Securing the Hypervisor: Tools and Guides from Leading Vendors

A recent breach of the SSL tools website www.openssl.com appears to be the result of insecure passwords on the service provider’s hypervisor, which allowed access to the guest virtual servers and resulted in defacement of the website. More information on the breach can be found on the OpenSSL website.

Although it appears a more secure password would have prevented this breach, securing the hypervisor has become increasingly important as businesses continue to virtualize critical workloads. Andrew Carlson discusses password complexity and management in a previous post, and there are hardening guides and tools available to assess compliance.

According to Gartner, the leading commercial hypervisor vendors are VMware and Microsoft. Other vendors in the space include Oracle, Citrix, RedHat and Parallels. This post is will preview some of the guides and tools available for the commercially available hypervisors.

Vendors

VMware uses ESXi to power its virtualization suite. ESXi is a bare-metal hypervisor, meaning it installs directly on hardware and does not need another operating system to function.

The hardening guide for the latest release of ESXi, 5.5, can be found here. The guide is a collection of VMware’s recommended settings to ensure a more secure environment.

VMware publishes compliance checking tools to assist in validation of the settings found in the hardening guide. The VMware vSphere 5.5 Compliance Checker is a stand-alone tool that can be used with vSphere 5.0, 5.1 and 5.5 and can be downloaded here.

As part of the vCenter Operations Management Suite, the vCenter Configuration Manager can also assist in compliance audits and will validate best practice recommendations found in the hardening guide linked previously.

A third-party tool, Tenable Nessus, supports compliance auditing of VMware vSphere through a remote API.

Microsoft offers the Hyper-V hypervisor in two forms - a role in Windows Server or as a standalone installable. Both can be hardened using a combination of tools and published documents provided by Microsoft.

Begin with the Hyper-V Security Guide found on Technet and the Hyper-V Security Guide found in the Download center. Microsoft also publishes planning and best practice guides that can be found here and here.

Both Windows Server 2008 R2 and 2012 can be checked for compliance using the Best Practices Analyzer (BPA). Be sure to update the BPA with the latest policies before running.

Once again, Tenable Nessus supports auditing Microsoft Hyper-V through remote API or local install on Microsoft Windows Server.

Oracle and Citrix both distribute and provide support for the open-source Xen hypervisor, marketed as Oracle VM and Citrix XenServer respectively. Although Citrix does not provide a hardening guide for XenServer, a third-party tool can be used to audit XenServer instances. Tenable provides a plugin to be used with the scanning and auditing tool Nessus that is based off of Unix and Linux hardening guides and best practices.

Oracle provides a document named Oracle VM Security Guide for Release 3 for securing Oracle VM. A third party company, Mokum Solutions, offers OVMProf, a tool designed to capture configuration of Oracle VM deployments. According to Mokum Solution’s website, the output of OVMProf can be used to validate configurations and best practices.

Red Hat develops and supports KVM as its commercially available hypervisor and publishes a hardening guide here. KVM runs on top of a base operating system to provide virtualization services.

For auditing, Red Hat contributes to OpenSCAP, an open source audit tool that is included as a package in the Red Hat Enterprise Linux (RHEL) operating system. OpenSCAP can use the Open Vulnerability and Assessment (OVAL) specification to audit RHEL systems for patches, signs of compromise and security configuration settings.

Tenable Nessus, a third-party tool, can be also used to audit the RHEL operating system for hardening best practices.

Parallels Virtuozzo Containers is a hypervisor based on the Linux kernel and is closely related to the RHEL kernel and operating system. Although the knowledge base has security-related articles, limited information exists on best practices and hardening.

The same tools used to audit RHEL can be used to audit a system running Virtuozzo Containers. These tools include OpenSCAP and Tenable Nessus.

Conclusion

Regular reviews of patches, configuration and vulnerabilities should be part of the lifecycle of any system. While the number of intrusion attempts is not likely to decrease over time, minimizing the attack surface and following vendor-provided best practice guides to harden the hypervisor will reduce the likelihood of compromise.