Secure separation architecture for virtualised environments


Secure separation architecture for virtualised environments

With the increased dependency on cloud and virtualised computing environments, there is a need to ensure that virtual machines are appropriately separated from each other to restrict access to data on one VM from another. This is a typical scenario where each server, or VM, belongs to a different trust or security zone from the other. In risk management terms, we need to ensure that the low trust/security domain cannot access data on the high trust/security domain. This is best understood in a Government environment context, where we would want to reduce the likelihood of an attacker compromising an UNCLASSIFIED virtual machine as a platform to access
other virtual machines of a higher classification level e.g. SECRET or TOP SECRET.

In order to define a secure separation architecture for virtualised environments, we firstly need to understand the components of a virtualised environment and the business benefits of utilizing virtualisation.

Virtualisation is a method by which multiple virtual machines can exist on one physical instance. This benefits businesses by reducing the costs of physical boxes, reducing complexity and enabling consolidation of servers to one environment. This can greatly benefit businesses from a cost perspective. By using less hardware, the company saves costs on procurement as well as on-going maintenance. This is broadly how cloud computing works – cloud service providers harness extensive computing resources and allocate virtual machines to each of their customers. As their requirements increase, more virtual machines can be issued or retracted.

Virtual machines are controlled and managed on the box via a hyper visor that sits just above the VM’s. From a security perspective, if an attacker can own the hyper visor they have the capability to own all virtual machines controlled by that hyper visor. Additionally, in a standard configuration, each virtual machine will utilize the same resources as other machines unless configured differently e.g. virtual switches, virtual SAN’s and virtual NIC’s. So, how can we achieve a secure separation architecture for virtualised environments taking into account these points?

Firstly, it is important to note that the use of virtualisation technologies does not have to change your network topology. As mentioned, virtualisation simply allows greater use of physical resources and does not require a completely new architecture. The fundamental principles of good risk management still apply, security zones should be maintained wherever possible and data flows between security zones should be restricted through effective configuration. Fig 1 below shows a typical secure architecture for virtualised environments.


Fig 1: A secure virtualised architecture using physically separate hosts

In this example, a typical tiered architecture is utilized to segregate web, application and database layers. This ensures the most sensitive assets contained in the database are further protected via a defence in depth architecture. Data flows are restricted between zones via gateway devices. In terms of virtualisation, each zone is afforded a physically separate VMWare ESX host to prevent hopping from the web zone (low security, publicly accessible) to the database zone (higher security, sensitive data). Interaction with the database takes place via a tiered model, with no direct interaction with the database itself.

In this example, all virtual machines on each host are within the same security zone. Separation is achieved physically as each zone has its own ESX host. This type of architecture is typically in high threat environments such as the Government. As can be seen from the diagram, the management LAN also features separate interfaces to
each of the security zones to prevent an additional attack vector. It should be noted that the management LAN requires extensive monitoring to prevent compromise.

In the next example, we can see how security zones can be separated on the same physical ESX host.


Fig 2: A secure virtualisation architecture using the same hosts

In this example, separation is achieved at the virtualisation layer. Each set of virtual machines relating to the same trust zone is allocated separate virtual switches and virtual network interface cards (NIC’s). In this type of configuration, it is recommended that separation of duties is achieved to ensure that only privileged administrators can create virtual machines in sensitive zones, with less privileged users able to create VM’s in zones with less security requirements. As before, the management LAN should be separated, however, there is only one interface to the ESX box so stricter audit and monitoring controls are required here. This type of architecture represents cost savings for the organisation, however, may not be sufficient for a high threat environment.

For more information, have a look at VMWare’s white paper here.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *