Husband, Dad, Geek & Senior Technical Marketing Architect for vSphere Security
Author's posts
Apr 07
vSphere 6.5 Security Configuration Guide (Hardening Guide) Release Candidate
Security Configuration Guide? What’s that, you ask? That’s what used to be called the vSphere Hardening Guide. Well, I didn’t come up with that name; the folks who created it many, many years ago called it that. But like everything else in this world, change comes, and change is good.
Jan 26
vSphere 6.5 Security Product Walkthroughs
Are you aware of the VMware Product Walkthrough site? If not, you’re missing out on some really great content. A product walkthrough is a guided “tour” of many of VMware’s products. They are helpful when you want to do a dry run of a task, like encrypting a VM for example, so that you can become familiar with the necessary steps in the vSphere Web Client. A product walkthrough (PWT) is also helpful when demonstrating to your peers or colleagues just how easy security management has become in vSphere 6.5!
Let’s go over the three new PWTs that focus on vSphere 6.5 security.
VM Encryption
As mentioned in previous blogs, VM Encryption is new to vSphere 6.5 and takes a different approach from all other encryption methods available today. With VM Encryption, the encryption is done at the hypervisor level. Because a hypervisor has complete control over the virtual machine, we can encrypt I/Os written to the virtual disk before they even reach the storage layer in the hypervisor. This allows for storage independence and ensures that data being written is never “in the clear”.
This PWT will demonstrate just how easy it is to encrypt a virtual machine. It will lead you through the necessary steps of applying the Encryption Storage Policy and end with a visual indicator that the virtual machine is encrypted.
Secure Boot for Virtual Machines
Secure Boot for Virtual Machines is something that has been asked for for quite a while, and our implementation of it could not be easier to enable. Secure Boot, combined with the EFI firmware, allows operating systems like Windows to boot with a level of assurance that their boot loading components have not been modified by something like a rootkit. When the VM is started, the EFI firmware will validate the digital signature of the OS boot loader against a digital certificate stored in the EFI firmware. The EFI firmware for virtual machines is Secure Boot 2.3 compliant and contains certificates to support Microsoft, Linux and even nested ESXi!
This PWT will guide you through the steps of configuring a virtual machine with EFI firmware to enable Secure Boot. It is literally a checkbox.
Encrypted vMotion
Encrypted vMotion has been asked about for YEARS. It’s here now in vSphere 6.5! And, like VM Encryption, we’ve taken a different approach than you might think. We don’t actually encrypt the vMotion network. What we DO encrypt is the data going over the vMotion network. At the time of migration, a 256-bit key and 64-bit Nonce are created by vCenter. This is a one-time-use key and is not persisted!
This information is added to the migration specification sent to both hosts. Each packet is encrypted with the key and the nonce and only the receiving host can decrypt it. The best part is you don’t have to ask your network team to do anything!
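The per-migration key and nonce described above, as an added illustration in Go; this is not code from the original post and not vSphere's implementation. It assumes AES-256-GCM as the packet cipher (the post names only the key and nonce sizes), forms each packet's 96-bit GCM nonce from the 64-bit migration nonce plus a packet sequence counter (another assumption of the example), and binds the sequence number into the authentication tag. It shows that only a holder of the migration specification can open a packet, that a packet cannot be replayed under a different sequence number, and that once the one-time key is discarded a captured packet stays unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// MigrationSpec models the per-migration material the post describes: a
// 256-bit key and a 64-bit nonce minted by vCenter and given to both hosts.
// The field sizes come from the post; everything else here is an assumption.
type MigrationSpec struct {
	Key   [32]byte
	Nonce [8]byte
}

// NewMigrationSpec mints fresh random material for one migration.
func NewMigrationSpec() (*MigrationSpec, error) {
	s := &MigrationSpec{}
	if _, err := rand.Read(s.Key[:]); err != nil {
		return nil, err
	}
	if _, err := rand.Read(s.Nonce[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// Discard wipes the key once the migration completes, modelling "one-time-use,
// not persisted": a packet captured on the wire cannot be opened afterwards.
func (s *MigrationSpec) Discard() {
	for i := range s.Key {
		s.Key[i] = 0
	}
}

// packetNonce forms the 96-bit AES-GCM nonce as migration nonce || sequence
// number, so the (key, nonce) pair is unique for every packet. This layout is
// an assumption of the example, not vSphere's documented wire format.
func packetNonce(migNonce [8]byte, seq uint32) []byte {
	n := make([]byte, 12)
	copy(n, migNonce[:])
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

func newAEAD(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seqHeader is the cleartext per-packet header bound into the GCM tag as
// additional data, so a packet replayed under another sequence number fails.
func seqHeader(seq uint32) []byte {
	h := make([]byte, 4)
	binary.BigEndian.PutUint32(h, seq)
	return h
}

// SealPacket encrypts and authenticates one payload on the source host.
func SealPacket(spec *MigrationSpec, seq uint32, payload []byte) ([]byte, error) {
	aead, err := newAEAD(spec.Key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, packetNonce(spec.Nonce, seq), payload, seqHeader(seq)), nil
}

// OpenPacket verifies and decrypts one packet on the destination host. Any
// change to the ciphertext, tag, key, nonce or sequence number is rejected.
func OpenPacket(spec *MigrationSpec, seq uint32, packet []byte) ([]byte, error) {
	aead, err := newAEAD(spec.Key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, packetNonce(spec.Nonce, seq), packet, seqHeader(seq))
}

func main() {
	spec, err := NewMigrationSpec()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a page of guest memory.
	page := []byte("constructed guest memory page #1")
	packet, _ := SealPacket(spec, 1, page)
	plain, err := OpenPacket(spec, 1, packet)
	fmt.Printf("receiver decrypted: %q (err=%v)\n", plain, err)

	_, err = OpenPacket(spec, 2, packet) // same bytes, different sequence number
	fmt.Println("replay under wrong seq rejected:", err != nil)

	spec.Discard()
	_, err = OpenPacket(spec, 1, packet) // key is gone once the migration ends
	fmt.Println("capture unreadable after key discard:", err != nil)
}
```

The design point is that the secret never lives on the network: the key and nonce travel inside the migration specification vCenter hands to both hosts, and the vMotion network itself carries only authenticated ciphertext, which is why no change on the network side is needed.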
This PWT will show you how to enable Encrypted vMotion on a virtual machine. It will explain the three different options available to set on the virtual machine.
Wrap Up
As pointed out in my previous blog on the PowerCLI Module for VM Encryption, all of these tasks are very easy to automate and incorporate into your existing provisioning and maintenance workflows.
I hope you find these and all the other fantastic PWTs that the vSphere Tech Marketing Team has created for vSphere 6.5 useful in getting started in upgrading your environment.
If you have questions, I’m on Twitter or you can reply to this blog post.
Thanks for reading,
mike
Dec 19
Introducing VMescape.com
Hi there,
A quick post to introduce to you VMescape.com. In my almost 4 years at VMware as the go-to person for vSphere security I have been/am inundated with questions around VM Escape. I’ve talked numerous security professionals off the ledge, I’ve been challenged by customers and spent countless hours explaining away just how hard it is to accomplish.
I’m done. I need an escape from VM Escape. It’s a Monday and I got yet another VM Escape question. After tweeting about it and publishing the oft-used VM Escape Meme for the umpteenth time, I looked up on WhoIs and found that vmescape.com was available. $18 later and I now own it for 2 years. #cunningplan
From here on out, when asked, I will shamelessly self-promote my new website. Maybe sometime I’ll add banner ads to help pay for it? Who knows. Regardless, today it’s a single, static page of what a VM Escape theoretically is and links to a TON of content I’ve generated over the years on this topic. It’s only VMware focused because they pay the bills. I’m not interested in shaming other hypervisors. If/When it happens it’s a bad day for everyone.
So, there you go. All the links. It’s self-serve. I’ll add stuff as it comes up.
Until then, when it comes to VM Escape, I’m out.
mike