VMware vSphere 4.0 Earns Common Criteria EAL4+ Certification

For those working in U.S. Department of Defense (DoD) environments, like me at times, it is great news to hear that VMware vSphere 4.0 has finally earned Common Criteria EAL4+ Certification. You can find out more about VMware’s Security Certifications and Validations (including this latest one) at their site here: http://www.vmware.com/security/certifications/

According to the VMware press release for the vSphere 4.0 CC EAL4+ Certification,

VMware, Inc. the global leader in virtualization and cloud infrastructure, today announced that VMware vSphere(TM) 4.0 and VMware vCenter(TM) Server 4.0 achieved Common Criteria certification at Evaluation Assurance Level 4 (EAL4+) under the Common Criteria Evaluation and Certification Scheme (CCS). Common Criteria is an international set of guidelines (ISO 15408) that provides a common framework for evaluating security features and capabilities of Information Technology (IT) security products, and EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA).

“VMware is committed to serving our U.S. federal government customers’ unique requirements by delivering peace of mind to organizations leveraging virtualization as the foundation for cloud computing, or as the key enabler for server or data center consolidation, telework and Continuity of Operations (COOP) initiatives,” said Aileen Black, vice president public sector, VMware.

As virtualization occupies an increasingly central position within the U.S. federal government’s IT strategy as the cornerstone of modern infrastructures and the foundation for cloud computing, VMware vSphere enables organizations to achieve the benefits of cloud computing while maintaining the security, control and efficiency they require. Achieving EAL4+ certification marks the completion of an intensive effort during which VMware vSphere 4.0 and VMware vCenter Server 4.0 were examined, tested and certified at EAL4+, validating that VMware vSphere is one of the most proven, trusted platforms for modern IT infrastructure.

“VMware has demonstrated a strategic, long-term commitment to the quality of its product development and quality assurance processes,” said Erin Connor, lab director at EWA-Canada. “VMware continues to set the standard for virtualization, and its rigorous efforts ensure that customers can have confidence in the performance and security of their most demanding, mission-critical applications.”

Linux, Unix and Windows Security Readiness Review Scripts

I often get questions from organizations looking to beef up their security policies and procedures. Often enough, this is right after a system has been compromised. Linux and Unix admins will often tout the inherent security framework built into Linux and Unix, but no system that is improperly configured or maintained is safe from threat or attack. As a baseline, I often urge these businesses to take a look at the U.S. Government Information Assurance Security Readiness Review Scripts. These can be run against new or existing builds (servers and desktops) to get a better idea of what vulnerabilities exist on the system. They are pretty straightforward, and they usually have readme files that explain how to use them. You can download these scripts at the DISA Website: http://iase.disa.mil/stigs/SRR/index.html

There are scripts for Unix (Linux), Windows, Oracle and some other exotic and legacy operating systems. Having a baseline for security is important. Not every single server can be hardened down 100%, and it is up to your risk assessment people to determine what level of risk is acceptable in trade for functionality. There are a few more resources that I will post about in the future, but these should get you started on the right path to securing your systems. After all, the DoD requires the use of these SRRs, so you should definitely take a look at them at the very least. If you are not sure how to use them or what they do, just Google around for some more information. The better prepared you are from the start, the less of a chance that your systems will be victims of a security breach.