VM Security - VMware Communities

VMware vSphere 

Security & Networking 

Ofir Zamir, 

SE Team Leader, VMware 

© 2009 VMware Inc. All rights reserved

VMware Approach to Security 

Platform 

Security 

• Secure hypervisor 

architecture 

• Platform hardening 

features 

• Secure 

Development 

Lifecycle 

Secure 

Operations 

• Prescriptive 

guidance for 

deployment and 

configuration 

• Enterprise controls 

for security and 

compliance 

Virtualization of 


• Virtualizationaware 

security 

• Unique Advantage 

of virtualization

Security of VMware vSphere 

PLATFORM SECURITY

Architecture: Types of Server Virtualization 

Hosted (Type 2) Bare-Metal (Type 1) 

Virtualization Layer 

APP 

Windows, Linux, Mac 

VMware Workstation 

VMware Server 

VMware Player 

VMware Fusion 

Host OS 

changes 

security 

profile 

VMware ESX/ESXi

Isolation in the Platform 

VLAN A 

VLAN B 

Virtual Machines 

• Are not able to interact with 

each other (except via 

network) 

• Are not aware of underlying 

storage -- only their own 

virtual disk(s) 

• Are subject to strict resource 

controls 

Virtual Switches 

• Are complete, VLAN-capable, 

layer-2 switches 

• Have no mechanism for 

sharing network traffic 

Security Design of the VMware 

Infrastructure 3 Architecture 

http://www.vmware.com/resources/techres 

ources/727

vSphere Advantages: Best Hypervisor Architecture 

VMware Architecture 

• True thin hypervisor 

• No general-purpose OS 

• Direct driver model = I/O scaling 

• Drivers optimized for VMs 

• Page Sharing = Greater Density 

• Hypervisor owns the resources 

MSFT / Xen Architecture 

• Large general purpose OS in mgmt 

partition 

• Indirect driver model 

• Generic drivers in mgmt partition 

• I/O throughput degradation under load 

• All VMs down when mgmt partition fails 

(BSOD/Kernel panic)

Secure Implementation 

VMware ESXi 

• Compact footprint (less than 

100MB) 

• Fewer patches 

• Smaller attack surface 

• Absence of general-purpose 

management OS 

• No arbitrary code running on 

server 

• Not susceptible to common 

threats

Secure Implementation 

Platform Hardening 

• Integrity in Memory Protection 

• ASLR – Randomizes where core 

kernel modules load into memory 

• NX/XD – Marks writable areas of 

memory as non-executable 

• Kernel Integrity 

• Digital signing – ensures the integrity 

of drivers and modules as they are 

loaded by the VMkernel. 

• Integrity on Disk 

• TPM – helps assure that image that 

is booting off the disk has not been 

tampered with since the last reboot.

ESXi Security Model 

Physical / 

Console 

Management 

Network 

Production 

Network 

CIM Client 

VM 



vSphere API 

vSphere Client 

vCLI 

vSphere SDK 

VC 

hostd 

vpxa 

vmkernel 

CIM 

Broker 

VMsafe VM 

Tech Support 

Mode 

DCUI 

BIOS 

VMM 


Network 

Stack 

Storage 

Stack 


Trust Boundary 

IP-based 

Storage 

Inter-ESX 

network 

Fibre 

Channel 

Storage 

Keyboard 

or iLO/equivalent

Isolation by Design 

CPU & Memory Virtual Network Virtual Storage 

• VMs have limited 

access to CPU 

• Memory isolation 

enforced by 

Hardware TLB 

• Memory pages 

zeroed out before 

being used by a VM 

• No code exists to link 

virtual switches 

• Virtual switches 

immune to learning 

and bridging attacks 

• Virtual Machines only 

see virtual SCSI 

devices, not actual 

storage 

• Exclusive virtual 

machine access to 

virtual disks enforced 

by VMFS using SCSI 

file locks 

Confidential - INTERNAL ONLY 

Security Design of the VMware Infrastructure 3 Architecture 

http://www.vmware.com/resources/techresources/727 

10

Independently validated 

Common Criteria 

EAL 4+ Certification 

• Highest internationally recognized 

level 

• Achieved for ESX 3.0; in process 

for ESX 3.5 and vSphere 4 

DISA STIG for ESX 

• Approval for use in DoD information 

systems 

NSA Central Security Service 

• guidance for both datacenter and 

desktop scenarios 

11


SECURE OPERATIONS

vnic 

vnic 

vnic 

Isolation in the Architecture 

Segment out all non-production 

networks 

VMkernel 

• Use VLAN tagging, or 

Production 

Mgmt 

Storage 

• Use separate vSwitch (see 

diagram) 

vSwitch1 

vmnic1 2 3 4 

Prod 

Network 

Mgmt 

Network 

vSwitch2 

Strictly control access to 

management network, e.g. 

• RDP to jump box, or 

• VPN through firewall 

VMware Infrastructure 3 Security Hardening Guide 

http://www.vmware.com/resources/techresources/726 

vCenter 

Other ESX/ESXi 

hosts 

IP-based 

Storage 

13

vSphere 4: Segmentation of Production Networks 

PVLAN (Private VLAN) 

Enables Layer-2 isolation between VMs on the same 

switch, even though they are on the same subnet 

Private VLAN traffic isolation 

between guest VMs 

Traffic from one VM forwarded out through uplink, 

without being seen by other VMs 

Communication between VMs on PVLANs can still 

occur at Layer-3 

Benefits 

Scale VMs on same subnet but selectivity restrict 

inter-VM communication 

Avoids scaling issues from assigning one VLAN and 

IP subnet per VM 

vSwitch with 

Private VLAN 

capability 

Common 

Primary VLAN 

on uplinks 

Implementation 

Available when using Distributed Switch

vNetwork Distributed Switching & Cisco Nexus 1000V Switch 

CURRENT 

vSwitch 

vSwitch 

vSwitch 

Enterprise networking vendors 

can provide proprietary 

networking interfaces to monitor, 

control and manage virtual 

networks 

Virtual machines retain policies, 

QoS as they move around the 

datacenter 

vDS 

vNetwork Distributed Switch 

Cisco Nexus 1000V

Cisco Nexus 1000V Architecture 

VM VM VM VM VM VM VM VM VM VM VM VM 

Nexus 

1000V 

VEM 

Nexus 

1000V 

VEM 

Nexus 

1000V 

VEM 

vSphere 

vSphere 

vSphere 

Virtual Supervisor Module (VSM) 

• Virtual or Physical appliance running 

Cisco Virtual NXOS Ethernet (supports Module HA) (VEM) 

• Performs • Enables management, advanced networking monitoring, & 

configuration Cisco capability Nexus on the 1000V hypervisor Installation 

• Tight • • Provides integration ESX & each ESXi with VM VMware with dedicated vCenter 

“switch port” 

