Expert analysis and advice on server virtualization technologies, deployments and management.
Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.
VMware's ESX Hardening Guideline Falls Far Short of 'Secure'
There is also no mention of disabling webAccess, which has known security issues, or even how to minimize the impact of those weaknesses.
In the section about virtual networking, there is no mention of the need to isolate networks or even why to isolate them. The guide is missing quite a bit of information on virtual networking. The DMZ paper fills some of that gap, but the fact that it has to is alarming.
The VI3 guide contains some discussion of basic security for the VirtualCenter Server, at least on how to enable the use of different certificates.
It doesn't cover making these changes within VirtualCenter 2.5, though it does reference another white paper to do this, leaving it up to the reader to determine how to properly build OpenSSL to secure communications, what version to use, or whether or how to use it on a Linux system.
There is no mention of whether the OpenSSL installed on ESX will even work. Nor does it discuss how to make this change within ESXi.
There is much more VMware could go into on security outside the service console, but the guide falls short.
The only difference between the CISecurity Benchmark and the VI3 Hardening Guide is that the guide covers more of the entire environment.
The biggest omission is how to apply these guidelines to ESXi. Something has to be done to secure ESXi, but there is no mention of what to do or how to do it.
The Tripwire Configcheck tool is based on the VI3 Hardening Guide and is a good start. However, there is much more to do. Do not let this give you a false sense of security. Next we will look at the US Government DISA/STIG security guidelines.
Virtualization expert Edward L. Haletky is the author of "VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.


