VMware's vSphere cleared for military spook servers

ESX Server 4.0 reporting for duty, sir!

VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services.

To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why getting certified for various levels of the Common Criteria security test is important. Considering how virtual machines are the equivalent of putting all of your warheads inside one missile, maybe virtual machine hypervisors should have to prove they are even more secure than a physical server with a single operating system running on it.

The Common Criteria is an international certification that is an amalgam of security standards from North American and European governments. It was established in the late 1990s and began to be widely used in the early 2000s to prove the security of servers, operating systems, firewalls, and all kinds of devices. These devices are given different Evaluation Assurance Level (EAL) ratings, and the current high water mark is EAL 7+, which only one product has been certified to, and that was back in 2006. A total of 1,272 products have been put through Common Criteria bootcamp; you can check them all out here.

The EAL4+ level is the one that makes governments and those who adopt their security standards approach something close to comfortable, and it turns out it is the highest level that the countries who created the Common Criteria agree upon. Once you hit EAL5, the arguing about relevance begins.

It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes. Anything EAL3 or lower can be certified as secure through a test, but has not had its internals pored over by propellerheads. In addition to a basic EAL security certification, there are other security hoops (called profiles) a vendor can jump through to get extra credit (that's the plus in EAL4+ ratings you see out there).

The three main profiles that give you the little plus are: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). IT vendors used to cherry pick which profiles they would test, but Homeland Security, the Defense Department, and similar government agencies the world over want all three these days.

The vSphere 4.0 stack was announced in April 2009 and started shipping later that summer. But the hassle and time it takes to get EAL4+ certification means VMware is only getting its badge now. It will probably take a similar amount of time for VMware to get vSphere 4.1 and its integral ESX Server 4.1 hypervisor, which debuted this July, through the security tests. VMware's ESX Server and ESXi 3.5 hypervisors and the VirtualCenter 2.5 console were certified at the EAL4+ level in February of this year. ESX Server 3.0.2 and Virtual Center 2.0.2 got their EAL4+ sticker in May 2008.

The full list of operating systems and hypervisors that have been certified under the Common Criteria includes most of the products you know. Windows Vista, Windows Server 2008, and Hyper-V are currently certified at the EAL4+ level, and so are Windows Server 2003 SP2 and Windows XP SP2. Believe it or not, so were Windows Advanced Server and Windows 2000 Professional back in 2002.

Red Hat Enterprise Linux 4 and 5 have their EAL4+ stickers, and so does Novell's SUSE Linux Enterprise Server 9 (with some help from IBM). Novell did not get certifications for SLES 10 and SLES 11, which seems foolish. Solaris 10 was certified at EAL4+ in November 2007, with the Trusted Extensions certified in June 2008; Solaris 9 made it to EAL4+, but Solaris 8 only EAL4.

Hewlett-Packard's HP-UX 11i v3 passed its EAL4+ tests in November 2009, with v2 getting its EAL4+ grade in May 2006. IBM 5L 5.2 was certified at EAL4+ in November 2002, AIX 5.3 in January 2007, and AIX 6.1 in May 2008. IBM's last six releases (6 through 11) of z/OS V1 for its mainframes have their EAL4+ seals of government approval, and the PR/SM hypervisor for mainframes is rated at EAL5. Oracle's 10g and 11g, IBM's several DB2 generations, and Microsoft's SQL Server databases have EAL4+ certs, too. ®
