Hardening the Infrastructure Security are the security measures provided to protect the infrastructure, especially critical infrastructure. While looking into the infrastructure a lot of organizations have already a high rate of virtualization established. Hypervisor hosts are critical infrastructure components at almost any organization, because a large volume of their digital infrastructure is now running virtual on top of those hypervisor hosts.
Best practices:
- Secure Foundation
- Run Hypervisor hosts with TPM 2.0 chips
- With VMware vSphere make use of the Attestation report with alerts
- Run with network isolation for IPMI/iDRAC/iLO remote access interfaces
- Apply principle of least privilege on these remote access interfaces
- Run measured Boot with support for attestation
Secure Foundation
Most components of the Veeam Availability Infrastructure run on top of that virtualization platform, like VMware vSphere. So how can you know for sure that the foundation is secure and trustworthy? When ESXi hosts are equipped with a TPM 2.0 and are running vSphere 6.7 or later, you can run an attestation report from the VMware vCenter Server including alerts when something changes.
TPM 2.0 establishes a Hardware Root of Trust and is used to store measurements of a known good boot of the ESXi host. This is done by building upon the Secure Boot work done in vSphere 6.5. The Secure Boot (1) validates the bootloader and VMkernel. Various measurements (2) are written to the TPM 2.0 chip. Then VMware vCenter Server validates these measurements against the host event log and VIB metadata and marks the host as attested or not. Status can be Passed, Failed or N/A. Secure Boot VIB verifier (4) continues and validates all remaining VIBs.
The term “attestation” is a declaration or evidence of a result. In this case we are using an attestation of a ESXi host to provide evidence that the host has booted with Secure Boot enabled thereby ensuring only signed code is loaded. An ESXi host can have a status under attestation of Passed, Failed or N/A. Where failed means the host is not trusted in contrary when it has a status Passed. Also, Not Available (N/A) can be a status often referring to that the hardware is not compatible aka no TPM 2.0 chip present or useable.
Network isolation for Remote Access interfaces
A good practice is also to apply the principle of least privilege to Remote Access interfaces like IPMI/iDRAC/iLO to the server console limiting access to firmware/BIOS settings. To provide assurance that ESXi can boot securely means you must have a good security process in place for this kind of access. Limiting access to those interfaces to only the most trusted in your organization and logging all changes to those interfaces. That’s how you establish your “root of trust”.
Measured Boot with support for attestation
The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
Resources:
- VMware Trusted Host Attestation Report Overview
- Microsoft Ignite - Measured boot and host attestation
Credits: Photo by GuerrillaBuzz Crypto PR on Unsplash
