Tuesday, September 23, 2008




Finally, A Way To Measure Real Security On A Virtual Machine


The Center for Internet Security will be floating an early version of a "hardened" set of security guidelines for VMware's ESX Server.


The upcoming VMworld conference will feature, in addition to a raft of new products, the draft of a guide on how to make virtual machines more secure, addressing one of the most sensitive issues in the burgeoning adoption of virtualization in the data center.


The Center for Internet Security, a non-profit organization that specifies best security practices for Windows and other data center software, will be floating an early version of a "hardened" set of security guidelines for VMware's ESX Server. The center calls its guides benchmarks. They are written with a focus on security performance, not speed, as with other benchmark measures.


The guide was drafted with input from security experts, VMware, Configuresoft, and major virtualization users, said Dave Shackleford, VP of the center, in an interview.


Gartner analyst Neil MacDonald predicts that by 2009, 60% of production virtual machines will be less secure than their physical counterparts. That's because the rapid implementation of virtual machines breaks down some of the old security disciplines in the data center; the separation of duties between server administrators and security administrators is less distinct than with physical servers.


VMware's Virtual Center offers the option of VMotion, or moving a running virtual machine from one physical server to another. After the move, who has primary responsibility for that VM's security?


Many companies can't afford to have their virtual machine hypervisors, which are in direct contact with many system resources, more exposed than their physical machines to intruders or threat of malware.


As a result, the CIS benchmark for ESX Server security is likely to be first in a series of closely examined guides on best practices for implementing virtualization.


When implementing ESX Server, not every system administrator realizes that he's dealing with a version of Red Hat Linux at its core, including Red Hat's /var/log directory, under which Linux product makers can create a directory of information specific to their users. ESX Server does exactly that, creating another log directory beneath the main one that captures key information on how the virtual machines are configured, what operating systems are in use, what error messages have been sent, and how host servers are configured.


"There's a lot of information in those logs that you want to protect," and access to it needs to be granted strictly to those who need to know it, said Shackleford. With no awareness of the ESX Server log file, a server administrator won't set those restrictions, he added.


Linux server administrators may also accept default settings for the net.ipv4 parameters in the Linux kernel. But leaving the parameters untouched can open ESX Server to denial of service attacks, Andrew Bird, VP of marketing at Configuresoft, a supplier of configuration management software, warned in an interview.
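An added example, not from the article or the CIS benchmark, that audits both points above: which entries in a log directory are accessible to non-owners, and which net.ipv4 settings differ from a hardened baseline. The function names and the expected values are assumptions (commonly recommended Linux settings, not values quoted from the benchmark), and the log directory is passed as an argument.

```shell
#!/bin/sh
# Baseline is an assumption: common Linux hardening values for
# DoS-related net.ipv4 keys, not settings quoted from the CIS draft.
EXPECTED="net.ipv4.tcp_syncookies=1 net.ipv4.icmp_echo_ignore_broadcasts=1 \
net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0"

# Print every entry under DIR that grants read, write or execute to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Read "key = value" lines (the format of `sysctl -a`) on stdin and print
# each baseline key whose value is missing or differs from the baseline.
sysctl_deviations() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        {
            line = $0
            gsub(/[ \t]/, "", line)          # "key = value" -> "key=value"
            eq = index(line, "=")
            if (eq > 0) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END {
            for (k in want) {
                if (!(k in have)) {
                    print k ": not set, want " want[k]
                } else if (have[k] != want[k]) {
                    print k ": " have[k] ", want " want[k]
                }
            }
        }' | sort
}

# Constructed sample: an excerpt in `sysctl -a` format with lax values.
SAMPLE='net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 1'
printf '%s\n' "$SAMPLE" | sysctl_deviations

# On a live host: sysctl -a | sysctl_deviations
#                 world_accessible <log directory>
```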


These and other issues are covered in the draft of VMware ESX Server Benchmark Version 1.0. It will cover the 2.5 and 3.0 versions of ESX Server and will be available during VMworld in San Francisco Sept. 11-13 at the Configuresoft booth 1120. CIS is still seeking comment on the draft. The finished benchmark will be available for public download from www.cisecurity.org, the center's Web site, by the end of the month.
