VMworld 2015/vSphere 6 Security Update
vSphere Hardening Guide - READ IT
by Mike Foley (session INF4758)
Blog: http://blogs.vmware.com/vsphere/author/mike_foley
Twitter: @vSphereSecurity
VMware Security Hardening Guides - http://www.vmware.com/security/hardening-guides
vSphere 6.0 Hardening Guide – Overview of coming changes (VMware vSphere Blog) - https://blogs.vmware.com/vsphere/2015/02/vsphere-6-0-hardening-guide-overview-coming-changes.html
vSphere is secure out of the box, so this guide is more of an "auditing" guide.
Prepares the system for operational readiness
- auditing, control, Active Directory, NTP, syslog
May disable some ease-of-use features
- features meant for POC and test environments
Reduces attack surface - disables unused functionality
Provides audit guidelines for compliance standards (PCI, HIPAA, SOX, DISA, etc.)
Makes the product less susceptible to threats and vulnerabilities
Acts as a tool to generate discussion on risk management
vSphere 6 Hardening Guide - major improvements
- cleaned up
- easier to implement
- new focus on programmatic guidance
- goal to be mostly accessible via APIs and/or CLIs
- automation, automation, automation
- leverage vSphere APIs
- easier to produce
Programmatic Guidance vs Operational Guidance
- Science vs Art
Operational Guidance becomes "best practices"
Old guide was grouped by tabs. New guide is a flat namespace (taxonomy), easier to parse through.
vCheck Hardening Guide plugin - free PowerShell script that can send a daily update on various statuses (recommended)
Major security enhancements in vSphere 6.0:
- increased flexibility in lockdown mode
- added CAC smart card authentication to DCUI (federal customers only)
- improved ESXi password and account management
- enhanced auditing of admin actions
- certificate lifecycle management for vCenter and ESXi
- all sorts of new commands added to esxcli
Flexible Lockdown Mode:
- Normal and Strict (DCUI stopped)
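The programmatic-guidance, vCheck and flexible-lockdown-mode notes above all come down to one thing: check each host's state against the guide with code rather than by hand. The PowerShell below is an added example written for these notes, not the session's, vCheck's or VMware's own code. The advanced-setting names are real ESXi 6.0 settings and the lockdown values are the vSphere 6 API enum values; the expected values, host names and the `Get-HostHardeningState`/`Test-HostHardening` function names are assumptions chosen for illustration, and the expected values should be taken from whichever revision of the guide you audit against. The audit function runs offline against constructed sample data; the collector function needs PowerCLI and a vCenter session.

```powershell
# Added example (not from the session or the hardening guide): audit a few vSphere 6.0
# hardening-guide advanced settings plus lockdown mode on each ESXi host.
# Setting names are real ESXi 6.0 advanced settings; the expected values are ASSUMED
# illustrative values, not the guide's authoritative ones.

$DesiredSettings = [ordered]@{
    'Security.AccountLockFailures'            = 3       # lock local ESXi accounts after N failed logins
    'Security.AccountUnlockTime'              = 900     # seconds before a locked account auto-unlocks
    'Security.PasswordQualityControl'         = 'retry=3 min=disabled,disabled,disabled,7,7'  # assumed policy string
    'UserVars.ESXiShellInteractiveTimeOut'    = 900     # idle ESXi Shell / SSH sessions time out
    'UserVars.ESXiShellTimeOut'               = 900     # ESXi Shell service disables itself after N seconds
    'UserVars.DcuiTimeOut'                    = 600     # idle DCUI sessions time out
    'Config.HostAgent.plugins.solo.enableMob' = $false  # Managed Object Browser disabled
}
# vSphere 6 API lockdown values: lockdownDisabled, lockdownNormal, lockdownStrict (Strict also stops the DCUI)
$DesiredLockdown = 'lockdownNormal'

function Get-HostHardeningState {
    # Live collector (requires PowerCLI): one object per ESXi host with the audited settings and lockdown mode.
    param([Parameter(Mandatory)] $VMHosts)
    foreach ($h in $VMHosts) {
        $settings = @{}
        Get-AdvancedSetting -Entity $h -Name ([string[]]($DesiredSettings.Keys)) |
            ForEach-Object { $settings[$_.Name] = $_.Value }
        [pscustomobject]@{
            Name     = $h.Name
            Settings = $settings
            Lockdown = [string]$h.ExtensionData.Config.LockdownMode
        }
    }
}

function Test-HostHardening {
    # Compares one collected host state against the desired state; emits one finding per check.
    # A missing setting counts as non-compliant rather than silently passing.
    param([Parameter(Mandatory)] $HostState)
    foreach ($name in $DesiredSettings.Keys) {
        $expected = $DesiredSettings[$name]
        $actual   = $HostState.Settings[$name]
        [pscustomobject]@{
            Host      = $HostState.Name
            Check     = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$expected")   # string compare covers bool/int/string values
        }
    }
    [pscustomobject]@{
        Host      = $HostState.Name
        Check     = 'LockdownMode'
        Expected  = $DesiredLockdown
        Actual    = $HostState.Lockdown
        Compliant = ($HostState.Lockdown -eq $DesiredLockdown)
    }
}

# Constructed sample data (no real hosts): esx01 matches the desired state, esx02 has drifted.
$compliant = @{}
foreach ($k in $DesiredSettings.Keys) { $compliant[$k] = $DesiredSettings[$k] }
$drifted = $compliant.Clone()
$drifted['Security.AccountLockFailures']            = 0       # lockout disabled
$drifted['Config.HostAgent.plugins.solo.enableMob'] = $true   # MOB left enabled
$drifted.Remove('UserVars.DcuiTimeOut')                       # setting never returned at all

$SampleHosts = @(
    [pscustomobject]@{ Name = 'esx01.lab.example'; Settings = $compliant; Lockdown = 'lockdownNormal' }
    [pscustomobject]@{ Name = 'esx02.lab.example'; Settings = $drifted;   Lockdown = 'lockdownDisabled' }
)

$findings = $SampleHosts | ForEach-Object { Test-HostHardening -HostState $_ }
$findings | Where-Object { -not $_.Compliant } | Format-Table Host, Check, Expected, Actual -AutoSize

# Live usage (PowerCLI, against a real vCenter; hostname is a placeholder):
#   Connect-VIServer vcenter.example -Credential (Get-Credential)
#   Get-HostHardeningState -VMHosts (Get-VMHost) |
#       ForEach-Object { Test-HostHardening -HostState $_ } |
#       Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run offline, the sample reports four findings for esx02 (lockout failures, MOB enabled, the missing DCUI timeout and the disabled lockdown mode) and none for esx01. Each finding carries the expected and actual values, so the same output can feed a daily report the way the vCheck plugin does, and a drifted setting can be corrected with `Set-AdvancedSetting -Value` on the object `Get-AdvancedSetting` returned.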
vSphere 6.0 Certificate Manager - generates SSL certificates and CSRs
VMCA - VMware Certificate Authority