In The Rush To Virtualization, Many Clients Forget Security

But as the rush to virtualize continues to push the technology mainstream, solution providers need to be sure they're taking the same approach that they would with any emerging technology: identifying and containing security risks.

"Because of the rush to adopt virtualization for server consolidation efforts, many security issues are overlooked, best practices aren't applied and in some cases, the tools and technologies for addressing some of the security issues with virtualization are immature or non-existent," according to Neil McDonald, vice president and fellow at Stamford, Conn.-based consulting firm Gartner Inc. McDonald believes that through 2009, more than 60 percent of virtual machine deployments in production will be less secure than their physical counterparts.

"Based on conversations I've had with clients, 90 percent of the time they haven't thought through technology tools they need to purchase to plug security gaps," he said.

Simon Herring, founder of Columbus, Ohio-based security solution provider Jacadis LLC, said he has encountered the same problems.

"At a high level, I am seeing our clients adopt virtualization to decrease their investment in hardware, as well as the maintenance involved in multiple physical platforms," Herring said. "This makes great sense. But the ease with which new guests' operating systems can be created presents security challenges. Out of sight is out of mind. If it's high on people's adoption list, it's also high on the adversary's list to decompose, analyze and identify ways to attack."

The Hidden Threat
The National Vulnerability Database (NVD) is the U.S. government's repository of standards-based vulnerability management data and part of the National Institute of Standards and Technology (www.nist.gov). According to NVD's most recent data, security vulnerabilities or manipulations in a virtual environment may include denial-of-service attacks, memory exhaustion, remote attackers that execute arbitrary code via vectors, memory corruption around de-duplication of user IDs and vulnerabilities that cause user passwords to be recorded in clear text in server logs, which could enable local users to gain privileges.

In February 2008, Boston-based security software provider Core Security Technologies Inc. discovered that Palo Alto, Calif.-based VMware Inc.'s desktop virtualization software had a serious security flaw. A mechanism was discovered in VMware's shared folders that granted users of a Guest system read and write access to any portion of the Host's file system—including the system folder and other security-sensitive files. Exploiting that vulnerability allowed attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.

"What's most relevant about this vulnerability is that it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Core Security CTO Iván Arce in a statement. "This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

For their part, VMware said that when it comes to virtualization security flaws, the market tends to have a "knee-jerk reaction."

"This is the same thing we've been hearing about for years," said Nand Mulchandani, VMware's senior director of product management and marketing. "There are a lot of misconceptions—virtualization security problems are not much different from the physical server environment. As [Gartner's] Neil McDonald said, a lot of people in the industry haven't thought it through and the biggest threat is from misconception and misuse."

McDonald said he disagreed with VMware's views on the subject.

"Actually, what I said was that the problem lies in misconfiguration and mismanagement," he explained. "It is a mistake to say that everything is the same as in the physical world, and VMware compounds the problem if they say virtualization security flaws are the same and ignoring this puts people at risk."

A Layered Approach
Although any type of tech security issue is problematic at best and disastrous at worst, virtualization security flaws have provided opportunities for software security firms to step in. Channel-friendly companies such as Lexington, Mass.-based Montego Networks Inc., and Sunnyvale, Calif.-based Fortinet Inc., are providing solutions that prevent and fix virtualization security problems.

"The moral of the story is that we need to do a better job of providing education of the product line and have a discussion of the issues involved," VMware's Mulchandani said.

That's an opinion shared by Hezi Moore, co-founder and CTO of Atlanta-based Reflex Security Inc., which provides security solutions for VMware ESX server and Citrix XenServer.

"People need to understand not only virtualization capabilities and value, but also security issues like visibility, which is the No. 1 issue I see," he added.

Moore recommends that before companies make the leap to virtualization, they follow best practices, such as isolating the virtual network for management, preparing for VM mobility, controlling access and using a testing environment before deploying to the production network.

It's also essential, Moore said, for companies to understand the virtual infrastructure and what the goals are for implementing a comprehensive security solution. They should take a layered approach, he added, because addressing every security requirement with a do-it-all device at a single location is neither efficient nor practical in terms of efficacy, performance and manageability.

"Organizations should determine not only what business applications can benefit from virtualization, but also what IT applications can benefit and use this trusted platform as an enabler," he said.

The bottom line? Virtualization is hot for a reason, but make sure you're asking the tough questions first.

Checklist: How To Secure A Virtual Network
When readying security for your virtual network, you need to make sure you have the following bases covered, according to Hezi Moore, co-founder and CTO of Atlanta-based Reflex Security Inc.

* Virtual Environment:
• What virtualization platform will be used?
• What processing and memory resources will be available for the security system?

* Protected Resource:
• What types of servers, operating systems and applications require protection?
• What are the attributes of protected data? (Volume, format, sensitivity, etc.)
• What are the relevant resource availability and/or disaster-recovery requirements?

* Special Risk Factors:
• What are the potential consequences of a virtualized environment security breach?
• Are there formal regulatory compliance (SOX, HIPAA, PCI etc.) or internal policies (such as COBIT) to consider?

* Physical Network Topology:
• Where is the virtual environment deployed with the physical network?
• What are the key topology and performance attributes of the physical environment?

* Potential Attack Vectors:
• What are the potential avenues of approach to the virtualized environment?
• Who might attack the virtualized environment, and why?

* Access Requirements:
• Who has access to the virtualized environment and for what purposes?
• What authorization, authentication and access provisions are appropriate?
• What trust level and competencies are associated with virtual environment users?

* Pre-existing Network Measures:
• What pre-existing network security technologies (firewalls, IPS, etc.) are available?
• Are there special compatibility issues (i.e., encryption standards)?

* Administrative And Operational Constraints:
• What budget resources are available?
• How will the virtualized security solution integrate with existing security policies, technologies, reporting and administrative systems?