Wednesday, June 6, 2012

vSphere Security - Architecture

In vSphere ESXi 5.0 there are three major components of the security architecture.  Security can and should be applied to all three areas.

  1. Virtualization Layer (VMkernel)
  2. Virtual Networking Layer
  3. Virtual Machines

In this blog we're talking about security at the Virtualization layer. What can we do at the VMkernel layer that would help us secure the system?  There are three things we can do to protect the system at the kernel level.

  1. Memory Hardening
  2. Kernel Module Integrity
  3. Trusted Platform Module (TPM)

The cool part of memory hardening in ESXi 5 is randomness.  User applications, drivers and libraries are loaded at random, non-predictable memory addresses.  Does that make you wonder about the algorithm that assigns memory in a non-predictable way?  Me too.  Even chaos shows patterns.  That's why VMware also added non-executable memory protections, made possible by advances in microprocessors.  Now if a memory exploit is discovered and malicious code is deployed, chances are the code will fail when it runs into this randomness and/or protected memory.   Security loves randomness.

Kernel Module Integrity is a fancy term for digital signatures.  Drivers, modules and applications are digitally signed, and the signatures are checked as they are loaded into the VMkernel.  This allows the kernel to identify the provider of each driver, module and application and ensure it is VMware-certified.   I really like this over, say, Android and other open-source solutions.  Apple does this same "certification" of third-party apps.  It's just smart business: control the development, certification process and deployment and you'll have higher quality code.  Many vendors use this method for developing apps for their products.

Trusted Platform Module (TPM) is a measuring tool used each time ESXi boots.  Think of it as an approved configuration that boots to the same place every time.  It's enabled by default and can't be disabled. It measures the VMkernel and a subset of VIBs - vSphere Installation Bundles (not to be confused with MIB - Management Information Base, used with SNMP).  VIBs allow you to include certain modules in the host image for deployment when building or recovering hosts.  The measurement taken at boot time is stored in a register called Platform Configuration Register (PCR) 20.  This value can be (and should be) monitored. You want to monitor for any changes to the image.  Image corruption is another thing to monitor for.  TPM is largely a configuration and change management tool.  Alerts should be set up to notify the appropriate people when unauthorized changes are made.
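The two mechanisms above catch different things, and a small simulation makes the difference concrete. The following Go program is an added example written for this post; it is not VMware code and does not reproduce ESXi's actual signing format or its list of measured components. It assumes an Ed25519 key as a stand-in for the vendor signing key (derived from a constructed, fixed seed so the run is reproducible), a SHA-1 extend operation as used by TPM 1.2 PCRs, and a constructed three-module host image measured in load order. The loader verifies each module's signature (kernel module integrity), extends the digest of every accepted module into a simulated PCR 20, and then compares the result against the baseline taken from the approved image; in practice the observed PCR value would be read from the host rather than computed locally.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Module is a constructed stand-in for a driver or VIB presented to the loader:
// its contents plus a signature produced by the vendor's signing key.
type Module struct {
	Name      string
	Payload   []byte
	Signature []byte
}

const pcrSize = sha1.Size // TPM 1.2 PCRs are 160-bit SHA-1 registers

// extendPCR implements the TPM 1.2 extend operation: PCR' = SHA1(PCR || measurement).
func extendPCR(pcr [pcrSize]byte, measurement [pcrSize]byte) [pcrSize]byte {
	return sha1.Sum(append(pcr[:], measurement[:]...))
}

// verifyModule is the kernel-module-integrity step: only modules whose
// signature verifies under the trusted vendor public key are accepted.
func verifyModule(trusted ed25519.PublicKey, m Module) bool {
	return ed25519.Verify(trusted, m.Payload, m.Signature)
}

// measuredBoot replays the loader: verify each module, reject those that fail,
// and extend the digest of every accepted module into the PCR. It returns the
// final PCR value and the names of rejected modules.
func measuredBoot(trusted ed25519.PublicKey, modules []Module) ([pcrSize]byte, []string) {
	var pcr [pcrSize]byte // PCRs start at all zeros after a platform reset
	var rejected []string
	for _, m := range modules {
		if !verifyModule(trusted, m) {
			rejected = append(rejected, m.Name)
			continue
		}
		pcr = extendPCR(pcr, sha1.Sum(m.Payload))
	}
	return pcr, rejected
}

// pcrMatches compares an observed PCR with the baseline in constant time.
func pcrMatches(observed, baseline [pcrSize]byte) bool {
	return subtle.ConstantTimeCompare(observed[:], baseline[:]) == 1
}

// demoVendorKey derives a constructed, deterministic vendor signing key from a
// fixed seed so the example is reproducible; a real vendor key lives in an HSM.
func demoVendorKey() ed25519.PrivateKey {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	return ed25519.NewKeyFromSeed(seed)
}

// signModule builds a Module whose payload is signed by priv.
func signModule(priv ed25519.PrivateKey, name string, payload []byte) Module {
	return Module{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// approvedImage is the constructed host image: kernel plus two signed VIBs.
func approvedImage(priv ed25519.PrivateKey) []Module {
	return []Module{
		signModule(priv, "vmkernel", []byte("vmkernel 5.0 (constructed)")),
		signModule(priv, "esx-base", []byte("esx-base VIB (constructed)")),
		signModule(priv, "net-e1000", []byte("net-e1000 VIB (constructed)")),
	}
}

func main() {
	priv := demoVendorKey()
	pub := priv.Public().(ed25519.PublicKey)
	baseline, _ := measuredBoot(pub, approvedImage(priv))
	fmt.Println("baseline PCR20:", hex.EncodeToString(baseline[:]))

	// Scenario 1: a VIB is modified on disk after signing. The signature no
	// longer verifies, the loader rejects it, and the PCR drifts as well.
	tampered := approvedImage(priv)
	tampered[2].Payload = append(tampered[2].Payload, []byte(" + patched")...)
	pcr, rejected := measuredBoot(pub, tampered)
	fmt.Println("tampered image: rejected", rejected, "PCR matches baseline:", pcrMatches(pcr, baseline))

	// Scenario 2: a correctly signed but unapproved VIB is added. Signing lets
	// it load, but the PCR no longer matches, which is what monitoring catches.
	extra := append(approvedImage(priv), signModule(priv, "unapproved-tool", []byte("extra VIB (constructed)")))
	pcr, rejected = measuredBoot(pub, extra)
	fmt.Println("extra VIB: rejected", rejected, "PCR matches baseline:", pcrMatches(pcr, baseline))
}
```

The second scenario is the reason the post tells you to monitor PCR 20 rather than rely on signatures alone: a signature proves who produced a module, while the PCR proves which set of modules actually booted, in which order. Any alerting you build on the PCR value needs a per-image baseline that is refreshed through change management whenever an authorized VIB is added or upgraded, otherwise every legitimate patch looks like tampering.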

In this blog we discussed the features for securing the VMkernel at the Virtualization layer.  There are three main components: Memory Hardening, Kernel Module Integrity and Trusted Platform Module (TPM).  All three play a very important and diverse role in the security architecture of vSphere 5.0. Monitoring and/or logging the activity of these features and alerting on thresholds is a critical step to ensuring your vSphere environment remains secure.
