Virtualization Has A Security Blind Spot

The race is on. As organizations successfully slash the costs associated with buying, powering, and maintaining physical servers by embracing virtualization, are they leaving their systems vulnerable? Maybe so. Companies' efforts to virtualize are moving beyond the simple consolidation of servers and applications to fewer physical boxes, but there's an additional risk that can parallel the reward. And the risks lie not only where many might suspect--with the hypervisor or virtualization software itself--but also with the impact virtualization can have on traditional network and security controls.

Virtualization software, primarily the hypervisor, is no different than any other software application: It's bound to have defects and security bugs. What sets hypervisors apart is the risk of so-called "hyperjacking," a successful attack that leads to a compromised hypervisor, giving an attacker unfettered access to all virtual machines on the physical server. This could be quite the compromise, given that anywhere from a handful to dozens of VMs could be running on a single host.

While the consequences of a compromised host can be dire, it's generally thought that the vulnerabilities of the hypervisor are the least of a security professional's worries. "Virtualization security has nothing to do with the security of the hypervisor," says Andreas Antonopoulos, an analyst at Nemertes Research. "It has to do with the fact that we're fundamentally changing the IT architecture, operational patterns, deployment life cycles, and management methods of our servers. These issues will create more security issues for organizations than the hypervisor itself."

Along with the flexibility and agility gained through virtualization comes a security blind spot--the loss of visibility into network traffic. "You lose granularity on the network traffic between your virtual servers because that traffic never leaves the physical box, and your traditional security tools won't be able to analyze the traffic," says Lloyd Hession, an independent IT security consultant and former chief information security officer at financial network services firm BTRadianz.

Five Laws Of Virtualization Security

This lack of visibility into virtual network traffic is only likely to grow more troublesome as organizations move beyond simply stuffing less-than-mission-critical systems onto fewer physical hosts. More companies are beginning to manage more virtualized servers in the data center, and these servers are running mission-critical applications. Research firm IDC predicts that companies will invest nearly $11.7 billion in virtualization services by 2011, up from $5.5 billion in 2006.

Consider the experience of health care industry software services provider Quantros, which provides hospitals and health care providers with on-demand software that helps manage patient safety tracking, accreditation, and compliance. Last year, the company began investigating ways it could revamp its then-aging network. "Our network was expanding, and it was becoming cost-prohibitive to keep adding new physical servers," says Bryan Rood, director of Internet data center services at Quantros.

To help save costs while expanding its network, Quantros turned to VMware's ESX server virtualization platform to virtualize a number of its Web and development servers. "This was an ideal area of our infrastructure to start, and there was a strong business case for virtualizing these systems," Rood says.

BUILD ON SUCCESSFollowing the initial success, more virtualization efforts got under way, including virtualizing systems used for quality assurance. It soon became clear that Quantros' servers, which today consist of 55 physical and 40 virtualized servers, faced security challenges. First, traditional network-based intrusion-prevention systems wouldn't be able to protect multiple virtual servers on a single host from attacks on each other. And maintenance and patching cycles grew challenging, as they always do. Also, considering the ease at which virtual servers can be dispatched, Rood needed a way to make sure each virtual system adhered to the company's strict security and patch-level policies.

Quantros turned to Blue Lane Technologies and its ServerShield, which not only successfully identified and protected Quantros' physical severs, but all of the virtualized instances on those servers as well, Rood says. Blue Lane, which has its roots as a virtual patch proxy, is enhancing its technology to better protect virtual environments. Last year, the vendor made available its VirtualShield, which is specifically designed for VM-to-VM traffic-flow analytics and enforcement.

DIG DEEPER

VIRTUAL RISK

Don't rush into virtualization without fully considering its impact on your information protection practices.

Purchase this
Analytics Report

>> See all our Analytics <<

These are the types of security challenges that companies turning to virtualization need to be prepared for. "Most companies, when they started down this path, did so for their lab and testing systems. They found they could save some money and get additional business agility," says Kurt Roemer, chief security strategist at Citrix Systems. "But they didn't ask how virtualization would change their existing network infrastructures. The traditional controls are now abstracted."

That has security pros and audit teams a bit prickly. "They want to see how these virtualized environments will function and deliver the same security posture, availability, latency, and deliver on the SLAs that they enforced prior to moving to virtualization," says Chris Hoff, chief architect of security innovation at Unisys.

