Virtualization Security Audit and Assessment

BACKGROUND: Introductions, Logistics, Attendee's Learning Objectives. Virtualization Resources, Course CD, have a copy of the audit program available. Virtualization Background, History. Virtualization Benefits. Virtualization as a Control or Security Enhancer. Virtualization Approaches, Vendors, Definitions. Current Developments. General Risks. Applying Virtualization in IS Audit, and in IS Audit Education. Lab Configuration. VMworld, VMware Security Lab, VCP. OVERALL RISKS AND STANDARDS: 10 Key Risks. Gartner Risk Research Results. Other Risk Perspectives, article, blogs, vendors. Standards - Center for Internet Security (3.0 2007, 3.5 in 2009). Standards - VMware Whitepapers (3.52008). Standards - DISA SnG (final 2008). Vulnerabilities - VMSA's and CVE's. Hardware Risks. ESX 3.5 UPDATE 4 = CONTROLS AND SECURITY TECHNIQUES, NETWORK CONFIGURATION & LOGICAL USER ACCESS DEFAULT SETTING "HIGH" (2.X AND 3.X). 20. Remote Connections (throught vCenter, client direct, web direct). Network Configurations and Commands. Ports, SNMP, VLANs, Other. Forwards and Redirects. Iptables Firewall (3.x , not in 2.x). COS Root & VC Administrator controls. Virtual Center Roles & Users. Password Configuration. CONFIGURATION AND OTHER RISKS AND CONTROLS: Patches (VMware not RHEL), VMware Update Manager. Storage Options & Considerations (redundancy, access). Resource Allocation & DOS. Command Line Tools. Logging and Monitoring. Data Discovery. Other. ESX AUDIT/ASSESSMENT APPROACHES AND TOOLS: ESX Audit Program. ESX Policy. Specific Metric Comparison and Enumeration Approaches. Nontechnical Tools and Scope Topics. Tools - Free (or nearly free). Tools Vendor Solutions. Center for Internet Security CIS-CAT 2.1.1. OTHER AUDIT/ ASSESSMENT PROCEDURES: Logging. Patching (VMware Update Manager). Security products and placement. Storage considerations. Build your own tools - VI SDKJAPI (Perl). ESXCFG-INFO
Other Tools -Veeam, vCommander, SearchMyVM, miscellaneous. THE REQUIRED AND ALWAYS ENTERTAINING "MISC": vSphere (aka ESX 4) Differences and New Features. PCIIDSS Considerations. Other - Storage, Backup and continuity topics, ESX 3i. ESX Versions Before 3.5.