Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Mon, July 14, 2008

Federal Security Guide for VMware ESX: Helpful But Has Holes

By Edward L. Haletky

Keywords: VMware ESX, DISA, security guidelines, virtual security, virtualization security

CONNECTIONS
VMware

With security becoming ever more important, I've been reviewing the various guides available to harden the VMware Virtual Infrastructure.

So far the results have been disappointing, though I've looked at the CISecurity VMware ESX Benchmark and the VMware VI3 Hardening Guidelines. Now for the US Government's Defense Information Systems Agency's Security Technical Implementation Guide (STIG)—a long-awaited document that all levels of the U.S. government will follow to harden and protect their VMware VI3 installations.

DISA publishes a variety of technical implementation guides for different operating systems and other software, each of which offers guidelines on how to set up that particular system to make it as secure as possible. The requirement that sticks out about the guide for ESX, however, is a requirement that ESX installations pass all the technical installation requirements for a Unix system.

That's odd because ESX is not a Unix system. It's not even a real Linux system.

The main component of VI3 is the vmkernel which is a hypervisor. Yes the SC (service console) is LINUX or LINUX like, but that is just a small part of the picture. Employing UNIX rules for ESX is not a good start. There are too many differences.

The guide does mention that antivirus software is not necessary for ESX. Rather than a solid security analysis, however, the document's given reason for eliminating the need for antivirus is that the recommended tool will not install properly.

Actually, antivirus will install if you created the proper packaging. But that is not a good reason either way. The real reason to skip antivirus on a VI3 server is that, if configured incorrectly, it will drastically impact performance and throw out false positives at an unusually high rate.

Another issue: the STIG states that VM configuration files should still be world-readable while the virtual disk should be only owner-readable.

There is often vital information in the configuration including MAC addresses, names, and the layout of the virtual hardware. This information should not be world-readable as it can be used to aid in hacking systems.

There are other peculiarities; for example, the STIG does not address Web Access, and has minimal controls regarding VMware ESXi.

When the STIG talks about VMs, however it is missing almost all the isolation tools that would reduce information leakage. The one thing it does address is disabling cut-and-paste when using the remote consoles. However, this does not disable screen capture and OCR readers to get the data off the remote console.

More from IT Drilldown « Back to Virtualization
CASE STUDY
Disaster Can Inspire Quick Move to Desktop Virtualization
In the wake of a hurricane, a Texas hospital system's IT group overcame user reluctance to virtualize desktop PCs. Here's a look at their journey and the thorny little issue that Citrix just solved a few weeks ago: USB port support. Full Story »

Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
 
SPONSORED LINKS
 

Removing Barriers To Better Server Virtualization Efficiency

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

Seven Design Requirements for Web 2.0 Threat Protection

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

A Clear View Toward Virtualization

White Paper: Right-Sizing Your Power Infrastructure

Taking a Seat at the Executive Table: The Reality of Virtualization

Server Consolidation: Leveraging the Benefits of Virtualization

Return on Information: Google Enterprise Search pays you back

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths

White Paper: Managed Security for a Not-So-Secure World

White Paper: 5 Best Practices for Smartphone Support

White Paper: Next Generation Remote Infrastructure Management

Keeping Your Members Safe from Online Scams and Predators

The Total Economic Impact of Network Security Intrusion Prevention

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

eZine: A Roadmap to Reducing IT Complexity

 
 
RESOURCE CENTER