Plotting Security Strategy In A Virtual World

XenSource's Crosby said that security will become a more important issue over the next year or two as a result of virtualization becoming more and more prevalent in customers' data centers.

XenSource's hypervisor has security technology contributed by organizations such as the National Security Agency and the Department of Defense, and is certified to Common Criteria Level 5 (CCL5) security, Crosby said. In addition, it is based on only about 60,000 lines of code, which makes it easier to secure than other technologies, he said.

However, Crosby admitted that because XenSource has been in the market for much less time than other technologies like VMware, it has not been subject to attacks yet.

"Our goal is to have a smaller code base than VMware," he said. "So statistically, the total number of vulnerability opportunities is lower. We focus on security by design. But we have not yet been subject to the same amount of scrutiny that others have had."

Server virtualization vendors also look at ways to ensure that one virtual server does not and cannot interfere with another.

The Solaris operating system, which runs an application inside its own container on a common operating system instead of giving each virtual server its own OS, allows users to create multiple name space environments within the same kernel, said Joost Pronk van Hoogeveen, product line manager for Solaris virtualization at Sun Microsystems.

Users can specify which of up to 52 distinct privileges each application's container has, such as the ability to plumb IP addresses, snoop on network traffic, and change process priority, van Hoogeveen said. Many of those privileges are by default turned off, he said. "Essentially, you are in your own isolated environment," he said.

The importance of controlling privileges is important because, if someone, even a root user, manages to hack into a container, he or she cannot impact the other containers. "They can't change their IP addresses, or look at kernel memory, or see CD-ROMs or hard drives unless specifically allowed to," he said. "So they can't format drives, and can't see any processes outside their own environment."

Other server virtualization technologies, including older versions of Solaris, may allow a user in one virtual server access at the root user level take advantage of those privileges to hack into other virtual servers, van Hoogeveen said.

For instance, he said that VMware has the ability to not show certain hardware devices. For instance, if a physical server has four network interface cards, the user can be set up to only see one of them. "But you can be on that one NIC snooping IP addresses, formatting hard drives, and messing up the operating system," he said.

One tack the industry is taking to secure virtual servers is with virtual security appliances, VMware's Lin said. VMware, for instance, offers a program under which an ISV can configure virtual security appliances which can then be downloaded into a host physical server. For example, a company with anti-spam software that would normally be loaded on a small physical server can instead load it on a virtual server with all the related software, and sell it as a pre-configured appliance.

"Virtual appliances provide a safer way to distribute and install applications," he said. "ISVs are thinning down and hardening their applications on virtual appliances before sending them out. For instance, a security appliance can be stripped of unnecessary operating system features that might otherwise give rise to security issues."

Lin cited several vendors that are already coming out with virtual security appliances, such as CatBird and Proofpoint, Cupertino, Calif.

CatBird's V-Agent software watches for unauthorized IP and network routing, unauthorized device monitoring, and vulnerability routing. In February, the company turned that software into a virtual appliance which works exactly the same as the software on a physical box, except it does not monitor rogue wireless access since that is more of a data center issue than it is an internal network issue, Berman said.

V-Agent actually sits in the virtual server infrastructure's hypervisor to monitor rogue servers, access control, and network access, Berman said. "Traditional security software can see physical rogue servers," he said. "But they can't see rogue virtual machines sitting in the hypervisor. If a guest server gets infected or goes rogue, the hypervisor can't see it."

The Catbird virtual appliances can be downloaded into VMware's ESX or Virtual Server environment and installed in a couple minutes after answering two questions, Berman said. "Everything is centralized, so V-Agent can be easily turned on or off, or moved, or whatever," he said.

V-Agent agents are available at no charge, while software to protect the host servers lists for $3,250 for one or two processor cores. Solution providers can either sell the software or virtual appliances, or host the software as a way of offering it as a managed service. The company is now in the process of recruiting VMware solution providers to work with its products.

Server virtualization can be a helpful tool for implementing a company's overall security infrastructure.

The flexibility of virtual servers compared to physical servers gives users more options with virtual servers for testing and isolating problems, Lin said.

For instance, Lin said, customers can use virtualization to simplify certain operations such as updating security patches.

"It's easy to test patches with different server platforms using virtual servers before applying the patches to production servers," Lin said. "And you can take a snapshot of a server using virtualization before updating it to make it easy to revert to an earlier version if needed."

Currently there are no standard ways to measure the security of a virtual server environment, but that issue is being addressed by the Center for Internet Security, a not-for-profit organization looking to benchmark virtual server security.

Dave Shackeford, CTO of the Center for Internet Security, said his organization is developing benchmarks aimed at addressing a number of security issues.

For instance, every time a virtual machine is created on a host server, a new network socket is created between the two. Filtering is needed to limit access to IP addresses and set rules about who can talk to who, Shackeford said. Other issues include how to limit how a data center's administration console interacts with guest operating systems, and how to prevent malicious code from escaping a guest operating system to the host and vice-versa, he said.