Sunday, June 21, 2020

Security Recommendation and Hardening on Virtual Environments - Chapter Four


Following the earlier parts of the "Security Recommendation & Hardening" series (Chapter One, Two and Three), this chapter covers some further important settings and requirements:

1. Implement vSphere Update Manager (VUM): Keeping every critical component of the virtual infrastructure updated and upgraded is a vital procedure. An ESXi host can be patched manually with ESXCLI commands, but to do it more accurately and consistently across many hosts, deploy VUM inside the vSphere environment. With VUM it is easy to synchronize an update repository and receive new updates for VMs and virtual appliances, ESXi hosts, and VMware and third-party ESXi extensions. New installation sources and update bundles can also be imported into the VUM repository, and scans and remediation can run on a schedule.
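As an added example (not code from the original post), the PowerCLI script below attaches VUM's predefined host patch baselines to a cluster, scans the hosts and reports what each non-compliant host is missing. It assumes PowerCLI with the VMware.VumAutomation module; the vCenter name 'vcsa.lab.local' and the cluster name 'Prod-Cluster' are hypothetical, and the baseline names are the ones the VUM UI shows by default.

```powershell
# Added example: scan a cluster's hosts against VUM's predefined patch baselines
# and report what is missing. Assumes PowerCLI with the VMware.VumAutomation
# module; 'vcsa.lab.local' and 'Prod-Cluster' are hypothetical names.
Import-Module VMware.VimAutomation.Core, VMware.VumAutomation
Connect-VIServer -Server 'vcsa.lab.local' | Out-Null

$cluster   = Get-Cluster -Name 'Prod-Cluster'
$hosts     = Get-VMHost -Location $cluster

# The predefined baselines ship with VUM; names as they appear in the UI.
$baselines = Get-Baseline -Name 'Critical Host Patches (Predefined)',
                                'Non-Critical Host Patches (Predefined)'

# Attach once at cluster level (hosts inherit the attachment), then scan.
Attach-Baseline -Entity $cluster -Baseline $baselines -Confirm:$false
Test-Compliance -Entity $hosts

# Report every host/baseline pair that is not compliant, with the patch names.
$report = foreach ($h in $hosts) {
    $results = Get-Compliance -Entity $h -Baseline $baselines -Detailed
    foreach ($r in $results) {
        if ($r.Status -ne 'Compliant') {
            [pscustomobject]@{
                Host     = $h.Name
                Baseline = $r.Baseline.Name
                Status   = $r.Status
                Missing  = ($r.NotCompliantPatches | ForEach-Object { $_.Name }) -join '; '
            }
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# Remediation is deliberately left commented out: it puts each host into
# maintenance mode, evacuates it and installs the missing patches.
# Update-Entity -Entity $hosts -Baseline $baselines -HostFailureAction Retry -Confirm:$false

Disconnect-VIServer -Confirm:$false
```

Run the scan regularly (a scheduled task is enough) and treat any host that stays non-compliant for more than one patch cycle as a finding, not as background noise.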

2. Disable access to the MOB: The Managed Object Browser is a debugging interface used with the vSphere SDK. It lets you explore, and also change, the configuration of the object model that the host agent (hostd) uses to manage the ESXi host, so it should not be reachable on a production host. Since vSphere 6.0 the MOB is disabled by default on ESXi hosts (it is still enabled by default on vCenter Server); on older versions you should disable it yourself unless you really need it, in line with the security considerations.

3. Restrict inter-VM TPS: Transparent Page Sharing is a memory de-duplication technique: when several virtual machines hold identical memory pages, the ESXi host reclaims the redundant copies and keeps a single page that is shared by all of them. Academic research has shown that TPS can be leveraged to gain unauthorized access to data under certain highly controlled conditions (a timing side channel that tells a shared page from a private one). VMware considers the risk of TPS being used to gather sensitive information low, but it is still recommended to restrict or disable sharing between VMs (inter-VM TPS). Sharing within a single VM (intra-VM TPS) remains permitted, and since vSphere 6.0 inter-VM TPS is disabled by default through page salting: with the host setting Mem.ShareForceSalting at its default of 2, a VM only shares pages with other VMs that carry the same sched.mem.pshare.salt value.
For more information about this feature and its security considerations, see the following VMware Knowledge Base articles: KB2080735, KB2097593, KB2091682.
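The MOB and TPS items above are both host advanced settings, so one audit covers them. The PowerCLI script below is an added example, not code from the original post: it checks every host for the expected values of Config.HostAgent.plugins.solo.enableMob and Mem.ShareForceSalting, fixes any drift, and then lists the VMs that carry an explicit sched.mem.pshare.salt (the VMs that have opted back into sharing with each other). It assumes PowerCLI; 'vcsa.lab.local' is a hypothetical vCenter name.

```powershell
# Added example: audit and remediate the MOB and inter-VM TPS host settings.
# Assumes PowerCLI; 'vcsa.lab.local' is a hypothetical vCenter name.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcsa.lab.local' | Out-Null

# Expected values:
#   Config.HostAgent.plugins.solo.enableMob = False  (MOB off on the host)
#   Mem.ShareForceSalting                   = 2      (inter-VM TPS off unless
#                                                     VMs share an explicit salt)
$expected = @{
    'Config.HostAgent.plugins.solo.enableMob' = $false
    'Mem.ShareForceSalting'                   = 2
}

$findings = foreach ($h in Get-VMHost) {
    foreach ($name in $expected.Keys) {
        $setting = Get-AdvancedSetting -Entity $h -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $setting) { continue }   # setting absent on very old builds
        # Compare as strings so booleans and numbers are handled the same way.
        if ("$($setting.Value)" -ne "$($expected[$name])") {
            [pscustomobject]@{
                Host     = $h.Name
                Setting  = $name
                Current  = $setting.Value
                Expected = $expected[$name]
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Remediate each drifted setting in place.
foreach ($f in $findings) {
    Get-AdvancedSetting -Entity (Get-VMHost -Name $f.Host) -Name $f.Setting |
        Set-AdvancedSetting -Value $f.Expected -Confirm:$false | Out-Null
}

# VMs with an explicit salt can share pages with each other; list them so the
# exception is a known and reviewed one rather than an accident.
Get-VM | ForEach-Object {
    $salt = Get-AdvancedSetting -Entity $_ -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
    if ($salt) { [pscustomobject]@{ VM = $_.Name; Salt = $salt.Value } }
} | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Without PowerCLI, the same MOB change can be made from the ESXi shell with `vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool false`. Note that this only covers the hosts: the vCenter Server MOB is a separate setting in vpxd.cfg (enableDebugBrowse under the vpxd element) and stays enabled until you turn it off there.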

4. Remove unused devices: Leaving media connected to a VM (an ISO file, or a removable device that was attached for a temporary task such as guest OS installation) and forgetting to remove it afterwards is a bad, but sadly common, administration habit. It can cause problems, especially when a host fails or a VM reboots, so that the guest OS cannot boot successfully; and every device a VM does not need is one more path between the guest and the host that has to be controlled. So always remember to remove unnecessary connected devices from your virtual machines.
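As an added example (not code from the original post), the PowerCLI script below finds VMs that still have an ISO or host device mounted in their CD/DVD drive, detaches the media, and removes floppy drives from powered-off VMs while reporting the ones that need a maintenance window. It assumes PowerCLI; 'vcsa.lab.local' is a hypothetical vCenter name.

```powershell
# Added example: find and clean up leftover removable media on all VMs.
# Assumes PowerCLI; 'vcsa.lab.local' is a hypothetical vCenter name.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcsa.lab.local' | Out-Null

$vms = Get-VM

# 1. CD/DVD drives still pointing at an ISO or at a host device.
$cds = Get-CDDrive -VM $vms | Where-Object { $_.IsoPath -or $_.HostDevice }
$cds | Select-Object @{n='VM';e={$_.Parent.Name}}, Name, IsoPath, HostDevice,
                     @{n='Connected';e={$_.ConnectionState.Connected}} |
    Format-Table -AutoSize -Wrap

# Detach the media; the virtual drive stays but nothing is mounted in it.
# A guest that holds the device open can make this fail for that VM, which
# the cmdlet reports as a non-terminating error so the loop continues.
$cds | Set-CDDrive -NoMedia -Confirm:$false -ErrorAction Continue | Out-Null

# 2. Floppy drives are almost never needed after installation.
$floppies = Get-FloppyDrive -VM $vms
$floppies | Select-Object @{n='VM';e={$_.Parent.Name}}, Name, FloppyImagePath |
    Format-Table -AutoSize

# Removing the drive needs the VM powered off; report the rest for follow-up.
foreach ($fd in $floppies) {
    if ($fd.Parent.PowerState -eq 'PoweredOff') {
        Remove-FloppyDrive -Floppy $fd -Confirm:$false
    } else {
        Write-Warning "$($fd.Parent.Name): power off before removing $($fd.Name)"
    }
}

Disconnect-VIServer -Confirm:$false
```

Detaching media is the cleanup; the prevention is the VMX option isolation.device.connectable.disable (set to TRUE) from the VMware hardening guide, which stops unprivileged users inside the guest from connecting or disconnecting devices themselves.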

5. Monitor VMDirectPath I/O activities: For performance reasons we may need the DirectPath I/O passthrough feature to dedicate a physical device of an ESXi host to a virtual machine. However, a VM with a passthrough device is tied to that host, which causes problems during HA operation: when an ESXi host in a cluster fails, HA tries to restart the VM on a healthy host in the cluster, and that host does not have the device. So try to avoid dedicating devices to your VMs, or add a VM override in the cluster settings for those specific VMs with passthrough devices and set their HA actions (VM restart priority and host isolation response) to Disabled.
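The inventory-and-override step above, as an added example that is not code from the original post: the PowerCLI script lists every VM in a cluster that has a passthrough device, applies the per-VM HA override so HA leaves those VMs alone, and verifies the result. It assumes PowerCLI; 'vcsa.lab.local' and 'Prod-Cluster' are hypothetical names.

```powershell
# Added example: find VMs with VMDirectPath I/O devices and give each an HA
# override so HA does not try to restart it on a host that lacks the device.
# Assumes PowerCLI; 'vcsa.lab.local' and 'Prod-Cluster' are hypothetical names.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcsa.lab.local' | Out-Null

$cluster = Get-Cluster -Name 'Prod-Cluster'

# Get-PassthroughDevice -VM lists the PCI devices handed straight to the guest.
$ptVMs = foreach ($vm in Get-VM -Location $cluster) {
    $devs = Get-PassthroughDevice -VM $vm
    if ($devs) {
        [pscustomobject]@{
            VM      = $vm.Name
            Host    = $vm.VMHost.Name
            Devices = ($devs | ForEach-Object { $_.Name }) -join '; '
        }
    }
}
$ptVMs | Format-Table -AutoSize -Wrap

if ($ptVMs) {
    # Per-VM override: restart priority Disabled means HA does not restart the
    # VM after a host failure; isolation response DoNothing keeps it running if
    # its host is isolated. Both show as "Disabled" in the vSphere Client.
    foreach ($p in $ptVMs) {
        Get-VM -Name $p.VM |
            Set-VM -HARestartPriority Disabled -HAIsolationResponse DoNothing -Confirm:$false |
            Out-Null
    }

    # Verify the overrides took effect.
    Get-VM -Name $ptVMs.VM |
        Select-Object Name, VMHost, HARestartPriority, HAIsolationResponse |
        Format-Table -AutoSize
}

Disconnect-VIServer -Confirm:$false
```

Re-run the inventory part whenever a new passthrough device is added: a VM that later gets a device but keeps the cluster default will be the one HA fails to restart at the worst possible moment.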

Some of the items in this chapter are not strictly security settings, but neglecting them can lead to security breaches later on, especially in the area of guest OS servicing.

