Resources: Top 50 Virtualization Security

Questions

Security Questions
1. What audits does VMware carry out on its software (independant and internal)?
2. What security framework do the VMware engineers work to?
3. Are VMware products secure by design?
4. Examples of when ESX Server has been compromised?
5. How do ESX Server security features compare to competitor products?
6. Examples of respected industry organizations using ESX Server?
7. What certifications (EAL, FPS) are assigned to which VMware products?
8. What do analysts say about VMware products (like Gartner and Forrester)?
9. What is VMware doing to continuously improve the security of their products?
10. What technology risks should we be concerned with?
11. What operational risks should we be concerned with?
12. How do we securely design ESX Server in our datacenter?
13. How do we securely deploy ESX Server in our datacenter?
14. How do we securely manage ESX Server in our datacenter?
15. What other organizations, similar to ours, are using ESX Server in their datacenter?
16. What compliance standards are applicable to VMware products?
17. Can we use ESX Server in our DMZ?
18. Where can we get help on security from VMware?
19. Where do we get VMware Security Advisories and Alerts from?
20. Where do I send my security questions to?
21. Are Virtual Machines able to communicate with each other other than across a
routable network
22. Is it safe and secure to connect my DMZ ESX host to an internal Fibre Channel
SAN?
23. Is it secure to connect to and use internal LAN iSCSI Storage with a DMZ ESX host?
24. Is Vmotioning across the LAN secure?
25. How do you ensure that only certain administrators can connect to the ESX Service
Console?
26. How do you removed SSH access to the Service Console for Root?
27. Can a SUDO user drop themselves into a Root shell to gain complete access?
28. Can an administrator gain root access to ESX directly via the VI Client when given
the root password for SUDO access?
29. If someone is physically in front of a ESX host can they use the conventional single
user mode to change the root password at grub?

Generated by Clearspace on 2009-08-28-07:00

1
Resources: Top 50 Virtualization Security Questions

30. How can someone identify whether they're running in a VM or not? (This comes in
both flavors - people who want the ability to determine it, and people who want the
ability to hide it)
31. What functions should be on their own out-of-band network (console. VMotion,
etc...)?
32. Is it possible to encrypt vmdk files?
33. What is the vpxuser account used for, and how is it created? (We need to add the
password reset procedure here for the vpxuser account on ESX 3.5?
34. Is there an audit log that can list what user made a change within VC? (i.e. added a
resounce to a VM, powered down or powered on a VM via VC, etc...)
35. Is there any way I can set the retention of the "Events" data in VC? I need to make
sure it is kept for a specific about of time.
36. Whats the difference from a security perspective between the Bare-Metal Platform
(ESX) and the hosted platforms (Workstation, Server, Player)?
37. What are the security advantages of ESXi over classic ESX?
38. How can I monitor traffic between VMs running on the same vSwitch and the same
VLAN with my IDS?
39. What is VMsafe?
40. What ports need to be opened on my firewall when VC and the Service Console are
separated by the firewall?
41. I ran a vulnerability scanner against my ESX host and received the following
findings, what are legitimate and what are false positives?
42. What is the NSA doing with VMware? (NetTop/
43. What is Blue Pill and what does it have to do with VMware Products?
44. How does VMware ESX / VCMS prevent Denial-Of-Service (DoS) attacks, buffer
overflow, etc? (1st at the host level, 2nd at the VM level)
45. How to prevent a VM of DoS, buffer overflow when the VMs reside on the same
VirtualSwitch and same PortGroup?
46. What about other types of attack, what type of attacks will VMware ESX / VCMS
prevent?
47. What about if my Microsoft AD domains dont have trust relations and I want to allow
users from both domains to manage VI platform using VCMS profiles?
48. I want to create ESX profiles (not VCMS profiles) to allow my admins and users to
logon to ESX hosts when for some reason my VCMS goes down. Question is, how
to integrate ESX console with AD and with different non-trusted domains?
49. What about auditing, any integrated solution?

Generated by Clearspace on 2009-08-28-07:00

2
Resources: Top 50 Virtualization Security Questions

Security Answers

1. What audits does VMware carry out on its software?

VMware carries out both internal audits, by it's security and engineering teams, and also
periodical external audits by a leading security organization.

VMware, like other software companies, acts upon the results of these audits in a
timely manner to ensure that its products are as secure as possible. Like other software
companies, VMware does not disclose the results of these audits, but should updates be
required to released products then a security notice and update will be released via the
normal channels.

2. What security framework do the VMware engineers

work to?
VMware engineers, such as those coding the the hypervisor, have security practices built
in to their coding practices. In addition to automated tools imposing security best practices,
engineers have guidelines to follow and review each others' code once checked in. VMware
software engineers value security very highly and dedicate a significant amount of focus
and effort on ensuring code is secure by design and implementation to reduce the risk of
insecure code entering the product line.

3. Are VMware products secure by design?

"Thin" virtualization, found in software such as VMware ESXi 3.5, is the next step in
virtualization, dramatically strengthening security and manageability.

• Reduced size makes the attack surface much smaller, and reduces the potential for
vulnerabilities

• Independence from a parent partition or console based on a general-purpose OS

means far fewer interfaces to exploit and less malware threats, especially important
given the path of device drivers from the VM to the physical hardware

• Unstructured, console-based interaction for administration is replaced by

authenticated and audited interfaces such as the VI Client and the Remote CLI

See Security Design of the VI3 Architecture

Generated by Clearspace on 2009-08-28-07:00

3
Resources: Top 50 Virtualization Security Questions

VMware products have security features at different levels of the product. Here are some
examples:

• Virtual Machines running on an ESX Server are truly isolated from each other, they
cannot see each others' CPU instructions, memory, network or storage, and they do
not share a "parent domain" which is a full OS. The hypervisor can enforce more
restrictive controls on a VM ethernet network by not allowing it to set its MAC to
promiscuous mode, or change the MAC address, or forge the source MAC address.
There are other controls on the interaction between a virtual machine and the
hypervisor such as the ability to copy data between the guest and the host. Please
see the ESX Server hardening guide for more information.

• The hypervisor in ESX Server is custom designed and written specifically to

be a hypervisor - that's why ESXi is only 32MB in size. There is a common
misunderstanding in the industry that "ESX Server is Linux based". This
misunderstanding arises because the Console Operating System (COS) is Linux,
but the COS != Hypervisor. The COS is like a special virtual machine that runs
on top ofthe hypervisor. It is a customized version of RedHat Linux and it's only
purpose is to boot the hardware , pass control to the hypervisor, then provide
administration features such as a command line. The COS has already been
removed from ESXi. For this reason, the security profile of an ESX Server should
be thought of as "COS Security" and "Hypervisor Security". Most of the Security
Notices you see related to ESX Server are actually for the RedHat Linux programs
in the COS, and due to the customized nature of the COS (e.g. COS does not
run BIND) then most of these notices do not apply anyway (but always check

).

VMware advises that because of the administrative nature of the COS that its network port
should be on a secure, separate management network (like other management devices) and
not on the same network as virtual machines.

ESX Server Architecture

4. Examples of when ESX Server has been

compromised?
ESX Server has a very good record of being secure and safe to run your business
applications on, but no (serious) software company will ever claim that their products are
impossible to hack.

Generated by Clearspace on 2009-08-28-07:00

4
Resources: Top 50 Virtualization Security Questions

There have been some unproven claims of being able to hack "VMware products" - often,
these claims are against hosted (i.e. not ESX Server) products, where the compromise is
actually in the host OS (e.g. Windows or Linux) rather than in the VMware software. See
Security Basicsfor a comparison between Hosted and Bare Metal hypervisors (both are
available from VMware, Workstation is an example of Hosted, ESX Server is Bare Metal).

• Read about Blue Pill

• Chris Hoff, the well known IT Security Professional, challenged such a claim at a
recent industry event.

5. How do ESX Server security features compare to

competitor products?
Comparing ESX Server to competitor products is sometimes described as comparing
apples-to-oranges because of the difference in implementation, capability, quality, and
features.

• On major difference in the design of competitor products is the use of a parent

domainin Hyper-V and Citrix Xen. Whilst in ESX Server the custom built hypervisor
does all the heavy lifting, in these other products a full OS like Windows or Linux
is used which significantly increases the security risk profile for all of your virtual
machines who have to rely on this big footprint - will it be secured properly? What
extraneous programs will be running in it? Who will be able to access it, and what
will they do - will the admin even realise this is a Hyper-V or Citrix Xen host? This
could be a particular disaster as administrators fail to realise which machine they
are on (human error is responsible for 40% of downtime according to Gartner) and
make unfortunate changes, such as a reboot? ESX Server is a true virtualization
appliance, much like a Cisco router or fabric switch - it has been built to do one
thing, and notbe a general purpose OS. Gartner is concerned that the Hyper-V
architecture may cause reliability, vulnerability and maintenance issues because of
its dependency on a single copy of Windows Server 2008, and they have stated that
the Hyper-V architecture raises stability, vulnerability and maintenance concerns.
Check Gartner Report ID:G00154925

• One other important difference is the use of drivers. Hyper-V and Citrix Xen claim
that a superior feature of their product is that they can use any driveravailable
for their host OS (windows or linux) thereby allowing their products to run on
many more hardware configurations compared to ESX Server. However, outside
of Microsoft and Citrix this is perceived as a weakness because the majority of
windows blue-screens are caused by driver failures. The code quality of third-party
drivers is much lower than inhouse at Microsoft or Citrix, and they just do not have
the resources to certify all of those drivers, so the risk is significant. VMware has

Generated by Clearspace on 2009-08-28-07:00

5
Resources: Top 50 Virtualization Security Questions

a limited, well established hardware and driver certification program that only
restricts you to the most well known OEMs and the latest most suitable platforms for
high-performance virtualization.

• VMware ESX Server is also Evaluation Assurance Level 4 (EAL4)accredited

which our competitors do not have. Common Criteria is a public certification that
holds great wieght with many governments throughout the world.

• http://www.commoncriteriaportal.org/files/epfiles/vmware-cert-e.pdf

• We have level two and for ACE, FIPS 140.

http://www.vmware.com/security/certifications/

• Roles and permissionsare very fine-grained in VMware Infrastructure, allowing for

secure delegation of control - this isn't available in competitor products. See Roles
and Permissions

• The next exciting addition to the VMware security landscape is VMsafewhich allows
security vendors to do "outside of VM" security operations. This virtual security
technology provides fine-grained visibility over virtual machine resources, making it
possible to monitor every aspect of the execution of the system and stop previously
undetectable viruses, rootkits and malware before they can infect a system. See
VMsafe

6. Examples of respected industry organizations using

ESX Server?
VMware products like ESX Server have been used for years by recognized US military
organizations, and around the world by all of the Fortune 100 organizations and beyond.

Use this Case Studiesresource to find a reference by organization name (you can change
this to find by product, solution and industry if you prefer).

See the NSA Case Study.

DISA wrote the STIG for the US DOD, and the US Marine Core at VMworld 08 in Vegas to
show their global deployment of ESX Server.

Generated by Clearspace on 2009-08-28-07:00

6
Resources: Top 50 Virtualization Security Questions

7. What certifications (EAL, FPS) are assigned to which

VMware products?
• ESX Server is EAL4 certified. http://www.cse-cst.gc.ca/services/ccs/vmware-e.html

• ACE is FIPS 140 certified. http://www.vmware.com/security/certifications/

8. What do analysts say about VMware products (like

Gartner and Forrester)?
There are huge number of documents from Gartner and Forrester on virtualization, VMware
and their competitors - but many of these are only available on a subscription basis and
cannot be repeated here. However, there are some common statements from Gartner in the
industry -

Gartner says that ESX Server is too expensive, but VMware customers get enormous TCO
and ROI benefits from their deployments which makes this claim appear to be a simple
comparison of ESX Server to Hyper-V and Citrix Xen on cost - as already stated, this is an
apples-to-oranges comparison, but even on cost if you look at the per-VM cost then ESX
Server, even ignoring the long list of features it has compared to the limited competition,
then the cost is competitive because you can fit significantly more virtual machines on an
ESX Server compared to the rest.

Gartner is concerned that the Hyper-V architecture may cause reliability, vulnerability
and maintenance issues because of its dependency on a single copy of Windows Server
2008, and they have stated that the Hyper-V architecture raises stability, vulnerability and
maintenance concerns. Check Gartner Report ID:G00154925

9. What is VMware doing to continuously improve the

security of their products?
In addition to the inclusion of fine-grained security controls, such as roles and permissions,
and granular controls on virtual machines such as ethernet controls, VMware is focused
on reducing the security footprint and exposure of their products as well as innovating new
features with partners.

To reduce the footprint, VMware recently released ESXi which shows that the custom built,
"I was born to be a hypervisor" at the heart of ESXi, is only 32MB (compared to the bloated,

Generated by Clearspace on 2009-08-28-07:00

7
Resources: Top 50 Virtualization Security Questions

2GB+ fully-loaded OS's that act as the all-powerful "parent domain" in Hyper-V and Citrix
Xen).

On the innovation front, VMware has worked with partners (e.g. allowing them access to the
ESX Server source code as part of the Community Source program) to develop VMsafe.

10. What technology risks do we have to be concerned

with?
Introduction of a new management layer

Virtualization software, like all other infrastructure software, requires the ability to manage
the components of the solution. This occurs through a management interface which connect
together virtualization hosts, management servers, IP-based storage, and ancillary services
such as authentication and monitoring. Since there is isolation between the virtual machines
and the hypervisors interfaces, the most important step in securing a virtual deployment is to
design and implement a strict separation for the management layer from any other network
traffic. This greatest reduces the possibility of any attacks on a virtual machine affecting the
virtualization layer or any other virtual machine.

Switches and Servers combined into one device

With VMware Infrastructure, not only can you create multiple VMs on a single host but
also virtual networks as well. This is implemented using software layer-2 virtual switches
with enterprise-class features such as VLANs and hardware NIC teaming for availability
and performance. Virtual networking provides a tremendous amount of flexibility and
cost-savings. You can create a switch with as many ports as you needand you can create
a large number of switches. However, there are several aspects of virtual networking that
affect security:

• Lack of intra-server network visibility: Traditional network-based security tools

rely upon access to the traffic traversing physical switches, typically through a
hardware appliance. When the switch is virtual, new solutions must be employed
that access virtual networking traffic, by running in a virtual appliance for example.

• No separation-by-default of administration: In a non-virtual infrastructure at a

large enterprise, the server team is distinct from the network team, which might be
distinct from the security team. With virtualization, a single administrative interface
controls both virtual machines and virtual networks and the separation must be
re-introduced through the proper definition of roles and privileges.

Generated by Clearspace on 2009-08-28-07:00

8
Resources: Top 50 Virtualization Security Questions

• Elevated risk of misconfiguration: The fact that it is possible to have more than
one virtual switch on a host also represents a significant change. Now, instead of
requiring you to physically unplug a network cable from one switch and insert into
another, you can change the virtual switch of a VM with a simple drop-down menu.
This flexibility of course brings about tremendous efficiencies, but it also elevates the
risk of misconfiguration. This must be mitigated through familiar techniques such as
strong change controls and meticulous log and event monitoring.

