{"id":29,"date":"2018-10-15T17:17:51","date_gmt":"2018-10-15T22:17:51","guid":{"rendered":"https:\/\/gr8n8tr0n.wordpress.com\/?p=29"},"modified":"2018-10-15T17:17:51","modified_gmt":"2018-10-15T22:17:51","slug":"the-vsphere-hardening-guide-where-do-i-start","status":"publish","type":"post","link":"http:\/\/blog.virtualnate.net\/wordpress\/2018\/10\/15\/the-vsphere-hardening-guide-where-do-i-start\/","title":{"rendered":"The vSphere Security Configuration Guide &#8211; Where do I start?"},"content":{"rendered":"<ol>\n<li>Ask yourself the question: what&#8217;s my compliance policy for the company? HIPAA, PCI, SOX, DISA, STIG, etc&#8230;<\/li>\n<li>Have I spoken to my internal audit staff?<\/li>\n<li>Have I spoken to my security team yet?<\/li>\n<\/ol>\n<div>Remember, the vSphere Security Configuration Guide is not the &#8220;VMware vSphere Security Configuration Law&#8221;; it&#8217;s a guide for you to use to best design a security policy around your virtual infrastructure.<\/div>\n<h1>Step 1 &#8211; Collaborate with Security<\/h1>\n<div>\n<p>I almost want to write a book on &#8216;How to be successful at Virtual Security&#8217;, and step one of that book would be collaborating with your security department to craft a security policy document that describes the methods that will be used to secure the virtual infrastructure. 
Let&#8217;s face it, securing your VMware infrastructure isn&#8217;t easy.<\/p>\n<div id=\"attachment_731\" style=\"width: 194px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-731\" class=\"size-medium alignright wp-image-731\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2016\/11\/inception_vms_in_vms.jpg?w=368\" alt=\"inception_vms_in_vms\" width=\"184\" height=\"300\" srcset=\"http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/inception_vms_in_vms.jpg 410w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/inception_vms_in_vms-184x300.jpg 184w\" sizes=\"auto, (max-width: 184px) 100vw, 184px\" \/><p id=\"caption-attachment-731\" class=\"wp-caption-text\">this isn&#8217;t easy folks<\/p><\/div>\n<p>Partnering with your security team upfront vs. designing this yourself and waiting for their blessing after the fact will yield completely different results. I think you&#8217;ll find that the collaborative method will not only surprise them but go a long way in the secure design and crafting of a good security policy document, which ultimately can be used by both internal and external audit representatives as a roadmap for showing your work.<\/p>\n<\/div>\n<h1>Step 2 &#8211; Define Your Configuration Policy<\/h1>\n<div>Once you&#8217;ve bridged the gap with your security and audit teams, it&#8217;s time to look at defining the configuration changes to your vSphere infrastructure that will meet your security standards, which will ultimately complete your joint security policy document. 
If you&#8217;ve taken a close look at the <a href=\"https:\/\/www.vmware.com\/security\/hardening-guides.html\" target=\"_blank\" rel=\"noopener\">vSphere Security Configuration Guides<\/a>, they can be quite overwhelming. I&#8217;d suggest you take the time to read and understand what each configuration setting is, how it relates to your security environment, and how it impacts operational procedures for support. Also, remember that for any setting you choose not to configure based on your environment, you&#8217;ll need to ensure you have compensating controls in place to address any audit and compliance challenges.<\/div>\n<div>My suggestion is to keep it simple and start with the best-practice options first. If you&#8217;ve read the guides, you&#8217;ll notice they are broken down into different risk profiles, 1, 2 or 3: 1 being more for environments like the FBI or CIA, vs. 3 being based on VMware best practice recommendations that everyone should probably implement. 
<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-738 size-full\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm.png\" alt=\"screen-shot-2016-11-17-at-4-22-34-pm\" width=\"2542\" height=\"194\" srcset=\"http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm.png 2542w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-300x23.png 300w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-1024x78.png 1024w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-768x59.png 768w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-1536x117.png 1536w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-2048x156.png 2048w, http:\/\/blog.virtualnate.net\/wordpress\/wp-content\/uploads\/2016\/11\/screen-shot-2016-11-17-at-4-22-34-pm-800x61.png 800w\" sizes=\"auto, (max-width: 2542px) 100vw, 2542px\" \/>I would start by reviewing all Risk Profile 3 options and determining how many, if not all, should be configured for your environment. Then move on to RP2 and eventually RP1 options depending on the acceptable risk for your environment. Examples could be something like the following:<\/div>\n<p style=\"padding-left:30px;\">All vSphere environments containing PCI data or DMZ workloads will have RP2 settings implemented; all other environments will have RP1 settings applied<\/p>\n<div>I won&#8217;t go into an explanation of the additional fields other than to remind you to read and understand them to help determine the RPs to implement. 
