Implementing virtualization in the data center can introduce new security challenges, ranging from virtual sprawl
to hypervisor vulnerabilities. However, virtualization can also offer some surprising security and compliance benefits, primarily in the form of configuration management and patching. Several tools are available that can streamline configuration management processes and patching in virtualized environments.
Hypervisor configuration management processes
The first area to focus on is the hypervisor platform itself. VMware has granular configuration management functionality built into vSphere called Host Profiles, which can be used to develop a template for ESX and ESXi hypervisor servers. Administrators can configure a secure build of ESX or ESXi within the vCenter console, with options ranging from memory reservation to networking controls and local security settings (Host Profiles is a vCenter Server feature, so standalone hosts without vCenter cannot use it). Once a secure build is defined, Host Profiles can be used to scan other hosts and compare them against this “gold standard,” producing compliance reports that auditors will also find useful. Host Profiles can also be used to automate the configuration of the hypervisors to match the standard, greatly simplifying one of the more taxing and time-consuming tasks for virtualization administrators.
There are two important caveats to using Host Profiles, however. First, Host Profiles only manages vSphere 4.x (and later) hosts; it cannot configure ESX or ESXi 3.x hosts, which many organizations still run. Second, while compliance checks can run against live hosts, actually applying a profile requires placing the host into “maintenance mode,” which means migrating all virtual machines on that host elsewhere while the changes are applied (with DRS this is automatic; on a standalone host it is a manual vMotion or a VM outage). This can be a significant operation and must be scheduled within a defined change window.
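The check-then-remediate workflow described above, as an added PowerCLI example (not code from the article or from VMware). It assumes VMware PowerCLI is installed, a `Connect-VIServer` session to vCenter already exists, and that the profile name, reference host and cluster name below are placeholders for your own environment:

```powershell
# Added example, not part of the original article. Requires VMware PowerCLI
# and an existing Connect-VIServer session to vCenter. The profile name,
# reference host and cluster name are assumptions.

$profileName   = "ESXi-Gold-Build"     # assumed name for the secure baseline profile
$referenceHost = "esx01.lab.local"     # assumed host already hardened to the standard
$clusterName   = "Prod-Cluster"        # assumed cluster whose hosts must match it

# Capture the hardened reference host as the gold-standard profile (once).
$profile = Get-VMHostProfile -Name $profileName -ErrorAction SilentlyContinue
if (-not $profile) {
    $profile = New-VMHostProfile -Name $profileName `
        -ReferenceHost (Get-VMHost -Name $referenceHost)
}

# Attach the profile to every host in the cluster without applying it yet.
$hosts = Get-Cluster -Name $clusterName | Get-VMHost
Apply-VMHostProfile -Entity $hosts -Profile $profile -AssociateOnly -Confirm:$false | Out-Null

# Compliance checks run against live hosts; no maintenance mode is needed.
# This is the drift report auditors want: which hosts differ, and on what.
$drift = Test-VMHostProfileCompliance -VMHost $hosts |
    Where-Object { $_.IncomplianceElementList.Count -gt 0 }
foreach ($result in $drift) {
    Write-Host ("{0} is NOT compliant with {1}:" -f $result.VMHost.Name, $profileName)
    $result.IncomplianceElementList | Format-Table -AutoSize
}

# Remediation DOES require maintenance mode, so run this part only inside a
# change window. -Evacuate asks DRS to move the VMs off; on a host outside a
# DRS cluster, migrate or shut them down first or Set-VMHost will not complete.
# Apply-VMHostProfile may also need -Variable for host-specific values the
# profile leaves unset (e.g. per-host IP addresses); it will report which ones.
foreach ($result in $drift) {
    $vmhost = $result.VMHost
    Set-VMHost -VMHost $vmhost -State Maintenance -Evacuate -Confirm:$false | Out-Null
    Apply-VMHostProfile -Entity $vmhost -Profile $profile -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
}
```

The compliance loop is safe to run on a schedule; only the second loop changes hosts, so in practice keep it behind a change-ticket gate (or an explicit `-WhatIf`-style dry-run flag of your own) rather than running both unattended.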
VM configuration management processes
For most organizations, a significant amount of time and energy is spent patching and configuring virtual machines. Fortunately, all major virtualization platforms, including VMware vSphere, Microsoft Hyper-V and Citrix XenServer, offer some form of virtual machine template creation and deployment capability. In VMware vSphere, a template is a non-bootable master image used to provision new VMs. There are three different options for creating templates:
- “Convert existing VM” involves taking an existing virtual machine and converting it into the non-bootable master image.
- “Clone VM into template” takes an existing virtual machine, but makes a copy of the VM for use as the non-bootable master image.
- “Clone existing template” duplicates an existing template image.
All of these operations can be logged, so security and audit teams can track when templates are created or cloned by reviewing logs.
Once you have a template created, you have three actions that a template can be used for:
- “Clone template” allows you to make a copy of the template. Note that a template itself can never be powered on, so cloning a template is always a cold operation; hot (powered-on) versus cold (powered-off) cloning applies to the “Clone VM into template” step, where the source is a running or stopped virtual machine.
- “Convert to VM” is the path for updating and patching templates. Because a template cannot be powered on, you convert it to a VM, change the VM settings or power it up and patch it, and then convert it back to a template (or go through the template creation process again).
- “Deploy VM from this template” is the feature used to deploy standardized VMs based off of a template image.
Similar template creation and management tools are available within Microsoft’s System Center Virtual Machine Manager (SCVMM) and Citrix XenCenter.
Virtualization patch management
Patching is another critical operation that can be simplified within virtual environments. Hypervisors may require specialized tools for downloading and installing patches, such as VMware vSphere Update Manager (VUM); as with Host Profiles, host patching through VUM places each host into maintenance mode, so it needs the same change-window planning. For patching virtual machines, VUM or commercial patching tools like Shavlik’s NetChk platform can patch running or offline virtual machines, giving administrators more flexibility and granularity in how patches get scheduled and deployed.
Alternately, some organizations set up traditional patching platforms and tools like Microsoft’s Windows Server Update Services (WSUS) as dedicated virtual machines in the virtualized environment. This brings the patching tools closer to the virtual machines, improving download performance and overall patching effectiveness, and allows simpler distributed patching to take place.
A simple configuration and patch management process that employs templates and cloning might look like the following:
1. Define a sound configuration standard for operating systems and applications (using guidance from vendors, the Center for Internet Security, or others).
2. Create virtual machine instances that adhere to the configuration standards, and then convert these to templates.
3. Employ VUM or other patch management tools to patch hypervisors and virtual machines (online or offline). Be sure to also patch the templates, which requires converting them to virtual machines first and then converting back to templates after patching; otherwise every VM deployed from a stale template starts life behind on patches.
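The template patch cycle from steps 2 and 3 (convert to VM, patch, convert back, deploy, and then review the vCenter event log that the earlier section says audit teams should check), as an added PowerCLI example. This is not code from the article or from VMware. It assumes VMware PowerCLI with an existing `Connect-VIServer` session; the template name, host name, guest credential and the in-guest patch command are placeholders:

```powershell
# Added example, not part of the original article. Requires VMware PowerCLI
# and an existing Connect-VIServer session to vCenter. Template name, host,
# guest credentials and the in-guest patch command are assumptions.

$templateName = "Win2008R2-Gold"       # assumed template built to the configuration standard
$vmHostName   = "esx02.lab.local"      # assumed host on which to deploy the new VM
$guestCred    = Get-Credential -Message "Local admin account inside the template"

# 1. A template cannot be powered on, so convert it back into a VM first.
$template = Get-Template -Name $templateName
$vm = Set-Template -Template $template -ToVM -Confirm:$false

# 2. Power it on and wait for VMware Tools so the guest can be driven.
Start-VM -VM $vm -Confirm:$false | Out-Null
Wait-Tools -VM $vm -TimeoutSeconds 600 | Out-Null

# 3. Patch inside the guest through VMware Tools (no network path to the VM
#    is required). The command is a placeholder: substitute the step that
#    drives your WSUS/VUM/NetChk process and blocks until patching finishes.
$patchCmd = 'wuauclt.exe /detectnow /updatenow'
Invoke-VMScript -VM $vm -ScriptText $patchCmd -GuestCredential $guestCred -ScriptType Bat | Out-Null

# 4. Shut the guest down cleanly, wait until it is actually off, then convert
#    it back to a template so nothing is deployed from a half-patched image.
Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
do {
    Start-Sleep -Seconds 10
    $vm = Get-VM -Name $vm.Name
} while ($vm.PowerState -ne 'PoweredOff')
$template = Set-VM -VM $vm -ToTemplate -Confirm:$false

# 5. Deploy a standardized VM from the freshly patched template.
New-VM -Name 'web01' -Template $template -VMHost (Get-VMHost -Name $vmHostName) | Out-Null

# 6. Audit trail: the conversions, clone and deploy above all land in the
#    vCenter event log; this is the view security and audit teams review.
Get-VIEvent -Entity $template -Start (Get-Date).AddDays(-1) -MaxSamples 200 |
    Select-Object CreatedTime, UserName, FullFormattedMessage |
    Format-Table -AutoSize
```

Two practical points: the temporary VM should stay on an isolated port group while it is powered on, since it is by definition unpatched at that moment; and the `Get-VIEvent` query should be saved or forwarded to the log management system rather than only viewed interactively, so the template history survives vCenter’s event retention limits.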
By using the right tools and carefully creating processes for configuring and updating virtual systems, administrators may find the tedious tasks associated with patch and configuration management a bit less burdensome.
About the author:
Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.