Stop securing your virtualized servers like another laptop or PC

Many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages. Here are the most common mistakes made and how to prevent them.

We asked two security pros a couple of questions specific to ensuring security on virtual servers. Here's what they said:

TechRepublic: What mistakes do IT managers make most often when securing their virtual servers?

Answered by Min Wang, CEO and founder of AIP US

Wang: Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.

Here are some more specific mistakes IT managers make regularly:

1.  IT managers rely too much on the hypervisor layer to provide security. Instead, they should be taking a 360-degree approach rather than looking at one section or layer.

2.  When transitioning to virtual servers, too often they misconfigure their servers and the underlying network. This causes things to get even more out of whack when new servers are created and new apps are added.

3.  There's increased complexity, and many IT managers don't fully understand how the components interwork and how to properly secure the entire system, not just parts of it.

TechRepublic: Can you provide some tips on what IT managers can do moving forward to ensure their servers remain hack-free?

Answered by Praveen Bahethi, CTO of Shilpa Systems

Bahethi:

1.  Logins to the Xen, Hyper-V, KVM, and ESXi servers, as well as the VMs created within them, should be mapped to a central database such as Active Directory to ensure that all logins are logged. These login logs should be reviewed for failures on a regular basis, as the organization's security policy defines. By using a centralized login service, the administrative staff can quickly and easily remove privileges to all VMs and the servers by disabling the central account. Password policies applied in the centralized login servers can then be enforced across the virtualized environment.

2.  The virtual host servers should have a separate physical network interface controller (NIC) for network console and management operations that is tied into a separate out-of-band network solution or maintained via VLAN separation. Physical access to the servers and their storage is controlled and monitored. All patches and updates that are being applied are verified to come from the vendors of the software and have been properly vetted with checksums.

3.  Within the virtualized environment, steps should be taken to ensure that the VMs are only able to see traffic destined for them by mapping them to the proper VLAN and vSwitch. The VMs cannot modify their MAC addresses, nor have their virtual NICs engaged in snooping the wire with promiscuous mode. The VMs themselves are not able to perform copy/paste operations via the console, no extraneous hardware is associated with them, and VM-to-VM communication outside of the network operations is disabled.

4.  The VMs must have proper firewall, anti-malware, anti-virus, and URL filtering in place so that threats in the outside data they access can be mitigated. Security software on the hosts, using plug-ins that enable security features such as firewalls and intrusion prevention, is to be added. As with any proactive security measure, review of logs and policies for handling events needs to be clearly defined.

5.  The shared storage should require unique login credentials for each virtual server, and its network should be segregated from the normal application data and out-of-band console traffic. This segregation can be done using VLANs or completely separate physical network connections.

6.  The upstream network should only allow the traffic required for the hosts and their VMs to pass their switch ports, dropping all other extraneous traffic. Layer 2 and Layer 3 configuration should be in place against DHCP, Spanning Tree, and routing protocol attacks. Some vendors provide additional features in their third-party vSwitches which can also be used to mitigate attacks within a VM server.
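An added example (not from the article or either interviewee) that turns tip 3 into a check you can run against an exported inventory: it audits ESXi-style vSwitch security policies (promiscuous mode, MAC address changes, forged transmits), the VMware console-isolation options isolation.tools.copy.disable and isolation.tools.paste.disable, and untagged port groups. The VSWITCHES and VMS dictionaries are constructed sample data, not taken from any real host.

```python
from typing import Dict, List

# Constructed sample inventory (not exported from any real host), shaped like
# a PowerCLI/esxcli dump: vSwitch keys are the ESXi security-policy settings,
# VM "advanced" keys are the VMware console-isolation options.
VSWITCHES = {
    "vSwitch0": {"AllowPromiscuous": False, "MacChanges": False, "ForgedTransmits": False},
    "vSwitch1": {"AllowPromiscuous": True, "MacChanges": True, "ForgedTransmits": False},
}
VMS = {
    "web01": {"vswitch": "vSwitch0", "vlan": 100,
              "advanced": {"isolation.tools.copy.disable": "TRUE",
                           "isolation.tools.paste.disable": "TRUE"}},
    "db01": {"vswitch": "vSwitch1", "vlan": 0,
             "advanced": {"isolation.tools.copy.disable": "FALSE"}},
}
POLICY_KEYS = ("AllowPromiscuous", "MacChanges", "ForgedTransmits")
ISOLATION_KEYS = ("isolation.tools.copy.disable", "isolation.tools.paste.disable")

def audit_vswitch(name: str, policy: Dict[str, bool]) -> List[str]:
    """Flag each security-policy setting not explicitly Reject (False).
    A missing key is flagged too: the export did not prove it safe."""
    return [f"{name}: {key} is not Reject" for key in POLICY_KEYS
            if policy.get(key, True)]

def audit_vm(name: str, vm: Dict, vswitches: Dict[str, Dict[str, bool]]) -> List[str]:
    """Flag console copy/paste left enabled, an untagged port group,
    and attachment to a vSwitch that audit_vswitch already flagged."""
    findings = []
    adv = vm.get("advanced", {})
    for key in ISOLATION_KEYS:
        if adv.get(key, "FALSE").upper() != "TRUE":
            findings.append(f"{name}: {key} is not TRUE")
    if vm.get("vlan", 0) == 0:  # VLAN 0 on a standard vSwitch port group = untagged
        findings.append(f"{name}: port group is untagged (VLAN 0)")
    if audit_vswitch(vm["vswitch"], vswitches.get(vm["vswitch"], {})):
        findings.append(f"{name}: attached to {vm['vswitch']}, which has a permissive policy")
    return findings

def run_audit(vswitches: Dict, vms: Dict) -> Dict[str, List[str]]:
    """Return {object name: findings} for every vSwitch or VM with a finding."""
    report = {}
    for name, policy in vswitches.items():
        if (found := audit_vswitch(name, policy)):
            report[name] = found
    for name, vm in vms.items():
        if (found := audit_vm(name, vm, vswitches)):
            report[name] = found
    return report
```

Calling run_audit(VSWITCHES, VMS) on the sample data reports vSwitch1 (promiscuous mode and MAC changes accepted) and db01 (copy/paste still possible, untagged, and sitting on that switch), while web01 comes back clean.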

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

2 comments
mark1408

I'm a novice in the virtualisation world but even I felt that the post said very little until it got to Praveen Bahethi's comments. (The first part of the article has the same paragraph repeated three times - whoops!)

Min Wang's comments are so generic as to be not much help to a newbie like me. The other stuff I need to try to understand a bit better as I must admit I do tend to treat VMs as like any other physical server as regards security.

marc.laflamme

@mark1408 I'll echo your comments exactly. First set of answers were way too vague and the second set are almost too technical...at least some are above my level of expertise...

must be a marc(k) thing...