Clustering and security in VMware

In this excerpt from VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment, learn about clustering and security concerns in virtual environments and how to address them.

Security Concerns
Now that we have reviewed the basics that define what composes a cluster within the virtual environment, we need to look further into the security of the cluster elements. In our definitions of threat, vulnerability, and fault from Chapter 1, "What Is a Security Threat?" we know that any failure of a node within a cluster should be considered from a security perspective. Although some failures are easy to track to the root cause, that is not always the case. That is when a security analysis of a fault should be performed in conjunction with normal fault determination.

About the book:
This chapter excerpt on clustering and security (download PDF) is taken from the book VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment. The book is a comprehensive guide to identifying and mitigating virtualization-related security threats on all VMware platforms.
For example, a recent crash of a system was easy to spot after we opened up the system and determined that a heat sink was not properly attached. However, if we did not have access to the box, or if the heat sink looked attached, would we have automatically assumed the failure was due to hardware? In many cases, we would have, but not always. Could it have been a malicious attack? Yet this unexpected failure did not force VMware HA to fail the VMs over to the other nodes in the cluster as we expected. What was the root cause of this VMware HA failure? Could this have been a security issue? Although we will give the answer to this question further on as we explore the parts of the cluster from a security perspective, the general answer is to correlate events within networking, storage, operational, hardware, and VMware log files to find the culprit.

Clusters are one way to mitigate possible failures by either rapidly booting virtual machines or transferring the load from busy systems to less used systems. Business continuity and failover are part of any security architecture because they are employed to mitigate the unknown problems that occur within the data center. The goal is to keep systems running.

About the author:
Virtualization expert Edward L. Haletky is the author of VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers, Pearson Education (2008). Haletky owns AstroArch Consulting Inc., which provides advice on virtualization, security, network consulting,and development. Haletky is also a 2009 VMware vExpert, guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions.
If failover does occur for some reason, this is when we may have to look at things from a security perspective. Why a node of a cluster crashed, a VM was moved from node to node, or a VM was using more resources than normal could be security concerns and point to a more severe problem. This is not always the case, but it could be the start of an attack.

Process accounting has always been just one part of security research and should remain so within the virtual world. Process accounting is the gathering of data about all processes running within your VMs and virtualization hosts (which include the VMs). Such data would be the length of time a process took to run, which CPUs and other devices were in use, and so on. With clusters of virtualization servers, process accounting needs to now include full virtual machine data and not just the single process running. The performance data stored by the virtual center could be an invaluable research tool that could lead to recognizing a security issue. This illustrates the importance of gathering baseline data. The tool often used to gather this data will be the vm-support command for each virtualization host, or you can export diagnostic data when using the VIC.

Clifford Stoll wrote about his research into computer espionage within the book Cuckoo's Egg (New York: Pocket Books, 1990). In this real-life story, a $0.75 accounting discrepancy on a time-share system led to the capture of a worldwide computer espionage ring. This one discrepancy shows that something apparently minor could be the tip of the iceberg. This is an important point, and a good illustration. If you don't have an idea of what your baseline is and how this compares with current data, you will never know there was a security problem.

Read the rest of this chapter excerpt.

Printed with permission from Prentice Hall. Copyright 2009. VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment by Edward L. Haletky. For more information about this title and other similar books, please visit

Dig Deeper on Virtual machine monitoring, troubleshooting and alerting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.