The Minimalist Guide To VMware vSphere Security
Cyber-attacks have become much more sophisticated, carried out by nation-sponsored groups or organized cyber criminals. Although virtualized environments are becoming increasingly safe and offer a wide swath of defensive features, it's still important to remain vigilant against cyber-attacks and not fall into a false sense of full security.
There was a time when malware would disappear once it detected a virtualized environment, but this is no longer the case. Malware creators are realizing that IT is growing to be more virtualized. Once malware detects a virtual machine, it will no longer self-destruct or encrypt itself, as it has in the past.
Many IT pros worry that malware and malicious code will spread between their workloads. Because virtualization enables servers to run multiple workloads simultaneously while sharing some system resources, it's critical to understand the real security threats and vulnerabilities. When a virtual machine is reduced to a single file, it's easier to steal. As a result, migrating workloads to the cloud requires different levels of protection.
As you get deeper into a virtualization project, you will face more challenges. With consolidation, would-be hackers find virtualized assets even more appealing. VMware is growing to keep up with this change in interest, but there isn't a single security mechanism to completely protect your workloads using VMware. You need a multi-layered approach within the VM, vSphere, and the virtualization stack.
VMware vSphere 6.5 offers built-in security features
When learning about vSphere, it's important to understand what security features you have available to you. With VMware vSphere 6.5, you get VM Encryption, audit-quality logging, and Secure Boot. Encryption takes place at the ESXi kernel and is executed by applying a storage policy for VM encryption.
Secure Boot ensures that every ESXi signature is verified, which means you can't install any unsigned code or VIBs. You can also enable Secure Boot on individual VMs. The benefit of audit-quality logs, in turn, is that you can find out who did what and where for auditing purposes.
Explaining VM Encryption
VM Encryption is managed through a storage policy-based system that lets you define requirements for virtual disks. Through the VM Storage Policies tab, you can apply policies and VM Encryption to VM objects, such as virtual disks. First, you must add a key management server (KMS).
When you encrypt your Virtual Machine Disk files, virtual machine executable (VMX) configuration files, snapshot files and VMX swap files, they are stored as encrypted files. Moreover, the keys are not exploitable through the VM's memory because encryption is managed by the hypervisor, resulting in better protection against cyber criminals.
Understand how data is accessed
It doesn't matter where your data is located if you can control access. The point of this necessary step is to find any opportunities for a breach. Whether it is virtual or on-premise, cyber-attacks will occur where there is a vulnerability. You can only protect those areas if you know where they are.
Protect communications with the hypervisor
The hypervisor is the spot where hackers can find account names and passwords. To protect it, use Secure Sockets Layer (SSL) for all communications. If the feature is not installed by default, you should install it yourself to help prevent any cyber-theft issues.
Bring encryption to the hypervisor level
This may seem novel, but when you perform encryption at the hypervisor level instead of the VM, you make encryption more agnostic. This means it's managed through storage policy. You also can utilize the VM Encryption tool in vSphere. You start by setting up a basic proof of concept (POC) implementation for the encryption infrastructure.
VMware has approved vendors such as RSA and Symantec, along with their plugins, to work with the underlying cryptographic system. Because vendors will ship the VM appliance, all you have to do is install, power, and configure. Essentially, encryption is handed from the encryption VM to its client, the vCenter.
vCenter then provides the keys to the ESXi hosts. They are stored in a way that gives you the ability to unlock the VM. In order to configure the encryption server, you must set up a Linux host with Docker.
The next step is to set up the infrastructure by adding the Key Management Service (KMS) to the vCenter by selecting "Key Management Servers" from the vCenter configuration menu. You can then enter the KMS server details into the dialog box.
You'll receive a prompt to accept a certificate. Once you accept the certificate, the KMS will be set as the default. This is how you execute cryptographic configuration, although you should configure more than one KMS because a single KMS is a single point of failure.
Create an encryption storage policy
You want to create a storage policy that works for you and your company. Understand what your company's objectives are in terms of data governance and security to guide your policy. A storage policy can be created by navigating to VM Storage Policies and clicking on "VM Encryption Policy." Read through all the options to modify as needed.
Next, you should encrypt your VMs. Navigate to the VM you want to encrypt, right-click to edit and expand to see the disks to encrypt. If needed, you can disable VM encryption just as easily as you change the policy for the default data store policy. Before disabling, you have to turn off the VM.
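The checks implied by the steps above (more than one KMS, the encryption policy applied to every VM object including each disk, Secure Boot enabled on VMs) can be run against an inventory export. The following is an added example, not VMware's code or code from the original article; the export layout is an assumption, with fields named after the vSphere API properties config.keyId and bootOptions.efiSecureBootEnabled, and all VM names, key IDs and KMS hostnames are constructed.

```python
"""Audit an exported vSphere inventory for encryption and Secure Boot gaps."""

# Constructed sample export (hypothetical layout). Field names mirror the
# vSphere API properties; names, key IDs and hostnames are made up.
INVENTORY = {
    "kms_clusters": {"kms-cluster-a": ["kms01.example.internal"]},
    "vms": [
        # VM home encrypted, but a second disk was added without the policy.
        {"name": "db01", "keyId": {"keyId": "k-1", "providerId": "kms-cluster-a"},
         "efiSecureBootEnabled": True,
         "disks": [{"label": "Hard disk 1", "keyId": {"keyId": "k-1"}},
                   {"label": "Hard disk 2", "keyId": None}]},
        # Nothing encrypted, Secure Boot off.
        {"name": "web01", "keyId": None, "efiSecureBootEnabled": False,
         "disks": [{"label": "Hard disk 1", "keyId": None}]},
        # Encrypted with a key from a provider vCenter no longer knows about.
        {"name": "app01", "keyId": {"keyId": "k-2", "providerId": "kms-cluster-b"},
         "efiSecureBootEnabled": True,
         "disks": [{"label": "Hard disk 1", "keyId": {"keyId": "k-2"}}]},
    ],
}


def audit(inventory):
    """Return sorted (subject, finding) tuples for the exported inventory."""
    findings = []
    clusters = inventory.get("kms_clusters", {})
    for name, servers in clusters.items():
        if len(set(servers)) < 2:
            findings.append((name, "KMS cluster has a single server"))
    for vm in inventory.get("vms", []):
        key = vm.get("keyId")
        if not key:
            findings.append((vm["name"], "VM home files not encrypted"))
        elif key.get("providerId") not in clusters:
            findings.append((vm["name"], "key provider is not a registered KMS cluster"))
        # The storage policy is applied per object, so check every disk.
        for disk in vm.get("disks", []):
            if not disk.get("keyId"):
                findings.append((f'{vm["name"]}/{disk["label"]}', "virtual disk not encrypted"))
        if not vm.get("efiSecureBootEnabled"):
            findings.append((vm["name"], "Secure Boot disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```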
Gather vSphere log files
If an incident occurs, you should collect all of the diagnostic information you need from your services. VMware has a semi-automated feature which does exactly that. You can access the vSphere logs and configuration information through these points:
- The operating system
- Secure Shell
- Local desktop
- The vSphere Client (for ESXi)
- The vSphere Web Client (for vCenter)
One of the simplest options you can use is going through the vSphere Client. If you select Monitor, you can access all vSphere log files from the Monitor menu option in the Logs tab. You can then sort by the log name or its description.
Above that list, you can click on Generate support bundle. This will collect all of the data from your ESXi host. You can then download that log as a file and send it to VMware support if an attack were to take place.
Try VMware Access Point
First released in 2015, Access Point servers were designed to be quick-to-deploy and easy-to-automate. They also allow single sign-on (SSO) so that you only have to log on once to reach all of your resources. Yet, what makes this a good option is that it already comes with several authentication schemes including:
- Active Directory (AD)
- RSA SecurID
VMware Access Point uses the Horizon server as a reverse proxy for requests. You also can configure the server to have separate network interface cards (NIC) to keep varying types of traffic separate.
To separate the NICs, navigate to the Open Virtualization Format (OVF) and click the cluster where you want to install the server, then click Deploy OVF. Select the OVF, and name it.
The next step is to choose a location and name for the server. You now can configure and select how many NICs you want to use. Select the storage location and execute the configuration of the server networks. Lastly, you must move on to configure the network mask, DNS servers, and gateway.
By separating the NICs, you can separate items such as authentication from VDI traffic. With this in place, hackers will have to work harder to figure out which area of traffic would be worth their time.
Without the right amount of planning and diligence, virtualized environments can be risky. Even with default security systems, you must put them to use to reap the benefits. Remember, hackers are waiting for you to rest on your laurels. Don't give them any reason to suspect that your systems are vulnerable. Instead, give yourself more peace of mind by trying the above tips.