Author's details

Name: Mike Foley
Date registered: January 4, 2011
URL: https://www.yelof.com
AIM: foleymik
Jabber / Google Talk: mike@yelof.com
Yahoo! IM: mikiefoley


Husband, Dad, Geek Virtualization Evangelist @RSA, the Security Division of EMC. Disclaimer: I might talk favorably about EMC/RSA/Iomega/VMware products #ad

Latest posts

  1. vSphere 6.5 Security Configuration Guide now available — April 14, 2017
  2. vSphere 6.5 Security Configuration Guide (Hardening Guide) Release Candidate — April 7, 2017
  3. vSphere 6.5 Security Product Walkthroughs — January 26, 2017
  4. Introducing VMescape.com — December 19, 2016
  5. PowerCLI for VM Encryption — December 15, 2016

Author's posts listings

Apr 14

vSphere 6.5 Security Configuration Guide now available

Announcing the GA release of the vSphere Security Configuration Guide!


As I mentioned in my previous blog post where I announced the availability of the Security Configuration Guide (SCG) Release Candidate, the term “Hardening Guide” will no longer be used starting with vSphere 6.5. Only an increasingly small subset of the settings are truly “hardening”. It’s mostly about configuration and auditing of settings.

Review, Change, Repeat

One of the things I always heard from customers over the years is “Why can’t you ship things secure out of the box?” While we are moving in that direction for those settings we can set, one thing to note is that 65% of today’s guide consists of settings that VMware cannot set for you, or settings that we have already set and that should be audited to check whether the default value has been changed.

Every release we (myself and engineers) review all the settings and “clean house”. Everything is questioned. I started this review process for the 6.0 release and quite frankly, it upset a few apple carts. The guide at that time had grown like a set of firewall rules. As the guide grew over the years, nobody wanted to change anything because they didn’t know what the fallout would be. In my opinion, that is NOT a way to run your security operations. Security in this era DEMANDS that you always question the status quo.

To learn more about the changes in 6.0, I highly recommend you read this blog and the blogs it references. (1st & 2nd)

Because of this review process, we are making great progress towards shipping “secure by default”, and that effort will be ongoing.


Apr 07

vSphere 6.5 Security Configuration Guide (Hardening Guide) Release Candidate

Security Configuration Guide? What’s that you ask? That’s what used to be called the vSphere Hardening Guide. Well, I didn’t come up with that name, folks who created it many, many years ago called it that. But like everything else in this world, change comes and change is good.


Jan 26

vSphere 6.5 Security Product Walkthroughs

Are you aware of the VMware Product Walkthrough site? If not, you’re missing out on some really great content. A product walkthrough is a guided “tour” of many of VMware’s products. They are helpful when you want to do a dry run of a task, like encrypting a VM for example, so that you can become familiar with the necessary steps in the vSphere Web Client. A product walkthrough (PWT) is also helpful when demonstrating to your peers or colleagues just how easy security management has become in vSphere 6.5!


Let’s go over the three new PWTs that focus on vSphere 6.5 security.

VM Encryption

As mentioned in previous blogs, VM Encryption is new to vSphere 6.5 and takes a different approach from all other encryption methods available today. With VM Encryption, the encryption is done at the hypervisor level. Because a hypervisor has complete control over the virtual machine, we can encrypt I/Os written to the virtual disk before they even reach the storage layer in the hypervisor. This allows for storage independence and ensures that data being written is never “in the clear”.

This PWT will demonstrate just how easy it is to encrypt a virtual machine. It will lead you through the necessary steps of applying the Encryption Storage Policy and end with a visual indicator that the virtual machine is encrypted.

Secure Boot for Virtual Machines

Secure Boot for Virtual Machines is something that’s been asked for quite a while, and our implementation of it could not be easier to enable. Secure Boot, combined with the EFI firmware, allows operating systems like Windows to boot with a level of assurance that their boot loading components have not been modified by something like a rootkit. When the VM is started, the EFI firmware validates the digital signature of the OS boot loader against a digital certificate stored in the EFI firmware. The EFI firmware for virtual machines is Secure Boot 2.3 compliant and contains certificates to support Microsoft, Linux and even nested ESXi!

This PWT will guide you through the steps of configuring a virtual machine with EFI firmware to enable Secure Boot. It is literally a checkbox.

Encrypted vMotion

Encrypted vMotion has been asked about for YEARS. It’s here now in vSphere 6.5! And, like VM Encryption, we’ve taken a different approach than you might think. We don’t actually encrypt the vMotion network. What we DO encrypt is the data going over the vMotion network. At the time of migration, a 256-bit key and a 64-bit nonce are created by vCenter. This is a one-time-use key and is not persisted!

This information is added to the migration specification sent to both hosts. Each packet is encrypted with the key and the nonce and only the receiving host can decrypt it. The best part is you don’t have to ask your network team to do anything!

This PWT will show you how to enable Encrypted vMotion on a virtual machine. It will explain the three different options available to set on the virtual machine.

Wrap Up

As pointed out in my previous blog on the PowerCLI Module for VM Encryption, all of these tasks are very easy to automate and incorporate into your existing provisioning and maintenance workflows.

I hope you find these and all the other fantastic PWTs that the vSphere Tech Marketing Team has created for vSphere 6.5 useful in getting started on upgrading your environment.

If you have questions, I’m on Twitter or you can reply to this blog post.

Thanks for reading,
