The Basics of Virtualization Security

Virtualization security is a critical part of a comprehensive security strategy. In today's environments, where most workloads are virtualized, virtualization security needs to be applied at every layer: physical, virtual and cloud. This article explains some of the key processes and configuration strategies you need to know:

Top virtualization security issues

External attacks

If attackers gain access to an ESXi host or to vCenter Server, they can reach every VM that host or vCenter manages, and they can create an account with administrator rights and use it over a long period to collect or destroy sensitive company data. vCenter is the management plane for the whole environment, so a compromise of vCenter is a compromise of everything it manages.

Keeping snapshots on VMs

Snapshots are meant to be retained for only a short time, such as the length of a patch window. A snapshot's delta disk keeps the guest's writes since it was taken, and a snapshot taken with memory also stores the contents of the guest's RAM, so attackers or malicious insiders with datastore access can collect credentials and data from old snapshot files, including data the running VM has since deleted.
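The following PowerCLI script, added here as an example rather than taken from the article, reports every snapshot older than a threshold and optionally removes them. It assumes PowerCLI is installed and that vcenter.example.com is your vCenter Server; both the hostname and the three-day threshold are placeholders.

```powershell
# Added example, not from the original article. Assumes VMware PowerCLI and a
# vCenter Server reachable as vcenter.example.com (placeholder name).
param(
    [string]$VIServer = 'vcenter.example.com',
    [int]$MaxAgeDays  = 3,      # snapshots are short-lived by design
    [switch]$Remove             # without this switch the script only reports
)

Connect-VIServer -Server $VIServer | Out-Null
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Collect every snapshot in the inventory that is older than the cutoff, oldest first.
$old = Get-VM | Get-Snapshot |
    Where-Object { $_.Created -lt $cutoff } |
    Sort-Object Created

$old |
    Select-Object @{N = 'VM';      E = { $_.VM.Name }},
                  Name, Created,
                  @{N = 'AgeDays'; E = { [int]((Get-Date) - $_.Created).TotalDays }},
                  @{N = 'SizeGB';  E = { [math]::Round($_.SizeGB, 1) }} |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($snap in $old) {
        # Keep -WhatIf until the report above matches what you expect,
        # then drop it to actually consolidate the snapshots.
        Remove-Snapshot -Snapshot $snap -Confirm:$false -WhatIf
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it on a schedule and send the report to the VM owners; a snapshot that must outlive the threshold belongs in a change ticket, not just left in place. Removing a large snapshot merges its delta disk back into the base disk and generates heavy I/O, so do it in a maintenance window.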

Sharing files between VM and host, or copy-pasting between host and remote console

By default, drag-and-drop file transfer between a VM and the host is disabled, and so is copy and paste between a VM and the remote console. These defaults can be overridden per VM through the VM's advanced settings (the isolation.tools.* options) or host-wide in the ESXi host's configuration file, but doing so is not recommended. An attacker who gains access to the VM console would be able to copy sensitive data out of the virtual environment or introduce malware into the VM.
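As an added example (not part of the original article), this PowerCLI script audits every VM for the isolation settings that govern copy, paste and drag-and-drop, and with -Enforce sets them explicitly. The vCenter hostname is a placeholder.

```powershell
# Added example, not from the original article. Assumes PowerCLI and a vCenter Server
# at vcenter.example.com (placeholder). Without -Enforce it only reports.
param(
    [string]$VIServer = 'vcenter.example.com',
    [switch]$Enforce
)

Connect-VIServer -Server $VIServer | Out-Null

# Per-VM advanced settings that control the guest<->console data paths. ESXi treats a
# missing setting as disabled, but an explicit value is what an auditor can verify and
# it stays in force if the .vmx is moved to a product whose defaults differ.
$expected = @{
    'isolation.tools.copy.disable'         = 'TRUE'   # guest -> client clipboard
    'isolation.tools.paste.disable'        = 'TRUE'   # client -> guest clipboard
    'isolation.tools.dnd.disable'          = 'TRUE'   # drag-and-drop file transfer
    'isolation.tools.setGUIOptions.enable' = 'FALSE'  # guest cannot flip these from inside
}

$report = foreach ($vm in Get-VM) {
    $settings = Get-AdvancedSetting -Entity $vm
    foreach ($name in $expected.Keys) {
        $setting = $settings | Where-Object { $_.Name -eq $name }
        $value   = if ($setting) { "$($setting.Value)".ToUpper() } else { $null }
        $ok      = ($value -eq $expected[$name])

        if (-not $ok -and $Enforce) {
            if ($setting) {
                Set-AdvancedSetting -AdvancedSetting $setting -Value $expected[$name] -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $vm -Name $name -Value $expected[$name] -Confirm:$false | Out-Null
            }
        }

        [pscustomobject]@{ VM = $vm.Name; Setting = $name; Value = $value; Compliant = $ok }
    }
}

# Only the deviations are interesting.
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Changes made this way are written to the VM's configuration and take effect the next time the VM is powered off and on, so a running VM that was deliberately opened up stays open until its next power cycle.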

VM sprawl

Another important security risk is the proliferation of VMs, often caused by developers or IT admins creating VMs for testing and failing to delete them once the test is over. VMs are so easy to create that IT teams struggle to track how many exist, and when and where they were deployed. As a result, these VMs are often left unpatched and unprotected; besides being easy targets for an attacker, they consume valuable hardware and other resources. Proper lifecycle management, conducted on a regular basis with VM inventory reporting, is the best way to control VM sprawl.
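An added example, not from the article: a PowerCLI inventory report that flags likely sprawl. It assumes a vCenter Server at vcenter.example.com and a custom attribute named Owner; both are placeholders, and the naming-pattern check should be adapted to your own conventions. It also reports VMs with outdated or missing VMware Tools, which ties in with the patching advice later in this article.

```powershell
# Added example, not from the original article. Assumes PowerCLI, a vCenter Server at
# vcenter.example.com, and a custom attribute named "Owner" that your inventory may
# not define; both are placeholders.
param(
    [string]$VIServer  = 'vcenter.example.com',
    [int]$StaleDays    = 30,
    [string]$ReportCsv = ".\vm-sprawl-$(Get-Date -Format yyyyMMdd).csv"
)

Connect-VIServer -Server $VIServer | Out-Null
$since = (Get-Date).AddDays(-$StaleDays)

$report = foreach ($vm in Get-VM) {
    $reasons = @()

    if ($vm.PowerState -eq 'PoweredOff') {
        # No power-off event inside the window means the VM has been off longer than
        # $StaleDays. vCenter keeps events for a limited retention period, so keep
        # $StaleDays below that limit or every powered-off VM will be flagged.
        $recentOff = Get-VIEvent -Entity $vm -Start $since -MaxSamples 1000 |
            Where-Object { $_ -is [VMware.Vim.VmPoweredOffEvent] }
        if (-not $recentOff) { $reasons += "powered off for more than $StaleDays days" }
    }

    # Names that usually mean "temporary"; adjust to your naming policy.
    if ($vm.Name -match '(?i)(^|[-_.])(test|tmp|temp|poc|old)([-_.]|$)') {
        $reasons += 'test/temporary naming'
    }

    $owner = (Get-Annotation -Entity $vm -CustomAttribute 'Owner' -ErrorAction SilentlyContinue).Value
    if ([string]::IsNullOrWhiteSpace($owner)) { $reasons += 'no Owner attribute' }

    $tools = "$($vm.ExtensionData.Guest.ToolsStatus)"
    if ($tools -in @('toolsOld', 'toolsNotInstalled')) { $reasons += "VMware Tools: $tools" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            VM         = $vm.Name
            PowerState = $vm.PowerState
            Folder     = $vm.Folder.Name
            Owner      = $owner
            Reasons    = ($reasons -join '; ')
        }
    }
}

$report | Sort-Object VM | Format-Table -AutoSize
$report | Export-Csv -Path $ReportCsv -NoTypeInformation

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The per-VM event query is slow on a large inventory; running the report nightly and diffing the CSV against the previous run is usually enough to catch VMs nobody owns before they go unpatched for long.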

Viruses, ransomware and other malware

VMs are vulnerable to many different kinds of attacks. One of the most common is ransomware, such as CryptoLocker. It's essential to maintain regular backups of your data off site, on storage the ransomware cannot reach and encrypt (offline or immutable copies); without such backups, you might have to pay the attackers for the decryption key. However, even with proper backup management, restoring many VMs is difficult and time consuming. Therefore, you should also train all users on a regular basis to minimize the risk of introducing ransomware.

Best practices for keeping your virtual environment safe

It's essential to follow general security best practices. In addition, here are some of the most important strategies for properly securing your virtual environments:

Use named users and least privilege

For day-to-day work, never log in to ESXi hosts directly as root; manage them through vCenter Server with named accounts, and consider enabling lockdown mode so that hosts accept management only from vCenter. Create named administrator users in vCenter Server and assign the Administrator role (or a narrower custom role) to specific users, so you can determine exactly which user logged in to which host and when, and hold them accountable for the changes they make to your environment.
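As an added example (not the article's own), the PowerCLI script below creates a scoped custom role, grants it to a directory group on one VM folder, and lists every principal that holds the full Administrator role. The server name, group name and folder name are placeholders, and the script assumes your AD domain is already configured as a vCenter identity source.

```powershell
# Added example, not from the original article. Assumes PowerCLI, a vCenter Server at
# vcenter.example.com, an Active Directory domain already added as a vCenter identity
# source, and a VM folder per team; every name below is a placeholder.
param(
    [string]$VIServer   = 'vcenter.example.com',
    [string]$Principal  = 'CORP\vSphere-AppOps',   # AD group that operates the team's VMs
    [string]$FolderName = 'AppTeam'                # VM folder the group is scoped to
)

Connect-VIServer -Server $VIServer | Out-Null

# Day-to-day VM operation only: power, console and snapshots. No host, network,
# datastore or permission privileges, so a compromised operator account cannot
# reconfigure the platform or grant itself more rights.
$privilegeIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot'
)

$role = Get-VIRole -Name 'VM Operator' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'VM Operator' -Privilege (Get-VIPrivilege -Id $privilegeIds)
}

# Grant the role on the team's folder only, propagating to the VMs inside it.
$folder = Get-Folder -Name $FolderName -Type VM
New-VIPermission -Entity $folder -Principal $Principal -Role $role -Propagate $true | Out-Null

# Review who holds full Administrator rights anywhere in the inventory. Each entry
# should map to a named person or a documented break-glass account.
Get-VIPermission |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, @{N = 'Entity'; E = { $_.Entity.Name }}, Propagate, IsGroup |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

vCenter adds the System.Anonymous, System.Read and System.View privileges to every role automatically, so the list above is all the role needs to let the group see and operate its own VMs. Granting the role to a group rather than to individual users keeps the permission list stable while the group membership, and the audit trail of who changed it, lives in the directory.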

Minimize the number of open ESXi firewall ports

Stick with the default ESXi firewall rulesets: enable a service's ruleset only while that service is actually needed (SSH, for example, should be off in normal operation), and restrict the management rulesets to your administration network. Every additional open port enlarges your attack surface and increases the risk of your virtual network being compromised.
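The following PowerCLI script is an added example, not taken from the article. It reports the enabled firewall rulesets on every host and, with -Enforce, disables rulesets that should stay closed and restricts the management rulesets to a list of allowed sources. The hostname, the address list and the choice of rulesets are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original article. Assumes PowerCLI, a vCenter Server at
# vcenter.example.com, and that your admin workstations and vCenter itself live on the
# addresses given below; all of these are placeholders.
param(
    [string]$VIServer = 'vcenter.example.com',
    [string[]]$AllowedSources = @('10.10.0.0/24', '10.10.1.5'),  # admin subnet + vCenter's own address
    [switch]$Enforce
)

Connect-VIServer -Server $VIServer | Out-Null

# Rulesets that should stay closed in normal operation.
$shouldBeOff = @('sshServer', 'sshClient', 'ftpClient')

# Management rulesets that should answer only to the admin network and vCenter.
# sshServer is listed too so that it is already restricted if someone enables it later.
$restrictToAdmin = @('vSphereClient', 'sshServer')

foreach ($vmhost in Get-VMHost) {
    $enabled = Get-VMHostFirewallException -VMHost $vmhost | Where-Object { $_.Enabled }
    "`n{0}: {1} rulesets enabled" -f $vmhost.Name, @($enabled).Count
    $enabled |
        Select-Object Name, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning |
        Format-Table -AutoSize

    if (-not $Enforce) { continue }

    # Close the rulesets that should not be open.
    $enabled |
        Where-Object { $_.ExtensionData.Key -in $shouldBeOff } |
        Set-VMHostFirewallException -Enabled $false -Confirm:$false | Out-Null

    # Restrict the management rulesets. Add the allowed sources BEFORE turning off
    # "allow all", and make sure vCenter's address is among them, or vCenter loses the host.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    foreach ($rulesetId in $restrictToAdmin) {
        foreach ($src in $AllowedSources) {
            try {
                $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = $rulesetId; ipaddress = $src }) | Out-Null
            } catch {
                # Already present: esxcli rejects duplicate entries, which is fine here.
            }
        }
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = $rulesetId; allowedall = $false }) | Out-Null
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Test the enforcement on one host from a session that does not depend on the restricted rulesets (the host console or an out-of-band connection), because a wrong address list locks out vCenter and the vSphere Client at the same time.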

Secure all the parts of the infrastructure

All parts of the infrastructure must be properly secured, from the physical infrastructure (hosts, switches, routers, physical storage) through the virtual infrastructure and guest operating systems, as well as any cloud environments you use. In particular:

  • Hosts should have the latest firmware installed, and the virtualization platform (VMware vSphere or Microsoft Hyper-V) should have the latest security patches installed. It is also important to keep VMware Tools on your virtual machines up to date, since Tools receives security fixes of its own.
  • All active network elements (switches, routers, load balancers, etc.) should have the latest firmware deployed.
  • Every operating system should be fully patched via automatic updates. Patch installation should be scheduled outside business hours with automatic reboots.
  • Install proper antivirus and antimalware solutions designed for virtualized environments.

Have a strong backup and disaster recovery (DR) plan

A proper backup and DR plan is essential for ensuring business continuity, whether you suffer a malware attack or a hurricane brings down your production datacenter. Having a DR site at a remote datacenter or in the cloud helps mitigate the risk of prolonged downtime. Here are three important tips to keep in mind as you create your DR plan:

  • Back up VMs and physical servers — While you cannot back up an ESXi host as a whole, you can back up its configuration with the vSphere CLI (vicfg-cfgbackup) or with PowerCLI. Today, you can use the same backup tools for physical systems running Windows or Linux and for VMs running any OS.
  • Use the 3-2-1 backup rule — Create and keep at least 3 copies of your data and store 2 backup copies on different storage media, with 1 of them located off site.
  • Consider replication — For more DR protection, you can replicate your production VMs to another datacenter, which you can fail over to quickly if needed.
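As an added example (not part of the original), this PowerCLI script backs up every host's ESXi configuration bundle, records SHA-256 hashes of the files, and copies the set to a second location, which is the first step toward the 3-2-1 rule for host configuration. The hostname and paths are placeholders.

```powershell
# Added example, not from the original article. Assumes PowerCLI, a vCenter Server at
# vcenter.example.com, and two backup locations on different storage; all placeholders.
param(
    [string]$VIServer  = 'vcenter.example.com',
    [string]$Primary   = 'D:\esxi-config',           # local copy
    [string]$Secondary = '\\backup01\esxi-config'    # second medium or off-site share
)

Connect-VIServer -Server $VIServer | Out-Null
$dest = Join-Path $Primary (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($vmhost in Get-VMHost) {
    # Saves the host's configuration bundle (a .tgz file) into $dest.
    Get-VMHostFirmware -VMHost $vmhost -BackupConfiguration -DestinationPath $dest | Out-Null
}

# Write a SHA-256 manifest next to the bundles so a copy can be verified before a restore.
Get-ChildItem -Path $dest -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{N = 'File'; E = { Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $dest 'SHA256SUMS.csv') -NoTypeInformation

# Second copy on different storage; with an off-site share this covers the "2" and "1" of 3-2-1.
Copy-Item -Path $dest -Destination $Secondary -Recurse -Force

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The bundle is restored with Set-VMHostFirmware -Restore, which requires the host to be in maintenance mode and running the same ESXi build the backup was taken from, so take a fresh backup after every host patch.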

Virtualization security tools to protect your environment

Antivirus and anti-malware software

I recommend Trend Micro, which has a good integration with VMware and offers hybrid-cloud security for organizations that have both on-premises and cloud (Amazon AWS or Microsoft Azure) environments. Trend Micro's Deep Security software runs at the hypervisor level and installs a small agent in the guest OS. It offers an optional integrated firewall, intrusion prevention system (IPS) and integrity monitoring that run at the agent level. It is an end-to-end, all-in-one solution with a single dashboard and remote deployment capabilities, so you can deploy the lightweight agents to all of your VMs from a single location. To prevent AV storms (where the AV software on many VMs scans at the same time, for example at boot), the Windows agent includes an anti-malware scan cache with hashes of previously scanned, frequently accessed files, so they don't have to be rescanned every time.

McAfee, Sophos and Symantec also offer AV software solutions that are compatible with VM environments.

Backup and replication software

Veeam Backup & Replication can protect physical and VM environments (including hybrid and cloud), and you can manage everything from a single console to ensure proper protection. You can implement the 3-2-1 backup rule, and create and maintain backup files off site in line with best practices. It also offers replication to ensure fast restoration of services if your primary datacenter goes down.

Nakivo, Vembu Technologies and Altaro also offer data backup solutions that are compatible with VMware.

Change auditing software

Monitoring changes across your virtual environment is essential for security. One such virtualization security tool is Netwrix Auditor for VMware. It tracks changes to the configuration of the whole datacenter and its various objects (resource pools, clusters, folders, VMs), and also monitors logons to your virtual environment.
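The following PowerCLI script is an added example rather than the article's own code. It reads vCenter's event log for the last day and surfaces the events a change auditor cares about: logons, failed logons, and changes to roles, permissions and host-local accounts, which is exactly the activity described under "External attacks" above. The hostname and the failed-logon threshold are placeholders.

```powershell
# Added example, not from the original article. Assumes PowerCLI and a vCenter Server at
# vcenter.example.com (placeholder). It reads vCenter's own event log; it does not
# replace a change-auditing product, but it shows what such a product looks at.
param(
    [string]$VIServer = 'vcenter.example.com',
    [int]$Hours = 24,
    [int]$FailedLogonThreshold = 5
)

Connect-VIServer -Server $VIServer | Out-Null

# Event classes worth reviewing: sessions (good and bad) and anything that changes
# who can do what. The Account* events cover ESXi local users created outside vCenter.
$watch = @(
    'VMware.Vim.UserLoginSessionEvent',
    'VMware.Vim.BadUsernameSessionEvent',
    'VMware.Vim.NoAccessUserEvent',
    'VMware.Vim.PermissionAddedEvent',
    'VMware.Vim.PermissionUpdatedEvent',
    'VMware.Vim.PermissionRemovedEvent',
    'VMware.Vim.RoleAddedEvent',
    'VMware.Vim.RoleUpdatedEvent',
    'VMware.Vim.RoleRemovedEvent',
    'VMware.Vim.AccountCreatedEvent',
    'VMware.Vim.AccountRemovedEvent',
    'VMware.Vim.UserPasswordChanged'
)

$events = Get-VIEvent -Start (Get-Date).AddHours(-$Hours) -MaxSamples ([int]::MaxValue)
$hits = $events |
    Where-Object { $_.GetType().FullName -in $watch } |
    Sort-Object CreatedTime

$hits |
    Select-Object CreatedTime,
                  @{N = 'Type'; E = { $_.GetType().Name }},
                  UserName,
                  @{N = 'From'; E = { $_.IpAddress }},   # only session events carry this
                  FullFormattedMessage |
    Format-Table -AutoSize -Wrap

# Password guessing shows up as repeated BadUsernameSessionEvent entries from one source.
$hits |
    Where-Object { $_ -is [VMware.Vim.BadUsernameSessionEvent] } |
    Group-Object IpAddress |
    Where-Object { $_.Count -ge $FailedLogonThreshold } |
    Select-Object @{N = 'IpAddress'; E = { $_.Name }}, Count |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

A new PermissionAddedEvent granting Administrator to a principal nobody recognizes, or an AccountCreatedEvent on a host, is the long-lived backdoor account from the "External attacks" section being created; forward these events to your SIEM rather than relying on someone reading the vCenter event list by hand.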


Modern organizations need to defend their virtual environments against a wide range of threats. Key strategies include keeping all software up to date, using AV software, following configuration best practices and conducting regular user training. But even with the best defenses, some threats will get through, so it’s essential to invest in security tools that can track changes and logons to help you maintain security at all levels, all the time.

Vladan Seget is an independent IT consultant and professional blogger. Seget is an eleven-time vExpert and five-time Veeam Vanguard, holds VCAP5-DCA and VCAP5-DCD expert certifications and is a VMware Certified Professional.