Author Archives: Charu Chaubal

About Charu Chaubal

Charu Chaubal is the Director of Technical Marketing for the Cloud Platform Business Unit at VMware, and runs the team that works on the vSphere product line. He has been at the company since 2006, and has been responsible for customer education and sales enablement for a wide range of datacenter technologies, such as hypervisor security, hyperconverged storage, and virtualization of data science applications. Previously, he worked at Sun Microsystems, where he had over 7 years of experience architecting distributed resource management and HPC infrastructure software solutions.

VMware Common Criteria Update – April 2013

The following is an article from Eric Betts, who manages VMware’s Common Criteria certification program.

Feedback on VMware’s announcement of vSphere 5.1 achieving “In-Evaluation” status has been overwhelmingly successful. However, it also caused quite a flurry of questions regarding the change in EAL level from EAL4+ to EAL2+ and questions on EAL4 vs. EAL2. This blog posting clarifies VMware’s position and gives an overview of the reform changes in progress with Common Criteria.

Information Technology (IT) customers often leverage third party validations, such as Common Criteria, for assurance of IT product features & implementation and compliance with a known standard.  Common Criteria is a methodology framework for the evaluation of IT products, mutually recognized by 26 member nations (up to EAL4) and is an ISO standard (ISO-15408).   These factors, among many others, have contributed to the success, acceptance and often the requirement for Common Criteria certifications for Government and Defense related procurement sales.  However, as with any technology, process or standard, they must evolve and adapt to address current technologies and industry trends to remain relevant.   Common Criteria is evolving to address such needs.

The National Information Assurance Partnership (NIAP), in cooperation with other countries, has initiated a series of changes for reform. Changes include enlisting the help of industry through technical communities for development of new Protection Profiles (PP), and improving the consistency, speed and efficiency of evaluations. As part of the reform, requirements for specific EAL levels will be replaced with “Approved Protection Profiles” and products will be listed as “PP Compliant”. Products which implement the functionality described in the protection profile will then be evaluated in a consistent manner and against the same security threats which have been observed by the larger security community. In the event that there is no protection profile in place at the time of entering the evaluation, evaluations will be accepted up to a maximum evaluation level of EAL2, which is roughly consistent with the level of detail in the current protection profiles.

Security claims for prior Common Criteria evaluations were driven by vendor developed Security Targets and optional Protection Profiles.  While this provided vendors with greater flexibility, it also enabled opportunity for inconsistent evaluations.  Going forward products will be required to conform to a set of security claims from a mandatory protection profile.  This baseline will improve consistency across evaluations, testing laboratories and international schemes.

The Common Criteria certification of vSphere 5.1 at EAL2+ demonstrates VMware’s continued commitment to evolving standards, validation of the latest VMware platform and providing assurance to our customers.

The National Information Assurance Partnership (NIAP) developed a FAQ which provides in-depth details on the Common Criteria reform, titled “Frequently Asked Questions for NIAP/CCEVS and the Use of Common Criteria in the US (28 March 2012)”.

The FAQ below is based on specific questions and discussions at VMware:

Q: Why is vSphere being certified at EAL2?

A: As stated in the NIAP FAQ, the ability to certify at EAL4 was sunset as part of the Common Criteria reform.  When vSphere started the certification process, EAL2 was the target level for commercial software.

Q: You just stated that Common Criteria evaluations at EAL4 are no longer possible, but I searched and discovered VMware vCNS 5.1.2 on the “In-Evaluation” list at EAL4. What gives?

A: Correct. The short answer is timing and timelines. vCNS entered into evaluation while EAL4 evaluations were still being accepted. However, when vSphere entered into evaluation, certifications at EAL4 were no longer being accepted.

Q: Does certifying at EAL2+ mean that vSphere 5.1 is less secure?

A: No, absolutely not! The certification process by which vSphere 5.1 is being evaluated is changing. vSphere 5.1 remains the trusted centerpiece of the industry-leading virtualization platform for building flexible cloud infrastructures with performance and reliability to run the most demanding enterprise applications.

