Virtualization Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Tue, July 08, 2008

VMware's ESX Hardening Guideline Falls Far Short of 'Secure'

By Edward L. Haletky

Keywords: Virtual server, virtual security, VMware security guide

As I've discussed in previous blogs on security for virtual environments, there is a severe lack of comprehensive guidance available on how to secure virtual servers and the parts of an IT infrastructure they touch.

Non-vendor organizations offer some help; more specific documentation is available from the vendors themselves. Even that guidance is somewhat lacking, however.

VMware has several white papers on security, most notable the VI3 Security Hardening guideline and DMZ Virtualization With VI3.

The DMZ paper is useful. But the VI3 Hardening Guideline, which is the place most virtual server managers would start to find security information, falls seriously short of the goal of helping to harden an entire virtual infrastructure or even a single VMware ESX system.

The VI3 Hardening Guideline suffers from the same issues I described in my blog on the CISecurity Benchmark. It gives lip service to the hardening of virtual machines, but most of the discussion is on how to use the remote logging service, and isolate the VM Network.

It does not cover the ability of a virtual machine to isolate itself and the data it protects—abilities with the potential to disallow information leakage to someone who has access to the virtual infrastructure but not to the specific VM being protected.

The discussion on the service console reads like a Linux hardening guideline but is already missing many of the items mentioned in the CISecurity Benchmark.

It further states you should only use the VI Client to access your host (physical) systems. As we all know, this is not only impossible, it fails to address the split-brain authentication and authorization problem of a system with three three separate login facilities.

Furthermore it says you should use a directory service like Active Directory but does not discuss how to structure permissions to disable access to critical files which could contain the root password.

Access to root passwords is possible only if configuration files hold the wrong permissions. While the guide does recommend that IT managers monitor the configuration files to make sure the correct permissions have been granted and have not been changed, it doesn't say what the permissions should be in the first place.

The default setup is, not surprisingly, inadequate. It allows for quite a bit of information leakage.

The guide does start to discuss security of items outside the service console including storage, and networking.

However, the storage discussions focus only on iSCSI, and are misleading even then.

For iSCSI to work within VI3, the service console has to be involved in some way. Hence the statement in the white paper that it's necessary to completely isolate an iSCSI network is incorrect. It cannot be 100% isolated.

More from IT Drilldown « Back to Virtualization
CASE STUDY
For the Kings of Cashmere, Virtualization and 10 Gigabit Ethernet Match Well
At Loro Piana USA, recently dubbed the "kings of cashmere," a server room accident reinforces the need for a stable, disaster-recovery-enabled network of virtual servers. Here's how a new storage array and Neterion 10Gbit/sec Ethernet cards fit into their forward-looking plan for just that. Full Story »

More Case Studies »
Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
MarketSpace White Papers
Twenty-to-One Consolidation on Intel Architecture: New Tools for Virtualization and Workload Management
 Consolidation isn't easy—especially considering the costs and risks that come with bringing multiple applications and operating systems together on a single mainframe or proprietary platform... Learn more »
Building the Virtualized Enterprise with VMware Infrastructure
 Many organizations struggle with their legacy IT infrastructures which are often plagued by high costs, slow response times and inconsistent management... Learn more »
TECHNOLOGY ASSESSMENT: The Impact of Virtualization Software on Operating Environments
 Virtualization is a potential game-changer for modern computing. This IDC Technology Assessment discusses how virtualization technologies impact operating environments, now and in the future... Learn more »
Reducing Server Total Cost of Ownership with VMware Virtualization Software
Technology purchases are often quantified simply by hardware and software costs. But there's more to it. This TCO study takes a holistic view—considering soft dollars too, like ongoing maintenance and... Learn more »
 
SPONSORED LINKS
 

Get IDC's take on one company's foray into storage virtualization.

White Paper: Accelerating the Next Phase of Virtualization

Find out why IDC thinks virtualization is changing operating environments.

Explore the impact virtualization can have on your bottom-line.

Save with 0% Lease Offer on HP Servers and Storage

Find out how to manage virtualization's risks and reap the rewards.

Conquer the realities of managing virtualization

Expand High-Performance Computing (HPC) Capabilities

Power the Platform of Choice for Virtualization in the Enterprise

Virtualization: Simplify. Automate. Lower Costs.

Integrating ActiveRoles With IBM Tivoli Identity Manager 5.0

Quest Authentication Services: Simplify Identity Management

White Paper: Centralized Data Backup and Your WAN

The Right and Wrong Master Data Management Strategies to Start Small and Grow Big

How RFID Improves Data Center Efficiency

Determine the ROI of Web Application Acceleration Managed Services

Achieve a 50:1 Data Deduplication Ratio

Remote Infrastructure Management - What Your Peers are Thinking

Complementary BI: The New Approach to Business Intelligence

Leading university calls on Nokia for mobile unified communications.

Mobility is Growing: Survey Shows Why CIOs are Concerned

Learn what it takes to build a holistic digital collaboration platform

The ECM Paradox: Extending Local Flexibility to Strengthen Central Control

Customer Insight Yields Sales, Marketing Gains

7 Requirements of Data Loss Prevention

Learn how wide-area data services can help deliver the benefits of virtualization

Learn how to leverage virtualization for a 74% savings in TCO.

Find out how you can affordably consolidate applications with VMware.

ESG Research on Server and Storage Virtualization

Get help navigating the management challenges of virtualization.

Narrow the gap between virtualization's benefits and the management risks.

Cash in on the promise of virtualization

High-performance computing is no longer just for Big Business

Stories of real businesses that Virtualized their IT environments

Operational Excellence Is Key to Maximizing IT Investments

Quest Authentication and IBM Tivoli Identity Management

Data Protection: Challenges for the Traveling User

Learn how companies are changing how they reach out to their most profitable customers.

Data Center ROI with RFID Asset Tracking

Improve Web-Enabled SAP Performance

Gartner on Data Deduplication Cost Savings

Data Protection Options Explained

Webcast - "Into the Wild: Managing Laptops Outside the Office"

5 Steps to Successful IT Consolidation

Boost your top- and bottom- lines.

Unified Communications & Collaboration: Game-Changing Business Results

Best Intel Info for IT Pros/Intel Premier IT Professional Program: Stay up to date with roadmaps, technologies & best practices

Make Hidden Trends, Inter-Relationships and Influences Visible.

Improve delivery of product information to customers.

Prudential Financial Protects its Brand with Symantec

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords