Real approaches to virtual security

Amid all the hype around virtualisation, security shouldn't take second place, experts warn
Written by Tom Espiner, Contributor

Research carried out by ZDNet.co.uk has revealed that although virtualisation is not a priority for many companies at the moment, it rates highly in plans for the next five years.

However, while exciting possibilities exist with virtualisation, it can be a double-edged sword. As well as networking and workflow considerations, IT managers implementing virtualisation must also be aware of the security aspects of the technology.

One basic principle for virtualisation security is to treat all virtual systems as though they were as potentially vulnerable as physical machines, says Chris Mayers, senior security architect for Citrix.

He claims IT professionals should check that the security products they have already deployed can cope with virtual systems. Existing security software and services have to be compatible with all virtual machines, or those machines could be vulnerable. "IT professionals should ask vendors whether they support their security products in virtualised environments," says Mayers.

As well as the virtual machines themselves, the networks on which the machines reside need to be visible to security products if malicious traffic is to be identified. Andy Buss, senior security analyst with Catalysis, recommends IT professionals make sure traffic to and from virtual and physical machines is inspected. Intrusion-detection systems mainly rely on the ability to monitor data packets flowing between points in a network, he explains. "It's about monitoring the situation to see changes in firmware," says Buss.

Many networking and security companies build products that can perform virtual network traffic analysis, including Internet Security Systems, TippingPoint, Juniper Networks and Cisco.

It's all about the patching
Maintaining the security of virtual machines that are inactive for any reason — perhaps an image of the machine in question is being shipped across the network — is another task that needs to be carefully managed, experts agree.

Virtual machines that are offline, not running on any processor, are essentially just large files. If that file is compromised, it is easy to move around and can be redeployed by attackers on their own networks.

Think about virtual machines having the same problems as backup tapes or even CDs — you have to make sure you encrypt virtual machines and protect them when they're being moved, Mayers advises.

There are various ways to maintain offline virtual machines so they are fully up to date with patches when you bring them back online, says Buss. A lot of people take snapshots of systems to do backups, for high availability and easy recovery in the event of a systems failure. Imagine you have a snapshot-based backup — when bringing that back online, it may have missed a vital update. You need to process offline images of virtual machines, and there are various technologies being developed that will allow offline images to be scanned and have patches pushed to them.

According to Citrix's Mayers, the trick is to look at the virtual machine lifecycle as a whole, and to think of it as a workflow issue. Making sure antivirus is updated is "somewhat more complicated" than in a physical machine, but many antivirus vendors do allow lifecycle policy to be enforced.

However, no single vendor has a complete, overall view of virtualisation security, so IT professionals should consider "gluing the necessary pieces together" themselves, says Mayers.

If you have an offline fileserver you might write code to move it to a virtual machine, audit it, encrypt it, and move it back. You can then replace ad hoc solutions with products from vendors when they become available.
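The snapshot problem above (an image restored from backup may have missed updates released after it was captured) and the audit step in the offline workflow can be expressed as a small admission check. The following is an added example, not code from the article or any vendor: the snapshot metadata, patch identifiers and dates are constructed sample data, and the required-patch list stands in for whatever a real patch-management system would supply.

```python
"""Patch-level gate for offline VM snapshots.

Added example, not code from the article or any vendor: before a snapshot is
brought back online, compare the patches recorded in its metadata with the
patches currently required and decide whether it may start. The snapshot
metadata and the required-patch list below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    name: str
    taken_on: str                                  # ISO date the image was captured
    installed: set = field(default_factory=set)    # patch ids present inside the image


# Constructed: patches every machine must carry today, keyed to release date.
REQUIRED_PATCHES = {
    "P-2023-001": "2023-01-10",
    "P-2023-014": "2023-03-22",
    "P-2023-031": "2023-06-05",
}


def missing_patches(snapshot, required):
    """Required patch ids absent from the image, oldest release first."""
    missing = [pid for pid in required if pid not in snapshot.installed]
    return sorted(missing, key=lambda pid: required[pid])


def patches_released_since(snapshot, required):
    """Patches published after the image was captured: exactly the updates a
    snapshot-based restore would silently miss. ISO dates compare as strings."""
    return sorted(pid for pid, date in required.items() if date > snapshot.taken_on)


def admission_decision(snapshot, required=REQUIRED_PATCHES):
    """Decide whether an offline image may come online as it stands."""
    missing = missing_patches(snapshot, required)
    return {
        "snapshot": snapshot.name,
        "admit": not missing,
        "missing": missing,
        "released_since_capture": patches_released_since(snapshot, required),
        "action": ("bring online" if not missing
                   else "keep offline: push patches to the image, then re-audit"),
    }


if __name__ == "__main__":
    # Constructed: one stale snapshot from February, one fresh one from June.
    stale = Snapshot("fileserver-2023-02-01", "2023-02-01", {"P-2023-001"})
    fresh = Snapshot("fileserver-2023-06-10", "2023-06-10", set(REQUIRED_PATCHES))
    for snap in (stale, fresh):
        print(admission_decision(snap))
```

The two lists differ on purpose: `missing` is what must be pushed to the image before it starts, while `released_since_capture` tells you how far behind a backup-based restore has drifted even when no patch happens to be mandatory yet.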

However, some virtualisation vendors do offer means to monitor the lifecycle of machines. VMware offers a product called the Update Management Tool, which allows IT managers to patch virtual machines offline via a virtual CD drive, while Citrix has similar tools under development. "Look for announcements in this space," says Mayers.

VMware also has VMsafe, which is essentially a set of application programming interfaces (APIs) that allow security vendors and trusted third parties to build applications compatible with VMware products. Although opening up APIs also opens up applications to potential compromise, VMsafe enables developers to take a look at VMware's proprietary code. "Everything written by a human is not invulnerable to attack, but VMsafe is about making it generally harder to compromise," says Catalysis's Buss. "VMsafe enables security companies to look within VMware virtual machines, which is definitely a good step forward."

Beware the hypervisor
Hypervisors, also known as virtual-management consoles, are pared-down pieces of software used to monitor and control virtual machines. These are indispensable, but if your hypervisor is hijacked, the attacker can manipulate virtual machines and control the whole virtual system. While there have been no reported successful attacks that subvert hypervisors, the hypervisor can still be an avenue of attack. These theoretical attacks are known as "hyperjacking".

The hypervisor is easier to secure than a full-blown operating system, as there is not much code in it to guard. However, hypervisors are becoming fatter, which could make them harder to secure and lock down, according to Buss.

Different approaches to securing hypervisors include embedding security code either in the hypervisor itself, or in a virtual machine which then acts as a security enforcer for the hypervisor.

Some experts even claim security software embedded in the hypervisor could be more efficient than traditional antivirus installed on separate physical machines. However, there is still the necessity for the hypervisor to be as compact as possible for information assurance purposes, as the bigger the system is, the more code there is to exploit.

It's also possible to embed security in virtual systems by using platform integration mechanisms, which work by scanning systems on start-up to detect changes. When booting up, the system's hardware itself checks for any changes to the system, which would reveal whether any malicious code had been installed. This isn't used very often, as systems can legitimately change too: for example, if you patch them. However, Mayers argues that platform integration can work for hypervisors as the code doesn't change very often.

"With platform integration, you can tell if you get a hyperjacking attack," says Mayers. If you do suffer such an attack, you can tell when the system reboots. To overcome the issue for systems that are not rebooted very often, Mayers said security should run in a separate virtual machine, with the caution that virtual machines cannot provide physical enforcement.
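The boot-time check described above, and the objection that legitimate patches also change the code, can be modelled as a digest manifest that is verified at every boot and re-recorded only through a declared patch step. This is an added example, not code from the article, Citrix or VMware: the hypervisor is represented as an in-memory map of paths to bytes (constructed sample data) so it runs without real hardware, and a real deployment would anchor the manifest in tamper-resistant storage such as a TPM, which the example does not attempt.

```python
"""Boot-time integrity check of a hypervisor's code.

Added example, not code from the article, Citrix or VMware: a manifest of
SHA-256 digests is recorded when the hypervisor is installed, compared at every
boot, and only re-recorded through an explicit patch step. The hypervisor files
are modelled as an in-memory {path: bytes} map (constructed sample data).
"""
import hashlib
import hmac

# Constructed sample "hypervisor": a handful of files with fixed contents.
HYPERVISOR_FILES = {
    "/boot/hv.bin":   b"hypervisor core v1",
    "/boot/hv.cfg":   b"vcpus=8\nnet=vswitch0\n",
    "/lib/hv/vmm.so": b"vmm module v1",
}


def build_baseline(files):
    """Record the digest of every file that makes up the hypervisor."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify(baseline, files):
    """Compare the files present now against the recorded manifest.

    Reports files whose content changed, files that vanished, and files that
    appeared without being in the manifest (an implant dropped next to the
    hypervisor shows up in the last category).
    """
    current = build_baseline(files)
    modified = sorted(p for p in baseline
                      if p in current and not hmac.compare_digest(baseline[p], current[p]))
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"clean": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def rebaseline_after_patch(baseline, files, patched_paths):
    """Accept a declared patch: refresh digests only for the paths the patch
    says it touched. Any other drift is still reported by verify()."""
    current = build_baseline(files)
    updated = dict(baseline)
    for path in patched_paths:
        if path in current:
            updated[path] = current[path]   # changed or newly added by the patch
        else:
            updated.pop(path, None)         # removed by the patch
    return updated


if __name__ == "__main__":
    files = dict(HYPERVISOR_FILES)
    manifest = build_baseline(files)
    print("first boot:", verify(manifest, files))
    files["/boot/hv.bin"] = b"hypervisor core v1 + unexpected change"
    print("after tampering:", verify(manifest, files))
```

Because a patch has to be declared path by path, a change the patch did not announce is still flagged at the next boot, which is the distinction the article draws between systems that legitimately change often and a hypervisor that should not.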

The problem of how to provide physical as well as virtual enforcement can be partially overcome by keeping networks separate. Experts agree that different types of network, such as LAN, iSCSI and VLAN, should be kept apart.

Virtual local area networks (VLANs) use virtual switches to route data, and these virtual switches are also potentially open to attack, according to analyst Buss. For example, one server with a hypervisor running five virtual operating systems will communicate over a virtual network interface and connect to a virtual switch acting as an Ethernet port. A firewall or intrusion prevention system between the hypervisor and the virtual switch protects the applications in the virtual environment from being compromised.

Avoid single points of failure
After setting up a virtualised system, a disaster-recovery test is a good way to check that the security implementation hasn't introduced single points of failure into systems, advises Mayers. Hypervisors should be installed in more than one place, so if one part of the system goes down the whole edifice doesn't topple.

To test for single points of failure in virtualised systems, Mayers recommends live disaster-recovery tests. "A test will discern if you have any single points of failure. Look at the impact of concentration: how many virtual machines you have on a single physical machine. If that fails, what load does that place on other machines?"

Static security policies — basically pre-defined rules of how to secure a fixed network — might be de rigueur for networks composed of physical devices with fixed software, but they are practically no use when it comes to virtualised systems. "When you have a static policy, you need to think that this machine will communicate with one over there," says Mayers. "If a physical system fails you need to think where a virtual can be moved, and still be secure. If this virtual machine moves, does this break the security policy?"
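The questions Mayers poses (where a virtual machine can be moved if a physical host fails, whether the move breaks the policy, and how much load concentration a single host carries) can be checked mechanically if the policy is written down as data. The following is an added example, not code from the article or any vendor: the zones, network names, hosts and VMs are constructed, and the rules (which networks a zone may attach to, which zones may never share a hypervisor, a VM-per-host ceiling) stand in for whatever a real environment would define.

```python
"""Policy check for moving a virtual machine between hosts.

Added example, not code from the article or any vendor: the static policy is
expressed as data and a proposed migration is evaluated against it before the
move. Hosts, VMs, zones and network names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    zone: str
    networks: set                      # networks the VM must be able to reach


@dataclass
class Host:
    name: str
    networks: set                      # networks physically attached to the host
    vms: list = field(default_factory=list)


# Constructed policy: which networks a zone may attach to, and which zone pairs
# must never share a hypervisor (the physical separation the article calls for).
ZONE_NETWORKS = {
    "dmz":      {"lan-dmz", "mgmt"},
    "internal": {"lan-internal", "iscsi-storage", "mgmt"},
}
ISOLATED_ZONE_PAIRS = {frozenset({"dmz", "internal"})}
MAX_VMS_PER_HOST = 5


def migration_violations(vm, target):
    """Return the policy rules a move of `vm` onto `target` would break."""
    problems = []
    allowed = ZONE_NETWORKS.get(vm.zone, set())
    for net in sorted(vm.networks - allowed):
        problems.append(f"{vm.name} in zone {vm.zone} may not use network {net}")
    for net in sorted(vm.networks - target.networks):
        problems.append(f"host {target.name} lacks network {net} required by {vm.name}")
    for other in target.vms:
        if frozenset({vm.zone, other.zone}) in ISOLATED_ZONE_PAIRS:
            problems.append(f"{vm.name} ({vm.zone}) would share {target.name} "
                            f"with {other.name} ({other.zone})")
    if len(target.vms) + 1 > MAX_VMS_PER_HOST:
        problems.append(f"host {target.name} would exceed {MAX_VMS_PER_HOST} VMs")
    return problems


def failover_plan(failed_host, candidates):
    """If `failed_host` goes down, list the hosts each of its VMs could move to
    without breaking policy; an empty list marks a single point of failure."""
    return {vm.name: [h.name for h in candidates
                      if h is not failed_host and not migration_violations(vm, h)]
            for vm in failed_host.vms}


def sample_hosts():
    """Constructed three-host estate used by the demonstration and the tests."""
    web1 = VM("web1", "dmz", {"lan-dmz", "mgmt"})
    db1 = VM("db1", "internal", {"lan-internal", "iscsi-storage"})
    host_a = Host("host-a", {"lan-dmz", "mgmt"}, [web1])
    host_b = Host("host-b", {"lan-internal", "iscsi-storage", "mgmt"}, [db1])
    host_c = Host("host-c", {"lan-dmz", "lan-internal", "iscsi-storage", "mgmt"})
    return host_a, host_b, host_c


if __name__ == "__main__":
    host_a, host_b, host_c = sample_hosts()
    web1 = host_a.vms[0]
    print("web1 -> host-b:", migration_violations(web1, host_b))
    print("web1 -> host-c:", migration_violations(web1, host_c))
    print("if host-a fails:", failover_plan(host_a, [host_a, host_b, host_c]))
```

`failover_plan` is the disaster-recovery question from the previous section asked of the data rather than of a live test: a VM with no permitted destination is a single point of failure, and a host that appears as the only destination for many VMs is the concentration risk Mayers describes.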

Beware 'vmsprawl'
And the idea that too much of a good thing can be bad for you also holds true for virtualisation. Avoiding 'vmsprawl' — basically deploying new virtual machines unchecked — is a must according to experts. "They'll [virtual machines] proliferate if you're not careful," says Mayers. "You can control vmsprawl proactively, by controlling who produces virtual machines, or you can use discovery to detect virtual machines."

Organisations with tighter security needs often control who can create virtual machines, whereas businesses that need more flexibility monitor their virtual network to discover when virtual machines have been created. However, companies using the latter method have to decide about the risk to their business of rogue virtual machines that have been taken over by malicious controllers.

"What do you do about rogue virtual machines? You need to be able to take those down quickly. IDS [intrusion detection system] relies on being able to see all of the communications in a network — you can still have rogue machines communicating outside the network," says Mayers.
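The discovery approach described in this section only pays off if what monitoring sees is reconciled against what was authorised, so that rogue machines can be taken down quickly. The following is an added example, not code from the article or any vendor: the approved register and the discovered inventory are constructed sample data standing in for a change-management record and a hypervisor or network scan.

```python
"""Reconcile discovered virtual machines against the approved register.

Added example, not code from the article or any vendor. The register lists the
VMs someone was authorised to create; the discovery list is what monitoring
actually saw on the hypervisors. Anything seen but not registered is a sprawl
or rogue candidate to take down; anything registered but not seen may be a
stale entry or a machine that has moved out of sight. Both lists are
constructed sample data.
"""

# Constructed approved register: vm id -> owner, approval and expiry dates.
REGISTER = {
    "vm-0101": {"owner": "web-team", "approved": "2023-01-15", "expires": "2023-12-31"},
    "vm-0102": {"owner": "test-lab", "approved": "2023-01-20", "expires": "2023-03-01"},
    "vm-0103": {"owner": "finance",  "approved": "2023-02-02", "expires": "2023-12-31"},
}

# Constructed discovery result: what the hypervisor inventory reported today.
DISCOVERED = [
    {"id": "vm-0101", "host": "hv-01", "first_seen": "2023-01-16"},
    {"id": "vm-0102", "host": "hv-02", "first_seen": "2023-01-21"},
    {"id": "vm-0999", "host": "hv-02", "first_seen": "2023-05-30"},
]


def reconcile(register, discovered, today):
    """Classify every VM as approved, rogue, expired or unseen.

    ISO dates compare correctly as strings, so no date parsing is needed.
    """
    seen = {d["id"]: d for d in discovered}
    rogue = sorted(i for i in seen if i not in register)
    expired = sorted(i for i in seen if i in register and register[i]["expires"] < today)
    unseen = sorted(i for i in register if i not in seen)
    approved = sorted(i for i in seen if i in register and i not in expired)
    return {"approved": approved, "rogue": rogue, "expired": expired, "unseen": unseen}


def takedown_list(register, discovered, today):
    """Machines that should be isolated now, with the host to act on and why."""
    result = reconcile(register, discovered, today)
    by_id = {d["id"]: d for d in discovered}
    actions = []
    for vm_id in result["rogue"]:
        actions.append((vm_id, by_id[vm_id]["host"], "not in approved register"))
    for vm_id in result["expired"]:
        actions.append((vm_id, by_id[vm_id]["host"],
                        f"approval expired {register[vm_id]['expires']}"))
    return actions


def vms_per_host(discovered):
    """Concentration view: how many VMs each physical host is carrying."""
    counts = {}
    for d in discovered:
        counts[d["host"]] = counts.get(d["host"], 0) + 1
    return counts


if __name__ == "__main__":
    print(reconcile(REGISTER, DISCOVERED, "2023-06-01"))
    for action in takedown_list(REGISTER, DISCOVERED, "2023-06-01"):
        print("isolate:", action)
    print("per host:", vms_per_host(DISCOVERED))
```

An expiry date in the register is what turns "who may create machines" into a control that keeps working after creation: a test-lab machine that was legitimate in January becomes a takedown candidate in June without anyone having to remember it.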

Virtualisation has had a disruptive effect on the whole area of server and network management, and is widely seen as a technology that rewards a brave and bold approach. However, when it comes to securing the systems, experts seem to agree that a measured and step-by-step approach is best and that virtualised systems face as many security issues as their physical forebears. Get the implementation of security for virtualised systems right first time, and you'll save yourself headaches further down the line.
