VMware

July 01, 2009

DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch

One of the most exciting new features of vSphere 4 is the ability to use a virtual switch from a third-party networking vendor, and the first instantiation of this is the Cisco Nexus 1000V.  With this in place, network administrators who are used to working with Cisco devices can now monitor and manage the virtual switches on ESX just as they would any other physical switch.  They can also apply the security policies and configurations they already know and are used to working with.  This is an important aspect of being able to use vSphere in more security-sensitive applications, such as the DMZ.

Recently, Cisco and VMware jointly released a white paper on virtualizing the DMZ with vSphere 4 and the Nexus 1000V virtual switch.  From the abstract:

This paper tackles the subject of DMZ security and virtualization. It covers a number of DMZ security requirements and scenarios, presenting how vSphere users can implement the Cisco Nexus 1000V virtual switch in a DMZ.

You can download the paper here.  There is also another paper which goes over the general issues of virtualization with mixed trust zones, available at this link.


June 10, 2009

VMware vShield Zones 1.0 is generally available

With the general availability of VMware vSphere 4 a few weeks ago, I just wanted to highlight for the security community that VMware vShield Zones is also part of that release and now generally available!

vShield Zones is a new product for VMware and one of the newest members of the vSphere 4 product family, based on technology from our acquisition of Blue Lane Technologies.  We had a lot of interest from customers around vShield Zones and had over 200 customers around the world registered for our recent private beta.  It is part of the vSphere package starting with the Advanced Edition and above.

VMware vShield Zones 1.0 offers the following key features and benefits for vSphere 4 environments:

Central Management of Logical Zone Boundaries and Segmentation

  • Leverage existing virtual infrastructure containers – hosts, virtual switches, VLANs – as logical trust or organizational zones
  • Define policies to bridge, firewall, or isolate network traffic between zone boundaries
  • Manage and deploy policies across an entire VMware vCenter Server deployment
  • Integrate with VMware vCenter Server and automatically deploy on existing virtual networks
  • Scan and discover existing applications running on virtual machines to identify application protocols

Network Enforcement and Flow Monitoring

  • Classify traffic by network or application protocol (e.g. HTTP, RDP, SNMP)
  • Filter traffic efficiently with stateful packet inspection (SPI)
  • Track dynamic port connections for protocols such as FTP
  • Track network connections across VMware VMotion migration events
  • Easily convert observed network flows into precise network enforcement rules
  • Monitor both allowed and disallowed activity
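The "observe flows, then turn them into enforcement rules" workflow in the list above is the part a practitioner most often has to reason about: which observed flows become allow rules, which get held back for review, and how the resulting rule set classifies later traffic as allowed or disallowed. The script below is an added illustration of that workflow and is not vShield Zones' own code or rule format; the zone names, flow records and the two-seen-flows threshold are constructed for the example.

```python
"""Learn an inter-zone allow-list from observed flows, then audit traffic against it.

Added example (not vShield Zones code). Flow records are constructed tuples of
(src_zone, dst_zone, protocol, dst_port); the zone names are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of observed flows between zones.
OBSERVED_FLOWS = [
    ("internet", "dmz-web", "tcp", 443),
    ("internet", "dmz-web", "tcp", 443),
    ("internet", "dmz-web", "tcp", 443),
    ("internet", "dmz-web", "tcp", 443),
    ("dmz-web", "app", "tcp", 8080),
    ("dmz-web", "app", "tcp", 8080),
    ("dmz-web", "app", "tcp", 8080),
    ("app", "db", "tcp", 3306),
    ("app", "db", "tcp", 3306),
    ("mgmt", "dmz-web", "tcp", 22),
    ("mgmt", "dmz-web", "tcp", 22),
    ("dmz-web", "db", "tcp", 3306),  # seen once: DMZ tier reaching the DB directly
]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int
    action: str  # "allow" or "deny"

    def as_text(self):
        return f"{self.action} {self.protocol} {self.src_zone} -> {self.dst_zone}:{self.dst_port}"


def learn_rules(flows, min_count=2):
    """Aggregate identical flows; propose an allow rule for each flow seen at least
    min_count times. Rarer flows are returned separately for administrator review
    rather than silently becoming rules. Returns (allow, review) as lists of (Rule, count)."""
    counts = Counter(flows)
    allow, review = [], []
    for (src, dst, proto, port), n in sorted(counts.items()):
        entry = (Rule(src, dst, proto, port, "allow"), n)
        (allow if n >= min_count else review).append(entry)
    return allow, review


def evaluate(flow, rules):
    """First-match evaluation of one flow against the rule list; default deny."""
    src, dst, proto, port = flow
    for r in rules:
        if (r.src_zone, r.dst_zone, r.protocol, r.dst_port) == (src, dst, proto, port):
            return r.action
    return "deny"


def audit(flows, rules):
    """Split traffic into allowed and disallowed flows so both can be monitored."""
    verdicts = [(f, evaluate(f, rules)) for f in flows]
    return {
        "allowed": [f for f, v in verdicts if v == "allow"],
        "disallowed": [f for f, v in verdicts if v == "deny"],
    }


if __name__ == "__main__":
    allow, review = learn_rules(OBSERVED_FLOWS)
    print("Proposed rules:")
    for rule, n in allow:
        print(f"  {rule.as_text()}  (seen {n}x)")
    print("Held for review:")
    for rule, n in review:
        print(f"  {rule.as_text()}  (seen {n}x)")
    report = audit(OBSERVED_FLOWS, [r for r, _ in allow])
    print(f"Allowed: {len(report['allowed'])}, disallowed: {len(report['disallowed'])}")
```

With the sample data the single dmz-web to db flow stays out of the proposed rule set, so a later audit of the same traffic reports it as disallowed; that is the review step the feature list describes, rather than an automatic allow for everything ever observed.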

Management and Reporting

  • Access the Web-based vShield Manager interface remotely from any Web browser
  • Configure administrators to be common with VMware vCenter Server or distinct for separation of duties and roles
  • View activity hierarchically at individual virtual machine or aggregate levels and generate graphical or tabular reports
  • Retain log data for archival and compliance purposes
  • Export events and data using syslog format

More information about vShield Zones can be found at the product page here: http://www.vmware.com/products/vshield-zones/

vShield Zones 1.0 is downloadable as part of the VMware vSphere evaluation at: https://www.vmware.com/tryvmware/index.php?p=vsphere&lp=1

Documentation and release notes about vShield Zones 1.0 can be found at: http://www.vmware.com/support/pubs/vsz_pubs.html


March 25, 2009

VMware vShield Zones in private beta

Just in case anyone missed the news from VMworld Europe 2009 last month, VMware launched a new security offering called VMware vShield Zones for our vSphere (formerly VI) platform.  We think this is pretty exciting, as it's the first datacenter security product from VMware, and highlights Security's elevation to one of the six key pillars of our Virtual Datacenter OS architecture.  (For those keeping score, I don't count vCenter Update Manager as a security product only because the patch management vendors themselves tend to self-identify more with system and configuration management.)

vShield Zones is based on our acquisition of Blue Lane Technologies last October.  It builds on Blue Lane's mature application-aware network stack, but instead of offering virtual patching, it has all-new modules providing network flow monitoring/auditing as well as network firewalling.  These are packaged as a virtual appliance and provide inter-VM visibility and enforcement specifically for logically partitioning the interior of the virtual datacenter.  This is great for meeting security and compliance policies around virtualizing DMZs, meeting PCI network segmentation requirements, or isolating multiple tenants in the cloud.  For more information about vShield Zones, visit the product page at http://www.vmware.com/products/vshield-zones/.

vShield Zones will be shipping in the vSphere 4 timeframe.  We have just entered a private beta that is open to all vSphere 4 beta community members; look for a forum post in the vSphere 4 beta community on how to sign up to download the software and documentation.  We appreciate your time and feedback!


February 25, 2009

Upcoming Virtualization Security and Compliance Webcasts

A quick intro for those who don't know me, since this is my first time posting to our blog.  My name is Rob Randell.  I am a Senior Security and Compliance Specialist for the field here at VMware.  I actually came to VMware through the Determina acquisition back in August of 2007 (I know, it has taken me a long time to post to the blog ;-)).  My role here at VMware is to talk to our customers and speak at industry events about the security and compliance implications of virtualization.

The purpose of this posting is to let you all know about a couple of webcasts that will be taking place over the next couple of weeks.

The first is actually tomorrow (sorry for the late notice) at 2:30pm EST.  It is a Virtualization Security Roundtable hosted by Ed Haletky (Texiwill on the Communities).  Chris Hoff, Iben Rodriguez, possibly Michael Berman from Catbird, and I will all be part of the roundtable.  Here is the link you can use to attend this webcast.

The other webcast is on March 5th at 11am EST.  Chris Farrow and Dave Shackleford from Configuresoft and I will be hosting an interactive roundtable discussing the need for virtualization security, the challenges in designing and implementing a secure virtual infrastructure, and the resources available.

Go here for more details and to register for this event.

I hope to see you all there.


February 03, 2009

How Virtualization Affects PCI Compliance

VMware and Foundstone recently completed a two-part white paper on how virtualization affects PCI Compliance.  It takes a pragmatic view at the different components of virtualization technologies and provides a perspective on how enterprises that are looking to deploy such technologies should think about their impact on PCI compliance initiatives.

  • Part 1: Mapping PCI Requirements and Virtualization
    This paper presents a mapping of the relevant PCI requirements and how each is impacted by virtualization.
  • Part 2: A Review of the Top 5 Issues
    This paper highlights what we believe to be the top five issues and concerns that PCI Qualified Security Assessors (QSAs) have about virtualization technology. For each of these we propose solutions that organizations can rely on to demonstrate compliance while deploying virtualization technology within their PCI environment.

Find them both in the Resources section of the VMware Compliance Center.


October 30, 2008

What's New in Security at VMware.com

We've added some new things pertaining to security and compliance at the vmware.com web site, so I thought I'd highlight a few things to bring you up to date.

  • The new VMware Compliance Center includes an overview of the issues involved with virtualization and compliance, a comprehensive listing of partner virtualization compliance solutions, and references such as white papers and recorded webcasts.
  • There is a new listing of Free Security and Compliance Utilities.  These tools are provided by VMware partners, and can be downloaded and used right away to help assess and monitor your VI deployment.
  • The Overview section of the Security Technology site has been updated to present the core issues of virtualization and security in a more streamlined way.  The Resources listing has also been enhanced to include more external resources.
  • Although not new, the VMsafe section received some updates over the summer which you might not have seen.
  • Finally, something else that's not new but worth pointing out is the Security Certifications page.  We will be listing all security-related certifications that VMware products receive, so you can check here to see ones we have received.

We'll be adding new content to these pages over time, so please be sure to check back regularly.


October 03, 2008

New and Updated VMware Security Advisories for VirtualCenter, ESXi, ESX, VCB and VMware Hosted Products

Today, VMware released a new version of VirtualCenter, VC 2.5 Update 3, a new version of VMware Consolidated Backup, VCB 1.1 Update 1, and patches for ESXi and ESX 3.5. These and the recently released versions of VMware's hosted products and patches for ESX 3.0.1, 3.0.2 and 3.0.3 address several security issues. The issues are described in a new and an updated security advisory published today.

One of the fixed security issues is a privilege escalation on certain 64-bit guest operating systems, CVE-2008-4279. It allows an attacker with a login account on a guest operating system to elevate their privileges on that system. The flaw does not allow the host system to be compromised. The other security issues involve password disclosure and an update to the JRE.

On a side note, we would like to thank everyone who completed our questionnaire on security advisories during the VMworld 2008 Security Lab. Expect a blog post on the results soon.


September 18, 2008

VMware Security Advisory on critical openwsman issue

Today, VMware released a patch for a critical openwsman security issue, CVE-2008-2234. Affected are ESX 3.5 and ESXi 3.5 that have openwsman 2.0.0 installed. VMware Security Advisory VMSA-2008-0015 provides details on the openwsman versioning, on the patches and on the possible workaround. The openwsman service runs by default. This vulnerability can be exploited remotely; however, best practices provided by VMware recommend that the service console be isolated from the VM network.

The other patches for ESX(i) 3.5 released today update libpng, bind, net-snmp, and Perl. These patches and the patches released last month for ESX 3.0.1, 3.0.2, and 3.0.3 are listed in updated advisories VMSA-2008-0010, VMSA-2008-0011, VMSA-2008-0013, and VMSA-2008-0014. Advisory VMSA-2008-0014 also lists the security issues that are fixed in the new versions of VMware Workstation, Player, ACE, and Server released last month.


August 12, 2008

VMware ESX(i) 3.5 Update 2 Virtual Machine power on problem

The ESX(i) 3.5 Update 2 virtual machine power-on problem that surfaced today is not related to exploitation of a security issue on ESX. Several customers have been worried that their ESX systems had been compromised by an attack and that this was the cause of their Update 2 virtual machines failing to boot today.

We know that the boot problem is due to an expired license. License expiration was set at August 12 and was not removed prior to releasing ESX(i) Update 2. VMotion is affected by the license expiration as well.

VMware is working very hard to get a patch out of the door. Please see here for a workaround and the latest developments.

Update, 9:30 PM:
Express patches have become available. Visit this VMware Web site for details.


July 14, 2008

Update to VI3 Security Hardening Guide

We have recently released an update to the VI3 Security Hardening guide.  The main changes are:

  • new content for ESX 3.5 and VirtualCenter 2.5, including VirtualCenter plug-ins
  • a section specific to hardening for ESXi
  • new sections for VM configuration as well as client software
  • a greater level of depth for the existing recommendations

To keep things simple, the new version uses the same URL as the previous version:
http://www.vmware.com/resources/techresources/726

As always, this and a lot of other security information for VMware products may be found at http://www.vmware.com/security.

Charu Chaubal
Technical Marketing