Virtualization Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Wed, June 18, 2008

Virtualization Security Assessment Guides Inadequate, Tools Lacking

By Edward L. Haletky

Keywords: Virtual security, VM, virtual infrastructure, VMware security guide, virtual security guidelines

CONNECTIONS
VMware
DISA
We've already discussed the relative lack of tools to secure virtualized servers and infrastructures, the problems inherent in adding bolt-on tools, risks in connecting a VM to the wrong part of a network and other security issues.

What we haven't discussed is what tools are available for administrators or security specialists evaluating their own security situation.

Like other virtual security tool categories, virtual security assessment tools are absent or inadequate.

There are, however, three guides to help administrators do their own virtual security assessments, although there are no tools that implement any of these guidelines fully. The problem with the guidelines and the tools is that they are mainly Linux specific and not really geared towards problems with general virtualization security.

The current tools and guides mainly concern security the management console, not necessarily checking for security problems within the infrastructure. But first we should look at the current batch of guides available.

The first is from VMware, and is their document for hardening the security of your VMware ESX/ESXi host. I however disagree with some of the items in this guide.

The main issue is the assumption that you require some form of centralized password server like Active Direcotry (AD), or LDAP. Not only do these not provide adequate security, not everyone has a centralized password server or wants to implement one.

Also, unless you are using Secure LDAP rather than regular LDAP you will run into issues where the password is sent in cleartext. My opinion is that this is really a choice you make and not a requirement.

The second guide is from the U.S. defense department's Defense Information Systems Agency (DISA), though this guide is not yet publically available. There is some discussion about both its availability and specifics on the VMware Communities Security and Compliance forum. In addition to being hard to get, VMware Communities posters write that it's largely *NIX based, and not specifically for ESX.

The last guide is from CISsecurity—a non-profit membership organization formed to help members codify and improve their electronic security&mdash. The CISecurity guide is a version of their Linux guide, adapted to fit VMware ESX, though it still does not address items specific to ESX specific.

VMware's guide is the closest to one that looks at an entire virtualized environment, but it only mentions one or two specific elements about virtualization.

These elements relate to the internal settings for virtual NICs and capabilities that can be used when connected virtual switches: Promiscuous mode, Mac Spoofing, or Address Spoofing.

Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
MarketSpace White Papers
Twenty-to-One Consolidation on Intel Architecture: New Tools for Virtualization and Workload Management
 Consolidation isn't easy—especially considering the costs and risks that come with bringing multiple applications and operating systems together on a single mainframe or proprietary platform... Learn more »
Building the Virtualized Enterprise with VMware Infrastructure
 Many organizations struggle with their legacy IT infrastructures which are often plagued by high costs, slow response times and inconsistent management... Learn more »
TECHNOLOGY ASSESSMENT: The Impact of Virtualization Software on Operating Environments
 Virtualization is a potential game-changer for modern computing. This IDC Technology Assessment discusses how virtualization technologies impact operating environments, now and in the future... Learn more »
Reducing Server Total Cost of Ownership with VMware Virtualization Software
Technology purchases are often quantified simply by hardware and software costs. But there's more to it. This TCO study takes a holistic view—considering soft dollars too, like ongoing maintenance and... Learn more »
 
SPONSORED LINKS
 

Learn how to leverage virtualization for a 74% savings in TCO.

Find out how you can affordably consolidate applications with VMware.

ESG Research on Server and Storage Virtualization

Get help navigating the management challenges of virtualization.

Narrow the gap between virtualization's benefits and the management risks.

Cash in on the promise of virtualization

High-performance computing is no longer just for Big Business

Stories of real businesses that Virtualized their IT environments

Learn how companies are changing how they reach out to their most profitable customers.

Data Center ROI with RFID Asset Tracking

Improve Web-Enabled SAP Performance

Gartner on Data Deduplication Cost Savings

Data Protection Options Explained

Webcast - "Into the Wild: Managing Laptops Outside the Office"

Complementary BI: The New Approach to Business Intelligence

5 Steps to Successful IT Consolidation

Effective Security with a Continuous Approach to ISO 27001 Compliance

Optimizing Infrastructure Control

Configuration Assessment: Choosing the Right Solution

Boost your top- and bottom- lines.

Unified Communications & Collaboration: Game-Changing Business Results

Best Intel Info for IT Pros/Intel Premier IT Professional Program: Stay up to date with roadmaps, technologies & best practices

Make Hidden Trends, Inter-Relationships and Influences Visible.

Improve delivery of product information to customers.

Prudential Financial Protects its Brand with Symantec

Find out why IDC thinks virtualization is changing operating environments.

Explore the impact virtualization can have on your bottom-line.

Save with 0% Lease Offer on HP Servers and Storage

Find out how to manage virtualization's risks and reap the rewards.

Conquer the realities of managing virtualization

Expand High-Performance Computing (HPC) Capabilities

Power the Platform of Choice for Virtualization in the Enterprise

Virtualization: Simplify. Automate. Lower Costs.

The Right and Wrong Master Data Management Strategies to Start Small and Grow Big

How RFID Improves Data Center Efficiency

Determine the ROI of Web Application Acceleration Managed Services

Achieve a 50:1 Data Deduplication Ratio

Remote Infrastructure Management - What Your Peers are Thinking

Ponemon Study: How Much Does a Data Breach "Cost"?

Data Protection: Challenges for the Traveling User

Optimizing Infrastructure Control

File Integrity Monitoring: Secure Your Virtual and Physical IT Environments

Effective Security with a Continuous Approach to ISO 27001 Compliance

Leading university calls on Nokia for mobile unified communications.

Mobility is Growing: Survey Shows Why CIOs are Concerned

Learn what it takes to build a holistic digital collaboration platform

The ECM Paradox: Extending Local Flexibility to Strengthen Central Control

Customer Insight Yields Sales, Marketing Gains

7 Requirements of Data Loss Prevention

Learn About the Features of the Google Universal Search Solution.

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords