Security Configuration Guide? What’s that you ask? That’s what used to be called the vSphere Hardening Guide. Well, I didn’t come up with that name, folks who created it many, many years ago called it that. But like everything else in this world, change comes and change is good.
Are you aware of the VMware Product Walkthrough site? If not, you’re missing out on some really great content. A product walkthrough is a guided “tour” of many of VMware’s products. They are helpful when you want to do a dry run of a task, like encrypting a VM for example, so that you can become familiar with the necessary steps in the vSphere Web Client. A product walkthrough (PWT) is also helpful when demonstrating to your peers or colleagues just how easy security management has become in vSphere 6.5!
Let’s go over the three new PWTs that focus on vSphere 6.5 security.
As mentioned in previous blogs, VM Encryption is new to vSphere 6.5 and takes a different approach from all other encryption methods available today. With VM Encryption, the encryption is done at the hypervisor level. Because a hypervisor has complete control over the virtual machine, we can encrypt I/Os written to the virtual disk before they even reach the storage layer in the hypervisor. This allows for storage independence and ensures that data being written is never “in the clear”.
This PWT will demonstrate just how easy it is to encrypt a virtual machine. It will lead you through the necessary steps of applying the Encryption Storage Policy and end with a visual indicator that the virtual machine is encrypted.
Secure Boot for Virtual Machines
Secure Boot for Virtual Machines is something that’s been asked for quite a while, and our implementation of it could not be easier to enable. Secure Boot, combined with the EFI firmware, allows operating systems like Windows to boot with a level of assurance that their boot-loading components have not been modified by something like a rootkit. When the VM is started, the EFI firmware validates the digital signature of the OS boot loader against a digital certificate stored in the EFI firmware. The EFI firmware for virtual machines is Secure Boot 2.3 compliant and contains certificates to support Microsoft, Linux and even nested ESXi!
This PWT will guide you through the steps of configuring a virtual machine with EFI firmware to enable Secure Boot. It is literally a checkbox.
Encrypted vMotion has been asked about for YEARS. It’s here now in vSphere 6.5! And, like VM Encryption, we’ve taken a different approach than you might think. We don’t actually encrypt the vMotion network. What we DO encrypt is the data going over the vMotion network. At the time of migration, a 256-bit key and 64-bit Nonce are created by vCenter. This is a one-time-use key and is not persisted!
This information is added to the migration specification sent to both hosts. Each packet is encrypted with the key and the nonce and only the receiving host can decrypt it. The best part is you don’t have to ask your network team to do anything!
This PWT will show you how to enable Encrypted vMotion on a virtual machine. It will explain the three different options available to set on the virtual machine.
As pointed out in my previous blog on the PowerCLI Module for VM Encryption, all of these tasks are very easy to automate and incorporate into your existing provisioning and maintenance workflows.
I hope you find these and all the other fantastic PWTs that the vSphere Tech Marketing Team has created for vSphere 6.5 useful in getting started with upgrading your environment.
If you have questions, I’m on Twitter or you can reply to this blog post.
Thanks for reading,
I’m happy (ok, beyond happy!) to announce that our VM Encryption engineering team has released a PowerCLI module for VM Encryption! In case you weren’t aware, there’s a GitHub repository of VMware PowerShell modules. Check them out!
Included in there is the new PowerCLI Module for VM Encryption. It’s chock full of great cmdlets and new VI Properties that make your day-to-day management of vSphere 6.5 VM Encryption easier to automate. The goal here is to help you operationalize security as easily as possible. If you can’t make security easy to incorporate into your day-to-day operations, then people will find a way to not do it.
Encrypting a VM shouldn’t mean having to manage an encryption solution IN the VM. It should be as simple as “Get-VM” and piping that to “Enable-VMEncryption”, right? Well, with VM Encryption it IS! Let’s take a look.
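Here is a worked example of that Get-VM to Enable-VMEncryption pipeline, written for this page rather than taken from the post or the module itself. It assumes PowerCLI and the VM Encryption module from the VMware PowerShell GitHub repository are installed, that a KMS is already registered with vCenter, and that the module exposes an Encrypted VI property on VM objects; the vCenter name and folder name are placeholders.

```powershell
# Added example, not from the post or the module's own documentation.
# Assumes: PowerCLI, the VMware.VMEncryption module, a KMS already registered
# with vCenter, and an 'Encrypted' VI property added by the module (assumption).
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VMEncryption

Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter

# Scope the change: one folder, and only VMs that are not already encrypted,
# so re-running the script is safe and does not touch protected VMs.
$candidates = Get-Folder -Name 'Tier1-Workloads' |     # placeholder folder
    Get-VM |
    Where-Object { -not $_.Encrypted }                  # assumed VI property

$report = foreach ($vm in $candidates) {
    # vSphere 6.5 applies the encryption storage policy only to a powered-off VM.
    # Record running VMs for a maintenance window instead of stopping them here.
    if ($vm.PowerState -ne 'PoweredOff') {
        [pscustomobject]@{ VM = $vm.Name; Action = 'Skipped'; Detail = 'Powered on' }
        continue
    }
    try {
        # The pattern from the post: pipe the VM object into Enable-VMEncryption.
        $vm | Enable-VMEncryption -ErrorAction Stop

        # Re-read the VM so the property reflects the newly applied policy,
        # then verify rather than trusting that the cmdlet succeeded silently.
        $after  = Get-VM -Name $vm.Name
        $detail = if ($after.Encrypted) { 'Verified encrypted' } else { 'Verification failed' }
        [pscustomobject]@{ VM = $vm.Name; Action = 'Encrypted'; Detail = $detail }
    }
    catch {
        # Typical causes: no KMS reachable, or the host lacks a crypto-safe state.
        [pscustomobject]@{ VM = $vm.Name; Action = 'Failed'; Detail = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Confirm:$false
```

The report object is what you would feed into a change ticket or a compliance check, since it separates VMs that were encrypted and verified from those skipped for a later window or failed outright.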