VMware Cloud Community
pciversen
Contributor

The VMWare ESX 3.02 EAL-4 certification and its certification report - classified information

I have some questions regarding the EAL-4 certification of VMWare ESX 3.02 and Virtual Center 2.02 (http://www.cse-cst.gc.ca/documents/services/ccs/vmware-sec-e.pdf).

In the Certification report (http://www.cse-cst.gc.ca/documents/services/ccs/vmware-cert-e.pdf) it is written:

7.3 Clarification of Scope

VMware® ESX Server and VirtualCenter provides a level of protection that is appropriate for low robustness environments processing unclassified information.

We are currently in the process of considering VMWare ESX 3.02 and Virtual Center 2.02 for a Government customer. The customer processes classified data.

Local security laws demand EAL-4 certification for solution components processing classified data.

My question is:

Is it in your opinion advisable to recommend the VMWare ESX 3.02 and Virtual Center 2.02 products to the customer?

4 Replies
Texiwill
Leadership

Hello,

Yes, but this truly depends upon your design. Security of the virtual environment is more than passing EAL-4; it is also the design and configuration of the virtualization hosts.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
pciversen
Contributor

I am aware that the EAL-4 certification is dependent on how the solution is configured.

My concern is that the EAL-4 certification report states that the VMWare ESX 3.02 solution is not suited for processing classified information.

Texiwill
Leadership

Hello,

All I can say is that I know ESX is being used within classified environments, so regardless of EAL-4 reports, it is possible and people are doing it today. However, if the organization you do work for goes by only EAL-4 and this report, then you will have an uphill battle.

I think the main reason for this is that it is still based on DAC and not MAC, as well as the lack of two-factor identification support within the management of ESX or other such things within the VMs, i.e. no way to use a USB dongle easily. Outside of this, it truly depends on your configuration and the classification level of the administrators.


Best regards,

Edward L. Haletky

TomHowarth
Leadership

I too can confirm that ESX 3.02 is being used in classified and higher locations.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410