Security Health Checks

Security baselines and security health checks are an important part of any modern-day infrastructure. These checks are done periodically throughout the year, usually every quarter. In my opinion it is a good thing to check and make sure your security settings are following the guidelines that the company has set out to achieve. Here is where I do have a problem. When setting up the guidelines for the different technologies in your infrastructure, it makes the most sense that the people establishing the guidelines fully understand the technology they are working with. After all, would you really want the midrange or mainframe group to write the policies and guidelines for the Microsoft Windows Servers in your environment?

Now that virtualization has really taken hold and established itself in all major corporations, you would think that companies would get a subject matter expert in virtualization to help establish these guidelines for the virtual infrastructure. Unfortunately, this is not what I have been seeing lately. To be fair, VMware ESX Server has a lot of Linux-based tools to handle administration of the systems, but let’s be clear, VMware ESX Server is NOT Linux. With the last few health checks that I have been involved with, it has been quite clear that the guidelines and the baseline were established and put together by a Linux-focused group.

The last report I had to review and prepare an exception report for listed violations for having openwsman, ftAgent and ftbackbone running on the VMware ESX hosts, and the recommendation was to shut down these services. So based on the recommendations we should shut down HA, DRS and system management for the web services. Well, needless to say, this would break and degrade the overall system stability and performance. These same violations showed up for each client. The same violation report also listed hardware monitoring agents.

It is for reasons like this that there is a way to get client-wide exceptions to these policies put in place. This is where you create a report on why you disagree with the violations, and then you have the ability to defend your recommendations as to why the exceptions need to be in place.

With all the importance being placed on security, then again, why in the world are the policies being written by people who give the appearance that they do not have a clue about, or do not fully understand, the technology? Virtualization is here to stay and is only going to get more and more prevalent in the datacenter. Virtualization needs to be considered and looked at as a separate, specific technology, and companies need to put in the time and the effort to treat it as such. Otherwise you leave yourself open to the possibility of failure and downtime because of that lack of understanding of the technology.
