Low Hanging Fruit of Virtualization Security

I was invited to CSI 2010 this year to speak on the Low Hanging Fruit of Virtualizaiton Security. This presentation brought to light some simple to implement features that would give you the most security for what I consider very little cost or effort. These 7 items if implemented will improve the overall security of  your virtual environment.

7. Do not use Paravirtualized drivers within DMZ based VMs, or any that hold sensitive data unless there is an absolute performance requirement to do so, and then only use the specific driver instead of installing them all.

The reason for this is that in Escape the VM attacks the paravirtualized drivers are the items usually under attack. You can limit the current attack surface by not installing unneeded device drivers.

6.   Use a centralized directory service to provide authentication

Using Active Directory or an LDAP enabled directory service will allow all hypervisors and management tools to share the same users and groups. This type of change could be made to all tools and hypervisors or use of a tool like the HyTrust appliance which proxies VMware vSphere commands to hypervisors and management tools.

5.   Use a centralized tool to provide authorization.

Most hypervisors and management tools contain different roles and permissions than each other. In VMware parlance, there is one set of permissions for vCenter and each ESX/ESXi hosts have their own making for confusing roles and permissions. Use some method to ensure all Roles and Permissions are the same for each device and resource in use. This could be done via scripted means or by using the HyTrust appliance.

4.    Use a centralized syslog/log server for collecting audit and standard log data for analysis

Virtualization logs grow quite large, very quickly, it is best to log this data to a centralized log server so that the logs of your entire virtualization environment can be analyzed for security issues. Some issues may only show up if you have all the logs. Such as a pattern of attack.

3.    Analyze/Review your log data daily for issues.

Either manually or use a tool to analyze your log files on a daily basis. Tools that will run through the gigabytes of data include RSA Envision, HyTrust (limited), Reflex VMC, Splunk, and logcheck.

2.    Ensure only the hypervisor can access any LUN assigned to a hypervisor.

For IP Storage, this could be done by using a firewall. However, for Fibre Channel SAN you much inspect your zoning and presentation to ensure that the virtualization hosts are the only ones that can see and access the virtualization specific LUNs and Never from a VM.

1.    Firewall your virtualization management tools from the rest of your network.

All Virtualization management consoles and tools should be placed behind a firewall. This firewall should allow only RDP and necessary normal non-virtualization management tools through it. Users would logon to a VM that contains the necessary tools via RDP and manage the virtualization hosts from this location.

Number 1, is the most important change to make to any virtual environment to improve over all security. Penetration testers have shown that it is trivially easy to break the management network of your virtualization hosts if it remains within the flat organizational network. VMware, as do I, recommend a protected virtualization management network. This is by far the lowest hanging fruit of virtualization security.

If you implement all seven of these features you will improve overall security. But if you had to choose from all seven, implement #1.

Posted in SecurityTagged , , , , , , , ,