Unsecured VM migrations

Virtualization is the modern way of building a datacenter or just running business applications. It is simple, and it saves money on hardware and power. It’s easier to provision servers, it’s easier to move servers, and it’s easier to decommission servers. It’s easier to set up networks. It’s easier from a management perspective all around.

Moving or migrating a virtual server from one host to another is simple and is often automated, for reasons such as saving energy, freeing resources on a host, or performing maintenance on the host.

Unsecured VM migration

In most cases every virtual server has resource limits and security rules assigned to it and is tightly connected to the network. When a VM is moved from one VM host to another, the security policies on the new VM host need to be updated for the moved VM so that the same security policies can be enforced for it on the new VM host as well. The dynamic nature of virtual machine migration could potentially open up security risks and exposure not only for the migrated VM but also for the new VM host and the other guest OSes running on that VM host. Attackers have an advantage in that administrators are likely unaware of having introduced weaknesses and will not be on alert.

An attacker can easily hijack the device module process or hypervisor where these migrations occur. If the process is hijacked, the information of the migrated virtual machine, including the state of the operating system kernel, the applications and services running within the operating system, the sensitive data currently being used by those applications and even the input from the keyboard, is accessible to the hackers.

Mitigation techniques

Securing the way a VM is migrated from one host to another involves the same techniques as VM traffic isolation:

  • Only intended services and protocols are allowed to and from each virtual machine.
  • Data exchange between virtual machines is properly guarded.
  • VLANs are used for network segmentation wherever possible.
  • The management vNIC and production vNIC are kept separate on each VM and, where possible, connected to different physical NICs or at least to separate VLANs.

One way to enforce these best practices for VM traffic isolation is to use a virtual security appliance that has traffic isolation and firewalling capabilities.
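
The policy update and the isolation checklist described above can be verified before a VM is moved. The following is an added example, not code from this article or from any hypervisor product; the data model (VNic, VM, Host), the function audit_migration and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VNic:
    role: str   # "management" or "production"
    vlan: int

@dataclass
class VM:
    name: str
    vnics: list          # VNic entries attached to the VM
    allowed: frozenset   # (protocol, port) pairs the VM is meant to use

@dataclass
class Host:
    name: str
    vlans: frozenset     # VLANs available on this host
    policies: dict = field(default_factory=dict)  # VM name -> allowed set enforced here

def audit_migration(vm, dest):
    """Return findings that should block moving vm to dest."""
    findings = []
    mgmt = {n.vlan for n in vm.vnics if n.role == "management"}
    prod = {n.vlan for n in vm.vnics if n.role == "production"}
    if not mgmt or not prod:
        findings.append("no separate management and production vNICs")
    if mgmt & prod:  # separate VLANs are the minimum the checklist asks for
        findings.append("management and production share a VLAN")
    for vlan in sorted(mgmt | prod):
        if vlan not in dest.vlans:
            findings.append(f"VLAN {vlan} missing on {dest.name}")
    enforced = dest.policies.get(vm.name)
    if enforced is None:
        # The destination has not been updated with the moved VM's policy.
        findings.append(f"no policy for {vm.name} on {dest.name}")
    elif enforced - vm.allowed:
        extra = sorted(enforced - vm.allowed)
        findings.append(f"{dest.name} allows unintended services: {extra}")
    return findings

# Constructed sample inventory (hypothetical names and values).
web = VM("web01", [VNic("management", 10), VNic("production", 20)],
         frozenset({("tcp", 22), ("tcp", 443)}))
host_b = Host("host-b", frozenset({10, 20}),
              {"web01": frozenset({("tcp", 22), ("tcp", 443), ("tcp", 3306)})})
host_c = Host("host-c", frozenset({10}))

if __name__ == "__main__":
    for host in (host_b, host_c):
        print(host.name, audit_migration(web, host))
```

An empty result means the destination enforces no more than the VM's intended services and carries its VLANs; any finding is a reason to fix the destination before the move rather than after it.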