The vSphere 5 Security Guide has been officially released. There are a number of changes and enhancements and you should go through each to review the applicability to your environment and compare it to the vSphere 4.1 Hardening Guide. Since the public draft there have also been some significant changes that you should take time to review.
Before we go into the guide and my take on some of the new aspects I want to make you aware of a recent announcement that vSphere 5 has achieved Common Criteria EAL4+ Certification. This is an important benchmark and milestone for vSphere 5. This gives assurance that vSphere 5 can be configured in a secure manner and the security functionality is effective as per the software design. This is particularly important for hypervisors that will run multiple Guest OS instances on them, as they must ensure the isolation and security is enforced as designed.
The hardening guide is now delivered in a spreadsheet which is much easier to use and include in other documents. It’s very easy to follow, sort and search.
vSphere 5 Hardening Guide Official Release
VMware Official Announcement – vSphere 5 Hardening Guide Released
I previously wrote about some of the important changes in the new hardening guide vs the vSphere 4.1 hardening guide in my article vSphere 5 Security Hardening Guide – Public Draft. I would encourage you to review that article if you haven’t already as the points are still very valid. Since that post there have been some additional changes made to the hardening guide to include my recommendations around SSL certificates in particular, as well as clarification around some of the options that impact functionality.
I would like to draw your attention to the vCenter SSL Certificate recommendations in particular. Additional recommendations are made to check the validity of certificates and also to remove any expired or revoked certificates from your environment. These are very important administrative tasks that should be done if you are using custom SSL certs in place of the default self-signed certs. In my previous post I have linked to William Lam’s blogthat contains scripts to help you automate this task. If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy.
William has also updated his vSphere 5 Hardening Guide Script, which will check the options against the guide and also check your certificates. You can find William’s script at the following location:
virtuallyGhetto: vSphere Security Hardening Report Script for vSphere 5
One of the reasons this is so important is that it protects you from possible man in the middle (MiTM) attacks. Another reason is because vCenter and the vSphere Client does not programatically check the validity of a certificate that it already trusts. It is once trusted, always trusted, unless you remove the trust. Without these important administrative tasks vCenter and the vSphere Client will continue to allow access without warning to any component with a previously trusted yet expired or revoked certificate. However any component that leverages Internet Explorer (such as performance overview and many of the vCenter plug-ins) will start to display warnings or cease to function if the certificates expire or are revoked, this is due to the checks that Internet Explorer does on the SSL certificates.
By considering security in your architecture design, making your designs secure by default and taking into account the appropriate level of hardening from the vSphere 5 Hardening guide you will have the best possible chance of limiting any security risks in your environment. Every environment has security risks, it is up to you as the administrator or architect to ensure you have the appropriate configuration, tools, controls and processes in place to limit the risks and balance security with functionality.
Now that we have the official vSphere 5 Hardening Guide I’m sure we will shortly see the vSphere 5 Hardening Template for vCenter Configuration Manager (vCM). If you don’t already have vCM as part of vCenter Operations Manager Suite – Enterprise I would strongly encourage you to purchase vCenter Operations Enterprise (include Operations, Capacity Planning, Virtual Infrastructure Navigator, vCenter Chargeback and vCM), or purchase vCM separately, or at least try it out in a proof of concept implementation. It will allow you to automate your security hardening and reporting across your vSphere Environment, as well as giving you visibility of configuration drift. vCM isn’t just limited to vSphere environments though as it supports native OS and physical systems (Traditional Unix, Linux and Windows). It can provide a one stop hardening, change management, compliance and audit/reporting shop for your environment, or at least the important parts of it. As well as physical bare metal OS provisioning and OS patching.
I hope you get a lot out of the hardening guide a lot of people at VMware have spent probably thousands of man hours compiling it and testing the recommendations and many of us interested parties have provided feedback to try and make this guide as good as it can be. Let me know what you think about the new hardening guide, I’m always keen to get your comments.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Thanks for your great article