posted

1 Comment

Mobile data centers in the field help modern military forces stay connected and execute their missions. Cubic Mission Solutions works with VMware to deliver lightweight systems for the U.S. military and its allies that are truly portable, easy to use, and highly secure.

VMware vSphere 6.7 and VMware vSAN 6.7 allow Cubic to build smaller, lighter, military-grade servers that soldiers can carry in a backpack and deploy quickly anywhere in the world, while meeting the defense industry’s strict security requirements.

VMware technology reduced the weight of Cubic’s DTECH C4ISR systems by 91 percent, and they can be deployed four times faster than previous solutions. The Cubic systems are easy to deploy, manage, and scale using the vSphere HTML5 interface.

Cubic is using a number of best practices that help it take advantage of the latest vSphere 6.7 capabilities, from the efficiencies of automation to the security of encryption.

Simplifying and Automating with vSphere 6.7

The vSphere 6.7 HTML5 interface reduces management time and complexity, which is important to military teams in tactical settings. And because they are using the HTML5 client they can remove the Flash player from their systems, thereby further reducing attack vectors in their environment. With vSphere 6.7, they can securely set up a virtual infrastructure in less than two hours.

To provide maximum uptime and optimal performance, Cubic uses the High Availability (HA), Distributed Resource Scheduler (DRS), and vMotion capabilities of vSphere.

Cubic also uses vSphere automation tools like PowerCLI and PowerShell to automate functions. Tom Lynott, director of software architecture at Cubic, developed an application leveraging these tools that his team uses to build out all of its hardware. PowerCLI helps ensure consistent results, something that’s very important when availability and security are big concerns. Using PowerCLI also allows for verifying that systems are configured correctly and for generating a report showing any anomalies.

The Quick Boot feature introduced in vSphere 6.7 makes patching better and faster. This is an important time saver for military units that need to maintain high availability. Lynott indicates a team might maintain a three-server deployment, for example. They will run operations on two servers while they patch the third. During this time, the two operating servers are over utilized and running more slowly. So, the ability to get the third server back online quickly with Quick Boot is helpful. With the ever increasing sophistication of attackers and the corresponding level of patching, being able to quickly respond to these events with minimum downtime is key to mission success.

Leveraging Best Practices for Security

Built-in security features in vSphere 6.7 help Cubic meet stringent military security requirements including Security Technical Implementation Guides (STIGs) set by the U.S. Defense Information Systems Agency (DISA). VMware works with closely with DISA to produce the guidelines. These guidelines are a superset of the vSphere Security Configuration guide (SCG). Since the release of vSphere 6.0, the SCG has been steadily improved. Many guidelines have been “secured by default” to reduce complexity. The overall number of security configuration guidelines has decreased from 68 to 50 but more importantly, the number of steps that required “hardening” has decreased from 24 to five since the release of vSphere 6.0! In future versions of vSphere, we hope to lower that number to just one!

With the vSphere 6.7 upgrade, Cubic also gained support for Trusted Platform Module (TPM) 2.0. With TPM 2.0, Cubic can provide assurance that VMware ESXi will boot with Secure Boot enabled. When Secure Boot is enabled in the host BIOS, then the loading of the bootloader, ESXi kernel, and any driver or application that is not cryptographically signed is prevented. (To learn more and get best practices for enabling TPM from the host, read related blogs on “vSphere 6.7 – ESXi and TPM 2.0” and “Configuring TPM 2.0 on a 6.7 ESXi Host.”).  Because Quick Boot and Secure Boot are mutually exclusive and not used at that same, Cubic uses each for specific situations depending on the deployment requirements and classifications.

Cubic also leverages PowerCLI to enhance security. In version 11, VMware built VM encryption features directly into the PowerCLI, functionality that Cubic uses on a regular basis. Cubic can add a qualifier that says whenever a new VM is created, it is encrypted. Taking this best practice one step further, PowerCLI allows you to re-key all the VMs in one line with PowerShell. (Read the related blog on “PowerCLI for VM Encryption” to learn more.)

Best Practices for Simplifying Encryption

PowerCLI can simplify and fortify encryption. You can encrypt vMotion on every VM using just one line of PowerShell. In addition, you can set up multiple key managers and easily re-key a VM if needed. The security scenario is that if one key manager is compromised, workloads can be re-encrypted with one of the alternate key managers.

Here’s how that works. When you encrypt a VM there’s a data encryption key (DEK) and a key encryption key (KEK). The KEK encrypts the DEK. To re-key a VM to a different KMS means getting a new KEK and using that to re-encrypt the DEK. This a shallow re-key that doesn’t require re-encrypting all of the VM’s data with a new DEK, as a deep re-key would require. Plus, a shallow re-key can be done while the VM is running. (Read the related blog on “PowerCLI for VM Encryption” to learn more.)

Want to learn more?

Check out the Cubic Mission Solutions Case Study PDF and the following video!

“Being able to run VMware on our small form-factor servers was a total game-changer that transformed how Cubic helps the warfighters on the ground. Managing the environment is much easier with vSphere 6.7. We can now migrate and add servers in and out, and we have the ability to patch servers easily.”

– Thomas Lynott, Director of Software Architecture, Cubic Mission Solutions

Take a lab!

For more information on how you can learn how to create a secure datacenter take some of the labs at VMware’s Hands On Labs! They are free!

Thanks for reading,

mike

About the Author

Mike Foley

Mike Foley is a Staff Technical Marketing Architect for vSphere Security at VMware. His primary goal is to help IT Admins build more secure platforms that stand up to scrutiny from security teams with the least impact to IT Operations. Mike is also the current author of the vSphere Security Configuration (formerly Hardening) Guide. Previously, Mike was on the evangelist team at RSA where he concentrated on virtualization and cloud security. Mike was awarded a patent (8,601,544) in December 2013 for dual-band authentication using the virtual infrastructure Mike has a personal blog at https://yelof.com and contributes to the VMware vSphere and Security blogs as well. Follow him at @vSphereSecurity on Twitter