Virtual infrastructure: threats lurk near open doors

Thumbnail: 

According to polls I've conducted on VMware Communities, 80 percent of the people using VMware Virtual Infrastructure trust the security model VMware has used. Yet more than 70 percent are integrating VMware ESX into Active Directory; only a few are augmenting their security with access controls other than - or in addition to - AD.

However, without carefully configured access controls within AD, anyone with a legitimate AD account has the potential to log in to the VMware ESX service console and gain access to restricted data. Some of this data valuable in itself; much of the rest is critical to the system and could be further used by hackers to craft attacks on other data stores.

Even with group policies and other measures in place, there is a lot of room for individual access rights to go unmodified and leave unintentional access permissions in place.

Incorrectly protected configuration and script files could reveal such things as the system password, server configurations, configuration change histories and the names of VM, network and other resources. In addition, it is possible to see how virtual machines are configured, and the logs associated with the running of VMs.

Thankfully the raw Virtual Machine Disk Format (VMDK) is not available to a generic user, but information about the VM is. That in itself creates an issue. Interestingly enough Network File System (NFS)-based datastores are not accessible at all by a regular user from the VMware ESX host.

The host will give information about how the VM is configured, about the networks to which it's connected, and how the disks are setup as well.

Lastly it is possible for the firewall, Virtual Infrastructure Client authorizations, and other information about the VMware ESX Server to be discovered.

This is useful information for a hacker. I have listed only a few but there is quite a bit of information leakage that could be used to possibly subvert the host.

While the AD authentication is secure when using Secure LDAP or Winbind, it is still possible for non-administrators to gain access to systems and gain vital information about the host, VMs, and the entire virtual environment.

To combat this, servers and networks need to be hardened further. More importantly, VM installations need more authentication controls.

There are at least three methods that can be used to limit access to the VMware ESX host built in to the management appliance.

They are: tcpwrappers (tool to limit access via IP to various daemons), pam_access (tool to limit logins to the system by user, group, and IP in addition to limiting logins to only certain times), and the packet filtering firewall (limit access via IP). It is important to apply at least two of the three listed to get full coverage, just in case one fails.

Use these additional tools to further limit access to the Service Console, setting up AD integration or any other form of Single Sign On is an important tool to combat the spread of passwords.

It's not enough, however.

If your security policies dictate who can log in to various physical servers, you need to do the same for VMware ESX. Then you will no longer suffer from possible information leakage and faulty authentication security.

Virtualization expert Edward L. Haletky is the author of 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,' Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.