[Guide] 5 Key Aspects of vSphere Security Hardening
Data security is vital for the well-being of any enterprise today. VMware also provide official a vSphere security hardening guide, and you can read this article to get the key points from it.
Why vSphere security hardening important
Today, cyber-attacks are the daily headline news, and an insecure IT environment is an open invitation. The same is true for your vSphere environments.
According to VMware’s annual Global Incident Response Threat Report 2022 edition, ransomware, zero-day exploits, and deepfakes abound and constantly threatening your cyber security. Take a look at the following statistics:
- Nearly 60% of respondents experienced a ransomware attack in the past 12 months of 2022.
- Zero-day exploits were encountered by 62% of respondents in 2022, an 11% increase from last year.
- Deepfake attacks shot up 13%. 66% of respondents now saying they witnessed them in the past 12 months.
To protect your system infrastructure and data, there are many forms of security hardening you can take. And since it is dangerous to mess with security settings, VMware offers official VMware Security Hardening Guides documents to provide customers with prescriptive guidance on how to deploy and operate VMware products in a secure manner.
Next, this article will outline 5 key aspects of effective vSphere security hardening.
5 key aspects of vSphere security hardening
Security is a process, not a product. To tighten up your data security, you need to take regular practices and maintain good habits. This part will share with you 5 key aspects of vSphere security hardening that you need to consider.
The following information and recommendation refers to the official document vSphere Security Guide 8.0 edition modified on 31 JAN, 2023.
Securing virtual machines in vSphere
A virtual machine (VM) is the base unit of VMware virtualization, allowing you to run multiple operating system environments on a single physical computer, saving physical space, time, and management costs.
To protect virtual machines in vSphere, you need to protect your virtual environment just as you protect your physical machine, keep the guest operating systems patched, and follow other best practices. For example:
- General virtual machine protection such as anti-malware applications and regular backups.
- Use templates to deploy virtual machines to avoid misconfiguration.
- Minimize use of the virtual machine console to avoid malicious attack.
- Prevent virtual machines from taking over resources to avoid Denial of Service (DoS).
- Deactivate unnecessary functions inside virtual machines to reduce attack potential.
Reliable Virtual Machine Backup Software
Neither ESXi host nor vCenter Server provides the feature of virtual machine backup. You can try the agentless VMware backup software - AOMEI Cyber Backup, it enables you to backup multiple VMs either managed by vCenter Server or by standalone ESXi host, and supports both paid and free versions of ESXi 6.5 to 8.0.
Securing VMware ESX/ESXi hypervisor
VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor that allows you to efficiently create and run multiple virtual machines on the same physical server.
The ESXi hypervisor is secured out of the box. Its architecture has many built-in security features, including CPU isolation, memory isolation, and device isolation. You can configure additional features such as lockdown mode, certificate replacement, and smart card authentication for enhanced security.
ESXi mitigates risks to your hosts as follows:
- The ESXi Shell interface and the SSH interface are deactivated by default.
- Only some firewall ports are open by default.
- By default, all ports that are not required for management access to the host are closed.
- ESXi runs only services that are essential to managing its functions.
- By default, weak ciphers are deactivated and communications from clients are secured by SSL.
- An internal web service is used by ESXi to support access by Web clients.
- VMware monitors all security alerts that can affect ESXi security and issues a security patch if needed.
- Insecure services such as FTP and Telnet are not installed, and the ports for these services are closed by default.
- Enabling Secure Boot is done at the system BIOS.
- Working together with Secure Boot, TPM 2.0 provides enhanced security and trust assurance rooted in hardware.
You can take the following further ESXi security measures when evaluation host security and administration:
- Limit access to ESXi hosts.
- Do not access managed ESXi hosts directly.
- Use DCUI only for troubleshooting.
- Use only VMware sources to upgrade ESXi components.
Securing VMware vCenter Server and associated services
vCenter Server is an advanced server management software that provides a centralized platform for controlling vSphere environments for visibility across hybrid clouds. As you protect your vSphere environment, consider that all services that are associated with the vCenter Server instances must be protected.
By default, all data communication between the vCenter Server system and the other vSphere components is encrypted. Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
Here are some best practices recommended by VMware to make your vCenter Server more secure:
- Configure Precision Time Protocol (PTP) or Network Time Protocol (NTP).
- Restrict vCenter Server network access.
- Configure a bastion host (also called a jump box).
Securing vSphere virtual networking (vNetwork)
Securing vSphere networking is an essential part of protecting your environment. The virtual networking layer includes virtual network adapters, virtual switches, distributed virtual switches, and ports and port groups. ESXi relies on the virtual networking layer to support communications between virtual machines and their users.
Network security in the vSphere environment shares many characteristics of securing a physical network environment, but also includes some characteristics that apply only to virtual machines.
Consider the following best practices to ensure the network security:
- Isolate network traffic.
- Use firewalls to secure virtual network elements.
- Consider network security policies.
- Secure virtual machine networking with virtual switches and distributed virtual switches.
- Consider VLANs to protect your environment.
- Secure connections to virtualized storage.
- Evaluate the use of Internet Protocol Security (IPSec).
Securing passwords in your vSphere environment
Passwords provide the first line of defense against unauthorized access to your system. Password restrictions, password expiration, and account lockout in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.
Securing passwords in your vSphere environment includes the following:
- Password for the vCenter Single Sign-On Administrator.
- Passwords for other users of the vCenter Single Sign-On domain.
- Passwords for users from other identity sources.
- Passwords for vCenter Server Direct Console User Interface users.
Data security is vital for the well-being of any enterprise today. Thus, today there are various approaches offered for data protection and security hardening. For example, regular backup and the golden 3-2-1 backup rule.
For vSphere, VMware also provide official a vSphere security hardening guide. This article briefly summarized 5 key aspects and best practices from it. For more details you can also refer to vSphere Security Configuration Guide.