Feeds

VMware's vSphere cleared for military spook servers

ESX Server 4.0 reporting for duty, sir!

Application security programs and practises

VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services.

To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why getting certified for various levels of the Common Criteria security test are important. Considering how virtual machines are the equivalent of putting all of your warheads inside one missile, maybe virtual machine hypervisors should have to prove they are even more secure than a physical server with a single operating system running on it.

The Common Criteria is an international certification that is an amalgam of security standards from North American and European governments that was established in the late 1990s and began to be widely used to prove the security of servers, operating systems, firewalls, and all kinds of devices in the early 2000s. These devices are given different Evaluation Assurance Level (ELA) ratings, and the current high water mark is EAL 7+, which only one product has been certified to and that was back in 2006. A total of 1,272 products have been put through Common Criteria bootcamp; you can check them all out here.

The EAL4+ level is the one that makes governments and those who adopt their securities standards approach something close to comfortable, and it turns out it is the highest level that the countries who created the Common Criteria agree upon. Once you hit EAL5, the arguing about relevance begins.

It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes. Anything EAL3 or lower can be certified as secure through a test, but has not had its internals poured over by propellerheads. In addition to a basic EAL security certification, there are other security hoops (called profiles) a vendor can jump through to get extra credit (that's the plus in EAL4+ ratings you see out there).

The three main profiles ones that give you the little plus are: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). IT vendors used to cherry pick which profiles they would test, but Homeland Security, the Defense Department, and similar government agencies the world over want all three these days.

The vSphere 4.0 stack was announced in April 2009 and started shipping later that summer. But the hassle and time it takes to get EAL4+ certification means VMware is only getting its badge now. It will probably take a similar amount of time for VMware to get the vSphere 4.1 and its integral ESX Server 4.1 hypervisor, which debuted this July, through the security tests. VMware's ESX Server and ESXi 3.5 hypervisors and the VirtualCenter 2.5 console were certified at the EAL4+ level in February of this year. ESX Server 3.0.2 and Virtual Center 2.0.2 got their EAL4+ sticker in May 2008.

The full list of operating systems and hypervisors that have been certified under the Common Criteria include most of the products you know. Windows Vista, Windows Server 2008, and Hyper-V are currently certified at the EAL4+ level, and so are Windows Sever 2003 SP2 and Windows XP SP2. Believe it or not, so was Windows Advanced Server and Windows 2000 Professional back in 2002.

Red Hat Enterprise Linux 4 and 5 have their EAL4+ stickers, and so does Novell's SUSE Linux Enterprise Server 9 (with some help from IBM. Novell did not get certifications for SLES 10 and SLES 11, which seems foolish. Solaris 10 was certified at EAL4+ in November 2007, with the with Trusted Extensions certified in June 2008; Solaris 9 made it to EAL4+, but Solaris 8 only EAL4.

Hewlett-Packard's HP-UX 11i v3 passed its EAL4+ tests in November 2009, with v2 getting its EAL4+ grade in May 2006. IBM 5L 5.2 was certified at EAL4+ in November 2002, AIX 5.3 in January 2007, and AIX 6.1 in May 2008. IBM's last six releases (6 through 11) of z/OS V1 for its mainframes have their EAL4+ seals of government approval, and the PR/SM hypervisor for mainframes is rated at EAL5. Oracle's 10g and 11g, IBM's several DB2 generations, and Microsoft's SQL Server databases have EAL4+ certs, too. ®

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.