Ask yourself the question, what’s my compliance policy for the company, HIPPA, PCI, SOX, DISA, STIG, etc…
Have I spoken to my internal audit staff?
Have I spoken to my security team yet?
The vSphere Security Configuration Guide remember is not the “VMware vSphere Security Configuration Law”, it’s a guide for you to use to best design a security policy around your virtual infrastructure.
Step 1 – Collaborate with Security
I almost want to write a book on ‘How to be successful at Virtual Security’ and step one of that book would include collaborating with your security department to craft a security policy document that describes the methods that will be used to secure the virtual infrastructure. Let’s face it, securing your VMware Infrastructure isn’t easy.
Partnering with your security team upfront vs. designing this yourself and waiting for their blessing after the fact will yield completely different results. I think you’ll find that the collaborative method will not only surprise them but go along way in the secure design and crafting of a good security policy document, which ultimately can be used for both internal and external audit representatives as a roadmap for showing your work.
Step 2 – Define Your Configuration Policy
Once you’ve bridged the gap with your security and audit teams, it’s time to look at defining the configuration changes to your vSphere infrastructure that will meet your security standards which will ultimately complete your joint security policy document. If you’ve taken a close look at the vSphere Security Configuration Guides, they can be quite overwhelming. I’d suggest you take the time to read and understand what each configuration setting is, how it relates to your security environment, and how it impacts operational procedures for support. Also, remember that anything chosen not to be configured based on your environment, you’ll need to ensure you have compensating controls in place to address any audit and compliance challenges.
My suggestion is to keep it simple and start with the best practices options first. If you’ve read the guides, you’ll notice they are broken down into different risk profiles of a 1, 2 or 3, 1 being more for environments like the FBI or CIA vs 3 being more based off VMware best practice recommendation that everyone should probably implement. I would start by reviewing all Risk Profile 3 options and determining how many if not all should be configured for you environment. Then move onto RP2 and eventually RP1 options depending on your acceptable risk for your environment. Examples could be something like the following:
All vSphere environments containing PCI data or DMZ workloads will have RP2 settings implemented, all other environments will have RP1 settings applied
I won’t go into an explanation for the additional fields other than to remind you to read and understand then to help determine the RPs to implement. Once you’ve identified the settings to be implemented, document accordingly and add to your joint security policy document.
Step 3 – Choose Your Tools
Now that you’ve identified the necessary configuration changes to implement, you’ll notice that the Security Configuration guides have various methods of making the configuration changes ranging form PowerCLI to vCLI to ESXi shell commands. I’m partial to PowerCLI so let’s start with the tools used for making the configuration changes needed.
This tool isn’t really being supported anymore, but for those that like a GUI like interface, this little gem can help you build out PowerCLI scripts from the samples in the vSphere Hardening Guide and apply to your environment. There’s not a lot of great tools out there other than scripting things yourself, so I’d make sure you’re comfortable with writing your own PowerCLI or VMware CLI scripts to apply to your environment and make sure you test them out ahead of time. You can still download PowerGUI here. If you prefer not to use a GUI for running scripts, that’s fine as long as you understand how to build out a robust Powershell server to run scripts in your environment and I’d recommend not using your own laptop. You’ll also need to make sure you have the right VMware PowerCLI package installed based on the version of vSphere you’re running in your environment.
vRealize Configuration Manager
The product has been around for awhile and provides a good platform for setting configuration baselines on your virtual environment. As per VMware summary: It collects thousands of asset, security, and configuration data settings from each networked virtual environments system and virtual object, and from Windows, UNIX, and Linux server and workstation and stores them in a centralized Configuration Management Database (CMDB). By leveraging the information stored in the CMDB, IT administrators can ensure that company policies and the actions they perform are appropriate for the IT infrastructure that they support.
You can download vRealize Configuration Manager Here
Part of the challenges is that this product is no longer being developed so the latest version is to my understanding the last version that will be available for customers to use going forward.
vRealize Operations Manager and vRealize Orchestrator
If you’re not familiar with vRealize Operations Manager (vROPs), here’s a summary of the product along with one for vRealize Orchestrator (vRO) to start with.
VMware vRealize Operations Manager delivers intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures. Using policy-based automation, operations teams automate key processes and improve IT efficiency. Using data collected from system resources (objects), vRealize Operations Manager identifies issues in any monitored system component, often before the customer notices a problem. vRealize Operations Manager also frequently suggests corrective actions you can take to fix the problem right away. For more challenging problems, vRealize Operations Manager offers rich analytical tools that allow you to review and manipulate object data to reveal hidden issues, investigate complex technical problems, identify trends, or drill down to gauge the health of a single object.
VMware vRealize Orchestrator is a drag-and-drop workflow software that simplifies the automation of complex IT tasks. It integrates with VMware vRealize Suite and vCloud Suite® to adapt and extend service delivery and operational management capabilities. This allows for more seamless integrations with existing infrastructure, tools and processes.
vROPs has the ability to report on vSphere Security Configuration Guide configuration parameters. This allows you to leverage the config options applicable to your environment within a policy and apply to your different vSphere environments to report on configuration drift. The challenge though is always around automating the remediation of those configuration drift parameters. vRO can integrate with vROPs in order to truly leverage the automated actions capabilities of vROPs. In other works, if you take the time to build out vRO workflows using the PowerCLI and VMware CLI scripts already provided in the vSphere Security Configuration Guide, you can leverage these workflows to automate the configuration drift of vSphere environment based on the vROPs Security Configuration Guide policy applied to your vSphere infrastructure. Based on my experience, I think VMware has an opportunity to build upon this. I’m working with our internal product management teams on a fling to start testing that will include a vROPs plugin that will leverage a pre-built set of orchestrator workflows. This will allow vSphere Operational and Security teams to use the automated actions capabilities of vROPs to ensure the vSphere infrastructure policy defined is applied at all times. This should reduce the amount of operational work required to keep your vSphere environment within policy and keep your security team’s scanning reports coming back with with a higher compliance rate.
A quick description on Tenable and why it’s relevant to this article:
Built on the leading Nessus technology from Tenable, Tenable.io brings clarity to your security and compliance posture through a fresh, asset-based approach that accurately tracks your resources and vulnerabilities, while accommodating dynamic assets like cloud and containers. Tenable.io maximizes visibility and insight and effectively prioritizes your vulnerabilities, while seamlessly integrating into your environment.
Tenable and Nessus security scanning products are used widely among most customers by security teams. Tenable makes a VMware vSphere Security Configuration Guide plugin which allows for security teams to independently scan IT infrastructure environments and provide a wholistic view of the entire environment. Based on the results of those scans, reports can be provided to IT teams to take action and work on remediation activities.
Tenable and VMware Solution Brief can be viewed here
I bring this up again, as part of the main topic of this article, as it’s important to ensure you collaborate with your internal security teams on an operational model to ensure you’re meeting compliance objectives defined by your internal security and controls. You may or may not use Tenable, but more than likely, your security teams are using some method to scan your environment to ensure you’re meeting internal compliance policies.
To quickly recap, work with your security teams and jointly develop a vSphere Infrastructure Security Configuration policy using the data provided in the VMware Security Configuration Guides that’s applicable to your organization. Make sure you plan the right tools to automate and orchestrate the remediation of configuration drift and by partnering with your security teams, you’ll reduce the configuration drift alerts and provide compliance reporting numbers that will make your senior leadership satisfied and prove that you’re able to meet you’re corporate compliance goals and objectives.