Opinion: Virtualization security assessment guides inadequate

We've already discussed the relative lack of tools to secure virtualized servers and infrastructures, the problems inherent in adding bolt-on tools, risks in connecting a VM to the wrong part of a network and other security issues.

What we haven't discussed is what tools are available for administrators or security specialists evaluating their own security situation.

Like other virtual security tool categories, virtual security assessment tools are absent or inadequate.

There are, however, three guides to help administrators do their own virtual security assessments, although there are no tools that implement any of these guidelines fully. The problem with the guidelines and the tools is that they are mainly Linux-specific and not really geared towards problems with general virtualization security.

The current tools and guides mainly concern security in the management console, not necessarily checking for security problems within the infrastructure. But first we should look at the current batch of guides available.

The first is from VMware, and is the company's document for hardening the security of your VMware ESX/ESXi host. However, I disagree with some of the items in this guide.

The main issue is the assumption that you require some form of centralized password server like Active Directory or LDAP. Not only do these not provide adequate security, but not everyone has a centralized password server or wants to implement one.

Also, unless you are using Secure LDAP -- rather than regular LDAP -- you will run into issues where the password is sent in clear text. My opinion is that this is really a choice you make and not a requirement.

The second guide is from the U.S. Defense Department's Defense Information Systems Agency (DISA), though this guide is not yet publically available. There is some discussion about both its availability and specifics on the VMware Communities Security and Compliance forum. In addition to being hard to get, VMware Communities posters write that it's largely *NIX-based, and not specifically for ESX.

The last guide is from the Center for Internet Security, a nonprofit membership organization formed to help members codify and improve their electronic security. The CISecurity guide is a version of the group's Linux guide, adapted to fit VMware ESX, though it still does not address items specific to ESX.

VMware's guide is the closest to one that looks at an entire virtualized environment, but it only mentions one or two specific elements about virtualization. These elements relate to the internal settings for virtual NICs and capabilities that can be used when connected virtual switches: promiscuous mode, Mac spoofing or address spoofing.

Within ESX, promiscuous mode is disabled by default. However, the others are not disabled and need to be dealt with properly. There is no mention of network isolation, guest isolation settings or the proper configuration of Active Directory, if it's even in use in a particular installation.

There is more to assessing the security of a virtual environment then the current batch of guidelines and tools cover.

Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers, Pearson Education (2008.) He recently left Hewlett-Packard Co., where he worked on virtualization, Linux and high-performance technical computing teams. Haletky owns AstroArch Consulting, providing virtualization, security and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.

This story, "Opinion: Virtualization security assessment guides inadequate" was originally published by CIO.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon