Keeping your hypervisor secure is an important aspect of any system administrator's job, no matter which hypervisor you use. What we cover here are the fundamentals of securing your hypervisor environment.
This guide is intended to be vendor-agnostic, so that any sysadmin can evaluate their own infrastructure and consider implementing some of the additional security measures presented here. We'll take a look at 7 tips that will help ensure that your hypervisor and its guests stay secure.
1. Separate Management and VM Traffic
One of the most important and easiest aspects of securing a virtualized infrastructure is keeping the management network and the virtual machine (VM) data networks physically separate. When the two are kept separate, there is less risk of VM traffic contaminating the management infrastructure. Check out my article on Hyperjumping to understand how important this practice is. It is also considered best practice to keep live migration traffic out of band from the VM network so that the migration does not impact VM traffic. One last tip, although not security related (but useful), is to consider using a separate physical network and uplink for backups so as not to impact VM network performance.
2. Be Responsible with VLAN Access
VLANs (Virtual LANs) are very useful for keeping traffic segregated between networks. However, they do take more management. Some systems administrators will allow all VLANs to be sent (trunked) down to the virtual networks. Whilst this makes life easier, it also means that should a machine be compromised, it can potentially (depending on network setup and configuration) reach other VLANs it was never intended to talk to. There have been real-life VLAN compromises in which a switch was flooded with more traffic than it could handle; at that point it degrades into a dumb hub in an attempt to keep up and essentially sends all traffic down all paths. The moral of the story? Configure the physical uplinks with only those VLANs that are needed. This might take more time, but it will be worth it.
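A quick way to check whether an uplink carries more VLANs than the virtual networks behind it need. This is an added example, not code from the article; it assumes the trunk's allowed-VLAN list and the hypervisor's port-group VLAN list are pasted in as comma-separated text, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit a physical uplink's VLAN trunk
# against the VLANs the virtual networks actually use. Anything trunked but
# unused is a pruning candidate; anything used but not trunked is a VM network
# that will silently fail. Inputs are text copied from the switch (e.g. the
# allowed-VLAN column of "show interfaces trunk") and from the hypervisor's
# port-group list; ranges such as "10-20" are accepted. POSIX sh + coreutils.

# expand_vlans "1,10-12,100" -> one VLAN id per line, numerically sorted, unique
expand_vlans() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '') ;;                                  # skip empty fields
            *-*)                                    # expand a range lo-hi
                lo=${item%-*}; hi=${item#*-}; i=$lo
                while [ "$i" -le "$hi" ]; do
                    printf '%s\n' "$i"; i=$((i + 1))
                done ;;
            *) printf '%s\n' "$item" ;;
        esac
    done | sort -nu
}

# in_list VLAN LIST: succeed if the newline-separated LIST contains VLAN
in_list() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# unneeded_vlans TRUNKED USED: VLANs allowed on the uplink that no VM network uses
unneeded_vlans() {
    used=$(expand_vlans "$2")
    expand_vlans "$1" | while IFS= read -r v; do
        in_list "$v" "$used" || printf '%s\n' "$v"
    done
}

# missing_vlans TRUNKED USED: VLANs a VM network uses that the uplink does not carry
missing_vlans() {
    trunked=$(expand_vlans "$1")
    expand_vlans "$2" | while IFS= read -r v; do
        in_list "$v" "$trunked" || printf '%s\n' "$v"
    done
}

# Constructed sample: trunk carries 1, 10-20, 100, 300; port groups use 10, 12, 100, 400.
if [ "${1:-}" = "--demo" ]; then
    echo "Trunked but unused (prune):"; unneeded_vlans "1,10-20,100,300" "10,12,100,400"
    echo "Used but not trunked (will fail):"; missing_vlans "1,10-20,100,300" "10,12,100,400"
fi
```

Run with `--demo` to see both lists; in practice, feed it the real trunk and port-group lists and prune whatever the first list reports.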
3. Secure the OOB Interface
One area that is often ignored is the OOB, or Out-of-Band, interface: the iLOs (HP's Integrated Lights-Out) and DRACs (Dell's Remote Access Controllers) of this world. Securing this direct interface to the system is frequently overlooked. Secure these using strong, lengthy usernames and passwords. Both iLO and DRAC can integrate with an LDAP-enabled infrastructure so that you can manage access to the OOB interfaces using groups, which also prevents fat-fingered misconfiguration. It should go without saying, but never, ever expose OOB infrastructure to the public internet. Using a firewall to restrict access to the OOB subnets to only the IP addresses and subnets of approved administrators is also highly recommended.
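The firewall restriction above, written out as an nftables ruleset for the router or firewall that forwards traffic into the OOB subnet. This is an added example, not from the article or any vendor; the subnet, admin sources and ports are constructed values, and it only prints the ruleset so it can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not from the article: emit an nftables ruleset for the firewall
# that routes to the OOB management subnet, so only approved administrator
# sources can reach the iLO/DRAC interfaces and everything else aimed at that
# subnet is logged and dropped. It prints the ruleset for review instead of
# loading it; after review, load it on the firewall with: nft -f <file>.
# Assumptions (constructed values): OOB subnet 10.99.0.0/24, admin sources
# 10.10.5.0/24 and 10.10.6.17, management ports 443 (HTTPS) and 22 (SSH).

# oob_ruleset OOB_SUBNET ADMIN_SOURCES [PORTS]
#   ADMIN_SOURCES is a comma-separated list of IPv4 addresses or CIDRs.
oob_ruleset() {
    oob_subnet=$1
    admin_sources=$(printf '%s' "$2" | tr -d ' ')
    mgmt_ports=${3:-443,22}

    # refuse a ruleset that would protect nothing or expose the OOB subnet to all
    if [ -z "$admin_sources" ]; then
        echo "oob_ruleset: admin source list is empty" >&2; return 1
    fi
    case ",$admin_sources," in
        *,0.0.0.0/0,*) echo "oob_ruleset: 0.0.0.0/0 is not an approved admin source" >&2; return 1 ;;
    esac

    cat <<EOF
table inet oob_guard {
    set admin_sources {
        type ipv4_addr
        flags interval
        elements = { $(printf '%s' "$admin_sources" | sed 's/,/, /g') }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to sessions an approved admin already opened
        ct state established,related accept
        # new sessions: approved admins only, and only on management ports
        ip daddr $oob_subnet ip saddr @admin_sources tcp dport { $mgmt_ports } ct state new accept
        # anything else destined for the OOB subnet is logged, then dropped
        ip daddr $oob_subnet log prefix "oob-denied: " drop
    }
}
EOF
}

# Demo with the constructed values above (prints the ruleset):
if [ "${1:-}" = "--demo" ]; then
    oob_ruleset 10.99.0.0/24 "10.10.5.0/24, 10.10.6.17"
fi
```

The `oob-denied:` log prefix gives you a simple signal to alert on: any hit means something outside the admin allowlist tried to reach the OOB subnet.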
4. Keep up to Date with Hypervisor Patches
Even though hypervisors are essentially a thin software shim between the virtual machines and the hardware, they are still a cut-down operating system, and an operating system needs patching. Patching your hypervisor is therefore just as important as patching any other operating system. All major vendors provide security updates for their hypervisors; make sure to stay on top of them.
5. Be Careful when Allocating Rights and Permissions
Administrators are the gatekeepers to the hypervisor, and their accounts are the keys. Often in less stringent environments an administrator can get into the bad practice of directly assigning rights to users rather than groups, thinking "it's just temporary." This should never happen. Using Active Directory groups helps in a number of ways. First, assigning rights to groups ensures that all users in the group that perform the same function have the same rights. Second, it makes life easier when an administrator leaves and someone else has to take over. It is also a good idea to restrict access to the management infrastructure to an absolute minimum. If another administrator outside the group needs administrator rights, create a new role and add or remove users as needed.
6. Turn Off Unnecessary Services
Reducing the attack surface of the hypervisor is important. Admittedly, some hypervisors are a bit on the flabby side, with a larger attack surface. Mitigating this problem is quite simple: services such as SSH and other remote-access features that are not directly needed in everyday use should be turned off. VMware vSphere has a very useful feature called Lockdown mode, which prevents any unauthorized direct access to the hosts and forces all management to go through the vCenter management server. In a well-managed environment there should be no direct host management; everything should be done through the correct management interface.
7. Use Service Accounts Wherever Possible
Any administrator worth their salt should be using service accounts for their non-human users. Service accounts, as the name implies, should be used for the management of services. This should be combined with the principle of least privilege to ensure that the service account has the absolute minimum of rights required to perform its function. The really good thing about this methodology is that it limits what can be done if the account is compromised. Again, use long, complex passwords to secure these accounts and change them regularly.
Securing a hypervisor is very much akin to properly securing a physical server, albeit with a lot more to lose should it not be done properly. Keeping a clean and tidy environment is key, and making sure that best practices are adhered to will help ensure your estate is less vulnerable to compromise. I would also advise looking at the resources provided by your hypervisor vendor on more advanced security options that can be used to further enhance security.