I was invited to CSI 2010 this year to speak on the Low Hanging Fruit of Virtualization Security. This presentation brought to light some simple-to-implement features that would give you the most security for what I consider very little cost or effort. These seven items, if implemented, will improve the overall security of your virtual environment.

7. Do not use paravirtualized drivers within DMZ-based VMs, or any VM that holds sensitive data, unless there is an absolute performance requirement to do so, and then install only the specific driver needed instead of installing them all.

The reason for this is that in escape-the-VM attacks the paravirtualized drivers are usually the items under attack. You can limit the current attack surface by not installing unneeded device drivers.

6. Use a centralized directory service to provide authentication.

Using Active Directory or an LDAP-enabled directory service allows all hypervisors and management tools to share the same users and groups. This change could be made to every tool and hypervisor individually, or by using a tool like the HyTrust appliance, which proxies VMware vSphere commands to hypervisors and management tools.

5. Use a centralized tool to provide authorization.

Most hypervisors and management tools define different roles and permissions from one another. In VMware parlance, there is one set of permissions for vCenter, and each ESX/ESXi host has its own, which makes for confusing roles and permissions. Use some method to ensure that all roles and permissions are the same for each device and resource in use. This could be done via scripted means or by using the HyTrust appliance.
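One way to do the "scripted means" above is to export the role definitions from vCenter and from each host and diff them against a chosen reference. The following is an added example, not code from the post or from VMware; the role maps are constructed sample data (the privilege strings follow the vSphere naming style but are illustrative), and in practice you would populate them from each system's role export rather than hard-coding them.

```python
"""Detect role/permission drift between a reference (e.g. vCenter) and each host.

Added example: the role maps below are constructed sample data, not a real
vSphere export. Replace SAMPLE_ROLE_MAPS with data pulled from each system.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: system name -> role name -> set of privilege identifiers.
SAMPLE_ROLE_MAPS: Dict[str, Dict[str, Set[str]]] = {
    "vcenter01": {
        "VMOperator": {
            "VirtualMachine.Interact.PowerOn",
            "VirtualMachine.Interact.PowerOff",
            "VirtualMachine.Interact.ConsoleInteract",
        },
        "StorageAdmin": {"Datastore.Browse", "Datastore.AllocateSpace"},
    },
    "esx01": {
        "VMOperator": {
            "VirtualMachine.Interact.PowerOn",
            "VirtualMachine.Interact.PowerOff",
            "VirtualMachine.Interact.ConsoleInteract",
        },
        # Drift: one extra privilege granted on this host only.
        "StorageAdmin": {"Datastore.Browse", "Datastore.AllocateSpace", "Datastore.Delete"},
    },
    "esx02": {
        # Drift: missing a privilege, and the StorageAdmin role is absent entirely.
        "VMOperator": {
            "VirtualMachine.Interact.PowerOn",
            "VirtualMachine.Interact.PowerOff",
        },
    },
}

Finding = Tuple[str, str, str, Tuple[str, ...]]  # (system, role, kind, privileges)


def find_drift(reference: str, role_maps: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Compare every system against `reference` and report each difference.

    Kinds reported:
      missing-role        role exists on the reference but not on the system
      extra-privileges    system grants privileges the reference role does not
      missing-privileges  system lacks privileges the reference role grants
      unexpected-role     role exists on the system but not on the reference
    Extra privileges are the security-relevant case: they widen what a role can do.
    """
    ref_roles = role_maps[reference]
    findings: List[Finding] = []
    for system, roles in role_maps.items():
        if system == reference:
            continue
        for role, ref_privs in ref_roles.items():
            if role not in roles:
                findings.append((system, role, "missing-role", tuple(sorted(ref_privs))))
                continue
            extra = roles[role] - ref_privs
            if extra:
                findings.append((system, role, "extra-privileges", tuple(sorted(extra))))
            lacking = ref_privs - roles[role]
            if lacking:
                findings.append((system, role, "missing-privileges", tuple(sorted(lacking))))
        for role, privs in roles.items():
            if role not in ref_roles:
                findings.append((system, role, "unexpected-role", tuple(sorted(privs))))
    return sorted(findings)


def main() -> None:
    for system, role, kind, privs in find_drift("vcenter01", SAMPLE_ROLE_MAPS):
        print(f"{system:10} {role:14} {kind:20} {', '.join(privs)}")


if __name__ == "__main__":
    main()
```

Run daily alongside the log review, a non-empty report from `find_drift` is the signal that someone changed a role on a single host (here the extra `Datastore.Delete` on esx01) rather than through the agreed central definition.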

4. Use a centralized syslog/log server for collecting audit and standard log data for analysis.

Virtualization logs grow quite large, very quickly, so it is best to send this data to a centralized log server where the logs of your entire virtualization environment can be analyzed for security issues. Some issues, such as a pattern of attack, may only show up if you have all the logs together.

3. Analyze/review your log data daily for issues.

Either manually or with a tool, analyze your log files on a daily basis. Tools that will run through the gigabytes of data include RSA enVision, HyTrust (limited), Reflex VMC, Splunk, and logcheck.
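To show why items 4 and 3 go together, here is an added example (not from the post, and not one of the tools named above) of a small daily review over centralized syslog. The log lines are constructed sample data in standard sshd syslog form; the point it demonstrates is that a single source failing logins against three hosts looks like harmless noise on each host alone and only becomes a visible pattern once all hosts log to one place.

```python
"""Daily review of centralized syslog: spot one source failing logins on several hosts.

Added example. SAMPLE_LOG is constructed sample data in sshd syslog format,
not a capture from a real environment; feed parse_failures() your real
centralized log text instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: three ESX hosts forwarding to one syslog server.
SAMPLE_LOG = """\
Nov 12 03:14:07 esx01 sshd[4021]: Failed password for root from 10.0.5.23 port 51234 ssh2
Nov 12 03:14:09 esx01 sshd[4021]: Failed password for root from 10.0.5.23 port 51236 ssh2
Nov 12 03:15:40 esx02 sshd[2210]: Failed password for root from 10.0.5.23 port 51301 ssh2
Nov 12 03:16:02 esx03 sshd[3377]: Failed password for root from 10.0.5.23 port 51355 ssh2
Nov 12 08:22:15 esx02 sshd[2290]: Failed password for admin from 10.0.7.8 port 40021 ssh2
Nov 12 08:22:40 esx02 sshd[2291]: Accepted password for admin from 10.0.7.8 port 40022 ssh2
Nov 12 09:05:11 esx01 sshd[4100]: Accepted publickey for root from 10.0.1.5 port 35000 ssh2
"""

# Syslog timestamp, host, then the sshd failed-password message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, host, user, source ip)


def parse_failures(text: str, year: int = 2010) -> List[Event]:
    """Extract failed-login events. Syslog lines carry no year, so one is supplied."""
    events: List[Event] = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"]))
    return events


def per_host_failures(events: List[Event]) -> Dict[str, int]:
    """What each host would see on its own: a count too small to stand out."""
    counts: Dict[str, int] = defaultdict(int)
    for _, host, _, _ in events:
        counts[host] += 1
    return dict(counts)


def cross_host_sources(events: List[Event], min_hosts: int = 2,
                       window: timedelta = timedelta(hours=1)) -> Dict[str, List[str]]:
    """Sources with failed logins on at least `min_hosts` distinct hosts inside `window`.

    This is the pattern that only exists in the combined log: no single host
    has enough data to see it.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, _, src in events:
        by_src[src].append((ts, host))
    hits: Dict[str, List[str]] = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window over each start time
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


def main() -> None:
    events = parse_failures(SAMPLE_LOG)
    print("failures per host :", per_host_failures(events))
    print("multi-host sources:", cross_host_sources(events))


if __name__ == "__main__":
    main()
```

The window and host threshold are the knobs to tune for your environment; the structure (parse, then correlate across hosts) is the same whether the lines come from sshd, hostd or vCenter, only the regular expression changes.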

2. Ensure only the hypervisor can access any LUN assigned to a hypervisor.

For IP storage, this could be done by using a firewall. However, for Fibre Channel SANs you must inspect your zoning and LUN presentation to ensure that the virtualization hosts are the only systems that can see and access the virtualization-specific LUNs, and never a VM.

1. Firewall your virtualization management tools from the rest of your network.

All virtualization management consoles and tools should be placed behind a firewall. This firewall should allow through only RDP and the necessary normal, non-virtualization management tools. Users would log on via RDP to a VM that contains the necessary tools and manage the virtualization hosts from that location.

Number 1 is the most important change to make to any virtual environment to improve overall security. Penetration testers have shown that it is trivially easy to break the management network of your virtualization hosts if it remains within the flat organizational network. VMware recommends, as do I, a protected virtualization management network. This is by far the lowest-hanging fruit of virtualization security.

If you implement all seven of these features you will improve overall security. But if you had to choose just one of the seven, implement #1.

Edward Haletky (372 Posts)

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
