Security Design Decisions Part 5 — Physical Layer

Welcome back to my blog series on Security Design Decisions where I explore the need for a solid security framework. As more and more companies invest in security automation, I will explain how Citrix Consulting uses a layered approach to security. In previous posts, I focused on the User Layer, the Access Layer, the Resource Layer and Control Layer. In this final blog post, I’ll discuss on how to secure the Physical Layer.

The main objective for designing a secure Physical Layer is to protect people and data. Physical protection must be addressed first in the Citrix layered methodology. If implemented without proper planning or assurance level, the logical stack built above the Physical Layer will not be able to provide security. It will not identify and rectify any weakness this layer has and this can lead to overall security failure.

Designing a secure Physical Layer requires us to ensure the following basic controls are in place:

  1. Physical access – ensure that there is layered physical access such as employee access card, barricade, lock, biometric, turnstile, log books, etc.
  2. Physical monitoring – this includes CCTV command center and security personnel.
  3. Environmental monitoring – continuously monitoring the temperature and humidity and ensuring that fire, smoke, and CO2 alarms are functional and tested.

Next, we need to address human resource physical control. The main objective is to avoid or minimize risk related to handling of the data to ensure it does not cause disruption, compromising the environment.

As shared previously in User Layer, humans are the biggest threat in information security – this still holds true in this layer. For an example, any personnel that is able to access the infrastructure physically is able to bypass the logical safeguards by shutting down machines or accessing the root or shell console that is already turned on. The following measures can be placed to reduce the risks related to human resources:

  1. Implement separation of duties and implement two-person control for high-value tasks or high-risk role combinations.
  2. Authorize only selected administrators to access the physical environment
  3. Perform a thorough background verification
  4. Have employee sign a NDA (Non-Disclosure Agreement) and Code of Conduct
  5. Schedule periodic awareness and company policy training

Aside from implementing physical and personnel controls, we should also take into consideration the hypervisor. Hypervisors are categorized into Type 1, which operates directly on the system hardware, e.g. Citrix XenServer, and Type 2, which operates on a host operating system, e.g. Citrix DesktopPlayer. Type 2 hypervisors have larger attack surface as they operate on a host operating system and inherit any vulnerability that exists within the host operating system. While virtualization offers many benefits, it also introduces virtualization-specific threats combined with existing guest operating system concerns, such as:

  1. Hyper jumping – this occurs when a malicious user is able to exploit an operating system and leverage it as a means to launch an attack on the environment.
  2. Inter-VM attacks – VMs are able to communicate via the hardware backplane bypassing the network, this creates a blind spot as the standard network based security controls are not able to detect and prevent this.
  3. Hypervisor attacks – This occurs when a malicious user is able to exploit the hypervisor vulnerability and launch an attack that impacts the availability of the hosted machines, causing denial of service.
  4. VM sprawl – The enterprise environment generally has large number of VMs to support the business requirements; if this is not monitored, it can create a large surface attack where the unmanaged or unused VMs can be targeted and exploited by an attacker.
  5. Data co-mingling – As there is a possibility of communicating via the hardware backplane, this opens up another means of data being shared or transferred between environments without being detected. This leads to different level of data classification exposed and accessed by unauthorized users
  6. Instant-on gaps – A virtual machine can be secure when it is powered off, however considering the dynamic nature of any security threat, it may no longer be the case when the virtual machine is powered on, leaving it exploitable.

The following remediation strategies can be applied to reduce or mitigate the impact stemming from concerns listed above:

  1. Grouping and separating physical uplinks or configuring a private VLAN (PVLAN) can be deployed to hide VMs from each other and apply policy based routing (PBR).
  2. Hardening guest operating systems combined with Antivirus, HIPS and HIDS, log monitoring, and file integrity checker.
  3. Hypervisor hardening measures, such as those described in the Citrix XenServer 7.x leading practice document.
  4. Leverage XenServer Direct Inspect APIs and Bitdefender Hypervisor Introspection (HVI) which offers real-time memory scanning and virtual machine monitoring. Additional information can be found here.
  5. Implement in-line blocking appliances, such as FireEye.
  6. Audit and review the virtual machine environment to identify any idle or unused VMs that can be powered off or removed if no longer serving any business function, any recently modified virtual machine image and any virtual machine movements between any geographic locations.
  7. Data Loss Prevention can be used to prevent any data comingling based on assigned data label or categories.
  8. Leverage Network Access Control (NAC) to inspect the traffic for any known attacks before powering on an existing virtual machine.

To summarize, here are some key takeaways when designing a secure Physical Layer:

  1. Ensure basic physical controls are in place to address physical access, physical and environment monitoring.
  2. Humans are the biggest threat in information security – have proper controls in place to address any people-related risks.
  3. Deploy Hypervisor-enabled antivirus (e.g. XenServer with BitDefender) to gain visibility into virtual machines and hypervisor level threats.
  4. Leverage Data Loss Preventions to identify and detect any unauthorized data movements.
  5. Deploy Network Access Control (NAC) to inspect any malicious traffic before powering virtual machines.
  6. Periodic monitoring and auditing of the virtual machines to identify any unused virtual machines.
  7. Physically and logically separate virtual machines and allow only authorized virtual machines to talk to each other if required.
  8. Establish a hardened guest operating system and hypervisor.

This ends our journey of exploring the methods and strategy of securing all the five layers. The Citrix Consulting Security Practice can help you with your design and hardening needs.

Feel free to reach out to The Citrix Consulting Security Practice, or you read more about our security practice.

For more information about Citrix security solutions, visit