vsphere Platform Security Update Day 2 Security Operations VMworld 2017 Content: Not for publication

Size: px

Start display at page:

Download "vsphere Platform Security Update Day 2 Security Operations VMworld 2017 Content: Not for publication"

Constance Sutton
6 years ago
Views:

1 SER1848BU vsphere Platform Security Update Mike Foley #VMworld #SER1848BU

2 vsphere Platform Security Update Day 2 Security Operations VMworld 2017 Content: Not for publication

3 Current Issues

4 Current Issues: SMB v1 on vsphere VMware vsphere components not implemented/affected vsphere components are client only They don t have the ability to run as a server (Server components not compiled/shipped) SMBv1 issues are Windows specific. VMware components not implemented/affected SMBv2 enablement is needed to support SMBv1 disablement on Windows infrastructure SMBv2 currently not enabled by default in 5.5 & 6.0 SMBv2 enabled in 6.5 on VC & 6.5 Update 1 on ESXi SMBv1 disablement on vsphere is not the issue. SMBv2 *enablement* is the issue Order: Ensure vcenter/esxi have SMBv2 enabled Patch your Windows systems to address the vulnerabilities based on Eternal Blue Disable SMBv1 on your Windows systems Remember: SMB negotiation protocols are configured at the server side, not the client (vsphere) side 4

5 Current Issues: TLS 1.0/1.1 Disablement Current state of TLS disablement Minimum version of vsphere where TLS is fixed to Update 3 Some ports on VCSA may not be configurable (syslog) Windows VC ODBC and Oracle are not TLS 1.2 configurable (not VMware) 6.5 or greater All ports on VCSA are TLS 1.2 configurable Hardware compatibility changes moving to 6.5 may affect your 1.2 rollout Older hardware may no longer be on the 6.5 HCL TLS Reconfiguration Tool vsphere tool for everything except CIM See KB for more info At scale CIM fix handled via Powershell script (via William Lam) Older VMware and 3 rd party s/w that connects to your vcenter may hold you back from TLS 1.0/1.1 disablement e.g. Backup/Recovery solutions 5

6 vsphere 6.0 Update 3 Supports TLS 1.0 / 1.1 / 1.2 out of the box TLS 1.0 disablement supported as of GA release Kb articles: Managing TLS protocol configuration for vsphere 6.0 Update 3 ( ) Link to download TLS configuration script for vsphere 6.0 Update 3 Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products ( ) 6

7 vsphere 6.5 Supports TLS 1.0 / 1.1 / 1.2 out of the box TLS 1.0 disablement supported as of GA release Kb articles: Managing TLS protocol configuration for vsphere 6.5 ( ) Link to download TLS configuration script for vsphere VMworld 2017 Content: Not for publication Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products ( ) 7

8 Enabling TLS 1.2 on ESXi CIM Server Not currently changeable via TLS Reconfigurator William Lam created a PowerShell script to automate this - Search for Automating Disabled Protocols 8

9 Key Management for vsphere Encryption Solutions 9

10 Key Managers VM and vsan Encryption leverage KMIP 1.1 compliant key managers Customers request certified solutions, addressed by the Key Manager Certification Program Certified Today More vendors are going through certification Customer demand will drive additional vendors added to the HCL VMware Compatibility Guide - Key Management Server Certification 10

11 Key Manager The next datacenter requirement Encryption is becoming pervasive Regulatory requirements for encryption are growing Key Manager availability is a business critical requirement Not unlike DNS or NTP! Plan like your life depends on this Do you have just one DNS server? No! What if it goes down? THAT is how you should plan key management! 12

12 Key Manager Topology KMS Cluster/Alias KMS A KMS B KMS C vsphere Datastore 13

13 Multi-Site Key Manager Topology Site A KMS Cluster/Alias KMS Cluster/Alias KMS A KMS B KMS CD KMS E KMS F vsphere VMworld 2017 Content: Not for vsphere Site B publication Datastore Datastore 14

