Federal Security Guide for VMware ESX: Helpful But Has Holes

With security becoming ever more important, I’ve been reviewing the various guides available to harden the VMware Virtual Infrastructure.

So far the results have been disappointing, though I’ve looked at the CISecurity VMware ESX Benchmark and the VMware VI3 Hardening Guidelines. Now for the US Government’s Defense Information Systems Agency’s Security Technical Implementation Guide (STIG)—a long-awaited document that all levels of the U.S. government will follow to harden and protect their VMware VI3 installations.

DISA publishes a variety of technical implementation guides for different operating systems and other software, each of which offers guidelines on how to set up that particular system to make it as secure as possible. The requirement that sticks out about the guide for ESX, however, is a requirement that ESX installations pass all the technical installation requirements for a Unix system.

That’s odd because ESX is not a Unix system. It’s not even a real Linux system.

The main component of VI3 is the vmkernel which is a hypervisor. Yes the SC (service console) is LINUX or LINUX like, but that is just a small part of the picture. Employing UNIX rules for ESX is not a good start. There are too many differences.

The guide does mention that antivirus software is not necessary for ESX. Rather than a solid security analysis, however, the document’s given reason for eliminating the need for antivirus is that the recommended tool will not install properly.

Actually, antivirus will install if you created the proper packaging. But that is not a good reason either way. The real reason to skip antivirus on a VI3 server is that, if configured incorrectly, it will drastically impact performance and throw out false positives at an unusually high rate.

Another issue: the STIG states that VM configuration files should still be world-readable while the virtual disk should be only owner-readable.

There is often vital information in the configuration including MAC addresses, names, and the layout of the virtual hardware. This information should not be world-readable as it can be used to aid in hacking systems.

There are other peculiarities; for example, the STIG does not address Web Access, and has minimal controls regarding VMware ESXi.

When the STIG talks about VMs, however it is missing almost all the isolation tools that would reduce information leakage. The one thing it does address is disabling cut-and-paste when using the remote consoles. However, this does not disable screen capture and OCR readers to get the data off the remote console.

All in all, the DISA STIG is the most complete guideline I have read. Its coverage of storage, vMotion, and virtual networking in general is very good, but it falls flat when discussing the various management avenues for VMware ESX and ESXi.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.