An important part of maintaining security is ensuring that all the relevant security configuration elements are implemented on all the objects in an environment. An individual VxRail cluster can have up to 64 physical nodes, and multiple VxRail clusters can be managed by one vCenter, thus supporting thousands of VMs. Even a simple change—if it must be configured on all the VMs—could take a significant amount of time to enact. In addition, when performing repetitive tasks, people are prone to make mistakes. This is where automation becomes critical.
Automation gives an environment fewer configuration errors and a more consistent configuration while increasing efficiency. It shortens the time between when a decision is made and when it is implemented, which in turn shortens the time to value of that decision.
Compatible tools such as vRealize Automation allow vSphere and vSAN configuration to be automated. vRealize Automation can also be used to validate that the security configuration has not drifted from its approved settings; a drift check is only as useful as the baseline it compares against, so the baseline should be reviewed whenever the hardening standard changes and the check should run on a schedule rather than once at deployment. In addition, because vRealize Automation is a standard VMware tool, many IT virtualization teams already know how to work with it and have created profiles that will work with a VxRail cluster.
The VMware software suite provides VxRail with a highly available, resilient, on-demand virtualized infrastructure. ESXi, vSAN, and vCenter Server are core components of vSphere. ESXi is a hypervisor that is installed on a physical VxRail server node in the factory that enables a single physical server to host multiple logical servers or VMs. vSAN is the software-defined storage that is used by the VMs, and VMware vCenter Server is the management application for ESXi hosts, vSAN, and VMs.
Like Dell, VMware follows a rigorous Secure Software Development Lifecycle process and operates a Security Response Center. VxRail is jointly developed and supported with VMware, ensuring that all components in the solution are designed, built, tested, and deployed with security as a top priority. For more information, see VMware Product Security.
In VxRail, the ESXi hypervisor hosts VMs on the cluster nodes. Each VM is a complete, portable system with its own virtual processors, memory, networking, storage, and BIOS. VMs are isolated from one another by the hypervisor, so when a guest operating system in one VM fails, other VMs on the same physical host are not affected and continue to run. VMs share access to the physical CPUs, and ESXi is responsible for CPU scheduling. ESXi also assigns each VM a region of usable memory and manages shared access to the physical network cards and disk controllers in the host. x86-based guest operating systems are supported (the VMware Compatibility Guide lists the tested versions), and VMs on the same physical server hardware can run different operating systems and applications.
Dynamic virtual environments such as VxRail often benefit from the flexibility that software defined security services provide.
VxRail uses VMware Distributed Virtual Switches that segment traffic by default using separate VLANs for Management, vSAN, vMotion, and application traffic. The vSAN and vMotion networks are private, non-routable networks. Depending on the applications supported by a VxRail network, traffic could be further segmented based on different applications, production and non-production traffic, or other requirements.
The Distributed Virtual Switch on a VxRail is configured by default with vSphere Network I/O Control (NIOC). NIOC allows the physical bandwidth of the uplinks to be allocated among the different system traffic types (management, vSAN, vMotion, and VM traffic) using shares, reservations, and limits. Some cyberattacks, such as denial-of-service attacks and worms, lead to the overuse of network resources, which can deny bandwidth to services that are not directly under attack. NIOC can guarantee that those other services still receive the bandwidth they need to remain available during an attack on another traffic type. Note that shares only take effect when the uplink is contended; a reservation is the hard guarantee, so a traffic type that must survive a flood should carry a reservation rather than rely on shares alone. NIOC settings are automatically configured following recommended best practices when the system is initialized. The Dell Network Guide includes details of the NIOC settings for the default VxRail VLANs.
Each VxRail node has a separate physical Ethernet port for the iDRAC hardware management interface. Placing this port on its own physically segmented management network makes it far more difficult for an attacker on the production or storage networks to reach the hardware management plane. It also means that a distributed denial-of-service attack against the data networks does not affect the management network, limiting the scope of a potential attack and keeping out-of-band access available for response.
The easiest way to provide advanced network security capabilities on VxRail is with VMware NSX. NSX requires an optional software license; it is not included with VxRail by default. NSX is a complete network virtualization and security platform that allows administrators to create entire virtual networks decoupled from the underlying hardware, which enables customers to implement advanced network security services, such as micro-segmentation, that have not been feasible with hardware-based approaches.
Administrators have the flexibility to implement the NSX security features on VxRail without implementing any software-defined networking. This lets customers use NSX without disrupting their existing network topologies and operating models. With NSX, VxRail administrators can configure micro-segmentation to secure and isolate different tenant workloads, control ingress and egress traffic, and provide enhanced security for all workloads, including traditional multitier applications, general-purpose VMs, and VDI environments.
The benefits of using NSX with VxRail include the ability to build intrinsic network security into the virtualized infrastructure stack. Customers can deliver granular protection with network segmentation and micro-segmentation down to individual workloads, create context-aware security policies, and use distributed IDS/IPS to detect and block lateral movement between workloads.
All of this is managed centrally: the NSX security features are integrated with the vSphere stack and are administered through the vSphere HTML5 Client and NSX Manager.
UEFI Secure Boot protects the boot chain from tampering and from boot-time rootkits. With Secure Boot enabled, UEFI validates that the VxManager operating system, the boot loader, and the VMkernel are digitally signed by a trusted authority before they are allowed to run, and ESXi in turn validates that every vSphere Installation Bundle (VIB) it loads is cryptographically signed. This ensures that the server boot stack runs only genuine software that has not been changed or substituted. Two practical points: Secure Boot must be enabled in the node's UEFI setup for any of this to take effect, and on an ESXi host the status can be confirmed with /usr/lib/vmware/secureboot/bin/secureBoot.py -s (the -c option checks whether the installed VIBs would pass before Secure Boot is turned on). Secure Boot on the host covers the hypervisor boot chain only; a guest VM's own boot chain is protected by enabling the VM-level Secure Boot option for EFI-firmware VMs.
A key part of data integrity is validating that data retrieved from storage has not been altered since it was written. VxRail uses the vSAN block-level, end-to-end data integrity checksum by default. The checksum is created when the data is written and verified on every read; if the verification shows that the data has changed since it was written, the block is reconstructed from the other members of the RAID set (a mirror copy or erasure-coded parity) and the bad copy is repaired. vSAN also runs a proactive scrubber that detects and corrects latent corruption even in data that is rarely read. Because the checksum can be disabled per storage policy, an audit of the storage policies in use should confirm that no policy applied to production VMs has object checksums turned off.
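The read-verify-repair and scrubber behaviour described above, as an added example that is not part of this guide or of vSAN: a small in-memory model of a mirrored (two-replica) object that stores a checksum beside every 4 KB block, verifies it on read, recovers from the other replica when verification fails, and exposes a scrub pass over all blocks. CRC-32 from zlib is used here as a stand-in for vSAN's own checksum; the block size, replica layout, and the corruption helper are assumptions made for the demonstration.

```python
import zlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # checksum granularity assumed for this model


class UnrecoverableBlock(Exception):
    """Raised when no replica holds a copy of the block whose checksum verifies."""


@dataclass
class Replica:
    """One copy of an object's data. Each block is stored as (data, checksum)."""
    name: str
    blocks: dict = field(default_factory=dict)

    def corrupt(self, index, offset=0):
        """Simulate silent media corruption: flip one bit, leave the checksum alone."""
        data, crc = self.blocks[index]
        damaged = bytearray(data)
        damaged[offset] ^= 0x01
        self.blocks[index] = (bytes(damaged), crc)


class MirroredObject:
    """An object protected by RAID-1 style mirroring across several replicas."""

    def __init__(self, replicas=2):
        self.replicas = [Replica(f"replica-{i}") for i in range(replicas)]

    @staticmethod
    def checksum(data):
        return zlib.crc32(data) & 0xFFFFFFFF

    def write(self, index, data):
        """Compute the checksum once at write time and store it with every copy."""
        if len(data) != BLOCK_SIZE:
            raise ValueError(f"block must be {BLOCK_SIZE} bytes")
        entry = (bytes(data), self.checksum(data))
        for replica in self.replicas:
            replica.blocks[index] = entry

    def _verified(self, replica, index):
        """True if the replica holds the block and its data matches the stored checksum."""
        entry = replica.blocks.get(index)
        return entry is not None and self.checksum(entry[0]) == entry[1]

    def read(self, index):
        """Return (data, names_of_repaired_replicas).

        The first replica whose checksum verifies supplies the data; any replica
        whose copy fails verification is overwritten with the good copy.
        """
        good = next((r.blocks[index] for r in self.replicas if self._verified(r, index)), None)
        if good is None:
            raise UnrecoverableBlock(index)
        repaired = []
        for replica in self.replicas:
            if not self._verified(replica, index):
                replica.blocks[index] = good
                repaired.append(replica.name)
        return good[0], repaired

    def scrub(self):
        """Proactively verify every block on every replica, repairing from good copies.

        Returns (repaired, unrecoverable): repaired is a list of (replica, block)
        pairs that were fixed, unrecoverable lists blocks with no valid copy left.
        """
        repaired, unrecoverable = [], []
        indices = set()
        for replica in self.replicas:
            indices.update(replica.blocks)
        for index in sorted(indices):
            try:
                _, fixed = self.read(index)
                repaired.extend((name, index) for name in fixed)
            except UnrecoverableBlock:
                unrecoverable.append(index)
        return repaired, unrecoverable


if __name__ == "__main__":
    obj = MirroredObject()
    payload = bytes(range(256)) * 16  # constructed 4096-byte block
    obj.write(3, payload)
    obj.replicas[0].corrupt(3, offset=100)
    data, fixed = obj.read(3)
    print("data intact:", data == payload, "repaired:", fixed)
```

The model also shows the limit of the mechanism: if every replica of a block fails verification, a read raises rather than returning silently corrupted data, which is the correct failure mode for an integrity check and the reason the policy's failures-to-tolerate value matters as much as the checksum itself.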
vSAN is policy-driven and designed to simplify storage provisioning and management. vSAN storage policies are built from rule sets that define the storage requirements for VMs, and administrators can change a VM's storage policy dynamically as requirements change. Examples of SPBM rules are the number of failures to tolerate (FTT), the data placement technique to use (RAID-1 mirroring or RAID-5/6 erasure coding), and whether object checksums are enabled.