Plotting Security Strategy In A Virtual World
The wave of hype around server virtualization technology has already receded as solution providers and their customers bury their heads in their SANs and work with mature and maturing technologies from VMware and several competitors.
Yet like a Pacific Ocean tsunami, the departure of the wave signals not a falling tide, but the building of a new and larger wave of hype and confusion about how the growing virtualization of server infrastructures impacts the security of the data center.
Virtualized servers are in many ways similar to physical servers, with each individual virtual or physical server requiring processor time, memory, I/O, and an operating system to run an application which does not care on which type of server it is found.
Yet the difference between having an application run on a dedicated piece of hardware or on one of several virtual servers sharing resources within a physical server is spurring a debate about the best way to protect the virtual world.
In one camp are those who say that virtual servers primarily need the same type of protection tools—anti-virus, anti-spam, firewall—as any physical server.
In the other camp are those, especially a host of startups and relatively unknown technology developers, who say that server virtualization brings its own potential areas for malware exploits requiring a new set of tools to handle security issues.
While security is an important issue in any part of the data center, customers have yet to express concern about the security of their virtual servers, said Kevin Houston, business development manager and virtualization practice manager at Optimus Solutions, a Norcross, Ga.-based solution provider.
"A lot of people don't think virtual environments need protection," Houston said. "They have perimeter security to protect against external attacks, and an inside perimeter to protect against internal threats."
Within the host servers, virtual servers are often not protected, Houston said. "But no customers say they are worried," he said. "But remember, this is still new. Just a year ago, customers were still looking at whether they wanted to virtualize servers or not."
There is a great need for securing virtual server environments, Houston said. "But I don't think recognition of the importance has penetrated the customer environment yet. It probably won't happen until someone penetrates a virtual environment and gets a virus to spread from virtual machine to virtual machine."
Paul Adamonis, director of security solutions at Forsythe Solutions Group, a Skokie, Ill.-based solution provider, agreed that it will take a major breech to bring security to the forefront.
"That will happen when you see the first rootkit at the hypervisor level," Adamonis said. "Then you'll see everybody scrambling."
For now, Adamonis said, his company has discussed security in virtual environments and has concluded that the issues are similar to those of physical servers. "It comes down to, there is no difference," he said. "If you are going to do anti-virus or e-mail lockdown, you'll have to do it on the virtual server as well as on the physical server."
In many ways, securing virtual servers is little different from securing physical servers, said Patrick Lin, senior director of product management at VMware.
"At the end of the day, they are just Windows machines," Lin said. "When you turn a physical server into a virtual server, it's no more vulnerable that it was before. There are not new avenues of attack all of a sudden."
Even so, server virtualization vendors are taking steps to ensure that their technology is itself up-to-date in terms of security.
Lin said VMware Server ESX is currently certified at Common Criteria Level 2 (CCL2), a security standard, and is in the process of applying for CCL4 for its Virtual Infrastructure 3 (VI3) product suite.
Virtualization actually offers a great opportunity to do security right, said Simon Crosby, CTO of XenSource, the Palo Alto, Calif.-based virtual server vendor which is in the process of being acquired by Citrix.
First, Crosby said, the hypervisor has independent control over the virtual environment, and can see all the traffic of each guest operating system. Second, he said Intel has its Trusted Execution Technology and AMD its Presidio, both of which are extensions in their processors for implementing virtualization. "They can be used with the hypervisor to make sure only a trusted guest can be booted," he said.
Virtual machines need to be treated the same in terms of protection and management as physical servers, said Michael Berman, CTO of Catbird Networks, a Scotts Valley, Calif.-based developer of virtual security appliances.
"You can't assume virtual servers are any more secure," Berman said. "They're still affected by the same issues: spyware, viruses, patches. Even people with good security and who have deployed defense in depth in corporate environments are not extended it to their hypervisor environment."
Brandon Baker, security development engineer at Microsoft, said the two major areas related to security in virtualized environments are protection or isolation of the host environment, and how to manage and maintain the virtual machines.
On the host side, Microsoft's upcoming hypervisor-based virtualization technology, code named Viridian, will have a virtual machine monitor and provide additional security by running the hypervisor outside every instance of the operating system, including the host OS, Baker said.
Since Viridian is a part of the Windows Server 2008 operating system, any patches and updates done for the operating system also apply to Viridian, Baker said.
Viridian's first public data is expected to be released when Windows Server 2008 is released to manufacturing, with a full release planned for about 6 months later.
When Windows Server 2008 is used with Viridian, only the core functions of the operating system are installed in order to minimize the amount of updates needed and the number of potential attack points, Baker said. "So the host environment can be locked down with very little traffic," he said.
Baker said it is important to track virtual machines as they move, and especially as they are brought back from a dormant state. Viridian, he said, checks dormant virtual machines as they are brought back on-line in order to make sure that all necessary patches are done.
Tracking active and dormant virtual machines is a specialty of ConfigureSoft, a Colorado Springs, Colo.-based developer of software to ensure changes to a company's IT infrastructure do not impact any compliance issues that company is facing.
Andrew Bird, vice president of marketing at ConfigureSoft, said an increasing number of companies are seeing their personnel build virtual servers and add them to the network without ensuring they are compliant with corporate policies. Many of those virtual machines are put in a dormant stage when not in use, and when they are awoken do not have the required updates and patches.
It is also becoming common to build virtual servers for disaster recovery purposes, and then let them go dormant until required in an emergency, Bird said.
"Eventually they'll bring these servers up for, say, disaster recovery, but the servers will be out of sync with patches," he said. "ConfigureSoft senses the new server as it comes up, and corrects it before it is brought up."
Next: Security concerns grow along with virtualization
XenSource's Crosby said that security will become a more important issue over the next year or two as a result of virtualization becoming more and more prevalent in customers' data centers.
XenSource's hypervisor has security technology contributed by organizations such as the National Security Agency and the Department of Defense, and is certified to Common Criteria Level 5 (CCL5) security, Crosby said. In addition, it is based on only about 60,000 lines of code, which makes it easier to secure than other technologies, he said.
However, Crosby admitted that because XenSource has been in the market for much less time than other technologies like VMware, it has not been subject to attacks yet.
"Our goal is to have a smaller code base than VMware," he said. "So statistically, the total number of vulnerability opportunities is lower. We focus on security by design. But we have not yet been subject to the same amount of scrutiny that others have had."
Server virtualization vendors also look at ways to ensure that one virtual server does not and cannot interfere with another.
The Solaris operating system, which runs an application inside its own container on a common operating system instead of giving each virtual server its own OS, allows users to create multiple name space environments within the same kernel, said Joost Pronk van Hoogeveen, product line manager for Solaris virtualization at Sun Microsystems.
Users can specify which of up to 52 distinct privileges each application's container has, such as the ability to plumb IP addresses, snoop on network traffic, and change process priority, van Hoogeveen said. Many of those privileges are by default turned off, he said. "Essentially, you are in your own isolated environment," he said.
The importance of controlling privileges is important because, if someone, even a root user, manages to hack into a container, he or she cannot impact the other containers. "They can't change their IP addresses, or look at kernel memory, or see CD-ROMs or hard drives unless specifically allowed to," he said. "So they can't format drives, and can't see any processes outside their own environment."
Other server virtualization technologies, including older versions of Solaris, may allow a user in one virtual server access at the root user level take advantage of those privileges to hack into other virtual servers, van Hoogeveen said.
For instance, he said that VMware has the ability to not show certain hardware devices. For instance, if a physical server has four network interface cards, the user can be set up to only see one of them. "But you can be on that one NIC snooping IP addresses, formatting hard drives, and messing up the operating system," he said.
One tack the industry is taking to secure virtual servers is with virtual security appliances, VMware's Lin said. VMware, for instance, offers a program under which an ISV can configure virtual security appliances which can then be downloaded into a host physical server. For example, a company with anti-spam software that would normally be loaded on a small physical server can instead load it on a virtual server with all the related software, and sell it as a pre-configured appliance.
"Virtual appliances provide a safer way to distribute and install applications," he said. "ISVs are thinning down and hardening their applications on virtual appliances before sending them out. For instance, a security appliance can be stripped of unnecessary operating system features that might otherwise give rise to security issues."
Lin cited several vendors that are already coming out with virtual security appliances, such as CatBird and Proofpoint, Cupertino, Calif.
CatBird's V-Agent software watches for unauthorized IP and network routing, unauthorized device monitoring, and vulnerability routing. In February, the company turned that software into a virtual appliance which works exactly the same as the software on a physical box, except it does not monitor rogue wireless access since that is more of a data center issue than it is an internal network issue, Berman said.
V-Agent actually sits in the virtual server infrastructure's hypervisor to monitor rogue servers, access control, and network access, Berman said. "Traditional security software can see physical rogue servers," he said. "But they can't see rogue virtual machines sitting in the hypervisor. If a guest server gets infected or goes rogue, the hypervisor can't see it."
The Catbird virtual appliances can be downloaded into VMware's ESX or Virtual Server environment and installed in a couple minutes after answering two questions, Berman said. "Everything is centralized, so V-Agent can be easily turned on or off, or moved, or whatever," he said.
V-Agent agents are available at no charge, while software to protect the host servers lists for $3,250 for one or two processor cores. Solution providers can either sell the software or virtual appliances, or host the software as a way of offering it as a managed service. The company is now in the process of recruiting VMware solution providers to work with its products.
Server virtualization can be a helpful tool for implementing a company's overall security infrastructure.
The flexibility of virtual servers compared to physical servers gives users more options with virtual servers for testing and isolating problems, Lin said.
For instance, Lin said, customers can use virtualization to simplify certain operations such as updating security patches.
"It's easy to test patches with different server platforms using virtual servers before applying the patches to production servers," Lin said. "And you can take a snapshot of a server using virtualization before updating it to make it easy to revert to an earlier version if needed."
Currently there are no standard ways to measure the security of a virtual server environment, but that issue is being addressed by the Center for Internet Security, a not-for-profit organization looking to benchmark virtual server security.
Dave Shackeford, CTO of the Center for Internet Security, said his organization is developing benchmarks aimed at addressing a number of security issues.
For instance, every time a virtual machine is created on a host server, a new network socket is created between the two. Filtering is needed to limit access to IP addresses and set rules about who can talk to who, Shackeford said. Other issues include how to limit how a data center's administration console interacts with guest operating systems, and how to prevent malicious code from escaping a guest operating system to the host and vice-versa, he said.