Print
Close Window
From: www.itworld.com
5 tips to audit and improve virtual server security
May 13, 2008 —
On the surface, security
questions surrounding virtual servers don't seem much different than those
for the physical machines on which they run. In fact, starting a virtual security
audit by keeping in mind what you've already learned in the physical world is
an excellent approach. Security analysts say the same practices, principles
and basic common sense apply for a group of virtual servers as for any physical
server farm. But, IT managers also need to factor in some additional considerations,
due to the unique characteristics of the virtual world.
One example: software can be deployed so much more quickly using virtual machines
that some steps in the typical provisioning process may have been eliminated,
says Paul Love, director of information security at Standard
Insurance in Portland, Ore. That, in turn, requires IT departments to make
sure the necessary controls and oversight are in place, with the truncated time
frame in mind.
"With virtual machines, it's very helpful to pay attention to the actual
configuration of the system," Love says. "You need to really have
a stable build so that when you deploy a thousand versions of it, they all meet
management's requirements for what controls should be in place."
When Love's team audits security for its virtual server environment, it doesn't
introduce new steps so much as extend the ones it already has for physical servers,
Love says. That includes looking at the interactions among systems and ensuring
that the operating system on which the virtual machine runs is secure and encounters
no "configuration drift."
"We have to work very closely with change management," Love says.
As background research for auditing and improving your virtual security, you
may want to consult guidance for securing virtual server environments that's
available from the Center
for Internet Security, the Defense
Information Systems Agency and virtual server leader VMware.
"They [IT leaders] need to read these guides and come up with a summary
set of lock-down and hardening policies that are customized for their environments,"
says Nand Mulchandani, senior director of product management and marketing at
VMware.
"If you just do that one thing, you will be vastly more secure and safe."
Virtual security tools can also help, but analysts warn clients to first consider
the products they already use before buying new ones specifically designed for
virtual servers. There are already 10 to 15 vendors offering VM-specific security
tools, and that figure will probably rise to 30 by year's end, says Chris Christiansen,
an analyst at IDC (a sister company to CXO media).
Consider this five-step checklist when securing a virtual server environment:
1. Conduct a full risk assessment to understand how resources have been separated
and aggregated.
"Don't forget what you've learned about risk management and configuration,"
advises Pete Lindstrom, an analyst at Burton
Group. "There's not a whole lot that has changed drastically, except
it's sort of mind-expanding to consider the notion that a physical host has
an entire network segment sitting inside it. That means you need to evaluate
the configurations of the virtual machines themselves. Do that the same way
you do any other configuration audit."
2. Validate the process for creating, deploying, managing and making changes
to virtual machines.
This is particularly important now that steps such as procuring hardware, loading
the operating system, testing and arranging for rack space are no longer required,
says John
Pescatore, an analyst at Gartner.
"It's very important that virtual machines don't necessarily belong to
one group within an organization," adds Standard Insurance's Love. "From
a security standpoint, it helps having a dialog with the people administering
the systems and the network group to understand what's changing in the virtual
environment."
Citing an example of a potential problem, he adds, "You could have a virtual
machine come up and be taken offline before you run your scans."
3. Securely configure the virtualization layer and keep patches up to date.
"Read the hardening guidelines as a starting point to develop a baseline
and then audit against that to ensure the security of the virtualization layer
hasn't drifted," advises Neil
MacDonald, an analyst at Gartner. Tools from vendors such as Configuresoft
and Tripwire can help
with configuration, MacDonald says.
4. Secure the internal virtual switch inside the virtual server. Weigh the
need for additional controls such as a virtual firewall or virtualized intrusion
protection system.
"You have to pay attention to how your VMs are communicating with each
other and with the outside world, and that means through the virtual switch
infrastructure on the physical box," said Lindstrom. "You have to
pay attention to the configuration of those switches and the movement of traffic
and the accessibility to that traffic, from VM to VM and from VM to external
devices."
5. Exert tight controls on access to the service console and management tools
You want to thoughtfully control access to consoles and tools such as VMware's
VMotion and Virtual Center, and their equivalents in other environments. Best
practice calls for management tools to run on a separate network.
"This will make sure the virtual machine cannot snoop into the traffic
that your management console is having with the servers to control them,"
says VMware's Mulchandani. "It's almost like tapping into someone else's
phone."
"Most security problems in the virtual world will be introduced through
misadministration, mismanagement or just plain old mistakes," says MacDonald.
"The fact that we have to use different tools in the physical world than
in the virtual world compounds that problem."
For a further examination of security risks that may be hiding in your virtualized
environment, see How
to Find and Fix 10 Real Security Threats on Your Virtual Servers.
CIO.com