In the first post of this two-part series, I described security guidance regimes and tools while focusing on VMware. In this part, I extend the conversation to include Citrix and Microsoft, and provide some advice that is applicable across platforms.
Citrix distributes a “User Security Guide” that has valuable security information for configuring the platform, but is not a benchmark suitable for audit purposes. The latest version is dated March 2012. Since XenServer installs on a Linux platform, the best guidance is to start with the hardening benchmark for your version of Linux, then follow the Citrix document for the XenServer components. The Citrix guide can be found here: http://support.citrix.com/article/CTX120716
Microsoft has a Hardening Guide for Hyper-V, dated March 2009, with an updated online guide for Server 2012. They have an active security forum (that includes Hyper-V) in their “Solutions Accelerator Security and Compliance” blog. Microsoft also has a Security Compliance Manager tool (SCM v220.127.116.11) which automates audits against various pre-configured benchmarks. SCM is updated regularly, and at the time of writing, the current version is dated January 2013.
Microsoft’s guides and tools can be found at the following links:
With the evolution of standards like the Security Content Automation Protocol (SCAP), where multiple specifications for assessing and describing configuration status (XCCDF, CCE, and CPE), vulnerability information (CVE and OVAL), and vulnerability ratings and metrics (CVSS), the need for consistent configuration and implementation guidance has never been greater.
Fortunately, the Microsoft, Citrix, VMware, DISA, and CIS guides offer a variety of configuration recommendations that can be leveraged by all types of organizations. The requirements range from commercial organizations with availability as the focus to military defense systems that have much more stringent hardening needs.
Most major virtualization platforms provide a variety of configuration management tools allowing a “Gold Image” to be defined with a set of known secure configuration parameters that meet internal policies. Then this system can be compared to other hypervisor platforms and/or VMs for automated configuration and reporting on configuration compliance.
Organizations will need to decide which controls are most applicable to them, however, and this largely depends on their business and the nature and location of the systems themselves. For general business and education environments running VMware, the VMware and CIS guides (listed in Part I) will likely provide a good mix of best practices guidance in most areas. For more sensitive military and defense environments, the DISA guide’s more stringent controls and evaluation criteria will be the more suitable choice.
With the latest vSphere guide, VMware has bridged this gap somewhat by differentiating some controls by exposure level and security needs (Enterprise, DMZ, and SSLF settings). The more technical implementation guidance is often found in the CIS and DISA guides, however, so these will still be applicable regardless.
Microsoft and Citrix have very little guidance overall, and other organizations like Red Hat (for KVM) have nothing publicly available at the time of writing.
Over time, the importance of virtualization security, and particularly effective lockdown of the hypervisor, will require stringent and community-vetted guidance from all major virtualization vendors that is updated on a regular basis.
Of course, securing what is running within VMs is as important as creating a secure foundation for a virtualized datacenter. Taking advantage of available guidance allows organizations to ensure virtualization platforms are designed, configured, and maintained to avoid introducing additional vulnerabilities.