security

Anti-virus and the impact in virtualized environments

Duncan Epping · Feb 16, 2011 ·

I was reading Richard Garsthagen’s article about anti-virus solutions yesterday and decided that this deserved a little bit of extra attention as it is an often overlooked area when it comes to architecture and impact. As Richard points out the difference in terms of load that it generates and overhead is enormous. All of these combined will most definitely result in an increase of consolidation ratio. Not only that but is will also seriously lower the risk during for instance a VDI boot storm but also think about the impact of HA initiated restarts. This could cause an enormous amount of IOps and CPU/Memory overhead which in its turn could impact the other virtual machines.

I guess there is no point in rehashing what is written in the whitepaper of what Richard wrote, I just want to point out the whitepaper as I believe it is a good read. As always results may vary but it is pretty obvious that from an architectural and operational perspective End Point Security is most definitely worth looking into and I cannot wait for more vendors to jump on the bandwagon. Download the tolly report here. (I personally found the disk results very interesting…)

VMware vCloud Director Security Hardening Guide

Duncan Epping · Sep 16, 2010 ·

For those looking into deploying vCloud Director (vCD), VMware just published a white paper titled “VMware vCloud Director Security Hardening Guide”. I reviewed the document a couple of weeks ago and thought it was a really good read!

Download:
http://www.vmware.com/files/pdf/techpaper/VMW_10Q3_WP_vCloud_Director_Security.pdf

Description

The VMware® vCloud™ Director Security Hardening Guide helps users who are embarking into the journey of cloud computing understand key security elements and technologies found in VMware’s vCloud Director product. It also provides guidelines and best practices for installation, configuration and operation of secure clouds based on VMware’s vCloud Director.

Workaround for: ESX(i) 4.1 Password Issue

Duncan Epping · Jul 20, 2010 ·

As many of you already know there is an issue with the encryption mechanism of ESX(i) 4.1. When passwords are used which are longer than 8 characters the password will be truncated after the 8th character. As such during authentication only the first 8 characters are used. In other words if you have a 10 character password you will only need to type the first 8 characters correct and the rest can be completely random.

The KB article that was published yesterday contains a workaround to change this behaviour. I recommend everyone to read the article and implement this workaround when your password policy describes passwords longer than 8 characters.

Hytrust Labs….

Duncan Epping · May 13, 2010 ·

During VMware Tech Summit last week one of the few Labs I did get to do myself was the Hytrust Lab. Roughly a year ago I first got introduced to Hytrust.

Hytrust is a policy driven appliance which enhances security and auditing for virtualized environments. Although I had seen multiple demos I had never actually played around with it. I must say I was pleasantly surprised at Tech Summit.

Hytrust sits in between you, the user/admin, and the vCenter/ESX. Basically it proxies the requests based on your role. If the role has no permissions on the specific “task” it will return a message stating “permission denied by Hytrust”.

Now that sounds cool doesn’t it? I guess what was even more impressing was the fact that with Hytrust this also works on ESXi. Yes you are reading that correct, role based “unsupported” mode access to ESXi, that’s something VMware doesn’t even offer at the moment. I tested it, it works great! (Yeah I know it is still not supported, but it does offer a solution to those who need it.)

Another cool thing is the configuration templates for Hosts. It basically enables assessment of security configuration. Hytrust contains several pre-built templates including for instance VMware’s Security Hardening Best Practices. Not only assessment but also the option to remediate when needed.

And I haven’t even talked about the auditing functionality yet. As Hytrust proxies all commands, it is just a small step for them to log all the info and make it audit-able….

After playing around with in Hytrust I fully understand why Cisco invested, it rocks. Just try it out. The Community Edition, free for up to three hosts is available here: Hytrust Appliance v2.0 Community Edition

vSphere Security Hardening Guide

Duncan Epping · Apr 20, 2010 ·

A couple of months ago I blogged about the draft version of the vSphere Security Hardening Guide. Yesterday VMware published the first official version. Keep in mind that any feedback is still highly appreciated and the document is still subject to change.

source article

This document is the official release of the vSphere 4.0 Security Hardening Guide. This version is based on feedback collected during the public draft comment period. We will still be collecting feedback on this document — if there are any typos, errors, or changes, please add them to the comments below.

Overall, there are more than 100 guidelines, with the following major sections:

Introduction

Virtual Machines

Host (both ESXi and ESX)

vNetwork

vCenter

Console OS (for ESX only)

vSphere Hardening Guide April 2010.pdf (951.0 K) View Download