Q: Why didn’t vSphere 5.1 conform to a mandatory Protection Profile?

A: When vSphere 5.1 entered into evaluation, a protection profile for virtualization was not available. vSphere 5.1 will be a Security Target based evaluation. The vSphere 5.1 Security Target contains a full, comprehensive set of security claims; where applicable, portions were leveraged from existing protection profiles like General Purpose Operating System (GPOS).

Also see NIAP FAQ questions #14 & #16.

VMware was an active participant in the Tech Community that developed the foundation content for the Virtualization Protection Profile.  The Protection Profile for Virtualization is currently under development and the estimated completion date is Q3/2013.

See complete NIAP PP lists:

–       Completed:

–       In draft:

Q: Why is vSphere 5.1 being certified through Canada and not the US?

A: Common Criteria certifications up to EAL4+ are mutually recognized by all member nations. All schemes are governed and accredited by identical standards, so location isn’t important. The decision to certify through Canada was based on several business factors.

Also see the Common Criteria Recognition Agreement “Vision Statement”.

Q: Why are some products still being certified at EAL4 through other schemes?

A: While the US, Canada and most other schemes are in lock-step agreement with proposed timelines and processes for reform, some schemes decided to postpone new NIAP direction and continue to perform evaluations at EAL4 for specific country requirements.

Join the conversation:

VMware community discussion: “VMware Common Criteria Security Certification Update”


vSphere 5.0 Security Hardening Guide Released

I would like to announce the official release of the vSphere 5.0 Security Hardening Guide.  This version represents a significant step in the evolution of this guide.  Based on feedback from customers and partners, the guide was re-structured from the ground up with the following key aspects:

  • The guide is being released exclusively in spreadsheet format.  Many of you have indicated that, although the accompanying text found in previous versions of the guide is interesting, the specific steps for assessment and remediation of the recommendations are really what matters.  Since people often end up putting the guide into spreadsheet format anyway, we figured we'd save you the trouble!
  • All guidelines have the same set of metadata, and a new standardized and extensible identification scheme.  This will enable customers to more readily adapt the guide to suit their particular environment by selecting the specific guidelines and fields that are of interest to them, and also help them in the generation of standard checklists and similar documents.
  • A primary goal for this guide was to enable greater automatability.  To this end, the guide includes both assessment and remediation commands for the three main vSphere CLIs: vSphere CLI (vCLI), ESXi Shell, and PowerCLI.  References have also been added to sections of the vSphere API documentation that relate to each specific guideline. 
  • The previous recommendation levels have been replaced by a system using Profiles. This is part of the move towards putting the guide into industry-standard format, a potential benefit that will be fully realized in the future.

The Introduction tab of the guide describes the new naming scheme, structure, recommendation levels, and other aspects of the guide in more detail.  Please read this tab first before diving into the rest of the guide, as it provides important context.

The vSphere 5.0 Security Hardening Guide has been posted to the VMware Communities in the “Security and Compliance” area, in the Documents tab.  Thanks to everyone who provided feedback on the Public Draft, and also to the team at VMware who contributed to this guide in many significant ways.

Charu Chaubal
Technical Marketing, Cloud Infrastructure 

VMware vSphere v5.0 Earns Common Criteria EAL4+ Certification

On May 22, 2012, VMware vSphere 5.0 achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme.

The visibility and focus of security in IT infrastructure environments has increased significantly in recent years, motivating IT professionals to seek systems which help with the protection of their valuable data assets. Common Criteria provides a level of assurance that VMware vSphere 5.0 has achieved specific security design and implementation specifications. Common Criteria ensures security functional requirements were met through a rigorous standards-based evaluation process, which included functional and vulnerability tests in addition to reviews of VMware’s implementation and development processes. The certification process also included Flaw Remediation, which evaluates VMware’s processes for supporting vSphere 5.0 with future security and maintenance updates.

