Feeds

VMware's vSphere cleared for military spook servers

ESX Server 4.0 reporting for duty, sir!

Secure remote control for conventional and virtual desktops

VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services.

To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why getting certified for various levels of the Common Criteria security test are important. Considering how virtual machines are the equivalent of putting all of your warheads inside one missile, maybe virtual machine hypervisors should have to prove they are even more secure than a physical server with a single operating system running on it.

The Common Criteria is an international certification that is an amalgam of security standards from North American and European governments that was established in the late 1990s and began to be widely used to prove the security of servers, operating systems, firewalls, and all kinds of devices in the early 2000s. These devices are given different Evaluation Assurance Level (ELA) ratings, and the current high water mark is EAL 7+, which only one product has been certified to and that was back in 2006. A total of 1,272 products have been put through Common Criteria bootcamp; you can check them all out here.

The EAL4+ level is the one that makes governments and those who adopt their securities standards approach something close to comfortable, and it turns out it is the highest level that the countries who created the Common Criteria agree upon. Once you hit EAL5, the arguing about relevance begins.

It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes. Anything EAL3 or lower can be certified as secure through a test, but has not had its internals poured over by propellerheads. In addition to a basic EAL security certification, there are other security hoops (called profiles) a vendor can jump through to get extra credit (that's the plus in EAL4+ ratings you see out there).

The three main profiles ones that give you the little plus are: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). IT vendors used to cherry pick which profiles they would test, but Homeland Security, the Defense Department, and similar government agencies the world over want all three these days.

The vSphere 4.0 stack was announced in April 2009 and started shipping later that summer. But the hassle and time it takes to get EAL4+ certification means VMware is only getting its badge now. It will probably take a similar amount of time for VMware to get the vSphere 4.1 and its integral ESX Server 4.1 hypervisor, which debuted this July, through the security tests. VMware's ESX Server and ESXi 3.5 hypervisors and the VirtualCenter 2.5 console were certified at the EAL4+ level in February of this year. ESX Server 3.0.2 and Virtual Center 2.0.2 got their EAL4+ sticker in May 2008.

The full list of operating systems and hypervisors that have been certified under the Common Criteria include most of the products you know. Windows Vista, Windows Server 2008, and Hyper-V are currently certified at the EAL4+ level, and so are Windows Sever 2003 SP2 and Windows XP SP2. Believe it or not, so was Windows Advanced Server and Windows 2000 Professional back in 2002.

Red Hat Enterprise Linux 4 and 5 have their EAL4+ stickers, and so does Novell's SUSE Linux Enterprise Server 9 (with some help from IBM. Novell did not get certifications for SLES 10 and SLES 11, which seems foolish. Solaris 10 was certified at EAL4+ in November 2007, with the with Trusted Extensions certified in June 2008; Solaris 9 made it to EAL4+, but Solaris 8 only EAL4.

Hewlett-Packard's HP-UX 11i v3 passed its EAL4+ tests in November 2009, with v2 getting its EAL4+ grade in May 2006. IBM 5L 5.2 was certified at EAL4+ in November 2002, AIX 5.3 in January 2007, and AIX 6.1 in May 2008. IBM's last six releases (6 through 11) of z/OS V1 for its mainframes have their EAL4+ seals of government approval, and the PR/SM hypervisor for mainframes is rated at EAL5. Oracle's 10g and 11g, IBM's several DB2 generations, and Microsoft's SQL Server databases have EAL4+ certs, too. ®

Internet Security Threat Report 2014

More from The Register

next story
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
The DRUGSTORES DON'T WORK, CVS makes IT WORSE ... for Apple Pay
Goog Wallet apparently also spurned in NFC lockdown
IBM, backing away from hardware? NEVER!
Don't be so sure, so-surers
Hey - who wants 4.8 TERABYTES almost AS FAST AS MEMORY?
China's Memblaze says they've got it in PCIe. Yow
Microsoft brings the CLOUD that GOES ON FOREVER
Sky's the limit with unrestricted space in the cloud
This time it's SO REAL: Overcoming the open-source orgasm myth with TODO
If the web giants need it to work, hey, maybe it'll work
'ANYTHING BUT STABLE' Netflix suffers BIG Europe-wide outage
Friday night LIVE? Nope. The only thing streaming are tears down my face
Google roolz! Nest buys Revolv, KILLS new sales of home hub
Take my temperature, I'm feeling a little bit dizzy
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.