Pros and Cons of VMware's New Security Guide
VMware has released another hardening guideline, this time for VMware Virtual Infrastructure 3.5. Its guidance can also apply to version 3.0, though. This guide is useful in that it actually looks as ESXi as more than an appliance, as does the ESX Security Technical Implementation Guide from the U.S. Defense Information Systems Administration (DISA), which I discussed a couple of weeks ago.
The new version of VMware's guide is a vast improvement over the older one, but still only looks at a subset of the entire virtual environment and still maintains that a directory service is required to secure VMware VI3 .x but gives no information on how to achieve this security. Just use one and all will be well is not a good game plan- it may leave you even less secure than before.
I may have my sights set a little high on what I'd like to see from a hardening guideline. Chris Hoff at Rational Security certainly thinks so, and others may as well.
But I don't think so. I just expect something that states it is a hardening guide to actually harden the system and provide for me the means to perform these actions.
The new VMware Guide does give much more information about hardening the virtual machine from a VI3 perspective.
The latest VMware Guide also delves into ESXi even more than the DISA/STIG guide and this provides some invaluable information for those using ESXi.
Unfortunately not much has changed with respect to ESX. There is still quite a few hardening steps missing from this guide that are covered in the other guides.
The main bits that are missing are the steps necessary to actually implement the security. For example one heading is to Label Virtual Networks Clearly. Do they imply that we should not use IPAddress in the names, or network names, or what? What is the appropriate labeling for the virtual networks?
I would like to see 3 guides from VMware: One for just VMs (from the perspective of the virtual infrastructure); One for ESXi; and one for ESX. I would like all these guides to actually show me how to secure my systems instead of using general terms.
Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
» posted by ITworld staff
CIO.com
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
