As with any server, security is a key issue for servers supporting hypervisors and a variety of virtual servers. Unlike tools for securing physical servers, however, tools for virtual security are still developing.
There are three major tools available to implement some form of virtual security (VirtSec) for VMware installations specifically: vmSight’s suite offers policy enforcement, monitoring and reporting; Bluelane’s VirtualShield blocks code that exploits known security and OS flaws; and Catbird’s V-Security—billed as an all-in-one solution for hypervisors, VMs and VM-sprawl management. VMware has also promised to provide additional security in the form of its VMsafe products which are, unfortunately, not yet available. Do these tools provide increased security?
vmSight is not a security protection tool, but a compliancy auditing tool. It provides insight into whether or not virtual machines are being accessed and used according to the compliancy model configured within the tool. With the increasingly complex compliancy requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the credit-card companies’ Payment Card Industry Data Security Standard, and the Gramm-Leach-Bliley Act, vmSight is a welcome tool to the field.
Bluelane’s VirtualShield provides a firewall-like device that sits between two virtual switches in order to monitor all and correct, if necessary, any traffic destined for the protected VMs.
Catbird’s V-Security provides virtual intrusion detection and prevention system (IDS/IPS) as well as the network access control, and a vulnerability assessment tool for the physical or virtual machines. It does this by using an IDS/IPS system and an agent that run’s within the physical or virtual machine to be protected.
Yet all these tools require a necessary evil in order to provide this protection — the ability to sniff all traffic on the vSwitches to which they are connected.
In order to do this, the basic security stance of a VMware ESX host must be altered by allowing portgroups with no VLAN ID to make connections using Ethernet adapters in promiscuous mode. That feature is normally disabled as a security measure.
Unlike a physical switch, which can lock down this type of behavior port-by-port, enabling that function for one port does so for others as well. Bluelane alternatively opens up a secondary vSwitch which limits vMotion capability and provides yet another place to put VMs which can bypass VirtualShield’s protection.
Unfortunately, there is nothing currently within VMware Virtual Infrastructure 3 that prevents another VM from being placed on the now unprotected portgroup or vSwitch either accidentally or purposely.
That would leave a VM exposed to disgruntled users or hackers, who could then sniff all the traffic on the vSwitch and this could and will lead to further attacks against the virtual network, virtual, and physical machines attached to the vSwitch and perhaps the network.
It is trivial, with this additional capability, to maliciously gain access to login credentials, credit card numbers, used over web pages, classified documents, and other bits of private data that are valuable in themselves, and can often be used to gain further access into a company’s files.
These tools while trying to increase security could place VI3 further at risk.
The real protections should be lower down, and port level controls should be made available on the vSwitch in order to protect against malicious or accidental use of security sensitive portgroups.
VMware’s security specialists should be thinking in this direction as VMSafe products are developed. Until this happens, use of such tools requires extensive monitoring to see if anything is out of the ordinary — automated monitoring that does not currently exist.
What these security tools do is offer auditing reports that are sorely needed. But users should also be aware that using them unwisely can increase risk at the same time.
Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.