Category Archives: security

vSphere 6.0 vExpert Blog Articles Covering What’s New, Installation, VVOLS, vMotion, VSAN, Web Client and much much more

Today we announced vSphere 6.0 and the vExpert community has some excellent insight into what this release is about. The articles below are written by VMware vExperts who are the best IT professionals in virtualization.

There are several in-depth single-part and multipart articles to help you understand this release. Throughout the day we will update this blog with newly highlighted articles from additional vExperts. Most of the articles are in English, but several are in other languages as well. Be sure to keep an eye on #VMW28days on Twitter, and be sure to also try vSphere 6 and VSAN today at the online labs.

Here are some of the highlight topics covered in the articles:

  • What’s new in vSphere 6
  • VMware AppVolumes
  • Install Walkthrough (vSphere & vCenter)
  • Server Design & installation
  • Features & Enhancements of vSphere 6 Web Client
  • Multi-Processor Fault Tolerance
  • How to Install and Configure vSphere 6 Hypervisor
  • vSphere 6 Certificate Authority & Design Decisions
  • VVOLs
  • What’s new in VSAN
  • vMotion Enhancements & Long Distance vMotion
  • Managing your vSphere 6 Environment

vExpert Blog Articles

Adam Eckerle – Is a TAM for VMware, vExpert, 3xVCAP holder (DCA/DCD/DTD), and passionate about Data Center virtualization technology.

  1. New Features in vSphere 6 – VMware vSphere 6 is another step forward in enabling the Software Defined Data Center (SDDC). There are some very exciting new features that have just been announced, so here is a (non-exhaustive) list broken down by area.

Alex Muetstege

  1. What’s new in vSphere 6, covering scalability, availability, vCenter Server, vMotion enhancements, storage and vSphere 6 pricing

Andrea Casini – I’ve been working in the IT industry for over 14 years designing, implementing and managing IT infrastructures. All the technology I’m passionate about is somehow related to VMware and the revolution they started with virtualization.

  1. vSphere 6 Certificate Lifecycle Management – Since the introduction of SSO, managing certificates has become more and more difficult and problematic. With the introduction of VMCA and VECS, VMware is giving us the tools to make this process more streamlined and less cumbersome, making it easy for companies of all sizes to move away from unmanaged self-signed certificates and deploy internal or 3rd-party certificates, bringing all vSphere components under the corporate security policy.

Andrea Mauro – Has worked in IT since 1996 and holds several technical certifications (VCP, VCAP, VCDX, MCITP, MCSA, MCSE, CCA). He’s also a VMware vExpert (2010/2011/2012/2013/2014).

  1. VMware vCenter Server 6 design – This post describes the step-by-step installation procedure for VMware vSphere 6.0
  2. VMware vSphere 6 Client
  3. VMware vCenter Server 6 adds more cloud features – In this new version vCenter Server has been extended with some new interesting features (partially from vCloud Director capabilities) to make it more cloud oriented.

Andreas Lesslhumer – 16 years in IT, specializing in virtualization and server infrastructure. Virtualization Evangelist and Blogger at Running-System.com

  1. Features and Enhancements of the new vSphere 6 Web Client – waiting for the launch.
  2. vSphere 6 Fault Tolerance highlights and improvements – vSphere 6 brings some great enhancements to Fault Tolerance. Read more in the article about topics like multi-processor VM support and other improvements you can expect.

Andreas Peetz – Virtualization Engineer and Evangelist, Blogger and Tool author, Maintainer of the V-Front Online Depot for ESXi, vExpert since 2012

  1. What’s in ESXi 6.0 for free license and white box users? – Read what the new vSphere version brings for users of the free ESXi license and white box hardware, and how it behaves with community supported drivers and tools.

Ather Beg – Ather Beg is a technology blogger, vExpert and Chief Virtualogist at Virtualogists.com.

  1. vSphere 6: Platform Services Controller (PSC): Design Decisions – This article discusses the new vSphere 6 architecture component Platform Services Controller (PSC), possible configurations, design decisions and their impact for a vSphere install or upgrade.
  2. vSphere 6: VMware Certificate Authority (VMCA): Design Decisions – This article discusses the new vSphere 6 component “VMware Certificate Authority”, deployment configurations, design decisions and their impact for a vSphere install or upgrade.
  3. vSphere 6: Upgrade Considerations – This article discusses the various vSphere 6 upgrade scenarios and paths, points to consider before embarking on an upgrade program and the design decisions involved.

Benjamin Troch – is a seasoned IT veteran with 15+ years of experience providing (virtual) infrastructure consulting services for some of the largest financial institutions in the world. vExpert 2013/2014, VMware User Group (VMUG) leader for Singapore and SME on VMware technologies, Benjamin holds VCAP DCD and DCA certifications alongside MCITP and Citrix CCA certs.

  1. vSphere 5 is dead, long live vSphere 6 – Virtualb.eu’s overview of the new platform

Benjamin Ulsamer – Planning, designing and realising VMware & NetApp projects for 10 years as Senior Consultant, Architect, Systems Engineer and Trainer

  1. The easy way to vSphere 6 – Part 01a – Install vCenter 6 on Windows
  2. The easy way to vSphere 6 – Part 01b – Deploy the vCenter Appliance 6
  3. The easy way to vSphere 6 – Part 02 – Install vSphere Client 6 to connect ESXi Hosts
  4. The easy way to vSphere 6 – Part 03 – Install Update Manager 6
  5. The easy way to vSphere 6 – Part 04 – Install Update Manager Client 6
  6. The easy way to vSphere 6 – Part 05 – Update ESXi 5.x Hosts to version 6 via Update Manager 6

Bob Plankers – IT Generalist specializing in systems management, virtualization, and cloud design & operations.

  1. 9 Things You’ll Love About vSphere 6.0 – vSphere 6.0 has major advancements in many areas, with the addition of major functionality and thousands of minor improvements. Here are 9 big & small things that vSphere users will really enjoy.

Brian Trainor – Is a consulting engineer with UNICOM Systems and has experience in data center management, infrastructure and operations management, and virtual infrastructure design.

  1. The New vSphere 6.0 Web Client – A quick overview of the new and enhanced vSphere Web Client 6.0. This might be one of the most welcome upgrades offered in vSphere 6.0 as significant improvements have been made in performance and user experience.

Chris Nickl – Chris is a Datacenter Architect/Engineer for World Wide Technology’s Professional Services.

  1. What’s cool in vSphere 6? – VMware has finally released version 6.0 of their vSphere environment. What are the largest new features and enhancements?
  2. VVOLs What are they? – VMware has been talking about VVOLS for over two years. What are they and how do they help us?
  3. vSphere 6 : vSphere Client is ALIVE!! – The long-standing VI-Client that was rumored to be killed off is in fact still around and works with vSphere 6.
  4. vSphere 6 now supports NFS v4.1 with Authentication – vSphere 6 finally supports NFS version 4.1 and even allows Kerberos authentication. This will allow NFS multipathing and better authentication.
  5. vSphere 6: Multi-Processor Fault Tolerance – With the announcement of vSphere 6.0, one very cool new feature is Multi-Processor Fault Tolerance. You can now turn FT on for VMs with up to 4 vCPUs.
  6. Installing the new vCenter 6.0 Appliance – VMware has released the new 6.0 vCenter Server Appliance (vCSA). This will detail exactly how to install it so that you can get your environment running.

Dave Morera – Is an experienced virtualization and storage Architect, with breadth of knowledge in other areas as well.

