Virtualization Security – Part 1 – Hardening Virtual Machines


So you’re thinking of virtualizing your infrastructure, or already have. Whether it’s a datacenter consolidation project, a VDI initiative, or something smaller like a test lab implementation, some of the same rules apply when it comes to hardening or locking down the virtual environment.

To start, keep in mind that no environment is completely secure, but there are many things you can do to make the systems more secure.

Since most of you are working with VMware products, this blog focuses on their software but much of the following information can be applied towards the other vendors as well.

I will be breaking up this virtualization security blog into 5 sections: Hardening Virtual Machines, Hardening the Service Console, Host level Security, Virtual Center Security and thoughts on virtualization security.

There’s a lot to be written about this topic but here are the cliff notes.

Lock down virtual machines as you would physical machines.  A virtual machine is, in most respects, the equivalent of a physical server.  The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system.  Therefore, it is critical that you employ the same security measures in virtual machines that you would for physical servers. 

Ensure that antivirus, antispyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure. Keep all security measures up-to-date, including applying appropriate patches. Also consider using VMware’s Update Manager and its remediation tool to make sure your virtual machines are in compliance.

Disable and disconnect system components that are not needed to support the application or service running on the system. Stop unnecessary services and disconnect virtual hardware that is not needed.

Deploy new virtual machines from a hardened base operating system image template (with no applications installed), so you can ensure that all your virtual machines are created with a known baseline level of security.  

Isolate virtual machine networks. Any virtual machine or group of virtual machines connected to a common network can communicate across those network links and can still be the target of network attacks from other virtual machines on the network. You should apply network best practices to harden the network interfaces of virtual machines. Isolate sets of virtual machines on their own network segments to minimize the risks of data leakage from one virtual machine zone to the next across the network. Maintain separate physical network adapters for virtual machine zones by creating a separate virtual switch for each one. Set up virtual local area networks (VLANs) to help safeguard your network.

Do not use non-persistent disks.  The security issue with non-persistent disk mode is that attackers may undo or remove any traces that they were ever on the machine with a simple shutdown or reboot. Once the virtual machine has been shut down, the vulnerability used to access the virtual machine will still be present, and the attackers may access the virtual machine in the future at a time of their choice. The danger is that administrators may never know if they have been attacked or hacked. 
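The two checks above that live in a VM's configuration file (unneeded virtual hardware and non-persistent disk mode) can be audited offline. The following Python sketch is an added example, not part of the original post or a VMware tool; the sample .vmx text is constructed, and the list of "unneeded" device types is an assumption to adjust per workload.

```python
import re

# Constructed sample .vmx content for illustration (not from a real host).
SAMPLE_VMX = '''\
displayName = "web01"
floppy0.present = "TRUE"
serial0.present = "FALSE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.present = "TRUE"
scsi0:1.mode = "persistent"
'''

LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
# Assumption: the guest workload needs none of these device classes.
UNNEEDED = ("floppy", "serial", "parallel", "usb")

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return a sorted list of (device, finding) tuples for one .vmx file."""
    cfg = parse_vmx(text)
    findings = []
    for key, value in cfg.items():
        dev, _, attr = key.rpartition(".")
        present = cfg.get(dev + ".present", "").upper() == "TRUE"
        if attr == "mode" and present and "nonpersistent" in value.lower():
            findings.append((dev, "non-persistent disk"))
        elif attr == "present" and present and dev.startswith(UNNEEDED):
            findings.append((dev, "unneeded device present"))
        elif (attr == "devicetype" and present and value.lower().startswith("cdrom")
              # Assumption: a missing startConnected key is treated as connected.
              and cfg.get(dev + ".startconnected", "TRUE").upper() == "TRUE"):
            findings.append((dev, "CD-ROM connected at power-on"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_vmx(SAMPLE_VMX))
```

Run it against the .vmx files of a hardened template and of deployed machines to spot drift from the baseline.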

Continued in Part 2, “Hardening the Hypervisor’s Management Console”.
