Mike

Author's details

Name: Mike Foley
Date registered: January 4, 2011
URL: https://www.yelof.com
AIM: foleymik
Jabber / Google Talk: mike@yelof.com
Yahoo! IM: mikiefoley

Biography

Husband, Dad, Geek Virtualization Evangelist @RSA, the Security Division of EMC. Disclaimer: I might talk favorably about EMC/RSA/Iomega/VMware products #ad

Latest posts

  1. Secure Boot for ESXi 6.5 – Hypervisor Assurance — May 4, 2017
  2. vSphere 6.5 Security Configuration Guide now available — April 14, 2017
  3. vSphere 6.5 Security Configuration Guide (Hardening Guide) Release Candidate — April 7, 2017
  4. vSphere 6.5 Security Product Walkthroughs — January 26, 2017
  5. Introducing VMescape.com — December 19, 2016

Author's posts listings

May 04

Secure Boot for ESXi 6.5 – Hypervisor Assurance

I’ve talked about how vSphere has been moving towards a “secure by default” stance over the past few years. This can clearly be seen in the new vSphere 6.5 Security Configuration Guide, where the number of “hardening” steps is growing smaller with every release. In this blog post we will go over another “secure by default” feature of vSphere 6.5 that provides hypervisor assurance: Secure Boot for ESXi.

One of the coolest things in 6.5, in my opinion, is the adoption of Secure Boot for ESXi. Now, you might say “But my laptop has had Secure Boot since Windows 8, what’s the big deal?”

Well, the “big deal” is that we’ve gone beyond the default behavior of Secure Boot and we now leverage the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. Best of all, it’s simple to implement! Let’s dive in!


Apr 14

vSphere 6.5 Security Configuration Guide now available

Announcing the GA release of the vSphere Security Configuration Guide!

Rename

As I mentioned in my previous blog post where I announced the availability of the Security Configuration Guide (SCG) Release Candidate, the term “Hardening Guide” will no longer be used starting with vSphere 6.5. Only an increasingly small subset of the settings are truly “hardening”. It’s mostly about configuration and auditing of settings.

Review, Change, Repeat

One of the things I always heard from customers over the years is “Why can’t you ship things secure out of the box?” While we are moving in that direction for those settings we can set, one thing to note is that 65% of today’s guide consists of settings that VMware cannot set for you, or settings that we have already set and that should be audited to check whether the default value has been changed.

Every release we (myself and engineers) review all the settings and “clean house”. Everything is questioned. I started this review process for the 6.0 release and quite frankly, it upset a few apple carts. The guide at that time had grown like a set of firewall rules. As the guide grew over the years, nobody wanted to change anything because they didn’t know what the fallout would be. In my opinion, that is NOT a way to run your security operations. Security in this era DEMANDS that you always question the status quo.

To learn more about the changes in 6.0, I highly recommend you read this blog and the blogs it references (1st and 2nd).

Because of this review process, we are making great progress towards shipping “secure by default”, and that effort will be ongoing.


Apr 07

vSphere 6.5 Security Configuration Guide (Hardening Guide) Release Candidate

Security Configuration Guide? What’s that, you ask? That’s what used to be called the vSphere Hardening Guide. Well, I didn’t come up with that name; the folks who created it many, many years ago called it that. But like everything else in this world, change comes, and change is good.
