The State of Virtualization Security – Part 1
The current state of virtualization security rests on four things: good configuration management, a secure network, good auditing, and a hardened virtualization host. Each of these means something different, and the guides written for each often contain misplaced information that really belongs to none of them. Let us look at this in a bit more detail to answer the following questions:
- Is virtualization security mostly network security?
- Is virtualization security mostly hardening of the virtualization host?
- Are there good configuration management options available for virtualization hosts?
- Are there good auditing options available for virtualization hosts?
This series of blog posts will address each one of these. The first item to address, however, is network security.
Network security within the virtual environment that surrounds the virtualization hosts comprises several distinct areas but encompasses all data in motion. Is it really this simple? The distinct areas are:
- Virtualization Host Networks such as IP Storage, Management, and Live Migration/VMotion
- Virtual Machine Networks including DMZ, Production, VDI, etc.
- Physical Networks uplinked to virtual networks
Each of these areas has different attack possibilities, from compromising the network at Layer 2 to man-in-the-middle attacks and certificate injection attacks, not to mention other network-based attacks against specific applications, such as SQL injection and others of that ilk.
There are three specific areas within the virtual environment to protect from a networking perspective. Those are:
- Physical Network
This is no different than normal mechanisms currently in use for physical networks.
- Physical to Virtual Uplinks
This is the boundary between the physical and virtual networks. Because this boundary exists, it can be a point of attack.
  - SR-IOV or Intel VT-d make this a much more serious matter. In general, these facilities allow a VM's virtual NIC to communicate directly with the SR-IOV-enabled physical NIC, bypassing the hypervisor completely. VMware calls this VMDirectPath or VMFastPath.
  - Use of Unified Fabrics, such as Converged Network Adapters (CNAs) and Cisco UCS devices in conjunction with Nexus switches, will raise the importance of securing the uplinks between the virtualization network and the physical network.
- Virtual Network
Security of the virtual network has always been a concern, mainly because of the lack of tools that allow current physical network security mechanisms to see into the virtual network. Several companies have solutions to aid in this.
  - Catbird V-Security is an IDS/IPS solution for the virtual network. It works by monitoring the network as well as the virtualization host (VMware ESX) for movement of VMs between virtual switches and portgroups. If a VM is not allowed on a portgroup, traffic to that VM is rejected per the IPS rules. It also watches for changes to virtual switch and portgroup security settings. This was the first tool specifically designed to give visibility into the virtual network and to protect it. As Catbird puts it, it puts a shield around your virtual machines.
  - Reflex Systems provides VMC, which is more than just an IDS/IPS: it tries to determine who did what, when, where, and how within the virtual network of your virtualization host. VMC works with VMware ESX, and there are claims that it works with Microsoft Hyper-V and Citrix XenServer as well; however, the integration for the latter two is not as robust as for VMware ESX hosts. Not only does VMC track your network packets, it also tracks who is doing what within your virtualization hosts, such as who changed a network setting. Currently it can only track actions taken within VMware ESX/ESXi hosts that originate from the VMware Infrastructure Client or related tools. Files edited directly within the service console, or placed on an ESXi server using the VMware RCLI vifs command, are not currently tracked or reported. Still, this is one tool that can tell you who did what, when, where, and how, up to a point.
  - The HyTrust Appliance protects a very specific part of the virtual and physical network and is one of those crossover tools. It is designed to protect the management network to which a virtualization host (VMware ESX) connects. HyTrust does this by acting as a mechanism to enforce mandatory access controls with much more granularity than the current virtualization management tools. The HyTrust appliance runs as a virtual appliance inline between your management consoles, such as the Virtual Infrastructure Client and Secure Shell, and the VMware vCenter server. At this time HyTrust uses its own roles and permissions and is not tied into VMware vCenter.
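To make concrete the two checks the Catbird description above relies on (is this VM on a portgroup it is allowed on, and have the virtual switch or portgroup security settings changed), here is an added example that is not code from the post or from any of the products it names. The snapshot format, VM and portgroup names, and the policy are all constructed for the example; the three settings are the standard vSwitch/portgroup security policies.

```python
# Added example, not code from the post or from any product it names: a
# baseline check of the kind the post says virtual-network IDS/IPS tools do,
# run over a constructed inventory snapshot of one ESX host. VM/portgroup
# names and the policy are made up; the three settings are the standard
# vSwitch/portgroup security policies (False = "Reject", True = "Accept").
from dataclasses import dataclass

REJECT_ALL = {"promiscuous": False, "mac_changes": False, "forged_transmits": False}

# Policy: portgroups each VM may attach to, and expected settings per portgroup.
ALLOWED_PORTGROUPS = {"web01": {"DMZ"}, "db01": {"Production"}, "desk01": {"VDI"}}
BASELINE_SECURITY = {pg: dict(REJECT_ALL) for pg in ("DMZ", "Production", "VDI")}

@dataclass
class Finding:
    severity: str
    subject: str
    detail: str

def check_snapshot(vm_portgroup, portgroup_security,
                   allowed=ALLOWED_PORTGROUPS, baseline=BASELINE_SECURITY):
    """Compare a host snapshot with the baseline and return a list of Findings.
    vm_portgroup:       {vm_name: portgroup_name} as currently configured
    portgroup_security: {portgroup_name: {setting: bool}} as currently configured
    """
    findings = []
    # 1. Placement: a VM on a portgroup it is not permitted on is the case in
    #    which the post describes the IPS rejecting that VM's traffic.
    for vm, pg in sorted(vm_portgroup.items()):
        permitted = allowed.get(vm)
        if permitted is None:
            findings.append(Finding("medium", vm, "not covered by policy"))
        elif pg not in permitted:
            findings.append(Finding("high", vm, f"on '{pg}', allowed {sorted(permitted)}"))
    # 2. Drift: any portgroup security setting that differs from the baseline.
    for pg, settings in sorted(portgroup_security.items()):
        for name, expected in baseline.get(pg, {}).items():
            if settings.get(name) != expected:
                state = "Accept" if settings.get(name) else "Reject"
                findings.append(Finding("high", pg, f"{name} is now {state}"))
    return findings

# Constructed snapshot: db01 was moved onto DMZ; promiscuous mode enabled on VDI.
SNAPSHOT_VMS = {"web01": "DMZ", "db01": "DMZ", "desk01": "VDI"}
SNAPSHOT_SECURITY = {"DMZ": dict(REJECT_ALL), "Production": dict(REJECT_ALL),
                     "VDI": {**REJECT_ALL, "promiscuous": True}}

if __name__ == "__main__":
    for f in check_snapshot(SNAPSHOT_VMS, SNAPSHOT_SECURITY):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

Against a real host the two input dictionaries would be filled from the host's inventory rather than constructed inline; the comparison logic is unchanged.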
There are more tools becoming available every day to help protect your physical network, your virtual network, and the interfaces between them. However, how this will be protected in the future depends quite a bit on how virtualization hosts implement SR-IOV and other technologies such as VMsafe. When SR-IOV, Unified Fabrics, and VMsafe are combined, there is a need for a new network security model. If you expand virtualization into the cloud, this new model will be very important.