S 4.349 Secure operation of virtual infrastructures
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Normally, several virtual IT systems are operated on virtualisation servers. Since the individual virtual IT systems all depend on this infrastructure, an error on one infrastructure system such as a virtualisation server may have effects on all virtual IT systems operated on this system.
The following notes must be taken into consideration for the secure operation of virtualisation servers and the virtual infrastructure. Recommendations for the virtualisation server itself that do not concern virtualisation and belong to the basic principles of server operation are described in the safeguards of module S 3.1 General server.
Administration accesses
Virtualisation servers provide functions for controlling, maintaining, and monitoring the virtual IT systems operated on them. These administrative functions can usually be used locally on the virtualisation server itself or over the network from an administrator's workstation. For this purpose, the virtualisation server offers web-based administration interfaces and/or dedicated administration software such as VMware vSphere Client.
Furthermore, some virtualisation solutions offer the option of administering several virtualisation servers, as well as all virtual IT systems operated on them, from a central system (e.g. Citrix XenCenter, Microsoft System Center Virtual Machine Manager, SUN Management Center, VMware vCenter).
The network interfaces of the virtualisation servers and of the central administration systems grant complete access to the virtualisation servers and to all virtual IT systems operated on them. For this reason, the administration interfaces must be protected. Safeguard S 5.154 Secure configuration of a network for virtual infrastructures must also be taken into consideration for this.
Monitoring the operating condition
The administrators of the virtual infrastructure should perform regular monitoring activities in accordance with the security policies (see S 2.477 Planning a virtual infrastructure). These include:
- creating and deleting snapshots
- monitoring the operating condition of the virtualisation servers and the virtual IT systems
- checking the utilisation of resources
- checking whether sufficient processor resources are available in order to satisfy the performance requirements of the virtual IT systems
- checking whether there are main memory bottlenecks endangering the availability of the virtual IT systems
- checking whether there is sufficient mass storage (hard disk space and/or allocated and total capacity in the storage network)
- checking whether there are bottlenecks regarding the network bandwidth
- checking the connections to the physical networks
- checking the integrity of the configuration of the virtualisation servers and the virtual IT systems (see also S 2.449 Minimum use of console accesses to virtual IT systems, S 4.93 Regular integrity checking, and S 5.8 Regular security checks of the network).
A continuous process for monitoring the resources must be established in particular if the option of overcommitting main memory and hard disk space offered by some virtualisation products is used. Otherwise, heavily overcommitted main memory can cause severe performance losses, and a hard disk space bottleneck can cause all IT systems affected to fail simultaneously. If snapshots are used, the utilisation of the mass storage should also be monitored carefully, since snapshot files normally grow dynamically.
Many of the monitoring tasks to be performed at regular intervals can be automated (e.g. threshold-based email notifications).
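The following script is an added example of how the resource checks listed above (memory and storage overcommit, free datastore capacity, snapshot growth) can be automated. It is not part of the safeguard text and is not tied to any vendor API; the host inventory, the VM names and the threshold values are constructed for illustration and would in practice be read from the hypervisor's management interface and from the security policy.

```python
"""Periodic resource and snapshot checks for one virtualisation host.

Added example with constructed inventory data (not taken from any real
hypervisor). Each check returns a finding so that the caller can raise
an alert (e.g. send an email) instead of relying on a human reading graphs.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "current time" so that the constructed snapshot ages are reproducible.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


@dataclass
class Snapshot:
    name: str
    created: datetime
    size_gb: float          # current size of the delta file; grows with guest writes


@dataclass
class VM:
    name: str
    memory_mb: int          # guest memory configured for the VM
    provisioned_gb: float   # total provisioned size of its virtual disks
    snapshots: list = field(default_factory=list)


@dataclass
class Host:
    name: str
    physical_memory_mb: int
    datastore_capacity_gb: float
    datastore_used_gb: float
    vms: list


@dataclass
class Thresholds:
    # Assumed policy values; a real policy (S 2.477) sets these explicitly.
    max_memory_overcommit: float = 1.2    # sum(guest RAM) / physical RAM
    max_storage_overcommit: float = 2.0   # sum(provisioned disk) / datastore capacity
    min_datastore_free_pct: float = 10.0
    max_snapshot_age_days: int = 3
    max_snapshot_size_gb: float = 50.0


def memory_overcommit_ratio(host):
    return sum(vm.memory_mb for vm in host.vms) / host.physical_memory_mb


def storage_overcommit_ratio(host):
    return sum(vm.provisioned_gb for vm in host.vms) / host.datastore_capacity_gb


def datastore_free_pct(host):
    free = host.datastore_capacity_gb - host.datastore_used_gb
    return 100.0 * free / host.datastore_capacity_gb


def check_host(host, now, t=None):
    """Return a list of (severity, message) findings for one host."""
    t = t or Thresholds()
    findings = []
    mem = memory_overcommit_ratio(host)
    if mem > t.max_memory_overcommit:
        findings.append(("warning", f"{host.name}: memory overcommit {mem:.2f}x "
                         f"exceeds {t.max_memory_overcommit}x; guests may be swapped"))
    sto = storage_overcommit_ratio(host)
    if sto > t.max_storage_overcommit:
        findings.append(("warning", f"{host.name}: storage overcommit {sto:.2f}x "
                         f"exceeds {t.max_storage_overcommit}x"))
    free = datastore_free_pct(host)
    if free < t.min_datastore_free_pct:
        # A full datastore stops every VM writing to it, not just one guest.
        findings.append(("critical", f"{host.name}: only {free:.1f}% datastore free; "
                         "all VMs on it may fail simultaneously"))
    for vm in host.vms:
        for snap in vm.snapshots:
            age = (now - snap.created).days
            if age > t.max_snapshot_age_days or snap.size_gb > t.max_snapshot_size_gb:
                findings.append(("warning", f"{vm.name}: snapshot '{snap.name}' is "
                                 f"{age} days old and {snap.size_gb:.0f} GB"))
    return findings


def constructed_host():
    """Constructed sample inventory: 64 GB host with 80 GB of guest RAM configured."""
    return Host(
        name="vhost01", physical_memory_mb=65536,
        datastore_capacity_gb=2000.0, datastore_used_gb=1850.0,
        vms=[
            VM("web01", 16384, 200.0),
            VM("db01", 32768, 1000.0,
               [Snapshot("pre-patch", NOW - timedelta(days=10), 120.0)]),
            VM("app01", 24576, 800.0,
               [Snapshot("test", NOW - timedelta(days=1), 2.0)]),
            VM("build01", 8192, 500.0),
        ])


def run_example():
    return check_host(constructed_host(), NOW)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

Run from a scheduler, the "critical" finding for low datastore capacity is the one that should page someone immediately, since it threatens every guest on the host at once; the overcommit and snapshot findings are the early warnings that let an administrator act before that point.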
Testing configuration changes
Configuration changes on the virtualisation servers may affect many IT systems. If errors are made in the process, all IT systems on these virtualisation servers may be prevented from booting or may lose their connection to required resources. If the configuration of a virtualisation server is changed, the change must be checked for technical correctness before it is enabled, for example with the help of a test environment or by applying the two-man rule.
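The following script is an added example (not part of the safeguard text) of the two checks that support this section and the configuration integrity check referred to under "Monitoring the operating condition": it fingerprints a set of host configuration files, detects which files a proposed change adds, removes or modifies, and flags whether any of the touched files fall into a class that requires a second approver. The file names, their contents and the "critical" set are constructed stand-ins, not real hypervisor configuration.

```python
"""Baseline fingerprinting and pre-enable review of configuration changes.

Added example with constructed configuration data. The same fingerprint()
output, stored off-host, also serves the regular integrity check (S 4.93):
compare the stored baseline against a fresh fingerprint of the live host.
"""
import difflib
import hashlib

# Constructed stand-in for the currently approved host configuration.
BASELINE = {
    "network.conf": b"mgmt_vlan=10\nvm_portgroups=prod,dmz\nuplinks=vmnic0,vmnic1\n",
    "storage.conf": b"datastore=ds01\nmultipath=round-robin\n",
    "ntp.conf": b"server=ntp1.example.internal\n",
}

# Constructed proposed change: management VLAN edited, one uplink dropped,
# a new remote syslog file added.
CANDIDATE = {
    "network.conf": b"mgmt_vlan=20\nvm_portgroups=prod,dmz\nuplinks=vmnic0\n",
    "storage.conf": b"datastore=ds01\nmultipath=round-robin\n",
    "ntp.conf": b"server=ntp1.example.internal\n",
    "syslog.conf": b"remote=log1.example.internal:514\n",
}

# Assumed: files whose misconfiguration can disconnect every VM on the host.
CRITICAL = {"network.conf", "storage.conf"}


def fingerprint(files):
    """Map each configuration file to the SHA-256 of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_configs(baseline, candidate):
    """Classify files as added, removed or modified between two configurations."""
    b, c = fingerprint(baseline), fingerprint(candidate)
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(p for p in set(b) & set(c) if b[p] != c[p]),
    }


def unified_diff(baseline, candidate, path):
    """Human-readable diff of one modified file for the reviewer."""
    old = baseline[path].decode().splitlines(keepends=True)
    new = candidate[path].decode().splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, f"baseline/{path}", f"candidate/{path}"))


def review_change(baseline, candidate, critical=frozenset(CRITICAL)):
    """Summarise a proposed change and decide whether a second approver is required."""
    result = diff_configs(baseline, candidate)
    touched = set(result["added"]) | set(result["removed"]) | set(result["modified"])
    result["needs_second_approver"] = bool(touched & critical)
    result["diffs"] = {p: unified_diff(baseline, candidate, p) for p in result["modified"]}
    return result


if __name__ == "__main__":
    review = review_change(BASELINE, CANDIDATE)
    for key in ("added", "removed", "modified"):
        print(f"{key}: {review[key]}")
    print("second approver required:", review["needs_second_approver"])
    for text in review["diffs"].values():
        print(text)
```

The review output is what the second administrator signs off before the change is enabled; the stored fingerprint of the approved configuration is what the regular integrity check compares against afterwards, so that an undocumented change to a critical file is detected rather than assumed away.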
Review questions:
- Is there a protected access to the administrative interfaces of the virtual infrastructure?
- Are monitoring tasks regarding the virtual infrastructure performed regularly?
- Are configuration changes to the virtualisation infrastructure checked prior to implementation?