Virtualization--the next frontier for hackers?

Threats targeting the vulnerabilities the technology presents are imminent, but enterprises are not prepared to manage the security implications, say industry observers.

Virtualization, with its rapid pace of adoption, is becoming a frontier for attackers, but not all businesses are aware of the risks or act on them adequately, according to market observers.

Graham Titterington, principal analyst at Ovum, told ZDNet Asia in an e-mail interview that with the increasing prominence of virtualization, threats to virtual machines (VMs) are becoming more significant.

"There is little evidence of attacks on the foundation layers of virtualized environments yet, but we need to be vigilant as attacks will surely come," he noted. "Virtualization [can offer] the attacker the bonus of taking down many VMs with one attack, if successful. There is also the risk of attacks on the information held in all the VMs sharing the same physical platform if hypervisor security is broken."

Ronnie Ng, Symantec's manager for systems engineering in Singapore and Indonesia, concurred with Titterington's assessment. "While actual hypervisor breaches are still rare, there is still the potential threat of the hypervisor layer being compromised, putting at risk all the virtual servers running business applications," he said in an e-mail.

The key problem with the growth in the adoption of server virtualization, he explained, is the lack of control--or VM sprawl--in the data center. The ease of deployment of virtual servers makes it difficult to audit and enforce security policies, noted Ng.

Increased patching no cause for concern

Businesses do not need to be unduly concerned with the increasing number of patches released, market watchers told ZDNet Asia.

Virtualization market leader VMware released a host of patches in early September to address multiple vulnerabilities in its server and workstation virtualization software. Later in the month, it released a patch for a buffer overflow vulnerability in its hypervisor software.

"Software fixes and enhancements are a norm today for both physical and virtualized environments as vendors strive to improve the overall quality of their software," Ronnie Ng, Symantec's manager for systems engineering in Singapore and Indonesia, pointed out in an e-mail interview.

Andrew Milroy, Frost & Sullivan's research director of ICT practice, said in a phone interview the patching may be a sign that VMware is "becoming increasingly aware of where risks might lie" given the increased adoption of virtualization.

Graham Titterington, principal analyst at Ovum, noted in an e-mail interview: "You have to compare [VMware's patch releases] with the volume of patches on other operating systems such as Windows or Linux. What [the patching] does show is that there is a potential problem and that we are right to be concerned with this issue and need to take appropriate action."

Jeff Jennings, global vice president of products at VMware, pointed out that the vast majority of the company's security updates are related to its "service console", which is essentially a modified version of Linux. The kernel, which is proprietary, has not been compromised, he said on the sidelines of VMware's Virtualization Forum in Singapore.

"That's not to say we'll never have a security patch [related to the kernel]," said Jennings. "But I do think that we have reacted quickly and effectively to [vulnerabilities] that have risen."

Benjamin Low, managing director of Asia South at Secure Computing, added in an e-mail that the mobility of virtual environments and the fact that VMs can "hide" when they are not active make it difficult for traditional network security tools to monitor and control traffic within virtual networks. Acknowledging that it would be a matter of time before hackers act on "unprotected vulnerabilities that the technology presents", he warned: "Virtualization may become the next frontier for black hats."

Virtual defense not adequate

According to Andrew Milroy, research director of ICT practice at Frost & Sullivan, what needs to change in virtualization security is not so much the tools as the mindsets of businesses.

"It's not that you need brand new security products…it's just the way the security products are deployed and managed," he said in a phone interview. "From our perspective, it's really a cultural change and understanding of how to deploy the security products more effectively in a different architecture."

The analyst added that greater awareness and education need to be in place, as there is "always a lag for organizations getting onto the security implications of new implementations".

Secure Computing's Low noted that at times, enterprises rush into implementing virtualization and relegate security to an afterthought, or purchase security tools that do not meet their needs. "Some system administrators may be lulled into thinking that because something is running virtually rather than physically on a server, the same level of attention to risk management, security policies and compliance such as OS hardening is not necessary," he said.

Ovum's Titterington said: "Until recently security product vendors claimed to secure virtual environments if their products were capable of running in a compartment--a virtual machine--within a virtualized environment. This protects the application running in that compartment but overlooks the possibility of the wider environment disabling the virtual machine."

In addition, the technology to defend virtual environments is only "partially available", Titterington noted. Citing VMware's VMsafe, he pointed out that the initiative was unveiled in February and security vendors are still in the process of "developing products to work with this".

Secure Computing, according to Low, has developed security gateway virtual appliances including virtualized Secure Firewall, Secure Web and Secure Mail based on the VMsafe API (application programming interface).

To improve security of virtualized environments, Frost & Sullivan's Milroy said companies need to ensure passwords of VMs are varied enough, and that their IP addresses are not sequential. Servers and operating systems on the host should also be kept "to an absolute minimum", he added.

"If you keep the same security policies and software in a virtualized environment, your risks will go up," said Milroy. "It's not to say you'll be a sitting duck--it's just [more risky] because there's so much in one machine, [so] should that one machine be broken into or infected by something then the consequences are more severe than if you have many more [physical] servers."