Security Think Tank: Configuration is key to virtual security

How should information security professionals get started with securing virtual environments?

Are virtualised servers any different to secure than physical servers? As far as an individual server goes, the answer has to be no, it isn’t any more difficult to secure. 

After all, it will be the same operating system (OS) and the same applications as if it were running on a dedicated piece of physical hardware. My first piece of advice is to make sure you know how to configure and securely lock down operating systems and applications effectively and efficiently.

So what is the issue with securing virtual servers? The answer lies in the infrastructure that supports virtual servers. 

Such an infrastructure will typically comprise physical (server) hardware, the virtual machine software that runs on a physical server, Ethernet switches, firewalls, and storage (which could be a NAS or SAN or included with the server hardware). Occasionally the virtual machine software will sit on top of a host operating system.

Virtual servers will connect to the underlying network infrastructure, most likely using VLANs, so my second piece of advice is to make sure you know how to configure network devices such as routers, switches and firewalls effectively, efficiently and securely.

Remember that a single Ethernet switch configured with multiple segments – so that one segment is on the “dirty” side of a firewall, while the other segments service the “clean” side of the firewall – will effectively short-circuit the firewall. You also need to ensure that VLANs do not traverse a firewall or otherwise bridge differing security domains.
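One way to check an existing network for the two conditions described above, as an added example that is not part of the original article: it flags any VLAN ID seen on both sides of a firewall and any switch carrying segments from more than one security domain. The CSV layout, switch names and zone labels are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not from the article). One row per port/VLAN
# membership; "zone" is the security domain of whatever is attached to the port.
SAMPLE_CSV = """switch,port,vlan,zone
sw-core-1,Gi0/1,10,clean
sw-core-1,Gi0/2,20,clean
sw-core-1,Gi0/3,30,clean
sw-edge-1,Gi0/1,100,dirty
sw-edge-1,Gi0/3,30,dirty
sw-blade-1,Gi0/1,100,dirty
sw-blade-1,Gi0/2,10,clean
"""

def load_inventory(text):
    """Parse the CSV into (switch, port, vlan_id, zone) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((rec["switch"].strip(), rec["port"].strip(),
                     int(rec["vlan"]), rec["zone"].strip().lower()))
    return rows

def audit(rows):
    """Return (vlans, switches) that appear in more than one security zone."""
    zones_by_vlan = defaultdict(set)
    zones_by_switch = defaultdict(set)
    for switch, _port, vlan, zone in rows:
        zones_by_vlan[vlan].add(zone)
        zones_by_switch[switch].add(zone)
    # A VLAN in two zones spans the firewall; a switch in two zones relies
    # entirely on its own VLAN configuration to keep the zones apart.
    vlans = {v: sorted(z) for v, z in zones_by_vlan.items() if len(z) > 1}
    switches = {s: sorted(z) for s, z in zones_by_switch.items() if len(z) > 1}
    return vlans, switches

if __name__ == "__main__":
    vlans, switches = audit(load_inventory(SAMPLE_CSV))
    for vlan, zones in sorted(vlans.items()):
        print(f"VLAN {vlan} is present in zones {zones}: it spans the firewall")
    for switch, zones in sorted(switches.items()):
        print(f"{switch} carries zones {zones}: review its segment layout")
```

In the sample data the blade chassis switch is the one flagged for carrying both domains, which is the situation the blade server point in the list below warns about.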

My third piece of advice relates to the virtual machine (VM) environment: put simply, ensure that you understand the VM technology well enough to configure it securely. Things to watch out for include:

  • Where the virtual machine software sits on top of a host operating system, the host OS will need to be securely configured and locked down as well;
  • Take care with input/output configuration, particularly where network storage is in use;
  • Where blade servers are used, remember that most blade chassis/racks include an Ethernet switch to communicate with the individual blades and that this communication may be done at the VLAN level rather than at the switch port level.

To conclude, if you are competent with securing servers running on individual hardware and the applications that run within those servers, there is nothing daunting about moving to the virtualised environment. Just do your research first.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
