A hacker can access your virtual infrastructure via several paths. As we discussed in part one of this series, the virtualization layer creates additional points of vulnerability and
These attack vectors include virtual hard disk files, logging utilities and even virtual machines (VMs). But there's one more attack vector to consider: the network itself. To protect against this risk, it's crucial to follow virtual network security best practices. In this tip, we cover some key tactics.
Network isolation
The key to virtual network security is isolation. Every host has a management network through which it communicates with other hosts and with management systems such as vCenter Server. In a virtual infrastructure, that management network should be isolated both physically and virtually. Connect all hosts, clients and management systems to a separate physical network (at minimum a dedicated VLAN) so that management traffic never shares a wire with production traffic, and on each host create a dedicated virtual switch, with its own physical NICs, for the management VMkernel port. Never place VM port groups on that vSwitch: mixing management and VM traffic on one virtual switch puts a compromised or misconfigured VM one port group away from the hypervisor's management interface. While this won't address all problems that virtual switches introduce, it's an important start.
In addition to isolation, there are other virtual network security best practices. Note that the VMkernel network used to move live virtual machines from one host to another (vMotion) transfers the running VM's memory contents in clear text. Anyone who can reach that network can sniff the migration, which exposes whatever the guest held in memory (credentials, keys, session data), or perform a man-in-the-middle attack on it while it is in flight. Give vMotion its own vSwitch and physical NICs on a non-routed network that nothing but the hosts can reach.

When you expose a host to the Web in a demilitarized zone, or DMZ, be especially vigilant. Always create a separate isolated vSwitch with its own physical network interface cards for DMZ traffic, and never mix internal and external traffic on the same vSwitch. Also lock down access to your virtual switches through the hypervisor's permissions: a user who can edit a VM's network adapter can move it from one port group to another, so restrict that right to ensure (1) an attacker cannot move VMs from one network to another and (2) VMs don't end up straddling an internal and an external network with a vNIC in each, which turns the VM into a bridge around your firewall.
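The isolation rules above (management, vMotion and DMZ traffic each on a vSwitch of their own; no VM with a foot in both the DMZ and an internal network; no VM on the management or vMotion network) are easy to state and easy to drift from. The script below is an added example, not code from the original tip or from VMware, that checks a host's layout against those rules. The inventory is constructed for illustration rather than pulled from a real host, and inferring a port group's role from its name is an assumption; a real audit would feed it from PowerCLI or `esxcli` output and use whatever naming or tagging convention the site follows.

```python
"""Audit a vSphere-style virtual network layout against the isolation rules
described in this tip.  Added example with a constructed inventory (not data
from a real host); port-group roles are inferred from names, an assumption."""

from collections import defaultdict

# Constructed inventory: vSwitch -> port groups on it; VM -> port groups its
# vNICs are attached to.  vSwitch0 and jump01 are deliberately misconfigured.
VSWITCHES = {
    "vSwitch0": ["Management Network", "VM Network"],   # mgmt shares with VM traffic
    "vSwitch1": ["vMotion"],                             # isolated, as it should be
    "vSwitch2": ["DMZ"],                                 # isolated, as it should be
}
VMS = {
    "web01": ["DMZ"],
    "app01": ["VM Network"],
    "jump01": ["DMZ", "VM Network"],   # straddles external and internal
}

INFRA_ROLES = ("management", "vmotion", "dmz")


def role(portgroup):
    """Classify a port group by name (assumption: names follow this convention)."""
    name = portgroup.lower()
    if "management" in name or "mgmt" in name:
        return "management"
    if "vmotion" in name:
        return "vmotion"
    if "dmz" in name:
        return "dmz"
    return "vm"


def audit(vswitches, vms):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    for sw, portgroups in vswitches.items():
        by_role = defaultdict(list)
        for pg in portgroups:
            by_role[role(pg)].append(pg)
        # Rule 1: management, vMotion and DMZ traffic each get a vSwitch of
        # their own; none of them may share a switch with anything else.
        if len(by_role) > 1 and any(r in by_role for r in INFRA_ROLES):
            findings.append(f"{sw}: mixes {sorted(by_role)} traffic on one vSwitch")
    for vm, vnics in vms.items():
        roles = {role(pg) for pg in vnics}
        # Rule 2: no VM straddles the DMZ and an internal network.
        if "dmz" in roles and roles - {"dmz"}:
            findings.append(f"{vm}: vNICs in both DMZ and internal port groups {vnics}")
        # Rule 3: no VM has a vNIC on the management or vMotion network.
        for r in ("management", "vmotion"):
            if r in roles:
                findings.append(f"{vm}: vNIC attached to the {r} network")
    return findings


if __name__ == "__main__":
    for finding in audit(VSWITCHES, VMS):
        print("FAIL", finding)
```

Run against the constructed inventory it reports two findings, the shared vSwitch0 and the straddling jump01; a layout where the three infrastructure roles sit alone on their switches and every VM touches only VM port groups returns an empty list. The checks are deliberately about topology, not about any vendor product, so the same logic applies to distributed switches once the port-group list is fed in.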
In virtual infrastructures, where the physical network has been extended into the host as a virtual network, physical network security devices and applications are often ineffective. Traffic between two VMs on the same vSwitch never leaves the host, so a physical firewall, intrusion detection system or intrusion prevention system sitting on the wire never sees it and cannot block or alert on it. Those devices still protect the traffic that does leave the host; they simply have no view of VM-to-VM traffic.
For the best virtual network security strategy, use security applications designed specifically for virtual infrastructure and integrate them directly into the virtual networking layer. These include network intrusion detection and prevention systems, monitoring and reporting systems, and virtual firewalls built to secure virtual switches and isolate VMs from one another. Combine physical and virtual network security so that traffic is inspected whether or not it leaves the host, which is what complete data center protection requires.
If you use network-based storage such as iSCSI or Network File System (NFS), use proper authentication. For iSCSI, bidirectional (mutual) Challenge-Handshake Authentication Protocol, or CHAP, is best: the target authenticates the host, and the host also authenticates the target, so a rogue device answering to the target's name is rejected. Bear in mind that CHAP only authenticates the login; it does not encrypt the data path, and the storage traffic itself is sent in clear text. So physically isolate the storage network as well: anyone with access to the same network could listen and reconstruct files, alter traffic in flight or possibly corrupt it. NFS exports in this setting typically trust a client IP address rather than a credential, which is one more reason to keep the storage network unreachable from anything but the hosts.
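To make concrete what mutual CHAP does and does not buy you, here is an added example (not code from the original tip, from VMware or from any storage vendor) that walks both halves of a bidirectional CHAP login as iSCSI carries it: CHAP with MD5, where the response is MD5 over the identifier, the secret and the challenge (RFC 1994, which RFC 3720 adopts). The IQNs and secrets are constructed, the "rogue target" that accepts any response is a simplified model of a spoofed storage device, and the wordlist is a toy; everything else is the real computation. It shows three things: a genuine pair authenticates in both directions, a rogue target slips past one-way CHAP but fails the mutual step, and a sniffer on a shared storage network sees every challenge and response, so a weak secret falls to an offline guess even though the secret itself never crosses the wire.

```python
"""Bidirectional CHAP as used by iSCSI (RFC 1994 MD5 CHAP carried per RFC 3720).
Added example with constructed IQNs and secrets; the rogue target is a
simplified model.  Shows that CHAP authenticates both ends but hides nothing
on the wire, so the storage network still has to be isolated."""

import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Peer:
    """One iSCSI end (initiator or target): its own secret plus, for mutual
    CHAP, the secret it expects from each named peer."""

    def __init__(self, name, own_secret, peer_secrets, accept_anyone=False):
        self.name = name
        self.own_secret = own_secret
        self.peer_secrets = peer_secrets      # {peer IQN: that peer's secret}
        self.accept_anyone = accept_anyone    # rogue device: "authenticates" everyone

    def challenge(self):
        # Fresh identifier and 16-byte random challenge; never reuse a challenge.
        return os.urandom(1)[0], os.urandom(16)

    def answer(self, identifier, challenge):
        return self.name, chap_response(identifier, self.own_secret, challenge)

    def verify(self, identifier, challenge, name, response):
        if self.accept_anyone:
            return True
        secret = self.peer_secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def login(initiator, target, wire, mutual=True):
    """Run a CHAP login; `wire` collects what a sniffer on the storage network sees."""
    # Step 1: target authenticates the initiator (one-way CHAP stops here).
    i, c = target.challenge()
    n, r = initiator.answer(i, c)
    wire += [("CHAP_I", i), ("CHAP_C", c), ("CHAP_N", n), ("CHAP_R", r)]
    if not target.verify(i, c, n, r):
        return False
    if not mutual:
        return True
    # Step 2: initiator challenges the target; a spoofed target has no secret to answer with.
    i2, c2 = initiator.challenge()
    n2, r2 = target.answer(i2, c2)
    wire += [("CHAP_I", i2), ("CHAP_C", c2), ("CHAP_N", n2), ("CHAP_R", r2)]
    return initiator.verify(i2, c2, n2, r2)


def dictionary_attack(wire, wordlist):
    """Offline guessing against the first sniffed challenge/response pair."""
    seen = dict(wire[:4])   # CHAP_I, CHAP_C, CHAP_N, CHAP_R of step 1
    for guess in wordlist:
        if chap_response(seen["CHAP_I"], guess, seen["CHAP_C"]) == seen["CHAP_R"]:
            return guess
    return None


# Constructed identities and secrets.  The initiator secret is deliberately weak.
HOST_IQN, SAN_IQN = "iqn.2010-10.example:esx01", "iqn.2010-10.example:san01"
INITIATOR_SECRET = b"weak-secret"
TARGET_SECRET = os.urandom(16)   # the kind of secret you actually want: long and random
INITIATOR = Peer(HOST_IQN, INITIATOR_SECRET, {SAN_IQN: TARGET_SECRET})
TARGET = Peer(SAN_IQN, TARGET_SECRET, {HOST_IQN: INITIATOR_SECRET})
ROGUE = Peer(SAN_IQN, b"does-not-know-the-secret", {}, accept_anyone=True)


def run_demo():
    wire = []
    return {
        "genuine_mutual": login(INITIATOR, TARGET, wire, mutual=True),
        "rogue_one_way": login(INITIATOR, ROGUE, [], mutual=False),
        "rogue_mutual": login(INITIATOR, ROGUE, [], mutual=True),
        "secret_on_wire": any(isinstance(v, bytes) and INITIATOR_SECRET in v for _, v in wire),
        "recovered": dictionary_attack(wire, [b"password", b"iscsi", b"weak-secret"]),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The `rogue_one_way` result is the case mutual CHAP exists for: with one-way CHAP the host proves itself to whatever answers on the target's address and then trusts the LUNs it is handed. The `recovered` result is the case isolation exists for: CHAP keeps the secret off the wire, but the challenge and response are there for anyone on the same segment, and a guessable secret turns that into a credential. Use long random secrets, different ones per direction, and keep the segment unreachable.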
Virtual network security best practices differ from security measures for traditional physical systems, so consider all possible attack vectors. If you focus your virtual security on only certain areas, you could find that an attacker has snuck in through a door you didn't know was open.
About the author
Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains vSphere-land.com, a VMware information site.
This was first published in October 2010
Virtualization Strategies for the CIO