Expert analysis and advice on server virtualization technologies, deployments and management.
Our bloggers: Kevin Fogarty is a veteran technology journalist and analyst who has previously worked for Computerworld, Baseline, eWeek, and Illuminata. Virtualization expert Edward L. Haletky is the author of "VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers", Pearson Education (2008) and runs his own firm, AstroArch Consulting. Laurianne McLaughlin serves as technology editor for CIO, focusing on virtualization as a primary area of coverage.
CISecurity Guide to VMware Security Falls Far Short
Keywords: VMware, Security, Virtual Machines, CISecurity
I've written before about the lack of good tools and guides to security in virtual infrastructures.
The first widely used guide, the CISecurity VMware ESX Security Benchmark, contains a list of tasks to complete, including the shell code to implement most of them. Unfortunately, it is not as complete as I would like.
There are two benchmarks from CISecurity: one for VMware ESX and the other for VMs.
The VM Benchmark is much too generic to be of much use. The VMware ESX edition contains settings and other data that are VM-specific, rather than focusing on VMware ESX.
Unfortunately, the document includes only a few of the isolation tool settings; there are many more that will improve security.
All but a few steps written in the benchmark are about the service console.
While it is important to protect the service console, that is not the be-all and end-all of security.
Nowhere in the benchmark does it explain how the vmkernel itself can be protected. It also falls short on how information can leak through access to the service console (SC) and how to prevent this.
Nor does it explain how the vmkernel protects itself. It assumes—as do many people—that the hypervisor is secure. This is the same as assuming that your firmware is above reproach, despite the availability of root kits that live just fine within firmware routines.
While the document does delve into several ESX-specific issues, vSwitch security options, and other virtual network concerns, it falls short of a true understanding of this critical area. Unless readers fully understand the intricacies of hypervisor security, they will be missing some aspect of security.
For example, the benchmark states that iSCSI is a clear-text protocol and that the CHAP protocol should be used as part of authentication to keep usernames and passwords from being transmitted across the network in the clear.
But it fails to mention that NFS and Fibre Channel-SAN are also clear-text protocols and should be protected.
It does mention that IPsec is not natively supported by VMware ESX, but it does not discuss how this really makes a difference.
iSCSI, for example, supports IPsec only if the devices at both ends of a communication link support it. Nor does the document mention that the VMware Consolidated Backup (VCB) Proxy Server, if in use, could become a backdoor to your VM data.
It is also missing information about the data paths used to manage the system. Specifically, it is missing critical information about weaknesses in WebAccess for administration. It is also missing information about the weak SSL certificates in use on some versions of ESX and how to remediate this.