(click image for larger view)NEW TECHNOLOGIES (AND CHALLENGES)Those infrastructure changes can have a significant impact on security. Virtualized servers, which are hosted on the same physical box, can communicate directly with each other without any of their traffic hitting the physical network where traditional network security tools reside. Standard in-line security data tools, such as intrusion prevention, count on being in line with the conversation over the network. This lack of visibility can have unintended consequences: Tools for capturing network, database, and application reports from logs for regulatory compliance don't get all the information they need; host-based antivirus tools, if installed on numerous virtual servers, can bring the overall CPU utilization of the physical server to a crawl; and patch management apps may not offer good support for virtualized systems.

To make certain proper security controls are in place, companies have created logical security zones such as trusted, untrusted, and Internet-facing demilitarized zones. This way, virtualized instances that contain sensitive or proprietary information will be limited to physical hosts within zones ranked at the appropriate security level, with higher security settings in more trusted zones and loosely managed systems in the untrusted zones. These zones can be segmented much the same way security zones are used in physical networks. For instance, a network segment that supports the sales department of a pharmaceutical company would have much different security controls than research and development segments would have.

Yet attempting to secure virtualized environments in this way can significantly limit the utility of virtualization--being able to quickly add or shift virtualized instances to available host server resources. Because security zones lessen the number of virtual servers that can be consolidated, you'll need to add more physical servers for each zone."The benefits and ROI of virtualization naturally push organizations because they want the flexibly to allocate more databases, more Web servers, more application servers when needed," says analyst Antonopoulos. "But if you run out of capacity in the database pool, you can't shift demand to the application pool. You're now put in a difficult position of having to make explicit choices between business utility, flexibility, and ROI on one hand, and security on the other," he says.

CPU STRAINAnother challenge: The hardware capacity demands of running security software within multiple VMs, as well as on the physical host, can strain CPU loads. "Host-based security tools can work just fine, but you may not get the amount of consolidation you sought, and capacity-planning CPU cycles becomes even more important in virtualized environments," says Pete Lindstrom, a security analyst at research firm Burton Group.

As a workaround to this, companies have tried routing virtual server traffic through virtual switches out to the physical network, to be vetted by their traditional network security controls such as intrusion-prevention and anti-malware systems, and then back to the virtual server. But even this can get messy. "Trying to manage virtual system security the way you managed physical system security is both the best and worst answer," says Antonopoulos. "You scale that to any number of machines above a dozen, and the result is what I call 'VLAN spaghetti.' It's completely unmanageable."

Top Security Concerns Of Virtualization

A swath of security vendors is bringing to market tools to ease the security and manageability of virtualized systems. Some, like Skybox Security, are updating their tools to adapt to virtualization. Skybox supports virtual firewalls from Juniper and Cisco in its Skybox View 4.0 risk management and network-modeling suite. Others, including startups Altor Networks, Catbird, Fortisphere, and Montego Networks, offer tools that provide everything from virtual machine discovery and management to intrusion prevention and policy management and enforcement capabilities. "These toolsets virtualize security, not try to bring physical security methods to virtual systems," says Antonopoulos.

To help its partners better integrate security into virtualized environments, virtualization stalwart VMware recently kicked off its VMsafe initiative. VMsafe is a set of APIs that permit security apps to attain a level of visibility into VMware's hypervisor--that thin layer of virtualization software that abstracts the operating system and apps from the hardware platform. The APIs let security vendors develop tools to block viruses and Trojans, monitor network traffic, build firewalls that integrate more tightly with VMs, and even improve patch management and perform vulnerability assessments. About 20 suppliers have expressed interest in VMsafe, including Check Point Software, McAfee, Symantec, and VMware parent EMC's RSA Security unit."VMsafe is a signal to the market that VMware is taking security seriously and that they're willing to work with third-party security vendors to bring their solutions to the virtualized environment," says Lindstrom.

That openness is a double-edged sword. "By giving security vendors access to directly interact with, and in some cases control, functions will bring virtualized generations of security toolsets, but it will also present some interesting attack vectors that can be exploited by people who love to take advantage of that same set of APIs," says Unisys' Hoff.

While the risks to virtualized environments are real, the tools and best practices for securing them are fast becoming real, too. "The security tools will mature," says consultant Hession. "We'll see the same level of rapid innovation from the startup security vendors. Those tools will be tested and proven in the market, and eventually become part of the network fabric." That can't happen soon enough for companies looking to capitalize on the business benefits of virtualization.

Illustration by Dan Page

Continue to the sidebar:
The Right Security Tools0