In this tough economic environment, we are always on the lookout for opportunities to do more with less. In my last post, I pointed you to two free tools to help locate rogue SharePoint sites. Keeping with the theme, here are some free tools for virtualization security.
There are multiple security issues that need to be at least considered before undertaking a widespread virtualization initiative. Of the dozens of best practices for securing virtualization, a foundational one is to define your own standard(s) for secure configuration of the layer of virtualization software (the hypervisor and the virtual machine monitor) and regularly ensure that the virtualization layer is configured according to your standards.
At least two vendors are providing some capabilities to do this at no cost for VMware’s ESX: Tripwire’s ConfigCheck (Tripwire is best known for file integrity monitoring, but also has configuration management capabilities) and Configuresoft’s Compliance Checker for VMware ESX.
Free is not a sustainable business model, so there are some limitations to the tools. For example, they may limit the number of servers scanned or limit scans to comparisons against just the VMware or Center for Internet Security hardening guidelines (the idea is to get you to upgrade to an enterprise version where you can expand and modify the configuration definitions).
Of course, doing nothing is also free, but as with any enterprise IT platform, we have a responsibility to make sure the virtualization platform has a configuration and vulnerability management process defined and followed.
If you are checking configurations manually or not at all, free tools are a good way to get started.