10 ways to harden your VMware infrastructure
As more and more companies implement virtualization as part of their infrastructure, there are certain basic security measures that must be put in place. Below I have listed 10. They are specific to VMware, but if you are using another provider the list will still help you think about your implementation and how you can make it more secure.
1. Secure virtual machines as you would secure physical machines
If the guest OS is accessible from the LAN then it is subject to the same security risks as a physical system. It must be treated as you would treat a physical system: keep the system patched with software updates, and run antivirus and/or firewall software.
2. Disable unnecessary or extra functions
By disabling system components that are not needed to support the system or its applications, you reduce the number of ports and features that can be attacked. For example, disable copy and paste operations between the guest operating system and the remote console so that sensitive information is not inadvertently copied over.
3. Use tested and proven templates
Using templates not only saves time, it can save you the frustration, stress and pressure of restoring a system that was compromised. Not everyone on your team will be as thorough as you are when creating and deploying guest systems, so using a template that has been configured and tested to company standard is a very good security practice.
4. Prevent virtual machines from taking over resources
Guest systems share the same host resources (memory, processor, etc.). ESX Server gives you the ability to control and manage the allocation of host resources through its resource management capabilities, such as shares and limits. Use them to control the server resources consumed by a virtual machine so that a virtual machine that has been compromised does not affect the other virtual machines on the same ESX Server host.
5. Limit data flow from the virtual machine to the ESX Server host
Virtual machine users and processes can be configured to abuse the logging function, either intentionally or inadvertently, so that large amounts of data flood the log file. Over time, the log file can consume so much of the ESX Server host's file system space that it fills the hard disk, causing a denial of service as the host system can no longer operate. You can avoid this problem by configuring the system to rotate or delete log files when they reach a certain size. You can also disable logging entirely for the virtual machine, but if you do this you might not have the information you need to troubleshoot a problem.
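The copy/paste isolation setting from item 2 and the per-VM log rotation settings from item 5 both live in a virtual machine's .vmx file, so they can be audited in bulk. The following Python script is an added example, not part of the original post or of VMware's own tooling: it parses a constructed .vmx fragment and reports any setting that is missing, not the required boolean, or weaker than the recommended value. The option names are the real VMX keys; the numeric thresholds (rotate at 100 KB, keep 10 files) are assumed values taken from VMware's hardening guidance.

```python
import re

# Constructed sample .vmx fragment for demonstration (not from the page).
# Key names are real VMX options; the values were chosen so that one
# required setting is wrong and one is missing.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
log.rotateSize = "100000"
"""

# Item 2: copy and paste between guest and remote console must be disabled.
BOOL_REQUIRED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
}
# Item 5: bound per-VM log growth. Upper limits are assumed values based on
# VMware's hardening guidance: rotate at 100 KB, keep at most 10 old files.
NUMERIC_MAX = {"log.rotateSize": 100000, "log.keepOld": 10}

def parse_vmx(text):
    """Parse key = "value" lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:-]+)\s*=\s*"(.*)"$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_vmx(text):
    """Return (key, expected, actual) for every setting that is absent,
    not the required boolean, or above its numeric limit."""
    s = parse_vmx(text)
    findings = []
    for key, want in BOOL_REQUIRED.items():
        got = s.get(key)
        if got is None or got.upper() != want:
            findings.append((key, want, got))
    for key, limit in NUMERIC_MAX.items():
        got = s.get(key)
        if got is None or not got.isdigit() or int(got) > limit:
            findings.append((key, f"<= {limit}", got))
    return findings
```

Run `audit_vmx()` over the contents of each .vmx on a datastore to get a per-VM list of deviations; an empty list means the VM matches the recommended settings.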
6. Keep VI Client use to a minimum
Encourage the use of other remote control systems, e.g. SSH or terminal services. A user within the VI Console with admin rights can do a lot of damage to your virtual infrastructure. In addition, it has a performance hit on the service console, especially if many VI Console sessions are open simultaneously.
7. Isolate the management network
You can configure your service console to use a separate VLAN, or configure network access for management tool connections with the service console through a single virtual switch and one or more uplink ports. Another option is to give the service console its own physical network segment.
8. Configure the firewall for maximum security
ESX Server has its own firewall as part of the service console that can protect the service console from the rest of the network. By default it is configured for maximum security (only ports 902, 80, 443 and 22 are open).
9. Use VI Client and VirtualCenter to administer the host(s) instead of the service console
As a best practice it is recommended that you administer your host through the GUI (graphical user interface), either the VI Client or VirtualCenter. This method is safer and sometimes quicker than using the command-line interface.
10. Limit the software and services running in the service console
If a utility or tool is not absolutely necessary, don't install it in your production environment. Suppliers of tools and utilities that enhance your experience of the application, and sometimes increase your productivity, will sometimes require additional ports to be opened or require a lower level of security, further increasing the avenues of attack, so be very careful.
* The above list is based on the VMware whitepaper "Security Hardening".

