Security is one of the key factors when choosing any virtualization solution, and when that solution runs a data center, the issue matters even more. A security weakness in this infrastructure can result in at least thousands of services being accessed and customers' information being disclosed, which can be a huge blow to your credibility or to your organization. In this series of articles I intend to outline the mechanisms for improving the security of this infrastructure. In this first part, I will introduce the vSphere ESXi security enhancements.
Fortunately, the VMware vSphere solution is one of the safest virtualization solutions, and at its various levels, from processing to network and storage, it delivers tremendous security by default. The reason is its design, its unsurpassed architecture, and its implementation of the minimum amount of code at runtime. This level of security was not achieved before the Service Console was removed from ESXi; until then, the alarming Linux security concerns that came with it were a challenge for this solution. With the change in vSphere architecture from version 4.1 onward, however, the security experts' claim that 90% of the security risks all traced back to the Linux operating system was addressed.
Let's review a few of the default security measures of this solution:
- Installing a security certificate for service components by default
- Securing vSphere component communication with up-to-date security protocols
- Having a firewall and closing unnecessary ports
- Running only the minimum set of services required to run workloads
- Locking the ESXi Shell and SSH by default
- The possibility of using dedicated networks per workload (workload separation)
- Controlling I/O usage at the network and storage levels
VMware engineers have taken special measures to run high-security, critical data services in the data center, and you can see these predefined options by scrolling through the settings of vSphere ESXi in the Network Settings section and in the Storage Options section. Beyond that, the security settings in your environment should be customized according to your organization's requirements, so you still need to raise the security of your system.
Here are some of the things that you can easily adjust to increase the level of security:
- Adopt a user identity policy: it is recommended that you use the Active Directory service to control the identity of users and user groups, and define specific policies according to the requirements of each group. Complex passwords, deactivation times, and the assignment of access to user groups on vCenter folders are among these.
- Use resource pools. This is something many virtualization experts ignore when setting up an environment, and leaving it unconfigured is a security weakness. Resources in the cluster must be managed, allocated, and maintained in such a way that high-priority critical workloads and normal low-priority workloads can work side by side. Failing to set resource allocations to match service requirements causes ESXi resources to be disrupted: resources are not allocated where they should be or, worse, one service consumes most of the resources of the other services. Set the resource level of each service according to its level of security.
- Do not use the root user for routine work; set a strong password for this account and allow it to be used only in specific cases. Abuse of this account puts the entire infrastructure at risk.
- Enable Strict Lockdown Mode to disable direct access to ESXi and allow only authorized people to access it.
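As an added example (not code from the original article), the following PowerCLI script applies the identity and access items above to every host in a cluster: it joins the hosts to Active Directory, enforces a password policy and account lockout, keeps the ESXi Shell and SSH off, and switches the hosts to Strict Lockdown Mode. The vCenter name, cluster name, domain, password policy values and the break-glass exception account are placeholders you replace.

```powershell
# Added example: harden identity and access on every ESXi host in one cluster.
# Placeholders: vCenter, cluster, AD domain and the lockdown exception user.
Connect-VIServer -Server 'vcenter.example.internal'          # placeholder vCenter

$hosts  = Get-Cluster -Name 'Prod-Cluster' | Get-VMHost        # placeholder cluster
$adCred = Get-Credential -Message 'Account allowed to join hosts to the domain'

foreach ($h in $hosts) {
    # 1. Join the host to Active Directory so identities come from AD, not local users.
    $auth = Get-VMHostAuthentication -VMHost $h
    if ($auth.Domain -ne 'corp.example') {                      # placeholder domain
        Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
            -Domain 'corp.example' -Credential $adCred -Confirm:$false
    }

    # 2. Password complexity (pam_passwdqc syntax: only 4-class passwords of 15+ chars),
    #    lockout after 5 failures for 15 minutes, and idle shell timeouts of 15 minutes.
    $policy = @{
        'Security.PasswordQualityControl'      = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
        'Security.AccountLockFailures'         = 5
        'Security.AccountUnlockTime'           = 900
        'UserVars.ESXiShellTimeOut'            = 900
        'UserVars.ESXiShellInteractiveTimeOut' = 900
    }
    foreach ($name in $policy.Keys) {
        Get-AdvancedSetting -Entity $h -Name $name |
            Set-AdvancedSetting -Value $policy[$name] -Confirm:$false
    }

    # 3. Keep the ESXi Shell (TSM) and SSH (TSM-SSH) stopped and not started at boot.
    Get-VMHostService -VMHost $h | Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } | ForEach-Object {
        if ($_.Running) { Stop-VMHostService -HostService $_ -Confirm:$false }
        Set-VMHostService -HostService $_ -Policy Off
    }

    # 4. Strict lockdown also disables the DCUI, so define the exception user first.
    $ham = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
    $ham.UpdateLockdownExceptions(@('corp.example\esxi-breakglass'))   # placeholder account
    if ([string]$ham.LockdownMode -ne 'lockdownStrict') {
        $ham.ChangeLockdownMode('lockdownStrict')
    }
}
```

The exception user is the only identity that keeps direct host access in strict mode, so it should be a dedicated, monitored account, not root and not a personal admin account.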
- Restrict the ports of the infrastructure management network and, by isolating that network, control the connections of essential services.
- To control and monitor the services, use monitoring and event-logging mechanisms such as vRealize Log Insight or vRealize Operations Manager, so that you know the status of resources and of service usage and can manage changes to the infrastructure.
- Enable Host Profiles. This is one of the most useful features in vSphere ESXi, yet many people ignore it, while it is very simple and useful. Create a standard profile of server settings and use it to set up a new server or to replicate the standard settings on existing servers. In this way you can easily apply server security policies, and you will be aware of whether new settings comply with the organization's standard policies.
- For storage accessed over the iSCSI, NFS, or FC protocols, use authentication and encryption so that services with no need for sensitive data cannot access it. This can be easily implemented using Kerberos with NFS 4.1 or CHAP with the iSCSI protocol.
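As an added example (not code from the original article), this PowerCLI script implements the storage item above: it sets the software iSCSI adapter of each host to require CHAP with mutual authentication, and mounts an NFS 4.1 export with Kerberos. The vCenter, cluster, NFS server, export path and datastore name are placeholders; the script assumes the hosts are already joined to Active Directory with an NFS Kerberos credential configured, that the NFS server exports the path with a krb5 security flavour, and that your PowerCLI version supports the `-Kerberos` switch of `New-Datastore`.

```powershell
# Added example: require CHAP on the software iSCSI adapter and mount NFS 4.1 with Kerberos.
Connect-VIServer -Server 'vcenter.example.internal'          # placeholder vCenter
$hosts = Get-Cluster -Name 'Prod-Cluster' | Get-VMHost        # placeholder cluster

# Prompt for the secrets instead of hard-coding them; in practice pull them from a vault.
$chapOut = Get-Credential -Message 'CHAP name/secret the host presents to the target'
$chapIn  = Get-Credential -Message 'Mutual CHAP name/secret the target must present'

foreach ($h in $hosts) {
    $hba = Get-VMHostHba -VMHost $h -Type iScsi | Where-Object { $_.Model -like '*Software*' }
    if ($hba) {
        # 'Required' rejects any target that will not authenticate; mutual CHAP
        # additionally makes the target prove its identity to the host.
        Set-VMHostHba -IScsiHba $hba -ChapType Required `
            -ChapName $chapOut.UserName `
            -ChapPassword $chapOut.GetNetworkCredential().Password `
            -MutualChapEnabled $true `
            -MutualChapName $chapIn.UserName `
            -MutualChapPassword $chapIn.GetNetworkCredential().Password
    }

    # NFS 4.1 mounted with Kerberos (placeholder server, path and datastore name).
    # The server side must export with sec=krb5, krb5i or krb5p for this to succeed.
    if (-not (Get-Datastore -VMHost $h -Name 'nfs-secure' -ErrorAction SilentlyContinue)) {
        New-Datastore -VMHost $h -Nfs -FileSystemVersion '4.1' -Kerberos `
            -NfsHost 'nas01.corp.example' -Path '/export/vm' -Name 'nfs-secure'
    }
}

# Verification: any adapter not at 'Required' with mutual CHAP enabled is a finding.
Get-VMHostHba -VMHost $hosts -Type iScsi | Select-Object VMHost, Device,
    @{ N = 'ChapType';   E = { $_.AuthenticationProperties.ChapType } },
    @{ N = 'MutualChap'; E = { $_.AuthenticationProperties.MutualChapEnabled } } |
    Format-Table -AutoSize
```

CHAP authenticates the iSCSI session but does not encrypt the data path, so the storage network still needs to be an isolated, non-routed segment; with NFS 4.1, krb5p is the flavour that also encrypts the traffic.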
- Give peripheral services access only by creating a specific account for each service and granting it access to the required scope, and avoid using an administrator account for the organization's vital services. This ensures that the account cannot be abused and that adequate, reasonable access is granted.
- If you are using version 6.5, enable Secure Boot in the server's BIOS/UEFI settings, which ensures that the code loaded into system memory is trusted.
- Use separate networks for service traffic and manage the resources each service requires with I/O control mechanisms. That way, neighbouring machines cannot borrow excessive amounts of resources from other machines and disturb the service.
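As an added example (not code from the original article), this PowerCLI script covers the resource pool item and the I/O control item together: it creates a reserved, high-share pool for critical services and a capped pool for normal workloads, places VMs by a naming convention, and enables Storage I/O Control and Network I/O Control so a noisy neighbour cannot starve the critical pool. The vCenter, cluster, pool names, sizing numbers, VM name patterns and distributed switch name are placeholders.

```powershell
# Added example: resource pools plus Storage and Network I/O Control for one cluster.
Connect-VIServer -Server 'vcenter.example.internal'          # placeholder vCenter
$cluster = Get-Cluster -Name 'Prod-Cluster'                   # placeholder cluster

# Critical pool: high shares win any contention, the reservation guarantees a floor.
$critical = Get-ResourcePool -Location $cluster -Name 'Critical-Services' -ErrorAction SilentlyContinue
if (-not $critical) {
    $critical = New-ResourcePool -Location $cluster -Name 'Critical-Services' `
        -CpuSharesLevel High -MemSharesLevel High `
        -CpuReservationMhz 8000 -MemReservationGB 32 -MemExpandableReservation $true
}

# Normal pool: normal shares and a hard ceiling, so it can never take the whole cluster.
$normal = Get-ResourcePool -Location $cluster -Name 'Normal-Workloads' -ErrorAction SilentlyContinue
if (-not $normal) {
    $normal = New-ResourcePool -Location $cluster -Name 'Normal-Workloads' `
        -CpuSharesLevel Normal -MemSharesLevel Normal -CpuLimitMhz 20000 -MemLimitGB 96
}

# Place VMs by naming convention (placeholder patterns).
Get-VM -Location $cluster -Name 'svc-*' | Move-VM -Destination $critical -Confirm:$false
Get-VM -Location $cluster -Name 'app-*' | Move-VM -Destination $normal   -Confirm:$false

# Storage I/O Control on every shared datastore the cluster's hosts can see
# (local, single-host datastores are skipped because SIOC does not apply to them).
Get-VMHost -Location $cluster | Get-Datastore | Sort-Object Name -Unique |
    Where-Object { $_.ExtensionData.Summary.MultipleHostAccess } |
    ForEach-Object { Set-Datastore -Datastore $_ -StorageIOControlEnabled $true -Confirm:$false }

# Network I/O Control on the distributed switch, through the vSphere API method.
$vds = Get-VDSwitch -Name 'Prod-VDS'                          # placeholder switch
if (-not $vds.ExtensionData.Config.NetworkResourceManagementEnabled) {
    $vds.ExtensionData.EnableNetworkResourceManagement($true)
}
```

The reservation and the limit are what make the separation enforceable: shares alone only decide who wins when there is contention, while the critical pool's reservation is capacity that the normal pool can never consume.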
- Do not be afraid of keeping the vSphere version up to date. Unlike Linux and Windows, vSphere update packages are among the most up-to-date patches available, and the latest security patches guarantee the stable and dynamic performance of the infrastructure.
- Monitor the security settings periodically to make sure they are accurate. The quality of infrastructure security needs to be tested and upgraded in a timely manner to ensure that a secure footing is provided for the services' activity. You will also become aware of necessary changes to the security policies.
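As an added example (not code from the original article), this read-only PowerCLI audit implements the periodic check recommended above: for every host in a cluster it reports lockdown mode, whether the ESXi Shell or SSH is running, the configured remote syslog target, firewall exceptions that policy says must stay disabled, the Secure Boot capability flag (an API field available from vSphere 6.5), and the build number, then prints only the hosts that drift from the expected state. The vCenter, cluster, log collector address and the list of firewall rules are placeholders.

```powershell
# Added example: read-only drift audit for the ESXi settings discussed in this article.
Connect-VIServer -Server 'vcenter.example.internal'          # placeholder vCenter
$expectedLogHost = 'udp://loginsight.corp.example:514'       # placeholder log collector
$mustBeDisabled  = 'SSH Server', 'CIM Server', 'SNMP Server' # firewall rules that must stay off

$report = foreach ($h in Get-Cluster -Name 'Prod-Cluster' | Get-VMHost) {   # placeholder cluster
    $ham      = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
    $services = Get-VMHostService -VMHost $h
    $openFw   = Get-VMHostFirewallException -VMHost $h |
                Where-Object { $_.Enabled -and $_.Name -in $mustBeDisabled } |
                ForEach-Object Name

    [pscustomobject]@{
        Host         = $h.Name
        Build        = $h.Build
        Lockdown     = [string]$ham.LockdownMode
        SshRunning   = [bool]($services | Where-Object Key -eq 'TSM-SSH').Running
        ShellRunning = [bool]($services | Where-Object Key -eq 'TSM').Running
        LogHost      = (Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logHost').Value
        SecureBoot   = [bool]$h.ExtensionData.Capability.UefiSecureBoot   # vSphere 6.5+ field
        OpenFirewall = ($openFw -join ',')
    }
}

# Only drifted hosts are printed; an empty result is the desired state.
$drift = $report | Where-Object {
    $_.Lockdown -ne 'lockdownStrict' -or $_.SshRunning -or $_.ShellRunning -or
    $_.LogHost -ne $expectedLogHost -or -not $_.SecureBoot -or $_.OpenFirewall
}
$drift | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or monitoring job raise an alert on drift.
if ($drift) { exit 1 }
```

Run it from a scheduled job under a read-only vCenter role; because it changes nothing, it is safe to run often, and the exit code turns configuration drift into an event your monitoring can alert on.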
In the second part, I will go through the security settings at the vCenter Server level to make the security features and security issues of this solution more evident.