Virtualization Security Guidelines
Link: Virtualization Security Guidelines - blog.scottlowe.org
The Center for Internet Security (CIS) has released some security benchmarks for VMware ESX Server 3.0.x. The ESX security benchmark joins recommendations and guidelines for Windows 2000, Windows XP, Windows Server 2003, Red Hat Linux, and Mac OS X that are also available from the CIS. The CIS has also published a generic virtual machine (VM) security benchmark as well. Taken together, the ESX benchmark and the VM benchmark provide good, solid recommendations around virtualization security.
The ESX/VM benchmarks are available for download here.
With all the hype around virtualization’s impact on security—positive or negative—it’s good to see some concrete and actionable recommendations. If nothing else, these documents will at least provide a starting point for security professionals and virtualization experts to discuss the best way to architect solutions without compromising the security of the network/servers. In fact, we might even find ways to enhance the security of the network/servers.
The debate about whether virtualization is more or less secure (than physical infrastructure) is kind of a meaningless, theoretical argument. Certainly a VM is different than a physical server as it can move, mutate and transform itself. Existing applications and operating systems have known vulnerabilities. Movement and change erodes the visibility of vulnerability scans (over time at an accelerated rate) and static security signatures (with rules tied to IP address).
I've blogged about this topic at www.archimedius.net.
Greg
Posted by: Greg Ness | October 29, 2007 at 04:52 PM