This is a follow up to a post I made a while back where we took a look at some of the security risks identified by Gartner and some of the Features of Shavlik Protect that can help you reduce these risks. Today we will talk about a couple more of the items.
3 Utilize snapshots for rollback.
Vendors have gotten much better about turning out a stable patch, but it is always good to have an insurance policy. Shavlik Protect supports rollback for patches that the vendor supports rollback. In cases where the vendor does not support rollback the ability to snapshot a virtual machine before executing patches introduces a better and easier way to support rollback. Protect has the ability to snapshot vSphere VMs before andor after patch deployments. This snapshot can be reverted to very quickly and rolls back to the state before execution. Most customers I speak to are concerned that they can revert if needed, but most don’t have to do this often. This is configurable in the Deployment Template under the Hosted VMs/Templates tab.
4 Updating VMware Tools.
One of the most important components to ensure is being updated in your vSphere environment is the VMware Tools. This is the interface between the VM and the infrastructure for many VMware and 3rd party products. Many vSphere admins think their tools are up to date because the summary for that machine shows it is up to date. In fact that is only valid if you applied the latest VM Tools updates to your hypervisor. Then there is a delay and often a reboot required until the status for that VM updates to show it is now out of date. Now you need to update to the latest tools by having them run on VM startup which requires user intervention or by python script through some other means. Throw in a cluster of hypervisors all on different versions and different versions of the tools and it gets to be a real mess. The good news is there is a better way. VMware has made their tools all backward compatible. You can push the latest version of the 5.5 tools to your VMs regardless of what version each host is running on. Shavlik Protect will detect an install of VMware Tools and update to the latest 5.5 tools. This way you can ensure that as long as you have the one set of tools at the latest version and no new vulnerabilities have been discovered you have a secure version on every VM. This was released as a security patch towards the middle of 2013 and most customers would likely already be updating in this way unless they utilize patch groups to approve what gets deployed. You can read more in our FAQ on updating VMware Tools.
These are some of the basics that can help you ensure you are delivering the same level of security to the virtual infrastructure as you are in your physical infrastructure. It is important to make sure the teams involved are all in agreement and utilizing the tools available, and that policies are up to date and describe the coverage to both the physical and virtual infrastructures. Also evaluate other tools you utilize to ensure they also cover your virtual infrastructure effectively.