It has been a couple of weeks since the release of the vSphere 5.1 Hardening Guide. Right around that time there was a call for updated content for the VMware Mobile Knowledge Portal app Well, I really wanted to see the updated Hardening Guide available on that  platform. That presented a challenge. For most customers, the format of releasing it as an Excel spreadsheet meets their need but have you looked at a spreadsheet on an iPad? Not a pretty sight.

So, using Microsoft Word’s Mail Merge capability I whipped up a proof of concept and showed it to a couple of folks. When your boss says “That’s awesome!” you know you’re on the right track. After some updating, we came out with a decent template and I’m happy to say that it looks great on my old iPad.

Here’s some examples:

First, a picture of the Mobile Knowledge Portal app itself. You can see a list of all the Hardening Guide content.

Now the Introduction Page that explains what the Hardening Guide contains

Finally, here’s an example of Hardening Guide data reformatted for a tablet. This is useful for browsing through all the guidelines.

If you don’t have the VMKP, get it now for iPad and Android! Here’s some more info about the app and where to get it.

Get it for iPad on iTunes
Get it for Android tablets at Google Play

The VMKP is designed to provide a simple way for VMware customers to view technical collateral around the Datacenter & Cloud Infrastructure and Infrastructure & Operations Management products.
VMKP 2.0 adds the following enhancements over the original version
- Android and iPad support
- Ability to rate collateral
- Ability to provide feedback to VMware on pieces of collateral
- Integration with Facebook and Twitter to let others know what you have been reading on the VMKP
- Mechanism to request additional collateral items

I hope you find this useful. If you have feedback, please send it on!

Thanks,

mike

Feed back to VMware’s announcement of vSphere 5.1 achieving “In-Evaluation” has been overwhelmingly successful.  However, it also caused quite a flurry of questions regarding the change in EAL level from EAL4+ to EAL2+ and questions on EAL4 vs. EAL2.  This blog posting will help with clarifying VMware’s position and overview of reform changes in-progress with Common Criteria.

Information Technology (IT) customers often leverage third party validations, such as Common Criteria, for assurance of IT product features & implementation and compliance with a known standard.  Common Criteria is a methodology framework for the evaluation of IT products, mutually recognized by 26 member nations (up to EAL4) and is an ISO standard (ISO-15408).   These factors, among many others, have contributed to the success, acceptance and often the requirement for Common Criteria certifications for Government and Defense related procurement sales.  However, as with any technology, process or standard, they must evolve and adapt to address current technologies and industry trends to remain relevant.   Common Criteria is evolving to address such needs.

The National Information Assurance Partnership (NIAP) in cooperation with other countries has initiated a series of changes for reform.  Changes include enlisting the help of industry through technical communities for development of new Protection Profiles (PP), improving consistency, speed and efficiency of evaluations.  As part of the reform, requirements for specific EAL levels will be replaced with “Approved Protection Profiles” and products will be listed as “PP Compliant”.  These products which implement the functionality described in the protection profile will then be evaluated in a consistent manner and against the same security threats which have been observed by the larger security community.  In the event that there is no protection profile in place at the time of entering the evaluation evaluations will be accepted up to a maximum evaluation level of EAL2 which is roughly consistent with the level of detail in the current protection profiles.

Security claims for prior Common Criteria evaluations were driven by vendor developed Security Targets and optional Protection Profiles.  While this provided vendors with greater flexibility, it also enabled opportunity for inconsistent evaluations.  Going forward products will be required to conform to a set of security claims from a mandatory protection profile.  This baseline will improve consistency across evaluations, testing laboratories and international schemes.

The Common Criteria certification of vSphere 5.1 @ EAL2+ demonstrates VMware’s continued commitment to evolving standards, validation of the latest VMware platform and providing assurance to our customers.

The National Information Assurance Partnership (NIAP) developed a FAQ which provides in-depth details on the Common Criteria reform titled “Frequently Asked Questions for NIAP/CCEVS and the Use of Common Criteria in the US (28 March 2012)”

The FAQ below is based on specific questions and discussions at VMware:

Q: Why is vSphere being certified at EAL2?

A: As stated in the NIAP FAQ, the ability to certify at EAL4 was sunset as part of the Common Criteria reform.  When vSphere started the certification process, EAL2 was the target level for commercial software.

Q: You just stated that Common Criteria evaluations at EAL4 are no longer possible, I searched and discovered VMware vCNS 5.1.2 on the “In-Evaluation” list at EAL4?  What gives??

A: Correct.  Short answer is timing and timelines.  vCNS entered into evaluation when while EAL4’s were still being accepted.  However, when vSphere entered into evaluation, certifications at EAL4 were no longer being accepted.

Q: Does certifying at EAL2+ mean that vSphere 5.1 is less secure?

A: No, absolutely not!  The certification process by which vSphere 5.1 is being evaluated  is changing.  vSphere 5.1 remains the trusted center piece of the industry-leading virtualization platform for building flexible cloud infrastructures with performance and reliability to run the most demanding enterprise applications.

Q: Why didn’t vSphere 5.1 conform to a mandatory Protection Profile?

A: When vSphere 5.1 entered into evaluation a protection profile for virtualization was not available.  vSphere 5.1 will be a Security Target based evaluation.  The vSphere 5.1 Security Target contains a full comprehensive set of security claims where applicable, portions were leveraged from existing protection profiles like General Purpose Operating System (GPOS).

Also see NIAP FAQ questions #14 & #16.

VMware was an active participant in the Tech Community that developed the foundation content for the Virtualization Protection Profile.  The Protection Profile for Virtualization is currently under development and the estimated completion date is Q3/2013.

See complete NAIP PP lists:

-       Completed:    http://www.niap-ccevs.org/pp/

-       In draft:          http://www.niap-ccevs.org/pp/draft_pps/

Q: Why is vSphere 5.1 being certified through Canada and not the US?

A: Common Criteria certifications up to EAL4+ are mutually recognized by all member nations.  All schemes are governed and accredited by identical standards, so location isn’t important.  The decision to certify though Canada was a decision based on several business factors.

Also see the Common Criteria Recognition Agreement “Vision Statement”.

Q: Why are some products still being certified at EAL4 through other schemes?

A: While the US, Canada and most other schemes are in lock-step agreement with proposed timelines and processes for reform, some schemes decided to postpone new NIAP direction and continue to perform evaluations at EAL4 for specific country requirements.

Join the conversation:

VMware community discussion: “VMware Common Criteria Security Certification Update”

The package comes in 4 versions:

• Full – Has all recommendations present in the hardening guide
• Profile 1 – Has only Profile 1 recommendations
• Profile 2 – Has only Profile 2 recommendations
• Profile 3 – Has only Profile 3 recommendations

Pick the packages based on the profile you are wanting to adhere to! You can download the packages using VCM Content Wizard and begin to use it.

Compliance Rule Groups and Templates for vSphere 5.1 Hardening Guide:

vSphere 5.1 Hardening Guide Rule Groups and Templates – 1

vSphere 5.1 Hardening Guide Rule Groups and Templates – 2

 One-Click Collection Filter Set to collect all data needed for Compliance assessment:

vSphere 5.1 Hardening Guide Collection Filter Set

Track your compliance posture using these great dashboards:

vSphere 5.1 Hardening Dashboard – 1

You can also break down the compliance results by data type and vCenter Server to see where most of your infractions are coming from::

vSphere 5.1 Hardening Guide Dashboard – 2

From there, you can see the individual rules behind the content that is surfaced in our dashboards:

vSphere 5.1 Hardening – Compliance Assessment Detailed Results

 
Keep in mind that VCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. Yes! That is right, we can also remediate non compliant results with a right click in both the virtual and physical world!

Start Green Stay Green!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F

I’m pleased to announce to availability of the official release of the vSphere 5.1 Hardening Guide. The guide is being released as an Excel spreadsheet only. This guide follows the same format as the 5.0 guide.

