Educause Security Discussion mailing list archives
Re: Virtualization and Security ?
From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Tue, 11 Nov 2008 09:05:50 -0600
For VMware ESX 3.0 and 3.5, Tripwire has a free utility called "Tripwire ConfigCheck" which you can download and run against your VMware ESX servers. Based on the VMware Infrastructure 3 Security Hardening guidelines, it will run a check and give you a pass/fail. There's also a PDF that can be downloaded which gives suggested remediation options.

Here's the URL: http://www.tripwire.com/configcheck/

The one downside is you can't save the results (or at least I haven't found a good way to; if you find a way to save the results, let me know).

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Tuesday, November 11, 2008 8:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?

And while you're thinking about what Randy said, you may also want to carefully consider what applications you are mixing on the host - it may be obvious, but putting the backup server as a second virtual machine on the same host is counterproductive :-) That one is fairly simple, but there are much more subtle combinations that will prove to be a problem.

One thing that we ran into was that the administrator of the hosting system should be able to shut down each virtual machine separately - we had one virtual machine compromised over a weekend and the only person available was the admin of the host - so, the whole system was shut down until we could dig up the admin of the bad virtual host.

What these virtual machines save in hardware cost, they mostly make up in people and time :-)

My 2 cents

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Tuesday, November 11, 2008 9:12 AM -0500 randy marchany <marchany () VT EDU> wrote:
One thing to remember about virtualization is that ALL of your virtual machines now depend on the security of the host machine. This makes system maintenance (patches, new tools, etc.) on the HOST system more difficult because of scheduling issues with the services provided by the VM systems running on the host. So, you need to carefully consider WHAT services are to be run on a host so that you can do maintenance on the host system on a regular schedule. Since the host system now becomes the target, its security is paramount.

-Randy Marchany
VA Tech IT Security Office

On Tue, Nov 11, 2008 at 7:37 AM, Rappaport,Jason <jbr32 () drexel edu> wrote:
Anand - all of our core infrastructure is virtualized (web servers, database servers, license servers, etc). We went with VMware and attended several VMware User Group meetings before we went full steam with this project. VMware does have a free version of its product VMware Server that is nearly identical to VI3 (at least the current version is); with the exception of performance.

In regards to security, we have locked down and restricted all access to our virtualization server to on campus access only. The virtual machines that sit on top of VI3 are all secured using traditional methodologies (firewall, anti virus, anti spyware, etc.).

Each virtual machine does daily backups to a NAS device that is replicated nightly. In the event of a DR scenario, we have a backup virtualization server (VMware Server) that we can bring online and restore from the latest backups. We actually had to do this once when we patched VI3 and it corrupted the boot partition. I had the backup virtualization server started within minutes and it took me 90 minutes to restore from the latest backups on all VMs; the support contract is well worth it.

I am actually working on a project to phase our VMware server and go with VMware ESXi, which is VMware's free product that runs on bare metal; VMware Server runs on top of Linux or Windows.

I hope that helps.

Thanks,
Jay

__________________________________
Jay Rappaport
jasonrap () drexel edu
215.895.1680 office
215.895.6447 fax
Systems Administrator
Design & Imaging Studios
Antoinette Westphal College of Media Arts and Design
Drexel University
http://drexel.edu/westphal

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand Malwade
Sent: Monday, November 10, 2008 5:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Virtualization and Security ?

Folks,

We are looking into Data Center Consolidation and plan to virtualize most of our servers. Now Virtualization can yield significant operational advantages, but also introduces among others network, security complexity and management challenges.

My question to the forum is

a) Is anyone fully virtualized ? If so was a Vendor hired to perform this function and are there any lessons learnt that I should be aware of with the deployment?

b) Has anyone run into significant Security and Risk Issues.

Thanks,
Anand

Anand Malwade
Information Security Officer,
Seton Hall University,
Tel: 973 275 2209
malwadan () shu edu