Educause Security Discussion mailing list archives

Re: Securing VM servers


From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Fri, 6 Jun 2008 17:06:46 -0500

On Thu, May 29, 2008 at 11:00 AM, Jeff Wolfe <wolfe () EMS PSU EDU> wrote: 
Jenkins, Matthew wrote:
Michael, we have two separate clusters here for a private DMZ (we don't
have a true DMZ with real IPs, everything is natted here) and our
'production' servers (i.e. database servers, ad, internal applications,
file servers, etc.).  If a physical box interconnects two networks there
is always a risk.  Hence, if a vulnerability in VMWare were to allow
someone to administratively add a second NIC to a VM host in a network
that it should not have access to, the result could be that VM host
becomes a launch pad for an attack into the other network.  For that
reason we decided to separate our clusters.  They do not share network
resources or SAN space.  Perhaps we are overly paranoid?

That's the general direction we're going. I have a hard time considering VMware [WS/GSX/ESX] as hardened and vetted 
given how new the space is. The same can be said for SANs, we think, though this is an area we have yet to really think 
on.

I would encourage anyone evaluating VMWare's security to discuss their 
needs and situation with their VMWare SE. The security implications of 
running a guest on the free VMWare server are considerably different 
than running a guest on ESX server. The "exploits" posted earlier in 
this thread are against VMWare Server, which is a completely different 
animal from ESX.

Of course you should, but when you ask "are you secure?" what assurance do you have that VMware (or any other vendor) 
is being honest and has actually thoroughly tested their systems? How deeply have they thought about the exposure 
points where an attacker could leverage access to a hypervisor? Rather than blindly trust the vendor's response, I'll 
separate my zones of trust.

I think you'd be kidding yourself if you thought there was no code sharing between Workstation, GSX and ESX, as well. I 
realize they are different, but I don't think they're *that* different.

Maybe it makes sense to allow a multi-homed ESX cluster, or maybe it 
does not. In either case, nothing can substitute for a full risk 
analysis that includes experts from the vendor as well as your own staff.

Multi-homing ESX will present the same risks as multi-homing Windows Server, Solaris, or any other OS does. You've bridged 
a gap that would otherwise be protected at multiple levels by varying technologies. You now have the potential for a 
single point of failure.

For what it's worth, in my environment, we feel that ESX is up to the 
task, but your risks/needs are probably different from ours.

The appropriateness of the decision to allow multi-homing will depend on what other factors are present and where they 
are placed: IDS/IPS, file integrity monitoring, SEM, rights management and distribution, et cetera. I don't think there 
is any question that you could do this securely, but the amount of time and work that will go into testing that 
security initially and the energy into ongoing monitoring is higher.

Christopher Hoff has a number of great posts [ http://rationalsecurity.typepad.com/ ] on the topic of virtualization 
security and I would highly recommend adding his blog to your RSS readers.

-jth


John T. Hoffoss, CISSP, GCIH
Information Security Specialist
Minnesota State Colleges and Universities
30 7th Street East, Suite 350
St. Paul, MN 55101
Email: john.hoffoss () csu mnscu edu
Office: 651.201.1453
Mobile: 612.867.1432
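One way to catch the scenario Matthew describes above (a VM host quietly gaining a second uplink into a zone it should not touch), as an added example that is not code from this thread or from VMware: a small audit that maps each host's uplinks to trust zones, flags hosts that span more than one zone, and reports uplink drift against a known-good baseline. The host names, VLAN-to-zone map and both inventories below are constructed for the example; a real site would feed the same structure from the hypervisor's management API or CLI.

```python
"""Audit a hypervisor host inventory for uplinks that bridge trust zones.

Added example, not code from the Educause thread or from any vendor. All
data here is constructed by hand; a real run would build the same
host -> [(vswitch, uplink NIC, VLAN)] structure from the vendor's API/CLI.
"""

# Assumed zone labelling for this example: VLAN ID -> trust zone.
VLAN_ZONES = {
    10: "dmz",
    20: "internal",
    30: "internal",
    99: "management",
}

# Constructed baseline inventory (hypothetical hosts):
# host -> list of (vswitch, uplink NIC, VLAN) tuples.
BASELINE = {
    "esx-dmz-01": [("vSwitch0", "vmnic0", 10), ("vSwitch1", "vmnic1", 99)],
    "esx-prod-01": [("vSwitch0", "vmnic0", 20), ("vSwitch1", "vmnic1", 30),
                    ("vSwitch2", "vmnic2", 99)],
}

# The same inventory after someone "administratively adds a second NIC":
# esx-dmz-01 now also has an uplink on the internal VLAN.
CURRENT = {
    "esx-dmz-01": [("vSwitch0", "vmnic0", 10), ("vSwitch1", "vmnic1", 99),
                   ("vSwitch2", "vmnic2", 20)],
    "esx-prod-01": [("vSwitch0", "vmnic0", 20), ("vSwitch1", "vmnic1", 30),
                    ("vSwitch2", "vmnic2", 99)],
}


def zones_per_host(inventory, vlan_zones, ignore=("management",)):
    """Map each host to the set of trust zones its uplinks touch.

    Zones listed in `ignore` (here the management network every host must be
    on anyway) do not count toward bridging. An uplink on a VLAN that is not
    in the zone map is reported as "unknown" rather than silently dropped, so
    an unlabelled VLAN shows up in the result instead of hiding a bridge.
    """
    result = {}
    for host, uplinks in inventory.items():
        zones = set()
        for _vswitch, _nic, vlan in uplinks:
            zone = vlan_zones.get(vlan, "unknown")
            if zone not in ignore:
                zones.add(zone)
        result[host] = zones
    return result


def find_bridging_hosts(inventory, vlan_zones, ignore=("management",)):
    """Return {host: sorted zone list} for hosts whose uplinks span >1 zone."""
    return {
        host: sorted(zones)
        for host, zones in zones_per_host(inventory, vlan_zones, ignore).items()
        if len(zones) > 1
    }


def uplink_drift(baseline, current):
    """Return uplinks added/removed per host relative to the baseline.

    A newly added uplink is exactly the change the thread worries about, so it
    is worth an alert on its own, even before it bridges two zones.
    """
    drift = {}
    for host in sorted(set(baseline) | set(current)):
        before = set(baseline.get(host, []))
        after = set(current.get(host, []))
        added, removed = after - before, before - after
        if added or removed:
            drift[host] = {"added": sorted(added), "removed": sorted(removed)}
    return drift


if __name__ == "__main__":
    print("bridging hosts:", find_bridging_hosts(CURRENT, VLAN_ZONES))
    print("drift since baseline:", uplink_drift(BASELINE, CURRENT))
```

Run against the constructed data, the baseline reports no bridging host, while the current inventory flags esx-dmz-01 as spanning dmz and internal and the drift check shows the added vmnic2 uplink. Treating the management VLAN as exempt is a deliberate choice (every host sits on it); if your management network is itself a zone you want kept apart, pass an empty `ignore` tuple.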
