Virtualization Adapted Adapting Business Processes for Virtual Infrastrcuture (and vice-versa)

2009/04/28

VMware Security Compliance Tools

Filed under: virtualization — Tags: , , , , , , , , , — iben @ 10:37
This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
Tools – page 1
Documents – page 2

Tools

Configuresoft

  • Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from www.configuresoft.com. These CP&C Compliance Toolkits include:
  • VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
  • FISMA Compliance Toolkit for Virtual Computing
  • GLBA Compliance Toolkit for Virtual Computing
  • HIPAA Compliance Toolkit for Virtual Computing
  • Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
  • DISA STIG Compliance Toolkit for Virtual Computing
  • http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx

HyTrust

HyTrust Appliance – http://www.hytrust.com/product/overview

  • The HyTrust™ Appliance offers IT managers and administrators of virtual
    infrastructure a centralized, single point of control and visibility for:
  • configuration management
  • compliance auditing
  • access management
  • best practices
  • process workflow
  • security controls

TripWire

http://www.tripwire.com/solutions/virtualization/

ConfigCheck

  • ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
  • ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
    • Ensure recommended ESX configurations
    • Discover possible vulnerabilities
    • Deploy virtualization safely and securely
    • Increase security posture of the entire enterprise
    • Reduce configuration drift
  • http://www.vwire.com/free-tools/configcheck/

VMinformer

  • VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
  • Features:
  • Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
  • Pre-defined policies based on industry best practices (VMware security hardening guide)
  • Policies can be customized for your environment
  • Provides full visibility and monitoring of your ESX hosts and Virtual machines
  • Dashboard – Provides a graphical overview of VM’s and Security Posture
  • Reporting
  • Remediation guidance

Documents

Xtravirt – VI3 Security Risk Assessment

  • 01/05/2008 – V1.0 – 31 pages
  • http://www.xtravirt.com/index.php?option=com_content&task=view&id=99&Itemid=124
  • Globally recognised as thought leaders Xtravirt continually pioneers new ground in virtualization.
  • This Proven Practice was created to assist with the IT security approval process for the design phase of any VI3 implementation. It has been implemented at large security conscious enterprises. It is targeted at virtualisation consultants and IT Security Professionals. It has also been used as a reference in the Center for Internet Security – VMware ESX Server 3.x Benchmark paper
  • The proven practice provides a repeatable template which can be easily tailored to suit any VI3 design and provides an IT security team the key security features of VI3 in a context that they can understand and apply their own criteria.
  • 1. Virtual Infrastructure Risk Assessment Overview
  • 2. ESX Server Service Console
  • 3. ESX Server VMkernel
  • 4. ESX Server Virtual Networking Layer
  • 5. Virtual Machines
  • 6. Virtual Storage
  • 7. VirtualCenter

VMware ESX 3 Security with SSH and SUDO

  • 2008 – 11 pages
  • http://knowledge.xtravirt.com/white-papers/security.html

DISA – ESX Server Secure Technical Implementation Guide (STIG)

DISA – Checklist for ESX Server

  • 7/21/2008 – Version 1 release 1.1 – 165 pages
  • Used by Department of Defense to Audit against the STIG
  • DoD Directive 8500.1 requires that “all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines” and tasks DISA to “develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA.” This document is provided under the authority of DoD Directive 8500.1. The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DoD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing sensitive information.

VMware – VI3 Hardening Guide and Updates

  • 2008 – 18 pages
  • The paper is divided into sections based upon the components of VMware Infrastructure 3:
    • Virtual Machines on page 1
    • Service Console on page 4
    • ESX Server Host on page 13
    • VirtualCenter on page 15
  • The paper also explains in detail the security-related configuration options of the components of VMware Infrastructure 3 and the consequences for security of enabling certain capabilities.
  • CIS (Center for Internet Security) ESX Server Benchmark

    • 10/8/2008 – 70 Pages
    • Version 1.0
    • Published by an independent non-profit organization and developed using a consensus process; this document addresses file permissions, user
      accounts, kernel settings, and a number of other specific ESX
      attributes that can be secured as part of an overall security and
      compliance strategy in virtual server environments.
    • Based on ESX 3.0 – an update for ESX 3.5 in progress then 4.0 vSphere shortly after that.
    • http://www.cisecurity.org/tools2/vm/CIS_VMware_ESX_Server_Benchmark_v1.0.pdf

    NSA – VMware ESX Server 3 Configuration Guide

    • 03/03/08 – 32 pages
    • National Security Agency, Enterprise Applications Division of the Systems and Network Analysis Center (SNAC), Information Assurance Directorate
    • This document is only a guide containing recommended security settings.  It is not meant to replace well-structured policy or sound judgment.  Furthermore this guide does not address site-specific configuration concerns.  Care must be taken when implementing this guide to address local operation and policy concerns.
    • The security changes described in this document apply only to VMware ESX Server 3.0.x and VMware VirtualCenter Server 2.x.
    • In this document, we discuss two use cases for VMware ESX Server: server consolidation and remote access.  The former represents the traditional purpose of server virtualization, and the latter is characterized by the needs of a specialized audience.
    • http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf

    No Comments »

    No comments yet.

    RSS feed for comments on this post. TrackBack URL

    Leave a comment

    You must be logged in to post a comment.

    Powered by WordPress