Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Mon, July 21, 2008

VMware Appliance is Convenient, But Don't Assume It's Secure

By Edward L. Haletky

Keywords: Virtual server appliance, VMware, ESXi

CONNECTIONS
Microsoft
VMware
Despite its leadership in the virtual server market, VMware has been aware of and preparing for the threat of competition from Microsoft's Hyper-V hypervisor for long enough to roll out not only strategies, but actual products.

One of these is ESXi, a cut-down form of the VMware ESX server designed to be embedded on servers and sold as a pre-installed and virtual-machine-ready. Dell, HP, and IBM all sell hardware with ESXi embedded.

That makes the installation more convenient. But unfortunately it doesn't do much about the security of the appliance.

ESXi is part of the larger virtual infrastructure and should be secured just like any other component. Security guidelines from the federal Defense Information Security Agency and VMware's own Hardening Guidelines start the discussion on this, but it is not sufficient. Securing ESXi includes securing all things that touch it.

This implies securing storage, management tools, networks, operations, virtual machines and everything else connected to the virtual infrastructure. Everything that is part of the virtual infrastructure touches on the virtualization server.

Is ESXi more secure than VMware ESX? Yes and no.

They both boot the same way, or nearly so. The difference is that instead of booting a management appliance virtual machine that contains GNU/Linux, ESXi boots a management appliance virtual machine that contains a Posix environment called Busybox.

ESXi cannot be treated as an appliance. Any exploit found should be addressed by VMware and by any vendor implementing ESXi. Just as there are exploits for every other operating system, there are ones for ESXi and for Busybox.

Like VMware ESX, security patches for VMware ESXi should also come direct from VMware. All you can do is remediate some aspects by implementing better total Virtual Infrastructure Security.

ESXi contains the same VMware daemons that VMware ESX contains including webAccess—which is subject to a fairly well known SSL MiTM attack; vulnerability to that attack exists within ESXi as well as in ESX. Use of webAccess should therefor be restricted to an administrative network.

There are more and more third-party tools becoming available to manage both ESX and ESXi. These also need to be coded properly to use the VMware SDK, which is over VMware webAccess.

In this way VMware ESXi is no different than VMware ESX. Security of ESXi depends on the security of the virtual infrastructure, not the other way around. Use of ESXi might be more convenient in some cases, but be sure not to assume having vendors pre-install it on their hardware means the appliance is secure.

Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
White Papers
Learn how to address key cloud computing challenges
Learn how your organization can face the challenges of: lack of interoperability, security, compliance and application compatibility. Learn more »
VMware: Clearing the fog, a look into the Clouds
Read about VMware's compelling vision & set of products that can help clarify all of the confusion surrounding Cloud Computing. Learn more »
Cloud Computing: A fundamentally new way to deploy IT services
Learn how the VMware vCloud initiative enables you to move to the cloud how you want, when you want, and as much as you want. Learn more »
Calculate Your Specific Potential Virtualization Savings
Discover how organizations are reducing operational costs, and improving efficiency and availability. Learn more »
Forecast: Cloud Computing Looms Big on the Horizon
Read this Executive Guide to learn more about what IT leaders are saying about "Cloud Computing". This is one time when it makes good, practical business sense to have your head in the clouds. Learn more »
 
SPONSORED LINKS
 

Developing A Dynamic, Real-Time IT Infrastructure

Mid-Sized Company CIO Community: infoBOOM!

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

8 Key Ingredients to Building an Internal Cloud

White Paper: The Building Blocks for Cloud Computing

Taking the Service Desk to the Next Level

Why Data Loss is Increasing--and What You Can Do About It

Data Loss Prevention: A Better Way to Approach Security

Learn how to managing client systems in the enterprise.

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

Losing Ground: 2009 TMT Global Security Survey

Accenture IT Consulting: Logical meets technological. More . . .

Stop Application Fraud at the Source with Device Reputation

Top 10 Business and IT Drivers for the Wealth Management Sector

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Learn about The Information Technology Infrastructure Library.

Achieving Pervasive Performance Management

Automating the Generation and Secure Distribution of Excel Reports

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Cloud Computing: Read about VMware's compelling vision & set of products

White Paper: 8 Key Ingredients to Building an Internal Cloud

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

Bottom-Line Benefits of Virtualization

A CIO Executive Guide: Cloud Computing Looms Big on the Horizon

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Top-line Performance that's Bottom-line Efficient

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Data Center Optimization: Three Key Strategies

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Tips for successful virtualization management.

Smart Decisions: The Role of Key Performance Indicators

Gartner Shares Predictions for 2009

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords