Additional virtualisation infrastructure

27 11 2014

Virtual environments introduce a host of new features that are designed to increase the availability and manageability of computer systems. These features include the ability to move live virtual machines across physical hosts with little to no disruption to service and even automatically shift entire workloads and power off unnecessary physical hosts, to better utilise power consumption.

These features rely heavily on networks to transmit information between physical hosts. An example of one feature that is dependent on one of these new networks is VMware’s vMotion. VMotion allows virtual machines to be moved across hosts in an infrastructure, allowing hosts to be taken down for maintenance or patching. This is done by transmitting a snapshot of the VM’s RAM across a network to the receiving host. Features like vMotion mean that systems benefit from extremely high uptime, with relatively low cost implications, in comparison to their traditional counterparts. Although vMotion is a VMware product, the concept of live migration is the same concept across numerous implementations, including Xen’s implementation named ‘XenMotion’.

The information that is now transmitted over these networks as a result of these features can pose serious security considerations that are not comparable in traditional systems. The movement of RAM from outside the chassis of a server tower is something that has not been an issue prior to these features. Now is it possible (in poorly designed implementation) for entire portions of RAM to be sent unencrypted over user-accessible networks.

The new networks introduced into virtual infrastructures are not exclusively reserved for HA features however. The centralisation of storage has also introduced fast, multi-connected, multipath routing storage networks, which connect the hosts to the data stores. The information that traverses these networks is that same that would have been transmitted over the internal SCSI or SATA connection in traditional servers. Storage offers increased capability when compared to its predecessor, an example of its capability is described by (Meth, et al., 2003):

“In a storage area network, it is possible to perform LAN-free and server-free backup operations that copy data from a storage device directly to another storage device without transferring the data across the general-purpose network and the servers.  In other words, data are sent across the dedicated storage area network directly between the source and destination storage devices.”

The Storage area network is an element of the virtual infrastructure that is often left unsecured as it is not uncommonly configured by separate groups of specialists who are not as security conscious as the networking teams (Lewis, 2002). While SAN security is a very pertinent threat when discussing virtual environments, I will not be detailing how attacks and mitigation techniques can be achieved in this blog because of the level of familiarity that is required and the difference in technologies when compared to regular networking. There are however numerous pre-existing guides to SAN security that should be consulted before introducing the technology into any environment (BROCADE, 2007), (Haron, 2002), (Majstor, 2004).

Microsoft , 2012. The OSI Model’s Seven Layers Defined and Functions Explained. [Online] Available at: http://support.microsoft.com/kb/103884?wa=wsignin1.0

Lewis, M., 2002. Unsecure SANs invitation for hackers. [Online] Available at: http://searchstorage.techtarget.com/news/812240/Unsecure-SANs-invitation-for-hackers

BROCADE, 2007. The Growing Need for Security in Storage Area Networks. [Online] Available at: http://www.hds.com/assets/pdf/white-paper-for-security-in-storage-area-networks.pdf

Haron, M., 2002. Is Your Storage Area Network Secure? An Overview of Storage Area Network from Security Perspective. [Online] Available at: http://www.sans.org/reading_room/whitepapers/storage/storage-area-network-secure-overview-storage-area-network-security-perspective_516

Majstor, F., 2004. Storage Area Networks Security Protocols and Mechanisms. [Online] Available at: http://www.employees.org/~franjo/papers/SAN_Security_WP_v1.pdf

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: