January 8th, 2024 22:14

VxRail Security Recommendations

VxRail is often deployed in secure environments and students tend to ask about security measures in our VxRail Administration courses. Let's cover some of the most common security recommendations for your VxRail.

Dell VxRail: Comprehensive Security by Design

The Dell VxRail: Comprehensive Security by Design white paper is not really about recommendations for the administrator; it outlines the security features that VxRail was built around. It provides a good starting point for a discussion of VxRail security.

VxRail Security Configuration Guide

The VxRail Security Configuration Guide provides a variety of security best practices for administrators. I'll list some of the highlights here.

Secure Boot. The Security Configuration Guide has a section on enabling or disabling Secure Boot, but the details are given in KB 158364.

Authentication. An extensive authentication section shows the credential, API, and network port used when executing VxRail commands. Here is a helpful illustration:

This section also details all the credentials used internally by VxRail Manager, identifies which of them VxRail Manager stores permanently (very few, actually), and links to the 7.0 SolVe procedure for changing passwords. In version 8.0, the procedure has been moved to the Administration Guide.

Firewall Rules. This important section is just a link to the firewall rules document.

Certificate Management. I know I get a lot of questions about certificate management in VxRail, so I am happy to see this section in the Security Configuration Guide. The details are actually linked to the SolVe procedure for 7.0, and I will again add the 8.0 link for the topic in the Administration Guide.

Standard Security Events. This section documents a long list of events and their triggers, and where on the VxRail Manager they are logged. Here is a sample:

Event logging can be enhanced by configuring "auditd" on the VxRail Manager. Details are provided at the end of this section.

Verifying VxRail Update Bundle. This section shows how administrators can verify the SHA-384 signatures of the VxRail update bundle components.
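As an added illustration of that kind of check (this is not Dell's procedure or code from the guide), the sketch below compares the SHA-384 digest of each file in a directory against a manifest of expected values and flags altered, missing and unlisted files. The manifest format (`<sha384 hex>  <filename>`, as written by `sha384sum`), the flat directory layout and the file names are assumptions made for the example; the real values and steps come from the Security Configuration Guide.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")

def sha384_file(path, chunk_size=1 << 20):
    """Hash in chunks so large bundle components are never read fully into memory."""
    digest = hashlib.sha384()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse '<sha384 hex>  <filename>' lines (assumed format, as written by sha384sum)."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 2 or len(parts[0]) != 96 or set(parts[0].lower()) - HEX:
            raise ValueError(f"manifest line {lineno}: expected '<sha384 hex>  <filename>'")
        expected[parts[1].strip().lstrip("*")] = parts[0].lower()
    return expected

def verify_bundle(directory, manifest_text):
    """Return {filename: status}; status is OK, MISMATCH, MISSING or UNLISTED."""
    directory, results = Path(directory), {}
    for name, want in parse_manifest(manifest_text).items():
        if not (directory / name).is_file():
            results[name] = "MISSING"
        else:
            match = hmac.compare_digest(sha384_file(directory / name), want)
            results[name] = "OK" if match else "MISMATCH"
    for extra in sorted(p.name for p in directory.iterdir() if p.is_file()):
        results.setdefault(extra, "UNLISTED")  # present on disk but not vouched for
    return results

def demo():
    """Constructed sample: one intact, one altered, one missing and one unlisted file."""
    listed = {f"component-{k}.bin": f"payload {k}".encode() for k in "abc"}
    manifest = "".join(f"{hashlib.sha384(d).hexdigest()}  {n}\n" for n, d in listed.items())
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "component-a.bin").write_bytes(b"payload a")
        (Path(tmp) / "component-b.bin").write_bytes(b"payload b, altered in transit")
        (Path(tmp) / "stray.bin").write_bytes(b"not in manifest")
        return verify_bundle(tmp, manifest)
```

A digest comparison only proves the files match the manifest, so the expected values must come from a trusted source rather than from the same download location as the bundle.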

VxRail STIG Hardening Guide

Dell provides a tested procedure for implementing Department of Defense (DoD) Security Technical Implementation Guidelines (STIG). STIG hardening is done by downloading a collection of PowerShell scripts to a Windows management host and downloading Linux Bash shell scripts to the VxRail Manager. Run the PowerShell script on the Windows host, and it will present a menu of options (below). Notice that it can implement STIG hardening on a new cluster and can also secure newly added nodes.

The main knowledgebase article on implementing STIG is here.

You can find the complete instructions for the procedure here.

The required scripts are available among the VxRail Drivers & Downloads of the Dell Support site.

VxRail Upgrade

Keeping your VxRail up to date is one of the best ways to secure the platform. Dell's goal is to release a VxRail patch within 14 days of an identified, unscheduled VMware vulnerability. Patches for all VxRail software come out on a regular basis. SolVe details the upgrade procedures for all VxRail versions.

VxRail Compliance Drift Report. To detect when your VxRail components are no longer at the correct version, you can run a Compliance Drift Report. This procedure will analyze all of the sub-components of the entire cluster to report their current versions, and will highlight any that are non-compliant. You can easily launch a Compliance Drift Report from the VxRail plugin for vSphere, or from the VxRail API. Here is a brief video on launching the report from the plugin.

VxVerify. An important part of a VxRail upgrade is VxVerify, or the VxRail Manager Health Check. This series of scripts examines the state of your VxRail and reports any issues. While it is specifically targeted at pre-upgrade analysis, it also includes a few security-related tests. For instance (name of check in "quotes"):

  • "dnslookup" Mismatched or missing DNS names and IP addresses.
  • "manage_acc" Unavailable management accounts or mismatched passwords.
  • "thump" Certificate mismatch.
  • "vxrm_path" Python routines not available in default path.
  • "pwe_mystic" or "pwe_root" VxRail Manager user credentials configured with an expiration date.

#IWork4Dell
