Virtualization Security Assessment Guides Inadequate, Tools Lacking

We’ve already discussed the relative lack of tools to secure virtualized servers and infrastructures, the problems inherent in adding bolt-on tools, risks in connecting a VM to the wrong part of a network and other security issues.

What we haven’t discussed is what tools are available for administrators or security specialists evaluating their own security situation.

Like other virtual security tool categories, virtual security assessment tools are absent or inadequate.

There are, however, three guides to help administrators do their own virtual security assessments, although there are no tools that implement any of these guidelines fully. The problem with the guidelines and the tools is that they are mainly Linux specific and not really geared towards problems with general virtualization security.

The current tools and guides mainly concern security the management console, not necessarily checking for security problems within the infrastructure. But first we should look at the current batch of guides available.

The first is from VMware, and is their document for hardening the security of your VMware ESX/ESXi host. I however disagree with some of the items in this guide.

The main issue is the assumption that you require some form of centralized password server like Active Direcotry (AD), or LDAP. Not only do these not provide adequate security, not everyone has a centralized password server or wants to implement one.

Also, unless you are using Secure LDAP rather than regular LDAP you will run into issues where the password is sent in cleartext. My opinion is that this is really a choice you make and not a requirement.

The second guide is from the U.S. defense department’s Defense Information Systems Agency (DISA), though this guide is not yet publically available. There is some discussion about both its availability and specifics on the VMware Communities Security and Compliance forum. In addition to being hard to get, VMware Communities posters write that it’s largely *NIX based, and not specifically for ESX.

The last guide is from CISsecurity—a non-profit membership organization formed to help members codify and improve their electronic security&mdash. The CISecurity guide is a version of their Linux guide, adapted to fit VMware ESX, though it still does not address items specific to ESX specific.

VMware’s guide is the closest to one that looks at an entire virtualized environment, but it only mentions one or two specific elements about virtualization.

These elements relate to the internal settings for virtual NICs and capabilities that can be used when connected virtual switches: Promiscuous mode, Mac Spoofing, or Address Spoofing.

Within ESX promiscuous mode is disabled by default. However, the others are not and need to be dealt with properly. There is no mention of network isolation, guest isolation settings or the proper configuration of Active Directory, if it’s even in use in a particular installation.

There is more to assessing the security of a virtual environment then the current batch of guidelines and tools cover.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.