VMworld 2015/vSphere 6 Security Update

From Omnia
Revision as of 20:06, 1 September 2015 by Kenneth (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

vSphere Hardening Guide - READ IT

by Mike Foley

  1. INF4758 on Twitter

http://blogs.vmware.com/vsphere/author/mike_foley

Twitter: @vSphereSecurity

VMware Security Hardening Guides | United States - http://www.vmware.com/security/hardening-guides

vSphere 6.0 Hardening Guide – Overview of coming changes - VMware vSphere Blog - VMware Blogs - https://blogs.vmware.com/vsphere/2015/02/vsphere-6-0-hardening-guide-overview-coming-changes.html

vSphere is secure out of the box, so this guide is more of an "auditing" guide.

Prepares system for operational readiness

  • auditing, control, active directory, ntp, syslog

May disable some ease-of-use features

  • features meant for POC and test environments

Reduces attack surface - disabled un-used functionality

Provides audit guidelines for compliance standards (PCI, HIPAA, SOX, DISA, etc)

Makes the product less susceptible to threats and vulnerabilities

Acts as a tool to generate discussion on risk management

vSphere 6 Hardening Guide - major improvements

  • cleaned up
  • easier to implement
  • new focus on programmatic guidance
  • goal to be mostly accessible via APIs and/or CLIs
  • automation, automation, automation
  • leverage vsphere APIs
  • easier to produce

Programmatic Guidance vs Operational Guidance

  • Science vs Art

Operational Guidance becomes "best practices"

Old guide grouped by tabs. New guide now a flat namespace (taxonomy), easier to parse through.

vCheck Hardening Guide plugin - free powershell script that can send a daily update on various statuses (recommended)

Major security enhancements in vSphere 6.0:

  • increased flexibility in lockdown mode
  • added cac smart card authentication to dcui (fed customers only)
  • improved esxi password and account management
  • enhanced auditing of admin actions
  • certificate lifecycle management for vcenter and esxi

all sorts of new commands added to esxcli

Flexible Lockdown Mode:

  • Normal and Strict (DCUI stopped)

vSphere 6.0 Certificate Manager - generate SSL and CSRs

VMCA - VMware Certificate Authority