by Edward L. Haletky

Pros and Cons of VMware’s New Security Guide

Aug 01, 20083 mins

The newest version, which includes specifics on hardening VI3.5, improves on previous guidance, but leaves enough gaps that customers following it will still be exposed.

VMware has released another hardening guideline, this time for VMware Virtual Infrastructure 3.5. Its guidance can also apply to version 3.0, though. This guide is useful in that it actually looks as ESXi as more than an appliance, as does the ESX Security Technical Implementation Guide from the U.S. Defense Information Systems Administration (DISA), which I discussed a couple of weeks ago.

The new version of VMware’s guide is a vast improvement over the older one, but still only looks at a subset of the entire virtual environment and still maintains that a directory service is required to secure VMware VI3 .x but gives no information on how to achieve this security. Just use one and all will be well is not a good game plan—it may leave you even less secure than before.

I may have my sights set a little high on what I’d like to see from a hardening guideline. Chris Hoff at Rational Security certainly thinks so, and others may as well.

But I don’t think so. I just expect something that states it is a hardening guide to actually harden the system and provide for me the means to perform these actions.

The new VMware Guide does give much more information about hardening the virtual machine from a VI3 perspective.

The latest VMware Guide also delves into ESXi even more than the DISA/STIG guide and this provides some invaluable information for those using ESXi.

Unfortunately not much has changed with respect to ESX. There is still quite a few hardening steps missing from this guide that are covered in the other guides.

The main bits that are missing are the steps necessary to actually implement the security. For example one heading is to Label Virtual Networks Clearly. Do they imply that we should not use IPAddress in the names, or network names, or what? What is the appropriate labeling for the virtual networks?

I would like to see 3 guides from VMware: One for just VMs (from the perspective of the virtual infrastructure); One for ESXi; and one for ESX. I would like all these guides to actually show me how to secure my systems instead of using general terms.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.