Virtual servers: No safer than any other kind

Summary: As we move our physical servers to virtual servers, don't think for one second they're any more secure.


Once upon a time, we used to think in terms of one hardware server equals one server operating system. Then, along came KVM, Hyper-V, VMware, and all the rest of the virtual machine (VM) hypervisors and more recently Docker with its containers. Now the idea of a single server operating system on a solo box is downright quaint.


Don't think, however, that just because your servers are virtual instead of physical that they are somehow safer from security threats. They're not.

As Symantec stated in its new report, Threats to virtual environments, "Virtual machine hosting servers are not any [more] secure than any other type of server. They are just as vulnerable to malware or targeted attacks."

Indeed, there are some security threats that are unique to virtual machines. The cloud company Nebula's senior security software engineer Matthew Garrett, for example, maintains that it is possible for a hacker who managed to crack a VM server to, in turn, attack the virtualization hypervisor itself. If the hacker can then break a hypervisor, all the virtual servers would be at his mercy.


Other experts, such as Simon Crosby, co-creator of the Xen hypervisor and the CTO of Bromium, an end-point security company, don't think hypervisor attacks are plausible. Crosby believes these attacks are unlikely because of the code quality of hypervisors, the extreme difficulty of such an attack, and the low potential payoff if such an assault were successful.

At the Linux Enterprise End User Summit in June, I asked Garrett about Crosby's objections and he said that hackers delight in working on hard security problems. He also noted that, with so many servers available to be attacked, breaking into a hypervisor would be well worth a hacker's time and effort.

In addition to potential hypervisor threats, Symantec warns that VM-based servers are just as vulnerable to malware or targeted attacks as their hardware-based comrades. In addition, malware can target older VM server snapshots when they're provisioned during disaster recovery. In turn, infected VMs can attack other VMs over the virtual network. And VMs — while being brought down and then brought back up again on different servers with different network addresses — may not have the appropriate level of protection at their new physical home.

These aren't just theoretical attacks. Symantec noted that Crisis malware, a Java-based program, can attack Windows servers on VMware. The malware tries to spread to virtual machines that are stored on the local server — a host-to-guest infection. It does not exploit any VMware vulnerability per se to do this. Rather, it tries to modify inactive VMs. If it's successful, it then goes after other VMs on the same physical server.

Symantec would also agree with Garrett that the host server can be attacked from an infected VM. The company pointed out that 2009's Cloudburst attack used a vulnerability in VMware Workstation's VM display functionality to take over the host operating system.

So what can you do about this? Symantec has a list of best practice guidelines:

  • Hardening: The host server needs to be well protected as it provides access to multiple virtual machines. Administrators can adjust policies and white-listing to only allow trusted system applications to run.
  • Advanced malware protection: The host server, as well as any virtual machine running on it, needs to be protected against malware. To achieve this, advanced malware protection, with proactive components that go beyond classical static anti-virus scanners, needs to be in place.
  • Access control: Administrators need to apply proper access control management to virtual machine hosting servers in order to ensure that only eligible users can perform changes. These are crucial servers that should use strong login processes, like two-factor authentication. These processes should include a proper logging of successful and failed logins for accountability.
  • Disaster recovery: Virtual machines need to be integrated into the disaster recovery and business continuity plan. Administrators should apply high availability and backup strategies for the data.
  • Virtual network protection: Administrators should ensure that network security tools like IPS/IDS have access to traffic in the virtual network between multiple virtual machines on the same host server. Most vendors provide access to hooks that can be used.
  • Updating: Snapshots and images of virtual machines need to be included in the patch and upgrade cycle, so that they are up-to-date when deployed.
  • Logging: Virtual machines need to be integrated into the security logging and SIEM visualization systems just like any other IT device. Since virtual machines can be provisioned dynamically and moved around the network, these activities need to be logged consistently as well.
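The "Updating", "Virtual network protection" and "Logging" guidelines above can be checked mechanically if snapshot inventory and hypervisor events are logged. The following is an added example, not code from the article or from Symantec; the inventory, the event-line format, the host names and the 30-day patch cycle are all constructed assumptions.

```python
"""Audit VM snapshots and hypervisor events against the guidelines above."""
from datetime import datetime, timedelta

# Constructed inventory: snapshot name -> (creation date, host it was taken on)
SNAPSHOTS = {
    "web01-2014-03-01": ("2014-03-01", "esx-a"),
    "db02-2014-06-10": ("2014-06-10", "esx-b"),
    "app03-2014-01-15": ("2014-01-15", "esx-a"),
}

# Constructed hypervisor event log lines; the key=value format is an assumption.
EVENTS = [
    "2014-06-20T10:01:00 VM_MIGRATE vm=web01 from=esx-a to=esx-b",
    "2014-06-20T10:05:00 VM_PROVISION vm=web01 snapshot=web01-2014-03-01 host=esx-b",
    "2014-06-20T10:09:00 VM_PROVISION vm=db02 snapshot=db02-2014-06-10 host=esx-b",
    "2014-06-20T11:00:00 VM_MIGRATE vm=app03 from=esx-a to=esx-c",
]

# Hosts where IDS/IPS taps on the virtual network and malware protection are confirmed.
PROTECTED_HOSTS = {"esx-a", "esx-b"}


def stale_snapshots(snapshots, as_of, max_age_days=30):
    """Snapshots older than one patch cycle; they must be patched before deployment."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_age_days)
    return sorted(name for name, (created, _host) in snapshots.items()
                  if datetime.strptime(created, "%Y-%m-%d") < cutoff)


def parse_event(line):
    """Split one event line into a dict of timestamp, kind and key=value fields."""
    ts, kind, *fields = line.split()
    return {"ts": ts, "kind": kind, **dict(f.split("=", 1) for f in fields)}


def unprotected_migrations(events, protected_hosts):
    """(vm, host) pairs where a VM moved to a host without confirmed protection."""
    evs = map(parse_event, events)
    return [(e["vm"], e["to"]) for e in evs
            if e["kind"] == "VM_MIGRATE" and e["to"] not in protected_hosts]


def risky_provisions(events, snapshots, as_of, max_age_days=30):
    """(vm, snapshot) pairs where a VM was provisioned from a stale snapshot."""
    stale = set(stale_snapshots(snapshots, as_of, max_age_days))
    evs = map(parse_event, events)
    return [(e["vm"], e["snapshot"]) for e in evs
            if e["kind"] == "VM_PROVISION" and e["snapshot"] in stale]


if __name__ == "__main__":
    print(stale_snapshots(SNAPSHOTS, "2014-06-20"))
    print(unprotected_migrations(EVENTS, PROTECTED_HOSTS))
    print(risky_provisions(EVENTS, SNAPSHOTS, "2014-06-20"))
```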

Does all that sound familiar? It should. Virtual or physical, if you want to keep your servers safe you need to practice the security basics 24-hours a day, every day of the year.



  • I call BS

    I have never heard of a virus attacking a "snapshot". A snapshot isn't even running. I think these guys are trying to spin paranoia to protect there own jobs.
    Sean Foley
    • It sounds like the theory

      It sounds like the theory is if you bring up a new VM from a snapshot during disaster recovery, that snapshot may be out of date on patches.
      Buster Friendly
    • @SF. BS is the content of all your comments....

      Worshipping Micro$haft the way you do.
    • "There own jobs"

      You probably mean "their own jobs", I guess.
      • Okay

        The silly personal attack wasn't enough you had to go with a typo flame too? Grow up.
        Buster Friendly
  • This article fails to mention this point

    I've heard from some people that virtualising an old, out-of-support OS like Windows XP is the cure-all for security problems.

    I laugh.

    Switching to an embedded version is a better idea - smaller attack surface, and longer support lifecycle.
    • What do you plan to do with it?

      What do you plan to do with the embedded version?
      Buster Friendly
      • Easy

        Turn the application system into an appliance.
    • Joe_Raby: "This article fails to mention ..."

      Why on earth would this article, which deals with virtualized server security, mention anything about running the Windows XP desktop virtualized?

      Steven has already dealt with the issue of running Windows XP virtualized back in April, when Microsoft ended support for the operating system:
      By Steven J. Vaughan-Nichols for Linux and Open Source | April 14, 2014

      From the linked article:
      "be wary of any XP programs that require network access, since that's the way the hackers will be trying to get to your virtual XP system just as if were running normally on a PC"
      Rabid Howler Monkey
      • Not the same

        Windows XP embedded is different from Windows XP.
        Buster Friendly
        • Joe_Raby: "an old, out-of-support OS like Windows XP"

          Reads the same to me. I assure you that Steven was not writing about an embedded version of Windows in the article I linked above.
          Rabid Howler Monkey
          • You're right

            He didn't. And that's why I made the point in the first place. Virtualization is NOT a solution to having no security updates. Virtualization is not a security mechanism.

            Turning an application system into an appliance device with an embedded operating system is a valid solution though, and it can be done just as well with Windows Server Embedded as it can with Windows (Client) Embedded. Microsoft provides longer support lifecycles for embedded OS's. When you deploy an embedded OS, you do so with the knowledge that it is built (and licensed) to be used for a singular application (whether meant to be a "usage scenario" or "computer program"). When you strip out all of the unnecessary API's and software components that aren't used for the application, you can easily reduce the attack surface of the machine.
          • Security by isolation depends heavily on virtualization

            Take a look at the Qubes OS desktop which is based on the Xen type 1 hypervisor:


            A user can still get into trouble with Qubes OS if s[he] uses a single VM for everything including online banking, email and general Internet surfing. In this case, there is only one VM and, therefore, there is no isolation.
            Rabid Howler Monkey
          • Another example of security provided by virtualization

            Samsung's KNOX Hypervisor used in its Android smartphones (and, presumably, tablets as well) is based on Green Hills INTEGRITY Multivisor:


            P.S. You might like this solution as it is embedded virtualization.

            Rabid Howler Monkey