A collection of links to resources for security hardening, helping organizations make their virtual infrastructure secure and resilient to attacks. This page can be found at https://bob.plankers.com/vmware-security.
VMware Security Advisories
- VMware Cloud Foundation Vulnerability Disclosures & Advisories
- VMware Tanzu Vulnerability Disclosures & Advisories
- Application Networking and Security Vulnerability Disclosures & Advisories
- Software Defined Edge Vulnerability Disclosures & Advisories
VMware Security Configuration & Hardening Guides
The VMware vSphere Security Configuration and Hardening Guide (SCG) provides comprehensive recommendations for securing and optimizing vSphere environments. It offers detailed instructions and best practices for configuring various vSphere components to enhance security, reduce vulnerabilities, and ensure compliance with industry standards.
VMware DISA STIG & STIG Readiness Guides
- Support Policy for Security Technical Implementation Guides (STIGs)
- DISA STIGs and STIG Readiness Guides
VMware Certifications
Certifications are an interesting thing. On the good side, a third party validating that the products work as advertised and maintain security and isolation between workloads is a powerful thing. On the down side, any certification is against a very specific configuration at a very specific point in time. Unless you plan to run exactly that configuration (and I don’t recommend it, because it is usually an old version running on a very strangely configured server), a certification is no more than a data point in your risk & assurance process.
- FIPS 140-2 and FIPS 140-3 (check the certificate itself to see which versions of ESXi and other components each one applies to)
- NIAP & Common Criteria certifications for VMware ESXi
VMware Ransomware
Ransomware can’t be simply patched away like a software bug; it’s a constantly evolving threat that exploits various system vulnerabilities and human errors. Effective protection against ransomware requires a comprehensive security approach, including regular backups, network segmentation, and robust access controls with MFA/2FA.
System Design, Features, and Functions
Good system design incorporates security and resilience from the ground up, creating layers of protection and redundancy throughout the infrastructure. By carefully planning system architecture, access controls, and recovery mechanisms, organizations can significantly reduce their vulnerability to attacks and minimize the impact of both security incidents and operational failures.
Patching & Lifecycle
VMware vSphere patching updates the hypervisor hosts and management software to fix security vulnerabilities. This process is essential for protecting virtualized environments from cyber threats and for ensuring system stability.
Data-at-Rest & Disk Encryption
- PowerCLI Example to back up TPM Encryption keys on hosts (“TPM Encryption Recovery Key Backup” warning alarm)
- PowerCLI Examples for Key Rotations & Changing Key Providers
Data-in-Transit & Network Encryption
- “Disabling Static Ciphers for TLS in ESXi” – Best choice, however, is to use vSphere 8.0.3 or newer and set the TLS Profile to NIST_2024.
- VMware vSphere Firewall Ports
Workload & Application Protections
In any IT environment, the most critical assets to safeguard are the workloads and data that drive business operations. Protecting these elements is paramount, as they represent the core value and intellectual property of an organization, and their compromise could lead to severe financial and reputational damage.
- Migrating! Coming soon.
More VMware Security Resources
Please visit https://bit.ly/vcf-security for additional links and information.