Educause Security Discussion mailing list archives

Re: Mixing Infrastructure and Research Systems in VMware ESX


From: Yonesy Nunez <Yonesy.Nunez () NEWSCHOOL EDU>
Date: Thu, 9 Jul 2009 10:58:50 -0400

Hello David,

When mixing environments into an ESX cluster please keep in mind the
following security concerns/recommendations:

The main concerns for security that I have arise from the potential
impact from the cluster's management and the usage of the new virtual
machines to the cluster.  Of specific concern are: denial of service
(via mis-configuration or errant resource hogging), need-to-know
(unnecessary access), and the new attack vectors introduced by the new
virtual machines (or networks).  These are some of the steps that you
can take to pro-actively mitigate these security concerns.

1.  Isolate virtual machine networks - ensure that physical network
adapters for virtual machine zones are separate either via virtual
switches (within VMware) or VLANs (via your preferred network system
device)
2.  Minimize use of the VI console - ensure that access to the virtual
infrastructure console is only utilized by people who require this
access.  People that have a need to administer the services provided by
the virtual machines (Research and Development) should instead use the
system specific remote access services (RDP for Windows and SSH for
Linux/Unix systems).
3.  Disable unnecessary functions as you migrate from P2V (a great time
to harden these systems if you can!)
4.  Disable copy and paste operations between the guest operating
system and the remote console
5.  Ensure that the GuestInfo file memory is set to: Name:
tools.setInfo.sizeLimit; value: < 1048576 (Choose a virtual machine in
the inventory panel --> click Edit setting --> click Options -->
Advanced/General --> click Configuration Parameters)

For more information please review -->
http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fwww.vmware.com%2Fpdf%2Fvi3_security_hardening_wp.pdf&ei=jf5VSsrrOoewMPvFzZ0I&usg=AFQjCNE24J75dBTG9cBk3lrvuhWBleUBeg&sig2=Y1ikOPiL3W6q5rUVEMxM4w


This will help in defining your guidelines for this integration.  You
should approach this like any other system deployment and follow the
same processes you have in place for ensuring security.  The trick on a
virtual environment is that you have to extend that to the logical
protection of your virtual environment; the preceding document is a
great start.  If you have more questions please feel free to e-mail me
directly.

Best regards,

Yonesy


--
Yonesy F. Nuñez | THE NEW SCHOOL
Director, Information Security
55 W 13th Street, Rm 705 
New York, NY 10003
P| 212.229.5600 x4728
E| yonesy.nunez () newschool edu 


David Carver <David.Carver () OLIN EDU> 7/9/2009 9:50 AM >>>
Hi Folks,

We have an established single-cluster VMware ESX environment which is
home to numerous production infrastructure servers. We're looking at the
possibility of virtualizing several faculty research systems on campus
which we do not currently manage.

Does anybody have any experience in mixing both infrastructure and
research systems in the same ESX cluster? I'm aware at a high level of
our technical options (i.e., setting up separate resource pools and
limiting user access), but I'm interested in knowing if there are any
specific security concerns we should be aware of, what impact this has
had on your overall VMware environment, and what kinds of general
policies / guidelines / restrictions you've put in place.

Thanks,
Dave

--
David Carver
Systems Administrator
Franklin W. Olin College of Engineering
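
An added example, not part of the original messages or of VMware's tooling: a Python check of a virtual machine's .vmx text for items 4 and 5 of the reply above. The `isolation.tools.copy.disable` and `isolation.tools.paste.disable` key names are assumed to be the parameters behind item 4 (the message does not name them), the sample files are constructed, and the check accepts any value up to 1048576.

```python
import re

SIZE_LIMIT_MAX = 1048576  # ceiling quoted in the message for tools.setInfo.sizeLimit

# Assumed .vmx keys for item 4; the message names the control, not the keys.
REQUIRED = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
}
LINE_RE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx fragments (not taken from a real system).
WEAK_VMX = '''displayName = "research-vm01"
isolation.tools.copy.disable = "FALSE"
tools.setInfo.sizeLimit = "4194304"
'''
HARDENED_VMX = '''displayName = "infra-vm01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
tools.setInfo.sizeLimit = "1048576"
'''

def parse_vmx(text):
    """Map lower-cased key -> value for every key = "value" line; last one wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return sorted findings for the copy/paste and GuestInfo size settings."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set (want {want.upper()})")
        elif got.strip().lower() != want:
            findings.append(f"{key}: is {got!r} (want {want.upper()})")
    raw = cfg.get("tools.setinfo.sizelimit")
    if raw is None:
        findings.append("tools.setInfo.sizeLimit: not set")
    elif not raw.strip().isdecimal():
        findings.append(f"tools.setInfo.sizeLimit: non-numeric value {raw!r}")
    elif int(raw) > SIZE_LIMIT_MAX:
        findings.append(f"tools.setInfo.sizeLimit: {raw} exceeds {SIZE_LIMIT_MAX}")
    return sorted(findings)
```

Calling `audit_vmx(WEAK_VMX)` returns three findings and `audit_vmx(HARDENED_VMX)` returns an empty list, so the function can be run over every .vmx file copied from a datastore before research VMs join the cluster.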
