Keeping your VMotion Traffic Secure

Here are some best practices published by the VMware Security Blog for keeping your VMotion traffic secure:

1. The most important VMotion best practice is to isolate your VMotion activity from all production network traffic. The current design of VMotion assumes that the VMotion network is secure within a data center, certainly within a rack or set of adjacent racks. In a typical situation, servers in one or more co-located racks would each have one or two network cards dedicated for VMotion; these would be connected to a switch or VLAN that has no other endpoints connected.
Isolating VMotion takes away that most common of staging points for man-in-the-middle: some unpatched box anywhere on the production network that has already been taken over by malware. Indeed, why any non-ESX box, compromised or not, would be on this network at all would be immediately in question. The researcher’s assumption is that long-haul VMotion over wide area networks might become popular in the future. However, most companies today already use encrypted links for inter-datacenter traffic.

2. Tightly restrict access to VI administrative accounts and roles. With VMotion isolated, a virtual rogue presence is more plausible than a physical one, but even a compromised guest VM does not have a virtual NIC on the VMotion network, only on the production network. Therefore the rogue VM must be configured in VI to have a vNIC on the VMotion network.

3. Don’t enable promiscuous mode on vswitches. Unlike a physical network card, someone who has taken over a guest VM cannot configure a vNIC to be promiscuous. Another VI admin setting, promiscuous mode (off by default), is configured on the virtual switch port separately from a VM. Also, to manipulate rather than snoop, the proof-of-concept technique requires that traffic actually route through the rogue VM, which would not occur naturally on the vswitch.
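The three practices above can be checked mechanically against a network inventory. The following is an added example, not code from the VMware Security Blog or from VMware: the inventory schema, the names in it, and the rule that a port group with no promiscuous setting of its own inherits the vSwitch setting are assumptions made for illustration, and the sample data is constructed.

```python
# Constructed sample inventory (hypothetical schema, not a VMware export format).
# allow_promiscuous=None on a port group means "inherit from the vSwitch" (assumption).
INVENTORY = {
    "vswitches": {
        "vSwitch0": {"allow_promiscuous": False},
        "vSwitch1": {"allow_promiscuous": True},   # misconfigured on purpose
    },
    "portgroups": {
        "Production": {"vswitch": "vSwitch0", "vlan": 10,
                       "allow_promiscuous": None, "vmotion": False},
        "VMotion":    {"vswitch": "vSwitch1", "vlan": 20,
                       "allow_promiscuous": None, "vmotion": True},
        "Backup":     {"vswitch": "vSwitch1", "vlan": 20,
                       "allow_promiscuous": False, "vmotion": False},
    },
    # (VM name, port group its vNIC is attached to)
    "vm_nics": [("web01", "Production"), ("test-vm", "VMotion")],
}


def audit(inv):
    """Return (finding, object) tuples for violations of the three practices."""
    findings = []
    pgs = inv["portgroups"]
    vmotion_vlans = {pg["vlan"] for pg in pgs.values() if pg["vmotion"]}

    for name, pg in sorted(pgs.items()):
        # Practice 1: nothing but VMotion endpoints on the VMotion VLAN.
        if not pg["vmotion"] and pg["vlan"] in vmotion_vlans:
            findings.append(("shared-vlan", name))
        # Practice 3: promiscuous mode must be off where it takes effect.
        effective = pg["allow_promiscuous"]
        if effective is None:
            effective = inv["vswitches"][pg["vswitch"]]["allow_promiscuous"]
        if effective:
            findings.append(("promiscuous", name))

    # Practice 2: a guest vNIC on the VMotion network can only have been put
    # there through VI administration, so any such attachment is reported.
    for vm, pg_name in inv["vm_nics"]:
        if pgs[pg_name]["vmotion"]:
            findings.append(("vm-on-vmotion", vm))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```
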

More best practices for hardening your VMware Infrastructure environment can be found here.

More information about this article here.

Posted by Gabriel Maciel
