Virtualized infrastructure is critical for segregating workloads into trust domains, which reduces the risk of a breach spreading from a compromised host to other hosts. Set up the management plane components such as a VIM and VMware Telco Cloud Automation in a trusted location that is segmented from the rest of the virtualization fabric. By establishing the management plane in a separate domain from the virtualization plane, you can protect it further with firewalls, micro-segmentation, and other techniques.
Placing hypervisors in a security pool and tagging workloads with a trust domain
NSX distributes network and security services to the hypervisor, enabling a new level of control and operational agility. Thus, a network security team can prevent threats from moving laterally within an environment by, for example, creating security groups that include dynamic membership criteria defined by security tags. Security groups can also be governed by a security policy. For more information, see Configuring Security Policy.
NSX security groups, tags, policies, and other capabilities can isolate virtual workloads in trust domains by their risk and sensitivity levels. For example, such a trust domain lets you place sensitive functions in one host pool and vulnerable functions in another host pool, thereby limiting the attack surface.
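The following placement audit is an added example, not VMware or NSX code. It models tag-driven group membership offline and flags host pools that mix trust domains, as well as workloads with no single trust-domain tag. The tag scope `trust-domain`, the workload names, and the pool names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): workload name, security tags
# in "scope|value" form, and the host pool the workload runs in.
INVENTORY = [
    {"vm": "amf-01", "tags": ["trust-domain|sensitive"], "pool": "pool-a"},
    {"vm": "udm-01", "tags": ["trust-domain|sensitive"], "pool": "pool-a"},
    {"vm": "web-portal-01", "tags": ["trust-domain|exposed"], "pool": "pool-b"},
    {"vm": "probe-01", "tags": ["trust-domain|exposed"], "pool": "pool-a"},
    {"vm": "tmp-test-01", "tags": [], "pool": "pool-b"},
]

SCOPE = "trust-domain"  # hypothetical tag scope used for this example


def trust_domain(workload):
    """Return the workload's trust domain, or None if untagged or ambiguous."""
    values = {t.split("|", 1)[1] for t in workload["tags"]
              if t.startswith(SCOPE + "|")}
    return values.pop() if len(values) == 1 else None


def group_members(inventory, domain):
    """Dynamic group membership: every workload tagged with the given domain."""
    return sorted(w["vm"] for w in inventory if trust_domain(w) == domain)


def audit_placement(inventory):
    """Find pools that mix trust domains, and workloads with no clear domain."""
    by_pool = defaultdict(lambda: defaultdict(list))
    untagged = []
    for w in inventory:
        domain = trust_domain(w)
        if domain is None:
            untagged.append(w["vm"])  # would fall outside every tag-based group
        else:
            by_pool[w["pool"]][domain].append(w["vm"])
    mixed = {pool: {d: sorted(v) for d, v in domains.items()}
             for pool, domains in by_pool.items() if len(domains) > 1}
    return mixed, sorted(untagged)


if __name__ == "__main__":
    mixed, untagged = audit_placement(INVENTORY)
    for pool, domains in mixed.items():
        print(f"{pool} mixes trust domains: {domains}")
    print("no single trust-domain tag:", untagged)
```

A workload reported as having no single trust-domain tag matches none of the tag-based groups, so any policy scoped to those groups does not apply to it.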
Enforcing separation between trust domains
Most processors from Intel and AMD include the following features to assist virtualization and improve performance:
Hardware-assisted CPU virtualization
MMU virtualization
I/O MMU virtualization
Hardware-assisted CPU virtualization is called VT-x in Intel processors and AMD-V in AMD processors. It automatically traps sensitive events and instructions in the VMware virtualization fabric, allowing trap-and-emulate style virtualization and reducing the overhead of managing these traps.
Hardware-assisted I/O MMU virtualization is called Intel Virtualization Technology for Directed I/O (VT-d) in Intel processors and AMD I/O Virtualization (AMD-Vi or IOMMU) in AMD processors. Hardware-assisted I/O MMU virtualization is an I/O memory management feature that remaps I/O DMA transfers and device interrupts. In the VMware virtualization fabric, this feature is a function of the chipset instead of the CPU. This feature enables VMs to have direct access to hardware I/O devices such as network cards, storage controllers (HBAs), and GPUs. IOMMU maps virtual addresses to physical addresses. For more information, see Performance Best Practices for VMware vSphere.
Eliminating cross-host impacts
SpoofGuard prevents spoofing on an NSX logical switch. Using SpoofGuard, you can authorize the IP addresses reported by VMware Tools or IP discovery. For more information, see Prevent Spoofing on a Logical Switch and Using SpoofGuard.
Running containers on VMs to enforce trust domains with hypervisors
Containers alone are inadequate security boundaries. A compromised workload in a container can compromise the host operating system and all other workloads running on that host operating system.
The NIST Application Container Security Guide, also known as NIST Special Publication 800-190, says containers “do not offer as clear and concrete of a security boundary as a VM. Because containers share the same kernel and can be run with varying capabilities and privileges on a host, the degree of segmentation between them is far less than that provided to VMs by a hypervisor.”
To establish a strong security barrier for containers, VMware runs containers on VMs. By running containers on VMs, you can leverage security innovations in virtualization technology. The Secure Encrypted Virtualization (SEV) technology integrates memory encryption with AMD-V virtualization to support encrypted VMs, which are ideal for multi-tenant environments.
SEV with Encrypted State (SEV-ES) reduces the attack surface and provides increased protection for a guest VM from the hypervisor even if the hypervisor is compromised. When a VM stops running, SEV-ES encrypts and protects all CPU register contents to prevent information leakage from CPU registers to the hypervisor. SEV-ES can also detect and prevent malicious modifications to the CPU register state.
For more information, see CNFs on Virtual Machines or Bare Metal, Securing, Managing, and Optimizing CNFs and 5G Services at Scale.
VMware supplies technology such as Kubernetes and VIM that can manage containerized services programmatically at scale.