VMworld 2012: VMware vSphere Hardening to achieve regulatory compliance INF-SEC1840

This was a panel discussion going over the history of the vSphere hardening guides, their current state, some common issues, and the future direction for ensuring compliance with regulations such as HIPAA, PCI, DoD STIGs, etc. The upshot is that VMware really listened to customers with their vSphere 5.0 hardening guide, and it is now in a spreadsheet format. Their Configuration Manager product can also scan your environment against the hardening guides and provide a comprehensive report. Next year Configuration Manager will have additional security scanning enhancements.

  • History of the vSphere Hardening Guide
    • Security best practices document, mostly a Linux security best practices guide since the console operating system had the most security concerns. ~2008
    • vSphere 4.0 Hardening Guide – Guidelines organized into formal sections and tabular format. ~2010
      • PDF format was hard to cut and paste from, and limited mitigation and verification information. Categorization not standardized.
    • vSphere 5.0 Hardening Guide
      • Excel spreadsheet format only
      • Better organized
      • Categorized by component (VM, vSphere, ESXi, etc.)
      • Added PowerCLI and CLI automation steps
      • William Lam script
  • SCAP – Security Content Automation Protocol
  • vSphere 5 XCCDF was created – Available soon
    • Allows tools to automate the scanning of a vSphere environment and report back
  • XCCDF can present human readable text for manual remediation steps
  • Future: VMware Configuration Manager will possibly do SCAP scans
  • Security Hardening: The Past
    • Not timely, different output formats, not always automated, homebrew scripts
  • Security Hardening: The Present
    • OVAL – Open Vulnerability Assessment Language
    • Community driven, supported definitions
    • Supports multiple platforms: Windows, Ubuntu, Solaris, RHEL
    • OVAL strengths: Unified format, scoring, wide adoption, more timely, extensible
    • OVAL weaknesses: Host based, not cloud ready, default vulnerability scanning
  • VMware vCenter Configuration Manager
    • SCAP 1.0 validated
    • Speaks XCCDF, OVAL
    • Assess OS Patch Status
    • Unified Reporting of results
    • SCAP 1.2 in progress
    • Provides auditing and remediation
    • VCM in 2013 will provide much more robust support
    • Supports Windows hardening checks
  • Draft vSphere 5.0 (not 5.1) DISA STIG maybe out by the end of the year.
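As an added illustration (not code from the session, VMware, or the hardening guide), here is how a tool might consume XCCDF content like the vSphere 5 benchmark mentioned above: it walks each Rule, records whether an OVAL definition automates the check, and renders the fixtext for manual remediation. The embedded benchmark is constructed for this example; its rule ids, titles and OVAL ids are placeholders, and the XCCDF 1.1 namespace is the one SCAP 1.0 content uses.

```python
"""Pull scan-relevant data out of an XCCDF benchmark: each Rule, the OVAL
definition (if any) that automates its check, and the human-readable fixtext
used for manual remediation. The sample benchmark is CONSTRUCTED and is not
VMware's vSphere 5 XCCDF content."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"          # XCCDF 1.1 (SCAP 1.0)
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF}

# Constructed sample: one rule backed by an OVAL check, one manual-only rule.
SAMPLE_BENCHMARK = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF}" id="constructed-vsphere-benchmark">
  <title>Constructed vSphere hardening benchmark (placeholder content)</title>
  <Group id="esxi">
    <Rule id="example-esxi-rule-1" severity="high">
      <title>Placeholder ESXi host setting (automated check)</title>
      <fixtext>Apply the setting on each ESXi host per the hardening guide row.</fixtext>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="constructed-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="example-esxi-rule-2" severity="medium">
      <title>Placeholder procedural control (no automated check)</title>
      <fixtext>Review the host configuration manually and document the result.</fixtext>
    </Rule>
  </Group>
</Benchmark>"""


def parse_rules(xml_text):
    """Return one dict per Rule: id, severity, title, fixtext, automation info."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        check = rule.find("x:check", NS)
        ref = check.find("x:check-content-ref", NS) if check is not None else None
        rules.append({
            "id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
            "fixtext": rule.findtext("x:fixtext", default="", namespaces=NS).strip(),
            # Only a check whose system is OVAL can be run by a SCAP scanner.
            "automated": check is not None and check.get("system") == OVAL_SYSTEM,
            "oval_id": ref.get("name") if ref is not None else None,
        })
    return rules


def remediation_report(rules):
    """Human-readable remediation list, one entry per rule, as a single string."""
    lines = []
    for r in rules:
        how = f"OVAL {r['oval_id']}" if r["automated"] else "MANUAL CHECK"
        lines.append(f"[{r['severity']}] {r['id']} ({how}): {r['title']}\n    fix: {r['fixtext']}")
    return "\n".join(lines)
```

Rules without an OVAL-backed check are flagged MANUAL CHECK so they are not silently skipped by an automated scan.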