Opinion: Government security guide for VMware ESX helpful but has holes

With security becoming ever more important, I've been reviewing the various guides available to harden the VMware virtual infrastructure.

So far, the results have been disappointing. I've looked at the CISecurity VMware ESX Benchmark and the VMware VI3 Hardening Guidelines.

Now for the Defense Information Systems Agency's (DISA) Security Technical Implementation Guide (STIG). This is a long-awaited document that all levels of the U.S. government will follow to harden and protect their VMware VI3 installations.

DISA publishes a variety of technical implementation guides for different operating systems and other software, each of which offers guidelines on how to set up that particular system to make it as secure as possible. The requirement that sticks out about the guide for ESX, however, is a requirement that ESX installations pass all the technical installation requirements for a Unix system.

That's odd because ESX is not a Unix system. It's not even a real Linux system.

The main component of VI3 is the vmkernel, which is a hypervisor. Yes the service console is Linux or Linux-like, but that is just a small part of the picture. Employing Unix rules for ESX is not a good start. There are too many differences.

The guide does mention that antivirus software is not necessary for ESX. Rather than a solid security analysis, however, the document's given reason for eliminating the need for antivirus is that the recommended tool will not install properly.

Actually, antivirus will install if you created the proper packaging. But that is not a good reason, either way. The real reason to skip antivirus on a VI3 server is that, if configured incorrectly, it will drastically affect performance and throw out false positives at an unusually high rate.

Another issue: The STIG states that virtual machine configuration files should still be world-readable, while the virtual disk should be only owner-readable.

There is often vital information in the configuration including media access control addresses, names and the layout of the virtual hardware. This information should not be world-readable as it can be used to aid in hacking systems.

There are other peculiarities. For example, the STIG does not address Web access, and it has minimal controls regarding VMware ESXi.

When the STIG talks about VMs, however it is missing almost all the isolation tools that would reduce information leakage. The one thing it does address is disabling cut and paste when using the remote consoles. However, this does not disable screen capture and optical character recognition readers to get the data off the remote console.

All in all, the DISA STIG is the most complete guideline I have read. Its coverage of storage, vMotion and virtual networking in general is very good, but it falls flat when discussing the various management avenues for VMware ESX and ESXi.

Virtualization expert Edward L. Haletky is the author of VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers (Pearson Education, 2008.) He recently left Hewlett-Packard Co., where he worked in the virtualization, Linux and high-performance technical computing teams. Haletky owns AstroArch Consulting Inc., which provides virtualization, security and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.

This story, "Opinion: Government security guide for VMware ESX helpful but has holes" was originally published by CIO.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon