Professional Documents
Culture Documents
Questions
Security Questions
1. What audits does VMware carry out on its software (independant and internal)?
2. What security framework do the VMware engineers work to?
3. Are VMware products secure by design?
4. Examples of when ESX Server has been compromised?
5. How do ESX Server security features compare to competitor products?
6. Examples of respected industry organizations using ESX Server?
7. What certifications (EAL, FPS) are assigned to which VMware products?
8. What do analysts say about VMware products (like Gartner and Forrester)?
9. What is VMware doing to continuously improve the security of their products?
10. What technology risks should we be concerned with?
11. What operational risks should we be concerned with?
12. How do we securely design ESX Server in our datacenter?
13. How do we securely deploy ESX Server in our datacenter?
14. How do we securely manage ESX Server in our datacenter?
15. What other organizations, similar to ours, are using ESX Server in their datacenter?
16. What compliance standards are applicable to VMware products?
17. Can we use ESX Server in our DMZ?
18. Where can we get help on security from VMware?
19. Where do we get VMware Security Advisories and Alerts from?
20. Where do I send my security questions to?
21. Are Virtual Machines able to communicate with each other other than across a
routable network
22. Is it safe and secure to connect my DMZ ESX host to an internal Fibre Channel
SAN?
23. Is it secure to connect to and use internal LAN iSCSI Storage with a DMZ ESX host?
24. Is Vmotioning across the LAN secure?
25. How do you ensure that only certain administrators can connect to the ESX Service
Console?
26. How do you removed SSH access to the Service Console for Root?
27. Can a SUDO user drop themselves into a Root shell to gain complete access?
28. Can an administrator gain root access to ESX directly via the VI Client when given
the root password for SUDO access?
29. If someone is physically in front of a ESX host can they use the conventional single
user mode to change the root password at grub?
30. How can someone identify whether they're running in a VM or not? (This comes in
both flavors - people who want the ability to determine it, and people who want the
ability to hide it)
31. What functions should be on their own out-of-band network (console. VMotion,
etc...)?
32. Is it possible to encrypt vmdk files?
33. What is the vpxuser account used for, and how is it created? (We need to add the
password reset procedure here for the vpxuser account on ESX 3.5?
34. Is there an audit log that can list what user made a change within VC? (i.e. added a
resounce to a VM, powered down or powered on a VM via VC, etc...)
35. Is there any way I can set the retention of the "Events" data in VC? I need to make
sure it is kept for a specific about of time.
36. Whats the difference from a security perspective between the Bare-Metal Platform
(ESX) and the hosted platforms (Workstation, Server, Player)?
37. What are the security advantages of ESXi over classic ESX?
38. How can I monitor traffic between VMs running on the same vSwitch and the same
VLAN with my IDS?
39. What is VMsafe?
40. What ports need to be opened on my firewall when VC and the Service Console are
separated by the firewall?
41. I ran a vulnerability scanner against my ESX host and received the following
findings, what are legitimate and what are false positives?
42. What is the NSA doing with VMware? (NetTop/
43. What is Blue Pill and what does it have to do with VMware Products?
44. How does VMware ESX / VCMS prevent Denial-Of-Service (DoS) attacks, buffer
overflow, etc? (1st at the host level, 2nd at the VM level)
45. How to prevent a VM of DoS, buffer overflow when the VMs reside on the same
VirtualSwitch and same PortGroup?
46. What about other types of attack, what type of attacks will VMware ESX / VCMS
prevent?
47. What about if my Microsoft AD domains dont have trust relations and I want to allow
users from both domains to manage VI platform using VCMS profiles?
48. I want to create ESX profiles (not VCMS profiles) to allow my admins and users to
logon to ESX hosts when for some reason my VCMS goes down. Question is, how
to integrate ESX console with AD and with different non-trusted domains?
49. What about auditing, any integrated solution?
Security Answers
VMware, like other software companies, acts upon the results of these audits in a
timely manner to ensure that its products are as secure as possible. Like other software
companies, VMware does not disclose the results of these audits, but should updates be
required to released products then a security notice and update will be released via the
normal channels.
• Reduced size makes the attack surface much smaller, and reduces the potential for
vulnerabilities
VMware products have security features at different levels of the product. Here are some
examples:
• Virtual Machines running on an ESX Server are truly isolated from each other, they
cannot see each others' CPU instructions, memory, network or storage, and they do
not share a "parent domain" which is a full OS. The hypervisor can enforce more
restrictive controls on a VM ethernet network by not allowing it to set its MAC to
promiscuous mode, or change the MAC address, or forge the source MAC address.
There are other controls on the interaction between a virtual machine and the
hypervisor such as the ability to copy data between the guest and the host. Please
see the ESX Server hardening guide for more information.
).
VMware advises that because of the administrative nature of the COS that its network port
should be on a secure, separate management network (like other management devices) and
not on the same network as virtual machines.
There have been some unproven claims of being able to hack "VMware products" - often,
these claims are against hosted (i.e. not ESX Server) products, where the compromise is
actually in the host OS (e.g. Windows or Linux) rather than in the VMware software. See
Security Basicsfor a comparison between Hosted and Bare Metal hypervisors (both are
available from VMware, Workstation is an example of Hosted, ESX Server is Bare Metal).
• One other important difference is the use of drivers. Hyper-V and Citrix Xen claim
that a superior feature of their product is that they can use any driveravailable
for their host OS (windows or linux) thereby allowing their products to run on
many more hardware configurations compared to ESX Server. However, outside
of Microsoft and Citrix this is perceived as a weakness because the majority of
windows blue-screens are caused by driver failures. The code quality of third-party
drivers is much lower than inhouse at Microsoft or Citrix, and they just do not have
the resources to certify all of those drivers, so the risk is significant. VMware has
a limited, well established hardware and driver certification program that only
restricts you to the most well known OEMs and the latest most suitable platforms for
high-performance virtualization.
• http://www.commoncriteriaportal.org/files/epfiles/vmware-cert-e.pdf
• The next exciting addition to the VMware security landscape is VMsafewhich allows
security vendors to do "outside of VM" security operations. This virtual security
technology provides fine-grained visibility over virtual machine resources, making it
possible to monitor every aspect of the execution of the system and stop previously
undetectable viruses, rootkits and malware before they can infect a system. See
VMsafe
Use this Case Studiesresource to find a reference by organization name (you can change
this to find by product, solution and industry if you prefer).
DISA wrote the STIG for the US DOD, and the US Marine Core at VMworld 08 in Vegas to
show their global deployment of ESX Server.
Gartner says that ESX Server is too expensive, but VMware customers get enormous TCO
and ROI benefits from their deployments which makes this claim appear to be a simple
comparison of ESX Server to Hyper-V and Citrix Xen on cost - as already stated, this is an
apples-to-oranges comparison, but even on cost if you look at the per-VM cost then ESX
Server, even ignoring the long list of features it has compared to the limited competition,
then the cost is competitive because you can fit significantly more virtual machines on an
ESX Server compared to the rest.
Gartner is concerned that the Hyper-V architecture may cause reliability, vulnerability
and maintenance issues because of its dependency on a single copy of Windows Server
2008, and they have stated that the Hyper-V architecture raises stability, vulnerability and
maintenance concerns. Check Gartner Report ID:G00154925
To reduce the footprint, VMware recently released ESXi which shows that the custom built,
"I was born to be a hypervisor" at the heart of ESXi, is only 32MB (compared to the bloated,
2GB+ fully-loaded OS's that act as the all-powerful "parent domain" in Hyper-V and Citrix
Xen).
On the innovation front, VMware has worked with partners (e.g. allowing them access to the
ESX Server source code as part of the Community Source program) to develop VMsafe.
Virtualization software, like all other infrastructure software, requires the ability to manage
the components of the solution. This occurs through a management interface which connect
together virtualization hosts, management servers, IP-based storage, and ancillary services
such as authentication and monitoring. Since there is isolation between the virtual machines
and the hypervisors interfaces, the most important step in securing a virtual deployment is to
design and implement a strict separation for the management layer from any other network
traffic. This greatest reduces the possibility of any attacks on a virtual machine affecting the
virtualization layer or any other virtual machine.
With VMware Infrastructure, not only can you create multiple VMs on a single host but
also virtual networks as well. This is implemented using software layer-2 virtual switches
with enterprise-class features such as VLANs and hardware NIC teaming for availability
and performance. Virtual networking provides a tremendous amount of flexibility and
cost-savings. You can create a switch with as many ports as you needand you can create
a large number of switches. However, there are several aspects of virtual networking that
affect security:
• Elevated risk of misconfiguration: The fact that it is possible to have more than
one virtual switch on a host also represents a significant change. Now, instead of
requiring you to physically unplug a network cable from one switch and insert into
another, you can change the virtual switch of a VM with a simple drop-down menu.
This flexibility of course brings about tremendous efficiencies, but it also elevates the
risk of misconfiguration. This must be mitigated through familiar techniques such as
strong change controls and meticulous log and event monitoring.
Some reports have claimed that, because it is possible to read information off a virtual
machine that is in motion from one host to another, this represents a vulnerability.
This misperception arises from ignoring the fact that virtualization inherently involves a
management layer which sits underneath the production virtual machines. The most basic
security best practices dictate that this management layer operate in a dedicated, isolated
environment. Only by violating this fundamental rule would an environment open itself up to
this kind of problems.
The ability to provision VMs quickly enables unprecedented IT responsiveness. But it also
means you might quickly have a proliferation of systems with unknown configurations. This
can be a big issue for large environments with hundreds or thousands of VMs. You can
avoid this by setting up automated means to:
• Keep track of the configuration of the hosts, VMs, and other VMware Infrastructure
objects, such as clusters, resource pools, folders, etc.
• Manage the lifecycle of virtual machines and build in an approval process for better
IT governance
Other issues
to more lightly-loaded server; DRS makes this load balancing automatic. However,
most current security approaches assume that a server is located at a fixed location.
For example, network-based security appliances that do stateful packet inspection
look at traffic on a specific port for a particular server. This model breaks when you
have VMs that can migrate across different physical servers, so new solutions must
be employed which are compatible with this paradigm.
For a better appreciation of the big picture of deploying and operationalizing VMware
Infrastructure in the enterprise, read Practical Implementation Strategies.
• Separate the COS network from virtual machines - make sure that the COS is
connected through a dedicated virtual switch to physical NICs that are connected to
a secure management network. This management network should not be available
to virtual machines.
• Separate the vMotion network from virtual machines and the management network
- make sure that the vMotion virtual switch is dedicated to this feature and is
connected to a private, flat LAN that is not routable.
• Use storage security such as LAN zoning to isolate ESX Servers to reduce the
visibility of LUNs and the impact of SCSI Bus Resets.
• Design roles and permissions correctly. See Roles and Permissions.
OTHERS TO ADD
REFERENCES
OTHERS TO ADD
REFERENCES
OTHERS TO ADD
REFERENCES
Using VMware VDI and vmSight for Stronger and Sustainable HIPAA and PCI Compliance
Chris Hoff makes a great DMZ design point - should you share storage between DMZ and
non-DMZ?- something often overlooked in the design stage. Although your virtual machines,
if using virtual disks and not physical RDMs, will be using virtual disks (VMDKs) via the
hypervisor and therefore have only limited read/write access so the risk footprint is small,
you should check out your virtual machine configurations, your storage configurations and
those of your fabric and arrays to ensure the best practices for LUN zoning and masking are
in effect and that the networks are sufficiently isolated and protected.
Check out the VMware Knowledge Base where you can search for "security" and other
topics.
Security services are also available from VMware Professional Services Organization.
Speak with your local VMware representative to find out more.
No, they are completely isolated and not able to physically talk to each other unless they are
connected to the same virtual network, it is also certified by the NSA (need the PDF steve
for linkage).
Yes this is completely secure, best practice is to implement hard zoning on the fabric switch
and remove NPIV configuration to reduce any exposure of the WWID to the VM guest.
Yes, the connected VMkernel will be completely segregated from any routable VM traffic
unless you use the same subnet.
