As many sysadmins know well, virtualization has become widely adopted within Data Centers (DCs). VMware has experienced success and rapid growth as the leading tool to implement virtualization in a DC, and has since arguably become the standard virtualization tool worldwide.
The fundamental premise of virtualization is that software workloads, which require hardware to execute, can have their underlying hardware ‘calls’, or requests for hardware execution, made easy to send to any properly configured hardware system for actual execution. This unlocks the ability to run several software virtual machines in parallel on the same physical hardware and makes it easy for organizations to efficiently manage updates and rapid changes to applications and operating systems. It eliminates the traditional “one server, one application” approach to scaling applications in the data center and is attractive to consider in DMZ and remote location environments too.
vCenter is an important component of VMware’s solution, and it has the unique role of orchestrating all of the different underlying systems and software workloads running on them. Previously, each system and each software workload required individual administration and login, whereas vCenter allows them all to be managed from one centralized place. This is a huge win for system administrators and allows them to be much more effective with their time and also much more valuable to the organization.
This increased simplicity and centralization can be a double-edged sword, since it makes vCenter a very appealing target for malicious actors who have ambitions of controlling or monitoring the orchestration of all of the applications in your DC. Similar to our observations on IPMI, providing a secure foundation for vCenter is a challenge and priority for most organizations since it is so widely interconnected across the IT backbone. In a recent Skyport survey, nearly half of respondents listed vCenter as the single most critical IT application to secure.
According to VMware’s deployment guide, vCenter should be installed on dedicated hardware and administered entirely separately from the rest of a company’s infrastructure. Since it is so fundamentally powerful – it has access to all software running in the virtualized environment – extreme care must be taken to ensure that the servers running the software are uninfected, that traffic flowing in and out of the systems is properly monitored and secured, and that physical access to the systems is tightly controlled.
This begs the question: do you actually know everything that your vCenter instance is talking to? Do you know if the hardware it’s running on is compromised? Do you know if the whitelists allowing and disallowing certain traffic flows are up to date?
An ideal solution to this problem would have a number of different characteristics. In many ways, if there existed a vCenter-like interface and control panel for vCenter itself, it would take a large portion of the hassle and security risk out of operating a virtualized DC. This ease of use, combined with some established standard of security, would be a game-changer: simplifying the security of vCenter.
Regarding security, would you be comfortable hiring third party penetration testers to come in and specifically try to compromise your vCenter setup? You should be! Pen-testers certainly won’t think twice about taking advantage of even the slightest vulnerabilities in your current setup, and neither would an attacker.
VMware itself has released plenty of material about the many ways to secure and harden their products, but the reality is that much of this could be condensed into a pre-configured product. Some ideal features of the unicorn perfect vCenter host would include:
Dynamic whitelist capability: Traffic flows into and out of the vCenter application must be tightly restricted to known and approved connections; unknown flows should not be permitted. This is something that can be cumbersome to maintain throughout any changes to your DC layout. Examples of the types of flows that would need to be allowed and maintained are management control traffic, IP-based storage traffic, and permitted inter-VM traffic.
Straightforward audit capability: vCenter provides a powerful interface to provide visibility into the workloads that it administers in the virtualized environment. A platform that allowed the server hosting vCenter itself to be subject to this level of clarity and visibility would be extremely valuable. More importantly, it would allow any unknown and unintended (potentially malicious) code running within the components of the software to be detected. This is intended to ‘keep the software and server honest’, or ensure that it is always behaving within the policies set by the administrator.
Tamper-resistant hardware: the prevalence of entirely undetected and unknown scripts, hardware listeners, and other viruses running on servers in most compute environments is surprisingly high. Due to the high number of virtual machines and applications that vCenter has access to, it is imperative that its own server hardware be untampered with and the boot process be entirely free from any malicious listeners or other scripts. Any connected hardware wiretaps, software ‘command-and-control’ code, or other listeners or control vectors should be detectable and the entire system should be compartmentalized to reduce potential damage.
Secure remote management: When hardware is configured for remote management, security holes are often opened unintentionally (recall our earlier post about IPMI). Any approach to remote management for the hardware running vCenter deserves close scrutiny due to the highly sensitive and broad implications of a breach.
Lessened complexity: the high complexity and effort required to integrate and coordinate all of the various types of hardware and software necessary to stand up vCenter is daunting and cumbersome. This makes administration, monitoring of any configuration changes, and malware monitoring a whole separate task that cannot be overlooked. An ideal platform would reduce the possible permutations and variations of how it could be configured to a subset of pre-configured known-good secure configurations, minimizing the potential for human error.
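The whitelist and audit items above can be made concrete with a small check, added here as an illustration (it is not Skyport or VMware code): it compares observed vCenter flows against an allowlist, reports unknown flows, and reports allowlist entries that no traffic used, which are candidates for being out of date. The rule names, networks, ports and flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# port = remote port for "out" flows, local vCenter port for "in" flows.
Rule = namedtuple("Rule", "name direction peer proto port")
Flow = namedtuple("Flow", "direction peer proto port")

# Constructed allowlist for a hypothetical vCenter host (assumed values).
ALLOWLIST = [
    Rule("esxi-mgmt", "out", "10.10.20.0/24", "tcp", 443),
    Rule("admin-ui", "in", "10.10.5.0/28", "tcp", 443),
    Rule("ip-storage", "out", "10.10.30.0/24", "tcp", 2049),
    Rule("legacy-syslog", "out", "10.10.40.7/32", "udp", 514),
]

# Constructed flow records, as a firewall or flow collector might export them.
OBSERVED = [
    Flow("out", "10.10.20.11", "tcp", 443),
    Flow("in", "10.10.5.3", "tcp", 443),
    Flow("out", "10.10.30.4", "tcp", 2049),
    Flow("out", "203.0.113.50", "tcp", 8443),  # not covered by any rule
    Flow("in", "10.10.99.8", "tcp", 443),      # right port, unapproved source
]

def match(flow, rules):
    """Return the first rule that permits this flow, or None."""
    addr = ipaddress.ip_address(flow.peer)
    for rule in rules:
        if (rule.direction == flow.direction
                and rule.proto == flow.proto
                and rule.port == flow.port
                and addr in ipaddress.ip_network(rule.peer)):
            return rule
    return None

def audit(flows, rules):
    """Split flows into unknown ones and list rules that nothing matched."""
    unknown, used = [], set()
    for flow in flows:
        rule = match(flow, rules)
        if rule is None:
            unknown.append(flow)      # default deny: no rule, no approval
        else:
            used.add(rule.name)
    stale = [r.name for r in rules if r.name not in used]
    return unknown, stale

if __name__ == "__main__":
    unknown, stale = audit(OBSERVED, ALLOWLIST)
    for f in unknown:
        print("UNKNOWN FLOW", f.direction, f.peer, f.proto, f.port)
    print("rules with no matching traffic:", stale)
```

An unused rule is not proof that it is obsolete, only a prompt to review it; the observation window has to be long enough to cover infrequent flows.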
If all of the above is set up and properly configured, a pen-testing agency should have a difficult time getting through. If this is the case, you are running what is probably within the top decile of the most secured IT environments out there. You are also probably spending a large amount of time, money, and energy setting up, integrating, configuring, and maintaining all of the different tools required for all of this to function. What if there were an all-in-one tool that could serve as a pre-secured hosting platform for highly connected and sensitive workloads such as vCenter? SkySecure has set out to provide this level of value to you and your team.
BTW – Attending VMworld? Interested in meeting in person? Email me and I’d be happy to help schedule something.