Once you&#8217;ve identified the settings to be implemented, document them accordingly and add them to your joint security policy document.<\/div>\n<h1>Step 3 &#8211; Choose Your Tools<\/h1>\n<div>Now that you&#8217;ve identified the necessary configuration changes to implement, you&#8217;ll notice that the Security Configuration Guides offer various methods of making the configuration changes, ranging from PowerCLI to vCLI to ESXi shell commands. I&#8217;m partial to PowerCLI, so let&#8217;s start with the tools used for making the configuration changes needed.<\/div>\n<h2>PowerGUI<\/h2>\n<p>This tool isn&#8217;t really being supported anymore, but for those that like a GUI-like interface, this little gem can help you build out PowerCLI scripts from the samples in the vSphere Hardening Guide and apply them to your environment. There aren&#8217;t a lot of great tools out there other than scripting things yourself, so I&#8217;d make sure you&#8217;re comfortable with writing your own PowerCLI or VMware CLI scripts to apply to your environment, and make sure you test them out ahead of time. You can still download PowerGUI <a href=\"https:\/\/www.softpedia.com\/get\/Programming\/File-Editors\/Quest-PowerGUI.shtml\" target=\"_blank\" rel=\"noopener\">here<\/a>. If you prefer not to use a GUI for running scripts, that&#8217;s fine as long as you understand how to build out a robust PowerShell server to run scripts in your environment, and I&#8217;d recommend not using your own laptop. You&#8217;ll also need to make sure you have the right VMware PowerCLI package installed based on the version of vSphere you&#8217;re running in your environment.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1479 aligncenter size-large\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/quest-powergui_23.png?w=2048\" alt=\"Quest-PowerGUI_23\" width=\"1024\" height=\"728\" \/><\/p>\n<h2>vRealize Configuration Manager<\/h2>\n<div>The 
product has been around for a while and provides a good platform for setting configuration baselines on your virtual environment. As per VMware&#8217;s summary: It collects thousands of asset, security, and configuration data settings from each networked virtual environment system and virtual object, and from Windows, UNIX, and Linux servers and workstations, and stores them in a centralized Configuration Management Database (CMDB). By leveraging the information stored in the CMDB, IT administrators can ensure that company policies and the actions they perform are appropriate for the IT infrastructure that they support.<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1480 size-full\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/screen-shot-2018-10-15-at-4-28-04-pm.png\" alt=\"Screen Shot 2018-10-15 at 4.28.04 PM\" width=\"1174\" height=\"894\" \/><\/div>\n<div>You can download vRealize Configuration Manager <a href=\"https:\/\/my.vmware.com\/web\/vmware\/details?downloadGroup=VCM-585&amp;productId=808\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/div>\n<div>Here are the latest <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vRealize-Configuration-Manager\/5.8.5\/rn\/VMware-vRealize-Configuration-Manager-585-Release-Notes.html\" target=\"_blank\" rel=\"noopener\">release notes<\/a> and <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vRealize-Configuration-Manager\/index.html\" target=\"_blank\" rel=\"noopener\">documentation<\/a>.<\/div>\n<div>Part of the challenge is that this product is no longer being developed, so the latest version is, to my understanding, the last version that will be available for customers to use going forward.<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1500\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/image2.png\" alt=\"image2\" width=\"1171\" height=\"954\" \/><\/div>\n<h2>vRealize Operations Manager and 
vRealize Orchestrator<\/h2>\n<div>If you&#8217;re not familiar with vRealize Operations Manager (vROPs), here&#8217;s a summary of the product along with one for vRealize Orchestrator (vRO) to start with.<\/div>\n<div>\n<p id=\"GUID-C60B9A2E-25B6-444F-84E4-B6CBB1631491__p_D3A5F0DE31D748ACA63D0B7C7D0A0138\" class=\"p\">VMware vRealize Operations Manager delivers intelligent operations management with application-to-storage visibility across physical, virtual, and cloud infrastructures. Using policy-based automation, operations teams automate key processes and improve IT efficiency.\u00a0 Using data collected from system resources (objects), vRealize Operations Manager identifies issues in any monitored system component, often before the customer notices a problem. vRealize Operations Manager also frequently suggests corrective actions you can take to fix the problem right away. For more challenging problems, vRealize Operations Manager offers rich analytical tools that allow you to review and manipulate object data to reveal hidden issues, investigate complex technical problems, identify trends, or drill down to gauge the health of a single object.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1481\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/vrops-quickstart-1024x506-1.jpg\" alt=\"vRops quickstart-1024x506\" width=\"1024\" height=\"506\" \/><\/p>\n<p>VMware vRealize Orchestrator is a drag-and-drop workflow software that simplifies the automation of complex IT tasks. It integrates with VMware vRealize Suite and vCloud Suite\u00ae to adapt and extend service delivery and operational management capabilities. 
