Many IT administrators out there think that deploying virtual servers will make their VMs bulletproof to security vulnerabilities and malicious attacks. But according to virtualization security experts like Edward L. Haletky, IT managers will be surprised to learn at how much more they can to do protect their virtual infrastructure.
“The biggest security issue right now, as it relates to virtualization, is that people don’t understand what they’re doing,” Haletky, who owns Worchester, Mass.-based AstroArch Consulting Inc. and is also writing a book on virtualization security, said. “The virtualization administrator is not a security administrator. They can’t be because there’s too much to learn. Nor is the virtualization administrator a storage manager and they have to know that as well.”
While virtualization technology is not inherently vulnerable, the wide education gap between security administrators and virtualization administrators often leads to insecure virtualization server deployments. Most virtualization security experts out there — and at this point these experts are very few and far between — recommend virtualization administrators better educate themselves on security, try and implement proper policies and auditing measures for their VMs, and ensure that functionality and content on their VMs are spilt up into isolated operating environments.
More in Network World Canada Isolating your VMs
According to Haletky, virtualization administrators have four networks that they need to worry about: the administrative network, the storage network, the virtual machine network and the VMotion network. Some of the biggest security vulnerabilities, he said, can occur when virtualization administrators don’t isolate these networks.
“Some administrators are putting all four of those networks smack tab in their DMZ (the exposed portion of a corporate network, which might contain Web and other networked servers), when only one should go there,” he said. Haletky said there are hard and fast rules that govern what IT can do within the DMZ — first and foremost being a ban on systems with more than one network connection. Haletky said the same rule should also apply to virtual servers and he advised IT administrators to keep them as far away from the DMZ as possible.
David Senf, director of security and software research at IDC Canada, agreed. “To avoid mixing security policies and preventing things like escalation of privileges, some IT departments won’t allow VM sessions in their DMZ to reside on hosts behind the DMZ, for example,” he said
John Sloan, senior research analyst at London, Ont.-based Info-Tech Research Group, said that administrators can use network isolation by grouping VMs together in specific security zones. “You could have machines that are hived off from other machines and given varying levels of security,” he explained.
Sloan also advised that administrators using live migration functionality — which refers to the ability to move a running virtual machine from one physical server to another to optimize performance and reduce downtime — be wary of its impact on security.
More in Network World Canada “You can have situations where servers might require higher levels of security, but they will get moved on the fly to other boxes for performance reasons, as opposed to security reasons,” he said. “So, that adds much more complexity, because you will also have to look at how physical servers are zoned and ensure that even with live migration, ‘like’ servers are staying together on the same platforms.”
One solution provider that’s trying to address the need for organizations to run their workloads in a secure and isolated environment is Columbia, Md.-based Tresys Technology. The company’s flagship product, VM Fortress, focuses on desktop virtualization security, allowing virtualization administrators to control their VMs by confining them to sandboxes.
“If you have VMs that are going to be connecting to a network that controls a nuclear power plant as well as another corporate network, you want to make sure that those two networks stay separated,” Karl MacMillan, director of technology engineering at Tresys, said. “The most pressing security need is to make certain that vulnerabilities in the virtualization software itself, doesn’t allow the guest VM to wreak havoc on their system and potentially reach in and touch other guests.”
With sandboxes that group VMs with the same access rights together, comes the ability to isolate individual applications on individual VMs. He said this will ensure your HR application is not compromised by your Web browser.
If you have VMs that are going to be connecting to a network that controls a nuclear power plant as well as another corporate network, you want to make sure that those two networks stay separated.
Karl MacMillanDirector of technology engineering,Tresys Text
“The advantage to that is you can have strong separation using the ability to create many more VMs,” MacMillan said. “But with the proliferation of VMs, you also need to secure each of those operating systems. You have to update them, patch them, and just keep track of them in general.”
Managing VM sprawl
According to Info-Tech’s Sloan, one of the major benefits of using VMs is that they are more isolated from the underlying hardware. “If a VM becomes infected with a virus or is somehow attacked maliciously by one means or another, the repercussions can be minimized because it’s very easy to sequester and stop that VM,” he said.
But while the VMs itself may be more resilient, Sloan said, security monitoring and management is still essential for VMs doing mission critical work.
“The same goes for management in general, if you don’t have policies and procedures in place for your VMs, then you’re going to create more risk,” he said. “You have to have security management that is sophisticated enough to track and manage your VMs.”
Now most people would agree that it’s hard to break into a physical data centre and steal a bunch of data. But what happens when an attacker can simply create a VM without actually stepping foot into your data centre and use it to gain access to sensitive data. Chances are you wouldn’t know it was even being done, Haletky said.
“Security doesn’t improve when you use virtualization, it actually goes the opposite direction,” he said. “Another major reason is because you now have VM sprawl.”
A recent breach report compiled by Verizon Business earlier this year found that 27 per cent of attacks came from unsuspected connections to a system and 10 per cent came from inappropriate privileges to a system.
“The administrators didn’t know the machines existed,” Haletky said. “With virtualization, new VMs are extremely easy to implement within the environment and that ease of implementation, if not slowed down, governed or verified, will cause security problems.”
Haletky said that unless companies have the proper auditing in place, data centres will continue to be vulnerable to VMs that they can’t see and were created on their network without permission. The solution for IT administrators, he said, is to employ some form of workflow approval process to monitor and audit their systems.
“Right now, virtualization security is a whole bunch of auditing,” Haletky said. “You need auditing, you need to get the reports, and you need to get the notifications. If you can do that much, you are far ahead of the game.” But the biggest roadblock to solid auditing, he said, is the fact that no great tools are out there on the market today.
“There’s really nothing that tells you that a new VM has been added, you have to go and look,” Haletky said. “On VMware ESXi, you can actually have alarms fire if VMs power on and you can get an e-mail telling you this. But you don’t really get any information on what the VM does.”
It’s not just network security Haletky said the three major security monitoring guides available today — which include guides from VMware, CISecurity and DISA/STIG — don’t go into much depth and fail to provide start scripts for users looking to put ESX server auditing and monitoring into practice. He said that the guides outline some of what needs to be audited, but are far from complete.
Another inherent problem, according to Haletky, is that most virtualization administrators are looking at virtual security from strictly a networking perspective. “Protecting the virtual environment encompasses more than the service console, the management appliance, and the network” he said. “It also includes storage, backups, disaster recovery and business continuity cases. It includes pretty much everything and there are tools for specific ones.”
VMs are becoming more of an attack surface and people just aren’t realizing that, he added. “Placing a VM inside of a virtualization server, no matter which vendor you’re using, doesn’t offer you adequate protection. Network security will take you a long way, but I’m not sure it’s sufficient.”
If you can’t find or afford a virtualization security expert to help you get started, experts suggest that companies simply look for a security person with an understanding of virtualization. For most organizations, it will come down to a risk analysis, before they ultimately decide what kind of monitoring processes they need.
“If you look at a lot of the designs out there for virtualization server implementations, security is not even mentioned anywhere in the designs,” he said. “They’re saying we’ve got to get it out there, we’ve got to save on our costs and cooling, but they don’t say we need to be secure.”