New technology brings greater challenges and more perceived risks to the IT environment. As businesses demand faster development and greater leveraging of new solutions and features, the speed at which new technologies are adopted often leaves little time for an administrator to keep up with the challenge of ensuring that their virtual server environment isn't left vulnerable.
Virtualisation is one such technology. It introduces a layer of abstraction between physical hardware and virtualised systems, and sometimes introduces a new level of angst regarding security. So how secure is your virtualised environment? As secure you as you want it to be. Here are five simple steps to take to secure a newly virtualised server environment.
1. Employ a firewall with high-level security settings for the hypervisor/virtual host management console. Minimise the risk of any erroneous incoming or outgoing traffic by ensuring that all non-relevant services are blocked by default. While it may be more difficult to plan the installation with the firewall fully enabled, it saves a lot of time and energy. As crazy as it sounds, I've seen virtual server environments where the firewall was disabled to allow the installation of components and features, but never re-applied when things moved into production.
2. Disable unnecessary services and functions. If a server doesn't need something, take it away. The more services or functions a server has, the more resources it needs and the more accessible it becomes. If it doesn't need IIS or Web services, for example, remove it. Eliminate any hardware devices the virtual machine isn't using -- CD-ROMs, USB adapters and other media devices can all be added when required, so disconnect them until that time.
3. Use a single method to manage the virtual sever environment. Many virtualisation technologies have multiple methods for management -- via a management client, console or third-party tool -- but pick a single one for management (this may be guided by the vendor.) Use this as the default method of control, and lock it down using policy-based authorisation. Utilise Active Directory rules and permissions, if possible, or lock down roles and permissions using built-in security features whilst implementing a strict password policy.
4. Remember to treat all virtual machines as if they were physical machines. This means ensuring that all of the protection you would employ on your physical servers is implemented on the virtual machines. Antivirus protection, intrusion detection and security patch levels should become standard practices, or continue when moving or building a machine in a virtual environment.
5. Employ a standard security build as a baseline for all virtual servers. Virtualisation has introduced a way to deploy new systems quicker and easier than previously possible. Most server virtualisation technologies allow the use of templates or clones from which an administrator can deploy new servers. A vanilla-build OS, with a baseline security model applied, can be used as a template to ensure that secure OS features are installed as a bare minimum in new machines.
Whilst the above steps create a good baseline for securing your environment, there's no substitute for clear and logical thinking in the virtual world. Apply the same logical thinking to your virtual server environment as you have to your physical environment, and you're most of the way there.
BIO: Allaster Finke is a senior consultant at GlassHouse Technologies (U.K.), a global provider of IT infrastructure services. He has more than eight years of experience in the design and delivery of IT solutions, with a particular focus on SAN, storage and backup technologies.