Stop securing your virtualized servers like another laptop or PC – Hot Tech Online


Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.

We asked two security pros a couple of questions specific to ensuring security on virtual servers. Here’s what they said:

TechRepublic: What mistakes do IT managers make most often when securing their virtual servers?

Answered by Min Wang, CEO and founder of AIP US

Wang: Most virtual environments have the same security requirements as the physical world with additions defined by the use of virtual networking and shared storage. However, many IT managers don’t take the additional steps to secure their virtual servers, but rather leave them vulnerable to attacks with only antivirus software and data loss prevention packages.

Here are some more specific mistakes IT managers make regularly:

1. IT managers rely too much on the hypervisor layer to provide security. Instead, they should be taking a 360-degree approach rather than looking at one section or layer.

2. When transitioning to virtual servers, too often they misconfigure their servers and the underlying network. This causes things to get even more out of whack when new servers are created and new apps are added.

3. There’s increased complexity and many IT managers don’t fully understand how the components interwork and how to properly secure the entire system, not just parts of it.

TechRepublic: Can you provide some tips on what IT managers can do moving forward to ensure their servers remain hack free?

Answered by Praveen Bahethi, CTO of Shilpa Systems

Bahethi:

1. Logins to the Xen, Hyper-V, KVM, and ESXi servers, as well as the VMs created within them, should be mapped to a central database such as Active Directory to ensure that all logins are logged. These login logs should be reviewed for failures on a regular basis as the organization’s security policy defines. By using a centralized login service, the administrative staff can quickly and easily remove privileges to all VMs and the servers by disabling the central account. Password policies applied in the centralized login servers can then be enforced across the virtualized environment.

2. The virtual host servers should have a separate physical network interface controller (NIC) for network console and management operations that is tied into a separate out-of-band network solution or maintained via VLAN separation. Physical access to the servers and their storage is controlled and monitored. All patches and updates that are being applied are verified to come from the vendors of the software and have been properly vetted with checksums.

3. Within the virtualized environment, steps should be taken to ensure that the VMs are only able to see traffic destined for them by mapping them to the proper VLAN and vSwitch. The VMs cannot modify their MAC addresses nor have their virtual NICs engaged in snooping the wire with promiscuous mode. The VMs themselves are not able to perform copy/paste operations via the console, no extraneous HW is associated with them, and VM-to-VM communication outside of the network operations is disabled.

4. The VMs must have proper firewall and anti-malware, anti-virus, and URL filtering in place so that accessing outside data that contains threats can be mitigated. The use of security software with the hosts using plug-ins that enable security features such as firewalls and intrusion prevention is to be added. As with any proactive security measures, review of logs and policies for handling events need to be clearly defined.

5. The shared storage should require unique login credentials for each virtual server and the network should be segregated from the normal application data and out-of-band console traffic. This segregation can be done using VLANs or completely separate physical network connections.

6. The upstream network should only allow traffic required for the hosts and their VMs to only pass their switch ports, dropping all other extraneous traffic. Layer 2 and Layer 3 configuration should be in place for DHCP, Spanning Tree, and routing protocol attacks. Some vendors provide additional features in their third-party vSwitches which can also be used to mitigate attacks with a VM server.
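Bahethi’s first tip (tip 1 above) is that logins to every hypervisor and VM go through one central service so that failures can be reviewed regularly. The script below is an added example of that review, written for this article and not taken from either interviewee; the syslog-style line format, the host names, the account names and the 3-failures-in-5-minutes threshold are all constructed assumptions. It parses forwarded login events and flags accounts whose failures cluster in a short window, reporting which hosts the failures touched, which is exactly the cross-host view that a central login database makes possible.

```python
"""Review centralized login logs for clustered authentication failures (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines as a central login service might forward them to syslog.
# The format is an assumption made for this example, not a specific vendor's format.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z esxi01 auth: login succeeded user=CORP\\alice src=10.0.5.11
2024-03-01T08:00:05Z esxi01 auth: login failed user=CORP\\svc_backup src=10.0.9.40
2024-03-01T08:00:07Z esxi01 auth: login failed user=CORP\\svc_backup src=10.0.9.40
2024-03-01T08:00:09Z esxi02 auth: login failed user=CORP\\svc_backup src=10.0.9.40
2024-03-01T08:00:12Z esxi02 auth: login failed user=CORP\\svc_backup src=10.0.9.40
2024-03-01T08:00:15Z esxi01 auth: login failed user=CORP\\svc_backup src=10.0.9.40
2024-03-01T08:10:00Z vm-web01 auth: login failed user=CORP\\bob src=10.0.5.12
2024-03-01T08:30:00Z vm-web01 auth: login succeeded user=CORP\\bob src=10.0.5.12
this line is malformed and must be skipped, not guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>succeeded|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def failed_logins_by_account(records, window=timedelta(minutes=5), threshold=3):
    """Map account -> (max failures seen inside one window, hosts involved).

    Only accounts reaching `threshold` failures within `window` are returned.
    Because events from every host land in the same log, a spray that moves
    between hypervisors still shows up as one account.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "failed":
            by_user[r["user"]].append(r)

    flagged = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all events fit inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hosts = sorted({r["host"] for r in fails[start:end + 1]})
                flagged[user] = (count, hosts)
    return flagged


def review(text):
    """Convenience wrapper: parse and flag in one step."""
    return failed_logins_by_account(parse_log(text))


if __name__ == "__main__":
    for account, (count, hosts) in review(SAMPLE_LOG).items():
        print(f"{account}: {count} failures across {', '.join(hosts)}")
```

Once an account is flagged, the action the tip describes, disabling the single central account, cuts off that identity on every host and VM at once instead of requiring a per-hypervisor cleanup.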
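Tip 3 above lists the per-VM controls that keep a guest from seeing or forging traffic it should not: no MAC address changes, no promiscuous mode, no console copy/paste, no extraneous hardware. The following is an added example of auditing those settings on an ESXi host, written for this article rather than taken from the interview or from VMware. It checks the three flags of a standard vSwitch security policy and the isolation settings in a VM’s .vmx file against their hardened values. The policy text is a constructed sample modelled on the layout of `esxcli network vswitch standard policy security get` output, and the .vmx excerpt is constructed as well; treating those layouts as the real ones is an assumption of the example.

```python
"""Audit vSwitch security policy and VM isolation settings (added example)."""

# Hardened values: every vSwitch policy flag rejected, every guest isolation knob enabled.
VSWITCH_EXPECTED = {
    "Allow Promiscuous": "false",
    "Allow MAC Address Change": "false",
    "Allow Forged Transmits": "false",
}
VMX_EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
}

# Constructed sample modelled on `esxcli network vswitch standard policy security get`
# output for one vSwitch; the layout is an assumption made for this example.
SAMPLE_VSWITCH = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: false
"""

# Constructed excerpt of a guest's .vmx file. Note that paste.disable is absent
# entirely, which an audit must treat as a failure rather than a pass.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "vm-web01"
ethernet0.networkName = "VLAN20-App"
isolation.tools.copy.disable = "TRUE"
isolation.device.connectable.disable = "FALSE"
"""


def parse_key_values(text, sep):
    """Parse 'key<sep>value' lines into a dict, stripping whitespace and quotes.

    Lines without the separator (blank lines, headings) are ignored.
    """
    result = {}
    for line in text.splitlines():
        if sep not in line:
            continue
        key, _, value = line.partition(sep)
        result[key.strip()] = value.strip().strip('"')
    return result


def audit(actual, expected):
    """Return a list of (key, actual_value_or_None, expected_value) deviations.

    Comparison is case-insensitive because esxcli prints lower-case booleans
    while .vmx files use upper-case. A key missing from `actual` is a deviation:
    an unset isolation option leaves the default (permissive) behaviour in place.
    """
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None or got.lower() != want.lower():
            findings.append((key, got, want))
    return findings


def audit_vswitch(policy_text):
    return audit(parse_key_values(policy_text, ":"), VSWITCH_EXPECTED)


def audit_vmx(vmx_text):
    return audit(parse_key_values(vmx_text, "="), VMX_EXPECTED)


def audit_samples():
    """Run both audits over the constructed samples and return the findings."""
    return {
        "vswitch": audit_vswitch(SAMPLE_VSWITCH),
        "vmx": audit_vmx(SAMPLE_VMX),
    }


if __name__ == "__main__":
    for scope, findings in audit_samples().items():
        for key, got, want in findings:
            print(f"[{scope}] {key}: found {got!r}, expected {want!r}")
```

The same `audit` function can be pointed at distributed port group policies or at additional isolation keys from the vendor’s hardening guide by extending the expected dictionaries; the point of the missing-key rule is that a VM which was never hardened looks, to a naive string search, the same as one that was.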
