Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Virtualization and Security ?
From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Tue, 11 Nov 2008 11:15:49 -0500

There is another one I found last week while in VMware training.

http://compliancechecker.configuresoft.com/

I have not had time to test it but it tests your ESX install against the guidelines from VMware.


I would suggest getting virtualization training well in advance of buying hardware and software so you can make more 
informed decisions of how everything will fit into your environment.


steve

Stephen W. Bradley GCIH CISSP SSCP

Network Security Specialist

Miami University

Security Engineering

Computing & Communication Services

513-529-8129

bradlesw () muohio edu



"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
    Benjamin Franklin, Historical Review of Pennsylvania, 1759
http://www.fairtax.org

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Youngquist, Jason R.
Sent: Tuesday, November 11, 2008 10:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?

For VMware ESX 3.0 and 3.5, Tripwire has a free utility called "Tripwire
ConfigCheck" which you can download and run against your VMware ESX
servers.  Based on the VMware Infrastructure 3 Security Hardening
guidelines, it will run a check and give you a pass/fail.  There's also
PDF that can be downloaded which gives suggested remediation options.

Here's the URL:
http://www.tripwire.com/configcheck/

The one downside, is you can't save the results (or at least I haven't
found a good way to, if you find a way to save the results let me know).

Thanks.
Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Tuesday, November 11, 2008 8:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?

And while your thinking about what Randy said, you may also want to
carefully consider what applications you are mixing on the host - it may
be obvious, but
putting the backup server as a second virtual machine on the same host
is counter productive :-)

That one is fairly simple, but there are much more subtle combinations
that will prove to be a problem.

One thing that we ran into was that the administrator of the hosting
system should be able to shut down each virtual machine separately - we
had one virtual
machine compromised over a weekend and the only person available was the
admin of the host - so, the whole system was shut down until we could
dig up the admin
of the bad virtual host.

What these virtual machines save in hardware cost, they mostly make up
in people and time :-)

My 2 cents
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Tuesday, November 11, 2008 9:12 AM -0500 randy marchany
<marchany () VT EDU> wrote:

One thing to remember about virtualization is that ALL of your virtual
machines now depend on the security of the host machine. This makes
system maintenance (patches, new tools, etc.) on the HOST system more
difficult because of scheduling issues with the services provided by
the VM systems running on the host.  So, you need to carefully
consider WHAT services are to be run on a host so that you can do
maintenance on the host system on a regular schedule.

Since the host system now becomes the target, its security is
paramount.

-Randy Marchany
VA Tech IT Security Office

On Tue, Nov 11, 2008 at 7:37 AM, Rappaport,Jason <jbr32 () drexel edu>
wrote:
Anand - all of our core infrastructure is virtualized (web servers,
database
servers, license servers, etc). We went with VmWare and attended
several
Vmware User Group meetings before we went full steam with this
project.
VmWare does have a free version of its product VmWare server that is
nearly
identical to VI3 (at least the current version is); with the
exception of
performance.

In regards to security, we have locked down and restricted all access
to our
virtualization server to on campus access only.  The virtual machines
that
sit on top of VI3 are all secured using traditional methodologies
(firewall,
anti virus, anti spyware, etc.).

Each virtual machine does daily backups to a NAS device that is
replicated
nightly.

In the event of a DR scenario, we have a backup virtualization server
(VmWare Server) that we can bring online and restore form the latest
backups.  We actually had to do this once when we patched VI3 and it
corrupted the boot partition.  I had the backup virtualization server
started within minutes and it took me 90 minutes to restore from the
latest
backups on all VMs; the support contract is well worth it.

I am actually working on a project to phase our VmWare server and go
with
Vmware ESXi, which is Vmware's free product that runs on bare metal;
Vmware
Server runs on top of Linux or Windows.

I hope that helps.

Thanks, Jay


__________________________________
Jay Rappaport
jasonrap () drexel edu
215.895.1680 office
215.895.6447 fax
Systems Administrator
Design & Imaging Studios
Antoinette Westphal College of Media Arts and Design
Drexel University
http://drexel.edu/westphal


________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand Malwade
Sent: Monday, November 10, 2008 5:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Virtualization and Security ?


Folks,

We are looking into Data Center Consolidation and plan to virtualize
most of
our servers. Now Virtualization can yield sigificant operational
advantages,
but  also introduces among others network, security complexity and
management challenges.

My question to the forum is

a) Is anyone fully virtualized ?  If so was a Vendor hired to perform
this
function and are there any lessons learnt  that i should be aware of
with
the deployment?

b) Has anyone run into significant Security and Risk Issues.


Thanks,
Anand


Anand Malwade
Information Security Officer,
Seton Hall University,
Tel: 973 275 2209
malwadan () shu edu






Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault