An introduction to virtualization security
by Dave Shackleford - Director of Security Assessments, SANS - Tuesday, 9 March 2010.
Bookmark and Share
Virtualization platforms are software. All software has flaws. Therefore, virtualization platforms have flaws. Simple logic, right? The major virtualization platform vendors, VMware, Xen (now Citrix), and Microsoft, have all had several vulnerabilities over the last few years. However, the major components of a virtualization infrastructure and the IT strategy related to deployment and maintenance of virtualization technologies can be planned and secured fairly well. The following sections will explore the major areas of concern for security professionals.

I. Hypervisor security

The hypervisor is a piece of software, in many cases, unless integrated directly with the host platform (see the next section). The major virtualization vendors release patches for their products like any other software providers, and the key to mitigating the risk of hypervisor vulnerabilities is a sound patch management process.

Examples of sound patch management practices include maintaining the latest service packs for both guests and hosts, alleviating any unnecessary applications that have a history of vulnerabilities, and applying the latest security rollup patches if and when they are supplied by the virtual software vendor.

II. Host/Platform Security

The host platform, which connects the VMM and virtual guests to the physical network, can vary widely in the type of configuration options available. This is largely dependent on system architecture; for example, VMware’s ESX Server platform has a number of similarities to Red Hat Linux.


Given that many of these systems are able to be hardened considerably, a number of “best practice” configuration guidelines can be applied, including setting file permissions, controlling users and groups, and setting up logging and time synchronization. There are many freely available configuration guides from the virtualization platform vendors, the Center for Internet Security (CIS), NSA, and DISA.

III. Securing Communications

Securing communications between the host system and desktops or a management infrastructure component such as VMware’s vCenter is essential in order to prevent eavesdropping, data leakage, and Man-in-the-Middle attacks. Most of the well-known platforms today support SSH, SSL and IPSec for any communications that are required, and one or more of these should be enabled.

IV. Security between guests

One of the biggest security issues facing the virtualized enterprise revolves around the lack of visibility into traffic between guests. Inside a host platform is a virtual switch that each guest connects to – in essence, the host’s physical NICs are abstracted into a switching fabric.

Spotlight

Trojan spyware promoted as Steam keygen

Posted on 29 May 2012.  |  To users looking for keygens for their Steam games, read on: we found something that will make you think twice and probably leave you steering clear of key generators forever.

Daily digest

By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
  

Weekly newsletter

With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
  

 
DON'T
MISS

Tue, May 29th
    COPYRIGHT 1998-2012 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //