The goals for vSphere 6.7 security are twofold: to deliver more user-friendly security capabilities and to suit the needs of customers’ IT and information security (InfoSec) teams.
With vSphere 6.7 security, we were successful in accomplishing both objectives.
vSphere 6.7 Security new features and modifications
The parts that follow go over some of the new features and modifications.
TPM 2.0 Support for ESXi Hosts
A Trusted Platform Module (TPM) is a device that stores encrypted data such as keys, credentials, and hash values on a laptop, desktop, or server system. TPM 1.2 support has been present on ESXi hosts for a long time, although it was mostly used by partners. TPM 2.0 is not backward compatible with TPM 1.2, necessitating the creation of completely new device drivers and APIs. The Trusted Computing Group gives a great explanation of what a TPM is and what it does.
The use of TPM 2.0 by ESXi hosts builds on our work with Secure Boot in vSphere 6.5. In a word, before gathering measurements and saving them in the TPM, we verify that the machine has booted with Secure Boot enabled. These metrics are read by the vCenter Server instance, which compares them to values supplied by the ESXi host. If the values match, the host has booted with Secure Boot enabled, ensuring that only signed code is run and that unsigned code cannot be installed. In the vSphere Client, the vCenter Server system produces an attestation report that shows the condition of each host.
Virtual TPM 2.0 for VMs
VMware developers designed a virtualized TPM 2.0 device to support TPMs for VMs. It appears as a standard TPM 2.0 device on Windows. It can perform cryptographic operations and store credentials just like a physical TPM. Write data from the vTPM to the VM’s NVRAM file and encrypt that file with VM Encryption to safeguard it. The data in the vTPM is kept secure and “travels” with the VM as a result of this. The data in a vTPM is secured if it is moved to another data center and that data center is not configured to connect with the user’s key management system (KMS). The same criteria for VM Encryption apply.
vSphere 6.7 security – ‘Only the “home” files of the virtual machine are encrypted. Unless the user chooses to encrypt VMDKs, they are not encrypted’
A hardware TPM has a number of drawbacks: Because it is a serial device, it is slow. It has a bytes-based protected NVRAM storage size. It’s not meant to support 100 or more virtual machines on a single host. It requires a scheduler for the cryptographic operations it performs since it cannot save all of their TPM data on the physical TPM. Consider 100 VMs attempting to encrypt anything while relying on a serial device that can only process one at a moment to demonstrate this concept.
Consider a vSphere vMotion migration even if the data can be physically stored. Data would have to be securely removed from a physical TPM and copied to the another, then re-signed using the keys of the new TPM. In actuality, all of these procedures are extremely slow and come with extra security concerns and requirements.
Support for Microsoft Virtualization-Based Security
Support for Windows Defender Credential Guard is commonly requested or requested by information security teams. Microsoft implemented virtualization-based security in 2015. (VBS). We worked together with Microsoft to ensure that these features were supported in vSphere 6.7.
When VBS is enabled on a Windows 10 laptop, the system reboots. Instead of just launching Windows 10, the system starts the Microsoft hypervisor. In vSphere environments, the VM that was previously running Windows 10 directly is now running the Microsoft hypervisor, which is also running Windows 10. “Nested virtualization” is the term for this. VMware has a lot of expertise with this and has been using it for years in their VMware Hands-on Labs.
Support for VBS as well as the following vSphere features is enabled via a single checkbox:
- Nested virtualization
- Input–output memory management unit (IOMMU)
- EFI firmware
- Secure Boot
VBS will not be enabled in the VM’s guest OS as a result of this. Follow Microsoft’s instructions to achieve that goal. This can be accomplished via Windows PowerShell scripts, group policies, and other similar methods. The vSphere system’s role is to provide virtual hardware to allow VBS enablement. Users can now activate VBS and switch on features like Windows Defender Credential Guard while using a vTPM.
In vSphere 6.7 security, we improved the functionality of the vSphere Client in a number of ways. It’s quick, well-organized, and comprehensive for most laboratory jobs. On a VM Encryption level, we’ve made some modifications to make things easier for administrators. We still use storage policies in the background, but we’ve consolidated all encryption functions—VM Encryption and Encrypted vMotion—into a single panel under VM Options. This results in a more rational process.
Multiple Syslog Targets
When customers want their syslog stream to flow to two places—for example, IT and teams—customers have demanded UI capabilities to setup multiple syslog targets. VMware vRealize Log Insight has received a lot of positive feedback from IT professionals. Security incident and event management systems with specialized functionality aimed directly toward security operations are commonly used by InfoSec teams. Both can now broadcast a stream of unfiltered syslog events to their respective targets. Up to three different syslog targets are now supported by the VAMI UI.
FIPS 140-2 Validated Cryptographic Modules by Default
Two modules are utilized for cryptographic activities in vSphere (vCenter Server and ESXi) platforms. The VM Encryption and Encrypted vSAN features use the VMware Kernel Cryptographic Module, while the OpenSSL module is used for services like certificate generation and TLS connections. These two modules have been validated according to FIPS 140-2.
Customers have inquired about vSphere’s “FIPS Certification.” FIPS Certified refers to a complete set of hardware and software that has been thoroughly tested and configured. VMware has made certifying vSphere systems for FIPS operations much easier for our partners. Because all FIPS 140-2 cryptographic processes are enabled by default in vSphere systems, they are done to the highest standards.
Read more :