Feeds

VMware's vSphere cleared for military spook servers

ESX Server 4.0 reporting for duty, sir!

Internet Security Threat Report 2014

VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services.

To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why getting certified for various levels of the Common Criteria security test are important. Considering how virtual machines are the equivalent of putting all of your warheads inside one missile, maybe virtual machine hypervisors should have to prove they are even more secure than a physical server with a single operating system running on it.

The Common Criteria is an international certification that is an amalgam of security standards from North American and European governments that was established in the late 1990s and began to be widely used to prove the security of servers, operating systems, firewalls, and all kinds of devices in the early 2000s. These devices are given different Evaluation Assurance Level (ELA) ratings, and the current high water mark is EAL 7+, which only one product has been certified to and that was back in 2006. A total of 1,272 products have been put through Common Criteria bootcamp; you can check them all out here.

The EAL4+ level is the one that makes governments and those who adopt their securities standards approach something close to comfortable, and it turns out it is the highest level that the countries who created the Common Criteria agree upon. Once you hit EAL5, the arguing about relevance begins.

It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes. Anything EAL3 or lower can be certified as secure through a test, but has not had its internals poured over by propellerheads. In addition to a basic EAL security certification, there are other security hoops (called profiles) a vendor can jump through to get extra credit (that's the plus in EAL4+ ratings you see out there).

The three main profiles ones that give you the little plus are: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). IT vendors used to cherry pick which profiles they would test, but Homeland Security, the Defense Department, and similar government agencies the world over want all three these days.

The vSphere 4.0 stack was announced in April 2009 and started shipping later that summer. But the hassle and time it takes to get EAL4+ certification means VMware is only getting its badge now. It will probably take a similar amount of time for VMware to get the vSphere 4.1 and its integral ESX Server 4.1 hypervisor, which debuted this July, through the security tests. VMware's ESX Server and ESXi 3.5 hypervisors and the VirtualCenter 2.5 console were certified at the EAL4+ level in February of this year. ESX Server 3.0.2 and Virtual Center 2.0.2 got their EAL4+ sticker in May 2008.

The full list of operating systems and hypervisors that have been certified under the Common Criteria include most of the products you know. Windows Vista, Windows Server 2008, and Hyper-V are currently certified at the EAL4+ level, and so are Windows Sever 2003 SP2 and Windows XP SP2. Believe it or not, so was Windows Advanced Server and Windows 2000 Professional back in 2002.

Red Hat Enterprise Linux 4 and 5 have their EAL4+ stickers, and so does Novell's SUSE Linux Enterprise Server 9 (with some help from IBM. Novell did not get certifications for SLES 10 and SLES 11, which seems foolish. Solaris 10 was certified at EAL4+ in November 2007, with the with Trusted Extensions certified in June 2008; Solaris 9 made it to EAL4+, but Solaris 8 only EAL4.

Hewlett-Packard's HP-UX 11i v3 passed its EAL4+ tests in November 2009, with v2 getting its EAL4+ grade in May 2006. IBM 5L 5.2 was certified at EAL4+ in November 2002, AIX 5.3 in January 2007, and AIX 6.1 in May 2008. IBM's last six releases (6 through 11) of z/OS V1 for its mainframes have their EAL4+ seals of government approval, and the PR/SM hypervisor for mainframes is rated at EAL5. Oracle's 10g and 11g, IBM's several DB2 generations, and Microsoft's SQL Server databases have EAL4+ certs, too. ®

Internet Security Threat Report 2014

More from The Register

next story
Docker's app containers are coming to Windows Server, says Microsoft
MS chases app deployment speeds already enjoyed by Linux devs
'Hmm, why CAN'T I run a water pipe through that rack of media servers?'
Leaving Las Vegas for Armenia kludging and Dubai dune bashing
'Urika': Cray unveils new 1,500-core big data crunching monster
6TB of DRAM, 38TB of SSD flash and 120TB of disk storage
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
SDI wars: WTF is software defined infrastructure?
This time we play for ALL the marbles
Windows 10: Forget Cloudobile, put Security and Privacy First
But - dammit - It would be insane to say 'don't collect, because NSA'
Oracle hires former SAP exec for cloudy push
'We know Larry said cloud was gibberish, and insane, and idiotic, but...'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.