4 June, 2008
In December 2004 VMware submitted ESX 2.5 and VirtualCenter 1.2 to Common Criteria, the international standard for computer security, and obtained Evaluation Assurance Level (EAL) 2 over two years later.
The company submitted VMware Infrastructure 3 as well, obtaining EAL4+ this week.
EAL4+, which means that the product is methodically designed, tested and reviewed, is a high level in the Common Criteria ranking (which reaches up to EAL7). The certification is really meaningful, however, only when compared against two documents: a reference model, the Protection Profile, used to verify the functionality and security levels of a certain class of solutions, and a definition document prepared by the vendor, the Security Target, used to describe the security properties of the specific solution.
Protection profiles are written by industry groups, and a security target may use one or more of them as a template.
For example: to certify Windows 2000 Microsoft submitted a security target which used the Operating System protection profile as reference model.
The OS (without any security patches) was ranked EAL4+ in 2005, according to these documents.
As of today there is no protection profile for hypervisors or virtual infrastructures, so VMware has been free to shape the security target without any constraint and has been certified against the definition it provided.
This doesn’t mean that the certification is useless, but that the EAL ranking alone doesn’t imply a secure product.
VMware has already submitted VI 3.5 for the same EAL4+ certification.
Posted by arjanhs
4 June, 2008
Last week, Microsoft announced that Hyper-V RC1 is available.
If you’re already running RC0, the upgrade is really simple. Unlike the Beta to RC0 update, virtual network configurations and virtual machine configurations are now compatible and are migrated in-place. The only gotcha to watch out for is that saved states are not compatible, which includes online snapshots. So please make sure online snapshots are deleted and merged, and your virtual machines are shut down cleanly before applying the update.
If you are still running Hyper-V Beta, take a look at KB949222 for more information. Although that KB was written specifically for Beta to RC0 updates, the same overall information applies for Beta to RC1.
There is one thing in particular worth mentioning about RC1: Microsoft received feedback that upgrading the Integration Services for Windows Server 2008 virtual machines was inconsistent with all other operating systems, and they listened. Starting with RC1, all virtual machines are equal in this regard. Simply run setup.exe from vmguest.iso (Actions/Insert Integration Services Setup Disk in Virtual Machine Connection) regardless of the virtual machine operating system. Note that you still need to apply the main update to the parent partition, though!
The links are here:
Windows Server 2008 x64 (Apply this to the parent partition to upgrade to RC1). More info in KB950049.
And if you are using Windows Vista for Remote Management, here are the tools you need: (KB949587) x64 and x86
Posted by arjanhs