Recently, I was involved in a project and tasked with the design and implementation of a small vSphere Cluster, shared storage and a backup solution. At one day, I was asked to take care of “hardening the environment”. So my first question was, “What are the requirements?” I explained that “Hardening” is part of a much larger concept known as “Security Design”. In the process of creating a good design, you must be aware of the impact of design decisions, because most decisions are irreversible, or will cost you a lot of extra money.
The end of the story; unknown requirements, time pressure and the customer could perform a security audit in the near future.
So time to repeat what I have learned during the “vSphere Security Design Training”, review my design and make sure we will be compliant at any time.
Over the years, VMware released documents that can help you building a secure environment. First of all, the “vSphere Security Guide”, the latest 5.1 release is here. This guide presents in-depth information on subjects like:
- Securing the ESXi hosts, Managements interface and the ESXi shell.
- The Lockdown mode.
- ESXi and vCenter authentication and User management.
- Installation of SSL certificates.
- Securing Virtual Machines.
- Securing vCenter Server.
- Best Practices for Virtual Machine and ESXi host security.
Another useful document is “VMware vSphere Security Hardening Guide”. You can find a version of this document for every release of vSphere. Since vSphere 5.0, it comes in the form of an .XLS file, before that, as a .PDF file.
You can find the latest versions of the “VMware vSphere Security Hardening Guide” here:
The “HardeningGuide-vSphere5.1-GA Release-public.xlsx” consists of nine Worksheets. The first Worksheet “Introduction” presents a brief introduction to the guide. The Guide covers the following vSphere components. Between the (..) the number of guidelines.
- Virtual Machines (54).
- ESXi hosts (37).
- Virtual Network (35)
- vCenter Server (including its database and clients) (30).
- vCenter Update Manager (10).
- vCenter Web Client (2).
- vCenter SSO Server (6).
- vCenter Virtual Appliance (VCSA) (3).
Products like the vMA, vCloud Director, and Site Recovery Manager are not covered. Each of the named components has a dedicated Worksheet.
Each guideline of this guide is identified by a ID, that comes in the form of: Product-Version-Component-ID. E.g. vSphere-5.1-esxi-apply-patches , refers to vSphere 5.1 (Product and Version), and Component ESXi. Jump to Worksheet “ESXi” and the first row is the guideline Apply-patches.
Each Component Worksheet has a number of columns, the interesting ones go here:
- Vulnerability Discussion, a brief explanation.
- Profile, 3 profiles available:1, 2 and 3.
Profile indicates the relative increase in security provided by the guidelines. Profile 3 refers to guidelines that should be implanted by everyone. Profile 2 guidelines should be implemented in more sensitive environments. Profile 1 guidelines should only be implemented in the highest security environments, like top-secret government or military.
- Control type, 3 types available: Parameter, Configuration and Operational.
Parameters, refers to system-level parameters, e.g. vSphere-5.1-esxi-disable-ssh, refers to a disabling the SSH service on a ESXi host in various ways.
Configuration, refers to hardware and/or software configuration that should be used. E.g. vSphere-5.1-esxi-config-firewall-access refers to correctly configuring the ESXi firewall.
Operational, refers to ongoing checks that should be part of your day-to-day operation of your environment. E.g. vSphere-5.1-esxi-apply-papply-patches refers to the process of keeping ESXi hosts up-to-date by installing the latest patches.
- Assessment Procedure: describes how to verify settings. Usually it describes where to logon and the steps to the affected setting. In some case the remediation is also presented.
- Is desired value the default? After a default installation, some guidelines do have the desired value out-of-the-box. So at least pay attention to all guidelines where “Is desired value the default?” has a value of “NO”.
- A series of six columns, presents (if applicable) commands to perform the Assessment and Remediation, in the form of; ESXi Shell, vCLI and PowerCLI Commands.
- Negative Functional Impact, if a guideline has any side effects that reduce or prevent normal functionality, you can find the answer in this column.
- Reference, points to documentation or a KB article for further reference.
- Especially for ESXi, the last column “Able to set using Host Profile?” indicates whether or not a guideline can be configured using Host Profiles.
So now we have seen some of the material available to help us to design and build a secure environment. Be aware that these guidelines do not cover operating systems and software running inside a virtual machine. For each of these products, you will have to follow separate security guidelines.
In the next part of this series, I shall discuss some tools that can help us in the assessment of our environment.
As always, I thank you for reading and I welcome your comments.