One of my friends who works in IT is the director of a medium-sized business that experienced a serious security breach. Using sniffers, a hacker managed to locate the vCenter from a compromised user computer under his control. It was easy, since the vCenter was on the same subnet as the compromised machine. Now, a hacker in control of your vCenter is not a good thing! Things got worse: the hacker created a local admin account and logged into the vCenter server as admin, then did a simple vMotion from one host to another and intercepted the VMs as they moved between hosts. Data on those VMs was compromised, be it confidential client data or financials.
This is what I call a bad day in the office.
The first glaring mistake that organisation made was having the servers on the same subnet as the users' computers!
My recommendation to my friend to prevent (or I should say minimize) the chance of this happening again is the following:
- Keep users' computers and the server farm on different subnets, on different physical switches. These two should never, ever mix!
- Implement a combination of layered defenses (firewall, anti-virus, intrusion detection system) to protect the server farm.
- Restrict access to the management interfaces of your hosts (iLOs, VMkernel ports, ...).
- Put your entire virtual infrastructure behind a firewall. This way you define who interacts with your virtual world.
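As an added illustration of the first recommendation (this is example code, not part of the original post), a small Python audit that flags management, vMotion and iLO interfaces sharing a subnet with user workstations; the inventory and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Roles that must never share a subnet with user workstations (the post's
# vCenter, ESXi management/vMotion VMkernel ports and iLO interfaces).
PRIVILEGED_ROLES = {"mgmt", "vmotion", "ilo"}

@dataclass(frozen=True)
class Interface:
    name: str   # hypothetical label for the interface
    role: str   # "mgmt", "vmotion", "ilo" or "user"
    cidr: str   # address with prefix length, e.g. "10.0.1.20/24"

# Constructed inventory mirroring the flat network in the post: vCenter, an
# ESXi host's management/vMotion ports, its iLO and a finance PC all sit in
# 10.0.1.0/24; a second host's vMotion port is on a separate network.
INVENTORY = [
    Interface("vcenter", "mgmt", "10.0.1.10/24"),
    Interface("esxi01-vmk0", "mgmt", "10.0.1.20/24"),
    Interface("esxi01-vmk1", "vmotion", "10.0.1.21/24"),
    Interface("esxi01-ilo", "ilo", "10.0.1.200/24"),
    Interface("esxi02-vmk1", "vmotion", "10.20.30.5/24"),
    Interface("pc-finance-01", "user", "10.0.1.55/24"),
]

def _network(iface):
    return ipaddress.ip_interface(iface.cidr).network

def find_user_exposures(inventory):
    """Return (privileged_name, user_name) pairs whose subnets overlap:
    each pair means a sniffer on the user PC sees management traffic."""
    users = [i for i in inventory if i.role == "user"]
    return [(p.name, u.name)
            for p in inventory if p.role in PRIVILEGED_ROLES
            for u in users if _network(p).overlaps(_network(u))]

def find_shared_vmotion(inventory):
    """Return names of vMotion ports that share a subnet with any non-vMotion
    interface; vMotion traffic should ride its own isolated network."""
    others = [i for i in inventory if i.role != "vmotion"]
    return sorted({v.name for v in inventory if v.role == "vmotion"
                   if any(_network(v).overlaps(_network(o)) for o in others)})

if __name__ == "__main__":
    for priv, user in find_user_exposures(INVENTORY):
        print(f"EXPOSED: {priv} shares a subnet with user PC {user}")
    for vmk in find_shared_vmotion(INVENTORY):
        print(f"WARNING: vMotion port {vmk} is not on a dedicated network")
```

Feed it your real interface list and an empty result for both checks is the baseline the post argues for.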
There are other measures that can be taken, but they are outside the scope of this simple post. What is surprising is that many of the clients I have seen do not have any of these measures in place and are just waiting for that hacker to waltz in.
So, if you have not done so already, examine the security measures you have in place. A security breach could damage the brand name, pose a financial risk and even lead to non-compliance violations, with all the penalties associated with them. Not to mention it could be a CV-generating event for those who end up getting the blame!
Just a word to the wise.
Thanks for reading.
Nick