Virtual Vulnerability Assessment (VVA)

Process

The vulnerability testing process includes the set of procedures that would be employed in a non-virtualized environment, plus reviews unique to virtualization. In addition to the virtualized systems, a critical risk potential is in the Virtual Infrastructure Management. The Management systems themselves may have OS based weaknesses, but the application themselves, and the virtual management software must be specifically evaluated. CastleGarde utilizes security repositories such as Bugtraq (www.securityfocus.com), CERT (www.cert.org), US-CERT (www.us-cert.gov), CVE (cve.mitre.org), OVAL (http://oval.mitre.org) and Open Security Foundation (osvdb.org), standards from vendor neutral organizations like SANS as well as vendor reported issues and Best Practice recommendation.

Tools

CastleGarde utilizes its set of customized, commercial and industry standard scanning, profiling and service detection tools to locate and identify virtual guests and virtual management services. The same sets of tools are also used in a non-virtual environment. Depending on the types of virtual infrastructure; Server, Desktop, Application and the provider (VMware, MS Hyper-V for example) we employ different tools to analyze the installation of potential weaknesses. This involves using system and specific protocol tools to examine the Virtual Infrastructure Management network for unauthorized access or privilege escalation; gaining access to unintended functions, like gaining “root” or administrative authority.

Specific Threats in a Virtual Infrastructure

Each virtualization method commercially available today employs a layer of hardware, software, and administrative management beyond that of pre-virtualization. Most of the physical characteristics are supported if not mimicked by virtualization. In addition to the vulnerabilities of the guests (the hosted operating systems), and entirely new attack vector is exposed by the Virtual Infrastructure Management layer.

The key points unique to Virtualization include:

Isolation of networks between virtual guests – using VM-based software or physical devices, implementation using Firewalls and VLANs (802.1Q)
Isolation of the management network
Isolation of VM guests and IP storage (NAS, SAN) networks or fabric
Isolation of client (guest) data networks from each other and from the management network
Secure customer (guest machine users) access to the resources
Secure, consistent backup and restoration procedures
Strong authentication, authorization, and auditing mechanisms
Management and currency of operating system templates or model guest machine images
Resource management to identify and prevent over utilization of managed resources by guests monopolizing through accidental or DoS (Denial of Service) attack

Training and certification of technical staff supporting the Virtual Infrastructure
Encryption standards and practices applied to Virtual Infrastructure resources, such as backup of machine images, configuration databases
Security and maintenance of guest operating systems for patch management, configuration settings, hardening the OS; all the items that would also apply to a non-virtualized (real) operating system
Practices related to data copying, cloning, or migration of virtualized resources
Control of data access includes “Image Cloning” (copying of virtual machine images, data store, and virtual machine and profile configurations)