• VUM & Manual Installation 

• Collection of VEMs = 1 vNetwork 

• Distributed VEM installed/upgraded Switch 

like an ESX 

patch 

vCenter 

Nexus 1000V VSM

Scaling Server Virtualization with Nexus 1000V 

Offload VM networking to network team 

• Abstracts network configuration from virtualization 

team 

• Network administrator to provide consistent network 

configuration to VM 

Optimize bandwidth to server w/ greater 

availability 

• Dual connectivity to non-clustered switches 

• Quality of Service for VMotion, Service Console, and 

VM traffic 

Enable virtual machines to be basic building 

blocks of data center 

• Consistent network operational model for physical 

and virtual infrastructure 

• Easier regulatory compliance 

SG0 SG1 SG0 SG1 

Po1 

Po2 

Cisco VEM 

C P 

SC VMK 

VM Data

Cisco Nexus 1000V – Faster VM Deployment 

Cisco VN-Link: Virtual Network Link 

Policy-Based 

VM Connectivity 

Mobility of Network & 

Security Properties 

Non-Disruptive 

Operational Model 

VM VM VM VM VM VM VM VM 

Defined Policies 

WEB Apps 

HR 

DB 

DMZ 

Nexus 

1000V 

VEM 

vSphere 

Nexus 

1000V 

VEM 

vSphere 

VM Connection Policy 

• Defined in the network 

• Applied in Virtual Center 

• Linked to VM UUID 

vCenter 

Nexus 1000V VSM

Cisco Nexus 1000V – Richer Network Services 


Policy-Based 







VM VM VM VM 

VMs Need to Move 

• VMotion 

• DRS 

• SW Upgrade/Patch 

• Hardware Failure 

Nexus 

1000V 

VEM 

vSphere 

Nexus 

1000V 

VEM 

vSphere 

VN-Link Property Mobility 

• VMotion for the network 

• Ensures VM security 

• Maintains connection state 

vCenter 

Nexus 1000V VSM

Cisco Nexus 1000V - Increased Operational Efficiency 


Policy-Based 







VI Admin Benefits 

• Maintains existing VM mgmt 

• Reduces deployment time 

• Improves scalability 

• Reduces operational workload 

• Enables VM-level visibility 

Nexus 

1000V 

VEM 

vSphere 

Nexus 

1000V 

VEM 

vSphere 

Network Admin Benefits 

• Unifies network mgmt and ops 

• Improves operational security 

• Enhances VM network 

features 

• Ensures policy persistence 

• Enables VM-level visibility 

vCenter 

Nexus 1000V VSM

Key Features of the Nexus 1000V 

Switching 


Provisioning 

Visibility 

Management 

• L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX) 

• IGMP Snooping, QoS Marking (COS & DSCP) 

• Policy Mobility, Private VLANs w/ local PVLAN Enforcement 

• Access Control Lists (L2–4 w/ Redirect), Port Security 

• Automated vSwitch Config, Port Profiles, Virtual Center Integration 

• Optimized NIC Teaming with Virtual Port Channel – Host Mode 

• VMotion Tracking, ERSPAN, NetFlow v.9 w/ NDE, CDP v.2 

• VM-Level Interface Statistics 

• Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks 

• Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)

Policy Based VM Connectivity 

Enabling Policy 

1. Nexus 1000V automatically 

enables port groups in 

VMware vCenter 

2. Server Admin uses vCenter 

to assign vnic policy from 

available port groups 

3. Nexus 1000V automatically 

enables VM connectivity at 

VM power-on 

WEB Apps: 

PVLAN 108, Isolated 

Security Policy = Port 80 and 443 

Rate Limit = 100 Mbps 

QoS Priority = Medium 

Remote Port Mirror = Yes 

1. 

3. 

vCenter 

2. 

Nexus 

1000V 

VEM 

Defined Policies 

WEB Apps 

HR 

DB 

DMZ 


vSphere 

Nexus 1000V VSM

Policy Based VM Connectivity 

What can a policy do 


Policy definition supports: 

• VLAN, PVLAN settings 

• ACL, Port Security, ACL 

Redirect 

• Cisco Trust Sec (SGT) 

• NetFlow Collection 

• Rate Limiting 

• QoS Marking (COS/DSCP) 

• Remote Port Mirror (ERSPAN) 

Nexus 

1000V 

VEM 

vSphere 

vCenter 

Nexus 1000V VSM

Mobility of Security & Network Properties 

Following your VMs around 

1. vCenter kicks off a 

Vmotion (manual/DRS) 

and notifies Nexus 

1000V 

2. During VM replication, 

Nexus 1000V copies VM 

port state to new host 


Nexus 

1000V 

VEM 

vSphere 

Nexus 

1000V 

VEM 

vSphere 

Mobile Properties Include: 

Port policy 

Interface state and counters 

Flow statistics 

Remote port mirror session 

1. 

vCenter 

VMotion Network Notification 

Persistence 

• Current: VM port VM1 config, state Server 1 

• New: VM monitoring VM1 Server statistics 2 

2. 

Nexus 1000V VSM

Mobility of Security & Network Properties 

Following your VMs around 

1. vCenter kicks off a 

Vmotion 

(manual/DRS) and 

notifies Nexus 1000V 

2. During VM 

replication, Nexus 

1000V copies VM port 

state to new host 

3. Once VMotion 

completes, port on 

new ESX host is 

brought up & VM’s 

MAC address is 

announced to the 

network 


Nexus 

1000V 

VEM 

VM VM VM VM VM VM VM 

vCenter 

vSphere 

Nexus 

1000V 

VEM 

Network Update 

• ARP for VM1 sent 

to network 

• Flows to VM1 MAC 

redirected to Server 2 

vSphere 

Nexus 1000V VSM 

3.

