S 4.346 Secure configuration of virtual IT systems
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
Virtual IT systems (occasionally also referred to as virtual machines) are first and foremost IT systems. Therefore, they must be handled and modelled similarly to physical IT systems as described in S 2.392 Modelling of virtualisation servers and virtual IT systems.
However, some particularities are applicable to virtual IT systems that must be taken into consideration.
Virtual IT systems must often be provided with access to devices connected to the virtualisation server, e.g. CD or DVD drives, USB dongles, tape drives (SCSI), and other peripheral devices. Devices that the virtualisation server provides to the virtual IT systems may often be controlled from within the virtual machine using guest tools. For example, the network card can be disabled, or a data medium in the physical drive can be attached to the virtual CD/DVD drive or diskette drive.
Furthermore, some virtualisation systems provide for the option of overbooking the main memory or the hard disk space. Resources are "overbooked" if more resources may be assigned to the virtual IT systems in total than are actually physically present. In order to avoid resource bottlenecks, the guest tools in virtual IT systems may provide functions in order to control these overbooking functions. For example, the guest tools of the manufacturer VMware (VMware tools) provide a function for occupying the main memory that may be made available to other virtual IT systems (ballooning). These tools may also prepare a virtual hard disk for reducing the size of the file container it is contained in. For this, all occupied blocks of a virtual hard disk are moved to the start of the container and the now free blocks are overwritten using zeroes so that they can be identified as being free by the virtualisation layer.
Therefore, the following aspects must be taken into consideration when commissioning virtual IT systems, along with the safeguards already known from physical server operations:
- With operating system virtualisation (as opposed to server virtualisation), changes to the binary files of kernels, applications, and system libraries affect all virtual IT systems operated on the virtualisation server as well as the virtualisation server itself. These data must be monitored for modifications, first and foremost because compromising them has a very high damage potential. For this, see also S 4.93 Regular integrity checking.
- By using the guest tools, the users of the virtual IT systems may be able to access data media in diskette or CD/DVD drives of the virtualisation server. These may even be used to control mechanical procedures such as opening and closing the tray of a physical drive. Therefore, there is the possibility of unauthorised access to data media in physical drives or of the data medium being removed from a virtual IT system by opening the drive from another virtual system. The virtual IT systems and the virtualisation server must be configured in such a way that this is ruled out as far as possible. This may be performed most easily if these devices are only exclusively assigned to the virtual IT systems when they are actually needed. When not needed, the connection to these devices should be disconnected. If it is possible to provide CD or DVD data media as image files (ISO images) instead of using physical drives, this option should be used.
- Functions allowing for overbooking main memory or hard disk space must be disabled for the virtual IT systems with high performance requirements or with particularly important data integrity. Resource bottlenecks in the event of an overbooked main memory on a virtualisation server normally result in significant losses of performance regarding the affected virtual IT systems. If the hard disk space is overbooked and if the physically existing space is no longer sufficient, the virtualisation server normally does not allow any further write accesses to the overbooked memory space. This results in hard disk errors in the virtual IT systems that may cause inconsistencies of the stored data.
- Preparing a virtual hard disk for a reduction of its physical container places a heavy load on the mass storage of the virtualisation server. This may limit the performance of all virtual IT systems executed on the virtualisation server. If several virtualisation servers access a shared storage network, all of these virtualisation servers may be affected. Therefore, this function should be disabled when it is not needed.
- Disabling devices such as network cards with the help of guest tools constitutes a virtual equivalent to disconnecting the network cable of a physical system. Since this is often possible in virtualised environments without accessing this system, this function should be deactivated. It should only be activated temporarily if it is absolutely needed.
Some of the functions described above are controlled or facilitated by guest tools that may be installed in the virtual IT systems. Therefore, binding regulations for configuring and using these guest tools in virtual IT systems must be drawn up.
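As an added illustration (not part of the IT-Grundschutz catalogue), the following Python script checks a VMware-style .vmx configuration against the points above: removable devices that start connected or map the physical host drive, guest-tool control over device connection, the disk shrink/wipe functions, and main-memory overbooking. The isolation.* keys are the ones documented in VMware's vSphere hardening guidance; sched.mem.min is assumed here to hold the memory reservation in MB, and the sample configuration is constructed.

```python
"""Audit a VMware-style .vmx file for the configuration points of S 4.346.
Key names follow VMware's vSphere hardening guidance; the sample is constructed."""
import re

# Constructed sample: CD/DVD drive mapped to the host's physical drive, diskette
# drive connected at power-on, no restriction on guest-tool device control.
SAMPLE_VMX = """\
displayName = "db-server-01"
memSize = "8192"
sched.mem.min = "2048"
ide1:0.present = "TRUE"
ide1:0.deviceType = "atapi-cdrom"
ide1:0.startConnected = "TRUE"
floppy0.present = "TRUE"
floppy0.startConnected = "TRUE"
ethernet0.present = "TRUE"
isolation.device.connectable.disable = "FALSE"
"""

def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are stored lower-case."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit(cfg, critical=True):
    """Return one finding per S 4.346 point that the configuration does not meet."""
    findings = []
    truthy = lambda k, default="FALSE": cfg.get(k.lower(), default).upper() == "TRUE"
    # Removable media: attach only when needed, and prefer ISO images to physical drives.
    for dev in ("ide1:0", "floppy0"):
        if truthy(f"{dev}.present") and truthy(f"{dev}.startConnected"):
            findings.append(f"{dev} starts connected; attach only when needed")
        if cfg.get(f"{dev}.devicetype", "") in ("atapi-cdrom", "cdrom-raw"):
            findings.append(f"{dev} uses the physical host drive; use an ISO image")
    # Guest tools must not (dis)connect devices: a NIC disconnect equals unplugging the cable.
    for key in ("isolation.device.connectable.disable", "isolation.device.edit.disable"):
        if not truthy(key):
            findings.append(f"{key} is not TRUE; guest can (dis)connect devices")
    # Disk shrink/wipe via guest tools loads shared storage; keep it disabled.
    for key in ("isolation.tools.diskShrink.disable", "isolation.tools.diskWiper.disable"):
        if not truthy(key):
            findings.append(f"{key} is not TRUE; guest can trigger disk shrinking")
    # Critical VMs: a full memory reservation (assumed key sched.mem.min, MB) rules out overbooking.
    if critical and int(cfg.get("sched.mem.min", "0")) < int(cfg.get("memsize", "0")):
        findings.append("memory reservation below memSize; main memory can be overbooked")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vmx(SAMPLE_VMX)):
        print("FINDING:", finding)
```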
Review questions:
- Is the integrity of the operating system core's, the system libraries', and the shared applications' data guaranteed for environments with operating system virtualisations?
- Have binding regulations regarding the use of guest tools in virtual IT systems been drawn up and implemented?
- Are devices such as CD drives only exclusively connected to a virtual IT system when they are needed in the corresponding IT system?
- Have the overbooking functions for main memory or hard disk space been disabled for virtual IT systems which have high performance requirements or for which high protection requirements regarding integrity have been determined?
- Is the function that can be used to enable or disable devices such as network cards or CD/DVD drives with the help of the guest tools disabled by default?