- FBI warns Hit Man e-mail scammer back
- 20 tech habits to improve your life
- Industry mourns slain Cisco exec
- 10 Firefox add-ons for better browsing
- Wireless LANs face scaling challenges
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
With security becoming ever more important, I've been reviewing the various guides available to harden the VMware Virtual Infrastructure.
So far the results have been disappointing, though I've looked at the CISecurity VMware ESX Benchmark and the VMware VI3 Hardening Guidelines. Now for the US Government's Defense Information Systems Agency's Security Technical Implementation Guide (STIG)-a long-awaited document that all levels of the U.S. government will follow to harden and protect their VMware VI3 installations.
DISA publishes a variety of technical implementation guides for different operating systems and other software, each of which offers guidelines on how to set up that particular system to make it as secure as possible. The requirement that sticks out about the guide for ESX, however, is a requirement that ESX installations pass all the technical installation requirements for a Unix system.
That's odd because ESX is not a Unix system. It's not even a real Linux system.
The main component of VI3 is the vmkernel which is a hypervisor. Yes the SC (service console) is LINUX or LINUX like, but that is just a small part of the picture. Employing UNIX rules for ESX is not a good start. There are too many differences.
The guide does mention that antivirus software is not necessary for ESX. Rather than a solid security analysis, however, the document's given reason for eliminating the need for antivirus is that the recommended tool will not install properly.
Actually, antivirus will install if you created the proper packaging. But that is not a good reason either way. The real reason to skip antivirus on a VI3 server is that, if configured incorrectly, it will drastically impact performance and throw out false positives at an unusually high rate.
Another issue: the STIG states that VM configuration files should still be world-readable while the virtual disk should be only owner-readable.
There is often vital information in the configuration including MAC addresses, names, and the layout of the virtual hardware. This information should not be world-readable as it can be used to aid in hacking systems.
There are other peculiarities; for example, the STIG does not address Web Access, and has minimal controls regarding VMware ESXi.
Rss FeedRss Feed
Aging network systems and old habits have dictated how businesses spend their IT budgets. As a...
Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch OfficesThis paper reviews the problem of creating a network where the dynamic availability of services is...
Enterprise Data Center Network Reference ArchitectureUsing a High Performance Network Backbone to Meet the Requirements of the Modern Enterprise Data...
The standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
Stay out of the headlines: Detecting and preventing network intrusionsHow do YOU stay out of the headlines? There is no denying that risk exists in our computer-driven...
We have so many holes punched in our firewalls today that many industry insiders question the value...
IP address management in 2008 - six things to knowRead this Network World Special Brief to learn how Enterprise IT managers must update their...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment