Sergey Nivens - Fotolia
Virtual machines and the data inside of them can hold significant information, so security is key. Sometimes all it takes to cause a data breach is for the intruder to snapshot the VM, copy the virtual disk and access the virtual disk file. Encryption, access restrictions within vCenter and other choices will help to limit those attacks and secure virtual machines.
Security is such an important aspect of IT these days, I believe it is important to review some practices that can be used for keeping your environment secure, including those that can help prevent your virtual machines from being stolen. This is not an all-inclusive list; rather is a place to start when protecting your virtual environment. IT security is constantly evolving to meet the latest threats, so being vigilant and adaptable is an absolute necessity.
Guard access to the server console
Using Putty or WinSCP is a method to connect to an ESXi host remotely, typically using secure shell (SSH). It is important to restrict direct access to the ESXi server as much as possible.
In order to have a strong security profile, carefully manage SSH access to your host server's console. Make sure that SSH service is stopped on your ESXi hosts. If you must enable SSH, do so only as long as is required, then stop the service as soon as you are done using it.
Starting the SSH service on your ESXi host will automatically modify your ESXi host firewall to open up port 22 for incoming connections. By default, the firewall setting allows all addresses. From an ease-of-use perspective that is great, but from a security perspective, you are giving away the keys to the kingdom, which is a terrible idea. A better practice is to modify the ESXi firewall on your host to only permit access from the IP address that actually requires it. Once SSH connections are no longer needed, stop the service and verify that the firewall is no longer allowing connections via port 22.
Verify that port 22 is not opened by attempting to telnet or use another port scanning tool.
Protecting your local accounts is another basic step in attaining secure virtual machines. ESXi hosts have local accounts used for access to the server and, thus, they could be exploited for access.
- Use strong passwords for your local accounts.
- Protect your passwords, as well as have a policy for frequent changes to the passwords, lest they become compromised. Once you have a password policy in place, make sure to follow it.
Putting up more walls could also come in handy when securing your data. When the Roman army laid siege to the city of Jerusalem in A.D. 70, the Romans had to break through multiple strong walls to get access to the city, thus greatly extending the time required for them to capture it. Do the same for your virtual environment -- make it difficult to get to.
Don't rely on a single firewall to adequately secure virtual machines. The more barriers and levels of access you put between your environment and those determined to compromise it, the better. Penetration testing can be an effective method to test whether your security systems are as robust and effective as you think they are. Use the results to fortify your environment.
Restrict access to physical media
It's incredible how much data can now be stored on a USB device no bigger than a postage stamp. These small storage devices have truly become a great tool for many of us. Yet, they also expose us to the ease of someone stealing a VM on something small enough to fit on a key fob. Today, there are various security options that can restrict access to USB ports and CD/DVD drives at the desktop level. These restrictions may seem a real inconvenience at first, but considering the amount of data (including entire virtual machines) that can be copied to media and stolen, the price of inconvenience becomes very small indeed. Consider restricting or even eliminating the use of USB ports in your enterprise as a necessary security measure.
Keep your environment clean
A messy virtual infrastructure is much harder to secure than a tidy one. If you were like most teenagers, your bedroom got pretty messy and it was hard to locate things. Likewise, a cluttered virtual environment makes it harder to identify when something is amiss.
- Remove old snapshots once they are no longer needed.
- Decommission servers and appliances that are no longer needed. This falls into the category that I call "Take Away the Target." By decommissioning -- or moving to offline storage -- older machines that may have legacy or unencrypted data, you can reduce your overall vulnerability.
An out-of-date environment is a more vulnerable target to intrusion and theft. As was reported earlier this year, even the ubiquitous OpenSSL can have vulnerabilities. VMware has responded to this vulnerability and issued patches to address it in their products.
In order to avoid setbacks, stay up to date on vulnerabilities. This should not be limited to VMware products, as the OpenSSL issue clearly illustrates. Monitoring security bulletins can go a long way toward being proactive in keeping your infrastructure secure.
Sign up for VMware's Security Advisory notifications, which can help keep you up to date on security issues and fixes. Keeping current on what patches are available can help you stay ahead of the curve by deploying security patches in a timely manner.
Also, make sure to follow security best practices, such as replacing the default SSL certificates from VMware with properly issued Certificate Authority signed SSL certificates, and keep them current.
Education is one of the best tools you have to secure virtual machines. Stay current on vulnerabilities not only pertaining to VMware, but to all the levels in your environment. Keeping a broad perspective of security and taking proactive steps to implement security improvements will go a long way toward keeping your valuable data safe and out of the wrong hands.
Securing virtual machines in the cloud
Keeping virtual machines secure