Best practice stipulates VMotion is configured on its own private VLAN and private subnet,
some even go as far as implementing Cross over cables between VMkernel ports. Bearing
in mind that traffic is being transferred across a private network and the threat is within the
chances of this occuring are minimal however it is still best practice to complement VMotion
design with segregation to ensure Quality of service when vmotioning.
Implementing TCP Wrappers ensures only certain IP address or Subnets can connect to the
SSHD and XINETD daemons
26. How do you remove SSH access to the Service Console for
Root?
(Dan Eason)
Root is disabled by default on ESX, creation of a standard user and usage of SUDO will
ensure that any access is logged by the username which is created and given elevated
rights. ESX will extensively log and record any actions that the delegated username
performs.
27. Can a SUDO user drop themselves into a Root shell to gain
complete access?
(Dan Eason)
If the /etc/sudoers file is configured with commands that they are priviledged to run this will
limit them to a subset of commands i.e. ESXCFG Commands.
28. Can an administrator gain root access to ESX directly via the
VI Client when given the root password for SUDO access?
(Dan Eason)
If lockdown mode is enabled on the ESX 3.5 host this will remove any rights that root has to
logon to the ESX host directly with the VI Client, this needs to be configured per ESX host.
This is only possible when the ESX host is managed with Virtualcenter.
If someone has broken into your Datacenter, found your ESX host and gained monitor
access (they are super skilled if you have blades), if you have enabled a password on the
GRUB loader they will need to hack this password to obtain access to change the Root
password in Single user mode, instructions on how to do this are available on the grub
manual at http://www.gnu.org/software/grub/manual/html_node/index.html
So, I guess if you virtualize your infrastructure, you lower your risk of infection
COS should be on its own network for the same reason that remote access devices in
servers should be.Anyone who gains access to the COS will have full control over all guests
on the system.
NFS and iSCSI should not be on the same network as the VMs that use them if possible
since the VMs could potentially see other VM's disk data. This is less of an issue than the
first two which are critical
33. What is the vpxuser account used for, and how is it created?
(We need to add the password reset procedure here for the
vpxuser account on ESX 3.5).
VirtualCenter asks for root credentials upon initial connections to an ESX Server, creates a
user called vpxuser with a randomly generated password, and uses the vpxuser account for
subsequent connections and management operations.
The vpxuser account for each ESX server has a unique, 32 character (256 bit) password
that is generated from a cryptographically random string of data that is mapped to a set of
legal password characters. Once generated, the password is encrypted using RSA with
a 1024-bit key and stored securely in the VirtualCenter database. For encryption details
you can examine the certificate in the "Documents and Settings" folder that is applicable
to VirtualCenter (usually at C:\Documents and Settings\AllUsers\ApplicationData\VMware\
VMwareVirtualCenter\SSL). The password is also stored encrypted on the host, like any
local account password (see "man 3 crypt" on an ESX box for details).
The vpxuser account is created for VC management when a host is added to VC, and
is used only to authenticate the connection between VC and the ESX host. Entries
corresponding to the account are added to /etc/passwd and /etc/shadow but no process
actually runs as vpxuser on ESX.
The vpxuser password is reset every time a host is added to VirtualCenter. If VirtualCenter
gets disconnected from a host, it will try to reconnect with the vpxuser and password that
is stored encrypted in the VirtualCenter database. If that fails, the user will be prompted
to reenter the root password so we can reset (i.e., auto-generate a new password for the
vpxuser account).
34. Is there an audit log that can list what user made a change
within VC? (i.e. added a resounce to a VM, powered down or
powered on a VM via VC, etc...)
All user activity is logged in VirtualCenter database, and is viewable in the Events tab, from
where you can export them as well.
35. Is there any way I can set the retention of the "Events" data
in VC? I need to make sure it is kept for a specific about of time.
VC Events are stored in the DB indefinitely. Only the most recent 1000 show up in the global
view through the UI, but all of them can be exported to a file through file->export events, or
by clicking on the export events button in the events pane.
37. What are the security advantages of ESXi over classic ESX?
38. How can I monitor traffic between VMs running on the same
vSwitch and the same VLAN with my IDS?
43. What is Blue Pill and what does it have to do with VMware
Products?
See question 4.
46. What about other types of attack, what type of attacks will
VMware ESX / VCMS prevent?