RSA Session: Mitigating Virtual Machine Security Vulnerabilities
This session was a little more entry-level than I expected but made some good points. Had I not been living in the VM world for over two years, this talk would have been much more enlightening. The guys started by covering the WHY of virtualization and the business justification, which I think most of us have heard a million times by now. I was praying that it would get deeper.
Some points that were made on how to wrap better security around your VM environment:
- Limit access to the systems
- Harden the Host OS
- Set resource limits to prevent localized DoS and similar attacks
- Implement access controls (no remote root access, for example)
- Disable unnecessary services
- Ensure time sync is accurate; this is critical for troubleshooting and incident response
- Patch, Patch, Patch
If nothing else, take away that you should approach security in a virtualized environment the same way you would in a physical environment. Many of the risks are the same regardless of how things are implemented. If any of the concepts above are new to you, step back and take a serious look at how you are securing things today. There are some additional concerns with VM environments, but unless you focus on securing the basics, the advanced attacks are the least of your worries.
What are some of these other risks? You do all of the above and have firewalls in place, an IDS, DLP systems, etc. Why should you be worried about VM security? Well, what about guest-to-guest communication? What about guest-to-host communication? What about host-to-storage communication? Are your security solutions going to see that traffic? Nope. Are they going to protect you? You guessed it... Nope. If the traffic does not traverse the physical network, your physical security solutions will not be able to protect against it.
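To make the guest-to-guest blind spot concrete, here is an added example (not from the session or the original post) that takes a VM placement inventory and a flow list and reports which flows never reach a sensor on the physical network. The guest names, host names, segments and flows are constructed, and the model assumes that guests on the same host and the same virtual segment are switched inside the hypervisor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Guest:
    name: str
    host: str     # physical host the guest currently runs on
    segment: str  # virtual network segment (port group / VLAN) it is attached to

# Constructed sample data; all names are hypothetical.
INVENTORY = {g.name: g for g in (
    Guest("web01", "host-a", "dmz"),
    Guest("app01", "host-a", "dmz"),
    Guest("db01", "host-a", "internal"),
    Guest("web02", "host-b", "dmz"),
)}
FLOWS = [  # (source guest, destination guest, destination port)
    ("web01", "app01", 8080),
    ("web01", "db01", 3306),
    ("web01", "web02", 22),
    ("app01", "old-vm", 445),
]

def classify(src, dst, inventory=INVENTORY):
    """Say whether a guest-to-guest flow can reach a sensor on the physical network."""
    a, b = inventory.get(src), inventory.get(dst)
    if a is None or b is None:
        return "unknown"        # inventory gap: placement cannot be judged
    if a.host != b.host:
        return "physical"       # crosses the wire between hosts
    if a.segment == b.segment:
        return "host-internal"  # switched inside the hypervisor, never on the wire
    return "check-routing"      # same host, other segment: depends on where the router sits

def blind_spots(flows=FLOWS, inventory=INVENTORY):
    """Group the flows physical firewalls, IDS and DLP will not see, or may not see."""
    report = {"host-internal": [], "check-routing": [], "unknown": []}
    for src, dst, port in flows:
        kind = classify(src, dst, inventory)
        if kind in report:
            report[kind].append((src, dst, port))
    return report

if __name__ == "__main__":
    for kind, flows in blind_spots().items():
        for src, dst, port in flows:
            print(f"{kind:14} {src} -> {dst}:{port}")
```

Flows reported as `host-internal` need a control that lives inside the virtual environment; `check-routing` flows are only visible if the device routing between the two segments sits on the physical network.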
Something else that was good to hear other people saying is the risk of a user escaping the guest and accessing the host. I’ve been talking about this for over a year, and most people have told me it is next to impossible. Well, these guys not only referenced that it is a possibility, but that it has been done before. Granted, it did not create any major issues, but the fact that it can be done is something to think about. If you needed a reason to run public-facing VMs on a separate physical system from your critical business systems, look no further (CVE-2007-4496).
I’m not saying that you need to avoid virtualization or that it is a less secure method of implementing services. What I am saying is that you need to be aware of the pros and cons. You need to stay on top of what the risks are and how to mitigate them. You need to implement security not only on the guests, but on the hosts as well. It will be an interesting year in this space; I look forward to seeing it all unfold.