Information Leakage with VMotion

Some reports have claimed that, because it is possible to read information off a virtual
machine that is in motion from one host to another, this represents a vulnerability.
This misperception arises from ignoring the fact that virtualization inherently involves a
management layer which sits underneath the production virtual machines. The most basic
security best practices dictate that this management layer operate in a dedicated, isolated
environment. Only by violating this fundamental rule would an environment open itself up to
this kind of problems.

Learn more about the Security of VMotion

11. What operational risks do we have to be concerned

with?
Ease of hardware consolidation

The ability to provision VMs quickly enables unprecedented IT responsiveness. But it also
means you might quickly have a proliferation of systems with unknown configurations. This
can be a big issue for large environments with hundreds or thousands of VMs. You can
avoid this by setting up automated means to:

• Keep track of the configuration of the hosts, VMs, and other VMware Infrastructure
objects, such as clusters, resource pools, folders, etc.

• Regularly audit event logs for suspicious or unexpected activity.

• Manage the lifecycle of virtual machines and build in an approval process for better
IT governance

Other issues

• Virtual Machine mobility: The mobility of VMs provides a tremendous boost to

service levels. With VMotion, you can move VMs with greater resource demands

Generated by Clearspace on 2009-08-28-07:00

9
Resources: Top 50 Virtualization Security Questions

to more lightly-loaded server; DRS makes this load balancing automatic. However,
most current security approaches assume that a server is located at a fixed location.
For example, network-based security appliances that do stateful packet inspection
look at traffic on a specific port for a particular server. This model breaks when you
have VMs that can migrate across different physical servers, so new solutions must
be employed which are compatible with this paradigm.

• Virtual Machine Encapsulation: Because a VM is encapsulated in a handful of files,

making copies of them becomes quite easy. This enables standardization, and also
much easier high availability and disaster recovery. However, many security tools,
such as Antivirus and Patch Management, require that the server be up and running
in order to push out updates, and hence this method not work for VMs that are
turned off but may come online again in the future. New approaches can address
this issue, such as offline patching with VMware Update Manager, or in the future,
VMsafe-based host protection without any host-based agents.

For a better appreciation of the big picture of deploying and operationalizing VMware
Infrastructure in the enterprise, read Practical Implementation Strategies.

12. How do we securely design VMware Infrastructure in

our datacenter?
There are well established best practices for designing VMware Infrastructure:

• Separate the COS network from virtual machines - make sure that the COS is
connected through a dedicated virtual switch to physical NICs that are connected to
a secure management network. This management network should not be available
to virtual machines.
• Separate the vMotion network from virtual machines and the management network
- make sure that the vMotion virtual switch is dedicated to this feature and is
connected to a private, flat LAN that is not routable.
• Use storage security such as LAN zoning to isolate ESX Servers to reduce the
visibility of LUNs and the impact of SCSI Bus Resets.
• Design roles and permissions correctly. See Roles and Permissions.

OTHERS TO ADD

REFERENCES

Generated by Clearspace on 2009-08-28-07:00

10
Resources: Top 50 Virtualization Security Questions

13. How do we securely deploy ESX Server in our

datacenter?
• Follow the ESX 3.5 Hardening Guide
• Deploy security notices to be displayed on all VMware products (VirtualCenter and
ESX Server) such as "Message of the Day" banners.

OTHERS TO ADD

REFERENCES

14. How do we securely manage ESX Server in our

datacenter?
• Send logs remotely to a syslog server
• Monitor ESX Server and ensure the alerts are (a) tested regularly, and (b) have
incident management procedures assigned
• Use tools such as ConfigCheck from Tripwire to monitor configurations
• Enforce strict change control windows on Virtual Machines, VirtualCenter and ESX
Servers. Any changes outside the window should be investigate and acted upon.
Change windows should be changed to reflect new features such as zero-downtime
maintenance with vMotion.
• Only deploy virtual machines from certified templates or via certified automated
releases, do not allow uncontrolled deployment and configuration of virtual machines
or hosts.

OTHERS TO ADD

REFERENCES

15. What other organizations, similar to ours, are using

ESX Server in their datacenter?
Use this Case Studies resource to find a reference by name, product, solution or industry.

Generated by Clearspace on 2009-08-28-07:00

11
Resources: Top 50 Virtualization Security Questions

16. What compliance standards are applicable to VMware

products?
VMware Infrastructure is used in environments where Payment Card Industry (PCI) and
other compliance standards apply.

Using VMware VDI and vmSight for Stronger and Sustainable HIPAA and PCI Compliance

17. Can we use ESX Server in our DMZ?

Absolutely. The Choosing a DMZ Strategy document explains your options.

Chris Hoff makes a great DMZ design point - should you share storage between DMZ and
non-DMZ?- something often overlooked in the design stage. Although your virtual machines,
if using virtual disks and not physical RDMs, will be using virtual disks (VMDKs) via the
hypervisor and therefore have only limited read/write access so the risk footprint is small,
you should check out your virtual machine configurations, your storage configurations and
those of your fabric and arrays to ensure the best practices for LUN zoning and masking are
in effect and that the networks are sufficiently isolated and protected.

18. Where can we get help on security from VMware?

VMware have provided an online Security Center.

Check out the VMware Knowledge Base where you can search for "security" and other
topics.

Read the VMware Security Blog.

Subscribe to the VMware Security Feed.

Security services are also available from VMware Professional Services Organization.
Speak with your local VMware representative to find out more.

19. Where do we get Security Advisories from?

To get automatic notifications of new security articles from VMware, please subscribe to the
Security Alert channel on VMware's RSS feed. Whenever a new security article is published,
VMware will announce it on the security channel.

Generated by Clearspace on 2009-08-28-07:00

12
Resources: Top 50 Virtualization Security Questions

The following pages are maintained by the VMware Security Team:

• Read Security Advisories.

• Read Security Alerts.

20. Where do I send my security questions to?

Post questions in the VIOPS Security zone, or send an email to security@vmware.com.

21. Are Virtual Machines able to communicate with each other

other than across a routable network
(Dan Eason)

No, they are completely isolated and not able to physically talk to each other unless they are
connected to the same virtual network, it is also certified by the NSA (need the PDF steve
for linkage).

22. Is it safe and secure to connect my DMZ ESX host to an

internal Fibre Channel SAN?
(Dan Eason)

Yes this is completely secure, best practice is to implement hard zoning on the fabric switch
and remove NPIV configuration to reduce any exposure of the WWID to the VM guest.

23. Is it secure to connect to and use internal LAN iSCSI Storage

with a DMZ ESX host?
(Dan Eason)

Yes, the connected VMkernel will be completely segregated from any routable VM traffic
unless you use the same subnet.

24. Is Vmotioning across the LAN secure?

(Dan Eason)

Generated by Clearspace on 2009-08-28-07:00

13
Resources: Top 50 Virtualization Security Questions

Best practice stipulates VMotion is configured on its own private VLAN and private subnet,
some even go as far as implementing Cross over cables between VMkernel ports. Bearing
in mind that traffic is being transferred across a private network and the threat is within the
chances of this occuring are minimal however it is still best practice to complement VMotion
design with segregation to ensure Quality of service when vmotioning.

25. How do you ensure that only certain administrators can

connect to the ESX Service Console?
(Dan Eason)

Implementing TCP Wrappers ensures only certain IP address or Subnets can connect to the
SSHD and XINETD daemons

26. How do you remove SSH access to the Service Console for
Root?
(Dan Eason)

Root is disabled by default on ESX, creation of a standard user and usage of SUDO will
ensure that any access is logged by the username which is created and given elevated
rights. ESX will extensively log and record any actions that the delegated username
performs.