14 Multi-Site Key Manager Topology Order is important Site A KMS Cluster /Alias Site B KMS-A KMS-B KMS-C KMS-D KMS-E KMS-F vsphere Datastore SITE A KMS Order KMS-A KMS-B KMS-C KMS-D KMS-E KMS-F SITE B KMS Order KMS-D KMS-E KMS-F KMS-A KMS-B KMS-C vsphere Datastore 15

15 Encryption Overview VM and vsan Encryption Overview

VM Encryption & vsan Comparison Encryption

Point: One Key Per vsan Cluster distribution

Encryption Datastore Support: Any vsphere

16 VM Encryption & vsan Comparison Encryption Point: One Key Per VM Key Manger Support: Multiple via API vsphere SAN Encrypted vc/psc: Not Supported NAS Shared Storage Storage vsan vsphere Encrypted vc/psc: Supported vsan Datastore vsan or Encryption Point: One Key Per vsan Cluster distribution Key Manger Support: One per vsan Cluster VM Encryption Datastore Support: Any vsphere Datastore Datastore Support: vsan Datastore vsan Encryption 18

17 Encryption Nitty-Gritty Keys, Algorithms, etc. XTS-AES-256 length keys for data Key generated by the ESXi host Referred to as the Data Encryption Key or DEK AES-128 or AES-256 for key encryption Key generated by the KMS. Referred to as the Key Encryption Key or KEK VM and vsan Encryption KEK key length is configured on the KMS, not on vcenter Generated by vcenter, not KMS One Time Use Only! AES-256 key 64-bit Nonce vmotion Encryption keys 19

18 PowerCLI Modules for VM Encryption VMworld 2017 Content: Not for publication

19 PowerCLI for VM Encryption: Disk encryption #Encrypt a VM $vmname = Tiny Get-VM -Name $vmname Enable-VMencryption 21

20 What KMS is providing the host keys? 22

21 PowerCLI: Decrypt a VM #Decrypt a VM $vmname = Tiny Get-VM -Name $vmname Disable-VMencryption 23

22 PowerCLI: Shallow Re-Key a Virtual Machine #Shallow Re-Key of a VM Get-VM VM01 Set-VMEncryptionKey -KMSClusterId NewKMS" 24

23 PowerCLI for VM Encryption: Report on Encryption status 25

24 STO1960BU vsphere Encryption for Virtual Machines and vsan Encryption Deep Dive VMworld 2017 Content: Not for publication Jase McCarty & Mike Foley #VMworld #STO1960

25 Least Privilege is everywhere 27

26 Full Admin Full Admin Full Admin Full Admin Me too! Full Admin but why does everyone in IT have Adminstrator/root? 28

27 New Role: No Cryptography Administrator Most of the same privileges as Administrator Power On Power Off Boot Shutdown vmotion Does not include any Cryptographic Operations No Encrypt No Decrypt No Console Access to Encrypted virtual machines No ability to download encrypted VM s 29

28 Encrypted vmotion

29 Encrypted vmotion available for ALL VM s! VMworld 2017 Disabled Do not use encrypted vmotion Opportunistic Use encrypted vmotion if source and destination hosts support it. Required Content: Not for publication Allow only encrypted vmotion. If the source or destination host does not support encrypted vmotion, migration with vmotion fails Virtual Machine vmotion data encrypted/decrypted (NOT vmotion Network!) One time use key and nonce generated by vcenter. Does not use KMS. 33

30 Encrypted vmotion VM vcenter Migration Spec Encryption Key + Nonce ESXi-A ESXi-B vmotion Network Not Encrypted 34

31 PowerCLI: Setting vmotion Encryption get-vm "Tiny" Set-vMotionEncryptionConfig Encryption required Options are: 'disabled' 'opportunistic' 'required' 35

32 vsphere 6.5 Enhanced Logging

33 Logs transform in vsphere 6.5 Pre-6.5: Logs used for GSS/Troubleshooting 6.5: Logs include VC Events Audit Quality and Actionable 37

34 vsphere Logging Today: 5.x / 6.0 virtual machine reconfigure Logs really need improvement. I know a change was made, but what happened? What changed? 38

35 Actionable Logging Who, What, When, How 39

36 Virtual Machine Changes being logged 40

37 Logging vcenter role being granted 41

38 Security Operations for VMware vsphere with Log Insight #SER1361BU Mike Foley and Ed Halekty Deep dive into vsphere logging using VMware vrealize Log Insight 42

39 VMC and Security

40 Permissions challenges VC permissions are not fine-grained FileManagment permission on a datastore allows you to copy, delete, and edit anything Customers require these permissions for standard operations (eg backup, restore, etc) VMware needs to protect our service infrastructure (VC, NSX, etc) from customers We have contractual obligations with AWS to prevent users from gaining access to hosts We have SLAs with customers that are dependent on our infrastructure VMs VM VM VM VM VM vsan Datastore vsan Cluster 44

41 Multiple Datastore Support Preventing customers from accessing our infrastructure VMware Mgmt. Datastore VM VM VM VM VM vsan Cluster Customer Administrator (Cloud Admin) Customer Datastore Motivation Provide separate datastore level permissions to enable use cases like VADP based backup Overview Logical separation of physical vsan cluster storage into two datastores Separates management workloads from customer workloads Allows more flexibility for assigning datastore permissions to customer s role

42 VMC Permissions differences Role Privileges Owner Traditional Administrator Role CloudAdmin GlobalCloudAdmin Full Administrator Permissions Privileges for vcenter managed entities: Virtual Machines Resource Pools Datastores Networks Global privileges: Content Library Tagging Storage Profiles Read-Only VMware Customer Customer CONFIDENTIAL 46

43 VM Sandboxing in vsphere 6.5 Architecting another layer of Defense in Depth

44 CONFIDENTIAL 48

45 Virtual Machine (VMX) Sandboxing in vsphere 6.5 Zero Configuration! Nothing to change, nothing to configure Every VM runs in it s own sandbox Policies dictate what the VMX process that runs the VM is allowed to do or access e.g. VMX process has no access to /etc/passwd VMX process can t run scripts on the host VMX process can t initial SSH connections in or out of the host Limits what system calls a VMX process allowed to call Will this solve all my security concerns? No. This is an additional layer of defense in depth There is NO Easy Button when it comes to security 49

46 vsphere Security v.future

47 Disclaimer This presentation may contain product features or functionality that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined. This information is confidential. VMworld 2017 Content: Not for publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract.

48 vsphere 6.5 Comprehensive Built-In Security vsphere 6.5 CONFIDENTIAL 53

Technical Preview Comprehensive Built-In Security vsphere 6.5 vsphere.

0 Support Remote Host Attestation Programmatic Security Configuration Simplified

0 The information in this presentation is intended to outline our general product

49 Technical Preview Comprehensive Built-In Security vsphere 6.5 vsphere.future Forensics Logging Limited ESXi Admin AppDefense TPM 2.0 Support Remote Host Attestation Programmatic Security Configuration Simplified VM Encryption vsan Encryption Virtual TPM 2.0 The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 54

Guarantees that secure boot has done its job VMworld 2017 vcenter ESXi Host ESXi Running hostd / DCUI / VM s Secure Boot Verifier VM Kernel Boot Loader UEFI Firmware

50 Remote Host Attestation Secure Infrastructure TPM 2.0 chip on ESXi Host is used to establish Hardware Root of Trust and to keep measurements safe vcenter attests ESXi host for running known VMware software. Guarantees that secure boot has done its job VMworld 2017 vcenter ESXi Host ESXi Running hostd / DCUI / VM s Secure Boot Verifier VM Kernel Boot Loader UEFI Firmware Hardware Technical Preview Content: Not for publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 55

51 Remote Host Attestation Secure Infrastructure Securing the Data Center Host s security stance is reported via a comprehensive security dashboard High Value Assets can be allowed to run only on attested ESXi Host Facilitate secure release of encryption keys to ESXi host VMworld 2017 Technical Preview Content: Not for publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 56

