Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Wed, June 18, 2008

Virtualization Security Assessment Guides Inadequate, Tools Lacking

By Edward L. Haletky

Keywords: Virtual security, VM, virtual infrastructure, VMware security guide, virtual security guidelines

CONNECTIONS
VMware
DISA
We've already discussed the relative lack of tools to secure virtualized servers and infrastructures, the problems inherent in adding bolt-on tools, risks in connecting a VM to the wrong part of a network and other security issues.

What we haven't discussed is what tools are available for administrators or security specialists evaluating their own security situation.

Like other virtual security tool categories, virtual security assessment tools are absent or inadequate.

There are, however, three guides to help administrators do their own virtual security assessments, although there are no tools that implement any of these guidelines fully. The problem with the guidelines and the tools is that they are mainly Linux specific and not really geared towards problems with general virtualization security.

The current tools and guides mainly concern security the management console, not necessarily checking for security problems within the infrastructure. But first we should look at the current batch of guides available.

The first is from VMware, and is their document for hardening the security of your VMware ESX/ESXi host. I however disagree with some of the items in this guide.

The main issue is the assumption that you require some form of centralized password server like Active Direcotry (AD), or LDAP. Not only do these not provide adequate security, not everyone has a centralized password server or wants to implement one.

Also, unless you are using Secure LDAP rather than regular LDAP you will run into issues where the password is sent in cleartext. My opinion is that this is really a choice you make and not a requirement.

The second guide is from the U.S. defense department's Defense Information Systems Agency (DISA), though this guide is not yet publically available. There is some discussion about both its availability and specifics on the VMware Communities Security and Compliance forum. In addition to being hard to get, VMware Communities posters write that it's largely *NIX based, and not specifically for ESX.

The last guide is from CISsecurity—a non-profit membership organization formed to help members codify and improve their electronic security&mdash. The CISecurity guide is a version of their Linux guide, adapted to fit VMware ESX, though it still does not address items specific to ESX specific.

VMware's guide is the closest to one that looks at an entire virtualized environment, but it only mentions one or two specific elements about virtualization.

These elements relate to the internal settings for virtual NICs and capabilities that can be used when connected virtual switches: Promiscuous mode, Mac Spoofing, or Address Spoofing.

More from IT Drilldown « Back to Virtualization
CASE STUDY
Disaster Can Inspire Quick Move to Desktop Virtualization
In the wake of a hurricane, a Texas hospital system's IT group overcame user reluctance to virtualize desktop PCs. Here's a look at their journey and the thorny little issue that Citrix just solved a few weeks ago: USB port support. Full Story »

More Case Studies »
Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
 
SPONSORED LINKS
 

Removing Barriers To Better Server Virtualization Efficiency

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

Seven Design Requirements for Web 2.0 Threat Protection

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

A Clear View Toward Virtualization

White Paper: Right-Sizing Your Power Infrastructure

Taking a Seat at the Executive Table: The Reality of Virtualization

Server Consolidation: Leveraging the Benefits of Virtualization

Return on Information: Google Enterprise Search pays you back

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths

White Paper: Managed Security for a Not-So-Secure World

White Paper: 5 Best Practices for Smartphone Support

White Paper: Next Generation Remote Infrastructure Management

Keeping Your Members Safe from Online Scams and Predators

The Total Economic Impact of Network Security Intrusion Prevention

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

eZine: A Roadmap to Reducing IT Complexity

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords