Educause Security Discussion mailing list archives
Re: Mixing Infrastructure and Research Systems in VMware ESX
From: Yonesy Nunez <Yonesy.Nunez () NEWSCHOOL EDU>
Date: Thu, 9 Jul 2009 10:58:50 -0400
Hello David, When mixing environments into an ESX cluster please keep in mind the following security concerns/recommendations: The main concerns for security that I have arise from the potential impact from the cluster's management and the usage of the new virtual machines to the cluster. Of specific concerns are: denial of service (via mis-configuration or errant resource hogging), need-to-know (unnecessary access), and the new attack vectors introduced by the new virtual machines (or networks). These are some of the steps that you can take to pro-actively mitigate these security concerns. 1. Isolate virtual machine networks - ensure that physical network adapters for virtual machine zones are separate either via virtual switches (within VMware) or VLANs (via your preferred network system device) 2. Minimize use of the VI console - ensure that access to the virtual infrastructure console is only utilized by people who require this access. People that have a need to administer the services provided by the virtual machines (Research and Development) should instead use the system specific remote access services (RDP for Windows and SSH for Linux/Unix systems). 3. Disable unnecessary functions as you migrate from P2V (a great time to harden these systems if you can!) 4. Disable copy and paste operations between the guest operating system and the remote console 5. Ensure that the GuestInfo file memory is set to: Name: tools.setInfo.sizeLimit; value: < 1048576 (Choose a virtual machine in the inventory panel --> click Edit setting --> click Options --> Advanced/General --> click Configuration Parameters) For more information please review --> http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fwww.vmware.com%2Fpdf%2Fvi3_security_hardening_wp.pdf&ei=jf5VSsrrOoewMPvFzZ0I&usg=AFQjCNE24J75dBTG9cBk3lrvuhWBleUBeg&sig2=Y1ikOPiL3W6q5rUVEMxM4w This will help in defining your guidelines for this integration. You should approach this like any other system deployment and follow the same processes you have in place for ensuring security. The trick on a virtual environment is that you have to extend that to the logical protection of your virtual environment; the preceding document is a great start. If you have more questions please feel free to e-mail me directly. Best regards, Yonesy -- Yonesy F. Nuñez | THE NEW SCHOOL Director, Information Security 55 W 13th Street, Rm 705 New York, NY 10003 P| 212.229.5600 x4728 E| yonesy.nunez () newschool edu
David Carver <David.Carver () OLIN EDU> 7/9/2009 9:50 AM >>>
Hi Folks, We have an established single-cluster VMware ESX environment which is home to numerous production infrastructure servers. We're looking at the possibility of virtualizing several faculty research systems on campus which we do not currently manage. Does anybody have any experience in mixing both infrastructure and research systems in the same ESX cluster? I'm aware at a high level of our technical options (i.e., setting up separate resource pools and limiting user access), but I'm interested in knowing if there are any specific security concerns we should be aware of, what impact this has had on your overall VMware environment, and what kinds of general policies / guidelines / restrictions you've put in place. Thanks, Dave -- David Carver Systems Administrator Franklin W. Olin College of Engineering
Current thread:
- Mixing Infrastructure and Research Systems in VMware ESX David Carver (Jul 09)
- <Possible follow-ups>
- Re: Mixing Infrastructure and Research Systems in VMware ESX David Auclair (Jul 09)
- Re: Mixing Infrastructure and Research Systems in VMware ESX Yonesy Nunez (Jul 09)