Posted by: Beth Pariseau
Virtualization security, VMware
Update: A draft of Version 5 of the VMware Security Hardening Guide has been posted, which no longer recommends turning off the VIX API. Conundrum resolved.
Security-conscious VMware shops may encounter an issue when upgrading to Site Recovery Manager 5, which uses an API to reassign IP addresses to VMs during the disaster recovery process.
The vSphere 5 edition of VMware’s Security Hardening Guide is still in the works, but one blogger brought up a potential conflict between the API, called VIX, and a recommendation against enabling it in the Hardening Guide issued with vSphere 4.1.
“SRM now requires that the VIX API be enabled on all protected virtual machines that will have their IP changed during recovery,” according to the blog post by Michael Webster, a VMware Certified Design Expert and director of IT Solutions 2000 Ltd., a VMware consultancy based in Auckland, New Zealand.
Previously, users had the option of changing IP addresses without using the API, which is slower but considered more secure. “This has already caused me design problems in a number of customer environments,” Webster wrote.
However, enterprises that don’t require the highest security measures may not run into an issue, experts say.
Shannon Snowden, a consulting partner at New Age Technologies in Louisville, Ky., said he has yet to run across the problem despite having done several large-scale SRM deployments over the past few months.
“If it is of concern, we could most likely use a couple of scripts to enable it temporarily during the actual SRM event then disable it as a post-recovery step,” Snowden said. “Obviously, I would prefer to have the old way as an option along with the new faster way, instead of having to put together and coordinate scripts.”
While most companies probably won’t be impacted, the use of the VIX API to change the IP address of virtual machines (VMs) may be a problem for customers in government, research and finance industries, said Bill Hill, infrastructure IT lead for a Portland, Ore.-based logistics company. He doesn’t anticipate it will be a problem in his shop, but he can see where it might be for some.
“Ultimately, VIX allows for significantly more access to a virtual machine outside of just changing the IP address,” Hill said.
Other operations enabled by VIX include the ability to copy files from hosts to guests and guests to hosts, for example.
As an alternative to the API, IT pros may be able to use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to VMs according to MAC address, suggested VMware principal architect Duncan Epping in Webster’s blog’s comments.
But the environments that are concerned with VIX API may also disallow DHCP, according to Webster. “I think in a lot of environments block this at the switch and insist on static IP addresses.” he wrote.
Some applications for data conversion, PDF generation, and multi-factor authentication in Hill’s environment require static IP definition and therefore wouldn’t be able to use the DHCP workaround, he said.
One financial shop running SRM, South Africa’s Investec Bank, will avoid the VIX issue because its layer 2 domain is stretched, so IP addresses don’t have to be reassigned at all.
“If we do a test we actually isolate the environment completely and our VMs have the same IPs as they would have in production,” wrote Etienne Neethling, who administers SRM for the bank, in an email. “And if we had a real DR [situation], they would [also] stay the same.”
However, this approach comes with its own set of challenges, especially over distance.