Hypervisor security requires constant diligence to prevent systems from being compromised. By considering security measures at each level of your virtual infrastructure, you will be well on your way to reaching the goals of confidentiality, integrity and availability.
Three goals for IT security
The information security industry uses the CIA acronym -- confidentiality, integrity and availability -- for guiding information security decisions, which can be helpful for virtualization administrators trying to tighten up their data centers.
Confidentiality means making sure that the right people see the right information, and not any more than that. It also excludes unauthorized people from seeing what they shouldn't. For example, an employee needs to see his or her paychecks and tax forms, but the person in the cube next to that person shouldn't necessarily have that access.
Integrity refers to the level of trust in your data. In this context, integrity does not concern the meaning of the data but rather preventing the data from being changed in an unauthorized manner.
Availability means being able to get the data we need, when we need it. Our systems and data need to be available when we require them, despite the variety of factors that could make them unavailable. This includes everything from physical access, business continuity and disaster recovery, and hardware redundancy to prevention
Map out the environment
One of the most important first steps to take when securing your infrastructure is to map out as broad a picture as possible of your entire environment. Using the Maps feature in vCenter is a good start, but you should also include the devices beyond that, especially routers, firewalls, DMZs, external Internet-facing systems and the ports that they require.
Using tools such as NMAP can be a great aid in this. With this approach, you can focus first on the easiest items to secure. This map can be your guide to how potential threats could access your systems, thus revealing areas that need better security.
The risk of not using a map is that you may focus so strongly on one small aspect of security that you miss a glaring security hole. In addition, use the security resources that VMware provides, such as their Hardening Guide spreadsheets and PDF documentation. Following these will help you implement best practices from a security perspective.
When mapping your infrastructure, it helps to imagine who would want to compromise your system, either maliciously or not, and then beat them to the punch. By figuring out the potential attacker's likely target, you can either remove it or make it much more difficult to hit. Trying to think like your adversary gives you a huge advantage in properly securing your virtual environment.
Use layers to prevent access
Keeping your environment secure should be thought of as many layers of security, not a single steel vault. The more layers intruders have to pass through to access your systems and data, the more likely you are to catch them.
For example, having multiple firewalls and access controls located at strategic points, including down to the host and file level, is much more difficult to penetrate than a single firewall.
Steps to secure your virtual environment
Now that we know what our environment looks like, it's time to start locking it down.
- Understand the security settings on each ESXi host in your environment. This is very easy to do using the vCenter client. Simply select the host from the Inventory, then select the Configuration tab. Next, select Security Profile. Then check out the status of Services, Firewall and Lockdown Mode. Shutdown or disable any services that are not required. Study and learn how to use the built-in firewall. If it is appropriate, enableLockdown Mode. Following VMware's recommendations for best practices is a good starting point for keeping your environment secure.
- Harden your ESXi hosts and vCenter servers. Using the VMware Hardening Guide that matches your software versions is a good idea. It is imperative to continue to harden and apply patches to the systems (Windows, Linux) and applications (SQL, Oracle) that support your virtual infrastructure.
- Stay current on all patches and updates. Signing up for VMware's Security Advisories alert email and checking the Security Advisories & Certifications site is a great way to stay current with the latest vulnerabilities and apply patches in a timely manner.
- Strengthen your virtual machines. Be diligent with keeping up on patching and securing your guest virtual machines, as they are just as likely as your ESXi hosts to be a vulnerability target , if not more so.
- Use available security tools. VMware and other vendors understand the importance of security and are responding with an impressive array of software tools to meet the need. Spend time learning about how these applications can further strengthen and enhance your security.
This was first published in September 2013