Interop: People a big security threat to virtualization
- 19 September, 2008 08:53
Interop New York 2008
While VMware this week is holding its own VMworld party in Las Vegas, attendees at Interop New York were told about the potential security risks of virtual environments, not the least of which are people.
Virtualization today is ahead of compliance. If they get into the hypervisor, the game is over
At least for now, virtual servers, the hypervisors that oversee them, the management platforms that govern them and the IT staff that sets them up and runs them are all potential attack vectors, said Joshua Corman, principal security analyst for IBM/ISS. "Virtualization is a game changer for good and for bad," he said.
IT staffs under financial pressure to implement virtual servers may be overworked and lose the diligence to properly plan secure deployments Corman said. "Virtualization requires more discipline and enforcement of policies than before," he said.
Just as teams of server, network, security and application specialists typically oversee the deployment of traditional physical server farms, the same group should plan virtual rollouts, Corman said. But often, the security team is left out and server administrators may inherit the responsibility without the proper expertise. "Before there was a healthy balance of skill sets distributed well [among a variety of administrators]," he said.
This lack of balance generates unproductive finger pointing when things go awry and in some cases creates grabs for power as IT staff recognizes a shift in how work is being distributed. In either case, security can suffer, Corman said.
Meanwhile, virtual technology presents weak spots for attackers to take advantage of, he said. "Virtualization will set you back on your risk posture," he said. In particular, virtual environments are a "management nightmare" where each virtual machine may spawn another that could appear virtually anywhere. This makes instances of servers hard to find, let alone protect, he said, and this "server sprawl" can lead to catastrophic failures.
Individual virtual machines, called guests, can fall into vulnerable configuration due to a feature of virtualization that suspends them when they are not used, Corman said. When the applications these guests host are needed, they are brought back online, but in the meantime may have missed critical security updates and are left open to exploits.
Once a guest is taken over, it can contend for the available processing power within the same hardware and cause bottlenecks for applications on the other guests within the physical machine, he said.
Corman told a story about a business that set up 2200 virtual servers. When some of them got overloaded they replicated onto other physical machines, where they drained CPU capacity on those machines forcing more virtual servers to migrate to yet other hardware servers as well, overloading them. The whole scenario caused a cascading crash of the servers, Corman said.
This live migration of servers to new physical hosts is itself a vulnerability if limits are not set on where virtual servers can migrate to, Corman said. While the image is being transferred from one hardware server to another it is unencrypted and vulnerable to man-in-the-middle attacks that could, for instance, alter the administrative rights to the replicated machine. The new virtual server could then be controlled by an attacker, he said.
Hypervisors that oversee virtual servers are designed to be small and simple to make them more difficult to attack, so they lack encryption capabilities that would bloat their size, he said.
Hypervisors themselves can be successfully exploited according to publicly announced research, and that allows unlimited access to all the virtual machines they control, Corman said. "If they get into the hypervisor, the game is over," he said. "You want to trust that it's sound and secure, but it may not be."
Virtualization could have a big impact whether businesses can meet regulatory demands, such as payment card industry security standards, Corman said. The standards allow deploying databases on the same physical server with applications as long as they cannot intermingle, but live migration that automatically creates new server instances can undo that, he said.
"A real-server architecture that is compliant when set up in a virtual environment might not," Corman said. He recommends keeping in close contact with regulatory auditors to learn how they are interpreting what virtual environments are compliant. "Virtualization today is ahead of compliance," he said.
While potential problems with virtual machines are prevalent, Corman said they can be effectively dealt with. Some of his recommendations:
- Make sure new virtual machines receive security provisioning.
- Clearly define and restrict the physical machines to which virtual servers can live-migrate.
- Implement perimeter security around the physical environment that hosts the virtual environment.
- Install host-based security on each guest virtual machine.
- Lock down management consoles so only the features being used are accessible.
- Use virtual LANs to segment guests from each other within a single server chassis.
- Beware security products promising to be silver bullets for virtual security.
In the future, security APIs will allow third-party security vendors to make effective virtual security products, Corman said. Developing tools will help discover when virtual machines have been compromised, he said. For instance, virtual trusted platform modules -- hardware on server chips -- will be able to confirm whether a virtual machine has been altered from a known safe state, helping identify exploited machines, he said.