Complete Hands-On Help for Securing VMware vSphere and Virtual Infrastructure by Edward Haletky, Author of the Best Selling Book on VMware, VMware ESX Server in the Enterprise As VMware has become...
A wise person once said that "Virtualization is not a destination, but a journey". The same has also been said about IT Security. In this masterful tome, Mr. Haletky provides us with a soundly written guide book, warning us where the pitfalls are and describing to us the choices we must make on our journey down both the security & virtualization road. Specifically, this book does what any 5 star book should, and accomplishes three things well: 1) Teaches you something new; 2) Makes you think; 3) Makes you open Google to learn more. It is an awesome book, and I highly recommend it to any virtualization admin, as while the products differ, the pitfalls are the same.
The reference for securing virtual environments, in particular, VMware-based.
Published by Thriftbooks.com User, 16 years ago
In the first half of this year (2009), I was involved in extending my previous research on virtualization security, and specifically, I focused on securing and hardening VMware ESX environments. This stirred up my interest in this book. To sum up what this book is all about: "I would have loved to have this book handy back at that time, as it would have saved me tons of time." Instead, I had to read and compare multiple VMware security guides from VMware, CIS, NIST, etc., and perform extensive hands-on research on my own. The book offers a very solid and broad analysis of multiple security issues in virtual environments, covering not only the technical aspects associated with the virtualization hosts, virtual machines, and virtual data and storage networks, but also management and operational issues, availability concerns, and other common related tasks on newly deployed, or already established, virtualization setups. The first two chapters focus on security threats and attacks, a basic foundation required for the cross-references available throughout the book, which can be skipped by in-the-field security readers. The next three chapters focus on offering best practices and security recommendations for different key components of any virtualization platform, such as the hypervisor, the storage network, and virtual clusters. The next couple of chapters cover most of the security aspects that must be considered in the design, deployment and operation of a virtual environment. Although all these chapters provide very good quality security advice, it is not complemented with hands-on examples. I think this could be improved by adding more detailed sections describing step-by-step how to complete the security recommendations presented, not just what needs to be done. However, I understand it is required to cut the size of the book at some point.
A good example of how to extend this idea can be observed in chapter 6, where the integration between VMware ESX and a directory service is covered in depth. However, both the technical and operational aspects are integrated smoothly, offering a great in-depth overview. Apart from that, the whole recommended list of things to consider in order to get a more secure virtualization infrastructure is summarized in a useful set of boxes called "Security Notes" and spread all throughout the book. These boxes can be easily used as a checklist when deploying or assessing the security of virtual solutions. My favourite chapters are chapter 8, and especially 9, where virtual machine and virtual networking security are analyzed, respectively. Chapter 9 offers a whole set of networking scenarios and discusses pros and cons of the number of (physical and virtual) network cards and their configuration. A very practical and thorough work! The book ends up with three special chapters. Chapter 10 covers the new VMware virtual desktop infrastructure (VDI) and the security issues around it. Due to all the client-based attack
Offers advanced network coverage for any advanced networking IT pro
Published by Thriftbooks.com User, 16 years ago
Edward L. Haletky's VMWARE VSPHERE AND VIRTUAL INFRASTRUCTURE SECURITY: SECURING THE VIRTUAL ENVIRONMENT is for IT professionals involved in networking and offers complete hands-on help for securing VMware vSphere and Virtual Infrastructure. From considering attacker perspectives and security threats to learning how to secure deployment and management of virtual machines, this offers advanced network coverage for any advanced networking IT pro.
Excellent VMware reference
Published by Thriftbooks.com User, 16 years ago
Wow, I was ready for this book. Really, really, really ready! Virtual environments are springing up everywhere and knowing just what to secure within them has been a challenge to identify. This book not only addresses VMware alone, though, it takes a look at issues with securing the entire environment that interrelates with the VMware components and walks you through securing these as well. Anyone running or considering implementing VMware in their environment should read this book and follow its instruction. For example, I found the chapter on storage security helpful in that you don't typically see such in-depth coverage of the various components of storage in relation to how they can be a problem with virtual environments. The issues mentioned here not only relate to virtual security, but can also apply to storage security in general. The author is excellent at covering items that you may not normally see addressed when looking at types of attacks in the virtual world. The book overall is organized in such a fashion that it can really stand on its own as a security tool for these environments, providing useful guidance in the first several chapters to help establish a baseline understanding of items such as security at a 10,000 foot view and the different types of attacks that can occur. At the back of the book, there are three appendices with additional information on security hardening scripts, Tripwire recommended configuration and additional links with suggested reading should you want to dive into related topics more deeply. Other useful features of the book include the occasional 'tip', either on implementing your virtual environment or on specific security topics, sprinkled throughout the book. Furthermore, there are many useful diagrams that help support the explanation of the complex concepts. On a scale of 1-5, I would most certainly give this book a 5.
detailed description of vSphere
Published by Thriftbooks.com User, 16 years ago
When reading this, keep in mind that this does not describe all types of Virtual Memory machines. It talks in detail about the dominant market player, VMware, but alternatives do exist. The book is directed at a system administrator responsible for installing and running instances of VMware vSphere. There is an emphasis here on protecting your [virtual] machines from attackers. One tip is to isolate storage devices from all other networks. In practice this amounts to making sure that someone on the Internet cannot directly access them. NFS is mentioned. Easy to set up, but of all the storage types, it is the least safe. It uses plain text messages in its protocol, and its authorisation steps use the IP address, which is easily spoofed. The book suggests putting NFS machines on their own set of switches, to isolate from other traffic. Or, better yet, run NFS over SSH as a stronger alternative. By the way, these aspects of NFS are not restricted to VM usage. Conventional operating systems using NFS can run into the same problems. VMotion is nifty. It lets you move a VM from one node [physical machine] to another without rebooting that VM. Which greatly improves flexibility in management. This is analogous to the use of logical storage that hides details of physical storage. But far trickier to implement. Longstanding good practices are mentioned that are not just for virtual machines. Like never logging in directly as root. Instead, log in as a regular user and then su to root, so that the logfile can record the user. VMFS does have a limitation of 32k of [number of] files. This is one pitfall if you extensively stuff data into a VM. The most interesting comment in the book was how it is not possible to prevent a user from knowing that she is running in a VM. This appears to be a fundamental constraint of VMware. Granted, there are all sorts of hardware related issues that might have made this convenient.
But maybe other virtual memory implementations are able to conceal this from the user to a greater extent?