Friday, March 31, 2017

VMware Threat Exploit Found During Pwn2Own Event

The threat was first discovered on Workstation during Pwn2Own hacking event.  With further investigation, it is now found possible on ESXi 6.0U1 and above.

Do check out the VMware Security Advisories here.  The patches are all available currently.

Read about the how this was found during Pwn2Own event on the blog post here.

Tuesday, March 21, 2017

VMware Certification Exam Price Increase

If you have been following the exam news that has been release, starting from 1st April, the price of the exams for all level starting from Foundation, Associate, Professional, Advanced Professional and Expert have all increased.  You can read up the official post here.

I will skip the Foundation and Associate exam since these are just entry level exams.

Looking at Professional (VCP), Advanced Professional (VCAP) and Expert (VCDX), each has increased from $225 to $250, $400 to $450 and $300 + $900 to $995 + $3,000 respectively.  If you look at it its a gradually increase in tier except for the Expert level which one would think twice attempting with an increase over 130%.  With this increased, this exam will be a company sponsored exam moving forward and not meant for one to self sponsor himself at close to $5,000.  Though these prices are affecting the developed countries.

Not sure why the move but it seems like VMware it controlling the number of people attaining VCDX and keeping that title exclusive for now.  The attempt of these exams will definitely decrease drastically especially for VCDX.

If you are keen to pursue any of the exams above, do sign up fast before 1st Apr by voucher or registeration of interest before the hefty price adds on you.

Wednesday, March 8, 2017

VMware vSphere 6.5 Security Questions

Been to many customers and have many questions on how our vSphere 6.5 Security enhancement does and how different is it from others.

So to clear some of the questions and also the articles that are available below will provide more details.

A good place to start is read up this VMware blog post by Mike Foley.  This post detail the new UEFI for ESXi and for VMs and on VM Encryption.  Let us break down some questions that are asked often or unclear:

1) Does all OSes support UEFI?
Modern versions of OS like Microsoft Windows 2012, RedHat 5 and Suse Linux Enterprise 11 SP2 and above .  Unless we are talking about older OS that are dependent on BIOS.

2) Who provide the UEFI firmware?
The hardware server vendors that allows OS or hypervisor to be installed on to be boot from.  Hypervisor or virtualization software vendor that allows running of virtual machine to boot from.

3) How can we prevent BIOs, hypervisor and OS been compromise?
The use of UEFI is to ensure digital signature are in placed and verified.  In such, any attempt to modify these, will not be accepted in by ESXi or OS.  So caveat here is all drivers or files need to have digital certificates and not unknown.  This is very common when you try to install certain drivers especially in Windows, and you can just choose Ignore.  With UEFI boot, it cannot be done anymore.  For ESXi, upon Secure UEFI boot, it will fail to boot if any digital certificate is compromise.  So installing an unknown driver even if you ever manage to force it in, will require a reboot and that reboot will fail to boot.  What you will see is PSOD (Purple Screen of Death).

4) Are certificates provided by VMware?
No.  VMware been eco-partners system friendly, has always been leveraging on customers' investment.  Using VM Encryption requires using existing KMS that is support KMIP 1.1.  Which is good since VMware isn't really a security company with IP that are in that field.  It's better to have the expert do the work.

5) Does it encrypt only the data disk or the OS?
VM encryption been the first release is very well thought.  It encrypts the VM as a whole.  Using powerCLI as stated here, you can have even more control and granularity.  You can choose to encrypt one VMDK but not the other.  Or just the VM files not the VMDKs.  You can also enable CryptoSafe mode on ESXi even though you are not having any VM encryption so to have core dumps been encrypted.

6) Is there an agent and only support certain OS?
No agent is required and this is OS dependent and OS will not be aware since vSphere is doing VM encryption and not OS encryption.  In fact, any OS that is supported by vSphere can be encrypted.  How cool is that?  However, you can still leverage on partners like SafeNet, Hytrust, CloudLink, etc. to do OS encryption within the VM to further secure your data.

7) Can we use physical TPM on ESXi?
Yes, you can use TPM on vSphere but that is just securing the boot up process of ESXi.  Currently ESXi only support up to TPM 1.2.  Comparing to UEFI, the different here is TPM is not backward compatible.  So you will need to make sure all your server hardware support the same TPM version. Not a very good idea isn't it?

8) Does vSphere support virtual TPM?
No. vSphere 6.5 does not have a virtual TPM feature.  As similar to the above, this will encounter a dependency on something e.g. Host Guardian Service Infrastructure for Hyper-V 2016.  vSphere uses Secure UEFI where no such setup requirement is needed.  To change new HGS require some effort with caveats, refer to this article.

9) How easy is it if I need to change the KMS?
Do read the article on PowerCLI, VM encryption allows you to change KMS easily without having to decrypt the whole VM and encrypt again.  This is the fact that the Key Encryption Key (KEK) from KMS is used to encrypt the Data Encryption Key (DEK), in the process of changing, all you need is to decrypt the DEK and encrypt with the new KEK from new KMS.

10) Can we use more than one KMS if we have different workload or requirements?
Yes.  As stated in the PowerCLI post, you can even have different VMDK using different KMS in the same VM!  The control is in your hands.

11) What kind of performance are we talking about on VM encryption?
Refer to this whitepaper.   VM Encryption is leveraging the latest Intel processor technology, AES-NI to accelerate in enabling the encryption process.   The keys generated on ESXi are XTS-AES-256 keys.

12) Can vSphere support disable of TLS 1.0?
Yes.  In vSphere 6.5, there is a TLS Reconfiguration Utility.  By default, vSphere comes with TLS 1.0, 1.1 and 1.2 enabled.  With this tool, you can disable TLS 1.0.  Then you will ask what about vSphere 6.0?  Well in vSphere 6.0 Update 3, the tool is already released.

13) What is the limitation for VM security thus far?
vSphere Replication as of today is still not supported.  So implementing any VM that is on Encryption cannot leverage on vSphere Replication.  This is true for within the cluster or across to another vCenter cluster.
Certain VM files like VMX is not completely encrypted as there are still solution on the market which are not using vSphere API to call for information but read directly from VMX file.  Encrypting it will make these solution breaks.

If you have more questions, do post them in the comments so I can answer that in my best effort.

VMworld 2019 US Two Days Summary

If you have been following what VMware has been up to by acquiring several companies and mainly related to Cloud Native Applications solutio...