« Previous 1 2 3 4
Secure Your KVM Virtual Machines
Jailbreak: Guard Against Breakouts on Your Virtual Machines
Conductive
If you have set up port forwarding on the virtual machine, it should be limited to a single network interface (Figure 9). This approach makes it easier to distinguish between and identify the connections to the virtual machine and the host. Maintenance on the host computer then exclusively uses the eth0
interface, whereas access to the virtual machines only uses eth1
.
The libvirt
tools and the MacVTap driver can help here by directly connecting virtual machines with a network interface on the host system. Private and bridge modes of operation are of interest here, where the virtual machines cannot access the host system. In Private mode, even the virtual machines can no longer communicate with one another [7]. However, these actions do not mean that you can do without a firewall.
Qemu offers a built-in TFTP server that lets you quickly and easily share files between the host and guest system. However, communication is unencrypted, and there is no user authentication. Administrators will thus want to disable the built-in TFTP server and, instead, set up a properly secured FTP server or, preferably, SSH access on the guest.
Fide Sed Cui Vide
Administrators should always keep the guest system up to date and install only known software. Caution is also advised with prebuilt virtual machines (appliances): They could include malware from the outset. Anyone planning to migrate an existing system should examine it up front for malicious software. Otherwise, you could also infect the new host system. If you boot to the virtual machine over the network via PXE, the server contacted for this purpose must be trustworthy. This is especially true if you automated the process of creating new virtual machines by scripting.
In a live migration, only the host systems involved should be allowed access to a shared filesystem or an NFS share. After the migration, you would then subsequently restrict access to the migrated system. Live migration should take place over encrypted connections, such as SSH.
A virtual machine that goes haywire can hog computing time, whereas a DoS attack on a virtual machine blocks the physical network connection. Both cases also paralyze all other virtual machines at the same time. It is consequently advisable to set up a monitoring system and to organize the virtual machines in cgroups, as already mentioned.
Virtual machines can be automatically started using the start scripts when booting the host system or using libvirtd
. However, you should think twice about this approach: If you have a malicious program on the virtual machine, and the program manages to break out, it can access the system at a very early stage. In extreme cases, you have no opportunity to rein in and isolate the rogue virtual machine.
Conclusions
A virtual machine is not a practical jail. On the contrary, it even increases the number of attack vectors. Administrators should think of virtual machines as additional, physical computers on a network and thus initiate the same security measures or include the machines in their (existing) security concept. Guests also need regular updates and the same care as the host system. Finally, most defaults in KVM, Qemu, and libvirt
are designed for security, and administrators should therefore change them only for a good reason.
Infos
- Black Hat/DEFCON 2011 Talk: Breaking Out of KVM: https://blog.nelhage.com/2011/08/breaking-out-of-kvm/
- sVirt: http://selinuxproject.org/page/SVirt
- Cgroups and libvirt: http://libvirt.org/cgroups.html
- Redirecting the serial interface: http://qemu.weilnetz.de/qemu-doc.html#index-g_t_002dserial-80
- SPICE: http://qemu-buch.de/de/index.php/QEMU-KVM-Buch/_Anhang/_Spice
- Firewall and network filtering in libvirt: http://libvirt.org/firewall.html
- Libvirt: Direct attachment to physical interface: http://www.libvirt.org/formatdomain.html#elementsNICSDirect
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)