

Virtual Appliances getting more secure with vSphere 5.5 – Part 1

With VMworld San Francisco in our rear view mirror, the flow of information coming in from many sources is staggering! Well, in that spirit, here’s some more!

At VMware we take security very seriously. We are working very hard to deliver products that are more secure out of the box. The direction we have taken is to ship hardened systems where you have to make a conscious decision to loosen controls. An outcome of this effort is some great changes to virtual appliances!

Virtual Appliance Security

As you may know, virtual appliance deployments for VMware products provide customers with the ability to rapidly deploy and configure infrastructure components. But some of the feedback we have received is “How do I secure the appliance operating system?” We’ve taken that feedback seriously and I’d like to take the opportunity to say that as of vSphere 5.5, many of our virtual appliances will ship with the ability to meet or exceed current high-governance compliance requirements.

The most common references for implementing these security requirements are NIST SP 800-53 and the US Department of Defense / Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). The latest iteration of the STIG, called the Security Requirements Guide (SRG), is an effort by DISA to merge both the NIST 800-53 and the STIG guidance into a single security guide that cross-references both sets of technical requirements.

The end result of all of this work is 14 hardened virtual appliances across 9 products all leveraging a common virtual appliance platform operating system. This effort closes 91-95% of the identified platform vulnerabilities in shipping code! These are the products that now meet this hardened standard.

•    vCenter Server Virtual Appliance 5.5 (VCSA)
•    vCenter Orchestrator 5.5 (vCOva)
•    vCenter Operations Manager 5.7.1 (vCOPs)
•    vCenter Infrastructure Navigator 5.7 (VIN)
•    vCloud Automation Center Virtual Appliance 6.0 (vCACva)
•    vCenter Management Assistant (vMA)
•    VMware Log Insight 1.0
•    Horizon Workspace Manager 1.5
•    vCloud Connector 2.5.1 (vCC)

Patching

VMware security teams are leading the effort to address all related patch requirements to the appliance OS platform. We will have more information on that when it is available.

Unnecessary Accounts

As part of the hardening effort of the virtual appliances, all unnecessary accounts have been removed.

Just Enough Operating System

When you remove unnecessary code/packages from an OS, you are removing opportunities for attack. This is called “limiting the attack surface”. The virtual appliance OS has undergone extensive review of what is needed in order to run the applications it was designed for. VMware security teams have removed packages deemed unnecessary for the operation of the virtual appliance.

Firewalls

Out of the box, the virtual appliance OS firewall rules are set to limit network access to just those things that are needed to do its job.
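A check a practitioner would run to confirm that on a deployed appliance, added here as an example (it is not VMware's code and not part of the original post): the script parses `netstat -lntu`-style output and reports every listener that is reachable from the network and whose port is not on an allowlist of expected ports. The sample output and the allowlist of 22, 443 and 123 are constructed for illustration and are not the ports of any particular VMware appliance.

```shell
#!/bin/sh
# audit_listeners "PORT PORT ..." < netstat-output
# Reads `netstat -lntu` style output on stdin and prints every TCP/UDP
# listener that is bound to a non-loopback address and whose port is not in
# the space-separated allowlist. Exit status 1 if any such listener exists,
# 0 if the host exposes only what was expected.
audit_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only socket lines: proto recv-q send-q local-address ...
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      port = addr; sub(/.*:/, "", port)       # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
      # Loopback-only listeners are not reachable from the network; skip them.
      if (host == "127.0.0.1" || host == "::1") next
      if (!(port in ok)) { print $1, addr; found = 1 }
    }
    END { if (found) exit 1; exit 0 }'
}

# Constructed sample: what `netstat -lntu` might print on a hypothetical appliance.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
)

# Assumed expected ports for the hypothetical appliance: SSH, HTTPS and NTP.
EXPECTED_PORTS="22 443 123"

# On a live system: netstat -lntu | audit_listeners "$EXPECTED_PORTS"
# Here it runs over the constructed sample: 8080 is reported, 5432 is
# loopback-only and therefore ignored.
run_sample_audit() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "$EXPECTED_PORTS"
}

run_sample_audit || echo "unexpected listeners found (exit status $?)"
```

Run it before and after applying the site-specific changes from Part 2 and diff the two reports; any new line is a service that either needs a firewall rule or should not be running at all.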

Password Complexity Rules

Out of the box the VMware Hardened Virtual Appliances ship with strong password complexity rules. Running the DOD script called out in Part 2 changes those rules to match the requirements of the DISA STIG.

Caveat: The passwd command in the SLES-based virtual appliance OS still does not support “enforce_for_root” for the root user. This means that, once you create new accounts, password changes should be executed as the account owner, not as root. If you run passwd as root (to change the password of the root account), then you must manually ensure the password complexity requirements are met. When creating a new user account, it is wise to create the user and set a temporary password as root, then force the user to log in and re-run the passwd command as that user to ensure the complexity requirements are met.
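As an added example (not VMware's code and not from the original post): a shell pre-check for the caveat above, so that a root-initiated password change can be vetted against a rule set before it is applied, plus the create-then-force-change flow the post recommends. The minimum length of 8 and the four character classes are assumptions that resemble pam_cracklib's minlen/ucredit/lcredit/dcredit/ocredit style of rule, not the appliance's actual settings; `useradd`, `chpasswd` and `chage -d 0` are standard shadow-utils commands and need root.

```shell
#!/bin/sh
# Added example: a pre-check for the case the caveat describes, where root runs
# passwd and PAM does not enforce complexity. The rule set (assumed, not
# VMware's exact policy): minimum length, plus at least one upper-case letter,
# one lower-case letter, one digit and one other character.
LC_ALL=C
export LC_ALL

# check_complexity PASSWORD [MINLEN]
# Returns 0 when PASSWORD meets the rules, 1 otherwise, naming the failed rule.
check_complexity() {
  pw=$1
  minlen=${2:-8}
  if [ "${#pw}" -lt "$minlen" ]; then
    echo "rejected: shorter than $minlen characters"; return 1
  fi
  case "$pw" in *[A-Z]*) ;; *) echo "rejected: no upper-case letter"; return 1 ;; esac
  case "$pw" in *[a-z]*) ;; *) echo "rejected: no lower-case letter"; return 1 ;; esac
  case "$pw" in *[0-9]*) ;; *) echo "rejected: no digit"; return 1 ;; esac
  case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "rejected: no special character"; return 1 ;; esac
  return 0
}

# provision_user USERNAME TEMP_PASSWORD
# The two-step flow from the caveat, run as root: create the account with a
# temporary password (still checked here, since root bypasses PAM), then expire
# it so the user must pick a new one through passwd at first login, where PAM
# does enforce the rules. Needs root; the self-check below does not call it.
provision_user() {
  user=$1
  temp=$2
  check_complexity "$temp" || return 1
  useradd -m "$user" || return 1
  printf '%s:%s\n' "$user" "$temp" | chpasswd || return 1
  chage -d 0 "$user"     # last-change day 0 = must change at next login
}

# Typical use before changing root's own password on the appliance:
#   . ./pwcheck.sh && check_complexity "$candidate" && passwd root
```

The check deliberately reports only the first failed rule and never echoes the candidate password, so it can be used in a shell session without leaving the secret in scrollback.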

Conclusion

Security is a journey, not a destination. VMware is committed to further securing virtual appliances. This is a GREAT first step on that journey!

Part 2 of this blog post will contain information on site-specific updates you may make for further compliance needs. Pay close attention to the section on password expiration!

Thanks for reading and DO get in touch if you want to see a blog post on something that concerns you around vSphere security. I’m always looking for new topics!

mike

Check out Parts 2, 3 and 4 for more!

This entry was posted in Security, vSphere by Mike Foley.

About Mike Foley

Mike Foley is a Senior Technical Marketing Manager at VMware. His primary focus is on security of the core platform (vSphere). He is the current keeper of the vSphere Hardening Guide. His primary goal is to help IT/VI Admins build more secure platforms that stand up to scrutiny from security teams. Previously, Mike was on the evangelist team at RSA where he concentrated on virtualization and cloud security and contributed as a member of the product architect team. Mike has a blog at http://yelof.com and contributes to the VMware vSphere and Security blogs as well. Follow him at @vSphereSecurity on Twitter

18 thoughts on “Virtual Appliances getting more secure with vSphere 5.5 – Part 1”

  1. Pingback: Virtual Appliances getting more secure with vSphere 5.5 – Part 2 | VMware vSphere Blog - VMware Blogs

  2. Pingback: Virtual Appliances getting more secure with vSphere 5.5 – Part 3 | VMware vSphere Blog - VMware Blogs

  3. Pingback: Jase's Place » VMware vCSA 5.5 – Ready for Prime-time & the War Fighter

  4. Pingback: Public Sector Initiatives | VMware for Public Sector Blog - VMware Blogs

  5. Pingback: Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

  6. Lacy Smalls

    There are some interesting time limits in this article but I don’t know if I see all of them center to heart. There is some validity but I will take hold opinion until I look into it further. Good article , thanks and we want more! Added to FeedBurner as well

  7. Loree Meeter

    There are some attention-grabbing closing dates in this article but I don’t know if I see all of them heart to heart. There may be some validity but I will take hold opinion until I look into it further. Good article , thanks and we wish more! Added to FeedBurner as well

  8. Taina Russel

    That is the right weblog for anybody who wants to find out about this topic. You understand a lot its nearly laborious to argue with you (not that I truly would want…HaHa). You definitely put a brand new spin on a subject thats been written about for years. Nice stuff, simply nice!

  9. Arie Tuesburg

    There is a list made annually of unsafe toys which have been proven to be dangerous and every parent should see clearly. It’ll tell you if toys could be unhealthy into a child. Reading this list will keep you from getting a seemingly harmless toy that is certainly actually quite dangerous.

  10. Rueben Crisp

    The next time I read a weblog, I hope that it doesnt disappoint me as much as this one. I imply, I do know it was my option to read, however I really thought youd have one thing interesting to say. All I hear is a bunch of whining about one thing that you possibly can fix if you happen to werent too busy looking for attention.

  11. tom ford solglasögon

    The following time I learn a blog, I hope that it doesnt disappoint me as a good deal as this 1. I imply, I know it was my choice to learn, but I really thought youd have one thing fascinating to say. All I hear is a bunch of whining about something which you could fix need to you werent too busy looking for attention.
