Archive

Posts Tagged ‘Security’

Five ways to maximize VMware hypervisor security

April 7th, 2011

For better or worse, administrators usually accept the default VMware hypervisor security settings.

vSphere is fairly secure, but VMware security breaches can still occur. Careless mistakes and questionable administrative decisions can weaken infrastructure security — especially if IT pros are more concerned about management convenience than about hardening the hypervisor, hosts and virtual machines (VMs).

To help prevent snafus, here are five ways to maximize VMware hypervisor security.

Firewalls prevent VMware hypervisor security from getting burned
Physical firewalls protect servers and devices directly connected to physical networks, but they aren’t always effective at protecting VMs connected to virtual networks. So use virtual firewalls in conjunction with physical firewalls to ensure that network traffic is secure at every level and nothing slips through the cracks.

Sometimes, virtual machine network traffic doesn’t leave the host or travel over a physical network. Traffic between VMs on the same vSwitch and port group remains inside the host. It travels in the host’s memory, through the virtual network — rather than over the physical network. As such, it’s outside the physical firewall’s protection zone.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

VAR concerns and considerations for handling vSphere security: FAQ

April 6th, 2011

Keeping your customer’s physical environment secure is more straightforward than dealing with security in a virtual environment. There are a number of hidden risks and concerns that solution providers need to be prepared for before fielding customer questions about vSphere security.

Virtualization expert Eric Siebert breaks down what you need to know about securing your customer’s vSphere environment, including Payment Card Industry Data Security Standard (PCI DSS) concerns, anti-virus software and ESX firewalls. Siebert also explains which third-party virtualization security products and vendors can be useful to solution providers.

How does security in virtual environments differ from physical environments?

Most of the security-hardening techniques that solution providers would normally use in physical environments apply to virtual environments as well. These techniques are typically used at the guest operating system (OS) level, which is no different in virtual environments. There are, however, other security areas that you need to be concerned with inside virtual environments that don’t exist with traditional physical servers.

Solution providers need to recognize that the host opens up more attack vectors inside virtual environments, with the biggest being toward the ESX Service Console and the ESXi Management Console. These consoles run as privileged virtual machines (VMs) on the host and hold the keys to accessing any VM on the host. There are a variety of methods that can be used to access a host, including Secure Shell, vSphere Client, scripting application programming interfaces (APIs) and Web browser access. All of these access points need to be properly secured to protect the host and its VMs.

Read the full article at searchsystemschannel.com…

Author: esiebert7625 Categories: News

Five VMware security breaches that should never happen

March 24th, 2011

VMware security breaches should not be taken lightly, especially now that there’s a spotlight on regulatory compliance and the shift toward cloud computing.

Virtual hosts house many workloads, and if an unscrupulous individual gains unauthorized access to a host, that person can potentially compromise all of its virtual machines (VMs). That means virtualization administrators should pay special attention to preventable VMware security breaches. There are several potential weak points where VMware security breaches can occur.

Making VMware security less like Swiss cheese

Out-of-the-box, VMware vSphere is fairly secure, but you can make it more susceptible to security breaches if you’re not careful with its configuration and remote-access settings.

By default, VMware disables many features that would make administration easier, and enabling these features weakens security. In ESX, for example, administrators typically enable the Web user interface, and in ESXi many IT pros allow access to the remote console through Secure Shell (SSH) connections. These actions may make your job easier, but they open up attack vectors for unauthorized individuals.

An even bigger vulnerability is the host’s management console. It’s the door to your entire virtual infrastructure, so don’t pass out many keys. Lock up the management console tightly and use it only when absolutely needed — which typically isn’t often. Other areas of concern are VM data stores, management and storage network traffic, virtual networking, application programming interfaces, VM-host interconnects, vCenter Server roles and permissions and third-party add-ons.

The bottom line: Know your weak points and make them secure.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

All your ESX Service Consoles belong to us…

September 22nd, 2010

In case you needed more encouragement to move to ESXi, here’s a good reason. The recently announced Linux vulnerability that can give attackers root access to a system affects the ESX 4.x Service Console as well, since it is based on Red Hat Linux with the 2.6.28 kernel. The vulnerability affects nearly all 64-bit Linux distros but is not present in 32-bit Linux distros; because of that, the ESX 3.x Service Console is not affected. Apparently VMware is aware of this and a patch is in the works, so be on the lookout for it and patch your systems immediately. If an attacker were to gain root access to your ESX Service Console, they could easily gain access to all your VMs as well. ESXi systems are not affected at all, as they do not run a full Linux operating system and instead run a small POSIX-based environment that has a smaller attack surface.

Author: esiebert7625 Categories: News

Assigning vSphere security access controls

August 9th, 2010

Security is critical in a vSphere environment. Virtual machine (VM) architecture, access methods and management are much different from those for physical servers. Because VMs are encapsulated into a single file that resides on a shared data store, additional attack vectors need to be secured. Further, any change or operation in a virtual environment can have a ripple effect on the other VMs on the same host, because all of them share common infrastructure components. Consequently, having proper security access controls in place is paramount to protect hosts and their VMs.

Because they have multiple components, virtual environments are secured in layers. You can do much of the work to secure an environment through vCenter Server, which provides centralized authentication and authorization services at many different levels inside vSphere. The vCenter Server access-control model has four main components:

  • Privileges. A privilege enables or denies users access to perform actions in vSphere.
  • Roles. A role is a set of privileges that can be assigned to a user or group.
  • Users and groups. Users and groups, taken from Active Directory (AD) or from local Windows users/groups, are the principals that permissions assign roles to.
  • Permissions. A permission is assigned to an object in vSphere and is composed of users/groups and a role.
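To make the four components and the way they combine concrete, here is a small Python model of that access-control scheme. It is an added example written for this page, not VMware code or a PowerCLI/vSphere API call, and it assumes two vCenter behaviours for illustration: a permission propagates to child objects only when its propagate flag is set, and a permission on the object nearest the target overrides one inherited from higher in the inventory tree. The privilege identifiers follow the dotted vSphere naming scheme; the inventory, roles and users are constructed sample data.

```python
"""Toy model of the vCenter Server access-control components described above.

Added example, not VMware's code. It models privileges, roles, users/groups
and permissions, plus two vCenter rules assumed here for illustration: a
permission propagates to child objects only when its propagate flag is set,
and a permission on the object nearest the target overrides one inherited
from higher in the inventory tree.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Privilege identifiers follow the dotted vSphere naming scheme; the set
# below is constructed for this example, not a full list.
POWER_ON = "VirtualMachine.Interact.PowerOn"
DELETE_VM = "VirtualMachine.Inventory.Delete"
BROWSE_DS = "Datastore.Browse"
VIEW = "System.View"


@dataclass(frozen=True)
class Role:
    """A named set of privileges."""
    name: str
    privileges: FrozenSet[str]


@dataclass(frozen=True)
class User:
    """A user plus the groups it belongs to (AD or local Windows groups)."""
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Permission:
    """A role granted to a user or group name on one inventory object."""
    principal: str
    role: Role
    propagate: bool = True


@dataclass
class InventoryObject:
    """Node in the vCenter inventory tree (datacenter, cluster, VM, ...)."""
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: List[Permission] = field(default_factory=list)


def applicable_permissions(obj: InventoryObject, user: User) -> List[Permission]:
    """Return the permissions that decide access for user on obj.

    Walk from obj toward the root and stop at the first object holding a
    permission for the user or one of their groups (a closer permission
    overrides an inherited one).  Inherited permissions count only if they
    propagate.  On that object, an entry naming the user directly overrides
    entries naming the user's groups.
    """
    node, depth = obj, 0
    while node is not None:
        matches = [
            p for p in node.permissions
            if (p.principal == user.name or p.principal in user.groups)
            and (depth == 0 or p.propagate)
        ]
        if matches:
            direct = [p for p in matches if p.principal == user.name]
            return direct or matches
        node, depth = node.parent, depth + 1
    return []


def effective_privileges(obj: InventoryObject, user: User) -> FrozenSet[str]:
    """Union of the privileges from every applicable permission."""
    privs: set = set()
    for perm in applicable_permissions(obj, user):
        privs |= perm.role.privileges
    return frozenset(privs)


def is_allowed(obj: InventoryObject, user: User, privilege: str) -> bool:
    """True when the user's effective privileges on obj include privilege."""
    return privilege in effective_privileges(obj, user)


def build_demo() -> dict:
    """Constructed inventory: datacenter -> cluster -> one VM."""
    admin = Role("Administrator", frozenset({VIEW, POWER_ON, DELETE_VM, BROWSE_DS}))
    read_only = Role("Read-only", frozenset({VIEW}))
    vm_operator = Role("VM operator", frozenset({VIEW, POWER_ON}))

    dc = InventoryObject("Datacenter")
    cluster = InventoryObject("Cluster01", parent=dc)
    vm = InventoryObject("web01", parent=cluster)

    # Group permissions on the datacenter propagate down the tree.
    dc.permissions += [
        Permission("vi-admins", admin),
        Permission("helpdesk", read_only),
    ]
    # alice (helpdesk) is granted an operator role on a single VM only.
    vm.permissions.append(Permission("alice", vm_operator, propagate=False))

    bob = User("bob", frozenset({"vi-admins"}))
    alice = User("alice", frozenset({"helpdesk"}))

    return {
        "bob_can_delete_vm": is_allowed(vm, bob, DELETE_VM),
        "alice_can_power_on_vm": is_allowed(vm, alice, POWER_ON),
        "alice_can_delete_vm": is_allowed(vm, alice, DELETE_VM),
        "alice_can_power_on_cluster": is_allowed(cluster, alice, POWER_ON),
        "alice_can_view_cluster": is_allowed(cluster, alice, VIEW),
    }


if __name__ == "__main__":
    for check, result in build_demo().items():
        print(f"{check}: {result}")
```

The demo shows the least-privilege pattern the post argues for: the helpdesk group gets a read-only role at the datacenter level, and a single user is elevated only on the one VM she needs, so the elevation neither propagates nor leaks to the cluster.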

Read the full article at searchsystemschannel.com…

Author: esiebert7625 Categories: News

Upcoming webinar on Virtualization Security and Compliance

May 14th, 2009

I received an invite today to an upcoming webinar on Virtualization Security and Compliance that is being given by Reflex Systems. What piqued my interest in it was the speakers and topics: one of the speakers is Rob Randall from VMware, who is their security guru and also happens to reside in my hometown of Denver. The other speaker is Mike Wronski, VP of Product Management for Reflex Systems. One of the topics is VMsafe, which was announced quite a while ago but about which very little actual information has been released. Here’s what will be discussed in the webinar:

  • Leverage VMware’s VMsafe technology in vSphere 4 to achieve greater security in your virtual environment.
  • Use segmentation through Trust Zones and classification to safeguard your virtual data center and manage virtual assets more efficiently.
  • Add a level of security policy enforcement in your virtual environment by using vTrust dynamic policy enforcement technology.
  • Go “beyond the virtual firewall” to apply best practices for specifying policies in a virtual infrastructure.

I’m guessing that Reflex will be showing off and talking about an upcoming product release that leverages the VMsafe APIs that are part of the upcoming vSphere release. Since very little information about VMsafe has been released, I’ll be interested to see how the product utilizes VMsafe to better integrate into ESX. The webinar is Wednesday, May 27th at 2:00pm EST; you can register for it here.

Author: esiebert7625 Categories: News

Security Links

May 11th, 2009

General

vSphere 4.1 Hardening Guide (VMware)
vSphere 4.0 Security Hardening Guide (VMware)
Network Segmentation in Virtualized Environments (VMware)
DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch (VMware)
Anti-Virus Practices for VMware View (VMware)
VMware Fast Path Versus Slow Path Firewalls (chrisbrenton.org)
How to steal a virtual machine and its data in 3 easy steps (SearchVMware)
Five VMware security breaches that should never happen (SearchVMware)
Five ways to maximize VMware hypervisor security (SearchVMware)
VAR concerns and considerations for handling vSphere security: FAQ (SearchSystemsChannel)
VMware releases long-awaited VMsafe security API (SearchSecurity.com)
Safely implementing VMsafe-aware virtual appliances in your data center (SearchVMware)

Compliance

Payment Card Industry Data Security Standard (PCI DSS) Compliance and VMware (VMware)
Achieving Compliance in a Virtualized Environment (VMware)
Virtualization: Security and Compliance Considerations (Webinar) (ConfigureSoft)
How Can You Prove Your Virtualized Environment is PCI Compliant? (Webinar) (ConfigureSoft)
Best Practices for Achieving PCI Compliance in a Virtual Environment (Webinar) (ConfigureSoft)
How Virtualization Affects PCI DSS Part 1: Mapping PCI Requirements and Virtualization (McAfee)
How Virtualization Affects PCI DSS Part 2: A Review of the Top 5 Issues (McAfee)
Security Compliance in a Virtual World (RSA)
IT Audit for the Virtual Environment (SANS)
Meeting the Challenges of Virtualization Security (Trend Micro)

vShield

vShield: Breaking down the VMware security suite (SearchVMware)
Zeroing in on vShield Endpoint and Edge features (SearchVMware)
vShield Manager: Installing VMware’s virtual security appliance (SearchVMware)
Installing VMware vShield Zones for a virtual firewall (SearchVMware)
Top 10 VMware security tips for vShield users (SearchVMware)
vShield products packaging explained (with a focus on vCloud Director) (IT 2.0)
How To Wield the New vShield (Edge, App & Endpoint) (Rational Survivability)
VMware’s (New) vShield: The (Almost) Bottom Line (Rational Survivability)
VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 1 (GeekSilver)
VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 2 (GeekSilver)
VMware vShield Endpoint and Trend Micro Deep Security 7.5 understanding Part 3 (GeekSilver)
VMware vSphere vShield 1.0 design flaw with vCenter as VM? (GeekSilver)
VMware vShield Zones - Reviewers Guide (VMware)
vShield Zones 4.1 FAQ (VMware)
Meet the Engineer: VMware vShield Product Family (YouTube video) (VMware)
vShield Zones: What it is and how it works (Pt. 1) (vShield 1.0) (SearchVMware)
Installing and Configuring vShield Zones (Pt. 2) (vShield 1.0) (SearchVMware)
Quick tips for managing vShield Zones (Pt. 3) (vShield 1.0) (SearchVMware)
Introduction to vShield Zones (vShield 1.0) (VMware)
vShield Zones featured on VMTN Community Roundtable Podcast (Talkshoe)
VMware vShield Zones (Musings of Rodos)
Why use vShield Zones? (Virtualization Pro)

Author: esiebert7625 Categories: vSphere Links

Security Links

May 7th, 2009

General

Security Design of the VMware Infrastructure 3 Architecture
VMware Infrastructure 3 Security Hardening
VMware ESX Server - Providing LUN Security
Security in a Virtualized Environment (VMworld 2007)
Security Architecture Design and Hardening VI3 (VMworld 2007)
VMware’s Security Response Policy
ESX Security White Paper
VI3 Security Risk Assessment Template
Virtualization Security Playbook
Being escorted out of the cave
Security Implications of the Virtual Data Center
Virtualization and Enterprise Configuration Policy Compliance (VMworld 2007)
Using the Secure Technical Implementation Guide (STIG) with VI3 (VMworld 2007)
Proven Practice: 20 Questions from IT Security Professionals
Top 100 Virtualization Security Questions
CPNI Technical Note 1/2009 Security Considerations For Server Virtualization
Virtualization: Disruptive Technologies Video Interview: Part 1 Part 2 Part 3 Part 4
The Four Horsemen of the Virtualization Security Apocalypse
The Four Horsemen of the Virtualization Security Apocalypse (Slides)

ESX Host

CIS ESX Server 3.x Security Benchmark
How to secure your VMware ESX Server
Security Hardening and Monitoring of VMware Infrastructure 3 (VMworld 2007)
ESX Server Security Technical Implementation Guide
Anti-virus software on the VMware ESX Service Console?

Compliance

Surviving Regulatory Compliance in the Virtual Infrastructure (VMworld 2006)
PCI Knowledgebase
How Server Virtualization Impacts Data Security and PCI Compliance
PCI DSS Security Standard
How to Achieve Security and Satisfy Compliance (VMworld 2007)
Best Practices for Surviving Regulatory Compliance (VMworld 2007)
Achieving Compliance in a Virtualized Environment
Ten Steps to Continuous Compliance: Putting in Place an Enterprise-Wide Compliance Strategy
Reducing the Scope of Your PCI Audit: Innovative Network Segmentation Using Host Intrusion Defense
Staying PCI Compliant in Virtual and Physical Environments
Insights from an Auditor: Ensuring a Successful PCI Audit
VMware Compliance Center
How Virtualization affects PCI DSS - Part 1 Mapping PCI Requirements and Virtualization
How Virtualization affects PCI DSS - Part 2 A Review of the Top 5 Issues

DMZ

DMZ Virtualization with VMware Infrastructure
Proven Practice: Choosing a DMZ Strategy
Preventing VMware ESX or ESXi network security breaches in DMZs

Hacking

Subverting the Windows Kernel for Fun and Profit
On the Cutting Edge: Thwarting Virtual Machine Detection
Detecting the Presence of Virtual Machines Using the Local Data Table
Attacks on Virtual Machine Emulators
Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor
Compatibility is Not Transparency: VMM Detection Myths and Realities
An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
Hardware Virtualization Rootkits

Networking

Virtual Switch Security
802.1Q VLAN Security Report
Epiphany: For Network/InfoSec Folks, the Virtualization Security Awareness Problem All Starts With the vSwitch…
Oh Noes: We Can’t Monitor/Protect Against Intra-VM Traffic!
Keeping your VMotion Traffic Secure
Minimizing promiscuous mode port group security breaches
Avoid high-risk data commingling with VMware virtual networks to prevent security vulnerabilities

Virtual Machine

CIS Virtual Machine Security Benchmark
Improving VM Security: Best Practices
Hardening the VMX File
Hardening the VMX File: Redux

Author: esiebert7625 Categories: General/VI3 Links

Top 10 things you must read about VMware Security

April 22nd, 2008

  1. VMware Infrastructure 3 Security Hardening - A white paper from VMware with tips on securing ESX servers, VirtualCenter and Virtual Machines.
  2. Security Design of the VMware Infrastructure 3 Architecture - A white paper from VMware describing the security architecture of VI3 including networking, storage, service console and the hypervisor.
  3. Security Hardening and Monitoring of VMware Infrastructure 3 - A VMworld 2007 lab manual that covers real-world examples of securing VI3.
  4. VMware ESX Server - Providing LUN Security - A white paper from VMware written in response to LUN security concerns that have been raised.
  5. CIS ESX Server 3.x Security Benchmark - Center for Internet Security (CIS) recommended guidelines for securing ESX servers.
  6. CIS Virtual Machine Security Benchmark - Center for Internet Security (CIS) recommended guidelines for securing Virtual Machines.
  7. Security Architecture Design and Hardening VI3 (VMworld 2007) - A VMworld 2007 presentation on the security design of VI3 and recommended hardening steps.
  8. VI3 Security Risk Assessment Template - A great document from Xtravirt to help assess and mitigate security risks with VI3.
  9. Security in a Virtualized Environment (VMworld 2007) - A VMworld 2007 presentation comparing physical to virtual security.
  10. Virtualization Security Playbook - A compilation of 8 good virtual security articles.

Author: esiebert7625 Categories: Top 10 List