Common Criteria is an ISO (15408) standard for evaluating IT security which assures vSphere 5.0 has surpassed the required design and testing criteria. The Common Criteria certification enables a significant number of VMware’s federal, defense, state and local government sales, as well as large private sector sales. These sectors utilize standards-based IT testing methodologies as a means of further validation of IT product security. This certification validates VMware’s commitment to security, standards processes and global standards.

VMware was the first x86 virtualization vendor to complete a Common Criteria certification in 2006 and has continued the tradition of certifying each release since then.  This milestone marks the fifth iteration of completing this certification process.  As VMware continues to set the standard in virtualization and cloud computing, be sure to visit VMware’s Security Certifications web page for updates on future Common Criteria and other certifications activities at VMware.

The certification effort has had many resource touch points.  I would like to acknowledge the contributions of VMware teams, Corsec Security, and CGI for their participation in achieving this milestone.

For the most up to date listing of VMware’s certifications, visit the Security Certifications section of VMware’s web site.

Eric Betts
Certifications Manager


Using the vShield API

One of VMware's senior Cloud Security Architects, Michael Haines, has started a multi-part blog series on using the vShield API.  He has taken the approach of showing how the vShield API can be used in the daily life of a Network and Security Admin.  In his words:

In this series of blogs, the Network and Security System Administrator will get hands-on programming experience with the vShield API and learn how to consume the API in their own programs and applications. The Network and Security System Administrator does not need to be a developer, although basic programming concepts will help them understand the vShield API better.

He has already posted the Introduction, as well as Part 1 and Part 2.  To keep up with the rest of the series (and to learn more about cloud security), bookmark the VMware vCloud Blog.

vSphere 4.1 Security Hardening Guide released

VMware would like to announce the availability of the final release of the vSphere 4.1 Security Hardening Guide.  The Introduction section describes the scope, structure, recommendation levels, and other aspects of the guide in more detail.  Please read this section first before diving into the rest of the guide, as it provides important context.

Although this version of the guide can be considered as "final" and appropriate for use in production environments, we recognize that there is always room for improvement.  We will continue to welcome comments and corrections on this guide, and we will publish updated versions of the guide from time to time as feedback is accumulated.  This feedback of course will also be incorporated into the hardening guide for future releases of vSphere.

The vSphere 4.1 Security Hardening Guide has been posted to the VMware Communities in the “Security and Compliance” area, in the Documents tab.  Please provide feedback in the Comments area.

Announcing vSphere 4.1 Hardening Guide Public Draft Release

VMware would like to announce the availability of a public draft for the vSphere 4.1 Security Hardening Guide.  This guide is an incremental update to the vSphere 4.0 Security Hardening Guide based on new and changed features of vSphere.  As with the earlier guide, this guide follows a standardized structure and format, which is explained in detail in this posting.

You can find the draft at the following link:  This draft will remain posted for comments until approximately the end of February 2011.  We welcome your feedback on this draft; please provide it in the comments section for that document.


VMware vSphere v4.0 Earns Common Criteria EAL4+ Certification

On October 15, 2010, VMware vSphere 4.0 (ESX 4.0, ESXi 4.0 and vCenter Server 4.0) achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme. EAL4+ is the highest assurance level recognized globally by all certificate authorizing schemes under the Common Criteria Mutual Recognition Agreement.

Many US defense agencies such as the Army and Air Force require a Common Criteria Certification for products they use in their IT environment.  But the scope of entities looking at this certification goes beyond the military and includes state and local governments as well as the Governments of the United Kingdom and France, making it a truly international standard.

This certification path demonstrates VMware’s continued commitment to product security and global standards. With each iteration through the certification process, the Target of Evaluation (TOE) is expanded to include new virtualization technologies and capabilities from each release. Over time, features such as “Boot from SAN”, vSphere Command Line Interface (vCLI), Update Manager and Distributed Virtual Switch have been added to the certification’s coverage. Continuing to include new features expands the coverage of each certification and helps to ensure that VMware’s certification efforts meet the needs of a broad and diverse customer base and conform to meaningful, industry-relevant security claims.