  1. vSphere 6 Web Client: Let’s go there… – This article highlights the new features of the new vSphere 6 Web Client. The most noticeable features are highlighted based on customer feedback via social media and VMUG meetings.
  2. vSphere 6 Availability Enhancements – This article highlights the new availability enhancements provided in vSphere 6. Such enhancements play an important role in maintaining HA and a DR strategy.
  3. VVols: Go for Launch – This article provides a high level view of VVols as well as its requirements. VVols allow for a better management and integration of storage and vSphere 6.

Derek Seaman – Is VMware VCDX #125, and a Senior Solutions and Performance engineer at Nutanix. He specializes in Microsoft enterprise software, and detailed how-to articles for a variety of enterprise products.

  1. vSphere 6.0 Install Pt. 1: Introduction – Back by popular demand and following in the vSphere 5.5 footsteps, this is the first article in a long series of how-to install and upgrade to vSphere 6.0.
  2. vSphere 6.0 Install Pt 2: PSC
  3. PEX 2015: VVOL Overview
  4. What’s new in vSphere 6.0

Edward Haletky

  1. vSphere Upgrade Saga: Planning for vSphere 6.0

Emad Younis

  1. vCenter Appliance (vCSA) 6.0 – New & Improved – vSphere 5.0 introduced us to the vCenter appliance (vCSA). The vCSA continues to evolve with each release and this one is no exception.

Filip Verloy – Is an NSX SE at VMware based in Belgium and has been blogging about virtualization and networking since 2012.

  1. The vSphere 6 blog post focusses on what’s new related to vMotion, including cross vCenter- and long distance vMotion and the new use cases it enables.

Florian Grehl – Is a Hosting Engineer working for a managed services provider in Germany.

  1. vSphere 6 vMotion Enhancements – This article introduces cross vSwitch and cross vCenter vMotion. It also analyses what’s geographically possible with the increased supported RTT of 100ms.
  2. vSphere 6 Web Client Enhancements – This article highlights the changes in the vSphere Web Client and presents a performance analysis compared to the previous version.

Greg Schulz – Five-time VMware vExpert, independent advisory consultant and author of several books, his blog is storageioblog.com and twitter @StorageIO.

  1. VMware Announces vSphere v6 Virtualization Technologies – VMware has announced version 6 (V6) of its virtualization hypervisor called vSphere, aka ESXi. This post looks at the announcement and what it means for implementing a software defined data center, including coverage of Virtual Volumes (vVOLs).

Iwan Rahabok – A VMware CTO Ambassador and author, started the user community in ASEAN 6+ years ago. The community Facebook group is one of the largest globally.

  1. vSphere 6 First Impressions – A tour of the changes in the UI. Web Client is now cool again!
  2. vSphere 6: Features that are now global – A great enhancement for customers with multiple vCenter Servers. And who doesn’t have them!
  3. The rise of SDDC Architect – A strategic take on the launch, encouraging VMware professionals to rise up and become the SDDC Architect.

Jason Conine – Virtualization Evangelist, Systems Engineer, MBA, vExpert, VCP5-DCV

  1. VMware vSphere 6.0: What’s New?

Jim Jones – Systems and network administrator working in state government. Jim has over 15 years in the IT industry.

  1. Managing your vSphere 6 Environment – vSphere 6 provides a great deal of enhancements to its manageability and scale. This article will provide the high points.

John Nicholson – (vExpert 2013-2014) is the manager of Client Services for Synchronet.  His focus is on Storage and Virtual Desktop Architecture.

  1. VMware VSAN : What’s new – This article looks at the end management updates to VSAN as well as the implications of the powerful back end updates to the file system.

Josep Ros

  1. What’s New in VMware vSphere 6.0 (Spanish)

Kevin Kelling – Is a 4-time VMware vExpert holding an MBA as well as nearly 20 years of Information Technology experience.

  1. Top 6 Features of vSphere 6 – vSphere 6 may just be the most significant release in VMware’s history.  Let’s take a quick walk through the 6 biggest features that enable a whole new world of capabilities and opportunity.

