VMware Infrastructure is one of the most widely deployed software suites for optimizing and managing IT environments through virtualization — from the desktop to the data center. Virtualization has become one of the hottest trends today, and its pace will only pick up as organizations look to cut operational costs.
Naturally, we should look at whether virtualization, although good for cost cutting, results in any compromise of security. When used properly, VMware can provide security and isolation equivalent to a physical environment. I have noticed that the main problems seem to arise from the fact that the right people are NOT managing the right things. For example, the server team manages both the network and the servers without the network team knowing about it. Therefore it is important that roles and responsibilities are assigned and distributed properly, according to skill set, from the beginning.
In any case, I thought I might point out some of the interesting features of ESX Server that protect against some common LAN attacks:
• Virtual switches do not learn from the network in order to populate their forwarding tables. This eliminates a likely vector for denial-of-service (DoS) or leakage attacks, either as a direct DoS attempt or, more likely, as a side effect of some other attack, such as a worm or virus that floods the table with new source addresses as it scans for vulnerable hosts to infect.
• Virtual switches also make private copies of any frame data used to make forwarding or filtering decisions. This is a critical feature and is unique to virtual switches.
It is important to ensure that frames are contained within the appropriate VLAN on a virtual switch. ESX Server does so in the following ways:
• VLAN data is carried outside the frame as it passes through the virtual switch. Filtering is a simple integer comparison of the port's configured VLAN ID, so a tag embedded in the frame itself cannot influence the decision. This is really just a special case of the general principle that the system should not trust user-accessible data.
• Virtual switches have no dynamic trunking support.
• Virtual switches have no support for what is referred to as native VLAN.
Dynamic trunking and native VLAN are common features in which an attacker may find vulnerabilities that open isolation leaks. These can lead to a number of attacks that use VLAN hopping to break network security zones.
This is not to say that these features are inherently insecure, but even when they are implemented securely, their complexity may lead to misconfiguration and open an attack vector. Hence, once again, the need to match the right skill set with the right job.
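To make the two points above concrete (no learning of forwarding tables, and VLAN membership kept out of band as port metadata), here is an added toy model, written for this post and not VMware's code, that contrasts a learning switch with an ESX-style static virtual switch. The port numbers, MAC addresses and VLAN IDs are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Toy model (constructed for illustration, not VMware code) of the two designs the
# post contrasts: a learning switch that fills its table from observed source MACs,
# and an ESX-style virtual switch with a static table and per-port VLAN metadata.

@dataclass
class Frame:
    src: str
    dst: str
    ingress_port: int
    vlan_tag: Optional[int] = None  # 802.1Q tag carried inside the frame (untrusted)

class LearningSwitch:
    """Physical-style switch: forwarding table is learned from traffic."""
    def __init__(self, ports: List[int], capacity: int):
        self.ports, self.capacity, self.table = set(ports), capacity, {}
    def forward(self, frame: Frame) -> Set[int]:
        if frame.src not in self.table and len(self.table) < self.capacity:
            self.table[frame.src] = frame.ingress_port  # learning step
        if frame.dst in self.table:
            return {self.table[frame.dst]}
        return self.ports - {frame.ingress_port}  # unknown destination: flood

class VirtualSwitch:
    """ESX-style switch: table fixed from VM config; VLAN is out-of-band port data."""
    def __init__(self, port_mac: Dict[int, str], port_vlan: Dict[int, int]):
        self.table = {mac: port for port, mac in port_mac.items()}
        self.port_vlan = port_vlan
    def forward(self, frame: Frame) -> Set[int]:
        vlan = self.port_vlan[frame.ingress_port]  # integer compare; frame.vlan_tag ignored
        dst_port = self.table.get(frame.dst)       # table is never modified by traffic
        if dst_port is None:  # unknown destination: flood only within the same VLAN
            return {p for p, v in self.port_vlan.items()
                    if v == vlan and p != frame.ingress_port}
        return {dst_port} if self.port_vlan[dst_port] == vlan else set()

def run_demo():
    """Feed frames from 10 constructed source MACs (as a scanning worm would) to both."""
    frames = [Frame(src=f"02:00:00:00:00:{i:02x}", dst="ff:ff:ff:ff:ff:ff",
                    ingress_port=1) for i in range(10)]
    learning = LearningSwitch(ports=[1, 2, 3], capacity=4)
    virtual = VirtualSwitch(port_mac={1: "00:50:56:00:00:01", 2: "00:50:56:00:00:02",
                                     3: "00:50:56:00:00:03"},
                            port_vlan={1: 10, 2: 10, 3: 20})
    for f in frames:
        learning.forward(f)
        virtual.forward(f)
    # learning table fills to capacity with unsolicited entries; vSwitch table is unchanged
    return len(learning.table), len(virtual.table)
```

Running `run_demo()` returns `(4, 3)`: the learning table has been filled by traffic it never asked for, while the virtual switch still holds exactly the three entries derived from VM configuration.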
Friday, December 19, 2008