Best way of isolating VMs to protect network?

On our network (1.0/24) we have a number of servers. One of those servers is running VMware ESX with three virtual machines which are hosting various websites and applications to the outside world.

Currently the server and each of the VMs have their own local IP address on the same subnet and physical switch as the rest of the network.

I am wondering about the security implications of this. I want to be safe in the knowledge that I haven’t left any gaping security holes open. I presume that because the VMs are online and are advertised online it wouldn’t take much effort to trace the local IP and instantly see the other devices (assuming the intruder had a reasonable level of skill and knowledge).

I know that the Netgear ProSafe switches we use support VLANs, and I know the DrayTek Vigor 2820 router we use supports both VLANs and a second subnet(?).

I am wondering what the “normal” solution would be, and if I need to go as far as setting VLANs up or whether some firewall rules could do this?

Answer

I’m not sure if you’re asking for general guidance on locking systems down or asking if anything special has to take place because of the virtualisation, so I’m going to try and address both issues.

Nothing magical happens here, either good or bad, just because these machines are virtual guests; how would you secure the machines if they were physical servers? OK then, you still do that (and my version of “that” is outlined below).

Each virtual guest should be secured as you normally would, and you should be wary of hosting any software on the internet-facing virtual machines that exposes the workings of the virtual hosts (for example, don’t install the VMware management console on one of them, don’t directly expose the virtual server storage, etc.).

What typically should happen is that you protect your servers via a firewall with a “default deny”(1) policy that only exposes the services you wish to expose to the Internet. If you haven’t got a decent firewall and/or you haven’t configured it in a “default deny” configuration then you need to do this right now.

With that done, you now have a minimal “attack surface”, which means you can concentrate most of your energy on securing and monitoring and patching these services that have been exposed to the outside world.

Your virtual hosts should remain secure because you’ve only exposed a few services on a few virtual guests, so the IP addresses of the virtual hosts themselves are not exposed to the Internet.

Having said all that, it’s not a bad idea to use the VLAN facility you mention to place the IP addresses you’re exposing for the internet-facing virtual guests in their own isolated VLAN, away from any management interfaces for the virtual hosts and any other servers/infrastructure you may have.

It may also be worth considering tools like Tripwire to monitor your systems for changes, if you’re worried.

(1) Default Deny is a firewall policy/set of rules that ensures that everything is blocked by default and that you only open the ports/services that you need to open. This should ensure that only the services that absolutely need to be exposed are exposed, and while it is not a security panacea, it does greatly improve your chances of keeping your servers and your network secure.
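The answer's two concrete recommendations, a “default deny” firewall that exposes only the published services and a separate VLAN for the internet-facing guests, can be expressed as one ruleset. The following is an added example, not part of the question or the answer, and it assumes a Linux firewall running nftables in front of the segments rather than the DrayTek router. The interface names (`eth0` for the WAN, `eth1.10` for a DMZ VLAN holding the web guests, `eth1.20` for the LAN/management VLAN holding the ESX management interface), the VLAN IDs and the addresses are all assumptions for illustration. The generator prints the ruleset so it can be reviewed before it is applied with `nft -f -`; the second function is a quick check that the result really does default to drop and never permits DMZ-to-LAN traffic.

```shell
#!/bin/sh
# Added example (not from the original page): a default-deny nftables ruleset
# that puts internet-facing guests on a DMZ VLAN, separate from the LAN that
# carries the hypervisor's management interface. All interface names, VLAN IDs
# and addresses below are assumptions chosen for illustration.

# gen_dmz_ruleset WAN_IF DMZ_IF LAN_IF DMZ_SUBNET ESX_MGMT_IP WEB_PORTS
# Prints an nftables ruleset to stdout. Apply with:
#   gen_dmz_ruleset eth0 eth1.10 eth1.20 192.168.10.0/24 192.168.20.5 "80, 443" | nft -f -
gen_dmz_ruleset() {
    wan_if="$1"; dmz_if="$2"; lan_if="$3"
    dmz_net="$4"; esx_mgmt="$5"; web_ports="$6"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        # Traffic to the firewall itself: dropped unless explicitly allowed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Only the LAN/management VLAN may administer the firewall.
        iifname "$lan_if" tcp dport 22 accept
    }

    chain forward {
        # Default deny between every pair of segments.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web services the guests publish.
        iifname "$wan_if" oifname "$dmz_if" ip daddr $dmz_net tcp dport { $web_ports } accept

        # DMZ -> Internet: guests may fetch updates; nothing new comes back in.
        iifname "$dmz_if" oifname "$wan_if" accept

        # LAN -> DMZ: administrators may reach the guests over SSH only.
        iifname "$lan_if" oifname "$dmz_if" tcp dport 22 accept

        # LAN -> Internet: ordinary office traffic.
        iifname "$lan_if" oifname "$wan_if" accept

        # DMZ -> LAN is never accepted, so a compromised guest cannot reach the
        # hypervisor management address ($esx_mgmt) or any other internal host.
        # Attempts against the management address are logged before they hit
        # the chain's drop policy.
        iifname "$dmz_if" oifname "$lan_if" ip daddr $esx_mgmt log prefix "dmz-to-esx-mgmt " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_default_deny <same arguments as gen_dmz_ruleset>
# Returns 0 if both the input and forward chains default to drop and no rule
# accepts traffic from the DMZ interface towards the LAN interface.
check_default_deny() {
    rules="$(gen_dmz_ruleset "$@")"
    drops="$(printf '%s\n' "$rules" | grep -c 'policy drop')"
    [ "$drops" -eq 2 ] || return 1
    if printf '%s\n' "$rules" | grep -q 'iifname "'"$2"'" oifname "'"$3"'".*accept'; then
        return 1
    fi
    return 0
}

# Stand-alone run: print the ruleset for review.
gen_dmz_ruleset eth0 eth1.10 eth1.20 192.168.10.0/24 192.168.20.5 "80, 443"
```

Because the forward chain's policy is drop, adding a fourth guest or a new service means adding an explicit accept rule; nothing becomes reachable by accident, which is the practical meaning of “default deny” in the footnote above. The management interface of the hypervisor sits on the LAN VLAN and is never the target of any accept rule from the WAN or the DMZ, so its address is not exposed even though it shares a physical switch with the guests.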

Attribution
Source: Link, Question Author: dannymcc, Answer Author: Rob Moir
