VM Security - VMware Communities
VM Security - VMware Communities
VM Security - VMware Communities
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>VM</strong>ware vSphere<br />
<strong>Security</strong> & Networking<br />
Ofir Zamir,<br />
SE Team Leader, <strong>VM</strong>ware<br />
© 2009 <strong>VM</strong>ware Inc. All rights reserved
<strong>VM</strong>ware Approach to <strong>Security</strong><br />
Platform<br />
<strong>Security</strong><br />
• Secure hypervisor<br />
architecture<br />
• Platform hardening<br />
features<br />
• Secure<br />
Development<br />
Lifecycle<br />
Secure<br />
Operations<br />
• Prescriptive<br />
guidance for<br />
deployment and<br />
configuration<br />
• Enterprise controls<br />
for security and<br />
compliance<br />
Virtualization of<br />
<strong>Security</strong><br />
• Virtualizationaware<br />
security<br />
• Unique Advantage<br />
of virtualization
<strong>Security</strong> of <strong>VM</strong>ware vSphere<br />
PLATFORM SECURITY
Architecture: Types of Server Virtualization<br />
Hosted (Type 2) Bare-Metal (Type 1)<br />
Virtualization Layer<br />
APP<br />
Windows, Linux, Mac<br />
<strong>VM</strong>ware Workstation<br />
<strong>VM</strong>ware Server<br />
<strong>VM</strong>ware Player<br />
<strong>VM</strong>ware Fusion<br />
Host OS<br />
changes<br />
security<br />
profile<br />
<strong>VM</strong>ware ESX/ESXi
Isolation in the Platform<br />
VLAN A<br />
VLAN B<br />
Virtual Machines<br />
• Are not able to interact with<br />
each other (except via<br />
network)<br />
• Are not aware of underlying<br />
storage -- only their own<br />
virtual disk(s)<br />
• Are subject to strict resource<br />
controls<br />
Virtual Switches<br />
• Are complete, VLAN-capable,<br />
layer-2 switches<br />
• Have no mechanism for<br />
sharing network traffic<br />
<strong>Security</strong> Design of the <strong>VM</strong>ware<br />
Infrastructure 3 Architecture<br />
http://www.vmware.com/resources/techres<br />
ources/727
vSphere Advantages: Best Hypervisor Architecture<br />
<strong>VM</strong>ware Architecture<br />
• True thin hypervisor<br />
• No general-purpose OS<br />
• Direct driver model = I/O scaling<br />
• Drivers optimized for <strong>VM</strong>s<br />
• Page Sharing = Greater Density<br />
• Hypervisor owns the resources<br />
MSFT / Xen Architecture<br />
• Large general purpose OS in mgmt<br />
partition<br />
• Indirect driver model<br />
• Generic drivers in mgmt partition<br />
• I/O throughput degradation under load<br />
• All <strong>VM</strong>s down when mgmt partition fails<br />
(BSOD/Kernel panic)
Secure Implementation<br />
<strong>VM</strong>ware ESXi<br />
• Compact footprint (less than<br />
100MB)<br />
• Fewer patches<br />
• Smaller attack surface<br />
• Absence of general-purpose<br />
management OS<br />
• No arbitrary code running on<br />
server<br />
• Not susceptible to common<br />
threats
Secure Implementation<br />
Platform Hardening<br />
• Integrity in Memory Protection<br />
• ASLR – Randomizes where core<br />
kernel modules load into memory<br />
• NX/XD – Marks writable areas of<br />
memory as non-executable<br />
• Kernel Integrity<br />
• Digital signing – ensures the integrity<br />
of drivers and modules as they are<br />
loaded by the <strong>VM</strong>kernel.<br />
• Integrity on Disk<br />
• TPM – helps assure that image that<br />
is booting off the disk has not been<br />
tampered with since the last reboot.
