An Excellent Risk-Focused Virtualization Security Assessment & Hardening Document
Reader Colin was kind enough to forward me a link to a great security and hardening document which begins to address many of the elements I posted in my recent "Ephiphany…" blog entry regarding virtualization and hardening documentation.
This document was produced by the folks at XtraVirt who describe themselves as "…a company of innovative experts dedicated to VMware virtualisation, storage, operating systems and deployment methods." These guys maintain an impressive cache of tools, whitepapers and commercial products focused on virtualization, many of which are available for download.
I’m rather annoyed and embarrassed that it took me this long to discover this site and its resources!
As a wonderful study in serendipity, I’ve recently signed up to contribute to the follow-on to the CIS Virtualization Benchmark that specifically addresses VMware’s ESX environment. This draft is under construction now, and it represents a good first pass, but continues to need (IMHO) some additional focus on the network/vSwitch elements.
I respectfully suggest that many of the contents of the XtraVirt document, need to make their way into the CIS draft.
One of the other really interesting approaches this document takes is to classify each of the potential hardening elements by risk expressed as a function of threat, likelihood, potential impact and countermeasure as measured against impact to C, I, and A.
Secondly, there is a much-needed section on the VirtualSwitch and network constituent functions.
Here’s the snapshot of the XtraVirt effort:
One of the more difficult challenges found when introducing
virtualisation technologies to a new environment, whether it be your
own or as a consultant to a client, can be gaining the understanding
and support of the IT Security team, especially so if they haven’t been
exposed to virtualisation technologies in the past.As a
Solutions Architect having faced this in this situation on several
occasions and being tied up in weeks of claim and counter-claim about
how secure VMware VI3 was, I tried several approaches; one was to
simply email the published VMware security documents to them, and two
was sit down and explain why and how VI3 was inherently secure.Both
of these approaches could take weeks and at times frustration on both
sides could lead to unnecessary discussions. Although the VMware
documents are excellent and pitched at the right level, I found that
security team engagement could be limited and it wasn’t always enough
to simply provide these on their own as the basis for a solution.So the idea was sown to create the ‘VMware® VI3 Security Risk Assessment Template’ that could be repeatedly used as the basis for any VI3 design submission. There’s
nothing particularly clever about it, the information is already out
there, I just felt it needed to be presented in a customised way for IT
Security review and approval.This MS Word document template is designed to:
· Provide detail of around security measures designed into each major component of VI3
· Provide a ‘best practice’ security framework for VI3 designs that can be repeated again and again
· Detail
real world scenario’s that IT Security personnel can relate to their
environment, including built-in countermeasures and additional
configuration options.· Significantly reduce the time and stress involved with gaining design approvals.
The idea is to take your own VI3 design and apply it to each of the major VI3 components in this template:
· ESX Server – Service Console
· ESX Server – Kernel
· ESX Server – Virtual Networking Layer
· Virtual Machines
· Virtual Storage
· VirtualCenter
This
means that in most cases it’s just a case of filling in the gaps, and
putting a stake in the ground as to which additional configuration
options you wish to implement. In all cases you end up with a
document that should relate to your design and the IT Security teams
have a specific proposal which details all the things they want to see
and understand.The first time I used it (on a
particularly tough Security Advisor who had never seen VMware products
I might add) I had nothing but great feedback which allowed my low
level design to proceed with confidence and saved weeks of explanation
and negotiation.
I’ve reached out to the guys at XtraVirt to both thank them and to gain some additional insight into their work.
I think this is a great effort.
Oh, did you want the link? 😉
/Hoff
Very nice, Hoff, thanks. You know, oftentimes it just plain makes a difference when I see the proposer has done his security homework. If he stands in front of me, sticks his lower lip out, and says, "Don't worry, it's secure" *handwave* — then I reach for my REJECT stamp. If he stares at me as if his IQ has just dropped down into the single digits and mumbles, "Security?" — same thing. But if I get a document that says, "We've thought a lot about the security aspects of what we want to do, and here's what we recommend," and it's halfway reasonable, then I'm much closer to saying yes.
(After I finish the requisite bribe of chocolate, that is.)