As virtualization adoption grows, organizations are becoming more attuned to the need to properly configure and lock down virtualization. Virtualization is a complex technology with many facets, and there are numerous types of controls that can be implemented to secure these assets. Most security teams are still developing internal policies and processes to define how virtual infrastructure should be enabled and maintained.
In this post, the first of two parts, I identify guidelines and tools to help administrators, focusing primarily on VMware.
Recently, NIST released a draft document (SP800-125a) on hypervisor security that acts as a companion to its well-known overview of virtualization security (SP800-125). In the new guide, NIST makes some fundamental security recommendations, including:
- Choose hardware that supports hardware assisting virtualization, with strong chip support for virtualization functions and security capabilities (such as a Trusted Platform Module, or TPM).
- Disallow non-certified drivers at boot time, if possible.
- Plan carefully for memory and CPU allocation to individual VMs and overall cluster allocation (total VM capacity for memory and CPU utilization)
- Carefully control VM templates and images, storing them off the hypervisors and with integrity checks and access controls in-place
- VM host security (anti-malware and host IDS/IPS) functions should be integrated into the virtual environment and take advantage of the hypervisor kernel.
Many more recommendations in the guide are related to role and privilege management and assignment, overall hypervisor management and management interface protection, among other areas of concern.
As a market leader in the virtualization space, there is more tactical controls guidance available for VMware technologies than others. VMware has released several guides that suggest numerous ways to securely configure Virtual Infrastructure 3 and the newest version of VMware’s enterprise solution, vSphere (both 4.x and 5.x). However, several other well-known guides have been released from organizations such as the Defense Information Systems Agency (DISA) and Center for Internet Security (CIS).
VMware has had a number of benchmarks, starting with Version 3.0 (which was used against all 3.x versions). Version 4.0 and 4.1 were released shortly after those ESX versions, with 4.1 being last updated in June 2011 with version C. For ESXi 5.x, all of the current hardening guides (4.0 and newer) are available from a single Webpage.
VMware’s guides can be found at these locations:
- Virtual Infrastructure 3.x: http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
- The VMware 4.0, 4.1, 5.0, 5.1 and 5.5 benchmarks: http://www.vmware.com/support/support-resources/hardening-guides.html
VMware has also released free Compliance Checker tools:
The compliance checker toolset includes audit checks against multiple benchmarks:
- VMware DISA Compliance Checker for Windows and Linux
- VMware HIPAA Compliance Checker for Windows and Linux
- vSphere 5.5 VMware Hardening Guidelines Checker
- vSphere 5.1 VMware Hardening Guidelines Checker
- vSphere 5.0 VMware Hardening Guidelines Checker
- vSphere 4.1 VMware Hardening Guidelines Checker
- vSphere 4.0 VMware Hardening Guidelines Checker
- PCI 2.0 Compliance Guidelines Checker
With their latest guide, VMware has broken their configuration guidance down into more tactical, actionable categories and scenarios in the interest of aligning more closely with other sources of guidance, and with a variety of network environments. For example, they have included multiple recommendation levels for systems in general enterprise environments, demilitarized zones (DMZs), and high-security environments (Specialized Security Limited Functionality, or SSLF).
For defense and military organizations, controls with SSLF ratings may be more applicable, where enterprises will likely leverage general business scenarios. Security teams that have relied on the DISA STIG may evaluate SSLF controls as complements to their existing base set of configuration options, as an example. It is worth noting that both the CIS and DISA guides still refer to VMware’s older product line, Virtual Infrastructure 3 (and ESX Server 3.5.x). However, many controls are still applicable.
The Center for Internet Security (CIS) is an active participant in the VMware benchmark field. The 5.5 benchmark was made available in August 2014, while older versions address 3.5 and 4.0. They also have a benchmark for Xen, but it is very old. All the benchmarks can be downloaded at the following locations:
- Benchmarks for 3.5 and 4.0, found at:
- 5.5 benchmark released in August 2014:
- Xen 3.2 benchmark:
The DISA STIGs (Security Technical Implementation Guides) are comprehensive audit documents. They include a prioritized checklist for the ESX / ESXi Server, a checklist for vCenter, and hosted Virtual Machines. They also include a brief checklist that covers how DISA requires an audit of virtual infrastructure to be done. All things considered, a well-rounded approach. Two versions are currently active, the ESX 3.x STIG version 1.4, released in 2009, and the ESXi 5 STIG which is broken into 3 separate posts, one each for ESXi, vCenter and Virtual Machines. All of the DISA STIGs for virtualization can be found here: http://iase.disa.mil/stigs/os/virtualization/Pages/index.aspx
As you can see, there is a lot of information and tools to help guide administrators running VMware products. In the next post in this two-part series, I will outline tools for Citrix and Microsoft, and conclude with generally applicable advice.