Securing a vSphere infrastructure requires cooperation from the virtualization and security teams to identify where the threats with virtualization lie and how to address them.
Virtualization-specific security tools and policies can make your vSphere deployment safer than physical hardware, said Mike Foley, senior technical marketing manager for security at VMware, during his 2013 New England VTUG presentation, "Protecting your virtual infrastructure: Virtualization security for the IT guy."
Why the old security ways don't work
As the data center has transformed, so have security needs. Just surrounding a virtual infrastructure with a firewall won't strengthen security, and it leaves "a mess of cabling" to compensate for the inflexible methodology. When you apply traditional security tactics to virtual infrastructures, insider threats remain a liability, and anti-malware security in the OS and applications proves ineffective and complicated for protecting the whole infrastructure, Foley said.
Don't just apply security practices willy-nilly.
Better vSphere security comes from policy-based implementation, Foley said, calling virtualized security "a built-in, not bolt-on, approach" to protecting users and the infrastructure.
VMware's vCloud Networking and Security (vCNS), formerly the vShield suite, lets users segment virtual machines into zones, then apply policies to these VMs. So, for example, that could isolate a company's engineering and finance departments. With security rules and data loss violation alerts in vCNS, IT increases security visibility into the infrastructure, Foley said.
Beyond vCNS, VMware security updates include a new firewall engine in vSphere 5.x that is not based on iptables. Also, thanks to ESXi shell updates, "Active Directory log-ins are essentially root accounts with vSphere 5.x," Foley said. You can add ESXi hosts to an Active Directory domain and use those AD credentials as a user account.
Virtual security is operational -- while you can create a "security meltdown" more easily in the virtual infrastructure than in the physical world, Foley said, you can catch that vulnerability in an instant. He offered some tips on creating a more secure virtualization environment.
Virtual infrastructure security don'ts
- Don't treat the virtual infrastructure with physical infrastructure policies.
- ESXi servers are not UNIX servers. Don't act upon the UNIX shell as if it is an OS.
- Your control pane for virtualization is the door to your virtual infrastructure. Don't leave it unlocked by hosting it on the Internet or the building's LAN.
- Don't give everyone super-admin privileges. For maximum security, have a few employees with a shared password and different sign-in paths, but for decent security, just make sure to assign super-admin privileges to two or three employees.
- Don't have humans manually complete tasks that can be automated. You can run one command and complete a time-sucking task. Not only does this free up the admin for other tasks and avoid so-called fat-finger disasters, you can even generate a report file on the action for review by the security team.
In terms of automation, Foley recommended that VMware admins start using VMware Orchestrator now, calling it "crucial for the future." The free vCenter workflow automation add-on works with multiple vCenter instances, but security-minded admins will appreciate that it limits permissions by task and enables approval levels. For example, junior admins can create a workflow in Orchestrator, but a senior admin must sign off on the work before it goes into the production environment.
Cultural change still a challenge
But overcoming technical hypervisor security challenges is only half the battle. Security teams can hold up innovative virtualization technologies -- such as VMware Storage vMotion -- because of work silos and outdated policies.
"No one told the security guy that he's part of the virtualization group," said Foley, explaining that storage admin, desktop admin, systems admin and other IT roles long ago accepted that virtualization broke down their silos in many ways.
Despite the maturity of virtualization in IT shops, Foley said, VMware still gets asked the question, "How can I trust the hypervisor?" Foley recommends that vSphere admins sit down with their company's security team and review the vSphere Hardening Guide, a spreadsheet of security options for the components that comprise vSphere. Infrastructure management and security will improve if both sides understand what settings will do and what could break in a given scenario. "Don't just apply security practices willy-nilly," Foley said.