With most organisations actively deploying virtualisation technology today, the criticality of these assets grows by the day.
Unfortunately, there are many potential security issues with the various components of a virtualised infrastructure, and nowhere is this more of a concern than with the hypervisor platforms that host virtual systems and application instances.
There are many threats to hypervisor platforms. Some are focused on the hypervisors themselves – many security researchers have discussed flaws in hypervisor code that could allow directory traversal attacks, code execution through buffer overflows and other exploits, and even compromise through weak or non-existent credentials and poor management practices.
The most practical threats to hypervisor platforms include insiders, such as virtualisation and cloud administrators, as well as threats from attackers who manage to compromise virtual machines running on these systems.
Recent research into side-channel attacks suggests potential compromise of virtual machine data through shared hardware caches and other hypervisor components, as well as perusal of hypervisor files and directories via deliberate modifications to virtual machine disk and configuration files.
The number of announced vulnerabilities for hypervisor platforms has increased dramatically in recent years. Most of the vulnerabilities affecting ESXi, for example, were announced in 2011 and 2012.
Numerous critical flaws in memory management and other functions have been found, making application of patches from suppliers a priority for administrators; the challenge, of course, is that patching these systems requires moving virtual machines to additional cluster members and coordinating potentially complex change control windows and plans.
How to lock down hypervisors
There are several key steps teams can take to start effectively locking down hypervisors.
First, as already mentioned, take extra care in integrating hypervisors (and other virtualisation components) into your existing patch management processes. Setting up test systems that mimic production is highly recommended, as this will enable more rapid patching with less potential for negative impact.
Another key step to take when securing hypervisor platforms is to limit remote and console access to the system. Most hypervisor platforms allow multiple types of access, including SSH, RDP and specialised management client and server connectivity.
In general, it is suggested that you take a minimalist approach to hypervisor management, allowing only the access explicitly needed to support the business environment. If possible, restrict this access to only approved and controlled management platforms, with limited console access available in the case of a connectivity problem or other recovery scenario.
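The minimalist access approach described above can be checked mechanically against an export of each host's enabled services and permitted source networks. The following is an added example, not part of the original article; the host names, service names, networks and inventory format are constructed assumptions, not any supplier's real export format.

```python
import ipaddress

# Hypothetical policy: services permitted on a hypervisor host and the
# management networks allowed to reach them (constructed values).
POLICY = {
    "mgmt-api": ["10.20.0.0/24"],   # approved management platform
    "ssh": ["10.20.0.10/32"],       # single jump host, recovery only
}

# Constructed inventory export: service -> (enabled, allowed source CIDRs).
HOSTS = {
    "hv-01": {"mgmt-api": (True, ["10.20.0.0/24"]),
              "ssh": (False, [])},
    "hv-02": {"mgmt-api": (True, ["10.20.0.0/24", "192.168.5.0/24"]),
              "ssh": (True, ["0.0.0.0/0"]),
              "rdp": (True, ["10.20.0.0/24"])},
}

def audit_host(services, policy=POLICY):
    """Return a sorted list of findings for one host's service export."""
    findings = []
    for name, (enabled, sources) in services.items():
        if not enabled:
            continue  # disabled services add no remote exposure
        if name not in policy:
            findings.append(f"{name}: enabled but not in policy")
            continue
        approved = [ipaddress.ip_network(n) for n in policy[name]]
        if not sources:
            findings.append(f"{name}: no source restriction")
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            # subnet_of() requires matching IP versions, so check that first
            if not any(net.version == a.version and net.subnet_of(a)
                       for a in approved):
                findings.append(f"{name}: source {net} outside approved networks")
    return sorted(findings)

def audit_all(hosts=HOSTS):
    """Map each host to its findings; compliant hosts map to an empty list."""
    return {host: audit_host(svcs) for host, svcs in hosts.items()}

if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else findings)
```
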
Minimising the threat surface
Finally, you should take care to properly configure any available settings and options for the particular hypervisor in use, tuning the system to minimise the threat surface and only allow services needed for successful operation.
This includes many standard hardening tasks, such as limiting the users and groups on the local system, assessing critical file permissions and integrity, turning off services that are unnecessary, and securing those services that are. Every hypervisor platform has a variety of features that need to be evaluated for security, and these will vary from one supplier to the next.
Securing your hypervisors requires a significant amount of planning and knowledge to manage properly. Given the critical nature of these systems, it is highly recommended that security and operations professionals make this a priority if they have not already.
Dave Shackleford is the owner and principal consultant at Voodoo Security; senior vice-president of research and CTO at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organisations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualised infrastructures. He has previously worked as CSO for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Shackleford is the author of the book Virtualisation Security: Protecting Virtual Environments. Recently, Dave co-authored the first published course on virtualisation security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.