Re: Question on CPE:/a:vmware and other hypervisors


Re: Question on CPE:/a:vmware and other hypervisors

Mahadevan Lakshminar

Hi

I am new to the group; maybe y'all already had this discussion and sorted it out. Can someone share the justification for why VMware ESX and ESXi are categorized as Applications and not as Operating Systems? From what I have read, and as VMware claims, the VMkernel runs on bare metal and loads a few other modules/consoles on top to host the virtual machines - http://www.vmware.com/products/vsphere/esxi-and-esx/index.html

Here is another link (http://iase.disa.mil/stigs/downloads/pdf/esx_server_stig_v1r1_final.pdf) to one of the documents from DISA, Ver 1 Rel 1, which talks about the Security Implementation on ESX Servers. In the first few pages it explains Type I and II VMMs (Virtual Machine Monitors) and Type I and II HVMs (Hybrid Virtual Machines). In Section 2.2.1 - page 13 it explains Type II VMMs in detail but, towards the end, as the last line, it refers to ESX Server as a Type I HVM which runs on bare metal like an OS [referred line - VMware ESX Server is considered a Type I "bare metal" hybrid VMM]

My other question is, if this same rationale applies to other hypervisors, should all of them be considered OSes, or should all hypervisors have a new classification as Hypervisors or Virtual Machines (something like cpe:/h:… or cpe:/v:…)?

Thanks

Maha

[hidden email]

Off: 202-366-4080

CENTECH GROUP

on assignment at DOT-NHTSA

Washington DC 20590


Re: Question on CPE:/a:vmware and other hypervisors

Brant Cheikes

I would be curious to hear feedback from the CPE community on this.  Personally, I'd lean towards classifying virtualization systems and hypervisors as operating systems, and assigning them "o" as the CPE "part".  What are the arguments against doing so?  I would tend to lean against adding a new distinct "part" value, such as "v", especially since that would entail a modification to the specification, which currently limits "part" values to "o", "a", or "h" (for "hardware" rather than "hypervisor").

 

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 

From: Mahadevan Lakshminar [mailto:[hidden email]]
Sent: Thursday, August 04, 2011 2:15 PM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors

 

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

An alternative would be to just not specify the "part" of the CPE.  You can argue that Type 1 hypervisors, Type 2 hypervisors, and alternative virtualization engines (e.g. Java VM) are firmware, OS, and/or application or some combination.  Version 2.2 and later make the part designator optional, so I've been exploiting that to avoid trying to build business logic that "tags" an installed "thing" with a part designator during our autodiscovery process.  Noting that the behavior of a null CPE component is "match anything", that seems to be a good fit for hypervisors.  


Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]

-----Original Message-----
From: Cheikes, Brant A. [mailto:[hidden email]]
Sent: Thursday, August 04, 2011 2:30 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

McCormick, Christopher [USA]
Assuming Maha's question of "Can someone share on what is the justification of why VMWare ESX and ESXi are categorized as Applications and not as Operating Systems." is directed towards current mappings in the current CPE Dictionary, I believe the scope of this question needs to be aligned with the Dictionary specification.  As the CPE Dictionary specification states in section 6.1.2, "Each identifier name MUST contain known data (e.g., not the ANY logical value) for the part, vendor, product, and version attributes’ values. This ensures that each identifier name contains the minimum amount of data required to identify a unique product class."

For CPE Dictionary use, the part prefix must be assigned and cannot be specified as 'ANY'.

________________________________________
From: WOLFKIEL, JOSEPH L CIV DISA PEO-MA [[hidden email]]
Sent: Friday, August 05, 2011 7:22 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

Brant Cheikes
Chris is correct regarding policies for the Official CPE Dictionary, once we adopt CPE 2.3.  Dictionary entries must specify at least part, vendor, product and version.  But there's nothing in either the naming or matching specifications to suggest that a name with part=ANY is invalid.  So Joe could still design his autodiscovery process to generate interim CPE names with part=ANY.  These would be well formed names, but would not be allowed in the Official Dictionary.  That shouldn't be a problem.  He can use the matching capabilities to search the Official Dictionary for matches, using his auto-generated names in the "source" position, and iterating over each Dictionary entry as a candidate "target".  This is all fine and meets conformance requirements.  So I still think we could establish the convention of assigning part=o to all Official Dictionary entries for virtualization systems.

/Brant

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352


-----Original Message-----
From: Mccormick, Christopher [USA] [mailto:[hidden email]]
Sent: Friday, August 05, 2011 10:57 AM
To: cpe-discussion-list CPE Community Forum
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

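The two mechanics discussed in Chris's and Brant's posts above, the dictionary rule that part/vendor/product/version may not be ANY and the source-versus-target matching of an auto-generated name against dictionary entries, as an added example. This is not code from the CPE specification, the Official Dictionary, or any poster in this thread; it follows the attribute comparison of NISTIR 7696 section 6 in simplified form (no wildcard-on-both-sides handling), and the dictionary entries it queries are constructed for illustration, not real dictionary records.

```python
"""Added example (not code from the CPE specification, the Official Dictionary,
or any poster in this thread): CPE 2.3 name matching when the source name
leaves the part attribute unspecified (ANY), as in Joe's autodiscovery case,
plus the dictionary rule Chris quoted (part, vendor, product and version must
not be ANY). Follows the attribute comparison of NISTIR 7696 section 6 in
simplified form; the dictionary entries below are constructed for illustration."""
import re
from typing import Dict, List

ANY = "*"   # logical value ANY in formatted-string form
NA = "-"    # logical value NA  in formatted-string form
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

EQUAL, SUPERSET, SUBSET, DISJOINT = "EQUAL", "SUPERSET", "SUBSET", "DISJOINT"

# Constructed illustration of dictionary entries; these are not real
# Official Dictionary records. The same product appears under part=a and
# part=o to show what an unspecified part does to a lookup.
CONSTRUCTED_DICTIONARY = [
    "cpe:2.3:a:vmware:esxi:4.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:vmware:esxi:4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:vmware:workstation:7.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*",
]


def parse_fs(fs: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its eleven attributes.

    Colons inside a value are backslash-escaped in formatted strings, so the
    split ignores any ':' preceded by a backslash."""
    prefix = "cpe:2.3:"
    if not fs.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: " + fs)
    fields = re.split(r"(?<!\\):", fs[len(prefix):].lower())
    if len(fields) != len(ATTRS):
        raise ValueError(f"expected {len(ATTRS)} attributes, got {len(fields)}: {fs}")
    return dict(zip(ATTRS, fields))


def compare_attr(src: str, tgt: str) -> str:
    """Set relation of one source attribute to one target attribute.

    ANY on the source side is a superset of anything (including NA); ANY on
    the target side makes the source a subset; NA against a concrete value
    is disjoint. A value containing '*' wildcards is treated as a pattern."""
    if src == tgt:
        return EQUAL
    if src == ANY:
        return SUPERSET
    if tgt == ANY:
        return SUBSET
    if src == NA or tgt == NA:
        return DISJOINT
    if "*" in src and "*" in tgt:
        raise ValueError("wildcards on both sides are undefined in NISTIR 7696")
    if "*" in src:
        pattern = "^" + re.escape(src).replace(r"\*", ".*") + "$"
        return SUPERSET if re.match(pattern, tgt) else DISJOINT
    if "*" in tgt:
        pattern = "^" + re.escape(tgt).replace(r"\*", ".*") + "$"
        return SUBSET if re.match(pattern, src) else DISJOINT
    return DISJOINT


def compare_names(source: str, target: str) -> Dict[str, str]:
    """Per-attribute relations of a source name against a target name."""
    s, t = parse_fs(source), parse_fs(target)
    return {a: compare_attr(s[a], t[a]) for a in ATTRS}


def source_matches_target(source: str, target: str) -> bool:
    """True when the source is a superset of, or equal to, the target
    (every attribute EQUAL or SUPERSET), i.e. the target falls within the
    product class the source describes."""
    return all(r in (EQUAL, SUPERSET) for r in compare_names(source, target).values())


def lookup(source: str, dictionary: List[str]) -> List[str]:
    """Brant's procedure: the auto-generated name is the source, and each
    dictionary entry is tried in turn as the target."""
    return [t for t in dictionary if source_matches_target(source, t)]


def dictionary_valid(name: str) -> bool:
    """The dictionary rule Chris quoted: part, vendor, product and version
    must carry known data, not ANY. Names that fail are still well-formed
    and can be used as match sources; they just cannot be dictionary entries."""
    attrs = parse_fs(name)
    return all(attrs[a] != ANY for a in ("part", "vendor", "product", "version"))


if __name__ == "__main__":
    unknown_part = "cpe:2.3:*:vmware:esxi:4.1:*:*:*:*:*:*:*"
    print("part=ANY matches:", lookup(unknown_part, CONSTRUCTED_DICTIONARY))
    print("part=o   matches:", lookup("cpe:2.3:o:vmware:esxi:4.1:*:*:*:*:*:*:*",
                                      CONSTRUCTED_DICTIONARY))
    print("dictionary-valid:", dictionary_valid(unknown_part))
```

With the part left as ANY, the lookup returns both the part=a and the part=o entries for the same product, which is exactly why the source name is usable for matching but not admissible as a dictionary entry: the matcher tolerates the ambiguity, the dictionary does not. Whatever convention the Official Dictionary adopts for hypervisors, an autodiscovery process that emits part=ANY will keep finding the entry; one that guesses "a" or "o" will miss it when the guess is wrong.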
Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

McCormick, Christopher [USA]
In reply to this post by WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Has the CPE community ever considered the idea of a universal ("combination", as Joe noted) identifier that is chameleon-like in its role?  While it cannot be listed as ANY, maybe some universal part identifier on an entity, such as to say, "this is one of the three, not sure what, but it is something worth knowing".  Make the name provisional, as long as we attempt to discover what it is in the end.  What if the CPE community were to consider adopting some sort of universal part identifier that can be applied to situations like I described?  Firmware is a similar beast which I personally believe could use a new mapping, maybe to this new "combination" identifier, since the most effective part reference may not be cpe:/a, o, or h!

This is only a suggestion for the sake of acquiring and increasing the # of assets and dictionaries that can be stood up as well as linking relevant information such as Joe's use case where part isn't used (all the time?).

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

McCormick, Christopher [USA]
In reply to this post by Brant Cheikes
' So I still think we could establish the convention of assigning part=o to all Official Dictionary entries for virtualization systems.'

What if a virtualization system does not include a core operating system as part of its offering?  For instance, Microsoft Virtual PC?   I don't believe that virtualization software application should be called an operating system, but honestly, I'd leave it up to the vendor to tell me one way or the other.

Maybe a simple rule of thumb could be:

- If a virtualization software package includes a kernel or core operating system, then cpe:/o

- If a virtualization software package does not include a kernel or core operating system, then cpe:/a

- If a virtualization software package is bundled on hardware and said virtualization software package CANNOT be used, downloaded, configured and used elsewhere, then cpe:/h

________________________________________
From: Cheikes, Brant A. [[hidden email]]
Sent: Friday, August 05, 2011 11:59 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

Adam Montville
In reply to this post by WOLFKIEL, JOSEPH L CIV DISA PEO-MA
The problem with hypervisors is that, taken alone, they fit the definition
of an operating system nicely, but when you consider that they are used to
enable multiple instances of operating systems to share the same hardware,
that definition starts to break down - it's really all about the context.
At what point is a proper "operating system" considered an "application?"
Probably from the perspective of the hypervisor.  But, from the
perspective of the proper operating system, the hypervisor is "hardware."

But, what business processes and stakeholders are we supporting here?
That makes a difference as to how we should view these things.  On the
most abstract level we want asset management, configuration management,
and change management to support certification and accreditation,
continuous monitoring, and risk management processes.

What if we view these "things" from their own point of view?

A proper operating system is just that, an operating system regardless of
whether it's on actual or virtualized hardware.  A hypervisor, to itself,
is an operating system by definition.  If I'm hardening a VMware system, I
don't look at the hosted guests as applications, they're operating systems
with their own hardening guidance.  Similarly, if I'm hardening one of
those guest operating systems, I'm looking at the hypervisor as hardware,
which is to say that I ignore hypervisor-specific hardening.  Instead, I
rely on having a comprehensive set of hardening procedures that trace back
to my standards, processes and policies.

That's the long way to say that it seems that a hypervisor is really just
an operating system.

Virtual machines (JVM, .Net Runtime) are significantly different in my
opinion, because they are by and large applications running on top of a
proper operating system.  I'm sure there are exceptions, but from an
operational perspective, I've not run across any hardware implementations
of the Java Virtual Machine, for example - others may have.

I hope this discussion informs CPE "next" (3.0??).  We should now know
that our view of the world may change as technology evolves, and building
flexibility into the specifications to allow for such change without
updates to the specification seems like a good idea.

Adam



On 8/5/11 4:22 AM, "WOLFKIEL, JOSEPH L CIV DISA PEO-MA"
<[hidden email]> wrote:

>Classification:  UNCLASSIFIED
>Caveats: NONE
>
>An alternative would be to just not specify the "part" of the CPE.  You
>can argue that Type 1 hypervisors, Type 2 hypervisors, and alternative
>virtualization engines (e.g. Java VM) are firmware, OS, and/or
>application or some combination.  Version 2.2 and later make the part
>designator optional, so I've been exploiting that to avoid trying to
>build business logic that "tags" an installed "thing" with a part
>designator during our autodiscovery process.  Noting that the behavior of
>a null CPE component is "match anything", that seems to be a good fit for
>hypervisors.  
>
>
>Joseph L. Wolfkiel
>Engineering Group Lead
>DISA PEO MA/IA52
>(301) 225-8820
>[hidden email]
>

Re: Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

WOLFKIEL, JOSEPH L CIV DISA PEO-MA
Classification:  UNCLASSIFIED
Caveats: NONE

Not sure about this, but from my experience, the hosted operating systems see the hypervisor as a collection of virtual hardware and a hosting OS will see the hypervisor as just another application.  Given the heuristics just described, I would expect hypervisors to be either assigned an "h" or an "a" depending on which perspective you're viewing them from.

I suppose it does come down to the use cases to be supported.  If we have the luxury of having weeks-long debates on the mailing list before assigning names to products, then it makes sense to take the time and have a big community consensus.  If we need to have sensors deployed that can detect and assign names to hardware, software, and firmware--even if it's completely new, I don't think it's sustainable to try to have these debates, then build the business logic we come up with into all the systems we deploy.

Joseph L. Wolfkiel
Engineering Group Lead
DISA PEO MA/IA52
(301) 225-8820
[hidden email]


-----Original Message-----
From: Adam Montville [mailto:[hidden email]]
Sent: Tuesday, August 09, 2011 7:33 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Question on CPE:/a:vmware and other hypervisors (UNCLASSIFIED)

The problem with hypervisors is that, taken alone, they fit the definition
of an operating system nicely, but when you consider that they are used to
enable multiple instances of operating systems to share the same hardware,
that definition starts to break down - it's really all about the context.
At what point is a proper "operating system" considered an "application?"
Probably from the perspective of the hypervisor.  But, from the
perspective of the proper operating system, the hypervisor is "hardware."

But, what business processes and stakeholders are we supporting here?
That makes a difference as to how we should view these things.  On the
most abstract level we want asset management, configuration management,
and change management to support certification and accreditation,
continuous monitoring, and risk management processes.

What if we view these "things" from their own point of view?

A proper operating system is just that, an operating system regardless of
whether it's on actual or virtualized hardware.  A hypervisor, to itself,
is an operating system by definition.  If I'm hardening a VMware system, I
don't look at the hosted guests as applications, they're operating systems
with their own hardening guidance.  Similarly, if I'm hardening one of
those guest operating systems, I'm looking at the hypervisor as hardware,
which is to say that I ignore hypervisor-specific hardening.  Instead, I
rely on having a comprehensive set of hardening procedures that trace back
to my standards, processes and policies.

That's the long way to say that it seems that a hypervisor is really just
an operating system.

Virtual machines (JVM, .Net Runtime) are significantly different in my
opinion, because they are by and large applications running on top of a
proper operating system.  I'm sure there are exceptions, but from an
operational perspective, I've not run across any hardware implementations
of the Java Virtual Machine, for example - others may have.

I hope this discussion informs CPE "next" (3.0??).  We should now know
that our view of the world may change as technology evolves, and building
flexibility into the specifications to allow for such change without
updates to the specification seems like a good idea.

Adam




Re: Question on CPE:/a:vmware and other hypervisors

Gary Newman-2
Hi Maha,

VMWare ESX and ESXi both use Redhat Linux as their underlying operating system,
which can be easily seen through their service console.  IMHO they should be
categorized as operating systems just as are all other Linux variants.  However
I doubt it makes much difference in practice, as explained below.

Due to CPE's genesis, as a way of targeting an XCCDF benchmark to a software
platform, it only used the part for simple taxonomy.  For XCCDF it sufficed to
say, for example, that "this benchmark is for Sql Server" or "this benchmark is
for Windows Vista".  The CPE part is really just informational, and I'm not
aware of any cases where the part differentiates two vendor/product pairs that
are otherwise confused.

The often intermingled question is how and whether cpe should describe
relationships between security "platform layers" such as applications and
operating systems they're running on.  Current cpe use typically includes
boolean logic describing a set of cpes used together (e.g. application & os -
adobe reader and linux, or application and application - gecko and firefox)
without regard to any layering relationship.  That seems to largely suffice for
current benchmarks and vulnerability descriptions.  Perhaps one of the NVD team
can comment on whether that has sufficed for their purposes without need for a
layering description.

My feeling is that description of security layers should be independent of the
cpe part.  Perhaps by addition of relationship operators such as "running on"
to describe the security layering when it's important.  Those relationship
operators could be used with the current boolean logic as appropriate.

-Gary-
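Two points in this thread are easier to see in code than in prose: Joseph Wolfkiel's quoted note (8/5) that a blank CPE 2.2 component, including an omitted "part", behaves as "match anything", and Gary's suggestion just above of a "running on" relationship operator layered on top of the boolean logic CPE users already combine names with.  The block below is an added illustration written for this thread; it is not code from the CPE specification, from NVD, or from any list participant.  The host inventory, the version numbers, the `running_on` operator and the tuple-based expression syntax are all assumptions made for the example.

```python
"""CPE 2.2 URI matching where a blank component (e.g. an omitted 'part')
matches anything, plus boolean platform logic extended with an assumed
'running_on' layering operator.  Constructed illustration: the inventory,
versions and expression syntax are assumptions, not CPE spec features."""
from dataclasses import dataclass
from typing import Optional, List, Union, Tuple

# CPE 2.2 URI layout: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"a", "o", "h", ""}  # 2.2 and later let 'part' be left blank; no "v"


def parse_cpe(uri: str) -> dict:
    """Split a cpe:/ URI into its seven components.  Missing trailing
    components and empty ones are stored as '' meaning 'unspecified'."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(FIELDS) - len(parts))
    comp = {k: v.lower() for k, v in zip(FIELDS, parts)}
    if comp["part"] not in VALID_PARTS:
        raise ValueError(f"part must be a, o, h or blank in {uri!r}")
    return comp


def is_valid_cpe(uri: str) -> bool:
    """True when the URI parses under the rules above (e.g. no 'v' part)."""
    try:
        parse_cpe(uri)
        return True
    except ValueError:
        return False


def cpe_matches(pattern: str, name: str) -> bool:
    """A blank component in the pattern matches any value; every
    component that is specified must equal the target's component."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    return all(p[f] == "" or p[f] == n[f] for f in FIELDS)


@dataclass
class Installed:
    """One discovered item on a host and, if known, what it runs on."""
    name: str                       # CPE 2.2 URI of the installed thing
    runs_on: Optional[str] = None   # CPE URI of the layer directly beneath it


# Constructed inventory: an ESXi host carrying one Linux guest that has a
# PDF reader installed.  Version numbers are made up for the example.
HOST_INVENTORY = [
    Installed("cpe:/o:vmware:esxi:4.1"),
    Installed("cpe:/o:redhat:enterprise_linux:5", runs_on="cpe:/o:vmware:esxi:4.1"),
    Installed("cpe:/a:adobe:acrobat_reader:9.4", runs_on="cpe:/o:redhat:enterprise_linux:5"),
]

Expr = Union[str, Tuple]


def evaluate(expr: Expr, inventory: List[Installed]) -> bool:
    """Evaluate a platform expression against an inventory.  An expression is
    a CPE URI string, ("and", [exprs]), ("or", [exprs]) or
    ("running_on", upper_cpe, lower_cpe).  The last form is the assumed
    layering operator: true only when something matching upper_cpe is
    recorded as running directly on something matching lower_cpe."""
    if isinstance(expr, str):
        return any(cpe_matches(expr, item.name) for item in inventory)
    op = expr[0]
    if op == "and":
        return all(evaluate(e, inventory) for e in expr[1])
    if op == "or":
        return any(evaluate(e, inventory) for e in expr[1])
    if op == "running_on":
        upper, lower = expr[1], expr[2]
        return any(cpe_matches(upper, item.name)
                   and item.runs_on is not None
                   and cpe_matches(lower, item.runs_on)
                   for item in inventory)
    raise ValueError(f"unknown operator {op!r}")


if __name__ == "__main__":
    # Omitting the part: one pattern hits the hypervisor whether it was
    # catalogued as an OS or as an application.
    print(cpe_matches("cpe:/:vmware:esxi", "cpe:/o:vmware:esxi:4.1"))
    print(cpe_matches("cpe:/:vmware:esxi", "cpe:/a:vmware:esxi:4.1"))
    print(cpe_matches("cpe:/a:vmware:esxi", "cpe:/o:vmware:esxi:4.1"))
    # Plain boolean logic only says "reader and linux are both present".
    print(evaluate(("and", ["cpe:/a:adobe:acrobat_reader",
                            "cpe:/o:redhat:enterprise_linux"]), HOST_INVENTORY))
    # The layering operator tells "reader on linux" from "reader on esxi".
    print(evaluate(("running_on", "cpe:/a:adobe:acrobat_reader",
                    "cpe:/o:redhat:enterprise_linux"), HOST_INVENTORY))
    print(evaluate(("running_on", "cpe:/a:adobe:acrobat_reader",
                    "cpe:/:vmware:esxi"), HOST_INVENTORY))
```

The first three calls show why leaving the part blank sidesteps the o/a/h debate for autodiscovery: `cpe:/:vmware:esxi` matches the same product whichever part a sensor or a human assigned, while `cpe:/a:vmware:esxi` silently misses an entry recorded under `o`.  The last three show what the boolean AND cannot express: both the reader and the Linux guest are present on the host, but only the `running_on` relation says which one is actually beneath the other, which is the layering information Gary suggests keeping independent of the part.  A "v" part is rejected by `parse_cpe`, reflecting the current limit to `o`, `a` and `h` that Brant mentions.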



Re: Question on CPE:/a:vmware and other hypervisors

Mahadevan Lakshminar
Hi Gary

I would just disagree on "VMWare ESX and ESXi both use Redhat Linux as their underlying operating system ...". Unlike ESX, ESXi can be installed and run by itself and is not based on Linux or a Linux variant. Below are some resource links to support it.

http://www.vmware.com/files/pdf/VMware-ESXi-41-Operations-Guide-TWP.pdf 

http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-and-vsphere-articles/general/vmware-esxi-server-compare-esx-server.html 

I am in the process of learning more, so correct me if I am wrong.

Thanks
Maha
