus a lot of other surprise goodies too). I hope you have a great VMworld!
Here’s a quick blog post for you as you’re going through the VMworld Schedule Builder for VMworld 2015. Below is a list of security sessions that are primarily focused on vSphere Security. The NSX guys have a whole other laundry list of awesome sessions but for now, we’re going to focus on vSphere. Let’s get started!
I’m going to group these by their presenters.
INF4758 – vSphere 6 Security Update Tuesday at 12:30pm
Get updated on what’s new in vSphere from a security perspective. You’ll get an overview of things like the new Lockdown Mode, an introduction to the big changes in vSphere security certificate management and the big changes that were made to the vSphere Hardening Guide.
INF5177 – vSphere Security: Fact vs. Fiction (A 2014 repeat, back by popular demand!) Wednesday at 4pm
Is your security guy on your case about vSphere Security and thinks “VM Escape” is the primary threat? Learn the facts vs the fiction about security threats and come away feeling empowered to have “that” discussion with your security guy. Better yet, bring him along!
INF5539 – Infrastructure Security Panel Discussion Wednesday at 10am
Industry IT and Security experts get together and talk about the challenges, concerns and goings-on in virtualization and cloud security. The panel consists of folks from Financial and Healthcare, Federal government, Enterprise security and auditing, and yours truly. Come prepared to ask questions!
INF6396-GD Platform Security with Mike Foley Wednesday at 11am
This is a group discussion where YOU are the content! No death by PowerPoint, just me facilitating a roundtable discussion of you and your peers. We’ll talk about vSphere security and share tips and tricks.
EXPERTSMFO – Meet the Experts with Mike Foley Tuesday at 3pm
Here’s your chance for some one on one time! In my opinion this is one of the most under-utilized opportunities at VMworld. Take advantage of it! Book some time and let’s talk! If you’re looking for a discussion on network security and NSX however, please book time with those folks. Book this and other Meet The Experts sessions when you get to VMworld. It’s usually at the top of the first escalator in Moscone West.
INF5339 – Protect your VM data with VM Encryption for vSphere and vCloud Air
I can’t say any more than “Get up early and get to this session”. Seriously, I can’t say any more!
Ryan Johnson and Adam Eckerle
INF4529 – VMware Certificate Management for Mere Mortals
Take two talented IT guys with TONS of real-world customer experience and toss them together with the new vSphere 6 certificate story and you get a great discussion on certs for the everyday IT guy.
INF4946 – vSphere 6 Security Deep Dive: Certificates and Identity
You asked for it and you’re getting it. This is the session for deep diving into vSphere certificate management and identities. Johnny is the Product Manager for Identity Management, SSO and certificate management.
SDDC6404-QT – The future of Trust and Security
VMware customers range from small to HUGE. All of them (I would hope!) have concerns about security. Some of these concerns can be addressed in some of the sessions listed here. When you need to go even further and dive into the nitty-gritty and bits and bytes, VMware’s Security Group is now there with a new program just for you. Check out what Bob has to share and visit the VMTA folks in the VMware booth!
Hands On Labs!
Check out both HOL-SDC-1610 and HOL-SDC-1620 to check out some security features as part of the vSphere HOL and get hands on with different security features of vSphere. For more information, visit the VMworld 2015 Hands On Labs site.
There you have it. It’s GREAT to see how much security on the vSphere platform itself has grown and continues to grow. As you’re building out your personal catalog of sessions and want to learn the soup to nuts on certificates, start with my session INF4758, then check out Ryan and Adam’s session INF4529 and wrap it up with Johnny’s mind-blowing session INF4946.
Enjoy and see YOU at VMworld 2015!
A customer recently asked me “How do I replace the “external” SSL certificate of vCenter but still use VMCA in default mode?” Ever curious, I asked “Why?”. His security team required that any “externally” facing management web pages needed to have a custom certificate that chained up to the corporate PKI. But behind that, they were totally cool with using VMCA in default mode (with the self-generated root certificate) for things like ESXi servers and solution users.
It’s time to release the vSphere 6.0 Hardening Guide! As I mentioned back in April, there are a lot of changes that have been made. In talking with customers and auditors in detail for the past year, the conclusion was reached that the Hardening Guide was:
- Difficult to understand
- Contained a mix of
  - Operational Guidance – How you use the product in your environment
  - Programmatic Guidance – What settings should be applied OR audited
Basically, it was NOT easy to implement. And if security is too difficult to implement, people will either not do it or will do it poorly.