Security concerns cloud virtualization deployments

Virtual servers are prone to the same attacks as those that plague physical servers. They're also vulnerable to new threats that exploit weaknesses in hypervisor technology, experts warn.

Server virtualization makes it possible to run multiple applications and operating systems on fewer hardware resources, and it lets users quickly provision new resources based on demand. But the features that enable such flexible computing cause network and security managers to wonder whether a security threat in a virtualized environment could spread to the entire network.

"I am holding off on server virtualization, because I have already been hearing about security issues with the hypervisor," says Craig Bush, network administrator at Exactech Inc. in Gainesville, Fla. "One server being breached doesn't take down our entire network, but if it is possible for a hypervisor to do that, I'll just wait until the security angle is more played out before I jump into virtualization."

Here we address four of the top concerns about securing virtual environments and attempt to discern the hype from reality.

1. Virtual-machine escapes could propagate security problems

IT managers worry that security attacks designed to exploit a hypervisor could infect virtual machines that reside on the same physical host, in what is known as a "virtual-machine escape."

If a virtual machine is able to "escape" the isolated environment in which it resides and interact with the parent hypervisor, industry experts say it's possible an attacker could gain access to the hypervisor, which controls other virtual machines, and avoid security controls designed to protect the virtual machine.

"The Holy Grail of security in the virtual world is to bounce out of the [virtual machine] and take control," said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group, speaking during a recent webcast on virtualization security.

But while there have been documented attempts to execute a virtual-machine escape, some observers point out that a security disaster related to such an event has yet to be proved.

"To my knowledge, there has never been a hack that has allowed a security problem to propagate from one virtual host to another by way of the hypervisor technology," says Steve Ross, a consultant at Catapult Systems Inc., which is helping logistics provider Transplace Inc. in Plano, Texas, deploy and maintain its VMware virtual environments.

"It could happen, and the attacker or breach could hop" from virtual machine to virtual machine, "but I have yet to see it as a functional exploit out there today," adds Tim Antonowicz, a systems engineer at Bowdoin College in Brunswick, Maine.

Antonowicz, who uses VMware Inc.'s ESX to virtualize servers, says he tries to thwart such problems by sequestering virtual machines in resource clusters, depending on the sensitivity level of the applications or data the virtual machine is housing. "You have to segregate machines in that manner to heighten security," he says.

Edward Christensen, director of technical operations at Cars.com in Chicago, also is taking steps to insulate his company's virtual environments.

"The old-school ways of securing an environment involve putting firewalls between the database and application layers, for instance, but when you have a virtualized environment, those lines get crossed," Christensen says. The online automotive company uses VMware technology to virtualize servers on Hewlett-Packard Co. boxes, and Christensen says being able to store virtual environments off the network helps ease security worries. "It's one of the nice things about virtual environments," he says.

2. Virtual machines multiply patching burdens

The threat of virtual-server sprawl -- a scenario in which the ease of deploying virtual machines results in more instances than planned -- makes staying on top of patches and updates for operating systems critical in a virtual environment.

"Patching becomes more challenging, because [virtual machines] move around, and they multiply," Burton Group's Lindstrom said. "The ability to validate the patch status on individual machines becomes more important in the virtual world."

IT managers agree that patching is critical in virtual environments, but the real difference between virtual- and physical-server patching isn't a security issue; it's about volume.

"We need to keep in mind that our servers that are virtualized require the same patch management and maintenance as physical servers," says Ross. Transplace has three virtual environments -- two inside its network and one in its DMZ -- that include about 150 virtual machines. "The hypervisor adds another layer to focus on in patching, but patching itself is equally critical on physical and virtual machines," Ross says.

For Bowdoin's Antonowicz, staying in front of virtual-server sprawl is a priority now, because the time it takes to patch machines increases when servers multiply beyond his direct control. In the past, he routinely patched 40 servers, but now he is responsible for securing more than 80. He hopes one day to find tools to better automate the process.

"Virtual environments can grow too fast without physical constraints," Antonowicz says. "Before we roll out more [virtual machines], I want to look into more automation around patching."

3. Running virtual machines in a DMZ

As a rule, many IT managers avoid putting virtual servers in a DMZ, and other IT managers won't run mission-critical applications on virtual machines in a DMZ or even on machines protected by corporate firewalls. According to Burton Group's Lindstrom, however, it can be done when using proper security measures. "You can run virtualization inside the DMZ as long as the firewall or separating device is physical. And in most cases, as long as you are separating out resources, you are good to go," he said.

Antonowicz says DMZ or not, he sets up his virtual environments with the mind-set that exploits exist, and he works to limit the access among clusters of virtual resources. "Each cluster has its own set of resources and accesses, so you can't get from one to the other and there is no way to jump within each cluster," he explains.

Many IT managers work to segment their virtual servers and keep them within corporate firewalls. Some place virtual machines in a DMZ -- but only with noncritical services running on them. Scott Engle, director of IT infrastructure at Transplace, says everything of value is behind the firewall at his company, and those applications running on virtual machines in the DMZ include such services as DNS.

Transplace runs virtual machines "in a trusted segment on a trusted host," says Engle. "In our DMZ, we will run physical boxes with a few VMware instances, but we do not bridge the gap between trusted and untrusted networks."

4. The newness of hypervisor technology could be an invitation to hackers

Any new operating system is rife with flaws. So does that mean hackers are champing at the bit to find virtual-operating-system vulnerabilities and launch attacks?

Industry watchers advise security managers to remain a bit skeptical about virtual operating systems and their potential to introduce more holes and vulnerabilities than it's possible to patch manually.

"Virtualization is essentially a new operating system, which is something that hasn't been done for a long time, and it enables an intimate interaction between underlying hardware and the environment," says Rich Ptak, founder and principal analyst at Ptak, Noel & Associates. "The potential for messing things up is significant."

A virtual hypervisor may not represent as much of a security threat on its own as people might think, however. Having learned from Microsoft's well-publicized problems patching Windows, companies such as VMware may have worked to limit the potential for security holes in their hypervisor offerings.

"VMware has done a good job compared to Microsoft, and the vendor seems to be ahead of that type of issue," says Peter Christy, principal at Los Altos, Calif.-based Internet Research Group. "But a hypervisor is a small piece of code that represents a small and limited surface area, which is easier to make more secure than 80 million lines of code."

This story, "Security concerns cloud virtualization deployments" was originally published by Network World.

Copyright © 2007 IDG Communications, Inc.

  