Fighting the next security war

Greg Ness is a strong believer in virtualization. What the vice-president of marketing for Blue Lane Technologies, a software security company and VMware partner, doesn’t believe in is enterprises applying last-war security theories to the new world of virtual machines.

“It’s like the Maginot line,” he says, referring to France’s line of defense against the Germans preceding WWII. “The line had two problems: it was static, and it assumed that allies on the northern border would hold their own.”

Instead, the Germans spoofed an attack to distract the French, then went around the edges through Belgium and the Netherlands.

“The Maginot line was an over-investment in old technology, a perfect set up for the last war,” he says.

“What we need to address security in virtualized environments is another layer in front of the protected zone. We are seeing people who can mutate around static security partitions. As more data and assets are virtualized there will be more and more vulnerabilities.”

In a recent interview, Chris Whitener, Hewlett-Packard’s director of enterprise storage and server security, also raised some red flags regarding virtualization and security.

“It’s a bad idea to have a situation where you can switch out the operating systems with no logging, no security,” he says.

“As well, virtual machine user code and password systems often don’t integrate with the rest of the IT structure, including identity management structures.”

Virtualization security practices are improving, with some vendors taking the lead on the education front. Patrick Lin, VMware’s senior director of product management and product marketing, said that best practices are a major focus.

But there are still challenges to be solved. “Where is the machine, what is it connected to, what license is it running on, and how are we managing deployments?” asks Novell Canada CIO Ross Chevalier. “In a virtualized environment it is easy to light up another machine and bring it online, whereas normally hardware would require a robust set of processes.”

Ness agrees, seeing further risk applying hardware-centric thinking to a virtualized environment. “There is change in front of and behind the network perimeter for virtualization that will erode the value proposition for traditional security approaches,” he says.

“Decisions have to be made as to which assets should be prioritized. You don’t protect your diamonds and toothbrushes in the same way. If you do, you’ll then lose fewer toothbrushes and more diamonds.”

One of the problems is that the ability to “real-motion” a server provides flexibility, but it also leaves the perimeter without knowledge of the IP-address location of the assets in need of protection. The challenge then becomes to avoid creating policies so cumbersome that the benefits of virtualization are lost.
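The point above is that a perimeter device which learned a VM's host and address at deployment time is looking at a stale map once the machine moves. The following added example (not code from the article or from any vendor named in it) folds a constructed stream of deployment, migration and re-addressing events into the current placement of each VM, re-derives where a VM-identity-keyed policy must be enforced, and reports which deployment-time bindings have gone stale. The event format, field names and policy shape are all assumptions made for the illustration.

```python
"""Constructed example: resolving where to enforce a VM-centric protection
policy after live migration, instead of binding rules to the host/IP
snapshot taken when the VM was first deployed.  Event and policy formats
are assumptions, not any real management API."""
from collections import defaultdict

# Constructed placement event stream, in arrival order.
EVENTS = [
    {"type": "deployed",    "vm": "db-01",  "host": "esx-a", "ip": "10.0.2.15"},
    {"type": "deployed",    "vm": "web-01", "host": "esx-a", "ip": "10.0.1.20"},
    {"type": "migrated",    "vm": "db-01",  "host": "esx-b"},              # live move, IP retained
    {"type": "readdressed", "vm": "web-01", "ip": "10.0.1.45"},            # lease renewal after move
    {"type": "migrated",    "vm": "web-01", "host": "esx-c"},
]

# Constructed policy keyed on VM identity rather than on an address or host.
POLICY = {
    "db-01":  {"profile": "database", "allow_from": ["web-01"]},
    "web-01": {"profile": "web",      "allow_from": ["any"]},
}


def fold_placement(events):
    """Reduce the event stream to each VM's current host and IP address."""
    placement = {}
    for ev in events:
        rec = placement.setdefault(ev["vm"], {"host": None, "ip": None})
        if "host" in ev:
            rec["host"] = ev["host"]
        if "ip" in ev:
            rec["ip"] = ev["ip"]
    return placement


def resolve_enforcement(policy, placement):
    """Translate the identity-keyed policy into concrete per-host rules using
    the *current* placement, so the rules follow the VM when it moves."""
    per_host = defaultdict(list)
    for vm, rule in policy.items():
        loc = placement[vm]
        src_ips = ["any" if s == "any" else placement[s]["ip"] for s in rule["allow_from"]]
        per_host[loc["host"]].append({
            "vm": vm,
            "dst_ip": loc["ip"],
            "profile": rule["profile"],
            "src_ips": src_ips,
        })
    return dict(per_host)


def stale_bindings(snapshot, placement):
    """Names of VMs whose deployment-time (host, ip) binding no longer matches
    reality; a perimeter device holding only the snapshot would miss them."""
    return sorted(vm for vm, bound in snapshot.items() if bound != placement.get(vm))


if __name__ == "__main__":
    snapshot = fold_placement(e for e in EVENTS if e["type"] == "deployed")
    current = fold_placement(EVENTS)
    for host, rules in sorted(resolve_enforcement(POLICY, current).items()):
        print(host, rules)
    print("stale deployment-time bindings:", stale_bindings(snapshot, current))
```

Re-running `resolve_enforcement` against the folded placement on every migration event is the design choice that matters here: the policy never names a host or an IP address, so nothing in it has to be edited when the machine moves.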

Virtual machines need to be tied in with security products, and the concern is that the security vendor community has been slow to see the risks associated with creating VMs on the fly.

The good news is that there are immense security advantages to virtualization, once attention is paid to the problem. “The hypervisor can function as a strategic access point,” says Ness, “and can help cover off the explosion in endpoints. Virtualization also allows us to take snapshots, to revert to previous versions.”

Alex Vasilevsky, CTO and founder of Virtual Iron, a company that provides enterprise-class virtualization management software, believes that virtualized environments have the potential to be extremely robust.

“It’s true that OS-hosted virtualization presented a wider surface for virus and malware attacks,” he says, “but we run a bare metal hypervisor that takes advantage of advances by Intel and AMD. With native virtualization the interface is very narrow, unlike a traditional OS that has thousands and thousands of APIs.”

From a security perspective, Andreas Antonopoulos, an analyst with New York City-based Nemertes Research, sees virtualization as providing short-term risk and long-term opportunity. “The complexities of real-time migration of a virtual machine have not yet been addressed by security vendors. There is a new security market emerging where the hypervisor layer can be used to supplement and enhance security.”

Antonopoulos echoes the advice of other experts that significant care has to be taken in deployment and segmentation. “VMware allows you to separate and compartmentalize applications, but these can also talk over the network without a firewall between them.” He is surprised there hasn’t been a broader response in the security vendor community, particularly as virtualization has experienced such robust growth, and is finding new uses in the data centre and labs.
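A concrete way to act on that segmentation advice is to audit the inventory for VMs of different trust zones that sit on the same virtual segment with nothing inspecting traffic between them. The block below is an added example, not code from the article or from VMware; the inventory records, zone labels and the set of firewalled segments are constructed for the illustration, and in practice they would be pulled from the virtualization manager and the network inventory.

```python
"""Constructed example: audit a VM inventory for cross-zone pairs that share
a virtual network segment with no in-line firewall between them."""
from collections import defaultdict
from itertools import combinations

# Constructed inventory: one record per VM with its host, port group and
# the trust zone the asset owner assigned to it.
INVENTORY = [
    {"vm": "web-01", "host": "esx-a", "segment": "pg-dmz", "zone": "dmz"},
    {"vm": "web-02", "host": "esx-b", "segment": "pg-dmz", "zone": "dmz"},
    {"vm": "db-01",  "host": "esx-a", "segment": "pg-dmz", "zone": "internal"},  # landed on the wrong segment
    {"vm": "db-02",  "host": "esx-b", "segment": "pg-db",  "zone": "internal"},
    {"vm": "lab-01", "host": "esx-c", "segment": "pg-lab", "zone": "lab"},
]

# Segments that have an in-line firewall/inspection point attached (constructed).
FIREWALLED_SEGMENTS = {"pg-db"}


def find_unfirewalled_cross_zone_pairs(inventory, firewalled_segments):
    """Return sorted (segment, vm_a, vm_b) tuples for every pair of VMs in
    different zones that share a segment with no firewall mediating it.
    Same-zone neighbours on one segment are not reported."""
    by_segment = defaultdict(list)
    for rec in inventory:
        by_segment[rec["segment"]].append(rec)

    findings = []
    for segment, vms in sorted(by_segment.items()):
        if segment in firewalled_segments:
            continue  # traffic on this segment passes an inspection point
        for a, b in combinations(sorted(vms, key=lambda r: r["vm"]), 2):
            if a["zone"] != b["zone"]:
                findings.append((segment, a["vm"], b["vm"]))
    return findings


def zones_per_segment(inventory):
    """Summary view: which trust zones are mixed on each segment."""
    zones = defaultdict(set)
    for rec in inventory:
        zones[rec["segment"]].add(rec["zone"])
    return {seg: sorted(z) for seg, z in zones.items()}


if __name__ == "__main__":
    for seg, zones in sorted(zones_per_segment(INVENTORY).items()):
        print(f"{seg}: zones {zones}")
    for segment, a, b in find_unfirewalled_cross_zone_pairs(INVENTORY, FIREWALLED_SEGMENTS):
        print(f"unfirewalled cross-zone path on {segment}: {a} <-> {b}")
```

Run against the constructed data it flags `db-01`, which can talk to both DMZ web servers on `pg-dmz` without any firewall in the path; `db-02` on the firewalled `pg-db` segment is not reported.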

“Cisco, Microsoft, and IBM have figured it out,” he says, “but Symantec, McAfee, and smaller players are oblivious to virtualization. When I was at the RSA show, I saw hundreds of vendors with niche products, but only a handful that were directly dealing with virtualization.”

This is because there has been too much of a network focus, and not enough of an understanding of how virtualization affects applications. For many years most of the attacks were at layers two, three, and four, with smaller companies focusing on the desktop and the network. Security companies, however, should be looking up the stack at layers five to seven.

Alex Vasilevsky points out that virtualization is useful for sandboxing and staging applications, that it is excellent for forensic analysis – even allowing for play-back of zero-day attacks – and that virtual honeypots can provide an envelope within which an OS attack can be observed and then analyzed.