First steps in server virtualization

Everywhere you go, virtualization is promoted as a way to reduce costs, increase technology flexibility, and obtain a better ROI on equipment. For the most part it achieves these goals, so companies are adopting it wholesale. However, virtual environments are often implemented with the same information security controls used in non-virtualized environments. This should not be the case. Virtualization presents a new set of risks to the organizations adopting it, and it is vital to understand those risks and the corresponding information security risk management strategies when implementing a virtualization strategy.

This is the first of three articles. This article provides general information security recommendations for virtual environments. Upcoming articles will discuss virtual machine security policies and backup and business continuity for virtualized environments.

Critical security considerations include:

  • Securing virtual hard disks
  • Reducing the attack surface for hosts
  • Classifying virtual machines
  • Involving information security personnel throughout the lifecycle
  • Segmenting traffic for administration and storage

Securing virtual hard disks

When servers are virtualized, physical hard drives become virtual hard disks that exist as files on the host. This creates new risks for an organization if someone gains access to a system where virtual hard disks are stored. A malicious user could steal entire servers. They could access the files and data on the machines and interact with them just as authenticated users would on the system. This is possible because the malicious user could stand the machines up elsewhere, or simply mount the data drives to access data that is not contained within applications. They could perform offline cracking attacks on the machines without alerting the company. Lastly, virtual hard disks could be replaced with untrusted disks containing malicious code.

Therefore, virtual hard disks need to be protected from unauthorized access. So how is this accomplished? First, limit administrative access to the hosts. A common practice is to place the hosts in a separate domain so that authenticated users on the user/client-facing domain do not have credentials on the host domain. It is also important to secure any machines used to manage the hosts. Centralized management tools like Virtual Center for VMware or System Center Virtual Machine Manager for Microsoft should have granular access controls set for administrators of the environment.

There is also the issue of credentials. Administrative credentials should take a different format between systems. For example, Joe Black is an administrator on the user/client domain. His username is jblack. He also performs administrative tasks on the hosts in the virtual environment. In this environment his username should not be jblack and he should use a different password from the one he uses in the user/client domain. This way, if his account is compromised on the user/client domain, the virtual domain will not be compromised as well.

Reducing the attack surface for hosts

The hosts in a virtual environment are powerful machines on which multiple guest machines reside. The hosts run software called a hypervisor that manages access to resources such as disk space, network, processing, and memory.

It is important to reduce the attack surface for hosts because a compromised host impacts all machines that reside on it. For example, a host with a virus could impact the operations of other machines on it or a denial of service attack could make all guests on the host unavailable.

Reducing the attack surface of a host involves running the minimum number of services to support its role as a hypervisor and nothing more. Hosts should not be used for other roles such as DNS, file servers, web servers, etc. If those services are desired they should operate in a virtual machine residing on the host rather than the host itself.

If you are running VMware, only use the services you need. If you are not using SNMP or time services, disable them. If you are using a Microsoft solution, consider the server core edition of Hyper-V or, if you install the complete operating system, run only the Hyper-V role.

Classifying virtual machines

Virtual machines, or guests, serve different roles such as a file server, domain controller, email server, remote access server, or database. Some roles are more sensitive than others and thus they should be treated differently. The first step is to assign a security classification to all virtual machines. The number of levels you have is determined by your organization’s business rules; however, for this article I will use three: standard, secure, and highly secure. An organization may classify one file server that hosts ISO files as standard. A domain controller, email server, and a file server hosting user documents are classified as secure, and the database servers, billing servers, and ERP servers are classified as highly secure. In this environment, the file server classified as standard would never be hosted on a server hosting the email server because the guests operate at different security levels. Different hosts would be dedicated for each security level.

You can use host groups to better manage security levels. Both Virtual Center and System Center Virtual Machine Manager use host groups for organizing hosts. Policies can be applied to host groups and you can restrict administrative access to the host groups as well.

It is important to define the security levels and to classify the servers before starting a migration from physical machines to virtual machines. This will mitigate the risk of an impact to higher security systems from access to lower security systems.
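
One way to check the placement rule described above, before and after a migration (an added example, not part of the original article). The guest names, host names and the host-to-level mapping are constructed; in practice the inventory would be exported from the management tool.

```python
from collections import defaultdict

# Security levels used in the article, lowest to highest.
LEVELS = ("standard", "secure", "highly secure")

# Constructed host groups (hypothetical names): host -> level it is dedicated to.
HOST_LEVEL = {"hv-a": "standard", "hv-b": "secure", "hv-c": "highly secure"}

# Constructed inventory: guest -> (host, classification or None).
INVENTORY = {
    "iso-files01": ("hv-a", "standard"),
    "test-web01":  ("hv-a", None),             # never classified
    "dc01":        ("hv-b", "secure"),
    "mail01":      ("hv-b", "secure"),
    "userdocs01":  ("hv-b", "secure"),
    "erp01":       ("hv-b", "highly secure"),  # placed on the wrong host
    "sql01":       ("hv-c", "highly secure"),
    "billing01":   ("hv-c", "highly secure"),
}


def audit_placement(inventory, host_level):
    """Return sorted (kind, host, guest, detail) findings; empty means compliant."""
    findings = []
    levels_on_host = defaultdict(set)
    for guest, (host, level) in inventory.items():
        if level not in LEVELS:
            # Every guest needs a classification before it is migrated.
            findings.append(("unclassified", host, guest, f"classification={level!r}"))
            continue
        levels_on_host[host].add(level)
        dedicated = host_level.get(host)
        if dedicated is None:
            findings.append(("host-not-in-group", host, guest, "host has no assigned level"))
        elif dedicated != level:
            findings.append(("wrong-host", host, guest, f"{level} guest on {dedicated} host"))
    for host, levels in levels_on_host.items():
        if len(levels) > 1:
            # Guests of different levels share one hypervisor.
            mixed = ", ".join(sorted(levels, key=LEVELS.index))
            findings.append(("mixed-host", host, "*", mixed))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, guest, detail in audit_placement(INVENTORY, HOST_LEVEL):
        print(f"{kind:18} {host:6} {guest:12} {detail}")
```

An empty result means every guest is classified and sits on a host dedicated to its own level.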

Involving information security personnel throughout the lifecycle

Information security personnel are often not involved in virtualization decisions, even though virtualization presents many security considerations. These considerations are then left unquestioned and unresolved. A Gartner study in early 2010 found that 40% of virtualization projects did not involve information security personnel. This figure is an improvement over 2009, but it is still quite concerning.

It is unreasonable to expect IT to understand all the business risks and security considerations and it is risky to put sole control in a team without checks and balances. Unless experienced persons are involved in the formation, development, implementation, and management of virtualization environments, key security considerations will remain unresolved and most likely unknown.

Segmenting traffic for administration and storage

Many companies use iSCSI to connect hosts to a storage array. It is a best practice to dedicate a network interface for the iSCSI traffic. This interface should be connected to a dedicated switch fabric or VLAN so that data transfers do not have to contend with user access and so that iSCSI traffic is not sniffed on the user/client network.

Summary

Virtualization is a wonderful technology that can bring increased efficiency to an organization but it comes with additional information security concerns that should be addressed. These information security considerations include securing virtual hard disks, reducing the attack surface for hosts, classifying virtual machines, involving information security personnel throughout the lifecycle, and segmenting traffic for administration and storage. These are some general items to be aware of but implementers should be prepared to go more in depth prior to adopting a virtualization strategy.

For further reading

Virtualization Security Falls Short Among Enterprises, Survey Says

Top 4 virtualization security gotchas

Hot or Not: Virtualization Security

Addressing the Most Common Security Risks in Data Center Virtualization Projects