VM Encryption Secure Data Easy to Manage Security Simple setup

automate via PowerCLI User Friendly Easy button to encrypt with a

vcenter Scalable and Efficient 3 rd Party KMIP-Compliant KMS

Fine granular access controls Technical Preview Uses performance

is intended to outline our general product direction and should not

52 VM Encryption Secure Data Easy to Manage Security Simple setup Infrastructure Flexibility (Bring your own KMS) Use vsphere client or automate via PowerCLI User Friendly Easy button to encrypt with a single click Granular reporting of encryption state Easy to customize vcenter Scalable and Efficient 3 rd Party KMIP-Compliant KMS Agentless and guest OS Agnostic. Fine granular access controls Technical Preview Uses performance efficient AES-XTS 256 algorithm The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 57

VM Encryption Workflow Intuitive and easy user experience Technical Preview The information in this presentation is intended to outline our general product

53 VM Encryption Workflow Intuitive and easy user experience Technical Preview The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 58

54 VM Encryption Easy to Manage Security VMworld 2017 Content: Not for Easy button to enable encryption with a single click Granular reporting of the Encryption State of the VM Allows to do further customizations easily Technical Preview publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 59

55 Virtual TPM 2.0 Secure Data Enabling TPM for a VM is as simple as adding a virtual device in VM settings! Guest secrets (e.g encryption keys, certificates, device identity etc.) are protected from in-guest attacks VMworld 2017 Technical Preview Content: Not for publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 60

) are protected from in-guest attacks Secrets stored in TPM are protected by automatically encrypting VM

Not for publication The information in this presentation is intended to outline our general product

56 Virtual TPM 2.0 Secure Data Enabling TPM for a VM is as simple as adding a virtual device in VM settings! Guest secrets (e.g encryption keys, certificates, device identity etc.) are protected from in-guest attacks Secrets stored in TPM are protected by automatically encrypting VM files VMworld 2017 IOIO IOIO IOIO VM Files ESXi *&* IOI %*^OIO $&* IOI (*&* OIO Technical Preview Content: Not for publication The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 61

57 Introducing VMWare AppDefense Protecting applications running on vsphere enabled private and public clouds VM MANIFEST Processes Processes OS Processes APPDEFENSE MONITOR VM MANIFEST Technical Preview New Product AUTOMATED AND ORCHESTRATED RESPONSE SECURE INFRASTRUCTURE INTEGRATED ECOSYSTEM Snapshot Suspend Block/Alarm Quarantine Network Blocking Service Insertion CAPTURE DETECT RESPOND The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 63

Protecting VMs in Non-Trusted Environments Technical Preview Operator of

application s running on vsphere enabled private and public clouds Data

58 Protecting VMs in Non-Trusted Environments Technical Preview Operator of Public or Private Cloud Host Attestation: Assures that the infrastructure protecting customer data has not been tampered with, i.e. factory original Apps & Customer Data AppDefense: Protects application s running on vsphere enabled private and public clouds Data Encryption: Ensures that customer data is safe from both external and internal threats Virtual TPM 2.0: Shields guest s secrets from in-guest attacks The information in this presentation is intended to outline our general product direction and should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract. 64

59 Questions? #SER1848BU

#STO1960BU vsphere Encryption for Virtual Machines and vsan Encryption Deep Dive

60 Other sessions to consider: #SER1361BU Security Operations for VMware vsphere with VMware vrealize Log Insight #SER1848BU vsphere Platform Security Update #STO1960BU vsphere Encryption for Virtual Machines and vsan Encryption Deep Dive VMworld 2017 Content: Not for publication #GRC2226BU Operate Clouds at Least Privilege

Current Issues

SER1848BE vsphere Platform Security Update Mike Foley Technical Market Architect vsphere Security Abhijat Singh Product Manager vsphere Security #VMworld #SER1848BE Current Issues Current Issues: SMB v1