Once upon a time, we used to think in terms of one hardware server equals one server operating system. Then, along came KVM, Hyper-V, VMware, and all the rest of the virtual machine (VM) hypervisors and more recently Docker with its containers. Now the idea of a single server operating system on a solo box is downright quaint.
Don't think, however, that just because your servers are virtual instead of physical that they are somehow safer from security threats. They're not.
As Symantec stated in its new report, Threats to virtual environments, "Virtual machine hosting servers are not any [more] secure than any other type of server. They are just as vulnerable to malware or targeted attacks."
Indeed, there are some security threats that are unique to virtual machines. The cloud company Nebula's senior security software engineer Matthew Garrett, for example, maintains that it is possible for a hacker who managed to crack a VM server to, in turn, attack the virtualization hypervisor itself. If the hacker can then break a hypervisor, all the virtual servers would be at his mercy.
Other experts, such as Simon Crosby, co-creator of the Xen hypervisor and the CTO of Bromium, an end-point security company, don't think hypervisor attacks are plausible. Crosby believes these attacks are unlikely because of the code quality of hypervisors, the extreme difficulty of such an attack, and the low potential payoff if such an assault were successful.
At the Linux Enterprise End User Summit in June, I asked Garrett about Crosby's objections and he said that hackers delight in working on hard security problems. He also noted that, with so many servers available to be attacked, breaking into a hypervisor would be well worth a hacker's time and effort.
In addition to potential hypervisor threats, Symantec warns that VM-based servers are just as vulnerable to malware or targeted attacks as their hardware-based comrades. In addition, malware can target older VM server snapshots when they're provisioned during disaster recovery. In turn, infected VMs can attack other VMs over the virtual network. And VMs — while being brought down and then brought back up again on different servers with different network addresses — may not have the appropriate level of protection at their new physical home.
These aren't just theoretical attacks. Symantec noted that Crisis malware, a Java-based program, can attack Windows servers on VMware. The malware tries to spread to virtual machines that are stored on the local server — a host-to-guest infection. It does not exploit any VMware vulnerability per se to do this. Rather, it tries to modify inactive VMs. If it's successful, it then goes after other VMs on the same physical server.
Symantec would also agree with Garrett that the host server can be attacked from an infected VM. The company pointed out that 2009's Cloudburst attack used a vulnerability in VMware Workstation's VM display functionality to take over the host operating system.
So what can you do about this? Symantec has a list of best practice guidelines:
- Hardening: The host server needs to be well protected as it provides access to multiple virtual machines. Administrators can adjust policies and white-listing to only allow trusted system applications to run.
- Advanced malware protection: The host server, as well as any virtual machine running on it, needs to be protected against malware. To achieve this, advanced malware protection — with proactive components that go beyond classical static anti-virus scanners — needs to be in place.
- Access control: Administrators need to apply proper access control management to virtual machine hosting servers in order to ensure that only eligible users can perform changes. These are crucial servers that should use strong login processes, like two-factor authentication. These processes should include a proper logging of successful and failed logins for accountability.
- Disaster recovery: Virtual machines need to be integrated into the disaster recovery and business continuity plan. Administrators should apply high availability and backup strategies for the data.
- Virtual network protection: Administrators should ensure that network security tools like IPS/IDS have access to traffic in the virtual network between multiple virtual machines on the same host server. Most vendors provide access to hooks that can be used.
- Updating: Snapshots and images of virtual machines need to be included in the patch and upgrade cycle, so that they are up-to-date when deployed.
- Logging: Virtual machines need to be integrated into the security logging and SIEM visualization systems just like any other IT device. Since virtual machines can be provisioned dynamically and moved around the network, these activities need to be logged consistently as well.
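As an added illustration (not from the article or the Symantec report), the following Python audit applies three of the points above to a constructed inventory: it flags snapshots older than the patch window, flags migrations onto a host that lacks IDS visibility or a malware agent (the "new physical home" gap), and normalises provisioning/migration events into flat SIEM-style records. The record format, host attributes and field names are assumptions for the example, not any real hypervisor's API.

```python
from datetime import datetime, timedelta

# Constructed sample data; the fields and log format are assumptions for this example.
PATCH_WINDOW = timedelta(days=30)

SNAPSHOTS = [
    {"vm": "web-01", "snapshot": "web-01-pre-upgrade", "last_patched": "2014-04-02"},
    {"vm": "db-01", "snapshot": "db-01-golden", "last_patched": "2014-06-20"},
]

# Per-host protection state: does the virtual network feed an IDS tap, and is the malware agent present?
HOSTS = {
    "esx-a": {"ids_tap": True, "agent": True},
    "esx-b": {"ids_tap": False, "agent": True},
}

# Constructed hypervisor audit lines: "<timestamp> <action> key=value ..."
EVENTS = [
    "2014-07-01T08:00:00 provision vm=web-02 host=esx-a user=alice",
    "2014-07-01T09:15:00 migrate vm=db-01 from=esx-a to=esx-b user=bob",
]


def stale_snapshots(snapshots, now, window=PATCH_WINDOW):
    """Return snapshot names whose last patch date is older than the patch window ('Updating')."""
    today = datetime.strptime(now, "%Y-%m-%d")
    return [s["snapshot"] for s in snapshots
            if today - datetime.strptime(s["last_patched"], "%Y-%m-%d") > window]


def parse_event(line):
    """Turn one audit line into a flat dict suitable for shipping to a SIEM ('Logging')."""
    ts, action, *kvs = line.split()
    rec = {"ts": ts, "action": action}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec


def unprotected_moves(events, hosts):
    """Flag migrations whose destination host lacks IDS visibility or the malware agent."""
    findings = []
    for rec in map(parse_event, events):
        if rec["action"] != "migrate":
            continue
        dest = hosts.get(rec["to"], {})          # unknown host -> every control missing
        missing = [c for c in ("ids_tap", "agent") if not dest.get(c)]
        if missing:
            findings.append((rec["vm"], rec["to"], missing))
    return findings


def siem_records(events):
    """Normalise every provisioning/migration event so VM lifecycle is logged consistently."""
    return [parse_event(e) for e in events]
```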
Does all that sound familiar? It should. Virtual or physical, if you want to keep your servers safe you need to practice the security basics 24 hours a day, every day of the year.