Keith Norbie – Sr. Business Development Manager at SolidFire, and works closely with solutions architects, marketing, sales and channel teams to drive forward some of SolidFire’s most strategic technology partnerships, including VMware and Citrix Systems. Keith has a strong history of experiences working in different channel and business development roles within the enterprise IT and storage market. He is also an active VMware vExpert and member of VMware’s Partner Technical Advisory Board (PTAB).

  1. vSphere 6 Storage – The Future of Storage at Scale

Leon Scheltema – I have been an IT professional for over 14 years, specialising in Virtualization and Storage, the last couple of years focussing on designing virtual infrastructures. Blogger.

  1. VMware Reveals vSphere 6 – The article highlights the most important enhancements and new features of the latest vSphere release. In addition, it gives a high-level overview of the differences between the vCenter components in the previous version and in the latest version, and how this affects deployment of vCenter nodes.

Michael Webster – Is among a small number of VMware Certified Design Experts (VCDX-066), currently the only VCDX in New Zealand, and a vExpert, with deep experience delivering project management, ITIL based VMware operational readiness and technical architecture consulting services to enterprise and service provider clients around the world.

  1. VMware vSphere Release Revolution for Mobile Cloud Era – For the first time you will be able to live migrate from private cloud to public cloud, a true hybrid cloud and software defined datacenter. Expect to improve quality of service for all applications, scale to unprecedented levels, and support even higher levels of service, all while reducing management overheads and complexity across the entire ecosystem. This release has been baking for a while and for good reason. There is a big commitment to product quality, which was evidenced by the first ever public beta for VMware vSphere. This is a major release, and is well deserving of the 6.0 version number.

Mohammed Raffic – A VMware vExpert, VMware Employee and an author of the Book “VMware ESXi CookBook”. Independent author and Founder of the blog “www.VMwarearena.com” focusing on VMware Virtualization and Cloud computing. He has more than 7 years of high level knowledge in Remote infrastructure services, consulting, designing, implementing and troubleshooting VMware Virtualization technology.

  1. vSphere 6.0 – New Configuration Maximums – This article focuses on the new configuration maximums available with vSphere 6.0. It provides a comparison table between the configuration maximums of vSphere 5.5 and vSphere 6.0.
  2. vSphere 6.0 vMotion Enhancements – vMotion Across vSwitches and vCenter Servers – This article focuses on the vMotion enhancements available with vSphere 6.0. It provides detailed information about vMotion across vSwitches, vMotion across vCenters and Long Distance vMotion.
  3. vSphere 6.0 – What’s New in VMware Fault Tolerance (FT) – This article focuses on VMware vSphere 6.0 Fault Tolerance and its new features. It also provides a comparison table between vSphere 5.5 and vSphere 6.0 Fault Tolerance.
  4. vSphere 6.0 New Features – Content Library – This article focuses on one of the new features, called “Content Library”, available with vSphere 6.0. It also provides details about configuring the content library and deploying Virtual Machines from it.
  5. vSphere 6.0 – What’s New in vCenter Server 6.0 – This article focuses on the new components and prerequisites for the installation of vCenter Server 6.0. It also provides details about the 2 different components of vCenter Server along with the vCenter Server 6.0 deployment models.
  6. vSphere 6.0 – What’s New in vCenter Server Appliance (vCSA) 6.0 – This article focuses on the new installation type, deployment model and appliance sizing of the vCenter Server Appliance 6.0. It also provides a comparison table between the Windows version of vCenter Server and the vCenter Server Appliance.
  7. vSphere 6.0 New Features – What is VMware Virtual Volumes (VVols)

Niels Hagoort – I am a virtualization enthusiast with a love for software defined solutions. Working at YaWorks as a Sr. Virtualization Consultant.

  1. vSphere 6: Multi-Processor Fault Tolerance (SMP-FT)
  2. vSphere 6: mClock scheduler & reservations

Paul Braren – “TinkerTry IT @ home” Founder and IT Professional Paul Braren actually enjoys the bleeding edge of technology, residing happily at the forefront throughout his multi-decade IT career. Paul has done many years of customer trainings and virtualization implementations. He’s always been tinkering, but most recently, he’s been honing his photography, videography, and writing skills, with over 500 in-depth articles and over 300 how-to videos at TinkerTry.com.

  1. Getting my mitts on the vSphere 6 bits including ESXi and vCSA, already enhancing my home lab – It’s been a long wait for vSphere 6.0, and in the home lab, that likely means ESXi 6.0 coupled with VCSA 6.0. The question for IT Pros/home lab enthusiasts: will my efficient/affordable/unsupported equipment still work with this major new release? Wait no more, catch a good glimpse of all that vSphere 6.0 goodness coming soon to your home lab.
  2. Sneak Preview – Build your own vSphere 6 home datacenter in about an hour – Today, the day vSphere 6 is announced, I’m already ready to show you exactly how I just re-built my home lab today, in about an hour… Stick with hard-coded IPs; SSO auto-configuration in the vCSA appliance now works very nicely. The video is now available, exclusively at TinkerTry!

René Bos – Technical Consultant at Conclusion FIT, SnowVM blog

  1. The new features of vSphere 6

Robert Verdam – My main focus is infrastructure (Storage, Networking and Computing), but I’m also very interested in designing and implementing VDI and Server Based Computing-environments.

  1. vSphere 6: vMotion enhancements – A brief history of vMotion and an overview of new, exciting vMotion features. Shows the use cases and requirements for these new vMotion features.

Roger Lund – Solutions Architect at Deltaware Data Solutions; Blogger, VMUG leader, Tech Field Day Delegate, and VMware vExpert.

  1. vCenter Server 6.0 New Features
  2. vSphere 6.0 Platform New Features
  3. vSphere 6.0 Fault Tolerance – New Features
  4. vSphere 6 Configuration of Fault Tolerance

Rutger Kosters – Virtualization Consultant working at YaWorks. Tech Junkie!

  1. mClock Scheduler & Reservations – A closer look at the mClock scheduler and how it is used in vSphere 6 for reservations in association with Storage IO Controls.

Sittichai Palanisong – Currently a Systems Engineer manager for VMware. Has 22 years of experience in the IT industry. Started with systems programming using C. Spent 18 years of his career in the world of UNIX and UNIX-like environments. VCP5 and VCAP-DCD5 certified.

  1. What’s New in vSphere 6 (Thai)

Vikas Shitole

  1. vSphere 6.0 : How SIOC works with Storage IO reservation – Yet another vSphere 6.0 feature which will excite you to move your Tier-1 IO intensive apps to vSphere.

Vipin V.K. – Working for a VMware partner company, in India. vExpert 2014/15

  1. vSphere 6 enhancements – Let’s take a look – Discussing some of the new key features with the new vSphere release, vSphere 6.

Vladan Seget – IT Consultant, professional Blogger and owner of vladan.fr ESX Virtualization website.

  1. vSphere 6 Long Distance vMotion – vSphere 6 breaks the traditional boundary that is the datacenter. Long distance vMotion is a game changer in DR strategies and in architecting DR solutions.
  2. vSphere 6 Features – vCenter Server Details – Windows based vCenter or VCSA? The barrier is gone as VCSA 6 scales the same way as Windows vCenter Server 6 – up to 1000 hosts and 10k VMs including support for linked mode…

Keep your VMware ESXi warranty: Don’t break the security shell

ESXi is not your father’s ESX. There is no Service Console, so trying to fit it into the exact same processes that you’re used to with ESX isn’t recommended. I know, I know, you have all those scripts you’re used to running in the console. VMware is building tools to manage and administer your ESXi from outside the box, and while they’re not quite feature complete, they’re well on their way. So don’t pop the hood; it’s welded shut for a reason.

Link: Keep your VMware ESXi warranty: Don’t break the security shell.

Working with VMware ESXi can be frustrating; you’re not supposed to enable the Dropbear SSH client or use its technical support mode without the assistance of a VMware support representative. System administrators, however, may be tempted to use tech support mode (or enable Dropbear) to fix problems or manage connections on the fly. Cracking this security shell, however, can void the VMware ESXi warranty and break support contracts. In this tip, I’ll explain alternatives that allow you to manage your ESXi virtual machines without compromising its security — and possibly breaking a support

Virtualization Team vs. Security Team: It is important to remove the “vs.”!

Rob Randell, one of our security specialists here at VMware, is guest-posting over at Mike D’s blog. (Guys, you’re welcome over here as well.)

Link: Mike D’s Virtualization Blog: Virtualization Team vs. Security Team: It is important to remove the “vs.”!.

Unfortunately, very often this situation is the exception and not the rule. Many of the customers that I talk to are only talking to me because they have started a widescale deployment of VMware VI and the security team gets wind of it once it is well underway, or worse, some sort of audit is initiated (PCI, Sarbox, HIPAA, etc…). At this point the entire architecture needs to be reviewed and very often rearchitected to meet the necessary security and audit requirements.

See the following article for a great example of this.

(Emphasis mine.) Sounds like a nightmare, so my guess is that you don’t want that to happen to you. Always consult your friendly neighborhood security team first.

What’s New in Security at VMware.com

From the VMware Security Blog, which should be on your short list. (Note that the blog is more for news and updates, but you can get security notifications emailed to you — check the right sidebar of the blog or the Security Center. Note also that this page is separate from the Security Technology page Charu mentions below.)

Link: VMware: VMware Security Blog: What’s New in Security at VMware.com.

  • The new VMware Compliance Center includes an overview of the issues involved with virtualization and compliance, a comprehensive listing of partner virtualization compliance solutions, and references such as white papers and recorded webcasts.
  • There is a new listing of Free Security and Compliance Utilities. These tools are provided by VMware partners, and can be downloaded and used right away to help assess and monitor your VI deployment.
  • The Overview section of the Security Technology site has been updated to present the core issues of virtualization and security in a more streamlined way. The Resources listing has also been enhanced to include more external resources.
  • Although not new, the VMsafe section had received some updates over the summer which you might not have seen.
  • Finally, something else that’s not new but worth pointing out is the Security Certifications page. We will be listing all security-related certifications that VMware products receive, so you can check here to see ones we have

Update to VI3 Security Hardening Guide | VMware Security Blog

Link: VMware: VMware Security Blog: Update to VI3 Security Hardening Guide.

Update to VI3 Security Hardening Guide

We have recently released an update to the VI3 Security Hardening guide.  The main changes are:

  • new content for ESX 3.5 and VirtualCenter 2.5, including VirtualCenter plug-ins
  • a section specific to hardening for ESXi
  • new sections for VM configuration as well as client software
  • a greater level of depth for the existing recommendations

And if you missed it, see also: DMZ Virtualization with VMware Infrastructure.

VMware Infrastructure Earns Common Criteria EAL4+ Certification | VMware Security Blog

From Eric Betts at the VMware Security Blog — something we’re very proud of.

Link: VMware: VMware Security Blog: VMware Infrastructure Earns Common Criteria EAL4+ Certification.

On May 20, 2008, VMware VI3 (ESX Server 3.0.2 & VirtualCenter 2.0.2) achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme (CCS). EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA). …

VMware is the first and only virtualization vendor for industry standard x86 hardware to successfully complete the rigorous Common Criteria certification process. Although several operating system vendors bundle virtualization technologies as part of their products, to date, none have included virtualization technology as part of their Common Criteria security certifications.

TripWire ConfigCheck sanity checks your ESX environment

From the TripWire ConfigCheck site:

Tripwire® ConfigCheck™ is a free utility that rapidly assesses the security of VMware ESX 3.5 hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. Developed by Tripwire in cooperation with VMware, Tripwire ConfigCheck ensures ESX environments are properly configured—offering immediate insight into unintentional vulnerabilities in virtual environments—and provides the necessary steps towards full remediation when they are not.

internetnews.com – TripWire Cures Virtual Misconfiguration:

"There haven’t been any attacks against the hypervisor that could be demonstrated to break through, but misconfiguration could put you in a situation where you can get attacked even if you have no vulnerabilities or are fully patched," [VMware’s Nand Mulchandani] added.

There are about 100 configuration settings in VMware that need to be set to ensure the most hardened environment possible, and these have, up to now, had to be manually checked.

NetworkWorld – Did you say: FREE, SECURITY and VIRTUAL SERVERS?

The ConfigCheck tool is based on VMware’s own security hardening guidelines for ESX Server and future releases will also support VMware’s Infrastructure 3 products. The free tool notifies IT managers of potential conflicts in configurations and also offers fixes to the incompatibilities between actual and desired configurations. The tool links back to the vendors’ virtual security resource center.

SearchSecurity.com – Virtualization tool assesses VMware security configurations

"It will be eye-opening when they run ConfigCheck against their systems and gauge that relative to best practices," said Mulchandani. "It will get them thinking about configuration and patching in key areas for security."

Best practices for securing virtual networks

Hezi Moore, co-founder and CTO of Reflex Security, has a nice 3-part primer on how to start thinking about your virtual networks as a guest post on VMblog. While Hezi does mention virtual appliances, he avoids turning this into an ad for Reflex.

Best Practices for Securing Virtual Networks – Part One of Three 

However, virtualized environments face unique network security challenges that can affect the entire organization. Adding security to your virtual network, such as a virtual security appliance, can protect critical resources from intrusion, theft, service denial, regulatory compliance conflicts or other consequences.

Fortunately, by combining prudent security measures with advancing virtualization technologies, organizations can adopt and deploy “defense in depth” best practices without the traditional high costs and complexities associated with physical infrastructure and enjoy the benefits of a virtualized architecture while avoiding excessive risks. …

Virtualized environments are difficult to visually inspect and, due to virtual server mobility and related issues, they often have dynamic configurations and server populations. In this context, threats can easily spread, devices can be overlooked, and inappropriate activity can be concealed. To prevent configuration oversights, rogue devices, auditing omissions and other issues, the security system should maintain persistent awareness of all virtualized devices, services and communications.

Best Practices for Securing Virtual Networks – Part Two of Three

Primarily, organizations have four alternative or complementary approaches to secure virtualized environments: physical network security devices, physical device / VLAN configurations, host intrusion prevention systems and virtualized network security systems.

Best Practices for Securing Virtual Networks – Part Three of Three

Leverage virtualization platform to enable security

While virtualization can present new security challenges, it is a powerful technology that can have a significant impact on an organization’s ability to become more efficient, effective and productive. Organizations should determine not only what business applications can benefit from virtualization but also what IT applications can benefit from virtualization, and use this trusted platform as an enabler. Determine which physical devices make most sense to deploy in virtualization and utilize complementary software like virtual security appliances to provide the following capabilities in the virtual environment:

  • Security
  • Visibility
  • Control
  • Manageability
  • Policy enforcement
  • Deployment

(And thanks, Dave, for getting this kind of original article out alongside the comprehensive industry and blog news you can find at VMblog.com)

More on VMsafe: it’s a cool adrenalin shot full of the Beatles on Ed Sullivan

Virtualization is mind-blowing stuff, but I have never seen the metaphors get so intricate or the prose get so purple as the blog posts on VMsafe over the past week. Either VMsafe (see our previous post) has touched a nerve, or rhetoric in the security industry is even more heated than in the virtualization industry. I suspect both.

Link: Chris Wolf: VMsafe is cool because … — Server Virtualization Blog.

