- Microsoft lays out SQL Server road map
- Credit card skimming
- Nortel's stock market capitalization plummets
- The Obama campaign's Search Engine to Nowhere
- Will Apple be forced to make more money?
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
With security becoming ever more important, I've been reviewing the various guides available to harden the VMware Virtual Infrastructure.
So far the results have been disappointing, though I've looked at the CISecurity VMware ESX Benchmark and the VMware VI3 Hardening Guidelines. Now for the US Government's Defense Information Systems Agency's Security Technical Implementation Guide (STIG)-a long-awaited document that all levels of the U.S. government will follow to harden and protect their VMware VI3 installations.
DISA publishes a variety of technical implementation guides for different operating systems and other software, each of which offers guidelines on how to set up that particular system to make it as secure as possible. The requirement that sticks out about the guide for ESX, however, is a requirement that ESX installations pass all the technical installation requirements for a Unix system.
That's odd because ESX is not a Unix system. It's not even a real Linux system.
The main component of VI3 is the vmkernel which is a hypervisor. Yes the SC (service console) is LINUX or LINUX like, but that is just a small part of the picture. Employing UNIX rules for ESX is not a good start. There are too many differences.
The guide does mention that antivirus software is not necessary for ESX. Rather than a solid security analysis, however, the document's given reason for eliminating the need for antivirus is that the recommended tool will not install properly.
Actually, antivirus will install if you created the proper packaging. But that is not a good reason either way. The real reason to skip antivirus on a VI3 server is that, if configured incorrectly, it will drastically impact performance and throw out false positives at an unusually high rate.
Another issue: the STIG states that VM configuration files should still be world-readable while the virtual disk should be only owner-readable.
There is often vital information in the configuration including MAC addresses, names, and the layout of the virtual hardware. This information should not be world-readable as it can be used to aid in hacking systems.
There are other peculiarities; for example, the STIG does not address Web Access, and has minimal controls regarding VMware ESXi.
Rss FeedRss Feed
Microsoft SQL Sever's relatively low cost, steadily increasing capabilities and ease of deployment...
HP Polyserve software for SQL ServerThe success of SQL Server has given rise, to a huge growth in the number of servers dedicated to...
Easing the Migration to Microsoft SQL Server 2005There are many business and technological reasons for making the move to SQL Server 2005 and SQL...
Microsoft SQL Server has enjoyed phenomenal success as a database server. Its relatively low cost,...
Minimizing the Risk of Information Security Breaches: Best Practices for SOA Governance and Compliance - Live October 21Today's enterprises face more information security risks and vulnerabilities than ever before....
Migrating to Windows Vista: Necessity and OpportunityThe Vista era of Windows is here. Yet most organizations will retain Windows XP alongside new Vista...
Discover why Unified Threat Management Firewalls are ready for the enterprise today. High...
The Evolution of Network SecurityWe have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment