Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Mon, July 21, 2008

VMware Appliance is Convenient, But Don't Assume It's Secure

By Edward L. Haletky

Keywords: Virtual server appliance, VMware, ESXi

CONNECTIONS
Microsoft
VMware
Despite its leadership in the virtual server market, VMware has been aware of and preparing for the threat of competition from Microsoft's Hyper-V hypervisor for long enough to roll out not only strategies, but actual products.

One of these is ESXi, a cut-down form of the VMware ESX server designed to be embedded on servers and sold as a pre-installed and virtual-machine-ready. Dell, HP, and IBM all sell hardware with ESXi embedded.

That makes the installation more convenient. But unfortunately it doesn't do much about the security of the appliance.

ESXi is part of the larger virtual infrastructure and should be secured just like any other component. Security guidelines from the federal Defense Information Security Agency and VMware's own Hardening Guidelines start the discussion on this, but it is not sufficient. Securing ESXi includes securing all things that touch it.

This implies securing storage, management tools, networks, operations, virtual machines and everything else connected to the virtual infrastructure. Everything that is part of the virtual infrastructure touches on the virtualization server.

Is ESXi more secure than VMware ESX? Yes and no.

They both boot the same way, or nearly so. The difference is that instead of booting a management appliance virtual machine that contains GNU/Linux, ESXi boots a management appliance virtual machine that contains a Posix environment called Busybox.

ESXi cannot be treated as an appliance. Any exploit found should be addressed by VMware and by any vendor implementing ESXi. Just as there are exploits for every other operating system, there are ones for ESXi and for Busybox.

Like VMware ESX, security patches for VMware ESXi should also come direct from VMware. All you can do is remediate some aspects by implementing better total Virtual Infrastructure Security.

ESXi contains the same VMware daemons that VMware ESX contains including webAccess—which is subject to a fairly well known SSL MiTM attack; vulnerability to that attack exists within ESXi as well as in ESX. Use of webAccess should therefor be restricted to an administrative network.

There are more and more third-party tools becoming available to manage both ESX and ESXi. These also need to be coded properly to use the VMware SDK, which is over VMware webAccess.

In this way VMware ESXi is no different than VMware ESX. Security of ESXi depends on the security of the virtual infrastructure, not the other way around. Use of ESXi might be more convenient in some cases, but be sure not to assume having vendors pre-install it on their hardware means the appliance is secure.

More from IT Drilldown « Back to Virtualization
CASE STUDY
Disaster Can Inspire Quick Move to Desktop Virtualization
In the wake of a hurricane, a Texas hospital system's IT group overcame user reluctance to virtualize desktop PCs. Here's a look at their journey and the thorny little issue that Citrix just solved a few weeks ago: USB port support. Full Story »

More Case Studies »
Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
Maximum Efficiency Gains with Virtualization
Learn best practices to optimize your infrastructure and operations department and gain the most from virtualization. Learn more »
Manage Virtualization Initiatives
Learn how you can better manage virtualization initiatives to recognize this technology's maximum value. Learn more »
 
SPONSORED LINKS
 

White Paper: Right-Sizing Your Power Infrastructure

Taking a Seat at the Executive Table: The Reality of Virtualization

Server Consolidation: Leveraging the Benefits of Virtualization

White Paper: 4 Customer Service Myths

White Paper: Managed Security for a Not-So-Secure World

White Paper: 5 Best Practices for Smartphone Support

White Paper: Next Generation Remote Infrastructure Management

Keeping Your Members Safe from Online Scams and Predators

The Total Economic Impact of Network Security Intrusion Prevention

Join us at the US-Brazil IT-BPO Summit, on November 10th in New York.

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Top Five CIO Challenges

Streamline IT Costs. Boost Performance with WAN Optimization.

Want to know how you can maximize employee productivity?

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

A new fleet of PCs with a total ROI in 10 months. Find your ROI.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

Seven Design Requirements for Web 2.0 Threat Protection

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion

Read the RSA report: Security for Business Innovation

Webcast: Looking to the Cloud for Email and Collaboration Services

64-page prescriptive guide to security, compliance, and IT operations.

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords