Microsoft Private Cloud - Overview of Hypervisor Security (second section)

Date: 2013/01/27
In this article we'll take a look at the differences between a traditional data center and the private cloud.
Do not run applications and services on the Host operating system
The purpose of the host operating system is to provide an environment to host the hypervisor, which in this case is Hyper-V. You should not install any applications or services on the host operating system that are not related to supporting the virtualization environment. This is one of the advantages of using a Server Core installation; for example, you can’t use the Web browser on the machine and it’s very difficult, or even impossible, to install many applications and services that might run in non-Server Core installations.
Many organizations today are trying to do more with less, and so might consider installing low overhead services such as DNS, DHCP or Certificate Services on the Hyper-V host operating system. Don’t do it! Each application or service that you install on the host operating system will increase the attack surface and also require more updating of the host operating system. If you want to run additional services, run them in a virtual machine that is hosted by the host operating system.
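The following PowerShell is an added example written for this article, not code from the original author or from Microsoft. It audits a Hyper-V host against an allow-list of virtualization-related roles and features and reports anything else that is installed, and it checks whether the host is a Server Core installation. The allow-list, the registry check and the host layout are assumptions for this example; a first run on a default Full installation will also list baseline features such as the .NET Framework, so tune the list to your build image.

```powershell
# Added example (not from the article): report roles and features installed on a
# Hyper-V host that are outside an allow-list of virtualization-related components.
# Assumes Windows Server 2008 R2 or 2012 with the ServerManager module available.
Import-Module ServerManager

# Allow-list is an assumption for this example; extend it to match your build.
$allowed = @(
    'Hyper-V',
    'Hyper-V-Tools',
    'Hyper-V-PowerShell',
    'RSAT-Hyper-V-Tools',
    'Failover-Clustering',
    'RSAT-Clustering',
    'Multipath-IO',
    'Windows-Server-Backup'
)

function Test-ServerCore {
    # InstallationType reads 'Server Core' on a Core install and 'Server' on a Full install.
    $type = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    return ($type -eq 'Server Core')
}

function Get-UnexpectedFeature {
    param([string[]]$AllowList = $allowed)
    # -notcontains rather than -notin so the check also runs on PowerShell 2.0 (2008 R2).
    Get-WindowsFeature |
        Where-Object { $_.Installed -and ($AllowList -notcontains $_.Name) } |
        Select-Object Name, DisplayName, FeatureType
}

if (-not (Test-ServerCore)) {
    Write-Warning 'This host is a Full installation; a Server Core build is the smaller attack surface.'
}

$unexpected = Get-UnexpectedFeature
if ($unexpected) {
    Write-Warning 'Installed components that are not on the host allow-list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Only allow-listed virtualization components are installed.'
}
```

Run it from an elevated PowerShell session on each host; anything it lists (a DNS or DHCP role, Certificate Services, the Web Server role) is a candidate for removal with Remove-WindowsFeature and for relocation into a guest VM.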
Dedicate a NIC for management purposes
Your Hyper-V virtual server is going to have multiple physical network interfaces. You’ll probably dedicate a network interface that connects to the production network, while another network interface may connect the server to the Internet, another might connect the machine to a DMZ and another might connect to a partner network. The virtual machines can then be bound to these physical network interfaces so that they can connect only to the resources to which they need to connect. These interfaces should not be assigned IP addressing information and should not be reachable by any host on the network. They should be dedicated for virtual machine use only.
In addition to these interfaces, you should have a dedicated interface for management purposes. These interfaces can be assigned IP addressing information and you can use Windows Firewall with Advanced Security to control who can connect to that interface, perhaps by controlling access by IP address. In addition, you can require authentication and encryption at the network level when connecting to the management interface by using IPsec authentication and encryption.
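The following PowerShell is an added example written for this article, not code from the original author or from Microsoft. It builds the adapter layout described above on a Windows Server 2012 Hyper-V host: each VM-facing physical adapter becomes an external virtual switch with no host-side virtual NIC (so the host never holds an IP address on it), the management adapter is limited by Windows Firewall with Advanced Security to the admin tools from an administrative subnet, and IPsec is required for inbound traffic to that interface. Adapter names, the admin subnet and the port list are assumptions for this example.

```powershell
# Added example (not from the article). Assumes Windows Server 2012 Hyper-V with the
# Hyper-V and NetSecurity PowerShell modules. Adapter names, subnet and ports are
# assumptions; adjust them to the host you are configuring.
Import-Module Hyper-V
Import-Module NetSecurity

$vmAdapters  = @{ 'VM-Production' = 'Ethernet 2'; 'VM-DMZ' = 'Ethernet 3'; 'VM-Partner' = 'Ethernet 4' }
$mgmtAdapter = 'Management'          # alias of the dedicated management NIC
$adminSubnet = '10.10.0.0/24'        # where the administrators' workstations live
$mgmtPorts   = @(3389, 5985, 5986)   # RDP, WinRM over HTTP, WinRM over HTTPS

# 1. VM-only adapters. -AllowManagementOS $false creates the external switch without
#    a host vNIC, so the physical interface carries no host IP and the host is not
#    reachable through it; only virtual machines can be bound to these switches.
foreach ($switchName in $vmAdapters.Keys) {
    if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $switchName -NetAdapterName $vmAdapters[$switchName] `
            -AllowManagementOS $false | Out-Null
    }
}

# 2. Management adapter. The firewall's default inbound action is Block, so a single
#    Allow rule scoped to this interface, these ports and the admin subnet is enough;
#    do not add a broad Block rule, because explicit Block rules override Allow rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'HV-Mgmt-Allow-Admins' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $mgmtPorts -RemoteAddress $adminSubnet `
    -InterfaceAlias $mgmtAdapter -Profile Any | Out-Null

# 3. Require IPsec authentication and encryption for inbound management traffic;
#    outbound replies request it. The default authentication set (computer Kerberos)
#    is used, so the admin workstations must be domain members.
New-NetIPsecRule -DisplayName 'HV-Mgmt-Require-IPsec' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $mgmtPorts -RemoteAddress $adminSubnet `
    -InterfaceAlias $mgmtAdapter | Out-Null

# Verification: the VM-facing adapters should not appear among the host's IP interfaces.
Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress | Format-Table -AutoSize
```

Apply this from a console session (or over the management interface from inside the admin subnet), because the IPsec rule will cut off any remote session that does not satisfy it.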
Do not mix security zones
In Hyper-V arrays (or clusters), it’s possible for virtual machines to be moved automatically so that no single server in the array is overloaded from a memory, processor or network perspective. Because of this, you might find yourself in a situation where you don’t know at a particular point in time where a given virtual machine will be located. This creates a scenario where virtual machines that belong to different security zones can be co-located on the same host virtual server. This is a less than optimal security design because it makes the high security zone virtual machine potentially liable to compromise by the low security zone virtual machine.
When designing your Hyper-V arrays, think about the workloads that will be running on the virtual machines. If you have virtual machines that will be providing remote access services, such as a TMG firewall, or UAG SSL VPN server, or a conventional RRAS based remote access VPN server, then you will need to make sure that you dedicate an array to these Internet facing devices and not mix them with non-Internet facing virtual machines, such as a SQL server or SharePoint server that is tasked with intranet duties only.
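The following PowerShell is an added example written for this article, not code from the original author or from Microsoft. It gives you a way to detect the co-location problem described above: each VM carries its security zone as a "Zone=" tag in its Notes field, and the script lists every host that is currently running VMs from more than one zone. The host names, VM names and the tagging convention are assumptions for this example.

```powershell
# Added example (not from the article). Assumes Windows Server 2012 Hyper-V hosts
# reachable over the management network, and VMs whose Notes field contains a tag
# such as "Zone=Internet" or "Zone=Intranet" (a convention assumed for this example).
Import-Module Hyper-V

$hosts = @('HV01', 'HV02', 'HV03')   # assumed host names for one array

function Get-VMZone {
    param($VM)
    # Untagged VMs are reported as their own zone so they are never silently ignored.
    if ($VM.Notes -match 'Zone=(\w+)') { return $Matches[1] } else { return 'untagged' }
}

function Find-MixedZoneHost {
    param([string[]]$HostNames)
    Get-VM -ComputerName $HostNames |
        Select-Object Name, ComputerName, @{ n = 'Zone'; e = { Get-VMZone $_ } } |
        Group-Object ComputerName |
        Where-Object { @($_.Group | Select-Object -ExpandProperty Zone | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Host  = $_.Name
                Zones = ($_.Group | Select-Object -ExpandProperty Zone | Sort-Object -Unique) -join ','
                VMs   = ($_.Group | Select-Object -ExpandProperty Name) -join ','
            }
        }
}

$mixed = Find-MixedZoneHost -HostNames $hosts
if ($mixed) {
    Write-Warning 'Hosts running virtual machines from more than one security zone:'
    $mixed | Format-Table -AutoSize
} else {
    Write-Output 'No host in this array mixes security zones.'
}

# Tagging a VM for the first time (one-off, shown for completeness):
# Set-VM -Name 'TMG01' -Notes 'Zone=Internet'
```

Because automatic placement can move a VM at any time, run the check on a schedule rather than once; a non-empty result means the array is not dedicated to a single zone as the text recommends, and the VMs involved should be moved to an array reserved for their zone.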
Make sure that Hyper-V integration services are installed
Hyper-V integration services do a lot of things, and one of the most important duties of the integration services is to make sure that the time on the virtual machines is synchronized with the host operating system. This makes it possible for you to move the virtual machines around, even to different time zones, and the time on the virtual machines will be automatically synced with the host operating system. This also helps when restoring virtual machine snapshots.
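The following PowerShell is an added example written for this article, not code from the original author or from Microsoft. It reports, for every VM on the named hosts, whether the Time Synchronization integration service is enabled and whether the guest-side component is actually responding, and it enables the service where it is switched off. Host names are assumptions for this example.

```powershell
# Added example (not from the article). Assumes Windows Server 2012 Hyper-V hosts
# and the Hyper-V PowerShell module; host names are assumptions.
Import-Module Hyper-V

function Get-TimeSyncStatus {
    param([string[]]$HostNames)
    foreach ($vm in Get-VM -ComputerName $HostNames) {
        $svc = Get-VMIntegrationService -VM $vm -Name 'Time Synchronization'
        [pscustomobject]@{
            Host    = $vm.ComputerName
            VM      = $vm.Name
            State   = $vm.State
            Enabled = $svc.Enabled
            # PrimaryStatusDescription is 'OK' only when the integration component is
            # installed in the guest and answering; 'No Contact' on a running VM means
            # the integration services are missing or out of date inside the guest.
            Status  = $svc.PrimaryStatusDescription
        }
    }
}

$report = Get-TimeSyncStatus -HostNames @('HV01', 'HV02')
$report | Format-Table -AutoSize

# Enable the service on the host side wherever it has been turned off.
$report | Where-Object { -not $_.Enabled } | ForEach-Object {
    Enable-VMIntegrationService -VMName $_.VM -ComputerName $_.Host -Name 'Time Synchronization'
}

# Running VMs that still report 'No Contact' need the integration services
# installed or updated inside the guest; the host cannot fix that remotely.
$report | Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'OK' } |
    Select-Object Host, VM, Status | Format-Table -AutoSize
```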
Update virtual machine images offline
In a non-private cloud environment, you would install the operating system and then run Windows Update immediately after installing the operating system. You control this process from end to end so you know that this vital step is going to be performed. But in a virtual environment, it’s possible that users who are less aware of security issues will provision virtual machines and then not update them properly.
You can fix this by using offline update tools to install updates to the virtual machine templates. When the virtual machine templates are updated offline, the virtual machines that are deployed based on those templates will always be up to date with security fixes and updates. You can use the Virtual Machine Servicing Tool (VMST) to accomplish this.
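The following PowerShell is an added example written for this article, not code from the original author or from Microsoft. The text names the Virtual Machine Servicing Tool; this example shows the same offline-update idea using the DISM PowerShell module instead (Windows 8 / Windows Server 2012 and later), which mounts a VHD or VHDX template, injects the update packages, and commits the result. The template path, update folder and mount directory are assumptions for this example.

```powershell
# Added example (not from the article). Uses the DISM module's offline-servicing
# cmdlets rather than VMST. Paths are assumptions; point them at your own template,
# a folder of downloaded .msu/.cab updates, and an empty mount directory.
Import-Module Dism

$templatePath = 'D:\Templates\WS2012-Base.vhdx'
$updateDir    = 'D:\Updates'
$mountDir     = 'D:\Mount'

function Update-OfflineTemplate {
    param([string]$ImagePath, [string]$UpdateDir, [string]$MountDir)

    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    # Index 1 is the first image in the disk; a single-OS template has only one.
    Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir | Out-Null
    try {
        $packages = Get-ChildItem -Path $UpdateDir -Include *.msu, *.cab -Recurse
        foreach ($pkg in $packages) {
            Write-Output "Adding $($pkg.Name)"
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName | Out-Null
        }

        # Report what the image now contains before committing.
        Get-WindowsPackage -Path $MountDir |
            Select-Object PackageName, PackageState, InstallTime |
            Format-Table -AutoSize

        # -Save commits the changes into the template file.
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        # Discard the partial change so a half-serviced template is never committed.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}

Update-OfflineTemplate -ImagePath $templatePath -UpdateDir $updateDir -MountDir $mountDir
```

Run this on a management server, not on the Hyper-V host itself, so the servicing work stays off the host operating system. Packages that show a state of Install Pending finish installing on the first boot of a VM deployed from the template, which is still before that VM is exposed to users.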
Use appropriate delegation of administration
Finally, make sure that you delegate administration correctly. Make sure that the administrators of the virtual infrastructure or private cloud fabric do not have permissions to access the virtual machine operating systems and that the administrators of the operating systems running on the virtual machines do not have access to the virtual infrastructure or fabric. In fact, you should consider exercising more granular controls over the virtual infrastructure or fabric by using Role Based Access Control. You can accomplish this through the use of Authorization Manager in Windows Server 2008 and Windows Server 2008 R2.
In this article, we took a look at some of the major issues involved with hypervisor security in the Microsoft Private Cloud. For the most part, security requirements in the private cloud are similar to those found in a traditional data center. One of the most obvious examples of where security requirements and considerations differ is hypervisor security, since most private cloud deployments use virtualization as an enabling technology. With this list of security considerations in mind, you can move forward to increase the overall security of your Microsoft private cloud solution.
Related Link:

Microsoft Private Cloud - Overview of Hypervisor Security (first section)


Created: 18 Mordad 1393