Thursday, February 21, 2013

Virtualization Deployment Planning and Security

Virtualization is a hot button issue right now and everyone is jumping in feet first, but just because it is new doesn't mean you should install it in your data centers tomorrow. Yes, virtualization could save the federal government up to $30 billion by 2015 (as reported by MeriTalk), and yes, VMware-sponsored research shows significant decreases in operational expenses for those that adopt virtualization technologies. Virtualization could save you a lot of money, which is always nice for strained IT department budgets.

But, without a plan, without identifying risks, and without the proper knowledge at your disposal, none of those savings will ever materialize.

Planning and Identifying Risks

By planning, I don't just mean deciding between Microsoft Hyper-V and VMware ESXi. Virtualization brings a whole new set of risks and security concerns that need to be worked through. If you don't consider these risks and plan for them, your virtualization implementation will fail, or worse, appear to succeed until it is hacked to pieces by a passing script kiddie.

By far the most significant risk in a virtual environment is the consolidation of many servers onto one physical host, where a single point of failure becomes the new linchpin of your operation. Imagine, for a moment, that an attacker manages to socially engineer one of your admins' passwords or uses one of those exploits you've been meaning to patch, and then takes a nice stroll through your hypervisor. What will he or she find? With access to the host layer, an attacker can read the guest operating systems' virtual disk files and memory directly, take the guests over through their consoles, or copy them off for offline analysis, all without ever logging into a guest.

Secondary to the security risk is the operational risk of consolidated servers. What if that shiny new server you just purchased fails on you due to a faulty install or a manufacturing defect? What happens to all the virtual servers you just lit up? They all die, with all the business applications on them. Sure, you'll be able to get them back up pretty quickly on a different server (that is the power of virtualization, right?), but the business owners will not be pleased with the loss of availability and the SLAs you may have missed.

Solutions

Virtual machines require the same sort of security as physical machines, including separation where required. It's also important not to over-virtualize: creating new virtual machines when current servers could easily handle the additional functionality. Just because it is easy to clone a new machine doesn't mean you always should; the more operating systems in a network environment, the more chances for one to be configured incorrectly or fall out of date.

As you can see, controls over virtualization are similar to traditional security controls, just with a little twist:

  • Control change - only designated virtual machine administrators should be adding, creating or modifying virtual machines (even test machines should be controlled appropriately).
  • Put standards in place (such as policies and procedures) - all virtual machines should be created from the same approved baselines, and they should be maintained to the same standards throughout their business life.
  • Physical separation - virtual machines on the same host can talk to each other through the host's virtual switch without ever touching the physical network, so the firewalls and segmentation between your tiers may not apply to them even when the physical network is configured properly; i.e., putting your DMZ and your back-end database in the same host isn't a good idea (check out some research describing hacks through vSphere 5.0 to the host - Aidan Finn has a nice summary here).
  • Segregation of duties - determine how to handle segregation of duties between system administrators, security administrators, developers and users. Virtual environments, if configured improperly, can allow any one of these groups to potentially gain access to data they shouldn't.
  • Monitor, monitor, monitor - can't stress this enough. Make sure the right tools are in place to ensure all communication is monitored. Virtual infrastructures allow for the creation of virtual networks that never leave the host, so a physical tap or IDS on the wire never sees that traffic. These networks still require firewalls, sniffers, intrusion detection, etc. Virtual monitoring tools (or a mirror port on the virtual switch feeding a sensor) need to be in place on every host to ensure you know what is going on between your servers.
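The separation, baseline and monitoring controls above are the kind of thing worth checking automatically against an inventory export rather than by eye. The following is an added example written for this post, not code from the original article or from any vendor: it audits a hand-constructed inventory (hypothetical host, VM and switch names, shaped like what PowerCLI or the Hyper-V cmdlets would return) for DMZ/internal zones sharing a host, VM-to-VM paths on a virtual switch that no sensor can see, virtual switch security policies that let a guest sniff or spoof its neighbours, and machines that drifted from the approved baseline.

```python
"""Audit a virtualization inventory against the host-separation, baseline and
monitoring rules above.  The inventory below is constructed for this example
and is not data from any real environment; all names are hypothetical."""
from collections import defaultdict

# Constructed sample inventory: which host each VM runs on, the virtual
# switch it is attached to, its network zone, and the build baseline it came from.
INVENTORY = [
    {"vm": "web01",  "host": "esx-a", "vswitch": "vSwitch0", "zone": "dmz",      "baseline": "gold-2013q1"},
    {"vm": "db01",   "host": "esx-a", "vswitch": "vSwitch0", "zone": "internal", "baseline": "gold-2013q1"},
    {"vm": "app01",  "host": "esx-b", "vswitch": "vSwitch1", "zone": "internal", "baseline": "gold-2012q4"},
    {"vm": "app02",  "host": "esx-b", "vswitch": "vSwitch1", "zone": "internal", "baseline": "gold-2013q1"},
    {"vm": "test01", "host": "esx-b", "vswitch": "vSwitch1", "zone": "test",     "baseline": None},
]

# Constructed virtual switch settings.  Promiscuous mode and forged transmits
# are the standard vSwitch security policy knobs; mirror_to_sensor records
# whether a mirror port feeds an IDS, since intra-host traffic never reaches
# a physical tap.
VSWITCHES = {
    ("esx-a", "vSwitch0"): {"promiscuous": True,  "forged_transmits": True,  "mirror_to_sensor": False},
    ("esx-b", "vSwitch1"): {"promiscuous": False, "forged_transmits": False, "mirror_to_sensor": True},
}

APPROVED_BASELINE = "gold-2013q1"
# Zone pairs that must never share a physical host (the DMZ / back-end rule).
FORBIDDEN_COLOCATION = {frozenset({"dmz", "internal"})}


def zone_colocation_findings(inventory):
    """Hosts carrying two zones that policy says must be physically separated."""
    zones_by_host = defaultdict(set)
    for vm in inventory:
        zones_by_host[vm["host"]].add(vm["zone"])
    findings = []
    for host, zones in sorted(zones_by_host.items()):
        for pair in FORBIDDEN_COLOCATION:
            if pair <= zones:
                findings.append((host, tuple(sorted(pair))))
    return findings


def unmonitored_intra_host_paths(inventory, vswitches):
    """Groups of VMs on the same host and virtual switch whose mutual traffic a
    physical IDS cannot see, on switches with no mirror port to a sensor."""
    vms_by_switch = defaultdict(list)
    for vm in inventory:
        vms_by_switch[(vm["host"], vm["vswitch"])].append(vm["vm"])
    findings = []
    for key, names in sorted(vms_by_switch.items()):
        if len(names) < 2 or vswitches.get(key, {}).get("mirror_to_sensor"):
            continue
        findings.append((key, tuple(sorted(names))))
    return findings


def weak_vswitch_policies(vswitches):
    """Switches where promiscuous mode or forged transmits are allowed; the
    first lets a guest sniff its neighbours, the second lets it spoof them."""
    return sorted(key for key, pol in vswitches.items()
                  if pol["promiscuous"] or pol["forged_transmits"])


def baseline_drift(inventory, approved):
    """VMs, test machines included, not built from the approved baseline."""
    return sorted(vm["vm"] for vm in inventory if vm["baseline"] != approved)


def hardened_policy():
    """The virtual switch security policy a new host should be built with,
    as the corrected counterpart to the weak settings flagged above."""
    return {"promiscuous": False, "forged_transmits": False,
            "mac_changes": False, "mirror_to_sensor": True}


if __name__ == "__main__":
    print("zone colocation:", zone_colocation_findings(INVENTORY))
    print("unmonitored intra-host paths:", unmonitored_intra_host_paths(INVENTORY, VSWITCHES))
    print("weak vswitch policies:", weak_vswitch_policies(VSWITCHES))
    print("baseline drift:", baseline_drift(INVENTORY, APPROVED_BASELINE))
    print("target policy:", hardened_policy())
```

On the sample data this flags esx-a for mixing DMZ and internal guests, flags vSwitch0 on esx-a both for allowing promiscuous mode and forged transmits and for carrying web01/db01 traffic that no sensor sees, and flags app01 and test01 as off-baseline. Feeding it a real export from your management tooling is the assumption; the checks themselves are the same.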

Conclusions

Virtual infrastructure needs to be understood by everyone (security admins, system admins, developers, and management) so that all of them understand how its risks differ from those of physical servers. Once everyone understands the risks, the proper preventive and detective controls need to be put in place to provide the same level of security as with physical servers.

This post was inspired by an ebook article at SCMagazine.com called Virtualization, posted January 24, 2013 (find the original posting here).
