Tripwire Offers Virtual Misconfiguration Cure

by Richard Adhikari

The software vendor has released a free utility to help harden ESX hypervisors.

Any seasoned system administrator knows that a misconfigured system can lead to trouble, and that is as much of a problem in the virtual world as in the physical.

Discuss this article in the ServerWatch discussion forum

Unsure About an Acronym or Term?
Search the ServerWatch Glossary

The chances of misconfiguring virtual systems are much higher, though, because virtualization is a new technology.

But help is at hand. Configuration assessment and change auditing vendor Tripwire has created a free utility, ConfigCheck, that can analyze and validate the configuration of a VMware ESX hypervisor.

When a misconfiguration is detected, users can click on a VMware site that contains best practices from that vendor's experts, which then helps them remedy the problem.

"VMware has a very secure environment, but it could be misconfigured in such a fashion that it could pose some security risks," Mark Gaydos, Tripwire's vice president of marketing, told InternetNews.com.

Misconfiguration is one of the biggest security issues customers must think about when running any enterprise software, including ESX, Nand Mulchandani, VMware's senior director, product management and marketing, told InternetNews.com.

Virtualization Watch
Recent Articles
» Virtually Speaking: VMware Everywhere
» Virtual Box Hits Real Milestone
» Virtually Speaking: A Cut Above

"There haven't been any attacks against the hypervisor that could be demonstrated to break through, but misconfiguration could put you in a situation where you can get attacked even if you have no vulnerabilities or are fully patched," he said.

About 100 configuration settings in VMware must be set to ensure the most hardened environment possible, and these have, up until now, had to be manually checked.

"We have so many detailed settings people need to think about" and using ConfigCheck regularly will help "rapidly address any issues that come out of that," Mulchandani said.

ConfigCheck leverages the assessment capabilities in Tripwire's flagship Enterprise configuration audit and control product, which combines configuration assessment with change auditing.

VMware considers misconfiguration "a public health issue" for its customer base, so it's "spending a lot of time to raise customers' awareness" in this area, Mulchandani said.

Keep it simple

However, Kurt Roemer, chairman, chief technology officer and chief security strategist at VMware archrival Citrix, thinks having up to 100 configuration options for a hypervisor is unnecessary.

"It's strange that a product that should have inherent security should have so many choices you need to rectify for hardening," he told InternetNews.com.

Citrix ships its XenServer hypervisor "so that it's secure out of the box; we don't provide a lot of knobs for customers to go perturb the security," said Benn Schreiber, the company's senior director of business development. "We've eliminated a lot of children's playing with the toys and messing things up."

Modifications to XenServer are made using its application programming interface (API), its GUI and its XenCenter management console "and you cannot mess things up," Schreiber added.

Sun Microsystems uses the same strategy as Citrix. "Sun's approach is to minimize the possibility of misconfiguring the hypervisor," Vijay Sarathy, senior director of marketing for Sun xVM, told InternetNews.com.

For example, its xVM Server hypervisor, due out this summer in beta, will come as a preconfigured software appliance with secure default settings, Sarathy said.

It will also provide "well-defined interfaces, specifically through a browser-based management console" for administration and will have a self-update capability, Sarathy added.

While Tripwire's utility "probably gives customers a sense of security," it will itself need to be updated regularly to with VMware's technology advances, and that will add to customers' burdens because they'll also have to keep track of the utility, Schreiber said.

According to him, VMware requires a high number of configuration settings because its hypervisor "can run on virtually any processor," whereas XenServer doesn't because it has been designed to run well on the newer processors from Intel and AMD, which incorporate virtualization.

"You need the new processors to run Windows anyway, and we take advantage of the new technology," Schreiber added.

This article was originally published on InternetNews.com.

This article was originally published on Friday Jun 6th 2008
Mobile Site | Full Site