Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.
We asked two security pros a couple of questions specific to ensuring security on virtual servers. Here's what they said:
TechRepublic: What mistakes do IT managers make most often when securing their virtual servers?
Answered by Min Wang, CEO and founder AIP US
Wang: Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.
Here are some more specific mistakes IT managers make regularly:
1. IT managers rely too much on the hypervisor layer to provide security. Instead, they should be taking a 360 degree approach rather than a looking at one section or layer.
2. When transitioning to virtual servers, too often they misconfigure their servers and the underlying network. This causes things to get even more out of whack when new servers are created and new apps are added.
3. There’s increased complexity and many IT managers don’t fully understand how the components interwork and how to properly secure the entire system, not just parts of it.
TechRepublic: Can you provide some tips on what IT managers can do moving forward to ensure their servers remain hack free?
Answered by Praveen Bahethi, CTO of Shilpa Systems
1. Logins into the Xen, HyperV, KVM, and ESXi servers, as well as the VMs created within them, should be mapped to a central database such as Active Directory to ensure that all logins are logged. These login logs should be reviewed for failures on a regular basis as the organization’s security policy defines. By using a centralized login service, the administrative staff can quickly and easily remove privileges to all VMs and the servers by disabling the central account. Password Policies applied in the Centralized Login Servers can then be enforced across the virtualized environment.
2. The virtual host servers should have a separate physical network interface controller (NIC) for network console and management operations that is tied into a separate out of band network solution or maintained via VLAN separation. Physical access to the servers and their storage is controlled and monitored. All patches and updates that are being applied are verified to come from the vendors of the software and have been properly vetted with checksums.
3. Within the virtualized environment, steps should be taken to ensure that the VMs are only able to see traffic destined for them by mapping them to the proper VLAN and vSwitch. The VMs cannot modify their MAC addresses nor have their virtual NICs engaged in snooping the wire with Promiscuous mode. The VMs themselves are not able to copy/paste operations via the console, no extraneous HW is associated with them, and VM to VM communication outside of the network operations is disabled.
4. The VMs must have proper firewall and anti-malware, anti-virus, and url-filtering in place so that accessing outside data that contains threats can be mitigated. The use of security software with the hosts using plug-ins that enable security features such as firewalls and intrusion prevention are to be added. As with any proactive security measures, review of logs and policies for handling events need to be clearly defined.
5. The shared storage should require unique login credentials for each virtual server and the network should be segregated from the normal application data and Out of Band console traffic. This segregation can be done using VLANs or completely separate physical network connections.
6. The upstream network should only allow traffic required for the hosts and their VMs to only pass their switch ports, dropping all other extraneous traffic. Layer 2 and Layer 3 configuration should be in place for DHCP, Spanning Tree, and routing protocol attacks. Some vendors provide additional features in their third party vSwitches which can also be used to mitigate attacks with a VM server.
Toni Bowers is the former Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.