Category Archive: Security

Nov 08

vSphere 6.5 Security – Social Media Links

vSphere 6.5 is announced and the interest for the security features has been off the hook! My phone has been ringing like mad and emails are coming in fast and furious from customers and VMware field folks with “Where can I learn more???”. With that in mind, I’ve created this blog post as a repository of social media links that are devoted to vSphere 6.5 Security “stuff”.

First and formost is the vSphere 6.5 “What’s new in vSphere Security” blog

This give a solid overview of all the new security enhancements we are making for vSphere 6.5.

VMworld 2016 – USA and EMEA

Next up are VMworld sessions on vSphere 6.5 security. These links are to the US Sessions where you’ll see lots of content labeled “Tech Preview”. This was because 6.5 wasn’t announced. However, now that it is, I’m happy to say that the slides for Vegas and Europe, where 6.5 was announced, are essentially the same.

VMworld 2016 USA INF8850 vSphere Platform Security

This session gives a higher level overview of all of the new security features in 6.5. Pay close attention to the Secure Boot content!

VMworld 2016 USA INF8856 vSphere Encryption Deep Dive Technology Preview

This session goes into detail on the new VM Encryption technology we introduced in 6.5

VMworld 2016 USA INF8845 vSphere Logs Grow Up! Tech Preview of Actionable Logging with vRealize Loginsight for vCenter

And this session show all of the cool new logging capabilites of vSphere 6.5 and introduces customters to Log Insight for vCenter, a free/limited version of Log Insight that you can use if you are already using vCenter today and don’t have a logging solution.

Post Announcement Content

After the floodgates opened and I was able to publicly talk about the new security features I have embarked on sharing them whereever I can.

VMworld TV

First up was an interview with VMworld TV. In this interview we discuss VM Encryption and Secure Boot for ESXi and virtual machines.

 

Veeam Community Podcast

Next up was an interview done by Michael White (@mwVme)from Veeam for their online interview series. With me are Emad Younis (@emad_younis) and Adam Eckerle (@eck79). Emad, Adam and myself go over our respective vSphere 6.5 area. Michael is always fun to talk to and he doesn’t disappoint here.

 

Virtually Speaking Podcast

Finally, the latest content comes from a very popular podcast called the Virtually Speaking Podcast. This is hosted by Pete Flecha (@vPedroArrow) and John Nicholson (@Lost_Signal).

In this podcast we dive right in to all of the new features like VM Encryption, Logging, Secure Boot and we discuss one that we call “Virtual Machine Sandboxing”. This is an architectural change in the ESXi hypervisor to further secure and isolate virtual machines from the hypervisor. You won’t see any other mention of this in any available content so Pete and John got the scoop!

Virtually Speaking Podcast Episode 29: vSphere 6.5 Security with Mike Foley

Wrap Up

As more content becomes available, I’ll be updating it here. In addition, more blog and demo content around all the new features is being worked on and will be coming out soon so stay tuned!

Thanks for reading,

mike

Apr 19

Supported vSphere vCenter and ESXi Ciphers

Hi everyone,

One question that comes up regularly is “What ciphers are supported on vCenter and ESXi?”. I’m happy to share that we have published a VMware Knowledge Base article outlining the supported ciphers!

With all of the challenges around SSL/TLS the past year or two, having a solid idea of what ciphers are being used is becoming critical information that is necessary for IT and security teams to do their jobs.

Rather than list the ciphers here, I’ll just point you at the KB as it will be the central repository for this information and will be updated as necessary.

Please note that on some products like VCSA you’ll find more than one OpenSSL binary. For example, the VCSA will ship with a default OpenSSL binary from SUSE, the OS provider and from VMware. VMware uses OpenSSL we develop and ship and not the OS binaries. When this list was created it was done using the VMware binaries. This is helpful to understand in case your scanning tools only check against the OS binaries and report a false positive.

If you have questions, please respond directly to the KB using the provided feedback mechanism at the end of the KB article.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Apr 07

Authorized Keys and ESXi 6.0 Update 2 – Changes to OpenSSH

sshWilliam Lam brought up some feedback on Socialcast the other day. The story was of a customer who updated to ESXi 6.0 Update 2 and the SSH keys he was using no longer worked. The customer was advocating for changing the file /etc/sshd_config so that he could continue to use the keys on his ESXi server. IMHO, that’s the wrong course of action.

ESXi 6.0 Update 2 has shipped with an updated version of OpenSSH. The version has been updated to 7.1p1. One of the major changes in this release is the disablement of “ssh-dss” and “ssh-dss-cert-*” (a.k.a DSA) keys. They have also announced the future deprecation of legacy cryptography. I urge you to read more about these changes as they may impact you in other places in your infrastructure.

Now, the customer had added dss keys to the /etc/authorized_keys file so that he could easily log into his ESXi system. Ok, I get that. Adding authorized keys is a supported configuration outlined in this KB.

What happened is that now that ESXi 6.0 U2 is running the new OpenSSH bits his SSH connections were refused. This is expected behavior! This issue could be remediated by generating new keys using RSA keys. As I said above, that is the wrong course of action. You put your ESXi host at risk for convenience?

Please don’t bring up the “but DSA keys are faster/less overhead/etc” argument. I’m pretty darned sure that OpenSSH is using AES-NI instructions (I looked) that are plenty fast for a simple SSH session. Performance is no longer an excuse to use less security! It’s 2016.

Bottom line, if you are using Authorized Keys on your ESXi server and they were generated with DSA keys, it’s time to be proactive and re-generate them with RSA keys.

Final note: Limit who can log into your ESXi host. Only those you trust the most should have access. If you are logging in to “run scripts and stuff” (as many customers tell me they do) then you might want to look into using tools like the vSphere API and scripting tools like PowerCLI or Python.

If you have something you CAN’T do via API or scripting, please let us know! Reply here or send email.

Thanks for reading!

If you liked these posts, please let me know! If you have comments, please reply here, to @vspheresecurity or @mikefoley on Twitter or via email to mfoley@VMware.com or mike@yelof.com

Older posts «