ESXi <strong>Security</strong> Model<br />
Physical /<br />
Console<br />
Management<br />
Network<br />
Production<br />
Network<br />
CIM Client<br />
<strong>VM</strong><br />
<strong>VM</strong><br />
<strong>VM</strong><br />
vSphere API<br />
vSphere Client<br />
vCLI<br />
vSphere SDK<br />
VC<br />
hostd<br />
vpxa<br />
vmkernel<br />
CIM<br />
Broker<br />
<strong>VM</strong>safe <strong>VM</strong><br />
Tech Support<br />
Mode<br />
DCUI<br />
BIOS<br />
<strong>VM</strong>M<br />
<strong>VM</strong>M<br />
Network<br />
Stack<br />
Storage<br />
Stack<br />
<strong>VM</strong>M<br />
Trust Boundary<br />
IP-based<br />
Storage<br />
Inter-ESX<br />
network<br />
Fibre<br />
Channel<br />
Storage<br />
Keyboard<br />
or iLO/equivalent
Isolation by Design<br />
CPU & Memory Virtual Network Virtual Storage<br />
• <strong>VM</strong>s have limited<br />
access to CPU<br />
• Memory isolation<br />
enforced by<br />
Hardware TLB<br />
• Memory pages<br />
zeroed out before<br />
being used by a <strong>VM</strong><br />
• No code exists to link<br />
virtual switches<br />
• Virtual switches<br />
immune to learning<br />
and bridging attacks<br />
• Virtual Machines only<br />
see virtual SCSI<br />
devices, not actual<br />
storage<br />
• Exclusive virtual<br />
machine access to<br />
virtual disks enforced<br />
by <strong>VM</strong>FS using SCSI<br />
file locks<br />
Confidential - INTERNAL ONLY<br />
<strong>Security</strong> Design of the <strong>VM</strong>ware Infrastructure 3 Architecture<br />
http://www.vmware.com/resources/techresources/727<br />
10
Independently validated<br />
Common Criteria<br />
EAL 4+ Certification<br />
• Highest internationally recognized<br />
level<br />
• Achieved for ESX 3.0; in process<br />
for ESX 3.5 and vSphere 4<br />
DISA STIG for ESX<br />
• Approval for use in DoD information<br />
systems<br />
NSA Central <strong>Security</strong> Service<br />
• guidance for both datacenter and<br />
desktop scenarios<br />
11
<strong>Security</strong> of <strong>VM</strong>ware vSphere<br />
SECURE OPERATIONS
vnic<br />
vnic<br />
vnic<br />
Isolation in the Architecture<br />
Segment out all non-production<br />
networks<br />
<strong>VM</strong>kernel<br />
• Use VLAN tagging, or<br />
Production<br />
Mgmt<br />
Storage<br />
• Use separate vSwitch (see<br />
diagram)<br />
vSwitch1<br />
vmnic1 2 3 4<br />
Prod<br />
Network<br />
Mgmt<br />
Network<br />
vSwitch2<br />
Strictly control access to<br />
management network, e.g.<br />
• RDP to jump box, or<br />
• VPN through firewall<br />
<strong>VM</strong>ware Infrastructure 3 <strong>Security</strong> Hardening Guide<br />
http://www.vmware.com/resources/techresources/726<br />
vCenter<br />
Other ESX/ESXi<br />
hosts<br />
IP-based<br />
Storage<br />
13
vSphere 4: Segmentation of Production Networks<br />
PVLAN (Private VLAN)<br />
Enables Layer-2 isolation between <strong>VM</strong>s on the same<br />
switch, even though they are on the same subnet<br />
Private VLAN traffic isolation<br />
between guest <strong>VM</strong>s<br />
Traffic from one <strong>VM</strong> forwarded out through uplink,<br />
without being seen by other <strong>VM</strong>s<br />
Communication between <strong>VM</strong>s on PVLANs can still<br />
occur at Layer-3<br />
Benefits<br />
Scale <strong>VM</strong>s on same subnet but selectivity restrict<br />
inter-<strong>VM</strong> communication<br />
Avoids scaling issues from assigning one VLAN and<br />
IP subnet per <strong>VM</strong><br />
vSwitch with<br />
Private VLAN<br />
capability<br />
Common<br />
Primary VLAN<br />
on uplinks<br />
Implementation<br />
Available when using Distributed Switch
vNetwork Distributed Switching & Cisco Nexus 1000V Switch<br />
CURRENT<br />
vSwitch<br />
vSwitch<br />
vSwitch<br />
Enterprise networking vendors<br />
can provide proprietary<br />
networking interfaces to monitor,<br />
control and manage virtual<br />
networks<br />
Virtual machines retain policies,<br />
QoS as they move around the<br />
datacenter<br />
vDS<br />
vNetwork Distributed Switch<br />
Cisco Nexus 1000V
Cisco Nexus 1000V Architecture<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
Nexus<br />
1000V<br />
VEM<br />
Nexus<br />
1000V<br />
VEM<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
vSphere<br />
vSphere<br />
Virtual Supervisor Module (VSM)<br />
• Virtual or Physical appliance running<br />
Cisco Virtual NXOS Ethernet (supports Module HA) (VEM)<br />
• Performs • Enables management, advanced networking monitoring, &<br />
configuration Cisco capability Nexus on the 1000V hypervisor Installation<br />
• Tight • • Provides integration ESX & each ESXi with <strong>VM</strong> <strong>VM</strong>ware with dedicated vCenter<br />
“switch port”<br />
• VUM & Manual Installation<br />
• Collection of VEMs = 1 vNetwork<br />
• Distributed VEM installed/upgraded Switch<br />
like an ESX<br />
patch<br />
vCenter<br />
Nexus 1000V VSM
Scaling Server Virtualization with Nexus 1000V<br />
Offload <strong>VM</strong> networking to network team<br />
• Abstracts network configuration from virtualization<br />
team<br />
• Network administrator to provide consistent network<br />
configuration to <strong>VM</strong><br />
Optimize bandwidth to server w/ greater<br />
availability<br />
• Dual connectivity to non-clustered switches<br />
• Quality of Service for <strong>VM</strong>otion, Service Console, and<br />
<strong>VM</strong> traffic<br />
Enable virtual machines to be basic building<br />
blocks of data center<br />
• Consistent network operational model for physical<br />
and virtual infrastructure<br />
• Easier regulatory compliance<br />
SG0 SG1 SG0 SG1<br />
Po1<br />
Po2<br />
Cisco VEM<br />
C P<br />
SC <strong>VM</strong>K<br />
<strong>VM</strong> Data
Cisco Nexus 1000V – Faster <strong>VM</strong> Deployment<br />
Cisco VN-Link: Virtual Network Link<br />
Policy-Based<br />
<strong>VM</strong> Connectivity<br />
Mobility of Network &<br />
<strong>Security</strong> Properties<br />
Non-Disruptive<br />
Operational Model<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
Defined Policies<br />
WEB Apps<br />
HR<br />
DB<br />
DMZ<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
<strong>VM</strong> Connection Policy<br />
• Defined in the network<br />
• Applied in Virtual Center<br />
• Linked to <strong>VM</strong> UUID<br />
vCenter<br />
Nexus 1000V VSM
Cisco Nexus 1000V – Richer Network Services<br />
Cisco VN-Link: Virtual Network Link<br />
Policy-Based<br />
<strong>VM</strong> Connectivity<br />
Mobility of Network &<br />
<strong>Security</strong> Properties<br />
Non-Disruptive<br />
Operational Model<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
<strong>VM</strong>s Need to Move<br />
• <strong>VM</strong>otion<br />
• DRS<br />
• SW Upgrade/Patch<br />
• Hardware Failure<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
VN-Link Property Mobility<br />
• <strong>VM</strong>otion for the network<br />
• Ensures <strong>VM</strong> security<br />
• Maintains connection state<br />
vCenter<br />
Nexus 1000V VSM
Cisco Nexus 1000V - Increased Operational Efficiency<br />
Cisco VN-Link: Virtual Network Link<br />
Policy-Based<br />
<strong>VM</strong> Connectivity<br />
Mobility of Network &<br />
<strong>Security</strong> Properties<br />
Non-Disruptive<br />
Operational Model<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
VI Admin Benefits<br />
• Maintains existing <strong>VM</strong> mgmt<br />
• Reduces deployment time<br />
• Improves scalability<br />
• Reduces operational workload<br />
• Enables <strong>VM</strong>-level visibility<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Network Admin Benefits<br />
• Unifies network mgmt and ops<br />
• Improves operational security<br />
• Enhances <strong>VM</strong> network<br />
features<br />
• Ensures policy persistence<br />
• Enables <strong>VM</strong>-level visibility<br />
vCenter<br />
Nexus 1000V VSM
Key Features of the Nexus 1000V<br />
Switching<br />
<strong>Security</strong><br />
Provisioning<br />
Visibility<br />
Management<br />
• L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)<br />
• IGMP Snooping, QoS Marking (COS & DSCP)<br />
• Policy Mobility, Private VLANs w/ local PVLAN Enforcement<br />
• Access Control Lists (L2–4 w/ Redirect), Port <strong>Security</strong><br />
• Automated vSwitch Config, Port Profiles, Virtual Center Integration<br />
• Optimized NIC Teaming with Virtual Port Channel – Host Mode<br />
• <strong>VM</strong>otion Tracking, ERSPAN, NetFlow v.9 w/ NDE, CDP v.2<br />
• <strong>VM</strong>-Level Interface Statistics<br />
• Virtual Center <strong>VM</strong> Provisioning, Cisco Network Provisioning, CiscoWorks<br />
• Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)
Policy Based <strong>VM</strong> Connectivity<br />
Enabling Policy<br />
1. Nexus 1000V automatically<br />
enables port groups in<br />
<strong>VM</strong>ware vCenter<br />
2. Server Admin uses vCenter<br />
to assign vnic policy from<br />
available port groups<br />
3. Nexus 1000V automatically<br />
enables <strong>VM</strong> connectivity at<br />
<strong>VM</strong> power-on<br />
WEB Apps:<br />
PVLAN 108, Isolated<br />
<strong>Security</strong> Policy = Port 80 and 443<br />
Rate Limit = 100 Mbps<br />
QoS Priority = Medium<br />
Remote Port Mirror = Yes<br />
1.<br />
3.<br />
vCenter<br />
2.<br />
Nexus<br />
1000V<br />
VEM<br />
Defined Policies<br />
WEB Apps<br />
HR<br />
DB<br />
DMZ<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
vSphere<br />
Nexus 1000V VSM
Policy Based <strong>VM</strong> Connectivity<br />
What can a policy do<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
Policy definition supports:<br />
• VLAN, PVLAN settings<br />
• ACL, Port <strong>Security</strong>, ACL<br />
Redirect<br />
• Cisco Trust Sec (SGT)<br />
• NetFlow Collection<br />
• Rate Limiting<br />
• QoS Marking (COS/DSCP)<br />
• Remote Port Mirror (ERSPAN)<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
vCenter<br />
Nexus 1000V VSM
Mobility of <strong>Security</strong> & Network Properties<br />
Following your <strong>VM</strong>s around<br />
1. vCenter kicks off a<br />
Vmotion (manual/DRS)<br />
and notifies Nexus<br />
1000V<br />
2. During <strong>VM</strong> replication,<br />
Nexus 1000V copies <strong>VM</strong><br />
port state to new host<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Nexus<br />
1000V<br />
VEM<br />
vSphere<br />
Mobile Properties Include:<br />
Port policy<br />
Interface state and counters<br />
Flow statistics<br />
Remote port mirror session<br />
1.<br />
vCenter<br />
<strong>VM</strong>otion Network Notification<br />
Persistence<br />
• Current: <strong>VM</strong> port <strong>VM</strong>1 config, state Server 1<br />
• New: <strong>VM</strong> monitoring <strong>VM</strong>1 Server statistics 2<br />
2.<br />
Nexus 1000V VSM
Mobility of <strong>Security</strong> & Network Properties<br />
Following your <strong>VM</strong>s around<br />
1. vCenter kicks off a<br />
Vmotion<br />
(manual/DRS) and<br />
notifies Nexus 1000V<br />
2. During <strong>VM</strong><br />
replication, Nexus<br />
1000V copies <strong>VM</strong> port<br />
state to new host<br />
3. Once <strong>VM</strong>otion<br />
completes, port on<br />
new ESX host is<br />
brought up & <strong>VM</strong>’s<br />
MAC address is<br />
announced to the<br />
network<br />
<strong>VM</strong><br />
Nexus<br />
1000V<br />
VEM<br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
vCenter<br />
vSphere<br />
Nexus<br />
1000V<br />
VEM<br />
Network Update<br />
• ARP for <strong>VM</strong>1 sent<br />
to network<br />
• Flows to <strong>VM</strong>1 MAC<br />
redirected to Server 2<br />
vSphere<br />
Nexus 1000V VSM<br />
3.
Source<br />
Group<br />
Cisco Nexus 1000V – <strong>VM</strong> <strong>Security</strong><br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
<strong>VM</strong> <strong>VM</strong> <strong>VM</strong> <strong>VM</strong><br />
I<br />
P C<br />
C<br />
I<br />
vSphere vSphere vSphere<br />
Private VLAN<br />
• Promiscuous port<br />
• Isolated port<br />
• Community port<br />
<strong>Security</strong> Features<br />
• Access Control List<br />
• Port <strong>Security</strong><br />
• DHCP Snooping<br />
• IP Source Guard<br />
• Dynamic ARP Inspection<br />
Cisco TrustSec<br />
• Admission control: 802.1X<br />
• Hop-by-hop crypto: 802.1AE<br />
• <strong>Security</strong> Group Tag<br />
SGACL<br />
Matrix<br />
Destination Group<br />
- +<br />
+ -
<strong>Security</strong>:<br />
Virtual Service Domain<br />
Virtual Service Domain define a logical group of virtual machines<br />
protected by a virtual appliance.<br />
All the traffic entering or leaving the group will be sent to that<br />
particular virtual appliance.<br />
27
Nexus 1000V Installation Application<br />
Even Easier Installation<br />
Virtualization Admin deploy<br />
VSM virtual appliance with<br />
configuration parameters<br />
Network Admin configure<br />
VSM with GUI wizard<br />
Watch the video: https://www.myciscocommunity.com/videos/4057<br />
28
<strong>Security</strong> of <strong>VM</strong>ware vSphere<br />
VIRTUALIZATION OF SECURITY<br />
29
<strong>VM</strong>ware vShield Zones<br />
Capabilities<br />
Define <strong>VM</strong> zones based on familiar VI<br />
containers<br />
Monitor allowed and disallowed<br />
activity by application-based<br />
protocols<br />
One-click flow-to-firewall blocks<br />
precise network traffic<br />
Benefits<br />
Pervasive: well-defined security<br />
posture for inter-<strong>VM</strong> traffic anywhere<br />
and everywhere in virtual<br />
environment<br />
Persistent: monitoring and assured<br />
policies for entire <strong>VM</strong> lifecycle,<br />
