On the Utility & Granularity of Virtualization Security Guidelines
Edward Haletky wrote an interesting piece recently titled "CISecurity Guide to VMware Security Falls Far Short" in which he lays down some well-articulated criticisms of the first CIS benchmark for VMware.
Edward’s primary problem with the benchmark can be summarized well by this paragraph:
While the Benchmark was the first of its kind, it is nothing more than the Linux benchmark with some small changes for VMware ESX. Following these steps will increase security but it is by no means a panacea. Do not let it give you a false sense of security.
I think Edward set his expectations a little high prior to review, as I’m pretty sure the word panacea wasn’t used in the syllabus
I don’t disagree with Edward that the flavor of the benchmark is very much a generic set of guidelines focused primarily on securing the underlying Linux-based service console and basic configuration for overall "system" hardening, but we need to realize a couple of things to keep the benchmark in perspective:
- The benchmark was the first of its kind. It’s almost 10 months old! The second version is underway right now as a matter of fact.
- In between when the benchmark was released and now, we’ve seen the emergence of the embedded version of VMware and much needs to change to address that.
- The benchmark was designed to be generic and give virtual system administrators a baseline on basic security hardening, not serve as the end-all, be-all for some mythical security end-state.
- The challenge for those of us who contributed (as I did) was that we had to keep the document vendor/tool agnostic which makes it difficult to frame solutions.
- Lots of things have changed.
Keep in mind that this is a "level 1" benchmark whose settings/actions are as follows:
- Can be understood and performed by system administrators with any level of security knowledge and experience;
- Are unlikely to cause an interruption of service to the operating system or the applications that run on it; and
- Can be automatically monitored either by CIS Scoring Tools or by CIS Certified tools available from security software vendors.
This isn’t about being defensive regarding the benchmark as I’ll agree that we could have done much, much more in terms of providing more meatier substance as it relates to how to better secure the ecosystem of mechanicals that a virtualized environment touches.
However, the scope of a document that effectively addresses the security concerns across this immense landscape would be a huge undertaking.
One of the other difficulties in creating a guideline like this is the fact that those responsible for securing virtualized environments are not security professionals. As I’ve spoken about previously, the operational realities of who is managing and securing our virtualized infrastructure is cause for concern.
Thus, when creating a guide like this, it’s best to start with the underlying basics and then branch out from there; involve the network and security teams as required. As Edward himself wrote in this piece, "Good virtual security requires better IT teamwork," to properly secure your virtualized infrastructure, it’s going to take cooperation and expertise from many camps.
Edward also has written a book titled "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers." Interestingly, I found the security sections weak for many of the same high-level reasons he listed in his review of the CIS benchmark. Security is most definitely in the eye of the "bookholder."
In the meantime, if you’re interested in some additional security/hardening guides and tools for VMware environments, check out the following:
- VMWare – Updated VI3 Security Hardening Guide (7/8/08)
- DoD/DISA – Security Technical Implementation Guide (STIG)
- NSA SNAC – VMware ESX Server 3 Configuration Guide
- Tripwire – ConfigCheck