Data security follows the CIA triad (confidentiality, integrity, and availability) to ensure that data is available only to authorized accounts and that compliance requirements and specifications are met. This covers both physical access to the hardware and user-level access to the data.
Preventing sensitive information from reaching the wrong people while ensuring appropriate, authorized access to a company's data is a fundamental problem summed up as confidentiality or privacy. VxRail addresses the confidentiality of data in use, data in motion, and data at rest.
Encryption protects the confidentiality of information by encoding it so that it is unintelligible to unauthorized recipients. With VxRail, the vSAN datastore can be encrypted using vSAN data-at-rest encryption (D@RE), which is built on FIPS 140-2 validated cryptographic modules. Because it covers the whole datastore, vSAN encryption protects not only your workloads but also vCenter (if hosted on the same cluster) and VxRail Manager. Individual VMs can be encrypted using vSphere VM Encryption, and VMs in motion can be protected using encrypted vMotion. Additional layers of encryption may be configured based on application requirements.
vSphere VM encryption debuted in vSphere 6.5, and vSAN 6.6 added datastore-level encryption, so encryption is available at both the VM and the disk storage level. In vSphere 7.0 Update 2, VMware added native key management (the vSphere Native Key Provider). This encryption is embedded in the VMware stack and can be used without any additional third-party software. The keys for vSphere encryption are controlled at the hypervisor level, so the guest VMs never have access to them.
vSAN encryption is the easiest and most flexible way to encrypt data at rest because the entire vSAN datastore is encrypted with a single setting. This encryption is cluster-wide for all VMs using the datastore. Normally, encrypted data does not benefit from space-reduction techniques such as deduplication or compression. However, with vSAN, encryption is performed after deduplication and compression, so the full benefit of these space reduction techniques is maintained.
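The ordering point above is easy to demonstrate. The following Go program is an added example, not VxRail or VMware code: it takes a constructed, highly redundant buffer and applies gzip compression and AES-256-GCM encryption in both orders. The fixed demo key and the sample data are assumptions of the example; in a real deployment the key is supplied by the KMS or the Native Key Provider, and vSAN's compression and deduplication are not gzip, but the effect of the ordering is the same.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// SampleWorkload is a constructed, highly redundant buffer (about 64 KiB), the
// kind of data that deduplication and compression reduce well.
func SampleWorkload() []byte {
	return bytes.Repeat([]byte("VxRail vSAN datastore block 0000 "), 2048)
}

// gzipBytes compresses data with the strongest gzip level.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// encryptAESGCM seals plaintext with AES-256-GCM and prefixes the random nonce.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// EncryptThenCompress returns the stored size when encryption runs first: the
// ciphertext is indistinguishable from random bytes, so gzip finds nothing to remove.
func EncryptThenCompress(key, data []byte) (int, error) {
	ct, err := encryptAESGCM(key, data)
	if err != nil {
		return 0, err
	}
	return len(gzipBytes(ct)), nil
}

// CompressThenEncrypt returns the stored size when compression runs first, the
// order vSAN uses: the redundancy is removed before the data is sealed.
func CompressThenEncrypt(key, data []byte) (int, error) {
	ct, err := encryptAESGCM(key, gzipBytes(data))
	if err != nil {
		return 0, err
	}
	return len(ct), nil
}

func main() {
	// Demo key (assumption); real keys are issued by the KMS or Native Key Provider.
	key := bytes.Repeat([]byte{0x42}, 32)
	data := SampleWorkload()
	etc, _ := EncryptThenCompress(key, data)
	cte, _ := CompressThenEncrypt(key, data)
	fmt.Printf("plaintext:             %d bytes\n", len(data))
	fmt.Printf("encrypt-then-compress: %d bytes (no space savings)\n", etc)
	fmt.Printf("compress-then-encrypt: %d bytes\n", cte)
}
```

The encrypt-first result is slightly larger than the plaintext (GCM nonce and tag plus gzip framing), while the compress-first result is a few hundred bytes; this is the space reduction that vSAN preserves by encrypting after deduplication and compression.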
VM Encryption provides the flexibility to enable encryption on a per-VM basis, which means a single cluster can have encrypted and non-encrypted VMs. VM Encryption follows the VM wherever it is hosted. So even if the VM were moved to a datastore outside VxRail, it would remain encrypted.
Also, while VM encryption can be turned on and off, migration of an encrypted VM with vSphere vMotion always uses encrypted vSphere vMotion. For VMs that are not encrypted, the vMotion encryption setting can be Disabled, Opportunistic, or Required. Opportunistic is the default for unencrypted VMs: the migration is encrypted when both the source and destination hosts support it, and proceeds unencrypted otherwise. The following figure summarizes the difference between VM encryption and vSAN encryption:
VxRail supports encrypted vMotion, where VMs are encrypted when they are moved between hosts. This includes vMotion migrations within a VxRail as well as vMotion migrations to or from a VxRail cluster within a vCenter instance. Encrypted vMotion can be used with vSAN encryption to have data at rest encryption and data-in-transit encryption. Encrypted vMotion is enforced for VMs with vSphere Encryption enabled.
Except for vMotion Encryption, where vSphere provides the temporary keys used to encrypt the data in motion, a Key Management Server (KMS) is required for the secure generation, storage, and distribution of the encryption keys. When encryption is enabled, vCenter establishes a trust relationship with the KMS and then passes the KMS connection information to the ESXi hosts. The ESXi hosts request encryption keys directly from the KMS and perform the data encryption and decryption. vCenter connectivity is only required for the initial setup.
Because the KMS is a critical component of the security infrastructure, it should have the same level of redundancy and protection typically applied to other critical infrastructure components, such as DNS, NTP, and Active Directory. It is important to remember that the KMS should run physically separate from the elements that it encrypts; a KMS hosted on the cluster it protects cannot be reached when that cluster is starting up. During startup, the ESXi hosts request their keys from the KMS. If the KMS is unavailable, the hosts cannot complete startup.
VxRail and VMware support KMSs that are compatible with Key Management Interoperability Protocol (KMIP) v1.1 or higher such as . VMware maintains a Compatibility Guide of KMSs that have been validated with vSphere.
Within vSphere, encryption is handled by a common set of modules that are FIPS 140-2 validated. These common modules are designed, implemented, and validated by the VMware Secure Development Lifecycle. Having a set of common modules for encryption allows VxRail to make encryption easier to implement, manage, and support.
Encryption is enabled on VxRail through a simple configuration setting in vCenter. Access controls ensure that only authorized individuals are allowed to enable or disable encryption. A "No Cryptography Administrator" role empowers an administrator to do everyday administrative tasks but without the authority to alter encryption settings.
As part of FIPS 140-2 Level 1 compliance, VxRail has added the following updates to VxRail Manager virtual appliance as of VxRail 7.0.010 release.
Data-in-transit encryption adds to the overall VxRail security posture. It is disabled by default and can be enabled at any time, as it does not require a rolling reformat of the vSAN disk groups. Data-in-transit encryption does not require a key management server (KMS). The encryption keys for the FIPS 140-2 compliant algorithm (AES-256-GCM) are generated automatically and, by default, regenerated every 24 hours.
The use of Data-in-transit encryption can be done alongside other vSAN features such as deduplication, compression, and data-at-rest encryption, to name a few. Data-in-transit encryption can be enabled (disabled by default) on hybrid and all-flash nodes.
Dynamic virtual environments such as VxRail often benefit from the flexibility that Software Defined Network (SDN) services provide. The easiest way to provide SDN on VxRail is with VMware NSX, which is an optional software license and is not included with VxRail. NSX is a complete network virtualization and security platform that allows administrators to create entire virtual networks, including virtual routers, virtual firewalls, and virtual load balancers, purely in software. Because this software-defined networking is decoupled from the underlying physical network infrastructure, it does not depend on VxRail being attached to a particular switch vendor.
NSX with VxRail is an integrated security solution that reduces the need to deploy additional security hardware or software components. With NSX, VxRail administrators configure micro-segmentation to secure and isolate different tenant workloads, control ingress and egress and provide enhanced security for all workloads, including traditional multitier applications and general-purpose VM as well as VDI environments. A few of the benefits of using NSX with VxRail include:
NSX enhances the security posture of an environment and is compliant with the following certifications and standards:
By leveraging the optional VMware NSX platform for security with VxRail, firewall and security policies are built in. It provides a truly converged VxRail as opposed to security sitting externally at the perimeter. Deploying the NSX with VxRail further reduces the time it takes to deploy new application initiatives as security controls become part of the VxRail, rather than additional hardware or software components that are bolted on.
For environments needing even greater security with flexibility, lockdown mode can be configured for the ESXi. In lockdown mode, the ability to perform management operations on individual hosts is limited, forcing management task completion to occur through vCenter where they can be logged against the user who performed them.
Lockdown in "Normal" mode allows a select group of users to be on an allow list, enabling them to manage the servers locally instead of through vCenter; this allow list must include certain VxRail management accounts.
In strict lockdown mode, no users are allowed to manage the servers locally. VxRail does not support lockdown in "Strict" mode.
Unsecured management traffic is a significant security risk. VxRail therefore secures its management interfaces with Transport Layer Security (TLS): vCenter, iDRAC, and HCI System Software all disable the clear-text HTTP interface and require HTTPS. Refer to current support material for the supported TLS versions, as they change over time. In addition, command-line access to the ESXi hosts must use SSH. Using SSH and HTTPS is therefore essential for securing command and control of a VxRail cluster.
The integrity of a company's data is a fundamental requirement of business operations. VxRail ensures the integrity of your data by maintaining its consistency, accuracy, and trustworthiness over its lifecycle, through controlled user access and built-in integrity features such as data checksums.
Network segmentation is used to isolate private network traffic from public traffic to reduce the attack surface. It is also an effective security control for limiting the movement of an attacker across networks.
VxRail is engineered with multiple levels of network segmentation, including physical segmentation of the hardware management network, virtual segmentation of application and infrastructure networks, and micro-segmentation at the VM and application level with the optional NSX software from VMware. Through segmentation, the visibility of critical administrative tools is limited, preventing attackers from using them against a system. By default, appropriate network segmentation is automatically configured as part of the system's initialization. The administrator has the flexibility to define additional levels of segmentation as required for the application environment. Best practices for network configuration are presented in .
VxRail uses VMware Distributed Virtual Switches that segment traffic by default using separate VLANs for Management, vSAN, vMotion, and application traffic. The vSAN and vMotion networks are private, non-routable networks. Depending on the applications supported by a VxRail network, traffic could be further segmented based on different applications, production and non-production traffic, or other requirements.
The Distributed Virtual Switch on a VxRail is configured by default with vSphere Network I/O Control (NIOC), which allocates shares of the physical bandwidth to the different traffic types carried on the uplinks. Some cyber attacks, such as denial of service and worms, drive overuse of resources, which can starve services that are not directly under attack. NIOC guarantees that other services still receive the network bandwidth they need to keep operating during an attack on one service. NIOC settings are configured automatically according to recommended best practices when the system is initialized. The Dell Network Guide includes details of the NIOC settings for the default VxRail VLANs.
Each VxRail node has a separate physical Ethernet port for the iDRAC hardware management interface. Physically segmenting this network makes it difficult for attackers to gain access to hardware management. Additionally, in the event of a distributed denial-of-service attack, the physically segmented networks will not be affected, limiting the scope of a potential attack.
UEFI secure boot protects the operating system from corruption and rootkit attacks. UEFI secure boot validates that the firmware, boot loader, and VMkernel are all digitally signed by a trusted authority. UEFI secure boot for ESXi validates that the VMware Install Bundles (VIBs) are cryptographically signed. This ensures that the server boot stack runs all genuine software and has not been changed or substituted.
A key part of data integrity is validating that the data retrieved from storage has not been altered since it was written. VxRail uses block-level end-to-end data integrity checksums by default. The checksum is created when the data is written and verified on every read; if the checksum shows that the data has changed since it was written, the block is rebuilt from the other replicas or parity members of the object, according to its storage policy. vSAN also uses a proactive scrubber mechanism to detect and correct potential data corruption, even on infrequently accessed data.
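The read-verify-repair cycle and the scrubber described above, modelled as an added Go example (not vSAN code and not its on-disk format): a mirrored store keeps two replicas of each block with a CRC-32C checksum taken at write time, verifies the checksum on every read, serves and repairs from a healthy replica when one copy has rotted, and reports blocks that no replica can recover. The block contents and the bit-flip corruption are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"hash/crc32"
)

// castagnoli is the CRC-32C table (the Castagnoli polynomial).
var castagnoli = crc32.MakeTable(crc32.Castagnoli)

// Block is a stored data block plus the checksum computed when it was written.
type Block struct {
	Data []byte
	Sum  uint32
}

// MirroredStore models a RAID-1 object with N replicas (toy; not vSAN's format).
type MirroredStore struct {
	replicas [][]Block
	Repairs  int // count of replica copies rewritten from a healthy sibling
}

func NewMirroredStore(replicaCount, blocks int) *MirroredStore {
	s := &MirroredStore{replicas: make([][]Block, replicaCount)}
	for i := range s.replicas {
		s.replicas[i] = make([]Block, blocks)
	}
	return s
}

// Write stores the data and its checksum on every replica.
func (s *MirroredStore) Write(idx int, data []byte) {
	sum := crc32.Checksum(data, castagnoli)
	for r := range s.replicas {
		s.replicas[r][idx] = Block{Data: append([]byte(nil), data...), Sum: sum}
	}
}

// Corrupt flips one bit on one replica without touching its checksum (bit rot).
func (s *MirroredStore) Corrupt(replica, idx int) {
	s.replicas[replica][idx].Data[0] ^= 0x01
}

var ErrUnrecoverable = errors.New("no replica has a valid checksum")

func valid(b Block) bool { return crc32.Checksum(b.Data, castagnoli) == b.Sum }

// Read verifies the checksum on each copy; it serves the first healthy replica
// and rewrites any copy whose checksum failed from that healthy data.
func (s *MirroredStore) Read(idx int) ([]byte, error) {
	var good *Block
	for r := range s.replicas {
		if valid(s.replicas[r][idx]) {
			good = &s.replicas[r][idx]
			break
		}
	}
	if good == nil {
		return nil, ErrUnrecoverable
	}
	for r := range s.replicas {
		if !valid(s.replicas[r][idx]) {
			s.replicas[r][idx] = Block{Data: append([]byte(nil), good.Data...), Sum: good.Sum}
			s.Repairs++
		}
	}
	return append([]byte(nil), good.Data...), nil
}

// Scrub walks every block so that silent corruption is repaired before a
// workload reads it; it returns the indexes that could not be recovered.
func (s *MirroredStore) Scrub() []int {
	var bad []int
	for idx := range s.replicas[0] {
		if _, err := s.Read(idx); err != nil {
			bad = append(bad, idx)
		}
	}
	return bad
}

func main() {
	s := NewMirroredStore(2, 4)
	for i := 0; i < 4; i++ {
		s.Write(i, []byte(fmt.Sprintf("block-%d-contents", i)))
	}
	s.Corrupt(1, 2) // one replica rots silently
	data, err := s.Read(2)
	fmt.Printf("read block 2: %q err=%v repairs=%d\n", data, err, s.Repairs)
	s.Corrupt(0, 3)
	s.Corrupt(1, 3) // both replicas rot: nothing left to repair from
	fmt.Println("scrub found unrecoverable blocks:", s.Scrub())
}
```

The second scenario is the caveat: a checksum detects corruption, but recovery depends on a surviving healthy copy, which is why the number of failures to tolerate in the storage policy matters as much as the checksum itself.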
Keeping your IT system updated, making sure hardware is functioning correctly and providing adequate bandwidth are all keystones for maintaining the availability of a company's data to authorized users. VxRail software lifecycle management, vSphere availability features, proactive monitoring, built-in recovery, and physical security of the hardware and secure system configuration ensure maximum system availability. VxRail achieved a 99.9999% uptime (based on Dell Technologies field performance, July 2020, AD# G20000255), which demonstrates how VxRail is greater than the sum of its parts. This impressive feat is a result of a strategically designed, fully validated, and purpose-built automated HCI system.
One of the most critical actions an organization can take to keep its IT infrastructure secure is to keep software updates and patches current. Updates and patches don't just fix issues that might lead to downtime or improve performance; they often fix security vulnerabilities. There is tremendous collaboration within the security community, but not everyone is on the same side, and it becomes a race between the defenders who are working to mitigate and remediate the threats and the attackers whose goal is to exploit the vulnerabilities. Because VxRail is co-engineered with VMware, the VxRail team is read in early on plans for security fixes, which enables it to quickly validate and prepare pre-qualified security patches.
VxRail software lifecycle management makes complex and risky update operations easy to install and safe to implement. VxRail is the only HCI system in which all software components are engineered, tested, and released as a single bundle. VxRail software bundles may include updates to BIOS, firmware, the hypervisor, vSphere, or any of the included management components. When vulnerabilities are discovered, fixes are developed quickly regardless of which layer of the stack they affect. Update bundles are extensively tested on the VxRail hardware platform and the entire VxRail software stack before being released to customers.
Administrators are notified through the HCI System Software when updates are available and can also subscribe to Product and Security Advisories at support.dell.com. The administrator can then download the update bundle directly and initiate or schedule an orchestrated update process. Updates are performed as rolling processes while the system remains online, serving the business. If a reboot is required, the VMs are automatically migrated to other nodes in the cluster before continuing.
HCI System Software lifecycle management reduces complexity, but it also makes the infrastructure more secure by reducing the time and difficulty it takes to patch systems, and with it the window during which a known vulnerability remains exposed.
VxRail lifecycle management upgrade packages carry digital signatures. A digital signature acts as a fingerprint unique to the package and provides a secure way to confirm that the upgrade package is authentic and unaltered. The digest of a VxRail lifecycle management bundle is calculated with the SHA-384 hashing algorithm and stored in a manifest file that is itself digitally signed, which ensures the integrity of the upgrade package and gives assurance that its source is Dell Technologies. Customers can follow a SolVe procedure to validate the digital signature and the message digests in the manifest.
Files that cannot be cryptographically signed, such as firmware, shall be verified using the SHA256 hashing algorithm.
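The two checks above, signature over a digest manifest for the bundle and a bare SHA-256 for files that cannot be signed, as an added Go example. This is not Dell's SolVe procedure or VxRail Manager code: it uses an Ed25519 key pair generated in the demo to stand in for the publisher's signing key, a constructed two-file bundle, and a plain text manifest layout that is an assumption of the example. The order of operations is the point: the manifest signature is verified before any digest in it is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each file name in a bundle to the hex SHA-384 digest of its contents.
type Manifest map[string]string

// BuildManifest is the publisher-side step: hash every file in the bundle with SHA-384.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range files {
		sum := sha512.Sum384(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Serialize renders the manifest in a deterministic order so that the bytes the
// publisher signs are exactly the bytes the customer verifies (demo format).
func (m Manifest) Serialize() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sb.WriteString(n + " " + m[n] + "\n")
	}
	return []byte(sb.String())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not signed by the expected publisher")
	ErrDigest       = errors.New("file digest does not match the signed manifest")
	ErrMissing      = errors.New("file listed in the manifest is absent from the bundle")
)

// VerifyBundle checks the manifest signature first (authenticity), then every
// listed file against its SHA-384 entry (integrity). A manifest whose signature
// fails is rejected before any digest in it is used.
func VerifyBundle(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		name, want := fields[0], fields[1]
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrMissing, name)
		}
		sum := sha512.Sum384(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrDigest, name)
		}
	}
	return nil
}

// VerifyFirmwareSHA256 covers files that cannot carry a signature: the file is
// compared against a SHA-256 digest obtained from a trusted source. It detects
// corruption, and substitution only insofar as that published digest is trusted.
func VerifyFirmwareSHA256(data []byte, expectedHex string) bool {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == expectedHex
}

func main() {
	// Demo key pair standing in for the publisher's signing key (assumption).
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	// Constructed bundle contents; real bundles are ISOs and archives.
	files := map[string][]byte{
		"composite-bundle.zip": []byte("composite bundle bytes"),
		"vcenter-patch.iso":    []byte("vcenter patch bytes"),
	}
	manifest := BuildManifest(files).Serialize()
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("pristine bundle:", VerifyBundle(pub, manifest, sig, files))
	files["vcenter-patch.iso"] = []byte("vcenter patch bytes, modified in transit")
	fmt.Println("tampered file:  ", VerifyBundle(pub, manifest, sig, files))
}
```

The SHA-256 path deserves its caveat: a digest alone proves nothing about origin, so the expected value must come from somewhere an attacker who could swap the firmware file could not also edit, such as the signed manifest or the vendor's support portal over HTTPS.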
VxRail leverages the built-in vSphere availability features, including VMware High Availability (HA), VMware Distributed Resource Scheduler (DRS), and VMware stretched clusters. These capabilities underpin VxRail's automated software updates, which evacuate VMs before a node reboots, and provide continuous availability of the services hosted on VxRail. It is therefore recommended that customers use versions of vSphere that include these capabilities.
VMware HA monitors the running VMs in a VxRail cluster. If a VM or node fails, HA restarts the affected VMs on another node in the cluster. A VM can fail for several reasons, including a cyber attack, an underlying hardware failure, or corrupted software. Although VMware HA does not prevent outages, it minimizes the time it takes to restore services.
VMware DRS spreads the VM workload across all the hosts in the cluster. As VM resource demands change, DRS migrates VM workloads to other hosts within the cluster using vSphere vMotion. Cyber attacks often drive heavy resource utilization on the VM being attacked, and heavy utilization at the host level reduces the resources available to the other VMs on that host, so an attack can cause resource problems for VMs that were never targeted. DRS protects those VMs by migrating them away from resource-constrained hosts, enabling them to continue providing service.
A VMware stretched cluster extends a VxRail cluster from a single site across two sites for a higher level of availability. Only a single instance of each VM exists, but full copies of its data are maintained at both sites. Should the site on which the VM is running become unavailable, the VM is restarted at the other site.
Strong security defenses are critical, but a robust and trusted recovery plan is equally important. Backup and replication are the cornerstones of recovery after a breach. To aid in recovery, HCI System Software includes file-based backup and restore. Each VxRail incorporates a starter pack for Dell RecoverPoint for VMs (RP4VM), which provides local and remote replication and granular recovery.
HCI System Software file-based backup and restore protects against the accidental deletion of or the internal corruption of the virtual machine. Backups can be configured to occur regularly or on an as-needed basis. This is an all-inclusive feature that backs up files inside the vSAN datastore, so additional hardware and software are not required.
With RP4VM, if, for example, a VM is compromised or data is damaged or ransomed, the VM and dataset quickly roll back to the point in time prior to the attack, allowing the business to quickly recover. Installed directly from VxRail Manager, RP4VM is deployed, and day-to-day monitoring occurs through the familiar vCenter plugin. Recovery is easy and performed using the vSphere interface.
For organizations that require enhanced, comprehensive data protection capabilities, VxRail supports options including Dell Data Protection Suite for VMware, Dell PowerProtect, and Dell Data Domain Virtual Edition.
File-based backups of VxRail HCI System Software help ensure business continuity in the rare event the VxRail VM needs to be rebuilt.