
Monthly Archives: March 2012

vCenter Configuration Manager 5.5 is now Generally Available

As you are probably aware, back in October we unveiled the VMware vCenter Operations Management Suite designed to deliver integrated performance, capacity and configuration management for virtualized and cloud computing environments.  What is less well known is that VMware vCenter Configuration Manager is the anchor for the “configuration” management capabilities within the suite.  Having been part of Configuresoft for several years before it was first purchased by EMC and then sold to VMware, I feel a bit like a dad watching his baby grow up.  The technology that was Configuresoft is at the heart of vCenter Configuration Manager.

With today marking the general availability of vCenter Configuration Manager 5.5, I am both excited and proud to see this one go out the door.  vCenter Configuration Manager has always been a great solution for ensuring that Operating System software, whether Windows, Linux or Unix, is properly configured to meet a broad range of security best practices, vendor hardening guidelines and regulatory mandates (think HIPAA, PCI, SOX, etc.).  But with this release, vCenter Configuration Manager becomes an indispensable part of the VMware family, addressing core requirements of the Virtual Infrastructure teams looking to leverage the VMware Cloud Infrastructure Suite as the foundation for business critical workloads moving to the cloud.

The primary theme for vCenter Configuration Manager 5.5 release is “Cloud Ready”.  New capabilities within this release significantly increase the ability of the Virtual Infrastructure team to ensure that their VMware Infrastructure is properly configured to meet the rigorous demands associated with virtualizing business critical workloads; including addressing requirements associated with VMware’s own hardening guidelines.  

This new release dramatically increases the ability to track configuration changes and to assess configuration compliance across the VMware Infrastructure, including the ESX, ESXi, vCenter, vCloud Director and vShield products.  There are also substantially more configuration actions that can be executed against vCenter, ESX and ESXi configurations.  These configuration actions can be executed against a single object or in bulk against multiple objects spanning multiple vCenters.  They can be executed as part of an organization's general configuration management processes or as part of a configuration compliance program.

The enhancements to vCenter Configuration Manager 5.5 put tremendous visibility and control at the fingertips of the Virtual Infrastructure team responsible for VMware Infrastructure.  To help illustrate this I have included an example of how vCenter Configuration Manager can help manage configuration changes across the VMware Infrastructure (Figure 1). This particular high level dashboard is focused on the Virtual Infrastructure team and shows all changes that have occurred across the VMware Infrastructure for a specific time period.  



You can quickly drill down into any of these dashboards to investigate anything of interest or concern.  In this example I've drilled down into a specific vCenter (Figure 2) to understand a change associated with the "client.timeout.normal" setting.  I can see that this setting has been changed from 60 seconds to 10, which I know is out of compliance with operational best practices for vCenter (which call for this setting to be equal to or greater than 60 seconds).

Fig 2

In addition to the ability to see and understand prior changes, vCenter Configuration Manager provides the ability to change configuration settings across the VMware infrastructure (Figure 3).  I can do this for a single object or for multiple objects.  Bulk configuration changes can be directed across objects that span vCenters. 

Fig 3

Finally (Figure 4) I can proactively manage configurations through compliance where I create rules and templates (collections of rules) for any configurations I want to ensure are uniformly applied across my entire virtual data center or subsets of “like objects” in my data center.  vCenter Configuration Manager comes with a rich set of templates out-of-the box that can be used as is or as the starting point for the development of your own internal best practices.  

Fig 4
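The three capabilities walked through above (spotting the client.timeout.normal drift, evaluating a template of rules across many vCenters, and planning a bulk change that spans them) share one underlying loop, which the following added example models in Python. It is not vCenter Configuration Manager code: the product's data model and rule syntax are not shown on this page, so the Change and Rule structures, the two constructed collections from "vc01" and "vc02", and the extra "client.timeout.long" value are assumptions made for the example. The only threshold taken from the post is client.timeout.normal >= 60 seconds.

```python
# Illustrative model of configuration change tracking, compliance evaluation
# and bulk remediation planning across several vCenters. Added example, not
# vCenter Configuration Manager code; all structures and data are assumptions.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Snapshot = Dict[str, Dict[str, Any]]  # {target: {setting: value}} per collection


@dataclass(frozen=True)
class Change:
    target: str
    setting: str
    old: Any
    new: Any


@dataclass(frozen=True)
class Rule:
    setting: str
    check: Callable[[Any], bool]   # True when the collected value is compliant
    desired: Any                   # value a remediation action would set
    description: str


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Change]:
    """Return every setting whose value differs between two collections.
    A setting present in only one snapshot is reported with None on the
    missing side, so added and removed settings show up as changes too."""
    changes: List[Change] = []
    for target in sorted(set(before) | set(after)):
        b, a = before.get(target, {}), after.get(target, {})
        for setting in sorted(set(b) | set(a)):
            if b.get(setting) != a.get(setting):
                changes.append(Change(target, setting, b.get(setting), a.get(setting)))
    return changes


def evaluate(template: List[Rule], snapshot: Snapshot) -> List[Tuple[str, str, Any]]:
    """Apply every rule of a template to every target. A setting that was never
    collected fails closed: you cannot attest to a value you have not seen."""
    findings: List[Tuple[str, str, Any]] = []
    for target, settings in sorted(snapshot.items()):
        for rule in template:
            value = settings.get(rule.setting)
            if value is None or not rule.check(value):
                findings.append((target, rule.description, value))
    return findings


def plan_remediation(template: List[Rule], snapshot: Snapshot) -> List[Tuple[str, str, Any]]:
    """Turn findings into (target, setting, desired) actions: the shape of a bulk
    change spanning vCenters. Planning is kept separate from execution so the
    list can be reviewed (or a VM snapshot taken) before anything is applied."""
    desired = {r.description: (r.setting, r.desired) for r in template}
    return [(target, *desired[desc]) for target, desc, _ in evaluate(template, snapshot)]


# Threshold stated in the post: client.timeout.normal should be >= 60 seconds.
TEMPLATE: List[Rule] = [
    Rule("client.timeout.normal", lambda v: isinstance(v, int) and v >= 60, 60,
         "client.timeout.normal must be >= 60 seconds"),
]

# Constructed sample collections from two vCenters. vc01 has had the timeout
# lowered from 60 to 10 between collections, as in the post's Figure 2; the
# client.timeout.long value on vc02 is made up to show a removed setting.
SNAPSHOT_BEFORE: Snapshot = {
    "vc01": {"client.timeout.normal": 60},
    "vc02": {"client.timeout.normal": 60, "client.timeout.long": 120},
}
SNAPSHOT_AFTER: Snapshot = {
    "vc01": {"client.timeout.normal": 10},
    "vc02": {"client.timeout.normal": 60},
}

if __name__ == "__main__":
    for c in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"CHANGE  {c.target}: {c.setting} {c.old!r} -> {c.new!r}")
    for target, desc, value in evaluate(TEMPLATE, SNAPSHOT_AFTER):
        print(f"FAIL    {target}: {desc} (found {value!r})")
    for target, setting, value in plan_remediation(TEMPLATE, SNAPSHOT_AFTER):
        print(f"ACTION  {target}: set {setting} = {value!r}")
```

Two design points carry over to any real tool of this kind: a rule against a setting that was not collected should fail rather than pass silently, and remediation should be produced as a reviewable plan before it is pushed to dozens of objects across vCenters.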

The new capabilities of vCenter Configuration Manager 5.5 significantly increase the value delivered to customers purchasing the vCenter Operations Management Suite Enterprise Edition where today vCenter Configuration Manager is included to address critically important use cases associated with “hardening” the VMware Cloud Infrastructure Suite. 

Other significant enhancements to vCenter Configuration Manager in this release include:

  • Ability to create machine groups within vCenter Configuration Manager based on organizational constructs (clusters, virtual datacenter, application trust zones) within vCenter, vCloud Director and vShield.
  • Support for configuration and compliance management for virtualization specific constructs such as templates and offline VMs (via VMware vCenter Orchestrator workflows delivered separately from the release)
  • The ability to snapshot a VM before making a configuration change
  • Support for the “Security Content Automation Protocol” (version 1.0) –  important to federal agencies
  • A new REST based API that will allow vCenter Configuration Manager to more fully participate in VMware and 3rd party ecosystem solutions

Early feedback from customers involved in beta testing has been extremely positive.  The increased ability of vCenter Configuration Manager to harden the VMware Infrastructure combined with the existing strength of the product to harden the Operating System (Windows, Linux, Unix) make vCenter Configuration Manager fundamental to clouds built on VMware technology.  More information can be found by visiting the vCenter Configuration Manager page on VMware.com.   Also, be sure to download the free vSphere Compliance Checker which will help you better understand the value that vCenter Configuration Manager delivers to organizations looking to move business critical workloads to the cloud.

Peace Out!

George Gerchow, Director, VMware Center for Policy and Compliance


Thoughts on Visibility, Context, and Control after listening to Chris Young’s keynote from RSA 2012

At RSA last week in San Fran, Chris Young, from Cisco, commanded the stage, he held the audience on the edge of their seats in anticipation, and he said all the right things. Well, that is he said all the right things to make Cisco sound perfectly positioned. And can we really fault them for being so network centric?

He did make some excellent points. Chris said "I believe that visibility and context aware enforcement are two of the things we all need the most in security", which I totally agree with. You obviously can't take action against an attack if you can't visualize it. And how do you know if it's legitimate or not without the context? In fact, this has been the premise of IPS and Anomaly Detection tools for over a decade. And yes, those are definitely network based tools.

Have you ever stopped to consider WHY those tools are network based? It’s because that was where the concept of an inline tap was developed. It was easy for an engineer to take the network signal off an ethernet cable and pipe it into an analysis tool without actually interfering with the connection. And that served as a much easier way of monitoring lots of systems communicating without the pain of attaching to every new system as they were added to the network.

The concept of a tap may have been born out of networking, but it can now be applied to a wide range of other technologies. The same idea has been applied and in use with software agents for at least a decade as well, to shim or tap the CPU, memory, storage, and networking stacks inside an OS. Those agents work fairly well, but in recent years they have succumbed to attack from malware designed to disable these tools upon takeover of an OS. The reason the malware has been successful against a "host agent" but not against a network agent comes from the context of execution. When a piece of malware takes over an OS, it has already taken control beyond the scope of what was originally designed. To say it another way, the malware plays with no rules or makes up its own rules on the fly, but the security software and OS are only ever going to adhere to the rules they know. So agent based tools are always at a disadvantage.

So with that context in mind, the security world has been split between network centric tools and software agent tools, but because of the inherent disadvantage of the software agents we've seen an uptick in network specific tools over the last several years. To articulate this point, Chris also said "the network is becoming the only constant source of intelligence we can rely on and the only control point we can depend on". Unfortunately, this is where I will have to disagree with Chris and Cisco's approach of using only network centric tools. What he failed to acknowledge is another form of tap available and in use today. This technology, like agent based solutions, can intercept many different forms of data streams such as CPU, memory, network, or storage. However this solution does NOT have the problem agent based tools have and instead leverages the transparent inspection nature of a network based tap. Sounds like the best of both worlds, right?

So what is this tapping tool that Chris neglected to acknowledge? Why of course it's a Hypervisor! Yes, that's right, it's the core competency of virtualization, and what I'm describing is an added benefit that has been overlooked by others for many years, but which we at VMware have invested heavily in for nearly half a decade now. All data processing in any form that ever happens inside a VM passes through the hypervisor, and all of that data is available to be inspected for any conceivable reason. And we've already been creating access methods for the security industry to use for the last 4 years. These tools could be APIs like VMSafe or EPSEC for partners to use, or even our own vShield suite of technology.

Even Cisco is using some of these technologies, like vNetwork and DVFilter, to do their own inspection and enforcement like Chris is advocating. In fact, while their own implementation gains access to these data streams in the hypervisor, they insist on moving the inspection back into their network centric tools via the Nexus 1000v and their Virtual Security Gateway (VSG).

The problem with that approach is that the depth of these protection tools is typically not comprehensive across all of the different threat vectors. What we need to do as an industry is work on ways to better integrate and adopt these tools more rapidly. The unfortunate truth is that each of the security vendors has a core competency and they let that small set of protection tools dictate the direction of their portfolio and development efforts. Whereas our adversaries recognize none of these limits, play with no rules, and exploit our unwillingness to properly implement our defense in depth and breadth strategies. As a call to action we should learn to embrace each of our various tool sets, make it easier for our customers to use our tools in conjunction with one another, and even someday to create an open management framework for shared policy constructs.

We don’t need to focus on the network and the minimal set of inspection points that has to offer in the traditional security model. Instead we should focus on the hypervisor and the near infinite and simultaneous inspection points now available. Only this level of cooperation will allow us to take off our stack specific blinders and instead Visualize the true threat landscape and apply the proper Context to implementing our Control boundaries in this new evolution of IT, which we call Cloud.



Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware. 

RSA Conference San Francisco 2K12 – Back to the Golden Age

Greetings securanerds and compliance aficionados! 

The RSA Conference has made a HUGE comeback this year in Tim Tebow/Jeremy Lin-Sanity-like fashion and secured its rightful place as the largest & best security conference on the planet.
Art Coviello got things started with some HEAT as he preached the "Hack Back" message. The Buzz at RSA was intense and fresh as new privacy initiatives and cloud computing are driving life back into the security space along with compliance. The sessions and expo floor were simply PACKED! It was great to see the usual security Titans displaying their knowledge & goods along with up and comers like HyTrust who had their brand on the back of every badge.
For VMware Center for Policy & Compliance (CP&C), it was immediate action from day uno as we were busier than a one-toothed man in a corn-on-the-cob eating contest! (No offense to my single fanged friends, it is just the truth 🙂)
We started off with announcing our upcoming release of vCenter Configuration Manager (vCM) 5.5, part of the vCenter Operations Management Suite (vCOPS), the best vSphere, Cloud Infrastructure Suite & Config/Compliance Management Tool in the industry. You will hear more about vCM 5.5 when it goes GA on March 15th, but I must give you a sneak peek: 5.5 may be sweeter than Crispy Bacon!
vCM 5.5 Example report showcasing  vCenter and vCD Permissions: 
    Providing a single view of permission levels across vCenters and vCDs that can be filtered by User, Group, Object, etc. 
    NOBODY else in the systems management space today can do this except for vCOPS & vCM!

Check it:
VCM 5.5 Effective Permissions Report


Next was an interview at the RSA booth on EMC Live TV going over our combined VMware, EMC & RSA integration into the Archer eGRC solution to deliver "Compliance Across the Stack", bringing together technical controls with policy enforcement. The demo showcases Server, Network and Storage Compliance results in Archer! This is a LARGE step in our Trusted Cloud initiative "Meeting Customers Compliance Requirements to Migrate Tier 1 Apps to vSphere and Cloud Environments".
We kept the vibe alive as our honorary CP&C member Davi Ottenheimer ("The Flying Penguin", http://www.flyingpenguin.com/) threw some deep knowledge at folks during his Sessions:
    CLD-108 Lightning Round: Data Confidentiality and Integrity in the Cloud
    DAS-302: Message in a Bottle – Finding Hope in a Sea of Security Breach Data

I hope you got a chance to see him in action, if not you can catch Davi live in Vegas singing Sinatra at the Venetian Showroom. (Seriously http://davisingssinatra.com/)
Finally we started wrapping things up with the VMware communities podcast #177 covering the conference with my RSA pal Mike Foley.
Switching gears a bit, we also saw blatant displays where policy & technology could not prevent human action from putting the environment at risk. There were several people who made their way into sessions by telling the door staff "We are with the Speaker". In all cases, the hoodlums were welcomed without any identified credentials, verification from the speaker or proof of having a delegate badge. It just goes to show you that visibility, training and accountability are key ingredients to securing an infrastructure in a compliant fashion. (Next year just buy a full conference badge, people!)
Have a great weekend, snow is falling all over the west so hit the slopes if you can!
Please excuse any typos or grammar mistakes, after all I am ESL and will lean on that as long as possible. 
Peace Out!
George Gerchow – VMware Director, Center for Policy & Compliance


Defense in Depth. Who needs it?

Greetings from San Francisco and the RSA conference! It's been a great week of sessions, meetings, and vendor presentations. While listening to all these great talks, one thing came to inspire me about what I believe we're all seeing in the industry: misconfiguration and mismanagement.

Defense in depth is the process of adding layers of protection to secure an area. It's not a new concept at all. In fact, it has been the mantra of the security industry for at least a decade if not longer, and well before that it was a widely used military tactic. Usually, this strategy is used to prevent an attacker from exploiting one of your security tools, like a firewall or IPS, and bypassing what would be a single layer of protection. Now I agree that adding layers of well thought out protection makes a ton of sense when those layers are all managed properly, updated regularly, and the threat you're trying to solve is preventing an attacker from bypassing your security device through its own vulnerabilities. The problem though is that nearly every day, and in every breach we've heard about in the news, that is not the case. More often than not, the attacker used a valid communication pathway to access a publicly available service, like a web server, and then used an exploit in the code of that application or an unpatched service to gain access into the infrastructure. On top of that, the attacker is usually very likely to gain access to other systems in the corporation by simply pivoting from the system they just compromised.

So, why is this possible? Well, it seems that administrators are spending the majority of their time just "keeping the lights on". Meaning our security and operations teams are stretched far too thin. What suffers when administrators don't have enough time? Almost every single time, the existing product/server is going to suffer so that the schedule is kept for the new project(s) being worked on. What that means is that instead of an administrator keeping existing servers patched and up to date in a timely manner, or keeping your security tools functioning properly to begin with, they are actually working on new stuff for the corporation. It also means you need to protect your security teams from becoming the "Jack of all trades, master of none."

This is a horrible conundrum for an IT organization. So back to my title question: the answer is "it depends". I would argue it makes more sense to have one layer of really well implemented security and process before going to add other layers. If you can't make that one layer work properly 100% of the time, then you need to go back to what you were doing and make it work. This may not be the answer the business owners want to hear, but it's the answer they MUST hear.

Far too often I see companies move to technologies like DLP, Anomaly Detection, GRC, etc. before they've even mastered how to deploy and use an IDS or IPS. That's like learning to jump hurdles in the Olympics before you've mastered walking. The other thing I can tell you is that with Cloud/ITaaS/'X'aaS coming to a datacenter near you soon, the world of security is getting both more complicated and simpler all at the same time. We're seeing customers collapse network domains in favor of reducing VLANs, but at the same time they are implementing tools like vShield App that allow for network segmentation at layers 2 through 4. These new tools make designing networks a more complicated thought process up front, but in the long run simplify the management of those networks.

We face a series of similar paradoxical situations in the future of virtualized security and compliance technologies. It's incumbent upon us all to learn these tools quickly, act on their proper implementation, and by all means make sure to test our designs before we move on to that next layer of our Defense in Depth strategy. I know the temptation and push is strong to add the latest and greatest, but it'll do you no good if it's implemented incorrectly.





Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware.