Compared to traditional monitoring tools for a physical network, tools for virtual systems may not provide the same level of insight or monitoring within intra-host communications or traffic flowing between VMs on a virtual network.

They then lead on to say:

Similarly, specialized tools for monitoring and logging virtual environments may be needed to capture the level of detail required from the multiple components, including hypervisors, management interfaces, virtual machines, host systems, and virtual appliances.

VMinformer can help organizations rapidly audit and monitor virtual environments that need to meet PCI-DSS compliance regulations. We ship with out of the box policy templates based on a number of industry standards including PCI-DSS. To find out how sign up for a no obligation 14-day trial here.

PCI Security Standards Virtualization Guidelines Reference -PCI-DSS Guidelines for virtualization

Design

The above design is taken from VMware’s own best practice guidelines for good network design topology. I’m not going to discuss if it is right or wrong what I am going to be asking is it right for you and should you just copy it?

Should I Copy Design’s?

Depends how good they are I guess? But bottom line NO NO NO, DON’T BE STUPID!
Would you after all leave your keys in your front door or give a shotgun to your kids to play with?
Plenty of people and organizations have been guilty of the above even to the level of copying IP address information and default usernames and passwords.

If I had a dollar every time I heard someone say isolate the management network or isolate this network I would be a rich man. Isolation alone does not guarantee security. It can help for sure but unlike the physical world it only takes a few clicks to add a new virtual network interface to a server and hey presto you have just bypassed your firewall by linking your DMZ servers to your internal LAN.

Virtualization Security, VirtSec, Security Virtualization?

Slightly different things depending on your perspective. Virtualization isn’t necessarily any less secure or more secure than traditional physical infrastructure, some people might differ! Virtualization because of its dynamic nature just lends itself to becoming less secure either because of lack of knowledge, the gun-ho approach taken to roll it out or just plain and simple mistakes combined with not enough awareness.

Surely if I have a firewall and install anti-virus and various other security measures I must be secure it’s better than nothing right? Not necessarily so in my opinion you will be giving yourself a false sense of security.

Know your Enemy and Risks

Ultimately know your enemy or at least have an idea and understand what your risks are. What are you ultimately trying to protect? If it is data which invariably it is where is it?, how is currently protected? and how valuable is it compared to the controls you need to put in place to protect it? When doing a risk analysis work out the series of events that could occur and then evaluate them on how likely they are to occur and then weight them. Going through this kind of exercise will prove invaluable later on and may turn up some interesting results that you may never have thought of.

Know what’s going on…

AUDIT, AUDIT and AUDIT some more. If you don’t keep any eye on what is going on in your virtual environment you will never be able to provide adequate security measures to protect it. Don’t just simply do this for a tick in the box for compliance. Do this because you need to drive security measures within your virtual environment and be able to provide accountability not just lip service to the compliance auditors.

If you are looking to assess the security of your virtual infrastructure as well as audit your VMware infrastructure for compliance reasons, what current options are available?

Well you can start by looking at the VMware security hardening guidelines document available at this link which is a good document and can be complimented by other documents such as those from CIS and DISA.  However the information contained in these documents has to be manually applied to your infrastructure which is all well and good if you only have a couple of Virtual machines and one ESX host but when you have 20 + machines to check then this process quickly becomes very time consuming and unrealistic.

So whats the answer?

Well there is a a comprehensive tool available called VMinformer that can do the job for you and will very rapidly check your entire Virtual Infrastructure in a matter of minutes against known industry best practices such as the ones mentioned above.

Reporting

The tool provides reports that can be handed over to your auditors or used in your own reports to meet PCI or similar industry compliance regulations.

To find out more go to vminformer.com