27. Can a SUDO user drop themselves into a Root shell to gain
complete access?
(Dan Eason)

If the /etc/sudoers file is configured with commands that they are priviledged to run this will
limit them to a subset of commands i.e. ESXCFG Commands.

28. Can an administrator gain root access to ESX directly via the
VI Client when given the root password for SUDO access?
(Dan Eason)

Generated by Clearspace on 2009-08-28-07:00

14
Resources: Top 50 Virtualization Security Questions

If lockdown mode is enabled on the ESX 3.5 host this will remove any rights that root has to
logon to the ESX host directly with the VI Client, this needs to be configured per ESX host.
This is only possible when the ESX host is managed with Virtualcenter.

29. If someone is physically in front of a ESX host can they use

the conventional single user mode to change the root password
at grub?
(Dan Eason)

If someone has broken into your Datacenter, found your ESX host and gained monitor
access (they are super skilled if you have blades), if you have enabled a password on the
GRUB loader they will need to hack this password to obtain access to change the Root
password in Single user mode, instructions on how to do this are available on the grub
manual at http://www.gnu.org/software/grub/manual/html_node/index.html

Added by Rob Randell 12/3/08----

30. How can someone identify whether they're running in a VM

or not? (This comes in both flavors - people who want the ability
to determine it, and people who want the ability to hide it)
With ESX, it's rather obvious. For example, under Windows, go to the Device
Manager and look under Network Adapters --- you'll see VMware Virtual Ethernet
Adapter. We don't try to hide the fact that you're running in a VM. More generally,
other techniques can be used to determine if you're in a VM. One that will
always work is to use an external time source, as mentioned in this blog post:
http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html. Therefore,
there's really no point in trying to hide the fact that you're running in a virtual machine.
In fact, some black-hat hackers have started writing viruses which specifically do
NOT run in VMware, so as to foil virus researchers who use VMs to study them
http://www.informationweek.com/news/showArticle.jhtml?articleID=194500277

Generated by Clearspace on 2009-08-28-07:00

15
Resources: Top 50 Virtualization Security Questions

So, I guess if you virtualize your infrastructure, you lower your risk of infection

31. What functions should be on their own out-of-band network

(console. VMotion, etc...)?
VMotion should be on its own network, because when a VMotion occurs all contents of the
guests memory are transmitted over the wire in the clear.This could contain session keys,
passwords, and many other types of sensitive data.

COS should be on its own network for the same reason that remote access devices in
servers should be.Anyone who gains access to the COS will have full control over all guests
on the system.

NFS and iSCSI should not be on the same network as the VMs that use them if possible
since the VMs could potentially see other VM's disk data. This is less of an issue than the
first two which are critical

32. Is it possible to encrypt vmdk files?

Its possible to encrypt offline vmdk files using normal file encryption methods. If you wish
to ecrypt online vmdk's, then you must use some sort of hardware/SAN based encryption
tool that is transparent to ESX. Decru (NetApp) is a good example of such a tool. The other
option is to use a guest based encryption tool to do either file level or whole disk encryption
on the data inside the vmdk file.

33. What is the vpxuser account used for, and how is it created?
(We need to add the password reset procedure here for the
vpxuser account on ESX 3.5).
VirtualCenter asks for root credentials upon initial connections to an ESX Server, creates a
user called vpxuser with a randomly generated password, and uses the vpxuser account for
subsequent connections and management operations.

The vpxuser account for each ESX server has a unique, 32 character (256 bit) password
that is generated from a cryptographically random string of data that is mapped to a set of
legal password characters. Once generated, the password is encrypted using RSA with
a 1024-bit key and stored securely in the VirtualCenter database. For encryption details
you can examine the certificate in the "Documents and Settings" folder that is applicable
to VirtualCenter (usually at C:\Documents and Settings\AllUsers\ApplicationData\VMware\

Generated by Clearspace on 2009-08-28-07:00

16
Resources: Top 50 Virtualization Security Questions

VMwareVirtualCenter\SSL). The password is also stored encrypted on the host, like any
local account password (see "man 3 crypt" on an ESX box for details).

