By creating multiple virtual machines which share resources such as CPU, memory, hard drive, network devices and so on, organisations are able to reduce the cost of management of server operation. This includes the hardware, maintenance and human resources needed to manage, operate and administer these servers on a daily basis.
Furthermore, in regard to disaster recovery planning (DRP), virtualisation can also enhance the security level by providing means to faster, more flexible, and more reliable disaster recovery at a lower cost. It also significantly reduces planned and unplanned downtimes.
This demand created many software vendors who would be happy to sell you their product. Examples include OpenVZ, Xen, VirtualBox, Virtual Iron, Virtual PC, VMware, QEMU, Adeos, Mac-on-Linux, Win4BSD, Win4Lin Pro, z/VM, and more.
However, failure to configure and harden your virtual server might have very unpleasant results, especially when implemented without security considerations. In a number of cases we have witnessed a hacker bringing down an entire virtual infrastructure because of a memory leak flaw on one of the servers. By exploiting this flaw, the hacker was able to consume all the available memory to a point where the entire system crashed.
The saying 'Start Secure - Stay Secure' is a simple slogan we use to emphasise that security has to begin from the very first stages of design and integration, and should be integrated into every following step. So, how do we secure a virtual environment?
Design a secure virtual environment
Each solution has its own approach, which does not always suit the organisational needs. Some of these solutions completely separate each OS while others create separate zones with a shared kernel.
Organisations need to determine security requirements that should correlate with the organisational security policy. A security architect should be involved in this stage in order to define parameters such as access control to server consol, design of virtual network architecture, design of virtual machines, communication protocols and so on.
When implementing a virtual environment, some of the communication can relay on an internal, virtual network. For example, when a virtual web server communicates with a virtual database, the packets traverse through a virtual network only. A traditional firewall will not be able to filter this communication if needed.
There are a number of possible solutions. One of them is to use a firewall integrated into a virtual server application. The second option is to configure the virtual machines to route all the communication through an external firewall by connecting virtual machines to separate physical network cards.
A third option is to use a virtual firewall which usually comes in the form of a virtual appliance. These appliances function as traditional firewall devices and can perform functions such as deep packet inspection, session based rules and also filtering.
Hardening virtual guest servers
In most cases we can assume that each virtual machine is fully isolated from another virtual machine running on the same server. These servers need to be hardened and tested periodically as their physical counterparts. Security vulnerabilities existing on one of the virtual machines could allow an attacker to skip from that machine to another in the network.
Hardening virtual host servers
Host servers are responsible for allocating memory and CPU to guest servers, as well as providing access to storage and network devices. By receiving access to file systems on the host server, an attacker will gain access to files stored on virtual machines. It is also possible to shut down the host server which will result in DoS on each of the hosted virtual machines. These are only a few of the possible scenarios.
The host server should be hardened and should undergo very strict access control. Only administrators and dedicated operators should have access to consol and virtual server management interfaces. The server should be updated with the latest security patches and it should be configured in a secure fashion.
Policies, policies, policies
Every security decision should be backed up by an existing and approved policy. These policies should include:
- Password policy (expiration, password length);
- Authentication policy (Token, LDAP, local / etc/passd);
- Access control policy;
- Network connectivity policy (such as separation to VLANs, firewall rules)
It is important to review these policies at least annually to make sure that they are updated with new standards and best practices.
Security auditing should be performed on a periodic basis. Auditing should include:
- Security testing of guest servers' operating system and services
- Security testing of host servers' operating system
- Security testing of host server virtualisation application
- Relevant network equipment (switches, firewalls, routers)
This auditing is important in order to discover security issues such as new vulnerabilities, redundant services, outdated firewall rules and routing tables.
Virtualisation technology offers many operational and financial advantages. It even provides some security benefits. Nevertheless, this concept introduces several security weaknesses. The associated vulnerabilities include potential denial of service, data leakage and others.
With a proper and professional security approach towards the virtualisation concept, one could achieve secure and reliable environment. This approach should include proper secure design, secure configuration of the environment, secure maintenance, and proper periodical security audits.