This week, I’m pleased to welcome a guest author to our blog: Charu Chaubal of VMware, the author of the VMware Infrastructure 3 Hardening Guide.
As you may know, Tripwire has worked closely with VMware to help make it easier for enterprises to adopt VMware’s recommendations for securely configuring VMware Infrastructure v3 (aka VI3). With that in mind, we thought it might be useful to share VMware’s perspective.
Now, without further ado, here is Charu:
At VMware, we understand that customers need prescriptive guidance on how to deploy and operate a secure virtual environment. On top of the new security aspect that adding a virtualization layer introduces (which seems to be a very active topic of discussion lately), VMware Infrastructure is itself a pretty sophisticated product. Starting at the beginning of 2007, we began to publish various security-related guides, which can all be found at the VMware Security Center. The most important one is the VI3 Security Hardening guide, since a secure foundation is required before anything else. (There are also a number of other guides for securing VI3 from other organizations, such as the Center for Internet Security (CIS) and the Defense Intelligence Security Agency (DISA).)
The latest revision of this guide was published in early July, and accounts for the newest products in the VI3 suite, including ESX 3.5, ESXi 3.5 (now available for free), and VirtualCenter 2.5. We also added more detail in all areas, and introduced new sections, including one on virtual machine configuration parameters and one on client access.
However, we view hardening guides as only part of the story. There needs to be a way to “operationalize” the recommendations, so that they can be implemented in a consistent and repeatable manner. One way to do this is to create your own scripts to analyze the configuration of your ESX hosts and report back any deviations from your approved standard. However, why go through all that effort when you have a great tool like ConfigCheck to do it for you?
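To make the “script it yourself” option concrete, here is an added example (not from the original post, and not VMware’s or Tripwire’s code) of the kind of baseline check the paragraph describes: it parses the `key = "value"` format used by virtual machine configuration (.vmx) files and reports every parameter that is missing or differs from an approved standard. The baseline entries and the sample configuration are constructed for illustration; the authoritative list of parameters and values should come from the hardening guide itself.

```python
"""Baseline compliance check for .vmx-style configuration files.

Added example: parse key = "value" lines, compare them against an approved
baseline, and return each deviation so the check is repeatable across hosts.
"""
import re
from typing import Dict, List, Tuple

# Matches   key = "value"   (quotes optional). Keys may contain dots, colons,
# underscores and dashes, e.g. ".encoding" or "isolation.tools.copy.disable".
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*?)"?\s*$')

# Approved standard: parameter -> required value.
# Illustrative baseline (assumption), not the guide's official list.
BASELINE: Dict[str, str] = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "log.rotateSize": "100000",
}

# Constructed sample configuration; not taken from any real virtual machine.
SAMPLE_VMX = '''\
# constructed sample .vmx content
.encoding = "UTF-8"
config.version = "8"
displayName = "web-01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
log.rotateSize = "100000"
'''


def parse_vmx(text: str) -> Dict[str, str]:
    """Return a dict of settings from .vmx-style text, skipping blanks and # comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_baseline(settings: Dict[str, str],
                   baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, expected, actual) for every deviation from the baseline.

    A parameter absent from the configuration is reported with actual "<missing>".
    Values are compared case-insensitively because .vmx booleans appear as
    TRUE/true interchangeably.
    """
    deviations: List[Tuple[str, str, str]] = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            deviations.append((key, expected, "<missing>"))
        elif actual.upper() != expected.upper():
            deviations.append((key, expected, actual))
    return deviations


def format_report(deviations: List[Tuple[str, str, str]]) -> List[str]:
    """Render deviations as one human-readable line each."""
    return [f"{key}: expected {expected!r}, found {actual!r}"
            for key, expected, actual in deviations]


if __name__ == "__main__":
    found = check_baseline(parse_vmx(SAMPLE_VMX), BASELINE)
    for line in format_report(found):
        print(line)
    print(f"{len(found)} deviation(s) from baseline")
```

Pointing the same check at every host’s VM configuration files, and diffing the reports over time, is what turns a one-off audit into the repeatable process the post is asking for.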
Finally, I want to emphasize that any hardening guide should only be seen as a starting point. Administrators need to check the applicability of each recommendation, since not all of them would be appropriate for their particular environment. If you thoroughly understand a particular risk area, and believe that you have an alternative mitigation to the one listed in a guide, or that the risk is not great in your situation, then you should by all means make your own decision. And, of course, virtualization itself touches all aspects of the IT infrastructure, including storage and networking, and so it is just as important to consult hardening guides for those particular areas in order to address the entire security picture.
About the author: Charu Chaubal is a Senior Architect in Technical Marketing at VMware, where he is chartered with enabling customer adoption and driving key partnerships for datacenter virtualization. His areas of expertise include virtualization security and virtual infrastructure management. Previously, he worked at Sun Microsystems, where he had over 7 years of experience designing and developing distributed resource management and grid infrastructure software solutions.