All reference and documentation URL’s and code samples have been updated for 5.1. The guide is available here

The permanent home will be here soon: http://vmware.com/go/securityguides

Also available is a separate document containing the Change Log for the guide. The Change Log is available here

Thanks to everyone who contributed feedback on the Public Drafts and also the team at VMware for their outstanding work in making this guide possible.

mike

We’d love to hear your feedback, good and bad, on the contents of the guide. I would encourage you to post your reply in the Security and Compliance Communities forum but if you have more sensitive concerns, send it to me at mfoley@vmware.com. The intent is to publish the final GA copy in two weeks with any changes/updates incorporated so get your inputs in as soon as possible!

The vSphere 5.1 Security Hardening Guide has been posted to the VMware Communities in the “Security and Compliance” area, in the Documents tab. A separate Change Log document has also been published with the RC Guide.

Thanks to everyone who provided feedback on the Rev A Draft, and also to the team at VMware who contributed to this guide in many significant ways.

Thanks,
mike foley

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of latest Center for Internet Security (CIS) and Defense Information Security Agency (DISA) Compliance toolkit packages for VMware vCenter Configuration Manager (VCM).

The highlights of this release are as below:

1. CIS has new content for
   • AIX 5.3-6.1 and
   • RHEL 6
2. DISA has new content for
   • HP-UX 11.23 and 11.31
   • Solaris 10
   • AIX 6.1 and
   • RHEL 5

Apart from the new ones, the older ones are also packaged together respectively. You can download the packages using CCW tool and begin to use it.

Below are some snapshots to give you a quick feel of the update:

CIS Rule Groups and Templates

DISA Rule Groups and Templates

Dashboard View 1

Dashboard View 2

Detailed Compliance Assessment Results

Stay tuned, DISA Compliance Checker for Windows and Linux is coming soon!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F

For those who need to prioritize deployments, there are 3 security bulletins that will need to be addressed right away.

MS13-009 addresses 13 issues across all supported versions of Internet Explorer and MS13-010 addresses issues in the Vector Markup Language (VML) which is used by all versions of Internet Explorer. Both of these issues could allow Remote Code Execution if a user viewed a specially crafted webpage using Internet Explorer.

MS13-020 affecting Windows XP resolves an issue in Microsoft Windows Object Linking and Embedding (OLE) Automation which could allow Remote Code Execution if a user opens a malicious RTF file with an embedded ActiveX control in either Word or WordPad.

In addition to the above mentioned bulletins, for the second time in less than a week, both Microsoft and Adobe released Critical-class bulletins (KB2805940 and APSB13-05) to update Flash Players. These updates address at least 16 distinct vulnerabilities including buffer overflow and use-after-free vulnerabilities that could lead to Code Execution.

All the above mentioned bulletins are now available for deployment via VMware vCenter Configuration Manager (VCM).

Aravind Kolipakkam
Sr. Member of Technical Staff, VMware Center for Policy & Compliance

The highlights of this release are as below:

1. Package aligned with the latest version of VMware vSphere 5.0 Hardening Guide i.e. v1.2 released in Dec 2012
2. The package now comes in 4 versions:

• Full – Has all recommendations present in the hardening guide
• Profile 1 – Has only Profile 1 recommendations
• Profile 2 – Has only Profile 2 recommendations
• Profile 3 – Has only Profile 3 recommendations

Now pick the packages based on the profile you are wanting to adhere to!

You can download the packages using vCM Content Wizard and begin to use it.

With the updated vSphere 5.0 hardening content in vCM, our customers will be able to get great dashboard to track their Compliance posture:

You can also break down the compliance results by data type to see where most of your infractions are coming from:

From there, you can see the individual rules behind the content that is surfaced in our dashboards.  

In this release we provided 20 Rule groups, 8 templates and 15 collection filters.

Keep in mind that vCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. Yes! That is right, we can also remediate non compliant results with a right click in both the virtual and physical world!

Also, don’t forget about the VMware CP&C FREE compliance checkers!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F

A brief intro for those that don’t know me and my new role. My name is Mike Foley. I’m a Sr. Technical Marketing Manager, working for Charu Chaubal in VMware’s Technical Marketing group. My primary role is that of technical marketing support for security of the core vSphere platform. I come from RSA, where I was their virtualization evangelist/go-to guy for many years. My personal blog is at http://yelof.com and I’m on Twitter as @mikefoley.

I would like to announce the **draft** release of the vSphere 5.1 Security Hardening Guide.  This initial draft release has taken the 5.0 guide and updated it for 5.1. What it does NOT contain at this time is a complete review of functionality around the new 5.1 SSO capabilities. We are working on those parts and hope to have an updated draft very soon.

We’d love to hear your feedback, good and bad, on the contents of the guide. I would encourage you to post your reply in the Security and Compliance Communities forum but if you have more sensitive concerns, send it to me at mfoley@vmware.com.

The vSphere 5.1 Security Hardening Guide has been posted to the VMware Communities in the “Security and Compliance” area, in the Documents tab.  Thanks to everyone who provided feedback on the Public Draft, and also to the team at VMware who contributed to this guide in many significant ways.

Thanks,
mike foley

VMware vShield Endpoint enables Symantec Endpoint Protection 12 – offloading anti-virus and anti-malware agent processing to a dedicated secure virtual appliance – streamlining deployment and monitoring for your VMware environment.

One year ago, there was really only a single option available if a VMware customer wished to use the vShield Endpoint introspection possible on vSphere to protect servers or virtual desktops.  As 2013 begins, the number of partner solutions has grown to a half-dozen and continues to grow. It’s probably an understatement to call the latest of these, “much anticipated”.  The introduction I’m referring to is Symantec’s Endpoint Protection 12.1.2. With the mid-December availability of Symantec’s entry to the field of virtual guest protection, we welcome a new year.

Symantec has been working with the VMware vCloud Security team for several years. Now, I’m glad to see that our shared customers can begin to enjoy the rewards of our strategic alliance.

“We collaborated closely with Symantec so that VMware vShield Endpoint and Symantec Endpoint Protection 12 will work together… our customers need the right security solutions to embrace virtualizing business critical applications and to accelerate cloud adoption.”

Parag Patel, vice president, VMware

Symantec support for VMware vSphere and View deployments delivers the opportunity for a unified solution across your entire infrastructure. Managing operations of both physical and virtual endpoints through single, uniform policies and management, Symantec Endpoint Protection coupled with vShield Endpoint – can now improve virtualization consolidation ratios, and prevent anti-virus storms in the software-defined data center, along with the traditional protection, already relied upon. I’m also glad that the new Symantec Endpoint Protection release continues offering improvement in the detection engine and behavior-based blocking of “zero day” attacks. Technologies like Insight and SONAR allow reduction of anti-virus scans and maximum performance. Effort has been also made to simplify your deployment and updating while improving the quality of reporting.

The additional benefit I’d like to share with customers for coupling Symantec’s protections with vShield Endpoint is the additional layer for defense in depth – agent-less and directly from the VMware Cloud infrastructure, without further guest configuration. This improves your overall security posture and compliance for the growing number of virtual machines deployed in testing, development, and private cloud deployments.

We also made it easier to acquire the vShield Endpoint part of this. Recognizing the value of ensuring security and compliance audit requirements for the expanding roles of virtualization and private clouds, VMware customers with valid Support and Subscription (SnS) contracts for vSphere Essentials Plus or higher editions are now entitled to vShield Endpoint functionality at no extra cost. This means that vShield Endpoint is now licensed with vSphere, and better positioned to deliver you these benefits with Symantec Endpoint Protection today.

Symantec has additional security solutions that work with VMware vShield and vCloud Networking and Security to create a broad set of solutions for VMware customers, to provide:

• Optimized Endpoint Protection for High-density Virtual Environments
• Orchestrated Data Loss Prevention
• Compliance Across Converged Infrastructure
• Protection for Virtual Data Centers Against Advanced Threats
• Integrated Threat Intelligence

There’s more details and information on these protections, including whitepapers and solutions briefs at – VMware Solutions Exchange and Symantec Partner: VMware.