Mitigation techniques for additional infrastructure

15 06 2015

Securing ‘data in transit’ is a concept familiar to everyone working in network security today. Sensitive data travelling across the ‘wire’ should be appropriately protected, and this has traditionally been done according to the protocol in use, such as SSL/TLS for web communication, or by encapsulating the whole network path with PPTP or IPsec. The issue with this encryption is that it incurs a considerable performance overhead compared with the original, unprotected method of transmission. VMware has elected to leave the communication unencrypted and instead recommends the use of secure networks; in the author’s opinion this is so that all information is transferred in the shortest possible time, resulting in less disruption during migrations. This is another example of the balance between confidentiality, integrity and availability discussed throughout this thesis.
VMware has evidently considered encrypting vMotion traffic in the past, as an option for it was found under the advanced settings of vCenter Server Settings, as can be seen in Figure 1. Although the setting appears to make encryption a requirement for all vMotion traffic, there are examples of vCenter not honouring the setting and continuing to send the information in clear text (Van Dirmarsch, 2009).

Figure 1: Screen capture from (Van Dirmarsch, 2009) of a setting in vCenter to enable encryption on vMotion traffic

In version 5.0 of vCenter the option is no longer present, as can be seen in Figure 2.

Figure 2: Screen capture from a vCenter 5.0 server showing that the ‘VirtualCenter.VmotionEncryption’ option no longer appears

VMware leaves no other realistic option for securing this information than isolating the vMotion network, restricting access to it and ensuring that promiscuous mode is not enabled on the vSwitch it communicates through (Wu, 2008). While this might be suitable for networks containing less sensitive data, in the author’s view it offers no defence-in-depth option other than disabling all automated vMotion features (DRS/DMP) and disabling vMotion at the switch (VMware, 2009).

Because of the risks surrounding unencrypted vMotion traffic and VMware’s reluctance to offer any further protection, numerous best-practice guides are available online demonstrating how to configure networks for multiple hardware scenarios. One of the more comprehensive is Kelly (2012), who presents a number of examples that comply with VMware’s isolation requirements. One of Kelly’s (2012) diagrams is reproduced in Figure 3; it shows the best-practice vSwitch configuration for a six-NIC host with isolated iSCSI storage requirements.

Figure 3: Best practice vSwitch configuration for a 6 NIC host with isolated iSCSI storage requirements (Kelly, 2012)

The example given by Kelly (2012) does provide the isolation suggested by VMware. However, as can be seen in Figure 3, the Management network and the vMotion network are on separate logical networks, separated only by a VLAN ID. It is not uncommon for VLANs to be used in this way in virtual environments, as using multiple physical networks to isolate these services would be increasingly hard to manage and impractical. It is also impractical to map physical connections in and out of blade environments without dramatically affecting the redundancy of the chassis, owing to slot limitations. VLANs, while commonly used by numerous organisations to segment traffic, still carry the information over the same physical ‘cable’ and do not offer the same level of security as physically separated connections. There are tools available that exploit flaws in VLAN implementations and allow VLAN ‘hopping’ through frame-tagging attacks (Compton, 2012). Although such attacks may seem unlikely, they remain a valid threat that should at least be considered.
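The isolation rules above (dedicated vMotion network, promiscuous mode rejected on the vSwitch, and the weaker case where vMotion is separated from management only by a VLAN ID on shared uplinks) can be checked mechanically across an inventory of hosts. The following audit is an added example written for this page; it is not VMware’s code or a published tool. It works over a constructed inventory whose fields (port group name, vSwitch, VLAN ID, services carried, promiscuous-mode policy) mirror what a PowerCLI or vSphere API export of a host’s networking would contain, and grades each host’s vMotion isolation as physical (own vSwitch), VLAN-only, or none.

```python
"""Audit ESXi host port groups for vMotion isolation (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class PortGroup:
    name: str
    vswitch: str                       # vSwitch the port group is attached to
    vlan_id: int                       # 0 = untagged
    services: frozenset = frozenset()  # subset of {"management", "vmotion", "vm", "iscsi"}
    allow_promiscuous: bool = False    # effective security policy on the port group


@dataclass
class Finding:
    host: str
    severity: str  # "high" or "medium"
    message: str


def classify_isolation(vmotion: PortGroup, others: list) -> str:
    """Return 'physical' (vMotion alone on its vSwitch), 'vlan' (shares a vSwitch,
    but no other port group uses its VLAN) or 'none' (shares vSwitch and VLAN)."""
    same_switch = [pg for pg in others if pg.vswitch == vmotion.vswitch]
    if not same_switch:
        return "physical"
    if any(pg.vlan_id == vmotion.vlan_id for pg in same_switch):
        return "none"
    return "vlan"


def audit_host(host: str, portgroups: list) -> list:
    """Apply the isolation and promiscuous-mode checks to one host's port groups."""
    findings = []
    for pg in portgroups:
        if pg.allow_promiscuous:
            findings.append(Finding(host, "high",
                            f"promiscuous mode accepted on port group '{pg.name}'"))
    for vm_pg in [pg for pg in portgroups if "vmotion" in pg.services]:
        shared = vm_pg.services - {"vmotion"}
        if shared:
            findings.append(Finding(host, "high",
                            f"vMotion port group '{vm_pg.name}' also carries {sorted(shared)}"))
        level = classify_isolation(vm_pg, [pg for pg in portgroups if pg is not vm_pg])
        if level == "none":
            findings.append(Finding(host, "high",
                            f"vMotion port group '{vm_pg.name}' shares a VLAN with other "
                            f"traffic on {vm_pg.vswitch}"))
        elif level == "vlan":
            findings.append(Finding(host, "medium",
                            f"vMotion port group '{vm_pg.name}' is separated from other "
                            f"traffic on {vm_pg.vswitch} by VLAN ID only"))
    return findings


def audit_inventory(inventory: dict) -> dict:
    """Map host name -> list of findings for every host in the inventory."""
    return {host: audit_host(host, pgs) for host, pgs in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not taken from the page):
#   esx01 - six-NIC layout with management and vMotion on one vSwitch, split by VLAN
#   esx02 - vMotion on its own vSwitch with dedicated uplinks
#   esx03 - vMotion untagged next to a VM network that also accepts promiscuous mode
SAMPLE_INVENTORY = {
    "esx01": [
        PortGroup("Management Network", "vSwitch0", 10, frozenset({"management"})),
        PortGroup("vMotion", "vSwitch0", 20, frozenset({"vmotion"})),
        PortGroup("VM Network", "vSwitch1", 30, frozenset({"vm"})),
        PortGroup("iSCSI", "vSwitch2", 40, frozenset({"iscsi"})),
    ],
    "esx02": [
        PortGroup("Management Network", "vSwitch0", 10, frozenset({"management"})),
        PortGroup("vMotion", "vSwitch1", 20, frozenset({"vmotion"})),
        PortGroup("VM Network", "vSwitch2", 30, frozenset({"vm"})),
    ],
    "esx03": [
        PortGroup("Management Network", "vSwitch0", 10, frozenset({"management"})),
        PortGroup("vMotion", "vSwitch0", 0, frozenset({"vmotion"})),
        PortGroup("VM Network", "vSwitch0", 0, frozenset({"vm"}), allow_promiscuous=True),
    ],
}

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

The medium-severity result for the Kelly-style host is the point of the passage: it satisfies VMware’s isolation guidance, yet the audit still records that the only barrier between management and vMotion frames is a VLAN tag on shared physical uplinks, which is the residual risk the frame-tagging attacks exploit.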

Van Dirmarsch, K., 2009. The Quest of Encrypted VMotion. [Online] Available at: http://virtualkenneth.com/2009/08/11/v/#more-7

Kelly, P., 2012. VMware vSphere 5 Host Network Designs. [Online] Available at: http://vrif.blogspot.co.uk/2011/10/vmware-vsphere-5-host-network-designs.html

Wu, W., 2008. VMware Security & Compliance Blog. [Online] Available at: http://blogs.vmware.com/security/2008/02/keeping-your-vm.html