VMware was the first x86 virtualization vendor to complete a Common Criteria certification, and this milestone marks the fourth time VMware has completed the Common Criteria process for ESX and Virtual Center and the 2nd time for ESXi.   The journey began with ESX 2.5 & VirtualCenter 1.2 at EAL2, progressed to Virtual Infrastructure 3 (VI3) ESX 3.0 and VirtualCenter 2.0 at EAL4+, evolved and expanded to include both ESX and ESXi 3.5 with VirtualCenter 2.5 EAL4+ and most recently vSphere 4.0, ESX/ESXi and vCenter, at EAL4+.  Of course, we're not resting there — the certification process for vSphere 4.1 is already in progress.

I’d like to take a moment to acknowledge and thank the engineering, security, IT and facility teams as well as the product and release managers for their support, input and guidance throughout the certification process.  Additionally, I’d like to thank VMware’s vendors Corsec Security, Inc. and EWA-Canada, Ltd for their respective parts of this accomplishment.

For the most up to date listing of VMware’s certification efforts, visit the Security Certifications section of VMware’s web site.

Eric Betts
Certifications Manager


Meet the Engineer: vShield

This video presents an interview with Serge Maskalik, one of the lead engineers behind the vShield product suite.  Hear his thoughts on the design and motivation behind the vShield products.


A New Generation of vShield Security Products

UPDATE: Newer URLs provided below for joining the beta

We are pleased to announce the availability of beta for two new vShield products:

  •  vShield App 1.0 dynamically protects applications within the virtual data center (vDC) from internal threats by ensuring proper segmentation and enforcing rules on business-defined Security Groups.
  •  vShield Edge 1.0 provides a set of perimeter services akin to a DMZ, protecting a customer virtual datacenter or organization and intended to be the boundary between the Service Provider (internal or public) and a tenant organization. vShield Edge also provides network services such as DHCP, VPN, NAT and load balancing.

VMware vShield App is a hypervisor-based, application-aware firewall for virtual data centers (vDCs) which runs on vSphere™ 4 hosts. vShield App protects against web-based threats and reduces the risk of policy violations within the vDC with essential security capabilities:

  • Application aware firewall with deep packet inspection
  • Flow monitoring to analyze inter-VM traffic to dynamically enforce security policies
  • Security Groups to simplify policy definition based on business needs
  • Stateful firewall: basic connection control based on source/destination IP address 

vShield App reduces the need for physical firewalls and addresses blind spots by enforcing security policies for inter-VM traffic. Once created, firewall rules accompany VMs dynamically. This change-aware protection prevents sprawl of firewall rules. The hypervisor-based firewall provides introspection of all traffic at the hypervisor layer and eliminates the need for VM connection control using host-based firewalls. This approach improves performance and provides centralized control over all inter-VM traffic. 

vShield Edge eliminates sprawl in hardware and static firewall rules, while also reducing costs and complexity. The distributed architecture drives vDC traffic to its own dedicated network security gateway eliminating performance bottlenecks. vShield Edge accelerates IT compliance and satisfies audit requirements through detailed logging of edge security events and by enabling appropriate views and controls to different administrative groups.

Both vShield App and vShield Edge are managed using vShield Manager and integrate tightly with VMware vSphere and VMware vCenter Server. 

vShield App and vShield Edge are now in a widespread public beta and may be obtained at the following URLs:

We welcome you to try out these products and provide us your feedback.

Come visit us at SANSFIRE 2010

VMware folks will be staffing a booth at the SANSFIRE 2010 event in Baltimore on June 8.  There will also be a Lunch-and-Learn sponsored by VMware on June 10.  Stop by and chat if you want to learn more about virtualization networking, security, and compliance, including the recently released vSphere 4.0 Security Hardening Guide.