Incorrect VM isolation

Virtualization is the modern way of building a datacenter or simply running business applications. It is simple, and it saves money on hardware and power. It is easier to provision servers, easier to move them, and easier to decommission them. It is easier to set up networks. It is easier from a management perspective all around. Just as with physical machines and physical firewalls, communication between virtual machines should be restricted.

VM isolation is a critical aspect of keeping a virtualized environment safe, but it is not that simple when there is a virtualization layer underneath.

Incorrect VM isolation

Virtual machine security can mean many things: securing the images of virtual machines on a host, securing access to the administration of virtual machines, securing the software inside virtual machines, ensuring that patches for software inside a VM remain up to date, and responding to compromises of software inside virtual machines.

Another thing that virtual machine security means is the isolation of virtual machines from each other. This ensures that a compromised VM stays isolated, without interacting with other VMs or the hypervisor. The situation differs from a compromised physical server, where the only way to reach other machines is the network. The attack surface is wider in a virtualized environment.

Incorrect isolation could lead to degradation of business-critical applications. Virtualization servers always have an internal network switch to route traffic between VMs, and that traffic is never visible to the outside network. These internal switches are soft switches, such as VMware's Virtual Switch or XenBridge in XenServer, and they handle packets for both VM-to-VM and VM-to-network traffic. Controlling this VM-to-VM traffic, which is invisible to the outside network, is essential: if one VM is compromised, it can potentially compromise the rest of the VMs and even the virtual server itself through this internal network. Implementing a firewall to provide network traffic and access control is a requirement in most enterprise deployments and for regulatory compliance such as PCI DSS, which explicitly calls for a "firewall at each Internet connection and between any DMZ and the internal network zone".

Mitigation techniques

VM isolation is not solely the responsibility of the hypervisor itself. Some administrative measures should be taken as well. These include:

  • Only the intended services and protocols are allowed to and from each virtual machine
  • Data exchange between virtual machines is properly guarded
  • VLANs are used for network segmentation wherever possible
  • The management vNIC and production vNIC are kept separate on each VM and, where possible, connected to different physical NICs, or at least to separate VLANs

One way to enforce these best practices for VM traffic isolation is the use of a virtual security appliance with traffic isolation and firewalling capabilities.
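As an added example that is not from the original article, the following Python script audits a constructed VM inventory against the checks listed above: only intended services exposed, management and production vNICs separated by VLAN (and ideally by uplink), and VM-to-VM flows on the internal soft switch compared against policy. The inventory model, VM names, NIC names and service names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical inventory model for the audit; field names are this example's own.
@dataclass(frozen=True)
class VNic:
    role: str   # "management" or "production"
    vlan: int   # VLAN tag of the port group the vNIC sits on
    pnic: str   # physical uplink NIC behind that port group

@dataclass
class VM:
    name: str
    vnics: list
    allowed_services: frozenset  # services policy permits to/from this VM
    exposed_services: frozenset  # services the soft-switch firewall actually lets through

def audit_vm(vm):
    """Check one VM: intended services only, management/production vNIC separation."""
    findings = []
    mgmt = [n for n in vm.vnics if n.role == "management"]
    prod = [n for n in vm.vnics if n.role == "production"]
    for m in mgmt:
        for p in prod:
            if m.vlan == p.vlan:
                findings.append(f"{vm.name}: management and production vNICs share VLAN {m.vlan}")
            elif m.pnic == p.pnic:
                findings.append(f"{vm.name}: management and production share uplink {m.pnic} (VLAN-only separation)")
    unintended = vm.exposed_services - vm.allowed_services
    if unintended:
        findings.append(f"{vm.name}: unintended services exposed: {sorted(unintended)}")
    return findings

def audit_vm_to_vm(observed_flows, allowed_flows):
    """Flows are (src_vm, dst_vm, service); internal-switch traffic never reaches the external firewall."""
    return sorted(observed_flows - allowed_flows)

# Constructed sample inventory (not real hosts).
VMS = [
    VM("web01", [VNic("management", 10, "vmnic0"), VNic("production", 20, "vmnic1")],
       frozenset({"https"}), frozenset({"https"})),
    VM("db01", [VNic("management", 10, "vmnic0"), VNic("production", 10, "vmnic0")],
       frozenset({"mysql"}), frozenset({"mysql", "ssh"})),
]
ALLOWED_FLOWS = {("web01", "db01", "mysql")}
OBSERVED_FLOWS = {("web01", "db01", "mysql"), ("db01", "web01", "ssh")}

def run_audit(vms=VMS, observed=OBSERVED_FLOWS, allowed=ALLOWED_FLOWS):
    findings = [f for vm in vms for f in audit_vm(vm)]
    findings += [f"unpermitted VM-to-VM flow: {s} -> {d} ({svc})" for s, d, svc in audit_vm_to_vm(observed, allowed)]
    return findings
```

Calling `run_audit()` on the sample data yields three findings: db01 shares a VLAN between management and production, db01 exposes ssh beyond policy, and an unpermitted ssh flow from db01 to web01 crosses the internal switch.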

For security enforcement, restricting access to the console or management network is crucial to providing server isolation. Enforcement can occur at two levels of management network access. The first is at the user-credential level, which is typically managed through vendor-specific management software such as vCenter from VMware or Citrix Essentials from Citrix. The second is through network access control, where an admin can specify which IP addresses (clients) are allowed to access the console. This is a simple but very effective way of restricting access.