VxRail is built on top of the Dell PowerEdge server platform, whose embedded hardware and system-level security features protect the infrastructure with layers of defense. Additionally, VxRail uses the VMware toolset to further enhance the security that VxRail provides to the end user. VxRail provides a preconfigured and tested stack for all of its security capabilities.
- Data security—Datastores on VxRail can be encrypted using vSAN data-at-rest encryption (D@RE), providing FIPS 140-2 validated protection. VMs can also be encrypted individually using vSphere encryption, and VMs in motion can be encrypted using vMotion encryption. A Key Management Server (KMS) is required for the secure generation, storage, and distribution of encryption keys, except when using vMotion encryption. VxRail and VMware support KMSs that are compatible with the Key Management Interoperability Protocol (KMIP) v1.1 or higher.
- Integrity—To maintain integrity, network segmentation is built into VxRail as part of the system’s initialization (for example, separating the management networks, the vSAN network, and the guest VM networks). Furthermore, the administrator has the ability and flexibility to define additional levels of segmentation as required for the application environment. Other features include the vSphere Distributed Virtual Switch (DVS), which runs Network I/O Control (NIOC) by default. NIOC allocates and restricts bandwidth to the different VLANs to limit the impact of attacks such as Denial of Service.
- Availability—The VxRail HCI system provides software components and upgrades that are engineered, tested, and released as a bundle. Updates are performed as rolling processes while the system remains online serving the business. If a reboot is required, the VMs are automatically migrated to other nodes in the cluster before continuing. VxRail leverages vSphere availability features such as High Availability (HA), VMware Distributed Resource Scheduler (DRS), and VMware Stretched Clusters. These features help provide continuous availability of services hosted on VxRail.
For backup and recovery, VxRail incorporates a starter pack for Dell RecoverPoint for VMs (RP4VMs), which provides local and remote replication and granular recovery. Also, the HCI System Software file-based backup and restore protects against accidental deletion or internal corruption of the VM. Backups can be configured to occur regularly or on an as-needed basis.
Other security components supported by VxRail are authentication, authorization, and accounting. The Single Sign-On (SSO) feature handles authentication on VxRail, leveraging an existing centralized identity management system. For authorization, vSphere allows the creation of custom rules and roles to support the principle of least privilege. VxRail supports accounting by providing vRealize Log Insight, which aggregates logs from VMware components as well as servers, network devices, storage, and applications. For organizations that already have a log management system or Security Information and Event Management (SIEM) system, VxRail integrates easily using the standard Syslog protocol.
VxRail also supports physical security. The system includes a feature to disable USB ports on the system, and VxRail nodes can monitor for events such as chassis openings, parts failure or replacement, firmware changes, and temperature warnings.
The following lists some of the standards and certifications that the VxRail system satisfies:
- FIPS 140-2 Data-at-Rest Encryption: PowerEdge servers used by VxRail have been validated.
- Common Criteria EAL 2+: PowerEdge servers and vSphere components used by VxRail currently hold a full certification.
- NIST Cybersecurity Framework
- DISA STIG: Dell offers manual and automated steps for configuring VxRail to comply with Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) requirements.
- IPv6: VxRail passed USGv6 interoperability testing for IPv6 in dual stack mode and the higher standard for IPv6 Ready testing.
- Trusted Platform Module: TPM 1.2 and TPM 2.0 are optionally available with VxRail. vSphere supports both TPM 1.2 and TPM 2.0.
For a more comprehensive guide to VxRail security features and guidance, see the white paper Dell VxRail: Comprehensive Security by Design.