A hacker can access your virtual infrastructure via several paths. As we discussed in part one of this series, the virtualization layer creates additional points of vulnerability and
These attack vectors include virtual hard disk files, logging utilities and even virtual machines (VMs). But there's one more attack vector to consider: the network itself. To protect against this risk, it's crucial to follow virtual network security best practices. In this tip, we cover some key tactics.
The key to virtual network security is isolation. Every host has a management network through which it communicates with other hosts and management systems. In a virtual infrastructure, the management network should be isolated physically and virtually. Connect all hosts, clients and management systems to a separate physical network to secure the traffic. You should also create isolated virtual switches for your host management network, and never mix virtual-switch traffic with normal VM network traffic. While this won't address all problems that virtual switches introduce, it's an important start.
In addition to isolation, there are other virtual network security best practices. Note that the VMkernel network that's used to move live virtual machines from one host to another does so in clear text. That means it's possible to "sniff" the data or perform a man-in-the-middle attack when a live migration occurs. When you expose a host to the Web in a demilitarized zone, or DMZ, be especially vigilant. Always create a separate isolated vSwitch with its own physical network interface cards, and never mix internal and external traffic on a vSwitch. Also, lock down access to your virtual switches so (1) an attacker cannot move VMs from one network to another and (2) so that VMs don't straddle an internal and external network.
In virtual infrastructures where a physical network has been extended to the host as a virtual network, physical network security devices and applications are often ineffective. Often, these devices cannot see network traffic that never leaves the host (because they are, by nature, physical devices). Plus, physical intrusion detection and prevention systems do not protect VMs from threats.
For the best virtual network security strategy, use security applications that are designed specifically for virtual infrastructure, and integrate them directly into the virtual networking layer. This includes network intrusion detection and prevention systems, monitoring and reporting systems, and virtual firewalls that are designed to secure virtual switches and isolate VMs. You can integrate physical and virtual network security to provide complete data center protection.
If you use network-based storage such as iSCSI or Network File System, use proper authentication. For iSCSI, bidirectional Challenge-Handshake Authentication Protocol (or CHAP) authentication is best. Be sure to physically isolate storage network traffic, because the traffic is often sent as clear text. Anyone with access to the same network could listen and reconstruct files, alter traffic or possibly corrupt it.
Virtual network security best practices differ from security measures for traditional physical systems, so consider all possible attack vectors. If you focus your virtual security on only certain areas, you could find that an attacker has snuck in through a door you didn't know was open.
About the author
Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains vSphere-land.com, a VMware information site.
This was first published in October 2010