ESX Virtualization


VMware vSphere 6.7 Security Features

By Vladan SEGET | Last Updated: April 17, 2018


VMware announced vSphere 6.7 today. In this post, we focus on the VMware vSphere 6.7 security features. As you might imagine, VMware has worked hard to bring new security features that further secure VMware infrastructures. There is also some information about Virtual Hardware 14 (VMX-14).

If you want to read about the other vSphere 6.7 features that have been announced, we have already published blog posts covering VMware vSAN 6.7, VMware vCSA 6.7, and vSphere Update Manager (HTML5) with Quick Boot.

Here are those posts:

  • VMware vSAN 6.7 announced
  • VMware vSphere 6.7 Announced – VCSA 6.7
  • VMware vSphere 6.7 – vSphere Update Manager (VUM) HTML5 and Quick Boot
  • VMware vSphere 6.7 and Enterprise Apps

Without further wait, let's jump in and talk about vSphere 6.7 security.

VMware vSphere 6.7 Security Features

TPM v2.0

The hardware TPM chip is used by the ESXi host. Within the hardware, the UEFI firmware validates the bootloader and the VMkernel. In the kernel, a number of measurements are taken and stored in the TPM device.

The boot continues and that information is passed to vCenter. vCenter queries both the ESXi host and the TPM device, then compares the hashes reported by ESXi against the hashes reported by the TPM.

vCenter then generates a report which looks like this.

Another screenshot from VMware.
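The comparison described above, sketched as an added example (not VMware's code): a verifier replays the host-reported measurement log with the TPM 2.0 extend rule and checks the result against the PCR values the TPM reports. The PCR indexes, component names and sample data are constructed for illustration, and the TPM values are assumed to arrive in an already authenticated quote.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as it would be measured before it runs."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Recompute PCR values from an ordered log of (pcr_index, digest, label)."""
    pcrs = {}
    for index, digest, _label in event_log:
        if len(digest) != PCR_SIZE:
            raise ValueError(f"bad digest length for PCR {index}")
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def attest(event_log, tpm_pcrs):
    """Return the PCR indexes where the replayed log and the TPM disagree."""
    replayed = replay(event_log)
    mismatched = []
    for index in sorted(set(replayed) | set(tpm_pcrs)):
        ours, theirs = replayed.get(index), tpm_pcrs.get(index)
        if ours is None or theirs is None or not hmac.compare_digest(ours, theirs):
            mismatched.append(index)
    return mismatched


# Constructed sample: the log the host reports to the verifier.
REPORTED_LOG = [
    (0, measure(b"uefi-firmware-image"), "UEFI firmware"),
    (4, measure(b"esxi-bootloader"), "bootloader"),
    (4, measure(b"vmkernel"), "VMkernel"),
]
# Constructed sample: what the TPM actually recorded on a clean boot ...
CLEAN_TPM = replay(REPORTED_LOG)
# ... and on a boot where a different kernel image was measured.
ALTERED_TPM = replay(REPORTED_LOG[:2] + [(4, measure(b"vmkernel-altered"), "VMkernel")])

if __name__ == "__main__":
    print("clean boot mismatches:  ", attest(REPORTED_LOG, CLEAN_TPM))
    print("altered boot mismatches:", attest(REPORTED_LOG, ALTERED_TPM))
```

Because each extend hashes the previous PCR value, the order of measurements matters as much as their content, so a reordered log fails the same check.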

Virtualization Based Security (VBS)

When a Windows 10 VM boots on VMware ESXi, it boots via MBR or EFI. There is no Credential Guard support.

In order to enable VBS, you'll need:

  • Hardware virtualization
  • IOMMU
  • EFI Firmware
  • Secure boot

ESXi boots a copy of the Windows hypervisor, which boots Windows 10 and the whole credentials subsystem within a micro VM.

In order to support VBS, every Windows 10 and Windows Server 2016 VM will be a nested VM.

A vTPM 2.0 module, new in Virtual Hardware 14, is available, and the data are secured via VM encryption. However, VM encryption still needs an external key manager (via a VMware partner). The VM home files are encrypted using the key generated by the ESXi host.
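One way to audit a VM for the four prerequisites listed above, as an added example that is not from the original post: the script parses a `.vmx` file and reports which prerequisites are missing, plus the Virtual Hardware 14 level that the post ties VBS to. The mapping of each prerequisite to a VMX key and the two sample files are assumptions constructed for illustration; keys are compared case-insensitively for convenience.

```python
import re

# Assumed mapping: prerequisite from the list above -> (VMX key, expected value).
REQUIRED = {
    "Hardware virtualization": ("vhv.enable", "true"),
    "IOMMU": ("vvtd.enable", "true"),
    "EFI firmware": ("firmware", "efi"),
    "Secure boot": ("uefi.secureboot.enabled", "true"),
}
VMX_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines; keys and values are lowercased."""
    settings = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip().lower()
    return settings


def hw_version(settings):
    """Virtual hardware version as an int, or 0 if absent or malformed."""
    try:
        return int(settings.get("virtualhw.version", "0"))
    except ValueError:
        return 0


def vbs_gaps(text):
    """Return the names of VBS prerequisites this VMX does not satisfy."""
    settings = parse_vmx(text)
    gaps = [name for name, (key, want) in REQUIRED.items()
            if settings.get(key) != want]
    if hw_version(settings) < 14:
        gaps.append("Virtual Hardware 14")
    return gaps


# Constructed sample files, not taken from a real VM.
READY_VMX = '''virtualHW.version = "14"
firmware = "efi"
uefi.secureBoot.enabled = "TRUE"
vhv.enable = "TRUE"
vvtd.enable = "TRUE"
'''
LEGACY_VMX = '''virtualHW.version = "13"
firmware = "bios"
vhv.enable = "TRUE"
'''

if __name__ == "__main__":
    for label, vmx in (("ready", READY_VMX), ("legacy", LEGACY_VMX)):
        print(label, "->", vbs_gaps(vmx) or "all prerequisites present")
```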

The solution does not need hardware TPM.

VMs are provided with trusted virtual hardware, which is presented to the VM by the host. The ESXi host has a root of trust to the physical hardware.

The VM encryption operations are simplified in the vSphere 6.7 UI; everything is under the same tab. You can also select which disk you want to encrypt. It is also possible to do that with PowerCLI.

FIPS 140-2 for vSphere

The kernel crypto module and the OpenSSL module have both got through FIPS evaluation.

TLS 1.2

It's ON by default. If you upgrade or migrate a host, TLS 1.2 will be turned ON. Only key managers that support TLS 1.2 will be supported. (You can downgrade, however.)

New Alarms

  • Virtual Machine Locked Alarm
  • Host Requires Encryption Module Enabled Alarm
  • KMS client and server Certificate Status Alarm

If you see an alarm that a VM is locked, it usually means that the host is unable to unlock the VM. Usually, this happens when network connectivity with the KMS is broken.

VMware Virtual Hardware version 14 (VMX-14)

vSphere 6.7 brings Virtual Hardware 14. But when upgrading, you should not just jump in and start upgrading all your VMs to the latest Virtual Hardware. Changing the VM compatibility level is like changing the motherboard of a VM. You should only do that for those VMs that need the features introduced in Virtual Hardware 14.

VM Hardware 14 adds support for security and application technologies such as those discussed above:

  • VBS, vTPM, vIOMMU
  • vPMEM, updates to vRDMA and vNVMe
  • Per-VM EVC

The resource maximums, like vRAM and vCPU, stay the same. The only thing that has changed is the number of virtual disks, which has increased from 60 to 256.

