CISecurity Guide to VMware Security Falls Far Short

I’ve written before about the lack of good tools and guides to security in virtual infrastructures.

The first widely used guide, the CISecurity VMware ESX Security Benchmark, contains a list of tasks to complete including the shell code to implement most of them. Unfortunately it is not as complete as I would like.

There are two benchmarks from CISecurity, one for VMware ESX and the other is for VMs.

The VM Benchmark is much too generic to be of much use. The VMware ESX edition contains settings and other data that are VM specific, rather than focusing on VMware ESX.

Unfortunately, the document includes only a few of the isolation tool settings; there are many many more that will improve security.

All but a few steps written in the benchmark are about the service console.

While it is important to protect the service console that is not the be-all and end-all of security.

Nowhere in the benchmark does it explain how the vmkernel itself can be protected. It also falls short in ways to limit information leakage from access to the SC, and how to prevent this.

Nor does it explain how the vmkernel protects itself. It assumes—as do many people—that the hypervisor is secure. This is the same as assuming that your firmware is above reproach, despite the availability of root kits that live just fine within firmware routines.

While the document does delve into several ESX specific issues, vSwitch Security options, and other virtual network concerns, it falls short of true understanding of this critical area.Unless readers fully understand the intricacies of hypervisor security, they will be missing some aspect of security.

For example, the benchmark states that iSCSI is a clear-text protocol and that the CHAP protocol should be used as part of authentication to keep usernames and passwords from being transmitted across the network in the clear.

But it fails to mention that NFS and Fibre Channel-SAN are also clear text protocols and should be protected.

It does mention that IPsec is not natively supported by VMware ESX. But does not discuss how this really makes a difference?

iSCSI for example supports IPsec only if devices at both ends of a communication link support it. Nor does the document mention that the VMware Consolidated Backup (VCB) Proxy Server, if in use, could become a backdoor to your VM data.

It is also missing information about the data paths used to manage the system. Specifically it is missing critical information about weaknesses in WebAccess for administration. There is missing information about the weak SSL certificates in use on some versions of ESX or how to remediate this.

While the Benchmark was the first of its kind, it is nothing more than the Linux benchmark with some small changes for VMware ESX. Following these steps will increase security but it is by no means a panacea. Do not let it give you a false sense of security.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.