Introduction
In the landscape of virtualization, organizations rely heavily on robust and resilient systems, so ensuring the security of your virtual infrastructure is paramount. VMware vSphere 8 stands as a cornerstone among virtualization platforms, bringing many enhancements to an already mature product and providing a powerful and flexible environment for hosting and managing virtual machines. As always, a comprehensive security configuration is imperative to safeguard against potential threats and vulnerabilities.
This blog aims to be your go-to resource for understanding and implementing the essential security hardening measures within vSphere 8. From controlling access to virtualized resources to fortifying communication channels, we will delve into the intricacies of vSphere 8 security configurations. Whether you are a seasoned IT professional or a newcomer to virtualization, this guide will empower you with the knowledge and best practices necessary to enhance the security posture of your vSphere 8 environment.
I have been writing on this blog about the vSphere hardening guide since August 2018, when it was still the vSphere 6.5 Hardening Guide, throughout the various iterations of the product until vSphere 8, which we are covering today. As a matter of fact, I was somewhat surprised to see it come up, as VMware has been working towards a secure product out-of-the-box, but this new version is actually more of an upgrade compared to the updates in the previous editions.
As an anecdote, note that up until vSphere 6.5 it was called the vSphere Hardening Guide, then it was renamed the vSphere Security Configuration Guide, and vSphere 8.0 brings the two together as the vSphere 8 Security Configuration Guide & Hardening.
What is hardening
When referring to hardening in the context of IT, it means tightening security to reduce the attack surface by configuring specific settings, restricting user access or applying networking best practices. As mentioned above, we discussed this topic many years ago on the BDRSuite blog when vSphere 6.5 was the current version. You can still refer to that piece for an introduction to the vSphere Security Configuration Guide (SCG), as it remains current.
Note that not everything in the Security Configuration Guide (SCG) is a hardening setting as such: a number of recommendations are aimed at auditing or at site-specific settings.
What’s new in vSphere Security Configuration Guide 8
The guide still comes as a Microsoft Excel spreadsheet file, but there are quite a few improvements in this latest iteration compared to the previous editions of the SCG (or hardening guide for the old timers like me).
Let’s have a look at them:
- System Design, containing security controls that require deeper system design consideration and enablement
- Hardware Configuration, which has guidance for configuring server hardware
- Implementation Priorities, a way to help organizations identify the most important items so they can focus on them, “P0” being the most important
- A new column “Changes Highlighted” to make it easier to identify what changed since the last revision
- New mappings and inheritance for the main security frameworks (DISA STIG, FIPS…)
- PowerCLI command examples are now compatible with the latest PowerCLI v13.0.
- Addition of VMware Cloud Foundation (VCF) to the vSphere SCG and hardening
- Introduction of PowerCLI-based auditing tools
Refresher on the CIA triad
The CIA Triad is a foundational concept in IT security which encapsulates the three core principles that are essential for safeguarding information: Confidentiality, Integrity, and Availability.
- Confidentiality ensures that sensitive data is protected from unauthorized access, preventing unauthorized disclosure
- Integrity focuses on maintaining the accuracy and reliability of information, guarding against unauthorized alteration
- Availability means that systems and data must be accessible when needed, safeguarding against disruptions or denial of service
Enforcing these three principles is crucial for creating a robust security framework to provide a comprehensive approach to protect against a wide range of threats and vulnerabilities in your organization.
The VMware Security Configuration Guide website
For a couple of years now, VMware has had dedicated web pages for specific areas of the SDDC, and one of them is focused on the Security Configuration Guide, which you can find at https://core.vmware.com/security-configuration-guide.
There you will find resources to help you tackle security best practices in your environments with things like firewalls, default accounts, certificate cipher suites, network encryption and so on.
Download the vSphere 8 Security Configuration & Hardening Guide (SCG)
In order to download the vSphere 8 SCG and hardening guide, head over to https://core.vmware.com/vmware-vsphere-8-security-configuration-guide and click the link under “Download the Latest Version”. You can also download the latest up-to-date version at https://via.vmw.com/scg.
The downloaded contents contain:
- A PDF explaining how to use the SCG and Hardening guide, which includes the great advice “Use Your Head!” to encourage people to apply common sense on top of this guide
- A spreadsheet with the security hardening baseline controls, discussion, and PowerCLI automation examples for auditing and remediating vSphere objects
- A “Tools” directory with sample vSphere auditing scripts, based on VMware PowerCLI (PowerShell), and separate documentation
With that in mind, the value of the Security Guide lies in the spreadsheet, which will teach you a lot about security best practices and about your environment as a whole while you evaluate the requirements. Let’s take a closer look at the tabs included in this document:
- Column Definition: This tab is new and I’m glad it is there, because making sense of all the columns in the spreadsheet can be daunting as it is a fairly chunky one. I suggest you take a minute to look at this to avoid guesswork
- Disclaimer and License: You guessed it
- System Design: A very interesting page with only P0 and P1 recommendations. This section relates to the design of the SDDC as a whole and has arguably wider implications than regular hardening. These should be discussed with your team and implemented accordingly
- Hardware Configuration: A collection of recommendations regarding your servers, BIOS and IO devices
- Controls: This is where the magic happens and what the hardening guide used to look like. There you will find all the ESXi advanced settings with PowerCLI commands to apply them
- Changes Highlighted: A pretty handy addition that makes it easier to see what changed since the last revision, as updated cells appear in yellow
What should you do next
As mentioned earlier, the recommendations of the vSphere 8 Security Configuration & Hardening Guide are sorted into three levels of importance, P0, P1 and P2 (P0 being the most important).
As a result, you should go through the document and check your environment against the recommendations. This is not to say that you should go all guns blazing applying all the PowerCLI fixes, as that might have unforeseen consequences. Rather, apply the above-mentioned advice “Use Your Head!” and draw up a plan with a list of P0/P1 changes that will have no impact.
Then move on to more involved changes that will take up more of your time, and finally evaluate whether the P2 recommendations align with your environment and, of course, whether your teams still have the bandwidth to deal with them.
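To illustrate the audit-first approach described above (check the Controls tab settings against your hosts, report drift, and only remediate deliberately), here is an added PowerCLI example. It is not from the SCG tools directory or the blog; it assumes the VMware.PowerCLI module is installed and you are already connected with Connect-VIServer, and the baseline values and host name are constructed placeholders, not the SCG's actual recommended values.

```powershell
# Added example (not the SCG's own tooling): audit ESXi advanced settings against
# a baseline and change nothing unless -Remediate is given. Honours -WhatIf.
#Requires -Modules VMware.PowerCLI

# Constructed baseline: setting name -> expected value. The values here are
# placeholders for the example; take the real ones from the SCG Controls tab.
$Baseline = @{
    'Security.AccountLockFailures'            = 5
    'Security.AccountUnlockTime'              = 900
    'UserVars.ESXiShellInteractiveTimeOut'    = 900
    'UserVars.ESXiShellTimeOut'               = 900
    'UserVars.DcuiTimeOut'                    = 600
    'Config.HostAgent.plugins.solo.enableMob' = $false
}

function Test-EsxiBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [string]$HostName = '*',
        [switch]$Remediate
    )
    foreach ($vmhost in Get-VMHost -Name $HostName) {
        foreach ($name in $Baseline.Keys) {
            $expected = $Baseline[$name]
            $setting  = Get-AdvancedSetting -Entity $vmhost -Name $name -ErrorAction SilentlyContinue
            if (-not $setting) {
                # A missing setting is reported as non-compliant rather than silently skipped.
                [pscustomobject]@{ Host = $vmhost.Name; Setting = $name; Expected = $expected; Actual = '<missing>'; Compliant = $false }
                continue
            }
            # Compare as strings so booleans and integers are handled the same way.
            $compliant = "$($setting.Value)" -eq "$expected"
            [pscustomobject]@{ Host = $vmhost.Name; Setting = $name; Expected = $expected; Actual = $setting.Value; Compliant = $compliant }
            # Remediation is opt-in and goes through ShouldProcess, so -WhatIf is a dry run.
            if (-not $compliant -and $Remediate -and $PSCmdlet.ShouldProcess("$($vmhost.Name): $name", "Set to $expected")) {
                Set-AdvancedSetting -AdvancedSetting $setting -Value $expected -Confirm:$false | Out-Null
            }
        }
    }
}

# Audit only: list every drifted setting on every host, change nothing.
Test-EsxiBaseline -Baseline $Baseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Dry run of remediation on a single host (constructed host name):
# Test-EsxiBaseline -Baseline $Baseline -HostName 'esxi01.example.lab' -Remediate -WhatIf
```

Run the audit first across all hosts, put the drifted P0/P1 items into your change plan, and only then run the remediation per host once the impact has been assessed.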
Wrap up
In conclusion, the security hardening of a VMware environment is a critical undertaking that demands attention and diligence in the face of evolving cyber threats. As organizations strongly rely on virtualization to streamline operations and enhance flexibility, the need to fortify these environments against potential vulnerabilities becomes paramount.
Remember that security is an ongoing process rather than a one-time task. Regular audits, updates, and monitoring are essential components of a successful security strategy. Staying informed about emerging threats and vulnerabilities is equally crucial, allowing organizations to adapt their security measures accordingly.