including <strong>VM</strong>otion live migrations<br />
Simple: Zone-based rules reduces<br />
policy errors
Protecting data flows - DLP integration with VShields<br />
DLP is now embedded<br />
within the vSphere<br />
infrastructure<br />
Can protect internal data<br />
flows<br />
31
<strong>VM</strong>safe Enables Application Protection<br />
<strong>VM</strong>safe API and Partner Program<br />
• Protect the <strong>VM</strong> by inspection of virtual<br />
components (CPU, Memory, Network and<br />
Storage)<br />
• Run outside the <strong>VM</strong><br />
• Complete integration and awareness of<br />
<strong>VM</strong>otion, Storage <strong>VM</strong>otion, HA, etc.<br />
• Fundamentally changes protection available<br />
for <strong>VM</strong>s running on <strong>VM</strong>ware Infrastructure vs.<br />
physical machines<br />
• Provides an unprecedented level of<br />
security – “Virtual is more secure than<br />
Physical”<br />
ESX with ESX<strong>VM</strong>safe<br />
<strong>VM</strong>safe<br />
http://vmware.com/go/vmsafe
vNetwork Appliance API (aka <strong>VM</strong>safe-Net)<br />
<strong>VM</strong>ware ESX 3.5<br />
<strong>VM</strong>ware ESX<br />
<strong>VM</strong>ware ESX<br />
Appliance <strong>VM</strong><br />
Run the<br />
Firewall in a<br />
Bridge<br />
Appliance<br />
<strong>VM</strong><br />
<strong>VM</strong>ware vSphere<br />
<strong>VM</strong>ware 4 ESX<br />
vSwitch<br />
vSwitch<br />
vSwitch<br />
vNetwork<br />
Appliance<br />
vSwitch<br />
External<br />
Firewall<br />
Appliance<br />
Disadvantages:<br />
• Overhead<br />
• Lack of flexibility<br />
• Lack of Mobility<br />
Advantages:<br />
• Less overhead<br />
• vNetwork Platform<br />
provides mobility
vNetwork Appliance API (aka <strong>VM</strong>safe-Net)<br />
• vNetwork Appliance API can<br />
inspect/alter/drop/inject any<br />
frame on a given port<br />
• Fast Path Agent<br />
• Runs in the Vmkernel<br />
• Might send packets to the<br />
slow path<br />
• Slow Path Agent<br />
• Runs in an Appliance <strong>VM</strong><br />
• APIs for 3 rd Party Vendors to<br />
develop vNetwork Appliances<br />
<strong>VM</strong>ware ESX<br />
VNIC<br />
Local Data Plane<br />
PKT<br />
Appliance <strong>VM</strong><br />
Slow Path Agent<br />
Filter<br />
Filter<br />
Fast Path Agent<br />
Vmkernel
<strong>VM</strong>safe Partner Releases, Q1 2010<br />
Category Partner Solution Status<br />
Firewall<br />
VPN1-VE<br />
Firewall VF 3.0<br />
ALTOR<br />
NETWORKS<br />
UTM - Firewall, IPS, App FW<br />
Firewall, network monitoring<br />
Early Access<br />
GA<br />
IDS/IPS<br />
IBM ISS Proventia<br />
Hybrid host/network IPS + Anti-rootkit + Virtual NAC<br />
GA<br />
DLP<br />
Protecting data flows<br />
DLP integration with VShields<br />
GA<br />
IDS/IPS<br />
<strong>VM</strong>C<br />
vTrust network zoning, network IPS, virtualization mgmt<br />
GA<br />
Antivirus Virusscan for Offline Virtual Images (OVI) 2.0<br />
Offline AV<br />
Antivirus Core Protection for Virtual Machines 1.0<br />
Online / Offline AV<br />
GA<br />
GA
Where to Learn More<br />
<strong>Security</strong><br />
• Hardening Best Practices<br />
• Implementation Guidelines<br />
http://vmware.com/go/security<br />
Compliance<br />
• Partner Solutions<br />
• Advice and Recommendation<br />
http://vmware.com/go/compliance<br />
Operations<br />
• Peer-contributed Content<br />
http://viops.vmware.com
Thank You<br />
© 2009 <strong>VM</strong>ware Inc. All rights reserved