Source 

Group 

Cisco Nexus 1000V – VM Security 




I 

P C 

C 

I 

vSphere vSphere vSphere 

Private VLAN 

• Promiscuous port 

• Isolated port 

• Community port 

Security Features 

• Access Control List 

• Port Security 

• DHCP Snooping 

• IP Source Guard 

• Dynamic ARP Inspection 

Cisco TrustSec 

• Admission control: 802.1X 

• Hop-by-hop crypto: 802.1AE 

• Security Group Tag 

SGACL 

Matrix 

Destination Group 

- + 

+ -

Security: 

Virtual Service Domain 

Virtual Service Domain define a logical group of virtual machines 

protected by a virtual appliance. 

All the traffic entering or leaving the group will be sent to that 

particular virtual appliance. 

27

Nexus 1000V Installation Application 

Even Easier Installation 

Virtualization Admin deploy 

VSM virtual appliance with 

configuration parameters 

Network Admin configure 

VSM with GUI wizard 

Watch the video: https://www.myciscocommunity.com/videos/4057 

28


VIRTUALIZATION OF SECURITY 

29

VMware vShield Zones 

Capabilities 

Define VM zones based on familiar VI 

containers 

Monitor allowed and disallowed 

activity by application-based 

protocols 

One-click flow-to-firewall blocks 

precise network traffic 

Benefits 

Pervasive: well-defined security 

posture for inter-VM traffic anywhere 

and everywhere in virtual 

environment 

Persistent: monitoring and assured 

policies for entire VM lifecycle, 

including VMotion live migrations 

Simple: Zone-based rules reduces 

policy errors

Protecting data flows - DLP integration with VShields 

DLP is now embedded 

within the vSphere 

infrastructure 

Can protect internal data 

flows 

31

VMsafe Enables Application Protection 

VMsafe API and Partner Program 

• Protect the VM by inspection of virtual 

components (CPU, Memory, Network and 

Storage) 

• Run outside the VM 

• Complete integration and awareness of 

VMotion, Storage VMotion, HA, etc. 

• Fundamentally changes protection available 

for VMs running on VMware Infrastructure vs. 

physical machines 

• Provides an unprecedented level of 

security – “Virtual is more secure than 

Physical” 

ESX with ESXVMsafe 

VMsafe 

http://vmware.com/go/vmsafe

vNetwork Appliance API (aka VMsafe-Net) 

VMware ESX 3.5 

VMware ESX 


Appliance VM 

Run the 

Firewall in a 

Bridge 

Appliance 


VMware vSphere 

VMware 4 ESX 

vSwitch 

vSwitch 

vSwitch 

vNetwork 

Appliance 

vSwitch 

External 

Firewall 

Appliance 

Disadvantages: 

• Overhead 

• Lack of flexibility 

• Lack of Mobility 

Advantages: 

• Less overhead 

• vNetwork Platform 

provides mobility

vNetwork Appliance API (aka VMsafe-Net) 

• vNetwork Appliance API can 

inspect/alter/drop/inject any 

frame on a given port 

• Fast Path Agent 

• Runs in the Vmkernel 

• Might send packets to the 

slow path 

• Slow Path Agent 

• Runs in an Appliance VM 

• APIs for 3 rd Party Vendors to 

develop vNetwork Appliances 


VNIC 

Local Data Plane 

PKT 

Appliance VM 

Slow Path Agent 

Filter 

Filter 

Fast Path Agent 

Vmkernel

VMsafe Partner Releases, Q1 2010 

Category Partner Solution Status 

Firewall 

VPN1-VE 

Firewall VF 3.0 

ALTOR 

NETWORKS 

UTM - Firewall, IPS, App FW 

Firewall, network monitoring 

Early Access 

GA 

IDS/IPS 

IBM ISS Proventia 

Hybrid host/network IPS + Anti-rootkit + Virtual NAC 

GA 

DLP 

Protecting data flows 

DLP integration with VShields 

GA 

IDS/IPS 

VMC 

vTrust network zoning, network IPS, virtualization mgmt 

GA 

Antivirus Virusscan for Offline Virtual Images (OVI) 2.0 

Offline AV 

Antivirus Core Protection for Virtual Machines 1.0 

Online / Offline AV 

GA 

GA

Where to Learn More 


• Hardening Best Practices 

• Implementation Guidelines 

http://vmware.com/go/security 

Compliance 

• Partner Solutions 

• Advice and Recommendation 

http://vmware.com/go/compliance 

Operations 

• Peer-contributed Content 

http://viops.vmware.com

Thank You 

© 2009 VMware Inc. All rights reserved

VM Security - VMware Communities

Create successful ePaper yourself

Delete template?

Save as template?