Mike

Author's details

Name: Mike Foley
Date registered: January 4, 2011
URL: http://www.yelof.com
AIM: foleymik
Jabber / Google Talk: mike@yelof.com
Yahoo! IM: mikiefoley

Biography

Husband, Dad, Geek Virtualization Evangelist @RSA, the Security Division of EMC. Disclaimer: I might talk favorably about EMC/RSA/Iomega/VMware products #ad

Latest posts

  1. vSphere 6.5 Security Product Walkthroughs — January 26, 2017
  2. Introducing VMescape.com — December 19, 2016
  3. PowerCLI for VM Encryption — December 15, 2016
  4. vSphere 6.5 Security – Social Media Links — November 8, 2016
  5. Supported vSphere vCenter and ESXi Ciphers — April 19, 2016

Author's posts listings

Jan 26

vSphere 6.5 Security Product Walkthroughs

Are you aware of the VMware Product Walkthrough site? If not, you’re missing out on some really great content. A product walkthrough is a guided “tour” of many of VMware’s products. They are helpful when you want to do a dry run of a task, like encrypting a VM for example, so that you can become familiar with the necessary steps in the vSphere Web Client. A product walkthrough (PWT) is also helpful when demonstrating to your peers or colleagues just how easy security management has become in vSphere 6.5!


Let’s go over the three new PWTs that focus on vSphere 6.5 security.

VM Encryption

As mentioned in previous blogs, VM Encryption is new to vSphere 6.5 and takes a different approach from all other encryption methods available today. With VM Encryption, the encryption is done at the hypervisor level. Because a hypervisor has complete control over the virtual machine, we can encrypt I/Os written to the virtual disk before they even reach the storage layer in the hypervisor. This allows for storage independence and ensures that data being written is never “in the clear”.

This PWT will demonstrate just how easy it is to encrypt a virtual machine. It will lead you through the necessary steps of applying the Encryption Storage Policy and end with a visual indicator that the virtual machine is encrypted.

Secure Boot for Virtual Machines

Secure Boot for Virtual Machines is something that has been requested for quite a while, and our implementation of it could not be easier to enable. Secure Boot, combined with the EFI firmware, allows operating systems like Windows to boot with a level of assurance that their boot loading components have not been modified by something like a rootkit. When the VM is started, the EFI firmware validates the digital signature of the OS boot loader against a digital certificate stored in the EFI firmware. The EFI firmware for virtual machines is Secure Boot 2.3 compliant and contains certificates to support Microsoft, Linux and even nested ESXi!

This PWT will guide you through the steps of configuring a virtual machine with EFI firmware to enable Secure Boot. It is literally a checkbox.

Encrypted vMotion

Encrypted vMotion has been asked about for YEARS. It’s here now in vSphere 6.5! And, like VM Encryption, we’ve taken a different approach than you might think. We don’t actually encrypt the vMotion network. What we DO encrypt is the data going over the vMotion network. At the time of migration, a 256-bit key and a 64-bit nonce are created by vCenter. This is a one-time-use key and is not persisted!

This information is added to the migration specification sent to both hosts. Each packet is encrypted with the key and the nonce and only the receiving host can decrypt it. The best part is you don’t have to ask your network team to do anything!

This PWT will show you how to enable Encrypted vMotion on a virtual machine. It will explain the three different options available to set on the virtual machine.

Wrap Up

As pointed out in my previous blog on the PowerCLI Module for VM Encryption, all of these tasks are very easy to automate and incorporate into your existing provisioning and maintenance workflows.

I hope you find these and all the other fantastic PWTs that the vSphere Tech Marketing Team has created for vSphere 6.5 useful in getting started on upgrading your environment.

If you have questions, I’m on Twitter or you can reply to this blog post.

Thanks for reading,
mike

Dec 19

Introducing VMescape.com

Hi there,

A quick post to introduce you to VMescape.com. In my almost 4 years at VMware as the go-to person for vSphere security I have been/am inundated with questions around VM Escape. I’ve talked numerous security professionals off the ledge, I’ve been challenged by customers and spent countless hours explaining away just how hard it is to accomplish.

I’m done. I need an escape from VM Escape. It’s a Monday and I got yet another VM Escape question. After tweeting about it and publishing the oft-used VM Escape Meme for the umpteenth time, I looked up on WhoIs and found that vmescape.com was available. $18 later and I now own it for 2 years. #cunningplan

From here on out, when asked, I will shamelessly self-promote my new website. Maybe sometime I’ll add banner ads to help pay for it? Who knows. Regardless, today it’s a single, static page of what a VM Escape theoretically is and links to a TON of content I’ve generated over the years on this topic. It’s only VMware focused because they pay the bills. I’m not interested in shaming other hypervisors. If/When it happens it’s a bad day for everyone.

So, there you go. All the links. It’s self-serve. I’ll add stuff as it comes up.

Until then, when it comes to VM Escape, I’m out.

mike

Dec 15

PowerCLI for VM Encryption

Hi everyone,

I’m happy (ok, beyond happy!) to announce that our VM Encryption engineering team has released a PowerCLI module for VM Encryption! In case you weren’t aware, there’s a GitHub repository of VMware PowerShell modules. Check them out!

Included in there is the new PowerCLI Module for VM Encryption. It’s chock full of lots of great cmdlets and new VI Properties that make your day to day management of vSphere 6.5 VM Encryption easier to automate. The goal here is to help you operationalize security as easily as possible. If you can’t make security easy to incorporate into your day to day operations then people will find a way to not do it.

Encrypting a VM shouldn’t mean having to manage an encryption solution IN the VM. It should be as simple as “Get-VM” and piping that to “Enable-VMEncryption”, right? Well, with VM Encryption it IS! Let’s take a look.

