As VMware documentation and resources are assimilated into Broadcom, links will change. The current best landing pages for these resources are:
which redirect to
- https://github.com/vmware/vcf-security-and-compliance-guidelines/
- https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-configuration-hardening-guide
respectively. There are older bit.ly links that are being phased out in favor of the brcm.tech links. Organizations that block bit.ly typically block the shortener's domain rather than HTTP 301/302 redirects in general, so the brcm.tech links may work where the bit.ly links do not.
We have quite a number of tactical and strategic resources available to users of VMware products, answering many questions.
- vSphere Security & Compliance Playlist on YouTube
- Glossary of Security Terms
- Compliance & Vulnerability Scanner FAQ
- Best Practices for Patching vSphere
Put simply, Broadcom does not support modifications to appliances or products outside of the documented upgrade and patching processes. Security Configuration Guides, STIGs, the Compliance Kit, and other official guidance found in the Knowledge Base are all supported, provided the guidance used matches the product version being deployed.
- VMware Virtual Appliances and Customizations to Operating System and Included Packages
- Support for Security Technical Implementation Guides (STIGs)
The Security Configuration and Hardening Guide (SCG) provides a baseline security hardening recommendation. It offers detailed instructions and best practices for configuring the various vSphere components to enhance security and to ease compliance with industry standards. That said, it is a guideline, and your organization may have good reason to deviate from it. Good reasons often include specific workload requirements (especially clustered applications, which may need specific network port group security settings) and controls being superseded by regulatory requirements.
- Permanent Link: https://brcm.tech/vcf-scg
- Redirect Target: https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-configuration-hardening-guide
There is a CIS Benchmark for ESX 8.0, but it does not cover components or features enabled through vCenter or vSAN. When in doubt, or if there is a conflict, use the guidance published by Broadcom.
The product documentation is the reference for how a feature or component works. This repository is meant to augment the product documentation. If the docs answer the question "how?" this repository tries to answer the "why?" or "when?" or "so what?" questions you might have.
Documentation is not always flawless. If you encounter an issue with documentation, please use the feedback mechanism for the documentation, which opens a ticket with the documentation team.
VMware has a defined Secure Software Development Lifecycle and policies for how issues are assessed and managed.
- VMware Product Security: An Overview of VMware's Security Programs and Practices
- VMware External Vulnerability Response and Remediation Policy
VMware Security Advisories (VMSAs) are formal notifications of a vulnerability that has been reported and resolved in VMware products. They describe what the problem is and where it is located, list the fixed versions, and sometimes include workarounds and other defensive measures.
- Sign Up for Security Alerts via Email
- VMware Cloud Foundation Vulnerability Disclosures & Advisories
- VMware Tanzu Vulnerability Disclosures & Advisories
- Application Networking and Security Vulnerability Disclosures & Advisories
- Software Defined Edge Vulnerability Disclosures & Advisories
There are no automated vulnerability feeds (RSS or otherwise) available at this time.
STIGs are comprehensive hardening guides for US Department of Defense (DOD) systems, based on DOD and NIST requirements.
- Security Technical Implementation Guides (STIGs)
- Support Policy for Security Technical Implementation Guides (STIGs)
There is considerable overlap between the STIGs and the SCG, intentionally. The STIGs go much further in certain areas in order to comply with DOD requirements. If you are not directly subject to DOD requirements, consider either using the SCG, or using the STIGs without editing configurations inside the appliances.
Broadcom maintains certifications and validations for VMware products that demonstrate our security claims and help ease procurement processes.
- Common Criteria
- Federal Information Processing Standard (FIPS) 140-2 & 140-3
- VMware Cloud Trust Center
This section is growing as we update whitepapers and other resources as part of the merger with Broadcom.
- Best Practices for Patching vSphere
- Practical Ideas for Ransomware Resilience
- Designing Infrastructure to Defend Against Ransomware
- Ransomware Defense and Recovery Strategies
On the surface this doesn't look like secure system design, per se, but less is more when it comes to security. Using VCF means fewer first-order objects to secure (servers, software, etc.), which in turn means fewer second- and third-order objects to secure (network switches, etc.). That means less staff time used, less money spent, and less risk taken.
- Run More VMs and Get Better Performance with VMware vSphere 8
- Run More VMs and Get Better Performance with VMware vSphere 8: The Science
VMware documents the ports, protocols, and connectivity requirements so that enterprise firewall administrators can write specific rule sets rather than broad allow rules.
- Ports and Protocols
- vSphere Firewalling Helper: An Excel spreadsheet that has additional information about network communications and firewalling.
We have a fair amount of information at the following links:
Other resources to help with updates and upgrades beyond patching. Every new version of vSphere and Cloud Foundation brings deep security and functional improvements.
There are over 700 regulatory compliance frameworks that VMware customers apply to their environments, not counting those developed internally by GRC and Infosec groups within customer organizations. As such, we focus on the most common; some of these are linked below. It is often helpful to read the requirements directly rather than relying on interpretations by compliance auditors, vulnerability scanner vendors, and so on.
- NIST SP 800-53 Revision 5
- NIST SP 800-53B Control Baselines
- 800-53-v5-to-ISO 27001-2022 Controls Crosswalk
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
- ISO/IEC 27001:2022 - NOTE: neither free nor freely distributable.
- NIST SP 800-171 Revision 3
- PCI DSS 4.0.1 - NOTE: free but requires acceptance of terms to download
- ACSC Information Security Manual
- Australian Government Protective Security Policy Framework
- EU Digital Operational Resilience Act (DORA)
CISA is the United States' coordinator for infrastructure security and resilience. It publishes a lot of material that is useful to anyone in the world; some highlights are linked below. Bob Plankers' presentations often quote the Risk and Vulnerability Assessments, which are free and available on the CISA website.
- https://www.cisa.gov/
- Risk and Vulnerability Assessments
- Insider Threat Mitigation
- Tabletop Exercise Packages
- Stop Ransomware
The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) leads the Australian Government’s efforts to improve cyber security.
NCSC supports cybersecurity efforts in the United Kingdom. Its site has useful information for organizations globally, especially the collections in the "Information for..." section of the NCSC site.
Additional information about non-VMware components that can help with early detection and containment of attacker movement inside IT infrastructure layers.