Understanding the vGW Series Hypervisor and Extended VM Security

This topic covers vGW Series security for the hypervisor and VMs that aligns with VMware hardening guidelines. Before you read this topic, read Understanding Hypervisors and vGW Series.

Note: To benefit from this content, you should have a general understanding of VMware hardening guidelines.

The Need for Hypervisor Security

In full virtualization, a layer, commonly called the hypervisor or the virtual machine monitor, exists between the virtualized operating systems and the hardware. This layer multiplexes the system resources between competing operating system instances.

The hypervisor introduces a new layer of abstraction, and with it a new attack surface. Attempts to target the hypervisor have increased in recent years and are expected to keep growing in number and variety. A successful attack on the hypervisor can cause serious disruption, including compromise of sensitive data and denial of service (DoS), and because the hypervisor sits beneath every guest, a single exposure can affect guest virtual machines (VMs) that belong to many different tenants. Because the hypervisor is a crucial resource in the virtualized environment, protecting it is vital to overall security.

vGW Series enables you to verify that the hypervisor hosts that you secure meet security and compliance standards needed for a secure environment. The built-in hypervisor compliance checks are based on VMware security hardening guidelines. Additional custom hypervisor compliance checks can be created to automate any needed security compliance checks. You can use the built-in hypervisor compliance checks for hypervisors that have either an IPv4 or IPv6 address.

vGW Series Hypervisor and VM Security, and VMware Hardening Guidelines

vGW Series hypervisor security aligns with the VMware hardening guidelines wherever possible, but it does not implement every guideline. For example:

vGW Series Hypervisor and VM Security Overview

You use the Security Design VM to view and configure information for the hypervisor. You can quickly view the vGW Series compliance checks that correspond with VMware recommendations by selecting VMware-VM and VMware-host in the filter box displayed on the Compliance module Rules tab.

When you select a rule, a pane is displayed that explains the rule and the remediation action to take in response to compliance violations.


Remediation

For each compliance check (rule), specific remediation is suggested. You can also refer to the VMware hardening guidelines for additional information.

Configuration Example

To configure compliance requirements for hypervisors and view information about them, you use the VM Tree in conjunction with the Compliance module.

  1. Under Monitoring Groups in the VM Tree, select the Hypervisors group to display the Hypervisor page.

    The Hypervisors page shows the following information:

    • The overall compliance status for the ESX/ESXi hosts in your virtualized environment.
    • For individual hypervisors that belong to the Hypervisors monitoring group, the Compliance Status of Selected VMs table shows the hypervisor IP address, its compliance status, and the number of compliance rules configured for it.
  2. To display information about the rules configured for the hypervisors in the group, click Show Rules.

    The Hypervisors page expands to show the following information:

    • The Compliance Rules for Selected VMs table. This table shows the complete set of rules configured for the hypervisors. For each rule, it shows the following information:
      • The rule name.
      • The weight that is given to the rule.
      • The VMs (in this case, hypervisors) that the rule applies to.
      • The Quarantine state, that is, whether quarantine is enabled for the rule.
      • The overall compliance status of the hypervisors that the rule is assigned to.
    • The Compliance Status of Selected VMs table that shows the following information:
      • The IP address of the hypervisor.
      • The compliance status of the hypervisor in regard to all the rules that are applied to it.
      • The number of rules that apply to it.
  3. To display the configuration of any rule, in the Compliance Rules for Selected VMs table, click the rule name.

    The Edit Rule pane is displayed. It shows the following information:

    • Beneath the name of the rule, a Comment field giving a brief description of it.
    • A Remediation field that suggests a remediation action that you can take to bring the hypervisor into conformance with the rule.

    From the Edit Rule pane, you can modify the definition of the rule in the following ways. You can change:

    • The scope of groups that the rule applies to, in the Compliance Scope list. Click Edit to display the list.
    • The rule weight, in the Weight field, from 1 to 5.
    • Whether an alert is generated when the compliance state of a hypervisor that belongs to the group changes.
    • Whether non-compliant hypervisors should be quarantined.
    • Whether the vGW Security Design VM should automatically create hypervisor groups for Compliant VMs and Non-Compliant VMs.
  4. To customize the rule’s syntax, from the Edit Rule pane for the rule, click Advanced. For details on configuring Smart Group definitions, see Understanding vGW Series Smart Groups.
  5. Click Test to test the rule against hypervisors in the selected scope, after you configure the rule.
  6. After you are satisfied with the rule definition, click Save.
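The following Python script is an added illustration of the rule model the procedure above configures (compliance scope, weight 1 to 5, alert on state change, quarantine, and automatic Compliant VMs / Non-Compliant VMs groups) applied to a small constructed host inventory. It is not vGW Series code: how vGW evaluates its rules internally, and how it uses the weight, is not documented on this page, so the host inventory, the three checks (loosely following common ESXi hardening items for lockdown mode, SSH and NTP), and the use of weight as remediation priority are all assumptions made here for the example.

```python
"""Toy compliance-rule evaluator that mirrors the Compliance module workflow
described above (scope, weight 1-5, alert, quarantine, auto-created
Compliant/Non-Compliant groups). This is an added illustration, not vGW Series
code: how vGW evaluates its rules internally is not documented on this page.
The inventory and the three checks are constructed here, loosely following
common ESXi hardening items (lockdown mode, SSH, NTP); they are not vGW's
built-in rules. Treating weight as remediation priority is also an assumption."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Host = Dict[str, object]   # one hypervisor's collected settings

# Constructed inventory keyed by management address; the page notes that both
# IPv4 and IPv6 hosts can be checked.
INVENTORY: Dict[str, Host] = {
    "10.0.0.11":    {"group": "prod", "lockdown_mode": True,  "ssh_enabled": False, "ntp_servers": ["10.0.0.1"]},
    "10.0.0.12":    {"group": "prod", "lockdown_mode": False, "ssh_enabled": True,  "ntp_servers": ["10.0.0.1"]},
    "2001:db8::21": {"group": "lab",  "lockdown_mode": False, "ssh_enabled": True,  "ntp_servers": []},
}


@dataclass
class Rule:
    name: str
    check: Callable[[Host], bool]   # returns True when the host satisfies the rule
    remediation: str                # the Remediation field shown in the Edit Rule pane
    scope: List[str]                # Compliance Scope: groups the rule applies to
    weight: int = 3                 # Weight field, 1-5
    alert: bool = True              # alert when a host's state under this rule changes
    quarantine: bool = False        # quarantine hosts that fail this rule

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 5:
            raise ValueError(f"{self.name}: weight must be 1-5, got {self.weight}")


# Constructed rules (assumptions for this example, not vGW's built-in checks).
RULES: List[Rule] = [
    Rule("Lockdown mode enabled", lambda h: h["lockdown_mode"] is True,
         "Enable lockdown mode so the host is managed only through vCenter.",
         scope=["prod"], weight=5, quarantine=True),
    Rule("SSH service disabled", lambda h: not h["ssh_enabled"],
         "Stop the SSH service and set its startup policy to off.",
         scope=["prod", "lab"], weight=4),
    Rule("NTP configured", lambda h: len(h["ntp_servers"]) > 0,
         "Configure at least one NTP server so log timestamps are trustworthy.",
         scope=["prod", "lab"], weight=2, alert=False),
]
RULE_BY_NAME = {r.name: r for r in RULES}


def evaluate(inventory: Dict[str, Host], rules: List[Rule] = RULES) -> Dict[str, dict]:
    """Per-host status, in the shape of the Compliance Status of Selected VMs table."""
    report: Dict[str, dict] = {}
    for ip, host in inventory.items():
        applicable = [r for r in rules if host["group"] in r.scope]   # scope filter
        results = {r.name: bool(r.check(host)) for r in applicable}
        failed = sorted((r for r in applicable if not results[r.name]),
                        key=lambda r: -r.weight)   # heaviest violation first (assumed use of weight)
        report[ip] = {
            "compliant": not failed,
            "rule_count": len(applicable),
            "results": results,
            "violations": [(r.name, r.weight, r.remediation) for r in failed],
            "quarantine": any(r.quarantine for r in failed),
        }
    return report


def overall_status(report: Dict[str, dict]) -> str:
    """The overall status shown at the top of the Hypervisors page."""
    return "Compliant" if all(h["compliant"] for h in report.values()) else "Non-Compliant"


def auto_groups(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """The Compliant VMs / Non-Compliant VMs groups a rule can create automatically."""
    return {
        "Compliant VMs": sorted(ip for ip, h in report.items() if h["compliant"]),
        "Non-Compliant VMs": sorted(ip for ip, h in report.items() if not h["compliant"]),
    }


def alerts(previous: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Alerts for hosts whose state under an alert-enabled rule changed between two runs."""
    out: List[str] = []
    for ip, now in current.items():
        before = previous.get(ip, {}).get("results", {})
        for name, passed in now["results"].items():
            if name in before and before[name] != passed and RULE_BY_NAME[name].alert:
                out.append(f"{ip}: '{name}' is now {'compliant' if passed else 'NON-compliant'}")
    return out


if __name__ == "__main__":
    report = evaluate(INVENTORY)
    print("Overall:", overall_status(report))
    for ip, h in report.items():
        print(ip, "compliant" if h["compliant"] else "NON-compliant",
              f"({h['rule_count']} rules)", "QUARANTINE" if h["quarantine"] else "")
        for name, weight, fix in h["violations"]:
            print(f"   [{weight}] {name}: {fix}")
    print(auto_groups(report))
```

Note how scope changes the rule count per host: the lab host is evaluated against two rules, the prod hosts against three, so the quarantine-enabled lockdown rule never quarantines a lab host. Running `evaluate` twice and diffing the results is what makes the alert-on-change setting meaningful, and a rule with alerts disabled (NTP here) changes the host's status silently.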

Related Documentation