This is a short list of Tools and Documents concerning security in a Virtual Infrastructure.
Tools – page 1
Documents – page 2
Tools
Configuresoft
- Configuresoft’s Center for Policy and Compliance (CP&C) has led the industry in forming opinion and bringing together published security and compliance information to build a rich library of compliance toolkits that are available for download by Configuresoft customers from www.configuresoft.com. These CP&C Compliance Toolkits include:
- VMware Infrastructure 3 Security Hardening Guidelines and VMware Virtual Center Best Practices
- FISMA Compliance Toolkit for Virtual Computing
- GLBA Compliance Toolkit for Virtual Computing
- HIPAA Compliance Toolkit for Virtual Computing
- Sarbanes-Oxley (404) Compliance Toolkit for Virtual Computing
- DISA STIG Compliance Toolkit for Virtual Computing
- http://vmblog.com/archive/2008/04/08/configuresoft-expands-security-and-compliance-coverage-to-include-cis-vmware-esx-3-x-server-benchmark.aspx
HyTrust
HyTrust Appliance – http://www.hytrust.com/product/overview
- The HyTrust™ Appliance offers IT managers and administrators of virtual
infrastructure a centralized, single point of control and visibility for:
- configuration management
- compliance auditing
- access management
- best practices
- process workflow
- security controls
TripWire
http://www.tripwire.com/solutions/virtualization/
ConfigCheck
- ConfigCheck rapidly assesses the security of ESX 3.0 and 3.5 hypervisors compared to the Virtual Infrastructure 3 Security Hardening Guidelines.
- ConfigCheck assesses nearly 100 configurations of the ESX server, and most VI professionals who run the test find significant vulnerabilities. ConfigCheck’s remediation report provides detailed, step-by-step guidance to bring your virtual environment into a state that is secure. ConfigCheck helps you:
- Ensure recommended ESX configurations
- Discover possible vulnerabilities
- Deploy virtualization safely and securely
- Increase security posture of the entire enterprise
- Reduce configuration drift
- http://www.vwire.com/free-tools/configcheck/
VMinformer
- VMinformer is a security tool designed to check the security posture of your VMware environment. The tool comes with pre-defined policies that can be customized to suit your specific requirements and are based on industry best practices such as ‘VMware’s Security best practice hardening guide’ and the ‘DISA ESX STIG’ hardening guide. The policies also contain rules that have been based on extensive research and industry experience.
- Features:
- Connects to your ESX hosts or Virtual Center (v3.0, 3.5 and VC 2.5)
- Pre-defined policies based on industry best practices (VMware security hardening guide)
- Policies can be customized for your environment
- Provides full visibility and monitoring of your ESX hosts and Virtual machines
- Dashboard – Provides a graphical overview of VM’s and Security Posture
- Reporting
- Remediation guidance
Documents
- 4/13/2010 – v4.0
- VMware’s Hardening Guide
- http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html
Xtravirt – VI3 Security Risk Assessment
- 01/05/2008 – V1.0 – 31 pages
- http://www.xtravirt.com/index.php?option=com_content&task=view&id=99&Itemid=124
- Globally recognised as thought leaders Xtravirt continually pioneers new ground in virtualization.
- This Proven Practice was created to assist with the IT security approval process for the design phase of any VI3 implementation. It has been implemented at large security conscious enterprises. It is targeted at virtualisation consultants and IT Security Professionals. It has also been used as a reference in the Center for Internet Security – VMware ESX Server 3.x Benchmark paper
- The proven practice provides a repeatable template which can be easily tailored to suit any VI3 design and provides an IT security team the key security features of VI3 in a context that they can understand and apply their own criteria.
- 1. Virtual Infrastructure Risk Assessment Overview
- 2. ESX Server Service Console
- 3. ESX Server VMkernel
- 4. ESX Server Virtual Networking Layer
- 5. Virtual Machines
- 6. Virtual Storage
- 7. VirtualCenter
VMware ESX 3 Security with SSH and SUDO
- 2008 – 11 pages
- http://knowledge.xtravirt.com/white-papers/security.html
DISA – ESX Server Secure Technical Implementation Guide (STIG)
- 4/28/2008 – Version 1 release 1 – 94 pages
- Developed by Defense Information Systems Agency (DISA) Field Security Operations for the DOD.
- ESX Server infrastructures must provide secure, available, and reliable data for all customers.
This document will assist sites in meeting the minimum requirements, standards, controls, and
options that must be in place for ESX Server infrastructures. - http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
DISA – Checklist for ESX Server
- 7/21/2008 – Version 1 release 1.1 – 165 pages
- Used by Department of Defense to Audit against the STIG
- DoD Directive 8500.1 requires that “all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines” and tasks DISA to “develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA.” This document is provided under the authority of DoD Directive 8500.1. The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DoD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing sensitive information.
VMware – VI3 Hardening Guide and Updates
- Virtual Machines on page 1
- Service Console on page 4
- ESX Server Host on page 13
- VirtualCenter on page 15
CIS (Center for Internet Security) ESX Server Benchmark
- 10/8/2008 – 70 Pages
- Version 1.0
- Published by an independent non-profit organization and developed using a consensus process; this document addresses file permissions, user
accounts, kernel settings, and a number of other specific ESX
attributes that can be secured as part of an overall security and
compliance strategy in virtual server environments. - Based on ESX 3.0 – an update for ESX 3.5 in progress then 4.0 vSphere shortly after that.
- http://www.cisecurity.org/tools2/vm/CIS_VMware_ESX_Server_Benchmark_v1.0.pdf
NSA – VMware ESX Server 3 Configuration Guide
- 03/03/08 – 32 pages
- National Security Agency, Enterprise Applications Division of the Systems and Network Analysis Center (SNAC), Information Assurance Directorate
- This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Care must be taken when implementing this guide to address local operation and policy concerns.
- The security changes described in this document apply only to VMware ESX Server 3.0.x and VMware VirtualCenter Server 2.x.
- In this document, we discuss two use cases for VMware ESX Server: server consolidation and remote access. The former represents the traditional purpose of server virtualization, and the latter is characterized by the needs of a specialized audience.
- http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf