Reader Colin was kind enough to forward me a link to a great security and hardening document which begins to address many of the elements I posted in my recent "Ephiphany..." blog entry regarding virtualization and hardening documentation.
This document was produced by the folks at XtraVirt who describe themselves as "...a company of innovative experts dedicated to VMware virtualisation, storage, operating systems and deployment methods." These guys maintain an impressive cache of tools, whitepapers and commercial products focused on virtualization, many of which are available for download.
I'm rather annoyed and embarrassed that it took me this long to discover this site and its resources!
As a wonderful study in serendipity, I've recently signed up to contribute to the follow-on to the CIS Virtualization Benchmark that specifically addresses VMware's ESX environment. This draft is under construction now, and it represents a good first pass, but continues to need (IMHO) some additional focus on the network/vSwitch elements.
I respectfully suggest that many of the contents of the XtraVirt document, need to make their way into the CIS draft.
One of the other really interesting approaches this document takes is to classify each of the potential hardening elements by risk expressed as a function of threat, likelihood, potential impact and countermeasure as measured against impact to C, I, and A.
Secondly, there is a much-needed section on the VirtualSwitch and network constituent functions.
Here's the snapshot of the XtraVirt effort:
One of the more difficult challenges found when introducing virtualisation technologies to a new environment, whether it be your own or as a consultant to a client, can be gaining the understanding and support of the IT Security team, especially so if they haven’t been exposed to virtualisation technologies in the past.
As a Solutions Architect having faced this in this situation on several occasions and being tied up in weeks of claim and counter-claim about how secure VMware VI3 was, I tried several approaches; one was to simply email the published VMware security documents to them, and two was sit down and explain why and how VI3 was inherently secure.
Both of these approaches could take weeks and at times frustration on both sides could lead to unnecessary discussions. Although the VMware documents are excellent and pitched at the right level, I found that security team engagement could be limited and it wasn’t always enough to simply provide these on their own as the basis for a solution.
So the idea was sown to create the ‘VMware® VI3 Security Risk Assessment Template’ that could be repeatedly used as the basis for any VI3 design submission. There’s nothing particularly clever about it, the information is already out there, I just felt it needed to be presented in a customised way for IT Security review and approval.
This MS Word document template is designed to:
· Provide detail of around security measures designed into each major component of VI3
· Provide a ‘best practice’ security framework for VI3 designs that can be repeated again and again
· Detail real world scenario’s that IT Security personnel can relate to their environment, including built-in countermeasures and additional configuration options.
· Significantly reduce the time and stress involved with gaining design approvals.
The idea is to take your own VI3 design and apply it to each of the major VI3 components in this template:
· ESX Server – Service Console
· ESX Server – Kernel
· ESX Server – Virtual Networking Layer
· Virtual Machines
· Virtual Storage
This means that in most cases it’s just a case of filling in the gaps, and putting a stake in the ground as to which additional configuration options you wish to implement. In all cases you end up with a document that should relate to your design and the IT Security teams have a specific proposal which details all the things they want to see and understand.
The first time I used it (on a particularly tough Security Advisor who had never seen VMware products I might add) I had nothing but great feedback which allowed my low level design to proceed with confidence and saved weeks of explanation and negotiation.
I've reached out to the guys at XtraVirt to both thank them and to gain some additional insight into their work.
I think this is a great effort.
Oh, did you want the link? ;)