[51cto.com] For years people have worried about the security of virtualized environments. Many mistakenly believe that an environment is inherently less trustworthy simply because it is virtualized. That is not the case: a virtual environment and a physical one are fundamentally alike, and they are exposed to the same security problems.
At the same time, the opposite camp holds that virtualization has greatly improved security, or even fundamentally changed what security means. That is not the case either.
Virtualization has brought real change. The new hypervisor layer (for background, see "Server virtualization's three major technologies completely explained") introduces new security problems, but they are not earth-shaking ones. As with any new component added to an environment, architects and systems engineers need to educate themselves properly, learn the new component, and then plan its implementation thoroughly. In fact, 51cto.com has been covering this subject and has run the topic "Creating a secure virtualization environment".
To learn more about virtualization security, I sought out a well-known and outspoken security expert: Edward L. Haletky, president of AstroArch Consulting, a DABCC analyst, a VMware community expert and the author of several books. The following is an excerpt from our conversation:
Reporter: What is the most common security mistake when installing VMware VI3?
Edward Haletky: The use of a single-layer virtual network (a flat virtual network), because it cannot address the differences between security zones.
Reporter: The upcoming VMware vSphere 4 (51cto.com editor's note: VMware vSphere 4 was launched in late April, and VMware declared it the industry's first cloud operating system) - can it effectively solve security problems, especially those that VMware VI3 could not?
Haletky: Some of them. VMsafe will make security tools more effective. However, while it cannot be said of every functional improvement, most functional improvements will increase the attack surface.
Reporter: So what do you think of the new VMsafe API? What changes will it bring us?
Haletky: VMsafe will fundamentally change virtualization security. You can now use it to build a tool that sees the complete virtual host. For example, when managing a virtual network, each of three vSwitches used to require an agent; now each VMware ESX/ESXi host requires one agent. However, using VMsafe applications also increases the attack surface, because you must include the virtual appliances that run the agent. Therefore, the use of a flat virtual network on a virtualization host should never continue.
Reporter: What do you think about third-party solutions such as Catbird? And what will VMware bring us now that it has acquired Blue Lane Technologies?
Haletky: I think all of these third-party tools, such as Catbird's V-Security and Reflex Systems' vTrust, will compete fiercely with VMware's vShield Zones. They are similar in many ways, and Zones is better integrated, but the two third-party tools currently provide far more functionality than Zones. [51cto.com previously reported that VMware will add the vShield Zones security service to its VDC-OS platform, allowing enterprise users to create so-called "internal" cloud environments within their own data centers. This resembles the isolation zones of traditional IT infrastructure, but is built on virtual machines rather than physical devices.]
Reporter: VMware ESXi seems safer because it has a relatively small footprint. Is that true, or does ESXi have the same security issues as VI3? Are the security questions the same in kind? Do people seem more comfortable with ESXi?
Haletky: I think VMware ESXi and ESX have the same security issues. A virtualization security solution should not only harden the virtualization host. Even so, many people mistakenly think VMware ESXi is safer. In addition, most people treat ESXi as an appliance. They follow VMware's recommendations to do one or two things to improve security, but do not attend to how it is managed or accessed. I also believe most people will enable the SSH feature of ESXi. When they do, they actually lose real security, because ESXi does not have defense in depth.
Reporter: Can you tell us two or three of the most important VMware-related security issues that you think may not be widely known?
Haletky: The first is the one I just mentioned: using a flat virtual network instead of seeking stronger protection. This is necessary when using VMsafe vApps.
Another is that many people mistakenly put their ESX host service console and their management tools on different sides of the firewall. In that case, many unnecessary ports are opened. The correct way is to place the ESX console and the vCenter tools on the same side of the firewall and restrict access to a single protocol, such as encrypted RDP. Administrators should access virtual machines and management tools in this way.
The last common security issue is not using a network/virtualization host deployment; this arrangement can prevent zero-day attacks. The incorrect method is to deploy directly into the production environment. In that case, if an operational error occurs or a virtual machine is deleted, something remains on the disk.
Reporter: Do you think the security of VMware's hypervisor is higher or lower than that of competitors such as Xen and Hyper-V?
Haletky: That is a difficult question to answer. The hypervisor may be safer, but what matters more is whether the things around it are safer. Compared with VI3, the attack surface of VMware vSphere 4 will increase because VMsafe and VMDirectPath are included. Xen and Hyper-V have their own attack surfaces, which are similar to each other yet different. So the hypervisor is not the most critical part; the key lies in direct or indirect access to the virtualization hosts.
Reporter: We know you have a book on virtualization that will be published soon. What does it cover, and what is its focus?
Haletky: The book is "VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment". It is about everything that directly or indirectly exposes the virtualization hosts, the components that make up a virtual environment. Yes, the book talks about how to harden ESX and ESXi, but beyond that it also covers storage, compute, management, VDI, forensics and other areas. These areas were often left outside the scope of virtualization management, but the security perspective has now broadened, and all of them must be included, because they certainly affect the security of the virtualization hosts.
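The "flat virtual network" mistake Haletky returns to throughout the interview is easy to audit mechanically once a host's vSwitch layout is written down. The script below is an added example for this page, not code from the interview, from Haletky or from VMware: it models a host as a dict of vSwitches, each holding port groups with a VLAN ID (0 meaning untagged) and an assumed role label (management, storage or vm), and flags two symptoms of a flat network: infrastructure and VM port groups sharing a vSwitch, and several port groups sitting in one broadcast domain. Both host descriptions are constructed samples; the role names, the `audit` function and the VLAN numbers are assumptions made for illustration.

```python
"""Audit a virtual-switch layout for the 'flat virtual network' mistake.

Added example; not code from the interview or from VMware. Host layouts are
constructed dicts shaped loosely like the vSwitch -> port group -> VLAN listing
an ESX host reports (role labels and VLAN numbers are assumptions).
"""
from collections import defaultdict

# Constructed sample: one vSwitch carrying console, storage and all VM traffic untagged.
FLAT_HOST = {
    "vSwitch0": [
        {"name": "Service Console", "role": "management", "vlan": 0},
        {"name": "VMkernel", "role": "storage", "vlan": 0},
        {"name": "DMZ VMs", "role": "vm", "vlan": 0},
        {"name": "Internal VMs", "role": "vm", "vlan": 0},
    ]
}

# Constructed sample: management and storage on their own vSwitch and VLANs,
# VM traffic on a separate vSwitch with one VLAN per security zone.
SEGMENTED_HOST = {
    "vSwitch0": [
        {"name": "Service Console", "role": "management", "vlan": 10},
        {"name": "VMkernel", "role": "storage", "vlan": 20},
    ],
    "vSwitch1": [
        {"name": "DMZ VMs", "role": "vm", "vlan": 100},
        {"name": "Internal VMs", "role": "vm", "vlan": 200},
    ],
}

INFRA_ROLES = {"management", "storage"}


def audit(host):
    """Return a list of findings; an empty list means no flat-network symptom was found."""
    findings = []
    by_segment = defaultdict(list)  # (vswitch, vlan) -> port groups on that L2 segment
    for vswitch, groups in host.items():
        roles = {g["role"] for g in groups}
        # Finding 1: console/storage port groups mixed with VM port groups on one vSwitch,
        # so a compromised guest sits next to the management path.
        if INFRA_ROLES & roles and "vm" in roles:
            findings.append(f"{vswitch}: infrastructure and VM port groups share a vSwitch")
        for g in groups:
            by_segment[(vswitch, g["vlan"])].append(g)
    # Finding 2: several port groups in one broadcast domain (same vSwitch and VLAN),
    # i.e. no layer-2 separation between what are meant to be distinct zones.
    for (vswitch, vlan), groups in by_segment.items():
        if len(groups) < 2:
            continue
        names = ", ".join(g["name"] for g in groups)
        tag = "untagged" if vlan == 0 else f"VLAN {vlan}"
        findings.append(f"{vswitch} ({tag}): port groups '{names}' share one broadcast domain")
    return findings


def is_flat(host):
    """True if the layout shows any flat-network symptom."""
    return bool(audit(host))


if __name__ == "__main__":
    for label, layout in (("flat", FLAT_HOST), ("segmented", SEGMENTED_HOST)):
        print(f"{label}: {audit(layout) or 'OK'}")
```

Run it and the flat layout produces two findings while the segmented one produces none. The check is deliberately structural: it says nothing about whether a given VLAN is the right one, only whether traffic classes that the interview says must be kept apart are actually separated at layer 2.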
[51cto.com original content. Do not reprint without authorization. Partner sites that reprint it must credit 51cto.com as the source and must not modify the original content.]
Original article: Top Security Concerns in a Virtualization Environment. Author: David Marshall