Virtual networks and infrastructure differ in many ways from their physical counterparts. Increased flexibility, ease of provisioning and lower cost are some of the attributes that make virtualization a practical choice for many types of businesses. A virtual infrastructure requires a shift in thinking, though, especially when it comes to network security.
Many of the tools and best practices you might use to protect your physical environment are almost useless in a virtual world. Traditional perimeter protection is not enough. The threats are different at the virtual level, so businesses must counter with security options designed with virtualization in mind. Keep these four considerations in mind as you develop your virtualization security strategy.
1. Learn to Manage Virtual Sprawl
One of the perks of a virtual environment is also one of the biggest security drawbacks. A virtual infrastructure is flexible and dynamic. New machines are available within minutes and with very little cost investment. This is a positive attribute for almost any business model, but that scalability factor makes virtualization harder to manage.
Virtual sprawl is a term associated with an expandable virtual environment. As some point, the number of virtual machines outgrows your ability to keep them all secure. It is easy to miss simple details like security patches when you are trying to manage a large number of virtual machines.
In a presentation for the 2015 Rootconf, the lead systems engineer for BrowserStack Aditya Patawaricalled called these “extra” virtual machines wildcards. BrowserStack suffered a breach when attackers used offline virtual machines to gain access to the company’s systems. Patawaricalled suggests you:
- Know how many machines you have at any given time by creating an automated inventory
- Set up appropriate and manageable look outs that will include multi-location monitoring
- Understand who has access to each virtual machine and monitor every IP address
- Look for unlikely situations like table locks
- Avoid database grant statements
- Maintain on and offsite encrypted backups
Effective management is the key to avoiding virtual sprawl. Incorporate the following routines into your operational plans:
- Regularly assessing your virtual environment and determining what machines are necessary and which ones are underutilized.
- Logging your systems centrally and keeping a log of actions on your hardware.
- Creating a patch maintenance schedule to ensure all machines have up to date patches in place.
2. Pay Extra Attention to Virtual Configuration Setups
With virtual servers, your potential for magnifying configuration defects is exponential. If the initial setup is full of security risks such as unnecessary ports, useless and risky services and other vulnerabilities, each virtual machine after that will inherit those same issues.
Poor virtual network configurations are a common problem for businesses. Ensure proper segmentation on any virtual applications that call the host, or the other way around, such as web and database services. Many virtualization platforms provide just three switch security configurations settings:
- Promiscuous mode
- Forged Transmits
- MAC address changes
This ignores virtual systems that make connections to other areas of the network. Look closely at any virtualization platform that enables communication from guest to host and disable them when possible. This would include:
- Device drivers
- Copy/paste functions
- Memory leaks
Fine-tune your system monitoring assets to watch for these communication pathways, as well.
3. Learn to Manage Virtual Machine Lifecycles
This includes conducting system integrity checks and patch management. With the right controls in place, a virtual environment may be easier to manage than a physical one if done right.
Test security patches thoroughly and then follow a basic strategy for implementing and controlling them
Discuss native management offerings with your virtualization vendor but look at helpful third party tools, as well. They can scan for vulnerabilities and work as a separate control measure.
4. Educate Your Team
Risk assessment and compliance is a learned trait, so make sure your team is well trained when it comes to virtual security protocols. The end-user is one of the biggest security risks any company faces. Educate all users about virtualization security concerns and how to avoid creating vulnerabilities. Add additional training for risk management, compliance groups and auditors. Teach them to:
- Use third party tools to enhance monitoring capabilities
- Train compliance staff to create audit records that include visual evidence of security or compliance issues
- Create point-in-time system images/snapshots to document security risks
- Shape security policies specific to virtual environments and the regulations involving them.
- Learn to analyze the risks in the design stages of new virtualization projects, especially when they change the current infrastructure.
Virtualization provides expansion opportunities and scalability that is hard to find within a physical environment. Proper planning and consideration of security best practices will allow you to take advantage of a virtual infrastructure and still have peace of mind.