Author Archives: spiv

Everyone talks about good design principles when it comes to securing network infrastructures. It doesn’t matter whether you are in a physical or virtual environment; these basic design principles apply. But in reality, especially in a virtual world, are they enough, combined with other techniques, to raise the bar in terms of security?

Design

Good Design

The above design is taken from VMware’s own best practice guidelines for good network design topology. I’m not going to discuss whether it is right or wrong. What I am asking is: is it right for you, and should you just copy it?

Should I Copy Designs?

Depends how good they are, I guess? But bottom line: NO NO NO, DON’T BE STUPID!
After all, would you leave your keys in your front door or give a shotgun to your kids to play with?
Plenty of people and organizations have been guilty of the above, even to the level of copying IP address information and default usernames and passwords.

If I had a dollar for every time I heard someone say isolate the management network or isolate this network, I would be a rich man. Isolation alone does not guarantee security. It can help for sure, but unlike the physical world, it only takes a few clicks to add a new virtual network interface to a server and, hey presto, you have just bypassed your firewall by linking your DMZ servers to your internal LAN.
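An added example (not from the original post or from VMware): a small audit that flags virtual machines whose NICs sit in more than one security zone, which is the firewall bypass described above. The inventory, port group names, zone labels and the approved-exceptions list are all constructed for illustration; in practice they would come from an export of your own management server.

```python
"""Flag VMs whose virtual NICs span more than one security zone."""

# Constructed sample data: port group names and zone labels are hypothetical.
ZONE_OF_PORTGROUP = {
    "pg-dmz-web": "dmz",
    "pg-internal-lan": "internal",
    "pg-mgmt": "management",
    "pg-vmotion": "vmotion",
}

# Constructed inventory: VM name -> port groups its vNICs are attached to.
INVENTORY = {
    "web01": ["pg-dmz-web"],
    "web02": ["pg-dmz-web", "pg-internal-lan"],  # dual-homed: bypasses the firewall
    "db01": ["pg-internal-lan"],
    "build01": ["pg-internal-lan", "pg-test"],   # port group nobody classified
    "fw01": ["pg-dmz-web", "pg-internal-lan"],   # the firewall itself
}

# VMs that are meant to straddle zones (e.g. a virtual firewall appliance).
APPROVED_MULTI_ZONE = {"fw01"}


def audit_vm(name, portgroups, zone_map, approved):
    """Return a list of findings for one VM (empty list means clean)."""
    findings = []
    zones = set()
    for pg in portgroups:
        zone = zone_map.get(pg)
        if zone is None:
            # An unclassified port group cannot be reasoned about, so report it.
            findings.append(f"{name}: NIC on unclassified port group {pg!r}")
        else:
            zones.add(zone)
    if len(zones) > 1 and name not in approved:
        findings.append(f"{name}: NICs bridge zones {', '.join(sorted(zones))}")
    return findings


def audit_inventory(inventory, zone_map, approved):
    """Return {vm_name: [findings]} for every VM with at least one finding."""
    report = {}
    for name in sorted(inventory):
        findings = audit_vm(name, inventory[name], zone_map, approved)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    result = audit_inventory(INVENTORY, ZONE_OF_PORTGROUP, APPROVED_MULTI_ZONE)
    for findings in result.values():
        for line in findings:
            print(line)
```

Run on a schedule and compared against the previous run, a report like this shows a newly added cross-zone NIC as a change rather than something found during an incident.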

Virtualization Security, VirtSec, Security Virtualization?

Slightly different things depending on your perspective. Virtualization isn’t necessarily any less or more secure than traditional physical infrastructure, though some people might differ! Because of its dynamic nature, virtualization just lends itself to becoming less secure, whether through lack of knowledge, the gung-ho approach taken to roll it out, or plain and simple mistakes combined with not enough awareness.

Surely if I have a firewall and install anti-virus and various other security measures I must be secure; it’s better than nothing, right? Not necessarily. In my opinion you will be giving yourself a false sense of security.

Know your Enemy and Risks

Ultimately, know your enemy and what your risks are. What are you ultimately trying to protect? If it is data, which invariably it is, where is it? How is it currently protected? And how valuable is it compared to the controls you need to put in place to protect it? When doing a risk analysis, work out the series of events that could occur, then evaluate how likely they are to occur and weight them. Going through this kind of exercise will prove invaluable later on and may turn up some interesting results that you may never have thought of.

Know what’s going on…

AUDIT, AUDIT and AUDIT some more. If you don’t keep an eye on what is going on in your virtual environment, you will never be able to provide adequate security measures to protect it. Don’t simply do this for a tick in the box for compliance. Do this because you need to drive security measures within your virtual environment and be able to provide accountability, not just lip service to the compliance auditors.


vsphere 4.1 whats new

Two researchers from North Carolina State University have developed software that they say can protect virtualization hypervisors from malicious “Blue Pill” rootkit threats.

“HyperSafe enables the hypervisor self-protection from code injection attempts,” said Xuxian Jiang, an assistant professor of computer science at NCSU.

Jiang, along with his PhD student Zhi Wang, developed the software, called HyperSafe, with funding from the U.S. Army Research Office and the National Science Foundation.

For the rest of this article please follow this link, blue pill.


The main concern I have for anyone searching for practical information about securing their virtual infrastructure is the amount of FUD that is out there. You only have to do a search on Google to know what I am talking about. Sure, the vendors themselves have very useful security hardening guides, but they are vendor-centric and often don’t give you a sense of relevance to your organization or needs. VMware’s latest vSphere 4.0 Security hardening guide is somewhat better than its predecessor, as it does try to give the reader a level of relevance in terms of controls as they might pertain to specific environments, e.g. a DMZ.

With this in mind I set out to write a short document that would hopefully impart to the reader practical advice on how to secure their virtual environment. You can check out the document at the following link (A Practical Guide to Securing Your Virtual Environment). If you like it, or even if you don’t, please let me know by leaving your comments below… (spiv)


We are pleased to announce that VMinformer v2.0.2 has now been released!

New Features

- Visual Storage Maps
- Virtual Machine Business Asset Tags
- Report filtering
- Virtual Center Policy Checks
- ISO 27001 Policies

To download the free community edition of the tool please visit the community registration page.


VMinformer webinar

March 23rd, 2010

This Thursday 25th at 2.00pm GMT we will be holding a 1 hour webinar on the “Truths and Myths of Virtualization Security”. The webinar will include a demo of VMinformer Enterprise v2.0.

To register please follow this link, vminformer.webex.com

If you are unable to attend, the webinar will be recorded so you can watch at a later date.


Putting all your eggs in one basket has never been a great idea – by not securing your virtual environment – you’re doing just that with your corporate data.

Without any security, your virtual host server isn’t far from being an open door – a direct route into your organisation for pretty much anyone with a little knowledge to access, compromise or corrupt every virtual machine you’ve got: not an appealing prospect!

It’s not impossible for the same thing to happen in a physical world, but most servers and PCs have some form of security layer in their build, however basic: there probably isn’t a network out there that doesn’t include IDS, Firewalls, DLP or Anti-Virus in some guise. It provides a minimum level of security against internal and external threats that just doesn’t apply in a new virtual infrastructure. Virtual machines’ lack of individual security provision means that unless it’s over-layered at the management level, they’re wide open to attack – in a way that most PCs or network devices aren’t.

But securing the virtual world isn’t all bad news: a brand new virtual deployment gives you a unique opportunity to implement security policies and procedures from scratch – using the latest technologies. That’s rarely possible in a physical network where legacy systems, multiple vendor solutions, anomalies and upgrades mean that policies and procedures can be difficult to implement and harder still to enforce or police.

Your hypervisor and management console are the gatekeepers to your whole virtual infrastructure, so not deploying some form of security solution to protect them isn’t an option; protecting them is a necessity – unless you like scrambled eggs!

This appeared in a VMware KB article back in August, but some of you may not have seen it. Basically, if you use a port scanner like Nmap and scan an ESX host, in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan, and it also highlights the fact that you should be isolating your VMotion network from general network traffic.

The original VMware article can be viewed here, KB1010672

Lab Security’s important, right? Well, so it may be – but when it comes to virtualisation, it’s not hard to get the impression that it isn’t being treated as seriously as it should be. I don’t know about you, but when I read about the take-up of virtualisation, the feeling of foreboding is not unlike seeing a five-year-old play with Daddy’s collection of Samurai swords – while nothing awful has happened yet, one can’t help thinking it’s a matter of when, not if.

More can be read at the following link:

http://www.theregister.co.uk/2009/12/15/virtual_server_security/