Proxmox VE cybersecurity

Company 

DynFi

Editor

Grégory BERNARD - +33 1 82 52 24 52

Project 

Securing the Proxmox hypervisor

License 

CC-BY-NC-SA

Brands

Proxmox® is a registered trademark of Proxmox Server Solutions GmbH.
DynFi® is a registered trademark of DynFi EURL. 

Version 

1.0.0

Why are we providing this white paper for free?

We believe in sharing knowledge. That’s why we’re making this study available free of charge to anyone who wants to benefit from it without selling it. Our team of engineers has been involved for twenty years in the development, implementation, deployment and maintenance of critical infrastructures in the cloud or within private networks entirely based on open source software.

Over the past 14 years, we have developed very specific knowledge in the field of cybersecurity and we believe that sharing some of this knowledge will help improve the overall resilience level of critical infrastructures of companies.

The other objective is to allow companies that do not have our skills to benefit from them by calling on our teams.

We offer you our services in the field of :

  • consulting,
  • design and network architecture
  • deployment of your Proxmox VE clusters (under Ceph, ZFS, NFS, …)
  • maintenance

This study contains 46 security points, 15 pages, only 10 points are displayed below. To download the complete study in PDF, just fill in the form below.

Cybersecurity of the Proxmox system

Proxmox VE (PVE) is a virtualization system that integrates the Virtual Machine (VM) management system KVM and the Container (CT) system LXC. In addition to these basic building blocks, Proxmox VE allows the deployment of these Virtual Machines and Containers on multiple File System environments (EXT4, ZFS, CEPH, …) but also on network mount systems (NFS, iSCSI) for example.

The remarkable integration between these different systems makes Proxmox VE the most popular open source hypervisor on the market. Its performance is so remarkable that PVE is now competing with VMWare, not only in terms of price (the solution is free - this seems to be a foregone conclusion), but also in terms of reliability, performance and above all simplicity of maintenance of the solution.

The objective of this white paper is to understand how to secure Proxmox VE environments in order to make them hardened.

We will use the document proposed by the [ANSSI] (https://www.ssi.gouv.fr/) to secure ESXi environments.

Resource pooling

As expressed in the ANSSI framework document, the partitioning of VMs is one of the main objectives that will ensure a good level of security for hosted VMs.

The first recommendation (R1) will therefore result in:

Avoid hosting devices with different security levels within the same hypervisor avoid exposing VMs that do not need to be exposed.

The second recommendation (R2) aims to limit the routing and filtering functions between VMs of different sensitivity.

It can be translated as :

  • Limiting the attack surface (i.e. the number of services deployed)
  • Isolating logical network levels with separate hardware that is not connected to each other.
  • Maintain security conditions

The third recommendation (R3 and R4) is to subscribe to software vulnerability notification services for your Hypervisor AND the VMs and TCs that make it up.

You should take care to subscribe to a [Proxmox Enterprise license] (https://shop.dynfi.com/category/abonnements-proxmox/6/) to ensure that your hypervisor has regular updates. On Proxmox-VE one can provide the deployment of the software vuls, on a dedicated container.
Or simply use the debsecan package.

The drivers of your hardware must be duly identified and retrieved only from the manufacturers' websites (R5).

The hardware drivers (BIOS) of the hosting platforms are rarely OpenSource. However, when good drivers exist in Open Source to replace the manufacturers' BIOSes, we recommend that you use them.

In reality, OpenSource BIOSes are very few and support very little hardware, especially on server motherboards.

Using Open Source software has an important advantage, because although it is possible to trust hardware manufacturers, the experiences of the last few years have proven that doubt is better than absolute trust.

In any case and in the absence of a viable alternative, it is imperative to regularly update your BIOS and make sure that your hypervisors do not contain software with identified security holes (CVS).

Point R6 is specifically about VMWare and the signing of binaries distributed as part of the updates.

On this point, we recommend that you subscribe to Proxmox’s Enterprise subscription services in order to have access to signed binaries from their enterprise directory.

Point R7 consists in making sure that the Kernel modules are 100% from identified sources.

As with R6, we recommend that you subscribe to Proxmox’s “Enterprise” services to ensure that you have secure and up-to-date linux kernels. A strong point of Proxmox compared to VCenter is that Proxmox upgrades, even on major versions, are very smooth. The steps of the update are detailed by the Proxmox team and can be found here :

At this stage if the first two links concern you: it means that you have not read our recommendations well, it is high time to take things in hand! Normally you should already be at version 6 of Proxmox.

Point R8 can be interpreted as the need to use sudo in order to restrict access to the root account, while still being able to conduct the necessary update operations for your system.

Point R9 is a critical point and Proxmox policy does not allow copying their APT directory of offline updates in order to sync your VMs to it.

A possible partial solution is to use a proxy server to ensure that only one server has access to the WEB. For projects that would be carried by IVEs, it is possible to negotiate specific licenses that allow offline access to Proxmox resources, please contact us about this.

Point R10 would specify that your proxy server must be protected by a stateful firewall service.

We recommend using a stateful firewall such as DynFi Firewall which meets the criteria required by ANSSI in this regard. Or the use of a NEXT-GEN firewall with L7 filtering features duly tested and validated.

Access the complete document

If you wish to download the complete study in PDF format, simply fill out the form below: