November 02, 2009

Security Book Review: VMware vSphere and Virtual Infrastructure Security - Securing the Virtual Environment

"VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment"
Author: Edward L. Haletky
Editorial: Prentice Hall PTR
Publication date: July 2, 2009
ISBN-10: 0137158009
ISBN-13: 978-0137158003

Summary: The reference for securing virtual environments, in particular, VMware-based.

Score: 5/5

n the first half of this year (2009), I was involved on extending my previous research on virtualization security, and specifically, I focused on securing and hardening VMware ESX environments. This stirred up my interest on this book. To sum up what this book is all about: "I would have loved to have this book handy back by that time, as it would have saved me tons of time" Instead, I had to read and compare multiple VMware security guides from VMware, CIS, NIST, etc, and perform an extensive hands-on research on my own.

The book offers a very solid and broad analysis of multiple security issues on virtual environments, covering not only the technical aspects associated to the virtualization hosts, virtual machines, and virtual data and storage networks, but also management and operational issues, availability concerns, and other common related tasks on newly deployed, or already established, virtualization setups.

The first two chapters focus on security threats and attacks, a basic foundation required for the cross-references available throughout the book, that can be skipped by the on-the-field security readers.

The next three chapters focus on offering best practices and security recommendations for different key components of any virtualization platform, such as the hypervisor, the storage network, and virtual clusters. The next couple of chapters cover most of the security aspects that must be considered on the design, deployment and operation of a virtual environment.

Although all these chapters provide a very good quality security advice, it is not complemented with hands-on examples. I think this could be improved by adding more detailed sections describing step-by-step how to complete the security recommendations exposed, not just what need to be done. However, I understand it is required to cut the size of the book at some point. A good example of how to extend this idea can be observed on chapter 6, where the integration between VMWare ESX and a directory service is covered in depth.

However, both the technical and operational aspects are integrated smoothly, offering a great in-depth overview. Apart from that, the whole recommended list of things to consider in order to get a more secure virtualization infrastructure is summarized in a useful set of boxes called "Security Notes" and spread all throughout the book. These boxes can be easily used as a checklist when deploying or assessing the security of virtual solutions.

My favourite chapters are chapter 8, and specially 9, where virtual machine and virtual networking security is analyzed, respectively. Chapter 9 offers a whole set of networking scenarios and discusses pros and cons to the number of (physical and virtual) network cards and its configuration. A
very practical and thorough work!

The book ends up with three special chapters. Chapter 10 covers the new VMware virtual desktop infrastructure (VDI) and the security issues around it. Due to all the client-based attacks nowadays, most probably it is going to be a de-facto standard pretty soon, so getting involved on the virtualization of client systems is a must. Chapter 11 provides a detailed guide to harden VMware ESX and ESXi hosts, a mandatory initial process for every new virtual deployment. Finally, chapter 12 provides a quick and interesting introduction to digital forensics (and data recovery) on virtual enviroments, mainly focused on how to deal with virtual file systems, such as VMFS, VMDKs, and raw disks. A quick recommended read for forensic analysts interested on expanding their skills to virtual victims.

There are a few things I feel will improve the book contents. Unfortunately, due to the publication deadline, its coverage of the latest VMware vSphere virtual architecture is pretty limited, as the author clarifies. Besides that, considering the frequent security updates and patches released by virtualization vendors, I would have liked to find a better coverage of best practices to update the virtual infrastructure itself. Finally, as mentioned previously, about half of the book includes detailed how-to sections describing how to apply the recommended settings, but the other half misses that how-to portion. I understand this may be a limitation to make the book size manageable (it's over 500 pages now).

This book is highly recommended for IT and security architects, involved in the design of new virtual solutions, as well as virtualization administrators and anyone in charge of the maintenance of a virtual infrastructure. From a security perspective, people evaluating, assessing, and suggesting improvements for virtual solutions should read the book in order to have a full overview of all the security threats and possible countermeasures. Overall, the book is a must read for anyone already involved, or planning to get involved, in virtualization. It really helps to acquire a very broad and extensive knowledge of the security considerations that apply to such a complex and modern IT architectures.

UPDATE: Slashdot review, Amazon review.

Labels: ,


Post a Comment

<< Home