SEC2284: Securing Government Virtual Environments

This session was a panel discussion with several industry experts and representatives. Panelists included Texiwill (Ed Haletky), the Catbird CTO, a VMware employee, and others. Topics of discussion included:

  • There is no ETA on a DISA STIG for vSphere 4.x or 5.0. DISA is stating that they are relying on vendors to do most of the work, such as hardening guides. So for now you are stuck with the 3.x STIGs which are ESX specific, 90% of which does not apply to ESXi.
  • The NIST 800-125 was released earlier this year and provides some high-level virtualization security guideance.
  • Horizon data center solution is the first FISMA compliant public cloud.
  • I-Assure is a professional services firm that has work with customers such as the Naval Surface Warfare (NSWC) and SPAWAR to rapidly deploy secure, template-driven, virtual datacenters and get them through the C&A process. They can provision entire datacenters in 1/4 of the time it would normally take due to their pre-built templates and established processes/procedures. They’ve even gotten Navy type accrediation for certain products. They have engineers that can STIG a Windows VM or ESXi host in less than 6 minutes using a combination of GPOs and custom scripts.
  • It is very important to put your ESXi management consoles on their separate VLAN and strictly limit access to only authorized devices.
  • Create a trustzone for administrators that access vCenter. vCenter holds the keys and must be tightly controlled.
  • Manage vCenter credentials more tightly than even domain admins or root accounts, since they truly have ALL the keys to the entire kingdom. Virtualization admins must be the most highly trusted people in your organization from both a technical and security perspective.
  • You should separate your storage admins from your virtualization administrators, so you lessen the chance of a virtualization admin going rogue and deleting all of your VMs, erasing backups, and destroying the LUNs, leaving you quite up the creek.
  • Cisco has a good whitepaper on virtualizing multi-tenancy networks you can read here.
  • VMware released updated information for their vCenter Configuration Manager that incorporates DISA STIG findings, which you can find here.
  • It was mentioned there is no one tool or set of tools that can be universally used to perform scans on a virtual environment for the C&A process. Each DAA is different in what they want to see, so you really need to work with your DAA to understand what body of knowledge they want then find the right tools to do the job.
Print Friendly, PDF & Email

Related Posts

Notify of
Inline Feedbacks
View all comments