VMware has announced that it earned Common Criteria Evaluation Assurance Level 4 (EAL4+) for VMware vSphere 4.0 and vCenter Server 4.0. The Common Criteria is an international set of guidelines that provides a common framework for evaluating security features and capabilities of Information Technology (IT) security products, and EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA).

For VMware Infrastructure 3 the EAL4+ certification was achieved in June 2008. And VMware announced in August 2009 that it submitted vSphere 4.0 for Common Criteria certification and at that time it expected to earn the certification in H2 2010. Also vSphere 4.1 has been submitted for evaluation.

The reference model used for EAL4+ is called a Protection Profile, which are written by the industry groups. The Protection Profile is used to verify the functionality and the security levels of a certain class of solutions. Based on the Protection Profile, the vendor who wants to have its product certified, writes a Security Target document using the Protection Profile as a template. The Security Target document details the security properties of their solution.

Its important to note that for hypervisors these certifications are still based on Protection Profiles for operating systems, since there still isn’t a protection profile for hypervisors available at this point in time, even though the certification gives a good idea on how the product is performing security wise though.

Because the vendor itself specifies the Security Target document, it’s really interesting to know what isn’t included, especially when you want to compare the product with comparable products which are also EAL4+ certified.

For ESX/ESXi functionalities not included in the Security Target are:

  • Simple Network Management Protocol (SNMP), File Transfer Protocol (FTP), Telnet
  • The use of any authentication method on ESX(i) other than the local password database
  • VMware Software Development Kit (SDK) tools
  • The procfs interface (used to manage CPU resources) on the ESX host Service Console
  • VMware Scripting Application Programming Interface (API) on the ESX host.
  • VMware Consolidated Backup
  • Guest OS patch updates via Update Manager

By earning this certification VMware stays way ahead of Citrix for which XenServer 5.6. and XenDesktop 4.0 achieved EAL2 certification in September this year.

http://virtualization.info/en/news/2010/11/vmware-vsphere-4-0-receives-common-criteria-eal4-certification.html