Every now and then, you get that same talk over and over again about ESX security. Bottomline always is that they think ESX (or virtualization at a whole) is not secure enough, but they can never explain why it isn’t or are just biased because of old security rules and thoughts.The only way to try to convince them is to have a set of whitepapers and atricles at hand that give some good insight on ESX security.
Below is a number of links that can help you in this situation. Should you have some good links to share, please add them in the comments.
VMware Infrastructure Earns Common Criteria EAL4+ Certification http://blogs.vmware.com/security/2008/06/vmware-infrastr.html This post talks about the very high Certification VMware has earned. Although it is only for ESX 3.0.2, one can be assured that ESX is designed with security high on the priority list.
Good starting point on your search for security related docs: http://viops.vmware.com/home/community/security.
Two posts about the “Blue Pill” infection that had everybody scared, but turned out to be not so scarry: http://www.vmware.com/vmtn/blog/2006/08/#bluepillpoppers and http://www.vmware.com/vmtn/blog/2006/08/#slashdot_followup.
Also read this post by Christofer Hoff, an open letter to Joanna Rutkowska who researched the Blue Pill exploit. Joanna’s response can be found here http://theinvisiblethings.blogspot.com/2008/04/research-obfuscated.html. And a last response by Chris: http://rationalsecurity.typepad.com/blog/2008/04/perception-vs-v.html
Great doc: 20 Questions from security professionals. Steve Chambers (VMware) has put the 20 most asked questions from security professionals in writing and answers them.
This document discusses the architecture of VMware Infrastructure 3, focusing on the security aspects of the design: Security Design of the VMware Infrastructure 3 Architecture.
Do have a look at VMware’s Security Center.
Some articles about ESX in the DMZ: DMZ virtualization with VI3 and All Your Virtualized Storage Are Belong To Us.
Great collection of documents!!
Thanks! I will bookmark this entry, very useful!
Mike,
Thank you for the links. Just one question, if infrastructure sharing/virtualization is so safe why does the DoD still employ so harsh segregation rules on their infrastructure? For the best of my knowledge they even have 3 network running in parallel for different levels of classification.
Cheers
Andre
Maybe this should be tagged with “security” instead of “workstation” :)