Security is top of mind today, especially where IT infrastructure is concerned. Organizations have to make sure that security is at the top of the list of priorities when engineering and designing their virtualization solutions. With today’s hybrid workloads moving between on-premises and cloud environments over public networks, organizations must make sure that virtual machine data is secure on the wire across clouds and datacenters. With VMware vSphere 6.5, organizations have an effective tool in the arsenal to make sure that data is secure as it passes between vSphere environments, whether on-premises or in the cloud: virtual machine data copied by the vMotion process can now be encrypted. Let’s take a look at the details of VMware vSphere 6.5 encrypted vMotion and how it is implemented.
The Importance of Encrypting VMware vSphere vMotion Traffic
It’s important to understand the security implications of a vMotion operation without encryption. During a virtual machine vMotion in a VMware vSphere environment, the entire memory, disk state, and virtual machine metadata is transferred over the network. If an attacker has sufficient access to that network, VM data can be read, memory contents modified, or other alterations made to the guest virtual machine. In traditional VMware vSphere enterprise datacenters, vMotion networks are typically isolated and have no outside connectivity, which helps to bolster the security of vMotion traffic.
With today’s modern hybrid networks however, virtual machine vMotion traffic can traverse between both secured and unsecured public networks. With that being said, encrypting vMotion traffic is now a necessary security measure that must be taken seriously. With VMware vSphere 6.5, this can now be effectively addressed by organizations moving workloads between clouds, either private or public.
How VMware vSphere 6.5 Encrypted vMotion Works
VMware vSphere 6.5 Encrypted vMotion is implemented at the software layer, which means no hardware devices or hardware reconfiguration are required to implement it. Traffic is encrypted inside the vmkernel using AES-GCM. VMware vSphere 6.5 encrypted vMotion is end-to-end and provides the protection needed to prevent an attacker who has gained unauthorized network access from eavesdropping on vMotion sessions, again without a dedicated network, additional hardware, or hardware changes.
Encrypted vMotion does not use well-known encryption protocols such as SSL or IPsec, primarily for performance reasons. VMware has created a custom protocol above the TCP layer that encrypts the vMotion stream. The custom protocol allows VMware vSphere 6.5 encrypted vMotion to stay within the kernel process space. If SSL were used, both the kernel and user process space would be involved, which would drastically impact performance. In ESXi, IPsec is implemented only for IPv6, so it is not a viable option for encrypting vMotion across the board.
A note concerning SSL: it IS involved in the encrypted vMotion process if the vMotion is across vCenter Servers. The source vCenter Server generates the migration specification that includes the encryption key and passes it along to the target vCenter Server over a secure SSL channel.
The VMware vSphere encrypted vMotion process starts with vCenter Server. The vCenter Server generates a 256-bit encryption key and a 64-bit nonce, and both are included in the “migration specification”. The 64-bit nonce is used to prevent replays over the network by creating a unique counter for all packets sent over the network. The migration specification is passed along to both the source and destination ESXi hosts involved in the vMotion operation. Packets are encrypted with the encryption key by the sending host and the counter is incremented; at the receiving side, the packets are decrypted using the same key. After the vMotion completes successfully, the generated key is discarded. A new key is generated for every new vMotion operation.
An overview of VMware vSphere 6.5 Encrypted vMotion operation workflow
VMware vSphere 6.5 Encrypted vMotion Configuration
The configuration of VMware vSphere 6.5 encrypted vMotion is very straightforward and can be configured granularly at the virtual machine level. After logging into the web client, view the settings of the virtual machine. Click the VM Options >> Encryption >> Encrypted vMotion. Expand the Encryption settings and select the desired setting for Encrypted vMotion. The settings are as follows:
Disabled – Encrypted vMotion traffic is disabled with this setting. This would be the state of pre-6.5 environments. The vMotion traffic using this setting would be vulnerable from a security standpoint.
Opportunistic – This is the default setting. Using the opportunistic setting provides the option for encrypted vMotion if both the source and destination hosts support it. If you have upgraded both vCenter and ESXi hosts from 6.0 to 6.5, virtual machines will be set to use the opportunistic setting.
Required – The required setting enforces encryption for the vMotion operation to be successful. If either the source or destination host does not support encrypted vMotion, the vMotion will fail.
Another important aspect to note concerning the Encrypted vMotion settings – If a virtual machine itself is encrypted, encrypted vMotion is required and cannot be changed.
Setting Encrypted vMotion Settings on a virtual machine
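The web client steps above set the mode one virtual machine at a time. As an added example that is not part of the original post or of VMware's own documentation, the PowerCLI script below audits the same setting across the whole inventory and raises it to "required" only where no host in the cluster is older than 6.5; it assumes PowerCLI is installed, and the vCenter hostname is a placeholder.

```powershell
# Added example, not from the original post or from VMware: audit every VM's
# Encrypted vMotion mode with PowerCLI and optionally raise it to "required".
# The setting is exposed in the vSphere API as VirtualMachineConfigInfo.migrateEncryption
# with the values "disabled", "opportunistic" and "required" (the three web client options).
# Assumptions: PowerCLI is installed; the vCenter hostname below is a placeholder.

Connect-VIServer -Server 'vcenter.example.internal'   # placeholder, replace with your vCenter

function Get-EncryptedVMotionMode {
    # Returns one object per VM with its current Encrypted vMotion mode.
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)
    process {
        $mode = $VM.ExtensionData.Config.MigrateEncryption
        if (-not $mode) { $mode = 'unknown' }   # property absent on pre-6.5 hosts
        [pscustomobject]@{ Name = $VM.Name; Mode = $mode; Host = $VM.VMHost.Name }
    }
}

function Set-EncryptedVMotionMode {
    # Reconfigures a VM's migrateEncryption property. Per the post: an encrypted VM is
    # forced to "required" and cannot be changed, and a VM set to "required" will fail to
    # vMotion to a host that does not support encrypted vMotion (all hosts must be 6.5+).
    param(
        [Parameter(Mandatory)] $VM,
        [Parameter(Mandatory)] [ValidateSet('disabled', 'opportunistic', 'required')] [string] $Mode
    )
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Mode
    $VM.ExtensionData.ReconfigVM($spec)      # synchronous reconfigure via the vSphere API
}

# 1. Audit: list VMs that could still vMotion in the clear (anything other than "required").
$weak = Get-VM | Get-EncryptedVMotionMode | Where-Object { $_.Mode -ne 'required' }
$weak | Format-Table -AutoSize

# 2. Enforce only where every host in the cluster is 6.5 or later, so "required" cannot strand a VM.
foreach ($row in $weak) {
    $vm = Get-VM -Name $row.Name
    $cluster = Get-Cluster -VM $vm
    $oldHosts = Get-VMHost -Location $cluster | Where-Object { [version]$_.Version -lt [version]'6.5.0' }
    if ($oldHosts) {
        Write-Warning "$($vm.Name): cluster $($cluster.Name) still has pre-6.5 hosts, leaving mode '$($row.Mode)'"
        continue
    }
    Set-EncryptedVMotionMode -VM $vm -Mode 'required'
    Write-Host "$($vm.Name): encrypted vMotion mode set to required"
}
```

Run the audit step on its own first; the enforcement loop changes VM configuration and should be reviewed against the cluster's host versions before it is allowed to run.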
Thoughts on VMware vSphere Security with Encrypted vMotion
Organizations today must think about security in every aspect of their virtualization infrastructure. While traditional VMware vSphere vMotion networks are typically isolated, modern hybrid topologies require the use of both private and public networks. When performing vMotion operations between clouds or datacenters, making sure the disk, memory, and metadata transferred with a vMotion operation is secure is necessary. Utilizing the new VMware vSphere 6.5 encrypted vMotion technology ensures vMotion operations are protected from potential attackers who may have network access to the vMotion traffic on the wire. Encrypted vMotion is an easy “win” for organizations looking to bolster the security of new hybrid topologies, and it requires no additional hardware or underlying network configuration. It is extremely easy and intuitive to implement and helps organizations ensure the security of virtual machine data in today’s hybrid environments.