By creating multiple virtual machines that share resources - such as CPU, memory, hard drive, network devices - organisations are able to reduce costs associated with server operation management. This includes the hardware, maintenance and human resources needed to manage, operate and administer these servers on a daily basis. Further, virtualisation provides a fast, reliable disaster recovery.
However, failure to configure and harden your virtual server might have very unpleasant results, especially when implemented without security considerations. In one case, we witnessed a hacker bringing down an entire virtual infrastructure because of a memory leak flaw on one of the servers. By exploiting this flaw, the hacker was able to consume all the available memory to a point where the entire system crashed.
The phrase 'start secure, stay secure' is a simple philosophy that emphasises security has to begin from the first stage of design and integrated into every step of your virtualisation project.
So, how do we secure a virtual environment? Here is our guide:
1. Design a secure virtual environment
Each solution has its own approach, which does not always suit the organizations needs. Some of these solutions separate each operating system while others create separate “zones” within a shared kernel.
Businesses need to determine security requirements that should correlate with the organisational security policy. A security architect should define parameters such as access control to server console, design of virtual network architecture, design of virtual machines and communication protocols.
When implementing a virtual environment, some of the communication can rely on an internal, virtual network. For example, when a virtual web server communicates with a virtual database, the packets traverse through a virtual network only. A traditional firewall will not be able to filter this communication if needed.
There are a number of possible solutions. One of them is to use a firewall integrated into a virtual server application. The second option is to configure the virtual machines to route all the communication through an external firewall by connecting virtual machines to separate physical network cards. A third option is to use a “virtual” firewall which usually comes in the form of a virtual appliance.