SYS.1.5 Virtualization
Description
Introduction
In the virtualization of IT systems, one or more virtual IT systems are run on a physical IT system. Such a physical IT system is called a “virtualization server”. Multiple virtualization servers can be combined into a virtual infrastructure. Within this infrastructure, the virtualization servers themselves and the virtual IT systems operated on them can be managed jointly.
The virtualization of IT systems offers many advantages for IT Operations in an information domain. For example, costs for hardware procurement, electricity, and cooling can be saved when the resources of physical IT systems are used more efficiently. However, virtualization is also a challenge for operating the information domain. Since the virtualization technology used affects different areas and fields of work in the information domain, knowledge and experience from these areas must be brought together. Furthermore, problems on one virtualization server can also affect all other virtual IT systems operated on the same virtualization server. Similarly, virtual IT systems can mutually interfere with one another in their operation.
Objective
The objective of this building block is to show how virtualization servers can be securely introduced and operated in an information domain.
Scope and Modeling
The building block SYS.1.5 Virtualization is to be applied to every virtualization server.
In addition to the present building block, the relevant server or client building blocks of the SYS IT Systems layer must also be applied to each virtualization server. In addition to the operating system-specific building blocks, the building blocks SYS.1.1 General Server and SYS.2.1 General Client must also be applied, as these building blocks summarize the platform-independent security aspects for servers and clients respectively.
This building block only addresses the virtualization of complete IT systems. Other techniques sometimes associated with the word “virtualization” (e.g., application virtualization via terminal servers, storage virtualization, and containers) are not the subject of this building block.
In the field of software development, the terms “Virtual Machine” and “Virtual Machine Monitor” are also used for runtime environments, e.g., when Java or Microsoft .NET is used. Such runtime environments are likewise not considered in this building block.
Virtual infrastructures are typically managed using special management systems. Since these IT systems provide comprehensive access to the virtualization infrastructure, it is important to adequately secure them. This applies to both the physical or virtual server on which the management software is executed and to the product itself.
Virtualization environments are usually operated together with storage networks (NAS or SAN). The connection and security of these systems are likewise not addressed in this building block (see building block SYS.1.8 Storage Solutions for this purpose).
Virtualization requires the institution’s networks to be structured differently. This topic is not comprehensively addressed in this building block. Instead, the requirements of building block NET.1.1 Network Architecture and Design must be fulfilled. Network virtualization is also not examined in sufficient depth in the present building block.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to describe the threat landscape. The following specific threats and vulnerabilities are of particular significance for building block SYS.1.5 Virtualization.
Deficient Planning of Virtualization
A virtualization server enables the operation of virtual IT systems, integrates IT systems into the data center, and manages their connection to other infrastructure elements such as networks (including storage networks). If no planning is done for how virtualization servers are to be technically and organizationally integrated into the existing infrastructure, this can result in unclear responsibilities for different areas — e.g., for applications, operating systems, and network components. Furthermore, the responsibilities of various areas may overlap, or there may be no appropriate rights structure to separate administrative access for different areas.
Deficient Configuration of Virtualization
Virtualization changes the way servers are provisioned. Resources such as CPU, RAM, network connection, and storage are typically configured centrally via a management system and are no longer determined by hardware and cabling. This can quickly lead to configuration errors. For example, if a highly protection-sensitive virtual IT system is incorrectly placed in an external demilitarized zone (DMZ), it will be reachable from the internet and thus exposed to increased risk.
Insufficient Resources for Virtual IT Systems
Virtualization servers require storage space for operating virtual IT systems, which is provided either locally in the virtualization server itself or in a storage network. If the required storage capacities are not planned to be sufficiently large, there are far-reaching risks for the availability of the virtual IT systems and the integrity of the information processed in them. This is especially true when special virtualization functions such as snapshots or overcommitment of storage space are used.
Bottlenecks can affect not only disk or storage network space, but also processor performance, RAM, or network connectivity. Furthermore, insufficient resources on the virtualization server could cause virtual machines to mutually interfere with one another in their operation and ultimately fail to work correctly or fail entirely.
Information Leakage or Resource Shortages Due to Snapshots
A snapshot can freeze and save the state of a virtual machine. If such a snapshot is restored at a later point in time, all changes made in the interim are lost. This means that previously patched vulnerabilities may be open again. Furthermore, inconsistent data can arise due to open files, file transfers, or database transactions at the time of the snapshot.
In addition, snapshots can be misused in attacks to gain unauthorized access to the data of a virtual IT system. If the snapshot was created during live operation, the contents of the main memory were also saved to disk and can be restored and analyzed in a virtual environment outside the original IT infrastructure. Snapshots can also become very large and thus cause available storage capacity to become tight.
Failure of the Management Server for Virtualization Systems
Since all functions of a virtual infrastructure are controlled and administered via the management server, a failure of this management system means that no configuration changes can be made to the virtual infrastructure. During this time, IT Operations cannot respond to occurring problems such as resource bottlenecks or the failure of individual virtualization servers, and cannot integrate new virtualization servers into the infrastructure or create new virtual IT systems. Live migration and thus the dynamic allocation of resources for individual guest systems is also not possible without the management server.
Misuse of Guest Tools
Guest tools are often executed in virtual machines with very high privileges. This makes them susceptible to misuse: they can be used, for example, for denial-of-service attacks or to take over the entire virtualization server.
Compromise of the Virtualization Software
The virtualization software (also called “hypervisor”) is the central component of a virtualization server. It controls all virtual machines executed on this server and allocates processor and memory resources to them. If this component is successfully attacked, all virtual IT systems running on the virtualization server are also compromised.
Requirements
The following are the specific requirements of building block SYS.1.5 Virtualization. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Planners |
Exactly one role should be Primarily responsible. In addition, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
SYS.1.5.A1 DISCONTINUED (B)
This requirement has been discontinued.
SYS.1.5.A2 Secure Use of Virtual IT Systems (B)
Every person administering virtual IT systems MUST know how virtualization affects the IT systems and applications being operated. Access rights for administrators to virtual IT systems MUST be reduced to the actually necessary extent.
It MUST be ensured that the network connections required for the virtual IT systems are available in the virtual infrastructure. It MUST also be checked whether the requirements for isolation and encapsulation of the virtual IT systems and the applications operated on them are sufficiently met. Furthermore, the virtual IT systems used MUST meet the requirements for availability and data throughput. During ongoing operation, the performance of the virtual IT systems MUST be monitored.
SYS.1.5.A3 Secure Configuration of Virtual IT Systems (B)
Guest systems MUST NOT access devices and interfaces of the virtualization server. If such a connection is necessary, it MUST be allocated exclusively. It MUST ONLY be established by the administrators of the host system for the duration that is necessary. Binding rules MUST be established for this.
Virtual IT systems SHOULD be configured and protected in accordance with the institution’s security policies.
SYS.1.5.A4 Secure Configuration of a Network for Virtual Infrastructures (B)
It MUST be ensured that existing security mechanisms (e.g., firewalls) and monitoring systems cannot be bypassed via virtual networks. It MUST also be ruled out that undesired network connections can be established via virtual IT systems connected to multiple networks.
Network connections between virtual IT systems and physical IT systems, as well as for virtual firewalls, SHOULD be configured in accordance with the institution’s security policies.
SYS.1.5.A5 Protection of Administration Interfaces (B)
All administrative and management access to the management system and to the host systems MUST be restricted. It MUST be ensured that the administration interfaces cannot be accessed from untrusted networks.
Protocols considered secure SHOULD be used to administer or monitor the virtualization servers or management systems. If insecure protocols must nonetheless be used, a dedicated administration network MUST be used for administration.
SYS.1.5.A6 Logging in the Virtual Infrastructure (B)
The operational state, utilization, and network connections of the virtual infrastructure MUST be continuously logged. When capacity limits are reached, virtual machines SHOULD be migrated. In addition, expanding the hardware SHOULD be considered where appropriate. It MUST also be monitored whether the virtual networks are correctly assigned to the respective virtual IT systems.
SYS.1.5.A7 Time Synchronization in Virtual IT Systems (B)
The system time of all virtual IT systems used in production MUST always be synchronized.
Standard Requirements
Together with the basic requirements, the following requirements reflect the state of the art for this building block. They SHOULD generally be fulfilled.
SYS.1.5.A8 Planning a Virtual Infrastructure (S) [Planners]
The setup of the virtual infrastructure SHOULD be planned in detail. In doing so, the applicable regulations and policies for operating IT systems, applications, and networks (including storage networks) SHOULD be taken into account. If multiple virtual IT systems are operated on one virtualization server, there SHOULD be NO conflicts with regard to the protection needs of the IT systems. Furthermore, the tasks of the individual groups responsible for administration SHOULD be defined and clearly delineated from one another. It SHOULD also be regulated who is responsible for operating which component.
SYS.1.5.A9 Network Planning for Virtual Infrastructures (S) [Planners]
The setup of the network for virtual infrastructures SHOULD be planned in detail. It SHOULD also be checked whether a separate network must be set up and used for certain virtualization functions (such as live migration). It SHOULD be planned which network segments need to be set up (e.g., management network, storage network). It SHOULD be defined how the network segments can be securely separated and protected from one another. In doing so, it SHOULD be ensured that the production network is separated from the management network (see SYS.1.5.A11 Administration of the Virtualization Infrastructure via a Dedicated Management Network). The availability requirements for the network SHOULD also be met.
SYS.1.5.A10 Introduction of Management Processes for Virtual IT Systems (S)
Processes for commissioning, inventory, operation, and decommissioning SHOULD be defined and established for virtualization servers and virtual IT systems. The processes SHOULD be documented and regularly updated.
When planning the use of virtual IT systems, it SHOULD be defined which virtualization functions the virtual IT systems may use. Test and development environments SHOULD NOT be operated on the same virtualization server as productive virtual IT systems.
SYS.1.5.A11 Administration of the Virtualization Infrastructure via a Dedicated Management Network (S)
The virtualization infrastructure SHOULD ONLY be administered via a separate management network (see NET.1.1 Network Architecture and Design). The available security mechanisms of the management protocols used for authentication, integrity assurance, and encryption SHOULD be activated. All insecure management protocols SHOULD be deactivated (see NET.1.2 Network Management).
SYS.1.5.A12 Rights and Role Concept for Administering a Virtual Infrastructure (S)
Based on the tasks and roles defined in the planning phase (see SYS.1.5.A8 Planning a Virtual Infrastructure), a rights and role concept SHOULD be created and implemented for administering the virtual IT systems and networks, the virtualization servers, and the management environment. All components of the virtual infrastructure SHOULD be integrated into a central identity and authorization management system. Administrators of virtual machines and administrators of the virtualization environment SHOULD be distinguished. They SHOULD be equipped with different access rights.
Furthermore, the management environment SHOULD be able to group virtual machines into appropriate structures. The roles of administrators SHOULD be assigned accordingly.
SYS.1.5.A13 Selection of Suitable Hardware for Virtualization Environments (S)
The hardware used SHOULD be compatible with the virtualization solution in use. It SHOULD be ensured that the manufacturer of the virtualization solution also provides support for the hardware in use over the planned period of use.
SYS.1.5.A14 Uniform Configuration Standards for Virtual IT Systems (S)
Uniform configuration standards SHOULD be defined for the virtual IT systems used. The virtual IT systems SHOULD be configured in accordance with these standards. The configuration standards SHOULD be regularly reviewed. They SHOULD be updated if necessary.
SYS.1.5.A15 Operation of Guest Operating Systems with Different Protection Needs (S)
If virtual IT systems with different protection needs are operated together on one virtualization server, it SHOULD be ensured that the virtual IT systems are sufficiently encapsulated and isolated from one another. In this case, the network separation in the virtualization solution used SHOULD also be sufficiently secure. If this is not the case, further security measures SHOULD be identified and implemented.
SYS.1.5.A16 Encapsulation of Virtual Machines (S)
The “Copy” and “Paste” functions for information between virtual machines SHOULD be deactivated.
SYS.1.5.A17 Monitoring the Operational State and Configuration of the Virtual Infrastructure (S)
The operational state of the virtual infrastructure SHOULD be monitored. Among other things, it SHOULD be checked whether sufficient resources are still available. It SHOULD also be checked whether there are potential conflicts involving shared resources of a virtualization server.
Furthermore, the configuration files of the virtual IT systems SHOULD be regularly checked for unauthorized changes.
If the configuration of the virtualization infrastructure is changed, the changes SHOULD be reviewed and tested before they are implemented.
SYS.1.5.A18 DISCONTINUED (S)
This requirement has been discontinued.
SYS.1.5.A19 Regular Audits of the Virtualization Infrastructure (S)
Regular audits SHOULD be performed to verify whether the actual state of the virtual infrastructure corresponds to the state defined in the planning. Regular audits SHOULD also be performed to verify whether the configuration of the virtual components complies with the specified standard configuration. The audit results SHOULD be traceably documented. Deviations SHOULD be remediated.
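An added example, not part of the building block: a small audit of the kind SYS.1.5.A19 calls for, comparing actual placement against planning and flagging cases relevant to SYS.1.5.A4, A10 and A15. The inventory records, field names, zone names and the approved list are constructed assumptions standing in for a management system export.

```python
from collections import defaultdict

# Constructed inventory (assumption): one record per virtual IT system.
INVENTORY = [
    {"vm": "web01",  "host": "hv-a", "stage": "prod", "protection": "normal", "zones": ["dmz"]},
    {"vm": "db01",   "host": "hv-a", "stage": "prod", "protection": "high",   "zones": ["internal"]},
    {"vm": "build7", "host": "hv-b", "stage": "test", "protection": "normal", "zones": ["internal"]},
    {"vm": "erp01",  "host": "hv-b", "stage": "prod", "protection": "normal", "zones": ["internal"]},
    {"vm": "proxy2", "host": "hv-c", "stage": "prod", "protection": "normal", "zones": ["dmz", "internal"]},
    {"vm": "fw-v1",  "host": "hv-c", "stage": "prod", "protection": "normal", "zones": ["dmz", "internal"]},
]

# Planned state (assumption): systems approved to connect several zones,
# such as virtual firewalls.
APPROVED_MULTI_ZONE = {"fw-v1"}


def audit(inventory, approved_multi_zone):
    """Return (requirement, subject, message) tuples for deviations from planning."""
    findings = []
    by_host = defaultdict(list)

    for rec in inventory:
        by_host[rec["host"]].append(rec)
        zones = set(rec["zones"])
        # A4: a multi-homed VM can join networks that a firewall is meant to separate.
        if len(zones) > 1 and rec["vm"] not in approved_multi_zone:
            findings.append(("SYS.1.5.A4", rec["vm"],
                             "unapproved connection to zones: " + ", ".join(sorted(zones))))

    for host, recs in sorted(by_host.items()):
        stages = {r["stage"] for r in recs}
        # A10: test and development systems should not share a server with production.
        if "prod" in stages and stages - {"prod"}:
            findings.append(("SYS.1.5.A10", host,
                             "production mixed with: " + ", ".join(sorted(stages - {"prod"}))))
        levels = {r["protection"] for r in recs}
        # A15: mixed protection needs are allowed only with verified isolation.
        if len(levels) > 1:
            findings.append(("SYS.1.5.A15", host,
                             "mixed protection needs, verify isolation: " + ", ".join(sorted(levels))))
    return findings


if __name__ == "__main__":
    for requirement, subject, message in audit(INVENTORY, APPROVED_MULTI_ZONE):
        print(f"{requirement:12} {subject:8} {message}")
```
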
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the protection level corresponding to the state of the art. The proposals SHOULD be considered in the case of high protection needs. The specific determination is made within the framework of an individual risk analysis.
SYS.1.5.A20 Use of High-Availability Architectures (H) [Planners]
The virtual infrastructure SHOULD be designed for high availability. All virtualization servers SHOULD be combined into clusters.
SYS.1.5.A21 Secure Configuration of Virtual IT Systems with High Protection Needs (H)
For virtual IT systems, overcommitment functions for resources SHOULD be deactivated.
SYS.1.5.A22 Hardening the Virtualization Server (H)
The virtualization server SHOULD be hardened. To additionally isolate and encapsulate virtual IT systems from one another and from the virtualization server, Mandatory Access Controls (MACs) SHOULD be used. Likewise, the IT system on which the management software is installed SHOULD be hardened.
SYS.1.5.A23 Restriction of Rights for Virtual Machines (H)
All interfaces and communication channels that allow a virtual IT system to read and query information about the host system SHOULD be deactivated or blocked. Furthermore, ONLY the virtualization server SHOULD be able to access its own resources. Virtual IT systems SHOULD NOT share the so-called pages of the main memory.
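An added example, not part of the building block: a check of one virtual machine definition against SYS.1.5.A3, A16 and A23, assuming libvirt domain XML as the configuration format (the building block names no product). Both sample definitions are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed definition with the weak settings.
WEAK = """
<domain type='kvm'>
  <name>app01</name>
  <devices>
    <graphics type='spice' autoport='yes'/>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0xbeef'/></source>
    </hostdev>
  </devices>
</domain>
"""

# Constructed definition with the corrected settings.
HARDENED = """
<domain type='kvm'>
  <name>app01</name>
  <memoryBacking><nosharepages/></memoryBacking>
  <devices>
    <graphics type='spice' autoport='yes'>
      <clipboard copypaste='no'/>
    </graphics>
  </devices>
</domain>
"""


def check_domain(xml_text):
    """Return (requirement, message) tuples for settings that need review."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    # A3: host devices handed to the guest need an exclusive, time-limited approval.
    for dev in root.findall("./devices/hostdev"):
        findings.append(("SYS.1.5.A3",
                         f"host {dev.get('type')} device passed through to guest"))

    # A16: libvirt enables SPICE copy and paste unless copypaste='no' is set.
    for gfx in root.findall("./devices/graphics[@type='spice']"):
        clip = gfx.find("clipboard")
        if clip is None or clip.get("copypaste") != "no":
            findings.append(("SYS.1.5.A16", "SPICE clipboard copy/paste not disabled"))

    # A23: <nosharepages/> keeps the guest's memory pages out of page merging.
    if root.find("./memoryBacking/nosharepages") is None:
        findings.append(("SYS.1.5.A23", "memory page sharing not disabled"))

    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_domain(xml_text))
```
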
SYS.1.5.A24 Deactivation of Snapshots for Virtual IT Systems (H)
The snapshot function SHOULD be deactivated for all virtual IT systems.
SYS.1.5.A25 Minimal Use of Console Access to Virtual IT Systems (H)
Direct access to the emulated consoles of virtual IT systems SHOULD be reduced to a minimum. Virtual IT systems SHOULD be managed via the network wherever possible.
SYS.1.5.A26 Use of a PKI (H) [Planners]
A Public Key Infrastructure (PKI) SHOULD be used for certificate-protected communication between the components of the IT infrastructure.
SYS.1.5.A27 Use of Certified Virtualization Software (H)
Certified virtualization software at EAL 4 level or higher SHOULD be used.
SYS.1.5.A28 Encryption of Virtual IT Systems (H)
All virtual IT systems SHOULD be encrypted.
Additional Information
Good to Know
The BSI provides recommendations for the use of virtualization in its cybersecurity publication BSI-CS 113: “Server Virtualization”.
The Information Security Forum (ISF) sets out requirements for the operation of virtual servers in its standard “The Standard of Good Practice for Information Security” in the chapter SYS.1.3 Servers Running Linux and Unix - Virtual Servers.
The National Institute of Standards and Technology (NIST) provides recommendations for the use of virtualization in NIST Special Publication 800-125 “Guide to Security for Full Virtualization Technologies”.