How to Ensure VMware Hypervisor Security?
Virtualization has carved a niche in the world of Information Technology (IT) today. Apart from facilitating CIOs in making better use of the resources available, virtualization has also been helpful in lowering costs and deployment of more flexible systems. However, overloading multiple virtual machines onto a single physical server has its own risk. With attackers always on the lookout for relevant data, keeping all data under one server makes the organization vulnerable of losing it if an attack on the hypervisor or virtual machine (VM) monitor is successful. Like any other software, hypervisors also have vulnerabilities that can be exploited. Below discussed are ways through which a CIO can consider to maximize VMware hypervisor security:
Separate Management and VM Traffic—Keeping the management network and virtual machine data networks physically secure is one of the important steps to secure virtualized infrastructure. This helps in reducing the risk of VM traffic corrupting the management infrastructure. Using virtual firewalls simultaneously with physical firewalls further ensures that network traffic is secure. Virtual firewall services helps in viewing and understanding network traffic at the virtual network interface card level of VM by using VMsafe APIs.
Distributing Host Resources Prudently—In a bid to prevent internal distributed-denial-of-service-like attacks, implementing resource controls could prove beneficial. With vSphere’s built-in resource controls like shares, limits and reservations, warranting and prioritizing VM access to host resources, one can segregate host resources into pools and assign them to select VMs. In this regard, the new Storage I/O Control and Network I/O Control features are also proving helpful.
Extending security to the remote console is necessary—Making sure that a VMs console is accessed by a single user at a particular time prevents one from gaining insight into sensitive data. This is necessary as a VMs remote console allows multiple people to connect at the same time. In certain cases, if a user who has access to high level information is logged in at the same time with another user, the second user too gets access to the information. In dealing with this problem, a CIO can look at removing the Console Interaction privilege from certain select users or limiting the console sessions to one user at a time to minimize the risks.
Keeping up-to-date with Hypervisor Patches—Patching the Hypervisor is another step that an organization needs to pay attention to. Though hypervisor is a slight software shim between VMs and hardware, it is still an operating system and one needs to stay up-to-date with it.
Enable Lockdown Mode— Enabling Lockdown Mode, prevents users from bypassing vCenter server security when connecting to ESXi hosts. This helps administrators in making ESXi more secure by reducing its attack surface as well protect virtual machines better. Lockdown Mode which can be enabled through vCenter or the direct console user interface halts direct host access through all means such as APIs that include vSphere CLI and powerCLI apart from vSphere client. This makes sure that all access is granted through vCenter Server.
Though securing a hypervisor is similar to securing a physical server, a CIO can ensure the safety of their virtual environments by strengthening the security in and around VMware Hypervisor.