“VMsafe is a very important technology in my opinion, as it changes how virtual environments are secured. Today, security appliance virtual machines (VMs) typically monitor other VMs by connecting to them over a virtual switch. The result is virtual network monitoring that resembles physical network monitoring,” Wolf said. “The current model is fine until VMs begin to dynamically move across a virtual infrastructure. …

Wolf continued, “VMsafe also provides the framework for offloading many security activities to special-purpose security VMs, including roles such as antivirus monitoring. As we move to an automated or dynamic data center, having special-purpose security appliances that are capable of enforcing security policies at the hypervisor level can ease security management in an environment that will be constantly

Link to another coffee spit-take rant at: Rational Survivability: VMWare’s VMSafe: Security Industry Defibrilator….Making Dying Muscle Twitch Again.

As I mentioned in a prior posting, VMware’s VMsafe has the potential to inject life back into the atrophied and withering heart muscle of the security industry and raise the prognosis from DOA to the potential for a vital economic revenue stream once more. … For the purpose of this post, I’m going to focus on the security implications of virtualization and simply summarize by suggesting that virtualization up until now has quietly marked a tipping point where we see the disruption stretch security architectures and technologies to their breaking point and in many cases make much of our invested security portfolio redundant and irrelevant. …

So, we’ve got this fantastic technological, economic, and cultural transformation occurring over the last FIVE YEARS (at least,) and the best we’ve seen as a response from most traditional security vendors is that they have simply marketed their solutions slimly as "virtualization ready" or "virtualization aware" when in fact, these are simply hollow words for how to make their existing "square" products fit into the "round" holes of a problem space that virtualization exposes and creates. …

VMSafe represents a huge opportunity for these vendors to claw their way back to life, making their solutions relevant once more, and perhaps even more so.

And then in the comments to Hoff’s post, Greg Ness (VP Marketing for Blue Lane) says about the VMsafe introduction that "It felt like the IT industry’s equivalent of the Beatles first performance on Ed Sullivan." and then posts at his own blog. Link: Dispelling Virtsec Myths « ARCHIMEDIUS.

The hardware infrastructure that emerged with the rise of desktop computing and the internet is about to collapse back into the server. That model is infinitely more scalable, more dynamic and more flexible than the world of pipes, racks and screwdrivers. That is why virtualization will win out over daisy chains of specialized hardware. …

Some deep security experts suggest that there are new hypervisor-specific attacks that pose real, catastrophic threats. As I commented while on an InformationWeek panel last month, the hypervisor is modern code with a very lean attack surface. Compare that lean hypervisor code to the layers of code and sizable population of known vulnerabilities in any leading operating system or application/database. Then look at the rate of change now possible in a virtual infrastructure. …

Let’s use the hypervisor layer to deliver improved security. After all, it is a standardized inflection point that can scale with the servers and the traffic …

Keeping Your VMotion Traffic Secure

From the VMware Security Blog: Keeping Your VMotion Traffic Secure.

Recently a researcher published a proof-of-concept called Xensploit which allows an attacker to view or manipulate a VM undergoing live migration (i.e. VMware’s VMotion) from one server to another. This was shown to work with both VMware’s and Xen’s version of live migration. Although impressive, this work by no means represents any new security risk in the datacenter. It should be emphasized this proof-of-concept does NOT “take over the hypervisor” nor present unencrypted traffic as a vulnerability needing patching, as some news reports incorrectly assert. Rather, it is a reminder of how an already-compromised network, if left unchecked, could be used to stage additional severe attacks in any environment, virtual or physical. …

Encryption of all data-in-transit is certainly one well-understood mitigation for man-in-the-middle attacks. But the fact that plenty of data flows unencrypted within the enterprise – indeed perhaps the majority of data – suggests that there are other adequate mitigations. Unencrypted VMotion traffic is not a flaw, but allowing VMotion to occur on a compromised network can be. So this is a good time to re-emphasize hardening best practices for VMware Infrastructure and what benefit they serve in this scenario.