Management interfaces

With all the additional functionality of virtualisation come added management requirements. From an infrastructure perspective alone this has resulted in the introduction of a number of infrastructure managements often referred to as the VMMM (virtual machine monitors’ management) in some academic work (van Cleeff, et al., 2009), across multiple vendors including vSphere, XenCenter, System Centre Configuration Manager, Eucalyptus, UVMM and many others. These tools allow administrators to mimic physical interactions with the machines that are now no longer possible in virtual environments. These actions can include creating new machines, adjusting resources allocation and general maintenance of the VM’s.

The addition of management interfaces is not exclusive to the virtual machine portion; either storage or backup and even the infrastructure that runs the virtual hardware (blade chassis) also introduce new management interfaces into the environment. These have the ability to remotely configure arrays, take entire copies of live machines and even turn off the physical hardware that the hypervisors run on.

While all are designed to improve the manageability for administrators, these management interfaces introduce additional code and complexity into environments that create new attack vectors. When exploited, these vectors can lead to an attacker successfully performing actions remotely that would have previously been impossible to achieve in traditional systems. The type of attacks that could be completed, should an attacker gain access to any one of these management interfaces, have the potential to affect numerous machines and services simultaneously, even forcing administrators to implement disaster recovery strategies.