The Biggest Threat? It May Be You

When it comes to virtual server security, you might just be the weak link. Or, more precisely, your lack of planning, maintenance, and governance of that VM server farm.
Illustration by Jupiterimages Seize Control
All major vendors and a handful of third-party vendors offer centralized management tools for virtual farms. Administrators can control and view every VM in an enterprise from a single console, and these tools are moving cross-platform, allowing control of heterogeneous environments. But these consoles present a risk for conflicting management rights and roles. In the past, large organizations may have relied on physical access restrictions to control who could touch a given server. Virtualization removes those walls, and Web-based consoles can deliver a screen view to anyone's desktop.

VM administration and server admin roles should be clearly defined as each server makes the physical-to-virtual transition. Servers handling sensitive medical, financial, or other privacy-restricted data need to be clearly identified. Access to all utilities, hypervisor consoles, and CLI management should be well thought out, and IP access rules for control and management networks must be clearly defined.

Avoid Cross-Talk
In addition to assessing access to host management network segments, the control channel for VM migration should also be segregated from your primary data networks for performance and security purposes. Live migration, using either vMotion or XenMotion, is facilitated by syncing memory across two hosts to shuttle a running VM from one box to another. That data transfer should occur on a private, secure network analogous to an iSCSI SAN. Setting up network segment settings for migration is straightforward on all virtualization host platforms.

When it comes to the multitude of new products in the virtualization security market, Neohapsis' Shipley says he hasn't seen any worth spending money on. Most companies "should devote resources to nailing down standard operating procedures for their virtual environments first," he says. "Too many lack basic management, vulnerability, and patch management tools."

For companies that have all the basics in place, though, investing in VM firewalls or intrahost virtual security appliances could make sense.