VMware Cloud provides numerous ways in which workloads can be made resilient to security and other types of incidents.

NSX Gateways
Workload network segments that are defined in the SDDC are protected by the NSX Gateways.

Microsegmentation
The NSX Distributed Firewall is included with Google Cloud VMware Engine. This firewall provides microsegmentation capabilities by inspecting and controlling traffic at the VM network interface. Unlike a traditional firewall, this allows control of network traffic between workloads on the same network segment, as well as traffic from other sources.

Network Egress Controls
The public IP address network service allows you to connect from the internet to a workload virtual machine (VM), a management appliance, or a load balancer running in your private cloud. For example, if you run a web server on your workload VM, you can serve web traffic using a public IP address through the internet. By default, the public IP network service is disabled.

Console Access
Many organizations adopt a mindset for vCenter Server and Google Cloud VMware Engine Console access that is taken directly from traditional data center practices.

Intrusion Detection & Prevention
The NSX Advanced Firewall Add-On provides a distributed IDS/IPS, L7 firewall and DNS filtering that enhance the capabilities of the existing distributed firewall. It provides a distributed, scalable security solution that is fully integrated with the Private Cloud and with VMware Aria Operations for Logs for monitoring, and can help address many of the considerations in this document.

VMware Tools
VMware Tools are an important component for virtual machines, supplying drivers for paravirtual devices like the vmxnet3 network interface and the pvscsi virtual SCSI controller, as well as a communications channel between ESXi and the guest operating system. That communications channel is important, as it ensures that guest operating systems and workload applications shut down gracefully when needed. It also helps the infrastructure detect that virtual machines have booted correctly as part of vSphere HA actions should a cloud host fail.

In-Guest Controls
Security controls inside workloads are the responsibility of the customer in the Shared Responsibility Model. As discussed earlier in this document, we often suggest that organizations explore using configuration management tools like SaltStack to apply and audit configuration settings on workloads. This saves time and ensures security consistency, and it also simplifies template management.

In-Guest Data-at-Rest Protections
VMware Cloud uses vSAN Data-at-Rest encryption to store data in a public cloud provider's storage. It is possible to use in-guest encryption technologies like Microsoft BitLocker and Linux dm-crypt to protect workloads. This has performance impacts, given the double encryption (BitLocker plus vSAN Encryption), and defeats space efficiency processes like deduplication and compression (your virtual machine will consume its entire allocated disk space). In general, VMware does not suggest using in-guest encryption, but for some very sensitive workloads like Microsoft Active Directory it may be a suitable additional layer of defense. Use it sparingly due to the performance impacts and management overhead.

Storage Policies
As discussed in the Infrastructure Design section, virtual machines can be assigned different vSAN storage policies, which have an impact on performance and storage usage. Reviewing these policies and ensuring they match your organization's risk tolerance and use of the Google Cloud VMware Engine Private Cloud is important.

Multicast
L3 multicast is not supported (e.g. PIM, IGMP snooping). However, L2 multicast traffic is treated as a broadcast and sent to all ports on the network segment. This enables applications that use multicast to communicate within the same network segment, but it does not provide the optimization of having the network send traffic only to subscribed devices.

Workload Resilience
VMware Cloud offers many of the same resilience features found in on-premises versions of vSphere and Cloud Foundation.