This allows for more seamless integration with existing infrastructure, tools and processes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1482\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/vrealize-orchestrator.png\" alt=\"vRealize Orchestrator\" width=\"1638\" height=\"1383\" \/><\/p>\n<p>vROPs has the ability to report on vSphere Security Configuration Guide configuration parameters. This allows you to put the config options applicable to your environment into a policy and apply it to your different vSphere environments to report on configuration drift. The challenge, though, is always around automating the remediation of those configuration drift parameters. vRO can integrate with vROPs in order to truly leverage the automated actions capabilities of vROPs. In other words, if you take the time to build out vRO workflows using the PowerCLI and VMware CLI scripts already provided in the vSphere Security Configuration Guide, you can leverage these workflows to automatically remediate configuration drift in your vSphere environment based on the vROPs Security Configuration Guide policy applied to your vSphere infrastructure. Based on my experience, I think VMware has an opportunity to build upon this. I&#8217;m working with our internal product management teams on a fling to start testing that will include a vROPs plugin that will leverage a pre-built set of orchestrator workflows. This will allow vSphere operational and security teams to use the automated actions capabilities of vROPs to ensure the vSphere infrastructure policy defined is applied at all times. This should reduce the amount of operational work required to keep your vSphere environment within policy and keep your security team&#8217;s scanning reports coming back with a higher compliance rate.<\/p>\n<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full 
wp-image-1501\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/screen-shot-2018-10-15-at-11-14-45-pm.png\" alt=\"Screen Shot 2018-10-15 at 11.14.45 PM\" width=\"1832\" height=\"966\" \/><\/div>\n<h2>Tenable<\/h2>\n<div>A quick description of Tenable and why it&#8217;s relevant to this article:<\/div>\n<div>Built on the leading Nessus technology from Tenable, Tenable.io brings clarity to your security and compliance posture through a fresh, asset-based approach that accurately tracks your resources and vulnerabilities, while accommodating dynamic assets like cloud and containers. Tenable.io maximizes visibility and insight and effectively prioritizes your vulnerabilities, while seamlessly integrating into your environment.<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1483\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/screen-shot-2018-10-15-at-5-07-27-pm.png\" alt=\"Screen Shot 2018-10-15 at 5.07.27 PM\" width=\"1246\" height=\"594\" \/><\/div>\n<div>Tenable and Nessus security scanning products are widely used by security teams at most customers. Tenable makes a VMware vSphere Security Configuration Guide plugin, which allows security teams to independently scan IT infrastructure environments and provide a holistic view of the entire environment. Based on the results of those scans, reports can be provided to IT teams to take action and work on remediation activities.<\/div>\n<div><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1484 size-full\" src=\"http:\/\/192.168.0.2\/wordpress\/wp-content\/uploads\/2018\/10\/screen-shot-2018-10-15-at-5-07-42-pm.png\" alt=\"Screen Shot 2018-10-15 at 5.07.42 PM\" width=\"2300\" height=\"1088\" \/><\/div>\n<div>The Tenable and VMware Solution Brief can be viewed <a href=\"https:\/\/www.tenable.com\/sites\/drupal.dmz.tenablesecurity.com\/files\/solution-briefs\/Tenable-VMware-%28SB%29-EN-v3.pdf\" 
target=\"_blank\" rel=\"noopener\">here<\/a>.<\/div>\n<div>I bring this up again, as part of the main topic of this article, because it&#8217;s important to collaborate with your internal security teams on an operational model that ensures you&#8217;re meeting the compliance objectives defined by your internal security and controls. You may or may not use Tenable, but more than likely your security teams are using some method to scan your environment to ensure you&#8217;re meeting internal compliance policies.<\/div>\n<h1>Summary<\/h1>\n<div>To quickly recap, work with your security teams and jointly develop a vSphere Infrastructure Security Configuration policy using the data provided in the VMware Security Configuration Guides that&#8217;s applicable to your organization. Make sure you plan the right tools to automate and orchestrate the remediation of configuration drift. By partnering with your security teams, you&#8217;ll reduce the configuration drift alerts and provide compliance reporting numbers that will satisfy your senior leadership and prove that you&#8217;re able to meet your corporate compliance goals and objectives.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ask yourself the question, what&#8217;s my compliance policy for the company, HIPAA, PCI, SOX, DISA, 
STIG,&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":1632,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[13,19,31,39,45,54,66,67,70],"class_list":["post-29","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vmware","tag-automation","tag-compliance","tag-hardening","tag-orchestration","tag-security","tag-vcenter","tag-vro","tag-vrops","tag-vsphere"],"_links":{"self":[{"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/posts\/29","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/comments?post=29"}],"version-history":[{"count":0,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/posts\/29\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/media\/1632"}],"wp:attachment":[{"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/media?parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/categories?post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.virtualnate.net\/wordpress\/wp-json\/wp\/v2\/tags?post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}