Did you know that October is National Cybersecurity Awareness Month? To make sure VMware users have the knowledge to stay secure all 365 days of the year, the vSphere team hosted a tweet chat featuring our experts. Mike Foley and Bob Plankers, both Technical Marketing Architects for vSphere Security, joined us to share their invaluable insight and tips. We discussed how vSphere can help with your cybersecurity woes, but you’ll have to continue reading to find out more! Check out the full chat recap:
A1: Routine and regular patching and good account & password hygiene practices are the two biggest ways you can stay secure. Beyond that, defense in depth (multiple layers of protections), isolation and firewalling are big helps, too. – Bob
A1: People get scared of patching but it’s really a capacity planning issue, and a political one. Capacity planning being that we need spare capacity in the cluster to vMotion, so a rolling cluster restart can happen without issues. – Bob
A1: Patching is political insofar as it’s easy to make decisions that disable vMotion for some guest OSes, and then that throws a wrench into seamless updates. If you have to do those sorts of things, then it becomes an organizational discussion about how to patch. – Bob
A1: Sign up for the VMware Security Advisories here. They will point you to the latest info on security issues with VMware products and where to get more info. – Mike
A2: Before you install ESXi enable UEFI, Secure Boot, and make sure you have a trusted platform module (TPM) 2.0 installed and correctly enabled. – Bob
A2: If you have these things set up at install time ESXi will see them and do the right things from the start, saving you time and effort. – Bob
A2: Keep SSH turned off! Use it ONLY for troubleshooting. Limit just how many admins have root level access. If they have the “administrator” role then they ARE root! Consider normal or strict lockdown mode! – Mike
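An added PowerCLI audit for the points above (SSH left running, lockdown mode off, too many Administrator-role holders); this is example code, not the chat’s own, and it assumes an existing `Connect-VIServer` session and that the built-in Administrator role is named `Admin` in `Get-VIPermission` output.

```powershell
# Added example (not from the chat): read-only audit of each ESXi host for the
# hardening items Mike calls out. Assumes PowerCLI and an active Connect-VIServer session.

$report = foreach ($esx in Get-VMHost | Sort-Object Name) {
    # TSM-SSH is the ESXi SSH service; Policy 'off' means it never starts with the host
    $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

    # HostConfigInfo.lockdownMode: lockdownDisabled, lockdownNormal or lockdownStrict
    $lockdown = $esx.ExtensionData.Config.LockdownMode

    [pscustomobject]@{
        Host         = $esx.Name
        SshRunning   = $ssh.Running
        SshPolicy    = $ssh.Policy
        LockdownMode = $lockdown
        # Compliant only if SSH is stopped, not auto-started, and lockdown is on
        Compliant    = (-not $ssh.Running) -and ($ssh.Policy -eq 'off') -and
                       ($lockdown -ne 'lockdownDisabled')
    }
}

$report | Format-Table -AutoSize
"Hosts needing attention:"
$report | Where-Object { -not $_.Compliant } | Select-Object -ExpandProperty Host

# Who holds the Administrator role anywhere in the inventory? Every one of these
# principals is effectively root on the hosts below that object. The role name
# 'Admin' is the internal name PowerCLI reports for the built-in Administrator role
# (assumption; check Get-VIRole if your output differs).
"Administrator-role assignments:"
Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Entity, Propagate | Sort-Object Principal | Format-Table -AutoSize
```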
A2: Learn more about enabling Secure Boot here. – Mike
A3: Don’t run Bitlocker inside the guest when you have great options in VM Encryption and vSAN Encryption! Both of those are completely guest-agnostic, meaning you’ll have one process to protect your workloads, versus different processes for different releases of OSes. – Bob
A3: VM Encryption can protect a VM in-place, on the storage you have. Downside is that the VM becomes a big random blob of data on your storage array, so if you’re using deduplication that may be an issue. – Bob
A3: VM Encryption also gets you vTPMs and extra permissions in vCenter to help prevent things like decryption. Want to prevent someone from taking a copy of an Active Directory DC? That’ll help a lot with that. – Bob
A3: vSAN Encryption is a native part of vSAN and preserves the ability to deduplicate and compress, which is really nice. You can use the two together – enable VM Encryption to get the permissions and other features, and vSAN Encryption to do the disk part. – Bob
A3: Both features need a Key Management Server (KMS), so there are some architectural considerations there. It’s important that the KMS be very reliable and protected, else you lose access to your VMs. – Bob
A3: To run Bitlocker you need a TPM. To enable a vTPM you need VM Encryption. So why go into the guest?? Read more about the different types of encryption here. – Mike
A4: Yes, get a TPM installed. They’re $20-40 extra and enable all the advanced attestation features in vSphere 6.7+. Also, if you’re doing vSAN follow the best practices (two disk groups per node, for example). – Bob
A5: Trusted Platform Module, it’s a little piece of hardware that stores information securely. It’s cryptographically bound to the server so it can’t be removed and read later. It is not fast, but it is essential. – Bob
A5: Learn more about TPM 2.0 and how we use it in ESXi with this quick video. And blog. – Mike
A6: The TPM on the server is only for use by ESXi, but if you enable VM Encryption you can use the vTPM feature, which is a TPM 2.0 compliant device for your virtual machines. – Bob
A6: A vTPM is a virtualized TPM device, secured using VM Encryption. It looks and acts just like a “real” TPM. More info here. – Mike
A6: A quick video overview of a vTPM. vTPM’s root of trust is in the key manager, not the actual TPM hardware. A physical TPM has about 178k of space! FAR too small and slow for multitasking! – Mike
A7: Encrypted vMotion works by having vCenter generate a one-time encryption key, and it gives it to the two ESXi hosts to use while moving the VM. It doesn’t need a KMS or anything special. – Bob
A7: It’s a per-VM setting and by default it’s set to “opportunistic” meaning that it’ll do it if supported. You can set it to required, too (which is a good idea). Do that on your VM templates and use PowerCLI to retrofit existing VMs. – Bob
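The retrofit Bob describes, as an added PowerCLI example (not code from the chat): it reads each VM’s current encrypted vMotion mode from the vSphere API property `MigrateEncryption` and reconfigures any VM that is not already `required`. It assumes an active `Connect-VIServer` session and the Change configuration privilege on the VMs.

```powershell
# Added example (not from the chat): set encrypted vMotion to "required" on
# existing VMs. Valid vSphere API values for MigrateEncryption are
# "disabled", "opportunistic" (the default) and "required".
$desired = 'required'

# Dry run by default; flip to $false to actually reconfigure VMs
$dryRun = $true

$vms     = Get-VM | Sort-Object Name
$changed = @()

foreach ($vm in $vms) {
    # ExtensionData is the VirtualMachine view; Config.MigrateEncryption holds the mode
    $current = $vm.ExtensionData.Config.MigrateEncryption
    if ($current -eq $desired) { continue }

    Write-Host ('{0,-30} {1,-14} -> {2}' -f $vm.Name, $current, $desired)

    if (-not $dryRun) {
        # Only the one property is set, so nothing else in the VM config is touched
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = $desired
        $vm.ExtensionData.ReconfigVM($spec)
    }
    $changed += $vm.Name
}

$verb = if ($dryRun) { 'would be changed' } else { 'changed' }
Write-Host ('{0} of {1} VMs {2}' -f $changed.Count, $vms.Count, $verb)
```

Run it once in dry-run mode to see which VMs still sit at "opportunistic" (or "disabled"), then rerun with `$dryRun = $false`; templates should be converted to VMs first, since a template cannot be reconfigured in place.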
A8: You can, but you shouldn’t. It just confuses security perimeters. Have the hard conversation with your firewall admins and management. – Bob
A8: A 2nd NIC is only supported for VCHA. VCSA was not designed to straddle two security zones. We HIGHLY recommend you don’t add a 2nd NIC. There’s no way to say, “run this service on this NIC and that service on that NIC”. – Mike
A9: Enable secure boot and host attestation features in ESXi and you’ll have that covered. Please don’t install extra tools on ESXi, it’s an appliance and doing that sort of thing endangers stability and support. – Bob
A9: To that end, unless it’s VMware Global Support Services telling you to install or run something from the ESXi or vCenter Server CLI you should be careful of what you’re doing and the effects on support and stability. – Bob
A9: “Just because you can doesn’t mean you should.” 🙂 – Bob
A9: Enable Secure Boot! It will validate every VIB at boot time and will ensure that only signed code is run. Take it one step further and enable TPM 2.0 to provide a report that confirms to your security folks that Secure Boot is enabled. – Mike
A9: Then use a logging solution to monitor what root users on ESXi are doing. All shell commands get sent to syslog. You can look for strange behaviors. (And logging in to a shell on ESXi should be a break-glass scenario!!) – Mike
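An added example of the monitoring Mike suggests (not code from the chat): it parses ESXi shell-command records as forwarded to syslog and flags commands that undo the hardening discussed earlier. The line format is an assumption approximating ESXi’s shell.log, and the sample lines are constructed for this example.

```powershell
# Added example (not from the chat): flag risky root shell activity in ESXi shell
# records. Sample records are constructed; format assumed from ESXi shell.log.
$sampleLog = @'
2019-10-10T14:02:11Z esx01 shell[2099901]: [root]: esxcli network firewall get
2019-10-10T14:03:40Z esx01 shell[2099901]: [root]: esxcli network firewall set --enabled false
2019-10-10T14:05:02Z esx02 shell[2100210]: [root]: esxcli software vib install -v /tmp/driver.vib --no-sig-check
2019-10-10T14:06:15Z esx02 shell[2100210]: [root]: vim-cmd vmsvc/getallvms
2019-10-10T14:07:30Z esx01 shell[2099901]: [root]: esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1
2019-10-10T14:08:00Z esx03 shell[2100555]: [root]: esxcli system account add -i tempadmin -p <pw> -c <pw>
'@

# Commands that weaken what the chat recommends: firewalling, signed VIBs only,
# few root-level accounts. Extend the list for your own environment.
$watchlist = @(
    @{ Name = 'Host firewall disabled';   Pattern = 'esxcli\s+network\s+firewall\s+set\s+.*--enabled\s+false' }
    @{ Name = 'VIB signature check bypassed'; Pattern = 'esxcli\s+software\s+vib\s+(install|update)\b.*--no-sig-check' }
    @{ Name = 'Shell warning suppressed'; Pattern = 'SuppressShellWarning' }
    @{ Name = 'Local account created';    Pattern = 'esxcli\s+system\s+account\s+add\b' }
)

# One record: timestamp, host, shell[pid], [user], command
$lineRx = '^(?<ts>\S+)\s+(?<host>\S+)\s+shell\[(?<pid>\d+)\]:\s+\[(?<user>[^\]]+)\]:\s+(?<cmd>.*)$'

$findings = foreach ($line in ($sampleLog -split "`r?`n")) {
    $m = [regex]::Match($line, $lineRx)
    if (-not $m.Success) { continue }          # skip anything that is not a shell record
    $cmd = $m.Groups['cmd'].Value
    foreach ($w in $watchlist) {
        if ($cmd -match $w.Pattern) {
            [pscustomobject]@{
                Time    = $m.Groups['ts'].Value
                Host    = $m.Groups['host'].Value
                User    = $m.Groups['user'].Value
                Finding = $w.Name
                Command = $cmd
            }
        }
    }
}

# Four of the six constructed records should be reported
$findings | Format-Table -AutoSize
```

Point `$sampleLog` at the shell records your syslog collector receives from ESXi (the `shell` program name is the selector) to run the same logic over real data.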
A10: vSphere has very secure defaults out of the box, but compliance is a measure of the whole solution and not a specific component. That said, vSphere is a trusted part of compliant infrastructures all around the world, as it’s the most secure hypervisor on the market. – Bob
A10: No software is PCI “out of the box”. All software that could be used in a PCI environment is going to need some level of security configuration. What is cool is that since 6.0 the number of steps to configure has shrunk dramatically!! – Mike
A11: Technically you can do anything you want, but if you want support and stability please don’t. ESXi and vCenter Server are appliances and, like your fridge says on the back, no user serviceable parts inside. – Bob
A11: If you do think you need to do something contact Support! They’ll know what to do and how to safely help you. Doubly so if it’s a security concern. We have experts that track all of our components and can advise you. – Bob
A11: This also goes for compliance scanners. They tend to treat ESXi like Linux and, let me be clear, ESXi IS NOT LINUX. Use a scanner that understands vSphere correctly. – Bob
A11: ESXi is not a general-purpose OS and the VCSA is a pre-configured and tested OS. As such, use only VMware mechanisms to keep them up to date and on ESXi, if your vendor supplies a driver then ensure the VIB is digitally signed. We don’t support installation of 3rd party s/w. – Mike
A11: Don’t configure additional repos for VCSA and install other components. This puts your VCSA in an untested and unsupported configuration. Security patches will be released ASAP. You are only one click away from updating on VCSA! – Mike
A12: Lots of stuff. Check out the vSphere Security Configuration Guide and the VMware Validated Design NIST 800-53 Compliance Kit to start. – Bob
A12: Download the latest vSphere Security Configuration (née “hardening”) Guide here. – Mike
A12: Since vSphere 6 we have been making as many of the settings as possible “secure by default.” The number of “hardening” settings is down to a handful. The rest are settings you should audit or settings that are site specific. – Mike
A12: There is not a guide for every release. A new guide only goes out when there are significant changes. Always use the most recent guide for your release, e.g. 6.7 Update 1 is fine for 6.7 Update 2. – Mike
A12: The vSphere Security Configuration Guide is full of PowerCLI examples, too, and a great way to start automating things in your infrastructure. – Bob
A13: Right now, there are a number of options that plug in via the Active Directory and LDAP connectivity. There is also native RSA SecurID support. But… – Bob
A13: …if you’re going to be at VMworld in Barcelona you should check out @mikefoley’s sessions which will have exciting news and technical previews. – Bob
A13: Today we only support RSA SecurID and SmartCards for 2FA on vSphere. If you are at VMworld in Barcelona or were in San Francisco, we had a tech preview on some work we are considering around federated identity. – Mike
A13: For sure — identity federation is as hot of a topic as the Kubernetes & Project Pacific news. – Bob
A13: This would allow a 3rd party identity provider to do the authentication and then redirect you to vCenter. The 3rd party IdP (MS ADFS in our demo) would be able to support multiple authentication methods. – Mike
A14: @Mikefoley and I have a great session on “vSphere Security: News You Can Use” which will cover all the latest developments, and he also has a number of tech preview sessions about features being considered for the future. – Bob
A14: If you’re a TAM customer there are also sessions on securing AD and designing vSphere with security in mind. – Bob
A15: Since you’re clearly on Twitter already, follow @VMwarevSphere and @VMwareSecurity and @vSphereSecurity. Follow the blog in your feed reader. You can certainly follow @mikefoley and me as well, YMMV though. 🙂 – Bob
A15: Follow some of the other tech marketing folks on our blog to keep up on the latest and greatest! – Mike
A15: vSphere Central is a GREAT resource for FAQs and walkthroughs. – Mike
Thank you for joining our National Cybersecurity Awareness Month vSphere Chat, featuring (awesome) experts from #vSphere! See you next time, and keep an eye out for more information on our blog: https://blogs.vmware.com/vsphere/
A huge shout out to our experts, Bob Plankers, @plankers, and Mike Foley, @mikefoley, as well as all the other participants from around the globe who tuned in and contributed. Remember, #BeCyberSmart today and beyond!
Follow us at @vmwarevsphere and stay tuned for our monthly expert chats and join the conversation by using the #vSphereChat hashtag.
Have a specific topic you’d like to cover? Reach out and we’ll bring the topic to our experts for consideration. For now, we’ll see you in the Twittersphere!