vSphere Security Hardening: How and Why to Prepare Your VMware Environment

Written by Joe Kozlowicz on Wednesday, August 14th 2013 — Categories: Cloud Hosting, Hybrid Cloud, Security, VMware

One vital managed service for Green House Data virtualization deployments is taking steps to ensure the security of your critical data. Although our data center compliance standards attest to our security management protocols, additional steps are necessary to secure data within a vSphere environment. One of our most popular services is therefore the security hardening and audit.

Each level of the deployment must be checked for specific vulnerabilities: vCenter Server, vNetwork, ESXi, VUM, SSO, WebClient, VCSA and the virtual machine level itself. Each level has 10 – 60 components that require assessment and auditing against a range of risks, such as denial of service or configuration issues that could let a workload consume more than its share of available resources. VMware provides a complete vSphere 5.1 security hardening guide with detailed instructions for each component. Most of the fixes simply involve checking configuration files or adjusting specific settings within vSphere. Other common-sense steps include regular and/or automated patching of software and operating systems, changing default passwords, and controlling which accounts and users can access sensitive data such as Secure Sockets Layer (SSL) certificates. Monitoring tools can alert on actions performed by unauthorized accounts. Expired certificates must be removed from the server. Idle sessions can be set to time out after a period of inactivity. Many of these tasks can be automated after the initial hardening.
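As an added example (not Green House Data's or VMware's own tooling), the Python script below checks exported vSphere settings against a small hardening baseline, covering the per-VM .vmx settings and the idle shell timeout mentioned above. The setting names are taken from VMware's hardening guide; the expected values, the .vmx fragment and the host settings are constructed for this example and should be replaced with the guide's own recommendations before any real audit.

```python
import re
# Setting names follow VMware's vSphere hardening guide; the expected values
# are this example's assumptions and should be taken from the guide itself.
VM_BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.device.connectable.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
}
HOST_BASELINE = {
    "UserVars.ESXiShellInteractiveTimeOut": "900",  # idle shell session, seconds
    "UserVars.ESXiShellTimeOut": "900",             # how long the shell stays enabled
}
# .vmx files are key = "value" lines; anything else is ignored.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse .vmx-style text into a {setting: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings, baseline):
    """Return (setting, expected, actual) for each baseline setting that is missing
    or wrong. Case-insensitive (.vmx booleans appear as TRUE or true); a missing
    key leaves the product default in force, so it is reported, not passed."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, expected, "MISSING"))
        elif actual.strip().lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings

# Constructed sample .vmx: paste still enabled, device-connect setting absent,
# and two console connections allowed.
SAMPLE_VMX = '''.encoding = "UTF-8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.tools.setGUIOptions.enable = "FALSE"
RemoteDisplay.maxConnections = "2"
'''

if __name__ == "__main__":
    for key, expected, actual in audit(parse_vmx(SAMPLE_VMX), VM_BASELINE):
        print(f"{key}: expected {expected}, found {actual}")
```

The same `audit` function takes a host's advanced settings as a plain dict (for example, a constructed export with the interactive timeout set to 0) and reports both the disabled timeout and any baseline setting the export lacks.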

Without SSL certificates, sensitive information such as credit card numbers or user credentials can be exposed, especially when traffic travels across public networks. SSL certificates are important because they can prevent MitM (man-in-the-middle) attacks, especially when custom SSL certificates are used. A MitM attack occurs when an attacker inserts an independent connection between the two ends of a communication, relaying messages between them while controlling the entire conversation. SSL authenticates one or both ends, helping to avoid a possible MitM situation.

After hardening the hosts, the VMs and the hypervisor level, we take it all the way through the application stack and verify security as information reaches the network. If encryption is requested, we add it to outgoing communications in addition to IPS / IDS (intrusion prevention / intrusion detection services) that provide early warning signs of attacks. IDS tools examine incoming traffic to capture and provide visibility into network activity in the hope of detecting malicious use. Deploying them both inside and outside of a network router helps determine where an attack originates. An IPS is roughly a combination of an IDS and a firewall, examining packets as they traverse the network and blocking them where necessary.

It is through a combination of all the above preparations that Green House Data considers a vSphere environment fully audited and secure. Although automated scripts can be used to check security hardening settings, confirmation by trained personnel is the only way to be confident in the security of vital business data.
