S 5.154 Secure configuration of a network for virtual infrastructures
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Virtualisation servers require numerous communication links. On the one hand, these are links to administration networks and, if required, links to storage networks in order to be able to use corresponding computer centre resources. On the other hand, they provide the virtual IT systems with the respective network connections.
Here, different technologies are used for the different virtualisation products. For some virtualisation products, separate network cards are assigned to the individual virtual IT systems in each case, with these network cards being directly connected to the networks to be used. These may include virtual or physical network cards.
For other virtualisation products, complete network infrastructures are emulated within the virtualisation server. For this, virtual switches are created which, on the one hand, provide the required network connections for the virtual IT systems and, on the other hand, control the transition from the virtual network into the physical network. At the same time, it is also possible to create purely virtual networks without any transition to physical networks.
Some of the virtualisation solutions also support the option of establishing a logical segmentation in addition to a physical segmentation, e.g. with a VLAN (Virtual Local Area Network).
Moreover, the way the communication between virtual IT systems is implemented differs considerably. Sometimes, the communication between virtual IT systems in different networks on the same virtualisation server is routed through the physical network (example: Citrix XenServer, Sun VirtualBox, or VMware ESX); sometimes this communication is always routed within the virtualisation layer, so that no routing instance outside of the virtualisation layer is involved in the communication (Sun Solaris Containers).
Several aspects must be taken into consideration in order to obtain a secure configuration of the virtualisation servers' networks:
- The administration interfaces of the virtualisation servers should be connected to a separate network. This must be separated physically or logically from the network the virtual IT systems are operated in. At this point, logically separating the network only using VLAN without any additional safeguards is insufficient, since the virtualisation servers exchange information worthy of protection using the administration interfaces.
- Authentication must be forced for all users of the administration interfaces; anonymous access must not be permitted. Furthermore, the authentication data should be transmitted in encrypted form. Moreover, the administration interfaces should be protected with the help of local packet filters on the virtualisation server itself.
- Within the networks used for storage network access, both the targets (i.e. the hard disks) and the initiators (i.e. the servers) can be accessed. This way, the virtualisation servers or the virtual IT systems may be presented with forged initiators or targets. Therefore, access to the resources of the storage networks must be controlled with the help of a suitable authentication procedure. The networks used for this purpose must also be separated from the networks of the virtual IT systems. For this, see also S 5.130 Protection of SANs by segmentation.
- If functions such as live migration (VMotion, XENmotion, Live Migration) are used in a virtualised infrastructure, the runtime environment of the virtual IT systems is transported from one virtualisation server to another via the network. Here, all data processed in the IT system is transmitted via the network. This data may have high protection requirements. For this reason, the network used to this end should also be separated.
- The communication of the virtual IT systems with other virtual or physical IT systems should be planned in detail. It must be ensured that existing security policies are taken into consideration. It must not be possible to bypass security gateways or monitoring systems present in the network by means of virtualisation. This particularly applies to virtualisation products where the network traffic between virtualised IT systems is not necessarily routed over physical networks (see above, examples: SUN Solaris Containers and VMware ESX Server).
- If virtual IT systems must be connected to several networks, it must be appropriately ensured that these networks cannot be used to establish undesired network connections. In particular, no connections between the administration networks of the virtualisation servers and the networks of the productive virtual IT systems should be allowed, so as to prevent the virtualisation servers from being compromised via a compromised virtual IT system.
- In virtual infrastructures, virtual security gateways (virtual firewalls) may also be operated. The use of such gateways directly at the perimeter of the organisation's network, and therefore for the separation of networks with greatly differing protection requirements, should be verified in detail, however. On the other hand, virtual security gateways may be used to separate internal networks with similar protection requirements. Such gateways must be planned carefully. In doing so, it must be considered that, depending on the selected virtualisation product, the network traffic through the virtualisation layer is not routed as may be expected. Moreover, it is not ensured that the protective function of the virtual security gateway is still provided for other virtual or physical IT systems if the virtualisation servers themselves have been compromised. These security gateways can be bypassed very easily once the virtualisation servers have been compromised. Since security gateways themselves are frequently targets of attacks, the virtualisation servers themselves should not be protected exclusively by virtual security gateways. In such cases, the networks involved must be appropriately separated with the help of security gateways. See also S 3.1 Security gateway (firewall).
- Regarding their network integration and their protection with the help of security gateways, virtual IT systems must be treated just like physical IT systems, since the virtualisation servers do not normally provide for any additional protection.
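The separation rules listed above can be checked mechanically before a virtualisation server goes into operation. The following Python script is an added example, not part of the safeguard text and not tied to any particular virtualisation product: it takes a constructed, declarative description of a host's networks and virtual machines and reports every violation of the rules above (administration network separated only by VLAN without additional safeguards, anonymous or unencrypted administration access, missing local packet filter, unauthenticated or unseparated storage network, unseparated live-migration network, and a virtual IT system attached to both an infrastructure network and a production network). The `Network`, `VirtualMachine` and `Host` data classes, the `isolation` vocabulary and the two sample layouts are assumptions made for this example.

```python
"""Audit a declarative description of a virtualisation host's networks against
the separation requirements of S 5.154. Added example with a constructed data
model; the sample layouts below are invented for illustration."""
from dataclasses import dataclass, field
from typing import List

# Isolation of a network from the virtual IT systems' networks, weakest first.
# "vlan+filter" stands for VLAN separation with additional safeguards.
ISOLATION_RANK = {"none": 0, "vlan": 1, "vlan+filter": 2, "physical": 3}
INFRASTRUCTURE_ROLES = {"management", "storage", "migration"}


@dataclass
class Network:
    name: str
    role: str                          # "management", "storage", "migration" or "vm"
    isolation: str = "none"            # key of ISOLATION_RANK
    requires_auth: bool = False        # management: user login; storage: initiator/target auth
    encrypted: bool = False            # authentication data encrypted in transit
    local_packet_filter: bool = False  # host-local packet filter in front of the interface


@dataclass
class VirtualMachine:
    name: str
    networks: List[str]                # names of the networks this VM is attached to


@dataclass
class Host:
    networks: List[Network]
    vms: List[VirtualMachine] = field(default_factory=list)

    def by_role(self, role: str) -> List[Network]:
        return [n for n in self.networks if n.role == role]

    def lookup(self, name: str) -> Network:
        return next(n for n in self.networks if n.name == name)


def audit(host: Host) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings = []
    for n in host.by_role("management"):
        # VLAN alone is insufficient for the administration network.
        if ISOLATION_RANK[n.isolation] < ISOLATION_RANK["vlan+filter"]:
            findings.append(f"{n.name}: administration network separated only by '{n.isolation}'")
        if not n.requires_auth:
            findings.append(f"{n.name}: anonymous access to administration interface permitted")
        if not n.encrypted:
            findings.append(f"{n.name}: authentication data transmitted unencrypted")
        if not n.local_packet_filter:
            findings.append(f"{n.name}: no local packet filter protecting administration interface")
    for n in host.by_role("storage"):
        if not n.requires_auth:
            findings.append(f"{n.name}: storage resources accessible without authentication")
        if n.isolation == "none":
            findings.append(f"{n.name}: storage network not separated from VM networks")
    for n in host.by_role("migration"):
        if n.isolation == "none":
            findings.append(f"{n.name}: live-migration network not separated from VM networks")
    for vm in host.vms:
        # A VM bridging an infrastructure network and a production network could
        # be used to reach the virtualisation servers from a compromised guest.
        roles = {host.lookup(name).role for name in vm.networks}
        if "vm" in roles and roles & INFRASTRUCTURE_ROLES:
            findings.append(f"{vm.name}: attached to both production and infrastructure networks")
    return findings


def weak_host() -> Host:
    """Constructed layout violating several rules."""
    return Host(
        networks=[
            Network("mgmt", "management", isolation="vlan", requires_auth=True),
            Network("san", "storage"),
            Network("vmotion", "migration"),
            Network("prod", "vm"),
        ],
        vms=[VirtualMachine("app01", ["prod", "mgmt"])],
    )


def hardened_host() -> Host:
    """Constructed layout satisfying every rule checked by audit()."""
    return Host(
        networks=[
            Network("mgmt", "management", "physical", True, True, True),
            Network("san", "storage", "physical", requires_auth=True),
            Network("vmotion", "migration", "vlan"),
            Network("prod", "vm"),
            Network("dmz", "vm"),
        ],
        vms=[VirtualMachine("app01", ["prod"]), VirtualMachine("proxy01", ["prod", "dmz"])],
    )


if __name__ == "__main__":
    for label, host in (("weak", weak_host()), ("hardened", hardened_host())):
        print(label, audit(host) or "compliant")
```

The checks mirror the review questions at the end of this safeguard, so the script can serve as the automated part of a pre-production review; the `isolation` vocabulary would be mapped to the actual network configuration of the chosen product (physical NICs, VLAN tags, virtual switches) by whoever adopts it.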
Review questions:
- Has the administration network been separated from the network of the virtual IT systems and is this separation appropriate considering the protection requirements of the virtual IT systems?
- Is any anonymous access to the administration interfaces of the virtualisation servers ruled out?
- Is there an appropriate authentication procedure for the access to storage network resources and have the storage networks been separated from the networks of the virtual IT systems?
- Have the networks for Live Migrations been separated from the networks of the virtual IT systems?
- Are the existing security policies taken into consideration for network connections between virtual and physical IT systems?
- Has it been ensured that security gateways and monitoring systems cannot be bypassed with the help of virtual networks?
- Can it be ruled out that virtual IT systems connected to several networks can be used to establish undesired network connections?
- If virtual security gateways are to be used: Are virtual security gateways used in compliance with the security requirements of the information system?