Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Tue, July 08, 2008

VMware's ESX Hardening Guideline Falls Far Short of 'Secure'

By Edward L. Haletky

Keywords: Virtual server, virtual security, VMware security guide

As I've discussed in previous blogs on security for virtual environments, there is a severe lack of comprehensive guidance available on how to secure virtual servers and the parts of an IT infrastructure they touch.

Non-vendor organizations offer some help; more specific documentation is available from the vendors themselves. Even that guidance is somewhat lacking, however.

VMware has several white papers on security, most notable the VI3 Security Hardening guideline and DMZ Virtualization With VI3.

The DMZ paper is useful. But the VI3 Hardening Guideline, which is the place most virtual server managers would start to find security information, falls seriously short of the goal of helping to harden an entire virtual infrastructure or even a single VMware ESX system.

The VI3 Hardening Guideline suffers from the same issues I described in my blog on the CISecurity Benchmark. It gives lip service to the hardening of virtual machines, but most of the discussion is on how to use the remote logging service, and isolate the VM Network.

It does not cover the ability of a virtual machine to isolate itself and the data it protects—abilities with the potential to disallow information leakage to someone who has access to the virtual infrastructure but not to the specific VM being protected.

The discussion on the service console reads like a Linux hardening guideline but is already missing many of the items mentioned in the CISecurity Benchmark.

It further states you should only use the VI Client to access your host (physical) systems. As we all know, this is not only impossible, it fails to address the split-brain authentication and authorization problem of a system with three three separate login facilities.

Furthermore it says you should use a directory service like Active Directory but does not discuss how to structure permissions to disable access to critical files which could contain the root password.

Access to root passwords is possible only if configuration files hold the wrong permissions. While the guide does recommend that IT managers monitor the configuration files to make sure the correct permissions have been granted and have not been changed, it doesn't say what the permissions should be in the first place.

The default setup is, not surprisingly, inadequate. It allows for quite a bit of information leakage.

The guide does start to discuss security of items outside the service console including storage, and networking.

However, the storage discussions focus only on iSCSI, and are misleading even then.

For iSCSI to work within VI3, the service console has to be involved in some way. Hence the statement in the white paper that it's necessary to completely isolate an iSCSI network is incorrect. It cannot be 100% isolated.

More from IT Drilldown « Back to Virtualization
CASE STUDY
Disaster Can Inspire Quick Move to Desktop Virtualization
In the wake of a hurricane, a Texas hospital system's IT group overcame user reluctance to virtualize desktop PCs. Here's a look at their journey and the thorny little issue that Citrix just solved a few weeks ago: USB port support. Full Story »

Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
Maximum Efficiency Gains with Virtualization
Learn best practices to optimize your infrastructure and operations department and gain the most from virtualization. Learn more »
Manage Virtualization Initiatives
Learn how you can better manage virtualization initiatives to recognize this technology's maximum value. Learn more »
 
SPONSORED LINKS
 

White Paper: Right-Sizing Your Power Infrastructure

Taking a Seat at the Executive Table: The Reality of Virtualization

Server Consolidation: Leveraging the Benefits of Virtualization

White Paper: 4 Customer Service Myths

White Paper: Managed Security for a Not-So-Secure World

White Paper: 5 Best Practices for Smartphone Support

White Paper: Next Generation Remote Infrastructure Management

Keeping Your Members Safe from Online Scams and Predators

The Total Economic Impact of Network Security Intrusion Prevention

Join us at the US-Brazil IT-BPO Summit, on November 10th in New York.

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Top Five CIO Challenges

Streamline IT Costs. Boost Performance with WAN Optimization.

Want to know how you can maximize employee productivity?

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

A new fleet of PCs with a total ROI in 10 months. Find your ROI.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

Seven Design Requirements for Web 2.0 Threat Protection

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion

Read the RSA report: Security for Business Innovation

Webcast: Looking to the Cloud for Email and Collaboration Services

64-page prescriptive guide to security, compliance, and IT operations.

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

 
 
RESOURCE CENTER