By Alan Sugano
Virtualization is ubiquitous. In 2016, Gartner stated that many organizations have virtualization rates that exceed 75%. The advantages of virtualization are numerous. It helps reduce hardware costs, improves hardware utilization, lowers power requirements, lessens cooling requirements and rack space, makes virtual machines (VMs) easier to recover, simplifies disaster recovery, and makes VMs hardware agnostic (i.e., provided the virtualization platform is the same, a VM will always “see” the same virtual hardware regardless of the underlying physical hardware).
Because of the concentration of company data on ESXi/Hyper-V hosts, it becomes mission critical to secure your virtualization infrastructure properly. Because virtualization resides on a level of abstraction below the Operating System (OS) of the VM guest, a compromise of the virtualization infrastructure makes it very easy to compromise any VM running on that infrastructure.
Let’s assume that you’ve worked hard to accurately audit and secure your:
- Active Directory
- Enterprise Resource Planning (ERP) Package
- Sarbanes-Oxley Act (SOX) data
- Payment Card Industry (PCI) data
- Controlled Unclassified Information (CUI) - required compliance for Federal Contractors
- Centralized patch management of the OS and Applications
- Perimeter Firewall
And let’s also assume that you’ve properly secured all of your network infrastructure except for the virtualization infrastructure. What’s the net effect? All of this hard work will still leave your data at risk of being lost, stolen, or destroyed, and your network is still unsecured. If a threat actor manages to gain access to your virtualization environment, he or she can completely bypass all of the security and controls you’ve worked so hard to implement. Here are just a few things an attacker can do if he/she gains access to your virtualization infrastructure:
- Clone VMs - Clone any existing hard drive from a running VM and attach the cloned drive to a “helper” VM. The “helper” VM can then be used to take ownership of all of the files on the cloned drive, giving the attacker complete access to the drive without having any credentials to the VM.
- Rogue VMs - It’s difficult enough to track a physical computer that’s become infected or compromised. An attacker could create one or more rogue VMs and further compromise your network. If the attacker suspected a risk of being discovered, he/she could shut down and even delete the VM – it would be like chasing a ghost. That person could take the rogue VM and move it to your disaster recovery site for “safe keeping.”
- Steal all of your data - A threat actor could use your existing backup software and copy backup images of all of your VMs off site.
- Delete all of your online backups - After stealing all of your data, she/he could delete all your online backups.
- Delete all of your VMs - After stealing all of your data and deleting all of your backups, she/he could shut down all of the VMs and delete them.
Of course, these examples represent worst case scenarios, but it’s a significant risk that information security or other assurance professionals often overlook or don’t even consider. A primary tenet of virtualization security is to secure the host at all costs. If your virtualization infrastructure is compromised, any and all security measures can be bypassed in minutes.
To improve the security of your virtualization infrastructure, here are some of the improvements that can be made to your infrastructure:
- Use a Dedicated Management Network - Place all your ESXi/Hyper-V hosts and management computers in a dedicated management network segregated with a VLAN or separate physical switch. Protect entry into this network with a proper firewall and do NOT use a Layer 3 switch. A firewall will do a MUCH better job of packet inspection (stateful inspection, anti-malware, intrusion detection, etc.) compared to any Layer 3 switch.
- Establish a separate Forest and Domain for Authentication into the Management Network - Because Active Directory is such a large attack surface, consider standing up Domain Controllers that only live in the management network. Create user accounts with separate user IDs and passwords to authenticate to the management network. This should slow down any attack, and hopefully stop a full-blown compromise of the virtualization infrastructure.
- Use two-factor authentication for Infrastructure Management - Consider two-factor authentication for all administrators that will access the management network. For that matter, we are now recommending two-factor authentication for ALL users on the network, period. Security professionals agree that two-factor authentication is an effective method of protecting your network.
- Use a SIEM to Monitor the Management and other Siloed Networks - In 2016 it took over 200 days to discover a network compromise. A correctly configured SIEM should significantly reduce the time to identify a compromise, or better yet, stop it before it happens.
- Ensure Patch Management is current - Stay up to date with all patches.
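The SIEM recommendation above is only useful if the rules it runs actually map to the abuse cases described earlier (cloned disks, deleted backups, mass VM deletion, management actions from outside the management network). The following is an added example, not code from the article or from any vendor: it runs three such rules over a handful of constructed audit events. The pipe-delimited event format, the management network range 10.250.0.0/24, the user names and the VM names are all assumptions made for the example; real vCenter or Hyper-V audit logs have a different shape and the parser would need to be adapted.

```python
"""Detection rules over constructed virtualization-management audit events.

Added example. The event format below is constructed for illustration;
it is not the native vCenter or Hyper-V log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the dedicated management network from the article is 10.250.0.0/24.
MANAGEMENT_NET = ipaddress.ip_network("10.250.0.0/24")

# Constructed sample events: "timestamp|user|source_ip|action|target".
# jdoe acts from a workstation outside the management network, clones a
# disk, attaches it to a helper VM, deletes the backup, then deletes VMs.
SAMPLE_EVENTS = """\
2024-03-01T02:10:05|svc_backup|10.250.0.20|vm.backup|FILESRV01
2024-03-01T02:14:31|jdoe|192.168.7.44|vm.clone.disk|FILESRV01
2024-03-01T02:15:02|jdoe|192.168.7.44|vm.disk.attach|HELPER-VM
2024-03-01T02:40:12|jdoe|192.168.7.44|backup.delete|FILESRV01
2024-03-01T02:41:03|jdoe|192.168.7.44|vm.delete|FILESRV01
2024-03-01T02:41:09|jdoe|192.168.7.44|vm.delete|SQL01
2024-03-01T02:41:15|jdoe|192.168.7.44|vm.delete|DC02
2024-03-01T09:03:44|vadmin|10.250.0.11|vm.poweron|WEB03
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, action, target = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "action": action,
            "target": target,
        })
    return events


def detect(events, delete_burst=3, window=timedelta(minutes=5)):
    """Return a list of alerts; each alert is a dict with a 'rule' key."""
    alerts = []

    # Rule 1: any management action whose source is outside the management
    # network. With the segregation the article recommends, this should be
    # impossible, so every hit is worth a look.
    for e in events:
        if e["ip"] not in MANAGEMENT_NET:
            alerts.append({"rule": "outside_mgmt_net", "user": e["user"],
                           "action": e["action"], "target": e["target"]})

    # Rule 2: a burst of VM deletions by one account inside a short window.
    deletes = defaultdict(list)
    for e in events:
        if e["action"] == "vm.delete":
            deletes[e["user"]].append(e["ts"])
    for user, times in deletes.items():
        times.sort()
        for i in range(len(times) - delete_burst + 1):
            if times[i + delete_burst - 1] - times[i] <= window:
                alerts.append({"rule": "vm_delete_burst", "user": user,
                               "count": delete_burst, "start": times[i]})
                break  # one alert per user is enough

    # Rule 3: the same account clones a VM's disk and later deletes that
    # VM's backup: the "steal, then destroy the backups" sequence.
    cloned = defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "vm.clone.disk":
            cloned[e["user"]].add(e["target"])
        elif e["action"] == "backup.delete" and e["target"] in cloned[e["user"]]:
            alerts.append({"rule": "clone_then_backup_delete",
                           "user": e["user"], "target": e["target"]})
    return alerts


def count_by_rule(alerts):
    """Summarize alerts as {rule_name: count}."""
    summary = defaultdict(int)
    for a in alerts:
        summary[a["rule"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run as-is it prints eight alerts for the sample: six actions from outside the management network, one deletion burst, and one clone-then-backup-delete sequence; the two legitimate events (the scheduled backup and a power-on from a management host) produce nothing. In a real deployment the source-network rule is the cheapest and most reliable of the three, because it depends only on the segregation already recommended above, not on guessing attacker behaviour.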
This is not an exhaustive list. It’s just a summary of some of the items you can implement to protect your virtualization infrastructure. More importantly, it’s a wakeup call to include your virtualization infrastructure as part of your regular ops and audit reviews. Please stay safe!