5.2. Network Security Recommended Practices
Network security is a critical part of a secure virtualization infrastructure. See the following recommended practices for securing the network:
- Ensure that remote management of the system takes place only over secured network channels. Tools such as SSH and network protocols such as TLS or SSL provide both authentication and data encryption to assist with secure and controlled access to systems.
- Ensure that guest applications transferring sensitive data do so over secured network channels. If protocols such as TLS or SSL are not available, consider using one like IPsec.
- Configure firewalls and ensure they are activated at boot. Only network ports needed for the use and management of the system should be allowed. Test and review firewall rules regularly.
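The following script is an added example, not part of this guide, that shows one way to carry out the "test and review firewall rules regularly" step on a firewalld host. It parses the text produced by `firewall-cmd --list-all` for the active zone and reports every opened service or port that is not on an allowlist maintained by the administrator. The listing embedded below is constructed for the example (it is not output captured from a real host), and the allowlist contents are assumptions for a typical virtualization host.

```python
"""Review a firewalld zone listing against an allowlist of expected exposures.

Added example for the "review firewall rules" practice; not code from the guide.
Run `firewall-cmd --list-all` on the host and feed its output to
unexpected_exposures() together with the services and ports you expect.
"""

# Constructed sample of `firewall-cmd --list-all` output (not captured from a
# real system). The 8080/tcp entry is the deliberately unexpected one.
SAMPLE_LISTING = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 16514/tcp 5900-5910/tcp 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Assumed allowlist for a virtualization host: SSH and Cockpit for management,
# the libvirt TLS listener (16514/tcp) and a range for SPICE/VNC consoles.
ALLOWED_SERVICES = {"ssh", "cockpit", "dhcpv6-client"}
ALLOWED_PORTS = {"16514/tcp", "5900-5910/tcp"}


def parse_zone_listing(text: str) -> dict:
    """Extract the 'services' and 'ports' lines of a zone listing as lists.

    Every other line ("target:", "rich rules:", the zone header) is ignored.
    """
    result = {"services": [], "ports": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in result:
            result[key] = value.split()
    return result


def unexpected_exposures(text: str, allowed_services, allowed_ports) -> list:
    """Return sorted 'service:NAME' / 'port:SPEC' entries missing from the allowlists.

    Port entries are compared as exact strings, so a range such as
    5900-5910/tcp must appear in the allowlist in exactly that form; overlapping
    ranges are not resolved here and still deserve a manual look.
    """
    zone = parse_zone_listing(text)
    findings = [f"service:{s}" for s in zone["services"] if s not in allowed_services]
    findings += [f"port:{p}" for p in zone["ports"] if p not in allowed_ports]
    return sorted(findings)


if __name__ == "__main__":
    for finding in unexpected_exposures(SAMPLE_LISTING, ALLOWED_SERVICES, ALLOWED_PORTS):
        print("review:", finding)
```

The script covers only the "needed ports" part of the practice; whether the firewall is actually active at boot is a separate check (`systemctl is-enabled firewalld` on a systemd host), and the allowlist itself should be reviewed whenever a management tool or guest service is added or retired.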
5.2.1. Securing Connectivity to SPICE
The SPICE remote desktop protocol supports SSL/TLS, which should be enabled for all of the SPICE communication channels (main, display, inputs, cursor, playback, record).
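The script below is an added example (not code from the guide or from libvirt) that audits the `<graphics type='spice'>` element of a libvirt domain XML for the practice just described. It reports any of the six channels listed above that would not be forced onto the TLS port, either through `defaultMode='secure'` or an explicit `<channel name='…' mode='secure'/>`, and flags a device with no TLS port at all. The three domain fragments are constructed for the example; the assumption that TLS must also be enabled on the host side (`spice_tls = 1` in `/etc/libvirt/qemu.conf`) is noted in the comments but not checked here.

```python
"""Check a libvirt domain definition for SPICE channels that are not TLS-only.

Added example, not part of the guide. Requires nothing beyond the standard
library; feed it the output of `virsh dumpxml <domain>`.
"""
import xml.etree.ElementTree as ET

# The channels named in the guide. libvirt also knows smartcard and usbredir,
# which inherit defaultMode in the same way and can be appended here.
REQUIRED_CHANNELS = ("main", "display", "inputs", "cursor", "playback", "record")


def spice_tls_findings(domain_xml: str) -> list:
    """Return a list of findings; an empty list means every channel is TLS-only.

    Host-side prerequisite assumed but not verified here: spice_tls = 1 and a
    populated spice_tls_x509_cert_dir in /etc/libvirt/qemu.conf, otherwise the
    TLS listener cannot come up even with a correct domain XML.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for g in root.findall("./devices/graphics[@type='spice']"):
        # Without a tlsPort (or autoport allocation) there is no TLS listener.
        if g.get("tlsPort") is None and g.get("autoport") != "yes":
            findings.append("spice: no tlsPort configured and autoport is not 'yes'")
        # A channel without its own <channel> entry falls back to defaultMode,
        # and libvirt's default for defaultMode is 'any' (TLS optional).
        default_mode = g.get("defaultMode", "any")
        explicit = {c.get("name"): c.get("mode") for c in g.findall("channel")}
        for name in REQUIRED_CHANNELS:
            mode = explicit.get(name, default_mode)
            if mode != "secure":
                findings.append(f"spice channel '{name}' mode is '{mode}', expected 'secure'")
    return findings


# Constructed domain fragments (not from any real host).
WEAK_DOMAIN_XML = """<domain type='kvm'><name>demo</name><devices>
  <graphics type='spice' port='5900' autoport='no' listen='0.0.0.0'/>
</devices></domain>"""

HARDENED_DOMAIN_XML = """<domain type='kvm'><name>demo</name><devices>
  <graphics type='spice' autoport='yes' tlsPort='5901' defaultMode='secure' listen='127.0.0.1'>
    <channel name='main' mode='secure'/>
    <channel name='display' mode='secure'/>
  </graphics>
</devices></domain>"""

# defaultMode is secure, but one channel is explicitly downgraded.
MIXED_DOMAIN_XML = """<domain type='kvm'><name>demo</name><devices>
  <graphics type='spice' autoport='yes' tlsPort='5901' defaultMode='secure'>
    <channel name='playback' mode='insecure'/>
  </graphics>
</devices></domain>"""


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_DOMAIN_XML), ("hardened", HARDENED_DOMAIN_XML),
                       ("mixed", MIXED_DOMAIN_XML)):
        print(label, spice_tls_findings(xml) or "ok")
```

Because a per-channel `mode` overrides `defaultMode`, the check evaluates every channel individually rather than trusting the device-level attribute alone; the "mixed" fragment shows why.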
5.2.2. Securing Connectivity to Storage
You can connect virtualized systems to networked storage in many different ways. Each approach presents different security benefits and concerns, but the same security principles apply to each: authenticate the remote storage pool before use, and protect the confidentiality and integrity of the data while it is being transferred.
The data must also remain secure while it is stored. Red Hat recommends that data is encrypted or digitally signed before storing, or both.
For more information on networked storage, see the Using Storage Pools section of the Red Hat Enterprise Linux Virtualization Deployment and Administration Guide.