
Many enterprises today find themselves at the centre of a shift: the new generation of data centers is erasing the boundary between physical and virtual environments, and between the public and the private "cloud". When upgrading and optimizing their data centers, organizations find that securing a next-generation data center requires solutions that are themselves continuously improved.
In cloud computing, virtualization technology is the underlying platform. The essence of the cloud concept is to give end users remote, dynamic access to services, computing resources and applications, including operating systems and infrastructure, through a variety of access channels. By access model, clouds are currently divided into two main types: public clouds and private clouds. Public clouds are, as a rule, offered by service providers over the Internet; private clouds are built inside large companies for internal needs on private intranets. Either kind may consist of thousands of servers hosted in a data center and serving tens of thousands of applications. A prerequisite for managing infrastructure of this scale effectively is the fullest possible automation. To give the different kinds of users (cloud operators, service providers, IT administrators, application users) secure access to computing resources, the cloud infrastructure must support self-service management and delegation of authority.
For most large companies that already have a mature IT infrastructure and require a high level of confidentiality, performance and availability for their applications, moving to a private cloud is preferable. Public clouds are operated by service providers, which raises concerns about processes hidden inside the cloud that the customer cannot control: whether the information exchanged between the cloud and the consumer of the service is really protected, and the impossibility of verifying how well the provider's data centers are secured. The geographic location of the provider's data centers relative to the consumer also matters, including the dependence on a constant and reliable Internet connection, an interruption of which brings the service to a complete halt. In addition, cloud providers publish different values for time to failure and data recovery time, which does not always guarantee continuous availability of the service. The confidentiality and security of data on the provider's side remains an open question. It is precisely these uncontrollable internal processes of the public cloud that push large private companies to build their own private clouds. Moreover, the private cloud approach, given a proper upgrade of existing IT assets and secure communication channels, lets a company move to cloud computing gradually and at lower cost.
For large companies that already have a developed IT infrastructure, or are building one from scratch, one of the most dynamically developing private cloud platforms to consider is VMware's, based on the VMware vSphere virtualization system.
Virtualization software demands a significant change in the approach to information security. A new and fundamentally important object appears in the virtual infrastructure, the hypervisor, which in practice is often ignored and left unprotected by specialized tools (Figure 1).

Figure 1. Old and new threats of the virtual environment
According to a Gartner study outlined in its press release of January 2010: "By the end of 2012, 60% of virtual servers will be less secure than physical servers." One of the main reasons given in the release: "40% of virtual machines are installed without the participation of information security specialists." In Russia this is compounded by the need to comply with regulators' requirements, whose guidelines do not mention virtualization at all. In existing enterprise infrastructures, information systems of every kind are being virtualized at a rapid pace, yet the methods and approaches to protecting information remain, by and large, those intended for physical servers.
Virtual infrastructure issues
With the introduction of virtualization technology the physical infrastructure changes substantially. From the network point of view a new object appears, the virtual switch, which provides network connectivity between virtual machines within a single virtualization host. The problems with virtual switches are the lack of visibility and control over intra-host traffic and the possibility of eavesdropping on all network traffic between virtual machines. One countermeasure against port sniffing is to organize VLANs on the virtual switches, so that frames are tagged at the virtualization-host level before they ever reach the physical network. VLANs alone do not stop a virtual machine on the same port group from switching its adapter into promiscuous mode, so the virtual switch security policy must also be set to reject promiscuous mode, MAC address changes and forged transmits.
In a physical environment each operating system has its own partition on physical media, or a dedicated logical unit on networked storage. In a virtual environment, by contrast, several virtual machines are physically located on one partition (datastore) so that migration and fault tolerance are possible. Consequently, an attacker who gains control over such storage obtains access to a whole group of virtual machines at once.
To counter such threats in SANs, zoning and other access-restriction mechanisms must be used to give the storage additional protection. In IP networks the storage access network must be separated, physically or logically with VLANs. Public (production) networks should likewise be separated from the networks used for virtual machine migration, so that an attacker cannot intercept the service traffic and analyze it later.
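The two network checks described above, as an added example written for this page (it is not the author's audit tool and does not use the vSphere SDK): a per-port-group check of the virtual switch security policy, and a check that management, vMotion and storage traffic do not share a layer-2 segment with virtual machine traffic. The inventory is a constructed, simplified view of a host's standard vSwitches; the `roles` field is an assumption standing in for what would otherwise be derived from the VMkernel interfaces and VM adapters attached to each port group.

```python
"""Virtual switch security policy and traffic-separation check for one host.

Added example. HOST_PORTGROUPS below is constructed sample data, not real
inventory; in a real tool it would be filled from the vSphere SDK.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVICE_ROLES = {"management", "vmotion", "storage"}


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int                       # 0 = untagged, 4095 = VGT (trunk passed to the guest)
    allow_promiscuous: bool          # security policy: Promiscuous Mode = Accept
    mac_changes: bool                # security policy: MAC Address Changes = Accept
    forged_transmits: bool           # security policy: Forged Transmits = Accept
    roles: List[str] = field(default_factory=list)  # assumed: management / vmotion / storage / vm


def check_security_policy(pg: PortGroup) -> List[str]:
    """Findings for a port group whose security policy lets a guest sniff or spoof."""
    findings = []
    if pg.allow_promiscuous:
        findings.append(f"{pg.name}: Promiscuous Mode = Accept (any VM can sniff the port group)")
    if pg.mac_changes:
        findings.append(f"{pg.name}: MAC Address Changes = Accept (guest may take over another VM's MAC)")
    if pg.forged_transmits:
        findings.append(f"{pg.name}: Forged Transmits = Accept (guest may send frames with a spoofed source MAC)")
    if pg.vlan == 4095:
        findings.append(f"{pg.name}: VLAN 4095 (VGT) exposes every tagged VLAN of the trunk to the guest")
    return findings


def check_separation(pgs: List[PortGroup]) -> List[str]:
    """Flag service traffic that shares an L2 segment with VM traffic.

    Port groups on the same vSwitch with the same VLAN ID form one segment
    (VLAN 0 means untagged, so all untagged port groups of a switch are one segment).
    """
    segments: Dict[Tuple[str, int], Set[str]] = {}
    for pg in pgs:
        segments.setdefault((pg.vswitch, pg.vlan), set()).update(pg.roles)
    findings = []
    for (vsw, vlan), roles in segments.items():
        service = roles & SERVICE_ROLES
        if service and "vm" in roles:
            findings.append(f"{vsw} VLAN {vlan}: {', '.join(sorted(service))} traffic shares a segment with VM traffic")
        if "storage" in service and len(service) > 1:
            findings.append(f"{vsw} VLAN {vlan}: storage traffic is not separated from {', '.join(sorted(service - {'storage'}))}")
    return findings


# Constructed sample inventory for a single host (not real data).
HOST_PORTGROUPS = [
    PortGroup("Management Network", "vSwitch0", 10, False, False, False, ["management"]),
    PortGroup("vMotion", "vSwitch0", 20, False, False, False, ["vmotion"]),
    PortGroup("iSCSI", "vSwitch1", 30, False, False, False, ["storage"]),
    PortGroup("Backup-VMs", "vSwitch1", 30, False, False, False, ["vm"]),   # VM network on the storage VLAN
    PortGroup("Production", "vSwitch0", 100, True, True, True, ["vm"]),     # fully permissive security policy
    PortGroup("Legacy", "vSwitch0", 0, False, False, False, ["vm"]),        # untagged, but alone on its segment
]


def audit_host_network(pgs: List[PortGroup] = HOST_PORTGROUPS) -> List[str]:
    findings: List[str] = []
    for pg in pgs:
        findings.extend(check_security_policy(pg))
    findings.extend(check_separation(pgs))
    return findings


if __name__ == "__main__":
    for finding in audit_host_network():
        print("FINDING:", finding)
```

On the sample inventory this reports three policy findings for the "Production" port group and one separation finding for VLAN 30 on vSwitch1, where a VM network sits on the iSCSI segment; the untagged "Legacy" group raises nothing because no service traffic shares its segment.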
A virtual machine is just a set of files, which makes it much easier to steal, for example by copying it to removable media. The backup process for virtual machines should therefore use specialized software that encrypts both the transfer channel between the virtualization host and the backup storage and the virtual machine backup files themselves.
From the standpoint of information protection the virtual machine is the most dangerous object in a virtual infrastructure, because of its complete initial insecurity and the ease with which its data can be modified. Technologies such as live migration and snapshots can also serve an attacker as an excellent tool for hiding traces of presence. For example, an attacker who has penetrated the guest operating system of a virtual machine and has sufficient control over the virtualization management system can hide the traces of his activity by reverting to a previous snapshot of the virtual machine disk. Theft of the snapshot files themselves can lead to a serious leak of information, since they contain every change made to the virtual disk since the snapshot was taken together with a full image of the virtual machine's memory. Another threat is the possibility of one virtual machine deliberately seizing all the resources of a virtualization host, so that the other virtual machines stop operating normally, resulting in a denial of service.
The disk subsystem of virtual machines is a separate security problem with many vulnerabilities of its own. The most common threat is the ability to read "old" information from the partition on which a new virtual machine disk has been created. When a new disk is created for a virtual machine, its blocks are allocated and zeroed only as the VM itself accesses them, so there is a risk that the virtual machine reaches blocks of the partition that have not yet been zeroed and recovers information from them, up to the restoration of file fragments. The solution is to zero the entire virtual disk at creation time, the so-called "eager zeroed" disk, rather than relying on blocks being zeroed later.
Another disk-subsystem problem is the potentially dangerous technology of thin-provisioned virtual disks, which grow as they are filled with data. Without proper planning, the partition on which VM disks are stored can fill up completely, which is guaranteed to cause a denial of service for all virtual machines residing on the full storage at once.
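The two disk-subsystem checks from the preceding paragraphs, as an added example written for this page (not the author's tool): for each datastore it computes how much the thin disks can still grow relative to the free space, and it lists disks that were not eager-zeroed. The data model is a constructed simplification of what the vSphere SDK exposes for a datastore (capacity, free space) and for a virtual disk backing (provisioned size, thin flag, eager-zero flag); the sizes are invented sample values in GiB.

```python
"""Datastore overcommitment and disk-zeroing check for VM disks.

Added example. DATASTORES and DISKS are constructed sample data, not real
inventory; a real tool would populate them from the vSphere SDK.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VirtualDisk:
    vm: str
    datastore: str
    provisioned_gib: float      # size promised to the guest
    used_gib: float             # blocks actually allocated on the datastore
    thin: bool                  # thin-provisioned: grows on demand
    eager_zeroed: bool          # fully zeroed at creation


@dataclass
class Datastore:
    name: str
    capacity_gib: float
    free_gib: float


def overcommit_report(dss: List[Datastore], disks: List[VirtualDisk]) -> Dict[str, dict]:
    """Per datastore: provisioned total, overcommit ratio and the headroom thin disks still need.

    A datastore is at risk when its thin disks can grow by more than the free
    space: if the guests fill their disks, the volume runs out of space and every
    VM on it stalls, not only the one that grew.
    """
    report: Dict[str, dict] = {}
    for ds in dss:
        mine = [d for d in disks if d.datastore == ds.name]
        provisioned = sum(d.provisioned_gib for d in mine)
        thin_growth = sum(d.provisioned_gib - d.used_gib for d in mine if d.thin)
        report[ds.name] = {
            "provisioned_gib": provisioned,
            "overcommit_ratio": round(provisioned / ds.capacity_gib, 2),
            "thin_growth_gib": thin_growth,
            "at_risk": thin_growth > ds.free_gib,
        }
    return report


def unzeroed_disks(disks: List[VirtualDisk]) -> List[str]:
    """Disks not zeroed at creation, which may still carry blocks that were never overwritten."""
    return [f"{d.vm} on {d.datastore}" for d in disks if not d.eager_zeroed]


# Constructed sample data (GiB); free space is consistent with the disks' used blocks.
DATASTORES = [
    Datastore("ds-prod", capacity_gib=1000, free_gib=300),
    Datastore("ds-dmz", capacity_gib=500, free_gib=350),
]
DISKS = [
    VirtualDisk("web01", "ds-prod", 200, 120, thin=True, eager_zeroed=False),
    VirtualDisk("db01", "ds-prod", 500, 500, thin=False, eager_zeroed=True),
    VirtualDisk("app01", "ds-prod", 400, 80, thin=True, eager_zeroed=False),
    VirtualDisk("proxy01", "ds-dmz", 100, 100, thin=False, eager_zeroed=True),
    VirtualDisk("mail01", "ds-dmz", 100, 50, thin=False, eager_zeroed=False),   # lazy-zeroed thick
]


def audit_storage(dss: List[Datastore] = DATASTORES, disks: List[VirtualDisk] = DISKS) -> dict:
    return {"datastores": overcommit_report(dss, disks), "unzeroed": unzeroed_disks(disks)}


if __name__ == "__main__":
    result = audit_storage()
    for name, row in result["datastores"].items():
        flag = "AT RISK" if row["at_risk"] else "ok"
        print(f"{name}: ratio {row['overcommit_ratio']}, thin growth {row['thin_growth_gib']} GiB, {flag}")
    print("not eager-zeroed:", ", ".join(result["unzeroed"]))
```

In the sample, ds-prod is overcommitted at 1.1 (1100 GiB promised on a 1000 GiB volume) and its two thin disks can still grow by 400 GiB against 300 GiB free, so it is flagged; ds-dmz has no thin disks and is not. The eager-zero check lists three disks, including the lazy-zeroed thick disk on ds-dmz.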
The main tool for centralized management of any virtual infrastructure is the management server, and it is also one of the main sources of security threats to that infrastructure. Having gained control over the management server, an attacker obtains full access to all virtual machines, virtualization hosts, virtual networks and data storage. The management server itself must therefore be protected carefully, with particular attention to authentication and access control, for which it makes sense to use additional software developed specifically for virtual infrastructures. Access to the virtualization server must use a secure protocol, usually SSL, and administrator access must be restricted by IP address. The virtual infrastructure management network and the production network of the virtual machines must also be separated, physically or logically, to prevent unauthorized interference.
Virtual Infrastructure Security Techniques
The first and most important aspect of protecting a virtual infrastructure is protecting the hypervisor, since compromise of the hypervisor alone gives control over all the virtual machines under it and potentially over the entire virtualization infrastructure.
As standard protective measures it is recommended to use specialized products for virtual environments, integrate host servers with Active Directory, enforce password complexity and aging policies, standardize access procedures for the host server management tools, and use the virtualization host's built-in firewall. Frequently used but unnecessary services, such as web access to the virtualization server, can be disabled. Virtualization servers, like any other operating system, also need the security measures that are routine in a physical infrastructure, for example timely and regular updating of software components.
Based on the above, the following main classes of threats to the security of virtual environments are proposed:
1. Attacks on a virtual machine, by means of:
a) attacks from another virtual machine
b) attacks on the disk and virtual machine configuration files
c) attacks on the virtual machine replication network
d) attacks on the network and storage system containing the virtual machine files
e) attacks on virtual machine backup tools
2. Attacks on a virtualization host, by means of:
a) attacks from the physical network
b) attacks by means of a compromised virtual infrastructure management server
c) attacks on the hypervisor's internal services (SSH, web, Telnet, etc.)
d) attacks on third-party hypervisor agents
3. Attacks on the virtual infrastructure management server, by means of:
a) attacks on the operating system providing control services
b) attacks on the management server DBMS
c) attacks on the account database
d) network attacks on the service used for interaction with and monitoring of the virtualization hosts
4. Attacks on virtualization host resources, through:
a) uncontrolled growth in the number of virtual machines
b) incorrect planning of resource pool delimitation
c) incorrect planning of growing virtual disks of a VM
d) incorrect separation of the rights of users and groups of the virtual infrastructure.
Specialized systems for protecting the virtual infrastructure already exist today and can be divided into the following classes:
1. Traffic analysis and intrusion prevention software designed specifically for the virtual environment (vShield Zones from VMware, VMC from Reflex)
2. Software for separating access rights in the virtual infrastructure (HyTrust, vGate from the Russian company Security Code)
3. Software for auditing the virtual environment for security configuration errors (vWire, VMinformer).
Together these tools can significantly raise the security of a virtual infrastructure, but none of them protects the virtual environment comprehensively on its own. A unified approach to information security in the form of regulations and standards is therefore needed, one that necessarily takes into account the recommendations of the virtualization platform vendor, since it is the technological features of the platform that determine the required security measures.
Software package
As one approach to improving the security of cloud computing, I propose a software package for automated auditing of a VMware vSphere virtual infrastructure for security configuration errors. The solution is in pilot development and is a Win32 GUI application. It uses the standard VMware vSphere SDK to interact with the components of the VMware vSphere virtualization platform. As input the program takes the address of a specific VMware ESX virtualization host, or of the VMware vCenter management server for the entire infrastructure, together with user credentials that have read permissions. As output it produces a report on the protection status of the object under study and assigns an overall security rating according to which of the three security levels defined by VMware Inc. it complies with:
1. Enterprise level. This level is designed to protect against most typical attacks on the virtual infrastructure and to ensure a high level of protection of confidential information.
2. Demilitarized zone (DMZ) level. This level provides reliable protection for hosts and virtual machines that are connected to the Internet.
3. Specialized Security Limited Functionality (SSLF) level. This level is designed for the highest possible degree of protection of the virtual infrastructure, including at the cost of losing some functionality in favor of protection against the most sophisticated attacks.
The report is a detailed table divided by the types of threats to the virtual infrastructure proposed above. The security tests consist of checking the configuration parameters of hosts, virtual machines, the management server and other objects against recommendations from the technical literature and the platform vendor's recommendations that I have selected. The basis of these recommendations is the VMware vSphere Hardening Guide, a technical document describing the three security levels of a VMware vSphere virtual infrastructure, each of which corresponds to more than a hundred parameters of virtualization objects. All these parameters are collected and analyzed by the program engine automatically and mapped onto the threat model described above, per security level. From the resulting data the user of the program can trace, point by point, which level of security the analyzed virtual infrastructure corresponds to and which system parameters need to be adjusted to bring it into compliance.
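The evaluation logic described in this section, as an added example written for this page (it is not the author's software package and does not talk to the vSphere SDK). Collected parameters are flattened to "object/key" strings; the `vm/` keys are real vSphere VM advanced settings (.vmx keys), while the `host/` keys are constructed abstractions of host state. Which level each rule is assigned to, and the numeric thresholds, are illustrative assumptions rather than the Hardening Guide's own mapping; the threat codes refer to the classification proposed above. Levels are treated as cumulative: DMZ includes every Enterprise rule, SSLF includes both.

```python
"""Leveled compliance evaluation of collected virtualization parameters.

Added example. RULES (level assignment, thresholds) and CONFIG are constructed
for illustration; the vm/ keys are real VM advanced settings, the host/ keys
are an invented abstraction of host state.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

LEVELS = ["Enterprise", "DMZ", "SSLF"]   # cumulative, lowest to highest


@dataclass(frozen=True)
class Rule:
    key: str          # flattened parameter path
    expected: Any     # required value (op "eq") or upper bound (op "max")
    level: str        # lowest level at which the rule applies
    threat: str       # threat code from the taxonomy above
    op: str = "eq"


RULES = [
    # 1b: attacks on VM disk and configuration files; 1a: attacks from another VM
    Rule("vm/isolation.tools.copy.disable", True, "Enterprise", "1b"),
    Rule("vm/isolation.tools.paste.disable", True, "Enterprise", "1b"),
    Rule("vm/isolation.tools.setGUIOptions.enable", False, "SSLF", "1b"),
    Rule("vm/RemoteDisplay.maxConnections", 1, "DMZ", "1a", op="max"),
    # 4c: incorrect planning of growing virtual disks (guest-triggered disk operations)
    Rule("vm/isolation.tools.diskShrink.disable", True, "Enterprise", "4c"),
    Rule("vm/isolation.tools.diskWiper.disable", True, "Enterprise", "4c"),
    Rule("vm/log.keepOld", 10, "Enterprise", "4c", op="max"),
    # 2a: attacks from the physical network; 2c: attacks on hypervisor internal services
    Rule("host/firewall.enabled", True, "Enterprise", "2a"),
    Rule("host/services.ssh.running", False, "DMZ", "2c"),
    Rule("host/services.webAccess.running", False, "SSLF", "2c"),
]


def passes(rule: Rule, config: Dict[str, Any]) -> bool:
    """A parameter that is not set at all counts as non-compliant: the audit wants it explicit."""
    if rule.key not in config:
        return False
    value = config[rule.key]
    return value <= rule.expected if rule.op == "max" else value == rule.expected


def evaluate(config: Dict[str, Any], rules: List[Rule] = RULES) -> Dict[str, Any]:
    """Check every level; the highest level with no failures is the achieved rating."""
    levels: Dict[str, Any] = {}
    achieved: Optional[str] = None
    for depth, level in enumerate(LEVELS):
        applicable = [r for r in rules if LEVELS.index(r.level) <= depth]
        failed = [(r.key, r.threat, config.get(r.key, "<not set>"), r.expected)
                  for r in applicable if not passes(r, config)]
        levels[level] = {"checked": len(applicable), "failed": failed}
        if not failed:
            achieved = level
    return {"achieved": achieved, "levels": levels}


def failures_by_threat(result: Dict[str, Any], level: str) -> Dict[str, List[str]]:
    """Group one level's failures by threat code, as the report table is organized."""
    grouped: Dict[str, List[str]] = {}
    for key, threat, actual, expected in result["levels"][level]["failed"]:
        grouped.setdefault(threat, []).append(f"{key} = {actual!r} (expected {expected!r})")
    return grouped


# Constructed snapshot of one VM and its host; setGUIOptions.enable is deliberately absent.
CONFIG = {
    "vm/isolation.tools.copy.disable": True,
    "vm/isolation.tools.paste.disable": True,
    "vm/isolation.tools.diskShrink.disable": True,
    "vm/isolation.tools.diskWiper.disable": True,
    "vm/RemoteDisplay.maxConnections": 3,
    "vm/log.keepOld": 10,
    "host/firewall.enabled": True,
    "host/services.ssh.running": True,
    "host/services.webAccess.running": True,
}

if __name__ == "__main__":
    result = evaluate(CONFIG)
    print("achieved level:", result["achieved"])
    for level in LEVELS:
        print(f"{level}: {len(result['levels'][level]['failed'])} of {result['levels'][level]['checked']} checks failed")
        for threat, items in failures_by_threat(result, level).items():
            print(f"  threat {threat}: " + "; ".join(items))
```

On the sample snapshot every Enterprise rule passes, so the rating is Enterprise; DMZ fails on the open SSH service and the console connection limit, and SSLF additionally fails on the web access service and the unset GUI-options parameter. Setting the two DMZ parameters to their expected values lifts the rating to DMZ, which is exactly the point-by-point guidance the report is meant to give.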
Conclusion
The software package for automated auditing of the virtual environment for security configuration errors has already been used repeatedly in practice by the system integrator in private cloud construction projects. Its practical application will be discussed in detail in the next article.