Posted by: Eric Siebert
With all the talk about virtual security these days, you would think that people are actually addressing the concerns over security in virtual environments. However, many administrators resist implementing strict and proper security measures in their environments because of the administrative inconveniences that tighter security usually causes.
For example, the default settings of VMware ESX prevent users from using secure shell (SSH) to log into the server as the root user. Yet the first thing many users do is modify the SSH configuration to allow root access via SSH, because this is a more convenient way to log into the Service Console. The correct and more secure way to do it would be to set up a separate SSH user account and then use the su - command to gain root privileges. Xtravirt has published a good step-by-step guide on how to do this here.
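A check for the setting discussed above, as an added example that is not from the original post or from VMware: it reads an OpenSSH-style sshd_config file and fails unless PermitRootLogin is explicitly set to no. It goes slightly beyond the post by also flagging Match blocks that re-enable root login; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit PermitRootLogin in an OpenSSH-style sshd_config.
# sshd uses the first value it reads for a keyword; keywords are case-insensitive.

# Print the global PermitRootLogin value, or "unset" if it is not set
# before the first Match block (the default then depends on the sshd version).
global_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                 # end of the global section
        key == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print each Match block that sets PermitRootLogin to anything but "no".
match_overrides() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1) }
        key == "match" { in_match = 1; ctx = $0; next }
        in_match && key == "permitrootlogin" && $2 != "no" { print ctx " -> " $2 }
    ' "$1"
}

# Return 0 only if root login is explicitly "no" globally and in every Match block.
audit_root_login() {
    value=$(global_root_login "$1")
    overrides=$(match_overrides "$1")
    if [ "$value" = "no" ] && [ -z "$overrides" ]; then
        echo "PASS: root login over SSH is disabled"
        return 0
    fi
    echo "FAIL: global PermitRootLogin is '$value'"
    if [ -n "$overrides" ]; then echo "FAIL: override in: $overrides"; fi
    return 1
}

# Constructed sample: the commented-out "no" does not count, and the first
# uncommented value ("yes") wins over the later "no", so the audit fails.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' 'PermitRootLogin no' > "$sample"
audit_root_login "$sample" || true
rm -f "$sample"
```

On a host, pass the path of the live configuration file (typically /etc/ssh/sshd_config, an assumption about the install) to audit_root_login and act on a non-zero exit status.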
When you virtualize servers, you should follow extra security measures in addition to the standard ones that you would use for physical servers. Most importantly, the host system must be protected at all costs: if someone gains control of the host server, then all of the VMs that run on the host can be compromised. The Center for Internet Security (CIS) has published some security guidelines for ESX and virtual machines that I would recommend you read through and follow to ensure your environment is secure. Xtravirt has also put together a great security assessment template that you should look at.
Virtual networking is another critical area for securing virtual hosts. Virtual switches differ from physical ones and must be properly configured to ensure secure host and virtual machine network traffic. Often, simple recommendations like isolating Service Console and vMotion traffic are not followed, which creates unnecessary risk and exposure of your hosts.
Are you willing to risk losing your data? Data breaches can result in negative press exposure, lawsuits and fines. I would encourage everyone to please take security seriously. Security may cause some administration inconveniences and headaches, but these are a small price to pay to ensure that your servers, and more importantly your company's sensitive data, are well protected and safe.
To help you with this, I've included a list of some good virtualization security blogs and websites that you should check out:
- SearchServerVirtualization Security blog (various contributors)
- Rational Survivability (Christofer Hoff)
- VMware Security Blog (VMware)
- VMTN Security Community
- Security Focus
- Security Top 10 List and Security Links