We all know how virtualization is evolving in every environment, big or small.
From a security perspective, here are some tips on how to make your virtualization environment as secure as possible.
- Implement defense in depth, which means don’t just secure the network in front of the VMs; also run a firewall on every VM.
- Enforce least privilege and separation of duties, which means, for example, that the admin responsible for virtual network interfaces should not have any ability to increase the RAM of a virtual machine.
- Harden the hypervisor and the virtual machine OS using the CIS security standards.
- Require multi-factor authentication for all administrative functions (e.g. hardware tokens).
- Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs.
- Send hypervisor logs to physically separate, secured storage as close to real-time as possible.
- Disable or remove all unnecessary interfaces.
- Establish limits on VM resources, so that a DoS attack on a single machine does not affect the other virtual machines.
- Access to management ports should be strictly limited to the machines that need it.
- Management communications should take place on an independent network interface (admin interface) on the host, used only for this purpose (e.g. dedicate a specific network card with an IP that can be reached only for administration).
- provide packet authentication to prevent spoofed source address attacks
- File Sharing Between Host and Guests must be disabled
- Time on guests should sync with the host.
- Virtual machines can directly or indirectly control physical devices; you’re encouraged to disable this connection to host devices for all VMs.
- Passwords should be used for BIOS and boot loaders for both hosts and guests.
- install the Hyper-V Role on a Server Core Operating System instead of using a full version of Windows Operating System
- it is recommended to enable BitLocker or any other hard disk encryption on volumes where Hyper-V and Virtual Machine files are stored
- Guest-to-guest communication through the hypervisor should be prohibited.
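As an added example (not part of the original post), the PowerShell audit below checks a Hyper-V host against several of the points above: disk encryption on VM storage, per-VM resource limits, host/guest file sharing, time sync and physical device access. The Hyper-V and BitLocker cmdlets are Microsoft's; the function name, the 50% CPU ceiling and the pass/fail thresholds are my assumptions.

```powershell
# Added example, not the post's own code. Assumes an elevated shell on a
# Hyper-V host with the Hyper-V and BitLocker PowerShell modules available.
function Test-HyperVHardening {
    [CmdletBinding()]
    param([int]$MaxCpuPercent = 50)   # assumed per-VM CPU ceiling; adjust to your environment

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Vm, $Check, $Detail) {
        $findings.Add([pscustomobject]@{ VM = $Vm; Check = $Check; Detail = $Detail })
    }
    $vmHost = Get-VMHost

    # Hard disk encryption on the volumes holding VM configuration and VHD files
    $volumes = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath) |
        ForEach-Object { Split-Path -Qualifier $_ } | Select-Object -Unique
    foreach ($vol in $volumes) {
        $bl = Get-BitLockerVolume -MountPoint $vol -ErrorAction SilentlyContinue
        if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
            Add-Finding '(host)' 'Disk encryption' "BitLocker protection is not On for $vol"
        }
    }

    foreach ($vm in Get-VM) {
        # Resource limits so that one VM cannot starve the others
        $cpu = Get-VMProcessor -VMName $vm.Name
        if ($cpu.Maximum -gt $MaxCpuPercent) {
            Add-Finding $vm.Name 'CPU limit' "Maximum is $($cpu.Maximum)%, expected <= $MaxCpuPercent%"
        }
        $mem = Get-VMMemory -VMName $vm.Name
        if ($mem.DynamicMemoryEnabled -and $mem.Maximum -ge $vmHost.MemoryCapacity) {
            Add-Finding $vm.Name 'Memory limit' 'Dynamic memory maximum is not below host capacity'
        }

        # Integration services: file copy between host and guest off, clock sync on
        $svc = Get-VMIntegrationService -VMName $vm.Name
        if (($svc | Where-Object Name -eq 'Guest Service Interface').Enabled) {
            Add-Finding $vm.Name 'Host/guest file sharing' 'Guest Service Interface is enabled'
        }
        if (-not ($svc | Where-Object Name -eq 'Time Synchronization').Enabled) {
            Add-Finding $vm.Name 'Time sync' 'Time Synchronization service is disabled'
        }

        # Direct control of physical devices: DDA assignments and pass-through DVD drives
        if (Get-VMAssignableDevice -VMName $vm.Name -ErrorAction SilentlyContinue) {
            Add-Finding $vm.Name 'Device access' 'Physical device attached via discrete device assignment'
        }
        if (Get-VMDvdDrive -VMName $vm.Name | Where-Object DvdMediaType -eq 'PassThrough') {
            Add-Finding $vm.Name 'Device access' 'DVD drive passes through a physical host drive'
        }
    }
    return $findings
}

Test-HyperVHardening | Format-Table -AutoSize
```

An empty table means every VM passed the checks; each row otherwise names the VM, the failed point and what to change.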
It’s not a must to implement all of these points, as it may be hard in large environments or because of the technical skills required, but the more you implement the more secure you are.
for questions feel free to use comments below 🙂