Welcome to vSphere-land!

Security is critical in a vSphere environment. Virtual machine (VM) architecture, access methods and management is much different from that for physical servers. Because VMs are encapsulated into a single file that resides on a shared data store, additional attack vectors need to be secured. Further, any change or operation in a virtual environment can have a ripple effect on other residing VMs because all share common infrastructure components. Consequently, having proper security access controls in place is paramount to protect hosts and their VMs.

Because they have multiple components, virtual environments are secured in layers. You can do much of the work to secure an environment through vCenter Server, which provides centralized authentication and authorization services at many different levels inside vSphere. VCenter Server features four main components:

• Privileges. A privilege enables or denies users access to perform actions in vSphere.
• Roles. A role is a set of privileges that can be assigned to a user or group.
• Users and groups. Users and groups are used in permissions to assign roles from Active Directory (AD) or local Windows users/groups.
• Permissions. A permission is assigned to an object in vSphere and is composed of users/groups and a role.

Read the full article at searchsystemschannel.com…

I received an invite today to an upcoming webinar on Virtualization Security and Compliance that is being given by Reflex Systems. What peaked my interest in it was the speakers and topics, one of the speakers is Rob Randall from VMware who is their security guru and also happens to reside in my hometown of Denver. The other speaker is Mike Wronski, VP of Product Management for Reflex Systems. One of the topics is VMsafe which was been announced quite a while ago but very little actual information on it has been released. Here’s what will be discussed in the webinar:

• Leverage VMware’s VMsafe technology in vSphere 4 to achieve greater security in your virtual environment.
• Use segmentation through Trust Zones and classification to safeguard your virtual data center and manage virtual assets more efficiently.
• Add a level of security policy enforcement in your virtual environment by using vTrust dynamic policy enforcement technology.
• Go “beyond the virtual firewall” to apply best practices for specifying policies in a virtual infrastructure.

I’m guessing that Relfex will be showing off and talking about an upcoming product release that leverages the VMsafe API’s that are part of the upcoming vSphere release. Since very little information about VMsafe has been released I’ll be interested to see how the product utilizes VMsafe to better integrate into ESX. The webinar is Wednesday, May. 27th at 2:00pm EST, you can register for it here.

VMware releases long-awaited VMsafe security API (SearchSecurity.com)
DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch (VMware)
Safely implementing VMsafe-aware virtual appliances in your data center (SearchVMware.com)
VMsafe - What is happening? (Run Virtual)

General

Security Design of the Vmware Infrastructure 3 Architecture
VMware Infrastructure 3 Security Hardening
VMware ESX Server - Providing LUN Security
Security in a Virtualized Environment (VMworld 2007)
Security Architecture Design and Hardening VI3 (VMworld 2007)
VMware’s Security Response Policy
ESX Security White Paper
VI3 Security Risk Assessment Template
Virtualization Security Playbook
Being escorted out of the cave
Security Implications of the Virtual Data Center
Virtualization and Enterprise Configuration Policy Compliance (VMworld 2007)
Using the Secure Technical Implementation Guide (STIG) with VI3 (VMworld 2007)
Proven Practice: 20 Questions from IT Security Professionals
Top 100 Virtualization Security Questions
CPNI Technical Note 1/2009 Security Considerations For Server Virtualization
Virtualization: Disruptive Technologies Video Interview: Part 1 Part 2 Part 3 Part 4
The Four Horsemen of the Virtualization Security Apocalypse
The Four Horsemen of the Virtualization Security Apocalypse (Slides)

ESX Host

CIS ESX Server 3.x Security Benchmark
How to secure your VMware ESX Server
Security Hardening and Monitoring of VMware Infrastructure 3 (VMworld 2007)
ESX Server Security Technical Implentation Guide
Anti-virus software on the VMware ESX Service Console?

Compliance

Surviving Regulatory Compliance in the Virtual Infrastructure (VMworld 2006)
PCI Knowledgebase
How Server Virtualization Impacts Data Security and PCI Compliance
PCI DSS Security Standard
How to Achieve Security and Satisfy Compliance (VMworld 2007)
Best Practices for Surviving Regulatory Compliance (VMworld 2007)
Achieving Compliance in a Virtualized Environment
Ten Steps to Continuous Compliance: Putting in Place an Enterprise-Wide Compliance Strategy
Reducing the Scope of Your PCI Audit: Innovative Network Segmentation Using Host Intrusion Defense
Staying PCI Compliant in Virtual and Physical Environments
Insights from an Auditor: Ensuring a Successful PCI Audit
VMware Compliance Center
How Virtualization affects PCI DSS - Part 1 Mapping PCI Requirements and Virtualization
How Virtualization affects PCI DSS - Part 2 A Review of the Top 5 Issues

DMZ

DMZ Virtualization with VMware Infrastructure
Proven Practice: Choosing a DMZ Strategy
Preventing VMware ESX or ESXi network security breaches in DMZs

Hacking

Subverting the Windows Kernel for Fun and Profit
On the Cutting Edge: Thwarting Virtual Machine Detection
Detecting the Presence of Virtual Machines Using the Local Data Table
Attacks on Virtual Machine Emulators
Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor
Compatibility is Not Transparency: VMM Detection Myths and Realities
An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments
Hardware Virtualization Rootkits

Networking

Virtual Switch Security
802.1Q VLAN Security Report
Epiphany: For Network/InfoSec Folks, the Virtualization Security Awareness Problem All Starts With the vSwitch…
Oh Noes: We Can’t Monitor/Protect Against Intra-VM Traffic!
Keeping your Vmotion Traffic Secure
Minimizing promiscuous mode port group security breaches
Avoid high-risk data commingling with VMware virtual networks to prevent security vulnerabilities

Virtual Machine

CIS Virtual Machine Security Benchmark
Improving VM Security: Best Practices
Hardening the VMX File
Hardening the VMX File: Redux

1. VMware Infrastructure 3 Security Hardening - A white paper from VMware with tips on securing ESX servers, VirtualCenter and Virtual Machines.
2. Security Design of the VMware Infrastructure 3 Architecture - A white paper from VMware describing the security architecture of VI3 including networking, storage, service console and the hypervisor.
3. Security Hardening and Monitoring of VMware Infrastructure 3 - A VMworld 2007 lab manual that covers real-world examples of securing VI3.
4. VMware ESX Server - Providing LUN Security - A white paper from VMware written in response to LUN security concerns that have been raised.
5. CIS ESX Server 3.x Security Benchmark - Center for Internet Security (CIS) recommended guidelines for securing ESX servers.
6. CIS Virtual Machine Security Benchmark - Center for Internet Security (CIS) recommended guidelines for securing Virtual Machines.
7. Security Architecture Design and Hardening VI3 (VMworld 2007) - A VMworld 2007 presentation on the security design of VI3 and recommended hardening steps.
8. VI3 Security Risk Assessment Template - A great document from Xtravirt to help assess and mitigate security risks with VI3.
9. Security in a Virtualized Environment (VMworld 2007) - A VMworld 2007 presentation comparing physical to virtual security.
10. Virtualization Security Playbook - A compilation of 8 good virtual security articles.