VMware vSphere Security Guidance, just the Beginning

On the most recent Virtualization Security Podcast, the panel was joined by VMware's Charu Chaubal to discuss the latest draft of the VMware vSphere hardening guide. Of note during the conversation was the new layout and scope of the guide, which is now split into the following sections:

  • Virtual Machine Hardening
  • ESX/ESXi Hardening
  • Service Console Hardening
  • Virtual Center Hardening

Near the end of the podcast we discussed whether the scope of a single virtualization host was too limiting, and whether the scope should instead be the cluster of virtualization hosts. In essence, there is hardly ever just one host; there are generally multiple hosts to provide full redundancy. The guide does not cover this case; it covers the core, critical components of the vSphere product.

The focus of your security policy and procedures needs to be on the cluster and the environment as a whole. The guidance is just one component of this expanded focus.

Other guidance scoped to the cluster may be forthcoming from VMware and others, but for now the best resources are the guidance from VMware, the book VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment, and, if you are using the Cisco Nexus 1000v, the guidance from Cisco. Everyone seems to be working on some form of guidance for vSphere, including CISecurity, DISA (who are waiting on VMware to finish), Catbird, etc.

One question not asked during the podcast was:

How different is ESX v4 from ESX v3 with respect to hardening guidance?

The answer is that they are not all that different. There are new technologies, of course, such as Fault Tolerance and the Virtual Distributed Switch. In addition, the service console is based on a newer version of RHEL, which requires slightly different hardening. There are also changes to cover all the new APIs, which affect VM hardening and network layout more than anything else.

Early on in the podcast, we discussed the possibility of VM escapes and whether there was anything we could do to alleviate them, i.e., a compensating control. One suggestion made by another panelist was to not install VMware Tools, as the paravirtualized drivers are under constant attack. The response from VMware is to keep up to date with Security Alerts and to continue to use VMware Tools and the paravirtualized drivers.

The most important aspect of the guidance is to properly segment all virtualization management networks behind a firewall, even to the extent of isolating this network from standard production networks by means of that firewall. The other major takeaway is that this guidance is just the beginning: you need a well-formulated security policy that uses this guidance in conjunction with compliance requirements. This is just one building block of the entire virtualization security stack as outlined in the updated End-to-End Virtualization Security Whitepaper.
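The segmentation recommendation above can be checked mechanically against a firewall policy before it is deployed. The following is an added example, not code from the post or from VMware: it audits a constructed, vendor-neutral rule list and flags any "allow" rule that lets a source outside the designated administrative networks reach the management network on the usual vSphere management ports (22 for the service console, 443 for the vSphere API/HTTPS, 902 for the host agent). The subnets, the rule format and the `audit_management_segmentation` / `has_default_deny` function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# TCP ports used by the vSphere management plane (well-known values).
MANAGEMENT_PORTS = {22, 443, 902}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, vendor-neutral form (assumed format)."""
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination TCP port; 0 means "any port"
    action: str  # "allow" or "deny"


# Constructed sample policy for illustration; not taken from a real environment.
SAMPLE_POLICY: List[Rule] = [
    Rule("10.99.0.0/28", "10.10.0.0/24", 443, "allow"),    # admin jump hosts -> vCenter/ESXi API
    Rule("10.99.0.0/28", "10.10.0.0/24", 22, "allow"),     # admin jump hosts -> service console
    Rule("192.168.0.0/16", "10.10.0.0/24", 443, "allow"),  # production -> management: a gap
    Rule("0.0.0.0/0", "10.10.0.0/24", 0, "allow"),         # anyone -> management on any port: a gap
    Rule("10.10.0.0/24", "192.168.50.0/24", 443, "allow"), # management -> production, not audited here
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),             # default deny
]


def audit_management_segmentation(policy: Iterable[Rule], mgmt_net: str,
                                  admin_nets: Iterable[str],
                                  mgmt_ports=MANAGEMENT_PORTS) -> List[Rule]:
    """Return the allow rules that expose the management network to non-admin sources.

    A rule is flagged when it allows traffic, its destination overlaps the
    management network, its port is a management port (or "any"), and its
    source is not fully contained in one of the administrative networks.
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    admins = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        dst = ipaddress.ip_network(rule.dst)
        if not dst.overlaps(mgmt):
            continue
        if rule.port != 0 and rule.port not in mgmt_ports:
            continue
        src = ipaddress.ip_network(rule.src)
        # A source entirely inside an admin network is the intended access path.
        if any(src.subnet_of(a) for a in admins):
            continue
        findings.append(rule)
    return findings


def has_default_deny(policy: List[Rule]) -> bool:
    """True if the last rule denies everything (any source, any destination, any port)."""
    if not policy:
        return False
    last = policy[-1]
    return (last.action == "deny" and last.port == 0
            and ipaddress.ip_network(last.src).prefixlen == 0
            and ipaddress.ip_network(last.dst).prefixlen == 0)


if __name__ == "__main__":
    gaps = audit_management_segmentation(SAMPLE_POLICY, "10.10.0.0/24", ["10.99.0.0/28"])
    for r in gaps:
        print(f"EXPOSED: {r.src} -> {r.dst} port {r.port or 'any'}")
    print("default deny present:", has_default_deny(SAMPLE_POLICY))
```

Run against the constructed policy, the audit reports the production-to-management rule and the any-to-management rule while accepting the two jump-host rules; the same check can be pointed at an exported policy once it is translated into the simple rule form used here.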

Edward Haletky
Edward L. Haletky aka Texiwill is an analyst, author, architect, technologist, and out of the box thinker. As an analyst, Edward looks at all things IoT, Big Data, Cloud, Security, and DevOps. As an architect, Edward creates peer-reviewed reference architectures for hybrid cloud, cloud native applications, and many other aspects of the modern business. As an author he has written about virtualization and security. As a technologist, Edward creates code prototypes for parts of those architectures. Edward is solving today's problems in an implementable fashion.

3 Comments on "VMware vSphere Security Guidance, just the Beginning"


Well, thanks for the info on VMware. That was valuable information. By the way, I had gathered more info on computing technologies through the conference cloudslam 2009 http://cloudslam09.com
