Address Virtualization Specific security issues
• Protect your ESX servers from known hypervisor vulnerabilities
• Virtualization Vulnerability Monitoring
• VM Specific Intrusion Prevention
• Firewalling & VM NIC Isolation
• VM Sprawl Control
• VM Escape
• Incorrect VM Isolation
• VM Poaching
• Uncontrolled VM Migration
• Unintentional VM Tools exposure
• Guest VM OS & network vulnerabilities
RedCannon VMFW Enforcer™ for ESX is a VM Appliance which can be seamlessly deployed as a VM within an ESX server to control & enforce security policies on the ESX Server as well as on authorized VMs running within its virtual environment. Through central policy control, VM Enforcer can prevent uncontrolled VM sprawl, unauthorized VM migration, VM poaching and a host of other virtualization specific vulnerabilities.
Secure Type-1s, Restrict Type-2s:
Virtualization environments, commonly known as hypervisors, are available in two different modes. Type-1 hypervisors work “bare metal”, i.e. directly on top of the physical hardware of the computer, while Type-2 hypervisors run as a process within another Host OS. The majority of the freely available hypervisors are of Type-2. Therefore, in order to control their usage in the enterprise environment, security solutions used to prevent such use need to sit within the Host OS where the Type-2 hypervisor could be installed or is already installed.
Secure VM Environment Requirements:
An Enterprise VM Security Policy needs to ensure that enforcements are made across every machine that is or can potentially act as a virtualization host. Policies such as the following & many more need to be addressed in an enterprise virtualization environment.
• Which VMs are allowed to run on which ESX server?
• Should IT allow more than a certain number of VMs on each server?
• Should IT allow VM Migration? To which ESX servers?
• Allow VI Console Access? From which computers?
Persistent VM Tagging:
Policies for authorized VMs have to stay with the VMs regardless of whether a VM moves from one server to another or is copied. VMFW VM Enforcer uses a unique patent-pending technique called “VM Tagging” to tag authorized VMs. Like electronic tagging of computers, these VM tags allow VM Enforcer to identify each VM & its derived VMs uniquely and thus enforce central policies for these VMs. The VM tag moves with the VM when the VM migrates from one server to another. VM tags can also be used to tag VM templates which are subsequently used to create VMs in the server environment, retaining the tagged identity of the original VM template.
Secure Hypervisor Enforcement:
Type-1 hypervisors such as VMware ESX Server are extremely difficult to break into since they run bare-metal on the hardware without any OS. However, the service console, which allows access to certain server functionality, could compromise the security of the entire virtualization environment, including the VMs running within it. Central policy control on the ESX server. VM migration as well to secure network access for VM & VM Host applications.
VM Specific Policy Enforcement:
VM Enforcer can enforce individual policies on each Virtual Machine running within an ESX server, such as whether to allow CD-ROM, USB drives or multiple NICs from the VM, and can enforce logging as well as CPU & memory usage limits etc.
VM Enforcer offers seamless policy control across all ESX & ESXi server deployments within the organization or its Data Center. VMFW Manager can be used to control all VMFW modules including VM Enforcer for ESX Servers.
Specifications
• Supports VMware ESX/ESXi Servers
• VM Appliance for seamless plug-in to ESX/ESXi environment
• Web interface for VM network configuration & for file download/upload
• Separate management LAN Interface