VMware vCenter 5.1 implemented a new security feature, Single Sign-On (SSO), that uses the Security Assertion Markup Language (SAML) to exchange security tokens. This combats an extremely well-known and prevalent attack within the virtualization management trust zones: SSL Man-in-the-Middle (MiTM) attacks. However, vCenter still supports the old SSL methods as well to maintain backwards compatibility and to allow management when SSO is not in use. Does this new feature change how we look at virtualization and cloud management security best practices? Is it a launch point for implementing other authentication techniques?
At the moment, the only true way to protect your virtualization and cloud management layers is to firmly place them within their own trust zone and only allow things like remote desktop protocols to access this trust zone. Segregation of your virtualization and cloud management layers using such a draconian approach allows your security teams to monitor that trust zone for any inappropriate traffic, perform logging, and apply critical system protections in a targeted manner.
Security Should Be Invisible
I am a firm believer that security should be invisible. For the virtualization and cloud management layers, it is important to segregate, audit, monitor, and control what can be done so that unknown-unknown attacks are prevented. Why? Because it is far easier for an attacker to breach your management networks than it is for them to escape a virtual machine; why should we make this easy for the attacker? Even so, we should make security invisible. This method of segregation changes administrators behavior by requesting that they use a remote desktop protocol to access a well protected virtual machine to perform any management tasks. How many administrators today do not know how to use a remote desktop tool, or do not use one in their daily administrative tasks already? This additional requirement is minor given the benefits:
- Remote access from anywhere required, such jump machines could become part of a VPN workgroup for administrators
- Security folks can audit activities related to virtualization and cloud management in more finely grained detail while leaving the end user computing device (laptop, desktop, etc.) out of this level of audit and security
- It is possible to put onto jump machines and virtualization management servers such security tools as Symantec Critical System Protection to further disallow unknown-unknown and zero-day attacks
- It is inexpensive to implement.
A properly segregated cloud and virtualization management network is the current best practice, and it is inexpensive to implement. However, if you do not implement it fully, vCenter SSO may be your answer.
Follow Best Practices
The best practices for virtualization and cloud security are often not followed. This is changing, but VMware realized that the issues solved by following virtualization and cloud management segregation best practices could be solved another way for a subset of their management tools. This realization does not alleviate the need to follow best practices, but it does help with security. Instead of relying on often misunderstood and badly implemented SSL security mechanisms, SAML provides another security mechanism that does not require passing around of usernames and passwords. Instead, it requires passing around security tokens. This is very useful for communication between vCloud Director and vCenter or between vCenter and vSphere. These are the oft attacked points, and this new SAML approach prevents the trivially easy SSL MiTM attack from being successful.
However, not everything uses vCenter SSO yet, so it is best to still follow security best practices.
SAML Support allows VMware to provide a well-known method to authenticate users against an authentication source. We have been asking for a single place to authenticate users within the vSphere environment for years. We also need a single place to store role-based access controls, and that may be coming as well. Could you imagine a time when SAML not only authenticates but becomes the authorization store as well for all virtualization and cloud management tools? I think they are moving in that direction. In addition, VMware Horizon Application Manager already supports SAML; now they can put the vCloud and vCenter management tools within HAM, passing SAML tokens instead of SSL-encrypted usernames and passwords. In this way, HAM becomes another control layer for who has access to the virtual and cloud management environments.
SAML to the Rescue as a solution to those pesky and easy to implement SSL-based attacks.