The vpxuser account is created for VC management when a host is added to VC, and
is used only to authenticate the connection between VC and the ESX host. Entries
corresponding to the account are added to /etc/passwd and /etc/shadow but no process
actually runs as vpxuser on ESX.

The vpxuser password is reset every time a host is added to VirtualCenter. If VirtualCenter
gets disconnected from a host, it will try to reconnect with the vpxuser and password that
is stored encrypted in the VirtualCenter database. If that fails, the user will be prompted
to reenter the root password so we can reset (i.e., auto-generate a new password for the
vpxuser account).

34. Is there an audit log that can list what user made a change
within VC? (i.e. added a resounce to a VM, powered down or
powered on a VM via VC, etc...)
All user activity is logged in VirtualCenter database, and is viewable in the Events tab, from
where you can export them as well.

35. Is there any way I can set the retention of the "Events" data
in VC? I need to make sure it is kept for a specific about of time.
VC Events are stored in the DB indefinitely. Only the most recent 1000 show up in the global
view through the UI, but all of them can be exported to a file through file->export events, or
by clicking on the export events button in the events pane.

Generated by Clearspace on 2009-08-28-07:00

17
Resources: Top 50 Virtualization Security Questions

36. Whats the difference from a security perspective between

the Bare-Metal Platform (ESX) and the hosted platforms
(Workstation, Server, Player)?

37. What are the security advantages of ESXi over classic ESX?

38. How can I monitor traffic between VMs running on the same
vSwitch and the same VLAN with my IDS?

39. What is VMsafe?

VMware VMsafe is a new security technology for virtualized environments that can help to
protect your virtual infrastructure in ways previously not possible with physical machines.
VMsafe provides a unique capability for virtualized environments through an application
program interface (API)-sharing program that enables select partners to develop security
products for VMware environments. The result is an open approach to security that provides
customers with the most secure platform on which they can virtualize their business-critical
applications.

For further details on VMsafe see http://www.vmware.com/technology/security/vmsafe.html

40. What ports need to be opened on my firewall when VC and

the Service Console are separated by the firewall?
Refer to the section "ConnectingtoYourVirtualCenter ServerThroughaFirewall"
on page 77 in Chapter 6 "InstallingVMwareInfrastructureManagement"
of the ESX Server 3 and VirtualCenter Installation Guide at
http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_installation_guide.pdf for
details.

Generated by Clearspace on 2009-08-28-07:00

18
Resources: Top 50 Virtualization Security Questions

41. I ran a vulnerability scanner against my ESX host and

received the following findings, what are legitimate and what are
false positives?

42. What is the NSA doing with VMware? (NetTop/HAP)

43. What is Blue Pill and what does it have to do with VMware
Products?
See question 4.

• Read about Blue Pill

• Chris Hoff, the well known IT Security Professional, challenged such a claim at a
recent industry event.

44. How does VMware ESX / VCMS prevent Denial-Of-Service

(DoS) attacks, buffer overflow, etc? (1st at the host level, 2nd at
the VM level)

45. How to prevent a VM of DoS, buffer overflow when the VMs

reside on the same VirtualSwitch and same PortGroup?

46. What about other types of attack, what type of attacks will
VMware ESX / VCMS prevent?

47. What about if my Microsoft AD domains dont have trust

relations and I want to allow users from both domains to
manage VI platform using VCMS profiles?

48. I want to create ESX profiles (not VCMS profiles) to allow my

admins and users to logon to ESX hosts when for some reason

Generated by Clearspace on 2009-08-28-07:00

19
Resources: Top 50 Virtualization Security Questions

my VCMS goes down. Question is, how to integrate ESX console

with AD and with different non-trusted domains?

49. What about auditing, any integrated solution?

Generated by Clearspace on 2009-08-28-07:00

20