NIST lays out the basics of hypervisor security: system admins take note
October 23, 2014
American standards body the National Institute of Standards and Technology (NIST) has laid out the basics of hypervisor security in a draft publication released for comment on October 20.
The system admin guide presents no fewer than twenty-two security recommendations, under the key headings of isolating virtual machines from each other and from the host hypervisor.
It also gives admins pointers on controlling access and device emulation, and on preventing VMs from executing privileged operations.
The publication also covers VM management and the management of settings for interactions with the hypervisor itself.
The report notes that some threat types are well known, well understood, and common to any server-based virtualisation software.
For example, system admins should already be aware that they need to secure against network-based attacks, and likewise that Web-based management interfaces are a real risk point.
On the other hand, security threats from rogue VMs being used as an attack vector through “channels such as shared hypervisor memory and the virtual network inside the hypervisor host” are specific to the virtualised environment.
Rogue VMs can arise through misconfiguration of the hypervisor and/or its guest container, or through malicious or vulnerable device drivers, the document says, and these provide vectors for attacks such as rootkit installation or attacks against other VMs on the same host.
On the network itself, the report says, a rogue VM could spoof IP or MAC addresses, hop across the VLANs that are meant to isolate the traffic of different tenants, or try to intercept network traffic.
Rogues can also be used for denial-of-service attacks, by way of resource starvation. The draft, written by NIST director and George Mason University professor Ramaswamy Chandramouli, is open for comment until November 10.
Source: The National Institute of Standards and Technology.