This article is more than 1 year old
VMware's vSphere cleared for military spook servers
ESX Server 4.0 reporting for duty, sir!
VMware's vSphere 4.0 stack has received its EAL4+ certification for use with military and intelligence services.
To pass muster with government military and intelligence services, virtual servers have to show they can eat nails and piss fire just like physical servers and their operating systems. That's one of the reasons why getting certified for various levels of the Common Criteria security test are important. Considering how virtual machines are the equivalent of putting all of your warheads inside one missile, maybe virtual machine hypervisors should have to prove they are even more secure than a physical server with a single operating system running on it.
The Common Criteria is an international certification that is an amalgam of security standards from North American and European governments that was established in the late 1990s and began to be widely used to prove the security of servers, operating systems, firewalls, and all kinds of devices in the early 2000s. These devices are given different Evaluation Assurance Level (ELA) ratings, and the current high water mark is EAL 7+, which only one product has been certified to and that was back in 2006. A total of 1,272 products have been put through Common Criteria bootcamp; you can check them all out here.
The EAL4+ level is the one that makes governments and those who adopt their securities standards approach something close to comfortable, and it turns out it is the highest level that the countries who created the Common Criteria agree upon. Once you hit EAL5, the arguing about relevance begins.
It takes a while to test and certify a platform using the Common Criteria specs because to get through the EAL4 and higher levels, auditors and security experts have to have access to the source code and go through it with a fine-toothed comb, looking for holes. Anything EAL3 or lower can be certified as secure through a test, but has not had its internals poured over by propellerheads. In addition to a basic EAL security certification, there are other security hoops (called profiles) a vendor can jump through to get extra credit (that's the plus in EAL4+ ratings you see out there).
The three main profiles ones that give you the little plus are: Controlled Access Protection Profile (CAPP), Role-Based Access Control Protection Profile (RBACPP), and Labeled Security Protection Profile (LSPP). IT vendors used to cherry pick which profiles they would test, but Homeland Security, the Defense Department, and similar government agencies the world over want all three these days.
The vSphere 4.0 stack was announced in April 2009 and started shipping later that summer. But the hassle and time it takes to get EAL4+ certification means VMware is only getting its badge now. It will probably take a similar amount of time for VMware to get the vSphere 4.1 and its integral ESX Server 4.1 hypervisor, which debuted this July, through the security tests. VMware's ESX Server and ESXi 3.5 hypervisors and the VirtualCenter 2.5 console were certified at the EAL4+ level in February of this year. ESX Server 3.0.2 and Virtual Center 2.0.2 got their EAL4+ sticker in May 2008.
The full list of operating systems and hypervisors that have been certified under the Common Criteria include most of the products you know. Windows Vista, Windows Server 2008, and Hyper-V are currently certified at the EAL4+ level, and so are Windows Sever 2003 SP2 and Windows XP SP2. Believe it or not, so was Windows Advanced Server and Windows 2000 Professional back in 2002.
Red Hat Enterprise Linux 4 and 5 have their EAL4+ stickers, and so does Novell's SUSE Linux Enterprise Server 9 (with some help from IBM. Novell did not get certifications for SLES 10 and SLES 11, which seems foolish. Solaris 10 was certified at EAL4+ in November 2007, with the with Trusted Extensions certified in June 2008; Solaris 9 made it to EAL4+, but Solaris 8 only EAL4.
Hewlett-Packard's HP-UX 11i v3 passed its EAL4+ tests in November 2009, with v2 getting its EAL4+ grade in May 2006. IBM 5L 5.2 was certified at EAL4+ in November 2002, AIX 5.3 in January 2007, and AIX 6.1 in May 2008. IBM's last six releases (6 through 11) of z/OS V1 for its mainframes have their EAL4+ seals of government approval, and the PR/SM hypervisor for mainframes is rated at EAL5. Oracle's 10g and 11g, IBM's several DB2 generations, and Microsoft's SQL Server databases have EAL4+ certs, too. ®