VxRail is built on top of the Dell PowerEdge server platform that has embedded hardware and system-level security features to protect the infrastructure with layers of defense. Some of the differentiated security features in PowerEdge servers include:
System lockdown prevents unauthorized or inadvertent changes. This industry-first feature prevents configuration changes that create security vulnerabilities and expose sensitive data.
The cyber-resilient architecture with features such as UEFI Secure Boot, BIOS Recovery capabilities, and signed firmware provides enhanced protection against attacks.
System Erase can discover server-attached storage, including hard disk drives (HDDs), solid state drives (SSDs), self-encrypting drives (SEDs), Instant Secure Erase (ISE), and nonvolatile memory drives (NVMe’s). Data stored on ISE, SED, and NVMe devices can be made inaccessible using cryptographic erase, while devices such as non-ISE SATA HDDs can be erased using data overwrite.
Dell PowerEdge servers are the critical hardware that makes up the nodes in a VxRail cluster. Each node's CPU, memory, and disk resources provide the pooled resources for the cluster, and the network interfaces provide connectivity. The secure Dell PowerEdge servers are therefore the foundation for VxRail security.
PowerEdge servers have an integrated remote access controller, called iDRAC. iDRAC uses secure communication, authentication, and role-based access controls to enable secure remote management and configuration of the physical system. With configurable alerts, iDRAC can send event information to your Security Incident and Event Management (SIEM) system whenever the hardware is accessed, or the configuration is changed. Detecting and reporting unauthorized changes protects the integrity of a VxRail. For more information about the security of Dell PowerEdge servers, see Cyber Resilient Security in Dell PowerEdge Servers.
PowerEdge servers use cryptographically signed and verified firmware to build a system of trust. Leveraging security technologies built right into the silicon. Capabilities like Intel's Trusted Execution Technology (TXT) verify that the server performs only the intended version of firmware, BIOS, and hypervisor while preventing the undetected introduction of malware. The following figure illustrates the hardware Root of Trust.
VxRail can achieve even higher protection levels of server integrity by configuring the nodes with an optional Trusted Platform Management (TPM) module. TPM is an international standard for secure crypto-processors, a dedicated microcontroller that is designed to provide high security for cryptography keys, and an option for all VxRail processors.
Physical security is an essential part of any comprehensive security solution. Because a VxRail may be deployed outside of a traditional data center, physical security (for example, bezel locks) can take on even greater importance. To prevent malware or infected software from being introduced from a USB drive, the USB ports on a VxRail can be disabled and then enabled only when needed.
VxRail nodes also monitor for other events such as chassis openings, parts failure or replacement, firmware changes, and temperature warnings. This information is recorded in the iDRAC Lifecycle Log. A chassis does not have to be opened frequently after it is put into production. Tracking such activity could be an indicator of an attempt to compromise the system.