Guide To Security For Full Virtualization Technologies

NIST Special Publication 800-125
Guide to Security for Full Virtualization Technologies
Recommendations of the National Institute of Standards and Technology

Karen Scarfone
Murugiah Souppaya
Paul Hoffman

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

January 2011

U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director

GUIDE TO SECURITY FOR FULL VIRTUALIZATION TECHNOLOGIES

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-125
Natl. Inst. Stand. Technol. Spec. Publ. 800-125, 35 pages (January 2011)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgments

The authors, Karen Scarfone of G2, Inc., Murugiah Souppaya of the National Institute of Standards and Technology (NIST), and Paul Hoffman of the VPN Consortium, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors gratefully acknowledge and appreciate the contributions from individuals and organizations whose comments improved the overall quality of this publication.

Trademark Information

All names are trademarks or registered trademarks of their respective owners.

Table of Contents

Executive Summary ........ ES-1
1. Introduction ........ 1-1
  1.1 Authority ........ 1-1
  1.2 Purpose and Scope ........ 1-1
  1.3 Audience ........ 1-1
  1.4 Document Structure ........ 1-1
2. Introduction to Full Virtualization ........ 2-1
  2.1 Motivations for Full Virtualization ........ 2-1
  2.2 Types of Full Virtualization ........ 2-2
  2.3 Virtualizing Hardware ........ 2-4
    2.3.1 Virtualized Networking ........ 2-4
    2.3.2 Virtualized Storage ........ 2-5
    2.3.3 Guest OS Images ........ 2-6
  2.4 Full Virtualization Use Cases ........ 2-6
    2.4.1 Server Virtualization ........ 2-6
    2.4.2 Desktop Virtualization ........ 2-8
3. Virtualization Security Overview ........ 3-1
  3.1 Guest OS Isolation ........ 3-1
  3.2 Guest OS Monitoring ........ 3-2
  3.3 Image and Snapshot Management ........ 3-2
4. Security Recommendations for Virtualization Components ........ 4-1
  4.1 Hypervisor Security ........ 4-1
  4.2 Guest OS Security ........ 4-3
  4.3 Virtualized Infrastructure Security ........ 4-4
  4.4 Desktop Virtualization Security ........ 4-5
5. Secure Virtualization Planning and Deployment ........ 5-1
  5.1 Initiation ........ 5-2
  5.2 Planning and Design ........ 5-2
  5.3 Implementation ........ 5-3
  5.4 Operations and Maintenance ........ 5-4
  5.5 Disposition ........ 5-5

List of Appendices

Appendix A: Glossary ........ A-1
Appendix B: Acronyms and Abbreviations ........ B-1

Executive Summary

Virtualization is the simulation of the software and/or hardware upon which other software runs. This simulated environment is called a virtual machine (VM). There are many forms of virtualization, distinguished primarily by computing architecture layer. This publication focuses on the form of virtualization known as full virtualization. In full virtualization, one or more OSs and the applications they contain are run on top of virtual hardware. Each instance of an OS and its applications runs in a separate VM called a guest operating system. The guest OSs on a host are managed by the hypervisor, which controls the flow of instructions between the guest OSs and the physical hardware, such as CPU, disk storage, memory, and network interface cards. The hypervisor can partition the system's resources and isolate the guest OSs so that each has access to only its own resources, as well as possible access to shared resources such as files on the host OS. Also, each guest OS can be completely encapsulated, making it portable. Some hypervisors run on top of another OS, which is known as the host operating system.

The recent increase in the use of full virtualization products and services has been driven by many benefits. One of the most common reasons for adopting full virtualization is operational efficiency: organizations can use their existing hardware (and new hardware purchases) more efficiently by putting more load on each computer. In general, servers using full virtualization can use more of the computer's processing and memory resources than servers running a single OS instance and a single set of services. A second common use of full virtualization is desktop virtualization, where a single PC runs more than one OS instance. Desktop virtualization can provide support for applications that only run on a particular OS. It allows changes to be made to an OS and subsequently reverted to the original if needed, such as to eliminate changes that negatively affect security. Desktop virtualization also supports better control of OSs to ensure that they meet the organization's security requirements.

Full virtualization has some negative security implications. Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, some virtualization systems make it easy to share information between the systems; this convenience can turn out to be an attack vector if it is not carefully controlled. In some cases, virtualized environments are quite dynamic, which makes creating and maintaining the necessary security boundaries more complex.

This publication discusses the security concerns associated with full virtualization technologies for server and desktop virtualization, and provides recommendations for addressing these concerns. Most existing recommended security practices remain applicable in virtual environments. The practices described in this document build on and assume the implementation of practices described in other NIST publications.

To improve the security of server and desktop full virtualization technologies, organizations should implement the following recommendations:

Secure all elements of a full virtualization solution and maintain their security.

The security of a full virtualization solution is heavily dependent on the individual security of each of its components, from the hypervisor and host OS (if applicable) to guest OSs, applications, and storage. Organizations should secure all of these elements and maintain their security based on sound security practices, such as keeping software up-to-date with security patches, using secure configuration baselines, and using host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks. In general, organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on hardware. The same is true for applications running on guest OSs: if the organization has a security policy for an application, that policy should apply equally regardless of whether the application is running on an OS within a hypervisor or on an OS running directly on hardware.

Restrict and protect administrator access to the virtualization solution.

The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only. Some virtualization products offer multiple ways to manage hypervisors, so organizations should secure each management interface, whether locally or remotely accessible. For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.

Ensure that the hypervisor is properly secured.

Securing a hypervisor involves actions that are standard for any type of software, such as installing updates as they become available. Other recommended actions that are specific to hypervisors include disabling unused virtual hardware; disabling unneeded hypervisor services such as clipboard or file sharing between guest and host; and considering using the hypervisor's capabilities to monitor the security of each guest OS running within it, as well as the security of activity occurring between guest OSs. The hypervisor itself also needs to be carefully monitored for signs of compromise. It is also important to provide physical access controls for the hardware on which the hypervisor runs. For example, hosted hypervisors are typically controlled by management software that can be used by anyone with access to the keyboard and mouse. Even bare metal hypervisors require physical security: someone who can reboot the host computer that the hypervisor is running on might be able to alter some of the security settings for the hypervisor.

Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it.

Planning helps ensure that the virtual environment is as secure as possible and in compliance with all relevant organizational policies. Security should be considered from the initial planning stage at the beginning of the systems development life cycle to maximize security and minimize costs. It is much more difficult and expensive to address security after deployment and implementation.
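As an added illustration of the hypervisor guidance above on disabling unneeded guest services (clipboard, file sharing) and unused virtual hardware, the following script checks a guest's configuration file against a small isolation baseline and shows a permissive configuration beside the hardened one. This is example code written for this page; it is not from the publication or from any hypervisor vendor. The key names follow the VMware .vmx convention used in VMware's own hardening guidance; the publication names no product, so the exact keys, their default-when-absent semantics, and both sample configurations are assumptions constructed for the example. Substitute the equivalent settings for the hypervisor you actually run.

```python
"""Audit a VMX-style guest configuration against a small isolation baseline.

Added example; not code from NIST SP 800-125 or from any hypervisor vendor.
The key names follow the VMware .vmx convention used in VMware's hardening
guidance.  The publication names no product, so the exact keys and their
default semantics are assumptions: substitute the equivalents for the
hypervisor you actually run.
"""
import re
from typing import Dict, List

# Guest services the Executive Summary says to disable when unneeded.
# Assumption: when one of these keys is absent the feature stays ENABLED,
# so an absent key is a finding, not a pass.
MUST_DISABLE: List[str] = [
    "isolation.tools.copy.disable",           # clipboard copy host <-> guest
    "isolation.tools.paste.disable",          # clipboard paste host <-> guest
    "isolation.tools.dnd.disable",            # drag-and-drop file transfer
    "isolation.tools.hgfsServerSet.disable",  # shared-folder (file sharing) server
]

# Unused virtual hardware: a device declared present should be removed.
# Assumption: an absent key means the device was never defined (compliant).
UNUSED_DEVICES: List[str] = ["floppy0.present", "serial0.present", "parallel0.present"]

_LINE = re.compile(r'^([\w.:]+)\s*=\s*"?([^"]*)"?$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict.

    '#' comments and blank lines are skipped.  Keys are lower-cased so that
    lookups are case-insensitive (assumption about how VMX keys compare).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per non-compliant baseline setting; [] if clean."""
    findings: List[str] = []
    for key in MUST_DISABLE:
        have = settings.get(key.lower())
        if have is None:
            findings.append(f"{key}: not set, feature enabled by default; set to TRUE")
        elif have.upper() != "TRUE":
            findings.append(f"{key}: is {have}; set to TRUE")
    for key in UNUSED_DEVICES:
        have = settings.get(key.lower())
        if have is not None and have.upper() == "TRUE":
            findings.append(f"{key}: device present; remove it or set to FALSE")
    return findings


# Constructed sample: a guest left at permissive defaults ...
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "finance-app01"
floppy0.present = "TRUE"
serial0.present = "TRUE"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
# dnd and hgfsServerSet are not set at all, so both stay enabled
"""

# ... and the same guest after the baseline has been applied.
HARDENED_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "finance-app01"
floppy0.present = "FALSE"
serial0.present = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        result = audit(parse_vmx(cfg))
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample the audit reports six findings (two clipboard settings explicitly left at FALSE, two sharing settings missing entirely, and two virtual devices still present); the hardened sample reports none. The point of treating a missing *.disable key as a finding is that "not configured" is the permissive state, which is exactly the condition a configuration baseline is meant to catch.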

1. Introduction

1.1 Authority

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public