Archive for the ‘security’ Category

Tripwire ConfigCheck Now Assesses VMware ESX 3.0

Thursday, July 24th, 2008

When Tripwire released ConfigCheck for ESX 3.5 back in June, the product was an instant success and was downloaded by tens of thousands of VMware administrators. However, the free security hardening tool, jointly developed by VMware and Tripwire, could not be used on ESX 3.0 versions. On July 21 Tripwire announced the availability of Tripwire ConfigCheck for ESX 3.0, which brings the same security assessment capabilities to the still widely deployed previous version of ESX.

I received a courtesy email about the new version from Kim Blogren of Tripwire’s Public Relations. In the email Kim explained the following about the reason for releasing the new version: (more…)

Guides for Replacing the VirtualCenter Certificate

Tuesday, July 22nd, 2008

In my post 730 Days Later - Replace The VirtualCenter Default SSL Certificate I pointed out that the SSL certificate installed by VirtualCenter expires after 2 years. I did not document how to replace the default cert, but instead I linked to VMware’s guide for readers to explore. Thank goodness Leo Raikhman has picked up where I left off on his Leo’s Ramblings Blog! Leo has created 2 great “how to” posts for replacing certificates using OpenSSL that are much easier to follow than VMware’s guide.

In the post VirtualCenter CA Configuration Leo covers replacing the default certificate with a standalone OpenSSL version that expires after 10 years. However, in his post More nonsense with VirtualCenter certificates - part 2 he provides instructions for using a domain enforced Windows Certificate Authority.

Read Leo’s posts in their entirety at the links above, but I am copying his instructions here for my personal knowledgebase. As a matter of fact, I recommend adding Leo’s RSS feed to your reader and bookmarking his site. He has been consistently creating posts relevant and helpful for virtual administrators.

(more…)

New CVSP Certification from Catbird for Virtual Security

Monday, July 21st, 2008

Catbird, makers of the V-Security solution for VMware, has announced a new virtual infrastructure security certification. The CVSP certification is designed to train individuals with skills necessary to assess virtual infrastructure for security risks and compliance. A description of the program is found in the Computer Technology Review article Catbird announces Certified Virtual Security Professional Program.

“The CVSP program is designed to enable security engineers, along with IT audit and compliance professionals, to conduct security assessments and implement virtual infrastructure security measures to maintain compliance with regulatory and internal standards. Graduates of the course will have the ability to analyze the efficacy of their existing virtual security protocols, as well as the know-how to take proactive measures to enhance their existing security.

Upon completion of the CVSP program, students are eligible to sit for the CVSP certification exam, consisting of a practice deployment and a multiple choice test. A background in VMware ESX Server 3.x, Virtual Center 2.x, Linux networking, and network security concepts is recommended for participants, as is a Certified Information Systems Security Professional (CISSP) certification.”

Catbird’s slogan, “Don’t Run Naked”, is definitely the eye-opening marketing needed to draw attention to virtual security. From the Catbird web site: (more…)

Tripwire ConfigCheck - free utility that rapidly assesses the security of VMware ESX

Thursday, June 5th, 2008

VMware and Tripwire have released a free tool that analyzes the configuration of ESX servers and compares the results against established best practices. ConfigCheck is a free utility that downloads to your desktop, where you can easily assess whether your VMware virtual infrastructure is properly configured for security. According to Tripwire’s download page the tool is available for both Windows and Linux. Tripwire ConfigCheck was developed as a no-cost introduction to the fully featured and licensed version of Tripwire Enterprise.

Both VMware and Tripwire have information about the free product on their websites. The following information from both sources provides a good summary about what the tool can do. (more…)

Virtual Security Solutions

Wednesday, May 7th, 2008

When I first started VM /ETC by live blogging from VMworld 2007 last September, I posted a few entries about what I call “ton of bricks” moments. This usually happens to me when I am talking to vendors or other engineers about virtualization technologies, strategies or designs and I learn something new that is so simple but so important that it hits me like a ton of bricks. The first such moment at VMware’s Partner Exchange 2008 happened not because of a single conversation or breakout session, but because of a collection of virtual infrastructure security discussions.

Virtual infrastructure presents some unique security challenges to administrators. Sure, virtual machines are networked servers just like physical servers, and traditional security monitoring and intrusion detection products and processes can be deployed as usual. However, consolidation of servers has changed the attack surface from physical networking to virtualized networks contained within virtualization hosts. If a hacker were to compromise one of your VMs, could your current security monitoring alert you to any suspicious activity? What if the activity never reached the core network switch or even the physical NICs of the host server, but instead was kept internal to the host by only attempting to compromise the VMs that shared the virtual switches? What if an intruder brought his own VM and started it up on one of your virtualization hosts: would you know it ever happened?

I have talked with several vendors this week that have solutions to provide visibility and monitoring of the internal virtual network activity and inter-VM communications. These solutions (more…)
