Mitigation techniques for management interfaces

13 11 2014

In VMware’s hardening guide, they offer a number of mitigation techniques that can be used to further secure vCenter from exploitation. The majority of the recommended measures around securing vCenter are of an operational nature rather than reconfiguring settings within VMware. A total of six of the options concerning vCenter alone in the documentation include measures that should be taken in the network to avoid the likelihood of MiTM attacks. Much the same as in my earlier post on hypervisors and throughout my blog, isolating these networks from any user reachable subnet is an advised approach for all management interfaces. If an attacker is unable to directly query the target, they are not able to directly exploit it without exploiting another system or finding a flaw in the software controlling the ACL’s. Although the segmentation approach will thwart the majority of conventional attacks, it is the authors opinion that securing such high target interfaces with usernames and passwords is inadequate and that further authentication processes are necessary.

In an article regarding storage security (Schulz, et al., 2005) commented:

“The strength of any authentication mechanism is based on the quality of the implementation and the strength of credentials. If the credentials are weak, or if authentication data is exposed due to faulty implementation, the mechanism itself can and will be defeated”

While not native to the vSphere product, it is possible to use third party solutions, such as HyTrust (HyTrust, 2012) to require ‘two factor authentication’ for access to the interface. It is also possible to enable two-factor authentication on other admin interfaces such as HP’s iLO. This adopts the defence-in-depth model that is used to ensure that the integrity of a system is not dependent on only one element.

When two-factor authentication is not available, standard network protection measures should be followed that are intransigent with traditional aspects of network security, such as strong passwords and account lockout policies.  It is also advisable to use the method of least privilege when creating the accounts that will have access to the management interfaces, to reduce the result of an attack. All management interfaces have differing levels of customization from the lesser granular options of the Cisco UCS to the highly configurable VMware vCenter. When configuring a user account in VMware’s vCenter, an administrator has the ability to granularly allow/deny individual actions on individual machines that are managed in that environment. An example of the granularity of vCenter’s permissions can be seen in Figure 1. Restricting user’s access to only allow access to the areas of the interface that are needed will reduce the total impact to the environment should a compromise of that account occur.

A small percentage of the options available when configuring permissions in vCenter

A small percentage of the options available when configuring permissions in vCenter

Schulz, G. et al., 2005. Virtualization Journal. [Online] Available at: http://virtualization.sys-con.com/node/48056

HyTrust, 2012. Two factors are better than one. [Online] Available at: http://www.hytrust.com/solutions/security/two-factor

Advertisements