VMware Cloud Community
gourav
Contributor

Security concerns of Hosting DMZ port group on the same vswitch with all the Production VM port groups

Have there been any security concerns raised about hosting a DMZ port group on the same vSwitch with all the production VM port groups? Are you aware of any hacks? Could you post the links if you have seen either way?

Thanks much!

Accepted Solutions
Texiwill
Leadership

Hello,

Check out http://communities.vmware.com/thread/144979?tstart=0 for a good discussion on this. As for putting DMZ and production on the same vSwitch. That depends on how much risk you care to take on.... If you are not able to use VLANs (Portgroups) do not bother. You will need VLANs in order to do this without all the data being sniffable by either network. But if you are using VLANs, then the current protections in the vSwitch seem to handle double encapsulation attacks, STP attacks, and a few others.

However, there are new attacks every day and this is an area of current investigation by the black hat and other hacker types.

There are no protections within the vSwitch that would prevent an administrator or anyone else who has the rights within VC, the host, or the VIC to move a VM from the production network to the DMZ and vice versa. There are no protections that would prevent a VM from straddling both networks and thereby possibly being able to see all traffic on both sides. This can be done accidentally or purposefully and could create some havoc.

In general due to these issues, it is best to place a DMZ network on its own set of hosts, but if that is not feasible you will have to increase your vigilance within your environment. There are currently no tools that will tell you that something has moved from vSwitch to vSwitch or that something untoward has happened.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

20 Replies
howardcat
Contributor

Note to all Security-minded folks:

There are, in fact, solutions available today for these specific concerns.

If I may, with all due respect, offer my opinions, viewpoints and rantings...

I would also like to start by mentioning I have been watching these forums for quite some time, and have the greatest respect for Edward and his domain expertise. In fact, he may remember speaking with me while he was still trying to finish his book, and unfortunately, we have as yet been unable to reconnect. (Edward, get back in touch! :)

Ok, now in regard to Edward's recent comments:

"However, there are new attacks every day and this is an area of current investigation by the black hat and other hacker types."

As well as the white hats. Several dozen vendors are now trying to position themselves in the "virtsec" space. (I hate that name...) One of them, Catbird, I helped launch. The Catbird team is continuously and vigilantly investigating, confirming and working to mitigate many of these emerging threats.

"There are no protections within the vSwitch that would prevent an administrator or anyone else who has the rights within VC, the host, or the VIC to move a VM from the production network to the DMZ and visa versa. "

This, sadly, is incredibly true today. If you are the "VMware Admin", you are essentially "root" and king of the hill. In traditional security parlance, the "dual controls" built into the physical world network security policy have not yet been extended into the virtual infrastructure. Remember in the old days, when standing up a server involved things like A) Business Requirements Document/Request, B) Budget Approval, C) Purchasing Process, D) Accounting/Cost Center Process, E) Receiving Process, F) Asset Tagging Process, G) Facilities/Delivery/Handoff Process, and finally, 3 weeks later, getting access to the system in your lab! And in the trail of all that process, regulatory compliance and other risk related items, like HIPAA (Healthcare), SOX (Finance/Banking), etc., are usually satisfied.

But what about your virtual infrastructure?

As Edward mentions, the VMware admin can do what they choose, with "virtually" no oversight (sorry...:-) And yes, this is by design, to make it easy to do all the things you need from a "single pane of glass". But there is a flaw in that plan, and dual controls is merely the beginning. The fact that a vSwitch has no "onboard" ability to monitor or manage for this is quite true. As I will mention further down, Catbird's V-Agent can keep an eye on every vSwitch, for precisely these and other types of risk.

"THere are no protections that would prevent a VM from straddling both networks and thereby possibly being able to see all traffic on both sides. This can be done accidentally or purposefully and could create some havoc."

Again, Edward is dead on. Except for the fact that he has not yet had a chance to be briefed on Catbird's V-Agent(TM) and V-Security(TM)! The Catbird Network Access Control (NAC) monitor can be configured with an "allowed hosts" baseline, for each vSwitch. Should there be any delta on any vSwitch, regarding new MAC or IP addresses, the NAC monitor would instantly detect and report the event. In addition, it can be configured to completely block or quarantine one or all network interfaces into and out of that VM. And for good measure, why not run a Nessus all-port vulnerability scan? This all works today, and gets the job done right.

"In general due to these issues, it is best to place a DMZ network on its own set of hosts, but if that is not feasible you will have to increase your vigilance within your environment. "

In conclusion, I have to again agree. But how do you perform that "vigilance" if your virtual environment includes hundreds or thousands of VMs? Can you say "VDI"? :) You need sophisticated automation, fully configurable, and extremely easy to use.

"THere are currently no tools that will tell you that something has moved from vSwitch to vSwitch or that something untoward has happened."

Ok, here is where I cordially invite Edward, and the entire VMware Security and Compliance community, to contact Catbird and learn more.

Our CTO, Michael Berman, posts here on occasion, and certainly reads the entire thread. Please introduce yourself, and allow Catbird to accelerate your production deployment today!

Thanks for indulging the blatant product plugs and positioning. The fact is, it is all true, and I sincerely hope we can help raise the bar in best practice for virtual security.

Regards,

Howard Fried

Certified Virtual Security Professional (CVSP)

Executive Advisor, Catbird V-Security

www.catbird.com
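The two detection problems raised in this thread, Edward's point that nothing in the vSwitch flags a VM that has been moved between the production and DMZ port groups or that straddles both, and Howard's description of a per-vSwitch "allowed hosts" baseline that reports any new MAC, can be scripted as a drift audit over an exported inventory. The Python below is an added example and is not code from either poster, from Catbird, or from VMware. It assumes a constructed inventory in the shape a PowerCLI or pyvmomi export would give you (port groups with their vSwitch, VLAN and promiscuous-mode policy; one record per virtual NIC), hypothetical port-group names and MAC addresses, and a `zone` tag ("dmz"/"prod") that the administrator maintains for each port group.

```python
"""Baseline-drift audit for VM NICs and port groups on a shared vSwitch.

All inventory data here is constructed for illustration. In practice the
PORTGROUPS/CURRENT lists would be filled from a PowerCLI or pyvmomi export
and BASELINE captured when the layout was last approved.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int          # 0 = untagged on a standard vSwitch
    zone: str          # "dmz" or "prod": administrator-maintained tag (assumption)
    promiscuous: bool  # security policy "Promiscuous Mode" set to Accept


@dataclass(frozen=True)
class Nic:
    vm: str
    mac: str
    portgroup: str


# Constructed: one vSwitch carrying both zones, as in the original question.
PORTGROUPS = [
    PortGroup("PG-Prod-App", "vSwitch1", 100, "prod", False),
    PortGroup("PG-Prod-DB", "vSwitch1", 110, "prod", False),
    PortGroup("PG-DMZ-Web", "vSwitch1", 200, "dmz", False),
    PortGroup("PG-DMZ-Mon", "vSwitch1", 0, "dmz", True),  # untagged and promiscuous
]

# Constructed baseline: (vm, mac) -> approved port group.
BASELINE = {
    ("web01", "00:50:56:aa:00:01"): "PG-DMZ-Web",
    ("app01", "00:50:56:aa:00:02"): "PG-Prod-App",
    ("db01", "00:50:56:aa:00:03"): "PG-Prod-DB",
    ("old02", "00:50:56:aa:00:04"): "PG-Prod-App",  # no longer present
}

# Constructed current state as the hosts report it.
CURRENT = [
    Nic("web01", "00:50:56:aa:00:01", "PG-DMZ-Web"),
    Nic("app01", "00:50:56:aa:00:02", "PG-DMZ-Web"),   # moved prod -> dmz
    Nic("db01", "00:50:56:aa:00:03", "PG-Prod-DB"),
    Nic("db01", "00:50:56:aa:00:99", "PG-DMZ-Web"),    # second NIC straddles zones
    Nic("tmp07", "00:50:56:aa:00:42", "PG-Prod-App"),  # VM not in baseline
]

SEVERITY = {"high": 0, "medium": 1, "low": 2}


def audit(portgroups, baseline, current):
    """Return (severity, message) findings, highest severity first."""
    pg = {p.name: p for p in portgroups}
    findings = []

    # 1. A vSwitch that carries more than one zone depends on VLAN tags for
    #    separation: every port group on it must be tagged and none may accept
    #    promiscuous mode, or one side can see the other's traffic.
    zones_on = {}
    for p in portgroups:
        zones_on.setdefault(p.vswitch, set()).add(p.zone)
    mixed = {v for v, zones in zones_on.items() if len(zones) > 1}
    for p in portgroups:
        if p.vswitch in mixed and p.vlan == 0:
            findings.append(("high", f"{p.name} on mixed {p.vswitch} is untagged (VLAN 0)"))
        if p.vswitch in mixed and p.promiscuous:
            findings.append(("high", f"{p.name} on mixed {p.vswitch} accepts promiscuous mode"))

    # 2. Compare each current NIC with the approved baseline ("allowed hosts").
    zones_by_vm = {}
    for nic in current:
        if nic.portgroup not in pg:
            findings.append(("medium", f"{nic.vm} {nic.mac} is on unknown port group {nic.portgroup}"))
            continue
        zones_by_vm.setdefault(nic.vm, set()).add(pg[nic.portgroup].zone)
        key = (nic.vm, nic.mac)
        if key not in baseline:
            findings.append(("medium", f"{nic.vm} {nic.mac} not in baseline, seen on {nic.portgroup}"))
        elif baseline[key] != nic.portgroup:
            old = pg.get(baseline[key])
            crossed = old is None or old.zone != pg[nic.portgroup].zone
            findings.append(("high" if crossed else "low",
                             f"{nic.vm} {nic.mac} moved {baseline[key]} -> {nic.portgroup}"))

    # 3. NICs in the baseline that have vanished are drift too (removed or re-MACed).
    seen = {(n.vm, n.mac) for n in current}
    for (vm, mac), old_pg in baseline.items():
        if (vm, mac) not in seen:
            findings.append(("low", f"{vm} {mac} from baseline missing (was on {old_pg})"))

    # 4. A VM with NICs in more than one zone straddles the networks.
    for vm, zones in zones_by_vm.items():
        if len(zones) > 1:
            findings.append(("high", f"{vm} straddles zones {sorted(zones)}"))

    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


def audit_sample():
    """Run the audit over the constructed inventory above."""
    return audit(PORTGROUPS, BASELINE, CURRENT)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity:6}] {message}")
```

Run on a schedule (or from a task triggered on the vCenter reconfigure events), the findings are what an administrator would otherwise only notice by inspecting each VM's network settings by hand; a "high" move or straddle finding is the case Edward describes, and the "medium" new-MAC finding is the delta Howard's baseline reports.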

Ken_Cline
Champion

Howard,

Thanks for your explanation of Catbird, glad to hear that tools are improving. I do have one question for you...you've labeled yourself a "Certified Virtual Security Professional" - who is the certifying authority and what are the requirements for this certification? Google doesn't seem to know anything about it.

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
Ehron
Contributor

Howardcat, how does VDI relate to your reference to the need for "sophisticated automation, fully configurable, and extremely easy to use..."? Are you referring to Virtual Desktop Infrastructure?

Gourav, you may want to refer to the following document for information on general security practices within VMware:

www.vmware.com/pdf/vi3_security_architecture_wp.pdf

Administrative risks aside you could use VLAN tagging to segregate the traffic within the vswitch. A better alternative would be to have separate pNICs. I haven't come across anything stating that vswitches are more or less vulnerable to VLAN hopping than their physical counterparts.

howardcat
Contributor

Yes, VDI = Virtual Desktop Infrastructure = larger number of VMs = more automation required

-Howard

Texiwill
Leadership

Hello,

Security should be designed into your infrastructure from the beginning. Too many people bolt it on at the end. It is also important to realize that 70% of all attacks come from inside and NOT outside.... This is the disgruntled employee, an employee being malicious, or a pure accidental action. In order to safeguard against those you need to be ever vigilant. Catbird V-Security is one option to help with this, but there are others as well. Each addresses a specific security concern and there is not one that addresses them all yet. However, some of these tools add yet another risk to your system. You should fully understand the potential risks before using any piece of software.

There is also the need to assess the security of your virtual infrastructure and so far there is no comprehensive test for that as well. There are several guides available either in draft stages or out and used: The first is from VMware; the second is the DISA guide which is not publicly available yet; the last is from CISsecurity.

From what I have seen they are all based on the concept that you must secure your Service Console more than anything else. The VMware one has several items that are troublesome to me but does contain the first assessment with more than the Service Console.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
JDLangdon
Expert

Hello,

From what I have seen they are all based on the concept that you must secure your Service Console more than anything else. The VMware one has several items that are troublesome to me but does contain the first assessment with more than the Service Console.

Ed,

I'm interested in knowing what VMware items are troublesome to you and why. Would you mind taking the time to explain, briefly, what your concerns are?

Jason

azn2kew
Champion

Howard,

You should have Catbird be the authority to provide Virtual Security Training and "Catbird Certified VirtSec Professional" certification and if the modules are good and beneficial, I would like to be the first one to register for it. Security in virtualization is fairly new and it would be great to have some expert vendors have official training, or from VMware Inc. as well.

Edward, you might want to come up with your own security certification; that would be nice because you seem to know the arena of security and compliance very well. Do you currently teach security online? If so, please message me offline; I'd like to register if the modules are beneficial.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
JDLangdon
Expert

You should have Catbird be the authority to provide Virtual Security Training and "Catbird Certified VirtSec Professional" certification and if the modules are good and beneficial, I would like to be the first one to register for it. Security in virtualization is fairly new and it would be great to have some expertise vendors have official training or neither from VMware Inc. as well.

From within a virtualized environment, how is security any different? You still have various OSes that interact with each other on various levels. If anything, VMware should come out with a Security designation centered around COS security and VMware proprietary functionality.

howardcat
Contributor

Stefan:

I think I posted that credential a "bit" early...please bear with me, and I promise to provide full details soon!

Best,

Howard

howardcat
Contributor

Jason:

Good question!

"From within a virtualized environment, how is security any different?"

This recent quote from our CTO gives a good high level summary. You may be curious to read the release itself, which talks about a healthcare case study (HIPAA Compliance issues...):

“While virtualization platforms are safe, it’s really easy to inadvertently bypass the traditional control mechanisms and best-practices common to all physical corporate data centers,” said Catbird CTO, Michael Berman. “Virtual machine deployment is as simple as a single click from a single person. Combine that with an ad-hoc approach to network segmentation and the inadequacies of physical security devices in the virtual world, and now you have potentially serious compliance and security holes..."

Full Text available at:

Catbird Offers Industry’s First-Ever Comprehensive Virtual Security Assessment

SCOTTS VALLEY, CA (June 2, 2008)

http://www2.catbird.com/pdf/releases/catbird.virtual.security.assessment.release.pdf

Regards,

Howard

<stepping up on soapbox>

PS Regarding vendor provided security, the more the better...to a point. If you don't allow for a 3rd party security vendor ecosystem, you run the risk of having another "Cathedral and the Bazaar" situation. One or two giant virtualization vendors can't "figure it all out" by themselves. The ideal is to have both platform protections built-in, and the opportunity for more advanced and or dynamic capabilities.

<stepping down>

JDLangdon
Expert

<stepping up on soapbox>

PS Regarding vendor provided security, the more the better...to a point. If you don't allow for a 3rd party security vendor ecosystem, you run the risk of having another "Cathedral and the Bazaar" situation. One or two giant virtualization vendors can't "figure it all out" by themselves. The ideal is to have both platform protections built-in, and the opportunity for more advanced and or dynamic capabilities.

<stepping down>

If you are referring to my comment concerning VMware and having them initiate a security certification then I disagree to a point. If the certification is meant to be vendor specific then it should come from the vendor. On the other hand, there is already a vendor neutral security certification (Security+). It would make more sense to expand the existing certification to encompass virtualization than it would to create a new certification.

Now if you'll excuse me, I have some reading to do. :)

Texiwill
Leadership

Hello Jason,

Well about Security certifications, this depends on a whole slew of things. If CISSP included virtualization as its body of knowledge that would be great, but there are several very good certifications that already exist.... CISSP, GIAC, CCE, etc. RedHat also has a very good one, etc. Some even cover Virtualization. If one of them wished to talk to me about helping with virtualization security certs, that is a different question.

As for what I do not like about the current 'Security' Guides out there, it is that they are all about the hardening of the SC and maybe 1 thing about virtualization. One even goes so far as to state that a centralized password server is more secure than not having one. Well I have seen both and that is really a matter of opinion.... It is easily defined within a Security Policy but how can that apply to ESXi? Again it's a matter of opinion. But just checking to see if a vSwitch allows promiscuous mode is NOT enough of a check on the virtual infrastructure. There is quite a bit more going on than that within a VMware ESX host, and what about the VMs?

Virtualization in itself does not increase security, it does increase uptime and mitigates hardware issues (yes they are a part of security per CISSP) but that does not really do it for me when it comes to security of the virtual infrastructure that I define as much more than just VMware ESX.

Currently a virtualization server is treated as a black box by security folks, and that is also a security issue as they truly do not understand how things work. Virtualization Security is more than just the network, the host, the VMs. It is more than traditional security as well. You need specialized monitoring, and assessment tools, and even more diligence than before.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TomHowarth
Leadership

Is that by any chance your answer to Ken's question?

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
Ken_Cline
Champion

I think I posted that credential a "bit" early...please bear with me, and I promise to provide full details soon!

Please do...

Ken Cline

Technical Director, Virtualization

Wells Landers

VMware Communities User Moderator

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
howardcat
Contributor

Ken:

Sorry for the delayed reply...some technical, er, um, timing issues...

We have announced the CVSP Program, please see here for more details:

Catbird's Press Release:

http://www2.catbird.com/pdf/releases/Catbird_Virtual_Security_Professional.pdf (Requires Adobe Reader)

InformationWeek article:

http://www.informationweek.com/blog/main/archives/2008/07/any_certified_v.htm

Any Certified Virtual Security Professionals Out There? (Jul 2, 2008 09:43 PM)

For course schedule, locations and fees, please have a look at the release.

Regards,

Howard (CVSP... :)

howardcat
Contributor

Ken:

Sorry for the delayed reply!

The CVSP (Certified Virtual Security Professional) Program has just been publicly announced.

Please see the press release here: http://www2.catbird.com/pdf/releases/Catbird_Virtual_Security_Professional.pdf

Plain text included below.

Here is a recent article mentioning the program:

http://www.informationweek.com/blog/main/archives/2008/07/any_certified_v.html

Thanks for your interest!

Regards,

Howard

Howard Fried (CVSP)

Executive Advisor, Catbird V-Security

www.catbird.com

FULL TEXT

==========

PRESS CONTACT

Tony Keller

SS|PR

719-634-8279

tkeller@sspr.com

Catbird Launches Industry's First-Ever Virtual Security Training & Certification Program

Certified Virtual Security Professional Program Fills Gap in Critical New Field of Virtualization Security and Compliance

SCOTTS VALLEY, CA (July 14, 2008) - Catbird, the pioneer in comprehensive security for virtual and physical networks and developer of the V-Agent™ virtual appliance, today announced the Certified Virtual Security Professional™ (CVSP) Program, the industry's first professional training and certification program for virtual security. The CVSP program provides IT professionals with in-depth knowledge and tools required for best-practice implementation of security in a virtual environment.

The CVSP curriculum encompasses emerging industry standards and guidelines, including requirements established by government agencies and virtualization platform vendors, as well as seasoned real world experience from Catbird consultants in the field. Course topics include migration of existing physical best practices to virtual infrastructure, virtual security implementation architecture, compliance solutions to ensure separation of duties, secondary controls and change controls within a virtual context, virtual network configuration and management. CVSP graduates will be fully-trained in guiding their customers' or their own virtualization security strategies.

"Virtualization security is a critical requirement in the planning and deployment of production-ready virtualized environments, but IT professionals have had to scramble to figure this stuff out on their own," noted Michael Berman, CTO of Catbird. "Catbird's CVSP provides the training and certification IT professionals need to come up to speed quickly."

The two-part program includes one full day of coursework, supplemented by a second day of hands-on lab work and Q&A time. Completion of the one-day course gives trainees introductory, actionable information. Students in the two-day course graduate with an advanced understanding of the myriad of security and compliance issues surrounding virtualization security with hands-on training on avoidance and mitigation. The CVSP course is delivered by authorized training centers.

"It's about time that expert training in virtual security would be available to security engineers in a professional setting," commented Dusty Wince, CEO of Catbird training partner Knowledge Consulting Group. "Our CVSP-certified engineers have all been extremely satisfied by what they have learned and can apply within the virtual environment on clients' sites. This is a growing need that Catbird has wisely filled."

The CVSP program is designed to enable security engineers, along with IT audit and compliance professionals, to conduct security assessments and implement virtual infrastructure security measures to maintain compliance with regulatory and internal standards. Graduates of the course will come away with the ability to analyze the efficacy of their existing virtual security protocols, as well as the know-how to take proactive measures to enhance their existing security. Upon completion of the CVSP program, students are eligible to sit for the CVSP certification exam, consisting of a practice deployment and a multiple choice test. A strong background in VMware ESX Server 3.x, Virtual Center 2.x, Linux networking, and network security concepts is recommended for participants, as is a Certified Information Systems Security Professional (CISSP) certification.

"Our clients' virtualization deployments were moving from the lab into production and we realized we needed additional training to ensure they did not compromise compliance or security in the process," said Chad Kireta of solution provider Prevent Strategies, in Chambersburg, PA. "We were thrilled to discover that Catbird's CVSP was available to help educate us and move our customers' virtualization plans forward."

Catbird is a pioneer in the virtual security industry. Its V-Security suite is the industry's first and only comprehensive security and compliance solution for virtual and physical infrastructures. V-Security is a fully-automated Security-as-a-Service solution built upon a unique stateless architecture that is 100% plug-and-play for both physical and virtual environments. V-Security includes VMShield™, a dedicated security solution specifically designed to control and secure the virtual machine console, and HypervisorShield™ to guard against unauthorized hypervisor network access and attack. Via its IPS/IDS, Rogue VM monitoring, firewall and policy enforcement, Catbird is one-stop shopping for the most critical areas in virtual network security.

Catbird's V-Security is delivered through Catbird partners. The CVSP is available through authorized training centers. For more information about this or Catbird's full line of stateless enterprise-grade in-the-cloud security solutions, visit the company's Web site at www.catbird.com or contact your local Catbird Partner.

About Catbird

Catbird is the industry leader in comprehensive security for virtualized and physical environments, and winner of the 2007 VARBusiness Technology Innovator Award for Virtualization. Via Catbird V-Security and the Catbird V-Agent virtual appliance, Catbird is the only company delivering best-practice security for Hypervisor, Guest VMs and Policy/Regulatory Security Compliance. As companies migrate mainstream servers and desktops to virtual environments, uncertainty over security and compliance can impact deployment plans. Catbird's protection eliminates these worries and keeps virtualization plans on track. Founded in 2000 by Internet pioneer Ron Lachman, the company's in-the-cloud architecture protects thousands of customer systems and networks who rely on Catbird and its partners to protect their valuable IT assets from external and internal threats. The private company is based in Silicon Valley, and is currently recruiting new partners and resellers.


azn2kew
Champion

Howard,

What's the course fee and exam cost? I couldn't locate any authorized training center; can you give some details, especially in the Orlando area?

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
howardcat
Contributor

Ken (And all those interested in more details regarding the CVSP Program):

The CVSP website is up, and you can find all the details here:

http://www2.catbird.com/our_services/cvsp.php

Best regards,

Howard
